Social Engineering: Life Blood of Data Exploitation (Phishing)

What do Jeffrey Dahmer, Ted Bundy, Wayne Gacy, Dennis Rader, and Frank Abigail all have in common, aside from the obvious fact that they are all criminals?  They are also all master manipulators that utilize the art of social engineering to outwit their unsuspecting victims into providing them with the object or objects that they desire.  They appear as angels of light but are no more than ravenous wolves in sheep’s clothing. There are six components of an information system: Humans, Hardware, Software, Data, Network Communication, and Policies; with the human being the weakest link of the six.

By Zachery S. Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group
Social engineering is the art of utilizing deception to manipulate a subject into providing the manipulator with the object or objects they are seeking to obtain. Pretexting is often used in order to present a false perception of having creditability via sources universally known to be valid. It is a dangerous combination to be gullible and greedy. Social engineers prey on the gullible and greedy using the full range of human emotions to exploit their weaknesses via various scams, of which the most popular being phishing.  They have the uncanny ability to influence their victim to comply with their demands.

Phishing is an age-old process of scamming a victim out of something by utilizing bait that appears to be legitimate. Prior to the age of computing, phishing was conducted mainly through chain mail but has evolved over the years in cyberspace via electronic mail. One of the most popular phishing scams is the Nigerian 419 scam, which is named after the Nigerian criminal code that addresses the crime.

Information security professionals normally eliminate the idea of social norms when investigating cybercrime.  Otherwise, you will be led into morose mole tunnels going nowhere. They understand that the social engineering cybercriminal capitalizes on unsuspecting targets of opportunity. Implicit biases can lead to the demise of the possessor. Human behavior can work to your disadvantage if left unchecked. You profile one while unwittingly becoming a victim of the transgressions of another. These inherent and natural tendencies can lead to breaches of security. The most successful cybersecurity investigators have a thorough understanding of the sophisticated criminal mind.

Victims of social engineering often feel sad and embarrassed. They are reluctant to report the crime depending on its magnitude. And the CISO to comes the rescue! In order to get to the root cause of the to determine the damage caused to the enterprise, the CISO must put the victim at ease by letting them know that they are not alone in their unwitting entanglement.

These are some tips that can assist you with an anti-social engineering strategy for your enterprise: Employ Sociological education tools by developing a comprehensive Information Security Awareness and Training program addressing all six basic components that make up the information system. The majority of security threats that exist on the network are a direct result of insider threats caused by humans, no matter if they are unintentional or deliberate. The most effective way an organization can mitigate the damaged caused by insider threats is to develop effective security awareness and training program that is ongoing and mandatory.

Deploy enterprise technological tools that protect your human capital against themselves.

Digital Rights Management (DRM) and Data Loss Prevention (DLP) serve as effective defensive tools that protect from the exfiltration enterprise data in the event that it falls into the wrong hands...[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

How to find weak passwords in your organization’s Active Directory

Introduction

Confidentiality is a fundamental information security principle. According to ISO 27001, it is defined as ensuring that information is not made available or disclosed to unauthorized individuals, entities or processes. There are several security controls designed specifically to enforce confidentiality requirements, but one of the oldest and best known is the use of passwords.

In fact, aside from being used since ancient times by the military, passwords were adopted quite early in the world of electronic information. The first recorded case dates to the early 1960s by an operating system created at MIT. Today, the use of passwords is commonplace in most people’s daily lives, either to protect personal devices such as computers and smartphones or to prevent unwanted access to corporate systems.

With such an ancient security control, it’s only natural to expect it has evolved to the point where passwords are a completely effective and secure practice. The hard truth is that even today, the practice of stealing passwords as a way to gain illegitimate access is one of the main techniques used by cybercriminals. Recent statistics, such as Verizon’s 2020 Data Breach Investigations Report leave no space to doubt: 37% of hacking-related breaches are tied to passwords that were either stolen or used in gaining unauthorized access.

For instance, in a quite recent case, Nippon Telegraph & Telephone (NTT) — a Fortune 500 company — disclosed a security breach in its internal network, where cybercriminals stole data on at least 621 customers. According to NTT, crackers breached several layers of its IT infrastructure and reached an internal Active Directory (AD) to steal data, including legitimate accounts and passwords. This lead to unauthorized access to a construction information management server.

Figure 1: Diagram of the NTT breach (source: NTT)

As with other directory services, Microsoft Active Directory remains a prime target for cybercriminals, since it is used by many businesses to centralize accounts and passwords for both users and administrators. Well, there’s no point in making cybercrime any easier, so today we are going to discuss how to find weak passwords in Microsoft Active Directory.

Active Directory: Password policy versus weak passwords

First, there is a point that needs to be clear: Active Directory indeed allows the implementation of a GPO (Group Policy Object) defining rules for password complexity, including items such as minimum number of characters, mandatory use of specials characters, uppercase and lowercase letters, maximum password age and even preventing a user from reusing previous passwords. Even so, it is still important to know how to find weak passwords, since the GPO may (for example) not have been applied to all Organizational Units (OUs).

But this is not the only problem. Even with the implementation of a good password policy, the rules apply only to items such as size, complexity and history, which is not a guarantee of strong passwords. For example, users tend to use passwords that are easy to memorize, such as Password2020! — which, although it technically meets the rules described above, cannot be considered safe and can be easily guessed by a cybercriminal.

Finding weak passwords in Active Directory can be simpler than you think. The first step is to know what you are looking for when auditing password quality. For this example, we will look for weak, duplicate, default or even empty passwords using the DSInternals PowerShell Module, which can be downloaded for free here.

