Cybersecurity Maturity Models Can Be Immature

Cybersecurity maturity models are a great starting point for businesses to understand their most important cyber needs. This piece from Ntirety CEO Emil Sayegh notes the importance of going above and beyond the minimum recommendations to avoid the costly consequences. 

Cybersecurity Maturity Models Can Be Immature 

Like many things in life, cybersecurity posture is a spectrum of states of maturity. Cybersecurity Maturity Model Certifications (CMMC) are all the rage now in IT departments. You can be at one end of the spectrum of cybersecurity maturity, at the other end, or somewhere in the middle. The National Institute of Standards and Technology (NIST) and CMMC have defined those security maturity models in five distinct stages. You often hear IT departments proudly declare that they are at level three, four, or five in terms of their security maturity. We can analytically categorize the levels that compose these security states, and that is a good thing. However, some of these states assume reasonably well-known threat patterns. The challenge is that even with the best possible security posture, novel threats can bring the entire security structure crashing down. This is one of the driving conditions that make a comprehensive cybersecurity approach an operational and technological necessity. 

Whether it is NIST or CMMC, the five levels of cybersecurity maturity shape up like this: 

  • In the first level, the organization is vulnerable. A lack of preparedness is the most palpable description, along with a general lack of structure, documentation, or processes.
  • At the second level, an organization becomes more aware, but it is still reactive. It can repeat basic efforts and has basic documentation of processes available, but only in a reactionary manner. This organization can respond in the timeframe of a few days, but it is vulnerable to data loss, operational gaps, and financial impact.
  • Level three marks the beginning of effective security measures. It is typically built from security, compliance, and regulatory efforts, along with the establishment of tighter security processes. Security policies and technologies are deployed and documented for the most critical environments. General assurance of the environment is established, typically including the existence of backups and repeatable issue mitigation. In this scenario, rapid event awareness is the vehicle for enablement, reducing response time to hours and sometimes minutes while significantly minimizing potential financial loss.
  • The next level escalates to a continually compliant state based on external requirements and internal operational standards. The entire environment is managed, logged, and reviewed on a routine basis, and continuous monitoring helps eliminate regulatory penalties and maintains awareness of operations across each discipline.
  • The highest level of security maturity is the optimized, proactive posture, where information security processes are a model of continual improvement. These processes are tightly integrated with information from throughout the environment, offering feedback, external information, and research, and they can introduce needs-based process updates to better serve the organization. Organizations at this level are able to respond in real time, and they can significantly reduce data and application breaches.

Prepared but Still Exposed 

While these five levels sound good, there are still massive risks from novel threats that can render much of the level two and level three preparedness obsolete, and perhaps severely compromise even a level four organization. A Zero-Day attack is an unforeseen event that bypasses previously established standard security measures. This makes it difficult for security systems and software providers alike, as they don’t know which threat signature might or might not trigger alarms, leaving their products vulnerable in the process. 

During a Zero-Day attack, all that preparedness can be undermined as even a limited opportunity slips through the cracks, unknown and unopposed. Preparing for Zero-Day attacks is critical, with a foundation of: 

  • Being proactive
  • Maintaining good data backups
  • Monitoring traffic, security incidents, and accounts
  • Keeping systems up to date
  • Implementing Zero Trust

Zero-Day Blinders and Zero-Day Finders 

A key disadvantage of operating as a single organization with a single infrastructure is reduced visibility. In terms of Zero-Day vulnerabilities, a lone organization may only be subject to a single attack at a given time. This makes it easy to lose sight of looming dangers that are continuously present and just as dangerous. 

Among the benefits of leveraging a massive infrastructure, and of adopting the mission to go beyond the final level of security maturity into Zero-Day conditions, is the ability to see incoming threats across different channels, organizations, industries, and geographies. The imperative of Zero-Day threats across a scaled base requires never-ending active identification and hunting of threats throughout the infrastructure. 

When we speak of comprehensive security, it incorporates everything from process to technology to detection monitoring to recovery. It encompasses everything from designing, building and operating the entirety of the IT environments. Absent this complete approach, even proactive organizations cannot rely on their maturity model designation as a crutch against threats. When the significant risk of Zero-Day threats is unacceptable, no stone can be left unturned. 


