
Why should you do information security awareness and training?

I am a shameless promoter of information security awareness and training (A&T).

Information security and awareness training can decrease the number of incidents that your company or organization experiences in a given year.

If I could get people to take three or four minutes of training on information security every week, I would do it.

I want everyone to be able to detect phishing emails and fake text messages quickly and easily.

I hear some of you groan in frustration and say, “Why bother? It doesn’t work!”

I strongly disagree.

I don’t agree that end users are the “problem,” that they can’t learn how to protect themselves and their data.

I see end users as normal human beings who want to do the right thing, to do their jobs and not make mistakes. In the same vein, the bad guys out there are working very hard at their job to trick our users, our friends, and our family.

The bad guys spend hours and hours learning what people will click on in an e-mail, identifying the exact words that trigger the urge to help out and click the link in that malicious e-mail. Or call that fake 800 number to fix a problem. Or quickly answer a request from the president or CFO or CIO.

Without a doubt, the potential consequences of that click, call, or answer are exactly why information security awareness belongs on your list of infosec priorities.

Read more: Essential security practices to protect your business

So who needs information security awareness training?

Everyone!

Absolutely everyone in your company or organization needs regular A&T. From the CEO and CFO, the CIO to the admin at the front desk, everyone, all the way down the line. A&T that starts at the top is the most effective. If the CEO believes that A&T is valuable and worth doing, then the program will be significantly more effective.

Ok, tell me more about this training 

First, it’s both awareness and training. If you make your users aware of the risks, the threats that are out there, and why they need to be on guard or on alert, then the training will be more effective. At the same time, you don’t want to go down the FUD route (fear, uncertainty, and doubt). Be honest with your users and let them know that they are targets.

There are criminal organizations that do nothing but gain access to companies and organizations. These organizations are called access brokers. They are the groups that send out a blizzard of e-mails aimed at stealing credentials. These access brokers then sell that access to the ransomware groups who do the damage and encrypt or steal the data and demand the ransom. The threats to you and your company or organization are real, and they are persistent, and they evolve.

Second, be aware that people retain information and learn new skills differently, so your training will need to be adaptive. Some people like written instructions with short quizzes at the end to test what they learned. Some people like roleplay training or training wrapped in a short video (either animated or live action). Some like classroom-based training where they sit down—with others—and hear someone talk about a security topic (think brown bag sessions). They want to be with others in order to learn the material. The good thing is you have options for providing training for your users.

Alright then, when and where do you do this training? 

All year long, not just once a year. People need regular awareness and training just like computers need monthly patching.

Training—like patching—should happen monthly, or even weekly, to get the best bang for your buck. We live in a complex world with active threats that continue to evolve. Your training has to be frequent and needs to evolve as the threats evolve.

Those of us in information security preach the gospel of monthly vulnerability scanning and monthly patching. But often, we don’t preach quite so much about monthly awareness and training.

A&T helps, and I know that firsthand, as a preacher of the Gospel of Training, chapter 1, verse 1: “Train your users regularly.”

As for where to do the training, do it wherever people will take it. You might do monthly lunch-and-learns, either face to face or online, or computer-based training designed for mobile devices or PCs. We are far enough into this decade that you can find companies that offer computer-based training or other kinds of training that will fit your budget and needs.

The benefits of information security awareness training 

Besides potentially decreasing the number of incidents that your company or organization experiences in a given year, a good information security awareness and training program can:

  • Help lower your cyber insurance premium.
  • Help you meet regulatory compliance requirements.
  • Help better protect your employees on the job and at home.

What’s more, what you spend on a good A&T program can be offset when you factor in the benefit of recovering from fewer incidents and lower cyber insurance premiums. It is money well spent. What do you do for ISAT (information security awareness and training)? Please feel free to e-mail me with comments or questions.

Read more from John Bruggeman:

Why test patches before deploying to production?

Cloud security controls that help mitigate risk

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

2023 Strategic Roadmap: The Future of SD-WAN

The future (and arguably the present) of networking belongs to the Cloud. Legacy WAN networks deployed on aging MPLS systems can no longer handle the sheer amount of data, processing power, and security needed to keep businesses competitive. The resources required to maintain legacy networks are becoming increasingly untenable. More and more, we find on-prem data centers reaching the end of their lifespan, requiring migrations to a cloud-based network. Software-defined wide area network (SD-WAN) is a robust methodology that shifts the burden of data flow from hard-line MPLS networks to the cloud.


SD-WAN deployment benefits include increased network speed, less downtime, and increased efficiency across the board. Additionally, it expands data real estate. Companies need real-time access to their applications, mobile data, at-home devices, and data from IoT devices. As a result, the number of points of presence (PoP) for many companies, especially those in the healthcare field, has grown exponentially. Because of this, the number of potential vulnerabilities for cyberattacks has grown to match. As such, the future of SD-WAN will hinge on current and cutting-edge security tools such as SASE, ENI, and specific deployments of machine learning (ML) and AI.

What is SD-WAN?

In a nutshell, SD-WAN architecture shifts the control of a wide area network for a company and its branches from an onsite data center and hardware to cloud-based software. This software controls connectivity, data management, and the flow of information from headquarters to company branches and remote workers. SD-WAN connection endpoints—branches, data centers, cloud platforms, or corporate offices—are referred to as the SD-WAN edge. As we’ll discuss in more detail later in the post, securing the edge network is a core issue vital to the future of SD-WAN.

According to a study conducted by Gartner with CBTS, the drivers of SD-WAN adoption are the need to:

  • Improve networking speed and agility.
  • Minimize or eliminate downtime.
  • Reduce costs and make predictable capital expenditures.
  • Optimize performance for end users and administrators.

Key benefits of SD-WAN

Switching to a cloud-based network has many company-wide benefits. Some of these include:
  • Dependable connectivity.
  • Faster network speeds.
  • Deployment over existing MPLS infrastructure.
  • Greater control of IT policy and permissions across the enterprise.
  • Easy monitoring of network performance.
  • Enabling managed services.
  • Enhanced security and early warning monitoring of potential threats.
  • Deployment of automation across the business-wide network.
  • Orchestration services such as Unified Communications as a Service (UCaaS).
  • Support for a range of cloud and multi-cloud platforms, including Microsoft Azure and Amazon AWS.

Also read: Key SD-WAN advantages your hybrid work-from-home model needs

The future of SD-WAN

Cyberattacks continue to grow in volume and complexity. In 2021, an attack of 17 million requests was recorded from a botnet three times larger than any previously registered attack. The rate and escalation of cyberattacks are not slowing down. A second attack later that year—an attack of 22 million requests per second—dwarfed the first attack. Experts predict that another attack will take place soon that surpasses 30 million requests per second. Fortunately, cybersecurity measures continue to evolve as preventing cybercrime becomes a focus for enterprises and government agencies.

SASE

Secure Access Service Edge (SASE, pronounced “sassy”) is an architecture that utilizes SD-WAN via an encompassing cloud-native framework. First defined in 2019 by Gartner, SASE is a philosophical approach to cloud security instead of a set of tools or a specific technology. The SASE model merges networking and security to reduce hardware, simplify operations, and minimize security risks.

SASE engages with five core technologies:

  • Integrated SD-WAN
  • Cloud access security
  • Firewall as a Service (FWaaS)
  • Secure web gateways
  • Zero trust network access (ZTNA)

SASE is a borderless approach to networking, meaning it can support globally distributed teams and customers. Global environments allow employers to embrace a modern, work-from-anywhere mentality. Migrating to SASE PoPs optimizes where data lands in the network by combining software apps and data storage. Additionally, the integration of FWaaS refines and maximizes security measures for data centers. SASE reduces latency and results in a higher performing network by adding PoPs globally, so data doesn’t have to travel as far. These gateways provide the functionality, reliability, and access that teams and customers need.

ENI

Edge network intelligence (ENI) allows enterprises visibility of their end-user and IoT devices. ENI creates a complete view of the entire data plane for each user (wired and wireless). This allows IT teams to home in on issues such as latency via automatically generated issue tickets. ENI also proactively engages in self-healing for the network after problems have been identified. Another feature of ENI is integration with AI-empowered Network as a Service (NaaS) such as Cisco Meraki or Juniper Mist.

Learn more: Thinking big on future of networking

AI/ML

ENI uses machine learning algorithms to detect, monitor, and interact with end-user devices across a client’s data estate. SASE providers also deploy AI to scan for threats and block attacks proactively.

But in terms of potential, AI and ML are just beginning to scratch the surface. AI/ML will be integral to the future of SD-WAN.

Other innovations

Beyond security advancements offered by SASE, ENI, and other AI solutions, other innovations will continue to trend as SD-WAN moves into the future. Those innovations revolve around:

  1. Operational simplicity.
  2. Automation.
  3. Reliability.
  4. Scalability.
  5. Solutions with flexible business models.

Given the movement of most industries, it also seems highly likely that future iterations of SD-WAN technology will work well with multi-cloud platforms and help to streamline those environments.

Strategic roadmap for the future of SD-WAN

Legacy MPLS architecture is nearing the end of its lifespan in many cases. Compounded with the surge of data streams from mobile, at-home, and IoT devices, networks are primed to falter in the immediate future without SD-WAN solutions. Replacing traditional networks in favor of SD-WAN will allow for greater agility, simplicity, and performance on every level of business operations.

CBTS is at the forefront of SD-WAN conversion for our clients. The flexibility of SD-WAN means that delivery is potentially borderless, with service in over 60 countries. Often, we can utilize existing MPLS networks to deploy SD-WAN quickly and efficiently. Our suite of managed services—including networking—is best-in-class and a valuable way to offload burden from IT teams.

Get in touch to learn more about future-proofing your business with our managed SD-WAN, networking, or security services.

Car parts and cybersecurity: what is Google dorking?

What do the search for old car parts and cyber reconnaissance have in common? Google dorking. Before you head off this page to check out life hack videos, let me explain.

What do old car parts and Google dorking have in common?

I have been using Google search, Google cache, and the Internet archive for years now to help me find parts and information to support my classic car habit. It just so happens that many of the techniques that I use are extremely effective in doing reconnaissance on your enterprise. What’s more, they are free and—while not well known by most—they are certainly used by attackers. Since I began this blog talking about car parts, clearly I own a couple of classic cars. Anyone who has ever owned a classic car knows that you spend as much time looking for parts and repairing classic cars as you do driving them. (Sure, I can get replica parts more easily, but they are not always available and are often outrageously expensive. Besides, I would miss out on the thrill of the hunt.) Google dorking is what allows me to spend a little more time driving, just as it could give bad actors a little more time and information to attack your network.

Ok, so what is Google dorking, besides something that sounds super-nerdy?

Basically, Google dorking is taking advantage of advanced search techniques to ferret out information and uncover vulnerabilities that you wouldn’t otherwise find with a typical search.

There are a few basic search operators you can use with Google. Many know about the Boolean operators or the quoted-phrase (“ ”) operator, but there are several more that can be quite interesting to use. For example, the site: operator. If you start your Google query with site:www.yourenterprise.com, Google will return only results from pages hosted at www.yourenterprise.com. Very handy. You can extract everything you might want to know about a specific site without having to wade through all the other, non-relevant results. For instance, I use this operator to extract all the data about a specific car part out of an entire forum.

The more search terms you add, the fewer results you get from that specific site. Let me show you how I use that to my advantage. Let’s say I search all the Craigslist sites across the country using the following syntax: site:*.craigslist.org post id: Datsun 14″ rims. Evidently, I am looking for Datsun 14” rims. The “post id:” term restricts the results to individual listings where someone is selling something, rather than the index pages of offers from each Craigslist site. As you probably guessed, the * is a wildcard and will return results for all Craigslist sites across the country. How does this affect my enterprise security?

Now that you know you don’t need anything special to take advantage of Google dorking, you likely won’t be surprised that the site: technique I described above could be used to query every server in yourenterprise.com for literally anything. Another useful syntax along the same lines is intitle:index.of name size, which will return directory file listings that have been left accessible to the public on the Internet. Combining this method with the site:*.yourenterprise.com operator above would list all the Internet-facing directory listings on all servers in the yourenterprise.com domain—with a single query.
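Before an outsider runs that intitle:index.of query against your domain, you can run the equivalent check yourself against the servers you administer. The script below is an added example, not code from the original post or from CBTS: it recognizes the autoindex pages that Apache and nginx generate (a title of “Index of /…” plus a <pre> block or a table of Name/Size entries) and reports the URLs that serve one. The host names and HTML bodies in SAMPLE_PAGES are constructed for the demonstration; audit() can also fetch live pages with urllib when given real URLs of your own servers.

```python
"""Added example (not from the original post): flag directory listings on your
own web servers, the kind an "intitle:index.of" query would surface.  The host
names and response bodies in SAMPLE_PAGES are constructed."""
import re
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, List


class _ListingProbe(HTMLParser):
    """Collect the <title>, the first <h1>, and whether a <pre>/<table> appears."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.h1 = ""
        self.has_pre_or_table = False
        self._capturing = None

    def handle_starttag(self, tag, attrs):
        if tag == "title" and not self.title:
            self._capturing = "title"
        elif tag == "h1" and not self.h1:
            self._capturing = "h1"
        elif tag in ("pre", "table"):
            self.has_pre_or_table = True

    def handle_endtag(self, tag):
        if tag == self._capturing:
            self._capturing = None

    def handle_data(self, data):
        if self._capturing == "title":
            self.title += data
        elif self._capturing == "h1":
            self.h1 += data


# Apache mod_autoindex and nginx autoindex both title the page "Index of /<path>".
_INDEX_OF = re.compile(r"^\s*index of\s*/", re.IGNORECASE)


def looks_like_directory_listing(html: str) -> bool:
    """True when the page is titled "Index of /..." and lists entries in a <pre>
    block (nginx) or a <table> (Apache).  A page whose title merely starts with
    "Index of" (no leading slash) is not flagged."""
    probe = _ListingProbe()
    probe.feed(html)
    heading = probe.title.strip() or probe.h1.strip()
    return bool(_INDEX_OF.match(heading)) and probe.has_pre_or_table


def find_exposed_listings(pages: Dict[str, str]) -> List[str]:
    """Given {url: response body}, return the URLs that serve a listing."""
    return sorted(url for url, body in pages.items() if looks_like_directory_listing(body))


def _http_get(url: str) -> str:
    """Default fetcher for a live audit of hosts you administer."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def audit(urls: Iterable[str], fetch: Callable[[str], str] = _http_get) -> List[str]:
    """Fetch each URL (directories that should NOT be listable) and report the
    ones that are.  A fetch failure is treated as "not listable"."""
    pages: Dict[str, str] = {}
    for url in urls:
        try:
            pages[url] = fetch(url)
        except Exception:
            continue
    return find_exposed_listings(pages)


# Constructed responses: two autoindex pages and two ordinary pages.
SAMPLE_PAGES = {
    "https://www.example.com/backup/": (
        "<html><head><title>Index of /backup</title></head><body>"
        "<h1>Index of /backup</h1><table><tr><th>Name</th><th>Last modified</th>"
        "<th>Size</th></tr><tr><td><a href=\"db-2022.sql.gz\">db-2022.sql.gz</a></td>"
        "<td>2022-05-01 02:00</td><td>12M</td></tr></table></body></html>"
    ),
    "https://www.example.com/static/": (
        "<html><head><title>Index of /static/</title></head><body>"
        "<h1>Index of /static/</h1><hr><pre><a href=\"../\">../</a>\n"
        "<a href=\"app.js\">app.js</a>   01-Jan-2022 10:00   4096\n</pre><hr></body></html>"
    ),
    "https://www.example.com/": (
        "<html><head><title>Example Co - Home</title></head><body>"
        "<h1>Welcome</h1><p>Index of services we offer</p></body></html>"
    ),
    "https://www.example.com/blog/index-of-parts": (
        "<html><head><title>Index of Parts Catalog Posts</title></head><body>"
        "<h1>Index of parts</h1><table><tr><td>post</td></tr></table></body></html>"
    ),
}

if __name__ == "__main__":
    for exposed in find_exposed_listings(SAMPLE_PAGES):
        print("directory listing exposed:", exposed)
```

The remedy for anything it reports is a server configuration change (for example, turning off autoindex for that path) followed by a re-run; the check is deliberately conservative so that a blog post titled “Index of …” does not produce a false alarm.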

Read more: Essential security practices to protect your business

Syntax is not the only way to do what Google dorking does

Two other similar tools make reconnaissance even easier. The first is Google Cache, which keeps a copy of web pages that are no longer available for about 90 days. The second is the archive.org Wayback Machine, which stores copies indefinitely. I mention both of these because companies believe they can remove what they deem sensitive information from their websites so it can’t be uncovered for reconnaissance. If the information was ever publicly accessible, there is a reasonable chance that it never goes away, thanks to the Wayback Machine. I use the Wayback Machine to look up web pages from 20 years ago that detail how to modify a particular part so it can be used today. With the Wayback Machine, you can take those orphaned links in forums that go nowhere and access the content they pointed to 10 or 20 years ago. Similarly, bad actors can access old web pages that companies believed they had made inaccessible, scrape potentially sensitive information, and create problems that you never anticipated.

Read more: Cybersecurity guidance from the top

Google dorking is anything but dorky

In conclusion, by no means are these the only Google dorking techniques or tools available to search for reconnaissance data about your organization using Google. They do, however, show you how easy it is for outsiders to learn much more about your organization than they should be able to. True, it is one more thing to learn in order to improve your security posture, but it will pay to become alert to, and familiar with, what can be done with Google dorking.

If you need any help addressing questions about your enterprise security, please feel free to reach out to the CBTS Security Team.


Continue reading: Software bill of materials (SBOMs): what is it good for?

Why test patches before deploying to production?

I’m writing this blog post because it needs to be written.  It seems pretty obvious that you should test patches to your OS or applications in a test environment that closely matches your production environment before you deploy that patch in production.  However, just because something seems obvious doesn’t mean that it is.


So that folks reading this can avoid the hours of recovery that I’ve had to endure back in the day—before I knew better—let’s go over some things that can go wrong with a patch, either to the OS or an application.

First, why do you have to patch?

Just because the vendor issues a patch, do you have to apply it?

No, you don’t have to apply it, but you need to consider the risk of not applying the patch before you simply ignore it. 

Risk? What risk?

When a vendor issues a patch to an operating system (think Windows Patch Tuesday or Linux updates or Apple Mac updates), they do so for a reason. Almost always, the reason the vendor issues the patch is because a vulnerability has been detected.  The patch ostensibly removes the vulnerability from the OS. Yay, risk averted!

Read more: our team looks at a recent incident in I just met a vuln named Follina

But what if you don’t want to apply the patch?

You’re a busy IT person, and you don’t have time to reboot production servers after applying patches to the OS. What is the worst that could happen?

Well, let’s assume that the patch from the vendor fixes a vulnerability that allows an attacker to gain full control of your production server. 

That’s bad and you want to mitigate or remove that risk as quickly as possible.  

Of course, there are often mitigation techniques or compensating controls that can be used to lessen the risk of an identified vulnerability. Often the compensating controls involve removing a vulnerable service, or implementing firewall rules to block specially crafted packets, or adding Access Control Lists (ACLs) around a vulnerable device.  The compensating control(s) can limit or mitigate the vulnerability, but they often come with side effects, or additional restrictions that limit the functionality of the server or device.

Consequently, establishing the habit of regularly applying patches to your production environment is good InfoSec hygiene.

Next, now that you know it’s necessary to patch, how do you do that safely?

Make sure you have a test environment where you can apply the patches. This environment should match your current production environment.  The same operating system on your production servers should be on your test servers. You don’t have to have ten of the same kind of server in test, but if you have a production file server that is Windows Server 2016, that’s the kind of server you should have in test.  If you have a mixed environment in production, like a 2016 server and 2019 server, duplicate that in test. If you have a Mac running some applications and a Windows server running another application, duplicate that configuration in test.  If you have 100 virtual servers in production, all running the same OS, that’s fine; have one test server that mirrors the 100 virtual servers in production.

Step three: you’re ready to update your first test server!

OK, you’ve got your test environment set up, you apply the first patch, and… nothing!

The server comes back up cleanly, meaning that it’s up and running and you didn’t detect any errors. Great! You’re done, you can quickly apply the patches to production.

Not so fast!

Have you done your testing now that the server is back up? Before you call it a day, ask and answer these questions:

  1. Do the applications running on that server run or function as before?
  2. Are there any errors in the event log or other logs?
  3. Is server performance impacted?
  4. Does the server perform all the functions it did prior to applying the patch?
  5. Have you confirmed that the patch was actually applied? (Sometimes you think it’s applied, but the patch is not actually applied.)
  6. Have you scanned the server to confirm the vulnerability is no longer present? See question 5 above.
  7. Does your IT team have questions?

Ok, let’s assume the answers to the questions above are satisfactory. Guess what? You should run the server for 24 or 48 hours in your test environment and check questions 1, 2, 3, and 4 again just to be sure everything is working as expected. (Can you tell I used to run a production environment?)

If, after a quick but decent enough burn-in time—which is usually short for critical patches—you can now schedule the patches that have passed these questions for deployment to production.
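Two of the checklist questions above lend themselves to a script you can keep in the patch runbook: question 5 (was the patch actually applied?) and question 2 (are there new errors in the logs?). The Python below is an added example, not the post’s own tooling: it compares an installed-package inventory against the versions a vendor advisory says are fixed, and lists the ERROR/CRIT log entries stamped after the patch time. The hosts, package versions, advisory versions and log lines are constructed, and the version comparison is a deliberately simplified numeric one (an assumption noted in the code) rather than full dpkg or rpm semantics.

```python
"""Added example (not from the original post): two post-patch checks, confirming
the fixed version is installed (question 5) and looking for new log errors
(question 2).  Hosts, packages, versions and log lines are constructed."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    host: str
    package: str
    installed: str
    required: str


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified comparison key: the numeric runs of the string, left to right
    ("2.4.54-1" -> (2, 4, 54, 1)).  Assumption: good enough for the dotted
    versions used here; it does not implement dpkg/rpm epoch or tilde rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_inventory(text: str) -> Dict[Tuple[str, str], str]:
    """'host package version' per line -> {(host, package): version}."""
    inventory = {}
    for line in text.strip().splitlines():
        host, package, version = line.split()
        inventory[(host, package)] = version
    return inventory


def unpatched(inventory: Dict[Tuple[str, str], str], fixes: Dict[str, str]) -> List[Finding]:
    """Every (host, package) still below the fixed version.  A package that is
    not installed on a host is not at risk there, so it is not reported."""
    findings = []
    for (host, package), installed in sorted(inventory.items()):
        required = fixes.get(package)
        if required and version_key(installed) < version_key(required):
            findings.append(Finding(host, package, installed, required))
    return findings


# Constructed log format: "<ISO timestamp> <host> <LEVEL> <message>"
_LOG = re.compile(r"^(\S+) (\S+) (ERROR|CRIT|WARN|INFO) (.*)$")


def errors_since(log_lines: List[str], patch_time: datetime) -> List[str]:
    """ERROR/CRIT entries stamped at or after the moment the patch was applied."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m:
            continue
        stamp, _host, level, _msg = m.groups()
        if level in ("ERROR", "CRIT") and datetime.fromisoformat(stamp) >= patch_time:
            hits.append(line)
    return hits


# Constructed inventory of the test environment after the patch run.
INVENTORY = parse_inventory("""
web01 apache2 2.4.52-1
web01 openssl 3.0.2-0
db01 postgresql-14 14.2-1
db01 openssl 3.0.7-1
""")

# Constructed "fixed in" versions from the vendor advisories being applied.
FIXES = {"apache2": "2.4.54-1", "openssl": "3.0.7-1", "postgresql-14": "14.5-1", "sudo": "1.9.11-1"}

PATCH_TIME = datetime(2022, 8, 10, 2, 0)
LOG_LINES = [  # constructed
    "2022-08-09T23:40:00 web01 ERROR apache2: worker exited on signal 11",
    "2022-08-10T02:05:12 web01 INFO apt: upgrade run finished",
    "2022-08-10T02:15:03 web01 ERROR apache2: SSLCertificateFile: file does not exist",
    "2022-08-10T02:16:00 web01 WARN apache2: could not reliably determine FQDN",
]

if __name__ == "__main__":
    for f in unpatched(INVENTORY, FIXES):
        print(f"{f.host}: {f.package} {f.installed} still below {f.required}")
    for line in errors_since(LOG_LINES, PATCH_TIME):
        print("new error after patch:", line)
```

In this constructed run the script catches exactly the situation question 5 warns about: web01 still reports openssl 3.0.2 even though the patch run “finished”, and the one apache2 error that appeared after the patch window is surfaced while the pre-patch crash is left out of the comparison.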

Finally: How often should you patch?

When you apply the patch and confirm that the vulnerability has been removed, the risk regarding that vulnerability has been addressed.

As you can see, this is why we recommend testing patches in a test environment before rolling out to production.  Hopefully this short blog post will help you as you build up your patch management process and plans.

If you have any questions please feel free to reach out to the CBTS Security Team!


The value of phishing simulation in a strong security program

One of the more fiery topics of discussion amongst security practitioners and luminaries in 2022 is the role of phishing simulation and assessment in an enterprise security control strategy.

What role does phishing simulation play in your security program?

It has long been gospel that security awareness training is an essential practice for an organization taking security seriously. We need to continually remind our employees about the threats they face, and the responsibilities they carry to protect themselves and their employer from those threats. Training should be:

  • Consistently delivered, in a regular “drip” throughout a year, so that the message stays top-of-mind.
  • Current and relevant, covering recent attack trends in detail (and even using examples of tactics that have been successful against the organization) and focused on the behaviors and actions expected of employees.
  • Nontechnical, delivered “in their language” and in a way that they can understand.
  • Engaging, produced and executed with content that draws in the audience and impacts them.

The last point is particularly relevant in this discussion about phishing simulation.

Why we do phishing simulation

We characterize phishing simulation as the practice of delivering simulated phishing attacks to employees—along with associated training material—in an effort to teach them to recognize and respond to the real thing, but in a safe and educational setting. This practice is the manifestation of the principle of “experiential learning”. Since the 1970s educators have considered this to be a formal field of education, and have explored its value as a part of a larger educational strategy. Our man Confucius said it well: “I hear, I know; I see, I remember; I do, I understand.”

Also, people remember best when they experience something rather than just read about it or watch a video on their computer.

Teaching your employees the “how-not-tos” of phishing

Applied to security awareness training, our goal is to have users experience the practice of receiving a phishing email that was unexpected, and then measure their response. Do they report it? Do they poke at it a bit before doing so? Do they fall for the fraudulent claims that come from the sender? Through this effort we determine their susceptibility—or their resilience—to this attack vector.

When our Security Consulting team does phishing simulation for our customers, we carefully craft content in coordination with their security team, identifying scenarios and approaches that are particularly troublesome for their users. We use tools to deliver the e-mail and web content that allows us to measure the responses from the targets: simply opening the message and reading the content; clicking the links or opening the attachments; or submitting data to a form built to steal credentials.

By developing several different campaigns with varied scenarios and content, sent to many different groups of employees, we can start to pinpoint weaknesses in their awareness of threats, and adjust the training to match. We also direct the users who engage with the content to training material on the subject immediately. We find those who have been told “you just failed a phishing test” are paying quite a bit more attention and are more ready learners. When organizations perform these exercises regularly with targeted training in between, we see improvement in the reporting metrics. Users are more likely to report not just the simulated attacks, but actual attacks, as opposed to engaging with them. As an example of the effectiveness, one of our financial services clients saw a 20% drop in “click rates” (users who open a link in a phishing e-mail instead of reporting it) over a three-year period after consistent training.

Read more: Why should you do information security awareness and training?

Criticisms of phishing simulation

Sounds great, right? Not to everyone. There’s been criticism about this practice, and it stems largely from teams who use unsavory content in their simulated campaigns. Think about an e-mail purporting to be from a company that promises to pay off all your student loan debt, or give you free lifesaving drugs if you’re a terminally ill patient. It’s pretty brutal to yell “surprise, we were just kidding, here’s some training!” after sending someone one of those e-mails. So it’s important to be sensitive about the pretext of a message we’re sending to train someone—we don’t want to be hurtful, even if the attackers don’t mind doing so.

Another study has shown that phishing training doesn’t help, that people continue to click on phishing links.

So there are contrary studies regarding the value of phishing training.

Hurt feelings aside, we need to face facts: historically, the only way to determine if our security strategy is viable against real attacks is to use real attacks to test it. This is why we do penetration testing! But machines and humans react differently, so we have a thin line to walk: do what the attackers do without causing actual trauma. Some consider the risk of that trauma to be so great that it isn’t worth the potential benefits of training. What if the previous financial customer I mentioned only saw a 5% improvement over the three-year period? Or a 1%? Is that worth the monetary cost of the practice, as well as the frustration of the users who are targeted? These are important questions!

Why phishing simulation puts the odds in your favor

Let’s think about this like we thought about the pandemic. Why wear masks? Not because it completely prevents the spread of a disease, but because it lowers the occurrence of spread. If I have a hundred opportunities to be infected in a day, and wearing a mask means even one of those hundred opportunities is eliminated, that’s an improvement.

We are in the business of reducing risk, and that means any positive change is valuable. The idea that “this security control didn’t eliminate all risk, so it isn’t useful” is nonsense, in my opinion. This same attitude says that because this endpoint protection solution stopped 19 of 20 pieces of malware but allowed one, it is a failure. We know that’s illogical! That’s 19 pieces of malware we didn’t have to worry about—and a situation where 19 attacks were unsuccessful is obviously better than 20 that were successful.

We cannot eliminate all risk, and those that set such a goal for themselves will always be disappointed and behind. They subscribe to an unrealistic, unattainable view of protecting an organization, and will be unsuccessful every time. Incremental gains in a security program’s effectiveness are not only meaningful, they’re usually the only type of growth we see. Rarely do organizations achieve wholesale, life-altering improvements in a short period of time. That’s the approach of a lazy security practitioner. But if we have 1,000 employees and we turn even one of them from a “clicker” to a “reporter”, that’s growth, and that means potentially dozens or even hundreds of chances to be compromised that are eliminated. In coordination with a larger strategy that includes other training, e-mail security systems, endpoint and network protection, least privilege, and strong authentication, we can start to have a real effect on minimizing the impact of these attacks.

How do we effectively use a phishing simulation?

Now, if you’re simply performing simulations to generate metrics and make your security team look successful, yeah, you’re going to have a bad time.

Simulations are useful as a way to identify weaknesses to which you will apply training. Here’s an example of what our security services team sees as a beneficial training cycle:

  • Acme Co receives a targeted phishing campaign that uses a Microsoft account credential theft attack and a scenario claiming to be a password reset request. A quarter of their employees (100 users) click the link, and 10% (40 users) submit credentials, resulting in a security incident.
  • Acme Co recovers and delivers training to their users, explaining what the attackers did, what they were after, and the recognizable content in the attack that was notable for future detection (an urgent request claiming to be from an authority figure, delivered in an unusual manner: an e-mail message). Users are asked to watch for these telltale signs, and report them in the future, even if they’re unsure if they’re dangerous.
  • Acme Co waits a month and delivers a series of phishing simulations.
    • To those that clicked the link, the same type of message as the actual attack is used.
    • To those that did not click the link, a similar, but slightly more sophisticated message is used, with slicker, more convincing graphics in the e-mail and on the website.
    • To those that reported the message, a simulation with the same attack vector (Microsoft account credential theft) but a different pretext (the employee’s manager is sending the e-mail) and scenario (the employee needs to verify their W-4 is up to date) is delivered.
  • The results of these exercises are collected and analyzed, with the following happening:
    • Employees that still fell for the simulated attack are coached in a 10-minute in-person/virtual training session by a member of the security team along with the employee’s manager.
    • Employees that ignored the message but did not report it are notified and reminded about the reporting process.
    • Employees that reported the simulated message are rewarded with a $5 Starbucks gift card.
    • Broad training content for all employees is updated to mention the telltale signs used in this type of attack and what to watch for.
    • A regular monthly communication to all employees mentions this phishing attack and re-emphasizes the warning signs and reporting process.
  • Acme Co repeats the simulation a few months later, with a slightly modified pretext and scenario and this time asks the user to provide their MFA one-time password along with their credentials. Results are analyzed and used to drive future training as before.

Remember that this is simply one piece of a larger strategy. Yes, it takes people and intentional planning and follow-up. That’s what good security looks like! Humans are harder to secure than machines.

Read up on all the security practices that are essential for protecting your business.

Conclusion

Like it or not, your users will be receiving phishing e-mails. You can’t stop every one of them from reaching your inboxes. Either you teach your users to recognize this content and respond well, or you leave them to their own devices and hope for the best. The attackers typically don’t share our qualms about using unsavory tactics. While we don’t want to stoop to their level, we do need to recognize that we’re facing actors who will go to almost any length to trick our users, and we need to prepare them effectively for what they’ll face. If reading about it in a slide deck or e-mail newsletter isn’t helping, we need to consider what will actually move the needle.

Contact us today to learn more about how we can help you build stronger security for your organization.

I just met a vuln named Follina

Happy summer, everyone! To celebrate, there’s a new Microsoft Windows zero-day vulnerability, tracked by NVD as CVE-2022-30190 and nicknamed Follina by the community. It is a flaw in the Microsoft Support Diagnostic Tool (MSDT): a document that invokes the tool’s ms-msdt: URL protocol handler can abuse it to run arbitrary commands with the privileges of the application that opened the document, typically after retrieving the attacker’s code from a remote server.

As a reminder to the newer folks on the scene, a vulnerability is classified as a “zero day” when it becomes public, or is found being exploited, before the vendor of the vulnerable product has a fix available: the vendor has had zero days to prepare.

Those are fun because it means:

  • The vendor has to hustle to understand the vulnerability and develop both workarounds and a patch.
  • There’s a chance this vulnerability has been in use by attackers for a while, but none of our security controls were able to detect it. It’s like finding a spy cam in your house—how long has it been there? Who put it there? How’d they get in? It’s really unsettling!

We’ve talked about this before—what happens when you’ve got a vulnerability in your systems, but no patch? How does your vulnerability management program handle it? In this case, the attack observed by researchers is triggered by a malicious Office document, which executes the MSDT call to grab the attacker’s code and run it. This is problematic—like most businesses, our organization tosses around Office documents like monkeys toss around bananas (that’s apocryphal; I have no idea if monkeys wantonly toss around bananas).

How do you solve a problem like Follina?

If there’s no patch currently, organizations are vulnerable by default, at least until the anti-malware controls deployed at the network and endpoint layers are updated to detect the exploit. Our first recommendation is to contact your security vendors and ask if they have rolled out, or are planning to roll out, detection or prevention for this attack. Mention Follina or CVE-2022-30190.

So, while we’re waiting for those updates, we still have to operate our business. It’s helpful to consider a workaround. Microsoft has released a bulletin describing a workaround for Follina: disable the MSDT URL protocol handler by exporting the HKEY_CLASSES_ROOT\ms-msdt registry key as a backup and then deleting it (the backup lets you restore the handler once a patch is applied). To use this workaround, your organization needs to be able to push configuration changes to your assets across the entire enterprise. Many companies depend on Group Policy Objects to do this, but that approach is often difficult if you have a remote workforce that isn’t checking in with your Active Directory daily.

Our second recommendation, therefore, is to use a mobile device management solution that can remotely manage your fleet of workstations and mobile devices, push configuration changes, and install software and updates no matter where the devices are. There’s a larger problem here, though, that goes beyond this vulnerability. Attackers deliver malicious files to our users all the time: as e-mail attachments, from malicious websites, or through social networks. What if we can’t tell at a glance whether a document is benign or malicious? How can our organization defend against dangerous documents when receiving documents from third parties is a normal, everyday part of our business processes?

Something’s coming: treat it like a threat

Our third recommendation is to assume every document is dangerous. Each one needs to be evaluated before we can allow a user to interact with it—especially if the document originated from outside our organization.

Reputational and behavioral detection can often locate malicious files even if a signature doesn’t exist yet, and can be implemented everywhere these documents enter your environment: from the web, e-mail, or physical media. That means these controls need to be enforced wherever your users sit, including remote locations outside your on-premises LAN.
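Here is one such structural check, added as an example and not part of the original post or of any vendor product: it opens an Office Open XML document as the zip package it is and looks for the delivery mechanism Follina documents used, an OLE object relationship whose target is an external URL, plus any ms-msdt: URI in the package parts. The sample documents are constructed in memory (they have just enough structure for the scanner, not enough to open in Word) and the attacker.invalid host is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for a linked/embedded OLE object, and the package
# namespace used by every .rels part inside the document.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# The ms-msdt: URI normally arrives in the HTML that the external link fetches,
# so it is rarely inside the document itself, but it costs nothing to check.
MSDT_URI = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return a list of findings for an Office Open XML document.

    An empty list means the structural indicators were not present; it does
    not prove the document is safe.
    """
    findings = []
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ValueError("not an OOXML package (not a zip file)")
    with package:
        for name in package.namelist():
            blob = package.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter(PKG_NS + "Relationship"):
                    external = rel.get("TargetMode") == "External"
                    if external and rel.get("Type") == OLE_REL:
                        findings.append(
                            f"{name}: external OLE object loads {rel.get('Target')}"
                        )
            if MSDT_URI.search(blob):
                findings.append(f"{name}: contains an ms-msdt: URI")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_docx(data))


def build_docx(rels_xml: str, document_xml: str = "<w:document xmlns:w='urn:x'/>") -> bytes:
    """Constructed minimal package: enough structure for the scanner, not for Word."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample relationship parts. Legitimate documents routinely carry
# external hyperlinks; that alone is not the indicator.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://attacker.invalid/payload.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_docx(build_docx(rels)) or "no indicators")
```

An external hyperlink relationship is normal and is deliberately not flagged; the signal is the combination of the oleObject relationship type with TargetMode="External". A clean result is not a clean bill of health, only the absence of this one indicator, which is why the post pairs checks like this with reputational and behavioral controls.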

You may also consider controls that can sanitize potentially dangerous documents as they flow to the end-user, or provide isolation features that protect the user’s workstation during e-mail and web browsing.

Finally, blocking the download of specific file types—through e-mail and web traffic—that are considered risky is a common tactic. Stripping Office documents from e-mails that originate from the Internet might be a controversial move but could be implemented temporarily during “times of crisis”, i.e., when a vulnerability like this is being exploited in the wild but no patch is available. And if there are certain file types you know you’ll never need to receive—RTF documents, XLSM sheets, etc.—those can be blocked without much impact.

So, as always, keep an eye on the bulletin from Microsoft for a patch to test and roll out to your population; keep an eye on your defenses, to look for suspicious activity; and keep an ear to the community, in case new vulnerabilities or methods of exploitation are discovered. Need help with your cyber defense? Contact the CBTS cybersecurity team today.

Cloud security controls that help mitigate risk

As I mentioned in my previous post on cloud security, depending on the kind of cloud solution you have, you might be the one responsible for implementing any and all security controls.

All major cloud providers have risks and also have ways of implementing controls to mitigate those risks. There are whole categories of security providers for the various parts of a cloud security program. As you begin to plan your move to a cloud solution you will see acronyms like CASB, CSPM, CWPP, and SASE.

It can get a little confusing with all the acronyms, but each product has a reason for existing.

Let’s start with CASB or cloud access security broker

A cloud access security broker ensures that the user trying to access a cloud service (think Salesforce or Office 365 or SAP) should be able to access the service, and that they are doing only the things they are supposed to do.

Obviously, there are some fundamental controls that you want to have in place for your cloud applications. You want to be able to see what your users are doing in the cloud (visibility), you want to detect threats to your systems and data, and you want to make sure you maintain compliance with the regulations that apply to your organization.

At the most basic level you want to make sure only the people you allow can access the cloud services you use. In other words, should John be able to access customer data stored in Salesforce?

In addition—and more importantly—you want to make sure they can only do things they are supposed to do. As a security professional, you want to make sure John does not delete or modify data he shouldn’t. CASB provides controls and visibility over what John does when he signs into Salesforce.

The basics just won’t cut it against today’s security challenges

You might think, “I already have Active Directory (AD) or some other identity management (IM) tool (Okta, OneLogin, Centrify, etc.), so why do I need a CASB solution?” Well, your IM solution might only cover on-premises access, or it might not be connected to your cloud services at all. A CASB is designed, as the name implies, to broker access between the identity solution and the cloud service.

For example, think about the steps that go into giving a new hire access to all the services they need to do their job. You want to give the new hire an e-mail account, access to the payroll system to enter their time, and then, if they are in sales, access to Salesforce or a similar tool to track and follow up on leads. If they are writing or reading reports, they need access to the collaboration tool/Office product (O365 or Google Workspace, etc.).

What is often overlooked is one of the big gaps for a lot of companies: de-provisioning services when someone leaves the organization. Provisioning a new hire with access to the applications they need is often automated with a well-designed workflow and few manual steps. De-provisioning is often not as well automated; frequently employees retain access days or weeks after they have left the company, even when the separation (e.g., a firing) was not on good terms.

A CASB solution that controls who has access to what cloud services can help simplify both ends of the provisioning workflow. As a result, you can end up with an automated workflow that can very quickly grant and remove access with the click of a button.
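As an added example (not code from the original post or from any CASB product), the following reconciliation is the check behind that de-provisioning workflow: it compares each application's user list against the HR system of record and reports accounts that belong to departed employees, accounts with no HR owner, and active employees holding access their role does not include. The role-to-application entitlement table, the input formats, and the sample roster are assumptions built to mirror the new-hire example above.

```python
from dataclasses import dataclass
from datetime import date

# Assumed role -> application entitlements, following the new-hire example:
# everyone gets e-mail and payroll, sales gets Salesforce, report writers
# get the office suite.
ENTITLEMENTS = {
    "sales": {"email", "payroll", "salesforce"},
    "engineering": {"email", "payroll", "office"},
    "finance": {"email", "payroll", "office"},
}


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    category: str   # "terminated", "no-hr-record" or "not-entitled"
    detail: str


def reconcile(hr_roster, app_users, today):
    """Compare each application's user list against the HR system of record.

    hr_roster: {email: {"status": "active"|"terminated", "role": str, "end_date": date|None}}
    app_users: {app: set of account e-mails exported from that application}
    """
    findings = []
    for app, accounts in app_users.items():
        for email in sorted(accounts):
            person = hr_roster.get(email)
            if person is None:
                findings.append(Finding(app, email, "no-hr-record",
                                        "no owner in the HR system; shared or orphaned account?"))
            elif person["status"] != "active":
                days = (today - person["end_date"]).days
                findings.append(Finding(app, email, "terminated",
                                        f"left {days} days ago, account still enabled"))
            elif app not in ENTITLEMENTS.get(person["role"], set()):
                findings.append(Finding(app, email, "not-entitled",
                                        f"role '{person['role']}' does not include {app}"))
    return findings


def deprovision_plan(findings):
    """Turn findings into per-application actions: departed employees are
    disabled outright, everything else is queued for a human review."""
    plan = {"disable": {}, "review": {}}
    for f in findings:
        bucket = "disable" if f.category == "terminated" else "review"
        plan[bucket].setdefault(f.app, set()).add(f.account)
    return plan


# Constructed sample data; the domain is a placeholder.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "role": "sales", "end_date": None},
    "bob@example.com": {"status": "terminated", "role": "sales", "end_date": date(2022, 3, 1)},
    "carol@example.com": {"status": "active", "role": "engineering", "end_date": None},
}
APP_USERS = {
    "email": {"alice@example.com", "bob@example.com", "carol@example.com"},
    "payroll": {"alice@example.com", "bob@example.com", "carol@example.com", "svc-legacy@example.com"},
    "salesforce": {"alice@example.com", "bob@example.com", "carol@example.com"},
}

if __name__ == "__main__":
    results = reconcile(HR_ROSTER, APP_USERS, date(2022, 3, 22))
    for f in results:
        print(f"{f.app:<11} {f.account:<24} {f.category:<13} {f.detail}")
    print(deprovision_plan(results))
```

Run on a schedule (nightly is typical) and fed from the same HR export that drives onboarding, this is what closes the gap the post describes: a terminated user shows up in the disable list the morning after their end date instead of weeks later, and accounts with no HR owner get surfaced rather than silently kept.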

Now we will look at cloud security posture management or CSPM

CSPM is a tool, or set of tools, that checks that the controls you want in place for your cloud environment are actually configured. Your organization might have to follow a particular security standard such as NIST SP 800-53 or ISO/IEC 27001 because of government regulations or contracts. A CSPM tool can continuously verify that your cloud infrastructure stays in line with those standards.

Numerous security breaches have happened due to misconfigured permissions with cloud storage. Mismanaged Amazon S3 buckets have caused major data disclosures. Companies that thought they had good practices in place—like Booz Allen Hamilton and Deep Root Analytics in 2017—leaked data because of misconfigurations.

A CSPM will constantly monitor your cloud environment for configuration changes and settings to make sure that the rules and controls you want to have in place for your environment are in place. Additionally, some solutions will automatically fix incorrect settings to ensure compliance with privacy laws and government regulations regarding data privacy.
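The core of such a check, written here as an added example rather than code from the original post, from AWS, or from any CSPM product, is to evaluate the three things S3 consults when deciding whether anonymous callers get in: the bucket policy, the ACL grants, and the Public Access Block settings. The functions below work on the JSON shapes those APIs return; the sample policies, ACL, bucket names and account ID are constructed placeholders.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# The four S3 Block Public Access settings, all on; this is the fix a CSPM
# would push (or recommend) for a bucket that is not meant to be public.
ENFORCE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _principal_is_everyone(principal):
    """Policy principals that match any caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def check_policy(policy_json):
    """Split the Allow statements that name everyone into unconditional ones
    (public) and ones carrying a Condition block (needs a human look)."""
    public, conditional = [], []
    if not policy_json:
        return public, conditional
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        label = st.get("Sid", f"statement[{i}]")
        (conditional if st.get("Condition") else public).append(label)
    return public, conditional


def check_acl(grants):
    """ACL permissions granted to the anonymous (AllUsers) or any-AWS-account
    (AuthenticatedUsers) groups, as 'Group:Permission' strings."""
    hits = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            hits.append(f"{uri.rsplit('/', 1)[1]}:{grant.get('Permission')}")
    return hits


def assess_bucket(name, policy_json=None, acl_grants=(), public_access_block=None):
    """Combine the signals into one verdict. public_access_block mirrors the
    GetPublicAccessBlock result: IgnorePublicAcls makes S3 ignore public ACL
    grants, and RestrictPublicBuckets blocks anonymous access through a public
    policy, so those findings are suppressed when the setting is on."""
    pab = public_access_block or {}
    findings, public = [], False
    public_sids, conditional_sids = check_policy(policy_json)
    if public_sids and not pab.get("RestrictPublicBuckets"):
        findings.append(f"policy grants access to everyone: {', '.join(public_sids)}")
        public = True
    for sid in conditional_sids:
        findings.append(f"policy statement {sid} allows Principal * under a Condition; review it")
    acl_hits = check_acl(acl_grants)
    if acl_hits and not pab.get("IgnorePublicAcls"):
        findings.append(f"ACL grants to public groups: {', '.join(acl_hits)}")
        public = True
    return {"bucket": name, "public": public, "findings": findings,
            "remediation": ENFORCE_PAB if public else None}


# Constructed sample inputs; bucket names and the account ID are placeholders.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}],
})
ACCOUNT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TeamRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}],
})
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]

if __name__ == "__main__":
    print(assess_bucket("example-reports", PUBLIC_READ_POLICY))
    print(assess_bucket("example-reports", PUBLIC_READ_POLICY, public_access_block=ENFORCE_PAB))
    print(assess_bucket("example-reports", ACCOUNT_ONLY_POLICY, PUBLIC_ACL))
```

Treating a conditioned Principal * statement as a review item rather than a public finding matters in practice: a statement scoped with aws:SourceVpce or aws:PrincipalOrgID is a common legitimate pattern, and a checker that scores it the same as an open bucket trains people to ignore its output.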

Go straightforward with a cloud workload protection platform (CWPP)

A cloud workload protection platform is designed, as the name suggests, to protect what you run in the cloud from malware and other attacks. Just as you run endpoint protection software on servers in your datacenter, you want the same coverage in your cloud environment if you are hosting your own servers or virtual machines. Most CWPP solutions offer an agent version, like the endpoint software you use now, or an agentless version that pulls information from your cloud-hosting environment. Each has advantages: the agent version typically gives you richer telemetry at some cost in performance on the workload, while the agentless version usually has no impact on your workload but will not give you all the detail an agent can.

Relative newcomer secure access service edge (SASE) can give smaller businesses more security attitude

Secure access service edge, known as SASE (pronounced “sassy”), is a cloud-based information technology model where both the network and the security for the network are offered on demand without having ownership of the hardware or security tools. This kind of solution is growing in popularity for small startup companies and companies that are very flexible because you purchase your networking and security as you need it.

SASE typically has four main components:

  1. A CASB solution to provide security for your cloud applications,
  2. A secure web gateway (SWG) that brokers and filters user traffic to the web and to your cloud applications,
  3. A zero trust network (ZTN) layer that grants access based on the user, the device, and the application rather than on network location, and finally,
  4. Firewall-as-a-Service (FWaaS).

This is a lot of acronyms and buzz words, but they can and do really work together, with the result that you can implement very good security controls if you design your cloud environment with SASE in mind.

SASE works best, and is easiest to deploy, when your environment is entirely cloud-based. You can see why that would make it appealing to startup companies that do not have legacy hardware, storage, and other technology that must have security “bolted on” later to make it cloud-friendly.

I can hear some of you saying, “What is the key takeaway?” 

For CIOs and IT Directors, the key takeaway is that there are advantages to moving on-premises storage and computer systems to a cloud service. However, you need to carefully plan what you are moving, why you are moving it, and what controls you will have in place to make sure the systems and data you move to a cloud service (SaaS, IaaS, PaaS) are as secure as you need them to be.

For security practitioners, you need to recognize that the security controls you use for on-premises assets are not always the same controls you use for cloud assets. Consequently, your thinking needs to shift, and you need to make sure the controls you use are appropriate for cloud-hosted assets.

If your company is relatively new and does not have a significant investment in on-premises computer resources, your move to the cloud could be smooth and painless. On the other hand, if your company is a mature company with lots of assets on premises and in-house, as well as custom applications, your journey will likely be longer and require significantly more planning and preparation.

I hope this has been helpful, reach out and let me know if you have any questions.

Read more from John Bruggeman:

Weighing the risks and benefits of moving to the Cloud

2022 Cybersecurity Predictions

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

2022 Cybersecurity Predictions

Hello everyone, I hope 2022 will be a better year for all of us, and like so many others I have some predictions about what is on the horizon for cybersecurity in the coming year.

My predictions are similar to others in the cybersecurity community but I know that folks other than information security professionals read this blog so I want to get this information out to that constituency as well as the info-sec community.

Here are the top seven things I think we can expect in 2022

1. Ransomware attacks will continue to increase, not decrease in 2022.

The business of ransomware, i.e., Ransomware-as-a-Service, is just too profitable for it to slow down or stop. The process is too developed, too streamlined, and too easy for criminals and the threat actor community to give it up. For those of us on the Blue team (the defense side in the whole red team/blue team dichotomy), we will continue to defend and protect our data and assets from threat actors on premises (traditional IT) and in the cloud (AWS, Azure, etc.).

Ransomware-as-a-Service is now so mature that there are access brokers, malware developers, hosting platforms, extortion specific websites, and even customer service teams to help victims pay via Bitcoin, plus you can be certain that criminals are making cybersecurity predictions of their own. Stay alert everyone: We are being targeted.

Read more: https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/  

2. Supply chain risk will continue to grow.

This is an outgrowth of the first item—ransomware increasing—and the number of vectors where criminals can attack is limited only by the number of companies in your supply chain. So think about who is supporting your business. Are they a secure company? Can they prove it?

If you don’t know your vendor partners well, or if you don’t know how secure they are, you need to find out. You are as insecure as they are. You need to make sure you are as well protected as feasible from risky suppliers. Third-party risk management will be a critical component of your risk management strategy in 2022 and beyond.

Read more: https://www.securityweek.com/critical-sap-vulnerability-allows-supply-chain-attacks

Read more: Software bill of materials (SBOMs): what is it good for?

3. Monitoring endpoints with MDR or XDR will grow to defend against the increase of ransomware.

To defend against ransomware attacks, the need for “eyes on glass” 24×7 will increase in 2022 and beyond.  Demand for managed detection and response (MDR) and eXtended detection and response (XDR) will increase due to management wanting to defend against attacks. Insurance companies as well are requiring companies and organizations to have MDR/XDR in order to qualify for cybersecurity insurance.

Read more: https://www.forbes.com/sites/forbesbusinesscouncil/2021/12/22/with-rising-cyber-insurance-costs-and-requirements-consider-new-alternatives-to-fight-ransomware/?sh=288404226e14

4. Multi-factor authentication (MFA) for e-mail and other business applications will grow, as will Zero Trust Networks (ZTN).

These security controls will grow to help defend against ransomware attacks. Just like MDR/XDR, MFA will be a requirement to qualify for cyber insurance. Vendors like Duo and others will see increased sales as companies move to MFA to meet those cybersecurity insurance requirements.

Read more: https://solutionsreview.com/security-information-event-management/understanding-and-complying-with-the-new-mfa-requirements-for-cyber-insurance/

Zero Trust Networks will be more than a buzzword in 2022 as more companies look to reduce their risk and attack surface. Some areas will be easier than others to move from classic trust frameworks, where a device is trusted because the company owns it, to Zero Trust, where the user, the device, and the applications are not implicitly trusted. Boards and senior executives will be asking and expecting CIOs to make the move to less trust and more verification, from the edge on down the chain.

Read more: https://www.forbes.com/sites/forbestechcouncil/2021/12/09/why-zero-trust-and-identity-will-be-boardroom-priorities-in-2022/?sh=5f2670a1d315

5. Cybersecurity insurance premiums will rise by 20%, 30%, and more.

The cost of insurance against cybersecurity attacks, data loss, and other security risks will continue to rise and drive the adoption of other threat detection and prevention tools as mentioned above. Companies looking to renew existing policies will face 30%, 40%, and higher percentage premium increases due to the explosion of attacks in 2020 and 2021. In addition to higher rates, the security controls that have to be in place to purchase insurance will increase (see items 3 and 4 above).

Read more: https://www.forbes.com/sites/theyec/2021/11/02/cyber-attacks-are-on-the-rise—what-executives-and-insurance-providers-can-do/

6. Nation-state attacks will increase.

With Russia testing out cyberattack tools against Ukraine, and North Korea testing out attack techniques against South Korea and others, nation-states will continue to attack soft targets around the globe. Collateral damage will occur as nation-states test and launch attacks, with some attacks impacting suppliers to other companies. Third-party and supply chain risks will be identified as a vector for these attacks, which is how many other companies will be impacted.

A manufacturing company in Indiana won’t be a target, but AWS or Azure will be, and the company’s AWS instance will be impacted as well. When nation-states are involved, even the biggest vendors can go down.

Read more: https://www.securitymagazine.com/articles/96781-top-15-cybersecurity-predictions-for-2022

7. California Privacy laws will start to impact U.S. businesses the same way that the GDPR impacted the EU.

The California Consumer Privacy Act (CCPA) and the new California Privacy Rights Act (CPRA) are just the tip of the iceberg in terms of new privacy legislation in the US. More than 30 states in the U.S. have data privacy laws and the number of states starting to give privacy rights to consumers is on the rise. This trend will continue and impact virtually every company that does business in the United States in 2022.

To get a head start on this, find out where your customer data resides, make sure you know everywhere it resides, and then start your data labeling process. You can be the CIO hero if you know where the data resides and how to delete it or correct it so that your customers can be forgotten or updated if they want, and you can prove that you did it.

Read more: https://news.bloomberglaw.com/privacy-and-data-security/top-privacy-law-issues-in-2022-as-congress-debates-a-federal-law

That is what I see on the horizon for 2022. What are you seeing and what predictions for cybersecurity have you made? E-mail me at john.bruggeman@cbts.com and let me know your thoughts on the upcoming challenges and opportunities in 2022.

Read more from John Bruggeman:

Cyber Insurance, part 1: What is Cyber Insurance and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire

Cyber Insurance, part 3: Filling out the questionnaire

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Cyber Insurance, part 4: What do you do if your cybersecurity insurance policy is denied?

Over my past three blog posts, I’ve talked about cyber insurance. The first one covered the topics of what it is and do you need it. The second post discussed what you need to have or know before you make the call to your agent to get a quote. My third post examined in detail what type of questions you’ll be asked and who else besides the information technology group has to be involved in order to answer the questions from the insurance carrier.

Insurance companies may choose not to insure you for various reasons. Discover those reasons, how to resolve the issues, and alternatives to buying cybersecurity insurance.

Now let’s talk about what to do if you can’t buy insurance, either because the premium is too high or no insurance carrier will cover you. Unfortunately, these days insurance carriers are denying coverage more often due to the very high probability that your company will be attacked and compromised. You want to prepare yourself for that possibility.

In this blog, I’ll cover your options if you are denied. Part one will address the reasons why the insurance company won’t cover you and what you can do to fix those issues. The second part will cover what you can do instead.

Why insurance companies won’t cover you

Insurance companies typically deny cyber insurance because they think you are too risky. Just as a 16-year-old who just got their driver’s license is very risky for a car insurance company, your company or organization can be viewed as too risky if you don’t have good cybersecurity practices in place.

How to resolve issues

First, you should try to find out why you were denied. It’s likely that the insurance carrier won’t tell you why; you’ll just be denied. To find out, take a look at the questions in Cyber insurance, part 2: The insurance company questionnaire and also in Cyber Insurance, part 3: Filling out the questionnaire. When you answer the questions in those two blogs, the areas you need to improve will likely stand out.

But what to do?

More often than not, the problem that is preventing you from qualifying for insurance can be resolved by adopting an information security framework like the NIST Cyber Security Framework or CIS Controls. A framework helps you standardize what you are doing to protect your data, assets, and systems from threats. You can adopt either of these frameworks at no cost to you, other than your time and effort.

Something else you can do that doesn’t cost anything other than time, but will help improve your security posture, is answering these five questions from Justin Hall. After you answer those questions, you can take these five steps to make your environment safer.

Alternatives to buying cybersecurity insurance

Second, what can you do instead of buying insurance?

Self-Insurance

Something to consider if you can’t buy insurance is establishing “self-insurance” against a ransomware attack or other cyber incident. Your comptroller or CFO might like this idea. If you take the money equivalent to an annual insurance premium and invest that in your information security program, you can make your environment more secure.

Imagine this scenario:

The insurance premium for a small company (100 employees or less) can range anywhere from $15,000 to $25,000 a year for a $1,000,000 policy. Take that money and implement some of the basic security controls in NIST or CIS and you’ve improved your information security program right away. Strategically do that each year for five years and you will then have a much more secure environment that is resistant to cyber attacks.

Incident Response Services

Another option is to purchase incident response services in case you have a cyber incident. In this case you are purchasing reactive services for when something bad happens. It’s not as good as preventing the incident, but you get help recovering from the crisis.

Limited Insurance

A third and final option would be to purchase a scaled-down or limited form of insurance that will help you recover from an incident but will not pay out a ransom. The following services are not insurance, but they are services you should consider purchasing:

  • Awareness and training services for your staff. This can potentially improve your defense against phishing e-mails or business e-mail compromise attacks.
  • Coaching for your executive team on how to handle a data breach or ransomware attack. Not everyone is prepared to respond calmly when a crisis occurs, so coaching can help.
  • Run a ransomware or data breach tabletop exercise (TTX). This allows your team to walk through the steps of a data breach or ransomware event and experience some of what you will go through in that kind of event.
  • Hire a ransomware negotiator to act on your behalf in case you are attacked. There are professional ransomware negotiators that assist with the price and payment if you choose to pay the threat actor.

These are just a few of the steps you can take if you can’t purchase cyber insurance at a price you can afford. One other action to consider is partnering with an expert vendor that specializes in information security and in helping companies establish and strengthen their cybersecurity programs. Contact our security team today to get your security program on the road to insurability.

In my next blog, I’ll talk about what we can expect on the cybersecurity front in 2022.


Read the cyber insurance series from John Bruggeman:

Cyber Insurance, part 1: What is cyber insurance, and do I need it?

Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Cyber Insurance, part 3: Filling out the questionnaire

Catch up with these tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?

Cyber Insurance, part 3: Filling out the questionnaire

We are on to Part 3 of our Cyber Insurance series. You have read parts one and two, you know you need it, and you have an idea what questions are going to be asked. Now you need to answer them.

Answers for a cyber insurance questionnaire could be found from teams across the organization. Everyone has a part to play for the organization to be cyber secure.

Hmm… do you (CIO, CISO, IT director, director of information systems) have all the answers?

Not likely. You probably have some of the answers, but not all.

Information security is not just a job for IT, it’s a job for the entire company. Everyone has a part to play for the organization to be cyber secure.

Read more: Top 5 cybersecurity actions to take right now

Some of the questions the insurance carrier will ask are related to data owned by other departments. Your HR department is responsible for safely storing employee information (salary information, tax information [including SSN], and healthcare information). The finance department is responsible for making sure your vendor information, company bank information, investments, and other financial data are stored securely. If you have a software development team or you store customer data, your application development team is responsible for that data.

GRC is an acronym you want to remember if you don’t know it already. Governance, Risk, and Compliance is the team that is typically responsible for making sure you have a plan or framework in place to keep your information safe, secure, and available.

For a small company, the GRC team might be all the vice presidents or managers, for a larger company it could be a dedicated team, and for a Fortune 100 company, it’s a team that reports to the board.

As the CIO you will likely have to answer these questions, so in a perfect world you call your chief information security officer (CISO) to fill out the questionnaire. On that call, they let you know that because of the proactive steps listed below, you can expect to get the best possible quote:

  • Micro-segmentation of the network.
  • A next-generation firewall (NGFW) at the perimeter.
  • Extended detection and response (XDR) on all endpoints with 24×7 monitoring.
  • Security information and event management (SIEM) tool implementation.
  • Monthly vulnerability assessments and remediation.
  • MFA implementation for e-mail, VPN, and network access.
  • A third-party assessment of your information security program, measured against the NIST Cybersecurity Framework.
  • Adaptive information security and awareness training.
  • Data governance and risk assessment protocols, policies, and procedures.

Congratulations, you are #WINNING!

“But, wait,” you say, “I don’t have a CISO or a person in the CISO role. What do I do?”

Don’t panic; that’s understandable and not unusual.

Not everyone has an adaptive information security program with all the features listed above. The NIST Cybersecurity Framework describes four implementation tiers: Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). I have talked with clients who are at the Adaptive level (tier 4), I’ve talked with those that are Risk Informed (tier 2), and I’ve talked with organizations in between.

The list of security practices above can be hard for an organization to implement unless top-level management faces regulatory or contractual requirements (e.g., Sarbanes-Oxley, GLBA, PCI DSS, or other federal regulations) or the organization has experienced a data breach, ransomware attack, or an expensive cyber incident of some kind.

Read more: The basics of Incident Response Planning: how do you do it?

The goal of a good information security program is to avoid these kinds of cybersecurity incidents, and the goal of cyber insurance is to limit the financial damage when one happens anyway:

  • Accidental disclosure or data breach of sensitive or personally identifiable information (PII).
  • Ransomware attack that cripples your organization.
  • Business e-mail compromise (BEC) that causes financial loss.
  • E-mail fraud (fake invoices or similar).
  • Malicious insider threat or other cyber incident.

What can you do if you do not have an adaptive information security program, but you know you have risks and you want to mitigate those risks as much as possible?

You need to know the basics of your environment, in other words, the who, what, when, where, why, and how of your information environment:

Who are you collecting data about? Your customers? Your employees? Random people who visit your website? Potential customers? Do you buy mailing lists?

What data do you collect? Personal data? Private data (social security numbers, credit cards, etc.)? Tracking information about your staff or customers?

When do you collect the data? When you make first contact? Every time you engage with them?

Where do you store that data? On-premises servers, a cloud provider, a SaaS application, laptops, or all of the above?

Why are you storing that data and for how long?

How are you storing that data? Is it encrypted at rest, who has access to it, is that access logged, and is it backed up somewhere an attacker with ransomware cannot reach?

Consider this another way to think about what is important to a cyber insurance provider: if you cannot answer these questions, neither can the underwriter, and the quote will reflect that uncertainty. I suggest you get some help with this process internally, and probably externally with a vendor partner. The vendor partner could be your auditors, or a company like CBTS that specializes in information security and helping companies set up a good InfoSec program. Contact our security team today to get your security program on the road to insurability.

Read more about Cyber Insurance from John Bruggeman:

Part 1: What is Cyber Insurance and Do I need it?

Part 2: Cyber Insurance, part 2: Getting ready for the insurance company questionnaire!

Part 4: What do you do if your cybersecurity insurance policy is denied?

More tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

Getting ransomware-proof, continued: CIS controls for medium-size organizations

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?