Sunday, March 31, 2024

Why Hackers Are Now Breaking Their Own "Ethics"

 


It was just yesterday that I was writing a tentative outline for a possible course on Continuing Education (CE), at a nearby Junior College.  The proposed topic is on Penetration Testing, and I even wrote a blurb on the outline as to how Pen Testers are actually “Ethical Hackers”.  If you are new to Cybersecurity, you may be wondering, “OK, what is exactly hacking that is Ethical?”  Well, it does exist, and here is a technical definition for it:

“Ethical hacking is the use of hacking techniques by friendly parties in an attempt to uncover, understand and fix security vulnerabilities in a network or computer system.”

(SOURCE:  https://www.ibm.com/topics/ethical-hacking)

So as you can see from the above definition, the operative word is “friendly”.  In the world of Penetration Testing, the guys that do the actual hacking belong to what is known as the “Red Team”.  But they can only carry out their planned hacks with explicit and written consent for the client that they are doing it for.  But this now brings up another key point.

Even with the traditional “bad guy” hackers, there used to evolve a code of “Ethics” as well.  Hacking has been around since the 1960s, and since then, a certain code of cadence was created.  Examples of this include the following:

*Any entity that involved healthcare, and the delivery of life saving services, were completely of limits.  This means primarily hospitals and ERS.

*Critical Infrastructure could not be touched.  If it were to be, it would be considered an act of war by the impacted country, with the repercussions unthinkable (perhaps even a nuclear war).  But it is important to keep in mind here that Cyberattackers are pushing the envelope as far as they can, with the prime example being that of the Colonial Gas Pipeline attack.  Although the actual pipeline was not affected, it did affect the financial markets and the supply chain in a cascading effect.

More details on this can be seen at the link below:

https://www.cisa.gov/news-events/news/attack-colonial-pipeline-what-weve-learned-what-weve-done-over-past-two-years

*Individuals and businesses that were going to become a victim could only be hit once, and not anymore. 

*The COVID-19 pandemic also ushered in a new era of “bad guy” hacker Ethics, especially in the way of not targeting testing places and those entities providing the much-needed vaccinations.

But after the pandemic eroded away (it is still technically here, though), the rules of “Ethical Hacking” by the Cyberattacker has changed greatly. This has been brought up a lot by the covertness, stealthiness, and sophistication of Ransomware attacks.  For example, we are not just seeing computers being locked up and files encrypted, we are now seeing it in its worst form ever.  This includes the selling of PII datasets on the Dark Web and conducting Extortion like Attacks.

A lot of the disappearance of a kind of good gestures in “bad guy” hacking has been catalyzed by two main factors:

1)     The increased interconnectivity with just about everything (primarily brought on by the IoT).

2)     The advent of Generative AI.

In my own view, it is the latter which is the dominant force here.  For example, a Cyberattacker can easily create the source code for crafting a piece of malicious payload that can be deployed to launch a Supply Chain Attack (like the Solar Winds hack), or even use it to create a Phishing Email that it is almost impossible to tell the difference between a real one a fake one. 

Another unfortunate catalyst driving this new trend is the fact that many of the hackers are now getting much younger in age.  In fact, with so much that is available online and on the Dark Web, even a novice still in junior high school and rent a service called “Ransomware as a Service”, and have a third party launch a devastating attack for literally pennies on the dollar.

Also in the hacking circles, it has even become a badge of honor to attack high value targets, such as companies that are in the Fortune 500.  In fact, the Cyberattackers in this regard have become so brazen that will even leverage the media to their own benefit in order to fully advertise what they have done.  In a horrible sense, this is how a Cyberattacker adds to their “resume”.  More details on this can be seen at the link below:

https://www.darkreading.com/threat-intelligence/ransomware-gangs-pr-charm-offensive-pressure-victims

But this has also led to the take down of the more traditional Ransomware groups, such as “Black Cat”.  Heck, even Cyberattackers are snitching on their own brand so that they can remain at the top of the hacking list, with the “best reputation” that is possible.  More information about this can be found at the link below:

https://www.darkreading.com/cybersecurity-operations/feds-snarl-alphv-blackcat-ransomware-operation

My Thoughts On This:

Back in the day, hacking simply meant that somebody would just break into a computer system just to see what it contained, it was just a “curiosity” based attack.  But as it has been described in this blog, this is no longer the case.  Going into the future, just simply expect the worst.  Things will not get any better.  The more that you try to fortify your systems, the more the Cyberattacker is going to pound on your door.

