Category: Uncategorized

  • The Shift in Corporate Cybersecurity Strategies

    During NCS Madison’s CIO & CISO Strategy Meeting in Boston, MA on April 23, 2019, my discussion group concluded that evolving cyber threats and regulations are triggering enhanced capabilities in enterprises and initial capability in start-ups and small businesses.

    DISCUSSION SUMMARY

    Digital Transformation has driven rapid change in how organizations develop, deliver, and manage their businesses. Technology has become the enabler for business value and the new target for crime. As a result, cybersecurity is now an agenda item in the boardrooms of organizations big and small. 

    At NCS Madison’s 2019 CIO & CISO Strategy Event in Boston, MA, fifteen cybersecurity leaders shared their cybersecurity strategies and explored trends. The organizations represented a mix of small- and large-scale enterprises operating in healthcare, banking, pharma, retail, manufacturing, and the public sector. The discussion included:

    1. Aligning the Cybersecurity Plan;
    2. Obtaining Actionable Intelligence;
    3. Developing Cybersecurity Practices;
    4. Cybersecurity Plan Validation and Reporting.

    Despite the diversity of the participants, all agreed to these takeaways:

    1. Established enterprises are increasingly adding secondary security frameworks to refine cybersecurity capabilities. Most enterprises are adding the CIS Critical Security Controls.
    2. Small and emerging organizations are rapidly adopting the NIST Cybersecurity Framework (CSF) to drive cybersecurity planning. 
    3. Emerging privacy regulations are clouding established frameworks for asset classification and control. Planning cybersecurity uniformly against these mandates is problematic at best. 
    4. New organizational approaches are evolving to ensure stakeholder involvement when setting front office vs. back office priorities. Departmental alignment is no longer sufficient. 
    5. The search for actionable intelligence continues. No common approach or methods surfaced in the discussion.
    6. Culture remains one of the biggest obstacles in cybersecurity capability, especially in the public sector.
    7. All are doing some form of ethical hacking to validate cybersecurity capabilities. 

    DISCUSSION COMMENTARY

    The starting point for cybersecurity planning is to identify the control objectives most appropriate for the inherent risks of the organization. Inherent risk is determined by the products and services the organization offers, the technology in use, and how its systems and third parties are connected.

    Stakeholders are key to the success of the cybersecurity plan. As businesses undergo digital transformation, key managers from the front office now come into play. One participant offered a three-domain approach for identifying stakeholders: 1) operational technology (IT, automation and planning), 2) cross technology (security systems and design), 3) commercialized technology (outward-facing products and services). All concurred that digital marketing is more important than ever, and that big data and business intelligence support this effort. 

    Tenable’s Trends in Security Framework Adoption Survey found that 84% of organizations align to at least one security framework, while 44% use more than one. Almost all of our group used at least one, and the majority used two. The survey also ranked the security frameworks in use: PCI DSS (47%), ISO 27xxx (35%), CIS Critical Security Controls (32%), and the NIST Framework for Improving Critical Infrastructure Cybersecurity (29%). The majority of our group used the NIST Framework.

    Rapid changes in laws and regulations are challenging cybersecurity planning. The group discussed Risk & Insurance’s Top 5 Privacy and Cyber Regulations and Why They Should Concern Risk Managers. Most have been focusing on GDPR and believe it is a lot of work but doable. The California Consumer Privacy Act (CCPA) is problematic due to non-standard definitions of personal information. Much like GDPR, New York’s Cybersecurity Regulation (23 NYCRR Part 500) is a lot of work but manageable.

    Much of cybersecurity capability hinges on the ability to obtain actionable intelligence. No uniform approach was offered by the group. Many are collecting vulnerability data in real time, analyzing it, and prioritizing next steps. Some position this as a subcomponent of a broader data analytics strategy. Others look at how users behave on the system and investigate anomalies. A few in the group use deception technologies to lure adversaries in and foil their reconnaissance efforts.

    The team discussed Ponemon Institute’s report Separating the Truths from the Myths in Cybersecurity, in which 84% of respondents were concerned that their cybersecurity practices were not keeping pace, 30% stated that a product cybersecurity program had yet to be established, and 63% reported that less than half of their IT assets are tested for vulnerabilities. One attendee working in state government in support of gaming technology raised her concern about culture: the biggest struggle is changing the human concept of what risk and security mean, and the context of digital transformation is foreign to many. Much of the group agreed that culture needs to move higher in the top 10 list. One suggested phishing-simulation campaigns to spread awareness, backed by continuous education. Another has started to embed the business in the IT governance model so that security becomes part of the culture.

    References:

    1. https://www.tenable.com/whitepapers/trends-in-security-framework-adoption
    2. https://riskandinsurance.com/top-5-cyber-security-regulations/
    3. https://www.ponemon.org/var/www/vhosts/www.ponemon.org/research/ponemon-library/security/separating-the-truths-from-the-myths-in-cybersecurity.html
  • Piracy or Privacy – Safe Harbor Ahead

    For over 50 years, privacy laws have called upon websites and applications to transparently state their policy for the collection, onward transfer, security, and access to sensitive personally identifiable information. Trustworthy organizations not only post their intent but also limit their collection and usage to what strictly supports and evolves the service. Many are questioning whether Facebook is trustworthy given its aggressive collection strategy, onward transfer to the highest bidder, and lack of controls, both in technology and in process. Ready to Cut the Cord on Facebook?

    NOTICE: Interestingly, clever observers saw the potential for abuse over 3 years ago, when the Messenger app was introduced and the extent of its data collection and device control was announced. If a tree falls in the woods, does it make a sound? 

    COLLECTION: Facebook did give notice of aggressive collection requirements. We cannot complain that they didn’t have the right to collect this information. The question remains, however, “did they honor the remaining privacy principles”?

    Well, as it turns out, the other privacy elements are not covered in the application-specific NOTICE which pops up at the time of install. The Facebook Messenger application instead has a Data Policy URL of https://m.facebook.com/privacy buried in the settings page. Let’s see what is covered and what isn’t.

    ONWARD TRANSFER: Facebook does not detail the third parties that have access to your personal information, nor does it define its process for ensuring those third parties have the necessary security when onward transfer is necessary. There is no mention of Global Science Research or Cambridge Analytica. How can the personal information of 50 million users disappear without a trace?

    ACCESS: Facebook does state what the application has access to, but not the extent of access their staff and authorized third parties have to the sensitive information being collected. Facebook also does not provide a means for users to access what is collected and correct any errors and omissions. 

    SECURITY: Facebook obfuscates its security responsibility to the users. After concerns have been raised, awareness material now details how to disable their default-open settings. IMO, you need to be a power user to apply the guidance and not break the app. One Facebook insider says that data harvesting was routine and controls were lax. The extent of misuse was up to the developer and Facebook had no visibility on how the data would be protected once it left Facebook’s servers.

    In conclusion, Facebook gets an “F” for implementing only a couple of the privacy principles and leaving users to defend themselves in this evolving wild, wild west. I sincerely doubt that Facebook can salvage its flawed technology platform or put enough process in place to restore our trust. Facebook needs more than a face lift. Where will my virtual family go next?

    References:

    1. https://www.huffingtonpost.com/sam-fiorella/the-insidiousness-of-face_b_4365645.html
    2. https://www.facebook.com/privacy/center/?entry_point=privacy_shortcuts_redirect
    3. https://www.theguardian.com/news/2018/mar/20/facebook-data-cambridge-analytica-sandy-parakilas?CMP=share_btn_url
  • Wild West of Cryptocurrency

    Criminals have ALWAYS Followed the Money…

    Financial transactions have always carried risk, both from criminals looking to steal the money at rest or in transit and from criminals committing fraud or money laundering. We’ve had counterfeit currency, fake checks, ATM card skimming, and the like. Why would we think that crime wouldn’t move to cryptocurrency?

    Few understand that consumers need assurances through trusted financial institutions with security-certified processes and technologies. An awakening is needed in the recently emerged cryptocurrency market. The value of your crypto coins depends upon it!

    Even with the historically trusted encryption methods of the past, safety in e-Business has always been a race against time. How long will it take to brute-force a cipher through an offline attack, and can it be done before the keys are rotated? How long will a given set of ciphers be considered strong, and when will they need replacing?

    Weren’t countermeasures for such concerns designed into end-to-end cryptocurrency transactions?

    In a recent review of cryptocurrency mining by Malwarebytes, we see that the Bitcoin network produces a new block roughly every 10 minutes: the difficulty of the hash puzzle is retargeted so that the miners’ combined hashing power keeps hitting that interval, and whoever solves the puzzle first collects the block reward. That reward is the gravy train, and criminals have found it easier to steal the hashing power than to attack the chain. Leave it to Coinhive to invent a browser-based miner and not keep it under control. Sophos researchers found Coinhive infestations in nineteen Android apps this past week (Computing). A zero-day flaw in Telegram’s Windows client, now patched, was also used to install a miner that pulled in Zcash and Monero (SecureList). Mining malware is now in the wild, hunting for any CPU it can hijack.
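    To make the “10 minutes” concrete, the following is an added example (not code from this page or from the Malwarebytes article) of the hash puzzle a miner solves and of the retargeting arithmetic that ties difficulty to block interval. It uses Bitcoin’s double SHA-256 over a header and a 32-bit nonce; the header bytes and the difficulty levels are constructed for the demonstration and are far below real network difficulty.

```python
import hashlib
import math
import struct
from typing import Optional, Tuple


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || little-endian 32-bit nonce (the Bitcoin construction)."""
    first = hashlib.sha256(header + struct.pack("<I", nonce)).digest()
    return hashlib.sha256(first).digest()


def target(difficulty_bits: int) -> int:
    """A hash is valid when, read as a 256-bit integer, it is below this target.
    Each extra difficulty bit halves the target and doubles the expected work."""
    return 1 << (256 - difficulty_bits)


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    return int.from_bytes(digest, "big") < target(difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32) -> Optional[Tuple[int, bytes]]:
    """What a miner does: brute-force the nonce space until a hash falls under target.
    Returns (nonce, digest), or None if the nonce space is exhausted."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """What every node does with a claimed block: a single hash, no search."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def expected_hashes(difficulty_bits: int) -> int:
    """Mean number of hashes to find a solution (geometric trial, success rate 2^-bits)."""
    return 2 ** difficulty_bits


def expected_seconds(difficulty_bits: int, hashes_per_second: float) -> float:
    """Mean time-to-block for a given hash rate; the miner's (and cryptojacker's) economics."""
    return expected_hashes(difficulty_bits) / hashes_per_second


def difficulty_for_interval(network_hashes_per_second: float, seconds: float) -> float:
    """The retargeting rule, in bits: the difficulty at which the whole network's
    hash rate needs about `seconds` per block (Bitcoin aims for 600 s)."""
    return math.log2(network_hashes_per_second * seconds)


if __name__ == "__main__":
    header = b"constructed-example-header"  # stand-in for a real 80-byte block header
    result = mine(header, 16)
    assert result is not None
    nonce, digest = result
    print(f"nonce {nonce} -> {digest.hex()} valid={verify(header, nonce, 16)}")
    # A lone phone at ~1 MH/s versus a network at ~1e20 H/s (assumed figures):
    print(f"{expected_seconds(16, 1e6):.3f} s per toy block at 1 MH/s")
    print(f"difficulty bits for a 600 s block at 1e20 H/s: {difficulty_for_interval(1e20, 600):.1f}")
```

    The asymmetry between `mine` (a search) and `verify` (one hash) is the whole point of proof of work: the network cannot be “broken” in 10 minutes, but a solver with stolen CPU time, whether a browser tab running Coinhive or a trojanized Telegram client, earns a share of every block in proportion to the hash rate it steals.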

    Cryptocurrency is not without its share of fraud. Look no further than LoopX, which recently disappeared along with the $4.5M raised in its ICO (Naked Security). It’s no wonder that the US SEC has recommended regulations.

    References:

    1. https://www.malwarebytes.com/blog/security-world/2017/12/how-cryptocurrency-mining-works-bitcoin-vs-monero
    2. https://www.computing.co.uk/ctg/news/3026552/researchers-find-javascript-cryptomining-code-in-19-android-apps
    3. https://securelist.com/zero-day-vulnerability-in-telegram/83800/
    4. https://nakedsecurity.sophos.com/2018/02/14/cryptocurrency-startup-loopx-exit-scams-with-4-5m-in-ico/