Cyber Hygiene

Hi readers, this Security and Tech insights newsletter issue focuses on the urgency for cyber hygiene in an increasingly risk digital landscape. Also, please be sure to see the section on upcoming events of interest in cybersecurity.

Thanks, Chuck Brooks https://www.dhirubhai.net/in/chuckbrooks/

CYBER HYGIENE: A KEY INGREDIENT FOR CYBERSECURITY SUCCESS

CO-AUTHORED WITH PAUL FERRILLO & GEORGE PLATSIS

Cyber Hygiene: A Key Ingredient for Cybersecurity Success | BIZCATALYST 360°

You would not be unjustified to feel as though?the cyber ecosystem is becoming increasingly harder to manage with the continued spread and sophistication of ransomware. And you would not be faulted for wondering “what gives?” as you try new solutions to fend off attacks.?Therefore, it is worth remembering that some of the best tactics are not flashy and purported “silver bullets” but rather, some basic work and maintenance that often gets looked over or neglected.

Strong cyber defense postures?require?good cyber hygiene if an organization wishes to remain resilient against attacks.

The Ransomware Threat Surge

Today’s attacks are not coming and going.?Rather, they are “surging” and that overload is causing havoc. Here is what one recent blogger said regarding the attack surge:

Ransomware attack strategists continue to target zero-day vulnerabilities, execute supply chain attacks, fine-tune vulnerability chaining, and search for vulnerabilities in end-of-life products to improve the odds their ransomware attacks will succeed. Ivanti’s?Ransomware Spotlight Year-End Report?illustrates why ransomware became the fastest-growing cyberattack strategy in 2021 and into 2022. There’s been a 29% growth in ransomware vulnerabilities in just a year, growing from 223 to 288 common vulnerabilities and exposures (CVEs).

Last year, SonicWall recorded a 148% surge in global ransomware attacks (up to 495 million), making 2021 the worst year the company has ever recorded. The company also predicted 714 million attempted ransomware attacks by the close of 2021, a 134% increase over last year’s totals. Organizations pay an average of $220,298 and suffer 23 days of downtime following a ransomware attack, further damaging their businesses, brands, and customer relationships.[1]

We would argue that Good cyber hygiene should be the first line of defense in light of the surge in ransomware attacks and other serious cyber-attacks.

What is good cyber hygiene? It’s a combination of things that hopefully will leave the company in the best position possible to both fend on attack, and if attacked, be able to come back up to normal operations with as little downtime as possible. Hours instead of days. Days instead of weeks. And finally, maintaining the ability to work through the disruption, even if in a degraded state.?Here is a non-exhaustive list of factors that we consider to be good cyber hygiene:

1. Multi-factor authentication

The main benefit of MFA is to limit the possibility of unauthorized access. Usernames and passwords are not going anywhere, but poor password hygiene means accounts are vulnerable to brute force attacks, credential stuffing attacks, and open to theft. Billions of credentials sit on the dark web available for purchase, in some cases, for paltry amounts. Enforcing “always-on” MFA through additional physical controls or temporary secondary codes makes life for a cybercriminal more difficult, and sometimes, slow them down enough is also enough for them to elsewhere for their nefarious acts.?Indeed, “A hacker or unauthorized user may be able to steal a password or buy it on the dark web, but for them to gain access to a second authentication factor is slim and requires much more effort. Consequently, MFA stops most bad actors before they can enter your systems and gain access to your data.”[2].

MFA is not perfect. But it helps.?A lot.

1. Identity and access management

Identity and access management (“IAM”) ensures that only the right people and job roles in your organization can access the tools they need to do their jobs. Through single sign on applications, your organization can manage employee apps without having them log into each app as an administrator. Identity and access management systems enable your organization to manage a range of identities including people (e.g. employees), software, and hardware like robotics and IoT devices.?The two questions for organizations to ask under IAM principles are 1) is the user who he or she says they are when accessing the network whether in the office or remotely and 2) does the user have only the?least?amount of access he or she needs to do their appointed job. Least privileged access is more likely to be checked manually because people change, and jobs change. Getting both questions “right” is critically important to good cyber hygiene. There is a third factor that needs consideration also: privacy.?It is to want some sort of biometric measure, as an example, but the moment you do that, you hold personal identifiable information (PII) and that comes with its own set of challenges.

