Brewing Cybersecurity Insights

Tag: #CyberCulture

23andMe, and Us?

It is a pleasure to present a collaboration article with Fabrizio Cilli.

As a dedicated cybersecurity enthusiast and pioneer, Fabrizio’s journey has been marked by global experiences, from Rome to the most advanced innovation hubs of North America and Asia, and through historical transformative projects in the Middle East. At Telecom Italia, he played a key role in the early days of Security Operations Centers (SOC), setting the stage for leadership positions that influenced cybersecurity advancements across sectors.

Leading as the Chief Information Security Officer (CISO) at Open Fiber, Fabrizio was pivotal in building a robust cybersecurity framework from scratch, marking achievements like the formation of XIRT (Any Incident Response Team) and striving for ISO 27001 certification. His work extended globally with renowned firms such as Datamat, Accenture, RESI/IPS, and EMC, where he focused on integrating cloud security, managing mergers and acquisitions, conducting due diligence, and safeguarding critical infrastructure.

A passionate advocate for the integration of artificial intelligence in cybersecurity, Fabrizio collaborated with the Italian Digitalization Team (Team Digitale) and co-founded the collective CISOs4AI (together with yours truly) and other great minds, underlining his commitment to harnessing AI for overcoming security challenges. His career is a testament to overcoming challenges, pushing boundaries, and fostering innovation, with a clear mission to cultivate a security-first mindset, drive technological empowerment, and ensure cybersecurity serves as a foundation of trust and resilience in our digital age.

So without further ado…

23andMe, and Us?

It all started from a response letter by 23andMe legal department, after CISO and some other directors had sold their stock options before the incident disclosure.

Facing an onslaught of lawsuits, 23andMe is denying liability for millions of users’ genetic records leaked last fall.In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for any data that may have been exposed.

It would be fantastic to have oversight and complexity requirements in place. Requiring multiple authentication factors has always been a key tool to prevent breaches from occurring. Companies like Microsoft, Google, Amazon, telecoms, banks, insurers, and healthcare providers all carefully control account access. They do this not just for prevention, but also to demonstrate maximum diligence. This is in a context where co-responsibility between companies and users is inevitable.

And if the responsibility of the external user is passed on as a “charter of rights and duties” (perhaps in terms and conditions between company and user), should we then consider that in a company, if it is discovered that a breach originated from a weak password (one of those in the annual most common lists) of an employee user, the latter falls into a scope of “bad faith” such as to stimulate an investigation for administrative liability? 

I mean, how much can responsibility be shifted to the user, given current standards for verifying the suitability of access control and administration measures (even more so for administrative accesses)?

Let’s talk about it, but if I think about Uber and SolarWinds, and then focus on 23andMe, and all the hospital ransomwares lately…I get a headache.

So if at the italian occurrence of attack to ASL1 L’Aquila, we understand that “it all started from a user with a weak password” or in the attack to MediBank Australia, a “user” propagated the attack, do we charge the 5 billion AUS Dollars to them and just move on? 👀😅

Such cases and similar situations, which we all know too well (and some scenarios we have experienced together, with some fellow CISO), where a user just leaves the doors open, what happens to these? Do we chase/investigate our own users? Could they be held responsible for the resulting damage? And on what rule and norm?

I want to clarify: full and robust user responsibility would be a breath of fresh air for most colleagues with millions users, but does this possibility even exist in current practice, that you are aware of? 👀

It is clear that the user who allows an attacker to use a “native” function is not ideal, but every low and slow attack and every APT we fight stems from the fact that we consider the user (I’m getting close to zero “user” trust theory) as potentially malicious or compromised.

So if a Sino-Russian-North Korean or Italo American criminal, with fake documents enters, and with that function manages to view data from thousands of other people, would we not notice? Is the system designed to prevent repeated abuse? Would GDPR minimization, applied to this processing, have required that it not be possible for example to “accumulate” sensitive data like this, but maybe only view genetic closeness, and then request direct contact? How did they design the registry at 23andMe?