Check out this piece, originally published in Security Magazine, here and follow me on LinkedIn.  

Cybersecurity Challenges in a Nutshell

Computer security researcher Dan Farmer once said, “If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders.” This is not reality, because as individuals and businesses we rely on these devices. 

The mindset must be changed about where cybersecurity falls on a business priority list. Cyber incidents most often occur because a cybersecurity plan was not set in place prior to an incident. Cybercriminals around the world deploy ransomware in our cyber infrastructures, often after hours or over the weekend, so that by the time its effects are seen, the damage is done, whether through a phishing email or another form of exploitation.  

It is critical to be proactive when it comes to cybersecurity and already have defenses in place before bad actors reach your cyber infrastructure. Cybercrime has (unfortunately) cost companies trillions of dollars a year, according to Cybersecurity Ventures: 

  • $6 Trillion USD a year
  • $500 Billion a month
  • $115.4 Billion a week
  • $16.4 Billion a day
  • $684.9 Million an hour
  • $11.4 Million a minute

Most recently, ransomware groups and criminal enterprises from Russia have been able to operate in their country with no chance of going to jail because it fits with the desires of the country’s leadership. If this leniency on cybercrime remains in countries like this, we cannot rest knowing our cyber infrastructures are not safe. 

Small to medium businesses are at a high risk for ransomware attacks and often cannot fully recover afterwards. 71% of cyberattacks happen to businesses that have less than 500 employees. 

Implementing Zero Trust and having visibility into attacks, along with resiliency to mitigate the damage, is critical for any business moving forward. Frequent patching is another key operational strategy for defending against attacks; a prime example of insufficient patching is the recent log4j incident. Without proper patching, organizations remain vulnerable to external entities.  

Additionally, phishing is one of the top ways that cybercriminals enter IT infrastructures, and without proper training, employees and their organizations are vulnerable. Phishing accounts for 90% of data breaches. Through these phishing campaigns, bad actors can steal passwords, install malware to access or control the system, or deploy ransomware to immediately shut down the business. Weak or stolen passwords make up 81% of breaches, according to the Data Breach Investigations Report. This is why it is important to create strong passwords and change them often, along with implementing two-factor authentication.  

Vice President and Global Chief Information Security Officer Stéphane Nappo of Groupe SEB said, “The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: ‘Cybersecurity is much more than an IT topic.’” 

For more details on how to secure your cyber infrastructure watch our most recent webinar and schedule an assessment with us today. 

New Year, But Classic Literature Never Goes Out of Style

The new year brings a chance to reset, restart, and set goals while reflecting on the past year’s accomplishments. With each coming year, new technological advancements are made, but we cannot forget our history or we are doomed to repeat it. 

Reflecting on how our past and present often overlap in unexpected ways in two of his 2021 Forbes articles, Ntirety CEO Emil Sayegh references classic literature pieces, showing how their timeless themes provide a familiar perspective on modern-day cybersecurity issues. Explore these themes and perspectives from his articles Never Truly Quiet On The ‘Western Front’ and Who Will The Cybersecurity Bells Toll For?, highlighted below. 

Never Truly Quiet On The ‘Western Front’ 

First released in the late 1920s, the novel All Quiet on the Western Front was publicly burned, banned, derided, and censored for its “anti-war” and “unpatriotic” messages. Set in the final weeks of World War I, the story swings heavily on the contrast between false security and the realities of war. Today, we are talking about a different war that is dynamically morphing between a physical war and a cyber war. A real cyber war has been raging on the front lines of computer networks for a while, and we must remain vigilant to the fact that an eerie silence may be the biggest threat of all. 

All Quiet on the Western Front was described as the most loved and hated novel about war; its messages threatened Nazi ideologies, sparking riots, mob attacks, and public demonstrations, yet it inspired an Academy Award-winning 1930 movie adaptation. Author Erich Maria Remarque may not have foreseen its full impact, but the story is laced with imagery describing starving soldiers, the brutally indiscriminate nature of (then) modern weapons, lost limbs, poison gas, and death—lots of death.  

False Sense of Security: Peace Before Death 

On the frontlines of computing, there is a false and persistent sense of security among CIOs, company boards, and most security professionals that reminded me of the end of this novel. Over the years, the phrase “all quiet on the Western Front” has been adopted in innumerable contexts to mean a lack of visible change or stagnation. It seems this is where many organizations are stuck today under this false sense of security. 

