Controlling Your Cyber Supply Chain

We don’t have “hall monitors” walking around our offices checking for fires. It’s something everyone in the organization watches out for (in large part, because of personal safety). Well, if your company goes bankrupt because all its IP has been stolen, I think that impacts your personal safety. So, start a program of being “security smart” within your organization.

Back in September, I wrote a piece that questioned whether or not you trust your network. As an extension to that piece, this piece focuses on your cyber supply chain.

Let’s begin with this simple premise: you may never fully know who is a part of your cyber supply chain. Why do I say that? It is because it is simply impossible for you to keep a watchful eye on all parts of the supply chain. It would be a full-time job for you. In my view, the only entity that could have full control of its cyber supply chain is a government (emphasis on could, because even for a government, full control of the cyber supply chain could be an incredibly difficult and expensive proposition).

If you accept that simple premise, then by extension, you will have no problem accepting this one as well: the probability of you being breached is greater than zero.

If you are with me so far, this is excellent. It means you have not bought a bag of magical beans from vendors or consultants who are already preaching to you that you are on the way to the cyber-secure promised land.

Potentially Unwanted Leaks: Social Engineering, Small Missteps, and Big Mistakes

Therefore, you are faced with a situation where you not only have to protect your information but also ensure a third-party is protecting your information. By no means is this an easy task. And if you cannot do that, you need to ensure that you are equipped with the necessary tools to protect against what we’ve been calling “potentially unwanted leaks” (PUL).

In our previous article, we laid the groundwork for what we believe to be a serious threat to ICS/SCADA devices: social engineering. We continue here with some definitions, some of which you may already know.

Phishing

Phishing is a relatively broad term for any attempt to trick victims into sharing sensitive information, such as passwords, usernames and credit card details. The intent is almost always malicious. Another characteristic of phishing is that it tends to be random, usually exploratory in nature, as opposed to a targeted act. Instead of targeting a specific individual or group of individuals, phishing tends to target multiple victims from within the same organization. Think of phishing as the “throw spaghetti at the wall and see what sticks” approach.

A National Cybersecurity Action Plan is a Serious Priority

We cannot allow this slow economic bleed of our economy to continue. It slows down and even reverses living standards. We simply cannot invest billions into research and development and have it siphoned from us with a few clicks. There is no justifiable reason to let this happen anymore. Smart and competent people have been sounding the alarm bells for some time, but they need more voices to back them.

Expectedly, our cybersecurity issues are growing. We say expectedly for a variety of factors including, but not limited to: size and scope of breaches, increasing costs that cannot be accurately estimated or predicted, a proliferation of technologies and abilities, and geopolitical tensions. Given current conditions, we do not see a particularly bright future if our current cybersecurity strategy remains more or less constant.

What is our current strategy? In short, it is the accumulation of a lot of expensive toys to hold together decaying infrastructure, along with a healthy dose of putting aside, or worse, ignoring, the basics. Put differently, we look to more technological solutions, but we avoid the single greatest problem: our decisions. The growing track record of failures demonstrates that this “technology-heavy” approach is not working.

The underlying problem with this strategy is that it is simply untenable unless there is some revolutionary technology that completely changes the landscape. And while we do think artificial intelligence and quantum computing will be game-changing, we do not necessarily believe they will solve all our problems. Poor handling and implementation of these two technologies may, in fact, accelerate our demise. Therefore, we cannot continue to throw what limited resources we have at supposed technological wizardry, fixes, and repairs when the root of our deepest problems is inherently insecure systems, poor maintenance, and social engineering.

Science of Cybersecurity Interview with Chuck Brooks

Frank Abagnale, one of the world’s most respected authorities on the subjects of forgery, embezzlement, cybercrime, and secure documents, succinctly states the troubling environment: “The police can’t protect consumers. People need to be more aware and educated about identity theft. You need to be a little bit wiser, a little bit smarter and there’s nothing wrong with being skeptical. We live in a time when if you make it easy for someone to steal from you, someone will.” There are many malicious actors out in the digital landscape and it will be increasingly important to stay ever vigilant.

Email interview held on 30th September 2017, between Alan Radley (questioner) and Chuck Brooks (respondent), as follows:

  1. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?

The current state is a scary one. Constant breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and financial daily activities are interconnected. We are all increasingly vulnerable to hackers, phishers, and malware proliferating across all commercial verticals.

In the past year, the employment of ransomware has become the cyber-attack method of choice for hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are composed of different systems and devices and often lack the required patching and updating necessary to thwart attacks. The recent WannaCry and Petya attacks were certainly wake-up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities in networks still remain.

Here’s How to Make Patching Security Holes Easier For Everyone

We’re realists. That’s why we propose this interim solution: making patching and protecting all American devices easy, especially for the individual. If nothing else, it hopefully can stimulate a culture change in our cybersecurity behavior.

A lot has been said recently about patching and what role it plays in cybersecurity. A patch is just a small piece of software, made available to the consumer from the software company that “patches” a security flaw in the software. That’s all. But these patches, when installed, can save you a world of hurt.

