6 security trends to keep an eye on in 2020

Happy 2020! As a practitioner and consultant I’m excited to see what the year brings in terms of new technology, research, and clever Twitter and blog posts from the security community. To get the ball rolling, here are six security trends to keep your eye on as we start the new year.

Two security trends for home users and consumers:

1. Attacks against smart home products will increase

We will see more discovered vulnerabilities in, and attacks against, so-called “smart home” products, such as smart speakers, security systems, and cameras. Any time we see widespread deployment of technology that is, relatively speaking, in the early stages of maturity, we expect that attackers will pay attention and work to discover ways to circumvent security functions of these devices. In the last few months we’ve seen lasers used to surreptitiously command smart speakers, attackers remotely compromise smart home devices, and the inadvertent disclosure of PII from smart camera owners by the camera’s vendor. Expect attackers to look for, find, and exploit ways to control, obtain sensitive data from, and disrupt these devices.

What you can do today:

Make sure you’ve hardened your smart home devices. Change factory passwords after you install them, restrict the activities they can perform without identity validation, and regularly review the “connected apps” they use.

2. An influx of noise on social media

Because of the 2020 presidential election, we expect social influence operations from foreign states with an interest in our country’s politics to escalate substantially. This will include social media “news” posts, activity programmatically generated by computer-controlled (or “bot”) accounts, and an uptick in spam e-mail and robocalls to your phone. There’s also the possibility that attackers will target our voting machines. Stanford University’s Cyber Policy Center published an excellent paper on the risks and on countermeasures and controls to ensure our elections are conducted with integrity and security.

What you can do today:

Be cautious about blindly trusting any material you read in your browser or on your smartphone. Make sure you’re getting your news from vetted sources that are known to publish content of substance based on careful investigation and thorough research. Contact your state and local boards of elections and tell them you expect the voting process to be secure, transparent, and free from any interference, and ask what is being done to ensure this happens.

Four security trends for enterprises:

1. Ransomware incidents will continue to shift from opportunistic to targeted attacks

Opportunistic attacks—those that aren’t focused on a specific individual or organization, but instead sent broadly to the public Internet—are certainly still going to happen, but we are seeing more and more ransomware incidents that are deliberate in nature, with a focused effort on a specific organization (say, the City of Baltimore or New Orleans). Attackers will build phishing and social engineering campaigns designed to exploit human weaknesses, as well as find exposed infrastructure with technical weaknesses and misconfiguration that will allow them a presence on the network. They will use this presence to install ransomware on key systems, attempting to impact the organization’s operations sufficiently to encourage payment.

2. Business e-mail compromise attacks will continue

We also expect “business e-mail compromise” attacks to continue, as attackers conduct similarly focused campaigns to obtain access to trusted e-mail accounts and then use that access to trick employees into providing cash, gift cards, funds transfers, or financial information. It is by far the most common successful “cyber” attack we see in our customer environments: trivial for an attacker to perform with commoditized tools and methodologies, and with susceptible users at nearly every business.

What you can do today:

Begin a comprehensive security awareness training effort, intended to teach users to spot and report these attacks. Inform every employee that their managers and leadership aren’t going to ask them to take pictures of gift cards and text them back, so those requests can be safely ignored! Review your security controls posture to ensure you have sufficient defense against these threats.

3. Improvements in attacker capability

Attackers will focus research efforts on credential theft, bypass of so-called “next generation” endpoint protection solutions, and defeating multi-factor authentication. We can expect to see new standalone tools, shared code, and malware kits that leverage these advances.

What you can do today:

Ensure your risk management efforts include staying current with modern threats, including those that compromise the effectiveness of the controls you’ve deployed. Continue to monitor the threat landscape, the output from vendors that provide these solutions, and at least annually review your control set to ensure it aligns with the risks you’ve identified.

4. The California Consumer Privacy Act went into effect on January 1

That means if you serve customers in California and (a) make $25M in revenue, (b) possess personal data for more than 50,000 individuals, or (c) sell personal data and make more than 50% of your revenue from that effort, you are subject to the law. You’re required to tell customers what data you’re collecting about them, provide this data to them when requested, and delete it when requested. The EU’s General Data Protection Regulation (GDPR) made this practice more common in 2018, but we anticipate a greater number of US businesses will be looking to add it in 2020.

What you can do today:

Read the CCPA to see if you’re subject to the law, and if so, get ready to field requests from customers or face penalties.

How to efficiently search for executive technical talent

Finding the right executive talent to manage a rapidly evolving technology environment is proving to be one of the most significant challenges facing the enterprise in this age of digital transformation.

The fact of the matter is, those who are qualified for senior-level IT jobs have spent the bulk of their careers overseeing the static, silo-laden infrastructure of the on-premises data center and have only recently come to grips with the scalability and availability of the cloud. In short order, however, both of these environments will become steeped in artificial intelligence, system autonomy, and a host of other technologies that will not only remake data infrastructure itself but also business processes, services, and perhaps the entire business model.

This puts the enterprise in an unstable position when it suddenly finds itself without a key player since it can leave a major gap in day-to-day operations or even bring key processes to a standstill. With the business at risk, then, the faster you can fill that job with a qualified candidate and then transfer the necessary knowledge, the faster you reduce the severity and duration of the situation.

