Article | August 30, 2021
As President Biden prepared to meet with Russian President Putin this past week in a high-profile summit in Geneva, Switzerland, cyber-attacks originating from criminals within Russia were near the top of a list of contentious issues on the agenda.
However, there were important events that received minimal media attention that strengthened the U.S. President’s position. President Biden walked into those meetings with something new and bold: the strong backing of NATO countries on a series of new cyber commitments.
In a NATO Summit held in Brussels on June 14, 2021, the heads of state and government participating in the meeting of the North Atlantic Council reaffirmed their unity and commitments on a long list of mutual defense topics. And there was also a major new commitment discussed in the press release — cyber-attacks against critical infrastructure within any NATO member country were now on the table. That is, online (Internet-based) attacks could result in the same response as physical attacks (with guns and bombs.)
Yes, this is a very significant global development which highlights another way that the physical world and online world are merging fast, with ramifications in both directions.
HOW DID WE GET TO THIS MOMENT?
The ransomware attacks that recently struck critical infrastructure companies such as Colonial Pipeline and JBS resulted in more than just long lines for gas and meat price hikes. It raised alarm bells in countries all over the globe regarding the susceptibility of the majority of countries to ransomware and other forms of malware.
These ransomware incidents led to NATO’s new Comprehensive Cyber Defense Policy. The big news: Cyber-attacks against critical infrastructure might (on a case-by-case basis) now trigger the famous Article 5 clause. “The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defense recognized by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area. …”
Here are two sections I’d like to highlight from last week’s communiqué (take special notice of section in bold):
“In addition to its military activities, Russia has also intensified its hybrid actions against NATO Allies and partners, including through proxies. This includes attempted interference in Allied elections and democratic processes; political and economic pressure and intimidation; widespread disinformation campaigns; malicious cyber activities; and turning a blind eye to cyber criminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries. It also includes illegal and destructive activities by Russian Intelligence Services on Allied territory, some of which have claimed lives of citizens and caused widespread material damage. We stand in full solidarity with the Czech Republic and other Allies that have been affected in this way.
“Cyber threats to the security of the Alliance are complex, destructive, coercive and becoming ever more frequent. This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm. To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defence Policy, which will support NATO’s three core tasks and overall deterrence and defence posture, and further enhance our resilience. Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law. We reaffirm that a decision as to when a cyber-attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognize that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack. We remain committed to act in accordance with international law, including the UN Charter, international humanitarian law and international human rights law as applicable. We will promote a free, open, peaceful and secure cyberspace, and further pursue efforts to enhance stability and reduce the risk of conflict by supporting international law and voluntary norms of responsible state behavior in cyberspace.”
MEDIA COVERAGE OF NATO ANNOUNCEMENTS
Global media coverage leading up to this NATO Summit was rather limited, especially when compared to the U.S.-Russia Summit and many of President Biden’s other European meetings – such as the G7 Summit and the his meeting with Queen Elizabeth II.
Nevertheless, Meritalk offered this article: “Cybersecurity, Ransomware Climb Policy Ladder at NATO, G-7 Meetings,” which said, “cybersecurity in general, and ransomware in specific, climbed high onto the ladder of major policy issues at both the weekend meeting of G-7 nations this weekend, and the NATO Summit that concluded on June 14.
“The increasing importance of cybersecurity on the national stage tracks with U.S. policy in recent months, including federal government responses to major software supply chain cyber assaults and ransomware attacks against U.S. critical infrastructure sector companies that are believed to have originated from organizations based in Russia. President Biden has promised to confront Russian President Vladimir Putin with cybersecurity and ransomware issues when the two leaders meet on June 16. …”
Also, Info security Magazine ran an excellent piece entitled: “NATO Warns it Will Consider a Military Response to Cyber-Attacks,” which said, “NATO has warned it is prepared to treat cyber-attacks in the same way as an armed attack against any of its allies and issue a military response against the perpetrators.
