InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Penetration testing has been one of the industries that are relatively slow adopters of automation. As security firms started automating many parts of the cybersecurity process including scanning and threat intelligence updates, security testing for some time was still mostly about traditional methods.
“In the past few years, the use of automation in many spheres of cybersecurity has increased dramatically, but penetration testing has remained stubbornly immune to it,” as noted CISO Alex Haynes explains in an article exploring the potential of AI replacing humans in this field.
This is perfectly understandable, considering that penetration testing needs to be thorough and supervised by experts. Many of its parts are repetitive, but they require the scrutiny of human cybersecurity professionals to be carried out effectively. AI and machine learning technology has yet to reach a level advanced enough to competently handle the complexities of security testing.
However, the past years have produced excellent examples of solutions that take advantage of automation. These pen-testing platforms employ automation in specific areas that make excellent sense. These existing solutions provide convincing evidence of the benefits of automation in this field of cybersecurity.
Consumers seem somehow unable or unwilling to protect themselves. But our research reveals an interesting knock-on effect from this: consumers welcome organizations who take the security initiative – and actively move their business to them.
Good security is good for business
This situation is a huge opportunity for organizations to make security a differentiator. Our research reveals that consumers value companies they perceive as more secure, with 64% saying they would recommend a large organization that they think makes a big effort to keep their data secure. A business with clearly visible cybersecurity will reassure consumers and create confidence in its digital products and services, carving itself a competitive advantage.
The fundamentals of a formal, effective application security plan should start with business objectives, tools, processes and most of all, data, with the primary driver for securing applications focused on protecting data.
While it is important to surgically address the insecurities in a mission-critical application, it is equally important to continuously upskill the development and security teams, and create a culture where security is not looked at simply a ‘check-the-box’ item.
According to Setu Kulkarni, vice president of strategy at WhiteHat Security, the first step is to identify the right inflection points for injecting application security.
“CISOs need to recognize that no SDLC is built the same and no application is at the same level of maturity within its life cycle,” he said. “We have learned that testing applications continuously in production is critical to identify the real, exploitable vulnerabilities that create the maximum risk of being breached in production.”
Kulkarni noted one way to (almost always) ensure that security does not become an afterthought is to “top & tail” – in other words, make sure that your team gets a voice when the exit criteria are being defined during the requirements phase, and make sure the team is testing in pre-production and production.
“Everything in between is really a negotiation based on the maturity of the SDLC and the application itself. The most consequential best practice is to ensure that the Dev, Sec and Ops teams get accurate and actionable insight from the AppSec tests that are executed,” he said. “After all, the only way to eventually have security operate at the speed of DevOps is through some level of automation, and the efficacy of automation is directly proportional to the accuracy of the data used to drive the automation.”
Doug Dooley, COO of Data Theorem, pointed out that the business driver for AppSec is about privacy, trust and reputation that is directly tied to the brand of those who build and publish the applications.
He noted traditional AppSec testing focused on static and dynamic application security testing, namely static application security testing (SAST) and dynamic application security testing (DAST).
“However, with a more modern application stack, AppSec programs are starting to factor in third-party risks introduced by open source and software development kits, covered by software composition analysis,” Dooley explained.
Further, cloud-native applications make infrastructure services just another software extension of the application buildout, so many AppSec programs increasingly add cloud security tools, such as cloud security posture management (CSPM).
This book provides a process and roadmap for any company to develop its unified Cybersecurity and Cyber Resiliency strategies. It demonstrates a methodology for companies to combine their disassociated efforts into one corporate plan with buy-in from senior management that will efficiently utilize resources, target high-risk threats, and evaluate risk assessment methodologies and the efficacy of the resulting risk mitigations. The book discusses all the steps required, from the conception of the plan through preplanning (mission/vision, principles, strategic objectives, new initiative derivation), project management directives, cyber threat and vulnerability analysis, and cyber risk and controls assessment, to reporting and measurement techniques for plan success and overall strategic plan performance. In addition, a methodology is presented to aid in new initiative selection for the following year by identifying all relevant inputs.
“This is the tour de force on designing, implementing and maintaining a modern cyber security and resiliency program. This book is a necessity for all information security and resiliency professionals.” – Howard Taylor, CISO of Radware
OUTLINE
This book lays out a systematic process for developing corporate strategy in the area of cyber (meaning IT) security and resilience.