For more information on what is expected in the way of hacks for 2024, click on the link below:

http://cyberresources.solutions/blogs/2024_Hacks.pdf

Sunday, March 24, 2024

How To Improve Your Code Signing Process: 6 Golden Tips

 


With the advent of AI, one of the biggest issues that face all businesses and individuals alike is making sure that whatever receive is actually legitimate.  This could be in the form of an Email, phone call, or even a legitimate piece of mail. 

With all of the advances that are taking place, especially in that of Generative AI, creating illegitimate content that looks real, but is phony is very hard to discern.  For example, as this next Presidential Election cycle comes up in jut a matter of months, the issue of Deepfakes will come about.

This is where the Cyberattacker will try to create a video impersonating one of the candidates, which will look like the real thing.  From here, the video will then prompt you to a fake site, which will ask you to enter your username and password, which then the Cyberattacker will collect. 

More than likely, you will also be prompted to make a donation of sorts, but that money, once submitted will be sent over to a phony bank account, never being able to be recovered again.

Another example of this, is the source code that software developers use in order to create web based applications.  Very often in this regard, open-source APIs are used to help create and deliver the project quicker to the client. 

But the problem here is that the libraries and repositories that host them don’t keep them updated, or even replace them when newer or updated versions of the same APIs come out.

To help alleviate this problem, a procedure called “Code Signing” is used.  This can be technically defined as follows:

Code signing is the process of applying a digital signature to a software binary or file. This digital signature validates the identity of the software author or publisher and verifies that the file has not been altered or tampered with since it was signed. Code signing is an indicator to the software recipient that the code can be trusted, and it plays a pivotal role in combating malicious attempts to compromise systems or data.”

(SOURCE:  https://www.digicert.com/faq/code-signing-trust/what-is-code-signing)

Put in simpler terms, this is a more sophisticated way of confirming that the source code (or piece of it) that you receive is actually legitimate coming from the real source.  But this too has been wrought with difficulties, with the recent Solar Winds hack.  In extra effort here as well, he Certificate Authority/Browser , also known as the “CA/B” Forum launched a new set of guidelines for maintaining code-signing certificates.  More information about this can be seen at the link below:

http://cyberresources.solutions/blogs/Code_Signing.pdf

But apart from what is also available, there are a certain number of steps that you and your IT Security team should take as an extra, proactive step.  Here are some suggested guidelines:

1)     Secure the Keys:

Although this option is available for both On Premises and Cloud based deployments, it is far more efficient if you have the latter.  For example, Microsoft Azure has specific vaults that you can create and deploy for this very purpose.

2)     Access Control:

The use of Role Based Access Control, also known as “RBAC” is very important here.  For example, you would give a Network Administrator control to maintain the servers at your business, but you would not give these to your administrative assistant.  So therefore, the Code Signing Process should be only limited to those individuals that are intimately involved in the creation of the source code.  Further, all of the rights, permissions, and privileges that you give them, must be monitored closely.  All of this falls into an area which is known as Privileged Access Management (PAM), and will be examined in a future blog.

3)     Implement a Rotation Schedule:

As the name suggests, you should never ever use the same Code Signing Key over and over again.  The best practices here would mandate that for each source code release that you make, a new set of Keys has to be created.  If even one Key is compromised, all subsequent releases associated with that Key will also be affected.

4)     Have Time Stamps:

For each source code release, the Code Signing Key must have a time stamp to it, and have the sender notify of you when it has been sent.  Anything that has a long-time interval should be a big red flag, as this could indicate the source code could have been altered maliciously.

5)     Check the Integrity:

Always check the integrity of the Code Signatures.  If there was more than one that is required, have each software confirm the validity of it before it is released.

6)     Keep it simple:

Whatever methodology you make use of for your Code Signing Procedures, make sure you keep it simple, so that not only will it be quick to deploy but whatever security policies you use to keep it safe will also be easily enforced.  Just as important, make sure that you keep this process centralized, so that whoever from the IT Security team will be managing this will have clear transparency into it. 