Attributes technically-inclined executive talent should have

The problem that most organizations encounter is that the pool of candidates possessing the right experience and leadership skills is limited. Ideally, you need to find not just a good manager but a technology visionary with the following skillsets:

  • Communications. When working with non-technical executive leadership or front-line employees, the candidate must be able to translate complex technology solutions in ways that are both relatable and compelling. Likewise, they must be able to understand the needs and concerns of others as they relate to the mission of the organization.
  • Foresight. The ability to seek out mission leaders and champion new initiatives, even in the face of internal blowback, is essential. This skill must apply not only to new deployments but in supporting ongoing programs as well.
  • Deep knowledge. Tech leaders should have a broad knowledge of technologies and technology initiatives and should be fully versed in the impact they will have on legacy operations and future goals. The ability to determine risk and evaluate risk ownership is also a key attribute.
  • Leadership. Mentoring, monitoring, and managing both individuals and teams is a crucial aspect of the job. Successful project management is also required, as is longer-term strategic thinking.

Laying out the requirements for top technical talent is one thing; actually finding qualified candidates is quite another. A typical mistake is to rely on internal HR and other sources to locate and vet candidates when there are specialized consultants and staffing services that can tap a far wider range of resources to acquire senior-level candidates.

CBTS provides access to top executive talent

At CBTS, we provide quick access to top executive talent with all of the skills needed to take control of demanding technical environments. Since we are at heart a technology company, we understand the technical needs of our clients and what it takes to achieve success in an increasingly competitive landscape.

Our subject matter professionals prescreen all potential candidates to ensure they are experts in their respective fields and maintain all the necessary training and certifications. We also provide a range of staffing solutions, from temporary placements to maintain operations while permanent hires are being vetted, to the transition of the temp executive to full-time status should they turn out to be the right person for the job. Either way, the enterprise saves time and money during the appointment process and lessens the risk of a bad hire or termination.

Conclusion

Despite all of the advanced technology that has come to bear on the modern business model, the most valuable enterprise asset remains its human talent, particularly those at the top of the organizational structure. Vacancies at this level must be filled quickly but not carelessly. By turning to outside help like CBTS, organizations will find that they can satisfy both demands with a temporary hire in conjunction with a thorough, professional candidate search.

For information on how CBTS can help with your staffing needs, please visit: https://www.cbts.com/consulting-services/it-staffing-and-consulting/.

How to build a Cyber Risk Program

Digital Transformation is defined as the process of exploiting digital technologies and supporting capabilities to create a robust new business model which is led by executive management or at the board level. But is it also an opportunity to build a security strategy to align cyber risk to desired business outcomes?

According to IDC (Source – Worldwide CISO Influence Survey 2018), business leaders and CISOs view information security as vital to the competitiveness of products and services while protecting the interests of their customers.

Areas an Enterprise Cyber Risk Program should cover

When an organization promises to deliver the value of digital business to customers, it’s often the case that security is not at the table when critical decisions are being made. Without security representation at the right time, organizations are exposing themselves to business critical risks that could severely damage their brand.

As organizations continue to expand their digital footprint, an Enterprise Cyber Risk Program should be an integral part of the plan and should cover the following four areas:

  • Understanding and protecting your data.
  • Securing your applications.
  • Ensuring appropriate access.
  • Identifying and responding to incidents.

Questions to consider when building an Enterprise Cyber Risk Program

Here are some questions to consider as you build your program:

  1. What is your most critical and sensitive data? Where does it reside and how should you classify and protect it?
  2. With 90% of exploits being attributed to code defects in applications, how are you securing what has become the main entry point to your environment?
  3. How do you assure that the right people and things have the right access to the right data at the right time?
  4. It’s easy to monitor for security incidents that you are looking for, but how do you detect the ones that you have missed and drive them back into your automated detection and response processes?

CBTS can help you

If you would like to discuss in more detail, please email security@cbts.com.

Cybersecurity Awareness Month: the Essential Security Practice

I’ve spent more than half of my 23-year IT career in security. In seeing shifts from standalone viruses to networked worms to state-sponsored attackers and ransomware, I’ve heard folks say periodically that we’re failing as an industry. “Look at all the breaches,” they say, “we’re obviously having no impact, we need to rethink everything we’re doing.”

To which I say, frankly, that view is nuts. Totally bonkers.

Effective prevention, detection and response is the goal of information security

Of course, the number of breaches we see, the volume of lost records, and the degree to which certain threat actors can act with impunity inside certain networks are always alarming. The practitioners I know don’t see that as a hopeless situation, but instead as an opportunity to which they will rise. The fact is, we’ve had a clear positive impact. I know that, because no threat actor can do whatever they want on any network they want. Attacks are stopped every day. Breaches are detected, cleaned up, and improvements are made every week.

Think of it like law enforcement: The goal of law enforcement isn’t to stop crime, because you’ll never stop all crime. It’s not possible. It’s not even a reasonable goal that any police officer aims for. The goal is to minimize crime and allow law enforcement to protect as much as they can.

The information security industry has a similar goal: It’s not possible to guarantee an organization won’t suffer a breach. However, organizations can commit to doing their best to stop opportunistic attacks. When a breach does occur, the organization can commit to a complete and effective response.

Use October to re-commit your organization to cybersecurity awareness

I’ve been reminded recently, though, where our most challenging work will continue to reside, and that is in improving the cybersecurity awareness of the non-technical folks in our midst.

Fraud, business e-mail compromise, and e-mail account compromise are still plaguing many organizations.

The Internet Crime Complaint Center noted recently that in the last three years we’ve seen over $26 billion lost to these attacks.

Technical controls can help, but the most important step we can take is educating individuals about the types of attacks that they can expect to see and how to report them.

Our partners Proofpoint and Cofense have some great resources available to help address this threat. I know we can continue to make our organizations more secure as we work together, equipping our customers with the tools and practices to protect themselves and their assets.

Happy October, and Happy Cybersecurity Awareness Month!
