Sunday, July 2, 2023

Cyber Protecting Our Most Critical Assets: The Kids Of America

 
This blog today is one that I am very passionate about.  It has to do with how Cyber can protect the most innocent of citizens in our society – our children.  They are undoubtedly the hope for our future in the crazy world we live in today.  Today unfortunately, kids have access to just about everything online, even despite all of the parental controls being put into place.

Because of the high degree of vulnerability that they possess, the Cyberattacker is purposely targeting these youngsters (and it is out of sheer disgust that I have to make that statement).  But it’s not just the innocent children that are being preyed upon; it is also the educational systems that they attend.  Just consider some of these statistics:

*From the time period of 2016-2022, there were more than 1,600 Cyberattacks in our public school system.  More information about this can be seen at the link below:

https://www.k12six.org/map

*Because of all of these Cyberattacks, certain schools in the states of Minnesota, New Hampshire, and North Carolina have had to close down permanently.

Although I might be getting a little political here, the Biden Administration has done far more than what the previous Administration has done in this regard.  But, given the climate that exists right now in DC, trying to get anything passed through Congress  in terms of creating new legislation is taking forever.  But in the meantime, the private sector in Corporate America has to take a much bigger role.

Here are three proposed steps that can be taken:

1)     Teach the teacher:

In this blog, the age group that I am referring to are the K-6 years.  Here teachers not only have a horrendous amount of responsibility to their students, but they have to make sure that the kids remain safe as much as possible while they are in school.  And yes, this even includes what is known as “Cyberbullying”.  But how can the teachers try to protect the kids in this aspect if they have no experience in it themselves?  The key here is that they need to be educated in this also.  I firmly believe that the CISOs in Corporate America need to really step up to the plate and offer Cyber training to these teachers.  My belief here is forget how much money you are going to charge, but rather do it on a pro bono basis out of the goodness of your heart.

2)     Integrate into the curriculum:

Once the teachers have been taught some of the basics of Cybersecurity, then the governing body of the school districts should then mandate that the same needs to be taught to the kids.  I fully realize that this could be a very difficult task to do, as the attention span of kids is very short.  They are not going to care about Encryption, Cryptography, or anything like that.  Rather, you need to make it into a game that they can easily understand and play with for some time.  There are actually free resources out there that teachers can use, and probably one of the best ones to use is:

https://cyber.org/standards

 
Here is also another great resource from CISA:

https://www.cisa.gov/protecting-our-future-cybersecurity-k-12

3)     More partnerships with the higher education sector:

With this, I mean that the K-6 school districts should try to form partnerships with the colleges and universities that are currently offering Cybersecurity degrees, or those that have invested a good chunk of $$$ into research.  Likewise, the colleges and the universities should do the same.  In the end, this is a win-win benefit to all.  The K-6 schools will be able to gain access to first class Cyber assets at a fraction of the cost it would take to get it from the private sector. Also, the colleges and the universities can in turn offer summer camps to these kids so that they can be kept busy and their minds stimulated.  Who knows, maybe the seeds will be planted into them to perhaps explore Cyber as a possible career option?

My Thoughts On This:

The problem of the lack of Cybersecurity in K-6 stems from differing areas, but here are the common ones:

*Lack of funding:  Schools desperately need money, so hopefully the Biden Administration can do more to speed up the process.  Perhaps even sign an Executive Order?

*The lack of skilled workers.  This once again goes back to the issue of the idiotic and stupid hiring managers only wanting a certain skillset.  But get over this.  You can also train somebody if they have some baseline knowledge, are motivated, and most importantly, are willing to learn.  But the schools need to pick up hiring in this aspect as well.  But once again, money is very tight.  Perhaps even hiring contractors could be a solution as well.

*As stated before, Corporate America has to do a lot more.  Forget about the bottom line on this one, CISOs.  Whatever happened to the part of your civic responsibility???  Businesses have to do more to help the K-6 school districts, even if it is on a pro bono basis.

As for what I am doing, I have launched a new company that will be offering Cyber teaching to colleges, and yes, even the K-6 schools as well.  I really don’t care about the money in this situation.  What matters to me the most is that I can give back what has been given to me.  If I can help protect just one kid from Cyberbullying or a Cyberattack, I will feel my mission has been partially accomplished.

