A Cybersecurity Primer for The C-Suite, SMBS, and Organizations

In this issue of Security & Tech Insights we explore strategies, policies, tools, and advice to better fortify cybersecurity for companies (and home offices).

Thanks for reading -- we are now over 30,000 subscribers! Best, Chuck Brooks

PS Kindly also follow me on LinkedIn and Twitter: Chuck Brooks (@ChuckDBrooks)


A C-Suite Must: Cyber Expertise


https://skytopstrategies.com/articles/5236

By Chuck Brooks, Skytop Contributor / November 15th, 2022

_________________________________________________________

Companies Cannot Be Disconnected

In the past year, escalating cyber-attacks on corporations, infrastructure, and organizations have created an environment of uncertainty and, in some cases, panic over the implications of data breaches. In today’s changing digital ecosystem, companies can no longer afford to remain disconnected from the reality of breaches and cyber-threats. There is too much at stake in terms of business operation interruption, decline in productivity, impaired reputation, and there is also a major responsibility to ensure protection of client data and privacy.

The Cyber Threat Environment for Business

In 2021, cyber-attacks ticked up in both number and cost for companies. An Accenture report found that there were on average 270 attacks (unauthorized access of data, applications, services, networks, or devices) per company over the year, an increase of 31% compared with 2020 (State of Cybersecurity Report 2021 | 4th Annual Report | Accenture). The management consulting firm McKinsey estimates that, at the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025, a 300% increase from 2015 levels. The same McKinsey survey finds a $2 trillion market opportunity for cybersecurity technology and service providers. New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers | McKinsey

Unprepared and Slow to Act

Despite the trends of greater frequency, sophistication, lethality, and liability associated with incursions, industry management has been mostly unprepared and slow to act on becoming more cyber secure. As companies come increasingly under cyber-attack, there is an urgency for the C-Suite to respond with greater focus on protecting assets as we approach the new year.

A succinct summation that explains the reasons for internet vulnerability and the cybersecurity challenges was provided by Joel Brenner, the former counsel to the National Security Agency:

“The Internet was not built for security, yet we have made it the backbone of virtually all private-sector and government operations, as well as communications. Pervasive connectivity has brought dramatic gains in productivity and pleasure but has created equally dramatic vulnerabilities. Huge heists of personal information are common, and cyber-theft of intellectual property and infrastructure penetrations continue at a frightening pace.” Nations everywhere are exploiting the lack of cybersecurity – The Washington Post

Unprotected Hybrid Work Reality

Compounding the volatility of the cyber-threat environment in 2021 and 2022 was the fact that COVID-19 forced businesses into remote or hybrid work. That created essentially millions of connected offices. It is estimated that nearly half the U.S. labor force is still working from home. Home offices are not as protected as fortified office sites, which have more secure firewalls, routers, and access management run by their security teams. Remote work has created new opportunities for hackers to exploit vulnerable employee devices and networks.

Keeping Up with the Threat is a Challenge

The research firm ThoughtLab studied the security practices and performance of 1,200 companies in 13 industries and the public sector across 16 countries. In its report titled “Cybersecurity Solutions for a Riskier World”, ThoughtLab concluded that “As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from compromise. Though companies have responded by upping their security budgets and adopting more advanced defenses, keeping up with the threats that will surface over the next few years will be a challenge.”

A Rise in Attacks

In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Over the next two years, the security executives polled by ThoughtLab see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated. The main causes of these attacks will come from misconfigurations, human error, poor maintenance, and unknown assets.

Keeping Up with Digital Transformation

Furthermore, according to ThoughtLab, 41% of the executives don’t think their security initiatives have kept up with digital transformation. More than a quarter said that new technologies are their biggest security concern, and just under a quarter cited a shortage of skilled workers as their largest cybersecurity challenge. Cybersecurity Solutions for a Riskier World – ThoughtLab (thoughtlabgroup.com)

Ransomware

The current state of cyber-affairs is an especially alarming one because ransomware attacks are growing not only in numbers, but also in the financial and reputational costs to businesses and organizations.

Currently, ransomware, mostly via phishing activities, is the top threat to both the public and private sectors. Ransomware allows hackers to hold computers and even entire networks hostage for electronic cash payments. In the recent case of Colonial Pipeline, a ransomware attack disrupted energy supplies across the east coast of the United States.

Ransomware is not a new threat (it has been around for at least 15 years), but it has become a trending one largely because criminal hackers can get paid in cryptocurrencies that are difficult to trace. Many also operate in countries whose governments tacitly approve of their hacking activities, which makes them harder to find and prosecute. According to the Treasury Department’s Financial Crimes Enforcement Network, in 2021 U.S. banks and financial institutions reported a record surge in ransomware payments, with almost 1,500 filings valued at a total of nearly $1.2 billion, a 188% increase from 2020. US ransomware payments surge to $1.2B in 2021: Treasury | Cybersecurity Dive

The inter-connectivity of digital commerce and expanding attack surfaces have enhanced the utility of ransomware as a cyber weapon of choice for bad actors. Like bank robbers, cybercriminals go where the money is accessible. And it is now easier for them to reap benefits from extortion.

The Internet of Things

The Internet of Things (IoT) broadly refers to devices and equipment that are readable, recognizable, locatable, addressable, and/or controllable via the internet. The growth of the Internet of Things has completely changed the dynamics and the size of the expanding cyber-attack surface. Because of a lack of cybersecurity on IoT devices, hackers have a multitude of options to breach cyber-defenses and exfiltrate data. “By 2025, it is expected that there will be more than 30 billion IoT connections, almost 4 IoT devices per person on average and that also amounts to trillions of sensors connecting and interacting on these devices.” State of the IoT 2020: 12 billion IoT connections (iot-analytics.com)

IoT malware has increased by 77% year to date, with more than 12 million detections between January and June 2022. 2022 Cyber Threat Report Details Growing Trends | TechRepublic

Having visibility into and being able to protect the connected devices of IoT is quite a challenge for business. The United States Government Accountability Office issued an assessment of the status and security issues surrounding the Internet of Things. The GAO identified the following types of attacks as primary threats to IoT: Denial of Service, Malware, Passive Wiretapping, Structured Query Language Injection, Wardriving, and Zero-day exploits. Internet of Things: Status and implications of an increasingly connected world | U.S. GAO

Software Supply Chain

Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk is critical for cybersecurity. Supply chain cyber-attacks can be perpetrated from nation-state adversaries, espionage operators, criminals, or hacktivists. Their goals are to breach contractors, systems, companies, and suppliers via the weakest links in the chain. This is often done through taking advantage of poor security practices of suppliers, embedding compromised (or counterfeit) hardware and software, or from insider threats within networks. According to a recent survey by Anchore, more than three in five companies were targeted by software supply chain attacks in 2021. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.

Ensuring that the supply chain is not breached, including the design, manufacturing, production, distribution, installation, operation, and maintenance elements, is a challenge for all companies.

Of special concern is third party risk. Conducting vulnerability assessments and filling operational gaps with cybersecurity tools are avenues being employed to ensure integrity.

Moving To The Cloud

Many companies are rapidly transitioning to cloud and hybrid cloud environments, and computing is certainly moving closer to the edge. It is important to work closely with your cloud provider, know what data you need to protect and encrypt, and have an incident response plan in case you get breached. Clouds are not inherently risky, but companies need to recognize that they have to evaluate provider policies and capabilities to protect their vital data. The use of cloud and hybrid clouds enables the implementation of dynamic policies and faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). From a security administrator’s perspective, optimized security in the cloud mitigates the risk of hackers gaining key access to data.

Emerging Technologies

The advent of emerging and fused technologies such as 5G and IoT (including Industrial IoT) will pose significant operational and regulatory challenges to industry. Companies and institutions will look to automation and orchestration technologies such as machine learning, deep learning, artificial intelligence, and other analytic tools to mitigate gaps on ubiquitous platforms.

Automation, combined with artificial and machine intelligence, is an emerging and future cybersecurity pathway. Artificial intelligence (AI) is going to be a big catalyst for cybersecurity. It will enable real-time threat detection and real-time analysis. Companies will be able to monitor what is in their systems and who is behaving anomalously.

While AI and ML can be important tools for cyber-defense, they can also be a double-edged sword. They can be used to rapidly identify threat anomalies and enhance cyber-defense capabilities, but they can also be used by threat actors. Adversarial nations and hackers are already using AI and ML as tools to find and exploit weaknesses in threat detection models. They do this through a variety of methods, most often via automated phishing attacks that mimic humans, and with self-modifying malware that fools or even subverts cyber-defense systems and programs.

Cyber criminals are already using AI and ML tools to attack and explore victims’ networks. Small businesses, organizations, and especially healthcare institutions who cannot afford significant investments in defensive emerging cybersecurity tech such as AI are the most vulnerable.

Geopolitical Threats

Another factor to consider is the geopolitical threat of state-sponsored cyber-attacks. The Russian invasion of Ukraine has put companies allied with Ukraine on edge over potential attacks.

A study by the cybersecurity firm Venafi of over 1,100 security decision makers (SDMs) globally found that 66% of organizations have changed their cybersecurity strategy as a direct response to the conflict between Russia and Ukraine, while nearly two-thirds (64%) suspect their organization has been either directly targeted or impacted by a nation-state cyber attack. The (Nation) State of Cyber: 64% of Businesses Suspect They’ve Been Targeted or Impacted by Nation-state Attacks (yahoo.com)

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning and established a campaign called Shields Up to increase awareness among corporations of the threat of state-sponsored cyber-attacks. “Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents.” Shields Up | CISA

Russia is not the only threat to industry as North Korea, Iran, and China are regularly involved in nefarious cyber-activities against the West. CISA offers excellent advice for companies on how to better protect against growing geopolitical threats:

Recommended actions include:

Reduce the likelihood of a damaging cyber intrusion

· Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.

· Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.

· Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.

· If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance. Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

Take steps to quickly detect a potential intrusion

· Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior. Enable logging in order to better investigate issues or events.

· Confirm that the organization’s entire network is protected by antivirus/anti-malware software and that signatures in these tools are updated.

· If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

Ensure that the organization is prepared to respond if an intrusion occurs

· Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.

· Assure availability of key personnel; identify means to provide surge support for responding to an incident.

· Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize the organization’s resilience to a destructive cyber incident

· Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.

· If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted. Shields Up | CISA

Needed New Corporate Mindset and Cybersecurity Expertise

Cybersecurity at the leadership level requires effective communication with the board and management team. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and safety of networks.

A recent Gartner survey found that 88% of Boards of Directors (BoDs) view cybersecurity as a business risk rather than a technology risk, and that only 12% of BoDs have a dedicated board-level cybersecurity committee.

“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, distinguished research vice president at Gartner. “The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.” Gartner Survey Finds 88% of Boards of Directors View Cybersecurity as a Business Risk

Cybersecurity Subject Matter Experts

Keeping up with cybersecurity threats is often daunting and requires a special effort. Cybersecurity Subject Matter Experts (SMEs) can assist in vulnerability assessments and recommend best-in-breed cybersecurity technologies and vendors. In IT terms this may include encryption, biometrics, smarter analytics, automated network security, informed risk management software, cyber certifications and training, network monitoring, and NextGen layered hardware/software technologies for enterprise network, payload, and endpoint security. It is best if the plan is calibrated by outside SMEs to the organization’s specific cybersecurity requirements.

Cybersecurity SMEs can also be utilized for compliance (for example GDPR expertise) and a whole host of other issues related to policy and industry specializations. Whether it be bolstering the internal IT security team of a law firm or recommending potential technological solutions and protocols, SMEs can augment efforts. In addition, there are managed service providers (MSPs) who can also offer holistic cybersecurity services depending upon budgets and needs.

Simulation and Penetration Testing and Validation

One area that is critical for preparedness is simulation and penetration testing. Testing is a key starting point for everyone operating on the new digital landscape, and especially for businesses most at risk from increasingly sophisticated hackers. The testing and validation process is all about finding issues before they get to production and contaminate networks and devices. But it needs to be continual, as threats morph and new code is frequently added to platforms. While new code can introduce flaws, many applications and programs already run on legacy systems that include flaws and access points that can lead to breaches. Therefore, legacy code needs to be reviewed for patches along with any new code as part of vulnerability and validation testing.

In addition to penetration testing, companies should employ simulation as a key element of their cybersecurity preparedness. Unfortunately, penetration tests are often cost-prohibitive for small and medium-sized businesses, and a point-in-time test can miss potential exploits. A process called breach and attack simulation (BAS) can effectively lower the barriers to testing and improve on the results of vulnerability scans and penetration tests.

By launching simulated attacks across the various security tools deployed by an organization, the effectiveness of web application firewalls, email filters, and endpoint security can be tested. Tests can also check whether security policies and controls are properly configured, since misconfiguration is a common way for hackers to breach.

According to Eyal Wachsman, CEO and cofounder of Cymulate, a leading company in simulation preparedness, “companies are increasing spend on security solutions that protect across the cyber kill chain. However, it’s important to test the set-up and effectiveness of these solutions frequently because things can quickly change in technology. It’s possible for gaps to appear in your defenses unexpectedly and it only takes one opening for hackers to get into your network. Continuous security validation leaves nothing to chance.” https://www.nextbigfuture.com/2020/07/cymulate-looks-to-make-cybersecurity-testing-the-norm-for-organizations.html

From Passivity To Preparedness

The bottom line is that the mindset of the C-Suite and corporate cybersecurity needs to change from passivity to preparedness. In the past decade, the cybersecurity focus and activities of both government and industry have been predominantly reactive to whatever is the latest threat or breach. As a result, containing the threats was difficult because, from the outset, defenders were always at least one step behind. That mindset has been changing due to a major series of intrusions and denial of service attacks that exposed the flaws of defending data with a passive approach to preparedness.

Being proactive is not just procuring technologies and people. It also means adopting a working industry and government framework that includes tactical measures, encryption, authentication, biometrics, analytics, and continuous diagnostics and mitigation, as they may apply to specific circumstances. Other priorities include information sharing, securing the Internet of Things (IoT), protection of critical infrastructure, and expanding workforce training to mitigate the shortage of cybersecurity talent.

Cyber Resilience After an Intrusion

Cyber resilience after an intrusion is an area that must be further developed in response protocols, training of information security personnel, and deployment of redundant and automated technologies. Remediation is important to continuity, no matter what, because breaches will happen. The incorporation of best practices and the lessons learned from the various and many corporate breaches over the past few years is certainly valuable data for both industry and government in terms of prevention, recovery, and continuity.

A Successful Cyber Threat Consequences Strategy

In a core sense, a successful cyber threat consequences strategy is really about risk mitigation and incident response. A risk management strategy requires stepping up situational awareness assessment, information sharing, and especially resilience planning. It is critical to be aware of the morphing threat landscape and plan contingencies for all potential scenarios.

Security breaches can and will happen, but there are guiding pathways for cybersecurity: vulnerabilities can be lessened, and often mitigated. This can be done via gap analysis and comprehensive planning to better understand the how, why, and where of cyber vulnerabilities.

Plans that are successful most often start from the leadership at the top of companies and organizations, commonly referred to as the C-suite. To carry out plans and rectify potential cybersecurity damage waiting to happen, it is paramount for the C-suite to bring cybersecurity expertise to the Boards of Directors and Advisory Boards.

A successful C-suite cyber threat strategy requires stepping up activities to assess situational awareness, future risk, information sharing, and especially resilience planning. It is imperative for companies to create contingency plans for business continuity, disaster recovery, and incident response plans. It is also important that they create cultures of employee and stakeholder awareness so there is a basic understanding of cyber hygiene and the myriad of digital threats.

Cybersecurity Expertise at a Board Level

Without C-Suite subject matter expertise on policies, best practices, regulations, liability, technologies, and the many other issues associated with cybersecurity, companies will remain largely unprepared. In view of the recent trends of cyber-attacks, the imperative of bringing the best and brightest cybersecurity expertise to board-level roles needs to become a higher priority. As the threats and cost of breaches continue to escalate in the corporate landscape, getting outside help to bolster the C-Suite’s cybersecurity preparedness is a sensible option.

Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert on Cybersecurity and Emerging Technologies. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thomson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020 Onalytica “Who’s Who in Cybersecurity” – as one of the top Influencers for cybersecurity issues. He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES. He has also been a featured author in technology and cybersecurity blogs & events by IBM, AT&T, Microsoft, Cylance, Xerox, Malwarebytes, General Dynamics Mission Systems, and many others. He recently presented to the G20 on Energy Cybersecurity.

Chuck is on the Faculty of Georgetown University where he teaches in the Graduate Applied Intelligence and Cybersecurity Risk Programs. In government, Chuck was a “plank holder” at The Department of Homeland Security (DHS) serving as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues. He has an M.A. from the University of Chicago and a B.A. from DePauw University.

-----------------------------------------------------------------------------------------------------------

A Cybersecurity Risk Management Strategy for the C-Suite

There are several encompassing security strategies to evaluate, depending on your requirements and threat posture.

By Chuck Brooks

There is rarely a day that goes by when we do not hear of a cyber breach. Often the target is small and medium companies, and the result of a cyber-attack can mean loss of operations or even going out of business.

The reality is that a new era of exponential digital connectivity propelled by the COVID-19 pandemic has changed the security paradigm to employees working from hybrid and remote offices. Also, the threats have grown along with the connectivity. The growing and sophisticated cyber-threat actors include various criminal enterprises, loosely affiliated hackers, and adversarial nation states. The cyber threat is so pervasive that it is estimated to cost the world $10.5 trillion annually by 2025. Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (cybersecurityventures.com)

In our current digital environment, every company is now a reachable target, and every company, large or small, has operations, brand, reputation, and revenue pipelines that are potentially at risk from a breach. What should the C-Suite do?

The C-Suite needs to address the new realities and prioritize cybersecurity. Executives can no longer view security, both physical and cyber, as a cost accounting item. It needs to be prioritized as an investment in people, processes, and technologies. It really needs to be part of the company culture from top down.

The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity whether it involves law, finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber threats are ubiquitous, and they can be an existential event for companies and the C-Suite urgently needs to have a plan.

· Adopt an Industry-Specific Cyber-Risk Management Strategy

Create a corporate risk management strategy and vulnerability framework that identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity.

Risk management strategies should include people, processes, and technologies. This includes protecting and backing up business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel and detection, firewalls, etc.) and policies. That risk management approach must include knowing your inventory and gaps, integrating cybersecurity hygiene practices, and procuring and orchestrating an appropriate cyber-tool stack. It should also include having an incident response plan in place if you do get breached.

There are several encompassing security strategies to evaluate, depending on your requirements and threat posture. These include:

Security by Design is really the initiation point of a risk management process – especially if you are a software or hardware developer concerned with security. In an article in United States Cybersecurity magazine, cybersecurity expert Jeff Spivey provided an excellent working definition: “Security by Design ensures that security risk governance and management are monitored, managed, and maintained on a continuous basis. The value of this ‘holistic’ approach is that it ensures that new security risks are prioritized, ordered, and addressed in a continual manner with continuous feedback and learning.” Security by Design | United States Cybersecurity Magazine (uscybersecurity.net)

Defense in Depth. A variety of strong definitions exist for defense in depth in the security community. A NIST publication defines the defense-in-depth concept as “an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is ‘deep,’ containing many layers of security, and ‘narrow,’ the number of node independent attack paths is minimized.” Measuring and Improving the Effectiveness of Defense-in-Depth Postures | NIST
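The “deep and narrow” idea above can be made measurable. The following is an added example, not code from the article or from NIST: it models a small, constructed attack graph (hosts as nodes, “can pivot to” as edges) and computes the two numbers the NIST quote names, the count of node-independent attack paths from the entry point to the crown-jewel asset (by Menger’s theorem, equal to the number of intermediate hosts that must be cut to sever every path, found here with a max-flow on a vertex-split graph) and the depth in hops of the shortest path. The host names and both postures are assumptions made up for the illustration.

```python
"""Measure a defense-in-depth posture on an attack graph (added example).

Illustration of the NIST "deep and narrow" idea; not code from the article
or from NIST. Graphs below are constructed sample data.
"""
from collections import deque


def _walk_back(parent, t):
    """Yield nodes on the augmenting path from t back to, but excluding, s."""
    v = t
    while parent[v] is not None:
        yield v
        v = parent[v]


def _edmonds_karp(cap, s, t):
    """Max flow on a dict-of-dict capacity graph; returns an int."""
    residual = {u: dict(nbrs) for u, nbrs in cap.items()}
    residual.setdefault(s, {})
    residual.setdefault(t, {})
    for u in list(residual):
        for v in list(residual[u]):
            residual.setdefault(v, {}).setdefault(u, 0)  # reverse arcs
    flow = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in residual[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        bottleneck = min(residual[parent[v]][v] for v in _walk_back(parent, t))
        for v in _walk_back(parent, t):
            residual[parent[v]][v] -= bottleneck
            residual[v][parent[v]] += bottleneck
        flow += bottleneck


def node_independent_paths(edges, source, target):
    """Count internally vertex-disjoint attack paths from source to target.

    Each intermediate host x is split into (x,'in') -> (x,'out') with
    capacity 1, so one compromised host can carry at most one path; pivot
    edges get a capacity larger than any flow, except a direct
    source->target edge, which is itself exactly one path.
    """
    nodes = {n for e in edges for n in e}
    big = len(nodes) + 1
    cap = {}

    def add(u, v, c):
        cap.setdefault(u, {})
        cap[u][v] = cap[u].get(v, 0) + c

    def tail(x):  # endpoint where arcs leaving x start
        return (x, "node") if x in (source, target) else (x, "out")

    def head(x):  # endpoint where arcs entering x end
        return (x, "node") if x in (source, target) else (x, "in")

    for x in nodes - {source, target}:
        add((x, "in"), (x, "out"), 1)
    for u, v in edges:
        add(tail(u), head(v), 1 if (u, v) == (source, target) else big)
    return _edmonds_karp(cap, (source, "node"), (target, "node"))


def shortest_attack_path(edges, source, target):
    """Hops on the shortest source->target path (the 'depth'); None if unreachable."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        if u == target:
            return dist[u]
        for v in adj.get(u, []):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return None


# Constructed posture 1: three ways in; the VPN and phishing routes share a
# workstation, so only two paths are independent of each other.
FLAT_EDGES = [
    ("internet", "vpn_gateway"), ("vpn_gateway", "workstation"),
    ("internet", "phished_user"), ("phished_user", "workstation"),
    ("workstation", "domain_controller"),
    ("internet", "web_app"), ("web_app", "app_server"),
    ("app_server", "domain_controller"),
]

# Constructed posture 2: every inbound path is forced through one hardened
# jump host, leaving a single chokepoint on which to concentrate controls.
NARROW_EDGES = [
    ("internet", "jump_host"),
    ("jump_host", "workstation"), ("jump_host", "app_server"),
    ("workstation", "domain_controller"), ("app_server", "domain_controller"),
]


def posture_report(edges, source="internet", target="domain_controller"):
    """Return (independent_paths, depth_in_hops) for an attack graph."""
    return (node_independent_paths(edges, source, target),
            shortest_attack_path(edges, source, target))


if __name__ == "__main__":
    print("flat  :", posture_report(FLAT_EDGES))    # (2, 3)
    print("narrow:", posture_report(NARROW_EDGES))  # (1, 3)
```

Both postures are equally “deep” (three hops to the domain controller), but the second is “narrower”: an attacker has one independent route instead of two, so hardening and monitoring the jump host raises the cost of every path at once. The same numbers also flag the trade-off a reviewer should raise: a single chokepoint is also a single point of failure, so its controls need to be strong and independently tested.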

Zero Trust. NIST Special Publication 800-207 defines it this way: “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.” Zero Trust Architecture | NIST
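To make the contrast in the NIST definition concrete, here is an added example (not code from the article or from NIST) that puts a perimeter-style decision next to a zero-trust decision for the same request. The corporate address ranges, the device-posture fields, the per-resource policy table and the two sample requests are all constructed for the illustration; in a real deployment the identity provider, device-management system and policy engine would supply those inputs.

```python
"""Perimeter trust vs zero-trust access decision (added illustration).

Added example of the NIST zero-trust definition; not code from the article
or from NIST. Network ranges, posture fields and policy are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "inside" ranges that a perimeter model treats as trusted.
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # from the identity provider, evaluated per request
    src_ip: str
    mfa_verified: bool         # for this session, not "logged in last week"
    device_managed: bool       # enrolled in enterprise device management
    device_compliant: bool     # disk encrypted, EDR running, patches current
    resource: str


# Constructed per-resource policy: who may reach what, and on which devices.
POLICY = {
    "hr-payroll": {"groups": {"hr-admins"}, "managed_device": True},
    "git-server": {"groups": {"engineering"}, "managed_device": True},
    "wiki": {"groups": {"all-staff"}, "managed_device": False},
}


def perimeter_allow(req):
    """Legacy model: a request from the corporate LAN is implicitly trusted."""
    ip = ip_address(req.src_ip)
    return any(ip in net for net in CORP_NETS)


def zero_trust_allow(req):
    """Per-request decision from identity, device posture and resource policy.

    Deliberately absent: req.src_ip is never consulted. Returns
    (allowed, reason) so every decision can be logged and audited.
    """
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.mfa_verified:
        return False, "MFA not verified for this session"
    if not (req.groups & policy["groups"]):
        return False, f"{req.user} not authorized for {req.resource}"
    if policy["managed_device"] and not (req.device_managed and req.device_compliant):
        return False, "resource requires a managed, compliant device"
    return True, "allow"


# Constructed scenarios: an unmanaged device on the LAN, and a compliant
# engineer working from a home network.
INSIDER_ON_LAN = AccessRequest(
    user="mallory", groups=frozenset({"all-staff"}), src_ip="10.20.30.40",
    mfa_verified=False, device_managed=False, device_compliant=False,
    resource="hr-payroll",
)
ENGINEER_REMOTE = AccessRequest(
    user="alice", groups=frozenset({"engineering", "all-staff"}),
    src_ip="203.0.113.7", mfa_verified=True, device_managed=True,
    device_compliant=True, resource="git-server",
)

if __name__ == "__main__":
    for req in (INSIDER_ON_LAN, ENGINEER_REMOTE):
        print(req.user, "perimeter:", perimeter_allow(req),
              "zero-trust:", zero_trust_allow(req))
```

The LAN request passes the perimeter check purely on its source address, while the zero-trust check denies it for lack of session MFA, authorization and device posture; the remote request fails the perimeter check but is allowed once identity, group membership and device compliance are all verified for that session. The ordering of the checks is a design choice: cheap, universal requirements (MFA) are evaluated before the resource-specific ones so that the reason string pinpoints the first unmet control.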

These three pillars of cybersecurity risk management need not stand alone. In fact, they should all be incorporated together in a cybersecurity framework strategy to identify gaps, mitigate threats, and build resilience in the case of an inevitable cyberattack.

Please see my article in Forbes: Combining Three Pillars Of Cybersecurity (forbes.com)

Good industry-specific sources for adaptive risk management frameworks can be found at NIST: https://www.nist.gov/cyberframework/

And at MITRE: MITRE Engage: A Framework and Community for Cyber Deception | The MITRE Corporation

· Test, Simulate, and Identify Gaps to New Real World Cyber Threats with Risk-Based Metrics

Penetration testing is a good practice, but most programs have not been able to keep current with the cyber-threat ecosystem. Cyber breaches are not a static threat, and criminal hackers are always evolving their tactics and capabilities, which can make traditional testing methods inadequate. Cyber criminals now use stronger evasion techniques, including malware that checks for security tooling and stops running if malware detection software is present. Exploit kits inject code and manipulate memory space on the target system, and these criminals often use stolen code-signing certificates, sold underground or on the dark web, to bypass anti-malware detection and get around machine-learning-based classifiers. Some go one step further with fileless, living-off-the-land attacks and use steganography to conceal many types of malicious software inside innocuous-looking files.

Testing tools that run at scale deliver enormous amounts of data, all of which needs to be correlated and prioritized in terms of metrics. These tasks take time, and CISOs are often dealing with more data than they have people to analyze it. CISOs need real-time reports that provide quantifiable security KPIs to measure and track security performance.

Because of the sophisticated and growing attack surface being exploited by hackers, testing needs to go beyond traditional vulnerability scanners and manual penetration testing. It also needs to be automated to keep up with the pace of change in the evolving cyber landscape. Simulation testing fills that gap. In simulations, results can be immediate, tests can be performed frequently, and they do not depend on the skill level of an individual tester, which can itself be a weak point that leaves vulnerabilities undiscovered.

Simulation combined with penetration testing is a good avenue to consider. Specifically, breach and attack simulation (BAS) technology can be used for both cloud and on-premises environments. Simulated attacks also enable the security blue team to assess and fine-tune their detect, alert, and respond capabilities through integrations with existing security programs and systems, including vulnerability management, EDR, SIEM, SOAR, and GRC systems. Via BAS, companies can verify how effectively their defenses guard their systems and can also spot gaps that need to be fixed. The need for modernization and digital transformation will drive demand for continuous testing and attack path management tools used in cybersecurity simulation solutions.
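What "quantifiable security KPIs" from BAS look like in practice is a correlation job: every simulated technique either produced an alert in the SIEM within a bounded time or it did not, and the misses, ranked by the risk the organization assigns to them, are the gap list. The script below is an added example for this newsletter, not from the article or from any BAS or SIEM vendor. The run log, the alert export, their line formats, the 15-minute correlation window, the 5-minute "slow detection" threshold and the risk weights are all constructed assumptions; the technique identifiers are just labels for the simulated actions.

```python
"""Correlating breach-and-attack-simulation (BAS) runs with SIEM alerts into KPIs.

Added example, not from the article or any BAS vendor. The run log, the alert
export, the field formats, the correlation window and the risk weights are all
constructed assumptions; technique identifiers are only labels for the runs.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed BAS run log: when each simulated technique fired, on which host,
# and the risk the organization assigns to that technique going undetected.
SIM_RUNS = """\
2024-05-01T10:00:00Z T1059.001 ws-042 risk=high
2024-05-01T10:02:00Z T1003.001 ws-042 risk=critical
2024-05-01T10:04:00Z T1021.002 srv-07 risk=high
2024-05-01T10:06:00Z T1048.003 srv-07 risk=medium
"""

# Constructed SIEM alert export for the same window. The third alert is
# unrelated noise: it names a technique that was never simulated.
SIEM_ALERTS = """\
2024-05-01T10:00:45Z ALERT rule=ps_encoded_cmd host=ws-042 technique=T1059.001
2024-05-01T10:09:30Z ALERT rule=lsass_handle host=ws-042 technique=T1003.001
2024-05-01T10:05:10Z ALERT rule=noisy_dns host=srv-07 technique=T1071.004
"""

RUN_RE = re.compile(r"^(?P<ts>\S+) (?P<tech>\S+) (?P<host>\S+) risk=(?P<risk>\w+)$")
ALERT_RE = re.compile(r"^(?P<ts>\S+) ALERT rule=(?P<rule>\S+) host=(?P<host>\S+) technique=(?P<tech>\S+)$")
RISK_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed ordinal scale


@dataclass(frozen=True)
class Run:
    ts: datetime
    tech: str
    host: str
    risk: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    host: str
    tech: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_runs(text: str) -> List[Run]:
    runs = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:  # malformed lines are skipped here; a real harness would log them
            runs.append(Run(_ts(m["ts"]), m["tech"], m["host"], m["risk"]))
    return runs


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(Alert(_ts(m["ts"]), m["rule"], m["host"], m["tech"]))
    return sorted(alerts, key=lambda a: a.ts)


def correlate(runs: List[Run], alerts: List[Alert], window_s: int = 900) -> List[Tuple[Run, Optional[Alert]]]:
    """Pair each simulated run with the first alert for the same technique on the
    same host that fired at or after the run, within the window. A run with no
    such alert is a detection gap."""
    paired = []
    for run in runs:
        hit = next(
            (a for a in alerts
             if a.tech == run.tech and a.host == run.host
             and 0 <= (a.ts - run.ts).total_seconds() <= window_s),
            None,
        )
        paired.append((run, hit))
    return paired


def kpis(paired: List[Tuple[Run, Optional[Alert]]], slow_after_s: int = 300) -> Dict[str, object]:
    """Turn correlated pairs into numbers a CISO can track run over run."""
    detected = [(r, a) for r, a in paired if a is not None]
    ttd = [(r.tech, (a.ts - r.ts).total_seconds()) for r, a in detected]  # time to detect
    gaps = sorted((r for r, a in paired if a is None), key=lambda r: -RISK_WEIGHT.get(r.risk, 0))
    return {
        "techniques_simulated": len(paired),
        "detected": len(detected),
        "coverage_pct": round(100.0 * len(detected) / len(paired), 1) if paired else 0.0,
        "mean_ttd_s": round(sum(s for _, s in ttd) / len(ttd), 1) if ttd else None,
        "slow_detections": sorted(t for t, s in ttd if s > slow_after_s),
        "gaps_by_risk": [(r.tech, r.host, r.risk) for r in gaps],
    }


def report() -> Dict[str, object]:
    return kpis(correlate(parse_runs(SIM_RUNS), parse_alerts(SIEM_ALERTS)))


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two design choices carry the value here. Correlation is by technique and host with a bounded window, so an unrelated alert on the same host (the DNS rule above) does not count as a detection, and a detection that arrives after the attacker would already have moved on shows up as "slow" rather than as a clean success. The gap list is sorted by assigned risk, which is what turns raw simulation output into the prioritized backlog the paragraph above asks for.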

· Build a Cybersecurity Leadership Team for Cyber Defense and Incident Response

Cybersecurity at the C-Suite level requires effective communication with the board and management team. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and the safety of their networks. They must be cross-disciplined and should be capable of creating an incident response framework that includes mitigation, business continuity planning, and secure backup protocols in case networks and devices are compromised. The leadership team should also coordinate continual security training for employees.

· Consider a Cybersecurity Hub

Evolving cybersecurity challenges require strategy and new and collective thinking. One initiative to consider is creating an internal company “Cyber Hub” (CH) to optimize corporate approaches to cybersecurity such as simulation and testing and act as a purple-teaming fusion center.

The benefits of creating a CH could cut across many different areas. The CH itself should be composed of those who can help steer the company and should include the C-Suite management leadership, the board, and especially the CISO, CIO, and CTO. The CH would operate as an internal operational think tank geared toward planning the specifics of mitigating, and being more resilient to, cyber threats, especially those arising from remote and hybrid work.

Having a CH team to share insights and recommendations could provide an exceptional return on investment at a minimum, and more likely add value in ensuring company security and vitality.

For more details on this topic please see my article in Forbes: Creating An Internal Cybersecurity Hub Inside Your Company (forbes.com)

· Utilize the Board of Directors and Bring in Outside Expertise

For the C-Suite, the easiest way to address cybersecurity knowledge gaps is to have a strong board of directors and/or advisors. Board directors should have a working understanding of risk management (and risk exposure) and have context on the array of threats and threat actors. A board should treat risk management and cybersecurity as a company imperative, with areas of special knowledge that include legal compliance, cybersecurity technology solutions and services, training, liability insurance, governance, and policy.

Cybersecurity requires expertise and experience. A corporate board should include a blend of internal and outside subject matter experts. It is very useful for executive management to get perspectives and ideas from outside experts for situational awareness, technology validation, and threat intelligence. This will be especially important as we move forward in digital transformation.

New Horizons

The evolving tech landscape will include artificial intelligence, machine intelligence, IoT, 5G, virtual and augmented reality, and quantum computing, all of which will have a disruptive impact on business operating models and security during the next decade. The leadership team should have a strong understanding of how best to leverage these tools to optimize future cybersecurity scenarios.

There are many challenges to functioning securely in a changing digital world catalyzed by emerging tech. For industry, it requires constant awareness and restructuring of plans to detect, prevent, and mitigate changing cyber threats. In the past, much of the cybersecurity focus and activity by industry has been predominantly reactive and viewed as an operating cost. Being proactive is not just procuring technologies and implementing policies; it also means adopting a new security mindset with heightened testing. For the C-Suite it should also include a recognition that cybersecurity risk management is an investment in a company’s future and survival.

------------------------------------------------------------------------------------------------------------

Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness


Chuck Brooks

President | Brooks Consulting International

Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness - United States Cybersecurity Magazine (uscybersecurity.net)

With another National Cybersecurity Awareness Month upon us, few major things have changed from the past year in terms of threats. As the capabilities and connectivity of cyber devices have grown, so have cyber intrusions from malware and hackers. The cyber-threat actor ecosystem has grown in both size and sophistication. Threat actors are also openly collaborating, sharing targets and tools. They include various criminal enterprises, loosely affiliated hackers, and adversarial nation states.

Achieving full awareness of the nefarious actors who operate in the cyber realm and protecting against their capabilities is an arduous task. Clearly, industry cannot respond to growing cyber-threats alone, especially small and medium businesses that lack the resources and expertise. Increased government and industry cooperation to meet those challenges is a viable course to help mitigate threats, and it is a proven risk management model that makes good sense in several areas.

Information sharing on threats and risk is one of the principal functions of government and industry collaboration. Sharing such information helps both government and industry keep abreast of the latest viruses, malware, phishing threats, ransomware, and insider threats. Information sharing also establishes working protocols for lessons learned and resilience that are critical to the success of commerce and to enforcement against cyber-crimes.

Both the SolarWinds and Colonial Pipeline breaches highlighted the government’s assistance in mitigating breaches and moving toward resilience. Government collaborated directly with the companies to discover the extent of the breaches and the options for remediation.

Remediation of breaches is important to continuity; no matter what, breaches will happen. Incorporating best practices and the lessons learned from the many corporate breaches of the past few years is certainly valuable for both industry and government in terms of prevention, recovery, and continuity.

GOVERNMENT TAKES PROACTIVE ROLE WITH INDUSTRY PARTNERSHIPS

The government and industry partnership is being coordinated via the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS). Over the past few years, CISA has taken on a formal and increasingly larger role as the lead civilian agency in government working with industry and with state, local, and tribal stakeholders on cybersecurity threats. The proposed 2023 DHS budget requests more than $2.5 billion for cybersecurity, demonstrating the importance of the agency’s role in protecting the homeland in cyberspace, including in the aforementioned areas of information sharing and resilience.

Most significant is that CISA, under the leadership of Jen Easterly, created the Joint Cyber Defense Collaborative (JCDC) last year to fundamentally transform how cyber risk is reduced through continuous operational collaboration between government and trusted industry partners. “The Cybersecurity and Infrastructure Security Agency established JCDC—the Joint Cyber Defense Collaborative—to unify cyber defenders from organizations worldwide. This diverse team proactively gathers, analyzes, and shares actionable cyber risk information to enable synchronized, holistic cybersecurity planning, cyber defense, and response.” The JCDC is also supported by other government agencies, including the FBI, NSA, and U.S. Cyber Command, to help drive down risk in partnership with industry.

In recent years, DHS, along with the National Institute of Standards and Technology (NIST), has made a growing effort to bring the private sector together with the government, especially to develop information sharing protocols for risk management. In a core sense, a successful strategy for managing the consequences of cyber threats is really about risk mitigation and incident response. A risk management strategy requires stepping up situational awareness, information sharing, and especially resilience planning. It is critical to be aware of the morphing threat landscape and to plan contingencies for all potential scenarios. NIST has been extremely helpful to industry in those areas.

The White House has also heightened government and industry cooperation in various areas, including supply chain security and protecting critical infrastructure (most of which is owned by the private sector). In specific regard to critical infrastructure, the underlying goal of collaboration is to help protect against targeted cyber intrusions into the nation’s critical infrastructure, such as financial systems, chemical plants, water and electric utilities, hospitals, communication networks, commercial and critical manufacturing, pipelines, shipping, dams, bridges, highways, and buildings.

White House and industry cooperation has been primarily aimed at identifying vulnerabilities, ensuring security, and integrating resilience in the public/private cyber ecosystem. The most recent activity by the White House was an executive order formulating a zero trust strategy for government agencies. That “trust nothing connected” perspective is also being assimilated in industry.

Congress has supported CISA’s expanded role and involvement with industry. Several bipartisan bills have bolstered the agency’s integral role in cyber preparedness, response, and resilience for both government and industry.

COOPERATIVE RESEARCH AND DEVELOPMENT

Research and development of potentially disruptive cybersecurity technologies is another benefit of government and industry cooperation. The change in the cyber risk environment coinciding with a heightened need for procurement of innovative technologies and services has created a new paradigm for a cybersecurity partnership between government and industry.

Together, government and the private sector can identify products and align flexible product paths, evaluate technology gaps, and help design scalable architectures that will lead to more efficiencies, and fiscal accountability. Bridging R&D spending between the government and private sectors should also allow for a more directed and capable cybersecurity prototype pipeline to meet modern technology requirements.

An enhanced and streamlined government and industry partnership should continue to be a priority for cybersecurity strategies in 2023, as threats morph, especially with the emergence of technologies such as artificial intelligence, machine learning, 5G, and eventually quantum computing. The partnership needs to be both proactive and adaptive to change, as the threat matrix may become increasingly lethal to economic and strategic stability if we remain unaware and unprepared for the potential consequences.

-----------------------------------------------------------------------------------------------------------

HPC PRESENTS A CYBERSECURITY CHEAT SHEET FOR GENERAL COUNSEL AND THE C-SUITE BY LEADING CYBER EXPERT CHUCK BROOKS


HPC Presents A Cybersecurity Cheat Sheet For General Counsel And The C-Suite By Leading Cyber Expert Chuck Brooks - HPC - HIGH PERFORMANCE COUNSEL #HIPCOUNSEL

A Cybersecurity Cheat Sheet For General Counsel and The C-Suite By Chuck Brooks

The COVID-19 pandemic has awakened the globe to our era of global connectivity and has also exposed our vulnerabilities in cyberspace. As we have transitioned to remote work from home, on home portals, devices, and personal Wi-Fi, we have become more of a target for cybercrime.

According to Barracuda Networks, the number of coronavirus (COVID-19) related email attacks increased by 667 percent since the end of February. Between March 1 and March 23, Barracuda researchers detected 467,825 spear phishing email attacks, 9,116 of which were related to COVID-19.

This predicament has caught the attention of C-Suite leadership in industry and agencies. They have had to enact new policies, administer virtual private networks to employees working off site, and gain visibility into their networks and what they need to protect.

The reality is that we are all playing catch-up in cybersecurity. The Internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication; cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity and commerce on the Internet. According to Statista, last year the United States experienced 1,244 data breaches and had 446.5 million exposed records. The FBI IC3 2019 Internet Crime Report indicates that more than $3.5 billion was reported lost as the result of cyber-crimes in 2019 alone.

Corporate board director roles have traditionally been reserved for those with expertise and leadership experience in management and best practices. Cybersecurity expertise historically has not been a primary concern for directors, but it has become an evolving requirement for accountability in the era of digital connectivity.

The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity, whether it involves law, finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber-threats are ubiquitous. The frequency and maliciousness of cyber-attacks (including ransomware and distributed denial of service attacks on networks) has become alarming. Growing cyber-threats to corporate operations, reputation, and intellectual property can affect not only stock prices but the viability of a company.

The growing threat of data breaches from hackers has made cybersecurity a global urgency. According to IBM, the cost of an average data breach has now risen to about $4 million. Varonis reports that approximately 7 million data records are compromised each day, 56 records each second. A Clark School study at the University of Maryland quantified the near-constant rate of hacker attacks on computers with Internet access: every 39 seconds on average.

Dr. Chris Brauer, Director of Innovation in the Institute of Management Studies at Goldsmiths in London, sums up the state of cybersecurity for board members succinctly: “overcoming the threat boils down to two things: accepting that you will be breached (awareness) and the ability to do something (readiness).”

Targets of the increasing incidence of phishing and other types of social engineering breaches include many corporate giants, such as Target, Anthem, and Yahoo. Even the federal government has been targeted, most notably the breach at the Office of Personnel Management where 22 million personnel records were taken.

In spite of this, there is still a lack of awareness and specialized knowledge on most corporate boards. For example, according to a National Association of Corporate Directors (NACD) survey, only 14% of the board members queried expressed a deep knowledge of cybersecurity topics.

The cybersecurity landscape is complex, and it is extremely difficult to encapsulate all the various aspects that may confront a corporate board. Suzanne Vautrinot, President of Kilovolt Consulting and Major General and Commander, United States Air Force (retired), does provide a very good framework for addressing the landscape: “The board’s role is to apply the principles of risk oversight, to advise on strategy and help push to overcome challenges—in this case, cybersecurity gaps and challenges.”

Following that strong lead from General Vautrinot, I developed a condensed “cheat sheet” with themes to hopefully provide boards with insights and impetus to address the cybersecurity threat at the C-Suite level. The four themes include: risk management, responsibility, communication, and expertise.

THE CHEAT SHEET

At its very core, the practice of cybersecurity is risk management. It requires being vigilant and encompasses educating employees, identifying gaps, assessing vulnerabilities, mitigating threats, and having updated resilience plans to respond to incidents. Board directors should have a working understanding of risk management (and risk exposure) and have context on the different array of threats and threat actors. They should also be knowledgeable on the guiding axiom of the National Institute of Standards and Technology (NIST) Framework: Identify, Protect, Detect, Respond, Recover.

Cybersecurity is a responsibility. Elements of cybersecurity include policies, processes, and technologies. Every company is unique in culture, mission, and capabilities, but in terms of cybersecurity, the management (including board members) and employees are accountable for overseeing those elements. A requirement for every board member should be that cybersecurity must be treated as a company priority.

Cybersecurity’s backbone is effective communication. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and the safety of their networks. Communication enables readiness by sharing intelligence on threats and new security innovations. Security awareness training is also an important mandate for everyone at any company, especially the board.

Cybersecurity requires expertise. Ideally, a corporate board should include a blend of internal and outside subject matter experts. It is always useful for executive management to get perspectives and ideas from experts on the outside; it helps avoid complacency. Areas of special knowledge should incorporate legal compliance, cybersecurity technology solutions and services, training, liability insurance, governance, and policy. Information security management should include people with ISO 27001 expertise and a knowledge of best practices. Prudent policy advice necessitates that companies develop strong relationships with government. The recent passage of the Cybersecurity Information Sharing Act promotes public/private cooperation on data threat sharing, especially with the Department of Homeland Security.

Cyber Hygiene. This is an essential element for any company or individual. The graphic below, by The #Cyberavengers (of which I am a member), illustrates the components of good cybersecurity awareness and hygiene.

[Image: The #Cyberavengers cyber hygiene graphic]

--------------------------------------------------------------------------------------------

Creating An Internal Cybersecurity Hub Inside Your Company

by Chuck Brooks

Contributor FORBES

Creating An Internal Cybersecurity Hub Inside Your Company (forbes.com)


In 2019 more than 16 billion records were exposed through data breaches. This trend has continued in the first quarter of 2020, which so far has been one of the worst in data breach history. It is logical to say that in our era of increasing digital connectivity, every company’s operations, brand, reputation, and revenue pipelines can be directly threatened by cyber-attacks and breaches.

The dilemma for business is what to do in the face of a growing and increasingly sophisticated global ecosystem of cyber-threats. Corporate responsibility not only involves innovation and technological competence, but also protection of corporate assets in this expanding threat environment. Key questions arise for businesses: where should they spend their cybersecurity budgets, whom should they hire, how should they evaluate their own vulnerabilities, and what impact will emerging technologies have on helping them achieve their goals?

A smart course of action: an internal company cybersecurity hub

Evolving cybersecurity challenges require strategy and new and collective thinking. One initiative to consider is creating an internal company “Cyber Hub” (CH) to optimize corporate approaches to cybersecurity.

The benefits of creating a CH could cut across many different areas. The CH itself should be composed of those who can help steer the company and should include the C-Suite management leadership, the board, and especially the CISO, CIO, and CTO. The CH would operate as an internal operational think tank geared towards planning the specifics of mitigating, and being more resilient to, cyber-threats.


The CH could have the following general operating goals:

1. Enhance Industry Competitiveness: Creating a location for the collection of expertise and industry awareness to gather insights into risk management, technology, innovation, access to talent, and compliance trends within security environments.

2. Internal Training and Developing In-House Expertise: Creating curricula for training leadership, employees, and partners in risk governance and development of appropriate cultural attitudes towards security.

3. Partner Attraction: Identifying and engaging with other businesses to coordinate sales pipelines and explore new go-to-market opportunities.

4. Research and Development: Performing horizon analysis on research and development planning, and assimilation of next-gen emerging technologies into company operations.

5. Outreach and Marketing: Providing focused outreach, thought leadership, and media activities to raise awareness of company security capabilities in their products, services, and partner supply chains.

The internal company cyber hub does not have to be one size fits all and can be refined by corporate size, industry requirements, and market verticals. The members included in the CH could divide up tasks in accordance with their roles and expertise. Internal collaboration is a good thing for any company. Having a CH team to share insights and recommendations could provide an exceptional return on investment at a minimum, and more likely add value in ensuring company security and vitality.


Nikolay G.

Driving Business Growth with Marketing, SEO, Advertising Expertise for MSPs, Cybersecurity, and Cisco Partner Consulting | AI-Enhanced Content & Prompt Engineering | Creator of Unique Evaluation Methods

2 years

Thank you for sharing Chuck Brooks

Paul Robinson

Inventor-Completed the next generation Artificial Intelligent integrated Communications System. AI-based empirical data system cryptocurrency, Novel Data Storage and Electronics Strategy. The future is here!

2 years

When will we disconnect? The utilization of Artificial Intelligent provisioning and routing will become a reality sooner than later. This will be the only game changer for Cybersecurity. It is called “Absolute Trust”, performed by AI mathematicians.

Melissa Greer Solomon

Experienced communications pro driving strategic change, organizing and empowering campaign success for corporate, nonprofit, and political objectives, while navigating sensitive and complex challenges.

2 years

Those who are old schoolers like me can well appreciate everything this article warns about. I worry about younger workers. Many who have come of age at a time when over-sharing and handing over sensitive personal info for a convenience or a coupon is common are incapable of understanding why they ought to care, and care deeply.