My Thoughts On This:

Other key factors that need to be taken into consideration include the following:

*Mapping Policies

*The type of Certificate Authority that you want to make use of

*A defined approval process

*Setting up expiry dates for the Code Signing Keys

*The kinds of Cryptographic Algorithms you want to use

Also keep in mind that the police and procedures that you have in place will need to be evaluated and updated on a regular basis, as the Cyber Threat Landscape keeps changing and becoming more complex.

Sunday, March 17, 2024

How To Conduct A Quick Cyber Assessment - 4 Golden Tips

 


Whenever a business is hit by a Cyberattack, the first priority of course is restore mission critical applications as quickly as possible.  Then from there it is all about dealing with the fallout from it, especially when it comes to facing customers and possibly law enforcement.  Then the last thing on your mind would be to conduct a detailed forensics investigation to examine what led to the breach, and how it can be avoided again.

But there is still a question that will linger in your mind”  “Who was the Cyberattacker that launched this variant against my business?”  While it is easier now to determine this when compared to the past, it is still a 50-50 proposition.  And in the end, you may even not think it’s worth it, because after all, if the Cyberattacker is in a foreign country, how will you bring them to justice?

In fact, this entire process that I have just portrayed is technically called “Attribution”.  More information about this can be seen at the link below:

https://www.darkreading.com/cyberattacks-data-breaches/how-to-identify-cyber-adversary-standards-of-proof

But maybe its time to take a step back now, and assess the chances of you becoming a victim.  I don’t mean that you have to follow a NIST or CISA based framework to the letter, but take a simple, real-world  approach to it.  Here are some tips to do this:

1)     Examine your own business:

Take a very close stock of your business model.  Take a close look at all of the digital and physical assets that you have, and then ask yourself this very basic question:  “What is it a potential Cyberattacker will go after?”  Of course, this will primarily depend upon what you have, but also keep in mind that a Cyberattacker will try to get access to something low on the totem pole in order to get to something much higher and valuable, like the database that holds the passwords of your employees and customers.  In other words, follow this quote:

               “Know your enemy and you will win a hundred battles; know yourself and you will win a     thousand."

               (SOURCE:  https://www.darkreading.com/cyberattacks-data-breaches/how-to-identify-cyber-   adversary-what-to-look-for)

2)     Your security tools:

This is a subject that I have written about before, on many occasions.  But in this instance, ask your IT Security team took a quick look at what you really have, then ask yourself these questions:

*How many brands come from just one vendor?

*How many come from multiple vendors?

*Is it possible to cut down on what I have and strategize?

*How much time does it take to make sure that each device is always optimized?

If your business still has the traditional Perimeter Defense model, then going after these security devices will be amongst the first choices for the Cyberattacker to go after.  After all, once they break through this, they can get access to just about anything.  But if you have the Zero Trust Security model, then this is entirely different.  But the bottom line here is that you want to consolidate all of your security tools, and deploy them in the most strategic areas.  And if possible, try to stick to just one or two vendors for all of this.  It will make it a lot easier for the IT Security team to manage, and will not have to parse through so many varying log output files.  The moral of the story here:  With too many tools, your attack surface is greatly increased!!!

3)     Timing:

Examine how long it takes you to actually detect and respond to a security breach.  Believe it or not, it takes a business an average of seven months to do this.  The metrics that reflect this are known as the “Mean Time To Detect” and the “Mean Time To Respond”, also known as “MTTD” and “MTTR”, respectively.  You will want to of course respond to a breach and contain as soon as possible.  But try also to set specific goals for yourself as well.  For example, it should take no longer that three hours to detect and contain a breach, should it ever happen.

4)     Examination:

Finally, take a look at your own IT and Network Infrastructure.  For instance, or are you still 100% On Prem, or in the Cloud, using something like the AWS or Microsoft Azure?  Or are you still using a Hybrid based approach?  If you are still On Prem, you are putting your business at grave risk, IMHO.  You are far better off going to a total, 100% Cloud based infrastructure.  At least with this, you will get, for the most part, all of the tools readily available to protect your infrastructure.

