Category Archives: Awareness

Facebook’s fall from grace… it’s just the beginning

This week I finally felt jubilation due to the Facebook story. Not that I want to celebrate anyone’s downfall, that is not it at all, but for years I have been telling people the dangers of using this service. Many laughed and poked fun at me and even told me I watched too many James Bond movies.

Well, I think what is really scary is that this incident only skims the surface of the true problem. What are all these social media and cloud services companies doing with our data? Even all telecom providers collect all your internet access traffic and sell this for money. Yes, my friends, we are fully monitored; welcome to 1984.

I hope this serves as a wake-up call to users globally: you really need to think about what a “free” service is really about. The “free” aspect is your data; companies have to make money, and you had better determine what you are giving up before you jump in. Start with their privacy policy and then look at the data they are collecting or possibly collecting. For example, pictures, conversations, even your mood that day: everything is up for grabs. If this information were leaked, would it cause any damage to you or those close to you?

It is also refreshing to see so many people wake up to the fact that their privacy matters. And it does! In many ISO meetings, we constantly have members saying individuals don’t care about their privacy anymore. I have been arguing the opposite position. Many users just don’t understand the implications of the data being captured, analyzed and sold. Now they do… or at least they are waking up to it.

Now the next issue that is bound to be exposed is Google and all the data they collect on school kids. As many school boards use Google due to operational cost and most kids use this platform for email and all documents, who is buying this access and usage data? These are the questions we need to be asking as parents, educators and regulators. This will be the next data breach we find ourselves involved in.


The Security Poverty Line

What is the security poverty line? It is a baseline of a company not implementing the correct security controls to mitigate their risks. Simply put, most companies do not invest enough effort in determining what their ‘real’ risk is and instead buy into vendor ideas and concepts.

For example, about 20 years ago many companies used to have significant capital budgets to purchase equipment for their businesses. Since then, many companies have started to use leasing vehicles to gain control of capital expenditure costs. As with all business, it is about making a profit and, as such, security has always been seen as a barrier to increasing that bottom line.

Security is equated to a sizeable expense the organization cannot possibly take on. It is better to be compromised and pay the ransom and lose customer confidence. It might be a small impact if we just spend more money on marketing to cover it up. These are the cost trade-offs that are being made in business globally. Some are waking up to it, but many are not.

I believe we have been asking the wrong questions of our companies and executives. Many executives get freaked out when the topic of cyber security is raised. Many are scared of this elephant in the room and they choose not to make a decision — which in itself is a decision. The question should become: What can I do to ensure the company I run will remain operational and relevant after a cyber incident?

What many executives and managers fail to realize is they are responsible for protecting their client and employee information. As such, they are putting their organization below the poverty line.

The poverty line characteristics that companies should have as a minimum to protect their organization:

a. Quantifying the cyber risks for the organization.
b. A policy and procedure base that reflects the quantified cyber risks.
c. A risk management process that deals with ongoing risks.
d. A review process to ensure the controls deployed are adequate to protect against the current risks as they do change over time.
e. Management’s belief that security is important to protecting the overall health of the organization.

If you look at that list, firewalls and other technologies were not listed, for good reason. They are a control. You must determine why the firewall is there and what it is protecting you against. Once deployed, you must make sure it is configured correctly, or it provides no protection against threats and gives a false sense of security. This happens way too often. The same can be said about many of the security solutions sold: many are misconfigured and do not protect against the risk that was presumed.

When you look at the corporate landscape, most companies live below the poverty line when it comes to cyber security. Many do not even do the bare minimum, as they believe it is too difficult to overcome and scoff at their chances of being targeted. We have already seen the number of executives who had this same mindset and are now unemployed. Living below the poverty line puts your organization, your staff and your customers at significant risk, and we need to start doing something about it.

I believe the only way this is going to change is if our governments start to regulate mandatory security controls in all organizations regardless of size or sector. We had to change our mindset regarding seat belts in the 70’s to protect vehicle occupants; now we have to change our mindset for cyber security, and unfortunately it is the only path forward.


