Risk Management Should Be: Known Threats Evaluated – Find Unknown Threats

It is a known fact that risk management looks in the known-facts department as we try to evaluate which issue to focus on.

Nowhere is this "security as the last point of order" more evident than in the cryptocurrency markets being created with ICOs (Initial Coin Offerings).

You would think that when setting up an ICO, which is based on a cryptological currency, the security of the venture would not be an afterthought. But it apparently was, several times, as stated in the ZDNet article “Cryptocurrency Catastrophes of 2017”.

Wallet addresses were changed on websites and million$ were stolen in the form of Ethereum coins.

I am not interested in the cryptocurrency market, but am interested in human psychology and efforts. In this new field it apparently does not dawn on many CEOs of these new entities that security should be a central tenet in their business model, especially since their venture is completely digital, i.e. constructed in a computer.

We as humans have a hard time focusing on security. It is hard enough to create an ICO and a cryptocurrency, so when it is time to develop the website to sell or manage cryptocurrencies, security is an afterthought?

Why are we always behind?

  1. July – Coindash ICO $7.4mil stolen
  2. Veritaseum’s ICO $8mil stolen
  3. Parity wallet $30mil stolen
  4. November: Tether $30.9 mil stolen
  5. User found vulnerability and exploited it thus freezing $160 mil in funds.

There were a bunch of scams as well, but those I am not interested in. So $76mil were stolen and $160mil frozen due to a lack of preparedness and misunderstanding of Cybersecurity.

Why is it we always focus on cybersecurity after something happens? After an issue occurs, thus making it known.

The problem we have in Cybersecurity is to focus a little bit of our time and effort before known issues come into being.

Contact Me to discuss this in detail as we can forge a path forward in this new digital age.

As Technology Changes Faster “Remember The Basics”

I like Jonas Bjerg’s YouTube video “How Abundance Will Change The World”.

Elon Musk predicts 100 Gigafactories in the world (of which he will build 4).

Peter Diamandis and Elon were at the World Government Summit 2017.

Cost per Genome is going down and has gone down exponentially.

Quick review of video: ‘So robots will take over, the world will have abundance and people will lose meaning (having lost their jobs)’.

So what will happen with the friction from all this? When have you known people to actively agree 100% with how technology has gone along? As usual there is no thought to security.

What about crime?

I know, I am in the Cybersecurity field, and to me it is simple to see: when “some” people lose their jobs to robots, they may become hackers and either create new crime syndicates or work for an already successful syndicate.

Maybe I want to make more money than from the Universal Basic Income that some are proposing once many of the drivers and doctors are out of a job. How will I make more money? By figuring out a way to get a piece of the cyber slice$ that is around “in abundance”.

Then we have a Dark Reading post, “‘Back to Basics’ Might Be Your Best Security Weapon”.

Here Lee Waskevich’s commentary points out what I have said for many blogposts: we must focus on the basics first, then we can point out the more advanced issues.

So let’s train our employees to find the scams in our mailbox (email and mail). SCMagazine points out a survey that found 32% of Britons would become a money mule for criminals. The issue is that unemployed people talk themselves into many things, especially if they have no previous arrest records.

In this blog we know that people do illegal things and that companies and people must defend themselves appropriately, even as technologies become increasingly complex with more robotics and electrification of everything. (I always wonder why we focus on Cybersecurity AFTER a breach has occurred.)

Let’s put 10% of our efforts into Cybersecurity and then we will be better off. Contact Us to review your Cybersecurity profile.

OK, that’s good, but what about the cryptocurrency craze? There are and will be thefts here. Hot for Security has a story on how $400k was stolen in the BlackWallet application using DNS, and as you can see right now (1/16/2018 13:30) the site is down.

So what does that mean? If you are involved with money, and even cryptocurrencies, you had better be testing your environment for cyber attacks.

What will 2018 bring to Cybersecurity?

Happy New Year 2018 very soon!!!

This is a good time to review the technologies that are shaping our lives. What do they mean for Cybersecurity?


Amazon, iPhone devices, Android devices… these are technological breakthroughs that are quickly changing their technological landscape, either to enhance user friendliness and features or to be the better brand or flagship product type in the technological category they belong to. This means more Internet connectivity, not less.

What does more Internet mean? Does more function mean less security? Based on statistics, one thing is for sure: cybersecurity will be more important in 2018. As you will see, more connectivity means a ripple will cause more problems, so we _have_ to focus on cybersecurity a certain amount, or this decision of apathy towards cybersecurity will cause you regret.

If we look back to the year 2015, in one of our blogposts we discussed the relevance of the Cisco VNI (Visual Networking Index) forecast. In 2015, the projection was that an immense 24 billion devices would be connected to the Internet by 2019. Current VNI projections show a much larger number than the 2015 projection, with numbers now at 29.1 billion; although we are closer, we should get even better projections as time goes on.

What is the relevance of this then? It means the number of connections to the Internet has grown exponentially, not to mention the data usage we have when plugged in to the net. More devices mean more occurrences of net usage. More net usage means a wider variety of data transfer and traffic. More data traffic means more openings for risk factors that may lead to higher risk in cybersecurity.

What is alarming is when we think about how much of that number is criminal traffic and how much of that is checking your defenses. We want to advance to a new level by increasing capabilities, but we may be overlooking that more capabilities mean more chances of risk. In many cases, we don’t see where risk may come about, because we are focused on making it work or creating revenue. So do we see that the increase in possibilities and opportunities increases both technological capabilities and risk analysis complexity?

That is why developing a risk analysis process is important. It is not only a review of how much and what kind of Internet occurrences you have, but a check on the data load you use. Alongside this realization of data transfer, it is pertinent that you do optimal checks and create regular controls updates within your organization. Having an external risk auditor will help a lot in knowing how much more protection you need to uphold or how much risk oversight you need to work on. If you value the investment you have worked on, it always pays to also value its maintenance through cyber protection. Contact us to learn more.

From Vulnerability Found, To Patched Safe

While we are preparing for the holidays and the New Year, be it Christmas, Hanukkah or otherwise, the hackers are also busy prepping for their busiest time of the year. Although the holidays are a season to be jolly, that is not a reason to slack off in keeping up with your Cyber Security.

The following image shows a potential timeline of when a vulnerability is found, disclosed to the public, anti-virus software rewritten, patch released, and patch installed.

Notice there are a number of days with no defense on your machines, and that is why a patch that is released should be installed soon.

Why do we say that hackers are also busy? Because when people tend to lower their guard, thinking that everyone is busy with the flow of the season, that is also the time that our Cyber protection becomes lenient and weak. When the defense lessens, the attacker works harder to find these weaknesses, and then it snowballs.

The reason for the easy attacks by the criminal hackers is that we become complacent and do not patch vulnerabilities when we should, and as you can see the vulnerability has been known by the wily attackers for some time… which makes time your enemy.

Ever seen a honeybee hive? The bees defend their hives vigorously, regardless of the time of day or season of the year. They attack-to-defend, to secure the hive at the slightest sense of a perceived threat. That is how optimal your Cyber defense should work. That is how wide your Cyber security should be manifested. It should cover all impact levels and all angles whether the threat may be old or new, small or huge.

Just like the bees, to keep your system up to date in “sensing perceived threats”, regular sweeps and periodic reinforcement of defenses must be done by updating your system patches. Before running any computer patches on your system, it is always a good decision to perform a system backup at a certain point. This is so you are able to restore your systems to their most recent state should the patch go bad in the middle of its installation. Keep in mind that a patch is a fix to system vulnerabilities (that have been out for months), and it is only now that a fix has been created. Although it took time to create the patch, it is still imperative that the patch be run to ensure that probable threats to your system are reduced if not totally eradicated, and for your computer to work properly, improving its performance and usability.


Question is, how do you know which patch to run? This depends on the probable risks you are able to determine, based on the major threats and concerns you have cited. To illustrate in a process map, think of it this way:

  1. Determine the major threats to your working system. Major threats are external forces that you have no control over and that may interrupt or invade your secure cyber space. These may include:
       1. Unauthorized access
       2. Insider threat
       3. Data loss due to external sharing
       4. Insecure interfaces
       5. Fraud / Hijacked accounts
  2. Next, determine the major concerns that you need to work on to defend your system against the major threats. Major concerns are the areas that cover the major threats and that you have the capacity to control. Examples are:
       1. Data Loss / Leakage
       2. Privacy and confidentiality of information
       3. Legal and regulatory compliance
       4. Compromised security
  3. Identify the impact of the threats and the likelihood that they will occur, affecting your major concerns. This depends on your usage of the system. These are the magnitudes of the identified risks that you need to work on. Remember the formula for risk analysis:

     Risk = Likelihood * Impact

     The higher the impact of the major threats, the higher the risk factor.
  4. Determine the controls and oversight that you need to work on, and improve/update your network processes to fix or to be ready to defend your systems aggressively. This is where necessary patching comes in.
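
As an added example (not part of the original post), the four steps above can be expressed as a small patch-prioritization script. The 1-5 scoring scale, the patch names, the dates and the scores are constructed assumptions; only the threat and concern labels and the formula Risk = Likelihood * Impact come from the text.

```python
from dataclasses import dataclass
from datetime import date

SCALE = range(1, 6)  # assumed 1-5 scoring scale; the post does not define one

@dataclass(frozen=True)
class PendingPatch:
    name: str          # constructed identifier, not a real product
    threat: str        # step 1: major threat the patch addresses
    concern: str       # step 2: major concern it protects
    likelihood: int    # step 3, scored 1-5
    impact: int        # step 3, scored 1-5
    disclosed: date    # vulnerability made public
    released: date     # patch made available

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: scores must be 1-5")

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact  # Risk = Likelihood * Impact

    def exposed_days(self, today: date) -> int:
        return (today - self.disclosed).days  # public but still unpatched

    def overdue_days(self, today: date) -> int:
        return (today - self.released).days   # fix exists, not installed

def prioritize(patches, today):
    """Step 4: highest risk first; ties go to the longest-overdue patch."""
    return sorted(patches, key=lambda p: (-p.risk, -p.overdue_days(today)))

# Constructed sample inventory (illustrative values only).
TODAY = date(2017, 12, 20)
PATCHES = [
    PendingPatch("hr-portal", "Fraud / Hijacked accounts",
                 "Legal and regulatory compliance", 2, 2, date(2017, 11, 20), date(2017, 12, 5)),
    PendingPatch("file-share-client", "Data loss due to external sharing",
                 "Data Loss / Leakage", 3, 4, date(2017, 11, 1), date(2017, 11, 20)),
    PendingPatch("pos-terminal-fw", "Unauthorized access",
                 "Compromised security", 4, 5, date(2017, 10, 2), date(2017, 11, 14)),
    PendingPatch("web-admin-panel", "Insecure interfaces",
                 "Privacy and confidentiality of information", 4, 3, date(2017, 9, 15), date(2017, 10, 10)),
]

if __name__ == "__main__":
    for p in prioritize(PATCHES, TODAY):
        print(f"{p.name:18} risk={p.risk:2} exposed={p.exposed_days(TODAY):3}d overdue={p.overdue_days(TODAY):3}d")
```

The exposed and overdue day counts correspond to the undefended window in the vulnerability timeline: the longer a released patch sits uninstalled, the higher it sorts among patches of equal risk.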

 

Since patching is a strenuous process (doing a backup, uninstalling all system instances, then patching), it is where most people slack off. You cannot expect not to be robbed if the gate of your house is closed but the front door is open. It may take a while to get used to checking for bug fixes, but vigilance is the key to reducing risks.


So if we patch less (due to holidays or otherwise) and we are not as vigilant as we should be amidst the season break, then … you can expect that Hackers are indeed getting busy.

Contact us this year or next to discuss your details.

Insider Threats: No1 Cybersecurity Problem

Not all insider threats are malicious in nature; some problems are just laziness, incompetence, not paying attention, or just plain mistakes. How does Murphy’s law for Cybersecurity work again?

Social engineering is when someone (usually an evil criminal hacker) tries to trick you by using your good intentions as you go about your business on an everyday basis.

What happened when evil hackers wanted to change Point of Sale credit card systems?

They were not turned away at Michaels and in fact were allowed to install their own credit card systems, since no one checked if that was sanctioned by corporate or otherwise (there was no process to check that), and sales associates go along with social engineering scams if they are well executed.

Then of course the evil hackers captured all credit cards as used by shoppers in that location.

Here are some uncomfortable insider threat truths:

  1. The average hacker stays hidden in the network for 140 days.
  2. 45% of IT personnel knowingly circumvented their own policies
  3. There has been a 29% increase in the total cost of data breaches since 2013
  4. 20% of organizations experience a BYOD (Bring Your Own Device) breach
  5. 78% of people aware of the risks of unknown links still click on them anyway
  6. 65% of professionals identified phishing and social engineering as the biggest security threat
  7. 70% of millennials admitted to bringing outside applications in violation of IT policies
  8. Trade secrets lost – Employee of company’s trusted business partner stole the information before accepting job from competitor
  9. Virtual machines data loss – closely guarded computer code can be exfiltrated using virtual machines, which are hard to detect.
  10. File sharing not secure (Dropbox and more), as employees abruptly quit their job and former employees retained cloud access

There are many more stories of businesses not double checking as they should…

When we do not double check, a single mistake can blow up into a serious mistake, and then it mushrooms from there.

The biggest problem with cyber attacks is that they are hard to find and attribute (find who did it and blame them / arrest them). That is why it takes so long to find an attack that was successful (140 days or more).

If you have not thought about this then it is high time to do it. Cyber attacks are becoming more sophisticated and can cripple your business by taking over key pieces of machinery. As we move into the new year (2018), if no thought has been put towards cybersecurity, then it is high time you did, because the solution is not very hard or that costly if you compare it to the loss to your reputation.

There are actions to be done to minimize risks.

An average Hacker stays hidden for so long you will not know what is happening until it is too late. Do you know how companies find out?  When the authorities contact the company and tell them the bad news.

There are many bad news scenarios:

Company trade secrets are lost to a competitor –

Employee of the company’s trusted business partner stole the information before accepting job from competitor.

File sharing not secure, as drop box or other programs can be abused by employees before they leave to other jobs.

There are more real-life scenarios cataloged in this YouTube video by SEI (Software Engineering Institute) Carnegie Mellon.

Although each person makes a decision of good vs evil, you have to help them make this decision a right one by setting the checks and balances within your company, and letting everyone know that there is a review of their actions. So if something does happen there is a paper trail, and it is not “lost”, which is always the evil thought (they won’t find me).

The key is to get your company up to speed as the bigger companies do (what are called enterprise companies – 1000 computers and larger).

Contact Us: as a CISA-certified person, we can help you with GRC (Governance, Risk, Compliance). When an enterprise company does things, it always leaves a trail so that a criminal, internal or external, can be found.