1. Strong password management

In 2020Verizon reported via its annual?Data Breach Investigations Report?(DBIR) that 81% of hacking-related data breaches involved either stolen or weak passwords. Businesses should accept that a strong password policy is one of the best lines of?defense against unauthorized access?to their critical infrastructure.?And for goodness sake, a good password is not “password” or “0123456.”?If you use one of these passwords, you will not “pass go” and you will not “collect 200 dollars.”

There are practical remedies to get beyond that bad habit of using easy passwords to crack. Do not use default passwords on your devices and when you do create passwords make them complicated. Consider making them long or using phrases with letters, numbers, and characters. Also, do not use the same password for multiple accounts. Make it difficult for hackers to get in with one try. Make their challenges more difficult by using multifactor or biometric authentication such as a fingerprint, facial recognition, or texts to verify it is you when you sign in. And if you want to make things less stressful on your memory (we all forget our passwords), consider using a security token and/or password manager.

1. Timely updating and patching your network

Remember when Patch Tuesday meant a computer screen full of vulnerabilities that needed to be patched?. Well, for many of today’s companies, Patch Tuesday has now rolled into “patch Wednesday” as organizations need to determine which vulnerabilities apply to their ecosystem and which to begin patching first.???There is nothing glamorous about patch and vulnerability management, but it needs to be done.?So, CISOs, get those resources to support the function, as you don’t want to be at the helm of a company that gets hacked because a known patch was not applied.[3]

1. Regular employee training consisting of phishing and social?media training.

“Phishing, malware, and denial-of-service attacks remained the most common causes for data breaches in 2021. Data from Dark Reading’s latest?Strategic Security Survey?that more companies experienced a data breach over the past year due to phishing than any other cause. The percentage of organizations reporting a phishing-related breach is slightly higher in the 2021 survey (53%) than in the 2020 survey (51%). The survey found that malware was the second biggest cause of data breaches over the past year, as 41% of the respondents said they experienced a data breach where malware was the primary vector.”[4]

Given that phishing is one of the leading causes of data breaches, phishing testing should come standard in employee training nowadays?Training modules can be pre-programmed at the network level and done regularly (quarterly is great, if you have the resources). Does testing work? According to one report, it is not perfect, but it is effective to lessen the chances that an employee will click on the link or attachment contained is a phishing email.[5]

Your second line of employee training should be social media training from the perspective of protecting the organization. This sort of training is dedicated to keeping your employees safe while perusing the internet and to make them more “aware” that not every post they make to their Facebook account regarding their job or workplace is wise or safe. Indeed one article describes the problem really well: “All photos and videos shared from workplaces can contain sensitive information that employees don’t even realize they are sharing. Posting pictures and videos is a personal brand to many. They post dozens of times a day without ever realizing the security fallout or the threat of personal and business identity theft. And they don’t realize it’s a problem because it isn’t a focus of cybersecurity awareness training. It’s an issue across every industry, across every type of workplace.”[6]

Given the creativity of attackers, social media training is a critical addition to your cyber employee training regimen.?Without such training, employees can run the risk of clicking on the “wrong” website or popup or disclosing private company data or intentions. Train them not to do either one.

?No one is invulnerable to a crafty phish, but steps can be taken to lessen the chances and costs of a breach. For one thing, do not click on any attachment you do not know, and even if you think you know it, double-check and verify the sender. Beware of visually appealing pop-ups on your computer too. Cybercriminals are sophisticated and creative. An easy rule to follow is to automatically discard any communications asking you for personal information. Chances are you are not the recipient of long-lost funds found in an obscure bank account, nor did you randomly win a contest.?If something is too good to be true, it likely isn’t.

1. Maximizing the utility of logs

?“If you can’t see it, then you can’t find it.[7]”

Logs are powerful assets that can be used to detect anomalous behavior. Yes, it is a heavy lift to review, but an organization can leverage automation and integrate security analytics.[8]?????Just remember, you need to strike balance with your privacy program also.