When I say data is the lifeblood of a company I mean it seriously. If the lifeblood becomes poisoned, or too much comes out, the plant dies. 🌵🏜️

And then the dilemma: if one of “our” internal users blatantly violates a policy, procedure, and playbook, and leaves admin admin, while doing the ceremonial of an HSM, and we basically lose all our secrets?

Are we (the company) or is the user (colleague) administratively responsible? (And here the insurance systems on AdS come into play…)

It is certainly a good debate.

But in the end I believe there are various safe passes, both for users and colleagues, when it comes to access and management of technologies and privileges imposed on them.

The “good family man” remains the company, the multitude of individuals who manage the systems are its own, with its procedures and internal and external regulations. It is not a 1-to-1 relationship with the user, it is a many-to-1 or many-to-many relationship.

The Regulations we advertise, and for which we request flags, signatures etc., exist precisely to ensure they are not violated, due to boredom and lack of reading or reconciliation.

The Countermeasures we implement guarantee controls, and verify that the healthy behaviors we ask to assume are assumed, by those who use our systems and services, preventing them from circumventing them to facilitate the user experience.

Of course it is true that if we do not solve the problem of “passwords”, it is like having a low cipher forced by incompatibility, and not being able to apply a patch for life…

Perhaps this is what Sam Altman is aiming for with his WorldCoin startup: the full and unequivocal recognizability of the user… Will he make it?

And how will 23andMe end up?

There is very much at stake and an ongoing court case, that didn’t really start on the best terms.

Now, I don’t mean to make light of this situation, but the reality is that: Cybersecurity maturity needs to be embedded in a company’s very DNA. It requires integration, communication, and transparency primarily between the business itself and its clients.

Or it won’t work. In a fully digital world, you need fully digital cyber protection. Your business doesn’t sleep, crooks do not sleep, your clients are cycling around the world and guess what? They are not sleeping at the moment.

If it was enough to have “security” across the company, and “secure by design” software, today it’s about having a “secure by design company” and “software security” in place.

Word games? No, it’s the real deal.

You can get wiped out from the market.

And now the bombshell that will make you think: in such a scenario, even your competition can harm your core business by means of criminal hackers.

Resilience, and security by design with zero-trust: it’s worth it.

Exciting Collaborations on the Horizon: Gear Up for Cyber Insights!

Greetings, fellow cyber enthusiast! I’m back!

For those who missed me the reason is to be ascribed to my recent job change.

I’m thrilled to announce that in the next months I will be speaker to a couple of interesting events in Milan. The next one is the 12th of March and of course I’ll talk about AI Cybersecurity.

Back to the main news: in just a few days, I’ll be embarking on a series of captivating collaborations with some esteemed minds in the cybersecurity field in Cybersec.cafe and I’ll be guest of another blog that will be revealed in due time.

Buckle up, because we’re diving deep into valuable insights you won’t want to miss. While I can’t reveal all the surprises just yet, let me assure you that these partnerships will bring together diverse perspectives and a wealth of experience. We’ll be tackling some pressing issues in the world of cyber.

The next guest will be Fabrizio Cilli and he will discuss the 23andMe breach and its implications in terms of shared responsibility in cybersecurity – sorry I won’t disclose more as spoiler is a capital crime nowadays but trust me, you won’t want to miss this!

Stay tuned for further details future announcements.

See you soon!

P.S. Want to be the first to know when the collaborations kick off? Follow me on linkedin and keep an eye out for updates!

The Human Element in Cybersecurity

Moving Beyond Technology

Human Element
Image by Bing Image Creator

The Human Element – Introduction:

When it comes to cybersecurity, most people tend to think it’s all about technology. But guess what? It’s time to break that misconception. In today’s world, cyber threats the weakest link in the security chain is the human element.

You see, we may have fancy technologies, but there’s no magic bullet (despite what many vendors promise). No matter how much we invest in technology, we can still fall prey to cybercriminals who know just how to exploit our human nature.

