Cyber Risk Governance Insights | March 11, 2024

WEEK IN HEADLINES

NATION STATE - Like Terminator, USBs Rise Again

Nation-state cyber threat groups are revisiting USBs as a potent weapon for infiltrating highly guarded government organizations and critical infrastructure. Previously overshadowed by internet-based attacks, USBs are making a comeback, providing a physical bypass to security measures at sensitive institutions. Major threat actors from Russia, China, and beyond are leveraging USBs for BYOD cyberattacks, emphasizing the resurgence of this unconventional attack vector.

GOVERNMENT - Top US Cybersecurity Agency Hacked: Critical Systems Offline

US Cybersecurity and Infrastructure Security Agency (CISA) responsible for cybersecurity recently discovered a breach, leading to the shutdown of two key computer systems. The affected systems facilitated information sharing among federal, state, and local officials and contained security assessments for chemical facilities. The hack exploited vulnerabilities in widely used virtual private networking software, emphasizing the need for robust incident response plans and software updates.

FINANCIAL SERVICES - Commission Faces Data Breach Crisis

Jersey’s Financial Services Commission suffered a data breach that allowed access to non-public names and addresses, owing to misconfiguration in a third-party supplied registry system. The firm assured that its corporate network was not compromised.

PERSONNEL - Dark Side Hustle

Disgruntled cybersecurity professionals , including code developers and AI experts, are moonlighting as cybercriminals on the dark web. Unsatisfactory wages and burnout risk drive them to offer services such as creating chatbots, phishing frameworks, and more. Even voice actors, impacted by AI, are turning to social engineering ops for extra income.

RETAIL - Credential Stuffing Attack: Passwords at Risk

PetSmart , the pet retail giant, has alerted customers about a recent credential stuffing attack. Cybercriminals exploited reused passwords to gain unauthorized access to user accounts. PetSmart promptly inactivated affected passwords and advised users to reset them. Vigilance in using strong, unique passwords remains crucial to thwart such attacks.

FINANCIAL SERVICES - New APT Group Targets Financial Entities

A previously undisclosed threat actor named Lotus Bane has emerged, targeting a financial entity in Vietnam. This advanced persistent threat group, active since at least 2022, shares techniques with OceanLotus (APT32), emphasizing the need for heightened vigilance in the face of cyberattacks.

?INSIGHTS & EXPERT PERSPECTIVES

RISK MANAGEMENT - Security Metrics You Should Present to the Board

The authors suggested that with the latest SEC Cyber Rules, companies should emphasize the importance of their CISOs to effectively communicate cybersecurity risks to boards using clear and understandable metrics . Key performance indicators (KPIs) should be leveraged to track the success of security programs and be presented in a way that is easy for boards to comprehend. The article explores specific metrics that CISOs can track across various categories to gain insights into their cybersecurity posture.

1. Communicate cyber risks using clear and understandable metrics.
2. KPIs should track the progress of security programs and be presented in a way that is easy to comprehend.
3. Key metrics to track include:

• Percentage of data encrypted.
• Number of phishing emails clicked.
• Time to Detect and Time to Resolve security incidents.

INSIGHTS: The SEC's requirement that companies, through their CISOs and boards of directors, increase transparency around cyber risks, security controls, and governance which should speed up breach disclosure to investors.? Multiple reports find the biggest cyber risk to organizations are the employees.? People are the cause of 80-95% of all cyber incidents. This vulnerability is also the least expensive to address at less than a Starbucks per employee per month.? There are some who claim that Security Awareness Education program efficacy can be hard to measure, but if you're not educating your employees, you certainly are not improving nor becoming more secure against a ransomware attack.? Some may also argue that focusing too much on metrics can take away from the bigger picture of cybersecurity, and it's more important to have a comprehensive security strategy, rather than just tracking metrics and that collecting and analyzing security metrics which they see as a time-consuming and expensive process.

As Peter Drucker said, "what gets measured gets managed," he actually warned against focusing on pointless metrics. The key is to choose measurements that improve the achievement of your business objectives. ?

Netswitch would disagree about the complexity of tracking metrics, we developed UNITY Risk Indicator for cyber risk governance data visualization in easier to understand information and not just acronymic data. A key part of managing cyber risk is improvements measured over time, proving to yourself, your customers, and your cyber insurance provider that you're improving, a secure partner, and a low risk to yourself and others.

Netswitch evidenced the value and cost savings of key metrics like Mean Time To Detection and Resolution (MTTD and MTTR).? We helped a customer achieve a MTTD that evidenced they became 87% more effective, and their MTTR showed they became 73% faster in resolving their incidents. These metrics proved the value in their cyber investments as their organization was more effective, had more production up time, and customers are taken care of.

Level Up Your Cyber Resilience - We Can Help

Fast and Comprehensive Risk Assessment at Your Fingertips

Experience our fully automated Security And Risk Assessment (SARA) that acts as your 3rd party auditor.

SARA provides an unbiased audit of your technical and risk controls.

Discover gaps, reorient resources, and prioritize your network.

Reach out to Netswitch for more details.

Stay Informed with Our LinkedIn Live Events

Join our regular LinkedIn Live Events designed to provide insights that will elevate your cyber risk awareness.

We aim to foster communication and collaboration among stakeholders - Business Executives, Technologists, and Governors – to align technical controls with GRC objectives and improve processes.

Stay updated about future events by following Netswitch Events on LinkedIn .

Jumpstart Your Cyber Journey with Our “Quick Start” Program

Sign up for our “Quick Start” Pilot Program and take a significant step towards reducing control misalignment, meeting GRC requirements, and improving cyber resilience.

Understand your risk level in cybersecurity and governance at no cost.

Contact Netswitch on LinkedIn for more information and to schedule a demo.

Join the LinkedIn CyberRisk Governance Group

Consider joining your peers in the fast-growing LinkedIn group dedicated to CyberRisk Governance.

The group aims to assist technologists, risk and compliance managers, and business leaders in understanding and lowering their CyberRisk.

Interested in joining us? Here’s the link to our group: https://www.dhirubhai.net/groups/13991569

?

DISCLAIMER: Any articles, information, or links are provided by Netswitch for reference only. While we strive to keep the information and links correct and safe, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, or related graphics contained on the destination website. Any reliance on such information is therefore strictly at your own risk.