Tag Archives: ThirdCertainty

Cyber Dangers to Critical Infrastructure

Many critical infrastructure systems, such as those that control the electric grid, oil and gas refineries and transportation, are now getting linked to the internet. That makes them easier to manage and maintain but also could put them in the line of fire for cyber attacks.

I recently discussed the issues involved in upgrading and protecting these critical industrial control systems with Patrick McBride, chief marketing officer at Claroty, a startup that intends to secure the operational technology networks that run companies’ infrastructure systems. A few big takeaways from our conversation:

Old systems, new protections

When industrial systems were built, sometimes decades ago, no one considered the need for digital protections. “The systems were never designed, especially 10, 15, 20 years ago, with cybersecurity in mind,” McBride told me. Their primary design goals were the safety of the workers and the resilience of the systems, he said. “Security wasn’t even an afterthought. It wasn’t a thought.”

See also: How Tech Created a New Industrial Model  

Now, a new class of tools is coming online to help monitor these legacy systems. Using behavior analysis and anomaly detection, they are designed to catch intruders early in the attack life cycle. “Monitoring technology is going to play a huge part in this environment,” McBride said.

Mishmash of systems leaves exposures

Big industrial plants are careful about what they put on their networks, but some are putting wireless and other access points on systems as time-saving techniques to gather data more efficiently.

When organizations began to recognize the need for cybersecurity, some traditional IT security vendors repurposed existing technology, McBride said.That didn’t work particularly well, because in the industrial control systems, the networks speak to other kinds of protocols.“You’ve got a whole set of overwhelming business value from pulling data out of those plant systems and being able to provide that information back to the executive,” McBride said.

For example, there are a lot of Windows XP machines in industrial environments that keep air conditioning going, or run chemical manufacturing plants and refineries.

Potential for escalating industrial attacks

In December 2016, attacks on the Ukrainian power grid cut off a fifth of all electrical power in the capital city of Kiev. The purposeful takedown was attributed to Russia. The troubling fallout: Threat researchers around the world have found indications of the type of malware used in Ukraine on other energy and industrial companies’ networks, McBride said, showing that hackers are at least probing for vulnerabilities.

See also: It’s Time to Accelerate Digital Change  

But threats from nation-states are only one issue. “There are other categories that people are really starting to worry about. If you combined the ease at which it is to gain a foothold on these networks and the relative ease you can attack these systems, it’s not hard,” McBride said. “You don’t have to squint too hard to say … ‘Terrorist organizations might want to do this or buy expertise to help them do that.’”

This post originally appeared on ThirdCertainty.

Don’t Hit Snooze Button on Cyber Threat

WannaCry was a wake-up call. Petya is a wake-up call. Last I checked, wake-up calls were meant to bring about change.

After WannaCry, we saw a massive surge in patching around the globe, not to mention a 22-year-old “accidental hero” in the U.K. who helped halt the malicious software. It’s proof that beating the drum continuously to public and corporate institutions about serious cyber defense tactics doesn’t seem to do the trick, and once again we will see a tangible drop in cybersecurity activity until the next big attack. It will only keep getting worse.

See also: 5 Best Practices in Wake of WannaCry  

The question is quite simple—why aren’t organizations doing more about this? We witness the answer every day: Most organizational leaders refuse to support their internal teams when asked for procedural change or proper funding for cybersecurity defenses—which cuts their bottom line.

In practice, it’s quite easy to see the lack of emphasis given to cybersecurity when it warrants only 3-6 percent of IT budgets, and oftentimes that number includes risk management. Moreover, our community just now is scratching the surface of providing tangible cybersecurity reports to the organizational board level, meaning its level of import is still not equal to that of numerous other reporting requirements.

There are strict physical safety measures imposed on numerous industries, like seat belts and airbags, yet we need look only at the current U.S. administration and its public stance on cybersecurity to see an instance of unbelievably insufficient governmental policy.

The entire intelligence community and the cybersecurity community that supports the government knows and has known the Russians have sophisticated teams and methodologies that have been used to attack us for years. This administration seems to have turned a blind eye on our national defense given their consistent refusal to admit Russia’s complicity.

See also: WannaCry Portends a Surge in Attacks  

This makes a bold statement that the White House has no intention of preventing, at a policy level, cyber attacks. There are still gaping holes in the federal CISO and White House CISO positions and we haven’t received any movement in policies or executive orders of any substance.

This article originally appeared on ThirdCertainty. It was written by Paul Innella.

How to Shield Your Sensitive Data

Recent high-profile photo hacks have made headlines. In March, internet hackers targeted celebrities including Miley Cyrus, Emma Watson and Amanda Seyfried, resulting in the leak of intimate photos that were posted on sites such as 4chan and Reddit. Similarly, back in 2014 hacker Ryan Collins exposed nude photos and videos of several celebrities after obtaining them from iCloud accounts.

But celebrities aren’t the only ones vulnerable to hackers. Imagine if your organization’s C-level executives had sensitive information stored in their email or documents. Hackers could obtain proprietary information, causing financial nightmares and damaging your organization’s reputation.

See also: Cloud Apps Routinely Expose Sensitive Data  

Many enterprises fail to properly secure their email and documents from attacks, thinking that firewalls and traditional security solutions are sufficient. But without a security solution in place, the entire organization can be at risk if just one employee falls victim to a phishing attack. Some 91% of phishing hacks lead to content breaches that can snowball, causing you, your contacts and their contacts exponential harm.

