Anatomy of a Comprehensive Security Response

The frontlines of current cyber threat conditions are an interesting combination of rogue threat actors, state-sponsored groups, and Advanced Persistent Threats (APTs). Their intrusions are characterized by stealth, patience, and slow burn endeavors that are well-funded towards their missions. Namely, these threats are focused on evading detection, reconnaissance, and weaponization in a specialized sequence of escalated changes. Even with multiple layers of technical protection, activities still occur on the most privileged networks. This is an account of how a recent incident in a protected environment was uncovered through diligence and forensic review.  

If you could visualize a successful cyberattack in review, you would see that the journey is a lot like skipping across stones in a river. Here, we are going to dissect such an attack.  The object of cybersecurity protections is to review every stone and successfully stop attacks at every possible point. Uncovering threats can rely on automated detection, artificial intelligence, and alerting to varying degrees. However, information uncovered from these scenarios requires analysis and a threat disposition by actual trained and qualified human beings. 

Anatomy of the Incident 

Let us dissect an actual security incident, so we can gain an appreciation of what it takes to mitigate these millions of incidents that happen every day.  

  • In the pre-dawn hours of a recent morning, the Ntirety Security Operations Center (SOC) received the first of series of behavioral threat alerts for an endpoint system within a client’s environment.  
  • The alert triggered a disposition of a potential network ransom event. 
  • An immediate investigation into this system was launched where it was discovered that a portion of the files on the system were encrypted. 
  • The investigation further showed that the operating system was functional, with no observable impact. 
  • Tier 2 SOC personnel initiated an immediate network containment action to isolate the threat and prevent any possible further lateral movement. 
  • Tier 2 SOC personnel continued to scan logs and immediate network connections for signs of further propagation. As the investigation continued, these findings were negative.  
  • The SOC initiated a Root Cause Analysis and determined that the initial Point of Entry for this ransomware attack initiated from an unpatched, externally facing server that DID NOT have standard security products installed 
  • This server was scheduled for decommissioning. Further, an administrator account for this system had been exploited and had been using a weak, 8-character password that had no history of updates. 
  • The affected server was completely compromised, with evidence of complete system encryption.  
  • A ransomware note and additional tracking evidence showed the attack was most likely Crylock ransomware, a new variant of Cryakl ransomware.  
  • Further investigation uncovered that the attacker(s) were able to log in and install software to maintain remote persistence on the server.  
  • System and Security event logs were unable to be recovered, indicating the logs were scrubbed. 

With the successful compromise in place, the attack attempted to escalate, moving laterally to the endpoint system where our detection tools were able to catch it before any further damage could be done.  

As an epilogue, the customer received guidance and recommendations towards decommissioning the server as soon as possible, wiping and imaging the affected workstation, network isolation, strong password enforcement practices, and installation of our advanced security tools throughout all systems in their environment.  

The Comprehensive Response 

Client environments have all kinds of interesting facets to them that can affect overall security. Sometimes there is a bit of baggage, such as a legacy operating system or application that has no available updates or is tied down to legacy by means of licensing, contract, or a functional gap. That legacy OS was the first problem. Missing security tools were the next issue.  

From there, we have an unpatched public-facing system, weak and unmanaged privileged passwords, and an open network hop that allowed the attempt to laterally propagate. You can call that an unfortunate mix of vulnerabilities that could have led to a major problem.  

However, comprehensive practices came through in the detection of anomalous events at the first point possible. Our SOC sprang into action, according to plans, and we were able to fully ascertain this situation and prevent any further incidents. You can see how one unprotected system the potential for significant impact has, but by layering detection and response throughout the environment, we can mitigate the unknown.  

The goals of the Ntirety SOC and application of comprehensive security principles have common targets. We are focused on minimizing the impact of incidents and breaches on our client organizations. To minimize impact, we are focused on responding to incidents quickly and reducing the time it takes to detect and enact our responses. By effectively remediating security conditions and maintaining security baselines throughout our client environments, we work towards preventing major incidents from occurring.  

Detection, analysis, investigation, and remediation are some of the milestone capabilities of our comprehensive defensive systems. In the current and future climate of threat conditions, this is the best available path to uncovering the unknown, to reveal hidden threats and adversarial activities, and to identify attacks before they scale.  

Why Security Maturity is Necessary for Your Business

A security maturity model is a set of characteristics that represent an organization’s security progression and capabilities. According to CISOSHARE, Key Processing Areas (KPAs) in a security maturity model are practices that help improve a security infrastructure 

These KPAs include:  

  • Commitment to perform  
  • Ability to perform  
  • Activities performed  
  • Measurement and analysis of the results
  • Verifying the implementation of processes  

Levels of security maturity range from 1 to 5, with the lowest level of security maturity being one and the highest level of security maturity being five. Various industries lie within these levels, depending on their security needs. The retail industry typically falls under Levels 2 or 3, manufacturing falls between 3 to 5, while Fintech and Healthcare are between levels 4 and 5 due to the high levels of compliance needed in these industries.  

Ntirety details these levels of security maturity by detection, response, and recovery times:  

  • Level 1 (Vulnerable)  
  • Time to Detect: Weeks/months  
  • Time to Respond: Weeks  
  • Time to Recovery: unknowable
  • Recovery Point: unknowable
  • Compliance: None  
  • Level 2 (Aware & Reactive)  
  • Time to Detect: Days
  • Time to Respond: Hours
  • Time to Recovery: 1-2 Days
  • Recovery Point: <2 days data loss
  • Compliance: Internal Objectives

  

  • Level 3 (Effective)  
  • Time to Detect: Hours  
  • Time to Respond: Minutes  
  • Time to Recovery: Hours  
  • Recovery Point: <24 hours data loss
  • Compliance: Internal & 3rd party  

 

  • Level 4 (Compliant)  
  • Time to Detect: Minutes  
  • Time to Respond: Minutes
  • Time to Recovery: Hours
  • Recovery Point: <6 hours data loss
  • Compliance: Internal & 3rd party  

 

  • Level 5 (Optimizing)
  • Time to Detect: Immediate
  • Time to Respond: Immediate
  • Time to Recovery: Immediate
  • Recovery Point: <15 min data loss
  • Compliance: Internal & 3rd party  

How Ntirety Helps With Security Maturity: 

With over 20 years of industry experience, Ntirety understands how to support a business’s cybersecurity maturity needs and follow the necessary processes to ensure a smooth transition into IT transformation.  

