Saturday, February 24, 2024

4 Golden Tips On How To Make Cybersecurity A Priority

With all of the tech layoffs that have been happening, the disappointing financial news from Palo Alto, the emergence of AI, etc., Cybersecurity is getting another look.  While the total number of attacks has gone down since last year, the number of extortion attacks has actually increased, in large part due to Ransomware.  More information about this can be found at the link below:

https://newsroom.orange.com/cyberextortion/

Also, with the complexities of the Cyber Threat Landscape changing almost every minute, now is the time for you, the CISO, to reevaluate your priorities when it comes to Cybersecurity.  So to help you get started, here are some starting points for what you should consider:

1) Everybody is responsible:

Unfortunately, in today’s world, everybody still thinks that combating security breaches is the sole responsibility of the IT Security team.  This couldn’t be further from the truth.  Everybody has a role in keeping their place of employment safe!!!  This has to be emphasized over and over again in order for all involved to fully understand it.  This even includes external parties, such as contractors, suppliers, etc.  Even more importantly, the mindset of the C-Suite has to change as well.  Yes, the buck stops with you (as the CISO) for Cybersecurity, but the responsibility has to be shared with everybody at this level, going all the way from the CEO to the CFO to the COO, etc.  In this regard, Cybersecurity should not be viewed as just an expense; rather, it must be viewed as an investment!!!  Bring things down to dollars and cents, and what any kind of downtime will mean.

2) Know thy data:

Believe it or not, even to this day, CISOs do not know where their data sets reside.  So, now you must take the time to get a grasp of this, and know exactly where everything is.  If needed, create a separate team to map out where everything is, including all of the databases.  Keep this document backed up, both as a hard copy and an electronic copy.  Make sure that it is updated at all times, no matter what.  Also, conduct regular audits of your datasets to make sure that no data exfiltration is occurring.

3) Have your plans:

When the COVID-19 pandemic hit, companies were in a huge scramble to figure out how to deploy their remote workforce.  A large part of this nightmare was due to the fact that none of these entities had a formal Incident Response (IR) plan in place.  This is a formal document which details how you will respond in the case of a security breach.  A future blog will outline the details of what should be included in this kind of plan.  But the bottom line here is that if you don’t have this in place, create one immediately, and practice it on a regular basis.  Even more importantly, update it with the lessons learned each time you practice it!!!

4) Keep training:

Keep training your employees on the sheer importance of maintaining strong levels of Cyber Hygiene.  There are different ways in which to deliver this kind of training, but make sure that it fits the role of the employees.  In other words, don’t take a one-size-fits-all approach; the training has to be customized in order for your employees to truly understand what is at stake.  Also, don’t make these just lecture sessions; make them interactive so that the audience can take something away from them, and apply what they have learned.

My Thoughts On This:

It is even more important now than ever to take Cybersecurity seriously.  Just because a security breach has not happened to you does not mean it will not happen down the road.  Spending some time and some money now will pale in comparison to the exorbitant costs you will face if you do become a victim!!!

Sunday, February 18, 2024

3 Effective Ways To Keep Up With The Cyber Landscape In 2024

The world of Cybersecurity as we know it today is always changing, and will forever be changing.  It will by no means be a static one, like perhaps it was in the late 20th century.  Given how everything is connected together now, the evolution of AI, the stealthier mindset of the Cyberattacker, etc., all of these will keep changing it for a very long time to come.

So the question now comes down to how a business, or even the CISO of a much larger organization, comes to grips with this and keeps up.  It will by no means be an easy task, and even trying to do it will be a full-time job.  So to get started, here are three key areas which will become important this year on the Cyber landscape:

1) Threat Hunting:

The bottom line here is that the days of simply doing these kinds of tests whenever you felt the need no longer suffice.  Many people have their own definition of what Threat Hunting is, but IMHO, this is a deep and comprehensive test that tries to find any threat actors or malicious payloads that have been deployed into your IT and Network Infrastructure.  It has been recommended that this kind of test be done at least once a quarter, but even now this is not proving to be enough.  It has come to the point that it needs to be done almost every day.  But the good news here is that the Cyber vendors who make these kinds of tools are fully aware of this, and are producing new services that will allow you to do this, such as Cloud-based deployments, so it remains highly affordable to you.  My recommendation is to start looking at this as soon as you can.

2) UEBA:

This is an acronym that stands for “User and Entity Behavior Analytics”.  Long story short, this is where you deploy the needed tools to keep track of how well your employees are keeping up on their Cyber Hygiene.  But the key difference here is that you will not just be getting a holistic picture, but rather, a full report on each and every employee of yours.  Given the advancements that have been made today, you can even get an entire picture painted for you of just how risky the behavior of your employee is.  Of course, you will need to tell them ahead of time how you will be watching them.  But once again, given how things are changing, you cannot take anything for granted.  This is especially true when hiring contractors.  Also, by deploying UEBA, you will get far better indications of when an Insider Threat could be happening.  Another key advantage of using UEBA is that it can create updated baseline profiles for you, on a real-time basis.  For more information about UEBA, click on the link below:

https://www.darkreading.com/cyber-risk/how-to-get-the-most-out-of-ueba

3) The rise of data:

There is no doubt that today there is a sheer explosion of data happening.  Not only can it be a nightmare to store all of it, but worse yet, it can be almost disastrous to try to keep up with the data privacy laws and their rules/regulations.  But data can carry a lot more meaning these days.  For example, Big Data sets often contain hidden trends that convey a lot of meaning, and can give you greater insights into your competition and customers.  But above all, it can even give you very subtle clues as to who is gaining access to your system, what times it is happening, etc.  But don’t attempt to do this all by yourself.  Rather, use both AI and ML to do this for you.  They can do it in just a matter of minutes, and give extremely granular insights into each and every bit of data that your business has.

My Thoughts On This:

For you, the business owner, this is of course a lot to digest.  But I always keep a motto:  Take things one day at a time.  The one nice thing about the Cyber community is that we all band together in a time of need.  So if you need help with any of the above-mentioned items, please reach out to me, or I can refer you to somebody else.

Also, stay tuned for future blogs on this very topic, focusing on other areas of concern that you need to be aware of.

Saturday, February 10, 2024

How To Correct Medical Device Cyber Weaknesses: 2 Golden Tips

The US Healthcare system has been regarded as one of the best in the world.  A lot of this has to do not only with the extensive amount of training that future doctors, nurses, and other practitioners have to undergo, but also with the fact that we are blessed with all of the advanced technology in the world.  Not many countries can say the same.

But there is one area in our great healthcare system that is still lacking:  Yep, you guessed it, it has to do with our Cybersecurity.  Attackers still love to pounce on the targets here, especially when it comes to the heisting of patients’ information and data.  But there is yet another area here where it is even more detrimental:  Implanted medical devices.

A good example of this is the pacemaker.  It is used to control the heartbeat, so that it maintains a proper rhythm.  But unfortunately, it is now accessible via radio control by the patient’s doctor.  While this is a good thing, it can be a bad thing also, because a Cyberattacker could take control of the pacemaker as well, and literally kill the patient wherever they are.

Luckily, to my knowledge, nothing like this has happened yet, but the potential for it is quite strong.  In response to this, the United States FDA has now mandated that all manufacturers of medical devices follow a principle called “Secure By Design”.  This is where certain kinds of controls have to be literally embedded into the device, in order to safeguard the security of the patient.

More information about the FDA requirements can be seen at the link below:

http://cyberresources.solutions/blogs/fda.pdf

More details about “Secure By Design” can also be found at the link below:

https://www.darkreading.com/application-security/lock-down-the-software-supply-chain-with-secure-by-design

An example of such a control is Multifactor Authentication, also known as “MFA” for short.  This is where at least three or more differing mechanisms are used to confirm the identity of an individual. 

But another problem now is that a lot of the healthcare providers are moving to the Cloud (such as AWS or Azure) in order to host the applications that support these medical devices.  As a result, this comes under the guise of what is known as the “Shared Responsibility Model”.  As a user of the Cloud, you actually share your resources with other “tenants” in order to keep your monthly costs down.

While this is of course a good thing, it can also be a bad thing, because now your datasets can theoretically become that much more accessible to malicious third parties.  The Cloud providers do give you the resources and the tools that you need to protect your part of the Cloud, but you have to take responsibility for making sure that they are configured properly to your security requirements.

But to make implanted medical devices more secure, it is recommended that the following steps be taken, and quickly:

1) The hospitals have to do their part:

Usually, the medical device vendors will provide information to the practitioners about the devices that they are interested in using.  An example of this is the “Manufacturer Disclosure Statement for Medical Device Security”, also known as the “MDS2”.  It spells out all of the details of the security features that a particular device has, and from there, the facility can make an informed decision as to whether to use it or not.  But the bottom line is that it must be read, and not just discarded!!!

2) Configure those devices:

The vendors will also have documentation on how to further fine-tune your procured devices to best meet your security requirements.  Heed these documents carefully also!!!  Most medical facilities don’t do this, and instead rely on the default settings.  Don’t do this!  This is where you will have more back doors open than you realize.

My Thoughts On This:

Another catalyst that is leading to the explosion of implanted medical devices is the Internet of Things, also known as the “IoT”.  The connections between devices still remain unencrypted, making them more of a risk to use.  Also, the growth of AI and ML isn’t helping matters much on the Cybersecurity front, either.

The best advice I can give here to the medical practitioners is to stay proactive, and make sure that every security control is used to the maximum extent possible.

Sunday, February 4, 2024

6 Golden Tips To Get Prepared For The CMMC Certification

For those companies in the defense sector, you know very well that the Department of Defense (DoD) is pretty much your main bread and butter.  But as the Cyber Threat Landscape has evolved, so have the security precautions that the DoD has put into place to make sure that whatever information is transmitted during and after the bidding process remains confidential.

To this end, they have implemented what is known as the “Cybersecurity Maturity Model Certification”, also known as the “CMMC” for short.  Long story short, this is where the Defense Industrial Base (DIB) and their subcontractors have to reach a certain level of Cyber certification before they will even be allowed to bid on any kind of contract.

The CMMC framework has been around for a number of years now.  In fact, there are two different versions of it.  In the first one, there were five different levels of certification that could be achieved, but with the newer version, there are only three.  In fact, the requirements have actually eased up a bit in this round to help defense contractors get their certifications quicker.

Although achieving CMMC certification at any level can be both a herculean and daunting task, as the CISO of a defense business, you have to realize that simply achieving it is not the end of your Cybersecurity efforts to beef up your lines of defense.  You will have to keep pushing through, no matter how hard and long the journey might be.

To this end, I came across an article by a 30-year veteran of the Cyber industry who echoes these same thoughts.  His mantra is “Harden”, and he has a six-step approach to this:

1) Harden your people:

This includes both the members of your IT Security team and the other employees in your company.  The best way to do this is through constant security awareness training programs, and holding simulated attacks.

2) Harden your Cloud:

Whatever Cloud platform you make use of, such as AWS, Azure, or GCP, make sure to use all of the tools that are available to you in your subscription to protect your IaaS, PaaS, and SaaS environments.  An important thing to keep in mind here is that you are ultimately responsible for the configuration of these tools, not your Cloud provider!!!

3) Harden the endpoints:

The term “endpoint” can be confusing, but for purposes of this blog, it simply means all of the devices in your company that are being used by your employees, whether they are on site, hybrid, or remote.  The best level of protection that you can offer here is to use what is known as an “Endpoint Detection and Response” (also known as “EDR”) solution to fortify all of those devices.

4) Increase your levels of both visibility and detection:

This simply means collecting all of the information and data from your network security devices into one central repository, such as a SIEM.  This will show you all activity on a real-time basis from just one point of view.  You can also make use of both AI and ML tools to help filter out the false positives, so that only the real and authentic alerts are presented to your IT Security team for appropriate triaging.

5) Keep hunting:

As a CISO, you can never assume that all of your weaknesses and gaps have been filled.  There will always be some, so you should always be engaged in both Penetration Testing and Threat Hunting exercises on a regular basis (at least quarterly).  Also, conducting Vulnerability Scans would be a good thing to do here as well.

6) Respond quickly:

The bottom line here:  If you detect a threat, respond immediately!!!  Don’t wait for seven months or so to detect it (that is currently how long it takes Corporate America to detect a security breach).  For this to happen, you must have the right Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans in place, and they must also be rehearsed on a regular basis.

My Thoughts On This:

Don’t wait to get CMMC certification to take these above-mentioned steps.  In fact, the DoD even recommends that the best way to get certified is for your company to be proactive on the Cyber front at all times, and take all of the steps that are necessary to protect your lines of defense.

Friday, February 2, 2024

The Top 3 Security Breaches Of 2023 & Why They Happened

I know that it seems kind of unusual to be posting about some of the top Cyberattacks that happened in 2023 (just last year), but I am going to take a shot at it now, and review those that were some of the major ones.  So, here we go:

1) MOVEit:

This has probably been one of the largest Cyber breaches that happened last year.  MOVEit is essentially a file transfer software package.  The malicious payload that was deployed into it was the ever-so-famous SQL Injection Attack.  Here are some of the stats on its large impact:

“*More than 62 million individuals were impacted.

*Over 2,000 organizations were breached.

*Approximately 84% of breached organizations are US-based.

*Approximately 30% of breached organizations are from the financial sector.

*$10 billion is the total cost of the mass hacks so far.”

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/top-3-data-breaches-2023-what-lies-ahead-2024).

This security breach demonstrated just how wide-scale a single piece of malicious payload can be.  In fact, it can even be likened to the SolarWinds hack, where just one backdoor was used to infiltrate and infect thousands of victims, which included some of the largest of the Fortune 500 companies and even the US Federal Government.

Although three major patches have been released, it still continues to impact victims.  Some of the notable ones include Sony Interactive Entertainment, the BBC, British Airways, the US Department of Energy, and Shell.  This truly represents a broad spectrum of industries and only proves that nobody is immune to a Cyberattack.
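Since the MOVEit breach came down to SQL Injection, here is what that bug class looks like in code, as an added example that is not code from MOVEit or from this blog.  It models the kind of query a file transfer service runs ("which files belong to this user?") against an in-memory SQLite table with constructed rows, first with the user-supplied value concatenated into the SQL text, then with the same query parameterized.  The table, the rows and the function names are assumptions made for the example.

```python
"""SQL injection: the vulnerable query beside its parameterized fix.

Added example (not MOVEit's code). Uses an in-memory SQLite database with
constructed rows so it runs offline.
"""
import sqlite3


def make_db():
    """Build a small constructed 'files' table like a transfer service might have."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", [
        (1, "alice", "q1-report.pdf"),
        (2, "alice", "payroll.xlsx"),
        (3, "bob", "notes.txt"),
    ])
    conn.commit()
    return conn


def files_for_owner_vulnerable(conn, owner):
    """BUG: untrusted input is pasted straight into the SQL text.

    A quote character in `owner` ends the string literal early, so the rest of
    the input is parsed as SQL syntax instead of as data.
    """
    sql = "SELECT name FROM files WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def files_for_owner_safe(conn, owner):
    """FIX: a bound parameter. The driver sends `owner` as a value; whatever it
    contains, it can only ever be compared against the owner column."""
    sql = "SELECT name FROM files WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both versions on the same input and return the two result lists."""
    conn = make_db()
    return files_for_owner_vulnerable(conn, owner), files_for_owner_safe(conn, owner)


if __name__ == "__main__":
    # A normal lookup: both versions agree.
    print(compare("alice"))
    # The textbook injection input: the vulnerable version returns every row,
    # the parameterized version returns nothing, because no owner has that name.
    print(compare("x' OR '1'='1"))
```

The point to take away is that escaping or "sanitizing" is not the fix; parameter binding is, because it keeps the query structure fixed regardless of the data.  A defence-in-depth version of the safe query would also take the owner from the authenticated session rather than from any request field at all.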

2) The Indian Council of Medical Research (ICMR):

This security breach has been deemed to be one of the largest in terms of data exfiltration.  Using the simple alias of “pwn0001”, the attackers exposed the names, addresses, and phone numbers of over 81 million Indian citizens.  They were also able to hijack the datasets from the COVID-19 databases owned and operated by the Indian Government.  More information about this can be seen at the link below:

https://www.thehindu.com/news/national/us-cyber-security-form-indicates-data-breach-sourced-from-icmr/article67477424.ece

Here are some of the stats of this breach:

“*5 million breached personal records and COVID test details from the New Delhi-based organization.

*90GB of data offered for sale for $80,000.”

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/top-3-data-breaches-2023-what-lies-ahead-2024).

This Cyberattack simply underscores the need to keep auditing the controls that you have in place for protecting your information and data, and the need to have an effective response plan in place to contain any breaches like this.

3) 23andMe:

In this particular Cyberattack, credential stuffing was the main threat vector that was used.  Login information (such as usernames and passwords) was hijacked, and the attackers were able to gain access to private data, which included the following:

*Names

*Email addresses

*Dates of birth

*Genetic ancestry and history

Here are the stats of the impact:

“*9 million user accounts were compromised — about half of the company's users.

*More than 5.5 million customer records were scraped and leaked.

*$6 is the average black-market price of a breached account.”

(SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/top-3-data-breaches-2023-what-lies-ahead-2024).

This security breach only underscores the need to deploy and maintain strong levels of Cyber Hygiene, as well as the need to implement Multifactor Authentication (also known as “MFA”).
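Credential stuffing leaves a recognizable footprint in authentication logs: one source trying many different accounts in a short window, mostly failing, with a few successes mixed in where a reused password happened to be valid.  The detector below is an added example, not 23andMe's code or this blog's; it runs over constructed log lines (documentation IP ranges, made-up usernames) and reports, for each flagged source, which accounts actually succeeded, since those are the ones to force through a password reset and MFA enrollment.  The log format and thresholds are assumptions made for the example.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example, not from the post. Constructed log format:
    "<ISO time> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
Signal: one source IP attempting many DISTINCT accounts inside a time
window with a high failure ratio.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STUFFING_SRC = "203.0.113.7"   # constructed; 203.0.113.0/24 is a documentation range

LOG = [
    # Ordinary users (198.51.100.0/24 is also a documentation range).
    "2024-02-01T10:00:00 198.51.100.23 alice LOGIN_FAIL",
    "2024-02-01T10:00:20 198.51.100.23 alice LOGIN_OK",
    "2024-02-01T10:01:00 198.51.100.24 bob LOGIN_FAIL",   # bob forgot his password:
    "2024-02-01T10:01:30 198.51.100.24 bob LOGIN_FAIL",   # many failures, but on
    "2024-02-01T10:02:00 198.51.100.24 bob LOGIN_FAIL",   # ONE account, so not stuffing
] + [
    # A stuffing burst: 12 different accounts in 44 seconds, two of which succeed.
    "2024-02-01T10:05:%02d %s user%03d %s"
    % (i * 4, STUFFING_SRC, i, "LOGIN_OK" if i in (3, 9) else "LOGIN_FAIL")
    for i in range(12)
]


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.5):
    """Return one alert per source IP whose busiest window looks like stuffing."""
    by_ip = defaultdict(list)
    for line in lines:
        when, ip, user, result = parse(line)
        by_ip[ip].append((when, user, result))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window over this IP's events and keep the one that touches
        # the most distinct accounts.
        best_users, best_window, start = set(), [], 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) > len(best_users):
                best_users, best_window = users, win

        failures = sum(1 for _, _, r in best_window if r == "LOGIN_FAIL")
        ratio = failures / len(best_window)
        if len(best_users) >= min_accounts and ratio >= min_fail_ratio:
            alerts.append({
                "src_ip": ip,
                "accounts": len(best_users),
                "failures": failures,
                "successes": len(best_window) - failures,
                # Accounts the attacker got into: these need reset + MFA step-up.
                "succeeded": sorted({u for _, u, r in best_window if r == "LOGIN_OK"}),
            })
    return alerts


def accounts_needing_step_up(alerts):
    """Union of compromised accounts across all alerts, for the IR ticket."""
    return sorted({u for a in alerts for u in a["succeeded"]})


if __name__ == "__main__":
    found = detect_stuffing(LOG)
    for alert in found:
        print(alert)
    print("force reset + MFA for:", accounts_needing_step_up(found))
```

Counting distinct accounts per source, rather than failures per account, is what separates stuffing from an ordinary user mistyping a password, which is why bob's three failures do not alert.  The reason the post's MFA takeaway matters is visible in the output: the two "LOGIN_OK" lines are valid passwords, and only a second factor stops a valid-but-leaked password from becoming account access.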

My Thoughts On This:

As I said earlier in this blog, nobody is immune to becoming a victim of a Cyberattack.  As I have said time and time again, the key is in mitigating that risk.  Corporate America really needs to step up to the plate and take accountability for all of the datasets that are in their possession.  They have to realize that we, as US citizens, are trusting them with the safekeeping of them.

They need to know where all of the datasets reside, and continually do Risk Assessments, not only to make sure that the controls protecting them are optimized, but to address and quickly remediate any gaps or weaknesses that have been found.

Also, the need to keep training employees is a must to make sure that they are maintaining their contributions to a high caliber of Cyber Hygiene.  Also, companies need to make sure that they have all of the right plans in place in order to contain the breach, should it happen.

These include the Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) Plans.  They must not only be documented, but they must also be practiced on a regular basis to keep them updated.