What can be done to mitigate the possibility of data breaches?

Unstructured data

Each day, millions of corporate and government email users worldwide have candid conversations over email—whether between employees, supply chain partners or other external participants—sharing information that often is proprietary and mission-critical. And the volume of data in emails and documents is doubling each year.

This collaboration is crucial for today’s businesses, but maintaining privacy standards and document security can be challenging. To ensure productivity through collaboration, expedite projects and make timely decisions, employees are sharing unstructured data both inside and outside the firewall. Yet once the information is outside the firewall, it may not be protected. By establishing a secure environment that protects content inside and outside the organization, all parties can communicate freely via digital channels.

Rights management

There is an expected level of trust between you and your internal and external stakeholders that the information you are sharing is for their eyes alone. While there is no foolproof way to ensure that someone isn’t reading over your recipient’s shoulder, rights management is another way to enforce security permissions. This adds an extra layer of protection to emails, documents and photos even when opened by a permitted source. Content is protected from misuse while at rest, in transit and in use. And the ability to track and monitor for authorized use and attempts of unauthorized use of content can help ensure that data and intellectual property stay within the circle of trust.

Encryption

Encryption offers yet another layer of security for your information by making content only accessible to the devices and users with specified usage rights.

Data with encrypted in-use protection allows the authorized recipient to decrypt content by tethering to the specific device and user. This means that content in an authorized receipt could get hacked—but the hack could easily be mitigated.

See also: Forget Big Data; You Need Fast Data  

Bottom line: Breaches are an invasion of privacy whether you are a CEO, developer or celebrity. It’s imperative to ensure that no matter where your content travels or what device you use, at any point it is protected from getting into the wrong hands. Armed with the knowledge to ensure secure content collaboration whether inside or outside an enterprise network, you can avoid becoming the next headline.

This article originally appeared on ThirdCertainty. It was written by Erik Brown.

Best Practices for Cyber Threats

All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

See also: How to Anticipate Cyber Surprises  

I recently sat down with Edric Wyatt, security analyst at CyberScout, to discuss the first step any organization — of any size and in any sector — can take to increase its security maturity. His answer: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration, likewise, refers to the NIST framework in guidance for medical device manufactures.

NIST is aggressive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective steps to improve any organization’s digital security posture. Implementation materials are available at no cost to organizations of all types and sizes, small- and medium-sized companies, educational institutions and state and local government agencies.

NIST is flexible. At the end of the day, the NIST series guides organizations to shaping security policies and security controls that are flexible, adaptable — and effective. One vital component is senior management buy-in. New policies can and should be implemented and tweaked in a methodical, measurable manner and should be championed by senior leaders. The goal should not be just tightening security, Wyatt says, but also making one’s organization more reliably productive. A continual feedback loop can help keep controls alive and vital, Wyatt says.

See also: Cyber Challenges Under NIST’s Framework  

This article originally appeared on ThirdCertainty.

Cyber: How to Fix the Human Factor

More than ever, chief security officers are being held accountable for keeping their businesses safe. Phishing attacks, data breaches, ransomware and the ever-increasing access by employees to technology and data are driving this accountability. But there’s only so much that technology solutions can do to protect against threats.

What else should organizations do? It turns out that most breaches are the result of an employee mistake, so looking to their staff as their first line of protection is a critical success factor today.

Security awareness training is now recognized as one of the critical components of a robust security architecture. But are employees getting the security awareness training they need and deserve? Unfortunately not. Too many organizations still choose to provide no security awareness training at all, or simply provide annual PowerPoint-based training program, or training that is dry and difficult to understand.

See also: Quest for Reliable Cyber Security  

Employees often think they’re prepared or think, “That’ll never happen to me” — until it does. Then the employee often is too ashamed to go to a boss or IT department after an incident occurs.

Traditional training doesn’t work

The information and best practices the employee received from training were never understood, didn’t seem relevant or just didn’t come back to him.

What happened? Cyber attacks aren’t changing every five years — it’s more like every five months. Organizations can’t afford to fall behind on security training.

Employees must be armed with the knowledge and skills to protect themselves and their organizations. Traditional, outdated training does little to prepare workers for the deluge of cyber attacks they face or the risks they create for themselves. There are ways to make a change in the workplace.

Instead of training employees as passive observers, make training interactive and teach actionable, real-world skills.

Recognize that hacks happen

Instead of instilling a mindset that an incident must never happen, give employees the confidence to speak up, even if they make a mistake.

Instead of focusing solely on security, focus on learning, too. Make training brief, fun and sticky so that it is always top-of-mind when needed.

Instead of focusing on a single type of risk, prepare employees for the range of security threats they’ll face, whether from an external cyber attack or from their own use of technology or access to data.

See also: Cybersecurity: Firms Are Just Sloppy  

Hacks can happen even if the staff practices security procedures. Look at the victims of the Twitter Counter breach. No actual Twitter accounts were hacked, but a third-party application was, and the hackers left unnerving tweets on organizations’ accounts. Employees should be prepared for events like this. Practicing real-world scenarios can help prepare for the worst-case events. Training needs to keep up with the technology that employees are using and the risks they face.

It’s time to stop using outdated training techniques and for organizations to invest in their employees and assets by providing security training that will make a difference and change the behavior of its staff. They can’t afford not to.

This article originally appeared on ThirdCertainty. It was written by Marie White.