Get My Score

Trending in Security

Smart City Security - NIST CSF

Our Rush to Automate Our Cites 

In “The ‘Too-Smart’ Home – Uninvited Guests,” I look at unintentional threats due to insecure internet-connected devices. Do we face some of the same issues with our rush to automate our smart cities, where spending is expected to grow from $80 billion in 2018 to over $158 billion by 2021? As reported numerous times over the past year, the answer is a resounding yes, with Industrial Internet of Things (IIoT) devices harboring an unknown number of vulnerabilities. The New York Times even recently reported on the potential threat, citing that cities, in the rush to publicize their ‘smart creds’, many times don’t understand the privacy, security, and financial implications of their deployments. These deployments are many times proposed by technology vendors, not always taking into account the readiness of the city to properly manage them. However, not all is lost!

Smart City threats - NIST CSF 

Attack Vectors

As with the home, it is not only the infrastructure that may be compromised, but the data gathered as well.  But in contrast with the home, both outcomes may be much more damaging, if not fatal.  One good measure of potential vulnerabilities is to map a typical smart city to the 16 DHS critical infrastructure sectors




Relevant areas of concern include communications, emergency services, government, and commercial facilities, information technology, transportation systems, water and wastewater, and in many cases, energy, healthcare, and dams. Instead of each of these separately managed and secured, under a smart city initiative, one or more may very well be under the control of a single, interconnected operations platform, where a single breach may impact multiple sectors simultaneously.  Highlighting concerns, a recent ISACA survey identified energy, communications, and transportation as the three sectors (71%/70%/64%) that will benefit most from a smart cities initiative but are also the most susceptible to breach.

Attacks can come from multiple sources, including malware/ransomware as well as denial of service, with both nation-states (67%) and hacktivists (63%) likely culprits.  And, with more smart infrastructures in place, hackers have a larger attack surface, with pre-existing vulnerabilities more likely to be found and exploited.  Research from Threatcare and IBM X-Force Red, lends credence to this, having uncovered multiple zero-day vulnerabilities across different IIoT vendors. Security gaps identified include the use of default passwords, authentication bypass flaws, SQL injection vulnerabilities, and even open ports where control is possible from across the internet.  And the threat has only increased, with a recent Gemalto study finding that almost half of all businesses can’t detect if an IoT device has been breached.  There are even websites such as Censys and Shodan (among others) that make an attempt at tracking IoT devices.  And, more sophisticated attacks could take place against RF-controlled devices that may find their way into smart city architectures.  For example, Trend Micro recently identified security gaps in many commercial products, vulnerable from hardware-based rogue RF controller man-in-the-middle attacks.


The Threat Landscape

Moving from the general to the more specific, what are the types of IIoT devices one may encounter, and what specific actions are most effective and that one or more of the sectors described earlier?


Function / Use






Structural monitoring

Monitoring of vibrations and material conditions in buildings, bridges and historical monuments.


Noise monitoring

Sound monitoring in bar areas and centric zones in real time.





Smart roads

Intelligent Highways with warning messages and diversions according to climate conditions and unexpected events like accidents or traffic jams.


Smart lighting

Intelligent and weather adaptive lighting in street lights.


Smart parking

Monitoring of parking spaces available in the city.


Traffic congestion

Monitoring of vehicles and pedestrian levels to optimize driving and walking routes.





Forest fire detection

Monitoring of combustion gases and preemptive fire conditions to define alert zones.


Air pollution monitoring

Control of CO2 emissions of factories, pollution emitted by cars and toxic gases generated in farms.


Snow level monitoring

Snow level measurement to know in real time the quality of ski tracks and allow security corps avalanche prevention.


Landslide and avalanche protection

Monitoring of soil moisture, vibrations and earth density to detect dangerous patterns in land conditions.


Earthquake early detection

Distributed control in specific places of tremors.


Perimeter access control and geofencing

Access and communications control to restricted areas and detection of people in non-authorized areas.


Liquid presence monitoring

Liquid detection in data centers, warehouses and sensitive building grounds to prevent breakdowns and corrosion.


Radiation levels

Distributed measurement of radiation levels in nuclear power stations surroundings to generate leakage alerts.


Explosive and hazardous gases

Detection of gas levels and leakages in industrial environments, surroundings of chemical factories and inside mines.


Crime noise monitoring

Gunshot monitoring in real time.

 Water and Wastewater




Potable water monitoring

Monitor the quality of tap water in cities.