Connecting the Dots for SMBs & Cybersecurity

Does your company’s private network speed ever feel like a VPN? Did someone (other than your IT director) reset your password? Have you been reading emails from the Nigerian Prince? If you’ve answered yes, it’s possible your company has fallen victim to a cyber attack.

If you’re a multinational tech giant, you’re probably fine (probably). But if you’re an SMB, cyber attacks can destroy priceless data and ravage your bottom line.

Let’s take a look at some stats: it takes most businesses somewhere between 100 and 200 days to detect an attack and, to make matters worse, most SMBs find out from a third party. That means stolen data (that’s likely long gone forever) and damaged customer relationships. In addition, SMBs only have a 40 percent probability of staying in business after a security breach, which are odds even Han Solo wouldn’t take.

These days, whether you sell Apple phones or apple pies, your company has an attack surface. An attack surface can be anything from the Internet, to technology, to an employee, and no matter how big your company may be, you need to be prepared.

You have been compromised. Now what?

In the event that your network has been attacked, react urgently but do not panic. Instead, have a plan in place. Ideally you have developed your plan before the attack, but often that is not the case.

In 2016, more than 375 million new unique malware variants were discovered globally. Cyber criminals are continuously finding new ways to breach security systems, so make sure your plan is malleable. After a cyber attack, here is the recommended plan of action:

  1. Identify the target systems and determine the data that was compromised; hopefully you had a backup of your data to be able to restore. Now perform a full system backup at the bit level to capture all files and current system state. If possible, disconnect from your network but leave the power on to preserve the system state.
  2. Take your cloned system disks and use them for forensics in a protected environment or hand them over to your cyber security partner for analysis.
  3. Have your operating system rebuilt from scratch. At this point, you have no idea whether or not a back door has been installed. Assume that it has.

In a cyber attack, there is both a technical and human component to its path of destruction. While you work to get the technical side under control, contact your legal team and make them aware of the situation.

Start dusting off that PR handbook.

Public relations is something often neglected by SMBs. It’s important to notify your PR team as soon as possible after an attack. If you don’t have one, get one. Whether that means hiring one full time or on contract is entirely up to you.

In any business, do not try to downplay the situation. Equifax learned this the hard way when they chalked up their massive breach to “Criminals exploited a U.S. website application vulnerability to gain access to certain files.” In a blizzard of negative publicity, the story snowballed with the breach ultimately costing them close to $70 million in fourth quarter profits. Given time, the company’s hit to brand credibility will indicate its true losses.

Another PR mistake is deflecting liability. Many company executives have taken a stroll down ‘Blame Game Lane’, which almost always leaves them on the wrong side of the tracks. In 2016, Wells Fargo was fined $185 million for creating two million fake customer accounts and their CEO immediately took to blaming his 5,300 employees. By not admitting fault, one of the largest banks in the world put its internal and external reputation in serious jeopardy.

“The greatest victory is the one that requires no battle.” – Sun Tzu, The Art of War

While larger companies typically survive, it’s no wonder SMBs go out of business so fast. Cyber attacks cost time and money, both of which SMBs can’t afford to lose. Many still fail to evaluate their cyber security risks; however, boardrooms are smartening up. It’s even been a topic in NAFTA discussions. Develop a security protocol and be proactive in testing and quantifying your risks. Businesses of all sizes should test their systems and perform ‘war games’ to prepare for an attempted breach.

Put simply, two words can save your business from a cyber attack: be proactive. The most common means of cyber incursion is social engineering – using people to voluntarily but unknowingly allow a cyber attack to occur, such as by providing physical access or handing over system passwords. Train your employees, learn to recognize the signs of a breach and avoid opening emails from unknown sources.

Cybersecurity is unfamiliar territory for most companies these days, but one worth exploring. As you continue to evaluate your company’s security controls, just know we can help you connect the dots.

Written by: DarkKnight


NAFTA Cyber Security Framework

As part of the NAFTA discussions it looks like the US is looking to add a cyber security component in the mix. Finally a great idea in a trade agreement! The basis for this is quite clear given the interconnected world we live in and the fact that all Canadian Internet traffic is routed to the US. We have to ensure that one country is not in a position to bring the downfall of another due to weak security practices.

