InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
President Joe Biden on Tuesday signed into law a $1.5 million government funding bill that includes legislation mandating critical infrastructure owners report if their organization has been hacked or made a ransomware payment.
Biden signed the legislation during a White House ceremony that was attended by administration officials and top Democratic lawmakers, including including House Speaker Nancy Pelosi (Calif.), Senate Majority Leader Chuck Schumer (N.Y.).
The Strengthening American Cybersecurity Act — which was attached to the spending deal that keeps the federal government open until September — requires that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization made a ransomware payment. It also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment.
CISA will have up to two years to publish a notice in the Federal Register on proposed rulemaking to implement the reporting effort, though it may move faster due to heightened concerns about Russian cyberattacks bleeding out of Moscow’s invasion of Ukraine.
“This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber-attacks and ransomware payments to the federal government,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who authored and championed the legislation along with Sen. Rob Portman (R-Ohio), said in a statement.
Portman, the panel’s top Republican said the legislation will “give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks.”
While some applications are still being built on a monolithic (all-in-one) architecture – i.e., all components in a single code base, on a single server, connected to the internet – an increasing number of them is now based on the microservices architecture, with each application microservice a self-contained functionality, “housed” in a container managed by an orchestrator like Kubernetes, deployed on the cloud (public or private), and communicating with other application microservices over the network in runtime.
But with applications no longer self-contained, security vulnerabilities are no longer present just in the code; vulnerabilities can “start” on one microservice, go through multiple components, and “finish” on a different microservice.
“We are no longer dealing with just vulnerabilities, but also with vulnerable flows between microservices. On top of that, as cloud-native applications are built on multiple infrastructure layers – the container, the cluster, and the cloud – they way these layers are configured affects what a hacker can do with these vulnerabilities,” notes Ron Vider, one of the co-founders and the CTO of Oxeye.
Modern architectures require modern AppSec testing solutions
This dramatic change in how applications are structured has made traditional approaches to application security ineffectual and has created security blind spots for AppSec and DevOps teams.
“Old-school” software composition analysis (SCA) and static, dynamic, and interactive application security testing (SAST, DAST, IAST) tools are run independently, are not synchronized with one another, and are unable to cross-reference and use enriched data from other code layers in the environment. The incomplete and inaccurate results they provide when testing cloud-native apps have made it obvious that a new approach and new, better tools are needed.
Oxeye is one such tool. It essentially combines all AST methodologies with a new generation of security control assessment capabilities and, as a result, excels in finding and correctly prioritizing vulnerabilities in cloud-native applications that need to be addressed. It helps clear the noise of false positives/negatives delivered by legacy solutions, and allows developers and AppSec teams to focus on high-risk, critical vulnerabilities.
Getting started with Oxeye is fantastically easy: you need to deploy a single component (Oxeye Observer) into your staging or testing environment, and you do it by using a single YAML file containing its definitions.
“The Oxeye Observer immediately starts running within the cluster and starts it automatic discovery process,” Vider told Help Net Security.
“First it analyzes the infrastructure to understand how the application is configured, and it does that by communicating with the with the Docker API, the containerd API, the Kubernetes API and the cloud provider API, and fetching the relevant configuration. Then, it detects potential vulnerabilities in the code (the application’s code and the third-party components). Next, it analyzes the communication between the different components and traces their flow. Finally, it validates the found vulnerabilities by sending payloads to the application and analyzing its behavior, to understand whether it’s exploitable or not.”
The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel.
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel.
The Ukrainian agency attributes the campaign to the Belarus-linked cyberespionage group tracked as UNC1151.
In mid-January, the government of Kyiv attributed the defacement of tens of Ukrainian government websites to Belarusian APT group UNC1151. Defaced websites were displaying the following message in Russian, Ukrainian and Polish languages.
“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.” reads a translation of the message.
In November 2021, Mandiant Threat Intelligence researchers linked the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus. In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites. According to FireEye, the campaign tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.
Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks, instead, threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
Now Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters, that the Ukrainian government blamed the UNC1151 APT group. Demedyuk explained that the attacks were carried out to cover for more destructive actions behind the scenes.
The nation-state group is using the compromised accounts to target contacts in the victims’ address books. Attackers spear-phishing messages have been sent from email accounts using the domains
i.ua-passport.space
and
id.bigmir.space
.
The phishing messages used a classic social engineering technique in the attempt to trick victims into providing their information to avoid the permanent suspension of their email accounts.
The phishing attacks are also targeting Ukrainian citizens, reported the State Service of Special Communications and Information Protection of Ukraine (SSSCIP).
Warning ⚠️ A phishing #attack has started against Ukrainians! Citizens' e-mail addresses receive letters with attached files of uncertain nature. The mass distribution of such messages to messengers may happen. #cyberattacks#Ukrainepic.twitter.com/YPvFH2oNk0
Learning attacker Tactics, Techniques and Procedures (TTPs) are imperative in defending modern networks. This hands on guide will help guide you through these with step by step tutorials using numerous pictures for clarity.
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware families were released on the BleepingComputer forums by the alleged malware developer.
The Maze group was considered one of the most prominent ransomware operations since it began operating in May 2019. The gang was the first to introduce a double-extortion model in the cybercrime landscape at the end of 2019. At the end of 2019, the Maze ransomware implemented data harvesting capabilities and started threatening the victims to release the stolen data for all those victims who refuse to pay the ransom.
In November 2020, the Maze ransomware operators announced that they have officially shut down their operations and denied the creation of a cartel.
Maze operation then rebranded in September as Egregor, but on February 2021 several members of the Egregor group were arrested in Ukraine.
The Sekhmet operation was launched in March 2020 and it has some similarities with the above ransomware operations.
While TTP’s of Egregor operators are almost identical to that of ProLock, the analysis of Egregor ransomware sample obtained during an incident response conducted by Group-IB revealed that the executable code of Egregor is very similar to Sekhmet. The two strains share some core features, use similar obfuscation technique. Egregor source code bears similarities with Maze ransomware as well.
Now the decryption keys for these operations have now been leaked in theBleepingComputer forums. The keys were shared by a user named ‘Topleak’ who claims to be the developer for all three operations.
“Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families. also there is a little bit harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat.” the user wrote on the forum.
“Each archive with keys have corresponding keys inside the numeric folders which equal to advert id in the config. In the “OLD” folder of maze leak is keys for it’s old version with e-mail based. Consider to make decryptor first for this one, because there were too many regular PC users for this version. Enjoy!”
TopLeak user pointed out that it is a planned leak, and is not linked to recent arrests and takedowns conducted by law enforcement. The alleged ransomware developer added that none of the ransomware gang will ever return in ransomware operation and that the source code of tools ever made is wiped out.
In one of the archives leaked by the user there is the source code for a malware dubbed ‘M0yv’ that was part of the gang’s arsenal.
The popular malware researchers Michael Gillespie and Fabian Wosar confirmed to BleepingComputer that they are decryption keys are legitimate and allow to decrypt files encrypted by the three ransomware families for free.
Emsisoft has released a decryptor a free decryption tool for the Maze, Egregor, and Sekhmet ransomware
The world relies on technology. So, a strong cybersecurity program is more important than ever. The challenge of achieving good cyber hygiene can be especially acute for small- and medium-sized businesses. This is particularly true for those with fully remote or hybrid work environments. Add to the mix limited resources and limited talent focused on cybersecurity, and the challenges can seem overwhelming.
