Dark Web Of Cybersecurity Concerns Rising With Gig Economy

The dark web has made a black market gig economy where cybercriminals thrive, and the targets are unsuspecting people, corporations and governments alike. Ntirety CEO Emil Sayegh makes the case for how a comprehensive security posture can mitigate risks and keep organizations from being caught off guard.

Economic conditions combined with opportunity and technological advancements have set the foundation for the gig economy. Freelance, temporary, and flexible jobs are a noticeable component of our modern economy, and employer names like Upwork, Uber, Lyft, Fiverr, and many others are now as familiar as traditional employers. In technology specifically, we have always had freelance developers as well.

Those same economic factors, however, have created a little-known gig economy for technological skills that include cyber hacking and cybercrime.

Across our modern technological landscape, cybersecurity skills are in demand, and we are suffering from a real cybersecurity talent drought, with a forecast of 3.5 million cybersecurity jobs unfilled by 2025. The technology employment market faces a continual need for personnel and skills to fill its operational needs. Cybersecurity professionals could find themselves fully or fractionally employed in many situations at many organizations. Some of that employment includes what is called “white hat” or ethical hacking – hackers who, with the organization’s permission, test, exploit, and report on its vulnerabilities. With the right mix of cybersecurity and continued vigilance, organizations can leverage these kinds of services toward continually improving their cybersecurity posture.

The Underground: Cybercriminal Buyers and Sellers

On the dark web, however, any semblance of ethical boundaries goes completely out the window. The dark web is a thriving, active underground network of information exchange; it is in no way static, is not indexed by search engines, and is not visible to casual users. Cybercriminal activities are often traced back to these dark web origins, and much of the activity takes place in an underground marketplace built around cybercriminal mischief. Much like the gig economy itself, factors such as inflation, world events, social unrest, and opportunity are pushing skilled and opportunistic actors into this market.

The Wild West of Buyers and Sellers

This global cyber underground marketplace features unique wares and services and is driven by buyers and sellers of all types. You won’t find physical buildings, walls, or phone numbers to call. On any given day, you will find open conversations about targets, tactics, and cyber hacking expertise. Both buyers and sellers need to beware. Buyers need to beware that they are dealing with criminals, and sellers need to beware because the dark web is also frequented by undercover law enforcement and foreign intelligence agencies. Payments are made with trades of information, hacking tools, and difficult-to-track cryptocurrency. It is about as open, and about as untraceable, as a market can be, which makes it very attractive to upstarts, would-be buyers, and those looking to make some cash.

A Dark, Dark Market

Dark market operations have grown into a central component of many upstart international cyber threat operations. Hacking wares are becoming more proactive in nature than ever, bolstering a market that is destined to boom in terms of products and services sold and bought.

Black hat services available on the dark web include:

  • Hack a website – Looking to buy a hack of a site or web services? This might set you back a couple of hundred US dollars. Need those admin credentials or data? Double that amount.
  • Target a phone or computer – Looking to get to a specific computer or smartphone? A little phishing, payloaded files, or even ransomware will get the job done. Available for any platform.
  • Target a person – This attack incurs perhaps the most effort, and prices vary accordingly. However, you can buy a whole lot of trouble for the target of your choice. Services rendered can result in legal problems, reputation problems, or financial compromise for said victim. A recent example of this type of targeting is the latest rumored high-profile compromise, alleged to be a hack by underground 4chan users into the iCloud account of Hunter Biden.
  • Records manipulation – Need something changed? Social engineering and technological compromise could be your ticket. Official school transcripts, address verification, and any number of records can be changed as requested.
  • Email hacks – There are many ways to get into an average email account, so you can buy this service along with a choice of quietly spying on the account, simple access, or copies of everything inside the mailbox. The infamous hack in 2016 of then presidential candidate Hillary Clinton’s emails may have cost her the presidency.
  • DDoS attacks – A Distributed Denial-of-Service (DDoS) attack is a type of cyberattack in which hackers render a network of computers unavailable to its users by flooding the targeted system with requests. You can typically pay for targeted DDoS attacks in one-hour increments, for as long as you want. Countless options abound: you just name your target, begin and end dates, and level of attack bandwidth.
  • Social attacks – You can buy a hijack of a targeted social account for the right price. Hackers have been doing this one for years, with high-profile hacks against major corporations on properties like Twitter, Facebook, and more.

Cyberweapons for Sale

You can also buy, trade, and sell data – including military-made cyberweapons that are available on the dark web. In fact, the market was already going in this direction when the United Arab Emirates was exposed targeting human rights activist Ahmed Mansoor in 2016. The virtually impossible-to-detect iPhone spyware tool they used was called Pegasus, made by an Israeli company known as the NSO Group. The Pegasus spyware is classified as a weapon by Israel, and any export of the technology must be approved by the government. It is only approved for sale to governments, not private enterprises, but it invariably falls into the wrong hands. Reports have potentially implicated this spyware in a number of attacks across the world targeting human rights activists and journalists, such as murdered Saudi dissident Jamal Khashoggi. Pegasus is the iOS variant for Apple devices, while the Android variant is called “Chrysaor.” It is similar in nature to the original Trojan programs that were used to spy on computers, except that it spreads via text messages and targets mobile devices. Back in 2014, a group known as Hacking Team, based out of Italy, was also found selling specific spyware to other countries’ intelligence agencies. Each of these incidents involved hackers for hire, custom tools, and nation-state entities.

The Unprepared Will Fall

With illicit activities on the rise, an inevitable logical outcome is that many more unprepared organizations will face cyber disasters. In the face of yet another growing threat condition, the case for comprehensive security systems only becomes stronger by the day. Continuous monitoring, detection, and recovery are the components of a comprehensive security solution where so many organizations will fall short.

We cannot stop this scary underground surge, but with a comprehensive security posture, we can wield the tools to detect, mitigate, slow down, and even stop these attacks in their tracks.

This article was originally published in Forbes; please follow me on LinkedIn.

Answering The Problems Of CIO Turnover

The CIO role has become increasingly paramount as modern organizations’ technology has become increasingly complex and unique. But, within the responsibilities of this role, companies are struggling with turnover rates. In this article, Ntirety CEO Emil Sayegh delves into the turnover of this critical position.


Across industries, we commonly talk about the lifecycle of products, computers, and software, yet we rarely hear about the life cycles of the Chief Information Officer (CIO). When it comes to technology, modern organizations are as complex as they are unique, and it comes down to the CIO to navigate through a wide sea of technology that reaches into every aspect of the organization. With an increasingly heightened importance on the execution of transformative information technology projects, the turnover rates for the CIO position are becoming a challenge for organizations across the spectrum.

Amidst the technological climate of business today, the expectations for organizational success have never been closer to the actions of technology executives and the leadership they provide. Thanks to the rapid evolution of technologies, the role of the CIO has progressively shifted from the person responsible for running IT, to the purchaser of selected services or technologies, to that of a tactical technology strategist. The CIO can affect the very DNA of an organization, making it better, faster, and more able—or sometimes quite the opposite, unfortunately.

The Come and Go of CIOs

Across the Fortune 500, the issue of high turnover rates, even at the executive level, is hardly an industry secret. CIOs average from three to five years of tenure according to various industry reports, making consistency in IT delivery a challenge widely felt throughout the organization. This heightened criticality, combined with the rapid pace of the technology business and global technology skills shortages, leads to this relatively high degree of CIO turnover. Incumbent CIOs face continual performance reviews from their CEOs and sometimes their company boards. They also have career aspirations; they get poached often and may simply burn out. The overall direction of a company can shift, as we saw with the COVID-19 pandemic, and fresh initiatives create demands for the CIOs and their teams to fulfill. Turnover is rampant when change is about, and change comes with the territory of business and technology.

The Whys of CIO Turnover

The CIO faces challenges across the board, and there are various factors that lead to turnover in this position:

  • Security breaches – A significant security incident has the power to alter and end careers
  • Project failures – Including misses on deadlines, budget, and objective fulfillment
  • Burnout – Accelerated timelines, bureaucratic resistance, and resource challenges
  • Uninteresting work – When the grass is greener somewhere else and the technology goals do not match what the CIO wants to do

Technology executives also report that when they leave on their own terms, they have achieved a state where technology is on the right trajectory, even without their presence. They also share that they have achieved all that they wanted in their scenarios.

Who is Right and Who is Wrong?

Analyzing these overall factors, it is difficult to choose a side. Organizations need capable and experienced executives, which means the search for talent can never stop. In some cases, the union between executive and organization decays. What is more useful is to characterize successful CIOs.

Regardless of tenure, the successful CIO has made themselves essential. Around the office, this is easy to spot. Peers, leaders, and co-workers will naturally gravitate to an effective CIO. They lead through clear missions, and they recognize how to leverage technologies to drive improvements across the organization, create and capitalize on opportunities, and help manage costs. In various scenarios, CIOs are also able to deliver competitive intelligence that is actionable and useful to the organization’s goals. The successful CIO continuously learns on the job and balances risk factors, budgets, utility, and more in new technology scenarios.

Building and Creating Great CIO Stories

Striving for reduced CIO turnover is an exercise in improving outcomes and creating consistency. Whether from the position of the CEO, the board or the CIO, the responsibilities of this critical position are essential to the health of the organization, and specific goals can help reduce short-tenure transitions and improve satisfaction.

  • Think BIG – The CIO should envision the big picture and act with essential intent. Establish that critical connection between bytes, results, and opportunities. Remote work, IoT and AI systems, rapid application development, and global capabilities are just a few of the difference-making journeys that CIOs must embark on.
  • Tap the Untapped – The untapped capabilities for the average organization are essentially limitless. With innovation and proven cloud technologies powering enterprise sails, a lone CIO can be the catalyst that raises the bar across business units and delivers transformative value to the organization.
  • The Customer Experience – Modern technological needs feature an intense focus on user and employee experiences, profitability, and 24x7x365 availability, which depend on rapid, flexible technologies in addition to well-run operations. The CIO needs to lead this charge with innovation as the technological heart that drives everything forward.
  • “Goldilocks” Partners to Mitigate Challenges – When the challenge is technical, or a security failure, specialized partnerships always produce better results than internal efforts. Find partners that match your needs and can take full ownership, rather than piecemeal. Treat partners well and you can invoke their full knowledge and networks. Bigger is not always better, and too small is often too risky.
  • Recognize Your Top Solution is People – Technology isn’t everything. In fact, it’s not even the first thing—people are. Develop. Coach. Work together. Include end users, developers, IT, and leadership as you work down this route.
  • Focus on Acceleration – At every turn, opportunities through technology and services can change the game and help you achieve goals. Going it alone can be thrifty, but rarely fully delivers.
  • Resolve Conflicts – The waters will rise, the milk might spoil, things might seem destined to go wrong. Navigate these challenges with elegance by finding the best possible solutions.

From CIO 1.0 to CIO 2.0

The Chief Information Officer will move further from day-to-day operations toward innovation, becoming the de facto Chief Innovation Officer, formally or informally. With each passing year, the role of the CIO becomes increasingly important to the core operations of a company. With everything that has happened these last two years, technology is more critical today than ever, and as we roll into the future, there is no stopping this critical shift. Enterprise goals and achievements are contingent on the success of modern technologies.

Upon reviewing the scenarios between the organization and its CIO, it is clear that objectives are critical and opportunities to evolve the organization drive this relationship. Just as the universe of technologies is boundless and without limits, the CIO can unleash growth through continually questioning, solving, and delivering toward their individual goals and those of the organization.

Check out this piece, originally published in Forbes, and follow me on LinkedIn.

Rising global tensions put us a few lines of code away from a significant cyber event

Cyberthreats are dominating the news headlines. Ntirety CEO Emil Sayegh highlights the current ever-changing cyber landscape and how we can better protect our cyber infrastructures.

Reflecting on the threats and targets that concern us most given the Russia-Ukraine war, cybersecurity is now the front line of our country’s wellbeing. Cyber threats endanger businesses and individuals — they can affect supply chains, cause power grid failures, and much more.

This growing environment of risks and increasingly aggressive adversaries demand our readiness, yet our national response continues to be largely reactive to threat conditions. History shows how a small event built on daisy-chained circumstances can kick off a catastrophe, or even a shooting war. 

As the war in Ukraine endures and as countries around the world align, a rising threat emerges from Russian sources, adversarial states, unscrupulous opportunists, and a shadow world of fifth-column provocateurs. An 800% increase in activities was observed in the first 48 hours of the invasion alone, and scanning and probes on domestic network infrastructures are reaching historic highs.

Cyber vs kinetic warfare 

This is a heightened condition of hostilities that will continue and extend beyond physical engagements. We must confront the fact that globally sourced cyberattacks are the essence of modern warfare. It is simpler, cheaper, and more impactful to run a cyberattack campaign than a traditional kinetic act of war. 

Cyberattack campaigns make strategic military sense since they are designed to disrupt communications and energy, cripple a population or its military readiness, or make any number of dire situations worse. This is why we see intelligence agencies either directly or indirectly involved in cyberwarfare.

As Russia becomes more isolated from the rest of the world, it is believed that even in the aftermath of current conflicts its leaders, intelligence agencies, and even rogue groups of unemployed hackers will be more apt to deploy cyberattacks, either in retaliation or simply for monetary gain. 

China has targeted the United States for decades and they have done so on every possible front. From the military, to business, to finance, to the global race for resources, China has leveraged every possible point using tools such as political influence, market manipulation, cyber intrusions, partnerships, and military threat. 

Throughout the industry, we can track countless advanced attacks and backdoors to their efforts. In the crosshairs of this force are state departments, contractors, and any organization it can hook itself into. In many cases, their aim is far longer-lasting: industrial espionage and the theft of intellectual property, in addition to ransoms.

Rebuilding Security 

We are in a position where even a minor escalation of cyberattack characteristics could cripple this nation and cause massive impacts on life and property. Our response positioning must equal and exceed the specter of the overall threats, and our readiness must be comprehensive. 

In addition to the ongoing Congressional efforts to improve our national cybersecurity, we must add the following tasks to the national cybersecurity mission: 

  • Fix the damage – We must put a priority on funding new security initiatives, with an emphasis on new technologies, the growth of intelligent protection, and services that can augment the baseline of overall security posture.
  • Train a nation – Quality training systems must be made readily available that address modern kill-chain awareness, attack simulations, and advanced countermeasure techniques.
  • Greater collaboration – We must expand the efforts of the Cybersecurity and Infrastructure Security Agency (CISA) to work with the community beyond early warning systems, and to help model comprehensive cybersecurity protection systems by leveraging technologies and services.
  • Pursue criminal activities – We must continue to bring cases of cyber theft, cyberespionage, and cyberattack to the point of grand jury indictment. We need these cases as assets in defending our digital sovereignty, even when they will not result in fines or jail time.

Building a secure digital future is an essential task that demands success, and it should be one of our core missions as a nation. We must take measures to improve cybersecurity through increased knowledge, better technologies, and tactics that are built for the modern range of cyberthreat conditions. 

From mobile endpoints to applications, to identity, and onward to the cloud and infrastructure combined, safeguarding critical assets is a comprehensive task that requires the highest possible prioritization. The recent history of cyber-driven disruptions to critical services has so far been only a warning of what could happen.

We must face the threat that we are only a few lines of code away from a very significant event. Our readiness must improve immediately. 

 

Check out this piece, originally published in The Last Watchdog, here and follow me on LinkedIn. 

Cybersecurity Maturity Models Can Be Immature

Cybersecurity maturity models are a great starting point for businesses to understand their most important cyber needs. This piece from Ntirety CEO Emil Sayegh notes the importance of going above and beyond the minimum recommendations to avoid the costly consequences.

Like many things in life, cybersecurity posture is a spectrum of states of maturity. Cybersecurity Maturity Model Certification (CMMC) is all the rage now in IT departments. You can be at one end of the spectrum of cybersecurity maturity, the other end of the spectrum, or maybe somewhere in the middle. The National Institute of Standards and Technology (NIST) and CMMC have defined those security maturity models in five distinct stages. You even often hear some IT departments proudly declare that they are a level three or four or five in terms of their security maturity. We can analytically categorize the levels that compose these security states, and that is a good thing. However, some of these states assume reasonably well-known threat patterns. The challenge is that even with the best possible security posture, novel threats can bring the entire security structure crashing down. This is one of the driving conditions that make a comprehensive cybersecurity approach an operational and technological necessity.

Whether it is NIST or CMMC, the five levels of cybersecurity maturity shape up like this: 

  • In the first level, the organization is vulnerable. A lack of preparedness is the most palpable description, along with a general lack of structure, documentation, or processes.
  • At the second level, an organization becomes more aware, but it is still reactive. It can repeat basic efforts, and it has basic documentation of processes available, but only in a reactionary manner. This organization can respond in the timeframe of a few days, but it is vulnerable to data loss, operational gaps, and financial impact.
  • Level three marks the beginning of effective security measures, typically constructed from security, compliance, and regulatory efforts, along with a greater establishment of tight security processes. Security policies and technologies are deployed and documented for the most critical environments. General assurance of the environment is established, typically including the existence of backups and repeatable issue mitigation. In this scenario, rapid event awareness is the vehicle for enablement, reducing response time to hours and sometimes minutes, while potential financial loss is significantly minimized.
  • The next level escalates to a continually compliant state based on external requirements and internal operational standards. The entire environment is managed, logged, and reviewed on a routine basis, and continuous monitoring helps eliminate regulatory penalties and provides awareness of operations across each discipline.
  • The highest level of security maturity is the optimized, proactive posture, where information security processes are a model of continual improvement. These processes are tightly integrated with information from throughout the environment, offering feedback, external information, and research, and they can introduce needs-based process updates to better serve the organization. Organizations at this level are able to respond in real time, and they can significantly reduce data and application breaches.

Prepared but Still Exposed 

While these five levels sound good, there are still massive risks from novel threats that can make much of the level two and level three preparedness obsolete, and perhaps severely compromise even a level four organization. A Zero-Day attack is an unforeseen event that bypasses previously established standard security measures. This makes it difficult for security systems and software providers alike, as they don’t know which threat signature might trigger alarms, leaving their products vulnerable in the process.

During a Zero-Day attack, all that preparedness can be undermined as even a limited opportunity slips through the cracks, unknown and unopposed. Preparing for Zero-Day attacks is critical, with a foundation of: 

  • Being proactive
  • Maintaining good data backups
  • Monitoring traffic, security incidents, and accounts
  • Keeping systems up to date
  • Implementing Zero Trust

Zero-Day Blinders and Zero-Day Finders 

A key disadvantage of operating as a single organization with a single infrastructure is reduced visibility. In terms of Zero-Day vulnerabilities, a lone organization may only be subject to a single attack at a given time. This makes it easy to lose sight of looming dangers that are continuously present and just as dangerous. 

Among the benefits of leveraging a massive infrastructure, and of adopting the mission to go beyond the final level of security maturity into Zero-Day conditions, is the ability to see incoming threats across different channels, organizations, industries, and geographies. The imperative of Zero-Day threats across a scaled base requires never-ending active identification and hunting of threats throughout the infrastructure.

When we speak of comprehensive security, it incorporates everything from process to technology to detection monitoring to recovery. It encompasses everything from designing, building and operating the entirety of the IT environments. Absent this complete approach, even proactive organizations cannot rely on their maturity model designation as a crutch against threats. When the significant risk of Zero-Day threats is unacceptable, no stone can be left unturned. 

 

Check out this piece, originally published in Security Magazine, here and follow me on LinkedIn.  

Citing cyberthreats: Why we should be worried

Complacency is not an option when it comes to cybersecurity. Ntirety CEO Emil Sayegh highlights prominent cyberthreats we are facing today in the following piece.

In the wake of global conflicts, significant concerns about the security of critical domestic cyber operations have dominated the news. Yet, despite all the urgent alerts and notices, after several weeks of escalated scenarios of aggression, it seems the “big one” hasn’t quite hit. On one hand, our power is still on, our water still flows, and our kids can still walk over to the campus ATM and check their balances. Have our adversaries been holding back? Or is something else happening? Threat activity levels are higher than ever, and it is more likely that cyber chaos is lying in wait. Remember the peace of the Western Front — this is the time to worry the most. 

There is little debate that the primary channel for conflicts in the world today is rooted in offensive cyber capabilities. In recent years, attacks from nation-states and state-sponsored groups have surged and include corporate espionage, ransomware schemes, supply chain software breaches, fundraising for terrorist activities, and more. At times it seems that cybersecurity is an epic cat-and-mouse battle.

The U.S. is the Target

Let’s be clear; it is not just Russia. Even the slightest indication of undermining security is an opportunity for adversaries and foes. China, Iran, North Korea, and even other actors that claim to be technically our allies will not let an opportunity for technological chaos go to waste. This is our modern Roman arena, and we are not viewed as the lions — we are viewed as the bait, and almost everybody is coming at us. 

One simple fact of these threats is that a history of successful attacks begets continued attacks. Attack vectors, techniques, and tools are shared in private corners of the web. Successful campaigns also create cryptocurrency-based digital wealth that can wage war, sponsor terrorist groups, and spawn new attacks and new attackers.

Russian Capability

Russian offensive cyber operations are highly advanced, and we have seen how many experts have tracked the SolarWinds attack of 2020 to suspected Russian sources. This incident was a sophisticated infiltration of a major software supplier, and the compromise affected thousands of clients. Operations at that scale take time — incorporating full-cycle targeting, social engineering, payload, and surveillance over the course of many months.

From the beginning of the war in Ukraine, cyberattacks came first. A prelude to the land attack, these operations destructively took out government agencies, banking facilities, and other critical offices. These were official military actions, but Russia also wields a hidden force of citizens who will see cyber hacking as a form of patriotism and survival as the world continues to apply economic sanctions to the country. Attacks could persist for years beyond the cessation of violence.

 

Attack Signals Not Stopping 

The first quarter of this year is behind us, and we are already seeing a high number of novel methods emerging, as well as a heightened and accelerated scale of cyber threat activities across the board. The company I lead has collected an 800% increase in threat activities since the war first started, and it is not abating in any sense of the word. We continue to work with high-level government agencies on a frequent basis to help protect the ecosystem of companies within our client base and beyond.

We have the Okta situation, new Android malware, reports of suspected Russian and Chinese capabilities to defeat two-factor authentication, and specific failure incidents, such as the report of a major storage provider suffering the permanent loss of customer data. If it isn’t clear already, it one day will be — flaws and human interaction can weaken technology, but technology combined with the commitment to thorough security practices can close significant gaps.

There is definitive proof that global criminal and perhaps intelligence syndicates are driving this increased activity, and the day of the lone hacker is history. Such is a global cyberwar. Companies cannot withstand this escalating onslaught alone. We must take up arms to protect what is ours. This is an invasion of an entirely different kind, and we must protect the homeland in the cloud, on our keyboards, our televisions, and our mobile devices.

Preparation and Targets

We have so much to protect. First, our military and economic foundation are highly dependent on digital terrestrial and satellite technologies. The protection of the backbone is critical, and these are primary targets. However, the frontlines in this battle are everywhere we go, everywhere we live, and so right away and urgently, our national base of cyber readiness must get up to speed on security matters. 

Only a comprehensive security strategy will solve this once and for all, but until then, we can steel ourselves against this persistent wave of threats with basic actions:

  • Lock down networks and systems
  • Implement tested and validated backups
  • Implement Multi-Factor Authentication
  • Patch systems and software
  • Turn on monitoring and alerting (everywhere)

On a personal level, pay attention to your passwords. Change them often and make them complex. Implement multi-factor authentication everywhere possible. Stay aware of phishing attempts, malicious links, and every form of cybersecurity responsibility you bear for yourself and the companies you work for.

 It is the natural order of things that big-name companies are going to hold a higher target value. Russia, like many other nations that wield cyber threat operations, is in a position where it can completely rely on symbolic victories in its cyber attack campaigns. You can count Coca-Cola, Exxon/Mobil, and even Tesla as organizations that are probably on heightened alert due to their very public business decisions launched in response to Russia’s attack.   

The Silver Lining

Industry awareness of these threats has improved, and the fact that we have survived this long ties back to the hardening throughout the industry following two years of pandemic-driven challenges. The fires of that digital chaos and the improved response are positive historical touchstones. We will find that only a complete lifecycle of comprehensive security can protect what is truly essential. 

 Eventually, the Russian crisis on the ground will pass, but another crisis is looming. Silent digital attacks are a prelude to greater actions, and the stillness is a false sign of security. Russia, China, and other global adversaries are stacked up for a global confrontation, hoping that the weakest target may precipitate our fall.  

 

 Check out this piece, originally published in Security Magazine, here and follow me on LinkedIn.  

Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and slow-burn campaigns that are well funded toward their missions. These threats focus on evading detection, reconnaissance, and weaponization, carried out as a deliberate sequence of escalating steps. Even with multiple layers of technical protection, such activity still occurs on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack. The object of cybersecurity protections is to review every stone and stop the attack at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, the information uncovered in these scenarios still requires analysis and a threat disposition by trained and qualified human beings.

Anatomy of the Incident 

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate these millions of incidents that happen every day.  

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of a series of behavioral threat alerts for an endpoint system within a client’s environment.
  • The alert triggered a disposition of a potential network ransom event.
  • An immediate investigation of this system was launched, and it was discovered that a portion of the files on the system were encrypted.
  • The investigation further showed that the operating system was functional, with no observable impact.
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any further lateral movement.
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.
  • The SOC initiated a Root Cause Analysis and determined that the initial point of entry for this ransomware attack was an unpatched, externally facing server that DID NOT have standard security products installed.
  • This server was scheduled for decommissioning. Further, an administrator account on this system had been compromised; it used a weak, 8-character password that had no history of updates.
  • The affected server was completely compromised, with evidence of complete system encryption.
  • A ransom note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.
  • System and Security event logs could not be recovered, indicating the logs had been scrubbed.

With the successful compromise in place, the attack attempted to escalate, moving laterally to the endpoint system where our detection tools were able to catch it before any further damage could be done.  

As an epilogue, the customer received guidance and recommendations towards decommissioning the server as soon as possible, wiping and imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.  

The Comprehensive Response 

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied down to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.  

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to laterally propagate. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.  
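The root-cause findings above (legacy OS, no security agent, unpatched public-facing host, an unrotated 8-character privileged password, and event logs that could not be recovered) can be turned into a routine exposure check against an asset inventory. The following Python is an added example and not Ntirety's tooling; the inventory records, the thresholds, and the hosts are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Constructed inventory record (not a real product's data model). The fields mirror the
# root-cause findings from the incident: exposure, missing agent, patch age, privileged
# password age and policy, and whether the host's logs are still reaching the collector.
@dataclass
class Host:
    name: str
    internet_facing: bool
    security_agent: bool
    os_supported: bool
    last_patched: date
    admin_password_changed: Optional[date]  # None = no rotation on record
    min_password_length: int                # local password policy on the host
    last_log_received: datetime             # last event seen by the log collector
    decommission_planned: bool = False

# Assumed thresholds; tune them to your own policy.
MAX_PATCH_AGE_DAYS = 30
MAX_PRIV_PW_AGE_DAYS = 90
MIN_PRIV_PW_LENGTH = 14
MAX_LOG_SILENCE_HOURS = 24


def triage(host: Host, today: date, now: datetime) -> List[str]:
    """Return the findings the incident's root-cause analysis would have raised for one host."""
    findings: List[str] = []
    if not host.security_agent:
        findings.append("no security agent installed")
    if not host.os_supported:
        findings.append("legacy/unsupported OS")
    patch_age = (today - host.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"unpatched for {patch_age} days")
    if host.admin_password_changed is None:
        findings.append("privileged password never rotated")
    elif (today - host.admin_password_changed).days > MAX_PRIV_PW_AGE_DAYS:
        findings.append("privileged password older than policy allows")
    if host.min_password_length < MIN_PRIV_PW_LENGTH:
        findings.append(f"password policy allows {host.min_password_length}-character passwords")
    silence = now - host.last_log_received
    if silence > timedelta(hours=MAX_LOG_SILENCE_HOURS):
        hours = int(silence.total_seconds() // 3600)
        # A silent host is how scrubbed logs go unnoticed: forward logs off-box and alert on gaps.
        findings.append(f"no logs received for {hours} hours; verify logs are not being cleared")
    return findings


def prioritise(hosts: List[Host], today: date, now: datetime) -> List[Tuple[str, int, List[str]]]:
    """Rank hosts with findings; internet-facing exposure weighs each finding three times."""
    ranked = []
    for host in hosts:
        findings = triage(host, today, now)
        if not findings:
            continue
        score = len(findings) * (3 if host.internet_facing else 1)
        if host.decommission_planned:
            findings.append("scheduled for decommission: isolate or retire now")
        ranked.append((host.name, score, findings))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed sample inventory and a fixed clock so the result is reproducible.
TODAY = date(2022, 4, 1)
NOW = datetime(2022, 4, 1, 5, 0)
SAMPLE_HOSTS = [
    Host("legacy-web-01", True, False, False, date(2021, 6, 1), None, 8,
         datetime(2022, 3, 29, 2, 0), decommission_planned=True),
    Host("vpn-gw-01", True, True, True, date(2022, 3, 22), date(2021, 12, 1), 16,
         datetime(2022, 4, 1, 4, 55)),
    Host("fileserver-02", False, True, True, date(2022, 3, 25), date(2022, 2, 1), 16,
         datetime(2022, 4, 1, 4, 59)),
]

if __name__ == "__main__":
    for name, score, findings in prioritise(SAMPLE_HOSTS, TODAY, NOW):
        print(f"{name} (priority {score})")
        for finding in findings:
            print(f"  - {finding}")
```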

However, comprehensive practices came through in the detection of anomalous events at the first possible point. Our SOC sprang into action according to plan, and we were able to fully ascertain the situation and prevent any further incidents. You can see how much potential for significant impact a single unprotected system carries, but by layering detection and response throughout the environment, we can mitigate the unknown.

The goals of the Ntirety SOC and application of comprehensive security principles have common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we are focused on responding to incidents quickly and reducing the time it takes to detect and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.  

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, to reveal hidden threats and adversarial activities, and to identify attacks before they scale.  

6 Reasons Why Entrepreneurs Should Take Security Seriously

Being an entrepreneur involves some serious hustle in order to make a dream a reality. While it can be tempting to handle everything on your own, cybersecurity requires teamwork.  Read this piece from Ntirety CEO Emil Sayegh, originally published in Forbes, to learn more about why cybersecurity should always be a part of an entrepreneur’s strategy. 

6 Reasons Why Entrepreneurs Should Take Security Seriously

Of all the rules and advice available about running your own business, the best pertains to what mistakes to avoid. At the top of the list of mistakes to avoid as an entrepreneur: do not do everything yourself.

By default, when an individual chooses to do something, they are choosing not to do something else. Yet despite that simplicity, the inclination to do it all in entrepreneur mode is tempting. We want to know every brick of our business, and we are willing to subscribe to the ideal of hard work and high rewards. The reality is, there is too much on the line, and you could be doing other things that you are much better at. It’s a powerful choice that separates leaders from the rest of the pack. In his book Good To Great, Jim Collins calls it Level 5 leadership, a level we all aspire to reach.

Choosing what your organization does and does not do is one of the most critical leadership tasks imaginable. This choice applies to our most precious digital assets as well. Information needs to reach its destination in a way that is safe.

 You are not an expert at everything in technology even if you are a technologist at heart. If you try, you end up doing less than you could have done on a much more valuable task. Once you can afford it, hiring experts has tremendous advantages, especially when you regain time and opportunities in doing so. 

 When it comes to IT security, however, you just can’t face these challenges alone. Cybersecurity is not a finish line initiative where you can roll out a tool of some sort and call it a day. The threats are ever-changing and escalating, meaning that protecting your business means keeping a continual watch on your assets and you must never let your guard down towards the ever-evolving vulnerabilities. The risks are just too great to “roll your own.” 

 These are the top reasons why, as an entrepreneur, your IT security should be taken seriously. 

 

  1. Impossible Task: Across the globe, more than 30,000 websites are hacked daily. A new attack happens somewhere every 39 seconds. More than 300,000 new pieces of malware are created each day. DDoS attacks, malicious apps, phishing, zero-day attacks, and other security concerns threaten every business, even the small ones. Your adversaries are not individuals but nation states, criminal organizations, and hive-minded hackers. No entrepreneur can do this alone, and just because an incident has not happened to you, it does not make you immune.
  2. Reputation: Nobody is immune to the reputational damage that comes in the wake of a cyber incident. Consider the value and reputation loss for companies like SolarWinds, FireEye, and others, and the association with their founders, executives, and company boards.
  3. Financial Losses: An incident can wreck your finances for good. Between recovery efforts, penalties, and loss of income, a cyber incident can affect a small company’s bottom line significantly. A 2017 Ponemon Institute study put the average cost for small businesses at $500,000 per incident. This calculation only scratches the surface of legal costs, compliance penalties for HIPAA, GDPR, lost revenue due to downtime, etc. 
  4. Losing the Board and Investors: The Board of Directors and investors have a stake in the sanctity of the business. There is nothing like a cybersecurity incident and a chain of business ownership crisis to put one at odds with these critical business advocates. The perceived savings of executing your own security is simply not worth it. 
  5. Endanger Employees: Taking on security alone can endanger your employees, who are your most important asset, through the theft of employee data, including sensitive HR files, dates of birth, financial information, and more. 
  6. Financial Theft: Cyber thieves, in many manifestations, are out there. Whether it’s a lone hacker, a team of criminals, or a nation-state organization, there are high values placed on the extraction of financial data and the methods being used are crafty, escalating, and unpredictable. 

 At the risk of repetition, understand that entrepreneurs know their businesses, but they are not experts at everything. When the likes of security giants like FireEye fall to modern, sophisticated cyberattacks as we’ve seen in recent news, you should get a sense of how critical it is to not take on the challenge of cybersecurity alone. Focus on the things you do best, and stop doing the things you shouldn’t be. 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

Why Security Maturity is Necessary for Your Business

A security maturity model is a set of characteristics that represent an organization’s security progression and capabilities. According to CISOSHARE, Key Process Areas (KPAs) in a security maturity model are practices that help improve a security infrastructure.

These KPAs include:  

  • Commitment to perform  
  • Ability to perform  
  • Activities performed  
  • Measurement and analysis of the results
  • Verifying the implementation of processes  

Levels of security maturity range from 1 to 5, with the lowest level of security maturity being one and the highest level of security maturity being five. Various industries lie within these levels, depending on their security needs. The retail industry typically falls under Levels 2 or 3, manufacturing falls between 3 to 5, while Fintech and Healthcare are between levels 4 and 5 due to the high levels of compliance needed in these industries.  

Ntirety details these levels of security maturity by detection, response, and recovery times:  

  • Level 1 (Vulnerable)
      • Time to Detect: Weeks/months
      • Time to Respond: Weeks
      • Time to Recovery: Unknowable
      • Recovery Point: Unknowable
      • Compliance: None
  • Level 2 (Aware & Reactive)
      • Time to Detect: Days
      • Time to Respond: Hours
      • Time to Recovery: 1-2 days
      • Recovery Point: <2 days data loss
      • Compliance: Internal objectives
  • Level 3 (Effective)
      • Time to Detect: Hours
      • Time to Respond: Minutes
      • Time to Recovery: Hours
      • Recovery Point: <24 hours data loss
      • Compliance: Internal & 3rd party
  • Level 4 (Compliant)
      • Time to Detect: Minutes
      • Time to Respond: Minutes
      • Time to Recovery: Hours
      • Recovery Point: <6 hours data loss
      • Compliance: Internal & 3rd party
  • Level 5 (Optimizing)
      • Time to Detect: Immediate
      • Time to Respond: Immediate
      • Time to Recovery: Immediate
      • Recovery Point: <15 min data loss
      • Compliance: Internal & 3rd party

How Ntirety Helps With Security Maturity: 

With over 20 years of industry experience, Ntirety understands how to support a business’s cybersecurity maturity needs and follow the necessary processes to ensure a smooth transition into IT transformation.  

For a company to appraise their security maturation with Ntirety, the first step is to have a conversational assessment with our team to determine the security gaps in your business’s cyber infrastructure. Our team can see where your business lies in the security maturity framework and compare it to your goals by answering some questions. Whether it is a particular industry vertical that your company falls under, you are adopting best practices within your IT infrastructure operations, or it is a board mandate, we can help formulate a plan based on your business’s needs.  

Following an assessment, the Ntirety team can detail how to improve Protection, Recovery, and Assurance. Ntirety’s Guidance Level Agreements (GLAs) can help improve these areas by optimizing availability, security, performance, and costs. Ntirety is committed to securing the “entirety” of your environment through solutions that identify, inventory, and protect the entire target environment. Ntirety’s Compliant Security Framework covers the security process from establishing your security design & objectives through protection, recovery, and assurance of compliance to your security requirements.  

One mistake we often see with companies is the belief that doing it themselves is the safer option. While resourcing a cybersecurity solution internally may seem more manageable, it can be far more costly and take away from other essential business functions. Here are the top 7 reasons to outsource security:

  1. Finding and maintaining a talented SIEM/SOC team is expensive
  2. The benefit of trends and detections observed across other customers
  3. Access to more threat intelligence and state-of-the-art technology
  4. Long-term return on investment
  5. Outsourcing lowers the risk of conflict of interest between departments
  6. Enhanced efficiency to concentrate on your primary business
  7. Scalability and flexibility

For more details on securing your cyber infrastructure, watch our most recent webinar and schedule an assessment with us today. 

Reflecting On The Biggest Crypto Hack Ever

Crypto has been a hot topic in recent news. It is relatively new, and security protocols unfortunately are not a high priority. Read this piece from Ntirety CEO, Emil Sayegh originally published in Forbes for more insight. 

 

Reflecting On The Biggest Crypto Hack Ever

The gaming and crypto worlds have reacted strongly to the news of a major attack that cost one crypto-gaming network upwards of $625 million in assets. The Ronin hack is among the largest crypto heists in history and when the dust settles, the incident may wear that crown alone. The story of this crypto-gaming company holds valid lessons for any organization that is watching. 

Big Pity for Crypto 

Crypto is known to the masses as an investment vehicle and to some it is known as a payment source for scams and hacks. Since the beginning, crypto has provided a fascinating ride, but bad actors have inevitably been there all along. Along the way, they ruined some parties. 

As it stands, the yearly damage from crypto theft and fraud activity worldwide is estimated at over $10 billion (and growing). These statistics have cast doubt on the security capabilities of the cryptocurrency industry. The Ronin hack holds clues to that uncertain crypto future.

Breaking Down the Heist 

Parties behind the Ronin network reported that validator nodes were subverted using hacked private keys, later leveraged to forge crypto withdrawals. These nodes bridged into a popular game known as “Axie Infinity” – notable for its thorough NFT and crypto monetization. The attackers were able to exploit a back door within a node that was part of the network’s validation protections. With unfettered access, the attackers were able to withdraw 173,600 ether and 25.5 million USDC. Now, the network must hope that government law enforcement agencies can assist in recovering the stolen assets.

Shortcuts and Bad Decisions 

Sky Mavis, the company behind the Axie Infinity game, shared that the attack was possible in part because “immense user load” drove the company to take a self-described “shortcut”. Let’s be clear. This looks like a bad decision that lost sight of the risks. Fixing this specific flaw might be a minor technical affair, but the company must now release a substantial plan that addresses how they technically and philosophically plan to prevent this sort of issue from happening again. Again and again in matters like this, assets became liabilities, and the company was blind to recognizing when that transition occurred.

Crypto Liabilities? 

If risks continue to be treated this way, by anyone, flawed decisions will continue to be a costly problem. The currency at risk can consist of data, crypto, passwords, cash transactions, or anything you would seemingly want to protect and provide. Let us run down specifics on why this is a growing problem for organizations that rely on crypto assets. 

  1. Cyber liability insurance – It will not cover all your losses. As a matter of fact, the entire cyber insurance industry is being reborn with skyrocketing premiums as it evolves to adapt to heightened threats, ransom amounts, and costs.
  2. Activity surge – Billions of crypto assets are stolen each year. Reports indicate that the figure is in the tens of billions and growing. Many parties are engaged in these activities, including North Korea, which boasted of its $1.7 B of stolen crypto in 2021.
  3. Crypto nature – Crypto happens to be the medium of choice for online crime in part because it is difficult to trace, has no central controlling authority, yet is accessible throughout the world. It is also difficult for law enforcement to recover.
  4. The Private Key is GOLD – The possessor of a cryptocurrency account private key wields total and exclusive control. Stealing a private key is like theft of any other traditional piece of information. Scammers will use any means at their disposal to gain access, including social engineering, email scams, phishing, and more.

Safe Crypto for Us 

On a personal level, it makes sense to protect your assets using multi-factor authentication (MFA) for sensitive accounts and configuring your account notifications correctly. Any major activity surrounding your account should be tracked, and it should alert you. You should also:

  1. Protect your secret keys well – this means using strong passwords, combined with MFA. Never share your keys.
  2. Avoid public networks and Wi-Fi – Keep your transactions on secured and trusted networks only.
  3. Strong, unique passwords – Do not rely on MFA alone, or on MFA combined with weak passwords. Never share them.
  4. Keep your crypto secure – Use crypto hardware wallets and never store it on virtual storage.
  5. Make sure your apps and exchanges are secure – If you’re using mobile, review and validate every app and crypto exchange you use for security features and reputation.

Safe Crypto for Business 

When protected by constant security measures, cryptocurrency in the enterprise can be a safe and viable business feature that can be implemented in exchanges, consumer and business transactions, in application features, building a marketplace and more. 

This should not be a surprise, but it turns out that cryptocurrency security is no different than IT security, making it very secure when implemented correctly. At its core, cryptocurrency relies on the blockchain – by design, it features changes and updates that are immutable, publicly distributed, made in multiple copies, and continually validated by means of encrypted key transactions along every step. 

Blockchain alone is great – but when it comes to business, you need reassurances, and you need awareness. These are fundamental components of comprehensive security, which is the way to go in protecting crypto in the enterprise. 

Protecting crypto systems in the enterprise depends on ensuring the base platform is fully safe and secure with a comprehensive security approach. After all, not all platforms are equal. You then must make sure that the security state stays that way, ensuring that the internals of your crypto foundation are continuously known. If anything goes wrong or changes, you should know immediately, which leads to another critical linchpin of comprehensive security – monitoring systems.

We all expect these sorts of protections for financial transactions. It makes sense for crypto as well, even in a game.

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

The New Normal for Cybersecurity

Cybersecurity seems to be making news headlines more and more recently. Hackers are becoming more widespread and more efficient with ransomware attacks up 105% from 2020 to 2021 according to the 2022 Cyber Threat Report. With new virtual realms such as the Metaverse close within our reach, it is crucial that proper protocols are set in place. 

For a Security Operations Center (SOC), monitoring customer infrastructure activity and quickly mitigating cyber threats is always a top priority, but it is especially important right now as conflict continues between Russia and Ukraine. Current Advanced Persistent Threats (APTs) and destructive malware include:

  1. Disinformation, defacements, Distributed Denial of Service (DDoS) 
  2. Destructive Wiper Communities  
  3. WhisperGate 
  4. HermeticWiper 
  5. IsaacWiper 

All of these attacks are initiated to spread propaganda or to disrupt normal operations for businesses and individuals. The Destructive Wiper Communities are distinct families of destructive malware whose intention is to render systems unusable by wiping disks and deleting data and programs, with crippling results for the affected businesses.

Following the initial attacks on Ukraine, cyberthreats were heightened globally by over 800%. While the Ntirety SOC team has not seen any targeting of Ntirety customers, we know that this could change at any moment, so we remain vigilant. We are continuing to take steps to enhance cybersecurity postures and increase monitoring for cyber threats.

Many data breaches can be traced back to the tiniest flaws, such as a weak or stolen password. As cybercriminal groups grow, it can be difficult for security teams to seal the cracks and fix the bugs fast enough. Protecting your business should be an ongoing effort, as there will always be cyberthreats. It is important to have all the right tools and technologies in place, working together.

Cyber attackers look for access through endpoints, because endpoints are easy to enumerate, readily available, and easy to reach. As remote work has become increasingly common, these endpoints, which were once located in relatively secure buildings, have moved outside the four walls of an office. From these endpoints, cybercriminals will steal data and take down critical applications. Malicious attacks can include:

  • Phishing: Users surrender personal information by responding to fake official emails or links to fake websites 
  • Malware: “Malicious software” designed to damage or control IT systems (Example: Ransomware) 
  • Man-in-the-middle attacks: Hackers insert themselves between your computer and the web server 
  • DDoS: “Distributed Denial of Service” A network of computers overload a server with data, shutting it down 
  • Internet of Things & Edge Processing: Rogue data thefts; user error (not encrypting) 
  • SQL Injection Attack: Injects crafted input into a database query to make a server divulge or corrupt potentially sensitive information
  • Cross-Site Scripting: Injects malicious code into a website to target the visitor’s browser 

Attackers are continuing to evolve their game and crowdsource their efforts. They can find vulnerabilities and exploit weak points within cyber infrastructures. With the help of Ntirety’s SOC your business will have eyes on your cyber infrastructure 24x7x365. For more information watch our recent webinar here and stay tuned for the next blog in this series.