DSInternals is an extremely interesting tool for Microsoft Administrators and has specific functionality for password auditing in Active Directory. It has the ability to discover accounts that share the same passwords or that have passwords available in public databases (such as the famous HaveIBeenPwned) or in a custom dictionary that you can create yourself to include terms more closely related to your organization.

Once installed, the password audit module in DSInternals Active Directory is quite simple to use. Just follow the syntax below:

Test-PasswordQuality [-Account] <DSAccount> [-SkipDuplicatePasswordTest] [-IncludeDisabledAccounts] 

[-WeakPasswords <String[]>] [-WeakPasswordsFile <String>] [-WeakPasswordHashesFile <String>] [-WeakPasswordHashesSortedFile <String>] [<CommonParameters>]

The Test-PasswordQuality cmdlet receives the output from the Get-ADDBAccount and Get-ADReplAccount cmdlets, so that offline (ntds.dit) and online (DCSync) password analyses can be done. A good option to obtain a list of leaked passwords is to use the ones provided by HaveIBeenPwned, which are fully supported in DSInternals. In this case, be sure to download the list marked “NTLM (sorted by hash)”..[…] Read more »….

 

“To be successful, CISOs must have intentionality and focus”

Most of today’s CISOs got into the role accidentally. Yet tomorrow’s CISO will have chosen this role by intent. It will be a chosen vocation. Therefore, CISOs will need to focus on the role and start cultivating the skills required to become a security leader. This was a key message from a presentation on The Future CISO by Jeff Pollard, Principal Analyst, Forrester Research.  Speaking at the Forrester Security & Risk Global 2020 Live Virtual Experience on September 22, Pollard urged CISOs to check if they are “Company Fit” and to prepare for what’s next. He also outlined the six different types of CISOs: transformational, post-breach, tactical/operational, compliance guru, steady-state, and customer-facing evangelist. Pollard showed how CISOs can build a roadmap for transitioning from one type to another and explore strategies for obtaining future CISO and related roles.

By Brian Pereira, Principal Editor, CISO MAG

“CISOs do an insanely challenging job under challenging circumstances. They have to worry about their company, adversaries who attack, insider threats, and also employee and customer experience. This is not easy. That’s why intent matters,” said Pollard.

He advised CISOs to plan for the role and make a meaningful contribution at the C-Level. Skills enhancement, both for the CISO and the security teams is also crucial.

Pollard alluded to the example of Pixar Animation Studios, which achieved immense success and bagged many awards because it has intent and focus.

“Pixar is a company that matches this intent. They know exactly what they want to do. They have a specific methodology for stories, how they think about content. Technology drives the stories that they tell. They are an incredibly innovative company. There is a secret history of Pixar that ties in with the CISO role,” said Pollard.

Pixar earned 16 Academy awards, 11 Grammys, and 10 Golden Globes.

“They earned all these awards because they operate with intent and focus. When you operate without intent and focus, and when you don’t plan for this role, and when you don’t actively cultivate all of the skills that you need, then this happens,” said Pollard.

By “this” he meant that CISOs lose focus and find their role challenging, which could even lead to burn out.

He urged security leaders to start writing their own stories and to think about their stories with intent, discipline, and rigor.

Why CISOs lose focus

The CISO was never a “No” department. In saying “Yes” to everyone and trying to do everything for everyone, CISOs lost their focus.

CISOs juggle many tasks like product security concerns, compliance concerns, regulatory issues, legal issues, beaches and attackers, and incident response. And then, there are new priorities that come up.

“0% of CISOs are great at everything. And that’s what most security leaders have had to do. You can’t do all of that and be effective. It’s not possible. But that’s what happened to the role — priority after priority and trade-off after trade-off. None of it results in the success that we want,” said Pollard.

He added, “CISOs haven’t operated with constraints, which lead to focus. And focus leads to innovation. We are just doing too much and not succeeding. We are too tactical. We say yes to a lot. The CISO is not the department of No.”

How many are C-level?

While most security leaders aspire for a seat at the table in the board room, very few make the cut.

A 2020 study by Forrester Research shows that just 13% of all security leaders are actual C-level titles or CISO.

The Forrester study considered those with an SVP or an EVP title and compared that to those with a VP, Director, or another title — across Fortune 500 companies. The other data point from this study is that the average tenure of the CISO is 4.2 years and not two or three years.

“Even those who got a seat at the table are not treated like a true C-level executive. They do not have the same access for authority that those others have. And most of the 13% are on their third or fourth CISO role. After the second one, they don’t take that laying down anymore. They demand to be an actual C-level,” said Pollard.

What CISOs need to do

CISOs need to plan for a four-year stay, and they can take some inspiration from Pixar by writing their own stories.

“The reason why this is so important is because you are looking at a four-year stay. It’s going to be hard for CISOs because they are going to do all their tasks for four years with all these limitations. They can make mistakes if they do not operate with intentionality and if they don’t fight for what they deserve. The good news is that CISOs can get this right and write their own story. It’s just about thinking about it in terms of intent and our own story,” advised Pollard.

Going back to the Pixar example, he urged CISOs to simplify and focus. Like Pixar, they should combine characters (or tasks) and hop over detours.

“You will feel like you are losing valuable stuff, but it is actually freeing you. Fire yourself. find a way to replace yourself. Get rid of activities that you don’t need to do. And don’t be afraid to empower the direct reports that work for you,” he said.

Reproduced with permission from Forrester Research 

The 6 types of CISOs

Forrester Research began thinking about the future or the CISO two years ago and came up with a concept that there were 6 types of CISOs. The roles could overlap, and one could have the attributes of other types as well.

