Sunday, June 30, 2024

How To Create Cyber Social Norms: 7 Golden Tips

 


One of the mantras in Cybersecurity today is to create a Security Policy, or even a set of Policies, and make sure that it is enforced.  While this has been true for as long as anyone can remember, the real catalyst for it was the COVID-19 pandemic.

For instance, right when it hit, CISOs and their IT Security teams were left scrambling to deploy company devices to what suddenly became a largely remote workforce.  Of course, the gravity of the pandemic caught everybody off guard, but another reason companies were so slow was that they did not have a good Security Policy in place.

Even if they did, it was probably rarely rehearsed.  But now that the pandemic has more or less dissipated, CISOs have hopefully learned their lessons.  Not only is a Security Policy needed when it comes time to respond to a disaster, but it is also needed to support a good level of Cyber Hygiene amongst the rest of the employees of the business.

But depending upon how large your organization is, it can be genuinely hard to enforce a Security Policy with each and every employee.  Therefore, it is very important for the CISO, as well as other members of the top brass, to make sure that a proper set of “Social Norms” is followed.  You may be asking what this is.  Here is an informal definition:

“Social norms typically are informal, unwritten rules that guide acceptable behavior among members of a group or society.“

(SOURCE:  https://www.darkreading.com/cybersecurity-operations/achieve-next-level-security-awareness-by-creating-secure-social-norms)

In other words, you take certain parts of the Security Policy that help maintain the level of Cyber Hygiene you want, and actually act them out in your daily interactions with others.  The idea is that as you practice these “Social Norms”, others will watch and take their cue from you.  This is another, subtler way of instilling good Cyber habits.  That is why it is so important for managers in a business to do this proactively: in an organization, behavior is largely learned top-down.

So to get you started, here are some tips:

1)     Have training:

Yes, this topic has been beaten over many times, but it is the truth.  You first have to hold regular training sessions with your employees to instruct them about the value and importance of the datasets that your company possesses.  Data is the lifeblood of the business, and if it is compromised, the business will be on its knees.  Two key points here:

Ø  Keep your training engaging and interesting.

Ø  Make sure that it is appropriate for the target audience.  Don’t take a “one size fits all” approach.

 

2)     Know where the data resides:

Believe it or not, many CISOs to this day do not even know what is contained in their databases.  So if you want to establish a “Social Norm” here, know where every piece of data resides, and convey that knowledge on a need-to-know basis (an administrative assistant, for example, does not need the full inventory).

3)     Make use of MFA:

As I have written before, this acronym stands for “Multifactor Authentication”.  It means that an employee must present two or more independent factors to prove their identity: something they know (a password), something they have (a hardware key or an authenticator app on their phone), or something they are (a fingerprint or face).  “Two Factor Authentication” (2FA) is simply the minimum case of MFA, not its predecessor.  The catch is that not all factors are equal: codes sent by SMS or typed in from an authenticator app can be phished or relayed in real time, which is how the Cyberattacker has more or less found a way around them.  So when you adopt MFA as a Social Norm, prefer phishing-resistant factors such as FIDO2/WebAuthn hardware keys or passkeys, and treat one-time codes as the fallback, not the default.

4)     Understand Social Engineering:

Phishing is itself one form of Social Engineering, and the broader technique is being used quite a bit today.  This is where the Cyberattacker builds up a friendly but cunning rapport with an employee of a company in order to squeeze out details about the company’s datasets, or to get the employee to take an action on the attacker’s behalf.  In this regard, also have training programs on this, and even conduct role plays with employees so that they truly understand the gravity of a Social Engineering Attack.

5)     Implement a Privacy Policy:

While these are mostly prevalent on websites (primarily due to the data privacy laws that mandate them, especially with regards to the use of “Cookies”), it is important to take this and create a Privacy Policy that is internal to your company.  For example, not only does the business have the right to keep their datasets private, but employees and even customers have this right as well. 

6)     Get an Identity Service:

The three main credit reporting bureaus are Equifax, Experian, and TransUnion.  Through whichever bureau you wish to go through, take advantage of their free credit reporting and monitoring services, and offer this to all of your employees and even customers.  If you are ever hit with a security breach, they will already know how to contact the bureaus to place a fraud alert or freeze their credit files quickly, which is what stops a stolen identity from being turned into new accounts.

7)     Use a Password Manager:

Yes, as much as we have tried to get rid of passwords, they are still around, and will continue to be for a long time to come.  They remain one of the biggest nightmares in Cybersecurity today.  Therefore, make use of a Password Manager to further protect your datasets.  These are simple but powerful applications that create long, random, and unique passwords for every account, which are difficult to crack and, just as importantly, are never reused between sites, so one breached site does not unlock the others.  Best of all, your employees do not have to remember them; the Password Manager takes care of that.  But if you are going to roll one out, make sure that you, as the CISO, start using it first.

My Thoughts On This:

Creating “Social Norms”, following the tips just reviewed, should not be an insurmountable task.  But as I have said before, this all has to start from the C-Suite.  If the members there follow it, then the other employees, in a cascading fashion, will also follow suit until it becomes second nature to them.

Sunday, June 23, 2024

Outer Space: To Boldly Go Where No Cyberattacker Has Gone Before

 


For as long as I can remember, I have been a huge lover of astronomy.  During part of my college days I was even a member of a local astronomy club, getting a good look at the moon and other celestial objects through our low-tech telescope.

My passion for that and even space travel continues till today, as I still watch videos on YouTube on the Apollo missions.  In fact, my favorite question that I like to ask of people is:  “Do you think space ends, or if it does, what is beyond it?”  Well, that will be a discussion for a later time.

But since the retirement of the Space Shuttles, the trend has been for private companies to launch their own spacecraft; the most famous ones are those from Boeing and SpaceX.  With this privatization comes a new kind of issue that we thought could never happen before, and that is Cybersecurity.

In fact, people view it as such a serious matter that researchers at California Polytechnic State University just released a detailed 95-page report on the specific Cyber risks that could arise.  The entire report can be viewed at this link:

https://ethics.calpoly.edu/spacecyber.html

One of the primary reasons cited for this heightened level of awareness is that many nations around the globe are also participating in this “space race” of sorts.  Coupled with the fact that some of them could even be rogue states like Russia, China, and North Korea, the problems could really settle in.

Another driver is the increasing level of interconnectivity between our own wireless devices and all of the satellites orbiting the Earth.  This has been driven by the explosion of the Internet of Things, also known as the “IoT”.

A good example of this is GPS.  When you use a tool such as Google Maps, the satellites do not send you the directions: the GPS satellites broadcast timing signals, your device uses them to compute its own position, and the map and routing data come from the app and its servers.  The important point for security is that the civilian GPS signal is broadcast unauthenticated, so a receiver has no cryptographic way to tell a genuine satellite signal from a spoofed one.

That is why there is so much fear around Smart Cars: in all practicality, a Cyberattacker does not even need to reach a satellite, since jamming or spoofing the GPS signal on the ground near the vehicles is enough to cause a high level of confusion amongst drivers.

In fact, just as we do on the ground here, researchers are now modelling the specific Cyber threat variants in outer space.  One such effort is known as “ICARUS”, an acronym that stands for “Imagining Cyberattacks to Anticipate Risks Unique to Space”.  In this framework, the researchers have detailed the hypothetical variables that could lead to a security breach.  Some of these include:

*The attack vector.

*The type of exploits.

*Any potential threat actor motivations and incentives.

*The potential victims.

*Other space capabilities that an attack could compromise.

Through the above and many other such variables, the researchers can model over 4 million Cyberattack scenarios (I also firmly believe that Generative AI has to be a big part of this as well).  More information about this framework can be found at this link:

https://www.securityinfowatch.com/cybersecurity/press-release/55089421/cal-poly-releases-imagineering-report-to-anticipate-scenarios-for-outer-space-cyberattacks

Also, another driver causing huge concern about a Cyberattack in outer space is the increasing number of satellites being launched into Earth orbit.  For example, it has been estimated that since 2012, there has been an average of 2,600 new satellite launches annually.

Yet another catalyst that gives the Cyberattacker more motivation to launch a threat variant into Outer Space is its sheer vastness, and all of the complexity that goes along with it.  Because of this, it is much easier for him or her to hide their tracks than when launching security breaches down here on Earth.

Finally, another Cyber risk posed in the blackness above us is what is referred to merely as “Space Junk”: defunct satellites, spent rocket stages, and the fragments left behind by collisions and breakups.  Astonishingly, there are over 35,000 major pieces of this “Space Junk” out there, and over 1 million more that are smaller.  Debris itself cannot be commanded, since it has no working propulsion or control link; the realistic version of this fear is that a Cyberattacker takes control of an active, maneuverable satellite and steers it into an important one, such as a GPS satellite.

My Thoughts On This:

I am by no means an expert on Outer Space, but IMHO, while it is great that researchers are starting to model Cyber threat variants in Outer Space, we are still a long way off from seeing a direct attack happen, for example one satellite being steered into another.  Rather, I think the biggest concern right now should be a Cyberattacker using a space-based system as the delivery path for a malicious payload, and using that to cause major damage, such as to our Critical Infrastructure.

With this kind of approach, it would be much more difficult to determine the root cause of a security breach, and to produce ways to stop that particular attack from happening again in the future.

 

Sunday, June 16, 2024

6 Traits That Entrepreneurs And Cyberattackers Share

 


When people conjure up the image of a Cyberattacker, what very often comes to mind is someone in a hoodie, sitting in a dark room hunched over five monitors.  While this could be true to some degree, it is really not how Cyberattackers operate.  Of course, he or she will want to keep their tracks covered as much as possible, so that they can evade detection.  But believe it or not, the Cyberattacker of today often thinks like an entrepreneur when planning an attack, or even when forming a Cyberattacking group.

So what goes on in their mind, you ask?  Well, here are some clues:

1)     They try to find the markets:

In the old days, the goal of the Cyberattacker was to launch what is known as a “Smash and Grab” campaign: get in by any means possible, take whatever they could, and run off into the distance, hoping not to be caught.  But today’s Cyberattacker takes a very different approach.  Just like entrepreneurs, they study the kind of market that they can get into.  In other words, what fits the profile of a potential victim?  Once this has been figured out, the Cyberattacker uses Open-Source Intelligence (“OSINT”), the discipline of collecting publicly available information from sources such as Social Media, corporate websites, and public records, to find and profile their victim.  The target may not be an individual; it could just as well be a business.  Or, worse yet, the Cyberattacker may have been hired by someone on the Dark Web or through other covert means to launch the attack.

2)     Creating the product/service:

Once an entrepreneur has an understanding of the market that they want to get into, the next step is to create or further develop a product or service that will meet the needs and demands of prospects.  In this case, once the Cyberattacker has figured out their victim, the next step is to determine their weapon of choice.  For instance, will it be a Phishing Attack?  One that involves Social Engineering?  Or perhaps a Ransomware Attack, which today typically exfiltrates data before encrypting it, so that the victim can be extorted twice?

3)     Getting the funding:

As the entrepreneur is finalizing the business plan, the next thing on their mind is to figure out how to get funding to launch their brand-new product or service.  There are two ways they could do this: tap into their own savings, or reach out to investors.  In the case of the Cyberattacker, the goal is to figure out how they will get the means to launch their Attack Vector.  For example, will he or she be joined by other Cyberattackers in an effort to pool resources, or will they go it solo?  The goal here, just like for the entrepreneur, is to keep costs as low as possible, primarily to avoid raising red flags.  So they could hire a service on the Dark Web that launches the attack for literally pennies on the dollar (the most popular one in this regard is “Ransomware as a Service”).  Or, the most preferred method is to take an existing Threat Variant and modify it in some fashion so that it will be deadlier.  In other words, building a better mousetrap.

4)     Launching the product/service:

Now, once the victim (the target market) has been selected and the funding has been secured, the next move is to launch the actual Threat Variant in order to achieve the desired outcome.  Most likely, it will be an attempt to steal login credentials, or to exfiltrate data that can either be sold on the Dark Web or used to launch a Ransomware Extortion Attack.  But, just like the entrepreneur, if things are not going as planned on the initial launch, they will shift strategies in order to get what they set out for.  In the case of the Cyberattacker, that means staying as covert as possible.

5)     The continuation of the marketing:

Once the entrepreneur has reached some stability and has actually achieved sales on their new product or service, their next goal is to keep up with the marketing strategies, or tweak them further, in order to generate more prospects, which in turn will lead to more sales.  This is also true of the Cyberattacker.  Once they have launched their Threat Variant, found a way in, and remained covert, their next objective is to move laterally across the IT/Network Infrastructure to see what they can steal.  For example, it could be trade secrets, other confidential documentation, or Intellectual Property (also known as “IP”).

6)     The next wave:

For the entrepreneur, once they have had a successful launch of their product or service, the next thing is to figure out what to produce next.  Most likely, since funding and resources will still be rather tight, they will take what they have already created and add more functionality to it, perhaps even to serve a different market entirely.  The same is true for the Cyberattacker.  Once they have achieved what they wanted with the Threat Variant, they will want to add more to it to make it not only stealthier but deadlier as well.  In this case, it is quite likely that they will target an entirely new victim.

My Thoughts On This:

What I have detailed in this blog is the basic model that a Cyberattacker could potentially follow.  Not all of the steps may be followed.  But the bottom line is that, just like when launching a new business, a lot of time is spent these days trying to figure out how to do it right the first time.  The same is very true of the Cyberattacker.  They now take their time to carefully profile and target their victims, in an effort to strike at their weakest point when they are least aware of it.

 

Sunday, June 9, 2024

The Top 10 Risks Of The Remote Workforce & How To Solve Them

 


It seems like the COVID-19 pandemic is now just a past memory.  But, while this may be true, the variants of it are still out there, and are affecting people to varying degrees.  One of the offshoots of the pandemic was the Remote Workforce.  While this was never a new concept, the degree to which it happened is something that no individual or business could have ever predicted.  But fast forward to now, and the Remote Workforce is still going strong.

While many companies are now trying to adopt a hybrid approach, many employees still prefer the Remote Workforce.  And why not?  As long as they are getting the work done and meeting goals, what difference does it really make where they work from?  In fact, it has been shown over the past couple of years that Working From Home (WFH) actually makes for a much happier employee.

But even more importantly, now that we have understood the ramifications of a largely Remote Workforce, the Cybersecurity aspects of it must also be addressed.  Remember the threats that appeared when the pandemic first hit?  Such as the risks of intermeshing corporate and home networks?  And the ever-famous “Zoombombing”?  While these may now be more or less mitigated, CISOs and their respective IT Security teams need to realize that the Remote Workforce is now a permanent fixture in the American workplace, and the Cyber risks inherent in it must be addressed.

So, here are a few areas which need to be paid attention to:

1)     Data In Transit:

This simply refers to the flow of network communications between the server and the remote device, and vice versa.  The traditional VPN encrypts this traffic and has proved successful at that, but the pandemic exposed its weak points: Internet-facing VPN concentrators that were left unpatched became prime targets, and once a device is on the VPN it is often trusted far too broadly.  Therefore, it is highly recommended that you keep the VPN patched, require MFA on it, make sure every application uses TLS on its own regardless of the VPN, and consider a Zero Trust Network Access approach that grants access per application rather than to the whole network.  A Next Generation Firewall complements this by inspecting the traffic, but it is not a substitute for encrypting it.

2)     Data At Rest:

These are the datasets that are not being transacted or processed, but are simply sitting statically in your database.  Even while they are not in use, it is imperative that you protect them to the highest degree you can, with encryption and tightly controlled access.  This has been, and continues to be, one of the prized targets for the Cyberattacker.  Even more so, if you do not protect these datasets with the right controls, you could be in for a serious audit by the regulators who enforce data privacy laws such as the GDPR, CCPA, HIPAA, etc.

3)     The IAM:

This is an acronym that stands for “Identity and Access Management”.  Simply put, this is the set of policies and tooling by which you assign rights, privileges, and permissions to each employee.  The cardinal rule here is “Least Privilege”: you do not give employees any more access than they need to do their daily job tasks, and you review those grants periodically, because access tends to accumulate and is rarely taken away.  If you are in the Cloud, such as with Microsoft Azure, there are many IAM tools that you can deploy in a matter of minutes.

4)     The Endpoints:

These are the devices that your Remote Workforce is using.  One of the other major problems during the pandemic was that employees were using their own personal devices to do their job tasks, because businesses simply did not have enough endpoints that could be provisioned in time.  Now that we have learned this lesson, it is imperative to issue managed devices wherever possible and to fortify them with an EDR or XDR based solution.

5)     DDoS and Phishing:

The first is an acronym that stands for “Distributed Denial of Service”.  This is where the Cyberattacker floods a server with traffic from many sources at once so that it grinds to a halt and is unable to serve resources to end users.  And of course, we have all probably heard of Phishing.  While these are some of the oldest threat variants, they are still used quite a bit today.  Therefore, you need to take the appropriate protective measures to mitigate them.

6)     The Zero Trust:

The traditional security model in Cyber has been that of the “Perimeter Defense”.  Essentially, this is where a single circle of defense surrounds the business, and all of the defensive mechanisms are thrown at it.  But guess what?  If the Cyberattacker breaks through it, they then have free rein over your IT/Network Infrastructure.  To avoid this, it is imperative that you implement what is known as the “Zero Trust Framework”.  Here the Infrastructure is segmented into different zones, nothing is trusted simply because of where it sits on the network, and every access request is checked against the identity of the user, the health of the device, and the sensitivity of the resource, with MFA (two or more differing authentication factors) used to confirm the identity of the employee.  The idea is that the odds of the Cyberattacker reaching your “Crown Jewels” drop sharply, given all of the layers that they have to break through.
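To make two of these items concrete (the Least Privilege rule under the IAM item above, and the per-request checks of the Zero Trust Framework here), the following added example, which is not code from the original post, evaluates an access request the way a Zero Trust policy engine would.  Roles, resources, the device posture fields, and the MFA freshness limits are illustrative assumptions.  The role table is the Least Privilege part: each role lists only the actions it needs.  The device posture and MFA age checks are the Zero Trust part, and being on the corporate network grants nothing.

```python
"""Per-request access decision: Least Privilege plus Zero Trust checks.
Added example, not code from the original post. Roles, resources, posture
fields and MFA age limits are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Least privilege: a role carries exactly the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "finance": {("reports", "read"), ("payroll", "read"), ("payroll", "write")},
    "admin":   {("reports", "read"), ("payroll", "read"), ("payroll", "write"),
                ("iam", "write")},
}

# More sensitive resources demand a more recent MFA prompt (seconds).
MFA_MAX_AGE = {"reports": 8 * 3600, "payroll": 15 * 60, "iam": 5 * 60}
MAX_PATCH_AGE_DAYS = 30


@dataclass
class Principal:
    user: str
    role: str
    mfa_age_seconds: Optional[int]  # seconds since last MFA; None if never


@dataclass
class Device:
    managed: bool          # enrolled in the company's device management
    disk_encrypted: bool
    patch_age_days: int


def authorize(principal: Principal, device: Device, resource: str, action: str,
              on_corporate_network: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason). `on_corporate_network` is accepted only to
    make the point that a Zero Trust decision never depends on it."""
    # 1. Least privilege: the role must explicitly hold this permission.
    if (resource, action) not in ROLE_PERMISSIONS.get(principal.role, set()):
        return False, "least privilege: role lacks this permission"
    # 2. Device posture: only healthy, managed devices may reach any zone.
    if not (device.managed and device.disk_encrypted):
        return False, "device posture: unmanaged or unencrypted device"
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, "device posture: patches older than 30 days"
    # 3. Identity freshness: sensitive zones require recent MFA (step-up).
    limit = MFA_MAX_AGE[resource]
    if principal.mfa_age_seconds is None or principal.mfa_age_seconds > limit:
        return False, f"step-up required: MFA too old for {resource}"
    return True, "allowed"


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, patch_age_days=3)
    alice = Principal("alice", "analyst", mfa_age_seconds=60)
    print(authorize(alice, laptop, "reports", "read"))      # (True, 'allowed')
    print(authorize(alice, laptop, "payroll", "write"))     # least privilege
    bob = Principal("bob", "finance", mfa_age_seconds=3600)
    print(authorize(bob, laptop, "payroll", "write"))       # step-up required
```

The ordering matters: the cheapest and most definitive check (does this role ever get this permission?) runs first, and a user who fails it is never prompted for MFA, which would only tell them the resource exists.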

7)     Software Patches:

This is also one of the other cardinal rules in Cybersecurity.  You and your IT Security team must keep vigilant for the software patches and updates that come out from your vendors, including firmware.  They must also be tested and deployed on a regular cadence, with patches for actively exploited vulnerabilities fast-tracked.  To make this effective, have a dedicated resource that keeps tabs on this.

8)     The Plans:

The pandemic taught CISOs one very painful lesson:  The need to have Incident Response/Disaster Recovery/Business Continuity Plans.  Not only should they be documented, but they also must be rehearsed at least once a quarter, and updated with the lessons learned.

9)     The Training:

Probably more now than ever before, you need to have regular Security Awareness Training programs for your employees.  These must be done at least once a quarter, if not more often.  But one very important thing to remember is not to take a “one size fits all” approach to the training.  It must be tailored to the audience to whom you are delivering it.

10)  Compliance:

Today, data privacy is very much a hot-button topic, especially with the advancements being made in Generative AI.  Therefore, you need to make sure that you are in compliance with all of the data privacy laws that apply to you.  Compliance is demonstrated through audits and evidence that your controls work; a Penetration Test complements this by finding the vulnerabilities in those controls, which you can then remediate quickly.

My Thoughts On This:

While these tips just provided are meant to protect your Remote Workforce, they should also be used in everyday practice to make sure that your employees, no matter where they are located in the world, are always maintaining a strong level of Cyber Hygiene.

Sunday, June 2, 2024

3 Key Golden Ways To Keep Up With The SEC Cyber Rules

 


There are many buzzwords floating about in the world of Cybersecurity today, and one of the biggest ones that has stayed around is “Risk”.  This term applies to all parts of our lives, and people have different ways of defining it.

For example, in the workplace, it could mean going above and beyond the call of duty to show your manager what you can do.  Or personally, it could mean doing something that is anxiety provoking, but doing it anyway to face your fears.

Even in Cyber, businesses, and heck, even the Federal Government, have different ways of defining it.  But I have written a lot on this topic (in fact, an entire book), and the way I think of it is this:  “The amount of downtime that a business can withstand after becoming a victim of a security breach”.

The true measure of this, though, is the dollar amount.  For instance, an SMB could not afford much downtime, but a much larger company, like a Fortune 100, probably could.

But however you define Risk, it is certainly catching the attention of Cyber professionals across all levels.  So much so that even the SEC has now intervened and mandated that publicly traded companies disclose material security breaches within a matter of days.  The exact text can be seen at the link below:

http://cyberresources.solutions/blogs/SEC.pdf

Under these new rules, a publicly traded company must file a Form 8-K within four business days of determining that a cybersecurity incident is material, describing the nature, scope, and timing of the incident and its material impact, including any data that was accessed or leaked as a result.  The clock starts at the materiality determination, not at discovery, but that determination must be made without unreasonable delay.  The main intention is not only to protect shareholders and employees, but to keep a sense of calm in the financial markets if something does happen.  To give you a sense of just how seriously the Federal Government takes this ruling by the SEC, the following incidents have been brought into the crosshairs of the Feds:

1)     Clorox:

They were impacted by a security breach in August of 2023.  The damage was far reaching, as it greatly affected the company’s supply chain.  The cost of the attack has been estimated to be as high as $65 million, much of which can be attributed to legal and forensic expenses.  The worst part is that, according to the audit findings reported by Bloomberg, Clorox had known about systemic vulnerabilities in the IT/Network Infrastructure of its manufacturing plants for years before it was hit.  More details can be seen at the link below:

https://www.bloomberg.com/news/articles/2024-03-26/clorox-audit-flagged-systemic-flaws-in-cybersecurity-at-manufacturing-plants?embedded-checkout=true

2)     Prudential:

They were hit with a security breach in February of this year.  Fortunately, not much damage was done in the end, and the good news is that the company actually reported it in time, pursuant to the SEC disclosure rules.  Apparently, the Cyberattacking group was able to penetrate Prudential’s IAM system, and from there exfiltrate the PII of over 36,000 individuals.  What was unique about this is that Prudential reported the incident before it had discovered the loss of the data.  More information can be seen at the link below:

https://therecord.media/prudential-discloses-new-information-from-february-incident

3)     United Health:

They too suffered a massive security breach in February of this year, through their Change Healthcare subsidiary.  The company initially described the attacker as a suspected nation-state actor, but the attack was later claimed by the ALPHV/BlackCat ransomware group.  The impact was far reaching: it affected over 30 million people who rely upon United Health insurance to pay for their medical expenses, and healthcare providers and pharmacies were impacted as well, since claims and payments could not be processed.  Right now, the company faces at least 24 separate lawsuits, and costs that could very well exceed $1.6 billion.  The company did not disclose it at the time, but it later confirmed that it paid $22 million to the hacking group in order to get some control back over its IT/Network Infrastructure.  More details can be found at the link below:

https://www.forbes.com/sites/noahbarsky/2024/04/30/unitedhealths-16-billion-tally-grossly-understates-cyberattack-cost/?ss=cybersecurity&sh=1dabfb395aab

My Thoughts On This:

Apart from abiding by the tenets and provisions established in the SEC ruling, as just reviewed, companies need to take a much more proactive stance to help mitigate the risk of being impacted by a security breach:

Ø  Keep constant vigilance:  In this regard, make use of a SIEM, with AI-assisted analytics where they help, to monitor all of your log files in near real time.  Tuned well, these will filter out much of the noise and the false positives, so that your IT Security team spends its time on the alerts that matter.

 

Ø  Always be transparent:  Apart from reporting to the SEC, as a CISO you must take responsibility for keeping all of the key stakeholders informed of what is happening.  This will save you great pain down the road if you are also faced with an audit under the GDPR, CCPA, HIPAA, etc.

 

Ø  Share your intelligence:  The Cyber community is finally starting to realize that it literally “takes a village” in order to keep the Cyberattacking groups at bay.  But in order for this to happen, you have to share whatever intelligence you gather with both the private and public sectors (such as DHS, CISA, the FBI, etc.).

Beware Of That IoT Device You Are Going To Give As A Gift!!!

  As we fast track now into Thanksgiving and the Holidays, gift giving is going to be the norm yet once again.   To me, I think it should be...