Enterprise Risk Management (ERM) introduces effective risk management (RM) by attacking the issues differently to assess and remediate risks that affect the business. It takes a more robust approach than traditional Risk Management.

Traditional Risk: Business unit leaders, directors, and managers were responsible and accountable for risks in their respective departments. An example is the CFO, or Comptroller is responsible for risks relating to business cash flow and finance. This approach is very siloed.  Having some type of Risk management is better than not having it, but this approach does have its shortcomings:

• Unidentified risks that don’t fit nicely within a silo. Risks can be anywhere, and sometimes they do not necessarily align with the organizational chart resulting in unidentified risks.

•  Some risks may span multiple business units. If one leader identifies the risk the business may not understand its true impact and likelihood if it spans multiple departments.  An example of this would be a privacy law that affects Spain for example. If the compliance officer ranks this as very low risk because there is no business/consumers or data from Spain residents. However, down the hall in another c-suite office, there are ongoing talks about a possible partnership with a platform in that same country.

•  Silo risk owners may address a risk in their domain but not understand that the mitigations of their risk can affect another department.  A classic example is an IT change that mitigates some technical risks but impacts usability for other departments. This leads to frustration, confusion and ‘shadow IT’

•  Traditional risk typically focused on internal risks. ERM focuses on external factors as well

  Holistic Top-Down Enterprise Risk Management

Enterprise Risk Management attempts to fill these gaps by incorporating a holistic, all-hands-on-deck approach to risk management. EMR is a top-down approach that starts from a strategic approach that trickles down to the operational level (Beasley, 2016).

 ERM begins with an understanding of what the organization is trying to achieve short and long term. Identifying all assets (people, technology, data, solutions, networks) ranking those assets, identifying risks and then ultimately remediation and monitoring. It is key to understand that top management and key staff are involved in this process, not just a department leader.  

 Identify all risks. Whereas with traditional risk management, risks that fall out of a department can be missed, EMR focuses on strategy, compliance, operations, and tactics to attempt to address all risks (internal and external).  

The output of EMR should be a risk register that clearly identifies the enterprise's top risks that identify:

• Risk identification number

• Owner, responsible, and accountable parties

• Risk description

• Risk Remediation

• Risk milestones

• Key Risk Indicators

EMR takes a more holistic approach to risk management and incorporates all levels of the business (strategy, tactical, operational). EMR focuses on internal and external risks. EMR is a cycle and not a project; the focus is always on understanding the business's top threats, their remediations if they are being implemented, and how effective those mitigations are.  This approach is the next step in the evolutionary process of risk management and provides one of the most impactful and thorough methods for risk management.

Written by:

Carlos Neto 1/9/2023

References:

Beasley , M. (2016). What is enterprise risk management? - North Carolina State University. NC State . Retrieved January 10, 2023, from https://erm.ncsu.edu/az/erm/i/chan/library/What_is_Enterprise_Risk_Management.pdf

The primary purpose of cyber espionage groups and advanced persistent threats (APTs) is to gather sensitive information covertly from target organizations or individuals. This information can include a wide range of data, such as intellectual property, trade secrets, military plans, political intelligence, and more.

APTs are called "advanced" because they use advanced tactics and techniques to infiltrate and compromise target systems. They are called "persistent" because they often maintain a long-term presence on a target's systems to continue gathering information.

Cyber espionage groups and APTs are often sponsored by governments or other organizations, and they may target a wide range of sectors, including government, military, finance, and more. The information they gather can be used for various purposes, including military advantage, economic gain, and political leverage.

Here are a few things you will need to know to understand this blog:

• Compromise: When a system or network is compromised, an unauthorized party has gained access to it. This could be due to a security vulnerability or a successful cyber attack.

• Cyber espionage: Cyber espionage refers to the practice of collecting sensitive information covertly through the use of computer networks and the internet, often for military or political purposes.

• Exploit: An exploit is a vulnerability or weakness in a computer system, network, or application that can be exploited by an attacker to gain unauthorized access or perform other malicious actions.

• Ransomware: Ransomware is malware that encrypts a victim's files, making them inaccessible until a ransom is paid to the attacker.

• Breach: A breach is an incident in which a security system or protocol has been successfully attacked or bypassed.

• Phishing: Phishing is a type of cyber attack that involves tricking people into revealing sensitive information, such as login credentials or financial information, by pretending to be a legitimate entity. This is often done through fake emails or websites.

Known Cyber Espionage Group and Advanced Persistent Threats

There are many known cyber espionage groups and advanced persistent threats (APTs) that have been identified by cybersecurity researchers. Some examples include:

• APT1 (also known as Comment Crew or Shanghai Group): A Chinese APT that has been active since 2004 and has been linked to several high-profile cyber espionage campaigns.

• APT28 (also known as Fancy Bear or Sofacy Group): A Russian APT that has been active since at least 2007 and has been linked to cyber espionage campaigns against governments, military organizations, and other high-value targets.

• APT29 (also known as Cozy Bear or The Dukes): Another Russian APT that has been active since at least 2008 and has been linked to cyber espionage campaigns against a wide range of targets, including government agencies, think tanks, and political organizations.

• APT3 (also known as Gothic Panda or UPS Team): A Chinese APT that has been active since at least 2010 and has been linked to cyber espionage campaigns against a wide range of targets, including governments, military organizations, and businesses.

• APT10 (also known as Stone Panda or MenuPass Group): A Chinese APT that has been active since at least 2010 and has been linked to cyber espionage campaigns against a wide range of targets, including governments, military organizations, and businesses.

Cyber Espionage Group and Advanced Persistent Threats Tools

Cyber espionage groups and advanced persistent threats (APTs) use various tools and techniques to infiltrate and compromise target systems. These can include:

Malware: APTs often use malware to infect and compromise target systems. This can include viruses, trojans, worms, ransomware, and other types of malicious software.

