
Software bill of materials (SBOMs): what is it good for?

Absolutely EVERYTHING!

A software bill of materials lists the components used to build an application.

As an attack vector, the computer supply chain is an attractive one, and attacks on it continue to rise. Most people picture a supply chain attack as something that affects only hardware: a malicious actor working in a factory installs chips that allow some kind of remote access once the system is booted, or pre-installs malware on a hard drive before the computer ships. These days, though, the supply chain also includes a software supply chain.

The hardware world has long had a complete list of components shipped as part of a system delivery known as a “Bill of Materials.” This BOM provides the customer with a detailed inventory of all the parts and pieces of a box, usually down to the types of memory installed, the processor model, everything. On rare occasions, this would include at least a starting firmware/software version, whatever the OEM put into the system itself.

A software bill of materials (SBOM) is the software equivalent of the hardware version: a list of all the components used to build an application, including any open-source or commercial components in addition to whatever code is original to the vendor. SBOMs, though, have not been quite as standard as their hardware counterparts.

Read more: How do you ensure the security of your supply chain?

Why is a software bill of materials important?

Not surprisingly, the information in a bill of materials can help determine how to fix something on whatever system to which the BOM is referring. On the hardware side, serial numbers, component specifics, and overall product identification numbers are essential when replacing a hard drive, motherboard, memory module, or any other hardware item.

Think of a software bill of materials (SBOM) in the same context. Wouldn’t it be simpler to fix a software bug if you had a list of all the additional software components in an application? Wouldn’t you sleep better at night knowing that your application consumes a specific Python library for input and output? What about your logging components? And (I’m just spitballing here) wouldn’t it be great to know for sure that you didn’t have a vulnerable version of a logging library from some, oh, I don’t know, project like Apache?

Yeah, I know: it seems so far-fetched that something like that would ever be a threat, right?

Not only is it important to know where your software comes from, it’s also important to know what software components and shared libraries you have running on your devices or inside your applications. That’s where the concept of a software bill of materials comes into play.

With an inventory of all the software components used in an application or on a deployed device, your organization can finally figure out if you use Open Source Software library A, or custom software library B, and then which asset has which version!

Certainly, that would make those late-night calls over winter vacation much easier to take, as the solution to the question “do we run this?” would be right at your fingertips!

More on avoiding late-night, vacation-time emergencies: Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Aren’t software bills of materials already standard procedure?

Unfortunately, no.

The good news is that the National Telecommunications and Information Administration (NTIA) has been working on this concept since 2018. It maintains a site where practitioners can learn about SBOMs, with FAQs and consumable documents that guide anyone new to the concept. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) runs weekly SBOM workstream meetings, each on a different topic, open to anyone interested. The workstream schedule is published on CISA’s site.

What to do in the meantime

Ultimately, either generating your own software bills of materials or asking your vendors to supply them will substantially increase your ability as an organization to answer those age-old questions:

  1. Are we vulnerable to this new zero-day vulnerability?
  2. Where exactly are we vulnerable to it?

If you find yourself needing to create the SBOM yourself, be sure to visit that NTIA site, which also offers guides to creating SBOMs, evaluates the many online resources that can help you, and dispels misconceptions about SBOMs (for example, they are not really a roadmap for hackers; the benefit to you is far greater than to an attacker, who has plenty of other avenues available).
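To make the two questions above concrete, here is an added example (not code from the original post, NTIA, or CISA) that answers "are we vulnerable, and where?" from an SBOM. The SBOM is a constructed CycloneDX 1.4-style JSON document, the advisory EXAMPLE-2022-0001 is hypothetical, and the affected range is expressed as [introduced, fixed) the way most advisory feeds do it.

```python
"""Answer "do we run this?" from an SBOM.

Added example, not code from the original post or from NTIA/CISA. The SBOM is a
constructed CycloneDX 1.4-style JSON document and the advisory is hypothetical;
both are embedded so the script runs offline.
"""
import json

# Constructed SBOM: one application and the third-party components it bundles.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application",
                             "name": "billing-api", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-logger", "version": "2.14.1",
     "purl": "pkg:maven/com.example/example-logger@2.14.1"},
    {"type": "library", "name": "example-logger", "version": "2.17.0",
     "purl": "pkg:maven/com.example/example-logger@2.17.0?type=jar"},
    {"type": "library", "name": "requests", "version": "2.28.1",
     "purl": "pkg:pypi/requests@2.28.1"}
  ]
}
"""

# Hypothetical advisory (not a real CVE): versions in [introduced, fixed) are affected.
ADVISORY = {
    "id": "EXAMPLE-2022-0001",
    "purl_prefix": "pkg:maven/com.example/example-logger",
    "introduced": "2.0.0",
    "fixed": "2.15.0",
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). A '-rc1' style suffix is dropped so the core
    numbers compare; tuples compare element by element, so (2, 14) < (2, 14, 1)."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def affected_components(sbom_json, advisory):
    """Return (application, component, version) triples that match the advisory."""
    sbom = json.loads(sbom_json)
    app = sbom["metadata"]["component"]["name"]
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        # Match on the package URL, not the bare name: "logger" could be any ecosystem.
        if not purl.startswith(advisory["purl_prefix"] + "@"):
            continue
        if is_affected(comp["version"], advisory["introduced"], advisory["fixed"]):
            hits.append((app, comp["name"], comp["version"]))
    return hits


if __name__ == "__main__":
    for app, name, version in affected_components(SBOM_JSON, ADVISORY):
        print(f"{app}: {name} {version} is affected by {ADVISORY['id']}")
```

Two things worth noticing: the match is on the package URL (purl), because the same library name can exist in several ecosystems, and the same component appears twice at different versions, which is exactly the "which asset has which version" situation an SBOM is meant to expose. A real pipeline would feed the purls to a vulnerability database instead of a hand-written advisory and would handle advisories with several affected ranges, but the comparison logic is the same.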

Taking time and care to catalog your software components correctly (and update that catalog frequently!) will help you and your leadership sleep better at night. For the most part.

Sleep even better with help from our security team! Contact us today with your security needs.

Read up on things you can do right now to strengthen your security posture:

Why should you do information security awareness and training?

Car parts and cybersecurity: what is Google dorking?

The value of phishing simulation in a strong security program

Improve your cybersecurity defense with centralized logging

Why should you do information security awareness and training?

I am a shameless promoter of information security awareness and training (A&T).

Information security and awareness training can decrease the number of incidents that your company or organization experiences in a given year.

If I could get people to take three or four minutes of training on information security every week, I would do it.

I want everyone to be able to detect phishing emails and fake text messages quickly and easily.

I hear some of you groan in frustration and say, “Why bother? It doesn’t work!”

I strongly disagree.

I don’t agree that end users are the “problem,” that they can’t learn how to protect themselves and their data.

I see end users as normal human beings who want to do the right thing, to do their jobs and not make mistakes. In the same vein, the bad guys out there are working very hard at their job to trick our users, our friends, and our family.

The bad guys spend hours and hours learning what people will click on in an e-mail, identifying the exact words that trigger the urge to help out and click the link in that malicious e-mail. Or call that fake 800 number to fix a problem. Or quickly answer a request from the president or CFO or CIO.

Without a doubt, the potential consequences of that click, call, or answer are exactly why information and security awareness belongs on your list of infosec priorities.

Read more: Essential security practices to protect your business

So who needs information and security awareness training?

Everyone!

Absolutely everyone in your company or organization needs regular A&T: the CEO, the CFO, the CIO, all the way down the line to the admin at the front desk. A&T that starts at the top is the most effective. If the CEO believes that A&T is valuable and worth doing, the program will be significantly more effective.

Ok, tell me more about this training 

First, it’s both awareness and training. If you make your users aware of the risks, the threats that are out there, and why they need to be on guard or on alert, then the training will be more effective. At the same time, you don’t want to go down the FUD route (fear, uncertainty, and doubt). Be honest with your users and let them know that they are targets.

There are criminal organizations that do nothing but gain access to companies and organizations. These organizations are called access brokers. They are the groups that send out a blizzard of e-mails aimed at stealing credentials. These access brokers then sell that access to the ransomware groups who do the damage and encrypt or steal the data and demand the ransom. The threats to you and your company or organization are real, and they are persistent, and they evolve.

Second, be aware that people retain information and learn new skills differently, so your training will need to be adaptive. Some people like written instructions with short quizzes at the end to test what they learned. Some people like roleplay training or training wrapped in a short video (either animated or live action). Some like classroom-based training where they sit down—with others—and hear someone talk about a security topic (think brown bag sessions). They want to be with others in order to learn the material. The good thing is you have options for providing training for your users.

Alright then, when and where do you do this training? 

All year long, not just once a year. People need regular awareness and training just like computers need monthly patching.

Training—like patching—should happen monthly, or even weekly, to get the best bang for your buck. We live in a complex world with active threats that continue to evolve. Your training has to be frequent and needs to evolve as the threats evolve.

Those of us in information security preach the gospel of monthly vulnerability scanning and monthly patching. But often, we don’t preach quite so much about monthly awareness and training.

A&T helps, and I know that firsthand, as a preacher of the Gospel of Training, chapter 1, verse 1: “Train your users regularly.”

As for where to do the training, do it wherever people will take it. You might do monthly lunch-and-learns, either face to face or online, or computer-based training designed for mobile devices or PCs. We are far enough into this decade that you can find companies offering computer-based training or other kinds of training that will fit your budget and needs.

The benefits of information security awareness training 

Besides potentially decreasing the number of incidents that your company or organization experiences in a given year, a good information security awareness and training program can:

  • Help lower your cyber insurance premium.
  • Help you meet regulatory compliance requirements.
  • Help better protect your employees on the job and at home.

What’s more, what you spend on a good A&T program can be offset by recovering from fewer incidents and by lower cyber insurance premiums. It is money well spent. What do you do for A&T? Please feel free to e-mail me with comments or questions.

Read more from John Bruggeman:

Why test patches before deploying to production?

Cloud security controls that help mitigate risk

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

2023 Strategic Roadmap: The Future of SD-WAN

The future (and arguably the present) of networking belongs to the Cloud. Legacy WAN networks deployed on aging MPLS systems can no longer handle the sheer amount of data, processing power, and security needed to keep businesses competitive. The resources required to maintain legacy networks are becoming increasingly untenable. More and more, we find on-prem data centers reaching the end of their lifespan, requiring migrations to a cloud-based network. Software-defined wide area network (SD-WAN) is a robust methodology that shifts the burden of data flow from hard-line MPLS networks to the cloud.


SD-WAN deployment benefits include increased network speed, less downtime, and increased efficiency across the board. It also expands the data estate: companies need real-time access to their applications, mobile data, at-home devices, and data from IoT devices. As a result, the number of points of presence (PoPs) for many companies, especially those in healthcare, has grown rapidly, and the attack surface exposed to cyberattacks has grown to match. The future of SD-WAN will therefore hinge on current and emerging security tools such as SASE and ENI, and on specific deployments of machine learning (ML) and AI.

What is SD-WAN?

In a nutshell, SD-WAN architecture shifts the control of a wide area network for a company and its branches from an onsite data center and hardware to cloud-based software. This software controls connectivity, data management, and the flow of information from headquarters to company branches and remote workers. SD-WAN connection endpoints—branches, data centers, cloud platforms, or corporate offices—are referred to as the SD-WAN edge. As we’ll discuss in more detail later in the post, securing the edge network is a core issue vital to the future of SD-WAN.

According to a study conducted by Gartner with CBTS, the drivers of SD-WAN adoption are the need to:

  • Improve networking speed and agility.
  • Minimize or eliminate downtime.
  • Reduce costs and make predictable capital expenditures.
  • Optimize performance for end users and administrators.

Key benefits of SD-WAN

Switching to a cloud-based network has many company-wide benefits. Some of these include:
  • Dependable connectivity.
  • Faster network speeds.
  • Deployment over existing MPLS infrastructure.
  • Greater control of IT policy and permissions across the enterprise.
  • Easy monitoring of network performance.
  • Enabling managed services.
  • Enhanced security and early warning monitoring of potential threats.
  • Deployment of automation across the business-wide network.
  • Orchestration services such as Unified Communications as a Service (UCaaS).
  • Support for a range of cloud and multi-cloud platforms, including Microsoft Azure and Amazon AWS.

Also read: Key SD-WAN advantages your hybrid work-from-home model needs

The future of SD-WAN

Cyberattacks continue to grow in volume and complexity. In 2021, an HTTP DDoS attack peaking at 17 million requests per second was recorded, launched from a botnet three times larger than any previously registered attack. The rate and escalation of cyberattacks are not slowing down: a second attack later that year, at 22 million requests per second, dwarfed the first. Experts predict that an attack surpassing 30 million requests per second will come soon. Fortunately, cybersecurity measures continue to evolve as preventing cybercrime becomes a focus for enterprises and government agencies.

SASE

Secure Access Service Edge (SASE, pronounced “sassy”) is an architecture that utilizes SD-WAN via an encompassing cloud-native framework. First defined in 2019 by Gartner, SASE is a philosophical approach to cloud security instead of a set of tools or a specific technology. The SASE model merges networking and security to reduce hardware, simplify operations, and minimize security risks.

SASE engages with five core technologies:

  • Integrated SD-WAN
  • Cloud access security broker (CASB)
  • Firewall as a Service (FWaaS)
  • Secure web gateways
  • Zero trust network access (ZTNA)

SASE is a borderless approach to networking, meaning it can support globally distributed teams and customers and lets employers embrace a modern, work-from-anywhere mentality. Routing traffic through SASE PoPs places security enforcement and application access close to the user, and the integrated FWaaS extends firewall policy to data centers without dedicated appliances. Because PoPs are added globally, data doesn’t have to travel as far, which reduces latency and results in a higher-performing network. These PoPs provide the functionality, reliability, and access that teams and customers need.

ENI

Edge network intelligence (ENI) allows enterprises visibility of their end-user and IoT devices. ENI creates a complete view of the entire data plane for each user (wired and wireless). This allows IT teams to home in on issues such as latency via automatically generated issue tickets. ENI also proactively engages in self-healing for the network after problems have been identified. Another feature of ENI is integration with AI-empowered Network as a Service (NaaS) such as Cisco Meraki or Juniper Mist.

Learn more: Thinking big on future of networking

AI/ML

ENI uses machine learning algorithms to detect, monitor, and interact with end-user devices across a client’s data estate. SASE providers also deploy AI to scan for threats and block attacks proactively.

But in terms of potential, AI and ML are just beginning to scratch the surface. AI/ML will be integral to the future of SD-WAN.

Other innovations

Beyond security advancements offered by SASE, ENI, and other AI solutions, other innovations will continue to trend as SD-WAN moves into the future. Those innovations revolve around:

  1. Operational simplicity.
  2. Automation.
  3. Reliability.
  4. Scalability.
  5. Solutions with flexible business models.

Given the movement of most industries, it also seems highly likely that future iterations of SD-WAN technology will work well with multi-cloud platforms and help to streamline those environments.

Strategic roadmap for the future of SD-WAN

Legacy MPLS architecture is nearing the end of its lifespan in many cases. Compounded with the surge of data streams from mobile, at-home, and IoT devices, networks are primed to falter in the immediate future without SD-WAN solutions. Replacing traditional networks in favor of SD-WAN will allow for greater agility, simplicity, and performance on every level of business operations.

CBTS is at the forefront of SD-WAN conversion for our clients. The flexibility of SD-WAN means that delivery is potentially borderless, with service in over 60 countries. Often, we can utilize existing MPLS networks to deploy SD-WAN quickly and efficiently. Our suite of managed services—including networking—are best-in-class and a valuable way to offload burden from IT teams.

Get in touch to learn more about future-proofing your business with our managed SD-WAN, networking, or security services.

Car parts and cybersecurity: what is Google dorking?

What do the search for old car parts and cyber reconnaissance have in common? Google dorking. Before you head off this page to check out life hack videos, let me explain.

What do old car parts and Google dorking have in common?

I have been using Google search, Google cache, and the Internet Archive for years now to help me find parts and information to support my classic car habit. It just so happens that many of the techniques I use are extremely effective for doing reconnaissance on your enterprise. What’s more, they are free and, while not well known by most, they are certainly used by attackers. Since I began this post talking about car parts, you have guessed that I own a couple of classic cars. Anyone who has ever owned one knows that you spend as much time looking for parts and repairing the car as you do driving it. (Sure, I can get replica parts more easily, but they are not always available and are often outrageously expensive. Besides, I would miss out on the thrill of the hunt.) Google dorking is what lets me spend a little more time driving, just as it could give bad actors a little more time and information to attack your network.

Ok, so what is Google dorking, besides something that sounds super-nerdy?

Basically, Google dorking is taking advantage of advanced search techniques to ferret out information and uncover vulnerabilities that you wouldn’t otherwise find with a typical search.

Google supports a number of search operators. Many people know about the Boolean operators or the quotation-marks operator for exact phrases, but there are several more that can be quite interesting to use. Take the site: operator. If you start your Google query with site:www.yourenterprise.com, Google returns only results from pages hosted at www.yourenterprise.com. Very handy: you can pull everything you might want to know about a specific site without wading through all the non-relevant results. For instance, I use this operator to extract all the data about a specific car part from an entire forum.

The more search terms you add, the fewer results come back from that specific site. Let me show you how I use that to my advantage. Let’s say I search all the Craigslist sites across the country using the following syntax: site:*.craigslist.org post id: Datsun 14″ rims. Evidently, I am looking for Datsun 14″ rims. The “post id:” phrase restricts results to individual listings where someone is actually selling something, rather than the index of offers from each Craigslist site. As you probably guessed, the * is a wildcard and matches every regional Craigslist subdomain. How does this affect your enterprise security?

Now that you know you don’t need anything special to take advantage of Google dorking, you likely won’t be surprised that the site: technique described above can be used to query every server in yourenterprise.com for literally anything. Another useful query along the same lines is intitle:index.of name size, which returns directory listings that have been left accessible to the public on the Internet. Combining it with site:*.yourenterprise.com lists all the Internet-facing directory listings on every server in the yourenterprise.com domain, with a single query.
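The defensive move is to run those same queries against your own domain and confirm what comes back. Below is an added example (not code from the original post) that builds the queries described above for a domain and then checks a fetched page the way a reviewer would, recognising the auto-generated index pages that intitle:index.of matches and flagging the file names an attacker would go for first. The domain yourenterprise.com and the HTML are constructed; the markup mimics the listing pages Apache and nginx generate for a directory with no index file.

```python
"""Find directory listings on your own servers before someone else does.

Added example, not code from the original post. 'yourenterprise.com' and the
HTML below are constructed; the HTML mimics the auto-generated index pages
that web servers emit and that intitle:index.of finds.
"""
import re

# Constructed: what a web server returns for a directory with no index file.
SAMPLE_LISTING = """<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th>
<th><a href="?C=S;O=A">Size</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td>-</td></tr>
<tr><td><a href="db-2022-03-01.sql">db-2022-03-01.sql</a></td><td>2022-03-01 02:00</td><td>412M</td></tr>
<tr><td><a href=".env">.env</a></td><td>2022-02-11 09:15</td><td>1.2K</td></tr>
<tr><td><a href="notes/">notes/</a></td><td>2022-01-20 16:40</td><td>-</td></tr>
</table></body></html>"""

# Constructed: an ordinary page, which must not be reported as a listing.
SAMPLE_NORMAL = "<html><head><title>Acme Login</title></head><body>...</body></html>"

INDEX_TITLE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I)
HREF = re.compile(r'<a\s+href="([^"]+)"', re.I)
# Names an attacker goes straight for in an exposed listing.
SENSITIVE = re.compile(r"(\.env|\.sql|\.bak|\.old|\.zip|\.tar\.gz|\.pem|\.key|\.git/?)$", re.I)


def dorks_for(domain):
    """The queries from the post, ready to run against your own domain."""
    return [
        f"site:{domain}",
        f"site:*.{domain}",
        f"site:*.{domain} intitle:index.of name size",
    ]


def parse_directory_listing(html):
    """Return (path, entries) for an auto-index page, or None for anything else.
    Column-sort links ('?C=N;O=D') and the parent-directory link are not entries."""
    m = INDEX_TITLE.search(html)
    if m is None:
        return None
    entries = [h for h in HREF.findall(html)
               if not h.startswith("?") and h not in ("/", "../")]
    return m.group(1).strip(), entries


def audit(html):
    """Summarise one fetched page: is it a listing, and which names are risky?"""
    parsed = parse_directory_listing(html)
    if parsed is None:
        return {"listing": False, "path": None, "entries": [], "sensitive": []}
    path, entries = parsed
    return {"listing": True, "path": path, "entries": entries,
            "sensitive": [e for e in entries if SENSITIVE.search(e)]}


if __name__ == "__main__":
    for query in dorks_for("yourenterprise.com"):
        print("search:", query)
    print(audit(SAMPLE_LISTING))
```

In practice you would feed audit() the body of each URL the searches return (or of every directory you expose, with a crawler of your own) and treat any result with a non-empty sensitive list as an incident, not a finding. Remember that once a listing has been indexed, fixing the server configuration does not remove the copy search engines and archives already hold.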

Read more: Essential security practices to protect your business

Syntax is not the only way to do what Google dorking does

Two other tools make reconnaissance even easier. The first is Google Cache, which keeps a copy of web pages that are no longer available for about 90 days. The second is the archive.org Wayback Machine, which stores copies indefinitely. I mention both because companies believe that removing what they deem sensitive information from their websites means it can no longer be uncovered for reconnaissance. If the information was ever publicly accessible, there is a reasonable chance it never goes away, thanks to the Wayback Machine. I use the Wayback Machine to look up web pages from 20 years ago that detail how to modify a particular part so it can be used today; those orphaned forum links that go nowhere still lead to the content they pointed to 10 or 20 years ago. Similarly, bad actors can access old web pages that companies believed they had taken down, scrape potentially sensitive information, and create problems you never anticipated.

Read more: Cybersecurity guidance from the top

Google dorking is anything but dorky

In conclusion, these are by no means the only Google dorking operators or tools available for searching out reconnaissance data about your organization. They do, however, show how easy it is for outsiders to learn much more about your organization than they should be able to. True, it is one more thing to learn in order to improve your security posture, but it pays to become familiar with what can be done with Google dorking.

If you need any help addressing questions about your enterprise security, please feel free to reach out to the CBTS Security Team.



The value of phishing simulation in a strong security program

One of the more fiery topics of discussion amongst security practitioners and luminaries in 2022 is the role of phishing simulation and assessment in an enterprise security control strategy.

What role does phishing simulation play in your security program?

It has long been gospel that security awareness training is an essential practice for an organization taking security seriously. We need to continually remind our employees about the threats they face, and the responsibilities they carry to protect themselves and their employer from those threats. Training should be:

  • Consistently delivered, in a regular “drip” throughout a year, so that the message stays top-of-mind.
  • Current and relevant, covering recent attack trends in detail (and even using examples of tactics that have been successful against the organization) and focused on the behaviors and actions expected of employees.
  • Nontechnical, delivered “in their language” and in a way that they can understand.
  • Engaging, produced and executed with content that draws in the audience and impacts them.

The last point is particularly relevant in this discussion about phishing simulation.

Why we do phishing simulation

We characterize phishing simulation as the practice of delivering simulated phishing attacks to employees—along with associated training material—in an effort to teach them to recognize and respond to the real thing, but in a safe and educational setting. This practice is the manifestation of the principle of “experiential learning”. Since the 1970s educators have considered this to be a formal field of education, and have explored its value as a part of a larger educational strategy. Our man Confucius said it well: “I hear, I know; I see, I remember; I do, I understand.”

Also, people remember best when they experience something rather than just read about it or watch a video on their computer.

Teaching your employees the “how-not-tos” of phishing. 

Applied to security awareness training, our goal is to have users experience the practice of receiving a phishing email that was unexpected, and then measure their response. Do they report it? Do they poke at it a bit before doing so? Do they fall for the fraudulent claims that come from the sender? Through this effort we determine their susceptibility—or their resilience—to this attack vector.

When our Security Consulting team does phishing simulation for our customers, we carefully craft content in coordination with their security team, identifying scenarios and approaches that are particularly troublesome for their users. We use tools to deliver the e-mail and web content that allows us to measure the responses from the targets: simply opening the message and reading the content; clicking the links or opening the attachments; or submitting data to a form built to steal credentials.

By developing several different campaigns with varied scenarios and content, sent to many different groups of employees, we can start to pinpoint weaknesses in their awareness of threats, and adjust the training to match. We also direct the users who engage with the content to training material on the subject immediately. We find those who have been told “you just failed a phishing test” are paying quite a bit more attention and are more ready learners. When organizations perform these exercises regularly with targeted training in between, we see improvement in the reporting metrics. Users are more likely to report not just the simulated attacks, but actual attacks, as opposed to engaging with them. As an example of the effectiveness, one of our financial services clients saw a 20% drop in “click rates” (users who open a link in a phishing e-mail instead of reporting it) over a three-year period after consistent training.

Read more: Why should you do information security awareness and training?

Criticisms of phishing simulation

Sounds great, right? Not to everyone. There’s been criticism about this practice, and it stems largely from teams who use unsavory content in their simulated campaigns. Think about an e-mail purporting to be from a company that promises to pay off all your student loan debt, or give you free lifesaving drugs if you’re a terminally ill patient. It’s pretty brutal to yell “surprise, we were just kidding, here’s some training!” after sending someone one of those e-mails. So it’s important to be sensitive about the pretext of a message we’re sending to train someone—we don’t want to be hurtful, even if the attackers don’t mind doing so.

Critics also point to research suggesting that phishing training doesn’t help, that people continue to click on phishing links regardless. So the evidence on the value of phishing training is mixed.

Hurt feelings aside, we need to face facts: historically, the only way to determine if our security strategy is viable against real attacks is to use real attacks to test it. This is why we do penetration testing! But machines and humans react differently, so we have a thin line to walk: do what the attackers do without causing actual trauma. Some consider the risk of that trauma to be so great that it isn’t worth the potential benefits of training. What if the previous financial customer I mentioned only saw a 5% improvement over the three-year period? Or a 1%? Is that worth the monetary cost of the practice, as well as the frustration of the users who are targeted? These are important questions!

Why phishing simulation puts the odds in your favor

Let’s think about this like we thought about the pandemic. Why wear masks? Not because it completely prevents the spread of a disease, but because it lowers the occurrence of spread. If I have a hundred opportunities to be infected in a day, and wearing a mask means even one of those hundred opportunities is eliminated, that’s an improvement.

We are in the business of reducing risk, and that means any positive change is valuable. The idea that “this security control didn’t eliminate all risk, so it isn’t useful” is nonsense, in my opinion. The same attitude says that because an endpoint protection solution stopped 19 of 20 pieces of malware but allowed one through, it is a failure. We know that’s illogical! That’s 19 pieces of malware we didn’t have to worry about, and a situation where 19 attacks were unsuccessful is obviously better than one where all 20 succeeded.

We cannot eliminate all risk, and those that set such a goal for themselves will always be disappointed and behind. They subscribe to an unrealistic, unattainable view of protecting an organization, and will be unsuccessful every time. Incremental gains in a security program’s effectiveness are not only meaningful, they’re usually the only type of growth we see. Rarely do organizations achieve wholesale, life-altering improvements in a short period of time; counting on them is the approach of a lazy security practitioner. But if we have 1,000 employees and we turn even one of them from a “clicker” to a “reporter”, that’s growth, and that means potentially dozens or even hundreds of chances to be compromised that are eliminated. In coordination with a larger strategy that includes other training, e-mail security systems, endpoint and network protection, least privilege, and strong authentication, we can start to have a real effect on minimizing the impact of these attacks.

How do we effectively use a phishing simulation?

Now, if you’re simply performing simulations to generate metrics and make your security team look successful, yeah, you’re going to have a bad time.

Simulations are useful as a way to identify weaknesses to which you will apply training. Here’s an example of what our security services team sees as a beneficial training cycle:

  • Acme Co receives a targeted phishing campaign that uses a Microsoft account credential theft attack and a scenario claiming to be a password reset request. A quarter of their employees (100 users) click the link, and 10% (40 users) submit credentials, resulting in a security incident.
  • Acme Co recovers and delivers training to their users, explaining what the attackers did, what they were after, and the recognizable content in the attack that was notable for future detection (an urgent request claiming to be from an authority figure, delivered in an unusual manner: an e-mail message). Users are asked to watch for these telltale signs, and report them in the future, even if they’re unsure if they’re dangerous.
  • Acme Co waits a month and delivers a series of phishing simulations.
    • To those that clicked the link, the same type of message as the actual attack is used.
    • To those that did not click the link, a similar, but slightly more sophisticated message is used, with slicker, more convincing graphics in the e-mail and on the website.
    • To those that reported the message, a simulation with the same attack vector (Microsoft account credential theft) but a different pretext (the employee’s manager is sending the e-mail) and scenario (the employee needs to verify their W-4 is up to date) is delivered.
  • The results of these exercises are collected and analyzed, with the following happening:
    • Employees that still fell for the simulated attack are coached in a 10-minute in-person/virtual training session by a member of the security team along with the employee’s manager.
    • Employees that ignored the message but did not report it are notified and reminded about the reporting process.
    • Employees that reported the simulated message are rewarded with a $5 Starbucks gift card.
    • Broad training content for all employees is updated to mention the telltale signs used in this type of attack and what to watch for.
    • A regular monthly communication to all employees mentions this phishing attack and re-emphasizes the warning signs and reporting process.
  • Acme Co repeats the simulation a few months later, with a slightly modified pretext and scenario and this time asks the user to provide their MFA one-time password along with their credentials. Results are analyzed and used to drive future training as before.

Remember that this is simply one piece of a larger strategy. Yes, it takes people and intentional planning and follow-up. That’s what good security looks like! Humans are harder to secure than machines.

Read up on all the security practices that are essential for protecting your business.

Conclusion

Like it or not, your users will be receiving phishing e-mails. You can’t stop every one of them from entering your inboxes. Either you teach them safely to recognize this content and respond well, or you leave them to their own capabilities and hope for the best. The attackers typically don’t share our qualms about using unsavory tactics. While we don’t want to stoop to their level, we do need to recognize that we’re facing actors that often go to any lengths to trick our users and we need to effectively prepare them for what they’ll face—and if reading about it in a slide deck or e-mail newsletter isn’t helping, we need to consider what will actually move the needle.

Contact us today to learn more about how we can help you build stronger security for your organization.

I just met a vuln named Follina

Happy summer, everyone! To celebrate, there’s a new Microsoft Windows zero-day vulnerability, currently classified by NVD as CVE-2022-30190, and nicknamed by the community as Follina. It exploits a flaw in the Microsoft Support Diagnostic Tool (MSDT) that uses the tool’s special protocol handler configuration to retrieve and execute arbitrary code from a remote system.

As a reminder to the newer folks on the scene, a vulnerability is classified as a “zero day” if the creator of the vulnerable product becomes aware of the vulnerability’s existence when an exploit for the vulnerability is made public.

Those are fun because it means:

  • The vendor has to hustle to understand the vulnerability and develop both workarounds and a patch.
  • There’s a chance this vulnerability has been in use by attackers for a while, but none of our security controls were able to detect it. It’s like finding a spy cam in your house—how long has it been there? Who put it there? How’d they get in? It’s really unsettling!

We’ve talked about this before—what happens when you’ve got a vulnerability in your systems, but no patch? How does your vulnerability management program handle it? In this case, the attack observed by researchers is triggered by a malicious Office document, which executes the MSDT call to grab the attacker’s code and run it. This is problematic—like most businesses, our organization tosses around Office documents like monkeys toss around bananas (that’s apocryphal; I have no idea if monkeys wantonly toss around bananas).

How do you solve a problem like Follina?

If there’s no patch currently, organizations are vulnerable by default, at least until the anti-malware controls deployed at the network and endpoint layers are updated to detect the exploit. Our first recommendation is to contact your security vendors and ask if they have rolled out, or are planning to roll out, detection or prevention for this attack. Mention Follina or CVE-2022-30190.

So, while we’re waiting for those updates, we still have to operate our business. It’s helpful to consider a workaround. Microsoft has released a bulletin describing a workaround for Follina that can be deployed to disable the MSDT protocol handler. To use this workaround, your organization needs to be able to implement configuration changes on your assets across the entire enterprise. Many companies depend on Group Policy Objects to do this, but that approach is often difficult if you have a remote workforce that isn’t checking in with your Active Directory daily.
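As an added example (not code from the original post or from Microsoft's bulletin), the following PowerShell script applies, verifies, and reverts the workaround described above on a single host. The reg.exe export/delete steps follow Microsoft's published guidance for CVE-2022-30190; the backup path is an assumed placeholder, and the script must run in an elevated session.

```powershell
# Added example, not from the original post: back up and remove the
# ms-msdt protocol handler registration (Microsoft's published workaround
# for CVE-2022-30190 / Follina), and report status for fleet collection.
# Assumption: the backup location below is a placeholder; adjust for your MDM.

$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$PsPath     = "Registry::$Key"
$BackupFile = 'C:\Temp\ms-msdt-backup.reg'

function Test-MsdtHandlerPresent {
    # $true means the ms-msdt: handler is still registered, i.e. the
    # workaround has NOT been applied on this host.
    return (Test-Path -LiteralPath $PsPath)
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    # Export first so the change can be reverted once a patch is deployed.
    & reg.exe export $Key $BackupFile /y
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; aborting." }
    & reg.exe delete $Key /f
    if ($LASTEXITCODE -ne 0) { throw "Could not delete $Key." }
    Write-Output "ms-msdt handler removed; backup saved to $BackupFile"
}

function Restore-MsdtHandler {
    # Undo the workaround after the vendor patch has been tested and rolled out.
    if (-not (Test-Path -LiteralPath $BackupFile)) {
        throw "No backup found at $BackupFile"
    }
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Output 'ms-msdt handler restored from backup.'
}

# Apply the workaround, then emit one JSON line per host so your MDM/RMM
# tool can confirm coverage across the whole fleet, remote workers included.
Disable-MsdtHandler
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    MsdtHandlerFound = Test-MsdtHandlerPresent
    Checked          = (Get-Date).ToString('s')
} | ConvertTo-Json -Compress
```

Run Restore-MsdtHandler from the same script once the patch is in place; the exported .reg file is the only record of the original handler configuration.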

Our second recommendation, therefore, is to use a mobile device management solution that can remotely control, implement configuration changes, and install software and updates to your fleet of workstations and mobile devices no matter where they are. There’s a larger problem here, though, that goes beyond this vulnerability. Attackers deliver malicious files to our users all the time—as e-mail attachments, or from malicious websites, or through social networks. What if we can’t tell at a glance if a document is benign or malicious? How can our organization defend against dangerous documents when receiving documents from third parties is a normal, everyday part of our business processes?

Something’s coming: treat it like a threat

Our third recommendation is to assume every document is dangerous. Each one needs to be evaluated before we can allow a user to interact with it—especially if the document originated from outside our organization.

Reputational and behavioral detection can often locate malicious files even if a signature doesn’t exist yet, and can be implemented everywhere these documents enter your environment—from the web, e-mail, or physical media. That means that these controls need to be enforced wherever your users sit, including remote locations that may be outside the on-premises network of your LAN.

You may also consider controls that can sanitize potentially dangerous documents as they flow to the end-user, or provide isolation features that protect the user’s workstation during e-mail and web browsing.

Finally, blocking the download of specific file types—through e-mail and web traffic—that are considered risky is a common tactic. Stripping Office documents from e-mails that originate from the Internet might be a controversial move but could be implemented temporarily during “times of crisis”, i.e., when a vulnerability like this is being exploited in the wild but no patch is available. And if there are certain file types you know you’ll never need to receive—RTF documents, XLSM sheets, etc.—those can be blocked without much impact.

So, as always, keep an eye on the bulletin from Microsoft for a patch to test and roll out to your population; keep an eye on your defenses, to look for suspicious activity; and keep an ear to the community, in case new vulnerabilities or methods of exploitation are discovered. Need help with your cyber defense? Contact the CBTS cybersecurity team today.

Cloud security controls that help mitigate risk

As I mentioned in my previous post on cloud security, depending on the kind of cloud solution you have, you might be the one responsible for implementing any and all security controls.


All major cloud providers have risks and also have ways of implementing controls to mitigate those risks. There are whole categories of security providers for the various parts of a cloud security program. As you begin to plan your move to a cloud solution you will see acronyms like CASB, CSPM, CWPP, and SASE.

It can get a little confusing with all the acronyms, but each product has a reason for existing.

Let’s start with CASB or cloud access security broker

A cloud access security broker ensures that the user trying to access a cloud service (think Salesforce or Office 365 or SAP) should be able to access the service, and that they are doing only the things they are supposed to do.

Obviously, there are some fundamental controls that you want to have in place for your cloud applications. You want to be able to see what your users are doing in the cloud (visibility), you want to detect threats to your systems and data, and you want to make sure you maintain compliance with the regulations that apply to your organization.

At the most basic level you want to make sure only the people you allow can access the cloud services you use. In other words, should John be able to access customer data stored in Salesforce?

In addition—and more importantly—you want to make sure they can only do things they are supposed to do. As a security professional, you want to make sure John does not delete or modify data he shouldn’t. CASB provides controls and visibility over what John does when he signs into Salesforce.

The basics just won’t cut it against today’s security challenges

You might think, I already have Active Directory (AD) or some other identity management (IM) tool (Okta, OneLogin, Centrify, etc.), why do I need a CASB solution? Well, your IM solution might only work for local access, or it might not be tied into or connected to your cloud solution. CASB is designed, as the name implies, to broker the access between the IM solution and the cloud service.

For example, think about the steps that go into giving a new hire access to all the services they need to do their job. You want to give the new hire an e-mail account, access to the payroll system to enter their time, and then—if they are in sales—access to Salesforce or a similar tool to track and follow up on leads. If they are writing or reading reports, they need access to the collaboration tool/Office product (O365 or Google Workspace, etc.).

What is often overlooked is one of the big gaps for a lot of companies: de-provisioning services when someone leaves an organization. Provisioning a new hire with access to the applications they need to do their job is often automated with a well-designed workflow with few manual steps. De-provisioning access is often not as well automated; frequently employees retain access days or weeks after they have left the company, even when the separation (i.e., firing) was not on good terms.

A CASB solution that controls who has access to what cloud services can help simplify both ends of the provisioning workflow. As a result, you can end up with an automated workflow that can very quickly grant and remove access with the click of a button.

Now we will look at cloud security posture management or CSPM

CSPM is a tool or set of tools that ensures that the controls you want to have in place for your cloud environment are correct. Your organization might have to follow a particular security standard like NIST 800-53 or ISO 27000 due to government regulations. A CSPM tool can ensure all your cloud infrastructure stays in compliance with those security standards.

Numerous security breaches have happened due to misconfigured permissions with cloud storage. Mismanaged Amazon S3 buckets have caused major data disclosures. Companies that thought they had good practices in place—like Booz Allen Hamilton and Deep Root Analytics in 2017—leaked data because of misconfigurations.

A CSPM will constantly monitor your cloud environment for configuration changes and settings to make sure that the rules and controls you want to have in place for your environment are in place. Additionally, some solutions will automatically fix incorrect settings to ensure compliance with privacy laws and government regulations regarding data privacy.

Go straightforward with a cloud workload protection platform (CWPP)

A cloud workload protection platform is designed—as the name suggests—to protect what you are running in the Cloud from attacks by malware or viruses. Just as you run endpoint protection software on servers in your datacenter, you want the same thing happening in your cloud environment if you are hosting your own servers or virtual machines. Most CWPP solutions offer an agent version, just like you use now, or an agentless version that pulls information from your cloud-hosting environment. The agent version typically gives you better intelligence, at the cost of some performance in your cloud environment. The agentless version usually has no impact on your cloud workload, but typically you will not get all the details that an agent provides.

Relative newcomer secure access service edge (SASE) can give smaller businesses more security attitude

Secure access service edge, known as SASE (pronounced “sassy”), is a cloud-based information technology model where both the network and the security for the network are offered on demand without having ownership of the hardware or security tools. This kind of solution is growing in popularity for small startup companies and companies that are very flexible because you purchase your networking and security as you need it.

SASE typically has four main components:

  1. A CASB solution to provide security for your cloud applications,
  2. A secure web gateway (SWG) for access to your cloud applications,
  3. A zero trust network (ZTN), which you can implement on top of the SWG, and finally,
  4. Firewall-as-a-Service.

This is a lot of acronyms and buzz words, but they can and do really work together, with the result that you can implement very good security controls if you design your cloud environment with SASE in mind.

SASE works best and easiest when you have a totally cloud environment. You can see why that would make it appealing to startup companies that do not have legacy hardware and storage and other technology that must have security “bolted” on later to make it cloud-friendly.

I can hear some of you saying, “What is the key takeaway?”

For CIOs and IT Directors, the key takeaway is that there are advantages to moving on-premises storage and computer systems to a cloud service. However, you need to carefully plan what you are moving, why you are moving it, and what controls you will have in place to make sure the systems and data you move to a cloud service (SaaS, IaaS, PaaS) are as secure as you need them to be.

For security practitioners, you need to recognize that the security controls you use for on-premises assets are not always the same controls you use for cloud assets. Consequently, your thinking needs to shift and you need to make sure the controls you use are appropriate for cloud hosted assets.

If your company is relatively new and does not have a significant investment in on-premises computer resources, your move to the cloud could be smooth and painless. On the other hand, if your company is a mature company with lots of assets on premises and in-house, as well as custom applications, your journey will likely be longer and require significantly more planning and preparation.

I hope this has been helpful. Reach out and let me know if you have any questions.

Read more from John Bruggeman:

Weighing the risks and benefits of moving to the Cloud

2022 Cybersecurity Predictions

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

SASE: What is it, why now, and is it right for you?

For many organizations, the pandemic has been a driver for digital transformation. With applications and operations rapidly migrating to the Cloud, security must follow the user and not be tied to the traditional brick and mortar location. Digital transformation is a complex process since organizations now require expertise in both networking and security, and the move to the Cloud can be costly as well.


This is where Secure Access Service Edge (SASE, pronounced “sassy”) comes in. The term is a new concept, originating from Gartner in 2019. In the not-too-distant past, SASE stood for Self-Addressed Stamped Envelope, and the evolution of the acronym exemplifies just how quickly our world is going digital.

With its Network Security as a Service offering, CBTS combines SD-WAN technology with SASE principles to provide efficient, secure, and cost-effective networks for organizations trending towards remote and branch operations. To help you embark on your own digital transformation journey, CBTS has prepared a guide on key SASE benefits, what challenges you should look out for, and why the trend is here to stay.

What is SASE, and how does it work?

In precise terms, SASE is a network architecture that combines software-defined wide area networking (SD-WAN) and security into a singular cloud framework. That means organizations benefit from improved efficiency, heightened security, and simplified WAN deployment.

The SASE framework and philosophy is a novel approach to a cloud enabled enterprise network with many operational, business, and security benefits. For example, converging an organization’s cloud-based networking and security services reduces complexity, boosts network performance, and minimizes the number of vendors and devices IT oversees.

Additionally, there is a considerable reduction in hardware requirements, lessening IT staff’s workload related to deployment and maintenance while expanding actionable security alerting and monitoring.

By implementing SASE, you’ll engage with five core technologies:
  1. Integrated SD-WAN: Optimize network administration and performance by leveraging software and cloud-based technology for enterprise network connectivity.
  2. Cloud access security: Ensure safe use of cloud technology for your enterprise. Improving cloud security prevents malware infections, data leaks, and regulatory noncompliance.
  3. Firewall as a service: Deploy cloud-based firewalls to take advantage of advanced threat protection, URL filtering, DNS security, and intrusion prevention systems.
  4. Secure web gateway: Protect your internal network and users from potentially malicious unsecured Internet traffic.
  5. Zero trust network access: Reduce the risk of attacks and data leaks by verifying the identity of users or devices attempting to access your network.

Learn more about how SASE and Zero Trust Network Access work together to deliver safe, secure, and reliable remote access to your network by downloading this e-book: SASE and ZTNA for Dummies

Complete your SD-WAN migration with improved security

Migrating to SD-WAN has become a critical endeavor for enterprises across the globe, and SASE provides the ideal path to a successful implementation.

Due to the swift spread of the coronavirus crisis, many enterprises quickly shifted to a distributed workforce. They soon realized that their existing VPN-based solutions were often unreliable, with limited performance and security measures. We’ve previously covered how SD-WAN security enhances critical business applications, but in short, enterprises benefit from a networking solution offering more affordable, reliable, and faster connectivity.

In the SASE framework, these benefits are realized alongside improved security for a remote workforce. With remote work here to stay, organizations must be able to support increasingly dispersed teams safely, and security is paramount to doing so.

SASE employs a flexible, cloud-based firewall that protects users and computing resources located at the network’s edge. It offers secure web gateways to protect companies from the threat of harmful outside resources. It also implements zero-trust network access, which bases security on identity rather than aspects like an IP address.

Altogether, by leveraging SASE, organizations ensure branch offices can take advantage of ongoing digital innovation efforts and improved security features as they scale.

Also read: Employ cloud-enabled security to safeguard your SD-WAN network

Keep pace in a shifting digital landscape

Our increasing dependence on the Internet of Things (IoT) and edge computing necessitates a trustworthy, homogenized approach to cloud-based services and security. In this environment, SASE is already an essential aspect of a company’s digital makeup.

Remote workforces must be able to rely on sophisticated, tailored cloud services that allow them to perform their duties with confidence. IT staff cannot be held back by legacy hardware or features that are merely stitched together instead of well-integrated.

The digital landscape is constantly evolving, and so are its threats. Our 2022 Cybersecurity Predictions asserted that ransomware attacks will increase. Additionally, nation-state attacks will see an uptick, while the number of states starting to give privacy rights to consumers is on the rise.

Enterprises can best address these concerns by deploying an integrated, complete response to the cloud-based security needs of modern organizations.

Reduce the burden of network and security maintenance

Beyond increased efficiency and reduced complexity, taking the plunge with a combined networking and security offering simplifies operations for an enterprise’s IT staff.

Regardless of where users are located, SASE ensures security policies are standardized. It also simplifies the authentication process by applying the right policies based on what the user requests at sign-in. In fact, IT executives can set these policies centrally using cloud-based management platforms. These procedures massively reduce risk, as the entire system is less complex and offers a universal approach.

Where an enterprise’s IT staff is often overloaded with menial, time-consuming tasks, a combined SD-WAN and security offering frees your team to improve business efficiency, address IT concerns that affect the bottom line, and support the organization.

Why CBTS for SASE?

If legacy infrastructure, increasing complexity, and skyrocketing costs are standing in the way of your team completing your digital transformation journey, CBTS is the right partner for you.

It’s critical that the partner you select has experience in both network and security solutions. CBTS offers a wide range of expertise compared to other managed service providers. As a Check Point Software Technologies 5-Star Partner, it has a long track record of delivering extensive networking and security overhauls. In 2020, CBTS was named a Gartner Magic Quadrant leader for its VMware SD-WAN™ edge expertise. By combining VMware SD-WAN with SASE network security principles, CBTS delivers comprehensive cloud-native network security.

Our experts work alongside you from the assessment phase to the implementation of your SD-WAN and security capabilities to provide ongoing, full-spectrum support for your organization.

Contact the experts at CBTS to enhance and simplify security for your modernized networking environment.

2022 Cybersecurity Predictions

Hello everyone, I hope 2022 will be a better year for all of us, and like so many others I have some predictions about what is on the horizon for cybersecurity in the coming year.

My predictions are similar to others in the cybersecurity community but I know that folks other than information security professionals read this blog so I want to get this information out to that constituency as well as the info-sec community.

Here are the top seven things I think we can expect in 2022

1. Ransomware attacks will continue to increase, not decrease in 2022.


The business of ransomware, i.e., Ransomware-as-a-Service, is just too profitable for it to slow down or stop. The process is too developed, too streamlined, and too easy for criminals and the threat actor community to give it up. For those of us on the Blue team (the defense side in the whole red team/blue team dichotomy), we will continue to defend and protect our data and assets from threat actors on premises (traditional IT) and in the cloud (AWS, Azure, etc.).

Ransomware-as-a-Service is now so mature that there are access brokers, malware developers, hosting platforms, extortion specific websites, and even customer service teams to help victims pay via Bitcoin, plus you can be certain that criminals are making cybersecurity predictions of their own. Stay alert everyone: We are being targeted.

Read more: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/

2. Supply chain risk will continue to grow.

This is an outgrowth of the first item—ransomware increasing—and the number of vectors where criminals can attack is limited only by the number of companies in your supply chain. So think about who is supporting your business. Are they a secure company? Can they prove it?

If you don’t know your vendor partners well or if you don’t know how secure they are, you need to find out. You are as insecure as they are. You need to make sure you are as well protected as feasible from risky suppliers. Third-party risk management will be a critical component of your risk management strategy in 2022 and beyond.

Read more: https://www.securityweek.com/critical-sap-vulnerability-allows-supply-chain-attacks

Read more: Software bill of materials (SBOMs): what is it good for?

3. Monitoring endpoints with MDR or XDR will grow to defend against the increase of ransomware.

To defend against ransomware attacks, the need for “eyes on glass” 24×7 will increase in 2022 and beyond. Demand for managed detection and response (MDR) and eXtended detection and response (XDR) will increase due to management wanting to defend against attacks. Insurance companies as well are requiring companies and organizations to have MDR/XDR in order to qualify for cybersecurity insurance.

Read more: https://www.forbes.com/sites/forbesbusinesscouncil/2021/12/22/with-rising-cyber-insurance-costs-and-requirements-consider-new-alternatives-to-fight-ransomware/?sh=288404226e14

4. Multi-factor authentication (MFA) for e-mail and other business application access will grow, as will Zero Trust Networks (ZTN).

These security controls will grow to help defend against ransomware attacks. Just like MDR/XDR, MFA will be a requirement to qualify for cyber insurance. Companies like DUO and others will see increased sales as companies move to MFA to meet those cybersecurity insurance requirements.

Read more: https://solutionsreview.com/security-information-event-management/understanding-and-complying-with-the-new-mfa-requirements-for-cyber-insurance/

Zero trust Networks will be more than a buzz word in 2022 as more companies look to reduce their risk and attack surface. Some areas will be easier to move from classic trust frameworks, where the device is trusted because the company owns the device, to Zero Trust where the user, the device, and the applications are not implicitly trusted. Boards and senior executives will be asking and expecting CIOs to make the move to less trust, more verification from the edge on down the chain.

Read more: https://www.forbes.com/sites/forbestechcouncil/2021/12/09/why-zero-trust-and-identity-will-be-boardroom-priorities-in-2022/?sh=5f2670a1d315

5. Cybersecurity insurance premiums will rise by 20%, 30%, and more.

The cost of insurance against cybersecurity attacks, data loss, and other security risks will continue to rise and drive the adoption of other threat detection and prevention tools as mentioned above. Companies looking to renew existing policies will face 30%, 40%, and higher percentage premium increases due to the explosion of attacks in 2020 and 2021. In addition to higher rates, the security controls that have to be in place to purchase insurance will increase (see items 3 and 4 above).

Read more: https://www.forbes.com/sites/theyec/2021/11/02/cyber-attacks-are-on-the-rise—what-executives-and-insurance-providers-can-do/

6. Nation-state attacks will increase.

With Russia testing out cyberattack tools against Ukraine, and North Korea testing out attack techniques against South Korea and others, nation-states will continue to attack soft targets around the globe. Collateral damage will occur as nation-states test and launch attacks against targets, with some attacks impacting suppliers to other companies. Third-party and supply chain risks will be identified as a vector for these attacks, which is how many other companies will be impacted.

A manufacturing company in Indiana won’t be a target but AWS or Azure will be, and the company’s AWS instance will be impacted as well. When nation-states are involved even the biggest vendors can go down.

Read more: https://www.securitymagazine.com/articles/96781-top-15-cybersecurity-predictions-for-2022

7. California Privacy laws will start to impact U.S. businesses the same way that the GDPR impacted the EU.

The California Consumer Privacy Act (CCPA) and the new California Privacy Rights Act (CPRA) are just the tip of the iceberg in terms of new privacy legislation in the US. More than 30 states in the U.S. have data privacy laws and the number of states starting to give privacy rights to consumers is on the rise. This trend will continue and impact virtually every company that does business in the United States in 2022.

To get a head start on this, find out where your customer data resides, make sure you know everywhere it resides, and then start your data labeling process. You can be the CIO hero if you know where the data resides and how to delete it or correct it so that your customers can be forgotten or updated if they want, and you can prove that you did it.

Read more: https://news.bloomberglaw.com/privacy-and-data-security/top-privacy-law-issues-in-2022-as-congress-debates-a-federal-law

That is what I see on the horizon for 2022. What are you seeing and what predictions for cybersecurity have you made? E-mail me at john.bruggeman@cbts.com and let me know your thoughts on the upcoming challenges and opportunities in 2022.

Read more from John Bruggeman:

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

Over my past three blog posts, I’ve talked about cyber insurance. The first one covered the topics of what it is and do you need it. The second post discussed what you need to have or know before you make the call to your agent to get a quote. My third post examined in detail what type of questions you’ll be asked and who else besides the information technology group has to be involved in order to answer the questions from the insurance carrier.

Insurance companies may choose not to insure you for various reasons. Discover those reasons, how to resolve the underlying issues, and alternatives to buying cybersecurity insurance.

Now let’s talk about what to do if you can’t buy insurance, either because the premium is too high or no insurance carrier will cover you. Unfortunately, these days insurance carriers are denying coverage more often due to the very high probability that your company will be attacked and compromised. You want to prepare yourself for that possibility.

In this blog, I’ll cover your options if you are denied. Part one will address the reasons why the insurance company won’t cover you and what you can do to fix those issues. The second part will cover what you can do instead.

Why insurance companies won’t cover you

Insurance companies typically deny cyber insurance because they think you are too risky. Just as a 16-year-old who just got their driver's license is very risky for a car insurance company, your company or organization can be viewed as too risky if you don't have good cybersecurity practices in place.

How to resolve issues

First, you should try to find out why you were denied. It's likely that the insurance carrier won't tell you why; you'll just be denied. To find out, take a look at the questions in Cyber Insurance, part 2: Getting ready for the insurance company questionnaire and also in Cyber Insurance, part 3: Filling out the questionnaire. When you answer the questions in those two blogs, the areas you need to improve will likely stand out.

But what to do?

More often than not, the problem that is preventing you from qualifying for insurance can be resolved by adopting an information security framework like the NIST Cyber Security Framework or CIS Controls. A framework helps you standardize what you are doing to protect your data, assets, and systems from threats. You can adopt either of these frameworks at no cost to you, other than your time and effort.

Something else you can do that doesn't cost anything other than time, but will help improve your security posture, is answering these five questions from Justin Hall. After you answer those questions, you can take these five steps to make your environment safer.

Alternatives to buying cybersecurity insurance

Second, what can you do instead of buying insurance?

Self-Insurance

Something to consider if you can’t buy insurance is establishing “self-insurance” against a ransomware attack or other cyber incident. Your comptroller or CFO might like this idea. If you take the money equivalent to an annual insurance premium and invest that in your information security program, you can make your environment more secure.

Imagine this scenario:

The insurance premium for a small company (100 employees or less) can range anywhere from $15,000 to $25,000 a year for a $1,000,000 policy. Take that money and implement some of the basic security controls in NIST or CIS and you’ve improved your information security program right away. Strategically do that each year for five years and you will then have a much more secure environment that is resistant to cyber attacks.

Incident Response Services

Another option is to purchase incident response services in case you have a cyber incident. In this case you are purchasing reactive services for when something bad happens. It's not as good as preventing the incident, but you get help recovering from the crisis.

Limited Insurance

A third and final option would be to purchase a scaled-down or limited form of insurance that will help you with recovery from an incident but will not provide the payout of the ransom. The following are not insurance, but they are services you should consider purchasing:

  • Awareness and training services for your staff. This can potentially improve your defense against phishing e-mails or business e-mail compromise attacks.
  • Coaching for your executive team on how to handle a data breach or ransomware attack. Not everyone is prepared to respond calmly when a crisis occurs, so coaching can help.
  • Run a ransomware or data breach tabletop exercise (TTX). This allows your team to walk through the steps of a data breach or ransomware event and rehearse some of the decisions you will face in that kind of event.
  • Hire a ransomware negotiator to act on your behalf in case you are attacked. There are professional ransomware negotiators that assist with the price and payment if you choose to pay the threat actor.

These are just a few of the steps you can take if you can't purchase cyber insurance at a price you can afford. One other action to consider is partnering with an expert vendor that specializes in information security and in helping companies establish and strengthen their cybersecurity programs. Contact our security team today to get your security program on the road to insurability.

In my next blog, I’ll talk about what we can expect on the cybersecurity front in 2022.


Read the cyber insurance series from John Bruggeman:

Cyber Insurance, part 1: What is cyber insurance, and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Cyber Insurance, part 3: Filling out the questionnaire

Catch up with these tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?