Date |
Topic |
Update |
2022 |
Dec 2022 |
Critical year-end message re implementing Zero Trust |
While we have extolled the virtues of automated and fully tested backups, they only repair the damage after the fact, once a ransomware attack has encrypted or destroyed data. If the data you hold is sensitive (financial, personal or legal information), it is imperative that it is not leaked or sold, which will likely happen even after a ransom is paid. That outcome is a going-out-of-business scenario. This is why data exfiltration must be prevented by implementing a comprehensive Zero Trust strategy whose explicit goal is the prevention of data exfiltration. |
Dec 2022 |
Web Application Vulnerabilities |
Web application attacks have been known for years, but several recent attacks that were not caught by Web Application Firewalls have resulted in successful SQL injection. With SQL databases being the norm on the web, it has become critical to verify that application software is kept updated. |
Dec 2022 |
More on Cameras |
Anker’s Eufy cameras’ claims of privacy, encryption and other security features were debunked by The Verge. You have been warned. |
Dec 2022 |
U.S. bans more Chinese network devices. |
Following the recent discovery of malware in Chinese company Hikvision’s popular camera products (about 80,000 deployed), the US government has banned import and use of its products, joining Huawei, ZTE and other Chinese companies previously singled out by the US government. |
Dec 2022 |
Gone – Vishing |
This one you don’t have to worry about, well, until it surfaces next week as something else. This scam may or may not have begun as well-intentioned, but it offered a service for users to disguise their caller ID. However, ispoof.com and the hackers using it reputedly chalked up over $120m of illicit revenue over two years until the FBI and Europol shut them down and arrested 100+ hackers, mostly in Europe. But the idea may resurface elsewhere. |
Nov 2022 |
Black Phishday Alert |
Friday is a traditional day for fish n’ chips, but this is Black Friday: phish is on the menu and the chips are down on your security. Expecting to see great deals from your favorite stores and up-to-the-minute delivery tracking info? Of course you are. However, about one in six delivery emails and about one in 25 “shopping sites” are malicious. So don’t touch that dial. Apologies for the weak puns. |
Nov 2022 |
Delegate Don’t Abdicate |
This is a possible solution to the complex problem of delegating to outside agencies, software companies, sales CRMs, physical security companies, device vendors, etc. Since this is a problem of endless and recurring loss of control, the recommendation is that all contracts for purchase, partnership, etc. put the responsibility on the provider to warrant that it is responsible for any security issues or outcomes that arise from the use of its service. |
Nov 2022 |
Update1: Crypto1 |
With the bankruptcy of FTX and the evaporation of Sam Bankman-Fried’s $26 billion fortune, could the route to easy illicit money be on the verge of collapse? Will it be replaced by “the check’s in the mail”? Is this good news? |
Nov 2022 |
Update2: Crypto2 |
In the “Causes” section of the book, I covered the move to the Cloud, Covid-generated distributed workforces, etc., but I just realized that I did not cite cryptocurrency as a cause, even though its presence is key: it is what has allowed bad actors to collect ransomware payments easily, which was never possible before. But wait, there’s more; see the above. |
Nov 2022 |
Update 3: Phishing as a Service |
A few weeks ago this page covered the arrival of Phishing as a Service. Just a month later, a dramatic increase in the use of PhaaS has been reported. Akamai reported 299 Phishing as a Service toolkits (which means many times that number of attackers using these toolkits to initiate phishing attacks). Good grief. |
Nov 2022 |
CISA announces Cybersecurity “Performance” Goals |
First the good news. It’s great that the government is really serious about cybersecurity. Now the confusing news. CISA (the U.S. government’s Cybersecurity and Infrastructure Security Agency) has published “The Cross-Sector Cybersecurity Performance Goals (CPGs)” for critical networks. If you are expecting to see a list of latency and CPU requirements that ensure minimal delay while ensuring defense against attack, then you may be disappointed and go to dictionary.com to look up “performance.” Rather, the CPGs “strive to address this need by providing an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks.” None the wiser? Well, before you click on the link and download these purely voluntary goals, I’d like to wish you good luck! Visit https://www.cisa.gov/cpg to be enlightened (or not). |
Nov 2022 |
New MEF Zero Trust Specification |
For the last two years I have been privileged to be a contributor to a new industry specification approved for publication on 10/25/2022: “MEF 118: Zero Trust Framework for MEF Services.” It recognizes the key ZT principles and strategies and specifies the attributes augmenting MEF services to implement Zero Trust functionality. An article on this significant addition to service provider services was published today, 11/3/22; the piece by editor Ralph Santoro is at https://bit.ly/3zJsCVT. The PDF of MEF 118 can be found on the MEF site. |
Nov 2022 |
Zero Trust goes mainstream |
The U.S. government has made it mandatory for all federal agencies to adopt zero trust by 2024. The National Institute of Standards and Technology (NIST) has also been told to build a playbook for the private sector. Hopefully, this playbook consists of lots of use cases. Gartner apparently anticipates spending on zero trust to more than double between now and 2025, to $1.674 billion, though it doesn’t say whether that is system or component revenue or how it translates principles and strategy into market dollars. NIST has had an architecture for several years; check out the reference pages. |
Oct/Nov 2022 |
New Edition of the Book published. |
Halloween seemed the right day to publish the third edition of my paperback and eBook containing the latest on Holistic Cybersecurity. Check it out on Amazon at https://amzn.to/3P7xb1U. |
Oct/Nov 2022 |
Passkey Update |
Passkeys (intended to make passwords obsolete) have a new web site showing the latest on this controversial initiative, which is worth checking out: Passkey.dev gives the updated info. It is critical that authentication and identity management is delegated only to carefully vetted outsourced companies, since passkey security will fail, as was seen in November 2022. |
Oct 2022 |
Privacy Law Chaos |
The UK has made privacy laws, and hence attacks on web sites, even more chaotic for multinationals by announcing it will join Japan, South Africa and others in replacing the EU’s GDPR legislation with a home-grown version. Good grief. |
Oct 2022 |
More Crypto Troubles |
The Binance cryptocurrency platform hack lost $570m earlier this month, as covered by Reuters. Related to this, the Zcash blockchain DDoS attack consisted of blasting the network with bogus transactions. |
Oct 2022 |
The Very Latest on Zero Trust |
Fresh from the Zero Trust panel at ONUG Fall (10/20/22) is our new summary of Zero Trust, shown at the foot of the cybyr.com home page. |
Oct 2022 |
Exponential Organizations |
Given that only 25% of large and midsize companies have cybersecurity as an executive imperative, the role of the Exponential Organization methodology in introducing disruptive technologies such as Holistic Cybersecurity is critical. At the October 13th ExO All Hands meeting this key connection was explored. For more on how the ExO methodology overcomes an organization’s resistance to change, see the linked article. |
Oct 2022 |
Network Cloud |
An all-new podcast covering services, connections and security for the Network Cloud. Leaders from ONUG’s Network Cloud working group discuss critical network strategies that will affect an organization’s digital transformation. See the linked podcast. |
Oct 2022 |
Government Initiatives |
October is Cybersecurity Awareness Month, with government initiatives to be found at the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). Five pretty basic actions, but it’s all about starting with the weakest links. |
Sept/Oct 2022 |
Ransomware as a Service |
You may encounter LockBit 3.0. LockBit 2.0 was reportedly responsible for 1000+ attacks. A precocious group offering Ransomware as a Service (for all!) is just the tip of this RaaS and PhaaS (see below) pandemic. Unsurprisingly, there are many (100+) RaaS groups stealing code from each other. The point of this post is to alert you to the escalation of attack-creation tools that are falling into the hands of unskilled criminals. Like other pandemics, mutations of attacks can be expected. Prevention of phishing is the best approach, but it is not infallible. If impacted, we suggest searching for services that will help. |
Sept/Oct 2022 |
MFA Fatigue |
Following recent breaches of Uber’s records, it has become apparent that the repeated MFA push notifications you receive on your phone can be a front for another scam: the attacker keeps sending requests until, eventually, the user succumbs and approves one. This has been termed MFA Fatigue. Do not approve these unless you are certain of the origin and timing. Uber and others have now taken action with more sophisticated notifications to render such scams less potent. |
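The bombardment pattern described in this entry is easy to spot in authenticator logs: a burst of push prompts that the user did not approve, sometimes followed by the approval that signals the user gave in. The detector below is an added example written for this page, not code from the book or from any vendor; the log format is constructed for illustration and the thresholds (4 prompts in 10 minutes) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authenticator log (not from any real system): one line per
# MFA push prompt with the user's response. alice is being bombarded and finally
# approves; bob shows normal, widely spaced activity.
SAMPLE_LOG = """\
2022-09-15T10:01:02Z user=alice result=denied src=203.0.113.5
2022-09-15T10:01:40Z user=alice result=denied src=203.0.113.5
2022-09-15T10:02:15Z user=alice result=denied src=203.0.113.5
2022-09-15T10:03:05Z user=alice result=timeout src=203.0.113.5
2022-09-15T10:04:30Z user=alice result=approved src=203.0.113.5
2022-09-15T10:05:00Z user=bob result=approved src=198.51.100.7
2022-09-15T11:30:00Z user=bob result=denied src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+) src=(\S+)$")


def parse_log(text):
    """Yield (timestamp, user, result, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_mfa_fatigue(text, window=timedelta(minutes=10), min_prompts=4):
    """Flag users who received >= min_prompts prompts they did not approve inside
    `window`, and record whether an approval followed within that same window
    (the user giving in). Returns {user: {"prompts": n, "approved_after": bool}}."""
    by_user = defaultdict(list)
    for ts, user, result, _src in parse_log(text):
        by_user[user].append((ts, result))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for start, _result in events:           # slide the window over each prompt
            burst = [e for e in events if start <= e[0] < start + window]
            unapproved = [e for e in burst if e[1] != "approved"]
            if len(unapproved) >= min_prompts:
                gave_in = any(e[1] == "approved" for e in burst)
                alerts[user] = {"prompts": len(unapproved), "approved_after": gave_in}
                break                            # one alert per user is enough
    return alerts
```

An `approved_after` of True is the case to escalate first: a session was very likely granted to whoever was sending the prompts.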
Sept 2022 |
Phishing as a Service with MFA Bypass |
It was probably inevitable. The emergence of Phishing as a Service (PhaaS) combines man-in-the-middle attacks to spoof web sites and defeat two-factor authentication. This is part of a PhaaS kit from EvilProxy and was discovered by Resecurity in their must-read article published in September. This tool allows subscribers with little know-how to set up crippling phishing attacks. Expect this to generate phishing attacks that are more difficult to detect. |
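Man-in-the-middle phishing proxies of the kind this entry describes relay one-time codes because nothing in a code ties it to the site the user is really on. Origin-bound authentication such as WebAuthn (the basis of the passkeys mentioned elsewhere on this page) closes that gap: the browser records the page origin in clientDataJSON and the authenticator signs over its hash, so the relying party can refuse an assertion that was performed on the proxy's domain. The check below is an added example of that relying-party logic, not code from the book or from any WebAuthn library; the RP origin and the proxy domain are constructed placeholders.

```python
import base64
import json
import os

# Origin the relying party (RP) legitimately serves its login page from
# (hypothetical value for this example).
RP_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_challenge() -> str:
    """RP side: a fresh random challenge, stored server-side per login attempt."""
    return b64url(os.urandom(32))


def make_client_data(challenge: str, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser builds. A real browser
    fills `origin` with the page's actual origin and the authenticator signs over
    SHA-256(clientDataJSON), so a proxy cannot rewrite the origin afterwards."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: str):
    """RP-side checks from the WebAuthn assertion verification procedure that defeat
    a reverse-proxy phishing site: the ceremony type, the challenge the RP issued,
    and the origin the browser recorded. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        # This is the branch a proxied login lands in: the user was on the
        # attacker's domain, so that is what the browser wrote into clientData.
        return False, f"origin {cd.get('origin')!r} is not the RP origin"
    return True, "ok"
```

Signature verification over authenticatorData and the clientData hash (omitted here) is what prevents the proxy from simply editing the origin field before forwarding.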
Sept 2022 |
Hidden Scary Software Supply Chain Problems in Mobile Apps |
Just when you thought they had fixed security in the Cloud, Symantec has discovered that thousands of mobile apps using open-source SDKs contain code that can reveal your AWS credentials. iOS apps and their supply chains are creating these disastrous vulnerabilities. If you are not concerned, then know that these include banking apps that are exposing customer data! Oh, and almost every mobile gaming app is using the same flawed software. Remember: delegate, don’t abdicate your security. |
Sept 2022 |
The Bumblebee Loader |
The Bumblebee Loader has recently become the biggest new story on the malware front. Instigated by a single phishing attack, this horrendous new living-off-the-land attack is impacting tens of millions of Windows devices. See the linked article for the full story. |
Sept 2022 |
Quantum Computing |
The implication of quantum computing is that nothing (including decrypting nuclear weapon guidance systems; yes, we thought that might get your attention) could be more important for world control, if it is ever achieved. However, most recent commentary is that it may never happen. The point being: invest with caution and focus on other security weak links instead. |
Aug 2022 |
Build in Testing and then actually test it |
This was definitely not emphasized enough in the book. It’s one thing to implement a disaster recovery program to ensure that data is stored offline and that restores are done and tested to be valid. What also needs to be done is to look at potential data breaches, insider threats, etc., and perform dress rehearsals for how you would recover. It does not mean that you will be able to second-guess a specific problem, but at least there will be a fire drill and a tested, calmly written process for when things do go wrong. (It looks so much better than running around like a headless chicken!) |
Aug 2022 |
Cyber Insurance |
This was covered in the book, but it just got worse. Much worse. Lloyd’s of London (the most influential insurance underwriter) has notified the world in a market bulletin that, as of March 31st 2023, nation-state cybersecurity attacks are to be excluded. This sounds like a complete can of worms, since how can it be proved who sponsored your attack? It certainly makes it important to deploy defenses against nation-state attacks. This was likely triggered by Merck’s massive successful cyber insurance claim. |
Aug 2022 |
New Term Added |
SPIFFE and SPIRE production software methodologies were not included in the book and have been added to the Terminology page. |
Aug 2022 |
Oops, then there were three |
It turns out that one of the four finalists (SIKE) was cracked due to a vulnerability in its underlying algorithm. |
July 2022 |
Encryption – the end is nigh? |
Maybe not! NIST announced the four finalists of new encryption systems designed to defeat potential (future) quantum computing encryption-cracking algorithms. |
July 2022 |
Phishing |
Strangely, the definition was missing in the first edition of the book; it is included in the online terminology page. |
July 2022 |
Threat Hunting |
Not addressed in the book because it has become a hyped marketing term, being part of several systems. Wikipedia says it is a proactive cyber defense activity: “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” It will be included in the online terminology page. |