Chemical leakage detection

Detect leakages and wastes of factories in bodies of water.


Water leakages

Detection of liquid presence outside tanks and pressure variations along pipes.


River floods

Monitoring of water level variations in rivers, dams, and reservoirs.


Pollution levels

Control real-time leakages and wastes in bodies of water.


Water flow

Measurement of water pressure in water transportation systems.





Smart grid

Energy consumption monitoring and management.


Tank level monitoring

Monitoring of water, oil and gas levels in storage tanks and cisterns.


Photovoltaic installations

Monitoring and optimization of performance in solar energy plants.


High voltage line monitoring

Monitoring of line issues due to severe weather.

From Iibelium




Privacy, data, and identity theft

Authentication, encryption, and access control

Electric car charging stations,

Device hijacking

Device identification and access control, security lifecycle management

Traffic lights, robotics

Permanent and Application Level Denial of Service

Authentication, encryption, access control, application level DDoS protection, security monitoring, and analysis

Electric grids, monitoring systems

Man-in-the-middle attacks

Authentication and encryption, security lifecycle management

Water supply

From:  Rambus



One way to look at a solution is to first consider a set of universal security hygiene actions, and then look at specific requirements sector-by-sector.  An analysis by Microsoft looked at the properties of highly secure devices, and came up with the following recommendations:


Examples and Questions to Prove the Property

Hardware-based Root of Trust

Unforgeable cryptographic keys generated and protected by hardware. Physical countermeasures resist side-channel attacks.

Does the device have a unique, unforgeable identity that is inseparable from the hardware?

Small Trusted Computing Base

Private keys stored in a hardware-protected vault, inaccessible to software. Division of software into self-protecting layers.

Is most of the device’s software outside the device’s trusted computing base?

Defense in Depth

Multiple mitigations applied against each threat. Countermeasures mitigate the consequences of a successful attack on any one vector.

Is the device still protected if the security of one layer of device software is breached?


Hardware-enforced barriers between software components prevent a breach in one from propagating to others.

Does a failure in one component of the device require a reboot of the entire device to return to operation?

Certificate-based Authentication

Signed certificate, proven by unforgeable cryptographic key, proves the device identity and authenticity.

Does the device use certificates instead of passwords for authentication?

Renewable Security

Renewal brings the device forward to a secure state and revokes compromised assets for known vulnerabilities or security breaches.

Is the device’s software updated automatically?

Failure Reporting

A software failure, such as a buffer overrun induced by an attacker probing security, is reported to a cloud-based failure analysis system.

Does the device report failures to its manufacturer?

From: Microsoft Research, The Seven Properties of Highly Secure Devices


IBM’s recommendations, based on the identified vulnerabilities described earlier, and more focused on software and processes, include: 

  • Implementing IP address restrictions for who can connect to the smart city devices, especially if networks rely on the public internet.
  • Leveraging basic application scanning tools that can help identify vulnerabilities.
  • Using strong network security rules to prevent access to sensitive systems, as well as safer password practices.
  • Disabling unnecessary remote administration features and ports.
  • Taking advantage of security incident and event management tools to scan network activity and identify suspicious internet traffic.
  • Hiring ethical hackers to test systems, such as IBM X-Force Red. These teams are trained to “think like a hacker” and find flaws in systems before the bad guys do.

From:  IBM, The Dangers of Smart City Hacking

And remember that these recommendations also apply to 3rd parties, an environment known to be especially vulnerable, and one where a breach may lead to disastrous consequences in the context of a smart city.  

In essence, develop a comprehensive architecture for proposed smart city services and applications, planning head vs creating a bolt-on architecture where every new sector becomes an exception or custom integration.  This planning is also critical in defining a least-privilege architecture where only those systems that must communicate with one another are actually able to do so.  Sure, a single screen depicting power, water, and roadways may look good and not disappoint Hollywood, but this may not be the most secure implementation. As with enterprises, leverage best practices such as the NIST-CSF, CIS, SOC2, and others, as a baseline to evaluate one’s security posture. 

To draw an analogy from the public cloud, the cities and their vendors share responsibility for the secure deployment, operation, and updates of any hardware and software deployed.  And, as opposed to deployments where detailed lifecycle security plan may be a ‘nice-to-have,’ here it is critical.  This is doubly true for devices whose data is made available to the public-at-large, such as the City of Santa Clara, CA traffic cameras.  In support of this, the government will step in to push the industry along, as with California’s recent IoT legislation.  Though only a beginning and not by any means comprehensive, it does imply that IIoT security has gained awareness.