The final moments of the novel are (spoiler) deceivingly peaceful, contrasting with the overarching setting of war and its effects. It is in these moments, in the last “situation reports” from the military frontlines, that a false state of calm and security belies the coming death of the story’s protagonist. It seems that the most important lessons in life must be learned time and again. 

That Silence You Hear is a Sign 

Across the landscape of organizations, there is a definite cyber war raging, and I am not talking about Call of Duty. You don’t have to read news headlines for very long to see that there are casualties all around us. There is an enemy lurking, and there are no rules to hold them back. As defensive in nature as cybersecurity practices can be, there are offensive principles that are a necessary part of the posture. That begins with an understanding that there is always a calm before the storm, and in today’s climate, we cannot afford the reassuring sense that all is well at any given point in time. 

Let us set the stage of this sea of “calm”: 

  • APT – In the age that followed the global pandemic, nothing in cybersecurity stopped that entire time. Advanced Persistent Threats (APT) continued and, according to countless reports and breaches, have accelerated.
  • Mobile – Reports also show that mobile threats to the web and applications have gained more traction under new campaigns.
  • Diversity – Hacker creativity is at an all-time high, with actors bringing waves of zero-day threats into software supply chain attacks, phishing, and ransomware. Experienced groups and new players are combining forces and finding new, nearly undetectable ways to exchange information.
  • Maximum Impact – Fueled and inspired by changing workforce composition as well as user behaviors, attacks today are designed for maximum impact, driven by geopolitical goals and financial gains.

All the while, threat visibility has proven itself to be riddled with blind spots, as hacks and incident reports continue to show compromised detection, a gap in understanding, and shortcomings in proper security practices. To add to these factors, technology continues to change, accelerate, and evolve on both sides, while a crisis of talent resources continues. We can also see that intrusion incidents lead to ad hoc approaches to security funding, adding ineffective layers to cybersecurity health, especially when spending tails off once all seems well.  

A Time to Act 

When things seem calm, follow these general guidelines and remember that only the paranoid survive a cyber war like this one: 

  • Actively and proactively leverage multiple sources of Threat Intelligence and trusted resources to monitor the latest methods, tools, tactics, and keep a watchful eye on the roost on a daily or even hourly basis. 
  • Always verify and never trust. It is always a good time for zero-trust authentication and a zero-trust posture throughout the organization. This protects systems outside and inside the “castle.” 
  • Detect, investigate, respond, and remediate issues on every endpoint, application, service, and server system. Commit to timely and near instant responses. 
  • Spin up more security awareness training to help minimize social engineering, phishing, and other user-focused attacks. 
  • If you can’t do these items on your own, and very likely you won’t, engage partners that specialize in a comprehensive security posture. 

All is Not Quiet  

North, south, east, west, up, down, or sideways—all is not quiet, or well, on the security front (and it never should be). Don’t hide the truth with skin-deep positive “situation reports,” and always verify. Embark on a comprehensive security strategy that starts with the honest identification of your environment’s threats, then work to secure your environments comprehensively. After these first two basic steps, it is critical to also prepare for the eventuality of a breach with a fully vetted disaster recovery strategy. The final step is to continually assure and ensure that there are no gaps in your security posture through an assurance and compliance program that takes new threat vectors and compliance requirements into account. Remember, there’s a massive storm out there even if you don’t see it or hear it. Silence is not golden; it’s a false sign of security. Let’s take lessons from All Quiet on the Western Front and avoid the horrors of an actual war.  

Who Will The Cybersecurity Bells Toll For? 

From Room 511 in a famed Cuban hotel, the iconic writer Ernest Hemingway authored some of his most acclaimed works. One of his most famous books was For Whom the Bell Tolls, which was completed in 1940. Inspired by his observations in Spain during the Spanish Civil War, Hemingway wove a tale of loss of innocence, psychological and physical trauma, death, and human nature during times of war. The work was revolutionary and controversial, as it deconstructed romanticized wartime concepts of bravery and contrasted them with the sheer impact of then-modern weapons. It even inspired the Metallica song “For Whom the Bell Tolls,” a lyrical adaptation of a particular scene from the book. There are various interesting parallels from this story to the modern world we currently live in, and more specifically to the cybersecurity arena.  

