It’s Everyone’s Job to Ensure Online Safety at Work

This week’s NCSAM theme is ‘It’s Everyone’s Job to Ensure Online Safety at Work.’  Put simply, each of us has to take personal responsibility for our CyberPosture.  Why is this so critical, and why do smaller businesses in particular have to take extra precautions?  These organizations often have neither the budget nor the skills to implement defense in depth, and their employees may assume they are too small to be a target.  But as larger organizations become more likely to take proper precautions, the SME space becomes a ripe hunting ground.  Worse, a single major breach is far more likely to put a smaller company out of business, or to damage its reputation badly enough that recovery takes years.  In fact, 61% of SMEs experienced a cyberattack in 2017, but only 21% considered their ability to respond to be effective.

Over the last year, at Cavirin we’ve written plenty about ‘the enemy within’ and about the verticals most vulnerable to employee carelessness.  Have we made any progress?  Unfortunately, it looks as if we’re heading in the opposite direction.  A Ponemon study released this spring reports that the number of incidents per organization involving employee or contractor negligence has risen from 10.5 to 13.4 per year since 2016.

Overall, negligence, not malicious intent or outside hacking, was the cause of 64% of breaches, across every vertical, with financial, services, industrial, energy, and healthcare the top five.  Each resulting breach cost an average of $283K, for a total of $3.8M per organization.  The table below breaks this out in more detail.  But where it really gets interesting is the effect of how long it takes to identify and remediate the breach.

 

[Table: cost for security breaches]

If identified early, the total exposure is roughly two-thirds lower than for breaches that take three months or more to address.  How does one identify the breach quickly?  More on this in a bit.

 

[Table: cost for insider data breaches]

Note:  This table also includes malicious behavior and credential theft, for a median of $8.5M versus the $3.8M stated earlier, but the overall trend is the same.

How else might we be losing ground?  I hate to admit it, but my home state of California is one of the worst offenders.  Whether it is complacency or the fact that we are surrounded by so much tech, a recent study, also by Ponemon, ranks us the 6th worst state at -3.05 on its cyber hygiene index, our personal CyberPosture.  The folks in New Hampshire must be doing something right!

 

[Table: most secure states, least secure states]

More telling than a single number are the actions taken by those with ‘good’ cyber hygiene versus those without: backing up data, keeping software up to date, monitoring bank statements, and the other straightforward actions listed in the table below.

[Table: security best practices]

 

So what can you do to immediately improve your cybersecurity posture?  The table above applies equally well to individuals and to businesses.  Within the organization, one of the most fundamental tasks of IT is to ensure that laptops and servers are updated and backed up automatically, that disks are encrypted, that host firewalls are active, and that proper password hygiene is enforced.  Unfortunately, this is not always the case.  Employee training is often nebulous, but one action with an immediate impact is anti-phishing training.  Many IT departments also tag every email that originates outside the organization, so that a message claiming to come from a colleague but sent from an outside domain stands out at a glance.
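One concrete form of the external-mail tagging mentioned above, as an added example rather than code from the original post or from Cavirin: a small Python filter, of the kind a mail gateway or a mail-client rule could apply, that tags messages whose visible sender or envelope sender is outside the organization and additionally flags display names that impersonate an internal address, a common phishing trick. The domain example.com, the header names X-External-Sender and X-Sender-Lookalike, and the two sample messages are assumptions constructed for the demo.

```python
# Added example (not Cavirin's code): tag inbound mail that originates
# outside the organization and flag display names that impersonate an
# internal address. Assumes the organization owns example.com; the
# messages at the bottom are constructed samples, not real traffic.
import email
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # assumption: the org's own domains
TAG = "[EXTERNAL]"


def addr_domain(header_value):
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message) -> bool:
    """True unless both the visible From and the envelope sender are ours.

    Checking Return-Path as well means a forged internal From riding on an
    outside envelope is still tagged. A missing From yields an empty domain,
    which is treated as external.
    """
    domains = {addr_domain(msg.get("From"))}
    envelope = addr_domain(msg.get("Return-Path"))
    if envelope:                      # "<>" (bounce sender) has no domain
        domains.add(envelope)
    return not domains <= INTERNAL_DOMAINS


def lookalike_display_name(msg: Message) -> bool:
    """True when the display name contains one of our domains or an '@'
    while the real address is external, e.g.
    From: "helpdesk@example.com" <support@mail-example.co>"""
    name, addr = parseaddr(msg.get("From") or "")
    name = name.lower()
    real = addr.rpartition("@")[2].lower()
    spoofed = "@" in name or any(d in name for d in INTERNAL_DOMAINS)
    return spoofed and real not in INTERNAL_DOMAINS


def tag_message(raw: str) -> Message:
    """Parse a raw RFC 5322 message and, if external, prefix the subject
    once (idempotent) and add headers a client-side rule can match on."""
    msg = email.message_from_string(raw)
    if is_external(msg):
        subject = msg.get("Subject", "")
        if not subject.startswith(TAG):
            del msg["Subject"]        # no-op if the header is absent
            msg["Subject"] = f"{TAG} {subject}".rstrip()
        msg["X-External-Sender"] = "yes"
        if lookalike_display_name(msg):
            msg["X-Sender-Lookalike"] = "yes"
    return msg


# Constructed samples (not real traffic).
INTERNAL_MAIL = """\
From: Alice <alice@example.com>
Return-Path: <alice@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""

PHISH = """\
From: "helpdesk@example.com" <support@mail-example.co>
Return-Path: <bounce@mail-example.co>
To: bob@example.com
Subject: Password expires today

Reset it at http://mail-example.co/login before 5pm.
"""

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, PHISH):
        m = tag_message(raw)
        print(m["Subject"], "| lookalike:", m.get("X-Sender-Lookalike", "no"))
```

The Return-Path check matters because a forged internal From address on an outside envelope is exactly what a phishing kit sends; a gateway that only looks at From would let it through untagged. In practice this runs after SPF, DKIM and DMARC evaluation, which the example does not perform.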

One added area of risk is the employee’s BYOD iPhone or Android phone.  SMEs are less likely to deploy device management software, and that is a problem.  It takes just one employee, wanting to up-level their Fortnite cred, or tricked into installing a fake Google Play Store, to bypass Android’s protections and potentially compromise the entire organization.  Without any controls in place, these threats are incredibly hard to track, until it is too late.

Last but not least, how do we ensure quicker discovery of any breach, with the goal of minimizing damage?  Given the data on the escalating cost of a breach the longer it goes uncorrected, and the need to identify a BYOD threat in less than a Fortnite, one answer is to deploy a platform that continually assesses the organization’s CyberPosture.  This covers the SME’s own servers, if it has any, whether on-prem or in the cloud, as well as the configuration of its cloud provider accounts.  Cavirin’s CyberPosture Intelligence provides just such a solution, not only for SMEs but for enterprises and MSSPs of all sizes.

 

Additional resources:

StaySafeOnline (NCSA)

Cybersecurity Resources Road Map (CERT)

Cybersecurity for Startups (CERT)

Welcome to NCSAM Week 2, “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity.”  This particular topic is close to home, as I have two daughters in high school who will be shortly deciding what majors to study, and whether cybersecurity is of interest.

Although at Cavirin we place a lot of confidence in our cloud security automation, we still need skilled security personnel to plan and operate the solution and to digest the resulting data.  That need, even with all the AI and ML in the world, won’t go away anytime soon.  In fact, many are predicting millions of unfilled security jobs in the coming years, and the recently published National Cyber Strategy calls out ‘Develop a Superior Cybersecurity Workforce’ as a strategic national security advantage.  It is this century’s equivalent of the ‘missile gap’ of the early Cold War, a gap that spurred interest in engineering.

But what the engineers of the previous generation accomplished in the physical space must now translate, with the same focus and creativity, into the virtual space.  And the ‘physical’ toys, the wagons and Lincoln Logs, that kids of that time knew best are in many cases supplanted by virtual ones: smartphone applications and video games.  I won’t comment on whether this is good or bad, but it does attune Generation Z, the post-millennials, to quick response and multi-tasking, skills valuable in cybersecurity.  So what is the best path forward?

The National Initiative for Cybersecurity Education (NICE) is one framework, depicted below.  NICE supports policies that encourage hiring, developing, and retaining a skilled workforce for both the private and public sectors.  But we have a long way to go, as evidenced by the number of unfilled jobs at CyberSeek.  I doubt the average elementary or even middle-school teacher has ever heard of NICE, and it is hard enough to encourage girls to consider STEM at all.  There are really three timelines in play: the immediate need; the near term, which the universities can address; and the longer term, when the next generation comes into its own.

For those already in the workforce, we all know that continual retraining and re-education is critical to career growth.  Consider mainframe specialists who then became comfortable with minicomputers, and later still, PCs.  Corporations must make it financially appealing for those wishing to make a change, including covering the cost of advanced degrees if deemed to offer a competitive advantage (which they should).

For those not yet in the workforce, higher education institutions must double down on practical cybersecurity programs, scholarships, and internships within the industry: programs that focus on identifying and resolving breaches under the pressure of an operational environment.  Universities should elevate cybersecurity to a major discipline, on par with Civil, Electrical, and Mechanical engineering.  Some have already gone down this path, but most have not.  The real question, though, is how to get students interested as early as high school.

A few electives cover the Internet, but over the last decades the core curriculum has not really changed from English, math, science, and history.  Maybe it is time for a change toward the more practical aspects of survival in the 21st century, with cyber as one module.  In parallel, for those so inclined, the nationwide GenCyber camps for grades 10 and above are a great opportunity, covering topics as diverse as risk assessment and threat detection, forensics and incident response, network security, and of course an introduction to cryptography.

The next generation is where we can make a real difference.  What does it take to get the average 10-year-old interested in math or science, or for that matter security, in a way that removes the ‘nerdy’ connotations, as we’ve seen with robotics and space?  The fact is, there are a lot of resources already available.  Some good links include:

https://nicerc.org/student/

https://nicerc.org/curricula/requestcurriculum/

http://uscyberpatriot.org/Pages/About/What-is-CyberPatriot.aspx

And, from the recent Wired article by Geetha Murali, CEO of Room to Read, a few recommended books to get started in the right direction:

  • Lab Girl, by Hope Jahren
  • Brazen: Rebel Ladies Who Rocked the World, by Penelope Bagieu
  • Headstrong: 52 Women Who Changed Science and the World, by Rachel Swaby
  • The Evolution of Calpurnia Tate, by Jacqueline Kelly
  • Girls Think of Everything: Stories of Ingenious Inventions by Women, by Catherine Thimmesh
  • Good Night Stories for Rebel Girls, by Elena Favilli and Francesca Cavallo

Across all age groups, a set of core skills has been identified as markers for success in the field:

  • Problem-solving
  • Verbal and written communications
  • Data Analysis
  • System and project management
  • Team building and leadership
  • Software programming

15th Annual Cybersecurity Month Kicks Off

Welcome to National Cybersecurity Awareness Month, or NCSAM for short.  Now in its 15th year, the goal is to have each of us do our part in protecting our most critical assets--be it a nuclear power plant or a photo of Niko the pup on Instagram--how can we protect what's important to us? 

The National Cyber Security Alliance has put together weekly themes; the first is home security: what you need to do, both as the ‘home admin’ and in communicating security hygiene to your family, to establish and maintain your home ‘CyberPosture.’  We’ve prepared an infographic that summarizes the top tips for strengthening your home’s cybersecurity posture along the way.

Week 1:  Make Your Home a Haven for Online Safety  

Every day, parents and caregivers teach kids basic safety practices, like looking both ways before crossing the street and holding an adult’s hand in a crowded place.  Easy-to-learn life lessons for online safety and privacy begin with parents leading the way.  Learning good cybersecurity practices can also help set a strong foundation for a career in the industry.  With family members using the internet to engage in social media, adjust the home thermostat, or shop for the latest connected toy, it is vital to make certain that the entire household, including children, learns to use the internet safely and responsibly, and that home networks and mobile devices are secure.  Week 1 will underscore basic cybersecurity essentials the entire family can deploy to protect their homes against cyber threats.

NCSAM Week 1, by the numbers:

  • The number of smart homes in North America is expected to hit 73 million by 2021, making up more than 50% of all households.
  • Both parents and teens are concerned about online security, according to a 2017 NCSA survey. Among their top fears: someone accessing a teen’s account without permission (teens 41% vs. parents 41%); someone sharing a teen’s personal information about them online (teens 39% vs. parents 42%); and having a teen’s photo or video shared that they wanted private (teens 36% vs. parents 34%).
  • Additionally, 34% of teens indicate that they are the most knowledgeable person about cybersecurity in the family – followed by 24% who think dad is, and 18% who think mom is.

Other NCSAM Happenings

We will be participating in a couple of webinars this month.  The first, a CISO panel, “Best Practices for Cyber Hygiene,” is this Thursday at 9 AM PT.  Later this month, on Oct 24, our Chief Security Officer, Joe Kucic, will host a panel, “Protecting Our Critical Infrastructure Starts with NIST,” joined by guest CISOs.

For an inside look at the home attack surface, including potential entry points for attackers that you may not have thought of, check out the article “The ‘Too-Smart’ Home: Uninvited Guests” on the IoT Evolution web site.  So what are we doing about these threats?  California, just this week, took a major step forward as the first state in the nation (as usual) with an IoT cybersecurity law, which takes effect in January 2020 and mandates some common-sense security baselines for home routers and other Internet-connected devices, including that each device ship with a unique default password or require the user to set one on first use.

Don't forget to check out our NCSAM Champions page, where we post our favorite materials and events available by other NCSAM Champions. 

For all the latest regarding NCSAM follow and post on Twitter/Instagram using the hashtags #CyberAware and #CyberPosture


The Benefits of a Hybrid Cloud

Running different workloads on both public and private clouds, a hybrid cloud strategy, is increasingly popular with IT and CISOs.  In essence, it means not ‘putting all your eggs in one basket’, which is the surest way to invite risk and breaches to your data.

We got a glimpse of the fragility of the cloud last week when Microsoft Azure’s South Central US region was down for an extended period after a severe lightning storm knocked out cooling at the data center.

According to the TechTarget article, Azure Outage Spotlights Cloud Infrastructure Choices, “the surge hit the power cooling systems, and subsequent rising temperatures triggered automatic hardware shutdowns.  Nearly three dozen cloud services, as well as the Azure status page, bore the brunt of the storm.”  The article notes that “much of the problem lies in how Microsoft has built out its public cloud architecture, where most Azure regions are comprised of a single data center.”  More generally, workloads confined to a single data center are exposed to many kinds of failure.  To prevent a repeat, TechTarget’s James Montgomery writes, “Microsoft must also modify its software to accommodate a multi-availability-zone architecture.”

This Microsoft incident shows, once again, that a cloud-first strategy opens an organization up to service outages and downtime.  According to Cyence, a startup that models the economic impact of cyber risk, the four-hour AWS outage in 2017 cost S&P 500 companies approximately $150 million.  It’s sobering to think how much could be lost if a major cloud provider were offline for days.  Lloyd’s, the specialist insurance and reinsurance market, in partnership with the risk modeler AIR Worldwide, put out a report in January that calculated an “extreme” cyber incident, one that takes a top cloud provider offline in the US for three to six days, would result in industry losses of $15 billion.

[Figure: Azure outage, AWS downtime]

A hybrid cloud infrastructure gives organizations more control over their critical workloads, which could mean everything if a cloud provider is unfortunate enough to be pushed offline for hours or days.  Check out our eBook, The Enterprise Journey to the Hybrid Cloud, which walks you through the steps required to build a world-class hybrid cloud infrastructure, from setting goals and developing consensus to building and deploying secure hybrid workloads.

Looking ahead to this fall’s elections, I won’t dwell on the ‘who’, be it Russia, China, North Korea, or someone closer to home, but some entity, somewhere, will ‘meddle’, and the best we can do is minimize the impact.

We’ve read that the Russians have moved beyond simple (ok, not so simple) vote tampering, and that social networks are old hat.  So what can we control?

The very integrity of the data: an assurance that what is stored within the enterprise or in the cloud is unaltered and has not been tampered with.  This is where cloud security comes into play.

Over the past few years we’ve witnessed far too many instances of data stored in the cloud being compromised, including marketing data, political party data, and health records.  With the rush to the cloud, pressure from our CFOs, and a bit of groupthink, we’ve become sloppy.  The precautions we take in our on-premises data centers, internal and external access controls, encryption, and even record keeping, some of us have forgotten, with consequences that shouldn’t be a surprise.  But exposing the data across the internet is only the first salvo.  Attackers now have the tools to alter data at rest, and without proper integrity checks in place, the source of truth becomes elusive.  The solution is not difficult and doesn’t require a string of esoteric certifications, just common sense.
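One such ‘proper check’ for data at rest, as an added example and not anything from the original post or from Cavirin’s product: a keyed manifest over the stored objects. A plain list of hashes stored beside the data does not help when the attacker has write access to the bucket, because they can rewrite both the object and its hash; an HMAC under a key held outside that storage (a KMS or HSM in practice) makes the manifest itself tamper-evident. The object names, contents, and the key below are assumptions constructed for the demo.

```python
# Added example (not Cavirin's code): detect tampering of data at rest with a
# keyed manifest. Object names, contents and the key are constructed for the
# demo; in production the key lives in a KMS/HSM, never in the same storage
# as the data or the manifest.
import hashlib
import hmac
import json

MANIFEST_KEY = b"demo-key-kept-outside-the-bucket"   # assumption, demo only


def object_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Deterministic encoding so the MAC covers exactly the same bytes on
    # both sides regardless of dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(objects: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Map each object name to its SHA-256 and MAC the whole map.

    Unkeyed hashes stored next to the data are useless against an attacker
    with write access: they rewrite the object and the hash. The HMAC binds
    the list to a key that lives elsewhere.
    """
    entries = {name: object_digest(data) for name, data in objects.items()}
    return {"entries": entries,
            "mac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def verify(objects: dict, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Report whether the manifest is authentic and which objects drifted."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        # The manifest itself was altered or forged; its entries are untrusted.
        return {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    entries = manifest["entries"]
    return {
        "manifest_ok": True,
        "modified": sorted(n for n, d in entries.items()
                           if n in objects
                           and not hmac.compare_digest(object_digest(objects[n]), d)),
        "missing": sorted(n for n in entries if n not in objects),
        "unexpected": sorted(n for n in objects if n not in entries),
    }


# Constructed sample "bucket": a few voter-roll style records.
BASELINE = {
    "precinct-12.csv": b"id,name,status\n1001,A. Voter,active\n1002,B. Voter,active\n",
    "precinct-13.csv": b"id,name,status\n2001,C. Voter,active\n",
}


def demo() -> dict:
    """Exercise the cases a practitioner cares about."""
    manifest = build_manifest(BASELINE)

    # 1. Quiet edit of one object: caught as 'modified'.
    edited = dict(BASELINE)
    edited["precinct-12.csv"] = BASELINE["precinct-12.csv"].replace(
        b"1002,B. Voter,active", b"1002,B. Voter,purged")

    # 2. Attacker edits the object AND rewrites its hash in the manifest,
    #    but cannot recompute the MAC without the key.
    forged = json.loads(json.dumps(manifest))
    forged["entries"]["precinct-12.csv"] = object_digest(edited["precinct-12.csv"])

    # 3. An object deleted and a stray object planted.
    churned = {"precinct-13.csv": BASELINE["precinct-13.csv"], "notes.txt": b"hi"}

    return {
        "clean": verify(BASELINE, manifest),
        "edited": verify(edited, manifest),
        "forged": verify(edited, forged),
        "churned": verify(churned, manifest),
    }


if __name__ == "__main__":
    for case, report in demo().items():
        print(f"{case:8s} {report}")
```

Build the manifest at write time from the system of record, keep the manifest and its key in separate places from the data, and run the verification on a schedule from a host that is not the storage account. A result of manifest_ok False means the integrity record itself is untrustworthy, so the data has to be re-sourced rather than merely compared.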

The public cloud providers offer a number of services designed to monitor your accounts, your controls, services, and applications, and to notify you if something is amiss.  In parallel, software vendors like Cavirin offer security tools that pick up where the cloud provider leaves off.  Cavirin provides real-time visibility and remediation across hybrid infrastructures so that governments can identify gaps in their defenses and take immediate action against the threats they face.

As part of any move to the cloud, understand your exposure and the tools available, both from the CSP and from third parties, to mitigate it.  Put a plan in place and execute it before moving any critical workloads or data to AWS, Azure, Google Cloud, or any other provider.  With November approaching, this should serve as a call to action.

In the same way that GDPR forced the privacy issue, and even in the US had a positive impact such as the CCPA in my home state of California, we can take it upon ourselves to make sure our clouds are in order, secure and free from tampering.  We’re 90 days out, so put a plan in place!


© 2018 Cavirin Systems, Inc. All rights reserved.