“In a communique issued by governments attending the meeting of the North Atlantic Council in Brussels yesterday, the military alliance revealed it had endorsed a Comprehensive Cyber Defence Policy, in which a decision will be taken to invoke Article 5 “on a case-by-case basis” following a cyber-attack. Under Article 5 of the NATO treaty, first signed in 1949, when any NATO ally is the victim of an armed attack, it will be considered an attack on all alliance members, who will theoretically take any actions necessary to defend that ally….”
When I posted this NATO cyber topic on LinkedIn, the responses were all over the map. You can join that discussion here.
Here are a few comments worth noting:
Michael Kaiser, president and CEO at Defending Digital Campaigns: “Attribution better be 110 percent.”
Paul Gillingwater, management consultant, Chaucer Group: “A cyber counter-attack *is* a military response. It's now one battlefield, from sea, land, air, space to cyberspace. Next: your AI will be trying to persuade my AI that it was actually a pacifist.”
Kaushik (Manian) Venkatasubramaniyan, project manager, Global Business Research (GBR): “These kind of cyber-attacks targeting hospitals etc. are acts of war anyway.”
FINAL THOUGHTS ON IMPORTANCE OF NATO ANNOUNCEMENT
For many years, cyber pros have been talking about a “Cyber 9/11” or “Cyber Pearl Harbor.” Many experts still believe that those major cyber incidents are inevitable.
Still, “smaller” cyber-attacks are now happening all the time all over the world — with very serious consequences. Bad actors are asking for larger ransoms and causing more harm. Ransomware is evolving, and future cyber-attacks may not be ended by paying a ransom to the cyber criminals.
With many cyber-attacks against governments, hospitals and now critical infrastructure like gas pipeline companies and food processing plants taking place, new government actions were a must. These ransomware attacks via different types of malware are becoming more frequent and serious, and are a growing global challenge for public- and private-sector leaders.
Many questions must be answered quickly, such as: Where are the “red lines” that cannot be crossed? Once the lines are identified, what happens if they are crossed? When does a cyber-attack become an act of war?
Make no mistake, NATO’s new policy on cyber-attacks against critical infrastructures is a big deal. Expect more ransomware attacks to occur and those global commitments for action to be tested in the years ahead.
Article Orginal Source:
Article | June 2, 2021
Cyber Security has quickly evolved from being just an IT problem to a business problem. Recent attacks like those on Travelex and the SolarWinds hack have proved that cyber-attacks can affect the most solid of businesses and create PR nightmares for brands built painstakingly over the years. Investing in cyber security training, cyber security advisory services and the right kind of IT support products, has therefore, become imperative in 2021.
Investing in cyber security infrastructure, cyber security certification for employees and IT solutions safeguards businesses from a whole spectrum of security risks, ransomware, spyware, and adware.
Ransomware refers to malicious software that bars users from accessing their computer system, whereas adware is a computer virus that is one of the most common methods of infecting a computer system with a virus. Spyware spies on you and your business activities while extracting useful information. Add social engineering, security breaches and compromises to your network security into the mix, and you have a lethal cocktail.
Article | June 18, 2021
In this modern world of technology, ensuring information security is very important for the smooth running of any organization. Unfortunately, there are many information/cyber security threats, including malware, ransom ware, emotet, denial of service, man in the middle, phishing, SQL injection, and password attacks. Whatever your business is, no doubt, it can collapse your business and your dreams. However, the severity of its after-effects depends upon the type of business you do.
As information security threat has become a hurdle for all organizations, companies must implement an effective information security management system. In 2019 alone, the total number of breaches was 1473. It is increasing every year as businesses are doing digital transformation widely. Phishing is the most damaging and widespread threat to businesses, accounting for 90% of organizations' breaches.
This article lets you understand what ISMS is and how it can be effectively implemented in your organization.
Information Security Management System (ISMS)
According to ISO/IEC 27001, Information Security Management System (ISMS) refers to various procedures, policies, and guidelines to manage and protect organizations' information assets. In addition, the system also comprises various other associated resources and activities frameworks for information security management.
Organizations are jointly responsible for maintaining information security. People responsible for security in an organization ensure that all employees diligently meet all policies, guidelines, and other objectives regarding protecting information. Also, they safeguard all assets of the organization from external cyber threats and attacks.
