Time For Security Major Effort?

I.e. Do we need to make a major research effort to solve all(or most) Cybersecurity problems?

Why?

Because mistakes keep happening:

And these are not small mistakes – they may shift our world underneath us…  As California considers more legislation and Breach reporting requirements, other states may also look into this issue.  At Databreachtoday.com there is a story about how California is proposing new changes to Data breach notification requirements.

The California law is  adding clarification to potential breaches, as before it is not obvious that government issued identification is part of “personal identification”, and any biometric data as well.

The now defined “personal information” includes:

  • Social Security number;
  • Driver’s license number, California identification card number or other government-issued identification number;
  • Account number or credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account;
  • Medical information;
  • Health insurance information;
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
  • Information or data collected through the use or operation of an automated license plate recognition system.

It is good to get clarification which only means most other states will follow and also enact similar laws.

If you have a breach you are on the clock and will be judged by how fast you can deliver information to your customers or employees about the breach.

 

What is different in California is the privacy law AB375 which is actually referred as “The California Consumer Privacy Act of 2018.”

(1) The right of Californians to know what personal information is being collected about them.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.
There are going to be implications for all companies that store data from this law.
So are we now forced to spend a lot more money and to push for much higher Cybersecurity? Yes and no…  of course we will have to focus on Cyber aware policies that pay closer attention to how we use data, but is it truly necessary to spend an inordinate amount of money on Cyber products and people?
I don’t believe so.
We have to learn how to do the basics efficiently.
It is the basics that are not done right… that is the focus and constant improvement we need to focus on. Maybe a new tech is needed, but it will likely not cost an arm and a leg. It should be a Risk-reward analysis that uncovers what is needed from the governance policy and standards.
That is what is needed – proper governance, and reviewing what is really needed. A ‘moonshot’ or silver bullet is not there for us, we don’t have to ask some super agency to create a Cybersecurity ‘Manhattan Project’  that will solve all our problems.  The problems we have will always be there until we address them.
Let’s get after them now…  Contact us to get started.

Is Compliance Enough for Your Company?

If you accept credit cards you need PCI compliance

If you have health data then you need HIPAA compliance.

A financial company gets many pieces of compliance which depends on what types of financial instruments you sell. You may need other types of compliance.

Unfortunately PCI compliance does not require a backup of your critical data , so if you have critical data then it is up to your judgement to set up processes to make sure if they are corrupted then can be recovered.

This point of corruption of data to recovery is the single most likely reason for small businesses to fail six months after a major cybersecurity event.

In 2019 your company could be doing business as usual in January, then in February the right attack could cause problems for your company…  if you are not ready for it, six months later you could be out of business.

Which is why we want to highlight it and make sure you understand the inattention that can cause disaster.

We are here to go over your processes to make sure that this type of disaster does not happen. You can make it go away for a few dollars and attention. That is all it takes.

Contact Us to discuss – Three-One-Four-five -zero-four, three,nine, seven, four.  Leave me a message and I will get back to you.

TonyZ

 

 

Unknown Risks – Are you ready for 2019?

Are you ready for new year surprises?

Why is it that 60% of businesses fail after a major Cyber attack?

  1. Spam Email – most attacks come in through well crafted emails (spear phishing)
  2. Social Engineering – An attacker can use 1 and 4 to call you to craft a sneaky method to get on your network.
  3. Darkweb – all information created from 1,2,4, and 5 are here and for sale to other hackers. I.e. a cyber attacker does not need to be an expert at all things, only at 1 and buy the others.
  4. Facebook Hacks – or other social media. Hackers use social media to profile you and then use 1&2 to attack you
  5. IoT (Internet of Things) in House – vulnerabilities are not patched and attacks come into IoT devices
  6. Unknown Zero-Day – unknown sophisticated attack using non-defensible methods(i.e. cannot defend against this)

The following is per Smallbiztrends.com ,  and it looks like that is what it says: 60% of small companies go out of business within 6 months of a cyber attack.

I want to discuss why that is?

Let’s assume our small business is like most small businesses, they are living “paycheck-to-paycheck” in a small biz manner. I.e. there is enough business to make payroll and to do a few things for the business: small changes for new technological improvements(new computer, new phones, website improvements).  But is there enough time and effort to overhaul IT cyberdefense?  Why overhaul when you can make adjustments, since with adjustments we can still stay alive and keep on surviving another year.