Considering this, we’ve simplified things down to three key elements of a strong cybersecurity program. You need to know how to assess, remediate, and implement security best practices at scale. In more detail, this means:
Assessing your organization’s current cybersecurity program and its prioritization
Remediating endpoints at scale, bringing them into compliance with security best practices
Implementing cybersecurity policies and monitoring them to stay in compliance
1. Assess your organization’s current cybersecurity program
Taking the first step toward better cyber hygiene means understanding where your organization stands today. Conduct an honest assessment of your strengths and weaknesses in order to prioritize where to focus your efforts for your cybersecurity program. The challenge here is finding the right bar to measure yourself against. There are several frameworks that will do the job. Thus, it can be daunting to figure out which one is the right fit, especially if this is the first time you’re doing an assessment. Starting with the CIS Controls and CIS Benchmarks can help take the guesswork out of your assessment and provide peace of mind that you’re covering all of your bases.
Here’s what makes these two sets of best practices especially useful:
They tell you the “what” and the “how”: Many frameworks tell you what you should do, but not how to do it. CIS best practices give you both.
They are comprehensive and consensus-based: CIS best practices are developed in collaboration with a global community of cybersecurity experts. They’re also data-driven as explained in the CIS Community Defense Model.
They are mapped to other industry regulatory frameworks: CIS best practices have been mapped or referenced by several other industry regulatory requirements, including: NIST, FINRA, PCI DSS, FedRAMP, DISA STIGs, and many others. This means you can get the proverbial “two birds with one stone” by assessing against CIS best practices.
The CIS Controls are a prioritized and prescriptive set of safeguards that mitigate the most common cyber-attacks against systems and networks. The CIS Benchmarks are more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats. Both are available as free PDF downloads to help you get started.
2. Remediate endpoints at scale with CIS Build Kits
One of the challenges in applying any best practice framework is dedicating the time and resources to do the work. Luckily, CIS offers tools and resources to help automate and track the assessment process. The CIS Controls Self Assessment Tool (CIS CSAT) helps organizations assess the implementation of the CIS Controls. Additionally, the CIS Configuration Assessment Tool (CIS-CAT Pro Assessor) scans target systems for conformance to the CIS Benchmarks. CIS-CAT Pro Assessor allows you to move more quickly toward analyzing results and setting a strategy to remediate your gaps.
CIS resources and tools are designed to help you move toward compliance with best practices by remediating the gaps. Once you understand where your gaps are and how to fix them, you can use CIS Build Kits to achieve compliance at scale. CIS Build Kits are automated, efficient, repeatable, and scalable resources for rapid implementation of CIS Benchmark recommendations. You can apply them via the group policy management console in Windows, or through a shell script in Linux (Unix,*nix) environments.
Interested in trying out a Build Kit? CIS offers sample Build Kits that contain a subset of the recommendations within the CIS Benchmark. They provide you a snapshot of what to expect with the full CIS Build Kit.
3. Implement cybersecurity policies and monitor for compliance
Lastly, creating strong policies and monitoring conformance helps ensure that an organization is working toward a more robust cybersecurity program. Regularly monitoring conformance over time is critical. It helps you avoid configuration drift, and helps identify any new issues quickly. CIS tools can help monitor conformance and identify gaps.
CIS-CAT Pro Dashboard provides an easy-to-use graphical user interface for viewing CIS Benchmark conformance assessment results over time. Similarly, CIS CSAT Pro enables an organization to monitor implementation of the CIS Controls over time.
A strong cybersecurity program with CIS SecureSuite Membership
Any organization can start improving its cyber hygiene by downloading CIS’s free best practices, like the PDF versions of the CIS Benchmarks. But it’s important to know that you don’t have to go it alone. A cost-effective CIS SecureSuite Membership can be both a solution to your immediate security needs, as well as a long-term resource to help optimize your organization’s cybersecurity program.
You’ll get access to:
CIS-CAT Pro Assessor and Dashboard
CIS CSAT Pro
CIS Build Kits
CIS Benchmarks in various formats (Microsoft Word, Microsoft Excel, XCCDF, OVAL, XML) and more
Get the most out of CIS best practices for your cybersecurity program by signing up for a cost-effective CIS SecureSuite Membership.
Information risk management is the process of identifying the ways an organisation can be affected by a disruptive incident and how it can limit the damage.