My Thoughts On This:

Finally, make some time to study the various methods that Cyberattackers have used in the past in order to launch their malicious payloads.  Most of this should be available online, especially from either NIST or CISA.  Finally, remember to take the above-mentioned steps from a holistic approach, and above all, be honest to yourself when you do this kind of informal assessment.

Saturday, March 16, 2024

ChatGPT Versus Gemini: Which One Comes On Top???

 


I have been writing about AI a lot lately, especially when it comes to Generative AI.  In fact, I am authoring an entire book on the subject matter.  But somehow or another, we tend to think that ChatGPT is the only Gen AI tool that is out there for the consumer.  However, this is far from the truth.  There are many others, and one that is starting to gain some attention is from Google, which is called “Gemini”.  This was actually formerly known as “Bard”.

Interestingly enough, I came across an article this morning which compares the two in a side-by-side matchup.  So here we go:

1)      The creation of diagrams:

If you are a technically oriented person like I am, then creating diagrams in your content (whatever it may be) is important to illustrate key points.  I am not a very good graphics designer, so I rely heavily upon the tools that I have available to me in Word.  But which of these tools is better?  The author felt that Geminin did a far better job in composing a technical diagram, whereas ChatGPT totally fizzled out.  In fact, it suffers from a phenomenon called “Hallucination”.  What is it you may be asking?  Well, here is a definition of it:

“AI hallucinations are incorrect or misleading results that AI models generate. These errors can be caused by a variety of factors, including insufficient training data, incorrect assumptions made by the model, or biases in the data used to train the model.”

(SOURCE:  https://cloud.google.com/discover/what-are-ai-hallucinations#:~:text=AI%20hallucinations%20are%20incorrect%20or,used%20to%20train%20the%20model.)

In other words, you don’t get the output that you were wanting to get, despite the fact that the Gen AI model probably has been trained over 100X.

2)     Explaining Diagrams:

If an end user sees a diagram, and they don’t understand, the first inkling will be to ask for help interpreting it.  Of course, this is where Gen AI can come into play.  The author of the article found that while both ChatGPT and Gemini suffice for the need, the latter is a bit less wordy than the former.

3)     Examining Log Files:

One of the life bloods for the IT Security team in figuring out if anything is going wrong are to examine the log files that have been outputted by the network security devices.  It can take a long time to do this manually, so Gen AI can help here.  Which tool is better?  When presented with an actual log file, both analyzed it the same way.  But Gemini was a bit more concise than when compared to ChatGPT.

4)     Creating documentation:

Having Incident Response/Disaster Recovery/Business Continuity plans are a must for any business.  When the two tools were asked to create a sample plan, the author found that Gemini did a better job in understanding what the exact requirements were.

5)     The Creation of Source Code:

Creating scripts is one way for the IT Security team to help automate routine and mundane tasks, such as those found in Penetration Testing and Threat Hunting.  When these tools were asked to produce a few lines of a script code, both came  out as equal winners.

6)     Data Analysis:

When both were asked in this regard, Gemini was a clear loser.  It only suggested ways to analyze the metrics, whereas ChatGPT actually did the task to varying degrees, by making use of its “Data Analyst” plugin, which allows for Excel files to be ingested into the Gen AI model.

7)     Creating phony Phishing attacks:

One of the best ways you can find out if your employees are paying attention to your Security Awareness training is by launching a mock Phishing Email attack, and see who falls prey to it.  When Gemini and ChatGPT were asked to create a mock Phishing Email, the author found that Gemini created a more succinct and deceptive message versus ChatGPT, which created a wordy one.

8)     Data Privacy Laws:

Let’s face it, the wording in the GDPR, CCPA, HIPAA, and any other sort of compliance framework can be a nightmare to understand.  So what do you do in this particular situation?  Well ask Geminin or ChatGPT for help.  The author did this exact thing, and found out Gemini was better than Chat GPT in this regard.

My Thoughts On This:

So, you now may be asking, which one should I use?  From what I read in the article and wrote about in this blog, it seems that Gemini has the upper hand here.  But, try both for yourself and see which ones provide the best output for your needs.