Divergent Views – The East and the West

 Are there different priorities and approaches between smart city deployments in London and Shanghai, for example?  The answer is yes.  Though much of the technology will be the same, approaches to individual privacy differ.  There is less reluctance to gather PII from multiple sources and then correlate it, and many of the views track debates concerning just how to open the internet should be and to what data citizens should have access.  Already, many deployments include facial recognition to target individuals, and these use cases are spreading to the US.  On the positive side, there is probably a greater emphasis on centrally planning and securing any deployment.


The Future

As I noted earlier, there is still time to properly secure the IIoT with many of the suggestions listed above.  Looking to the future, a few initiatives are in play to better secure the various devices deployed.  As an example, the major public cloud providers, with their interests in the IoT space, have proposed and deployed architectures to better secure their services and devices.  Examples include Google’s Titan, Microsoft Azure Sphere/Pluton, and AWS’s IoT Device Defender.   One would hope that the various players reach consensus on a single, interoperable approach, but in any case, it will take years for these more secure devices to be deployed, and existing devices will still present vulnerabilities.

Check out our Leveraging NIST CSF Playbook, for more information on securing our critical infrastructure. 

HHS Releases Voluntary Cybersecurity Practices for Health Industry

Voluntary Cybersecurity Practices for the Healthcare Industry

Just after the new year, the US Dept of Health and Human Services (HHS) released updated guidance to help healthcare organizations protect themselves against a cyber attack.  This guidance is not only timely, but essential given the continued escalation of attacks against healthcare environments--attacks that are becoming more complex, including DDoS, ransomware, and those against connected devices.   As they say, thieves go where the money is, and the typical healthcare record is worth $100 , 10x more than those across other verticals such as financial records.   The cost of a breach is just as impactful, with a loss of over $400 per record compromised.


     healthcare data breach cost 2018

 Organizations of all sizes, but especially smaller ones that may not have deep IT expertise, will, therefore, benefit from this guidance. 

The overall intent of the guidance is a:

  • Cost-effectively reduce cybersecurity risks for a range of health care organizations;
  • Support the voluntary adoption and implementation of its recommendations; and
  • Ensure, on an ongoing basis that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

Note that these are great goals for any vertical!

Resulting from the 2015 Cybersecurity Act (CSA), the guidance, Health Industry Cybersecurity Practices:  Managing Threats and Protecting Patients, aligns closely with the NIST CSF, a set of best practices that Cavirin embraces and supports.  The five threats explored in this document are as follows:

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

The two technical HHS volumes, Cybersecurity Practices for Medium and Large Health Care Organizations, and Cybersecurity Practices for Small Health Care Organizations go into much greater detail and the 
Managing Threats and Protecting Patients Resource and Template document maps the best practices to specific NIST identifiers.  

Best practices for threat mitigation fall into ten areas:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies
 NIST CSF for Healthcare

Check out the Cavirin NIST CSF Playbook, where we outline the mapping between the NIST CSF and healthcare-specific standards and best practices such as HIPAA and IEC/TR 80001-2-2 similar to what the HSS recommends here.  
Cavirin's healthcare solution supports the NIST CSF, HIPAA technical controls as well as the AWS HIPAA Quickstart, and the ability to customize frameworks based on specific business requirements including the CIA (Criticality, Impact, Availability) for specific controls so that healthcare organizations can automate compliance to achieve and maintain their golden cybersecurity posture just as Pacific Dental Services, Cepheid, and a large national healthcare partner have done.



2019 Cloud Security Predictions

Plus Other Cloud Security Predictions for 2019

Well, 2018 is almost behind us, (sigh!) and we see 2019 as a watershed moment in hybrid and multi-cloud adoption. Organizations, maybe yours included, are increasingly comfortable in running critical workloads across multiple environments as long as they can maintain visibility and control. And, the major public cloud providers have embraced hybrid deployments with products that streamline adoption, such as Microsoft’s Azure Stack and the just-announced AWS Outposts. But we still have a long way to go. For example, how do you best secure these more complex deployments?

At Cavirin, we’ve supported and embraced the hybrid cloud from our earliest days. We offer security monitoring and remediation via CloudTrail and Lambda Functions for AWS, as well as the equivalent StackDriver and Functions on Google Cloud. The same capabilities are shortly coming to Azure. Across all three clouds, CIS hardening and network policy checks are available today. Increasingly, the public cloud providers are combining their own security offerings with those of their cloud partners, offering their customers better control. We recently announced Google Cloud Security Command Center integration--a good example of this trend.