It encompasses any scenario in which the confidentiality, integrity and availability of data is compromised.
As such, it’s not just cyber attacks that you should be worried about. Information risk management also includes threats within your organisation – such as negligent or malicious employees – as well as residual risks.
For example, the framework can help you address misconfigured databases, software vulnerabilities and poor security practices at third parties.
In this blog, we take a closer look at the way information risk management works and how organisations can use its guidance to bolster their security defences.
Why is information risk management important?
In the face of ever-growing cyber threats, it can be difficult for an organisation to protect its information assets.
Last year, the World Economic Forum listed cyber crime alongside COVID-19, climate change and the debt crisis as the biggest threats facing society in the next decade. It’s clear, then, that organisations need a plan for identifying and addressing security risks.
With an information risk management system, organisations gain a better understanding of where their information assets are, how to protect them and how to respond when a breach occurs.
One way it does this is by forcing organisations to not only identify but also assess their risks. This ensures that organisations prioritise scenarios that are most likely to occur or that will cause the most damage, enabling them to make informed decisions in line with their security budget.
How risk management works
To understand how risk management programmes work, we need to take a closer look at what ‘risk’ actually is.
In an information security context, risk can be defined as the combination of a vulnerability and a threat.
As we’ve previous discussed, a vulnerability is a known flaw that can be exploited to compromise sensitive information.
These are often related to software flaws and the ways that criminal hackers can exploit them to perform tasks that they weren’t intended for.
They can also include physical vulnerabilities, such as inherent human weaknesses, such as our susceptibility to phishing scams or the likelihood that we’ll misplace a sensitive file.
This is different from a threat, which is defined as the actions that result in information being compromised.
So, to use the examples above, threats include a criminal hacker exploiting a software flaw or duping an employee with a bogus email.
When a threat meets a vulnerability, you get a risk. In the case of the criminal hacker phishing an employee, the risk is that the attacker will gain access to the employee’s work account and steal sensitive information. This can result in financial losses, loss of privacy, reputational damage and regulatory action.
A risk management system helps organisations identify the ways in which vulnerabilities, threats and risks intertwine. More importantly, it gives organisations the ability to determine which risks must be prioritised and identify which controls are best equipped to mitigate the risk.
Start protecting your business
At the heart of risk management is the risk assessment. This is the process where threats and vulnerabilities are identified. Organisations can use the result of the assessment to plan their next moves.
With vsRisk, you’ll receive simple tools that are specifically designed to tackle each part of the risk assessment.
This software package is:
Easy to use. The process is as simple as selecting some options and clicking a few buttons.
Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
Streamlined and accurate. Drastically reduces the chance of human error.
The heightened risk of cyberattacks on businesses is being compounded by significant recruitment and retention issues within cybersecurity teams, making businesses more vulnerable to potential attacks, according to a research from ThreatConnect.
With the number of data breaches in 2021 soaring past that of 2020, there is added pressure on cybersecurity teams to keep businesses secure. The research has found a concerning level of staff turnover, skills shortages, burnout, and low staff morale, pointing towards depleted reserves trying to manage the growing risk.
Cybersecurity teams recruitment and retention issues
Senior decision-makers across the US report an average security staff turnover rate of 20%.
64% of senior decision-makers have seen a rise in turnover over the past year.
43% of US respondents attribute a lack of skills as the biggest barrier for recruitment.
1 in 5 US respondents are considering quitting their jobs in the next six months.
57% of US respondents have experienced an increase in stress over the past six months.
The COVID-19 pandemic has created what many are calling the Great Resignation, which has affected all industries for the past two years. Employees, specifically those in the security industry, are now being expected to do more with less.
Cybercrime has increased significantly over the past year, making digital protection for businesses both more important and more difficult to achieve. Companies cannot afford to lose any security team members with cybercrime increasing so rapidly.