For a company to appraise their security maturation with Ntirety, the first step is to have a conversational assessment with our team to determine the security gaps in your business’s cyber infrastructure. Our team can see where your business lies in the security maturity framework and compare it to your goals by answering some questions. Whether it is a particular industry vertical that your company falls under, you are adopting best practices within your IT infrastructure operations, or it is a board mandate, we can help formulate a plan based on your business’s needs.  

Following an assessment, the Ntirety team can detail how to improve Protection, Recovery, and Assurance. Ntirety’s Guidance Level Agreements (GLAs) can help improve these areas by optimizing availability, security, performance, and costs. Ntirety is committed to securing the “entirety” of your environment through solutions that identify, inventory, and protect the entire target environment. Ntirety’s Compliant Security Framework covers the security process from establishing your security design & objectives through protection, recovery, and assurance of compliance to your security requirements.  

One mistake we often see with companies is the idea of doing it themselves being a safer option. While resourcing a cybersecurity solution internally may seem more manageable, it can be far more costly and take away from other essential business functions. Here are the top 7 reasons to outsource security:  

  1. Finding and maintaining a talented SIEM/SOC team is expensive
  2. The benefit of trends and detection of other customers
  3. Accessing more threat intelligence and state of the art technology
  4. Long-term Return on Investment
  5. Outsourcing lowers the Risk of conflict of interest between departments
  6. Enhancing efficiency to concentrate on your primary business
  7. Scalability and flexibility 

For more details on securing your cyber infrastructure, watch our most recent webinar and schedule an assessment with us today. 

Building An Industry Response To Ransomware

While your business may have a disaster recovery plan in place, it is equally if not more important to proactively put security measures in place to defend your cyber infrastructure from ransomware and similar threats. The following piece is by Ntirety CEO Emil Sayegh originally published in Forbes. 

 

Building An Industry Response To Ransomware 

The term ransomware will often trigger a detectable response in even the most hardened security professional, especially as the industry sees an 800% increase in cyberattacks in the early days of the Russia-Ukraine war. This well-known digital blight carries so much impact that the appropriate response to the word itself is justified. Year after year, we can see that the rate and scale of ransomware attacks are skyrocketing, and recent attacks on Samsung and Nvidia illustrate an even more rapid acceleration —thankfully, the response to ransomware is also on the way up. One of the actionable ways that the threat is being addressed is through proposed legislative acts. 

A First Try: Ransomware Disclosure Act 

Among the most significant legislative measures proposed in the last few months is the Ransom Disclosure Act. On the surface, this governmental initiative, like many other initiatives, seems like a great idea, until you dig into it. The provisions in the act create a 48-hour window in which a company that has paid a cyber ransom must report various details about that payment. The disclosure mandate includes information on the amount paid, the date of the occurrence(s), the type of currency used, and any available data about the parties that made the ransom demand. This information is then sanitized by the U.S. Department of Homeland Security (DHS) and published on a public website. Still unquantified are the prospective penalties of non-compliance with the Act. 

From an enforcement perspective, it cannot be denied that there is a deficiency of active data that could assist in criminal implications and recovery. Rapid, detailed information can make a big difference in the ability for governmental agencies to step in, tracking funds and potentially being able to seize ill-gotten proceeds. 

For example, there was a partial but significant ransom recovery that occurred after the ransom payment in the case of the Colonial Oil Pipeline event. The Colonial incident was a major attack that had considerable national impact and publicity. Due to the publicity, federal agencies were involved in the response, and the partial financial recovery speaks for itself. Should similar actions be the response framework for all attack incidents? There are many practical points to debate in the matter, starting with whether the governmental authorities have the mandate, resources and capability to pursue these cases adequately and in a fulsome way. 

Disclosure Flaws 

While we all want actionable intelligence to maintain a level of awareness, the public aspects of this Act are cause for some legitimate concerns. Over the course of events, as they are publicly disclosed, it is possible that the proposed DHS site could amount to a ransomware leaderboard. This could add the unintended effects of increased ransoms, increased ransomware cybercriminal participants, increased volume of attacks and increased severity of successful attacks across the board. Here are some key flaws in this proposed reporting requirements by DHS: 

  • Public disclosure could result in the creation of successful ransom intelligence that cybercriminals can use by correlating data. It is possible to unintentionally disclose industry information, date, and time information, ransom amounts, and preferred payment methods. Even with the company names redacted from this base of information, cybercriminals can glean the identity of the biggest “scores” from public news, service information, and countless methods of dark web underground chatter.
  • The collection of information proposed in the act only focuses on the impact of the attack upon targeted companies. Once published, an incident could serve as a reference point for unknown public and financial repercussions.
  • Compliance and the roll out of a reporting program could lengthen the duration of disruption, extending the time needed to return to operations.
  • There doesn’t appear to be a history of successful piloting of such a system, including the impact on an industry.
  • Rival global cyber-gangs could derive intelligence from successful attacks, and fine tune their strategies.

What About False Security? 

Starting with Cyber-liability insurance, beware of a false sense of security. Ransom payments should be exceedingly rare and even nonexistent. This should never be part of a response plan even if you have cyber liability insurance, but these principles somehow persist. Publication of these flawed decisions serve to highlight the prevalence of unfortunate planning and a perceived lack of available ransomware responses. 

