Capsicum attended and listened to a select panel of local cyber professionals at the Ft. Lauderdale Hilton at a recent Cyber Security Conference.
The conference featured educational sessions discussing current cybersecurity threats and solutions. The event featured an all-star lineup of Cybersecurity professionals, including a keynote from Klint Walker of the Department of Homeland Security. Topics included a security event analysis, a hacker's “fingerprints”, and cyber resilience training.
Three Cybersecurity themes proliferated during the event:
- The Key to Understanding the Threat Landscape is to Understand that it is Constantly in Flux
Today’s technology is driven by the concept of convenience, yet today’s risk landscape is shaped by the reality that convenience and security do not always go hand in hand. Information technology (the application of computers to process, transmit, and store data, typically in a business or enterprise environment) and operational technology (hardware and software systems that monitor and control physical equipment and processes) are not distinct any more. IT is not isolated; rather, it is interconnected.
With more devices becoming interconnected, the available attack surface is continually expanding. Basically, more data equals more targets. On top of the expanding attack surface, it’s also getting easier and easier to be a cybercriminal. Law enforcement speakers pointed out how cybercriminals are collaborating, organizing, and communicating with increasing sophistication. Increasing connectivity has made “Island hopping” through business or social networks that much easier, and phishing attacks are being socially engineered with remarkable detail and intel.
One speaker recounted how easy it was to access the contact list, text messaging threads, and call history data of seven prior individuals who had connected their cell phone to the speaker’s rental car. Another speaker highlighted the ease of accessing a businesses’ enterprise system via an unpatched integrated HVAC system. Internet-of-Things and other embedded devices are immediately vulnerable when connected to the internet and are thus easily overlooked. It is important to remember to patch IOT devices (once the patches have been tested and verified) – HVAC, Nest, Ring, elevators, etc. (both the OT systems as well as IT systems).
What’s important for organizations to understand is whether this level of connectivity is necessary. Not every organization is fully cloud-based for security reasons, and likewise, organizations should not hastily embrace IOT unless operations necessitate it. forthcoming advanced technologies provide great convenience but also present unknown risks that we are prepared to address; additional examples to consider are Fin-tech, embedded medical devices and Medical IoT devices, and wireless body area networks technology (a wireless network of wearable computing devices). While it is not plausible for every business, many organizations eliminate this risk by locking down unnecessary technologies: i.e., no USB policies, bans on cross-border communication, prohibiting bring-your-own-device, and eliminating other unnecessary technologies. Even then these policies are not always followed and difficult to enforce.
- Employees Remain an Integral Part of Any Organization’s Cyber Strategy
“We have two Cybersecurity threats: our employees and then everyone else” – Don Cox – MBA, MSc ITM, CISM, PMP
Employees can be an organization's greatest defense against cyber threats or the first line of liability. Accordingly, it is remarkably important to ensure your employees are trained and comfortable with approaching the reality of cyber threats against your organization. Training your employees is protecting your organization from your employees.
People are still the variable most easy to exploit so having organized programs (such as a suspicious email button) and awareness campaigns (education and faux-phishing tests) ensure employees will stay cognizant and vigilant. Having supplementary training for those who fail faux-phishing tests is highly recommended as well. One speaker suggested stressing the value of cybersecurity and its relationship to the longevity of an organization, and thus that employee’s job. Another emphasized teaching employee’s how to protect their cyber assets at home, which should translate into better work behavior. As for technical solutions to implement to supplement employee behavior, one speaker suggested monitoring behavior analytics to identify and respond to abnormalities with employee device usage.
Permissions, access, and other policies need to strike a delicate balance: If you are too stringent people are going to bypass your security, if you are too lax they are going to introduce threats. The key is to manage risk and utilize the tools that allow employees to achieve their goals while involving and managing the human element.
Perhaps most importantly, employees need to feel they can discuss strange cyber-events without being blamed or getting fired. In sum, the best strategy is awareness and transparency, from both employee and employer.
- Mergers & Acquisitions are a Vital Area in which Businesses Need to Exercise Safety and Security
Organizations poised for growth are an attractive target to malicious actors, and the numbers speak for themselves. This year, there were 49,000 merger & acquisition transactions worldwide; 83% of them ultimately failed. But even when these complicated and delicate deals are successful, 52% of successful mergers still have security issues following the merger. In some notable cases, targeted phishing campaigns began as soon as 30 minutes after a public announcement of a merger.
What can a party do to minimize this threat? At the outset, CISOs should have a seat at the M&A negotiation table, and cyber risk needs to be talked about as a key component to the merger. At some level, the security team should be engaged. Although executives may hide behind confidentiality, that is no reason to keep the security team out, they’re security and this should be a worthwhile exercise for all involved
The experts also suggest having comprehensive premerger priorities for enterprise security, including going back to basics with a focus on identity, privilege, access, and dual-factor; utilize the NIST framework; reducing risk profile by having vendors audit and test your security; constantly store well-configured backups within secure repositories; teaching employees, making sure both parties to an M&A deal maintain a thorough asset inventory.
If you don’t think cybersecurity is a key factor to an M&A deal, just ask Verizon, who bought Yahoo at a 10% discount following the disclosure of two breaches at Yahoo.
With years of experience mitigating cyber-threats, including company insiders, misconfigurations, missing security updates, malware, and programming errors, Capsicum’s team knows how deeply a company suffers when an intruder exploits their network’s vulnerabilities. For companies seeking more robust security in their current network, our team members perform a thorough, top-down assessment to create a unique security profile for your company.
Our Certified Ethical Hackers (CEH) and Computer Hacking Forensic Investigators (CHFI) provide risk assessment, penetration testing, code review, cloud security, threat hunting, and phishing attack simulation in order to create a unique security profile for your company by flagging vulnerabilities and anticipating weaknesses within your technical infrastructure and verifying that the policies, procedures, and controls you have in place are truly being enforced. With Capsicum at your side, risk assessment, penetration testing, code review, cloud security, threat hunting, and phishing attack simulation are just a few of the services our team of law enforcement and military-trained technology professionals can perform. If your business network has already been compromised, we use state-of-the-art forensic techniques to investigate all possible threats and respond to incidents quickly and effectively. We then work with you to set up world-class solutions that minimize your risk of future incidents.
If you have additional questions regarding any of our services, please do not hesitate to contact us either by phone or email.