What if an unforeseen attack occurs? That we are not ready for? So that means we have to reconstruct our IT information “from scratch”. I.e. from non-electronic sources. In that case a lot of things can go wrong, and if expenses go too high or it takes too long to reconstruct, one can easily see how it might be easier for the small business to go out of business rather than create a huge debt burden. This is why 60% of small business goes out of business with a successful cyber attack.

The attacks coming into your business are no longer from loner hackers or your neighborhood Geek with too much time on his hands… The attackers are sophisticated and in great breadth, which are certainly coming daily  because it is easy to setup thousands and millions of attacks on previously purchased databases with information stolen in years past hacks on the Darkweb. The hacker uses his computer knowledge and this information to craft sneaky spear phishing attacks. Once on the network it could be months before you actually find out what is happening, since he will sell his access to your network to others who are experts at extracting money out of you.

So the hacker goal is to employ a number of experts over time to infiltrate and eventually extract extortion scams out of ransomware schemes…   FBI news and tips for dealing with Ransomware.

New IoT attack examples from Anson McCade’s Twitter feed:

 

So in the future a crafty sneaky attacker could control more than your business servers, but also your fitness devices and more. I.e. Pay the hacker $1000 or else …

 

Contact us to update and overhaul your cyberdefense methods.

Innovation and Cybersecurity

Amazon versus sears innovation, comparisons

The obvious angle(in 2018) is to applaud Amazon and chide Sears for the massive technological progress and stagnation respectively. 

Sure Sears did well in it’s day by pioneering catalogs and selling many things one does not think about right out of the catalog(houses and cars). But somehow when the internet technology came into being they were not interested in _this_ new “catalog”. The reason I mention this phenomena is  that it is very hard for CEO’s to see the future with a new technology.  One must live and breathe it (like Mr Bezos did).  what does it mean to “live and breathe it”? 

In my opinion it requires a CEO to understand the underlying technology, which nicely segways into Cybersecurity.  If one does not build cybersecurity from scratch (from the beginning).  Creating security after the software is built can make it difficult if not impossible to create true Cybersecurity.   In the picture above there is also an image of hurricanes which are either over land, or moving there.  Which company can better absorb “hurricane of a market”? Or an actual hurricane with the required disaster recovery plans?

Let’s list some of the risks a CEO has to think about in navigating a strategy for the future:

  1. Innovation (how to be a better company with more profits)
  2. Economic environment (general economy)
  3. Regulations (government or industry)
  4. Labor Issues (employee problems)
  5. Natural disasters (including hurricanes – electrical storms etc)
  6. Criminal endeavors (including cybersecurity)
  7. New Competitors (with technological improvements)
  8. Miscommunications by CEO or other officers that cause production problems

What order should your specific list be in?

Maybe you have Labor issues first? then Production problems, competitors and Economic environment.

Usually – Natural disasters and criminals are not in the major crosshairs of a typical company.

The reason people are not focusing on Cybersecurity is that the risk or threat does not seem to be that high in their eyes.

From the VISA  “Global Compromise Trends” informational image (from their presentation a couple of weeks ago) shows that current attacks are shifting from small merchants to eCommerce,financial institutions, and aggregators/ integrators or resellers. I.e. entities that affect several small businesses.

So we find out that for now the small businesses are not in the immediate cross hairs. But the coming Armageddon is surely coming (Winter is Coming), and how can I say that? It is because the criminal element is always changing and learning… developing new methods to attack anyone on the Internet. As soon as you spend no time on Cybersecurity it will catch up with  you.  the reason it will happen quickly and with little forewarning.  Not like a Hurricane which we can see forming off shore.

The expert analyst can see things coming, but most small businesses cannot see this happening.  The technological advances are coming fast, and it is too hard to figure out what is really going to affect a business in the future from the following major themes:

  1. AI – Artificial Intelligence and Machine Learning(Robots) are great improvements for humanity and hard to say what how it affects Cybersecurity/Innovation.
  2. Quantum Computing – Once the quantum computer has been built encryption and Cybersecurity will change quickly as the game changes.
  3. Nanotechnology – was a rallying cry and buzzword for some time, and the tech has been improving. How does this affect your world? In some ways this is already happening in current 2018/2019 computers.
  4. What will the space tech change here on earth, just like NASA’s moon program created many new technologies the drive to go to Mars will do the same.