The bell toll is a symbol of death, which carries a dark theme throughout the novel. From beginning to end, most of its characters manage to consider their own potential deaths or inflicting death upon others. This heavy tone and the plot narrative between fascists and the forces of resistance provided the perfect setting for the Second World War, which was brewing at the time the book was released.  

A Setting Reimagined 

Knowledge of historical works allows us to better navigate our present and future. As the saying goes, “If we do not learn from history, we are doomed to repeat it.” The lessons from Hemingway’s novel translate very well to our world today, and more specifically to the cyberwar that is raging now. The bells keep tolling for the daily victims of hackers, while we have unfortunately become apathetic due to the frequency of those attacks. In cyber warfare, we may not always be able to see the enemy with our own eyes, but the threats and actors are as real as they come. The bell could toll for anyone, at any time, when we least expect it. 

Joining the Resistance 

The Spanish fascists from the story are a lot like the organized cybercriminal gangs of today. Sponsored, nefarious, and destructive in their ways, today’s misguided hackers seem to fancy themselves as guerrilla forces, yet they are nothing but the makings of a Big Brother criminal network. The companies that try to defend themselves from this coordinated system of attacks fulfill the role of the “Resistance.” Organizations that are fighting back today must be resourceful and diligent in their tactics. They should put themselves in a position to refuse to acquiesce to the impact of a ransomware incident, just as we saw with the catastrophic attack against Ireland’s Health Service Executive (HSE) organization. HSE joined the “resistance” and refused to pay the ransom, as it had a disaster recovery plan in place. At the other extreme, we witnessed the twin sagas of the Colonial Pipeline and the JBS meat producer and how, faced with little choice, these two organizations cowardly paid massive ransoms in hopes of recovering data and operations.  

A Wasteland of Attacks and the Endless Wave 

The main story-derived lesson for organizations today comes straight out of the title. It doesn’t matter who you are or what your security budget is, you cannot successfully assume that the bell will only “toll” for someone else. Just ask FireEye, SolarWinds, Kaseya, or even Peloton. You can even ask the federal government itself regarding some of its disclosed and undisclosed hacks. Here is the simple reality: 30,000 websites and applications are hacked every day, with an attempted attack happening every 39 seconds. This industry is filled with conversations and false narratives of the latest security product lineups, cyber capabilities, and reports of how attacks were averted. The reality is that security standards are obsolete the moment they are released. The security landscape is evolving daily, and very few static standards are going to guard against zero-day, novel threats. 

Not an Island 

It can be safely stated, with significant inspiration from Hemingway, that “no man is an island,” and similarly that no company stands alone. It is not revolutionary to state that anyone can be a target, but at what point does targeting become real and inspire preparation, budgeting, and deploying best-of-breed safeguards? Far too often, we are called to address this question after the facts of a breach become clear. It is not too late for the community or for any company to mind the bells of attack. 

Every organization holds the opportunity to mature its security and privacy programs and to be fully aware and best positioned for the modern challenge of cybersecurity by leveraging facts, expertise, monitoring, and knowledge about what in its digital presence is vulnerable and what is valuable. The realization is that when data drives actions and security is comprehensively implemented throughout a formless and endless perimeter, you can escape the trap of false security “standards.”  

Beyond the Chaos 

It all starts with an identification of gaps and threats and securing against those threats. Disaster recovery planning follows, since no matter the security measures, the enemy may still break through the defenses. The journey of cybersecurity cannot be complete without an assurance program that maps to the never-ending quest to find ways to stay a step ahead of the enemies and ahead of our own limiting concepts. An awakening must happen through the sharing of the phenomenal cybersecurity statistics that line the battlegrounds of today. On the frontlines of cybersecurity, there are so many close calls and so many seemingly minor events that can be the first in a chain of “perfect storm” events leading to a major security incident. This happens thousands of times per day.  

All the while, strewn among the spent tools of cyber warfare are targets that defy simple definitions. No business domain is immune, and it matters little whether an attack is launched against large or small organizations, profit or not for profit, public or private. No one is safe—plan accordingly. 