In its 10th annual Risk Barometer, Allianz found that cyber incidents ranked third in a list of the most important global business risks for the upcoming year, coming in second behind risks stemming from the pandemic itself. We can expect cyber incidents to increase in frequency and sophistication as cyber criminals continue to leverage the various security lapses that accompany remote workforces.
However, something that has changed recently is how business leaders and boards of directors are viewing cyber risk. While previously seen as an issue solely for security and technology leaders to manage, executives are now pressuring security departments to financially quantify cyber risks facing their organizations.
In fact, a recent survey of 100 senior security professionals found that 70% of respondents have received pressure to produce cyber risk quantification for their business. Further, half of the respondents reported they have a lack of confidence in their ability to communicate and report the financial impacts of cyber risks, with a quarter saying they do not have a cyber risk quantification technology deployed at their company.
Why are executives pressuring CISOs to start financially quantifying cyber risk for their business? This process allows CISOs to identify and rank risk scenarios that are most critical to their enterprise, based on factors such as which attacks would have the biggest financial impact, and how equipped the company is to defend itself against any given attack.
Automated risk quantification makes this process even easier, taking the guesswork out of these decisions and streamlining the path to actionable information. The potential for human error and subjectivity is removed from the equation.
Previously, security leaders have relied on theoretical models of risk like the Common Vulnerability Scoring System (CVSS). Even with this system, it can be difficult to prioritize the vulnerabilities that rank highest in terms of severity. This is even more challenging for leaders across the enterprise who may be unfamiliar with the system. Cyber risk quantification provides security leaders with a way to communicate the most pressing cyber threats facing a company that does not rely on a scoring system that is incomprehensible to anyone outside of the security department.
By assigning a dollar value to potential cyber incidents, business leaders have better visibility into the most pressing – and costly – threats facing the enterprise. With this information, the business and security teams can align their efforts and prioritize the largest risks, rather than dedicating resources to lower priority risks.
Teams can focus their efforts on ensuring the business has adequate controls and processes in place to defend against the costlier risks and make additional investments accordingly. It can also make it easier for leaders and boards to justify spending more time or money to proactively defend against certain risks.
For CISOs, cyber risk quantification also provides an easier way to communicate the value of their work to leadership. Security leaders can calculate the return on investment of their tools and teams in the context of risk reduction for the enterprise. This gives leaders better visibility into the risks facing their organizations in terms that are understandable and actionable. Conversely, cyber risk quantification can help to identify any issues with an organization’s existing cybersecurity program and measure improvement over time.
Overall, shifting to this type of risk-led approach for cybersecurity will result in data-driven and actionable insights that will allow leaders across all business departments to understand and act on the most critical cyber risks facing their enterprise.
We know that attacks are going to continue, whether they’re state-sponsored or from cyber criminals, and it is critical for an enterprise to have a comprehensive view of its risk landscape. Now is the time for security leaders to adopt cyber risk quantification and more easily demonstrate how cybersecurity organizations are protecting their business operations from disruption and catastrophic harm.
Organisations have had to overcome countless challenges during the pandemic, but one that has continued to cause headaches is IT security for home workers.
A remote workforce comes with myriad dangers, with employees relying on their home networks – and sometimes their own devices – and without the assurance of a member of your IT team on hand if anything goes wrong.
But unlike many COVID-19 risks, these issues won’t go away when life eventually goes back to normal. Home working will remain prominent even when employees have the choice to return to the office, with a Gartner survey finding that 47% of organizations will give employees the choice of working remotely on a full-time basis.
Meanwhile, 82% said that employees would be able to work from home at least one day a week.
As such, organisations should reconsider if they’re under the assumption that the defences they’ve implemented to protect remote workers are temporary.
Robust, permanent defences are required to tackle the array of threats they face. We explain how you can get started, including our remote working security tips, in this blog.
Online work increases cyber security risks
Without the security protections that office systems afford us – such as firewalls and blacklisted IP addresses – and increased reliance on technology, we are far more vulnerable to cyber attacks.
The most obvious risk is that most of our tasks are conducted online. After all, if something’s on the Internet, then there’s always the possibility of a cyber criminal compromising it.
They might attempt to do this by cracking your password. This could be easier than ever if you’re reusing login credentials for the various online apps you need to stay in touch with your team.
Meanwhile, according to CISO’s Benchmark Report 2020, organizations are struggling to manage remote workers’ use of phones and other mobile devices. It found that 52% of respondents said that mobile devices are now challenging to protect from cyber threats.
