Thursday, July 20, 2017



Enjoy the heart-pumping speed of the racing video above or go directly to the article below:

Cybersecurity: The Need for SPEED


If you look at a range of recent security industry reports, you’ll see varying times quoted for how long it takes criminals and bad actors to exploit your network and exfiltrate data, and how long it takes to discover and remediate a breach. On average, though, the numbers look something like this:
  • Time to compromise: minutes, if not seconds.
  • Time to exfiltrate data: days, if not weeks.
  • Time to discover or identify the breach: often months, if not years.
Of course, there are a lot of factors that impact these times, including the maturity of the organization, employee education programs (or lack thereof), headcount, and the people, processes, and technology you have in place.
It can also depend on how quickly response teams work together when an incident occurs. As pointed out in the 2017 annual “Cost of a Data Breach Study,” rapid response drives down the cost of a data breach. According to this report, “Failure to quickly identify the data breach increases costs. If the MTTI (Mean Time to Identify) breach was less than 100 days, the total cost was $2.8 million. If it was over 100 days, the estimated cost was $3.83 million.”
It’s clear that when it comes to security, time is of the essence. To help you prioritize, here’s a handy acronym you can share with your teams when it comes to your cyber security initiatives:
S – Situational Awareness
P – Patching (Cyber Hygiene)
E – Evolve Continuously
E – Event Monitoring
D – Detection

Situational Awareness

What is situational awareness? One source defines it as “[…] the perception of an enterprise’s security posture and its threat environment; the comprehension/meaning of both taken together (risk); and the projection of their status into the near future.”
Some of the questions you need to answer to determine your situational awareness include:
  • Do you know where and what your vulnerabilities are in your people and processes? Do you have a plan to mitigate them? Does that plan include timelines or training?
  • Have you conducted penetration testing to detect weak points in your network? Do you have a plan to address any issues found?
  • If compromised, do you have a plan in place to address it quickly? When was the last time that plan was reviewed or tested?
  • Are your cyber security teams and your business continuity or disaster recovery teams tied at the hip?

Patching (Cyber Hygiene)

While zero-day vulnerabilities often make headlines, malicious hackers more commonly exploit vulnerabilities that have already been revealed. For example, many businesses (including a Honda manufacturing plant and some hospitals) had their operations interrupted by the WannaCry ransomware exploit, because they didn’t patch known vulnerabilities quickly enough. Running patch updates monthly won’t cut it. Desktops should be updated as soon as patches are released as your first line of defense. Server patches may take a bit longer, as they may require time for testing to verify that functionality isn’t affected. In the case of operating systems that are no longer supported, like older versions of Windows, users must be migrated to newer ones that are, or a plan developed to migrate them if an immediate move isn’t practical.

Evolve Continuously

Your people, processes, and technology must constantly evolve. You don’t want to be one of those organizations that gets notified of a compromise by law enforcement before your security teams are aware of the situation.
Here are some important questions to consider in measuring your security maturity:
  • Are your people studying, getting education, and keeping up with current events and technology advancements?
  • Are your processes still valid? Do they need to be updated or modified?
  • When is the last time your systems were updated or upgraded?
  • Do you know if your current antivirus software can detect or mitigate exploits that run in memory? Is it time for an RFP for a new endpoint security product?

Event Monitoring

Continuous monitoring of events is a key factor of being able to discover a breach and react quickly.
Key questions you should consider include:
  • Can you easily detect malicious traffic?
  • Can you quickly identify endpoint changes?
  • Are you able to recognize if these changes are malicious or benign?
  • If the changes are malicious, is Endpoint Detection and Response (EDR) tooling available to remediate, or do you need to reimage the device?
  • Are you monitoring external traffic from your network to and from the Internet (C2 traffic) for malware and potential indicators of compromise?
  • Are you monitoring internal traffic? What potential malicious communication has taken place from one endpoint to another?
  • Are you monitoring your cloud applications, as well as devices and endpoints outside the company network?

Detection

As we saw earlier in the Ponemon study, the faster that a data breach is detected, the more you can reduce costs and business impact. If you factor in the hours spared by your security team, as well as legal, public relations, operations, and other parts of the organization, the savings add up quickly. That time can be better spent growing your business and improving operations. By detecting breaches earlier, you can also better protect your brand reputation and maintain customer loyalty.

Summary

With an estimated 1.38 billion records reported stolen in 2016 (approximately 43 records per second), putting the need-for-speed model into place can lead to a more mature security program that helps you save time and money over the long run.
Bob Carver made Klout’s Top 10 list of most recommended influencers to follow in #CyberSecurity and #infosec. You can follow him on Twitter: @cybersecboardrm. 

LinkedIn has named him one of the Top 5 Cybersecurity Influencers to follow on the platform.
Copyright © 2017 Bob Carver CISM, CISSP, M.S.


Tuesday, January 10, 2017

Eleven Cybersecurity Predictions and a Wish List for 2017

Copyright © 2016 Bob Carver CISM, CISSP, M.S.

Let's start with some of the things I got right in 2016:

IoT - This was #1 on my list of 2016 predictions last year. The beginning of IoT security problems has been seen and felt this year. The Mirai botnet took down 85 websites for a good part of the day in various parts of the U.S., the UK and the EU. These botnets also took two well-known websites offline for a large part of a day. Internet interruptions due to IoT botnet activity have been reported all over the world.
Signature-based AV and IDS - continue to be worth less in all computing environments and are unable to detect the vast majority of sophisticated malware.
Automation - is starting to be seen in several areas of information security; however, it has a way to go to fully integrate into monitoring, forensics and the incident response process.
Received a wish from last year's wish list:
UL-like certification - for the security of IoT devices and other things that connect to the Internet. There are several organizations attempting to do this now. If I were a betting man, I would put my money on Mudge Zatko’s project to have some of the best success.

Predictions 2017:

1. More issues with the IoT (Internet of Things) – Although the U.S. Congress was shocked at a recent hearing of the power of hijacked IoT, it still does not want to legislate IoT, the majority of users don’t know how to secure IoT and vendors/resellers may not be under any legal threat to take any action to better their products. This means more mischief or worse will take place in the coming year. If no one is held responsible, the malware writers and botnet herders will play (“wreak havoc”).
The Mirai botnet was just the tip of the iceberg. It was a relatively unsophisticated test just to see what could be accomplished. Just as we can only see the tip of an iceberg, the majority of the iceberg is submerged below the water and has yet to be seen.
While we are on the subject of IoT, let’s put ICS (Industrial Control Systems) and IIoT (Industrial Internet of Things) in the same risk bucket. Many of these devices can be hijacked in the same way as IoT and cause major harm to all networks and users involved.
ICS and IIoT users and manufacturers have generally been more serious about securing their platforms in recent times; however, there are laggards and legacy systems that still need their security shored up.
The question remains: when, and who, will ultimately take responsibility for this mess?
2. Advanced Endpoint Security – If you haven’t purchased Advanced Endpoint Security yet, this is the year everyone should have an RFP out to upgrade their endpoint protection. Malware with any level of sophistication evades all traditional AV. Cybercriminals are selling malware with guarantees that it will not be detected by any traditional AV.
3. Compliance to Insurance Standards vs. Compliance to traditional Cybersecurity Standards (NIST, ISO and the list goes on) – In the near future, your cybersecurity insurance provider will have the larger influence on what type of security defenses, detection, mitigation, people, processes and technology you will need to have in place. If you don’t follow their recommendations and guidelines, you either won’t be able to obtain insurance or your premiums and deductibles will be so high that you will most likely be forced to abide. Note that currently insurance companies can only assess relative risk by the industry a business is in. The statisticians and actuaries will be working night and day to be able to assess risk at a much more granular level than the industry a business is in. Their job will not be easy, since the risk factors can be extremely dynamic in nature.
4. Traditional IOCs (Indicators of Compromise) – MD5/SHA256 hashes of malware, IP addresses, URLs or domain names of botnet command and control servers – may become less important. Why? Hashes change with minor modifications of code, making an almost infinite number of variants. URLs and domains can change daily, hourly or even by the minute. By the time all IOCs have been vetted and published, the game has changed and the last IOCs merely point to past historical data. If they are to be of any value, the dwell time will make it necessary to vet and publish these IOCs in as close to "real-time" as possible.
Of course, knowing IOCs in advance, for example by cracking DGAs (domain generation algorithms), is also useful.
As a result, we need to put more weight on the TTPs (Tactics, Techniques and Procedures) used in cyberattacks and on how we will immediately recognize or block those attacks.
5. Malware, where is the malware?  
Yes, Kaspersky estimates there are 323,000 pieces of new malware each day while Virustotal recently saw 413,720 pieces of new malware in a day. So why do I say where is the malware?
Fileless malware, exploit kits, memory-resident malware and legitimate operating system processes will continue to increase and be responsible for a larger portion of malicious activity. Hijacked legitimate processes, or simply the use of legitimate user credentials, will make it more difficult to determine whether a legitimate process is being used for good or for malicious activities. Note that most traditional antivirus products have these processes whitelisted, indicating they can only be used for good, legitimate work. Unfortunately, the cybercriminals have discovered that good, legitimate tools can also be used for nefarious purposes.
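To make the point of items 4 and 5 concrete, here is an added example (my own, not the author's) contrasting a hash IOC match with a TTP rule. The sample bytes, the IOC set and the process-creation events are all constructed for the example; the rule "document application spawns a script or command interpreter" is a generic behavioural check, not a specific vendor signature.

```python
import hashlib

# Constructed stand-in for a malware file, and a variant where a single byte differs.
ORIGINAL_SAMPLE = b"MZ\x90\x00 constructed sample body, build 1"
VARIANT_SAMPLE = ORIGINAL_SAMPLE.replace(b"build 1", b"build 2")

# A hash IOC feed only knows the hash of the sample that was vetted and published.
PUBLISHED_HASH_IOCS = {hashlib.sha256(ORIGINAL_SAMPLE).hexdigest()}


def hash_ioc_hit(sample: bytes) -> bool:
    """True when the file's SHA-256 appears in the published IOC set."""
    return hashlib.sha256(sample).hexdigest() in PUBLISHED_HASH_IOCS


# TTP rule: a document application spawning a script or command interpreter.
# It keys on behaviour, so a recompiled dropper with a new hash still triggers it,
# and it flags the "legitimate process used for bad purposes" case of item 5.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def ttp_hit(event: dict) -> bool:
    """True for a process-creation event where a document app launches an interpreter."""
    return (event["parent_image"].lower() in DOCUMENT_APPS
            and event["image"].lower() in INTERPRETERS)


# Constructed process-creation events (Sysmon-like field names, not real telemetry).
EVENTS = [
    {"id": 1, "parent_image": "explorer.exe", "image": "winword.exe"},
    {"id": 2, "parent_image": "winword.exe", "image": "powershell.exe"},
    {"id": 3, "parent_image": "services.exe", "image": "svchost.exe"},
    {"id": 4, "parent_image": "excel.exe", "image": "cmd.exe"},
]


def compare_detections(samples: dict, events: list) -> dict:
    """Run both approaches and report what each one flags."""
    return {
        "hash_hits": sorted(name for name, data in samples.items() if hash_ioc_hit(data)),
        "ttp_hits": sorted(e["id"] for e in events if ttp_hit(e)),
    }


if __name__ == "__main__":
    samples = {"original": ORIGINAL_SAMPLE, "variant": VARIANT_SAMPLE}
    print(compare_detections(samples, EVENTS))
```

The hash IOC catches only the vetted sample and misses the one-byte variant, while the behavioural rule fires on events 2 and 4 regardless of which binary was dropped.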
6. Banking/Financial Sector – The famous question to a bank robber was, "Why do you rob banks?" The answer: “Because that is where the money is.” Various cybercrime schemes in the financial industry have started with testing in the East before gradually moving to the West, and they will most likely not slow down any time in the near future.
Traditionally the goal for cybercriminals was simply to move cash from banks to their own accounts. New exploits to make money are being coded and executed every day.
Some recent trends that are bound to evolve and get more creative over time:
  • ATMs - exploit one ATM and be able to empty the entire network of ATMs.
  • Mobile banking apps – the mobile or app is compromised and the account is taken over by the cybercriminal.
  • One European bank that was often used to hide money from tax collectors was breached and its clients were blackmailed to ensure their tax evading plans were not revealed to the authorities.
  • Risk of malicious manipulation of ledgers and databases. 
If you can imagine a reasonable scenario, most likely it will be attempted.
7. The Cloud – The cloud is already one of the favorite methods for distributing malware. Enterprises are still honing their abilities to monitor, scan for vulnerabilities, lock down and protect the cloud. When cybercriminals take advantage of the cloud, then the enterprise will truly know their weaknesses, continuing to refine their monitoring, hardening and security practices.
8. Ransomware – will continue to grow; however, it may not be the traditional "encrypt your computer and demand bitcoin" for the decryption key. Cybercriminals will be concocting new business models and new platforms to execute them. Encryption is becoming old school. Data destruction, data manipulation, lockouts from digital platforms and old-fashioned blackmail could be some of those new criminal activities. It may go into the cloud, automobiles, IoT/IIoT/ICS and beyond.
9. Mobile – in spite of unending patches and upgrades, the smartphone is still one of the most vulnerable platforms. There has been progress; however, if a sophisticated actor wants to compromise your emails, texts, contacts or banking apps, they most likely will gain access. BlackBerry was the king of secure phones for the longest time. Unfortunately, they did not keep up with consumer demands for modern, convenient apps and Internet browsing. Let’s hope security is better embedded by design in the phones the general public purchases, getting back to the level of security BlackBerry was known for. Look for financial exploits and access to personal information.
10. Terrorists and Rogue Nations - will utilize traditional cybercriminal activities to raise money for their cause. They have been losing ground in their land grabs. This may cause some of them to go virtual and get behind the keyboard.
11. Phishing and Social Engineering – Simply said, it is not going away. This is still one of the most popular ways that a perpetrator gains the initial foothold in a network. As long as they get a regular, small percentage return on their continued attempts, it is not going away. In the meantime, defenders need to continue to raise the bar in their detection algorithms, possibly utilizing machine learning, because the cybercriminals will continue to raise the bar with their exploits.
Wishes for 2017, the New Year:
1. That everyone understands there are no longer any "set it and forget it" security programs that are sufficient to protect you. You must be dynamic to keep up with the attackers.
2. That some group ultimately takes responsibility for IoT/ICS security matters.
3. That threat intelligence platforms progress to make IOCs available as close to real-time as possible, and that TTPs become more important in threat intelligence and are made available more quickly.
4. That more IoT/IIoT/ICS devices be purchased with a warranty that supports security patches for at least 5 years (or more) and forces users to change passwords (and ideally usernames) at initial login to the device.
5. Expiration dates on IoT/IIoT/ICS. If these devices have serious security flaws that can no longer be remediated, they should be forced to have an "end of life" date where they would be retired and taken out of service.
Remember, being compliant does not mean you are secure.
Everyone be vigilant and have a safe, great 2017!