Classic literature remains relevant because of its timeless themes that, even after a decade or a century, still stand and can be related to by modern people. History may repeat itself, and we must continue to prepare for any possible scenario in the cyber field. 

Schedule an assessment with us today to learn more about preventative security measures you can take to secure your cyber environment.

Readying For Regulation Response To Cyber Incidents – Forbes Article by Ntirety CEO Emil Sayegh

Recently, utility companies have been a major target for hackers, and critical infrastructure has been put at stake. As these cyberattacks have increased, taking action to keep bad actors away from our cyber environments must be a top priority. For industries such as utilities that provide services to almost all of us, we must all do our part to ensure security is enforced. 

Ntirety CEO Emil Sayegh emphasizes the importance of the United States government’s involvement in protecting the ever-growing cyberspace, and the businesses and people whose lives could drastically change. The following piece, Readying For Regulation Response To Cyber Incidents, was originally published in Forbes.

Readying For Regulation Response To Cyber Incidents

In the wake of a prolonged season of significantly impactful cyberattacks, new regulations have arrived on the scene, and we can expect more to soon follow. Good, bad, and ugly, regulations are a natural governmental response to significant situations that carry national implications. For now, the focus is on pipeline operators. But with so much vulnerability in the wild, a lack of overall standards, and the fact that so much is at stake, cyber regulation is on a trajectory of growth, and may also find itself on a collision course with many more sensitive industries.

Back in May, the world was shocked when the Colonial Pipeline Company revealed that it was a victim of a ransomware attack. The immediate response was to halt operations in order to contain the attack. Five days later, operations resumed, but not before fuel prices on the East Coast of the U.S. skyrocketed and fuel shortages crippled the Eastern Seaboard.

Regulatory Response

The same day that operations resumed, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity.” Moving from voluntary participation to mandated compliance, some 100 pipeline operations had to formally designate a 24/7 cybersecurity coordinator and report confirmed and potential incidents to the Cybersecurity and Infrastructure Security Agency (CISA) under the new directives.

In late July, the rules tightened up from there with further regulations. The specific details that accompany this mission have not been fully revealed to the public, but some elements have been shared about the program. Participants will need to:

  • Develop a cybersecurity contingency and recovery plan
  • Conduct a cybersecurity architecture design review
  • Implement mitigation measures to protect against cyberattacks immediately

In addition, the regulations have a bit of a bite to them, leveraging potential fines that can amount to close to $12,000 per day for each violation.

The Regulatory Trajectory

The age of self-driven, voluntary standards and industry participation is beginning to change as a response to the rash of successful attacks against critical organizations. With solid research and preparation, the implementation of these forthcoming compliance measures could possibly roll out smoothly. It is also likely that challenges will be felt throughout the industries affected by new compliance measures. Revisions and updates will follow, as already exhibited in the pipeline industry.

For most, compliance and regulation are not completely new territory; however, the horizontal rollout and application to formerly voluntary industries will carry some challenges along for the ride. New technologies, cutting-edge standards, and continual assessment are not always associated with the considerably comprehensive publications of ordinary regulations.

Rolling out successful cybersecurity regulations in a comprehensive effort is going to require awareness on the contextual history of regulations as well as measures to keep regulations up-to-date and achievable.

Preparing Now

Based on technical and operational components, the gold standard reference point throughout the industry is the set of standards set forth by CISA. Organizations can get ahead of these and create a better security baseline by assessing cybersecurity policies and procedures and updating them as necessary.

Among the advancing best security practices and technologies, prepare to assess and incorporate:

  • Updated backup and recovery tools and processes
  • Risk prioritization exercises
  • Secure cloud service practices
  • Segmenting networks
  • Multi-factor authentication
  • Zero trust capable architecture
  • Robust endpoint management
  • Enterprise threat mapping
  • Data encryption at rest and in transit

Every environment is different, with different realities to consider.

It can be difficult to turn down the background noise of emerging products, industry buzzwords, and marketing smoke. With so much to navigate, I cannot blame anyone who has completely tuned out. But please don’t. Silence is not bliss in this case. Most companies are ill-equipped to deal with this threat alone and must find competent cybersecurity partners. This movement has already started; this is a clarion call and a moment of action on every digital front. Cybersecurity is becoming an imperative across the land.