1. A robust backup program is critical to recovery.

The use of ransomware forces a change to backup strategies.?If backups are left on the network, as they often are, they are just at risk to the malware as any other piece of data on your network.?Similarly, if your backups are too close to your production environment, even a natural disaster can leave you with useless or inaccessible backups.??Therefore, not only recovering within a certain amount of time is essential to define, but so is where you are backing up (accessibility), what you are backing up, how far you are backing up (atrophy), and what you are doing about testing your backups.

Conclusion

There is no “perfect” cyber hygiene method.?Rather, find what is right for your organization.?Also, do not underestimate the importance of an assessment either, especially if you are unclear on where you stand on the breach readiness maturity scale.?Good cyber hygiene may allow you to catch an actor in the act, or improve your employee’s ability to spot something on their own that can be reported.?And if all other measures fail, a strong backup strategy gives you a little peace of mind, even if recovery does come with frustration.?Perfect is the enemy of good enough, so do not let an eternal search of the “perfect” solution slow you down as you improve your cyber hygiene stance.?It’s good business.

?see?thecyberavengers.com?for more free, commonsense cyber advice!

---------------------------------------------------------------------------------------------------------------

Renew cyber hygiene strategies for 2022

By?Jayati Kataria?December 6, 2021

Renew cyber hygiene strategies for 2022 - Cyber Series

Cybersecurity is no more a one-dimensional fight. The attack surface and vectors have grown dramatically every year. We walked into 2021 with a list of critical infrastructures including IT infrastructure, websites, clouds, code, containers and it goes on. While there are software programs to help cybersecurity teams, the technology seems to be falling behind the malicious intentions of hackers that are getting mightier with every new attack.?

In a recent?survey of enterprise IT security executives, 77% of respondents agreed that IT vulnerabilities had impacted their businesses in the last year. And in the other?research, 73% of security professionals acknowledged that they still depend on spreadsheets to manage security hygiene. This resulted in 70% of them acknowledging that security hygiene and posture management had become more difficult over the past two years with the growing attack surfaces.

We asked the leading cybersecurity expert – Chuck Brooks (one of the top 5 Cybersecurity Exec to Watch, top leader and influencer in “who’s who in cybersecurity“ named by Onalytica and top cybersecurity expert in Thinkers360) to throw some light on the significance of cyber hygiene.?

In your opinion, how has cybersecurity evolved in the last two years?

There have been rapid changes in the information technology landscape. In the past two years, the capabilities and connectivity of cyber devices and communications has grown exponentially, especially with the proliferation of billions of Internet of Things devices. There are growing and more sophisticated threats includes are emanating from criminal enterprises and adversarial nation-states who are collaborating more closely. Also, emerging technologies such as machine learning and artificial intelligence have been added to the cyber tool chest and used by both hackers and defenders. And with the ability to get compensated via cryptocurrencies that are difficult to track, hackers have elevated ransomware attacks.

The other overwhelming factor has been the impact of the pandemic. COVID-19 usurped the digital landscape forcing organizations to adapt to a remote working paradigm with little notice and preparation. Hackers targeted remote workers because they were easy to infect via phishing and other means, and less protected than they would be in a more cyber-secure office environment. They took advantage of the lack of patching, unsecured portals, routers, devices, and open Wi-Fi often used by remote workers.

How can companies weave cybersecurity and trust into the people and processes in their organizations?

It needs to be a C-Suite Priority and pushed down to all employees. The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity whether it involves law, finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber threats are ubiquitous. Cybersecurity requires expertise but unfortunately, there is a dearth of qualified cybersecurity workers and it is rare to have such capabilities internally for most small and medium-sized businesses. Ideally, a company should plan on having accessible insights from a blend of internal and outside subject matter experts. It is always useful for executive management to get perspectives and ideas from experts on the outside. Employees should also be trained to recognize and cyber threats. They should also follow NIST risk management frameworks that offer industry-specific advice and knowledge to help keep companies more cyber secure.

While Governments across nations are coming together to tackle cyber risks, how important is ‘individual cyber hygiene?