Pollard said the CISO should consider these 6 types when thinking about their intent and focus. These types give one the opportunity to think about their roles and future careers —  and even life after being a CISO.

We started thinking about this concept of the future CISO two years ago. We figured out there were 6 types of CISOs out there.

1. The Transformational CISO

This is a more strategic type of CISO who thinks about customers and business outcomes. They focus on turn around and transformation of the security program. They take it from one that may be too insular and too internally focused to one that focusses on the outside of the organization. They do this to make the security program more relevant to the rest of the business.

2. The Post-breed CISO

This CISOs comes in after the organization has been breached. There is intense media and board speculation. Add to that, litigation, regulatory investigations, and potential fines. There is a lot of chaos and they must remediate the situation and lead through the turbulence.

3. Tactical / Operational expert

This is the action-oriented CISO who gets things done. They are adept at sorting out technical issues and building out cybersecurity programs for the company.

4. Compliance Guru

They have a thorough knowledge of compliance requirements and they operate in a heavily regulated industry. They help the company to figure out how to navigate international issues and wars as well as oversight from the FTC, PCI, HIPPAA, and other regulatory bodies. For them, Security is always a risk management conversation.

5. The Steady-State CISO

The minimalist who doesn’t rock the boat and change the status quo overnight. They maintain a balance between minimal change and keeping up. Maybe things are just fine at the company right now and security is working for them.

6. Customer Facing Evangelist 

This type is common at the tech and product companies. They evangelize the company’s products and services with a commitment to cybersecurity. And they speak about how security and privacy help customers.

CISO Company Fit

Forrester defines “CISO Company Fit” as the degree to which the CISO type at the company matches the type the company needs to maximize the success of both parties.

“If the company fit is not suitable, then security leaders have to deal with burn-out and angst.  And part of that burn-out comes from the fact that they may not have CISO Company fit,” said Pollard..[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Security theatrics or strategy? Optimizing security budget efficiency and effectiveness

Introduction

I am a staunch advocate of the consideration of human behavior in cybersecurity threat mitigation. The discipline of behavioral ecology is a good place to start. This subset of evolutionary biology observes how individuals and groups react to given environmental conditions — including the interplay between people and an environment.

The digital world is also a type of environment that we have all ended up playing in as computing and digital transactions become ever-present in our lives. By understanding this “digital theater,” we can determine a best-fit strategy to produce an effective cybersecurity play that optimizes security budgets.

Why having an effective strategy is important

I’ll offer up an example from nature to show the importance of an effective strategy. You may read this and wonder what it has to do with cybersecurity, but bear with me.

Starlings feed their chicks with leatherjackets and other insect larvae. During nesting season, the starlings work hard finding food and relaying it back and forth to the nest of chicks. If you’ve ever observed any bird during this season, you might have noticed by the end of it, they have lost feathers and look pretty beat up. But the sacrifice is important: effective feeding of chicks will produce fledglings that then go on to reproduce. Reproduction is seen as a success in evolutionary terms.

However, starlings are capable of carrying more than one leatherjacket in their beak. The more they can carry, the fewer trips they need to make. Fewer trips mean the parent starling is less likely to fall foul of bad health or predators. However, there is a tradeoff. To find the leatherjackets, the starling has to forage. Too many leatherjackets in the beak and it becomes harder to forage. The optimum number of leatherjackets is a trade-off between the number of trips and foraging efficiency.

Any strategy that plays out in the real world is a balance: a trade-off between what seems to be optimal and what is strategically efficient. The starling could try to cram lots of larvae into its beak and this might seem to be a show of capability and a great strategy, but in the end, it would just be a piece of theater.

In evolutionary biology, this balance is known as an Evolutionary Stable Strategy, or ESS. In nature, this would be a strategy that confers “fitness” so an organism can reproduce at an optimal rate. The concept behind an ESS also applies in cybersecurity, where fitness is also about finding a best-fit strategy for a given environment.

Security, like feeding chicks, is about knowing how to use the right tools for the job in an optimal manner and not just for show. This creates a fine balance that can help optimize a security budget.

Security and trade-offs: A complex equation

Enough of the biology lesson! Back to cybersecurity. The security industry, like most industries, has a culture. This culture has informants, people in your company who influence decisions and people outside such as vendors who sell security products. The result can be an overwhelming cascade of information. This can lead to decisions that are based on less-than-optimal input.

Back in 2008, security man extraordinaire Bruce Schneier wrote a treatise entitled “The Psychology of Security”. In this, Bruce talks about how security is a tradeoff. He goes on to explain how these trade-offs, which often come down to finding a balance between cost and outcome, are actually much more nuanced. Bruce says that asking “Is this effective against the threat?” is the wrong question to ask. Instead, you should ask “Is it a good trade-off?”

Security teams can be put under enormous pressure to “do the right thing.” An example is the recent ransomware attack on Garmin. If you are being effectively held hostage by malicious software that prevents your business from running, you have to do something and quickly. Garmin is reported to have paid the ransom of $10 million.

But was this a shrewd move? Was the trade-off between business disruption and hope of a decryption key a balanced one? When making that decision, there are multiple considerations. Can the company offset the cost of the ransomware? Will the decryption key end the attack or have the hackers installed other malware into the company’s IT system?

Security systems, like biological ones, are reliant on making good trade-off decisions to move the needle of security towards your company’s safety.

Back to basics to optimize security trade-offs

Security can be a costly business. Solutions, services and platforms all need to be costed and maintenance and upgrades factored in. And the choice is astounding. In terms of just startups in the cybersecurity sector, there were around 21,729 at last count. The amount of spending on cloud security tools alone is expected to be around $12.6 billion by 2023.