Given the current state of cyber security practices in Canada by most SMBs, this will serve as a good wake-up call to get your security house in order if you want to sell to the US. Based on the current wording, companies would have to demonstrate the implementation of an accepted cyber security framework within the organization.

What does this mean? From the top down, executives are responsible enough to have implemented the necessary security management system to measure and mitigate cyber risk within their respective organizations. I am not going to provide all the nuts and bolts of how to do this but would “highly” recommend you get a copy of ISO/IEC 27001/27002 and build your plan to implement an Information Security Management System (ISMS). Don’t let the information part of the name fool you; this standard has been written to fully consider the cyber elements of any organization regardless of sector.

The best place to buy this is from our friends at CSA Group in Canada. They actually offer a Security bundle that contains all the base standards to get you started at a very reasonable price.

When you initiate your cyber program, focus on conducting your risk assessments, your action/mitigation plan and getting those policies and processes nailed down. Most of all, education and awareness will be a key element of your success.

Keep in mind that this will not be easy but the benefits will help you sell your solutions to the US and will help protect your digital assets. What else could you ask for?


What does the WikiLeaks announcement mean to you?

I doubt you missed it, but this week WikiLeaks announced some very serious allegations on how vulnerabilities are being used by government agencies to compromise devices, then use the devices to listen to conversations and capture all data from those devices. Do I have your attention now?

If you have one of the following, pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly represents a significant precedent: that an intelligence organization has infiltrated and created a platform to compromise systems for spying. I for one am not surprised. Why?

1. Many companies do not have SDLCs that include security testing, and those that do only do the minimum required for their particular industry.

2. Many do not threat model or conduct the aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenues versus doing the right thing and securing it from the get-go. Go to many startup incubators: they only think about security and privacy when they hit several thousand users or larger companies start asking about the security posture. Many of the folks that fund these start-ups consider security a “patching” problem. They want their money, so get the product to the point where someone is going to pay big dollars for it and we can walk away.

4. Vendors are not required to provide any assurance for their products. This is why IoT in the consumer and business markets is a bounty of either compromised or to-be-compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process, then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until the patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgrades and patches to your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense of the security posture of the vendor. If they cannot answer these immediately or have to go check, walk away! A company that has instilled a culture of security will have the answers available to all members of staff.

Additionally, I would recommend that you stay off public WiFi networks, as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data, because they take that too. Harden your device as much as you can and use an IPsec VPN to protect your data in transit. Finally, encrypt all your stored data. If your systems are compromised, you need to have that additional level of protection.


The Smart City Under Attack – CBoC Presentation

I recently got an opportunity to speak at the Conference Board of Canada’s Securing the Smart City of the Future. It was great to be able to speak to those dealing with the daunting challenge of managing the issues related to security, privacy and safety risks while still providing smart city services.

It is clear that the potential benefits of fully-connected smart cities fed by sensors and data are significant especially when seen in the advance of the Internet of Things (IoT). These benefits could tackle some of the greatest problems with urbanization such as traffic congestion, inefficient use of energy, and pollution. As great as these potential benefits are so are the risks and unanswered questions that the integration of new technology brings. Countries looking to implement smart city initiatives need to have a national policy that mandates aspects of security, privacy and safety. This policy should include the following as a minimum:

  • Requirements for an Information Security Management System (ISMS).
  • City breach plans for emergency services, vendors, citizens, etc.
  • Security tested components and solutions that are validated prior to release.
  • “Assurance” from solution providers and vendors for their products/services.
  • Buyers requesting that products and solutions be evaluated.
  • Demand Threat & Risk Assessment (TRAs) and Privacy Impact Assessments (PIAs) for all solutions prior to deployment by City Managers.
  • Respect for the privacy of citizens.

The security breaches in the recent past and the ongoing increase in cyber attacks and crime have made one thing very clear: In building the smart cities of tomorrow we need to be smart! Bearing this in mind, what is the biggest barrier to smart city entry?