Cyber Hygiene is an essential element for any company or individual. Strong passwords, multifactor authentication and knowing not to click on a phish can be accomplished by the basics. Most successful malware attacks are the result of human negligence. Individual cyber hygiene can make someone less of an easy target for a hacker. Some other important advice is to make sure you backup your valuable data, preferably on another device segmented from the targeted PC or phone. If you are a small business or an individual, it is not a bad idea to invest in anti-phishing software. It adds another barrier. I also recommend monitoring your social accounts and credit accounts to see if there are any anomalies on a regular basis.

Like Chuck mentions, every business, big or small, touches upon the aspects of cybersecurity today. The world leaders are coming to understand how cybersecurity is a big issue and how crucial the adoption of cyber hygiene is becoming. In the wake of such efforts, Panasonic Corp. is aiming to introduce a security system for automakers to prevent cyberattacks amid the launch of more vehicles that offer various services via the internet. While Google announced investing $10 billion in a multi-year effort to strengthen cybersecurity across the U.S. earlier this year.

Cyber hygiene falls short when it comes to tackling the needs of modern businesses, distributed and remote workforces and everyday evolving modern vulnerabilities. The?Balbix?survey observed that 80% of organizations plan to increase spending for security hygiene and posture management within the next 18 months. We truly hope that 2022 will see a modernised risk-based approach that caters to modern cyber hygiene programs more effectively and efficiently.

---------------------------------------------------------------------------------------------------------------

Protecting Your Data

The Cyber-Hygiene Mantra

Chuck Brooks

President?| Brooks Consulting International

The Cyber-Hygiene Mantra - United States Cybersecurity Magazine (uscybersecurity.net)

National?Cybersecurity Awareness Month is a good time for everyone to review the importance of the basics of defending their data and devices from cyber-attackers. Cyber-hygiene is a starting point to build those fortifications.?

Back in 2017, Congress passed legislation (HR3010) called “Promoting Good Cyber Hygiene Act of 2017”.??It was introduced to implore the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) to establish baseline best practices for industry.?

The legislation stated that the list of best practices established … “shall be published in a clear and concise format and made available prominently on the public websites of the Federal Trade Commission and the Small Business Administration.” It also recommended including “other standard cybersecurity measures to achieve trusted security in the infrastructure.” The legislation helped establish best practices for good cyber-hygiene, authentication, and cooperation. While the legislation was voluntary, it served as a progenitor of an expanding trend of public/private cooperation and cybersecurity awareness.?

In 2021, the cybersecurity ecosystem has become even more dangerous with the increased level and sophistication of phishing and ransomware attacks targeting critical infrastructure,?along with large, small, and medium businesses. Keeping up with those and other cybersecurity threats can be daunting, especially with the rapid evolvement of the Internet of Things (IoT) and emerging technologies such as Artificial Intelligence (AI) and 5G coming on-line. However, there are measures any business and individual can undertake to make themselves less of a target for attackers and more resilient in case of a breach.?

*The #CyberAvengers are a group experienced professionals who have decided to work together to promote cybersecurity awareness. They?are?Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, George Thomas, Shawn Tuma and Christophe Veltsos.

The following checklist was created by the #CyberAvengers. The Checklist covers the basics of cybersecurity hygiene and provides a handy reference (and reminder) of what we should be doing for National Cybersecurity Awareness Month and for every month of the year.?

THE #CYBERAVENGERS CYBER-HYGIENE MANTRA:

1. Update and patch your networks, OS, and devices promptly.?“Critical” is “critical” for a reason; do it within 72 hours of release.
2. Train your employees (and yourself!) on how to detect spear-phishing attempts and what best social media practices are.?Quarterly training can reduce the risk by up to 90% in most cases!
3. Use multi-factor authentication.?We have effectively reached the age of password uselessness due to our poor habits.?Passwords slow down bad guys who do not know what they are doing.?Biometric solutions are great but proceed with caution if you go this route because you now have data management and privacy concerns that must be addressed.
4. Back up regularly (daily if feasible).?Where possible, use the “1, 2, 3” Backup rule: 1, a segmented backup on site, 2, one off-site, and 3, one in the cloud.?No need to pay the ransom if you have a clean back up ready to be uploaded to your system.
5. Be cautious with older systems.?Yes, you can repair them, and we are fully cognizant that the upfront capital cost is something some cannot afford.?But the critical issue becomes support (patches) for these system stops.?If these systems are past their “patch life” they become big fat juicy targets for hackers.
6. Following on from the last point, sometimes the best answer is the cloud.?There is State-of- the Art hardware and software there and cloud migrations have become easier, especially over the last two years.?The cloud is not a savior.?We admit that. And it comes with other issues, such as needing to learn what your obligations and responsibilities are, ensuring you have robust agreements with your vendors, and knowing the third-party sources that?will have access to your information.
7. Know how your intrusion detection and prevention system works (if you have no clue what we are talking about, find somebody who does).??Is it signature-based??Perhaps it is behavioral based???Maybe it is both??New cyber threats require new tools.?This is where machine learning, cognitive computing, AI, automation, and orchestration all come into play (yes, we have positive bias towards these systems but only when done in tandem with all other techniques we have been discussing).?Internet data traffic is just becoming bonkers.?No human can do this on their own.?We have reached the zettabyte age.??What’s a zettabyte you ask??That’s 1,000,000,000,000,000,000 bytes.??
8. If you cannot do much of what we suggested, consider a Managed Service Provider (MSP) or a Managed Security Service Provider (MSSP).?We know cybersecurity is not everybody’s cup of tea, but one ransomware attack on a SMB could be crushing.?There are options out there to help you.?Sure, it costs money, but you are buying peace of mind.?Do your homework and find the right solution for you.
9. Do you drive your car without insurance??Cyber insurance is not mandatory yet, but it may be in the future.?And chances are if you are doing a lot of what we are suggesting, you will be on the low end of premium payments.
10. Know the new threats, the trends of the changing cyber-threat ecosystem. New technologies (such as Artificial Intelligence/Machine Learning) can be used as both defensive and offensive tools. Read, discuss, and keep abreast of recent and future cyber-attacks on social media, in publications, and with #CyberAvengers.?

While there is no easy panacea for addressing all cybersecurity threats, it costs little and clearly makes sense to maintain strong cyber-hygiene.?#CyberAvengers Cyber-hygiene recommendations are a working framework that will help mitigate risks.

---------------------------------------------------------------------------------------------

AT&T Cybersecurity??Blog

Two cybersecurity hygiene actions to improve your digital life in 2021

by|??Chuck Brooks

It is that time of year again where we start planning resolutions for the coming year. A good start is putting cybersecurity on the top of the list whether you are a business or individual. According to a University of Maryland?study, Hackers attack every 39 seconds, on average 2,244 times a day. It may be even higher now that more of us are working remotely because of Covid19 and the attack surface has greatly expanded in numbers and vulnerability. Clearly, with the plethora of breaches, spams, and ransomware we already experienced in 2020, we need to be better prepared in 2021.

What are a couple of cybersecurity hygiene action upgrades that will improve outcomes in 2021??

#1 Passwords

Poor passwords have always been viewed as the low hanging fruit for hackers as the easiest way into the crown jewels of data. Yet, many still use common passwords such as #132456 #password, or birthdays that pose little barriers to letting the bad guys access your accounts, In fact, a UK National Cyber Security Centre 2019?survey?analysis discovered that?23.2 million victim accounts from all parts of the world used 123456 as a password. Another 7.8 million data breach victims chose a 12345678 password. More than 3.5 million people globally picked up the word "password" to protect access to their sensitive information.

Now that we have all become creatures of social media, hackers can use social engineering tactics by exploring your social media accounts that often highlight pet names (quite often used as passwords - I admit I have been guilty of that too) or other identifiable items that may give clues to passwords and interests. What is particularly alarming is that there are algorithmic programs that can also utilize public social sites and marketing information to “guess” passwords.?