Not to ignore the workloads, remember once again that under the cloud provider shared responsibility model, AWS, Azure, and Google Cloud secure the services they offer ‘in the cloud,’ but the customer takes over for their ‘on the cloud’ applications and data. Our new Ansible Playbooks, in combination with our continuous assessment, permits the operator to first create ‘golden images’ based on their risk profile, and then track any deployments for drift and immediately invoke corrective actions if required.

So, what are some specific predictions for 2019? Here’s a selection from our input to various publications:

  • Cloud 2.0: Security, especially across multi-cloud and in combination with on-premise, will continue to be top of mind. Additional awareness of both insider and external threats will be combined with effective tools that balance protection and usability. More CISOs will peer with CIOs as opposed to reporting to them. Further, mainstream enterprises will look beyond just getting their apps to work in the cloud. They will move to the next phase of optimizing performance, manageability, and security as part of a true multi-cloud deployment, where they have critical workloads both on-premise as well as within one or more public clouds. Smaller enterprises, with an awareness of cloud risks, will deploy third-party cloud security software.
  • Mind the Gap: Too often, SecOps or SIEM tools report on issues, but follow-up by DevOps is delayed. For security, this can result in major risks. We’ll see a wider deployment of tools that close the loop from this monitoring to change management, helping to automate many processes that require manual intervention. An example could be monitoring one’s hybrid infrastructure for change in security posture, automatically triggering Ansible Playbooks to correct to the known good baseline.
  • DevSecOps Becomes Real: On the back of DevOps and SecOps, many now understand the concept behind DevSecOps. But, that has happened, is that this is still pushback on how to best automate checks, and how to protect against potential job loss. This is solvable with some of the new approaches on the market, and through past technology and role transitions, job loss was never as high as anticipated.
  • Elevating the Importance of Cybersecurity: Business executives will embrace cybersecurity as a primary business responsibility, and not simply a technology issue. This will be combined with new state and potentially federal laws that improve privacy and reduce exposure. These shifts parallel trends internal to the organization, where technologies are increasingly vendor-managed and IT moves to the business units. The overall move to the cloud is only one example of this. Conversely, cyber and information security, due to importance, will transition from a technology function to a legal function.
  • ML and AI Reality Check: No set of predictions would be complete without homage to AI. There is no shortage of investment in this space, and startups with novel ideas. The goal will be to better understand how these technologies solve well-understood problems, how they integrate with existing workflows, and most importantly, how they remove risk. This all can’t happen soon, given that the hackers, especially those state-sponsored, are deploying many of the same tools. As noted in BlackHat this past summer, 2019 is the year that the industry must go back on the offensive.


Check out our News page for links to all the articles our leaders were featured in during 2018. 

voting vulnerabilities

Regardless of Potential Vulnerabilities - We Must Vote

With less than six days until one of the most important elections in recent history, coverage of potential vulnerabilities has never been greater.  Compared to 2016, the typical voter is more aware of any threats, and probably more scared.  There is a concern that people will just stay home, thinking that their vote will be compromised, as captured in a recent Pew Research Center Survey

mid-term election vulnerabilities

Given that the vote is fundamental to our democracy, this isn’t good. But, as the New York Times summed it up, even though or voting process is vulnerable and outsiders are looking to sow pervasive doubt over the integrity of American elections--the only chance we have is to vote. 

As we look back as early as a decade ago and confirmed just this last summer at DefCon, researchers identified vulnerabilities in both the voting machines as well as state election infrastructures. During the lead-up to 2016, Russia actively probed for security gaps.  Given that elections fall under state jurisdiction, the potential attack surface varies widely depending upon whether paper records are maintained, the training of personnel, and the chain-of-custody of voting results.  Best practices are summarized here.  One alarming statistic is that, although states can take advantage of federal programs to vet their systems, less than half actually requested it as of the end of October.  This where the types of attacks have become much more sophisticated over the last two years.

However, there are other, indirect threats as well, over which individuals have more direct control.

Recently, McAfee published a good rundown on deficiencies in state election websites.  Here, the threat is not at the polling place, but beforehand, with an unsuspecting voter fooled into going to the incorrect polling location entering personal information.  The cat may already be out of the back regarding the latter threat, with security firms reporting that over 35 million voter records are now available on the dark web.   These types of threats, in terms of sheer numbers of voters impacted, can be more destructive than the small percentage of voting machines that may (or may not) be compromised. 

