
Focusing on security in digital transformation

When your company starts to think about a digital transformation, they must consider how they will secure the data that is critical to the business. The strategic benefits of a digital transformation can quickly be lost if the data you are storing in the Cloud or on mobile devices is lost, stolen, or compromised.

Just as the move from mainframes to minis to PCs transformed how businesses operated in the 80s and 90s, the opportunity to enhance and upgrade your business using the best technology platform can transform your business and prepare it for exponential growth. At the same time, using the best security technology during a digital transformation ensures that you can focus on that growth and not persistent threats to your data and systems.

What does it mean to go through a digital transformation?

For most companies, digital transformation has three main components—resiliency, scale, and speed to market—and involves re-writing, re-architecting, and re-platforming legacy and traditional applications into cloud-native modern apps. These new applications allow for a mobile-first design that pushes data and security out to the edge device.

A sample of transformative steps a company can take are:

  • Transform and move back-office processes to a cloud-hosted solution.
  • Shift to a mobile-first philosophy and leverage IoT devices.
  • Allow your products or services to be consumed on a subscription basis.
  • Move to an agile software development process focused on the customer.
  • Permit staff to work from anywhere, on any device.

To ensure the success of these steps and the value they can bring, information security must be part of the discussion as key strategic decisions are made. Furthermore, knowing the exact location of the data on which these systems rely can help protect your company’s data and the long-term health of the organization.

Digital transformation security will require a culture change

As companies compete with innovative ideas and first-to-market tools, the security team supporting these advances also must adapt and change. However, a sticking point for innovation is the ongoing support of legacy applications. A report by Deloitte in 2020 noted that the average IT department devoted 50% of their budget to maintenance and only 19% to innovation. A 2020 survey conducted by the Ponemon Institute reported that 82% of the respondents believe their organization experienced a data breach because of the company’s digital transformation. Clearly, innovation and security must happen simultaneously.

CIOs investing in a digital transformation strategy know that integrating a new culture of security at the beginning of the digital transformation will create a sound foundation for a transformed company. No single security tool or policy or procedure can protect all the data. What will protect the data is a mindset that says, “I am as responsible for security as much as the CISO is.”

Ultimately, it is all about the data

Before a digital transformation, information security teams could expect to have firewalls at the edge to protect the internal network. All work was conducted on company-owned hardware connecting to the internal network where centralized data centers protected the crown jewels of your data 24×7.

As legacy systems are transformed and updated, however, new security tools and controls are needed to protect and monitor who can access the data and what they can do with it. Accordingly, security tools need to move up the stack: legacy tools focused on the network and the host give way to application-layer controls focused on the data. The goal is to protect the data, not the device or the network.

The four must-have modern security areas for your digital transformation security plan

Zero Trust Network Access

Zero Trust Network Access is not a product or an SKU you can buy, but a mindset that starts with the expectation that no device is trusted, and no user is trusted. Instead, trust must be demonstrated and verified before access is granted to an object or system or service. Read more about ZTNA here: https://www.cbts.com/blog/zero-trust-networks/

Third-party risk management

When you move applications to a cloud-hosted solution, you are trusting your data and systems to a third party. You now need to manage the risk that exists with that third party on a regular basis and confirm that the provider you are using has the same, or better, security posture as your own. Learn more about securing your supply chain: https://www.cbts.com/blog/how-do-you-ensure-the-security-of-your-supply-chain/

IoT device management

During a digital transformation, a myriad of devices will interact with your systems and data. While your transformation will initially focus on mobile devices with people making the requests, you also want to design for IoT devices—like Alexa or Siri—and how they can interact with your cloud-hosted applications, and what security concerns arise. See how IoT impacts the medical field: https://www.cbts.com/blog/digital-transformation-in-healthcare-begins-in-the-cloud/

Cloud security controls

As your new cloud-native applications are brought into production, your security team will need to use cloud security controls, like CASB, CSPM, and CWPP. Cloud access security brokers (CASB) are cloud-native security tools that ensure users in your environment can access only the cloud services that they are allowed to access. Cloud security posture management (CSPM) monitors your cloud environment and alerts you when security permissions are not set correctly for a system or data. Cloud Workload Protection Platform (CWPP) is a security tool that makes sure that the applications running in your cloud environment are protected from malware and viruses. Read more about these controls: https://www.cbts.com/blog/cloud-security-controls-mitigate-risk/

In conclusion

Plainly, security must be part of the conversation as you plan your digital transformation. Whatever plan you make, security is at least as important as the reasons your company pursues its transformation. If you have questions about how to integrate security into your plan, contact our security team.

Enhanced supply chain security and optimization through cloud computing

The need for supply chain security

Managing supply chains has never been more complicated. There are numerous threats to fragile supply chains. Cyber attacks and malware are growing in number and complexity, seemingly daily. Supply chains are an attractive target because they offer a backdoor into dozens or hundreds of companies’ systems that are a part of the chain. To combat the eventuality of these events and bolster supply chain security, Disaster Recovery as a Service (DRaaS) furnishes backups of mission-critical data.

Beyond the external threats are the internal ones: aging infrastructure, poorly optimized data, lack of flexibility and scaling, and no backup plan. These variables limit business agility, and modern supply chains demand that companies be able to pivot on a dime with little notice. Cloud technology has risen to meet the challenges of maintaining fluid supply chains. AI and machine learning tools grant insights into existing data streams while best-in-class security systems actively monitor and seek out evolving malware threats. This blog will examine how cloud computing provides supply chain security and optimization solutions.

Supply chain optimization

Optimizing a supply chain entails getting the most out of your data flows and securing said data through backups and security measures. Cloud-native predictive AI tools can help you analyze trends and stay ahead of supply chain disruptions. IoT devices and monitoring tech such as RFID tags track products during each step of the journey from manufacturing to purchasing to fulfillment. The Cloud allows for greater visibility and security across the supply chain.

Cloud systems also offer more opportunities for automation and simplification of supply chain management. APIs can simplify integrations across platforms and are valuable tools for creating complex automation workflows. Automatic backups are one of the core advantages of utilizing the Cloud.

Advanced security is another advantage of using the Cloud in supply chains. Public clouds, such as Google Drive and Microsoft OneDrive, have some of the best minds in security working around the clock to stay ahead of cyber criminals. However, many supply chains implement a multi-cloud environment. Smaller cloud providers may not have as robust security as industry leaders and may leave backdoors open to hackers. Multiply this by the number of companies and systems linked via a supply chain, and the potential for vulnerabilities explodes.

Data must be secured in all locations — onsite, in the Cloud, on third-party systems, and via a separate DRaaS solution.

Supply chain security fundamentals

Creating a secure supply chain is a two-fold strategy that involves identifying vulnerabilities and creating an automated backup system with disaster recovery as a critical component.

Addressing vulnerabilities includes:

  • Deploying AI-driven security tools to seek out and destroy ransomware before it becomes a threat.
  • Creating an inventory of potential system security weak points.
  • Incorporating password best practices company-wide.

Creating a robust data protection program involves:

  • Automating backups to the Cloud.
  • Enacting cloud security best practices, which include solutions such as Zero Trust Networks.
  • Utilizing an encrypted unified data storage solution such as a data lake.
  • Using a DRaaS solution to allow for a speedy recovery from a cyber attack or natural disaster.

Learn more: How do you ensure the security of your supply chain?

Scaling and flexibility

Maintaining national or global supply chains comes with a great degree of uncertainty. Responding to shortages, overstock, or even crises is vital to modern supply chains so corporations must scale and pivot as needed.

A cloud environment is an ideal resource for scaling in near real time. You pay for storage or services as needed. With the mass adoption of serverless computing and microservices, you can drill down and develop the exact tools you need when you need them and deploy them across platforms. Additionally, AI keeps you agile by flagging potential issues. Your data works harder by providing invaluable business intelligence that translates into informed strategic decisions.

Data protection and recovery

DRaaS experts are vital to your supply chain because malware is always evolving and may eventually be able to target cloud backups.

How malware works now

While familiar tactics like phishing or spear phishing are still around, dangerous new ploys threaten supply chain security. For example, malware can now be implanted directly in documents and images. Another approach is to lock the disk drive itself rather than individual files. One particularly insidious assault uses malware with a timer that may remain dormant for months or even years. Hackers know to target older systems that may have more vulnerabilities.

Protection through DRaaS

Increasingly, companies must contend with climate change-fueled disasters that may damage business locations and devastate vital systems. Properly setting up DRaaS is a safeguard against both malware and catastrophic events. A DRaaS system should be a secondary, offsite cloud backup system; even though cloud vulnerabilities exist, a DRaaS can be made inaccessible to hackers and bad actors through expert setup.

Maintaining supply chain security now and into the future

Managing and securing supply chains remains one of the most significant business challenges. CBTS can help you optimize and secure your supply chain. Our experts craft custom solutions to address security, backups, and supply chain data insights through cloud-based solutions.

With decades of experience under our belts, CBTS helps our clients make sense of supply chain management. We partner with industry-leading technology providers, and our thousands of certified engineers and project managers make navigating evolving technology a breeze.

Get in touch today to learn how to optimize and secure your supply chains with cloud technology.

Overcoming a weakness in MFA with Duo Verified Push and RBA

For many organizations, multi-factor authentication—or MFA—is the first line of defense against the chance that an employee’s credentials have been compromised. If one of those credentials is compromised, the unauthorized user will fail subsequent tests and be blocked from spaces both physical and digital. Organizations do not usually create this system and instead rely on products like Cisco Duo to manage MFA for them.

Remember that multi-factor authentication is based on the rules of authentication: Something you know (your password), something you have (your cell phone or mobile device), and/or something you are (like your fingerprint or other biometric). Ideally, if you can’t provide or authenticate through one of these as required, your access request is denied. At the same time, a single one of these items that is stolen or compromised should not permit unauthorized entry into company systems.

MFA is a critical piece of other security measures, like zero trust networks. Read more: Zero Trust Networks (ZTN): what are they and how do I implement one?

Attackers take advantage of human weakness to create MFA fatigue

Flaws can emerge in any good process. In this case, the weakness is MFA fatigue, which can be a real problem for companies trying to improve their cybersecurity programs. Several corporate breaches have occurred due to an employee approving an MFA request despite the fact that they are not actively authenticating into an application or computer system. The threat actor or criminal attacker can attempt to bypass MFA by first repeatedly sending SMS text messages or Authenticator push requests to a compromised account where the attacker knows the username and password.

Duo, probably the most popular MFA vendor, has provided Duo Push for years as a secure method for authentication. Attackers exploit Duo Push from a social engineering perspective, repeatedly sending requests that eventually coerce the end user into approving an illegitimate request. The attacker is counting on the fact that the end user will approve one of the authentication requests to make the requests stop. This attack exploits a weakness of human nature—giving in when fatigued—to bypass the MFA security control. In response, MFA vendors have come up with some very interesting approaches to counteract this weakness in MFA.

Duo Push requires equal effort for the end user to approve or deny the transaction. If you are faced with a dozen or more push requests and denying each one keeps presenting another push challenge, eventually the end user—who is becoming irritated seeing this over and over—is going to press “approve” to see if they get a different outcome. After all, one of the definitions of insanity is doing the same thing over and over again but expecting a different outcome.

How did Duo strengthen its MFA offering?

To combat this, Duo has released the Verified Push feature, which is currently in public preview and will be available to all license levels of Duo. This is a helpful feature and one I think any Duo customer should consider testing, if not deploying.

Instead of the single-tap “approve” or “deny” response characteristic of MFA, Duo Verified Push requires the end user to enter a three-digit code that pops up on their phone screen as part of a push notification in order to approve the authentication request. The end user must take an action and actively participate in the approval process by entering the three-digit code. Incidentally, you can increase the code from three to up to six digits.

I think this approach will work because we are all being trained to be more suspicious. Imagine the attacker sends multiple MFA requests hoping to fatigue an end user who is configured for and expecting verified pushes. The actual legitimate user must enter the three-digit code on one of those requests in order to approve the request. What’s more, it takes less effort for the legitimate end user to deny the fraudulent requests if they know they are not currently trying to access an application. If you are being harassed with pushes, why would you make the extra effort to enter the code? Your security team can also follow up with training that under no circumstances should an end user enter the code unless they are actively authenticating to an application, device, or operating system. That can be laid out in the acceptable use policy for your organization, along with the threat of termination for violation.

Read up on other critical security training your organization needs now: The value of phishing simulation in a strong security program.

Duo takes a big step toward overcoming weakness in MFA

One step up from Verified Push is Risk-Based Authentication (RBA) from Duo, another new feature in public preview right now that is part of their arsenal to address MFA fatigue and continuous trusted access. Unlike Verified Push, RBA will not be available in all Duo offerings. Duo has three feature license tiers: MFA, Access, and Beyond, and you’ll find RBA only in the higher-level Access and Beyond tiers.

RBA takes a different approach to MFA fatigue. RBA changes the acceptable authentication methods based on the perceived risk at that point in time for that account. For example, RBA can step up the MFA requirement to a Duo Verified Push if multiple standard Duo Pushes are being denied, which indicates that an attacker is trying to fatigue an end user into supplying an approval.

RBA also now leverages enhancements in Remembered Devices to determine changes in risk. For instance, if a user turns on their corporate-issued device while within the office walls, the Remembered Devices policy in Duo would generate a secure device token that allows that user seamless access in that office environment. If the user then accesses those same resources remotely, Duo would detect the location change and require the device to re-authenticate. Subsequently, if that location has never been seen before, Duo could force a Duo Verified Push and, over time, learn the user’s pattern of successful logins. RBA then eliminates the need to use more aggressive verification methods until the next high-risk authentication request is received.
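The flow described in the Verified Push and RBA paragraphs above, as a toy model added here for illustration; it is not Duo’s code, and the denial window, the denial threshold and the never-seen-location rule are assumptions chosen to mirror the behaviour the text describes.

```python
"""Toy model of push MFA with Verified Push and risk-based step-up (added example).
Not Duo's implementation: the thresholds, the denial window and the new-location
rule are assumptions chosen to mirror the behaviour described in the text."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DENIAL_WINDOW_SECONDS = 300   # assumed: how long a denied push counts as a risk signal
DENIAL_THRESHOLD = 3          # assumed: denials in the window that trigger step-up


@dataclass
class AccountRisk:
    denied_push_times: List[float] = field(default_factory=list)
    known_locations: Set[str] = field(default_factory=set)


class PushAuthenticator:
    """Server side: issues pushes, picks the method by risk, validates responses."""

    def __init__(self, code_digits: int = 3):
        self.code_digits = code_digits          # the text notes this can be raised to 6
        self.accounts: Dict[str, AccountRisk] = {}
        self.pending: Dict[str, dict] = {}

    def _risk(self, user: str) -> AccountRisk:
        return self.accounts.setdefault(user, AccountRisk())

    def required_method(self, user: str, location: str, now: float) -> str:
        """RBA decision: a plain push is acceptable only when recent risk is low."""
        risk = self._risk(user)
        risk.denied_push_times = [t for t in risk.denied_push_times
                                  if now - t <= DENIAL_WINDOW_SECONDS]
        if len(risk.denied_push_times) >= DENIAL_THRESHOLD:
            return "verified_push"          # someone is hammering this account
        if location not in risk.known_locations:
            return "verified_push"          # never-seen location, as in the text
        return "push"

    def send_push(self, user: str, location: str,
                  now: Optional[float] = None) -> Tuple[str, str, Optional[str]]:
        """Start an authentication and return (push_id, method, code). In this model
        the code is revealed only to whoever started the login and must be typed
        into the push response; a plain push carries no code."""
        now = time.time() if now is None else now
        method = self.required_method(user, location, now)
        code = None
        if method == "verified_push":
            code = "".join(secrets.choice("0123456789") for _ in range(self.code_digits))
        push_id = secrets.token_hex(8)
        self.pending[push_id] = {"user": user, "location": location,
                                 "method": method, "code": code, "time": now}
        return push_id, method, code

    def respond(self, push_id: str, approve: bool,
                entered_code: Optional[str] = None) -> bool:
        """Device-side response. A denial is recorded as a risk signal; approving a
        verified push succeeds only with the exact code, so a fatigued tap is not enough."""
        push = self.pending.pop(push_id)
        risk = self._risk(push["user"])
        if not approve:
            risk.denied_push_times.append(push["time"])
            return False
        if push["method"] == "verified_push":
            if (not entered_code or not entered_code.isascii()
                    or not secrets.compare_digest(entered_code, push["code"])):
                return False
        risk.known_locations.add(push["location"])   # learn successful-login behaviour
        return True
```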

RBA strengthens a system of authentication types

Duo supports a large number of authentication types. Secure authentication types available in RBA include Duo Verified Push, WebAuthn security key, a platform authenticator such as Touch ID, or an OTP (one-time password). RBA allows you to determine which authentication methods are acceptable once Duo has identified a specific MFA request with more associated risk than a standard MFA login, overcoming weakness in human nature with a process that attackers can’t plan for. RBA is a welcome addition to balance more aggressive authentication method requirements with end user ease of authenticating. It only steps up the requirements when a risk is perceived, which addresses potential pushback from the user community if more aggressive methods were standard authentication mechanisms.

Get more information on RBA, including RBA’s enhanced Remembered Devices functionality: https://duo.com/docs/risk-based-auth

If you are a Duo customer, the CBTS security team would be happy to consult with you how to best implement these Duo features and fight the MFA fatigue that is likely growing among your users. If you are looking for an MFA solution, then you definitely need to consider Duo. CBTS would love the opportunity to show you how it works and recommend other managed security services.

Information privacy is not the same thing as information security

When talking about information privacy, some people think it’s the same thing as information security, but for security professionals, they are not the same thing.

If you talk about privacy, you are really talking about confidentiality.

When talking about keeping information—or data—secure, information security professionals focus on three key things: confidentiality, integrity, and availability, also known as the CIA triad, which is the foundation of any organization’s security program. If you think about it visually, it would look like this:

Venn diagram describing Privacy vs. Security

Privacy focuses on how personal data is used and controlled. The graphic puts privacy in that circle of how companies collect personal information, how they use that personal information in an authorized manner, and how they ensure the information is accurate.

Security focuses on keeping the data safe from unauthorized access and use, making sure the data is reliable and accurate, and ensuring the data is available for use when needed.

Let’s look at examples to show the difference between information privacy and security

We’ll start with Amazon, an entity that touches almost everyone’s information in some way, shape, or form.

Amazon and privacy

If you buy products online from a vendor like Amazon, you expect that they will keep the information you share with them confidential. This information includes things like where you live (shipping information), how you are paying for your purchases (credit card or debit card), what you buy (shampoo, jewelry, clothing, personal items), and how often you buy things (once a week, once a month, etc.). All this information that Amazon has stored about you is related to information (data) that you would most likely want to keep private.

Note that none of your order information is personally identifiable information (PII), except for your method of payment.

In this example, you shared personal information with Amazon with certain expectations: For starters that Amazon will keep that information private and not disclose it to just anyone; and secondly, that only authorized people at Amazon can see your personal information.

Despite all the questions this suggests, today we won’t go into how Amazon makes money from selling your information to various companies. The terms of use of your information are in the privacy terms between you and Amazon.

Amazon and security

From Amazon’s point of view, the focus is the CIA triad and ensuring that:

  1. The information they are storing about you stays confidential (e.g., it’s not stolen by a competitor or criminal gang).
  2. This data maintains its integrity, that is, it is not changed in some way by someone (e.g., your order is changed from 1 pair of socks to 10, or the price is changed from $10 to $1).
  3. The data is available, so that you can see your order anytime, day or night, from anywhere on any device.

Equally important to Amazon is that this data is available to them when they want it so they can pick the right quantities, ship it to the right address, charge the right credit card, etc.

In this example, Amazon keeps the information you share confidential and available, and at the same time ensures that it hasn’t been modified and has maintained its integrity. For more on privacy, review how SD-WAN answers the challenge of remote workforce networking.

How do financial institutions treat information privacy and security?

As a consumer, one of your primary concerns is the trustworthiness of the business that takes care of your hard-earned money.

Your bank and privacy

Your bank or credit union has a lot of sensitive information about you, much of which is personally identifiable information, or PII. They know your name, address, age, social security number, and bank account numbers; the balances of your credit card, mortgage, savings and checking accounts; and the amount of your paycheck and how frequently you are paid. You most definitely want this data to remain private and confidential.

Not surprisingly, your bank also wants to keep your information private, particularly according to Federal regulations regarding PII and PCI (credit card). At the same time, your bank wants you to feel like you can trust them with this very private, very personal information.

Incidentally, banks also sell your information based on the privacy agreements that you agreed to when you opened the account, but this is a topic we also won’t address in this blog post.

Read up on how CBTS UCaaS services are PCI compliant.

Your bank and security

Banks also want to keep your information secure, and they also follow the CIA triad. They make sure your information is kept confidential, so that only the appropriate people can see your PII and other bank-specific information.

To prevent your account balances from being manipulated in some way, the integrity and accuracy of your account information is essential to your bank or credit union. Your bank also makes your account information (your data) available so that you can check your balances and access your money any time, from anywhere. Like Amazon, the bank works to keep your information confidential and available and maintains the integrity of the data so that it is used appropriately and according to the privacy terms you agreed to when you opened the account (see the privacy terms for US Bank).

Are you all clear on information privacy and security now?

Hopefully these examples help clarify the difference between privacy—keeping your sensitive data private—and security—which ensures that your data is kept confidential and available in a way that maintains its integrity.

If you want to limit what any business—like Amazon or your bank—knows about you, find and review the data sharing policies with the companies you use. Also, some companies provide options for limiting how your personal information is shared with other companies. Those details are in the company privacy policies which you can typically and easily find online. Security doesn’t just happen. Learn why you should do information security awareness and training.

Software bill of materials (SBOMs): what is it good for?

Absolutely EVERYTHING!

A software bill of materials lists the components used to build an application.

As an attack vector, the computer supply chain is an attractive one, and attacks on it continue to rise. Most people view a supply chain attack as something that affects only hardware. A typical scenario would involve a malicious actor working in a factory. This bad actor installs chips into the hardware that allow some kind of remote access once the system is booted or, alternatively, pre-installs malware on a hard drive before the computer ships. But these days this can also include a “software” supply chain.

The hardware world has long had a complete list of components shipped as part of a system delivery known as a “Bill of Materials.” This BOM provides the customer with a detailed inventory of all the parts and pieces of a box, usually down to the types of memory installed, the processor model, everything. On rare occasions, this would include at least a starting firmware/software version, whatever the OEM put into the system itself.

A software bill of materials (SBOM) is the software equivalent of the hardware version: a list of all the components used to build an application, including any open-source or commercial components in addition to whatever code is original to the vendor. SBOMs, though, have not been quite as standard as their hardware counterparts.

Read more: How do you ensure the security of your supply chain?

Why is a software bill of materials important?

Not surprisingly, the information in a bill of materials can help determine how to fix something on whatever system to which the BOM is referring. On the hardware side, serial numbers, component specifics, and overall product identification numbers are essential when replacing a hard drive, motherboard, memory module, or any other hardware item.

Think of a software bill of materials (SBOM) in the same context. Wouldn’t it be simpler to fix a software bug if you had a list of all the additional software components in an application? Wouldn’t you sleep better at night knowing that your application consumes a specific Python library for input and output? What about your logging components? And—I’m just spitballing here—wouldn’t it be great to know for sure that you didn’t have a vulnerable version of a logging component for some, oh, I don’t know, web server like Apache?

Yeah, I know: it seems so far-fetched that something like that would ever be a threat, right?

Not only is it important to know where your software comes from, it’s also important to know what software components and shared libraries you have running on your devices or inside your applications. That’s where the concept of a software bill of materials comes into play.

With an inventory of all the software components used in an application or on a deployed device, your organization can finally figure out if you use Open Source Software library A, or custom software library B, and then which asset has which version!

Certainly, that would make those late-night calls over winter vacation much easier to take, as the solution to the question “do we run this?” would be right at your fingertips!

More on avoiding late-night, vacation-time emergencies: Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Aren’t software bills of materials already standard procedure?

Unfortunately, no.

The good news is that the National Telecommunications and Information Administration (NTIA) has been thinking about this concept since 2018! They’ve put together a site for practitioners to use and learn about SBOMs, and have written up some FAQs and consumable documents that help guide anyone new to this concept. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has created weekly workstream meetings to share information with anyone interested, based on different topics. You can find the workstream events listed here.

What to do in the meantime

Ultimately, either generating your own software bills of materials or asking your vendors to supply them will substantially increase your ability as an organization to answer those age-old questions:

  1. Are we vulnerable to this new zero-day vulnerability?
  2. Where exactly are we vulnerable to it?
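One way to answer those two questions from SBOMs, as an added example that is not part of the original post: the CycloneDX-style SBOM documents, the asset names, the component name acme-logger and the affected version range below are all constructed placeholders, not a real advisory.

```python
"""Query SBOMs to answer "are we vulnerable, and where?" (added example).
The three SBOMs and the advisory are constructed sample data."""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed CycloneDX 1.4-style SBOMs, one per deployed asset (example data only).
SBOMS: Dict[str, str] = {
    "web-frontend": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "web-framework", "version": "5.2.0",
             # transitive dependency nested under the framework that pulls it in
             "components": [
                 {"type": "library", "name": "acme-logger", "version": "1.3.0"}]},
            {"type": "library", "name": "json-parser", "version": "2.0.1"},
        ]}),
    "billing-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "acme-logger", "version": "1.4.2"},
            {"type": "library", "name": "db-driver", "version": "3.1.0"},
        ]}),
    "batch-worker": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "acme-logger", "version": "1.4.0"},
        ]}),
}

# Constructed advisory: placeholder component name and range, not a real CVE.
ADVISORY = {"name": "acme-logger", "affected": ">=1.0.0,<1.4.2"}

_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9A-Za-z.\-]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); a trailing tag such as '1.4.2-rc1' keeps only numeric parts."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare version tuples, padding the shorter one with zeros ('1.4' == '1.4.0')."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def version_matches(version: str, spec: str) -> bool:
    """spec is a comma-separated AND of clauses, e.g. '>=1.0.0,<1.4.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        op, c = m.group(1), _cmp(v, parse_version(m.group(2)))
        if not {">=": c >= 0, "<=": c <= 0, "==": c == 0,
                "!=": c != 0, ">": c > 0, "<": c < 0}[op]:
            return False
    return True


def iter_components(comps: List[dict], path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], dict]]:
    """Walk a CycloneDX component tree, yielding each component with its dependency path."""
    for comp in comps:
        here = path + (f"{comp['name']}@{comp.get('version', '?')}",)
        yield here, comp
        yield from iter_components(comp.get("components", []), here)


def find_affected(sboms: Dict[str, str], advisory: dict) -> Dict[str, List[str]]:
    """Map each affected asset to the dependency paths that bring in the bad version."""
    hits: Dict[str, List[str]] = {}
    for asset, raw in sboms.items():
        bom = json.loads(raw)
        for path, comp in iter_components(bom.get("components", [])):
            if (comp.get("name") == advisory["name"] and "version" in comp
                    and version_matches(comp["version"], advisory["affected"])):
                hits.setdefault(asset, []).append(" > ".join(path))
    return hits


if __name__ == "__main__":
    for asset, paths in find_affected(SBOMS, ADVISORY).items():
        print(asset)
        for p in paths:
            print("   ", p)
```

The nested component in web-frontend is the case an inventory of direct dependencies alone would miss: the vulnerable library arrives through the framework, and the printed path shows which component to upgrade.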

If you find yourself needing to create the SBOM yourself, be sure to visit that NTIA site, which also offers guides to creating SBOMs, evaluating the many online resources to help you out, and dispelling misconceptions about SBOMs (for example, they are not really a roadmap for hackers; the benefits to you are far greater than to a hacker who has so many other exploits available).

Taking time and care to catalog your software components correctly (and update that catalog frequently!) will help you and your leadership sleep better at night. For the most part.

Sleep even better with help from our security team! Contact us today with your security needs.

Read up on things you can do right now to strengthen your security posture:

Why should you do information security awareness and training?

Car parts and cybersecurity: what is Google dorking?

The value of phishing simulation in a strong security program

Improve your cybersecurity defense with centralized logging

Why should you do information security awareness and training?

I am a shameless promoter of information security awareness and training (A&T).

Information security and awareness training can decrease the number of incidents that your company or organization experiences in a given year.

If I could get people to take three or four minutes of training on information security every week, I would do it.

I want everyone to be able to detect phishing emails and fake text messages quickly and easily.

I hear some of you groan in frustration and say, “Why bother? It doesn’t work!”

I strongly disagree.

I don’t agree that end users are the “problem,” that they can’t learn how to protect themselves and their data.

I see end users as normal human beings who want to do the right thing, to do their jobs and not make mistakes. In the same vein, the bad guys out there are working very hard at their job to trick our users, our friends, and our family.

The bad guys spend hours and hours learning what people will click on in an e-mail, identifying the exact words that trigger the urge to help out and click the link in that malicious e-mail. Or call that fake 800 number to fix a problem. Or quickly answer a request from the president or CFO or CIO.

Without a doubt, the potential consequences of that click, call, or answer are exactly why information and security awareness belongs on your list of infosec priorities.

Read more: Essential security practices to protect your business

So who needs information and security awareness training?

Everyone!

Absolutely everyone in your company or organization needs regular A&T. From the CEO and CFO, the CIO to the admin at the front desk, everyone, all the way down the line. A&T that starts at the top is the most effective. If the CEO believes that A&T is valuable and worth doing, then the program will be significantly more effective.

Ok, tell me more about this training 

First, it’s both awareness and training. If you make your users aware of the risks, the threats that are out there, and why they need to be on guard or on alert, then the training will be more effective. At the same time, you don’t want to go down the FUD route (fear, uncertainty, and doubt). Be honest with your users and let them know that they are targets.

There are criminal organizations that do nothing but gain access to companies and organizations. These organizations are called access brokers. They are the groups that send out a blizzard of e-mails aimed at stealing credentials. These access brokers then sell that access to the ransomware groups who do the damage and encrypt or steal the data and demand the ransom. The threats to you and your company or organization are real, and they are persistent, and they evolve.

Second, be aware that people retain information and learn new skills differently, so your training will need to be adaptive. Some people like written instructions with short quizzes at the end to test what they learned. Some people like roleplay training or training wrapped in a short video (either animated or live action). Some like classroom-based training where they sit down—with others—and hear someone talk about a security topic (think brown bag sessions). They want to be with others in order to learn the material. The good thing is you have options for providing training for your users.

Alright then, when and where do you do this training? 

All year long, not just once a year. People need regular awareness and training just like computers need monthly patching.

Training—like patching—should happen monthly, or even weekly, to get the best bang for your buck. We live in a complex world with active threats that continue to evolve. Your training has to be frequent and needs to evolve as the threats evolve.

Those of us in information security preach the gospel of monthly vulnerability scanning and monthly patching. But often, we don’t preach quite so much about monthly awareness and training.

A&T helps, and I know that firsthand, as a preacher of the Gospel of Training, chapter 1, verse 1: “Train your users regularly.”

As for where to do the training, do it wherever people will take it. You might do monthly lunch-and-learns, either face to face or online, or computer-based training that is designed for mobile devices or PCs. We are far enough into this decade that you can find companies that offer computer-based training or other kinds of training that will fit your budget and needs.

The benefits of information security awareness training 

Besides potentially decreasing the number of incidents that your company or organization experiences in a given year, a good information security awareness and training program can:

  • Help lower your cyber insurance premium.
  • Help you meet regulatory compliance requirements.
  • Help better protect your employees on the job and at home.

What’s more, what you spend on a good A&T program can be offset when you factor in the benefit of recovering from fewer incidents and lower cyber insurance premiums. It is money well spent. What do you do for ISAT (information security awareness and training)? Please feel free to e-mail me with comments or questions.

Read more from John Bruggeman:

Why test patches before deploying to production?

Cloud security controls that help mitigate risk

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

2023 Strategic Roadmap: The Future of SD-WAN

The future (and arguably the present) of networking belongs to the Cloud. Legacy WAN networks deployed on aging MPLS systems can no longer handle the sheer amount of data, processing power, and security needed to keep businesses competitive. The resources required to maintain legacy networks are becoming increasingly untenable. More and more, we find on-prem data centers reaching the end of their lifespan, requiring migrations to a cloud-based network. Software-defined wide area network (SD-WAN) is a robust methodology that shifts the burden of data flow from hard-line MPLS networks to the cloud.


SD-WAN deployment benefits include increased network speed, less downtime, and increased efficiency across the board. Additionally, it expands data real estate. Companies need real-time access to their applications, mobile data, at-home devices, and data from IoT devices. As a result, the number of points of presence (PoP) for many companies, especially those in the healthcare field, has grown exponentially. Because of this, the number of potential vulnerabilities for cyberattacks has grown to match. As such, the future of SD-WAN will hinge on current and cutting-edge security tools such as SASE, ENI, and specific deployments of machine learning (ML) and AI.

What is SD-WAN?

In a nutshell, SD-WAN architecture shifts the control of a wide area network for a company and its branches from an onsite data center and hardware to cloud-based software. This software controls connectivity, data management, and the flow of information from headquarters to company branches and remote workers. SD-WAN connection endpoints—branches, data centers, cloud platforms, or corporate offices—are referred to as the SD-WAN edge. As we’ll discuss in more detail later in the post, securing the edge network is a core issue vital to the future of SD-WAN.

According to a study conducted by Gartner with CBTS, the drivers of SD-WAN adoption are the need to:

  • Improve networking speed and agility.
  • Minimize or eliminate downtime.
  • Reduce costs and make predictable capital expenditures.
  • Optimize performance for end users and administrators.

Key benefits of SD-WAN

Switching to a cloud-based network has many company-wide benefits. Some of these include:

  • Dependable connectivity.
  • Faster network speeds.
  • Deployment over existing MPLS infrastructure.
  • Greater control of IT policy and permissions across the enterprise.
  • Easy monitoring of network performance.
  • Enabling managed services.
  • Enhanced security and early warning monitoring of potential threats.
  • Deployment of automation across the business-wide network.
  • Orchestration services such as Unified Communications as a Service (UCaaS).
  • Support for a range of cloud and multi-cloud platforms, including Microsoft Azure and Amazon AWS.

Also read: Key SD-WAN advantages your hybrid work-from-home model needs

The future of SD-WAN

Cyberattacks continue to grow in volume and complexity. In 2021, an attack of 17 million requests was recorded, coming from a botnet three times larger than any previously registered. The rate and escalation of cyberattacks are not slowing down. A second attack later that year—an attack of 22 million requests per second—dwarfed the first. Experts predict that another attack will soon surpass 30 million requests per second. Fortunately, cybersecurity measures continue to evolve as preventing cybercrime becomes a focus for enterprises and government agencies.

SASE

Secure Access Service Edge (SASE, pronounced “sassy”) is an architecture that utilizes SD-WAN via an encompassing cloud-native framework. First defined in 2019 by Gartner, SASE is a philosophical approach to cloud security instead of a set of tools or a specific technology. The SASE model merges networking and security to reduce hardware, simplify operations, and minimize security risks.

SASE engages with five core technologies:

  • Integrated SD-WAN
  • Cloud access security
  • Firewall as a Service (FWaaS)
  • Secure web gateways
  • Zero trust network access (ZTNA)

SASE is a borderless approach to networking, meaning it can support globally distributed teams and customers. Global environments allow employers to embrace a modern, work-from-anywhere mentality. Migrating to SASE PoPs optimizes where data lands in the network by combining software apps and data storage. Additionally, the integration of FWaaS refines and maximizes security measures for data centers. SASE reduces latency and results in a higher performing network by adding PoPs globally, so data doesn’t have to travel as far. These gateways provide the functionality, reliability, and access that teams and customers need.

ENI

Edge network intelligence (ENI) gives enterprises visibility into their end-user and IoT devices. ENI creates a complete view of the entire data plane for each user (wired and wireless), which allows IT teams to home in on issues such as latency via automatically generated issue tickets. ENI also proactively self-heals the network after problems have been identified. Another feature of ENI is integration with AI-empowered Network as a Service (NaaS) offerings such as Cisco Meraki or Juniper Mist.

Learn more: Thinking big on future of networking

AI/ML

ENI uses machine learning algorithms to detect, monitor, and interact with end-user devices across a client’s data estate. SASE providers also deploy AI to scan for threats and block attacks proactively.

But in terms of potential, AI and ML are just beginning to scratch the surface. AI/ML will be integral to the future of SD-WAN.

Other innovations

Beyond security advancements offered by SASE, ENI, and other AI solutions, other innovations will continue to trend as SD-WAN moves into the future. Those innovations revolve around:

  1. Operational simplicity.
  2. Automation.
  3. Reliability.
  4. Scalability.
  5. Solutions with flexible business models.

Given the movement of most industries, it also seems highly likely that future iterations of SD-WAN technology will work well with multi-cloud platforms and help to streamline those environments.

Strategic roadmap for the future of SD-WAN

Legacy MPLS architecture is nearing the end of its lifespan in many cases. Compounded with the surge of data streams from mobile, at-home, and IoT devices, networks are primed to falter in the immediate future without SD-WAN solutions. Replacing traditional networks in favor of SD-WAN will allow for greater agility, simplicity, and performance on every level of business operations.

CBTS is at the forefront of SD-WAN conversion for our clients. The flexibility of SD-WAN means that delivery is potentially borderless, with service in over 60 countries. Often, we can utilize existing MPLS networks to deploy SD-WAN quickly and efficiently. Our suite of managed services—including networking—is best-in-class and a valuable way to offload burden from IT teams.

Get in touch to learn more about future-proofing your business with our managed SD-WAN, networking, or security services.

Car parts and cybersecurity: what is Google dorking?

What do the search for old car parts and cyber reconnaissance have in common? Google dorking. Before you head off this page to check out life hack videos, let me explain.

What do old car parts and Google dorking have in common?

I have been using Google search, Google cache, and the Internet Archive for years now to help me find parts and information to support my classic car habit. It just so happens that many of the techniques I use are extremely effective for doing reconnaissance on your enterprise. What’s more, they are free and—while not well known by most—they are certainly used by attackers. Since I began this blog talking about car parts, you have probably guessed that I own a couple of classic cars. Anyone who has ever owned a classic car knows that you spend as much time looking for parts and repairing the car as you do driving it. (Sure, I could get replica parts more easily, but they are not always available and are often outrageously expensive. Besides, I would miss out on the thrill of the hunt.) Google dorking is what allows me to spend a little more time driving, just as it could give bad actors a little more time and information to attack your network.

Ok, so what is Google dorking, besides something that sounds super-nerdy?

Basically, Google dorking is taking advantage of advanced search techniques to ferret out information and uncover vulnerabilities that you wouldn’t otherwise find with a typical search.

There are a couple of basic search operators you can use with Google. Many know about the Boolean operators or the quotation-mark operator (enclosing a phrase in double quotes to match it exactly), but there are several more that can be quite interesting to use. For example, the site: operator. If you start your Google query with site:www.yourenterprise.com, Google will return only results from pages hosted at www.yourenterprise.com. Very handy. You can extract everything you might want to know about a specific site without having to wade through all the other non-relevant results. For instance, I use this operator to extract all the data about a specific car part out of an entire forum.

The more search terms you use, the fewer results from that specific site. Let me show you how I use that to my advantage.  Let’s say I search all the Craigslist sites across the country using the following syntax: site:*.craigslist.org post id: Datsun 14″ rims. Evidently, I am looking for Datsun 14” rims. The “post id:” is specific to only allow results where someone is selling something rather than returning a listing of offers from each of the Craigslist sites. As you probably guessed, the * is a wild card and will return results for all Craigslist sites across the country. How does this affect my enterprise security?

Now that you know you don’t need anything special to take advantage of Google dorking, you likely won’t be surprised that the site: technique I described above could be used to query every server in yourenterprise.com to look for literally anything. Another useful operator along the same lines is intitle:index.of name size, which will return directory file listings that have been left accessible to the public on the Internet. Combining this method with site:*.yourenterprise.com would list all the Internet-facing directory listings on every server in the yourenterprise.com domain—with a single query.
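The directory listings that query surfaces are pages your own servers generate, so you can look for them yourself before a search engine indexes them. The following is an added example (not code from the original post) that recognises the auto-generated index pages produced by Apache, nginx and IIS from their HTML; the pages and host names are constructed samples, and in practice you would feed it HTML fetched from your own servers:

```python
"""Find directory listings on your own web servers.

Added example, not code from the original post. It recognises the
auto-generated index pages (Apache, nginx, IIS) that the intitle:index.of
query above surfaces, so you can run the same check against your own
hosts before a search engine does. The pages below are constructed
sample HTML with constructed host names.
"""
import re
from html.parser import HTMLParser

HEADING_RE = re.compile(r"^\s*index of\b", re.IGNORECASE)


class _ListingParser(HTMLParser):
    """Collects the title, the h1 text, and whether a 'parent directory' link exists."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.h1 = ""
        self.parent_link = False   # href="../" or a link reading 'Parent Directory'
        self._current = None
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "h1"):
            self._current = tag
        elif tag == "a":
            self._in_link = True
            if dict(attrs).get("href", "") == "../":
                self.parent_link = True          # nginx style

    def handle_endtag(self, tag):
        if tag in ("title", "h1"):
            self._current = None
        elif tag == "a":
            self._in_link = False

    def handle_data(self, data):
        if self._current == "title":
            self.title += data
        elif self._current == "h1":
            self.h1 += data
        if self._in_link and "parent directory" in data.lower():
            self.parent_link = True   # Apache 'Parent Directory', IIS '[To Parent Directory]'


def is_directory_listing(html):
    """A page is a listing when it is titled 'Index of ...' (Apache, nginx) or
    carries the IIS parent marker, and in either case links upward. Requiring
    the upward link keeps an ordinary page titled 'Index of articles' from
    being flagged."""
    parser = _ListingParser()
    parser.feed(html)
    parser.close()
    titled = bool(HEADING_RE.match(parser.title) or HEADING_RE.match(parser.h1))
    return parser.parent_link and (titled or "[to parent directory]" in html.lower())


def audit(pages):
    """pages: {url: html}. Returns the URLs that expose a directory listing."""
    return sorted(url for url, html in pages.items() if is_directory_listing(html))


# Constructed sample pages (host names are placeholders).
PAGES = {
    "https://www.yourenterprise.com/backup/": (            # Apache autoindex
        "<html><head><title>Index of /backup</title></head><body>"
        "<h1>Index of /backup</h1><table>"
        '<tr><td><a href="/">Parent Directory</a></td></tr>'
        '<tr><td><a href="db-export.sql">db-export.sql</a></td><td>14M</td></tr>'
        "</table></body></html>"
    ),
    "https://files.yourenterprise.com/exports/": (         # nginx autoindex
        "<html><head><title>Index of /exports/</title></head><body>"
        '<h1>Index of /exports/</h1><hr><pre><a href="../">../</a>\n'
        '<a href="q1-report.xlsx">q1-report.xlsx</a>   01-Mar-2022 09:12   220K\n'
        "</pre><hr></body></html>"
    ),
    "https://intranet.yourenterprise.com/share/": (        # IIS directory browsing
        "<html><head><title>intranet - /share/</title></head><body>"
        '<H1>intranet - /share/</H1><hr><pre><A HREF="/">[To Parent Directory]</A><br>'
        '3/1/2022 9:12 AM 2048 <A HREF="/share/staff-list.csv">staff-list.csv</A></pre>'
        "</body></html>"
    ),
    "https://www.yourenterprise.com/": (                   # ordinary page
        "<html><head><title>Your Enterprise - Products</title></head>"
        '<body><h1>Products</h1><a href="/about/">About us</a></body></html>'
    ),
    "https://blog.yourenterprise.com/index/": (            # looks similar, is not a listing
        "<html><head><title>Index of articles</title></head><body>"
        '<h1>Index of articles</h1><a href="/2022/sbom/">SBOMs</a></body></html>'
    ),
}

if __name__ == "__main__":
    for url in audit(PAGES):
        print("directory listing exposed:", url)
```

Where the audit finds a listing, the fix is on the server rather than in the search engine: `Options -Indexes` in Apache and `autoindex off;` in nginx turn the feature off, and the cached copies discussed below will still need their retention to expire.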

Read more: Essential security practices to protect your business

Syntax is not the only way to do what Google dorking does

Two other similar tools make reconnaissance even easier. The first is Google Cache, which keeps a cached copy of web pages that are no longer available and keeps those web pages cached for about 90 days. The second is the archive.org Wayback Machine, which stores copies indefinitely. I mention both of these because companies believe they can remove what they deem sensitive information from their websites so it can’t be uncovered for reconnaissance. If the information was publicly accessible, there is a reasonable chance that it never goes away, thanks to the Wayback Machine. I use the Wayback Machine to look up web pages from 20 years ago that detail how to modify a particular part so it can be used today. With the Wayback Machine, you can take those orphaned links in forums that go nowhere and access the content they pointed to 10 or 20 years ago. Similarly, bad actors can access old web pages that companies believed they had made inaccessible, scrape potentially sensitive information, and create problems that you never anticipated.

Read more: Cybersecurity guidance from the top

Google dorking is anything but dorky

In conclusion, these are by no means the only Google dorking or tool options available for finding reconnaissance data about your organization with Google. They do, however, show how easy it is for an outsider to learn much more about your organization than they should be able to. True, it is one more thing to learn in order to improve your security posture, but it will pay to become alert to, and familiar with, what can be done with Google dorking.

If you need any help addressing questions about your enterprise security, please feel free to reach out to the CBTS Security Team.


Continue reading: Software bill of materials (SBOMs): what is it good for?

The value of phishing simulation in a strong security program

One of the more fiery topics of discussion amongst security practitioners and luminaries in 2022 is the role of phishing simulation and assessment in an enterprise security control strategy.

What role does phishing simulation play in your security program?

It has long been gospel that security awareness training is an essential practice for an organization taking security seriously. We need to continually remind our employees about the threats they face, and the responsibilities they carry to protect themselves and their employer from those threats. Training should be:

  • Consistently delivered, in a regular “drip” throughout a year, so that the message stays top-of-mind.
  • Current and relevant, covering recent attack trends in detail (and even using examples of tactics that have been successful against the organization) and focused on the behaviors and actions expected of employees.
  • Nontechnical, delivered “in their language” and in a way that they can understand.
  • Engaging, produced and executed with content that draws in the audience and impacts them.

The last point is particularly relevant in this discussion about phishing simulation.

Why we do phishing simulation

We characterize phishing simulation as the practice of delivering simulated phishing attacks to employees—along with associated training material—in an effort to teach them to recognize and respond to the real thing, but in a safe and educational setting. This practice is the manifestation of the principle of “experiential learning”. Since the 1970s, educators have considered this to be a formal field of education, and have explored its value as a part of a larger educational strategy. Our man Confucius said it well: “I hear, I know; I see, I remember; I do, I understand.”

Also, people remember best when they experience something rather than just read about it or watch a video on their computer.

Teaching your employees the “how-not-tos” of phishing

Applied to security awareness training, our goal is to have users experience the practice of receiving a phishing email that was unexpected, and then measure their response. Do they report it? Do they poke at it a bit before doing so? Do they fall for the fraudulent claims that come from the sender? Through this effort we determine their susceptibility—or their resilience—to this attack vector.

When our Security Consulting team does phishing simulation for our customers, we carefully craft content in coordination with their security team, identifying scenarios and approaches that are particularly troublesome for their users. We use tools to deliver the e-mail and web content that allows us to measure the responses from the targets: simply opening the message and reading the content; clicking the links or opening the attachments; or submitting data to a form built to steal credentials.

By developing several different campaigns with varied scenarios and content, sent to many different groups of employees, we can start to pinpoint weaknesses in their awareness of threats, and adjust the training to match. We also direct the users who engage with the content to training material on the subject immediately. We find those who have been told “you just failed a phishing test” are paying quite a bit more attention and are more ready learners. When organizations perform these exercises regularly with targeted training in between, we see improvement in the reporting metrics. Users are more likely to report not just the simulated attacks, but actual attacks, as opposed to engaging with them. As an example of the effectiveness, one of our financial services clients saw a 20% drop in “click rates” (users who open a link in a phishing e-mail instead of reporting it) over a three-year period after consistent training.

Read more: Why should you do information security awareness and training?

Criticisms of phishing simulation

Sounds great, right? Not to everyone. There’s been criticism about this practice, and it stems largely from teams who use unsavory content in their simulated campaigns. Think about an e-mail purporting to be from a company that promises to pay off all your student loan debt, or give you free lifesaving drugs if you’re a terminally ill patient. It’s pretty brutal to yell “surprise, we were just kidding, here’s some training!” after sending someone one of those e-mails. So it’s important to be sensitive about the pretext of a message we’re sending to train someone—we don’t want to be hurtful, even if the attackers don’t mind doing so.

Another study has shown that phishing training doesn’t help, and that people continue to click on phishing links. So there are contrary studies regarding the value of phishing training.

Hurt feelings aside, we need to face facts: historically, the only way to determine if our security strategy is viable against real attacks is to use real attacks to test it. This is why we do penetration testing! But machines and humans react differently, so we have a thin line to walk: do what the attackers do without causing actual trauma. Some consider the risk of that trauma to be so great that it isn’t worth the potential benefits of training. What if the previous financial customer I mentioned only saw a 5% improvement over the three-year period? Or a 1%? Is that worth the monetary cost of the practice, as well as the frustration of the users who are targeted? These are important questions!

Why phishing simulation puts the odds in your favor

Let’s think about this like we thought about the pandemic. Why wear masks? Not because it completely prevents the spread of a disease, but because it lowers the occurrence of spread. If I have a hundred opportunities to be infected in a day, and wearing a mask means even one of those hundred opportunities is eliminated, that’s an improvement.

We are in the business of reducing risk, and that means any positive change is valuable. The idea that “this security control didn’t eliminate all risk, so it isn’t useful” is nonsense, in my opinion. This same attitude says, because this endpoint protection solution stopped 19 of 20 pieces of malware but it allowed one, it is a failure. We know that’s illogical! That’s 19 pieces of malware we didn’t have to worry about—and, a situation where 19 attacks were unsuccessful is obviously better than 20 that were successful.

We cannot eliminate all risk, and those that set such a goal for themselves will always be disappointed and behind. They subscribe to an unrealistic, unattainable view of protecting an organization, and will be unsuccessful every time. Incremental gains in a security program’s effectiveness are not only meaningful, they’re usually the only type of growth we see. Rarely do organizations achieve wholesale, life-altering improvements in a short period of time. That’s the approach of a lazy security practitioner. But if we have 1,000 employees and we turn even one of them from a “clicker” to a “reporter”, that’s growth, and that means potentially dozens or even hundreds of chances to be compromised that are eliminated. In coordination with a larger strategy that includes other training, e-mail security systems, endpoint and network protection, least privilege, and strong authentication, we can start to have a real effect on minimizing the impact of these attacks.

How do we effectively use a phishing simulation?

Now, if you’re simply performing simulations to generate metrics and make your security team look successful, yeah, you’re going to have a bad time.

Simulations are useful as a way to identify weaknesses to which you will apply training. Here’s an example of what our security services team sees as a beneficial training cycle:

  • Acme Co receives a targeted phishing campaign that uses a Microsoft account credential theft attack and a scenario claiming to be a password reset request. A quarter of their employees (100 users) click the link, and 10% (40 users) submit credentials, resulting in a security incident.
  • Acme Co recovers and delivers training to their users, explaining what the attackers did, what they were after, and the recognizable content in the attack that was notable for future detection (an urgent request claiming to be from an authority figure, delivered in an unusual manner: an e-mail message). Users are asked to watch for these telltale signs, and report them in the future, even if they’re unsure if they’re dangerous.
  • Acme Co waits a month and delivers a series of phishing simulations.
    • To those that clicked the link, the same type of message as the actual attack is used.
    • To those that did not click the link, a similar, but slightly more sophisticated message is used, with slicker, more convincing graphics in the e-mail and on the website.
    • To those that reported the message, a simulation with the same attack vector (Microsoft account credential theft) but a different pretext (the employee’s manager is sending the e-mail) and scenario (the employee needs to verify their W-4 is up to date) is delivered.
  • The results of these exercises are collected and analyzed, with the following happening:
    • Employees that still fell for the simulated attack are coached in a 10-minute in-person/virtual training session by a member of the security team along with the employee’s manager.
    • Employees that ignored the message but did not report it are notified and reminded about the reporting process.
    • Employees that reported the simulated message are rewarded with a $5 Starbucks gift card.
    • Broad training content for all employees is updated to mention the telltale signs used in this type of attack and what to watch for.
    • A regular monthly communication to all employees mentions this phishing attack and re-emphasizes the warning signs and reporting process.
  • Acme Co repeats the simulation a few months later, with a slightly modified pretext and scenario and this time asks the user to provide their MFA one-time password along with their credentials. Results are analyzed and used to drive future training as before.
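The cycle above turns each campaign's raw results into two things: metrics you can compare across campaigns (the click rate quoted earlier) and a per-user plan for the next simulation and follow-up. The following is an added example (not the original post's material or CBTS tooling) that does both from constructed results for two campaigns; it assumes each user record holds the furthest action the user took, and that submitting credentials implies a click when computing the click rate:

```python
"""Turn phishing-simulation results into metrics and the next training cycle.

Added example, not from the original post or from CBTS's tooling. It
assumes each campaign yields one record per targeted user holding the
furthest action that user took: 'none', 'opened', 'clicked',
'submitted' (credentials entered) or 'reported'. The result sets below
are constructed sample data for two campaigns a few months apart.
"""
from collections import Counter

ACTIONS = {"none", "opened", "clicked", "submitted", "reported"}

# Constructed results: user -> furthest action taken.
FIRST_CAMPAIGN = {
    "alice": "reported", "bob": "clicked", "carol": "submitted", "dave": "none",
    "erin": "opened", "frank": "reported", "grace": "clicked", "heidi": "none",
}
SECOND_CAMPAIGN = {
    "alice": "reported", "bob": "reported", "carol": "clicked", "dave": "reported",
    "erin": "none", "frank": "reported", "grace": "none", "heidi": "opened",
}


def metrics(results):
    """Click rate counts everyone who went at least as far as clicking
    (submitting credentials implies a click); report rate is the goal metric."""
    unknown = {u: a for u, a in results.items() if a not in ACTIONS}
    if unknown:
        raise ValueError(f"unrecognised actions: {unknown}")
    total = len(results)
    counts = Counter(results.values())
    clicked = counts["clicked"] + counts["submitted"]
    return {
        "total": total,
        "click_rate": round(clicked / total, 3),
        "submit_rate": round(counts["submitted"] / total, 3),
        "report_rate": round(counts["reported"] / total, 3),
    }


def next_simulation(action):
    """Which follow-up simulation a user gets, following the cycle above."""
    if action in ("clicked", "submitted"):
        return "same_pretext"             # repeat the message they fell for
    if action == "reported":
        return "same_vector_new_pretext"  # credential theft again, different story
    return "more_sophisticated"           # did not click: raise the bar


def follow_up(action):
    """What happens to each user once the results are analysed."""
    if action in ("clicked", "submitted"):
        return "coaching_session"
    if action == "reported":
        return "reward"
    return "reporting_reminder"           # opened or ignored, but never reported


def plan(results):
    """Per-user plan: the next simulation variant and the follow-up action."""
    return {user: {"next": next_simulation(a), "follow_up": follow_up(a)}
            for user, a in results.items()}


def improvement(before, after):
    """Change in click and report rates between two campaigns, in percentage
    points; a negative click delta and a positive report delta are progress."""
    m0, m1 = metrics(before), metrics(after)
    return {
        "click_delta_pp": round((m1["click_rate"] - m0["click_rate"]) * 100, 1),
        "report_delta_pp": round((m1["report_rate"] - m0["report_rate"]) * 100, 1),
    }


if __name__ == "__main__":
    print(metrics(FIRST_CAMPAIGN))
    print(plan(FIRST_CAMPAIGN)["carol"])
    print(improvement(FIRST_CAMPAIGN, SECOND_CAMPAIGN))
```

Tracking the report rate alongside the click rate matters: a falling click rate with a flat report rate usually means users are ignoring messages rather than reporting them, which leaves the security team blind to the real attacks that the simulation is meant to surface.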

Remember that this is simply one piece of a larger strategy. Yes, it takes people and intentional planning and follow-up. That’s what good security looks like! Humans are harder to secure than machines.

Read up on all the security practices that are essential for protecting your business.

Conclusion

Like it or not, your users will be receiving phishing e-mails. You can’t stop every one of them from entering your inboxes. Either you teach them safely to recognize this content and respond well, or you leave them to their own capabilities and hope for the best. The attackers typically don’t share our qualms about using unsavory tactics. While we don’t want to stoop to their level, we do need to recognize that we’re facing actors that often go to any lengths to trick our users and we need to effectively prepare them for what they’ll face—and if reading about it in a slide deck or e-mail newsletter isn’t helping, we need to consider what will actually move the needle.

Contact us today to learn more about how we can help you build stronger security for your organization.

I just met a vuln named Follina

Happy summer, everyone! To celebrate, there’s a new Microsoft Windows zero-day vulnerability, currently classified by NVD as CVE-2022-30190, and nicknamed by the community as Follina. It exploits a flaw in the Microsoft Support Diagnostic Tool (MSDT) that uses the tool’s special protocol handler configuration to retrieve and execute arbitrary code from a remote system.

As a reminder to the newer folks on the scene, a vulnerability is classified as a “zero day” if the creator of the vulnerable product becomes aware of the vulnerability’s existence when an exploit for the vulnerability is made public.

Those are fun because it means:

  • The vendor has to hustle to understand the vulnerability and develop both workarounds and a patch.
  • There’s a chance this vulnerability has been in use by attackers for a while, but none of our security controls were able to detect it. It’s like finding a spy cam in your house—how long has it been there? Who put it there? How’d they get in? It’s really unsettling!

We’ve talked about this before—what happens when you’ve got a vulnerability in your systems, but no patch? How does your vulnerability management program handle it? In this case, the attack observed by researchers is triggered by a malicious Office document, which executes the MSDT call to grab the attacker’s code and run it. This is problematic—like most businesses, our organization tosses around Office documents like monkeys toss around bananas (that’s apocryphal; I have no idea if monkeys wantonly toss around bananas).

How do you solve a problem like Follina?

If there’s no patch currently, organizations are vulnerable by default, at least until the anti-malware controls deployed at the network and endpoint layers are updated to detect the exploit. Our first recommendation is to contact your security vendors and ask if they have rolled out, or are planning to roll out, detection or prevention for this attack. Mention Follina or CVE-2022-30190.

So, while we’re waiting for those updates, we still have to operate our business. It’s helpful to consider a workaround. Microsoft has released a bulletin describing a workaround for Follina that can be deployed to disable the MSDT protocol handler. To use this workaround, your organization needs to be able to implement configuration changes on your assets across the entire enterprise. Many companies depend on Group Policy Objects to do this, but that approach is often difficult if you have a remote workforce that isn’t checking in with your Active Directory daily.

Our second recommendation, therefore, is to use a mobile device management solution that can remotely control, implement configuration changes, and install software and updates to your fleet of workstations and mobile devices no matter where they are. There’s a larger problem here, though, that goes beyond this vulnerability. Attackers deliver malicious files to our users all the time—as e-mail attachments, or from malicious websites, or through social networks. What if we can’t tell at a glance if a document is benign or malicious? How can our organization defend against dangerous documents when receiving documents from third parties is a normal, everyday part of our business processes?

Something’s coming: treat it like a threat

Our third recommendation is to assume every document is dangerous. Each one needs to be evaluated before we can allow a user to interact with it—especially if the document originated from outside our organization.

Reputational and behavioral detection can often locate malicious files even if a signature doesn’t exist yet, and can be implemented everywhere these documents enter your environment—from the web, e-mail, or physical media. That means that these controls need to be enforced wherever your users sit, including remote locations that may be outside the on-premises network of your LAN.

You may also consider controls that can sanitize potentially dangerous documents as they flow to the end-user, or provide isolation features that protect the user’s workstation during e-mail and web browsing.

Finally, blocking the download of specific file types—through e-mail and web traffic—that are considered risky is a common tactic. Stripping Office documents from e-mails that originate from the Internet might be a controversial move but could be implemented temporarily during “times of crisis”, i.e., when a vulnerability like this is being exploited in the wild but no patch is available. And if there are certain file types you know you’ll never need to receive—RTF documents, XLSM sheets, etc.—those can be blocked without much impact.
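A file-type block is only as good as the way the type is determined: a renamed attachment keeps its content. The following is an added example (not code from the original post or any CBTS product) of an attachment policy that classifies by magic bytes and, for OOXML files, by the main part's content type, then applies a standing block list and a temporary "crisis" list that also holds Office documents while an unpatched document-borne vulnerability is being exploited; all attachments are constructed in memory:

```python
"""Attachment policy that decides by content, not by file name.

Added example, not from the original post or from any CBTS product. It
classifies an attachment from its magic bytes (RTF, legacy OLE Office,
ZIP) and, for OOXML files, from the main part's content type in
[Content_Types].xml, so a renamed .xlsm is still an .xlsm. Two block
lists apply: a permanent one for types the business never needs, and a
temporary 'crisis' one that also holds Office documents while an
unpatched document-borne vulnerability is being exploited. All sample
attachments are constructed in memory.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container

# Substrings of the OOXML main-part content types, mapped to a type label.
OOXML_MAIN_TYPES = {
    "wordprocessingml.document.main+xml": "docx",
    "ms-word.document.macroEnabled.main+xml": "docm",
    "spreadsheetml.sheet.main+xml": "xlsx",
    "ms-excel.sheet.macroEnabled.main+xml": "xlsm",
    "presentationml.presentation.main+xml": "pptx",
}
EXPECTED_EXT = {"docx": {"docx"}, "docm": {"docm"}, "xlsx": {"xlsx"}, "xlsm": {"xlsm"},
                "pptx": {"pptx"}, "rtf": {"rtf"}, "ole": {"doc", "xls", "ppt"}}

ALWAYS_BLOCK = {"rtf", "xlsm", "docm"}                        # never needed by this business
CRISIS_BLOCK = ALWAYS_BLOCK | {"docx", "xlsx", "pptx", "ole"}  # while no patch exists


def classify(data):
    """Label the content: rtf, ole, docx/docm/xlsx/xlsm/pptx, ooxml-other, zip or other."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" not in zf.namelist():
                return "zip"
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "other"
    for marker, kind in OOXML_MAIN_TYPES.items():
        if marker in types:
            return kind
    return "ooxml-other"


def decision(filename, data, crisis=False):
    """Return ('allow', kind) or ('block', reason) for one attachment."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    blocked = CRISIS_BLOCK if crisis else ALWAYS_BLOCK
    if kind in blocked:
        mode = "crisis policy" if crisis and kind not in ALWAYS_BLOCK else "standing policy"
        return ("block", f"{kind} attachments are blocked by {mode}")
    if kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind]:
        return ("block", f"content is {kind} but the name ends in .{ext}")
    return ("allow", kind)


def screen(attachments, crisis=False):
    """Apply the policy to a {filename: bytes} mapping."""
    return {name: decision(name, data, crisis) for name, data in attachments.items()}


def _ooxml(main_type):
    """Build a minimal OOXML container carrying the given main content type
    (constructed sample, not an actual document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/main.xml" ContentType="{main_type}"/></Types>')
    return buf.getvalue()


DOCX = _ooxml("application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
SAMPLES = {                                                  # constructed attachments
    "report.docx": DOCX,
    "memo.pdf": DOCX,                                        # Word document renamed to .pdf
    "budget.xlsm": _ooxml("application/vnd.ms-excel.sheet.macroEnabled.main+xml"),
    "invoice.pdf": b"{\\rtf1\\ansi Please remit payment}",  # RTF renamed to .pdf
    "notes.txt": b"plain text, nothing to see\n",
}

if __name__ == "__main__":
    for name, verdict in screen(SAMPLES).items():
        print(f"{name:14} normal: {verdict}")
    for name, verdict in screen(SAMPLES, crisis=True).items():
        print(f"{name:14} crisis: {verdict}")
```

The crisis flag is what lets the temporary measure described above be switched on and off without rewriting the policy; the extension-mismatch rule is the part that catches the renamed documents that a name-based filter waves through.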

So, as always, keep an eye on the bulletin from Microsoft for a patch to test and roll out to your population; keep an eye on your defenses, to look for suspicious activity; and keep an ear to the community, in case new vulnerabilities or methods of exploitation are discovered. Need help with your cyber defense? Contact the CBTS cybersecurity team today.