Actions: remedies are easy to get beyond that bad habit of using easy passwords to crack. Do not use default passwords on your devices and when you do create passwords make them complicated. Consider making them long or using phrases with letters, numbers and characters. Also, do not use the same password for multiple accounts. Make it difficult for hackers to get in with one try. Make their?challenges more difficult by using multifactor or biometric authentication such as a fingerprint, facial recognition, or texts to verify it is you when you sign in. And if you want to make things less stressful on your memory (we all forget our passwords), consider using a security token and/or password manager. The bottom line is that secure passwords are a basic step to stronger cyber hygiene.

#2?Phishing?

Phishing is the tool of choice for many hackers. Phishing is commonly defined as a technique of hackers to exfiltrate your valuable data, or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to be coming as a personal email from someone higher up the work chain, or from a bank, organization or a website you may frequent. Usually the phishing malware comes via email attachments but can also be web-based. According to an analysis by Webroot, 46,000 new phishing sites are created every day and 1.385 million new, unique phishing sites are created each month. At a more granular level, the firm Wandera says that a new phishing site launches every 20 seconds.?

Advances in technologies have made it easier for hackers to phish. They can use readily available digital graphics, apply social engineering data, and a vast array of phishing tools, including some automated by machine learning. Phishing is often accompanied by ransomware and a tactic for hackers is to target leadership at companies or organizations (spear-phishing) because they usually have better access to valuable data and make ready targets because of lack of training.?

Actions: No one is invulnerable to a crafty phish, but steps can be taken to lessen chances and costs of a breach. For one thing, do not click on any attachment you do not know, and even if you think you know it, double check and verify the sender. Beware of visually appealing pop ups on your computer too. Cybercriminals are sophisticated and creative. An easy rule to follow is to automatically discard any communications asking you for personal information. Chances are you are not the recipient of long lost funds found in a obscure bank account, nor did you randomly win a contest.?If something is too good to be true, it likely isn’t.?

Some other important advice is to make sure you backup your valuable data, preferably on another device segmented from the targeted PC or phone. If you are a small business or an individual,?it is not a bad idea to invest in anti-phishing software. It adds another barrier. I also recommend monitoring your social accounts and credit accounts to see if there are any anomalies on a regular basis.?And if you are with a larger company, consider getting anti-phishing training. Companies often use gamification for employees to?enhance cybersecurity awareness (and can make learning fun).

Conclusion

These are just two basic cyber hygiene actions that anyone can take to make their digital identities more secure. Certainly, there are many other steps that should be instituted for a layered and more holistic zero trust defense. For example, some things you can do is regularly update security patches, install firewalls, secure your routers, wifi, and use virtual private networks (VPNs).?

For better protection also consider adding antivirus & intrusion detection software to your devices.?Another means of protection to contemplate is to store your data in the cloud where it can also be agile and encrypted. For many of these security implementations and applications I suggest using professionals in the field who can determine gaps and requirements through risk management vulnerability assessments. There are also some excellent managed service providers who can outsource and coordinate your cybersecurity needs.?

Next year please be aware of the benefits of using strong passwords and how to avoid the phish in the cyber threat landscape. Hopefully these two steps alone will make 2021 a safer year.?

----------------------------------------------------------------------------------------------

A Scoville Heat Scale For Measuring Cybersecurity

by Chuck Brooks

Scoville Scale. Image credit: Depositphotos, enhanced by CogWorld

Source: COGNITIVE WORLD on FORBES

The?Scoville Scale?is a measurement chart used to rate the heat of peppers or other spicy foods. It can also can have a useful application for measuring cybersecurity threats. Cyber-threats are also red hot as the human attack surface is projected to reach over 6 billion people by 2022. In addition, cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. The cybersecurity firm RiskIQ states that every minute approximately 1,861 people fall victim to cyber-attacks, while some $1.14 million is stolen. In recognition of these alarming stats, perhaps it would be useful to categorize cyber-threats in a similar scale to the hot peppers we consume.

I have provided my own Scoville Scale-like heat characterizations of the cyber threats we are facing below.

Data Breaches:?According to Juniper Research, over The Next 5 Years, 146 Billion Records Will Be Breached. The 2017 Annual Data Breach Year-end Review?(Identity Theft Resource Center) found that 1,946,181,599 of records containing personal and other sensitive data that have been in compromised between Jan. 1, 2017, and March 20, 2018. The true tally of victims is likely much greater as many breaches go unreported. According to the?Pew Research Center,?a majority of Americans (65%) have already personally experienced a major data breach.? On the Scoville scale, data breaches, by the nature of their growing exponential threat can be easily categorized at a?“Ghost Pepper” level.