You can find more tips on how to work from home safely and securely by taking a look at our new infographic.
This guide explains five of the most significant risks you and your organisation face during the coronavirus crisis.
Alternatively, attackers could send phishing emails intended to trick you into either handing over your details or downloading a malicious attachment containing a keylogger.
The dangers of phishing should already be a top concern, but things are especially perilous during the coronavirus crisis.
Organisations should also be concerned about remote employees using their own devices.
This might have been unavoidable given how quickly the pandemic spiralled and the suddenness of the government’s decision to implement lockdown measures.
Still, where possible, all work should be done on a corporate laptop subject to remote access security controls. This should include, at the very least, 2FA (two-factor authentication), which will mitigate the risk of a crook gaining access to an employee’s account.
This ensures that the necessary tools are in place to defend against potential risks, such as anti-malware software and up-to-date applications.
It also gives your IT team oversight of the organisation’s IT infrastructure and allows it to monitor any malicious activity, such as malware and unauthorised logins.
Control the risk
Any organisation with employees working from home must create a remote working policy to manage the risks.
The policy should include guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.
Organisations should also explain the technical solutions they’ve implemented to protect sensitive data and how employees can comply. For example, we recommend applying two-factor authentication to any third-party service that you use.
Although it shouldn’t be a concern during the lockdown, your remote working policy should also address the risks that come with employees handling sensitive information in public places.
For example, when business goes back to normal, staff may well use company devices in places such as trains and cafés, where opportunistic cyber criminals can lurk without drawing attention to themselves.
Security incidents are just as likely to occur even if there isn’t a malicious actor. Consider how often you hear about employees losing their laptop, USB stick or paperwork.
Coronavirus: your biggest challenge yet
Disruption caused by COVID-19 is inevitable, and you have enough to worry about without contending with things like cyber security and compliance issues.
Unfortunately, cyber criminals have sensed an opportunity amid the pandemic, launching a spate of attacks that exploit people’s fear and uncertainty.
Therefore, it’s more important than ever to make sure your organisation is capable of fending off attacks and preventing data breaches.
To help you meet these challenges, we’ve put together a series of packaged solutions. Meanwhile, most of our products and services are available remotely, so we don’t need to be on-site to carry out things like security testing.
One virus is enough to worry about. Take action now to protect your business. Implement cyber security measures that help you respond to cyber attacks.
“Application security was traditionally very low on CISOs’ priority list but, as the attacks targeting applications increase in frequency, it’s getting more attention,” Eugene Dzihanau, Senior Director of Technology Solutions at EPAM Systems, told Help Net Security.
“The application layer is quickly becoming more exposed to the outside world, drastically increasing the attack surface. Applications are deployed on the public cloud, mobile phones and IoT devices. Also, applications process a lot more data than before, making them a more frequent target of an attack.”
In addition to that, modern applications and tech stacks are evolving and becoming increasingly complex – applications are integrating more external dependencies and are becoming very interconnected through API calls. The increased complexity significantly increases the chance of security issues.
“SAST scan results are massive, with very little insight into prioritizing fixes for critical or exploitable vulnerabilities. DAST rarely brings desired results without additional steps; the out of the box crawlers can rarely traverse the modern web applications,” he explained.
“This leaves glaring gaps in the security of deployment pipelines, security defects on the architecture level and third party/open source dependencies checks.”
CYBERSECURITY: It’s not just a good idea. Register to learn more.
Please join Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, CISO Sharevault from the safety of your desk on Thursday, March 4th at 9am PST as our experts explore this ongoing threat and offer best practices for mitigation.
If cybersecurity is part of your strategic plan for 2021, and it should be, then you might want to check out the National Cybersecurity Society (NCSS).
The National Cybersecurity Society is a community of participating technology professionals focused on helping small businesses stay safe online. The NCSS is a non-profit organization that provides cybersecurity education, awareness and advocacy to its small businesses members, specifically cybersecurity education tailored to the needs of the small business owner. The NCSS assists its small business members in assessing their cybersecurity risk, distributes threat information to members so that they will be more knowledgeable about the threats facing their business, and provides advice on the type of services needed to stay safe online. You know cybersecurity is important, but where do you start? What organizational assets do you need to protect? Is it only your IT assets? Is it your IP?
The NCSS website provides several helpful guides to get you started on your cybersecurity journey. At the top of the list is simply understanding and identifying what is vital to protect. It starts with employing a Risk Assessment Methodology. This involves identifying your organizational assets (people, information, technology, facilities) and assigning responsibility for those assets in order to protect them appropriately.