Getting the balance right is important. An organization must cut through the trees to see the wood. In doing so, the balance of financial burden against cyber-threat mitigation can be made.

Going back to basics is the starting point. There is little point in putting on a security show with the latest in machine learning-based tech if you misconfigure a crucial element so the data becomes worthless. At this point in history, machines are nothing without their human operators. We have to get back to basics, build a strong strategy and culture of security before layering on the technology.

The basics, human factors and a great security ESS

Weaving this together we can ensure optimization of a security budget through an awareness of strategic security considerations, e.g.:

The basics

The fundamentals of security are covered by several frameworks and general knowledge of Operations Security (OPSEC). Frameworks such as Center for Internet Security (CIS) and NIST-CSF set out basics for a robust cybersecurity approach. These include knowing what assets (both digital and physical) you have and how to control access.

The human factors

Cybercriminals place a focus on using humans to perpetrate a cyberattack. This is inherent in the popular tactics of social engineering, phishing and other human-activated cybercrimes. Employees, non-employees (e.g., contractors), supply chain members and so on all need to be evaluated for risk. Mitigation of the risk levels can be alleviated using several techniques:

  • Security awareness training for all: Teaching the fundamentals of security is an essential tool in a cybersecurity landscape that focuses on human touchpoints. But security awareness needs to be performed effectively. Some training sessions feel more like those old-school lessons that ended up with snoozing students. Modern security awareness is engaging, interactive and often gamified.
  • The issue of misconfiguration: It isn’t just employees clicking on a malicious link in a phishing email that is cause for concern. Loss of data due to misconfiguration of IT components cost companies around $5 trillion in 2018 – 2019. Security awareness training needs to extend to system administrators and others who take care of databases, web servers and so on.
  • Patch management. Like misconfiguration, ensuring that IT systems are up to date can be the difference between exposed data and safe data. This process has been complicated by the increase in home working. But this fundamental piece of security hygiene is as vital as it ever was.
Never trust, always verify

The concept of zero-trust security has highlighted the importance of robust identity and access management (IAM). The idea behind this tactic is to always check the identity of any individual or device attempting to access corporate resources. Zero trust defines an architecture that puts data as a central commodity and trust as a rule to determine access rights..[…] Read more »….

 

Fundamentals Of Cryptography

The mathematics of cryptography

Under the hood, cryptography is all mathematics. For many of the algorithms in development today, you need to understand some fairly advanced mathematical concepts to understand how the algorithms work.

That being said, many cryptographic algorithms in common use today are based on very simple cryptographic operations. Three common cryptographic functions that show up across cryptography are the modulo operator, exclusive-or/XOR and bitwise shifts/rotations.

The modulo operator

You’re probably familiar with the modulo operator even if you’ve never heard of it by that name. When first learning division, you probably learned about dividends, divisors, quotients and remainders.

When we say X modulo Y or X (mod Y) or X % Y, we want the remainder after dividing X by Y. This is useful in cryptography, since it ensures that a number stays within a certain range of values (between 0 and Y – 1).

Exclusive-or

In English, when we say OR, we are usually using the inclusive or. Saying that you want A or B probably means that you’re willing to accept A, B or both A and B.

Cryptography uses the exclusive or where A XOR B equals A or B but not both. The image above shows a truth table for XOR. Notice that anything XOR itself is zero, and anything XOR zero is itself.

XOR is also useful in cryptography because it is equivalent to addition modulo 2. 1 + 0 = 1 and 1 + 1 = 2 = 0 (mod 2) = 0 + 0. XOR is one of the most commonly-used mathematical operators in cryptography.

Bitwise shifts

A bitwise shift is exactly what it sounds like: a string of bits is shifted so many places to the left or right. In cryptography, this shift is usually a rotation, meaning that anything that “falls off” one end of the string moves around to the other.

The bitwise shift is another operator that has special meaning in modulo 2. In binary (mod 2), shifting to the left is multiplying by a power of two, while shifting to the right is division by a power of two.

Common structures in cryptography

While cryptographic algorithms within a “family” can be similar, most cryptographic algorithms are very different. However, some cryptographic structures exist that show up in multiple different cryptographic “families.”

Encryption operations and key schedules

Many symmetric encryption algorithms are actually two different algorithms that are put together to achieve the goal of encrypting the plaintext. One of these algorithms implements the key schedule, while the other performs the encryption operations.

In symmetric cryptography, both the sender and the recipient have a shared secret key. However, this key is often too short to be used for the complete encryption process since many algorithms have multiple rounds. A key schedule is designed to take the shared secret as a seed and use it to create a set of round keys, which are then fed into the algorithm that actually performs the encryption.

The other half of the encryption algorithm is the part that converts the plaintext to a ciphertext. This is typically accomplished by using multiple iterations or “rounds” of the same set of encryption operations. Each round takes a round key from the key schedule as input, meaning that the operations performed in each round are different.

The Advanced Encryption Standard (AES) is a classic example of an encryption algorithm with separate parts implementing the encryption operations and key schedule, as shown above. The different variants of AES (AES-128, AES-192, and AES-256) all have a similar encryption process (with different number of rounds) but have different key schedules to convert the various key lengths to 128-bit round keys.

Feistel networks

A Feistel network is a cryptographic structure designed to allow the same algorithm to perform both encryption and decryption. The only difference between the two processes is the order in which round keys are used.

An example of a Feistel network is shown in the image above. Notice that in each round, only the left half of the input is transformed and the two halves switch sides at the end of each round. This structure is essential to making the Feistel network reversible.