Malware:?According to Forrester Research’s 2017 global security survey, there are 430 million types of malware online—up 40 percent from just three years ago. The Malware Tech Blog cited that 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. Malware is ubiquitous and we deal with it. It is a steady?“Jalepeno Pepper”?on the scale.

Ransomware:? Cybersecurity Ventures predicts that ransomware damage costs will rise to $11.5 billion in 2019?with an attack occurring every 14 seconds. According to McAfee Lab's Threat Report covering Q4 2017, eight new malware samples were recorded every second during the final three months of 2017. Cisco finds that Ransomware attacks are growing more than 350 percent annually. Experts estimate?that there are more than 125 separate families of ransomware and hackers have become very adept at hiding malicious code. Ransomware is scary and there is reason to panic, seems like a?”Fatali Pepper.”

Distributed Denial of Service (DDoS):???In 2016, DDoS attacks were launched against a Domain Name System (DNS) called Dyn. The attack directed thousands of IoT connected devices to overload and take out internet platforms and services.? The attack used a simple exploit of a default password to target home surveillance cameras and routers. DDoS is like a?“Trinidad Pepper”?as it can do quick massive damage and stop commerce cold. DDoS is particularly a frightening scenario for the retail, financial. and healthcare communities.

Phishing:??Phishing is a tool to infect malware, ransomware, and DDoS. The 2017 Ponemon State of Endpoint Security Risk Report?found that 56% of organizations in a survey of 1,300 IT decision makers identified targeted phishing attacks as their biggest current cybersecurity threat. According to an analysis by Health Information Privacy/Security Alert, 46,000 new phishing sites are created every day. According to Webroot, An average of 1.385 million new, unique phishing sites are created each month. The bottom line is anyone can be fooled by a targeted phish. No one is invulnerable to a crafty spear-phish, especially the C-Suite. On the Scoville Scale, Phishing is prolific, persistent, and often causes harm. I rate it at the?“Habanero Pepper”?level.

Protecting The Internet of Things:??The task of securing IoT is increasingly more difficult as mobility, connectivity and the cyber surface attack space grows. Most analysts conclude that there will be more than 20 billion connected Internet devices by 2020. According to a study conducted in April of 2017 by The Altman Vilandrie & Company, neary half of U.S. firms using The Internet of Things experienced cybersecurity breaches.??Last year, Symantec noted that IoT attacks were up 600 percent. Analysts predict 25 percent of cyber-attacks in 2020 will target IoT environments. Protect IoT can be the “Carolina Reaper”?as everything connected is vulnerable and the consequences can be devastating.

Lack of Skilled Cybersecurity Workers:?Both the public and private sectors are facing major challenges from a dearth of cybersecurity talent. As companies evolve toward digital business, people with cybersecurity skills are becoming more difficult to find and more expensive for companies to hire and keep.?A report out from Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. A 2017 research project by the industry analyst firm Enterprise Strategy Group?(ESG ) and the Information Systems Security Association (ISSA) found that 70 percent of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage. On the Scoville Scale, I rate the skills shortage as a?“Scotch Bonett,”?dangerous but perhaps automation, machine learning and artificial intelligence can ease the pain.

Insider Threats:?Insider threats can impact a company’s operational capabilities, cause significant financial damages, and harm a reputation. The?IBM Cyber Security Index found that 60% of all cyber- attacks were carried out by insiders.? And according to a recent Accenture HfS Research report 69% of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders over one year. Malicious insider intrusions can involve theft of IP, social engineering; spear-phishing attacks, malware, ransomware, and in some cases sabotage. Often overlooked, insider threats correlate to a?“Red Savina Habanero.”