And, we’re increasingly aware of the potential impact of social networks in spreading disinformation.  Unlike 2016, the Facebooks and Twitters of the world have realized their roles, both positive and negative, and are attempting to put the necessary checks in place.  But they will be hard-pressed to stay a step ahead of the hackers.

Hopefully, with additional focus, federal dollars, and press overwatch, Nov 6th won’t present any issues.  And even if we run into some concerns, the strength of our overall voting democracy will prevail, as long as we continue to believe, stay resilient, and vote.

For voter registration and other critical infrastructure officials looking to protect future cybersecurity threats check out the Cavirin Playbook, "Leveraging NIST CSF".




cybersecurity utilities

 Cybersecurity for Our Critical Infrastructure - Utilities - Thoughts of a CSO

The Utilities sector has been well positioned for several years as a Critical Infrastructure based on Federal Energy Regulatory Commission (FERC) requirements to adhere to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) guidelines and Cybersecurity Risk Management Process guidance.  In the past, the challenge has been that Corporate Information Technology was managed separately then Industrial Control Systems (ICS) which provided gaps for bad actors to exploit.  These days the challenge is expanding to end users with emerging "always-on" Internet-connected smart devices.  The challenges posed are both to the end-user consumer and to the overall power grid based on coordinated attack capabilities.  This is further complicated by most end-user consumer smart devices having all or some components manufactured outside the USA entering foreign made embedded chips that could be used against another nation, corporation, and/or individual with minimal effort.  This sector is the most important of all Critical Infrastructure industries as the other sectors need utilities to operate.

These types of threats have been proven and the genie is out of the bottle.  Stuxnet, a sophisticated computer worm that targets centrifuges used to produce the enriched uranium that powers nuclear weapons and reactors, is the prime example of this situation that was contained and tested in a controlled environment protected to a greater level than Utilities.  Direct action may be more difficult to execute but still, nation-state actors will find successful opportunities. 

The challenge for the Utilities sector is to establish detective controls that spot anomalies before they can be detected by a human.  The biggest threats will come from indirect sources (Vendors, Suppliers, Customers) in the future.  These channels will have weaknesses that cannot be addressed, and safe measures will need to be implemented with the expectation that those channels are compromised.  Visualization of your organizational CyberPosture at all levels will become the norm and monitored as closely as are Voltage range and Kilowatt usage.  When there is no defined boundary to keep bad actors out the shift is towards real-time monitoring.

Yes, all organizations are implementing best practices shift left for coding, DevSecOps, etc., but in many cases, the ability to consolidate the CyberPosture view in real-time has not yet been implemented.  The usage of data visualization is another dynamic tool that has been lagging, but I expect this to become the new security domain field that will attract a great deal of attention over the next 12 to 18 months.  The National Association of Corporate Directors, highlighted in their 2017 Cyber-Risk Oversight guidance, the need for this data visualization.  My previous work at Verizon on the Verizon Risk Report (VRR) combined the Verizon Data Breach Investigations Report (DBIR) with threat intelligence from Recorded Future and external risk vectors from BitSight, which provided a security industry foundational baseline for others to build from that created great visualization techniques.  Side Note: There was some data visualization introduced with the 2018 DBIR report on the website that reduced the report size which provided historical context of top threats over time.  The second level of the VRR started to include various elements of inside-out security sources (starting with End Point Detection and Protection leveraging Tanium and Cylance) and was expanding to culture and process elements at the third level.  There is more work to be done with many other security areas being incorporated.  In my recent discussions with a major telecommunications provider and a national bank,  the data visualization movement has started and will continue gaining momentum. 

Besides data visualization, I expect that all critical infrastructure industries will expand physical air gap separation of networks.  In some ways, we are returning to the 1990s.  Back in those days, I supported customers that had air gaps.  A French bank kept Internet computers off the corporate network; a major University kept Student and Financial systems on a separate network, and a major of military establishment used air gaps.  We have allowed technology gains to fool us into thinking that we are more secure when in fact those solutions increased the risk factors.  This happened for several reasons: product development cycles were sped out the door and there is a minimal financial risk of providing insecure software and hardware to most customers.   If you introduce an unsafe automotive vehicle then there are financial penalties that those manufacturers must pay for the people that are hurt and/or killed as a result.  When have you seen a technology company punished for releasing unsafe hardware and/or software?  Therefore Utilities, actually all critical infrastructures, need to design security architectures that expect security flaws to be built-in the solutions that they purchase and implement.

