Sunday, July 28, 2024

How The CrowdStrike Attack Will Translate Into Water Supply Attacks

The CrowdStrike incident of Friday, July 19 is still being felt, especially in the ripple effects on the major airlines.  But, more than that, people are still wondering how a single software update could cause so much turmoil around the world.

Although it will take some time to unravel all of this, the bottom line is the sheer level of interconnectivity among devices, both physical and digital, that exists today.  Just one little flaw, whether a bug in an update or an exploitable vulnerability, can propagate very quickly across that web and cause devastation far beyond the system where it started.

CrowdStrike has attributed the outage to a defect in a content update for its Falcon sensor rather than to an attack, and nothing made public so far contradicts that.  Only time and a full root cause analysis will settle the details.  But the episode underscores yet another area in our American society that still eludes the security pundits today:  how to protect our Critical Infrastructure from a large-scale Cyberattack, or from a large-scale accident that behaves like one.  Unfortunately, the answer is that there is no clear-cut solution.

The primary reason for this is that many of the systems that support our Critical Infrastructure were designed back in the 1960s and 1970s.  Many of the vendors who created them are either no longer in existence or have merged with another company.

Therefore, finding parts to replace these legacy components is close to impossible.  If anything, new ones will have to be created, which could take months or even years.

The other issue here is that when these components were built, Cybersecurity was not even a concept that was thought about.  All of the attention was paid to physical access security.  So, even trying to add new software packages to the ones that are already in place is by no means an easy task either.  Many of these devices cannot run a modern endpoint agent at all, and the ones that can (the Windows-based HMIs and engineering workstations) are exactly the kind of machine the CrowdStrike update crashed.

The main risk is interoperability between the two.  A security agent that has not been validated against the control software it sits beside can take down the very system it is meant to protect, and in a plant that outcome is worse than the threat it was installed to stop.

In the last couple of years, we have seen attacks on our Critical Infrastructure actually happen.  Probably one of the best examples was the 2021 ransomware attack on Colonial Pipeline.  The company shut the pipeline down for roughly six days, fuel shortages along the East Coast lingered longer than that, and the futures markets that trade in these products were also rattled.  In the end, the CEO authorized a ransom payment of roughly $4.4 million (part of which the Justice Department later recovered).

Now, one of the greatest fears is that something like this could happen to our precious water supply.  Can you imagine not having a fresh water supply for over a week?  If this were to happen, the public health consequences would be severe.  While the fix to this is very difficult to figure out at the moment, over time, something will evolve.

But it will most likely take a lot of time.  That does not mean that you, the CISO, have an excuse for not taking proactive steps to mitigate this risk, if you are tasked with overseeing the IT side of a water supply system.

So, what can you do, you might be wondering?  Here are some steps that you can take:

1)     Figure out where all of the data lies:

Yes, even a company that deals with the water supply collects and stores large amounts of data.  But many times, when a CISO is asked whether they know where their company’s data is stored, they very often go “Huh?”  There is no excuse for this, IMHO.  Take the time to figure out where the datasets reside and how they are stored, and do not stop at the business side: the SCADA historian, the HMI configurations, and the backups of PLC logic are datasets too, and losing or corrupting them is what actually stops the water.  Create data maps so that you will also have a visual to refer to.

2)     Conduct Risk Assessments:

When this term is used, the image of doing it on digital assets often comes to mind.  But this kind of methodology can also be used for Critical Infrastructure, even the water supply systems.  In this regard, take close stock of what is protecting your databases and the servers that talk to the control network.  These are among the first areas that a Cyberattacker will go after, so you need to make sure that you have at least some controls in place.  While putting in new ones may not be an option right now, you can certainly explore ways to optimize the ones you already have.

3)     Look at network traffic:

Even with the legacy technologies that are in place, there is still network traffic to look at.  Take the time to analyze it.  Encrypt everything that can be encrypted, but be realistic: the protocols that actually run the plant, such as Modbus/TCP and DNP3, carry no encryption or authentication in their base versions, and the PLCs speaking them often cannot be upgraded.  For that traffic the practical controls are an inventory of which cleartext protocols are in use and between which hosts, strict segmentation between the control network and the corporate network, and monitoring for anything that crosses that boundary.  Perhaps even consider upgrading your firewalls, routers, switches, network intrusion detection devices, etc.  Interoperability with the legacy systems is much less of an issue here than with host agents, especially if monitoring is done passively from a tap or SPAN port, as you are only fortifying the defenses around the flows of network traffic rather than changing the devices themselves.

4)     Update the documentation:

More than likely, the documentation that comes with a piece of Critical Infrastructure will be outdated.  Therefore, take the time to update it, and include the things an incident responder will actually need: network diagrams, asset inventories, vendor contacts, and the procedures for running the plant manually if the control system has to be taken offline.  This will be crucial if you are impacted by a security breach.  Of course, this also underscores the importance of Incident Response, Disaster Recovery and Business Continuity planning as well.
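As an added example (not code from the original post), here is how the traffic review in step 3 can be started from a flow export before buying anything.  The script reads flow records in a simple CSV form, tags each flow that uses a well-known cleartext IT or control protocol, and raises an alert whenever such a protocol is used to reach the control network from outside it.  The zone ranges, the CSV layout and the sample flows are constructed assumptions; the port-to-protocol mapping uses the standard default ports for those protocols.

```python
"""Inventory cleartext protocols and zone crossings in a legacy control network.

Added example for this post, not code from the original article.  The zone
ranges, the CSV flow format and the sample flows are constructed assumptions;
the port numbers are the standard defaults for each protocol.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address, ip_network

# Protocols that carry no encryption or authentication in their base versions.
# The IT ones (FTP, Telnet, HTTP) can usually be replaced; the control ones
# (S7comm, Modbus/TCP, DNP3, EtherNet/IP) usually cannot, so the realistic
# control for them is segmentation and monitoring rather than encryption.
CLEARTEXT_PORTS = {
    21: "FTP",
    23: "Telnet",
    80: "HTTP",
    102: "S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Assumed zone layout: the control network and the corporate LAN.
OT_ZONE = ip_network("10.10.0.0/16")
IT_ZONE = ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse a CSV flow export with the header ts,src,dst,dport,proto,bytes."""
    rows = csv.DictReader(StringIO(text.strip()))
    return [
        Flow(r["ts"], r["src"], r["dst"], int(r["dport"]), r["proto"], int(r["bytes"]))
        for r in rows
    ]


def findings_for(flow: Flow) -> list[str]:
    """Return the security-relevant tags for one flow (empty list if none)."""
    tags: list[str] = []
    name = CLEARTEXT_PORTS.get(flow.dport)
    if name:
        tags.append(f"cleartext:{name}")
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Any cleartext protocol entering the control network from outside it is
    # the first thing to investigate: a corporate host should not be talking
    # Modbus or Telnet to a PLC.
    if name and dst in OT_ZONE and src not in OT_ZONE:
        tags.append("zone-crossing")
    # A source that is in neither zone should never reach the control network.
    if dst in OT_ZONE and src not in OT_ZONE and src not in IT_ZONE:
        tags.append("external-source")
    return tags


def analyze(text: str) -> dict:
    """Summarize cleartext protocol use and boundary violations in a flow export."""
    flows = parse_flows(text)
    by_protocol: dict[str, int] = {}
    alerts = []
    for flow in flows:
        tags = findings_for(flow)
        for tag in tags:
            if tag.startswith("cleartext:"):
                proto = tag.split(":", 1)[1]
                by_protocol[proto] = by_protocol.get(proto, 0) + 1
        if "zone-crossing" in tags or "external-source" in tags:
            alerts.append((flow.ts, flow.src, flow.dst, flow.dport, tags))
    return {"total": len(flows), "cleartext_by_protocol": by_protocol, "alerts": alerts}


# Constructed sample export: two PLC polls from OT hosts, a corporate
# workstation polling the same PLC, a corporate Telnet session into OT, a
# normal TLS flow, and an external host (TEST-NET-3 range) sending DNP3.
SAMPLE_FLOWS = """ts,src,dst,dport,proto,bytes
2024-07-26T02:00:01,10.10.1.20,10.10.2.5,502,tcp,1200
2024-07-26T02:00:03,10.10.1.21,10.10.2.5,502,tcp,980
2024-07-26T02:00:09,192.168.50.14,10.10.2.5,502,tcp,310
2024-07-26T02:01:12,192.168.50.30,10.10.9.9,23,tcp,4400
2024-07-26T02:01:40,10.10.1.20,10.10.1.250,443,tcp,8800
2024-07-26T02:02:05,203.0.113.77,10.10.2.6,20000,tcp,150
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    print(f"{report['total']} flows; cleartext by protocol: {report['cleartext_by_protocol']}")
    for ts, src, dst, dport, tags in report["alerts"]:
        print(f"ALERT {ts} {src} -> {dst}:{dport} {','.join(tags)}")
```

Run against a real export, the protocol counts become the inventory that step 1 and step 2 need, and the alerts are the segmentation gaps to close first.  Modbus between two OT hosts is expected and is only counted; Modbus or Telnet from the corporate LAN, or anything from an address that belongs to neither zone, is what gets flagged.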

My Thought On This:

Unfortunately, we will be seeing many more Supply Chain incidents like the CrowdStrike one, whether accidental or deliberate.  But rather than just digital assets being impacted, it will be our Critical Infrastructure.  Remember the days of 9/11?

Well, instead of planes crashing into buildings, we could very likely see major attacks hitting the Critical Infrastructure of the large cities here in the United States, and in a simultaneous fashion.  This is something I don’t even want to think about, but the harsh reality is that it could very well happen.

And the worst part is:  how long will it take to recover?  Weeks?  Months?  Something to think about, especially for you, the CISO.

Sunday, July 21, 2024

Why The CISO, And Not The Employee, Is The Weakest Link

On Friday, July 19, in the early morning hours, the world woke up to what may well be the largest IT outage ever: Microsoft estimated that some 8.5 million Windows hosts crashed.  Many Cyber pundits are merely calling it a “large scale outage”; in my humble view, I think it was a security breach.  Why do I say this?  It is too eerily close to the SolarWinds attack.  Just one vulnerability was exploited, and from there, it had a cascading effect on over 1,000 victims, ranging from the smallest of the SMBs to the Fortune 500 to even the Federal Government.

So of course, a lot of finger pointing has been going around, and unfortunately it was Microsoft that took the brunt of the blame for it.  That is misplaced.  The faulty update was to the CrowdStrike Falcon sensor, which runs as a kernel-mode driver on Windows; when the driver faulted, every Windows host it was installed on blue-screened, so the symptom looked like a Windows failure even though the defect was not Microsoft’s.  (An unrelated Azure outage in the Central US region the day before added to the confusion.)  But in the end, somebody will have to take the fall for it, and only a thorough investigation will reveal who.

What happened Friday is also directly related to another hot button topic in Cybersecurity today:  the notion that employees are the weakest link in the security chain.  I will share my views about this at the end of the blog.  But it is true that ever since the COVID-19 pandemic, the need for security awareness training has never been greater.

Many people have written blogs, articles, whitepapers, and even books on what makes a great security awareness training program.  But it all comes down to three things:

*The training has to be made interesting so that the audience will remember what they have learned.

*It has to be specific to the department, job title, or what roles the employee does on a daily basis.

*There has to be follow-up to make sure that employees are applying what they have been taught.

For this blog, I will focus on the last one.  I know of companies that, after giving a training program on Phishing, will launch a mock Phishing exercise to see how many employees fall prey to it.  For those that do, very often a warning or a slap on the wrist is given, and then it is forgotten about.  But that is where the failure often starts.  For these employees, a further, personalized approach needs to be taken.

Here are four tips to get started with this:

1)     See what the employee is doing wrong:

Don’t simply bring him or her into your office; it will be much more intimidating for them.  Rather, take a very friendly, casual approach, such as taking a coffee break together, or even taking the employee out to lunch.  Tell them what you have been noticing in their Cyber Hygiene, and try to figure out why they are doing what they do.  For example, why are they using the same password over and over again?  Why are they not double checking the emails they get in their inbox?  Or, why are they consistently using apps for their work that have not been authorized?  And so forth.  This should give you much greater insight into their ways of doing things.

2)     Create a “Credit Score”:

Once you have figured out what the employee is doing wrong, or why they are not following the security policies that you have set forth, try to create something like a “Credit Score” for them.  However, do not share this with them; it will make your employees feel as if Big Brother is watching them.  Just use this numerical value as a metric, or even as a Key Performance Indicator (KPI), to see how well they are improving over time (which is hopefully the case).  One caveat: clear the scheme with HR and legal first, since in many jurisdictions scoring individual employees on monitored behavior is itself regulated.

3)     Give one on one help:

I remember when I was back in high school, I was struggling through Algebra II, and after my parents gave up on helping me, they resorted to finding me a tutor who could give me that one on one time.  This tutor helped me in the specific areas that I was weak in, and over time, my grades improved.  This is the same approach that you have to take with your employee who is exhibiting a low level of Cyber Hygiene.  But, in my view, hire a person that is specially trained in this.  Don’t just farm out somebody from your IT Security team, as they have more than enough to deal with on a daily basis.  Try to find a contractor that specializes in offering Cyber education, as they will be the most accustomed to offering tutoring sessions.

4)     Reward the employee:

As the tutoring goes on, and if you see an improvement in their respective “Credit Score”, reward your employee.  This can be just a simple pat on the back, a positive message with the right emojis, a gift card, or even taking them out to lunch again.  The bottom line is that once the employee feels appreciated for the efforts and remediations that they are undertaking, they will continue with this trend for a long time to come, until you don’t have to coach them anymore.
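As an added example (not code from the original post), here is one way to keep the “Credit Score” from step 2, and the improvement tracking that steps 2 and 4 depend on, in a form that can be measured rather than felt.  Scores start at a baseline, each logged lapse or good behavior moves them by an assumed weight, and older events decay with a half-life so that someone who has stopped clicking phishing links actually climbs back up.  The event types, weights, thresholds and sample telemetry are all constructed assumptions.

```python
"""Turn security telemetry into a per-employee "Credit Score" and trend.

Added example for this post, not code from the original article.  The event
types, weights, baseline, half-life and sample events are all constructed
assumptions; adjust them to your own awareness program.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Lapses carry negative weights, good behaviour positive ones.  Assumed values.
WEIGHTS = {
    "phish_clicked": -30,
    "phish_credentials_entered": -50,
    "phish_reported": 15,
    "password_reuse_detected": -20,
    "unsanctioned_app": -10,
    "training_completed": 10,
}
BASELINE = 700          # everyone starts here, in the spirit of a credit score
FLOOR, CEILING = 300, 850
HALF_LIFE_DAYS = 90     # an event's weight halves every 90 days, so improvement shows
COACHING_THRESHOLD = 650


@dataclass(frozen=True)
class Event:
    user: str
    kind: str
    when: datetime


def score_at(events: list[Event], user: str, as_of: datetime) -> int:
    """Score one user as of a date, decaying older events exponentially."""
    total = float(BASELINE)
    for ev in events:
        if ev.user != user or ev.when > as_of:
            continue
        age_days = (as_of - ev.when).days
        decay = 0.5 ** (age_days / HALF_LIFE_DAYS)
        total += WEIGHTS[ev.kind] * decay
    return max(FLOOR, min(CEILING, round(total)))


def trend(events: list[Event], user: str, as_of: datetime, window_days: int = 90) -> int:
    """Change in score over the window; positive means the user is improving."""
    earlier = score_at(events, user, as_of - timedelta(days=window_days))
    return score_at(events, user, as_of) - earlier


def needs_coaching(events: list[Event], user: str, as_of: datetime) -> bool:
    """The KPI the post describes: who gets the one-on-one help."""
    return score_at(events, user, as_of) < COACHING_THRESHOLD


def rank(events: list[Event], as_of: datetime) -> list[tuple[str, int]]:
    """All users with their scores, weakest first."""
    users = sorted({ev.user for ev in events})
    return sorted(((u, score_at(events, u, as_of)) for u in users), key=lambda p: p[1])


# Constructed sample telemetry.  alice failed a simulation six months ago,
# reused a password three months ago, and just reported a phish; bob failed
# today's simulation outright.
AS_OF = datetime(2024, 7, 1)
SAMPLE_EVENTS = [
    Event("alice", "phish_clicked", datetime(2024, 1, 3)),
    Event("alice", "phish_credentials_entered", datetime(2024, 1, 3)),
    Event("alice", "password_reuse_detected", datetime(2024, 4, 2)),
    Event("alice", "phish_reported", datetime(2024, 7, 1)),
    Event("bob", "phish_clicked", datetime(2024, 7, 1)),
    Event("bob", "phish_credentials_entered", datetime(2024, 7, 1)),
]

if __name__ == "__main__":
    for user, score in rank(SAMPLE_EVENTS, AS_OF):
        flag = "coach" if needs_coaching(SAMPLE_EVENTS, user, AS_OF) else "ok"
        print(f"{user:8} score={score} trend={trend(SAMPLE_EVENTS, user, AS_OF):+d} {flag}")
```

The scores stay internal, as the post recommends; the trend value is the KPI to watch, and the threshold is what decides who gets the tutoring described in step 3.  In the sample, alice has climbed back above the threshold because her January lapses have decayed and she just reported a phish, while bob’s fresh failure puts him at the top of the coaching list.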

My Thoughts On This:

You might be thinking at this point:  “I don’t have the time and resources to do this for each and every employee”.  Of course you don’t.  These strategies are designed to help those employees that display the weakest behavior when it comes to their Cyber Hygiene.  There will be some that get it right the first time after the training, and those that lie somewhere in the middle.  But the idea is that once other employees see their peers maintaining strong levels of Cyber Hygiene, they will feel compelled to do the same.

In the end, it comes down to what is known as “Behavioral Analysis”, in other words, trying to figure out why people act the way they do.  This is becoming a hot sector now in Cybersecurity, and rightfully so, with all that is going on, especially now with Generative AI being so dominant.

So now, back to that one thing:  I do not think at all that employees are the weakest link in the security chain.  Rather, I find the CISO and the other members of the C-Suite to be the weakest link.  They do not practice what they preach, and if they did, we would see a much different picture in terms of employee Cyber Hygiene today.

In the end, it takes both people and technology to have a great line of Cyber defense for your business.

Sunday, July 14, 2024

How To Avoid Becoming A Victim Of AI Eavesdropping: 5 Point Checklist

Well, it has been a while since I have written anything about Generative AI.  It’s still continuing to make the news headlines, and most of the publicly traded companies in the space are seeing their Earnings Per Share (EPS) go to even newer highs, as is the case with Nvidia, even after its recent stock split.

But despite all of this, and rightfully so, there is still a growing angst amongst the general public here in the United States as to how the tools that have Generative AI baked into them can be misused.

One example is how the video conferencing platforms, such as Zoom, Webex, Teams, etc., record conversations in a meeting.  When you have a meeting with your coworkers or manager, you often have the option to record it, and now to have an AI assistant transcribe and summarize it, to be used as a future reference if the need arises.

Here are some of the scenarios which pose some of the greatest risks:

1)     Flaws in the transcription:

As I have written about before, Generative AI (and for that matter, all branches of AI) is primarily “Garbage In, Garbage Out”.  Meaning, the output that you get in the end is only as good as the data that is fed into the model.  Even if you take the time to make sure that the datasets you feed into it are as cleansed and optimized as possible, mistakes can happen, whether intentional or not.  For example, if you have a meeting recorded, the transcript can mis-hear a word or attribute a remark to the wrong speaker in a way that conveys a very negative connotation.  Thus, before the transcript is ever released to the team, it is imperative that you double-check the language first to make sure that all is good.

2)     The right to use it or not:

Very often, it is the originator of the meeting who has the option to launch a recording session or not.  Unfortunately, the other members who have been invited do not have that option.  Thus, if an employee does not like the idea of being recorded, they may still feel forced into it, especially if the meeting originator is their boss and wants to use it.  Although the recording mechanisms very often do notify the participants ahead of time that the conversation will be recorded, a quick fix is to have the meeting originator reach out to each team member beforehand to make sure it’s OK that they are being recorded.  If the majority say no, then it will be time to do things the old-fashioned way, by having a professional minute taker present to take notes.

3)     Data exfiltration:

In today’s world, many online meetings occur in which private and confidential information is shared amongst the members.  The thinking is that since everybody knows each other, all is good.  Unfortunately, this is far from the truth.  The transcript and recording are stored somewhere, usually in the vendor’s cloud, and that storage is a plausible target for a Data Exfiltration attack.  When we hear about exfiltration, we often think of databases being hacked into, and we forget about the other places where data is saved, including the output of video conference meetings.  The Cyberattacker is fully aware of this, and so makes it a target.  While there is no sure fix, the best thing you can do is to make use of the tools that your Cloud Provider gives you to classify and monitor this data.  One example is Microsoft Purview, which can apply retention and data loss prevention policies to the recordings and transcripts that Teams stores in OneDrive and SharePoint; note that its features are licensed through specific Microsoft 365 plans and add-ons rather than being included in every Azure or M365 subscription.

4)     Third party usage:

Many of the vendors that create AI based products and services very often, and quietly, use the data that you submit in order to further refine the models they are building.  This is also true of the recordings of video conference meetings and the transcripts that come out of them.  A good example is the 2023 Zoom episode, in which updated terms of service appeared to give Zoom the right to train AI models on customer content; after a public backlash, Zoom said it would not do so without consent.  (Zoom had already paid roughly $85 million in 2021 to settle a separate privacy class action.)  More details on the terms-of-service reversal can be found at this link:

https://www.darkreading.com/cybersecurity-analytics/following-pushback-zoom-says-it-won-t-use-customer-data-to-train-ai-models

While you can’t have direct control over what is collected initially, make sure that you read all of the licensing and end user agreements carefully, and in particular whether the vendor reserves the right to train on customer content and whether that can be turned off at the account level.  And if, after you start using the AI recording tool, you feel that the data is being misused in this fashion, you do have rights under the data privacy laws, such as the GDPR and CCPA.  But it is always wise to consult with an attorney first to see the specific rights you are afforded under them, and how you can move forward.

5)     Covert participants:

Back in the days of the COVID-19 pandemic, “Zoombombing” was one of the greatest Cyber threats posed to the video conferencing platforms.  While this may have dissipated to a certain degree, the threat is still there.  But this time, given how stealthy the Cyberattacker has become, they don’t even have to make an appearance.  A participant who joined with a leaked link, or a bot admitted under a plausible name, can sit quietly and record the meeting without you ever knowing it.  The controls that actually address this are the ones most platforms already offer: require a passcode or authenticated sign-in for every meeting rather than an open link (a Password Manager is a fine place to keep a long, complex passcode), use a waiting room and admit people by name, lock the meeting once everyone expected is present, and review the participant list for unfamiliar entries or duplicate names.  Where the platform offers end-to-end encryption for the session, turn it on, with the understanding that it usually disables cloud recording and the AI features for that meeting.

My Thoughts On This:

All that I have described in this blog is known technically as “AI Eavesdropping”.  It is also important to keep in mind that this risk is not just born out of the video conferencing platforms; it can happen on any device that has Generative AI built into it.  A good example is the various wearables, such as a Fitbit or a smartwatch with a voice assistant.

As Generative AI continues to evolve at a very fast pace, you, the CISO, should also take responsibility for creating a separate security policy targeted just at Generative AI.  Some of the things that should be addressed are how your company uses the data that is collected by Generative AI tools, how it is stored, who can access it and how long it is retained, and the rights that your employees have if they feel they have been violated.

Sunday, July 7, 2024

3 Golden Ways To Overcome The Flaws Of SOC2 Compliance

One of the biggest issues today in the world of Cyber is that of Vendor Management.  With the world becoming more interconnected by the day, outsourcing certain business processes has become the norm.  For example, a business can find a third-party supplier overseas, or even here in the United States.  But whoever you choose to work with, it is highly imperative that you vet your partner as much as possible, in order to make sure that their level of Cybersecurity comes up to par with what you have.

In this regard, it is the “SOC” reporting framework from the AICPA that is most widely used to confirm how Cyber strong and resilient a potential third-party supplier is.  The acronym originally stood for “Service Organization Control” and now stands for “System and Organization Controls”; there are three different reports in the family, SOC 1, SOC 2 and SOC 3.  It is the second one, “SOC 2”, that is the most common standard for vetting a technology vendor’s security.

From within this, there are two different types of “SOC 2” report, and they are as follows:

1)     SOC 2, Type 1:

This reports on whether the controls the supplier has put in place are suitably designed to meet the Trust Services Criteria (Security, and optionally Availability, Processing Integrity, Confidentiality and Privacy) as of a single date.  It tells you the controls exist and make sense on paper; it does not test whether they actually operated.

2)     SOC 2, Type 2:

This is a much more exhaustive study, and examines both the design and the operating effectiveness of those controls over a defined review period, typically six to twelve months, with the auditor sampling evidence across that window.

But there are three shortcomings of the SOC 2 framework which need to be addressed:

1)     The Scope:

The supplier decides which of the Trust Services Criteria and which systems are in scope.  Unless the business seeking the report insists on it, the system that will actually hold its data may be out of scope, and criteria beyond Security may be omitted entirely.  Therefore, there is no guaranteed way of finding out from the report alone whether all of the relevant controls are present, let alone upgraded or fully optimized.

2)     The Timeframe:

A Type 1 report describes the controls at one point in time, and even a Type 2 report only covers the review period that ended before it was issued.  It says nothing about what has happened since, and the Cyber Threat Landscape changes on a dynamic basis.  Always check the period end date, and ask for a bridge letter covering the gap between that date and today.

3)     The Subjectivity:

Although the audit itself is performed by an independent CPA firm, it is the third-party supplier that writes the system description, selects the scope, and chooses the auditor, and the auditor tests the controls the supplier says it has rather than the controls you think it should have.  While the business that is vetting potential vendors can give input, there is no guarantee that it will be honored.

So while the SOC 2 framework does offer some benefits, it has its disadvantages as well.  So what can a business do?  Here are some tips:

1)     Create a questionnaire:

Just like insurance carriers now requiring potential policy holders to fill out an exhaustive survey attesting to their controls, you should do the same for the third-party suppliers that you are scoping out.  But take this one step further.  After they have filled out your questionnaire, have an outside auditor validate the answers against evidence, and compare them against the exceptions and the complementary user entity controls listed in the SOC 2 report itself.

2)     Do more exhaustive testing:

In this regard, require that the potential third-party suppliers conduct both Vulnerability Scanning and Penetration Testing on the systems that will handle your data, and ask to see the summary findings and the remediation status, not just a letter saying a test was done.

3)     Have airtight contracts:

Once you have selected a third-party supplier, it is absolutely critical that the contracts you have them sign are completely “airtight”.  In practice that means written representations and warranties that the needed controls are in place and will be maintained, a right to audit, a defined breach notification window, and remedies if they fall short; a contract cannot put anyone under penalty of perjury, so the teeth have to come from those clauses.  Your goals and expectations need to be clearly spelled out here as well.  Always get a reputable attorney to draw up these contracts for you; don’t rely on a Generative AI tool like ChatGPT to do it.

My Thoughts On This:

Although risks can still happen, it is up to you in the end to select the third-party supplier that not only best meets your needs, but whose level of Cybersecurity is also on par with yours.  In the end, if they are the victim of a Data Exfiltration attack involving your customers’ data, regulators and customers will hold you responsible for it, not just them.

Finally, it is equally important that you maintain a clear and transparent line of communication with them, especially when it comes to sharing Cyber Intelligence about Threat Variants that could be coming down the road.

Thursday, July 4, 2024

How Even The Smallest Of Nations Can Create A Rock Solid Data Privacy Law

Just recently, I submitted a book manuscript which covers the tenets and provisions of all of the major data privacy laws, including the GDPR, CCPA, etc.  The basic thrust of all of them is to make sure not only that organizations are doing their very best to ensure the controls they have implemented safeguard the datasets to the maximum extent possible, but also to give the owners of that data a strong voice as to how it is used.

Many states here in the US have adopted their own version of a data privacy law, with other countries following suit as well.  The latest addition is Papua New Guinea.  I have heard of it of course, but I had to Google where this country is located.  It is in the southwestern part of the Pacific Ocean, and the largest country within close proximity of it is Australia.

The policy that they have created and approved is called the “National Data Governance and Data Protection Policy 2024”.  It is a national policy rather than an Act of Parliament, so it sets the direction for the legislation and regulation that are to follow.  The exact text can be downloaded at this link:

http://cyberresources.solutions/blogs/PNG_Data_Privacy.pdf

There are seven major sections to it, but here is a summary of some of the major highlights:

*The role of data protection does not rely solely on one entity.  Rather, it is a shared responsibility between government agencies, businesses, academia, non-profit entities, etc.

*The goal of the country is to establish a “Digital Infrastructure” of sorts, which will allow digital assets to be connected with one another, especially as the IoT revolution sets in with the population.

*Cyberattacks are now happening much more frequently to the smaller nations in the Pacific Rim, therefore a strong policy like the one mentioned here is absolutely needed.

*Cyber resiliency is a must for Papua New Guinea, therefore it is the goal of this new policy to establish the framework to make this a reality.

*Transparency with the public is a must in order for any kind of data privacy action to take place, and this new policy helps to ensure that this actually does happen.

*One of the more macro goals of this policy is to extend the reach of the Cyber frameworks developed by Papua New Guinea into the international arena.  For example, it is engaging with the following:

*The Global Cross-Border Privacy Rules (CBPR) Forum (more details can be found here:  https://www.commerce.gov/global-cross-border-privacy-rules-declaration)

*The government of Papua New Guinea is also working on a Memorandum of Understanding with the government of Japan in order to participate in the cyber defense exercises Japan has begun running with other Pacific island nations (more details can be found here:  https://www.darkreading.com/cyber-risk/japan-runs-inaugural-cyber-defense-drills-with-pacific-island-nations)

*Even a developing nation such as Papua New Guinea can be a strong foe against the Cyberattacker groups.
Finally, this new policy has eight major objectives, which are as follows:

*Establish Clear Principles

*Strengthen Data Protection

*Promote Data Governance

*Facilitate Data Sharing

*Enhance Data Literacy

*Foster Innovation and Economic Growth

*Ensure Flexibility and Adaptability

*Align with International Standards

Further details about them can be found at this link:

https://www.ict.gov.pg/ndgdpp/

My Thoughts On This:

Here in the United States, we are still struggling with the enforcement of the data privacy laws we have created.  Not only are governments slow to act, but with each state producing its own version, there is way too much confusion about them.  Therefore, we need a central authority and a federally enacted and enforced data privacy law.

Seeing how quickly a developing nation such as Papua New Guinea can put something like this together, we can learn a lot from them.
