Brewing Cybersecurity Insights

Category: Cybersecurity Culture

How to Keep You Safe Online

Proactive Measures for Cyber Safety

Over the years, many have approached me with questions about online security, reflecting a growing concern in our digital age. The importance of safeguarding one’s personal identity online truly cannot be overstated. Not only does good cyber hygiene benefit individuals, but it also extends to the organizations where they work. When people grasp the basics of cybersecurity, they’re better equipped to apply these principles in their professional environments, fortifying the digital defenses of their companies. With cyber threats becoming more frequent and increasingly sophisticated, it’s imperative for everyone to adopt proactive measures to protect their digital identities.

Here are some guidelines to ensure your online safety:

  1. Think Before You Click: More than 90% of successful cyber-attacks start with a phishing email. If you encounter a link you don’t recognize, trust your instincts and think before you click.
  2. Use Strong Passwords and Change Default Ones: Until we can move to passwordless authentication, avoid common passwords like “password” or “123456”. Ensure your password is long (at least 14 characters, especially if MFA is not enabled), unique, and randomly generated. Consider using a password manager to generate and store unique passwords. Many devices, including modems and routers, come with default passwords. Always change these to unique, strong passwords to prevent unauthorized access. This also applies to your mobile device: use a PIN/passcode (not your date of birth, “0000” or “1234”).
  3. Use Multi-Factor Authentication (MFA): MFA provides an additional layer of security by requiring two or more verification methods. We already discussed how to choose one method, for instance here. This also applies to your mobile device: secure it with a biometric feature (e.g. fingerprint or face recognition).
  4. Stay Updated: Ensure all your software, including the operating system, is up to date. Cybercriminals often exploit vulnerabilities in outdated software. Whenever you receive notifications for software updates, install them promptly. Even better, turn on automatic updates.
  5. Be Cautious with Software: If you didn’t actively seek out a piece of software, an app or a browser add-on, don’t install it. Conversely, uninstall software or applications you no longer use. This approach not only declutters your system but also reduces potential entry points for cyber threats.
  6. Avoid Public or Untrusted Wi-Fi: Avoid such networks, especially when accessing or providing sensitive information, such as bank accounts, online shopping, etc. The same applies to unknown or untrusted storage devices, such as USB sticks, which can be used to transfer malware onto your device. Avoid those as well.
  7. Consider Using a VPN: Virtual Private Networks (VPNs) encrypt data transmitted between your device and the server. This ensures that your online activities remain private and secure, especially if you really need to use public Wi-Fi networks. However, not all VPNs are created equal. It’s essential to choose a trusted provider, as VPNs are entirely based on trust. You must be aware of the data protection laws of the VPN provider’s home country and any potential extra-legal pressures they might face.
  8. Ensure your valuable data is stored in an appropriate location and backed up regularly. Cybercriminals may encrypt your data so they can extort money from you. If you do become a victim of this, it is often impossible to decrypt the data, so you will have to rely on backups. To avoid this ensure valuable data is stored on approved secure storage services (not shared widely and encrypted) and backed up in the event of loss or damage.
  9. Bookmark Important Sites: Instead of clicking on email links that seem to come from trusted organizations, use bookmarks in your web browser to access important sites. This reduces the risk of landing on a phishing site.
  10. Don’t overshare on social media: Scammers often use social media to gather information about people. They may use this information to guess your passwords, use it in a social engineering scam, or impersonate you when applying for credit cards, bank loans, or even commit crimes. Also regularly review your social media access settings to understand who can see information you share and ensure it is restricted appropriately.
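To make guideline 2 concrete, here is a small added example (not part of the original post) that does what a password manager does in miniature: it generates a random password with Python’s `secrets` module and checks a candidate against the post’s advice (at least 14 characters, not a common password, not a PIN-like string of digits). The common-password list and the 60-bit entropy threshold are constructed for illustration; a real checker would use a much larger breached-password list.

```python
import math
import secrets
import string

# Constructed, illustrative denylist. A real check would consult a large
# list of breached/common passwords; these are just the examples the post names.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "0000", "1234", "letmein"}

MIN_LENGTH = 14          # the post's recommended minimum, especially without MFA
MIN_ENTROPY_BITS = 60    # assumed threshold for this example
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy: assumes each character was drawn uniformly from the
    union of the character classes present in the password. Human-chosen
    passwords are far weaker than this estimate; it is a ceiling, not a floor."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_password(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} < {min_length}")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if password.isdigit():
        problems.append("digits only (PIN-like, e.g. a date of birth)")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password from a CSPRNG, as a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "correcthorsebatterystaple", generate_password()]:
        bits = estimate_entropy_bits(candidate)
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: ~{bits:.0f} bits, {', '.join(verdict)}")
```

The entropy figure is the point of the exercise: a 14-character string drawn at random from all 94 printable ASCII characters sits around 92 bits, whereas a 6-digit PIN is under 20 bits no matter how “unguessable” it feels. Length and randomness, not clever substitutions, are what make a password strong.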

What do you think? Are these all the steps we should take to ensure our online safety?

Do you follow all these best practices? Share your thoughts and experiences in the comments below!


The Rising Stakes for Cybersecurity Accountability

An Analysis of the SEC notice to SolarWinds CISO and CFO


The cybersecurity landscape is witnessing an unprecedented shift. The recent move by the U.S. Securities and Exchange Commission (SEC) to issue Wells Notices to the CFO and CISO of SolarWinds is a bellwether of this change.

A Wells Notice is a communication from the SEC indicating that it has made a preliminary decision to recommend enforcement action against the recipient, although it is not a formal charge of wrongdoing or a final determination of violation.

The SEC’s decision suggests a new emphasis on individual accountability within organizations for cybersecurity management and incident disclosure. However, this development also shines a light on a complex challenge: the multifaceted and collective nature of cybersecurity.

Why is this significant?

Firstly, it demonstrates an increased scrutiny of companies’ responses to cyberattacks. In this case, the SEC alleges that SolarWinds violated certain provisions of U.S. federal securities laws in its cybersecurity disclosures, public statements, and internal controls following the cyberattack in 2020, which affected thousands of customers globally.

Secondly, this is unusual because a Wells Notice is typically sent to a company itself, not to individuals within the company. Wells Notices to individuals are usually reserved for CEOs or CFOs in cases of Ponzi schemes, accounting fraud, or market manipulation.

This development suggests that the SEC might be moving towards holding individuals, particularly CISOs, more accountable for managing cybersecurity and disclosing cyber incidents. One possible violation a CISO might commit is a failure to disclose material information, such as failing to disclose the gravity of an incident or failing to do so in a timely manner. This trend is confirmed by the previous conviction of Uber’s CISO and his sentence.

However, some cybersecurity professionals argue that attributing blame solely to the CISO or CFO might not always be fair or accurate, because…

… Cybersecurity management typically involves various stakeholders

In today’s digitized world, a Chief Information Security Officer (CISO) plays an essential role far beyond just implementing and managing security measures. The CISO’s duty also involves making other CXOs accountable for their part in cybersecurity. This includes ensuring, for instance, that:

  • HR makes sure that staff complete the necessary security training,
  • Risk Management keeps cyber risks within defined thresholds,
  • Finance aligns the security budget with mitigation strategies (that in turn are based on the organization strategies and risks),
  • IT oversees the secure development and maintenance of applications.

But what happens when risk acceptance is chosen as the path forward?

If a CXO or the CEO decides to accept a risk, they should be accountable for that decision. It is crucial that such risk acceptance is well-documented and tracked.

I assume that in the SolarWinds and Uber incidents top management might have wanted to take a risk acceptance decision but didn’t want it to be documented (I assume because I personally saw this happening).

Conversely, an overly accommodating CISO who fails to enforce necessary security measures might find themselves, and their organization, in the firing line.

The Challenge of Execution

An important yet often overlooked aspect of cybersecurity is the actual execution of security measures. Even when a CISO or security leader orders security actions, the implementation may not follow through, especially if the person responsible isn’t part of the cybersecurity team. These orders may go unfulfilled due to conflicting priorities, and performance objectives that do not include security do not help.

This state of affairs points to the need for organizations to align their objectives across departments and ensure that security is a shared priority. Without this alignment, the cybersecurity of the organization remains fractured and vulnerable.

No matter how robust the cybersecurity measures are, it’s impossible to prevent all cyberattacks. I think that the sophistication of the SolarWinds attack is a great example of that.

Risk mitigation doesn’t aim for 100% security—residual risks are inevitable. Therefore, managing risks effectively within acceptable thresholds becomes the primary goal. This goal underlines the need for comprehensive risk management strategies that involve all stakeholders in an organization. Let’s not forget that security is just one of many goals of an organization, which also has to do business, and too much security might make the company non-competitive.

The Road Ahead

The SEC’s move towards increased individual accountability in cybersecurity could have profound implications for how organizations manage cybersecurity risks. However, it’s essential for organizations (and governments) to remember that cybersecurity is a collective responsibility. It requires coordinated efforts across departments and roles.

This reality makes the role of the CISO even more critical. They need to bridge the gap between different stakeholders and ensure a holistic approach to cybersecurity. While the SEC’s move might bring with it new challenges and pressures, it also presents an opportunity: to reaffirm the collective responsibility of cybersecurity, reinforcing that it is a task that falls on everyone’s shoulders within an organization.

A persisting question I have is: what should a CISO do if the CEO orders them not to disclose material information and to avoid documenting this decision?

A CISO who blindly follows such orders risks becoming a Scapegoat Officer, serving as a convenient fall guy in the aftermath of a cyber incident rather than actively improving the security posture of their organization. And they might not be inclined to do so if they will be put behind bars for it.

That’s a real pickle, so a second question arises: what should a government do to avoid it?

Maybe foresee a sort of whistle-blowing channel for CISOs that would guarantee a criminal shield in situations like the SolarWinds and Uber ones?

Last question, what would happen if the company uses a vCISO or a CISO-as-a-Service?

Navigating this new landscape will be challenging, but with clear communication, well-defined roles, and a shared commitment to security, organizations can rise to the occasion. It’s not just about preventing the next big cyberattack—it’s about fostering a culture of shared responsibility and vigilance that permeates every level of the organization. In this era of increasing cyber threats, there is no other way forward.

The Human Element in Cybersecurity

Moving Beyond Technology


The Human Element – Introduction:

When it comes to cybersecurity, most people tend to think it’s all about technology. But guess what? It’s time to break that misconception. In today’s world of cyber threats, the weakest link in the security chain is the human element.

You see, we may have fancy technologies, but there’s no magic bullet (despite what many vendors promise). No matter how much we invest in technology, we can still fall prey to cybercriminals who know just how to exploit our human nature.

The Conti ransomware gang hit the nail on the head last year when they said, “we also need to focus on the human part of our attacks. Our targets invest millions of dollars in security technologies, but they often overlook the human element. We will continue to exploit this weakness to our advantage.” It’s a wake-up call to understand that in the traditional triad of People, Processes, and Technology, People have taken (and have held, probably for the last 10 years) center stage in cybersecurity.

So, buckle up and keep reading as we dive into the role of the human factor in cyber attacks.

The Exploitation of Human Vulnerabilities:

Cybercriminals are crafty. They know that humans are easier to manipulate than sophisticated security technologies. They also look for a return on their investments, so they will use whichever approach is cheaper to reach their goal. So, they use psychological tricks like phishing and social engineering to exploit our weaknesses and gain unauthorized access to sensitive information. They send convincing email scams, impersonate trusted entities, and even dig up personal details from social media to trick us into revealing confidential data or compromising system security.

Still think that cybersecurity is all about fancy technology?

You took a look at the latest ENISA Threat Landscape. You saw that the top threats include ransomware and malware, definitely techie stuff. But guess who unwittingly lets those threats in? Yep, it’s people.

Now let me tell you, the Ponemon Institute’s Cost of Data Breach report is an eye-opener. In their “Initial attack vectors” section, they highlight the prevalence and cost of human-related attack vectors. Stolen or compromised credentials accounted for 19% of breaches, costing an average of $4.50 million. Phishing, at 16% of breaches, topped the list as the costliest initial attack vector, with an average cost of $4.91 million. Business email compromise was another initial vector among cyber attackers.

If you look closely, you’ll notice that every issue, even seemingly technical ones like “Vulnerability in third-party software,” ultimately comes down to human error. After all, who coded the software with the vulnerability or who didn’t define or apply a patching process? That’s right, a human.

Moving Towards a People-Centric Approach:

So, what can we do about it? Well, it’s time for organizations to start adopting a people-centric approach to cybersecurity. My recipe consists in building a “Cyber Culture”! This means understanding which cyber behaviors we want to influence, providing comprehensive training programs to raise cybersecurity awareness among employees, and promoting a culture of vigilance and responsible behavior. We gotta teach everyday users about common cyber threats, show them how to spot suspicious activities, and encourage good practices like creating strong passwords and keeping software up to date.

But it’s not just about training. Organizations need to share real-world examples of cyber attacks, so people can see the real risks out there. By making everyone feel responsible for cybersecurity, we turn our workforce into a first line of defense against cyber threats.

And here’s a secret: investing in the human factor is not only cheaper, but it’s also way more effective than splurging on fancy technology. I mean, sure, we still need the right tools, but without a strong Cyber Culture, we’re like a castle with a moat but no guards. It just doesn’t work! I will write an article on this topic in the future.

So why isn’t a People-Centric approach more widespread?

Many people still think that cybersecurity is all about technology. They believe it’s a technical issue that only (nerdy) IT folks (with glasses and a hoodie) can handle. The problem is that cybersecurity specialists are often very technical to start with, so they neglect the crucial human elements.

And here’s another kicker: reporting lines within organizations often make things worse. Cybersecurity teams end up aligned with IT departments, who are mainly focused only on technical risks!

I know I’m digressing; this is another topic: the need for an effective, diverse and multidisciplinary Cyber team.

But the truth is, investing in Cyber Culture, in our people, is the key to success. It’s not only more cost-effective, but it’s also more impactful in preventing and mitigating cyber threats. So I think it’s time to break the cycle!

Conclusion:

It’s time we realized that cybersecurity is not just about technology. People play a crucial role, and cybercriminals know it. By adopting a people-centric approach, building a strong Cyber Culture, and empowering employees to be active defenders, organizations can level up their defense against cyber threats.

So, let’s remember that we’re not alone in this fight. It’s not just about fancy tech; it’s about us, the people. Together, we can create a safer digital world. Let’s do this!

© 2024 CyberSec.Cafe