The goal and objective of the system are to protect the confidentiality, integrity, and availability of assets from all threats and vulnerabilities. Effectively implementing an information security management system in your organization avoids the possibility of leaking personal, sensitive, and confidential data and getting exposed to harmful hands. The step-by-step implementation of ISMS includes the process of designing, implementing, managing, and maintaining it.
Implementing ISMS in Organizations
The standard for establishing and maintaining an information security management system in any organization is ISO 27001. However, as the standard has broad building blocks in designing and implementing ISMS, organizations can shape it according to their requirements.
Effectively implementing ISMS in organizations in compliance with ISO 27001 lets you enjoy significant benefits. However, an in-depth implementation and training process has to be ensured to realize these benefits comprehensively. Therefore, let us look into how an information security management system can be successfully implemented in your organization.
The first step in implementing ISMS is identifying the assets vulnerable to security threats and determining their value to your organization. In this process, devices and various types of data are listed according to their relative importance. Assets can be divided across three dimensions: confidentiality, integrity, and availability. It will allow you to give a rating to your assets according to their sensitivity and importance to the company.
Confidentiality is ensuring that the assets are accessed by authorized persons only.
Integrity means ensuring that the data and information to be secured are complete, correct, and safeguarded thoroughly.
Availability is ensuring that the protected information is available to the authorized persons when they require it.
Policies and Procedures and Approval from the Management
In this step, you will have to create policies and procedures based on the insights you got from the first step. It is said to be the riskiest step as it will enforce new behaviors in your organization. Rules and regulations will be set for all the employees in this step. Therefore, it becomes the riskiest step as people always resist accepting and following the changes. You also should get the management approval once the policies are written.
Risk assessment is an integral part of implementing an Information Security Management System. Risk assessment allows you to provide values to your assets and realize which asset needs utmost care. For example, a competitor, an insider, or a cybercriminal group may want to compromise your information and steal your information. With a simple brainstorming session, you can realize and identify various potential sources of risk and potential damage. A well-documented risk assessment plan and methodology will make the process error-free.
In this step, you will have to implement the risk assessment plan you defined in the previous step. It is a time-consuming process, especially for larger organizations. This process is to get a clear picture of both internal and external dangers that can happen to the information in your organization.
The process of risk treatment also will help you to reduce the risks, which are not acceptable. Additionally, you may have to create a detailed report comprising all the steps you took during the risk assessment and treatment phase in this step.
If you want effectively implement all the policies and procedures, providing training to employees is necessary. To make people perform as expected, educating your personnel about the necessity of implementing an information security management system is crucial. The most common reason for the failure of security management failure is the absence of this program.
Once policies and procedures are written, and necessary training is provided to all employees, you can get into the actual process of implementing it in your organization. Then, as all the employees follow the new set of rules and regulations, you can start evaluating the system's effectiveness.
Monitoring and Auditing
Here you check whether the objectives set were being met or not. If not, you may take corrective and preventive actions. In addition, as part of auditing, you also ensure all employees are following what was being implemented in the information security management system. This is because people may likely follow wrong things without the awareness that they are doing something wrong. In that case, disciplinary actions have to be taken to prevent and correct it. Here you make sure and ensure all the controls are working as you expected.
The final step in the process of implementing an information security management system is management review. In this step, you work with the senior management to understand your ISMS is achieving the goals. You also utilize this step to set future goals in terms of your security strategy.
Once the implementation and review are completed successfully, the organization can apply for certification to ensure the best information security management practices.
Organizations benefit from implementing and certifying their information security management system. The organization has defined and implemented a management system by building awareness, training employees, applying the proper security measures, and executing a systematic approach to information security management. Thus implementation has the following benefits:
Minimized risk of information loss.
The increased trust of customers in the company as the company is ISO/IEC 27001 certified.
Developed competencies and awareness about information security among all employees
The organization meets various regulatory requirements.
Frequently Asked questions
What are the three principles of information security?
Confidentiality, integrity, and availability (CIA) are the three main principles and objectives of information security. These are the fundamental principles and the heart of information security.
How does information security management work?