Many of the worst breaches we have seen could have been avoided if patches were installed in a timely manner. Before we start getting flak that patching for an entire enterprise is not some “flick of the switch” easy procedure, we’re on your side. We agree with you. You need a system in place so you can roll out these patches on all devices within your enterprise. The biggest problem for enterprise-sized organizations is not so much installing the patches but managing the logistics behind patching an entire system. It’s more project management than anything, so you need to find what is right for you and your organization.

Will the World Really Cooperate in Curbing Cybercrime?

Some people wonder why it is so hard to get agreement on international treaties, particularly when an issue (say, oh, cybersecurity, for example) is so “obvious” that something must be done about it. And you may have also noticed that doing something about it is easier said than done.

As part of this ongoing series (previous parts, in order, here, here, here, and here), I have been trying to make the case that differing interests make cooperation on cybersecurity issues virtually impossible. This is not criticism. It’s just reality. And while it would be easy to look at Brexit or Eastern European and American politics as a pushback against the globalist system, which – in theory – could help develop a platform for greater cooperation regarding cybersecurity concerns, it’s just not that simple.

As I explained in my previous article, some wounds cannot be easily healed, and some cultures have longer memories than others. Don’t try to judge whether holding long grudges is legitimate; rather, just accept that it happens and we have to deal with it. And with that backdrop, I point to the Convention on Cybercrime, sometimes known as the Budapest Convention, the first international treaty that focuses on crimes that take place on the Internet. Even if your cyber work does not cross international lines, it would be best if you spend just a few minutes on the Budapest Convention in order to familiarize yourself with what it covers and what it does not.

Cybersecurity: A fiduciary duty

This plague has only increased and has prompted much research and writing on cybersecurity best practices (including by us) settling on, at the very least, one or more best practices designed to lessen (if not entirely mitigate) the effects of ransomware.

The recent WannaCry ransomware exploit brought into full view several factors that terrify many companies and their boards of directors. Why? Because these directors are charged with the fiduciary duty of overseeing the cyber risk preparations and defences of their companies for their shareholders.

In today’s environment, this presents quite a challenge for companies and boards alike. Security has always been a challenge because the defender must be right 100 per cent of the time and an attacker needs only one lucky shot. Effective cyberattacks can involve factors such as:

1. A ‘zero-day’ or previously unknown software exploit (or vulnerability) that even advanced IT departments could not have reasonably planned for

2. An exploit that encrypts files when enabled or executed, and will not give the files back unless a ransom is paid

3. A public relations nightmare trying to explain to third parties, regulators (and in the case of WannaCry, hospital patients) why service levels dropped (i.e. evaporated) due to lack of properly segmented back-up recovery media and/or less than rigorous implementation of standard patches for older operating systems.

Five Ways an External Risk Adviser Can Help the Board Solve the Cyber Risk Puzzle

Boards are used to dealing with economic, environmental, geopolitical, societal and even some technological risks. Much like a driver doesn’t need to know the details of how an engine works to safely steer a car through traffic, directors don’t need to have deep expertise in cybersecurity controls and protocols to steer the organization through the minefields of today’s threat landscape.

“At the board level, I don’t think the board can ever dig deep enough to understand what’s going on under the covers.” — The National Association of Corporate Directors (NACD), “The Evolving Relationship Between the General Counsel and the Board.”

Board directors are faced with the nearly insurmountable task of providing adequate oversight of cybersecurity risks. While they are used to dealing with various types of risk, many directors feel uneasy with their own level of understanding and decision-making around cyber risks, and require the expertise of an external risk adviser.

Why we need a #Cybersecurity “Moon Shot” Now.

Cybersecurity must be conquered. The United States must do so to preserve peace and seek knowledge, and “it will be the greatest adventure in which man, let alone the United States, has ever engaged.” Let’s conquer cybersecurity today. And not just for ourselves. But for the generations to come.

I often wonder about the legacy that we would leave our children today if it were all to suddenly end. Would they be proud of our accomplishments? Would we leave a lasting effect on mankind? Or would our children view our time as a wasted decade (or two)? Meaning we have so much and so many riches, yet we don’t seem bothered when someone (something, or some nation-state) steals them willy-nilly without attribution or consequences? I wonder.

When I was growing up, I idolized these guys, the Mercury Seven astronauts. They represented the best of the best. Our heroes. The men who would make going to the Moon and walking on the Moon not only possible, but they would get it done. Period. Failure was not an option. And they did not fail.

Have We Normalized Theft?

Lost in so much of the cybersecurity conversation is that protection rarely offers a return on investment. Protection is a tax on business and a tax on individuals. So unless we start “feeling” this theft on a more personal level and take the steps to properly educate ourselves about the human dimension, we are going to run out of money to invest in protection real fast.

When did cyberattacks truly begin to concern us? Was it the Morris worm of 1988? One would have wished it was, but clearly this is not the case. How about the 2008 cyberattack on USCENTCOM? That worm, likely injected into the DoD system through a single USB key, took about 14 months to clean up by some estimates. Fast forward nine years to Equifax: 145 million records stolen. Have we learned yet? I wish I could say “okay, this time we will do something about it!” but I am not too optimistic.

Why?

Because I feel we have slipped into a dangerous area: we have allowed the normalization of data theft. And today, data theft means anything from personally identifiable information to R&D/intellectual property to good old-fashioned money. My feeling is that because we don’t “feel” data the same way we would, oh, a stack of $20s, we don’t really appreciate what is being lost.