Numerous industry reports show that there is a false sense of security in ransom payment. Close to half of the companies that pay ransoms discover that their recovered data is corrupted. As we saw in the case of Ukraine, suspected Russian hackers used wiper code to completely destroy key data in banks and key governmental organizations. If, during the course of the attack, data made its way outside the company, that data is now “out in the wild” and there are no ransom-backed guarantees about what happens to that data. Further insult to injury, reports show that most organizations that are hit once with ransomware and pay a ransom will experience a second, likely-related ransomware attack. 

Bad Ideas and Good Ideas 

On the frontlines, organizations must continue to break free of the mentality and false sense of security that relies on outdated security such as cybersecurity insurance, vulnerability scanning, signature detection, and VPN systems. Instead, companies that are prepared to prevent ransomware threats must implement security measures that are comprehensive and full spectrum across the data center, cloud, endpoint, and applications. 

Actions against ransomware gangs such as the arrest of the REvil gang by Russia, and the extradition of the alleged REvil Ukrainian Hacker from Poland are a good thing, but insufficient if done as one-time events, as more sophisticated gangs will quickly pop up. Reporting programs such as what is proposed in the Ransom Disclosure Act have the potential to provide great advantages for a new breed of cybercriminals. This information should be privileged as the public focus carries too many unknown implications. Public information should instead be focused on identifying information about the attackers when available and figuring out their apprehension and prosecution. More detailed information should be passed on only to a group of private companies that are entrusted to fight cyber-criminals, while protecting the privacy of the victims. 

This First Step is Critical 

Time will tell what becomes of this proposed measure and how much traction it will gain. It is an indication of an important first step into these matters. With some tweaking and industry partnership, it could possibly be the right step in the right direction. 

In any case, the industry will continue to drive towards improvements in the defense and prevention of ransomware incidents but needs proper Governmental leadership. This type of partnership between industry and government is the best path for prevention of incidents in the first place. 

As we build up these improvements, organizations will be looking at both next level and first level steps to address these novel and continued threats including threat model strategy, multiple-layer security, advanced anti-ransomware technology suites, and behavior-based incident detection. While many of these disciplines are needed now, the cybersecurity talent drought persists driving a need for outsourcing and security partnerships. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

Freight Trains, Russia-Ukraine, Log4J And Supply Chain Attack Madness

The current conflict between Russia and Ukraine has undeniably captured the attention of countries all around the world. Our thoughts and prayers go out to the people of Ukraine, and we hope that there will soon be peace. It is crucial that we promote cybersecurity best practices always, but especially now as cyberattacks have increased drastically due to this conflict. This piece by Ntirety CEO Emil Sayegh was originally published in Forbes on February 1, 2022.  

 Freight Trains, Russia-Ukraine, Log4J, And Supply Chain Attack Madness 

We have all seen the images of the train tracks in California littered with boxes due to the systemic attacks by organized gangs of criminals. These attacks on our supply chain left train tracks resembling third-world garbage dumps as cargo containers were being raided with impunity, leaving a heap of strewn boxes in their wake. The train attacks delayed much-needed shipments to stores with empty shelves, as well as essential packages needed by businesses and consumers from all walks of life, at the exact moment when all of us were trying to deal with the resurgent Omicron virus. 

In the same way that physical attacks on trains have been on law enforcement minds, cyber-attacks against the software supply chain are on many cyber security professionals’ minds. These threats are perhaps not as visible, but nonetheless are a sleeping national disaster if left unchecked. A variety of factors have created a growing and consistent attack vector for the enterprise to deal with, especially considering the Russia and Ukraine geopolitical tension. Rumor is that if the US imposes sanctions on Russia, Russia will retaliate by mounting a concerted cyber-attack on US supply chain infrastructures. Regardless of the geopolitical situation, we are on the horizon of a hyper-escalated future of supply chain attacks, and it is critical that security strategies focus on comprehensive security and not point solutions.  

A Very Big Attack Hammer 

The enterprise is still stinging from recent high-profile supply chain attacks such as the SolarWinds breach. It did not take long for this threat condition to evolve. Successful attacks against SolarWinds caught significant attention in a supply chain attack that allowed the hackers to further select and target some of SolarWinds’s specific client targets such as Microsoft, FireEye, and US government agencies. Later, a ransomware attack against Kaseya, an IT management software tool, disrupted operations for many managed service providers and their clients. Even more recently, even more commotion emerged when a vulnerability was found in Log4j, a ubiquitous but obscure piece of monitoring software. The trend of one attack to many victims is a theme that continues in the headlines.  

What has happened in these and many other cases, is significant. By compromising the virtual supply chain, criminal threat actors have managed to breach centralized services, software, and platforms to get a foothold into target organizations causing considerably more damage than the California physical train attacks, and without even getting out of their chair. Once there, the cyber threat actor goes on to widespread infiltration of customers and clients of the original victim. For the attacker, one successful breach means that the economy of impact can be scaled out to hundreds, even thousands of victims, saving time and effort making it more lucrative, and less risky than physically raiding freight trains. 

Simple Attacks, Big Results 

Even scarier, most of these incidents happen through very basic attacks. While many of the high-profile attacks were sophisticated in their planning and execution, the technical measures used to achieve the attacks were not sophisticated at all. These attacks exploit common weaknesses including: 

  • Certificate comprise
  • Open-source vulnerabilities
  • Exploiting unpatched libraries and executables
  • Compromised accounts
  • Exploited firmware
  • Malware and Ransomware
  • Phishing

Further, with an arsenal of well-established and easily consumable nefarious methodologies, most cyber supply chain attacks are easily replicated. Simple and cheap, the characteristics of novel supply chain attacks are a significant problem that is bound to grow because as you will see, cyber chaos success begets imitation, and it will not be long before significant numbers of cybercriminal groups get on board the supply chain attack train.  