Looking at the first round (of both encryption and decryption), we see that the right side of the input and the round key are used as inputs to the Feistel function, F, to produce a value that is XORed with the left side of the input. This is significant because the output of F in the last round of encryption and the first round of encryption are the exact same. Both use the same round key and same value of Ln+1 as input…[…] Read more »….

 

How CTOs Can Innovate Through Disruption in 2020

CTOs and other IT leaders need to invest in innovation to emerge from the current COVID-19 crisis ready for the next opportunities.

Are you ready for 2021’s opportunities? Are you ready for the new business models that will emerge once the COVID-19 coronavirus is behind us? What strategic technology moves will your organization make today to invest in the innovation to bring your enterprise out of the current crisis, stronger and better?

CTOs and other senior technology leaders should now be focusing on these key questions as we enter the second half of 2020. Sure, it was critically important to pivot instantly to enable working from home in the first half of this year. Yes, there’s still work to be done improving the systems that enable employees to work from home, especially since organizations are making many of these arrangements permanent. However, the strategic longer term moves that senior leaders make today are what will help their organizations emerge stronger on the other side of this crisis.

CTOs are at risk now of focusing solely on short-term needs when it is equally important to plan for technology and innovation initiatives to help their organizations come out of the crisis and meet post-coronavirus challenges, according to a new report from Gartner, How CTOs Should Lead in Times of Disruptions and Uncertain.

Read all our coverage on how IT leaders are responding to the conditions caused by the pandemic.

Disruption is nothing new for technology leaders. In Gartner’s survey of IT leaders, conducted in early 2020 before the coronavirus pandemic struck, 90% said they had faced a “turn” or disruption in the last 4 years, and 100% said they face ongoing disruption and uncertainty. The current crisis may just be the biggest test of the resiliency they have developed in response to those challenges.

“We are hearing from a lot of clients about innovation budgets being slashed, but it’s really important not to throw innovation out the window,” said Gartner senior principal analyst Samantha Searle, one of the report’s authors, who spoke to InformationWeek. “Innovation techniques are well-suited to reducing uncertainty. This is critical in a crisis.”

The impact of the crisis on your technology budget is likely dependent on your industry, Searle said. For instance, technology and financial companies tend to be farther ahead of other companies when it comes to response to the crisis and consideration of investments for the future.

Other businesses, such as retail and hospitality, just now may be considering how to reopen. These organizations are still focused on fulfilling the initial needs around ensuring employees and customers are safe. In response to the short-term crisis, CTOs and other IT leaders were likely to focus on things like customer and employee safety, employee productivity, supply chain stabilization, and providing the optimal customer experience. But the innovation pipeline is also a crucial component.

Innovation doesn’t necessarily have to cost a lot of money. Budgets are tight, after all. Searle suggests incremental innovations and cost optimizations, gaining efficiencies where they are achievable.

Consider whether you’ve already made some investments in AI, chatbots, or other platforms. Those are tools that you can use to improve customer experience during the ongoing crisis or even assist with better decision making as you navigate to the future.

Remember, investments will pay off on the other side. For instance, companies that thought more about employing customer safety measures are the ones that will come out better in terms of brand reputation.

In a retail environment, for instance, an innovation for employee and customer safety might be replacing touch type with voice interactions.

Searle said that the crisis has also altered acceptance of technologies that may not have been desirable in the past. For instance, before the pandemic people generally preferred seeing a doctor face-to-face rather than via a telemedicine appointment.

“That’s an example of where societal acceptance of the technology has changed a lot,” she said.

Another example that was not quite ready for prime time as the crisis hit is the idea of drones and autonomous vehicles making deliveries of groceries, take-out orders, and other orders. However, those are technologies that companies can continue to invest in for the longer term benefits.

Another key action CTOs and other IT leaders should take is trendspotting, Searle said. Trends can be around emerging technologies such as AI, but they can also be economic or political, too. The current pandemic is an example that disruption is the new order, and that just focusing on emerging technology as the only perceived catalyst of disruption has been a a misstep by many organizations, according to Searle. She recommends that organizations use trendspotting efforts to assemble a big picture of trends that will impact technology strategic decisions as your organization begins to rebuild and renew.

In terms of challenges in the next 6 months, CTOs remain focused on the near term. In an online poll during a recent webinar, Searle asked CTOs just that question. The biggest percentage said that their challenge was improving customer experience at 31%. Other challenges were maintaining employee productivity (28%), infrastructure resilience (22%), supply chain stability (8%), and combatting security attacks (8%)…[…] Read more »…..

 

Democratizing Cybersecurity Protects Us All

Cybersecurity is a sophisticated art. It can truly consume the time and resources of IT teams as they work to safeguard valuable data from the growing risk of cyberattacks and data breaches. The technical nature of it, along with the specific expertise it requires, has created a workforce gap that many fear is nearly impossible to bridge.

By Akshay Bhargava, Chief Product Officer at Malwarebytes

In fact, the cybersecurity workforce gap has been reported to be over four million globally, causing an alarming void of security experts who are fit to protect business and consumer data. This gap is particularly painful for small and midsize businesses (SMBs) where recruiting cybersecurity expertise may be particularly costly or challenging. Unfortunately, with the average cost of a breach weighing in at a hefty $3.92 million, cybersecurity is not something any business – no matter the size – can afford to get wrong. This is especially concerning for SMBs where estimates have found that as many as 60% are forced to shut their doors after a cyberattack.

But the damage caused by a successful attack can extend beyond the SMB itself.

Not only will the SMB suffer in the event of a cyberattack, but the larger enterprises it partners with are also put at risk. Take the 2019 Quest Diagnostics data breach as an example. Nearly 12 million patients were exposed after hackers took control of a payments page for one of Quest’s billing collection vendors, AMCA, exposing account data, social security numbers and health information. The same attack also impacted 7.7 million customers of LabCorp. AMCA has since filed bankruptcy.