Identity Theft:?Nearly 60 million Americans have been affected by identity theft, according to a 2018 online survey by The Harris Poll.?The reason for the increased rate of identity fraud is clear. As we become more and more connected, the more visible and vulnerable we become to those who want to hack our accounts and steal our identities. We are often enticed via social media or email phishing. Digital fraud and stealing of our identities is all too common and associated closely to data breaches, a?“Chocolate Habanero.”

Crypto-mining and Theft:??Crypto poses relatively new threats to the cybersecurity ecosystem. Hackers need computing power to find and “mine” for coins and can hijack your computer processor while you are online. Hackers place algorithm scripts on popular websites that people innocently visit.? You might not even know you are being hijacked.? Trend Micro disclosed that Crypto-mining malware detections jumped 956% in the first half of 2018 versus the whole of last year. Also, paying ransomware in crypto currencies seems to be a growing trend. The recent WannaCry and the Petya ransomware attackers demanded?payment in bitcoin. On The Scoville Scale, it’s still early for crypto and the threats may evolve but right now a?“Tabasco Pepper.”

Potential Remedies:?Cybersecurity at its core essence is guided by risk management: people, process, policies, and technologies. Nothing is completely invulnerable, but there are some potential remedies that can help us navigate the increasingly malicious cyber threat landscape. Some of these include:

• Artificial Intelligence and Machine Learning
• Automation and Adaptive Networks
• Biometrics and Authentication Technologies
• Blockchain
• Cloud Computing
• Cryptography/Encryption
• Cyber-hygiene
• Cyber Insurance
• Incident Response Plans
• Information Threat Sharing
• Managed Security Services
• Predictive Analytics
• Quantum-computing and Super-Computing
• And … Cold Milk

The bottom line is that as we try to keep pace with rising cybersecurity threat levels, we are all going to get burned in one way or another. But we can be prepared and resilient to help mitigate the fire. Keeping track of threats on any sale can be useful toward those goals.

--------------------------------------------------------------------------------------------------------------

EVENTS

Secure Admission to Upcoming Cyber Security Summits Featuring the FBI, US Secret Service and US DHS/CISA

?Join us for the upcoming Official Cyber Security Summits, rated Top 50 InfoSec Conference Worldwide.

?Register to attend In-Person or Virtually:

?Use code CB2022 to receive up to $100 off registration at

https://CyberSecuritySummit.com

Virtual Admission: Free with Code (regularly $95)

In-Person Admission: $95 with Code (regularly $195) - Includes a Catered Breakfast, Lunch,?Cocktail Reception & Hand Rolled Cigars by Cohiba along with an all-access pass to interactive speaker sessions and technology showcase)

?Earn up to 8 Continuing Education Credits by attending the day in full – either onsite or virtually!

?Learn from Subject Matter Experts from The FBI, U.S. Secret Service, Cybersecurity and Infrastructure Security Agency, U.S. DHS, Darktrace, IBM Security, and many more who will discuss the latest security threats, best cyber hygiene practices, and innovative solutions to protect your business.

?You are welcome to share this invitation with your IT Security Team and other Senior Level colleagues who would benefit from attending this event.

Please note: Admission is for C-Suite/Senior Level Executives, Directors, Managers, and other IT/Cyber Professionals and Business Owners/Leaders. Those in Sales /?Marketing and Students are not permitted.

For event details, visit https://CyberSecuritySummit.com

?If you would like to exhibit and / or speak at the Cyber Security Summit, contact Nancy Mathew / [email protected]

---------------------------------------------------------------------------------------

For information on the event: https://skytopstrategies.com/conferences/385

-------------------------------------------------------------------------------------------------------------

Very Honored to be featured on the cover and have my insights shared in the February 2022 edition of Top Cyber News MAGAZINE published and edited by the amazing Ludmila Morozova-Buss!

The issue also has illuminating articles from global Cybersecurity Leaders such as June Klein, George Platsis, Ken Muir, Angelique "Q" Napoleon, and by Natalia Oropeza, Chief Cybersecurity Officer of Siemens AG. It also has a compilation of excellent cyber quotes by Dr. Pascal Andrei, Gary Hayslip, and Shawn Tuma

Here is the link to the publication:?https://lnkd.in/dQr4hNUG

Please check the issue out and share it with those interested in cybersecurity topics. Thank you !

###