Once organizational assets are defined, the next step is to define the relationship between those assets and the high-value services they support. This requires a process that examines and validates this relationship through periodic reviews. Lastly, it requires your organization to maintain and sustain an inventory of these assets and high-value services. It’s important to keep this information up to date and modified when circumstances or events change.
STEP 1: INVENTORY
Create an inventory of your people – not just your employees, but your suppliers and partners, the data you need to run your business, the technology assets you need (computers, servers – the entire infrastructure), and the facilities needed to house and operate your business.
STEP 2: HIGH-VALUE SERVICES
Create a list of high-value services that keep your business functioning – logistics, financial, service delivery, assembly, manufacturing. Define what are the key services you need – those services that if lost, delayed or compromised would impact your business.
STEP 3: MAPPING
Create a mapping of people, data, technology and facilities to the high-value services they support. Define the relationship between these assets and the high-value services. Validate the relationship through periodic reviews. As an example, if the supplier for your medical equipment changes, and this supplier has been identified as key personnel, have you updated your mapping relationships? Did you review the contract with the new medical supplier to determine if anything has changed that would affect your service delivery? Leveraging your people to take responsibility for certain high-value services and keeping the critical information current is key to protecting your assets.
STEP 4: INVENTORY PLAN
A plan is only useful if it is kept current and up-to-date. Schedule an annual inventory and mapping exercise to ensure that the protection mechanisms you employ support valid assets. A good rule of thumb: Once a year.
STEP 5: CONTINUITY PLAN
A sound business strategy includes continuity plans. For all your high-value services that depend on critical people, data, technology and facilities, you will need a contingency plan in place in the event any of these assets is compromised. The NCSS also has helpful resources on how to develop a Continuity Plan.
If you’d like to learn more about The NCSS and best practices for cybersecurity for your business, please join ShareVault for our upcoming webinar on cybersecurity. For this webinar we’ve assembled a panel of cybersecurity experts (including the founder of The National Cybersecurity Society) to discuss the current cyberthreat landscape, the bad actors, and best practices for preventing a devastating breach that could cost your company millions.
The panel includes Mary Ellen Seale, Founder/CEO of NCSS, Peter Levett, Chief of Staff from the cybersecurity firm SecureCircle, and Phil Bandy, ShareVault’s Chief Information Security Officer who formerly provided information security to NASA.
DISC InfoSec provides cost-effective Cybersecurity: CISO as a Service (CISOaaS)
A Chief Information Security Officer (CISO) is an executive responsible for cybersecurity. Many medium-sized organizations need a CISO but don’t have the budget for one. A Fractional CISO/ vCISO can deliver the value of a full-time CISO without the same level of investment.
Why might you need one?
Lower your organizational cybersecurity risk with industry expert leadership.
Supplement your team with InfoSec program, policy and process experts to solve your most pressing needs.
Prioritize your cybersecurity investments with quantitative decision making.
vCISO for your Interim CISO needs.
A vCISO program can put you on a path to success with your compliance initiatives, such as NIST CSF compliance or ISO 27001 certification.
DISC InfoSec also performs technical control assessments, such as web application testing, which are imperative to your compliance and ISO 27001 certification process.
In short, as a CISOaaS we do all the legwork so you can focus on running your business.
Our vCISO advisory services are available to support the security/technology leadership of your organization in implementing and improving its security and risk posture in today’s heightened threat landscape.
If you would like to know more about how we can assist you with your latest InfoSec and compliance project, schedule a short call on our calendar.
No patients were affected, but the incident was another reminder of the risks in the increasingly common assaults on healthcare computer networks.
A Philadelphia company that sells software used in hundreds of clinical trials, including the crash effort to develop tests, treatments and a vaccine for the coronavirus, was hit by a ransomware attack that has slowed some of those trials over the past two weeks.
The attack on eResearch Technology, which has not previously been reported, began two weeks ago when employees discovered that they were locked out of their data by ransomware, an attack that holds victims’ data hostage until they pay to unlock it. ERT said clinical trial patients were never at risk, but customers said the attack forced trial researchers to track their patients with pen and paper.
The newly published Building Security in Maturity Model provides the software security basics organizations should cover to keep up with their peers.