For more help on which on to use, click on the link below:

https://www.darkreading.com/cybersecurity-operations/why-chose-google-bard-help-write-security-policies

 

 

Sunday, March 10, 2024

How Biometrics Is A Double Edged Sword In Cyber

 


I have been in IT Security for a long time, probably at least 20+ years.  I first got started in the Biometrics field.  Of course, I had no idea what this was all about, so I had to teach myself a lot about what the technology is.  From there, I started the first security gig, in which I was reselling Hand Geometry Scanners and Fingerprint Scanners from two leading vendors. 

I had to define my market, and I decided to focus on Physical Access Entry applications.  This is simply meant that I would present these two devices as a means to replace the traditional lock and key.  I thought that this would be more or less an easier sales cycle, because who wouldn’t want an automated to open up their doors?

Well, I was proved wrong, and in a big way.  Even despite the craze that Biometrics got after the 9/11 attacks (especially that of Facial Recognition), people simply either did not understand it, or simply just did not care about it.  So as result, I found myself educating people about it, more than selling it.  Of course, I did not make much money in those years that I had the business, but this new path put me on a different trajectory.

I ended up closing down this first business, and opened up a new one 15 years ago.  This focused on content generation about Biometrics, such as authoring articles and doing podcasts with top Biometrics vendors.  I even wrote and published three books on this subject through a leading publisher, CRC Press.  But now fast forward some 20 years later to the present time.

Where is Biometrics today?  Honestly, I have been out of the field for too long to see where the trends are.  One fact that I do know of is that is has received strong as being used as an authentication mechanism for an MFA solution.  In this regard, both Fingerprint Recognition and Iris Recognition have received a lot of attention.

But even despite the good that Biometrics can bring to an organization, it is one of those technologies that still receives more negative attention.  And now, it may be at its worst.  Just in November of 2023, the Department of Defense (DoD) released a detailed report about the specific weaknesses of Biometrics.  This report can be downloaded at this link:

http://cyberresources.solutions/blogs/DOD_Biometrics.pdf

But to just summarize, here are the some of the major weaknesses that were reviewed in the report:

*Data Theft:  This was compared to stealing a password, and from there, access to just about anything can be yielded.

*Spoofing/Impersonation:  There were instances where something like a Fingerprint Recognition Template was hijacked, and spoofed in order to gain access to a high secure area.

*Data Privacy:  Just like AI, Biometrics are often viewed as a “black box solution”.  Meaning, you give it the input, and from there, you get the output, with no knowledge as to how the insides of the system work.  This has led to huge concerns with respect to data protection and privacy.

*Integration:  From the best of my knowledge, it appears that Biometrics is not being heavily used as a standalone solution.  Rather, it is being used as an add on, such as in MFA, as reviewed earlier.  So, there are integration challenges here as well, especially if Biometrics is going to be used to further secure our Critical Infrastructure.

My Thoughts On This:

In fact, Biometric data is now viewed as “Personal Identifiable Information” (or “PII” for short).  Because of this, they are now prone to the data privacy laws such as the GDPR, CCPA, HIPAA, etc.  More details on this can be seen at the link below:

https://www.darkreading.com/cyber-risk/thought-gdpr-compliance-was-hard-buckle-up

Now again, I am not sure about all of the technological advancements that have occurred in the recent with regards to Biometrics, one thing I can tell you for sure is that when an image of a fingerprint is captured, it is usually converted over into a mathematical file.  In this case, it would be a binary one, which is represented as a series of 1’s and 0’s, like this:  1100010101000100111.  So if you think about it, if a Cyberattacker were to steal this, what can they do with it?

IMHO, not much really.  It’s not like stealing a credit card number.  And for that matter, there should really be no issue at all with data privacy laws, unless the end user has some sort of extremely unique identifier that is associated with their particular Template.  I can agree with the last point, but in terms of spoofing, I still find that a little hard to believe.

One of the only ways I can see this happening is if an image of a fingerprint has been left on the sensor, and has not been completely wiped away.  If you choose to use Biometrics as means of defense, my best advice would be to deploy it with the same amount of caution as you would with other Cyber related devices, and use the same approaches to make sure that it will work well in your particular environment.