Saturday, July 1, 2023

How A CISO Needs To Handle PR After A Data Breach: 3 Golden Tips

 
As I mentioned in one of my earlier blogs last week or so, it is data that is the lifeblood of any business today.  Whether it is quantitative, qualitative, Big Data, you name it, it is what makes Corporate America move forward.  The same can even be said of AI and ML systems.  They need data (and large amounts of it) in order to get the job done for you. 

But the Cyberattacker, seeing how valuable all of this is, has now made stealing it one of their top priorities.  This is technically known as “Data Exfiltration”.

Typically, this happens on a very covert level, and in fact, you probably won’t even recognize that it is happening to you.  The primary reason for this is that the Cyberattacker is taking it out very slowly, so that no alarms or warnings are triggered. 

But you won’t realize that you have become a victim until it is too late.  At this point, it is quite likely that the Cyberattacker will attempt to launch an extortion attack, or even to sell the heisted data sets on the Dark Web.

Now, consider this statistic:

In 2022, there were almost 2,000 instances of Data Exfiltration that impacted almost 422 million victims, both individuals and businesses.  This is according to the latest market research report from the Identity Theft Resource Center.  More information on this can be seen at the link here:

https://www.idtheftcenter.org/post/2022-annual-data-breach-report-reveals-near-record-number-compromises/

In the end, we can all become victims of a data breach.  It’s just the way that the world has become.  But now the key thing to do here is to try to be as proactive as possible, and to mitigate those risks from happening to you.  But suppose you are impacted by this?  What do you do?  Well, in terms of a business, here are some steps to follow:

1)     Notify your customers:

The first thing that the Cyberattacker is going to go after are the PII datasets of your customers and even your employees.  So once the “aha” moment comes and you realize that you have been impacted by a security breach, you need to immediately contact your customers.  If your company is small enough, the best approach here would be to personally contact all of your customers and let them know what happened.  Or the next best alternative is (if a lot of them have been impacted) to send each one of them an email and a snail mail letter.  But don’t make this a last priority.  It should be your first!!!  Why I say this is that not only is it both your legal and moral obligation to do this, but by quickly notifying your customers, they will feel that you really do care about them, and the probability will be higher that they will stick with you.  If you don’t take this approach, you might as well say goodbye to all of them.

2)     Inform all relevant stakeholders:

When I say “stakeholders”, I am referring to your C-Suite, Board of Directors, third party suppliers, shareholders, etc.  They too deserve to know what has happened, and how corrective actions are being taken.  But with this group of people, you can divulge more information, which should include the following:

 
*What datasets were stolen

*How they were stolen

*Details of all of the parties that have been impacted

*When the security breach actually happened

*How quickly your IT Security team responded

*What immediate corrective actions have been taken

*If law enforcement and the relevant regulators have been informed

*What steps have been taken to take care of customers (such as have they been notified, are they being offered free credit reports, etc.)

*How the impacted parties can reach out to get more information

In this aspect, it is important to keep in mind that each state has its own laws about notifying impacted parties, but this is no excuse.  As a CISO, it is your responsibility to alert individuals that have been affected!!!

3)     Take responsibility:

If you have been hit with a security breach, apart from notifying the relevant parties (as just described), you also have to make a public statement about it as well.  This is where you, the CISO, need to take full accountability and responsibility for what has happened.  After all, you are the captain of the ship that is trying to protect the most valuable assets of your business.  Don’t “pussyfoot” about it, or try to point the fault at others.  Just come out, say what happened, and accept it.  This will carry a long way in the eyes of the public and in terms of your brand image/reputation, rather than trying to hide and lie about things.  In fact, a recent study has shown that 25% of customers are very unforgiving of a company if they are not told the truth about what has happened, when it comes to a security breach.  More information about this can be seen at the link below:

https://www.aflac.com/docs/about-aflac/csr-survey-assets/2019-aflac-csr-infographic-and-survey.pdf

My Thoughts On This:

Finally, as the CISO, you need to go far beyond the minimum of what the law and data privacy regs mandate that you must do.  You really have to bend over backwards and help all of those that have been impacted.  In fact, these kinds of processes should be included in your Incident Response Plans.