The biggest barrier seems to be security and privacy of the sensors and data – the very things that make a city smart. The concern seems to be around data breach and how to minimize the exposure of the sensors in-field. However, in the past year or so there seems to have been a shift in the mindset of what is more important: a $5 sensor or the data we collect on people and objects. Clearly the data protection is more important. An example would be smart city projects in Canada that want to provide more real-time information to citizens about services and conditions. It requires them to track citizens to offer this service, which means that there are substantial privacy concerns. The client can share lots of data, but if it becomes compromised the city collecting it is liable under new legislation in Canada. Cities are taking the time to understand the risks and prepare for the eventuality of data breach and invasion of privacy.

You can see the presentation that I gave below. As always, if you have any questions about the presentation, please do not hesitate to contact us for clarification.

 

CB0C A Smart City Under Attack – TwelveDot


RIoT Control – A Book Review


Coming soon to a bookstore (or Kindle) near you is… a first-of-a-kind book on how to approach security for the Internet of Things (IoT). This book is an assessment of how to control and manage Risk and the Internet of Things – RIoT Control. It is targeted at executives, engineers and architects either responsible for considering or implementing IoT solutions within their organizations. It is also a useful read for entrepreneurs, risk managers, security practitioners, business line managers and anyone not interested in the operational details of IoT security but wanting to understand the problem.

I was fortunate and honoured that Tyson Macaulay, the author, asked me to be a reviewer of this book. In the process I was able to learn even more about this increasingly important topic for cyber security practitioners. Tyson and I have been working together for several years on IoT security under ISO and have represented Canada internationally for over five years to create the baseline considerations (or controls) that should be considered for IoT implementations. Over this time I have realized how broad a topic IoT is, how challenging its issues are and how complex some of the solutions are for some sectors.

Implementing cyber security controls in some sectors is not going to be easy, to say the least. Companies are going to have to shift their mindset to building an adaptive and strong “culture” of cyber security in order to be able to succeed in IoT. One of the key barriers to adoption right now is security and privacy considerations. Product and service providers are going to have to prove to customers that their products are both designed and tested to a specific security level. The daily news of products or solutions that have been compromised is proof positive of the need to secure these solutions comprehensively. Even the NSA and FBI are hiring highly skilled hackers to be able to compromise networks and data of users of IoT solutions.

RIoT Control walks the reader through the process of IoT cyber security considerations and gives many useful examples to help the reader better understand the concepts. It provides the necessary background and details that designers and implementers need to consider for new IoT products and solutions. And yes, security and privacy need to be considered at the design and concept stage.

The chapters contained in the book are:

Chapter 1 – Introduction to IoT

Chapter 2 – Anatomy of IoT

Chapter 3 – Requirements and Risk Management

Chapter 4 – Business and Organizational Requirements

Chapter 5 – Operational and Process Requirements Framework

Chapter 6 – Safety Requirements in the IoT

Chapter 7 – Confidentiality and Integrity

Chapter 8 – Availability and Reliability Requirements

Chapter 9 – Identity and Access Control Requirements

Chapter 10 – Usage Context and Environmental Requirements

Chapter 11 – Interoperability, Flexibility and Industrial Design Requirements

Chapter 12 – Threats and Impacts to the IoT

Chapter 13 – RIoT Control

I hope you enjoy reading this book as much as I did. In this book Tyson has done a great job of explaining the business and security concepts of IoT to executives, architects, engineers and anyone else responsible for IoT in a comprehensive way. In doing so he provides the necessary background for building a cyber security IoT practice and ensures that customers are provided a higher level of assurance for the products and services they are selecting for IoT.

If you want to buy this book, for your convenience, here is the link to RIoT Control on Amazon.

 


Cyber Canucks EP 4: Perceived Barriers to Security for SMBs

We hope you enjoy episode 4 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

– Cost of implementing Security – the cost is too high, but how much does it cost after you’ve been breached?
– Lack of skilled Personnel – difficulty in finding the right people
– Physical Security – often overlooked when thinking about cybersecurity
– We are too small, we don’t need security – all organizations need security. Cyber criminals are now targeting smaller companies because they don’t consider security a priority
– Educate Staff – all staff need to be educated about cybersecurity; breaches commonly occur from within

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at http://twelvedot.com/contact-us/.

A big Thx goes out to Jack Wiles for sound editing.