It’s also been reported that it was an email attack on a vendor of Target Corp. that exposed the credit card and personal data of more than 110 million consumers in 2013. The Target breach has been traced back to network credentials stolen from an email malware attack on a heating, air conditioning and refrigeration firm used by Target.

In each instance, the exposure of a smaller organization put a much larger enterprise at risk. There is hope though, that if we can democratize cybersecurity, SMBs could realize the same protections enterprises require, and we’d all be much safer as a result.

So, what can be done? How can SMBs achieve a cybersecure environment like their enterprise competitors? The key lies in automation and empowering employees.

Automation Unlocks Cybersecurity Democratization

Adopting security automation is an effective way to achieve cyber resilience without adding staff or cost burden. It’s the core of cybersecurity democratization. In fact, companies that fully deploy security automation realize an average $1.55 million in incremental savings when handling a data breach. Not only will automation relieve the pressure from continued staff and skills resource constraints, it’s also dynamically scalable, always on, and enables a more proactive security approach that makes the business exponentially more secure. When applying automation, consider each of these three critical security process areas:

1. Threat detection and prevention. Technologies including advanced analytics, artificial intelligence and machine learning give SMBs the ability to apply adaptive threat detection and prevention capabilities so that they can stay one step ahead of cybercriminals without added staff. By automating threat detection, powered by strong threat intelligence, SMBs can detect new, emerging threats while also increasing the detection and prevention of known threats that may have previously slipped past corporate defenses. Furthermore, they can reduce the noise from incident alerts and false positives from detection systems, improving overall threat detection and prevention success rates.

2. Incident responseIf a successful cyberattack does break through, it can move throughout an environment like wildfire. Incident response time is critical to mitigating the severity of the damage, and for those SMBs impacted by the security skills shortage, having the response team needed to react fast is likely a problem. By automating incident response, organizations can greatly improve their cyber resilience. Adopt solutions that will automatically isolate, remediate and recover from a cyberattack:

  •  Isolate. By automating endpoint isolation SMBs are able to rapidly contain an infection while also minimizing disruption to the user. Effective isolation includes the automated containment of network, device and process levels. Advanced solutions will also impede malware from “phoning home” which will restrict further damage to the environment.
  • Remediate. Automating remediation will quickly and effectively restore systems without requiring staff resource time or expertise. It will also allow CISOs to remediate endpoints at scale to significantly reduce the company’s mean-time-to-response.
  • Recover. Finally, incident response should also provide automated restore capabilities to return endpoints to their pre-infected, trusted state. During this recovery process it’s also wise to enable automated detection and removal of artifacts that may have been left behind during the incident. This is essential to preventing malware from re-infecting the network.

3. Security task orchestrationTo further relieve security staff while ensuring cyber resiliency, low-level tasks should be automated, including the orchestration between complex, distributed security ecosystems and services. This will ensure a more nimble and responsive environment in the event a cyberattack is successful. Cloud-based management of endpoints can help, specifically if it provides deep visibility with remediation maps[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Coronavirus-themed Malware and Ransomware Ramp Up

Cybercriminals are known to leverage on global phenomenon for personal gain, be it the elections or the Olympic Games. And COVID-19 is no different. Scammers are using the pandemic to capitalize on a public scare that is already dire.

By Pooja Tikekar, Feature Writer, CISO MAG

Hackers are using social engineering tools to formulate phishing emails in the name of the World Health Organization (WHO) and other regulatory bodies to target vulnerable victims. These phishing emails contain documents with embedded links that result in malware and ransomware attacks.

Here are some of the COVID-19-themed cyberthreats:

1. CovidLock

The security team at DomainTools discovered a domain (coronavirusapp[.]site), which claims to have a real-time Coronavirus Tracker. It poses as a download site for an Android app that maps the spread of the virus across the globe. However, the app has a hidden ransomware application named “CovidLock” that threatens to delete contacts, pictures and videos on the victims’ device if a ransom of $100 in Bitcoin is not paid within 48 hours.

Image source: DomainTools
2. Dharma (CrySIS)

Dharma belongs to the family of CrySIS malware and was first discovered in 2016. The malware is distributed in malicious email attachments to deliver the payload. The payload is attached as an executable file by name “1covid.exe,” which begins to encrypt files after it is downloaded. The encrypted files have an extension called “.ncov” (supposedly Novel Coronavirus). It also drops a ransom note prompting users to write an email to “coronavirus@qq.com” to restore their files.

dharma ransom note
Image source: Quick Heal
3. Emotet

The Emotet malware spam (malspam) emails contain a warning note and call to action for downloading a malicious Word doc attachment, which is said to contain precautionary health measures and latest updates related to Coronavirus. On opening the attachment and enabling macros in Office 365, an obfuscated VBA macro script begins to run in the background, which further installs a Powershell script and downloads the Emotet malware. The Emotet script also downloads a few other malicious payloads to extract additional data from the targeted system.

4. Maze

Maze ransomware was discovered in 2019, however, amid the Coronavirus crisis, it is used to target health care organizations. It threatens to publish patient records online, thereby putting the health care organizations at risk of the immediate violation of the General Data Protection Regulation (GDPR). According to DataBreaches.net, the operators of Maze ransomware attacked the London-based clinical testing firm Hammersmith Medicines Research, as it has volunteered its services to the U.K.’s National Health Service (NHS) and local medical practices to help test medical frontline staff for COVID-19.

maze ransom note
Image source: Wikimedia Commons
5. REvil

Also known as Sodinokibi, the REvil ransomware operators are targeting managed service providers (MSPs) and local governments amid the pandemic. The operators scan the internet for vulnerable machines to deploy the malware payload through a Virtual Private Network (VPN). The operators targeted and infected California-based biotechnology company 10x Genomics to steal sensitive information, as the firm is part of an international alliance sequencing cells from patients who have recovered from the Coronavirus.

