Saturday, December 30, 2023

Breaking Down What Vulnerability Scanning & Penetration Testing Are For 2024

Introduction

As we head into 2024, the question I keep getting asked is what one of the best ways is to avoid becoming a victim. This article outlines just how to do that.

Vulnerability Assessments

This type of test runs automated scans across the major components that reside in both your IT and Network Infrastructures. These primarily include the servers, workstations and wireless devices. These assessments primarily look for known vulnerabilities, without any human intervention involved.

The scans can run as short as a few minutes to as long as a few hours. After the probing has been completed, a report is usually generated for the client, and from there, it is up to them to decide how to proceed with any specific actions to remediate the issues.

This test is also known as a “Passive” kind of test in the sense that it only detects those weaknesses that are highly visible and can be exploited very easily by a Cyberattacker. This just serves as a tipping point of what other vulnerabilities could be lurking. In a sense, the Vulnerability Scan can be viewed as merely conducting an EKG as to what is going on in terms of risk exposure.

One of the primary advantages of this kind of assessment is the cost. It is very affordable, even to the SMB which makes it a very attractive option. The downside is that if there are any recommendations that are provided in the report, it will not be specific to your business, rather, it will just be general in nature, based upon previous threat profiles. Because of its low cost, a Vulnerability Scan can be run on a continual cycle, at different timing intervals.

Further, the vulnerabilities that have been discovered are not exploited to see what their root cause is, or to see if there are other vulnerabilities that could lie underneath.

Penetration Testing

This can be viewed as the “Angiogram” in the detection of the vulnerabilities, weaknesses and gaps that reside in your IT/Network Infrastructures. A huge deep dive is done, with many kinds of tests being conducted. They won’t last for just a matter of a few hours, rather, they go on for long and extended periods of time.

Second, there is not much automation involved when conducting a Penetration Test. It is primarily a manual process, which takes the work of many skilled professionals with years of experience. These people are also known as “Ethical Hackers” because they take on the mindset of a Cyberattacker and use every tactic in the book in order to break down your walls of defense.

With this effort, these individuals are not only looking for the known vulnerabilities, but they are also looking for the unknown ones as well, such as covert backdoors that could have been left behind in source code development. In other words, heavy active scanning is involved, unlike the Vulnerability Assessments.

Third, Penetration Testing is not just done on digital assets. It can also be used to unearth any gaps or weaknesses that are found within the Physical Infrastructure of a business as well. For example, a team can be specifically assigned to see how easy it is to replicate an ID badge and use it to fool the security guard at the main point of entry.

Fourth, Penetration Testing can also be used to ascertain the level of vulnerability the employees have to a Social Engineering Attack. In this regard, a specialized team can be called upon to make Robocalls to the Finance and Accounting departments to see if they can be tricked into making payments on fake invoices. Or the calls could involve reaching out to the administrative assistants of the C-Suite and luring them into wiring large sums of money to a phony, offshore account.

Fifth, Penetration Testing can be used in both the internal and external environments of a business.

Typically, there are at least two teams involved (perhaps even three) when conducting these kinds of tests, which are as follows:

* The Red Team: These are the Ethical Hackers that are trying to break into your systems, as previously described;

* The Blue Team: These are the Ethical Hackers that work internally with your IT Security Team, to see how well they react to and fend off the attacks that are being launched towards them by the Red Team;

* The Purple Team: This may or may not be used, depending upon the security requirements of the client. This team is a combination of the Red and Blue ones and provides unbiased feedback to both teams as to how they have done during the course of the exercise.

At the end, the client is given an exhaustive report of the findings from the Penetration Test, as well as suggestions of actions that can be taken to remediate the problem. Although the biggest advantage of this kind of exercise is the deep level of thoroughness that is involved, the downside is that they can be quite expensive. As a result, Penetration Tests are typically only carried out perhaps once, or at most, twice a year.

Conclusions

The question which often gets asked is: “What kind of test should I get?” It all comes down to cost. Typically, the smaller businesses can only afford the Vulnerability Scan, whereas the medium sized business can afford the Penetration Test. But truthfully, each and every business should know all of the vulnerabilities that lurk in their systems, especially the unknown ones, as this is what the Cyberattacker will primarily go after.

A security breach can easily cost 10X more than any of the tests just described. Therefore, the CISO and his or her IT Security team need to remain constantly proactive, thus making the Penetration Test the top choice to go with in the end.

Friday, December 29, 2023

Why CISOs & Cyber Insurance Carriers Need To Bridge Their Differences In 2024

Well, here we are in the last full weekend of 2023. The Social Media platforms abound with predictions on what is going to happen in 2024. As for Cyber, the pundits have already started to make their claims. But one area that has been overlooked by them, and will continue to be a very hot button topic going into next year, is that of Cybersecurity Insurance.

This is something I have written about extensively before, and heck, I have even written an entire book about it.  People think that getting a Cyber Insurance Policy is the same thing as getting medical or car insurance.  Unfortunately, it is not as cookie cutter as that.  There are a lot of variables that are at play here, which are both quantitative and qualitative in nature.

Probably one of the biggest reasons for this is that Cyber Insurance is still a relatively new area. The first policy was written by AIG back in 1997. Over time, the problem that has evolved today is that the businesses that want to get a Cyber Insurance Policy think that the carriers are simply gouging and taking advantage of them, with a lot of red tape to go through only to face very high premiums.

On the other hand, since this is all new territory to the carriers, they are still struggling to find their footing and even trying to break even, at best.  In fact, when they first started to offer Cyber Insurance, many of them decided how much the premium should be just based on a gut feeling.  There was no scientific approach to this, or even any form of actuarial science being applied to it.

Because of this, it was very easy to get an insurance policy. As a result, claims from businesses started to pour in even for the smallest things, and the carriers started to face steep losses. So fast forward to now, and the result is that the carriers have become much more stringent before a business can apply for a policy. Although I am not a total expert in this area, before a policy can actually be awarded, there are a lot of hoops that an entity has to go through.

For example, the owner of a business has to fill out a lengthy assessment questionnaire.  It covers everything from making sure the right controls are in place, to how datasets are being protected, if there are response plans in place to mitigate a security breach should it occur, and even making sure that a business is in full compliance with the various data privacy laws, such as the GDPR, CCPA, etc.

Also, the organization may be subjected to a pre-insurance audit before the policy can even be considered. This is just another precautionary step that the carriers have started to take to make sure that the assessment questionnaire is 100% truthful. Third, there are now a lot of areas on which a carrier will not make a full payment, because the threat landscape is changing on a daily basis.

A perfect example of this is the Ransomware payment. If a business paid the ransom, they would be reimbursed after they had filed a claim. But because this threat variant has exploded ever since the days of the COVID-19 pandemic, there are no payments being made on these kinds of claims. In fact, if a victim makes an actual payment, they will be further dinged on their Cyber Policy.

So what can be done to bridge this ever-dividing gap? Well, the CISOs of Corporate America and the insurance carriers have to come to some sort of middle ground. How can this be done? Well, it all comes down to forming a partnership between the two. In other words, the CISO should not view an insurance company as a nemesis, and likewise, the carrier should not view a prospective policy holder as a potential gouger.

This has to be a firm relationship, and it has to be based on quantitative measures. The best area in which to get started is to come to some sort of mutually agreeable consensus as to what risk is. Every company has its own way of defining it, and the insurance carriers have yet another way of looking at it. Although there are many ways in which to calculate risk, there also need to be some sort of baselines and best practices that all parties can be happy with in the end.

Also, with the advent of AI and ML, calculating Cyber risk should hopefully be an easier task now.  By mutually agreeing on it, a fair policy can be struck on both sides. 

But in order to make this happen, the CISO has to share confidential information about the metrics they are using to calculate their certain level of risk.  Likewise, the insurance carrier has to make sure that they do indeed keep it confidential.  Once this first level of trust has been established, then perhaps this proposal will start to blossom into a long term one.

To get another insight into this, click on the link below:

https://www.darkreading.com/cyber-risk/why-cisos-should-get-involved-with-cyber-insurance-negotiation

Saturday, December 23, 2023

How The Good Guys Are Fighting The Dark Side Of AI

Apart from the political environment that we are facing today, one of the other hot topics has been that of AI, especially the Generative kind. We have heard it in the news daily, and the stocks of some of the major AI players have skyrocketed (Nvidia is one of those). It seems like we are in a bubble, much like the .com era back in the late ‘90s. But with all bubbles, there will of course be a burst.

But a catalyst that could be driving this one on a possible downtrend is the Cyberattacker. As much potential and promise as there is in Generative AI, there are also real risks that it could be used for malicious purposes as well. So in this blog, we look at four areas where the Cyberattacker has done this:

1)     Phishing Emails:

As many of us know, this is probably the oldest of the threat variants out there. But over time, we learned how to spot the signs of it, such as misspelled words, typos, redirected URLs that did not match, etc. But with ChatGPT now in existence, a Cyberattacker can create a Phishing email that has hardly any of these mistakes. Another common type of Phishing email has been the BEC one, in which an administrative assistant is sent an invoice asking for a large sum of money to be wired to a bank account. There have been warning signs with this as well, but once again, ChatGPT has made it almost impossible to tell what is real and what is not. In fact, according to a recent report by SlashNext, there has been a 1,265% rise in Phishing emails since ChatGPT came out onto the market. You can download this report at the link below:

http://cyberresources.solutions/blogs/Phishing_2023.pdf

2)     Impersonation Attacks:

This happens when a Cyberattacker uses an AI tool to create a voice that sounds authentic. For example, with robocalls in the past, it was usually some digital voice that chimed in if you answered the phone, and you could more or less tell that it was a fake. But not with ChatGPT being used. Now, it sounds like a real person, making it close to impossible to realize that it is actually a fake. More detail about this can be seen at the links below:

https://www.darkreading.com/cyberattacks-data-breaches/ai-enabled-voice-cloning-deepfaked-kidnapping

https://leaderpost.com/news/local-news/regina-couple-says-possible-ai-voice-scam-nearly-cost-them-9400

3)     Deepfakes:

These have actually been around since before ChatGPT made its mark. One of the best examples of this is the Presidential campaigns. Back in the 2016 election, fake videos of the candidates were created, which looked almost like the real candidates. In them, they would ask for campaign donations. But of course, any money sent would actually be deposited into an offshore bank account once again. Deepfakes are really hard to detect, but if you look closely enough, there are some very subtle cues that will give them away. So my soapbox here is that in the election next year, please be extremely careful if you encounter these kinds of videos. An example of this can be seen at the link below:

https://www.cbsnews.com/chicago/news/vallas-campaign-deepfake-video/

4)     Chatbots:

These are the digital agents that you see on a lot of websites today. They usually appear in the lower right hand side of your screen. I have seen a ton of them, and believe me, no two are alike. But once again, given AI today, a chatbot can literally be created in just a matter of a few minutes, and be used for malicious purposes. For example, the chatbot could employ the tactics of Social Engineering in order to con you into giving out personal information, or worse yet, submitting your credit card number or banking information.

My Thoughts On This:

Of course, the good guys are starting to get on top of this. One way that this is being done is through the use of “Generative Adversarial Networks”, also known as “GANs”. A GAN consists of two subcomponents, which are:

* The Generator: It creates new data samples.

* The Discriminator: This discriminates generated data against the information the GAN has been trained on.

Because of this unique combination, Threat Researchers can now model what potential threat variants will look like, as described in the last section. 

But despite all of this, for you, the best defense still remains your gut. If something does not feel right, or if your first impression of a video, chatbot, or even an email raises a red flag, then disconnect yourself immediately from that platform.

The longer you are engaged with it, the worse the consequences could be.

But it is not just here in the United States; other countries and governments around the world are also fearful about the negative use of Generative AI. For example, in a recent report published by KPMG, over 90% of Canadian CEOs think that using it will make their business far more vulnerable than ever before.

More details can be seen here at this link:  https://kpmg.com/ca/en/home/media/press-releases/2023/10/generative-ai-could-help-and-hinder-cybersecurity.html

Friday, December 22, 2023

Why The Help Desk Is The Next Big Cyber Target In 2024

I have been in the world of IT for probably over 20 years. It’s only been in the last 10 or so that I have been devoted exclusively to Cybersecurity. I would say that one of the most thankless and most underappreciated jobs is that of the Help Desk.

They are usually the first and last lines of help for the end user. Not only are they expected to be knowledgeable in what they do, but they are also expected to deliver great customer service, under all conditions.

I know of people who have had this kind of role, and to be honest, it’s a burn-out role. Not only do customers chew you out, but you are expected to be on top of everything, all the time. Worse yet, there are even metrics and KPIs that you have to come through on. One of them is how long you stay on the phone to resolve an issue.

Because of all of this, and under the enormous strain that the Help Desk people are under, they have now become a primary target for the Cyberattacker.  The threat variants can come in all various forms, but the most “popular” form seems to be that of Social Engineering. 

In this regard, many robocalls, phony calls, and even emails are being sent trying to impersonate real end users, in order to extract as much confidential information as possible, namely passwords and other sorts of credentials.

So what can a Help Desk Manager do to help protect their staff?  Here are some key tips:

1)     Make sure that you only resolve issues that are related to company issued devices. If the end user cannot confirm the details of this, then the call should be terminated immediately. Or, if it is determined later that it was a legitimate end user needing help, then other avenues should be offered for assistance to resolve the problem.

2)     Once a staff member receives a call, they should communicate with, and further verify the identity of, the end user only through their company issued device.

3)     To verify the actual identity of the end user who is calling in, you should always use some form of MFA, as well as a push notification mechanism. So for example, when a Help Desk member picks up a call, they should immediately send a push notification to the device of the end user. In turn, the end user should read back that number. If they don’t receive that notification, or refuse to cooperate, then this is a huge red flag!!!

4)     Always ask the end user to verify the serial number of the device they are having issues with. Of course, if they need help in doing this, you should help, but also be aware of any cues that could indicate a fake call, such as the end user taking longer than usual to find it.

5)     If the issue in question involves the replacement of a wireless device, such as a smartphone, then you should have a policy in place that the device has to be physically returned to the company headquarters. Only then can a new device be issued. Of course, if the end user is an employee, they will have to use their own personal device to conduct job tasks in the meantime. In this case, you will probably have to deploy some substandard security protocol, such as phone authentication.

6)     Now we come to the biggest issue of all: Password Resets. This is the nemesis of the Help Desk staff, and it gets even more complex now because of identity verification. The answer to this is simple: institute the use of a Password Manager. That way, not only can long and complex passwords be created, but the end user (or employee) can manage all of that themselves, so that you can now focus on the more urgent requests.

7)     In a final effort, if MFA for some reason cannot be deployed, then another option would be to initiate a video conference call (such as Zoom or WebEx) where the end user will have to physically show you their government issued ID (such as a driver’s license, passport, etc.) and the device they are having issues with.

8)     If you use other authentication mechanisms such as tokens or digital certificates, make sure that they have a lifespan of just one use, and destroy them afterward. That way, the risk of them being replicated is greatly mitigated.
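
The caller-verification flow from tips 3, 4 and 8 above (serial number check, push a code to the registered device, have the caller read it back, single use, short lifetime), written here as an added Python example; it is not code from the blog or from any Help Desk product, and the device inventory, employee IDs, serial numbers and the push-sender callable are all constructed placeholders.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed inventory: employee ID -> registered company device (assumption:
# the help desk keeps such a record, as tips 1 and 4 presuppose).
DEVICE_INVENTORY = {
    "emp-1001": {"serial": "SN-CONSTRUCTED-001", "push_token": "push-token-1001"},
    "emp-1002": {"serial": "SN-CONSTRUCTED-002", "push_token": "push-token-1002"},
}

CHALLENGE_TTL_SECONDS = 120  # code is worthless after two minutes (tip 8)


@dataclass
class Challenge:
    employee_id: str
    code: str
    issued_at: float


class HelpDeskVerifier:
    """Drives one verification per call; every decision is written to an audit log."""

    def __init__(self, push_sender, clock=time.time):
        self._push = push_sender      # callable(push_token, message); placeholder for MDM/authenticator push
        self._clock = clock           # injectable for testing expiry
        self._pending = {}            # employee_id -> Challenge (at most one live challenge per employee)
        self.audit_log = []

    def _log(self, employee_id, outcome, reason):
        self.audit_log.append((employee_id, outcome, reason))

    def start_call(self, employee_id, claimed_serial):
        """Tip 1/4: refuse anything not tied to a registered company device, then push a code (tip 3)."""
        record = DEVICE_INVENTORY.get(employee_id)
        if record is None:
            self._log(employee_id, "REJECT", "employee not in inventory")
            return False
        if not hmac.compare_digest(record["serial"], claimed_serial):
            self._log(employee_id, "REJECT", "serial number does not match registered device")
            return False
        code = f"{secrets.randbelow(1_000_000):06d}"          # 6-digit one-time code
        self._pending[employee_id] = Challenge(employee_id, code, self._clock())
        # The push goes to the registered device, never to a number the caller supplies.
        self._push(record["push_token"], f"Help desk verification code: {code}")
        self._log(employee_id, "CHALLENGE_SENT", "push sent to registered device")
        return True

    def verify_readback(self, employee_id, spoken_code):
        """Tip 3/8: the caller reads the pushed code back; one attempt, then the challenge is destroyed."""
        challenge = self._pending.pop(employee_id, None)   # pop = single use, even on failure
        if challenge is None:
            self._log(employee_id, "REJECT", "no live challenge (never sent, already used, or expired)")
            return False
        if self._clock() - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            self._log(employee_id, "REJECT", "challenge expired")
            return False
        if not hmac.compare_digest(challenge.code, spoken_code.strip()):
            self._log(employee_id, "REJECT", "wrong code read back (treat as red flag per tip 3)")
            return False
        self._log(employee_id, "VERIFIED", "code matched within lifetime")
        return True


def demo():
    """Walks a legitimate call and a serial-mismatch call; returns the audit log."""
    sent = []
    verifier = HelpDeskVerifier(lambda token, msg: sent.append((token, msg)))
    if verifier.start_call("emp-1001", "SN-CONSTRUCTED-001"):
        code = sent[-1][1].split()[-1]         # in reality the caller reads this aloud
        verifier.verify_readback("emp-1001", code)
    verifier.start_call("emp-1002", "SN-WRONG")   # caller cannot produce the registered serial
    return verifier.audit_log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```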

My Thoughts On This:

The use of AI is only compounding this problem even more. For example, Deepfakes can be used to create fake, live images of real people, and they can even be used to create legitimate-sounding voices as well. Because of this, if you make use of a Voice Recognition system, it could very well be circumvented in these cases.

All you can do is enforce a strict policy where all of the Help Desk staff have to follow a set standard of authentication procedures, with no questions asked.

This will be especially important if you outsource your Help Desk functions to a third party.  More details about the threat of Deepfakes can be seen at this link:

https://www.npr.org/2023/03/23/1165146797/it-takes-a-few-dollars-and-8-minutes-to-create-a-deepfake-and-thats-only-the-sta

Saturday, December 16, 2023

The Top Cyber Investments For 2024

Introduction

There is no doubt that Cybersecurity and AI are hot industries right now, and they are expected to be so for a long time to come, assuming that threats will keep emerging. So, what are the hot areas to invest in for 2024? Here is a sampling:

1)     Get Cybersecurity Insurance:

As the new attack vectors are coming out, a lot of businesses are prone to being hit. You may take the best defensive posture that you can, but that will not guarantee anything. You could still become a victim. All one can do is to mitigate that risk as much as possible, and protect your business financially. This is where investing in a good Cyber Policy will become of grave importance. But keep in mind that it is getting much more difficult now to get a comprehensive plan. The reason for this is that the carriers are putting businesses, especially the SMBs, through the wringer when it comes to compliance checks to make sure all of the controls are in place. For example, even before a business can apply, the owner must fill out a very comprehensive assessment questionnaire attesting that all checks and balances are in place, and any remediations have been deployed. In order to confirm this, a carrier can even conduct an audit to confirm the responses in the survey. Only when this has passed the mark will the applicant be considered for a policy. Keep in mind that premiums are also going up, primarily because of all of the ransomware attacks that have occurred recently. So now is the best time to lock into a policy.

2)     Implement DevSecOps:

This is a fancy term which simply means that the IT Security, Operations, and Software Development teams are working together as a cohesive unit in order to make sure that any software development project that takes place meets stringent security requirements. The emphasis on secure source coding has long been forgotten about, but not anymore. Businesses are realizing just how vulnerable Web and mobile apps are, and the need to make sure that the underlying engine that runs them is rock solid. Thus, one of the primary objectives of DevSecOps is not only to have an extra pair of eyes to QA the source code, but to implement the principles of automation as well. This will bring many benefits, such as Infrastructure as Code, and sophisticated version control techniques, where rolling back to earlier versions of source code can happen seamlessly.

3)     The Zero Trust Framework:

This is another fancy piece of techno jargon that means segmenting out your IT and Network Infrastructure, and implementing at least three or more layers of differing authentication protocols. This can also be referred to as Multifactor Authentication (MFA), but what makes this different is that with Zero Trust, nobody is trusted, not even the longest-term employees, in either the internal or external environments. Sound extreme? It is, but companies that have been implementing this have had some successes so far. But one of the key things here is that you should invest in some of the latest Cyber technologies that are out there. Using passwords and challenge/response will no longer suffice. It means it’s now time to get such items as the Next Generation Firewall, Biometric based Modalities, network security devices that make use of AI and ML algorithms, and SIEMs that allow your IT Security Team to get a holistic view of what is happening out there in real time, from one dashboard.

4)     Hire a professional trainer:

Having security awareness training programs is something that you hear about all the time, and now with the Remote Workforce becoming a permanent fixture, you will hear more about it. The main problem here is that with employees WFH, it can be difficult to deliver this kind of training, and at the same time, hold the attention span of the workers that are attending. Many companies have tried to do this on their own internally, but with mixed results. So, it is highly recommended that you spend some extra dollars and hire a professional team of trainers to do the teaching. Of course, you will want to make sure that they have a deep level of Cyber experience, but they will also know all of the tricks of the trade (such as using Gamification) to keep your employees engaged, and to help them retain and apply what they have learned. This will be a longer-term investment, but the ROI will pay off.

5)     Get a virtual team:

The days of having a traditional CISO are now very quickly dwindling. Either they are getting fired, quit because they are burned out, or they are just too expensive to keep on board. So now is your time to invest in vCISO services and get a sharp consultant on board that will get the job done, according to the timeframes you have set forth in the contract. Best of all, hiring a vCISO will only be a fraction of the cost it would take to hire a full time CISO. Also, you will have the freedom of scalability; in other words, you can terminate and/or bring them back on board as needed. Another advantage of this is that your vCISO will have a plethora of other contacts that you can also bring on board contractually to help with staff augmentation, data privacy compliance, etc.

6)     Get rid of your On Prem Infrastructure:

Keeping an IT/Network Infrastructure in house is now outdated. Not only is it costly, but it is a time consuming and administrative nightmare to keep up with all of the latest updates that are needed. It’s time to invest in a great Cloud platform, such as AWS or Microsoft Azure, for just a fraction of the cost. Both of these providers offer affordable pricing, but best of all you can invest in the latest Operating Systems and software apps for a fixed monthly price, versus getting them at retail. Also, both of these providers offer many other solutions you can create and deploy at almost no extra cost. With WFH, this is the only way to go now into the future and stay ahead of your competition.

Friday, December 15, 2023

The 4 Major Causes Of Cyberbullying In Grades K-8

As we come close to wrapping up 2023 (just another two weeks away), the Cyber pundits are already making their predictions of what the top Cyber trends and threats will be for next year. When the time comes closer, I will write about it. But there is one thing for sure: AI will still most likely dominate the news headlines, and especially its impacts on Cybersecurity.

As I have written about before, AI does bring its strategic advantages to the table, as well as its shortcomings.  The biggest one here is that it can be turned around 180 degrees, and used for nefarious purposes.  A good example of this is when a Cyberattacker uses ChatGPT to create some kind of malicious script that can be inserted through a backdoor of a web application.

But there is yet another horrible aspect to it: Cyberbullying. Of course, traditional bullying has existed for who knows how long, but the digital aspect of it didn’t really fully escalate until the COVID-19 pandemic hit.

It’s now called Cyberbullying, and it can happen across age groups, all walks of life, and really just about anywhere else where you can get an Internet connection and log into somewhere.

But unfortunately, it seems that our youngsters in school are now a primary target, along with their teachers and supervisors. In fact, back in 2022, it was documented that there were over 1,436 instances of reported Cyberbullying cases across the United States public school systems. (SOURCE: https://www.sophos.com/en-us/press/press-releases/2023/07/the-state-of-ransomware-in-education).

So you might be asking why are the schools and these innocent kids so heavily targeted?  Here are some key thoughts:

* The IT and Network Infrastructures of our nation’s schools are totally outdated and archaic. Yes, the kids may have their smartphones with them, but the underlying technological process to keep the kids safe and deliver them a high-quality education is severely lacking. Because of this, there are many backdoors present, thus allowing the Cyberattacker to penetrate in and launch their reign of terror.

* The lack of transparency. Schools by law are required to notify all key parties of any security breaches that have occurred, even including Cyberbullying ones. But the schools are often reluctant to do this, so they often hire an outside third party to disclose all of this information to the public. Thus in the end, the people (who are the parents) are often told last and given the least amount of information.

* The Cyberattacker is becoming much more sophisticated. As stated earlier in this blog, given the advent and growth of AI, it is now far easier for a Cyberattacker to imitate real life people using Deepfakes, and even launch extremely convincing Social Engineering attacks as well.

* Children are doused with technology. When I was a kid, I was lucky even to get the remote-controlled car that I always wanted. Smartphones were not even conceived back then. Heck, Google didn’t even exist either. To do any research, we had to go to the brick-and-mortar library and use the good old-fashioned encyclopedias. But now, it seems that kids have everything that is technology related, and worse yet, they are all interconnected with one another, which makes Cyberbullying even easier to do against them.

My Thoughts On This:

Of course, Cyberbullying is much more complex than this. But when it comes to kids, this nation’s most precious asset, parents have to really lay down the law when it comes to using and possessing electronic devices, such as Smartphones. But you can’t tell people what to do; it all differs with parenting style. But IMHO, kids should not even be given Smartphones until they hit college level age.

Cyberbullying is a topic that I am not only passionate about, but take very seriously. Over the course of this year, I have written numerous blogs and newsletters about it. Heck, I even have a book I will be writing about it next year (the contract for this has been signed). So stay tuned for this content, and learn how not to become a victim of Cyberbullying!!!

Saturday, December 9, 2023

The Evolution Of The Online SAT: 3 Cyber Risks You Need To Know

As I reflect back on my days growing up, I often wonder how I made it through high school, college, and even grad school without Google, or even a smartphone.  But we did it the old-fashioned way, and that was using the Funk and Wagnalls Encyclopedias, and going to the library every day.  Never did I realize back then (or for that matter anybody, really) that things like Azure or ChatGPT would come into existence.

But one nemesis I had back in high school was that good ol’ SAT.  I have never done well on standardized tests, and so I ended up taking it like three times, but still never did very well at it.  By good fortune and the grace of God, I was still able to get into Purdue.

Back then, we had to report to our school, show some kind of ID, sit down, and take the tests with our number 2 pencils.  Then we had to wait patiently for the next six weeks until we got our results back.  But now, the SAT is starting to be offered online, and will be totally that way starting in 2024. 

The main trigger point for this was the COVID-19 pandemic when test takers had to take the SAT at home.

Along with the advantages of taking it online, come the risks as well, especially from the standpoint of Cybersecurity.  Here is what is at stake:

1)     BYOD:

This is an acronym that stands for “Bring Your Own Device”.  This is where businesses let their employees do their daily job tasks straight from their own, personal device.  Again, this peaked during the COVID-19 crisis, as many companies simply were not prepared at the time to issue company devices.  One of the biggest security risks here is that very often these devices do not offer the same level of protection, because many people simply do not install all of the needed protections.  So, data leakages are quite common, and are a top prey for the Cyberattacker.  Quite surprisingly, the College Board (the creators and administrators of the SAT) now allow high schoolers to bring their own smartphone, tablet, notebook, etc. to take the exam online.  But if the student cannot afford a device, one will be provided to them.  When I took the SAT, nothing was allowed except your ID and pencils.  Not even a bottle of water.  If you were caught with anything, you were immediately thrown out.  So by letting them use their own device, who is to say that they won’t have materials on their smartphone to help them cheat?  Obviously, the exam proctors can’t inspect these personal devices, as violations of privacy rights would abound greatly.

2)     The Network Security:

By now having it all online, the school is going to have to make doubly sure that it has the required bandwidth to support the test-taking day.  It has been estimated that each student will need at least 100 Kbps of bandwidth to start and finish the test.  Now imagine if there were hundreds of students taking this exam all at the same time.  Not only will this lead to slower load times for the online SAT, but it may cause the students to take a lot longer than the allotted time to finish it.  Also, slower networks are a backdoor for the Cyberattacker.  For example, with this kind of throughput, the Cyberattacker can get a closer look into the integrity of the network traffic, determine where the weak spots are, and from there insert the malicious payload.  Another downside here is that high schools often have very limited budgets for IT.  As a result, they may try to cut corners in order to accommodate this increased bandwidth need, but once again, this will create more holes for the Cyberattacker to penetrate.

3)     The students themselves:

When we think of a Cyberattacker, we have the image of a person in a hoodie, in a dark room in front of a computer, in some foreign country.  But the truth of the matter is that even the high school students themselves could be hackers.  For example, on the Dark Web, there are many “as a Service” offerings that a student can buy for pennies on the dollar.  Many of these services offer to launch a Cyberattack on behalf of the purchaser.  It takes very little technical skill and time to do this, so it is a very attractive option for anybody that is bent on doing damage in the digital sense.  The fear now is that on the scheduled day for an SAT, a student could pay for one of these services to launch a Ransomware or even DDoS attack in order to push back the test date, thus greatly affecting the college application and financial aid process for the test takers.

My Thoughts On This:

In order to level the playing field for all students, and to offer the maximum amount of protection on all fronts, schools should consider administering the SAT in a Cloud-based environment, such as that of Microsoft Azure.  For example, the school can create a virtual desktop environment for all of the test takers, and once the test administration is done, these virtual desktops can then be deleted.

IMHO, this is a very affordable and efficient manner in which to deploy the SAT for everybody.  Of course, the details of this kind of infrastructure will vary, depending upon the needs and security requirements of each and every high school.

But whatever happens, we must come to accept that these are the consequences of moving to a 100% digital-based environment.  It sort of goes back to my blog from yesterday, where I wrote about Cyberwarfare: How can one discriminate between a civilian and an enemy combatant when the battleground is completely digital??  Likewise, how do we know if the students are for real when they take the online version of the SAT??

These are some tough obstacles that will have to be overcome.  More information about the online SAT can be found at this link:

https://newsroom.collegeboard.org/digital-sat-brings-student-friendly-changes-test-experience

Friday, December 8, 2023

Understanding The Fine Line Between Cyberattackers & Hacktivists

When it comes to warfare, we have all been accustomed to the traditional ways of land, air, and sea battles.  But there is now a new kind of warfare going on, and that is Cyberwarfare.  There is really nothing new about this per se, but given the recent conflicts in Israel and Ukraine, it has been elevated to new heights and has taken on an even stronger sense of urgency.

Cyberwarfare is not just about nation state threat actors going into combat with the governments of other countries.  Now, it is targeting innocent civilians.  True, many of the Cyberattacks that do occur typically come from overseas (such as Russia, China, Iran, North Korea, etc.), but these are more targeted ones with a specific victim in mind.

With the new kind of Cyberwarfare, citizens of countries are being targeted en masse, with multiple attacks being placed on them.  In fact, it has gotten so bad that the International Committee of the Red Cross (also known as the “ICRC”) has come up with a guiding set of principles that is designed to minimize civilian casualties as much as possible.

The goal here is to identify and distinguish who a true combatant is versus an innocent bystander.  Here is what the ICRC came up with:

Ø  Do not direct cyberattacks against civilian objects.

Ø  Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately.

Ø  When planning a cyberattack against a military objective, do everything feasible to avoid or minimize the effects your operation may have on civilians.

Ø  Do not conduct any cyber operation against medical and humanitarian facilities.

Ø  Do not conduct any cyberattack against objects indispensable to the survival of the population or that can release dangerous forces.

Ø  Do not make threats of violence to spread terror among the civilian population.

Ø  Do not incite violations of international humanitarian law.

Ø  Comply with these rules even if the enemy does not.

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/establishing-new-rules-cyber-warfare)

It is important to keep in mind that this set of guiding principles is still very new, and the intended groups that this message has been designed to resonate with are not only the Cyberattacker ones, but also the so-called “Hacktivists”.  You don’t hear this term too often, so here is a technical definition of it:

“Hacktivism is the act of hacking, or breaking into a computer system, for politically or socially motivated purposes. The individual who performs an act of hacktivism is said to be a hacktivist. The hacktivist who does such acts, such as defacing an organization’s website or leaking that organization’s information, aims to send a message through their activities and gain visibility for a cause they are promoting.”

(SOURCE:  https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-hacktivism/)

So while the Cyberattacker is fueled by the ambition of money, the Hacktivist is much more motivated by political reasons to launch threat vectors.  However, the unfortunate news is that not a lot of these groups are expected to advocate the work advanced by the ICRC.  But in the long run, it is hoped that these eight principles can be used to bring Hacktivists to justice, in a court of law. 

The ICRC designed these principles to match up with international humanitarian laws, most notably those set forth in the Geneva Convention.  One anticipated drawback of all of this is that it will be extremely hard to distinguish between the real combatants and the innocent civilians. 

But at least this framework is a good start, and the ICRC should be highly commended for launching this effort.  Hopefully all of the known nation state threat actors will realize the gravity of the situation when they target innocent civilians.  More details on this initiative can be seen at the link below:

https://www.bbc.com/news/technology-66998064

Saturday, December 2, 2023

Why Is The US Behind The ROW For Cyber??? Find Out Here

I have mentioned quite a bit about the EU with regards to its ever-famous data privacy law, affectionately known as the “GDPR”.  While this does provide data security for end users, it has become a nightmare for business owners to keep up with.  Also, to make matters even more confusing and harder for organizations to come into compliance, it now seems like each of the member nations is coming out with its own set of data privacy laws.

One such country is Germany.  They have just recently come out with a new Cyber mandate, which is called the IT-SiG 2.0 mandate.  Here are some of the key provisions of this new legislation:

1)     Monitor in real time:

This tenet now forces German businesses, and even those international businesses that conduct transactions in the EU, to monitor threat vectors in their environment on a real-time basis, and counter them at the same time as well.  It also takes a realistic view in that it states that not all Cyberthreats can be mitigated.  It now mandates that every German business, no matter how large or small, must deploy these kinds of security technologies:

Ø  Intrusion Detection Systems

Ø  Security Information and Event Management (SIEM) Systems

Ø  Security Orchestration, Automation, and Response (SOAR) Systems

2)     Keep up the visibility

This new German law also requires that businesses must keep a constant vigilance on their Cyber Threat Landscape, and make best efforts to try to predict what the future will hold.  Just like the above, the following are also required, no matter what the size of the business is:

Ø  Regular Risk Assessments

Ø  Conducting Penetration Testing and Vulnerability Scans.

The CISA has something similar to this, and it is known as the “Binding Operational Directive 23-01”.  The caveat with this is that it only applies to Federal Government agencies, and not to the private sector.  More details on this mandate can be seen at this link:

https://www.cisa.gov/news-events/directives/bod-23-01-improving-asset-visibility-and-vulnerability-detection-federal-networks

This is Germany’s first step towards implementing a national Cyber strategy, which all businesses must follow.  Here in the US, the Biden Administration has come up with something similar called the “National Cybersecurity Strategy”, but once again its main focus is on Critical Infrastructure (which is good) and the Federal Government.

As far as I know, there has not been much emphasis placed on the private sector.  The other good provision that it does contain is that it highly recommends a close collaboration between the Federal Government, Corporate America, and academia.

More information about this can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/white-house-releases-implementation-plan-for-cybersecurity-strategy

Another key facet of this mandate is that it also strongly emphasizes less reliance upon the adoption of new technologies, and instead, making more strategic use of what is already in place.  In other words, less is better than more, and this is where the Risk Assessment will come into key play.

In response to this, the CISA came out with yet another new plan, which is called the “Cybersecurity Strategic Plan”.  It is meant to be active until 2026.  Once again, more details on it can be found here:

https://www.cisa.gov/news-events/news/cisa-cybersecurity-strategic-plan-shifting-arc-national-risk-create-safer-future

My Thoughts On This:

So as far as I can tell, the new German Cyber law focuses in on the following:

Ø  Combat the immediate threats.

Ø  Beef up the lines of defenses by constantly watching your threat environment.

Ø  Try to get a look into the future (AI would be a great tool to use here).

There has now been some clamor that the United States must follow the lead, like Germany has done.  But here is the key difference:  While here in the United States we have all of the Cyber provisions that we need, they have not been enforced across all 50 states.

So now the question comes: if other countries can make their provinces abide by a national strategy, how come the US can’t?  That is a tough one to answer.  I have always advocated for Federal Legislation for Cybersecurity, and having that flow down to all of the states, rather than having each state come up with its own version of the CCPA.

Another difference is that other countries, even those in Africa and the Middle East, are much more proactive than the US.  We are still reactive, and only react when something bad actually happens.  Even then, we still don’t always learn our lesson well.

Friday, December 1, 2023

How To Be AI Safe This Holiday Season - 4 Golden Tips

As we now start the last month of 2023, the one thing that is probably hot on your minds is the holiday shopping, and getting gifts for family and friends.  Usually electronic items are at the top of the list, but this time, you need to be especially careful, given the boom in AI and ML.  As I have written before, while these technologies do have great advantages, they also pose a grave security risk.

So, to keep your loved ones and even your business and employees safe, here are some quick tips to keep in mind as you go amuck with your shopping:

1)     Avoid free products:

Yes, we all like free stuff.  But with AI, play it safe here.  A lot of the new products and services that are coming out are still new, and in fact, many are still beta versions.  However, these vendors need test data in order to train their AI models.  While they could invite people to be guinea pigs for this, a popular route that they choose is to offer you a free AI product.  But be careful here.  This is probably a tactic to sucker you in to be one of those guinea pigs without notifying you ahead of time, especially if they do not say how your data will be collected and used.  Just remember that old adage here:  “You get what you pay for”.

2)     Review your agreement:

Technology vendors are notorious for having End User Licensing Agreements (also known as “EULAs”) that are long and hard to decipher.  They realize that many customers won’t have the patience to read through all of the legalese, and they will just go ahead and sign.  But when it comes to AI products, have your lawyer look over the EULA first.  It needs to spell out your data privacy rights, and how you can opt out of stuff.  If these clauses are not there, then this is a huge, red flag.

3)     Make sure your privacy is protected:

You may have heard of regulations like the GDPR and the CCPA.  These are data privacy laws that are meant to protect your private information.  But what most people do not know is that they don’t offer blanket coverage to everybody.  For example, the CCPA applies mostly to people who live in California, while the GDPR applies to businesses that conduct transactions mostly in the EU.  Therefore, if you really want to make sure that you’re getting the privacy you want, then consider upgrading to an enterprise version of the AI product and/or service that you want to get.  This will cost some extra money, but at least you know that the vendor will be protecting your privacy rights, and if they are violated, you will be afforded legal recourse.

4)     Confirm the vendors:

During this time, you need to be especially careful of scamming, especially those of Phishing emails and robocalls.  Before you purchase any AI product and/or service, always confirm that the vendor is for real.  This can easily be done by contacting your local Better Business Bureau, and doing some Google searches.  In this regard, pay careful attention to customer reviews.  Of course, there will be some negative ones, but if the good does not outweigh the bad, this should yet be another huge, red flag to you.

My Thoughts On This:

The bottom line is that AI is going to be with us for a long time to come.  It’s not going to disappear in any way, shape, or form.  While it can be exciting to use and give as a gift, it’s still very new to most people.  In fact, in the business world, company adoption of it is going to rise by at least 66% in the coming year.  (SOURCE:  https://www.nngroup.com/articles/ai-tools-productivity-gains/)

While nobody is immune to a threat vector from an AI product or service, the above tips should at least help mitigate those risks to a certain degree.  Just pay extra careful attention to where you are shopping this holiday season, and you should be just fine for a great time.

Beware Of That IoT Device You Are Going To Give As A Gift!!!

  As we fast track now into Thanksgiving and the Holidays, gift giving is going to be the norm yet once again.   To me, I think it should be...