Saturday, March 9, 2024

The Top 3 Voting Risks You Need To Know About For The 2024 Elections

 


I am the first in my family to have been born in the United States.  I am very proud of that fact, and I remember watching the Presidential Debates with awe.  Even watching the primaries and the general election was fun.  But fast forward to today, and nobody can ever believe that this would have happened.  An election that could be potentially won based on fear and violence.  But this is the awful reality of it now, and while extremely unfortunate, it must be dealt with.

Much of the danger comes because of the Cyber risks that are now posed when voting for the President of the United States.  To this end, the nation’s lead Cyber agency, the Cybersecurity and Infrastructure Security Agency (also known as “CISA”) is taking front and center stage to help protect the election process that will be coming up in November of this year.

Here are some of the key steps that are taking:

*They have set up an Elections Operations Center, headquartered in Alexandria, VA.  One of the main missions of this entity is to collect intel on a real time basis and share that will everybody involved.

*They have conduct face to face, live Security Awareness Training programs for both state and local officials.  This includes such things as Tabletop exercises, and just general awareness of what to look out for in both Phishing and Social Engineering plots.  Training is also being provided in containing DDoS and Ransomware attacks, which are also grave threat variants.  More information about this can be seen at the link below:

https://www.darkreading.com/ics-ot-security/bangladeshi-elections-ddos-crosshairs

*They have launched the “Protect2024” website.  The link for this is:  https://www.cisa.gov/topics/election-security/protect2024  This site offers a lot of key information for election officials to use when it comes to fortifying their voting stations.

One of the other major threats to the election this year is of course once again, AI.  But in this regard, the biggest variant are what are known as “Deepfakes”.  This is where Generative AI can  be used to replicate a political candidate in a fake video.  Very often, these videos will be asking for campaign donations, with a link that you can click on.  But be extremely aware of this, as your money will most likely be sent to a phony overseas account.

But yet another threat which looms on the horizon has nothing to do with AI or Cyber.  Rather, it is the old tactic of planting doubt in people’s minds.  For example, if you keep telling a lie enough times, not only will you start to believe it, but others around you will also.  This is what Trump was trying to do in the last Presidential Election, when there was no evidence to show whatsoever that there was any kind of voter fraud that was taking place.

The worst part of this came when Trump refused to concede the fact that Biden had won the election.  This is the first time in history that it ever happened, and that planted more seeds of doubts in people’s minds.  More details about this psychological phenomenon can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/battling-misinformation-during-election-season

Of course, the viral nature of Social Media does not offer any help to this situation either.  In an effort to help American citizens think clearly and not to be swayed by misinformation, CISA has also launched another website called “Rumor versus Reality”.  This is the link for it:  https://www.cisa.gov/topics/election-security/rumor-vs-reality  It provides a lot of good tips and useful information so that you will not be influenced in any way, and cast your vote in an objective manner. 

Also, as sad as it is, there is also the physical threat to election workers.  Its’s not just to them, but it has been extended to their families as well.  This was all played out after the last Presidential Election, when many election workers came forward and testified under oath in front of Congress the utter hell that they went through with these threats.

In response to this, 14 states have passed tough legislations against threats made to election workers.  To help enforce this, a “watchdog” group has been created, called the “National Conference of State Legislatures”.  The details of their work can be seen at the link below:

https://www.ncsl.org/elections-and-campaigns/state-laws-providing-protection-for-election-officials-and-staff

For more details on the specific threats that election workers faced in 2020, visit the link below:

https://electionlab.mit.edu/articles/online-hostility-towards-local-election-officials-surged-2020

My Thoughts On This:

I highly doubt that are forefathers ever thought in their wildest dreams that the land they envisioned to be the United States of America would ever turn out to be like this.  As much as I hate to say, we have become the laughingstock of the world.  I can remember during the days of Reagan and Bush elder we were held in high prestige.

I even remember going to India during these times, and all of my relatives kept asking me:  “What is like to grow up in America?”  Of course, my answer back then was far more different than what I would give now.  But anyways, as the voting season comes closer, try not to be swayed by any misinformation.  You vote for the candidate that you think will be the best for this great country.