Standing Up to the Threats 

The ultimate takeaway from this growing threat breaks down to a highlight of focus. First, recognize that every organization and industry are stacked up against very different challenges. Then, recognize that slowly, the supply chain industry is working to update systems and platforms to help address this threat – using the latest dynamic principles of comprehensive security in a cloudified age. These organizations must escalate their efforts to defend their products in a coming storm of activity. There is a staggering amount of interdependence between all the components of a cyber supply chain. These companies must also position themselves to provide rapid response when needed, on behalf of their clients.  

Protect Your House 

As individual as organizations can be, every organization has a unique digital supply chain. We are all in this boat together, and so we must also focus on analyzing and protecting against these threats. We have built upon services, platforms, software, and other digital components that came from somewhere.  

The prescription for these threat conditions is a comprehensive security strategy and implementing the protections of continual analysis, introspective monitoring, and integrity enforcement of our own digital systems as well as the realm of digital outside our clouds that have been allowed into the organization. Focus on threat modeling, adaptive strategy, and risk-focused assessment. Increase security presence, monitoring, and controls at every phase of the software life cycles as well as throughout the library of digital platforms and tools. 

The Must-Do Mission of our Times 

There is no excuse for enterprise systems to linger unpatched, unreviewed, and unmonitored or for security systems to depend on outdated missions and technology. Considering the technology and services available today, actionable security data must be “in-the-moment” because stale information can only provide weak, ineffective and potentially misguided benefits. Preparation for the unknowable means investment in technology, investment in people and investment in robust services that can blunt these nefarious threats. 

The historical precedent is out there. The significant breach events have occurred. It cannot be ignored that the market for simple attack tools and methods are cheap and easy to implement, and are actually much easier than a freight train heist. Everybody likes a winning program (including hackers), and a boon of cyber disruption success means that shifting attack efforts onto the supply chain will continue to be a top mission. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn.

The Imminent Death And Rebirth Of Cyber Insurance

For insurance companies, it is important to predict all possible outcomes within their realm of protective services. This is not the path cyber insurance has followed, making it somewhat unreliable.  The following piece, The Imminent Death and Rebirth Of Cyber Insurance, from Ntirety CEO Emil Sayegh was originally published in Forbes. 

 We wake up every day to a pattern of record ransoms being paid as well as record increases in cyber-insurance cost. The Bloomington School District in Illinois published its cyber-insurance renewal costs and reported a whopping 334% increase in premiums. Faced with challenges, it is common knowledge that businesses must continually evolve due to circumstances such as opportunity, missions, and risks. The cyber insurance industry is no different. In this climate of record ransoms and cyber incidents, these challenges are creating a shift in insurance market conditions signaling that cyber insurance will fade towards demise as we know it. While this seems like a bad thing, there is a silver lining in all this. 

 Mounting Ransom Costs 

We are living in the greatest period of data vulnerability in history. There are risks everywhere, all of which carry significant financial burdens including ransomware, downtime, compliance fines, and data loss. The global pandemic opened opportunities for threat actors to escalate their attacks and seize, causing dramatic increases in ransomware attacks alone. Amid the shifting security haze of 2020, the consumer GPS company Garmin paid a significant $10 million in ransom and the tales of ever-increasing ransoms go on. While the average cost of a data breach now hovers around $4.24 million, organizations routinely find their insurance only covers about 40 percent of the costs incurred due to a cyber incident.  

 The Trend was Not a Friend  

Cyber insurance is built on the careful analysis and management of risks in a present-day environment. It is unimaginable to think of a scenario where the cyber insurance industry is not challenged by the rising challenges and costs of cyber-crime now. Reported cyber losses continually reach into figures in the billions of dollars. Each month is a record now. Meanwhile, the historical loss data continues to shift according to changes and escalation of risks. There is a palpable element of unpredictability that does not work well for the cyber insurance market and those looking for coverage.  

One can reasonably wonder how the cyber insurance industry got this wrong. How did they miss this trend? After all, insurance relies on heavy predictive analytics based on historical data. Sadly, in this case, the historical trend was far from predictive. The calculus was based on historical patterns of small-time hackers or lone wolves looking to get a quick hack of a hit. However, in the last two years, all of this has changed at such a pace, that the cyber insurance industry was caught ill-prepared. What is now driving the acceleration of costs, attack volume, and social engineering are nation-state threat groups. These new hacker groups are incredibly well organized. Organizations of cybercriminals from around the world who are demonstrably sponsored or ignored by their respective governments. What this means is that in addition to financial gain to sustain their operations, the disruption of the target’s operations is also their constant and perhaps primary goal. Attacks on infrastructure, military, and business entities have been continually associated with outside countries, such as the SolarWinds attack discovered in 2020.  

One way of looking at this tells the tale of a dying industry, slammed by rising challenges and costs and a lack of interest to back cyber liabilities. For example, it is easy to draw a line between ransomware-related claims and capacity throughout the industry. As it stands, just a small sample of losses within the industry could quickly wipe out the premiums collected well ahead of time. This is classified as unbearable risk within the pool and in insurance terms, losses are not acceptable.  

 Indemnification and Comprehensive Security to the Rescue 

In addition to the array of risks, one must now consider whether the state of cyber insurance constitutes an additional risk to the organization. The stakes are high and legal conditions abound. New coverage and rising renewal rates are a major concern. Premiums are rising by 10 to 20 fold, and that is if a renewal is even available. Enterprises are left exposed, or have to pay exorbitant premiums. The answer lies in going back to the fundamentals of minimizing heavy reliance on cyber insurance through a comprehensive security framework. Comprehensive security frameworks provide better security outcomes and a better posture for the insured. Furthermore, enterprises can leverage the indemnification provided by their cybersecurity provider in lieu of getting their own cyber insurance coverage. However, in order to do that, organizations need to embrace a comprehensive security approach. There is no wiggle room on that. 