The Conti ransomware gang hit the nail on the head last year when they said, “we also need to focus on the human part of our attacks. Our targets invest millions of dollars in security technologies, but they often overlook the human element. We will continue to exploit this weakness to our advantage.”” It’s a wake-up call to understand that in the traditional triad of People, Processes, and Technology, People are (and have been in probably the last 10 years) the center stage in cybersecurity.

So, buckle up and keep reading as we dive into the role of the human factor in cyber attacks.

The Exploitation of Human Vulnerabilities:

Cybercriminals are crafty. They know that humans are easier to manipulate than sophisticated security technologies. They also look for a ROI on their investments, so they will use whatever is the cheaper approach to reach their goal. So, they use psychological tricks like phishing and social engineering to exploit our weaknesses and gain unauthorized access to sensitive information. They send convincing email scams, impersonate trusted entities, and even dig up personal details from social media to trick us into revealing confidential data or compromising system security.

Still think that cybersecurity is all about fancy technology?

You took a look at the latest latest ENISA Threat Landscape. You saw that the top threats include ransomware and malware—definitely techie stuff. But guess who unwittingly lets those threats in? Yep, it’s people.

Now let me tell you, the Ponemon Institute’s Cost of Data Breach report is an eye-opener. In their “Initial attack vectors” section, they highlight the prevalence and cost of human-related attack vectors. Stolen or compromised credentials accounted for 19% of breaches, costing an average of $4.50 million. Phishing, at 16% of breaches, topped the list as the costliest initial attack vector, with an average cost of $4.91 million. Business email compromise was another initial vector among cyber attackers.

If you look closely, you’ll notice that every issue, even seemingly technical ones like “Vulnerability in third-party software,” ultimately comes down to human error. After all, who coded the software with the vulnerability or who didn’t define or apply a patching process? That’s right, a human.

Moving Towards a People-Centric Approach:

So, what can we do about it? Well, it’s time for organizations to start adopting a people-centric approach to cybersecurity. My recipe consist in building a “Cyber Culture”! This means understand what are the Cyber behaviors we want to influence, providing comprehensive training programs to raise cybersecurity awareness among employees and promoting a culture of vigilance and responsible behavior. We gotta teach everyday users about common cyber threats, show them how to spot suspicious activities, and encourage good practices like creating strong passwords and keeping software up to date.

But it’s not just about training. Organizations need to share real-world examples of cyber attacks, so people can see the real risks out there. By making everyone feel responsible for cybersecurity, we turn our workforce into a first line of defense against cyber threats.

And here’s a secret: investing in the human factor is not only cheaper, but it’s also way more effective than splurging on fancy technology. I mean, sure, we still need the right tools, but without a strong Cyber Culture, we’re like a castle with a moat but no guards. It just doesn’t work! I will write an article on this topic in the future.

So why isn’t a a People-Centric approach that widespread?

Many people still think that cybersecurity is all about technology. They believe it’s a technical issue that only (nerdy) IT folks (with glasses and a hoodie) can handle. The problem is that cybersecurity specialists often are really technical to start with so they neglect the crucial human elements.

And here’s another kicker: reporting lines within organizations often make things worse. Cybersecurity teams end up aligned with IT departments, who are mainly focused only on technical risks!

I know I’m digressing this is another topic: the need of having an effective, diverse and multidisciplinary Cyber team.

But the truth is, investing in Cyber Culture, in our people, is the key to success. It’s not only more cost-effective, but it’s also more impactful in preventing and mitigating cyber threats. So I think it’s time to break the cycle!

Conclusion:

it’s time we realized that cybersecurity is not just about technology. People play a crucial role, and cybercriminals know it. By adopting a people-centric approach, building a strong Cyber Culture, and empowering employees to be active defenders, organizations can level up their defense against cyber threats.

So, let’s remember that we’re not alone in this fight. It’s not just about fancy tech; it’s about us, the people. Together, we can create a safer digital world. Let’s do this!

© 2024 CyberSec.Cafe