And in terms of the Cyber threats, visit the CISA sites on which I out the links to on this blog.  They will probably be your greatest source of objective information and data.  Also, follow this old adage:  “Always trust your gut.  If something feels right, don’t do it”. 

Good luck with the voting!!!

Sunday, March 3, 2024

The Clash Between AI & Data Privacy: How It Can Be Resolved

 


One thing that is for sure is that there are a lot of data privacy laws out there.  As I have written about many times before, some of the most notable ones are the GDPR, CCPPA, and HIPAA.  In the simplest terms, they have tenets and legislations embedded into them to make sure that businesses are maintaining all of the needed controls in order to make sure that the datasets that they have in their possession about their customers and employees are in safe hands.

There is much more to it of course, but the good news is that at least there are the regulators out the who are watching these companies, and should they go astray, they will come under the eyes of a comprehensive audit and possible financial penalties.  But the main problem here is that at least in the United States, there is no one central law that can handle all of the 50 states.

In other words, there can be 50 different privacy laws created each with their own set of requirements and caveats.  So, what if a business owner transacts business in all of the states, is he or she still responsible for becoming compliant with them?  The short answer to this is yes.   It will of course be a herculean task to accomplish, but whether it is fair or not, they will ultimately be held responsible.

Now, there is another issue which is further compounding this problem even more:  The explosion of AI on a global basis.  Obviously, AI models will be holding and transacting a ton of information and data.  After all, that is how they function and operate.  Because of the “black box” nature of AI, many people are now concerned about how they personal data will be protected here as well, and rightfully so.

So far, 8 states in total have come out with their own version of a data privacy law, and some of those include Oregon, Montana, and Texas.  Privacy surrounding the use of AI has also been addressed in these pieces of legislation.  But, even from within these states, these laws are wildly different.  For example, because of its much smaller population size (only about one million), the threshold of what constitutes data privacy has been set much lower, thus resulting in a lower ratio of audits and penalties if businesses are not compliant.

In terms of Texas, they have spelled out various financial thresholds in which businesses have to meet certain data privacy requirements.  For example, an organization that produces far less revenue will not be held to nearly the same standards as one that is a Fortune 500 company.  And in Oregon, the data privacy laws have been extended to include protection for linked devices (such as IoT based ones), to fitness watches, to even transgender health records.

So now as AI becomes much more entrenched into American Society, these data privacy laws will have to be adjusted on a big-time basis in order to accommodate and take into these advancements.  Here are four top trends to be on the lookout for as this year continues to unfold:

*Data leaks and exfiltration from Large Language Models (LLMs), which is a component of AI.

*Using existing customer information to train new AI models, without their knowledge or consent.  A good example of this is the recent fiasco with Zoom.  More details about this can be found at the link below:

https://www.darkreading.com/cybersecurity-analytics/following-pushback-zoom-says-it-won-t-use-customer-data-to-train-ai-models

*Expect more passage of widely varying data privacy laws from states located in the Northeast sector of the United States.

*Many unforeseen security breaches will occur as businesses continue to adopt AI on a rapid scale. To this effect, the Federal Trade Commission (FTC) will be a key regulatory body here.

*The Presidential Election of this year will only heighten the negative uses of AI, especially when it comes to Deepfakes, Phishing email attacks, and phony websites asking for political donations.

*There will be an increased awareness in terms of determining who owns the data, and under which data privacy law it should fall under.  This is also known as “Data Sovereignty”.  For example, suppose you run an online business, and you store all of your customer’s information and data in the Cloud.  Who owns it?  You? Your Cloud Provider?  Also, which data privacy law should it fall under?  The CCPA, or the GDPR?

My Thoughts On This:

Right now, it is the United States Federal Government who is our best friend right now to make sure that the states follow data privacy and protection.  In fact, the Biden Administration has passed some key pieces of legislation and even Executive Orders (EOs) to enforce this.  But the problem is that the technology is advancing far too rapidly than what the laws can keep up with.

For example, if a set of law is passed today, it will quickly become outdated tomorrow with the pace of innovation that is taking place in AI today.  One way to possibly resolve this to some degree is to have another department within the Federal Government called the “Department of Cybersecurity”.  From here, all of the AI and data privacy laws can be created and passed here, then trickling down to all of the 50 states.