For more on this and protecting our critical infrastructure, check out our Webcast on October 24th, Protecting Our Critical Infrastructure Starts with NIST CSF.  If you cannot make it, no worries, register anyway and a link to the recording will be sent to you following the event.

aws outage

It’s Everyone’s Job to Ensure Online Safety at Work

This week’s NCSAM theme is ‘It’s Everyone’s Job to Ensure Online Safety at Work.”  Basically, it means that you need to take personal responsibility to ensure your CyberPosture.  Why is this so critical, and why do smaller businesses have to take additional precautions?  In many cases, these organizations have less of a budget or skillset to implement security-in-depth, and their employees may think that they are too small a target.  But, with larger organizations more apt to take proper precautions, the SME space becomes a ripe hunting ground.  The sad thing is that a single major breach is much more likely to put a smaller company out of business or tarnish their reputation to an extent that requires a long road to recovery.  In fact, 61% of SMEs experienced a cyberattack in 2017, but only 21% considered their ability to respond to be effective.

Over the last year, at Cavirin we’ve written plenty about ‘the enemy within’ as well as verticals that are the most vulnerable to employee carelessness.  Have we made any progress?  Unfortunately, it looks as if we’re heading in the opposite direction.  A Ponemon study released in the spring of this year states that the number of incidents per organization involving employee or contractor negligence has increased from 10.5 to 13.4 times per year since 2016. 

Overall, negligence, and not malicious intent or hacking, was the cause of 64% of breaches, impacting every vertical, with financial, services, industrial, energy, and healthcare the top five.  Each resulting breach cost an average of $283K, for a total of $3.8M per organization.  The table below breaks this out in additional detail.  But, where it really gets interesting is the impact of how long it takes to identify and remediate the breach.


cost for security breaches

If identified early, the total exposure is about 2/3 less than those that take three months or more to address.  How does one identify the breach quickly?  More on this in a bit!


cost for insider data breaches

Note:  This table includes malicious behavior and credential theft, for a median of $8.5M vs the $3.8M stated earlier, but the overall trend is the same.

How else might we be losing ground?   I hate to admit it, but my home state of California is one of the worst offenders.  I don’t know if it is complacency or the fact that we are surrounded by so much tech, but based on a recent study, also by Ponemon, we are the 6th worst state at -3.05 as it relates to our cyber hygiene, our personal CyberPosture.  The folks in New Hampshire must be doing something right!


most secure states, least secure states

More telling than just a number, are the actions taken by those with ‘good’ cyber hygiene, vs those without.  This includes backing up data, keeping software up to date, bank statement monitoring, and other obvious actions listed in the table below.

security best practices


So what can you do to immediately improve your cybersecurity posture?  The table above applies equally well to individuals as well as businesses.   Within the organization, one of the most fundamental tasks of IT is to ensure that laptops and servers are updated and backed-up automatically, encryption is in place, firewalls are active, and proper password hygiene is enforced.  Unfortunately, this is not always the case.  And, employee training is sometimes very nebulous, but one action that has an immediate impact is anti-phishing training.  Many IT departments also clearly identify any email from a source outside of the organization. 

One potential area of added threat is the employee with their BYOD iPhone or Android phone.  SMEs are less likely to implement device management software, and this presents a problem.  It just takes one employee, wanting to up-level their Fortnite creed, or tricked into downloading a fake Google Play Store, to bypass Android security and potentially compromise the entire organization.  Without any controls in place, these threats are incredibly hard to track…. until it is too late.

Last but not least, how do we ensure quicker discovery of any breach, with a goal of minimizing damage?  Looking back at the data on the escalating cost of a breach the longer it goes uncorrected, or how to identify a BYOD threat in less than a Fortnite, a solution is to deploy a platform to continually assess the organization’s CyberPosture.  This includes both servers, if the SME controls any, either on-prem or in the cloud, as well as that of their cloud provider.  Cavirin’s CyberPosture Intelligence provides just such as solution, not only for SMEs, but for enterprises and MSSPs of all sizes.


Additional resources:

StaySafeOnline (NCSA)

Cybersecurity Resources Road Map (CERT)

Cybersecurity for Startups (CERT)





© 2018 Cavirin Systems, Inc. All rights reserved.