 

So how can futurists dabbling and current innovators striving make things more difficult for the current CEO?  Well, it happened for Sears… in 18 years Sears went from a still respectable retailer to a forlorn husk of it’s former self. Why? because the Sears CEO of Y2000 did not foresee the Internet as it is today, only 18 years later we cannot go without the Internet and everyone expects eCommerce to exist (this was not obvious in 2000).  So how much time should you spend on the future?

Obviously it can’t be a majority of what we do, but we have to decide whether the future is worth 5-10% of your time. Out of a 40 hour work week, 2-4 hours could be spent on future endeavors. I believe this formula is at a minimum. 

The question is where and how you want to go with your future time, and I would like to discuss how solving the Cybersecurity problem for good (i.e. managing it on autopilot) will free up your time in innovation.

IF you build Cybersecurity into your operation then you really do not have to worry about criminals taking a big chunk of your technology(i.e. China) and then you can truly focus on the things that probably make life more interesting (new gadgets that will increase your market share).

Updated 20/23 noon: Wall Street Journal has an article  about the Ford CIO experimenting with Quantum Computers, as he signed a $100k 1-year contract with NASA’s Quantum Artificial Intelligence Laboratory. “Our mission is to be early enough in the game so that when it’s evolved to the point of maturity and applications that matter to the business, we’ll have an advantage,” said Ken Washington, Ford’s chief technology officer and vice president of research and advanced engineering, in an interview with CIO Journal.

Notice how it is important for the CIO to look to the future and innovate just like  I said above… quantum computers have the chance to completely change the game in computer processing power as it may be x to y power instead of 2 to y with current binary technologies.  x could be 4 or 10 or another number (this is being devised now) as the engineering for a quantum computer is challenging. The math is available, so all we need is the engineering to catch up with the theory.

 

So let me show you how Innovation and Cybersecurity intertwines and makes for a better company in the today and into the future.  Contact me to discuss

 

 

 

 

NIST 800-171 Compliance Can be Done Quickly!

NIST 800-171 Compliance actually means DFARS Cybersecurity requirements must be met.

The NIST 800-171  requirements have always vexed small manufacturers due to the specific wordiness, so the NIST (National Institute of Standards and Technology) has been trying to make this easier to understand with the following pdf: https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

This is an important paragraph: from pdf

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are
necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA issued a final federal regulation in 2016 that established the required controls and markings for CUI government-wide. This federal regulation binds agencies throughout the
executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

 

So needless to say if you are a small manufacturer  and sell stuff to the US government you will have to be compliant  or else…. what is the or else?  I surmise the or else is pretty bad, since there has been plenty of time for you to get on board of this new initiative . Admittedly it has been a chore to get through the NIST 800-171  documents up to now.  As I have discussed in June on this site.

Like this for example:

There are many such points in the document,

Here is the full list of 14 points you have to work on:

14 controls have to be set up

  1. AC  – Access Control
  2. AT – Awareness & Training
  3. AU – Audit & accountability
  4. CM – Configuration Management
  5. IA – Identification and Authentication
  6. IR – Incident Response
  7. MA – Maintenance
  8. MP – Media Protection
  9. PS – Personnnel Security
  10. PP – Physical Security
  11. RA – Risk Assessments
  12. SA – Security Assessments
  13. SC – System & Communications protection
  14. SI – System & Information integrity

 

None of these points are actually brain surgery, where you need 10 plus years of training and schooling. In fact most of these your IT department can perform in their regular work. they just need support from above (i.e. resources).

The one point of audit and accountability the company itself cannot do it by itself effectively. As there is nothing like a person outside of the organization to have a point of view that can be fresh or at least without the company culture in mind.  which is what we do here at Fixvirus.com

So these 14 points should not dissuade you from becoming compliant, in fact even if you do not have multi-factor authentication(Identitification and Authentication), and it would take 6 months to implement, all you have to do is to create a POAM or  Plan of Action and Milestone.   So once you have writtenup proof or POAMs then you are compliant – easy.

This is how I can state that you can come into “compliance” with NIST 800-171 quickly.

Contact us to review and discuss .