“In today’s digital ecosystem it is crucial that security employees receive adequate training, support, and resources needed to work efficiently in their jobs,” said Adam Vincent, CEO of ThreatConnect. “As employee turnover increases in this sector, it creates a vicious cycle that impacts a company’s performance and ability to mitigate cyber risks.”
“This makes it even more difficult for security teams to fulfill the company’s needs. Organizations must look at these numbers and recognize that there is more that can be done to protect their employees and in turn, the welfare of their company.”
More than 3,600 network-attached storage (NAS) devices from Taiwanese company QNAP have been infected and had their data encrypted by a new strain of ransomware named Deadbolt.
Devices attacked by the Deadbolt gang are easy to recognize because the login screen is typically replaced with a ransom note, and local files are encrypted and renamed with a .deadbolt extension.
The threat actor behind the attacks is extorting not only the owners of the NAS devices but also the QNAP company itself.
According to a copy of the ransom note, device owners are told to pay 0.03 Bitcoin ($1,100) to receive a decryption key to unlock their files, while in an second note, the hackers demand 5 Bitcoin ($1.86 million) from QNAP to reveal details about the supposed zero-day vulnerability they have been using to attack its users, and another 50 Bitcoin ($18.6 million) to release a master decryption key that unlock all of the victims’ files.
For its part, QNAP was quick to formally acknowledge the attacks in a blog post on Wednesday, hours after hundreds of users started flocking to its support forum to report finding their files encrypted.
In the first days following the attack, the company has been telling users to disconnect devices from the internet and, if not possible, at least disable features such as port forwarding and UPnP on their routers, to prevent attackers from connecting to the NAS systems.
An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it can allow to gain root privileges.
The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) since the initial commit of pkexec, this means that all the versions are affected.
Polkit (formerly PolicyKit) is a component used to controll system-wide privileges in Unix-like OS. It allows non-privileged processes to communicate with privileged processes. polkit also allow to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
Researchers from Qualys Research Team have discovered a memory corruption vulnerability in SUID-root program polkit.
“The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution.” reads the post published by Qualys.”Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable.”
“This vulnerability is an attacker’s dream come true” explained Qualys:
pkexec is installed by default on all major Linux distributions (we exploited Ubuntu, Debian, Fedora, CentOS, and other distributions are probably also exploitable);
pkexec is vulnerable since its creation, in May 2009 (commit c8c3d83, “Add a pkexec(1) command”);
any unprivileged local user can exploit this vulnerability to obtain full root privileges;
although this vulnerability is technically a memory corruption, it is exploitable instantly, reliably, in an architecture-independent way;
and it is exploitable even if the polkit daemon itself is not running.
Experts pointed out that it is very easy to exploit the flaw, while Qualys doesn’t plan to release a PoC for this issue other experts are already working on releasing it.
Bleeping Computer reported that a working exploit was publicly released less than three hours after Qualys published the technical details for PwnKit. BleepingComputer has compiled and tested the available exploit, which proved to be reliable as it gave us root privileges on the system on all attempts.
Microsoft said today that it has observed a destructive attack taking place in Ukraine where a malware strain has wiped infected computers and then tried to pass as a ransomware attack, but without providing a ransomware payment and recovery mechanism.
“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues,” the Microsoft Threat Intelligence Center said in a blog post late Saturday night.
The OS maker said the affected systems belong to multiple government agencies, non-profits, and information technology organizations, all based in Ukraine.
Microsoft said it has not yet identified the distribution vector or if the attack spread beyond the original Ukrainian targets.
The attack does not appear to be at the same scale and virality as the NotPetya and BadRabbit wiper events that targeted Ukrainian organizations in June and November 2017, respectively, and then spread all across the world.
Just like the NotPetya and BadRabbit wipers, Microsoft said that this recent one also comes with a component that overwrites a computer Master Boot Record (MBR) and prevents them from booting.
The malware corrupts files, rewrites MBR, hides as ransomware
The malware, which Microsoft calls WhisperGate, then replaces the boot-up screen with a ransom note, which, according to Microsoft, includes a ransom fee, a Bitcoin address to receive payments, and a Tox ID to get in contact with the attackers.