The prime benefit here will be that there will be just one common set of standards and best practices, with no wild variations in the legislation, as we are seeing today.

Saturday, March 2, 2024

What The MTTR Is & How To Improve It

 


Believe it or not, just a couple of weeks ago, I signed the contract for my 18th book.  I just started writing the manuscript for it a few days ago, but now it is being bumped into my 15th book.  I am hoping to get it done by the early summer.  Interestingly enough, the topic is about Generative AI, and how that can be used to help improve the security metrics that are used in Cybersecurity today.

No doubt there are many of them, but the two key ones that I plan to focus on are what is known as the “Mean Time To Detect” (also known as the “MTTD”) and the “Mean Time To Respond” (also known as the “MTTR”). 

Although the definitions to them can vary and be complex, in simpler terms, the former refers to how quickly (or slow) the IT Security team is in detecting an imminent threat, and the latter refers to how long it takes for them to contain and/or mitigate it.

Astonishingly enough, it takes on average 270 days for an IT Security team to control an imminent threat.  To you and me, this seems to be unfathomable, but it’s true.  The source in which this information is available can be seen at the link below:

https://www.mend.io/blog/securing-the-software-supply-chain-mend-open-source-risk-report/

Because of this, it is the MTTR that is becoming a very key metric to the CISO and its higher ups today.  You may be asking at this point, why is this metric so bad?  Here are some reasons for it:

*With the advent of AI, many new innovations are proceeding at a very fast pace.  In fact it is so quick that many IT Security teams of today simply cannot keep up with what it takes to secure them.  And, this trend is only expected to quicken even more.  Many more tools are being used, such as Virtual Machines (VMs) and the like.  This can also be technically referred to as “Sprawl”.

*There is the issue of context.  With so many new products and services being AI driven, the sheer number of false positives is becoming totally numbing.  Although AI can also be used in this regard to only present the real and legitimate threats to an IT Security team via the SIEM, it still takes time to have to manually configure all of this.  By spending more time on this effort, much less resources are dedicated to actually fighting off the threats that are already present.

*Many organizations lack a cohesive Vulnerability Management program that can be easily deployed and enforced.  Because of the lack of this, just like the false positives, there is a very strong blur as to what can even be considered to be a vulnerability or not.  For instance, only 33% of them can be deemed of a critical nature.  So that leaves about 67% of them that are not real.  So how is an IT Security team supposed to filter through all of this?

(SOURCE:  https://www.edgescan.com/intel-hub/stats-report/)

To make matters even worse, there has been recorded a mind blowing 25,082 total number of vulnerabilities, which represents a staggering 24% increase from the previous year.

(SOURCE:  https://www.cvedetails.com/browse-by-date.php)

So given these dire situations, what can you, as the CISO of your business do help improve your MTTR metric?  Here are some steps to start with:

*Conduct a comprehensive Risk Analysis:  I have always been a huge fan of this.  With this approach, you are inventorying all of your assets, both physical and digital, and ranking them according to a Vulnerability Scale.  There are already frameworks that are out there to help you do this, most notably from CISA and NIST.  By doing this, you can also examine what you truly need and don’t need.  In turn, this will help to reduce Sprawl, which will then decrease the amount of vulnerabilities that in the end you have to manage.

*Examine your Triaging Structure:  See what you have in place right now, and determine if it is really working or not.  If it is not, then you and your IT Security team will have to produce a way to either improve it or replace it in its entirety.  But whatever you end up doing, test it in a sandbox environment first before deploying into your production environment.

*Be proactive it:  Once you have done the above two things, make sure that you keep a proactive watch on how your MTTR is doing.  Keep measuring on a regular schedule, because after all in the end, being the CISO, you will be ultimately held responsible for it.

My Thoughts On This:

The above are just some steps that you can take, and of course, as things evolve (especially with AI), there will be other actions you need to take as well.  But one of the big benefits of a lower MTTR is that your C-Suite will be more prone to give you a higher budget – in the name of keeping the business safe.

Also, keep an eye on my new book.  It will actually discuss how a Digital Person can help your IT Security team in bringing down your MTTR.

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...