Comprehensive security approaches can manifest through full spectrum security programs that provide protection, recovery, and assurance services that minimize risks. 

  • Protecting data means protecting data everywhere, all the time— including the perimeter, malware detection, finding threats, ensuring encryption and access. 
  • The benefits of recovery include virtualized and ready-access redundancy/restoration of systems that are available in any type of disaster including a breach. 
  • Building out an assurance program means life cycle assessments of security, compliance, logging, and the integrity of compliance within a given environment. 

In a challenging threat and cyber-insurance environment, comprehensive security augments risk aversion and minimizes reliance on more stringent insurance scenarios. 

 A New Dawn for Cyber Insurance 

Cyber insurance has and will adapt to these conditions, and we will see this evolution include demands for improved cyber-hygiene and exclusions that will shield insurance companies from providing coverage when the insured fails to maintain high security standards. We see that in the home insurance industry when security alarms actually reduce the premiums. Similarly, the cyber insurance industry, while nascent, will mature. It has just emerged from two years of nightmare losses and a risk climate that was hard for them to anticipate. You can expect specific adaptations ahead and an emphasis towards better education and improved cybersecurity practices. The rebirth of cyber insurance is in the cards, but it will be in combination with proper, responsible security planning and comprehensive security strategy. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn

Security in a Non-Secure Environment

As a newly minted CISO, I have been injecting myself into the Ntirety environment, talking security at every corner of the company.  I come from a deep IT/security background where I have seen many companies fall prey to the ever-increasing cyber threat landscape.   

 Sad Tales Abound 

In my previous roles with Hewlett Packard Enterprise and the FBI, I would often speak with companies before and after they had been breached.  One of my saddest experiences was with a prospective SMB customer who was concerned about security in his environment but wasn’t sure where to start.  We discussed various options including the deployment of a Firewall or maybe a security assessment to help him determine where the “right place to start” was.   

 He was non-committal, and we departed the meeting agreeing to meet again in a few months to see where he was in his decision.  I was concerned because I felt his corporate network was exposed and the threats against his company were rising as his company became more successful and lucrative.  

 You can imagine my horror when his company was hit with a ransomware attack six weeks after our conversation.  I sent my corporate contact an email expressing my desire to help in any way. Could I have done more?  Could I have been more convincing?  I don’t know, but my desire is to assist every customer in any way possible. I want every customer’s environment to be more secure than when I first met them.   

 Basic Security First 

What is the proper order to assist a customer in an insecure environment?  It feels like a “Chicken-or-the-Egg” conversation – do we secure the environment and then do a security assessment, or do we start with a security assessment and then see what we need to secure.  I feel like I have come down in the camp of basic security first, then let’s assess.   

 One of the first conversations I have with any customer is a request for the customer to assess their  security on a scale from 1-5 with a 1 being almost completely insecure.  If a company rates themselves as a 1 or 2, that means they know they are not secure or very easy to compromise.  I feel like we should immediately discuss how to get them some form of security before talking about a security assessment:  At a minimum some firewall protection and maybe multi-factor authentication but in this case, my experience has shown that the low-hanging fruit security gaps become easy targets.   

 This may go against conventional wisdom, and I have often been the champion of the security assessment first, but I worry that by delaying any action on securing an environment, we may leave the door open too long for an enterprising criminal to exploit another company.  The thought of another company being victimized while I am trying to help them is too much.  Let’s move the minimum security bar higher in all of our environments and make the criminals’ job that much harder.

Cyberthreats Are Turning Assets Into Liabilities

For a business, assets are anything that can be marketed and sold, while liabilities are debts that must be paid. The sooner organizations understand the potential of company assets turning into liabilities, proactive action can be taken to protect the business. Board members, owners, CEOs, investors, and CFOs need to heed this call to action. Ntirety CEO Emil Sayegh discusses the importance of recognizing these dangers in this piece, originally published in Forbes, Cyberthreats Are Turning Assets Into Liabilities. 

Cyberthreats Are Turning Assets Into Liabilities

 In the world of business technologies, the prevailing pace of evolution is directly aligned with increased technology investments, yet security incident headlines reinforce how for a good chunk of that history, security was nearly an afterthought. Protecting the organization’s information assets was seen as something for IT to do while it focused on ensuring applications and storage were up and available. Well, cybercriminals apparently didn’t get the memo about whose job it was to protect data; they kept busy looking for ways into the network, stealing data, and holding hostage everything from (very) private pictures to financial records. Earlier this year, conference software provider Zoom found themselves in a position of misplaced trust and paid a hefty price to the tune of $85 million, following their repeated crashes in 2020. 

IT Assets and Liabilities 

Every organization has information technology assets on one side of the ledger and liabilities on the other side. In the simplest context, IT assets are properties of an organization that includes software and hardware. Users outside and inside the organization get value out of these assets and rely on their integrity and availability. The right technology, when used properly, is an enabler of business growth and profitability. Gaps in diligence and cybersecurity planning, however, can make these assets leap from one side of the ledger to the other into liabilities. The offenses can include gaps in training, ongoing support, upgrade planning, cybersecurity programs, user training, and more.  Liabilities are the weak points throughout the chain that affect the value of the asset to the business. 

Zoom Out 

Over the course of the global pandemic, Zoom became a household name – exploding in use by schools, students, businesses, and more. Due to lockdown restrictions, this tool filled a significant need, making things such as classrooms, weddings, memorial services, court proceedings, and fitness classes a new virtual possibility.  

The enormous spike in users increased attention on the program’s security and privacy flaws. Eventually, a class action lawsuit came along, alleging that Zoom violated users’ privacy rights. Zoom agreed to pay $85 million to settle the case. The allegations included sharing personal data with Facebook, Google, and LinkedIn, while allowing “Zoom-bombing,” the practice of hackers disrupting meetings with inappropriate language, pornography, and other disturbing content. 