Information security management works on five pillars. The five pillars are assessment, detection, reaction, documentation, and prevention. Effective implementation of these pillars determines the success of the information security management in your company.
What are the challenges in information security management?
Challenges in information security management in your company can be the following:
You can’t identify your most critical data
Policies aren’t in place for protecting sensitive information.
Employees aren’t trained in company policies.
Technology isn’t implemented for your policies.
You can’t limit vendor access to sensitive information.
Article | January 21, 2021
There is a saying, ‘you can fool all the people some of the time and some of the people all the time.’ Given the fact that there is no such thing as 100% security and human nature being trusting, this has been the backbone of many cyber security scams over the past 20 years. Cyber-criminals know that they will always fool some of the people, so have been modifying and reusing tried and tested methods to get us to open malware ridden email attachments and click malicious web links, despite years of security awareness training.
If you search for historic security advice from pretty much any year since the internet became mainstream, you will find that most of it can be applied today. Use strong passwords, do not open attachments or click links from unknown sources. All really familiar advice. So, why are people still falling for modified versions of the same tricks and scams that have been running for over a decade or more? Then again, from the cyber-criminal’s perspective, if it isn’t broken, don’t fix it? Instead, they evolve, automate, collaborate and refine what works. Sound advice for any business!
It is possible though to be in a position where you can no longer fool people, even some of the time, because it is no longer their decision to make anymore. This can be achieved by letting technology decide whether or not to trust something, sitting in between the user and the internet. Trust becomes key, and many security improvements can be achieved by limiting what is trusted, or more importantly, defining what not to trust or the criteria of what is deemed untrustworthy.
This is nothing new, as we have been doing this for years as many systems will not trust anything that is classed as a program or executable, blocking access to exe or bat files. The list of files types that can act as a program in the Microsoft Windows operating system is quite extensive, if you don’t believe me try to memorize this list: app, arj, bas, bat, cgi, chm, cmd, com, cpl, dll, exe, hta, inf, ini, ins, iqy, jar, js, jse, lnk, mht, mhtm, mhtml, msh, msh1, msh2, msh1xml, msh2xml, msi, ocx, pcd, pif, pl, ps1, ps1xml, ps2, ps2xml, psc1, psc2, py, reg, scf, scr, sct, sh, shb, shs, url, vb, vbe, vbs, vbx, ws, wsc, wsf, and wsh. As you can see, it is beyond most people to remember, but easily blocked by technology.
We can filter and authenticate email based on domain settings, reputation scores, blacklists, DMARC (Domain-based Message Authentication Reporting and Conformance) or the components of DMARC, the SPF and DKIM protocols. Email can also be filtered at the content level based on keywords in the subject and body text, the presence of tracking pixels, links, attachments, and inappropriate images that are ‘Not Safe For Work’ (NSFW) such as sexually explicit, offensive and extremist content. More advanced systems add attachment virtual sandboxing, or look at the file integrity of attachments, removing additional content that is not part of the core of the document. Others like ‘Linkscan’ technology look at the documents at the end of a link, which may be hiding behind shortened links or multiple hops, following any links in those documents to the ultimate destination of the link and scan for malware.
Where we are let down though is in the area of compromised email accounts from people that we have a trust relationship and work with, like our suppliers. These emails easily pass through most email security and spam filters as they originate from a genuine legitimate email account (albeit one now also controlled by a cyber-criminal) and unless there is anything suspicious within the email in the form of a strange attachment or link, they go completely undetected as they are often on an allow list. This explains why Business Email Compromised (BEC) attacks are so incredibly successful, asking for payments for expected invoices to be made into a ‘new’ bank account, or urgent but plausible invoices that need to be paid ASAP. If the cyber-criminals do their homework and copy previous genuine invoice requests, and maybe add in context chat based on previous emails, there is nothing for most systems or people to pick up on. Only internal processes that flag up BACS payments, change of bank of details or alerts to verify or authenticate can help. Just remember to double-check the telephone number in the email signature before you call, in case you are just calling the criminal. Also, follow the process completely, even if the person you were just about to call has just conveniently sent you an SMS text message to confirm, as SMS can be spoofed.