 
Thursday, June 29, 2023

Stopping Ransomware At The Hardware Level

 
When the COVID-19 pandemic hit, all broke loose on the Cybersecurity Threat Landscape.  For instance, many new threat variants emerged, and old ones resurfaced.  But probably the biggest threat to evolve was that of Ransomware.  As we all know, this is where a Cyberattacker literally holds your device hostage, and encrypts all of the files that are contained within it.  The only way to recover it is if you pay a ransom, usually by Bitcoin.

But again, this is no guarantee at all.  Only a very small handful of Cyberattacker groups actually delivered on their promise, and sent out the decryption keys to the victim.  Ransomware attacks have now become even deadlier, with the Cyberattacker selling PII datasets on the Dark Web, or even worse, launching extortion-like attacks.

What can a business owner do?  Well in today’s podcast, we have the honor and privilege of interviewing Tom Ricoy, the Chief Revenue Officer at a Cybersecurity firm known as Cigent.  They have created many solutions so that you, the SMB owner, can mitigate the risks of a Ransomware attack.  Find out more by listening to this podcast, and the download link is right here:

https://www.podbean.com/site/EpisodeDownload/PB1445D1E72SC2

 
Wednesday, June 28, 2023

How To Leverage Automation to Optimize Cyber Risk Management

 
As the Cybersecurity Threat Landscape grows in terms of sophistication, covertness, and stealthiness, one theme remains constant:  Gauging what your risk level is.  To many different individuals and businesses, this will have a very different meaning and approach.  Part of the problem why Cyber Risk is such an ambiguous term is that both quantitative and qualitative factors can be taken into consideration.

Some companies cannot handle any kind of risk, while others can withstand a lot more, and not bear so much of a financial burden in the end.  But just as much as trying to define it is complicated, is calculating what your level of Cyber Risk actually is.  There are many methodologies available that one can choose from, but even this can be confusing as well.

So where does one get started?  Well, in this podcast, we have the honor and privilege of interviewing Padraic O’Reilly, the Co Founder and Chief Product Officer of Cyber Saint Security.  He and his team have created a number of tools and solutions with which you can easily calculate the Cyber Risk of your company.  Find out more by downloading the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB1444039ZA5JD

Saturday, June 24, 2023

The Top 3 Cyber Risks Of Latent Data

 
There is no doubt that businesses today are facing uncertain times.  A lot of this has been due to the layoffs in the tech sector, and the persistent interest rate hikes by the Federal Reserve to keep inflation lower, and keep it at bay.

But one thing is also for certain, the growth of AI and ML has picked up its pace very quickly since the beginning of this year, and a lot of that has been driven by the evolution of ChatGPT. 

But what people fail to realize is that both AI and ML need to learn.  In other words, they need to be given a baseline from which they can literally learn something, and from there, try to predict the outcomes of an issue or an event, or to simply answer a query that an end user could pose to ChatGPT.

But in order to do this, it all takes data, and tons of it.  This can be compared to putting fuel in your car.  If you don’t have any, you of course will not go anywhere. 

This is the same with AI and ML.  They need data as their fuel to keep their algorithms and models running on a real time basis. 

This can be in the form of structured data (which is quantitative in nature), or unstructured data (which is qualitative in nature).  But what the actual datasets need to be will depend upon what the AI/ML application has been designed to do.

The world of Data Science is truly a unique one, and in fact to get off of the subject a little bit, this is where the majority of jobs will be in the future.  But there are different kinds of data (apart from the ones just mentioned). 

For example, there is Data at Rest, Data in Motion, and Data in Transaction.  To make life even more confusing, there is now even a new piece of data classification that has been emerging out of the woodwork.

This is known as “Dark Data”.  What is it, you may be asking?  Well, a technical definition of it is as follows:

“These are the information assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes (for example, analytics, business relationships and direct monetizing).”

(SOURCE:  https://www.gartner.com/en/information-technology/glossary/dark-data)

In other words, put in simpler terms, this is the information and data that is not being used by a business.  In other words, it is simply being stored for no useful purpose.  One might wonder why a business would do this, but it is hard to give an answer. 

Obviously, they have their own reasons for doing this, and it is something that would not be public information.