Crossing the Line into Liability 

Executives are now on notice that they need to treat cybersecurity as a business risk. They need to know more than just how susceptible their organization is to attack. They also need to understand what is at risk, including its assets, and they must recognize when they become liabilities. That’s not always straightforward since companies often use the same technology for both corporate and personal tasks. A recent survey by research firm Gartner found that 29% of employees in organizations with end-user devices allowed workers to connect their own personally owned devices (including laptops, tablets and smartphones) to the network – with less than half of them restricting access solely to business or work purposes.  

A comprehensive approach to cybersecurity should include monitoring software updates across the entire business, not just for IT systems but every aspect of the commercial software supply chain, from development through deployment onto production networks.  

Protecting software assets and products of an organization requires a comprehensive security approach. This includes building a plan upon the components of a proactive security foundation and practices which start with four steps that can create a more secure cyber infrastructure:  

  • Identify threats through an audit
  • Secure your application environments through a ground up security solution including Secure DevOps and Zero Trust
  • Set up a recovery mechanism in case of a hack
  • Build an assurance program that enables future compliance and resilience

Zoom In 

Clients of Zoom and other similar software services must recognize the inherent risk contained in the practices of the service they choose to implement. Organizations can satisfy regulatory requirements for preventing or minimizing data breaches while also mitigating their vulnerability footprint through proper implementation of security measures for software.   

In addition, security teams have to start working with business units across the enterprise on how they manage vendor relationships. In order for InfoSec experts to do their job properly, they need to scrutinize all third-party components that are introduced into systems – whether that’s commercial off-the-shelf software or any type of service that gets connected. 

 

Check out this piece, originally published in Forbes, here and follow me on LinkedIn. 

New Year, But Classic Literature Never Goes Out of Style

The new year brings a chance to reset, restart, and set goals while reflecting on the past year’s accomplishments. With each coming year, new technological advancements are made, but we cannot forget our history or we are doomed to repeat it. 

 Reflecting on how our past and present often overlap in unexpected ways in two of his 2021 Forbes articles, Ntirety CEO Emil Sayegh references classic literature pieces, showing how their timeless themes provide a familiar perspective to modern-day cybersecurity issues. Explore these themes and perspectives from his articles  Never Truly Quiet On The ‘Western Front’ and Who Will The Cybersecurity Bells Toll For? highlighted below.. 

 Never Truly Quiet On The ‘Western Front’ 

First released in the late 1920s, the novel All Quiet on the Western Front was publicly burned, banned, derided, and censored for its “anti-war” and “unpatriotic” messages. Set in the final weeks of World War I, the story swings heavily on the contrast between false security and the realities of war. Today, we are talking about a different war that is dynamically morphing between a physical war and cyber war.  A real cyber war has been raging on the front lines of computer networks for a while and we must remain vigilant to the fact that an eerie silence may be the biggest threat of all.  

All Quiet on the Western Front was described as the most loved and hated novel about war; its messages threatened Nazi ideologies, sparking riots, mob attacks, and public demonstrations, yet it inspired an Academy Award-winning 1930 movie adaptation. Author Erich Maria Remarque may not have foreseen its full impact, but the story is laced with imagery describing starving soldiers, the brutally indiscriminate nature of (then) modern weapons, lost limbs, poison gas, and death—lots of death.  

False Sense of Security: Peace Before Death 

On the frontlines of computing, there is a false and persistent sense of security among CIOs, company boards, and most security professionals that reminded me of the end of this novel. Over the years, the phrase “all quiet on the Western Front” has been adopted in innumerable contexts to mean a lack of visible change or stagnation. It seems this is where many organizations are stuck today under this false sense of security. 

The final moments of the novel are (spoiler) deceivingly peaceful, contrasting with the overarching setting of war and its effects. It is in these moments, in the last “situation reports” from the military frontlines, where a false state of calm and security that belied the coming death of the story’s protagonist. It seems like the most important lessons in life must be learned time and again. 

That Silence You Hear is a Sign 

Across the landscape of organizations, there is a definite cyber war raging, and I am not talking about Call of Duty. You don’t have to read news headlines for very long to see that there are casualties all around us. There is an enemy lurking and there are no rules to hold them back. Defensively natured as cybersecurity practices can be, there are offensive principles that are a necessary part of the posture. That begins with an understanding that there is always a calm before the storm; and in today’s climate, we cannot afford the reassuring sense that all is well at any given point in time.  

Let us set the stage of this sea of “calm”: 

  • APT – In the age that followed the global pandemic, nothing in cybersecurity stopped that entire time. Advanced Persistent Threats (APT) continued and according to countless reports and breaches, they have accelerated.  
  • Mobile – Reports also show that mobile threats to the web and applications have gained more traction under new campaigns. 
  • Diversity – Hacker creativity is at an all-time high, with actors bringing in waves of zero-day threats into supply chain software attacks, phishing, and ransomware. Experienced groups and new players are combining forces and found new nearly undetectable ways to exchange information. 
  • Maximum Impact – Fueled and inspired by changing workforce composition as well as user behaviors, attacks today are designed to express maximum impact, driven by geo-political goals and financial gains.  

All the while, threat visibility has proven itself to be riddled with blindspots as hacks and incident reports continue to show compromised detection, a gap in understanding, and shortcomings in proper security practices. To add to these factors, technology continues to change, accelerate, and evolve—on both sides, while a crisis of talent resources continues. We can also see that intrusion incidents lead to ad hoc approaches to security funding, adding ineffective layers to cybersecurity health especially when spending tails off when all seems well.  