Not all compromised email attacks are asking for money though, many are after user credentials, and contain phishing links or links to legitimate online file sharing services, containing files that then link to malicious websites or phishing links to grant permission to open the file. To give you an idea of the lengths cyber-criminals go to, I’ve received emails from a compromised account, containing a legitimate OneDrive link, containing a PDF with a link to an Azure hosted website, that then reached out to a phishing site. In fact, many compromised attacks are not even on email, as social media is increasingly targeted as well as messaging services or even the humble SMS text message via SIM swap fraud or spoofed mobile numbers. As a high percentage of these are received on mobile devices, many of the standard security defences are not in place, compared to desktop computers and laptops. What is available though are password managers as well as two-factor authentication (2FA) and multi-factor authentication (MFA) solutions which will help protect against phishing links, regardless of the device you use, so long as you train everyone in what to look out for and how they can be abused.
One area I believe makes even greater strides in protecting users from phishing and malicious links is to implement technology that defines what not to trust based on the age of a web domain and whether it has been seen before and classified. It really does not matter how good a clone a phishing website is for Office 365 or PayPal if you are blocked from visiting it, because the domain is only hours old or has never been seen before. The choice is taken out of your hands, you still clicked on the link, but now you are taken to a holding page that explains why you are not allowed to access that particular web domain. The system I use called Censornet, does not allow my users to visit any links where the domain is less than 24 hours old, but also blocks access to any domains or subdomains that have not been classified because no one within the global ecosystem has attempted to visit them yet. False positives are automatically classified within 24 hours, or can be released by internal IT admins, so the number of incidents rapidly drops over a short period of time.
Many phishing or malicious links are created within hours of the emails being sent, so having an effective way of easily blocking them makes sense. There is also the trend for cyber-criminals to take over the website domain hosting cPanels of small businesses, often through phishing, adding new subdomains for phishing and exploit kits, rather than using spoofed domains. I’ve seen many phishing links over the years pointing to an established brand within the subdomain text of a small hotel. Either way, as these links and subdomains are by their very nature unclassified, the protection automatically covers this scenario too.
Other technological solutions at the Domain Name System (DNS) level can also help block IP addresses and domains based on global threat intelligence. Some of these are even free for business use, like Quad9.net and because they are at the DNS level, can be applied to routers and other systems that cannot accept third party security solutions. On mobile devices both Quad9 and Cloudflare offer free apps which involve adding a Virtual Private Network (VPN) profile to your device. Users of public Wi-Fi can be made secure via a VPN, though it’s preferable to have a premium VPN solution on all your user’s mobile devices, as these can be centrally managed and can offer DNS protection as well.
Further down the chain of events are solutions like privileged admin rights management and application allow lists. Here, malware is stopped once again because it is not on a trusted list, or allowed to have admin rights. There is also the added benefit that users do not need to know any admin account passwords, so as a result cannot be phished for something they do not know the answer to. Ideally, no users are working with full administrator rights in their everyday activities, as this introduces unnecessary security risks, but can often be overlooked due to work pressures and workarounds.
Let’s not forget patch management is also key, because it doesn’t matter how good your security solutions are if they can be bypassed because of a gaping hole via an exploit or vulnerability in another piece of software, whether at the operating system or firmware level, or via an individual application. Sure, no system is perfect and remember there is no such thing as 100% security, which is where the Endpoint Detection and Response (EDR) solutions and Security Information and Event Management (SIEM) solutions come into play. These can help minimize the damage through rapid discovery and remediation, hopefully before the cyber-criminals fully achieve their goals.
By harnessing the power of technology to protect us, layering solutions to cover the myriad of ways cyber-criminals constantly attempt to deceive us, we can be confident that emotional and psychological techniques and hooks will not affect technological decisions, as it is a binary choice, either yes or no. The more that we can filter out, makes it less likely that the cyber-criminals will still be able to fool some of the people all the time. This allows security awareness training to focus on threats that technology isn’t as good at stopping, like social engineering tricks and scams. The trick is to spend your budget wisely to cover all the bases and not leave any gaps, which is no easy feat in today’s rapidly changing world.