As application security methodology and best practices have evolved over more than a decade, the Building Security in Maturity Model (BSIMM) has been there each year to track how organizations are making progress. BSIMM11, released last week by Synopsys, is based on the software security practices in place at 130 different firms across numerous industries, including financial services, software, cloud, and healthcare.
The practices were measured by the model’s proprietary yardstick, which groups 121 different software security activities into four major domains: governance, intelligence, secure software development lifecycle (SSDL) touchpoints, and deployment. Each of these domains is further broken down into three practice categories containing numerous activities that range from simple to very mature.
Similar to previous reports, BSIMM11 shows that most organizations are at the very least hitting the basics — including activities like performing external penetration testing and instituting basic software security training across development organizations. The following are the most common activities cited for each practice category, providing an excellent yardstick for the bare minimum that organizations should be doing to keep up with their peers.
The mass transition to working from home clearly shows the best technologies for a secure and convenient remote environment.
Users receive the maximum security benefits by connecting to virtual desktops from thin clients.
A thin client is a terminal-mode device. It often doesn’t even have any internal storage, being just a box that connects to a server and lets users connect a monitor and peripheral devices (configuration may vary depending on the specific model). The thin client does not process or store any work data.
Of course, a thin client requires a good communications channel. In recent years, however, that’s not much of a hurdle.
Communication between a thin client and a server is usually conducted over an encrypted protocol, solving the problem of the unreliable network environment.
Source: Thin clients from a security perspective
2020 Security Playbook
1) Data discovery
2) Compartmented Data Access
3) Move to thin client
4) Increase focus on AAA
ISO/IEC 27701:2019 provides guidance on data protection, including how organizations should manage personal information, and helps demonstrate compliance with privacy regulations around the world, such as the GDPR.
The Standard integrates with the international information security management standard ISO/IEC 27001 to extend an ISMS (information security management system), enabling an organization to establish, implement, maintain and continually improve a PIMS (privacy information management system).
Improve your privacy information management regime
Co-written by Alan Shipman, an acknowledged expert in the field of privacy and personal information and the project editor of ISO/IEC 27701, this pocket guide will help you understand the basics of privacy management, including:
What privacy information management means
How to manage privacy information successfully using a PIMS aligned to ISO/IEC 27701
Key areas of investment for a business-focused PIMS and
How your organization can demonstrate the degree of assurance it offers with regard to privacy information management.
An unnamed U.S. federal agency was hit with a cyber-attack after a hacker used valid access credentials, authorities said on Thursday.
While many details of the hack weren’t revealed, federal authorities did divulge that the hacker was able to browse directories, copy at least one file and exfiltrate data, according to the Cybersecurity & Infrastructure Security Agency, known as CISA.
The hacker implanted malware that evaded the agency’s protection system and was able to gain access to the network by using valid access credentials for multiple users’ Microsoft 365 accounts and domain administrator accounts, according to authorities.
Tracking allows the companies to improve their algorithm and app experience, but this experience comes at the cost of your digital data. In this guide, we’re going to focus on the search engines and browsers that you’ll want to use if you care about your online privacy.
Popular search engines and browsers do a great job at finding and browsing content on the web, but can do a better job at protecting your privacy while doing so.
With your data being the digital currency of our times, websites, advertisers, browsers, and search engines track your behavior on the web to deliver tailored advertising, improve their algorithms, or improve their services.
Privacy-focused search engines
Below are the best privacy-focused search engines that do not track your searches or display advertisements based on your cookies or interests.
Chinese Hackers Working w/ Ministry of State Security Charged w/ Global Computer Intrusion Campaign
https://www.youtube.com/watch?v=b8zhLOnXDdY&ab_channel=TheJusticeDepartment
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
The infoseccers strongly advised against paying the criminals:
Paying a ransom does not guarantee decryption of data. Open source reporting indicates several instances where an entity paid the ransom but the keys to decrypt the data were not provided. The ACSC has also seen cases where the ransom was paid, the decryption keys were provided, but the adversary came back a few months later and deployed ransomware again. The likelihood that an Australian organisation will be retargeted increases with every successful ransom payment.
It is generally much easier and safer to restore data from a backup than attempting to decrypt ransomware affected data.
“Many of these [attacks] could have been avoided or substantially mitigated by good cyber security practices,” sighed the ACSC in the report (PDF, 18 pages), which covered the months July 2019-June 2020.
How to recover your system from a Ransomware attack
https://www.youtube.com/watch?v=kJuibb9QaWk&ab_channel=CSO