One of the biggest issues of storing Latent Data is the sheer cost of storage that can add up quickly.  For example, if you have On Premises Infrastructure, you have finite resources.  But if you have your IT and Network Infrastructure based in the Cloud (such as AWS or Azure), you will have many resources at your disposal to store these datasets.

Although the Cloud offers you both elasticity and scalability in this regard, using more storage will also add up to your monthly bill.  To give you a point of example of this, it has been quoted that Netflix has spent nearly $10 Million per month on storing Latent Data.  (SOURCE:  https://www.comparitech.com/blog/vpn-privacy/netflix-statistics-facts-figures/).

Another key issue to keep in mind is that even if you are not using these kinds of datasets, simply storing them for indefinite periods of time will also make you subject to the scope of the various data privacy laws, such as the GDPR, CCPA, HIPAA, etc.  This will mean that you will have to make sure that you have implemented the right kinds of controls to protect these datasets.

If you don’t and they have been leaked out, you will not only be the subject of an audit, but you could also face very stiff fines and penalties as well.  For example, under the GDPR, this can amount to up to 4% of your total gross revenue.  Now, that is a huge chunk of change, IMHO. 

Third, there is a huge risk that simply having data around for no useful purpose whatsoever will make it prey to the eyes of the Cyberattacker.  In fact, this would be a very easy target to go after.  If he or she gets hold of it, they can use that to launch ID Theft attacks, sell it on the Dark Web, or worse yet, make it publicly available in an extortion-like attack.

By having this “useless” kind of data, not only are you putting your employees and customers at grave risk, but you are also risking your complete brand image if you do experience a data leakage issue, whether it is intentional or not.

My Thoughts On This:

Simply put, keeping any sort of extraneous datasets around is a huge risk to bear.  Not only can it be costly, but it can even lead to potential security issues, as just reviewed.  So what is the best way out of this situation?  Just simply delete whatever you don’t need or use.

For example, if you have launched a recent marketing campaign, and have already used the information and data that has been collected from it, there is no use having it around.

Remember, datasets can lose their value to a company quickly over time, because they have not been updated.  Updating them can also be a costly proposition if you intend to, but have no solid business case to do so.

But, if you do intend to get rid of Latent Data, make sure you hire a data destruction company to do it.  Have everything documented in case you do ever face an audit from a regulator.

Automatic Vs. Autonomous Vs. Human Penetration Testing: Which Is Best???

 
Just last night, I finished and submitted my final manuscript for my 12th book.  It is all about Ransomware and Penetration Testing.  We all know to varying degrees how dangerous Ransomware can be, but believe it or not, it has been around for the last 30 years or so. 

In fact, the first Ransomware attack was delivered using a floppy disk.  But this threat variant has evolved into something that has become extremely dangerous and costly.

For example, the Cyberattacker of today is not just locking up your computer and encrypting your files.  Rather, they are now threatening extortion like style attacks, where they will expose your PII datasets if you don’t pay up. 

Or worse yet, they can even sell it on the Dark Web.  But as I stated in the book, we all are at risk of becoming a victim of Ransomware; the key is in learning how to mitigate that risk from actually happening.

One of the best ways to do this is through what is known as a Penetration Test.  This is where you hire a team of individuals, or even a company that specializes in doing this, and they literally try to break down your walls of defense.  In other words, they try to take the mindset of an actual Cyberattacker, and try to launch and throw everything and anything they have towards your IT and Network Infrastructures. 

You may be asking at this point why go through all of this?  Well, this is about the best way to truly find out where your weaknesses and vulnerabilities are.  In many ways, it’s like a cardiologist conducting an angiogram on your heart.

They will not truly know where the blockages are until your heart is illuminated with the special dye.  Then from there, the course of proper medical treatment can then be followed.

The same thing goes with a Penetration Test.  A tester will not know what kinds of remediations and controls that you need to put into place to cover your gaps until they do the needed testing.  But it is very important to keep in mind that this is all what is known as “Ethical Hacking”.

In other words, the Penetration Testing team not only needs to have your explicit permission to do all of this, but you and they have to sign a contract.  And, if the Penetration Testing team feels that they need to do more tests, then they will have to explain the objectives and also ask for written permission in that regard.