A Time to Act 

When things seem calm, follow these general guidelines and remember that only the paranoid survive a cyber war like this one: 

  • Actively and proactively leverage multiple sources of Threat Intelligence and trusted resources to monitor the latest methods, tools, tactics, and keep a watchful eye on the roost on a daily or even hourly basis. 
  • Always verify and never trust. It is always a good time for zero-trust authentication and a zero trust posture throughout the organization. This protects systems outside and inside the “castle.” 
  • Detect, investigate, respond, and remediate issues on every endpoint, application, service, and server system. Commit to timely and near instant responses. 
  • Spin up more security awareness training to help minimize social engineering, phishing, and other user-focused attacks. 
  • If you can’t do these items on your own, and very likely you won’t, engage partners that specialize in a comprehensive security posture. 

All is Not Quiet  

North, south, east, west, up, down, or sideways—all is not quiet, or well, on the security front (and it never should be). Don’t hide the truth with skin-deep positive “situation reports” and always verify. Embark on a comprehensive security strategy that starts with the honest identification of your environment’s threats, then work to secure your environments comprehensively. After these two first basic steps, it is critical to also prepare for the eventuality of a breach with a fully vetted disaster recovery strategy. The final step is to continually assure and ensure that there are no gaps in your security posture through an assurance and compliance program that takes new threat vectors, and compliance requirements into account. Remember, there’s a massive storm out there even if you don’t see it or hear it. Silence is not golden, it’s a false sign of security. Let’s take lessons from All Quiet on the Western Front and avoid the horrors of an actual war.  

Who Will The Cybersecurity Bells Toll For? 

 From Room 511 in a famed Cuban hotel, the iconic writer Ernest Hemingway authored some of his most acclaimed works. One of his most famous books was For Whom the Bell Tolls, which was completed in 1940. Inspired by his observations in Spain during the Spanish Civil War, Hemingway weaved the tale of a loss of innocence, psychological and physical trauma, death, and human nature during times of war. The work was revolutionary and controversial as it deconstructed romanticized wartime concepts of bravery and contrasted them with the sheer impact of then-modern weapons. It even inspired the Metallica song “For Whom the Bell Tolls,” as a lyrical adaptation of a particular scene from the book. There are various interesting parallels from this story to the modern world we currently live in and more specifically the cybersecurity arena.  

The bell toll is a symbol of death, which carries a dark theme throughout the novel. From beginning to end, most of its characters manage to consider their own potential deaths or inflicting death upon others. This heavy tone and the plot narrative between fascists and the forces of resistance provided the perfect setting for the Second World War, which was brewing at the time the book was released.  

A Setting Reimagined 

The knowledge of historical works allow us to better navigate our present and future. As the saying goes, “If we do not learn from history, we are doomed to repeat it.” The lessons from Hemingway’s novel translate very well to our world today, and more specifically to the cyberwar that is raging now. The bells keep tolling for the daily victims of hackers, while we have unfortunately become apathetic due to the frequency of those attacks. In cyber warfare, we may not always be able to see the enemy with our own eyes, but the threats and actors are as real as they come. The bell could arrive for anyone, at any time, when we least expect it. 

Joining the Resistance 

The Spanish fascists from the story are a lot like the organized cybercriminal gangs of today. Sponsored, nefarious, and destructive in their ways, today’s misguided hackers seem to fancy themselves as guerilla forces, yet they are nothing but the makings of a Big Brother criminal network. The companies that try to defend themselves from this coordinated system of attacks fulfill the role of the “Resistance.” Organizations that are fighting back today must be resourceful and diligent in tactics. They should put themselves in a position to also refuse to acquiesce to the impact of a ransomware incident, just as we saw with the catastrophic attack against Ireland’s Health Service Executive (HSE) organization. HSE joined the “resistance” and refused to pay the ransom, as they had a disaster recovery plan in place. In another extreme, we witnessed the twin sagas of the Colonial Pipeline along the JBS meat producer plant and how, faced with little choice, these two organizations cowardly paid massive ransoms in hopes of recovering data and operations.  

A Wasteland of Attacks and the Endless Wave 

The main story-derived lesson for organizations today  comes straight out of the title. It doesn’t matter who you are or what your security budget is, you cannot successfully assume that the bell will only “toll” for someone else. Just ask FireEye, SolarWinds, Kaseya, or even Peloton. You can even ask the federal government itself regarding some of its disclosed and undisclosed hacks. Here is the simple reality: 30,000 websites and applications  are hacked every day with an attempted attack happening every 39 seconds. This industry is filled with conversations and false narratives of the latest security product lineups, cyber capabilities and reports of how attacks were averted.  The reality is that security standards are obsolete the moment they are released. The security landscape is evolving daily, and very few static standards are going to guard against zero-day, novel threats. 

Not an Island 

It can be safely stated and significantly inspired by Hemingway that “no man is an island,” and similarly that no company stands alone. It is not revolutionary to state that anyone can be a target, but at what point does targeting become real and inspire preparation, budgeting, and deploying best of breed safeguards? Far too often, we are called to address this question after the facts of a breach become clear. It is not too late for the community or for any company to mind the bells of attack. 

Every organization holds the opportunity to mature security and privacy programs and be fully aware and best positioned for the modern challenge of cybersecurity by leveraging facts, expertise, monitoring, and knowledge about what is vulnerable about their digital presence and valuable. The realization is that when data drives actions and security is comprehensively implemented throughout a formless and endless perimeter, you can escape the trap of false security “standards.”  

Beyond the Chaos 

It all starts with an identification of gaps and threats and securing against those threats. Disaster recovery planning follows, since no matter the security measures, the enemy may still break through the defenses. The journey of cybersecurity cannot be complete without an assurance program that maps to the never ending quest to find ways to stay a step ahead of the enemies and ahead of our personal limiting concepts. An awakening must happen through the sharing of the phenomenal cybersecurity statistics that line the battlegrounds of today. From the frontlines of cybersecurity, there are so many close calls and so many seemingly minor events that can be the first of a chain of “perfect storm” events that lead to a major security incident. This happens thousands of times per day.  

All the while, strewn among the spent tools of cyber warfare are targets that defy simple definitions. No business domain is immune, and it matters little whether an attack is launched against large or small organizations, profit or not for profit, public or private. No one is safe—plan accordingly. 