6. NetWalker

A variant of Mailto, the NetWalker ransomware targets home and corporate computer networks to encrypt the files it finds. It targets victims by sending phishing emails attached to execute the payload of the ransomware. Further, the file name “CORONAVIRUS_COVID-19.vbs” tricks users into executing it. Once the “vbscript” is executed, the ransomware is dropped in “C:\Users\<UserName>\AppData\Local\Temp\qeSw.exe.” The shadow copies are erased from the system, making safe file recovery difficult.

netwalker ransom note
7. Ginp

Kaspersky researchers have discovered the Ginp Banking Trojan that takes advantage of Android users to steal credit card credentials of potential victims…[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

Cloud Strategies Aren’t Just About Digital Transformation Anymore

Organizations have been transferring more data, workloads, and applications to the cloud to increase the pace of innovation and organizational agility. Up until recently, the digital transformation was accelerating. However, cloud adoption recently got a major shove as the result of the crisis, which can be seen in:

  • Dramatic remote work spikes
  • Capital expenditure (CapEx) reductions
  • Business model adaptations to maintain customer relationships

In fact, in a recent blog, Forrester reported robust 2020 first quarter growth of top three providers with AWS at 34%, Microsoft Azure (59%), and Google Cloud Platform (52%). The driver, according to Vice President and Principal Analyst John Rymer, is “Faced with sudden and urgent disruption, most enterprises are turning to the big public cloud providers for help.”

“We are seeing a huge increase in our clients wanting to digitize in-person processes and ensure they are accessible 24/7 and integrated with existing technologies through utilizing cloud services [such as] developing contactless ordering systems for physical retail locations, which both reduce the need for face-to-face interaction, but also sync with existing POS and stock management systems,” said Bethan Vincent, marketing director at UK digital transformation consultancy Netsells Group. “This requires both API integrations and a solid cloud strategy, which seeks to build resilience into these new services, protecting against downtime and the knock-on effect of one system affecting another.”

Jiten Vaidya, PlanetScale

Jiten Vaidya, PlanetScale

Speaking of resiliency, there is a corresponding uptick in Docker and Kubernetes adoption. “We have seen an interest in databases for Kubernetes spike during the COVID-19 pandemic. Kubernetes had already emerged as the de facto operating system for computing resources either on-premise or in the cloud,” said Jiten Vaidya, co-founder and CEO of cloud-native database platform provider PlanetScale. “As the need for resiliency and scalability becomes top of the mind, having this uniform platform for database deployment is becoming increasingly important to enterprises.”

While business continuity isn’t the buzzy topic it was during the Y2K frenzy, many consulting firms and technology providers say it’s top of mind once again. However, it’s not just about uptime and SLAs, it’s also about the continuity of business processes and the people needed to support those business processes.

Greater remote work is the new normal

Chris Ciborowski, CEO and co-founder of cloud and DevOps consulting firm Nebulaworks, said many of his clients have increased their use of SaaS platforms such as Zoom and GitLab/GitHub source code management systems.

“While these are by no means new, there has been a surge in use as identified by the increased load on the platforms,” said Ciborowski. “These are being leveraged to keep teams connected and driving productivity for organizations that are not used to or built for distributed teams. [M]any companies [were] already doing this pre-pandemic, but the trend is pouring over to those companies that are less familiar with such practices.”

Chris Ciborowski, Nebulaworks

Chris Ciborowski, Nebulaworks

Dux Raymond Sy, CMO and Microsoft MVP + regional director at AvePoint, which develops data migration, management and protection products for Office 365 and SharePoint, has noticed a similar trend.

“Satya Nadella recently remarked [that] two years of digital transformation has happened in two months,” said Sy. “Organizations and users that were on the fence, have all adopted the cloud and new ways of working. They didn’t have a choice, but they are happy with it and won’t revert to the old ways.”

However, not all organizations have learned how to truly live in the cloud yet. For example, many have adopted non-enterprise, consumer communication and/or collaboration platforms, which have offered free licenses in response to COVID-19. However, fast access to tools can result in ad-hoc, unstructured and ungoverned processes.

“Adoption isn’t a problem anymore, but now productivity and security are. As we emerge from the post-pandemic world, organizations are going to need to clean up their shadow IT, overprivileged or external users that can access sensitive data they shouldn’t and sprawling collaboration environments,” said Sy. “The other mistake we are seeing organizations make is not continuously analyzing their content, finding their dark data, and reducing their attack profile. Organizations need to make a regular habit of scanning their environments for sensitive content and making sure it is where it is supposed to be or appropriately expire it if it can be deleted. Having sensitive content in your environment isn’t bad, but access to it needs to be controlled.”

Dux Raymond Sy, AvePoint

Dux Raymond Sy, AvePoint

All the cybersecurity controls organizations have been exercising under normal conditions are being challenged as IT departments find themselves enabling the sudden explosion of remote workers. In fact, identity and access management company OneLogin recently surveyed 5,000 remote workers from the U.S. and parts of Europe to gauge the cybersecurity risks enterprises are facing. According to the report, 20% have shared their work device password with their spouse or child, which puts corporate data at risk, and 36% have not changed their home Wi-Fi password in more than a year, which puts corporate devices at risk. Yet, 63% believe their organizations will be in favor of continued remote work post-pandemic. One-third admitted downloading an app on their work device without approval.

