Saturday, October 28, 2023

6 Golden Aspects Of A Good Cyber Hygiene Plan

 


Introduction

The world of Cybersecurity is bandied about with a bunch of big buzzwords, techno jargon, etc.  One of these is the term “Cyber Hygiene”.  It has become much more prevalent as the COVID19 pandemic continues, and the Remote Workforce is now a guaranteed happening for the long term.  This is the focal point of this article.

What Is Cyber Hygiene?

In a general sense, Cyber Hygiene means that all employees of a business, even up to and including the C-Suite, must follow a set of best practices in order to make sure that all devices and digital assets are protected from being a Cyber target. 

With the advent of the Internet of Things (IoT) and just about everything being connected together, the attack surface has greatly expanded.  Thus, the need to be proactive is a must these days, and not just something that gets checked off a list at a later point in time.

The Cyberattacker of today has become extremely stealthy and covert. In fact, they find the weaknesses of an unsuspecting victim merely by building up a profile on them with information that is publicly available, primarily from Social Media Sites. 

In other words, your business and employees could very well be watched without anybody knowing it until it is too late.  This is yet another reason why maintaining a strong level of Cyber Hygiene is more critical than ever.

How To Maintain A Strong Level of Cyber Hygiene

The following are some tips to help your employees maintain a proactive mindset when it comes to Cyber Hygiene:

1)     Conduct an inventory of all of your assets:

This not only includes digital assets, but physical assets as well.  Remember, the Cyberattacker is going to go after those crown jewels that are the most vulnerable and least protected in your organization.  Therefore, your IT Security team needs to conduct an inventory of everything you have, and from there, complete a Risk Assessment and rank the assets on a categorization scale.  This will then give you a good idea of which assets are most prone to a security breach and which are the least likely to be hit.  Those that are deemed to be the weakest should of course have the strongest controls associated with them.

2)     Teach your employees about passwords:

You need to train your employees about how to keep their passwords safe.  This includes not sharing them with other coworkers, and not using a slight variation on an existing password when it comes time to reset it.  But most importantly, tell them about the dire need now to create long, complex passwords by making use of a Password Manager.  With this, these kinds of passwords can be created instantaneously, without your employees having to remember them.  Also, they can be reset on a prescribed time schedule, which is based upon your security policies.

3)     Always update your systems:

This is probably one of the oldest security rules to be found in the books.  But despite this, many organizations fail to heed it until it is too late.  Therefore, your IT Security team needs to make it an almost daily practice to keep checking for the latest software updates and patches, and deploy them as needed.  But one key thing has to be remembered here:  As far as possible, always test these patches and upgrades in a sandboxed environment first, before they are released into your IT and Network Infrastructure.  This extra practice is to help ensure that what is about to be applied will actually work in your environment, and not create an even bigger security nightmare.

4)     Keep an eye over what is assigned:

This simply means adopting the principle of Least Privilege:  Give your employees only the bare minimum of rights, privileges, and access that they need to get their job done.  This even includes the members of your IT Security team.  But there is one thing that you also need to keep your eye on: a sudden escalation in the administrative rights that have been given to an employee.  This means that either they somehow did this themselves (which could also be indicative of an Insider Attack that is about to take place), or a Cyberattacker has gained access to the database where all of the user profiles are stored.  Therefore, you need to keep a vigilant eye out for this.  Any escalation in privileges should occur only after a review of the request has been done, and only if the employee really needs it.
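To make the "keep an eye on escalations" point concrete, here is an added example (not code from the original post) that reviews constructed group-membership change events and flags additions to privileged groups that were either self-granted or never went through an approved access request. The log format, group names, user names and the approved-request list are all assumed for the demo.

```python
"""Audit group-membership changes for privilege escalations that bypass review.

Added example, not from the original post. The log format, group names,
user names and the approved-request list are all constructed for this demo.
"""
import re
from dataclasses import dataclass

# One line per membership change; this format is assumed, not a real product's.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) actor=(?P<actor>\S+) action=add_member '
    r'group="(?P<group>[^"]+)" target=(?P<target>\S+)$'
)

# Groups whose membership confers administrative rights (constructed).
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}

# (user, group) pairs that went through the access-request review (constructed).
APPROVED_REQUESTS = {("dave", "Backup Operators")}

# Constructed sample log: one approved change, one self-grant, one helpdesk
# change (not privileged), one unreviewed change, and one malformed line.
SAMPLE_LOG = """\
2023-10-28T09:12:03Z actor=admin.jane action=add_member group="Backup Operators" target=dave
2023-10-28T09:40:17Z actor=bob action=add_member group="Domain Admins" target=bob
2023-10-28T10:05:44Z actor=admin.jane action=add_member group="Helpdesk" target=erin
2023-10-28T11:30:02Z actor=svc-deploy action=add_member group="Domain Admins" target=carol
garbage line that does not match the expected format
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    target: str
    group: str
    reason: str


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_escalations(events, privileged=PRIVILEGED_GROUPS, approved=APPROVED_REQUESTS):
    """Flag additions to privileged groups that were self-granted or unreviewed.

    A self-grant (actor == target) is reported even if a request exists, since
    the person gaining rights should never be the one approving them.
    """
    findings = []
    for e in events:
        if e["group"] not in privileged:
            continue  # ordinary group: no escalation of administrative rights
        if e["actor"] == e["target"]:
            reason = "self-granted"
        elif (e["target"], e["group"]) not in approved:
            reason = "no approved request"
        else:
            continue  # reviewed and approved: an expected change
        findings.append(Finding(e["ts"], e["actor"], e["target"], e["group"], reason))
    return findings


def audit(text=SAMPLE_LOG):
    """Parse, review and return (target, group, reason) tuples for each alert."""
    return [(f.target, f.group, f.reason) for f in review_escalations(parse_events(text))]


if __name__ == "__main__":
    for target, group, reason in audit():
        print(f"ALERT {target} added to {group!r}: {reason}")
```

In practice the events would come from your directory or IAM audit log and the approved list from your ticketing system; the review logic stays the same.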

5)     Get rid of old equipment:

This is also technically referred to as “End Of Life”.  This means that the hardware or software that is used in the device is no longer supported.  In other words, there will no longer be any software upgrades or patches available for them.  Obviously, this can pose a grave Cybersecurity risk to your company.  But don’t just get rid of them by throwing these out-of-date devices into the trashcan.  Rather, make use of a data destruction company that can properly purge any information and data, and dispose of them in a safe and secure fashion, so that they are not vulnerable to Dumpster Diving attacks.

6)     Have Security Awareness Training:

This is also one of those things that you hear about on a daily basis, and unfortunately, most CISOs still disregard the importance of it.  With the bulk of the American workforce still working from home (WFH), this kind of training is now even more important than ever before.  There are many ways that you can go about implementing this, but the key here is to make the training engaging and to test the employees to make sure that they are taking it seriously.  A good example of this is Phishing training.  After you have explained what it is and how to recognize a rogue email, conduct a mock Phishing campaign to see which of your employees still fall for the bait.  Those that do should be retrained, with a much stronger emphasis on the seriousness of it.

Conclusions

Overall, this article has provided you with some tips as to how you can maintain a good level of Cyber Hygiene for both your business and employees.  Obviously, there are more action items that need to be taken into consideration, but this list is a good start.  In the end, we all are prone to becoming a victim of a Cyber-attack, but by having a strong level of Cyber Hygiene, that risk should be greatly mitigated.

Friday, October 27, 2023

Fast Track Back To The 1980s: How Did We Survive Without AI Or Google???

 


When it comes to IT Security, there is one tough job that probably nobody wants to have:  Being the tech support person.  I used to do it a long time ago back in my grad school days, and I got a huge feeling of joy when I knew I made a difference in the day of a customer.  But keep in mind that that is only 20% of them.  The remaining 80% want everything fixed right now, and when you repair something, they show no appreciation for it whatsoever. 

As technology has evolved further, and as people are pretty much working remotely now, the support tech is faced with yet another daunting task:  How to keep employees honest and abiding by the rules, using only authorized tools for their daily job tasks.  This is even harder to enforce when people work from home.  It has been a problem for a long time, and it has become technically known as “Shadow IT”. 

But exacerbating this problem even more now is the explosion of Generative AI, and how people are using it much more often in the workplace in order to meet tight deadlines.  In fact, The Conference Board just conducted a research project on this, and here is what they found:

*56% of employees now use Generative AI, whether it is allowed or not.

*Only 26% of businesses surveyed have an active AI security policy in place.

*Over 30% of employees use Generative AI to speed up their deliverables even though they were not supposed to.

*91% of the IT support techs polled feel pressured to compromise security in order to boost the bottom line by using AI tools.

*Astonishingly, 81% of the tech support reps feel that it is almost impossible to enforce security policies, especially when it comes to using AI.

More details about this study can be seen at the following link:

https://www.conference-board.org/press/us-workers-and-generative-ai

So now, it’s not so much the issue of using non-approved devices or apps; it’s becoming the risk of using Generative AI in the workplace when employees are told specifically not to.  This trend has been appropriately called “Shadow AI”.  So, what can be done about this?  Here are three tips any CISO can adopt and follow:

1)     Let ‘em use AI:

Let’s face it, AI is here to stay, and it is not going anywhere for a long time to come.  So, why not let your employees just use it?  Well, to a certain degree.  You and your IT Security team should find a set of AI apps that employees can potentially make use of.  But before deploying them, first vet them and test them out in a sandbox environment.  Then, tell your workers all about it, and encourage them to use it.  By doing this, you will be showing them that you take their career growth seriously, and by giving them at least something Generative AI related, this should alleviate the temptation of using non-approved AI tools.  But also caution your employees in this regard, and remind them of the consequences if they don’t follow the rules.  Try to emphasize that as much as you are spending on them, they need to reciprocate equally as well.

2)     Educate them:

We all keep hearing every day how important it is to have security awareness training for employees.  The same now also holds true about the use of Generative AI in the workplace.  There are serious risks that can arise from not following the security policies that have been set forth.  Remind them that if they do use unauthorized AI apps, this can have grave consequences not only for the company but even for their jobs as well.

3)     Monitor all activity:

As the CISO, make sure that your IT Security team is monitoring all activity.  There are many tools that can be used to automate this process, and yes, they are AI driven.  LOL. 

My Thoughts On This:

Hopefully by putting the above-mentioned tips into action, your employees should be a happier crowd.  But then of course, there will be those that whine and complain that they have to use Generative AI 100% of the time in order to get their jobs done.  If this happens, throw this question back to them:  How did you make it in high school and college when there was no AI or Google???

That is of course, if they are of that age.

Thursday, October 26, 2023

What Is The Latest In Wireless Security? Find Out Here

 


One of the biggest buzzwords we hear in the Cyber world is that of threat intelligence.  This can have different meanings to just about anybody you ask, but on a global level, it simply refers to the act of collecting information and data to try to predict what future threat variants could possibly look like.  This of course can be a very time-consuming process, but there are other tools now which are available to speed up the process, and this includes the likes of AI and ML.

Every business thinks about protecting their digital assets first. But what about the more tangible ones, such as the wireless connections and smartphones that your employees make use of to do their daily job tasks?  After all, wireless devices still remain a highly prized target in the eyes of the Cyberattacker.  What can be done to fortify your lines of defense in this regard?

Well, in today’s podcast, we have the honor and the privilege of interviewing Dr. Brett Walkenhorst, the CTO of Bastille.  They have created cutting edge solutions for this very scenario.

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB14E0A4CUUTIY

Saturday, October 21, 2023

Are Cyber Table Tops Really Worth It? 3 Reasons Why They Still Are

 


In the blogs that I have written not only for myself, but for paying clients as well, I have developed a lot of content when it comes to testing, Incident Response, Disaster Recovery, Business Continuity, etc.  The common denominator in all of this is that there is some kind or type of technological tool and human intervention that is used. 

But there is yet another way in which a business can beef up its lines of defense without having to use any kind of technology per se.

These are known as “Tabletop Exercises”, which can be defined as follows:

“A tabletop exercise is a discussion-based practice that uses a hypothetical situation to coach a technical or executive audience through the cybersecurity incident response life cycle.”

(SOURCE:  https://www.darkreading.com/operations/top-6-mistakes-in-incident-response-tabletop-exercises)

So as you can see from the above, these kinds of exercises are very much discussion based.  The leader portrays a hypothetical security breach, and the audience is asked to come up with a solution.  While these can be effective to varying degrees, there are a number of key areas that a CISO and his or her IT Security team need to address in order to make Tabletop exercises even more effective. 

Here are the tips:

1)     Involve the entire audience:

It is very important to remember that a Tabletop exercise is not just another college lecture where you have PowerPoint slides and give out notes.  These are meant to be engaging, and in order to make it so, each member has to be involved and give their input.  In fact, this is really very much like a Security Awareness Training program for your employees.  In order to get great participation, you have to make it both fun and engaging.  In other words, you want to make this more of a social event.  If the audience is large enough, break them out into separate teams for even closer collaboration.

2)     Get different groups of people involved:

A cardinal rule of thumb here is never to get the same crowd over and over again.  It is very important that you get different participants all the time, so that you will get varied feedback.  That will be much more meaningful than getting the same answer every time, just phrased in different ways.  For example, perhaps take a representative number of employees from each department that exists in your business.  That should give you some varied answers.  Also remember that Tabletop exercises are not just restricted to employees; you should also get other key stakeholders involved as well.  Consider this like a focus group interview you are conducting to get market research on a potential new product or service you could launch.

3)     Vary up the threat variants:

As mentioned earlier in this blog, the facilitator of the Tabletop exercise usually first starts out with a hypothetical security breach.  But it is also important to keep in mind that you need to mix up the threat scenarios.  For example, in one training session, talk about Ransomware, in the next Phishing, etc.  But always make the threat relevant to the business.  For example, if you choose to use a Phishing based scenario, then give the example of a Business Email Compromise (BEC) attack, and how the accounting team can fall into the trap of responding to a fake invoice.  But also remember not to make the scenarios so depressing for the audience that they simply do not want to respond or give feedback.  It takes a balance here.  Further tips on how to do this can be seen at the link below:

https://www.darkreading.com/edge-articles/designing-tabletop-exercises-truly-help-thwart-cyberattacks

Also remember that by varying your attack scenarios,

My Thoughts On This:

One of the key areas that is extremely beneficial from a Tabletop exercise is the feedback that is solicited from the audience.  Remember to incorporate these into all of your security plans, primarily your Incident Response (IR), Disaster Recovery (DR), and Business Continuity (BC) plans.  But the best lesson learned is to practice them on a real time basis, at least once a quarter!!!

Friday, October 20, 2023

How To Embrace The Era Of Cyber Transformation - 3 Golden Nuggets

 


One of the key buzzwords in Cybersecurity is that of “Transformation”.  Just like the other techno jargon that flies around out there, this term can have different meanings to people.  But broadly speaking, it can be defined as follows:

“A cybersecurity transformation enables you to rapidly reduce cyber risk and confidently adopt new digital technologies that support your strategic goals.”

(SOURCE:  https://www.pwc.com/m1/en/services/consulting/technology/cyber-security/transformation.html)

But in the end, it is the CISO who has to embrace this definition and make it work for their organization.  Of course, being such a broad definition, this is for sure a tall order to fulfill.  So, how can it be done?  Well, one lesson I have learned in life is to break down things into more manageable tasks, and get help when you need it.

So in this regard, here are three steps that a CISO or even a vCISO can take to accomplish this part of their mission.  Here we go:

1)     Get the right people:

Very often, when a CISO gets a new project that is handed down to them, their first inkling is to handle it all by themselves in order to prove their worth to their higher ups.  But this is totally flawed thinking.  The primary role of the CISO (vCISO) is to take the project, but assign it down to the relevant members of the IT Security team (or even other departments as necessary) to get the job done.  Take for example a Disaster Recovery (DR) plan.  Obviously, a CISO cannot write the entire thing by themselves, so you delegate to the different people who can write the different sections, and then compile the entire thing.  Then it is your responsibility, as the CISO, to review the document and deliver the final version to the higher ups.  But most importantly, you will also be responsible for practicing the DR plan on a regular basis to make sure that it is up to snuff, and that the people on the team will react quickly to bring up mission critical processes as soon as possible.  Make sure to spread the knowledge that you have, and always communicate in a clear and concise manner.

2)     Make sure your goals are the company goals:

By this, I simply mean that whatever you are doing, make sure as much as possible that it is also relevant to the entire company and not just to your team.  Take for example the DR plan once again.  Obviously, your IT Security team can’t write it all.  You need to get people from other departments involved (such as HR, Finance, Accounting, etc.) to write their parts as well.  After all, they will be directly impacted by a security breach as well.  Another example would be Cyber security awareness training.  You can’t use a one size fits all approach for this.  For instance, what your IT security team needs to be trained on will have no relevance whatsoever for, say, the HR department.  They need to be trained in the concepts of Social Engineering so they can spot calls coming directly from phony recruiters.

3)     Think of the holistic picture:

This can be considered kind of a repeat of the last one.  But in this instance, once you have been given a project and completed it over the required time period, you need to be asking yourself, “How will the company benefit from all of this?”  Of course, the first thought here is to see how your specific role can benefit from this, and how you can advance.  But in the long term, this is rather a selfish way of thinking.  Instead, think also (and most importantly) about how your entire company can benefit from it.  Ultimately, when you present the final deliverable to the CEO and Board of Directors, they will see the ROI quickly.  And in the end, this will simply be brownie points for you, the CISO.

My Thoughts On This:

I guess the moral of the story here is that for you, the CISO, you need to get away from the siloed way of thinking that is so prevalent in the Cyber industry today.  Working in silos serves no purpose whatsoever in today’s digital age.  By taking the holistic approach and way of thinking, you, your company, and everybody else will advance in the long run.

Saturday, October 14, 2023

To Use ChatGPT Or Not: A Writer's Dilemma

 


Although it is a story now well past, do you remember the Hollywood writers’ strike?  I never really paid too much attention to it, not until today.  Apparently, there was a lot more at stake than I had realized.  At the crux of the matter was how Artificial Intelligence (AI) would impact the writers’ ability to get the much-deserved credit, and most importantly, compensation for all of that hard work.

Probably even last year, this would not have been an issue at all, or even long before that.  As I have written before, AI has been around for a very long time.  In fact, I wrote an entire book about it, and I covered in some detail as to how AI will never be even remotely close to the human brain. 

The best that it will ever achieve in terms of business dominance is being used for automation purposes for mundane and routine tasks, and possible augmentation to other processes.

The primary reason why AI has become such a furor is the dawn of ChatGPT. It seems like everybody I know uses it, for good reasons of course.  But in the world of writing, no matter what the form is, authors and writers are now using this platform to create novels, books, manuscripts, etc.  While there is nothing legally wrong with this, I find ethical issues with it.

I mean, I am all for using ChatGPT as an aid, or a supplementary tool, but not for writing an entire manuscript.  You see, there is really nothing magical about ChatGPT.  It once again uses AI algorithms, most notably those of GPT-4.  So, to give you an idea of how it works, you simply tell ChatGPT the permutations of the content that you want to write, and wham-bham, it will give you something in just a few minutes.

But keep in mind that this is not original content!!!  Remember, ChatGPT is nothing but garbage in and garbage out.  So, as input to produce your desired output, it will need content from other books, texts, manuscripts, etc.  The problem here is that ChatGPT will not tell you where it extracted its information from.  So if you end up somehow publishing this work, you run the risk of a lawsuit if other authors and writers see that their work is in yours!!!

In fact, just recently, there have been a few lawsuits in this regard.  For me as a technical writer, I hardly put any emotion or thoughts into the words I write.  My job is to merely take all of the complicated stuff that happens in the Cybersecurity world, and bring it down to a level that anybody can understand and apply.  Probably the best example of this is these blogs I write.

I look up articles on the Internet to see what the latest happenings are, and write it in such a way it is meaningful to you, and that you can apply it somehow in your everyday life.  I have never used ChatGPT for anything I have ever written, and I don’t ever intend to. 

It is my most heartfelt opinion that a writer or an author should be able to write content on their own, using their own style and voice.  Of course, one will need resources to use, and that is why there is Google, and I guess to a certain extent, ChatGPT.

But if you are a novelist or a creative writer of different sorts, ChatGPT will be of no use to you.  You see, AI cannot output sentiments, emotions, feelings, or anything like that.  It only gives you a directed output to what you are asking directly, through the various queries that you submit to it. 

So in this regard, you need to learn how to create meaningful queries, which are also known as “Prompts”.  In fact, a whole new field of social science has evolved around this, officially known as “Prompt Engineering”.

My Thoughts On This:

Back to the Hollywood saga:  Eventually, the writers were able to reach an agreement on a contract.  They will get compensated and credited for the work that they have done, but in return, if they use ChatGPT or any other type of AI tool for content generation, then they have to explicitly state that in their respective manuscripts. 

Will we see more of these kinds of disputes and lawsuits down the road?  I predict that there will be.  As ChatGPT evolves further, writers and authors will have different purposes for using it.  But I sincerely hope that anybody in the writing field, no matter what it might be, will use their natural brain much more so than an artificial one.

If you want to see an article which details some of ChatGPT’s disadvantages, click on the link below:

https://www.darkreading.com/application-security/chatgpt-other-generative-ai-apps-prone-to-compromise-manipulation

Friday, October 13, 2023

The Return Of The Keylogger!!!

 


In today’s Cyber world, most of the threat variants that we keep hearing about are pretty much Phishing and Ransomware.  But as these have become the prominent ones of today, don’t forget the old-fashioned ones still linger around. 

These are the Trojan Horses, Worms, Viruses, etc.  But there is still one that we hardly hear about:  The Key Logger.  You may be asking at this point what exactly it is.  Well, it can be technically defined as follows:

“Keyloggers are a particularly insidious type of spyware that can record and steal consecutive keystrokes (and much more) that the user enters on a device. The term keylogger, or "keystroke logger," is self-explanatory: Software that logs what you type on your keyboard. However, keyloggers can also enable cybercriminals to eavesdrop on you, watch you on your system camera, or listen over your smartphone's microphone.”

So simply put, it is a malicious payload that is deployed onto your computer, and it records each and every keystroke that you make.  The Cyberattacker uses this primarily to capture your login and password information.  Of course, they could even record a conversation that you are having and use that to launch an extortion style attack, but without the Ransomware component attached to it.

The question often arises as to whether they are legal or not.  Technically, they are not illegal, but it depends upon the activity in which they are engaged.  For example, if you are a remote worker, your employer could very well deploy keylogging software to keep an eye on you to make sure you are doing work related activities.  But if the Cyberattacker is engaging in it, then by all means, yes, it is illegal.

But the history of keylogging goes back further than even Phishing does (its first notable attack was on the AOL subscriber base in the late 1990s).  Believe it or not, the first keylogger came out in the 1970s.  This was actually used to spy on electric typewriters. 

This was developed by scientists in the Soviet Union, during the peak of the Cold War.  At the time, it was called the “Selectric Bug”, and more information on it can be found at this link:

https://spectrum.ieee.org/the-crazy-story-of-how-soviet-russia-bugged-an-american-embassys-typewriters

But of course now, in today’s digital world, keyloggers have become extremely stealthy and also covert.  You simply do not know when one has been deployed onto your device or computer.  Here are the major types of keyloggers:

1)     The USB keylogger:

Yes, you got it.  Those portable storage devices that you use, such as USB drives, can also contain keylogging software, which nobody knows about.  So, once you insert it, that malicious payload will be deployed onto your computer.

2)     The Acoustic keylogger:

Believe it or not, each key you press on your keyboard resonates with a unique sound.  Keyloggers of this type can record this, and even recreate an entire document from it.  A study on this was conducted by UC Berkeley, and in one instance, they were able to recreate 96% of the content of a document.  More information about this can be seen at the link below:

https://newsarchive.berkeley.edu/news/media/releases/2005/09/14_key.shtml

3)     The Electromagnetic keylogger:

Yes, even your keyboard emits faint electromagnetic emissions, which can be picked up.  More technical information about this can be seen at the link below:

https://vimeo.com/2007855?pg=embed&sec=2007855

4)     The Smartphone keylogger:

If the Cyberattacker can break into your smartphone, it will be quite easy for them to use the sensors on it to launch a keylogger onto it.  Research has shown that the accuracy rate of this can be as high as 97%.

5)     The Software keylogger:

This is probably the most “famous” one out there, and has been used for the longest time.  These often appear as Trojan Horses, or can even be deployed if you click on a malicious link.  That is why it is also imperative that you do not click on web advertisements when you are in your web browser.

My Thoughts On This:

Keylogging software can also be used for ethical purposes, especially when it comes to developing new products and services in an effort to enhance the end user experience.  It can also be used to detect gaps and vulnerabilities in the source code of a software application.

Now you might be wondering, how can you protect yourself from getting a keylogger?  Well just practice good Cyber Hygiene.  It will never eliminate the risk in its entirety, but it will for sure mitigate it. And always keep your smartphone updated with the latest patches and upgrades.