 

Classic literature remains relevant because of its timeless themes that even after a decade or  a century still stands and can be related to modern people. History may repeat itself, and we must continue to prepare for any possible scenario in the cyber field. 

Schedule an assessment with us today to learn more about preventative security measures you can take to secure your cyber environment.

Readying For Regulation Response To Cyber Incidents – Forbes Article by Ntirety CEO Emil Sayegh

Recently, utility companies have been a major target for hackers, and critical infrastructure has been put at stake. As these cyberattacks have increased, taking action to keep bad actors away from our cyber environments must be a top priority. For industries such as utilities that provide services to almost all of us, we must all do our part to ensure security is enforced. 

 Ntirety CEO Emil Sayegh emphasizes the importance of the United States government’s involvement in protecting the ever-growing cyberspace, and the businesses and people whose lives could drastically change. The following piece, Readying For Regulation Response To Cyber Incidents, was originally published in Forbes.

Readying For Regulation Response To Cyber Incidents

In the wake of a prolonged season of significantly impactful cyberattacks, new regulations have arrived on the scene and we can expect more to soon follow. Good, bad, and ugly, regulations are a natural governmental response to significant situations that carry national implications. For now, the focus is on pipeline operators. But with so much vulnerability in the wild, a lack of overall standards -and also the fact that so much is at stake -cyber regulation is on a trajectory of growth, and may also find itself on a collision course across many more sensitive industries.

Back in May, the world was shocked when the Colonial Pipeline Company revealed that it was a victim of a ransomware attack. The immediate response was to halt operations in order to contain the attack. Five days later, operations resumed, but not before fuel prices on the East Coast of the U.S. skyrocketed and fuel shortages crippled the Eastern Seaboard.

Regulatory Response

The same day that operations resumed, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity.” Moving from voluntary participation to mandated compliance, some 100 pipeline operations had to formally designate a 24/7 cybersecurity coordinator and report confirmed and potential incidents to the Cybersecurity and Infrastructure Security Agency (CISA) under the new directives.

In late July, the rules tightened up from there with further regulations. The specific details that accompany this mission have not been fully revealed to the public, but some elements have been shared about the program. Participants will need:

  • To develop a cybersecurity contingency and recovery plan
  • Conduct a cybersecurity architecture design review
  • To implement mitigation measures to protect against cyberattacks immediately

In addition, the regulations have a bit of a bite to them, leveraging potential fines that can amount to close to $12,000 per day for each violation.

The Regulatory Trajectory

The age of self-driven, voluntary standards and industry participation is beginning to change as a response to the rash of successful attacks against critical organizations. With solid research and preparation, the implementation of these forthcoming compliance measures could possibly roll out smoothly. It is also likely that challenges will be felt throughout the industries affected by new compliance measures. Revisions and updates will follow, as already exhibited in the pipeline industry.

For most, compliance and regulation are not completely new territory, however the horizontal rollout and application to formerly voluntary industries will carry some challenges along for the ride. New technologies, cutting-edge standards, and continual assessment are not always associated with the considerably comprehensive publications of ordinary regulations.

Rolling out successful cybersecurity regulations in a comprehensive effort is going to require awareness on the contextual history of regulations as well as measures to keep regulations up-to-date and achievable.

Preparing Now

Based on technical and operational components, the gold standard reference point throughout the industry are the standards set forth by CISA. Organizations can get ahead of these and create a better security baseline by assessing cybersecurity policies and procedures and updating them as necessary.

Among the advancing best security practices and technologies, prepare to assess and incorporate:

  • Updated backup and recovery tools and processes
  • Risk prioritization exercises
  • Secure cloud service practices
  • Segmenting networks
  • Multi-factor authentication
  • Zero trust capable architecture
  • Robust endpoint management
  • Enterprise threat mapping
  • Data encryption at rest and in transit

Every environment is different, with different realities to consider.

It can be difficult to turn down the background noise of emerging products, industry buzzwords, and marketing smoke. With so much to navigate, I cannot blame anyone that has completely tuned out. But please don’t. Silence is not bliss in this case. Most companies are ill-equipped to deal with this threat alone and must find competent cybersecurity partners. This movement has already started-this is a clarion call and moment of action on every digital front. Cybersecurity is becoming an imperative across the land.

Happy Thanksgiving – A Message from Ntirety CEO Emil Sayegh

Thanksgiving has always been one of my favorite holidays. What is not to like? Good food, good time with family, cool weather, and college football. Also, there is no pressure associated with exchanging gifts. Although Black Friday is around the corner, I prefer to not partake in it, and I always let the glow that comes from the Thanksgiving Holiday permeate the whole weekend. 

Thanksgiving marks a time to show appreciation to all those that have helped us and made our lives a bit easier. While this holiday is traditionally celebrated in North America, the message of giving thanks and reflecting on the past year’s accomplishments is important in many more cultures around the world. It is always important to and take a step back to look at the joys in everyday life. First and foremost, I would like to thank the customers, partners, and employees of Ntirety for the amazing success we had in this past year despite the pandemic and all the turbulence that came with it. I personally am thankful for our partners and customers who have enabled us to continue to grow. Thanks to them, and our amazing team, we will only continue to reach new heights and remain as the premier Comprehensive Security Services provider. 

I hope that each of you get to spend the entire Thanksgiving weekend surrounded by family and friends, taking a well-deserved break. For our customers, partners, and members of the Ntirety team that are working this weekend, I am grateful for your dedication and drive. I extend a huge thanks to you for being there for all of us to enable us to take a break. During this Thanksgiving season, certainly thank your friends and family who are special to you, as well as others that may not be as close. Kindness and gratitude start one step at a time. Let’s spread the love and gratitude around.  

I am thankful for all of you!  

Happy Thanksgiving.