Personally I have never done a Penetration Test, but I have heard stories about it from people I know that actually do them.  But this morning, I came across a very interesting article from an individual that does this kind of work, and he offered three tips of free advice on how to keep your business safe.  Here they are:

1)     Adopt the Zero Trust Framework:

This is one of the biggest buzzwords in the Cyber industry today, and the basic mantra of this is to “Never Trust, Always Verify”.  What it all comes down to is that no employee in your business should be trusted when it comes to access of shared resources or PII datasets.  This even transcends down to your employees that have been with you the longest.  Anytime that anybody wants access to something, they have to be verified.  But the key here is that this happens with at least three or more different authentication mechanisms.  These include a password, a PIN number, an RSA token, or even Biometrics.  Another part of the Zero Trust Framework is to break out your IT and Network Infrastructures into different zones or segments, each with their own layer of defense, using Multifactor Authentication.  So essentially you are breaking away from the traditional Perimeter Defense model, which is so easy for a Cyberattacker to break into these days.  Although this is all heavily preached, it is rarely practiced in the real world.  According to a recent survey in the online magazine called “CIO”, only 25% of organizations have actually deployed this new approach.  More information about this can be seen at the link below:

https://www.cio.com/article/230351/network-segmentation-as-security-imperative.htm

The key takeaway here is that you should have the right mix of controls in place, both from a logical and physical perspective.

2)     Keep your IT/Network Infrastructure Modern:

By this, I don’t mean that you should buy everything out there that has come out.  But keep your systems and devices all updated with the latest patches and upgrades.  This includes firmware.  Whenever you get that “End of Life” notice, it is time to start thinking of replacing your hardware.  Most vendors are pretty good at giving you advanced notice about all of this, and I know for a fact that Microsoft gives customers at least 12 months’ notice before anything comes to this extent.  But even after this, there is still usually a small grace period in which full support is still provided.  The best solution here is to use the Cloud, like Azure.  With this, you don’t even have to be concerned with applications running out of a service life.  Microsoft takes care of all of that for you.

3)     Monitor your logs:

Probably the best way to find out if anything is awry is to keep a constant check on the log files that are output by your network security devices.  Now, this may sound like a horrible and tedious chore to do, but you can automate this entire process, by using both AI and ML.  For example, they can filter through all of the logs, and alert you and your IT Security team to any abnormal behavior in network traffic patterns.  Also, they will be able to filter out all of the false positives that come in.  That way your team can focus on what is real and legitimate.

My Thoughts On This:

There are also many new buzzwords that are coming out in Penetration Testing, and they are “Automatic” and “Autonomous”.  Many Cyber vendors of today are trying to deploy software packages that can conduct Penetration Testing on their own, proclaiming the fact that human intervention is not needed.  Now, I have to put a disclaimer here. 

I have not personally tried out these tools myself, but if I were having a Penetration Test, I would still want an actual, real live human being doing it.

I am all for automation for certain parts of a Penetration Test, but you cannot rely on just that solely.  You still need that human presence to walk you through what was discovered, and what the remediations are to fill up your gaps and vulnerabilities.

Saturday, June 17, 2023

The Problem With Borderless Data: How To Come Into Compliance

 
In today’s times, one of the biggest issues in Cyber is that of protecting data, especially that of customers and employees.  These can also be referred to as Personally Identifiable Information (PII) datasets.  Just about every company, large and small, in Corporate America is always scrambling to figure out the best ways to not only protect them, but also to make sure that they are not leaked out, intentionally or not.

In this regard, many of these companies are also starting to realize that maintaining databases On Prem is probably not the best way to go.  So, the mass migration to the Cloud has begun, such as to AWS or Azure.

The primary reason for this is that these Cloud providers can offer customers the latest in cutting edge technologies when it comes to creating databases, as well as free tools when it comes to protecting them.

But best of all, when compared to an On Prem database, these solutions are a lot more affordable in terms of price, and it is up to the Cloud provider to keep your databases updated and secure.  But keep in mind that you are still 100% responsible for configuring any database that is deployed in the Cloud to your own security requirements.  That is not the duty of AWS or Azure.

But despite this, there still remains a large issue.  For example, what if a US based business also has offices, employees, and even customers in another country, such as the European Union?  Who owns this data, and most importantly, how will this business come into compliance with the data privacy laws for that particular country?