“Organizations everywhere are facing unprecedented challenges as millions of people are working from home,” said Brad Brooks, CEO and president of trusted experience platform provider OneLogin in a press release. “Passwords pose an even greater risk in this WFH environment and — as our study supports — are the weakest link in exposing businesses’ customers and data to bad actors.”

CapEx loses more ground to OpEx

SaaS and cloud have forever changed enterprise IT financial models, although many organizations still have a mix of assets on-premises and in the cloud. In the wake of the 2008 financial crisis, businesses increased their use of SaaS and cloud. Digital transformation further fueled the trend. Now, CFOs are taking another hard look at CapEx as they fret about cashflow.

Suranjan Chatterjee, Tata Consultancy Services

Suranjan Chatterjee, Tata Consultancy Services

“The pandemic has crystalized the fact that there are basically two types of companies today: those that are able to deliver digitally and connect to customers remotely, and those that are trying to get into this group,” said  Miles Ward, CTO at business and technology consulting services firm SADA. “Since the world turned on its head the past few months, we’ve seen companies in both groups jump on cloud-based tools that support secure connections, scaled communications, rapid development and system access from anywhere, anytime. Using these tools, companies can reduce their risk; nothing feels safer than going from three to five-year commitments on infrastructure to easy pay-as-you-go, and pay only for what you use, commitment-free systems.”

Business models have shifted to maintain customer relationships

Businesses negatively impacted by shelter in place and stay at home executive orders have reacted in one of two ways: adapt or shut down temporarily until the state or country reopens. The ones that have adapted have been relying more heavily on their digital presence to sell products or services online, with the former being supplemented with curbside pickup. The businesses that shut down completely tended to have a comparatively weak digital strategy to begin with. Those companies are the ones facing the biggest existential threat..[…] Read more »…..

 

 

The ever changing role of a CSO with David Levine

With a wide and diverse variety of positions during his 23-year tenure with the Ricoh, Vice President Corporate and Information Security and CSO David Levine shares his perspective on the role of the CISO,  how he stays abreast of industry trends and in the current COVID-19 era, what it means to have a remote team. 

 

Q: How has the role of the CISO changed over your career?

A:  The CISO role has continued to grow in organizational and strategic importance within many businesses, including Ricoh. What was once a blended function in IT is now its own critical function with its leader (CISO/CSO) having a seat at the table and reporting, if applicable, to the board on a regular basis. That’s a significant transformation!

Q: What is the biggest challenge for a CISO today?

A: This ties into my answer above, the security budget and staffing has not necessarily kept pace with increasing demands and importance. As more and more of the organization as well as customers and partners realize they need to engage and include security the team gets spread thinner. This can put a real strain on the organization and its effectiveness. Prioritization and risk assessment become critical to help determine what needs to be focused on. You also cannot ignore the fundamental challenge of just keeping pace with operational fundamentals like vulnerability remediation, patching, alert response and trying to stay ahead of highly skilled adversaries. 

Q: How do you stay abreast of the trends and what your peers are doing?

A: I use a variety of approaches to track what’s going on relative to trends and my peers. Daily security email feeds are a great source to get a quick recap on the last 24 hours, leveraging one or more of the big research firms and being active in their councils is a great mix of access to analysts and peers. I am also active in the CISO community and participate in events run by great organizations like Apex. 

Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?

A: Although I have been with Ricoh for many years, if I was moving to a new organization, I would take the time to ensure I understand:

 

  • the company’s objectives and priorities; 
  • what’s in place today and why;
  • what security’s role in the organization has been;
  • what’s working and what isn’t.

 

I’d also commit to completing initial benchmarking and make sure I spent time, upfront, to start to build solid relationships with key stakeholders.

Q: Have you been putting cloud migration first in your organization’s transformation strategies?

A: We adopted a cloud first mentality a few years ago. The cloud isn’t perfect for everything but in many cases it’s a great solution with a lot of tangible advantages.

Q: What are your Cloud Security Challenges?

A: For us, one of the biggest challenges is keeping pace with the business from a security and governance standpoint. We are currently working on putting in comprehensive policies and requirements, along with tools like a checklist, which will make it clear what’s needed and also enable the various teams to do some of the upfront work without needing to engage my team. That’s a win-win for everyone and reduces the likelihood of a bottleneck.

Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction?

A: YES! In all seriousness, those are all relevant priorities my team and I need to focus on. This further adds to the prior points around more work than hours and resources. 

Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Like most of my peers that I have talked to, we have put on hold most “net new” spending for now. The expectation is we will get back to those efforts a bit down the road. We are also taking a look to see what opportunities we have to streamline expenses.

Q: Has security been more of a challenge to manage while your teams have shifted to a Work From Home structure?

A: I am proud of my teams and the ecosystem we put in place. All in all, it’s been a pretty smooth transition. My team is geographically dispersed and a few key resources were already remote. However, that is not to say there aren’t any challenges – not being able to put hands on devices has made some investigations and project work more difficult but we’ve found safe ways to complete the tasks. Ensuring the teams stay connected and communicate is also important. 

Q: What were/are the most significant areas of change due to COVID-19?

A: We certainly had to make some exceptions to allow access and connectivity that we would not have done under normal circumstances, but it was the right thing to do for our business and our customers. We also had to shift some users to work from home who typically would not and as such, didn’t have the right resources. Both of these highlighted areas to focus on in the next revisions of our Business Continuity Plans which contemplated the need to shift work and locations but not necessarily everyone working from home. There is also a need to reemphasize security, policies, training when working from home.