In case victims manage to restore their MBR and their boot-up sequence, Microsoft says the malware also corrupts files with a certain extension by overwritting their contents with a fixed number of 0xCC bytes up to a total file size of 1MB.
“After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension,” Microsoft said.
) in the Log4j library to gain access to VMware Horizon systems.
The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom.
Researchers from MalwareHunterteam first spotted the ransomware family, once encrypted a file, the ransomware appends the ‘.nightsky‘ extension to encrypted file names.
In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of 2111, 7.13.1, 7.10.3 versions, but unfortunately many unpatched systems are still exposed online.
On Monday, Microsoft posted a warning about a new campaign from a China-based actor it tracks as DEV-0401 to exploit the Log4Shell vulnerability on VMware Horizon systems exposed on the internet, and deploy Night Sky ransomware.
We have observed a China-based ransomware operator that we’re tracking as DEV-0401 exploiting the CVE-2021-44228 vulnerability in Log4j 2 (aka #log4shell) targeting internet-facing systems running VMWare Horizon. https://t.co/6GOdRwRTjk
— Microsoft Security Intelligence (@MsftSecIntel) January 11, 2022
Here are some resolutions to follow to ensure your organization safely navigates the new hybrid office model.
1. Increase security awareness. The human factor is always the weakest link in cybersecurity. CISOs must stretch communications skills and create new channels to deliver education about information security. They must expand messages beyond phishing warnings to include topics such as laws and regulations that connect security with the business. Information privacy is a key topic.
2. Know who is connecting. Throughout the pandemic, the challenge of secure connectivity has been persistent. The bottom line is that secure VPN, single sign-on, and two/multi factor authentication are a must to validate and only allow in authentic users. Access and security logs must be carefully analyzed to identify any suspicious activity.
3. Secure VPNs and patch updates. VPNs hit the headlines at the start of the pandemic because many companies reinstated VPNs that were previously disabled without patching them first. Hackers took advantage of the situation, scanning for devices that they could exploit. Routine patching must be part of the security model and must be a top priority when it comes to safeguarding a business with work-from-home employees.
4. Secure the cloud. The cloud and “on demand” models have become hugely important for helping users access the applications they need to do work from anywhere. While this shift to the cloud has its productivity benefits, it has not come without its security challenges. It is important to remember that cloud environments are not automatically secure when they are first created. Securing them requires knowledge and time. To keep business safe, security controls must span all environments – providing 360-degree application protection for both the application surface and the cloud application infrastructure.
5. Know your suppliers. The SolarWinds vulnerability highlighted the need for companies to thoroughly evaluate the tools and services they integrate into their operations. This includes the careful installation and configuration of the product or service, tracking patches and new releases from the vendor, and monitoring for any suspicious behavior. In a highly sensitive environment, some companies may choose not to use third-party products or services.
6. Know the enemy. From nation-state attacks and climate hacktivists to disgruntled employees, security teams need to understand the techniques, tactics, and procedures used by malicious actors. By getting to know their adversaries, security will be better prepared to detect and evict threat actors who might be targeting their environment. Many security companies issue threat alerts that can be used to gather the latest intel to inform a security strategy. Continuous monitoring and analysis are required to detect and respond to these threats as soon as possible.
7. Maintain visibility. Companies need to make sure they can maintain visibility and consistency of security control posture across a collection of platforms, infrastructures, and technologies. Having visibility and control via security and development dashboards is a must. These dashboards should provide actionable analytics, automation, and customized controls.
8. Balance the load. Companies need sufficient capacity to balance the load on the network and scale to meet the needs of remote workers. After all, there is no point in having a secure network if every time it is accessed by large numbers of employees it fails because it can’t cope with demand. Since employee productivity depends on applications being available and accessible, CISOs must find appropriate solutions that provide business continuity. Those with multiple data centers should use global load balancing to ensure availability across data centers and the cloud.