This is where some serious problems come in.  While once again, the Cloud is a great venue, the lines become extremely blurred as to how the data is geographically stored.  While AWS and Azure do give you a choice of the geographic area in which you want to house your database, it is very general in nature.

For instance, it will only ask you if you want to have it in Europe, Australia, a certain part of the US, etc.  You really do not know what the exact physical location of your database server is.

The Cloud providers do this primarily because of security reasons, obviously.  But it is no help to the business, as they are trying to figure out which data privacy law they need to come into compliance with.

The most famous of these is the GDPR, and this was passed and enacted five years ago.  In fact, this law remains as the de facto standard, and it is from this, that many of the other data privacy laws have emerged, and as of today, there are well over 130 of them on a global basis.

Complicating this matter even more is that in order to get the most affordable price for their Cloud deployment, many companies often choose what is known as a “Shared Hosting Plan”. 

Although you will have the look and feel of your own server (you will get a dedicated control panel), the truth of the matter is that your virtual server is actually stored on one physical drive, which houses many other virtual servers, owned by other businesses (these are also known as “tenants”). 

So how do you know that there is no cross talk or spill over from one tenant to another?  There is no guarantee in this, and in this instance, you are left to the mercy of the Cloud provider to prevent this from happening.  So, while you may think your database is being hosted in Europe, how do you know which country it actually resides in?

Once again, the Cloud providers are very elusive in providing this kind of information.  In the end, the business owner needs to know, so they will know which specific data privacy law affects them, and how they need to come into compliance with it as well.

Now while the Cloud can offer great cost savings upfront, the rest is made up by the business having to shell out huge amounts of money in order to make sure that they have implemented the right controls as mandated by the data privacy law to protect the datasets. 

But once again, if a business does not know at least the general vicinity of where their data is being stored, how will they know which law to follow?

One of the primary reasons why companies are in such a huge rush to come into compliance is not only the damage to brand reputation in case of a security breach, but also it is the fear of the audits.  For example, if a regulator from the GDPR decides to audit your controls, and finds that they are not adequate enough, the company in question can be fined as much as 4% of their entire gross revenue. 

Now, that is a huge chunk of change.

The most recent example of this is Meta, the famous parent company of Facebook.  They were fined a whopping $1.3 Billion because of not having the right controls in place to protect the PII datasets of the customers in the European Union.  More information about this can be found at the link below:

https://www.darkreading.com/endpoint/meta-hit-1-3b-record-breaking-fine-gdpr-violations

And guess which data privacy law the fine was imposed by?  Yep, you got it, the GDPR.  But now here comes a new problem:  The advent of both AI and ML.  For any kind of business, or no matter how large or small they might be, harnessing datasets can be a very time consuming and laborious task, if it is done by human beings. 

Of course, nobody has that kind of time.  So as a result, many businesses are now relying upon AI and ML to automate the processes of going through the datasets, and manipulating them to find any intelligence or unseen trends.

Because of this, not only does the storage of data become an issue but even where it is being processed becomes a whole different ballgame.  For example, what if a US business has the actual data stored in Germany, but the actual processing of it takes place in California?

Now, they have to deal with two sets of data privacy laws, not only the GDPR, but also the CCPA.  This not only adds more confusion, but even more expense as the business tries to come into compliance with both sets of laws.

In the end, the technical term for all of this is “Borderless Data”.  For more insight into this, click on the link below:

http://cyberresources.solutions/Blogs/Borderless_Data.pdf

My Thoughts On This:

This of course is by no means easy to resolve.  Probably one of the best ways forward is for the Cloud provider to be more transparent with the Cloud tenants about the geographic location where the databases are being hosted.  This does not have to be public information, and the Cloud provider can (and should) disclose this to a trusted officer of the tenant.

Another option would be to offer one location where all database creation and processing will take place.  For instance, if the business picks one datacenter in the US, at least they will have a much better idea of which data privacy law to follow.

But for the time being, what makes this matter even worse is that each state is now coming up with their own data privacy laws, with different provisions attached to them.

So, this once again brings up the question of centralizing all Cyber efforts into one place, at least here in the United States. Is it time now for the Department of Cybersecurity to do this?  It may very well happen.  Stay tuned.