CISOs have much to address moving forward in the new year. Fortunately, these eight resolutions can help ensure continuous improvements for safely navigating the new (out-of-) office reality.
Ambassador Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.
Ambassador Bill Middendorf makes one unambiguous argument in his new book, The Great Nightfall: Why We Must Win the New Cold War. America won’t survive and thrive in an era of great-power competition without a strong, dominant military. There is one reason for that. China.
Middendorf has given a full lifetime of service to the nation, from his days at sea during World War II to diplomatic assignments and government posts. Among the latter, a turn as Secretary of the Navy. He was instrumental in designing the naval forces that completely outmatched the Soviets during the Cold War. Today, he remains America’s maritime Henry Kissinger, the nation’s preeminent thinker on naval modernization.
In The Great Nightfall, Middendorf deconstructs great-power competition. Regardless of how many internet trolls, little green men, bank accounts and businesses a state controls, it’s not enough to make the state a great power. That requires real military power.
Without the capacity to physically defend national interests, big states are fat banks waiting to be robbed. In contrast, nations that can defend themselves have a foundation on which to build sustainable diplomatic, economic and political policies. “The Cold War ended,” Middendorf argues in The Great Nightfall, “because we were the strongest military force in the world, backed by a unified NATO and strong allies in the Pacific.”
In short, in great-power competition, force is the coin of the realm. The problem with contemporary competition, Middendorf notes, is that “[t]imes have changed.” China is on a path to challenge the United States for number one.
One of the attributes the great-power competition shares with the Cold War is that our adversaries would prefer to “win without fighting.” In other words, they want to achieve victory without the debilitating costs and risks of direct military conflict. These opponents are predisposed to adopt indirect approaches to whittle-away at the strength and solidarity of the free world. That said, military competition plays an important role in their calculus, particularly for China. Chinese strategy envisions ultimately demonstrating sufficient military dominance that Beijing can intimidate other nations and bend them to its will.
In some ways, the new era of great-power competition resembles a new type of arms race. And, as was the case during the Cold War, there are concerns that the competition could turn into armed confrontation. Indeed, The Great Nightfallmaps out several scenarios—from North Korea to the South China Seas—where great powers could actually come to blows.
The Great Nightfall, however, is fundamentally a book about how the United States can establish conventional and strategic deterrence in the modern world. “This book is not a call for war,” writes the author. “The best way to prepare for war is to be prepared to win it. We need to stop underfunding the military, especially in areas of research, non-conventional war, space, cyberwar, and artificial intelligence. War is changing, and we need to change with it. We cannot expect success fighting tomorrow’s conflicts with yesterday’s weapons.”
Middendorf’s blueprint for protecting America in the twenty-first century stands out in two ways. First, he provides a detailed assessment of how to protect the U.S. capacity to build and sustain a modern military. Here, he addresses issues from research and development, to establishing secure, “clean” supply chains, to ship-building. Second, he delivers a comprehensive overview of future U.S. naval needs.
It is not just his naval service and stint as Secretary of the Navy that lead the ambassador to focus on seapower. Fundamentally, China’s potential as a global threat is rooted in its ability to project maritime power. And naval power, in the modern sense, is multidimensional, linking the ability to sail the seas with undersea warfare, air, space, and cyber operations.
The outstanding contribution of The Great Nightfall is its extraordinarily deep evaluation of all aspects of naval power, covering the nature of the Chinese threats and the appropriate countermeasures. In the end, Middendorf delivers a seminal book for understanding military competition in an era of great-power competition. No one who is serious about the future security, prosperity and freedom of America should neglect this essential read.
![Hybrid Work Management: How to Manage a Hybrid Team in the New Workplace (A super-short book about how to analyze, plan, manage, and evaluate your team’s hybrid work arrangement) by [Hassan Osman]](https://m.media-amazon.com/images/I/41XzC+EMOFL.jpg)