Spearphishing: APTs may use spearphishing attacks to trick target individuals into revealing sensitive information or installing malware. Spearphishing attacks are highly targeted and often involve using fake emails or websites that appear legitimate.

Vulnerabilities: APTs may exploit vulnerabilities in software or systems to gain access to a target's systems. This can include known vulnerabilities that have not been patched, as well as zero-day vulnerabilities (vulnerabilities that are unknown to the vendor and have not yet been patched).

Command and control servers: APTs may use command and control servers to remotely control the malware they have deployed on a target's systems and to exfiltrate stolen data.

Custom tools: APTs may use custom tools developed specifically for their operations. These tools may be designed to evade detection or to perform specific tasks, such as stealing specific types of data or taking control of systems.

How to Protect System Form Cyber Espionage Groups and Advanced Persistent Threats?

Here are a few steps that organizations and individuals can take to protect their systems from cyber espionage groups and advanced persistent threats (APTs):

• Keep software and systems up to date: Make sure to apply the latest security updates and patches for all software and systems. This can help to close known vulnerabilities that could be exploited by APTs.

• Use antivirus and firewall software: Install and regularly update antivirus and firewall software to help protect against malware and other threats.

• Use strong, unique passwords: Use strong, unique passwords for all accounts and do not reuse passwords across different accounts.

• Enable two-factor authentication: Use two-factor authentication, which requires a second form of authentication in addition to a password, whenever possible. This can help to protect against attacks that rely on stolen passwords.

• Be cautious of emails and links: Be cautious of emails and links, particularly those that come from unknown sources. Do not click on links or download attachments from untrusted sources, as they may contain malware.

• Educate employees: Educate employees about the risks of cyber attacks and teach them how to recognize and avoid suspicious emails and other threats.

• Conduct regular security assessments: Conduct regular security assessments to identify vulnerabilities and to ensure that security measures are effective.

Are you worried about cyber espionage?

CyberSecOp managed services help organizations by providing the expertise and resources; we are a specialized cybersecurity provider for organizations that may not have the in-house expertise or resources to manage their cybersecurity effectively.

Some common types of managed services in the context of APTs and cyber espionage may include:

• Threat intelligence and monitoring: Offer real-time monitoring for APTs and other threats, as well as analysis of threat intelligence data.

• Vulnerability management: Offer services to help organizations identify and address vulnerabilities in their systems and applications.

• Security incident response: Offer support to organizations in responding to security incidents, including providing guidance on how to contain and mitigate the effects of an attack.

• Security testing and assessment: Providers may offer services to help organizations assess the effectiveness of their current security measures and identify areas for improvement.

CyberSecOp use MITRE ATT&CK to help organizations better understand the tactics, techniques, and procedures used by attackers and design more effective defenses against them. We also use it in relation to incident response, allowing organizations to quickly identify what stage of an attack they are dealing with and take appropriate action.

Using MITRE ATT&CK to provide services, it helps your clients improve their cybersecurity posture and defend against cyber attacks. This could involve providing guidance on how to implement controls to mitigate specific attack techniques, conducting assessments to identify vulnerabilities and areas for improvement, or providing incident response support.

Cyber breaches in the healthcare industry can have serious consequences, as they can compromise the confidentiality, integrity, and availability of sensitive patient information. These breaches can lead to financial loss, damage to reputation, and regulatory fines for the affected organizations. They can also have serious consequences for patients, including identity theft, financial loss, and harm to their physical and mental health.

According to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS) in 2018, only 36% of healthcare organizations reported having a fully implemented cybersecurity program. The survey also found that only 37% of healthcare organizations had a formal incident response plan in place, and only 29% had regularly scheduled cybersecurity training for employees.

There have been several high-profile healthcare cyber breaches in recent years, including the 2017 WannaCry ransomware attack that affected the National Health Service in the UK and the 2018 breach of the health insurance company Anthem, which exposed the personal information of nearly 79 million individuals.

According to the US Department of Health and Human Services (HHS), the healthcare industry has consistently had the highest number of reported data breaches of any sector. In 2020, the HHS received reports of 1,363 breaches affecting a total of over 36 million individuals. The most common types of breaches reported were hacking/IT incidents (43.8%), unauthorized access/disclosure incidents (33.7%), and theft incidents (22.5%).

It is important for healthcare organizations to implement robust cybersecurity measures to protect patient information and prevent cyber breaches. This includes regularly updating and patching systems, training employees on cybersecurity best practices, and implementing strong passwords and access controls.

high-profile cyber breaches in the healthcare

There have been several high-profile cyber breaches in the healthcare industry in recent years. Some examples include:

• In 2021, the health insurance company Premera Blue Cross announced a data breach that affected over 11 million individuals. The breach occurred in 2014, but was not discovered until 2015. The company discovered that hackers had gained access to its systems and had potentially accessed personal and medical information of its customers.

• In 2020, the healthcare provider UnityPoint Health suffered a data breach that affected over 1.4 million individuals. The breach occurred when an employee fell victim to a phishing attack, which allowed hackers to gain access to the company's systems and potentially view or steal patient information.

• In 2019, the healthcare provider Quest Diagnostics announced a data breach that affected nearly 12 million individuals. The breach occurred when an unauthorized third party gained access to the company's systems and potentially accessed patient information.

• In 2018, the health insurance company Anthem suffered a data breach that affected nearly 79 million individuals. The breach occurred when hackers gained access to the company's systems and potentially accessed the personal and medical information of its customers.

It is important for healthcare organizations to implement robust cybersecurity measures to protect against cyber breaches and prevent the unauthorized access or disclosure of sensitive patient information.

healthcare HIPAA and cyber protection

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets standards for protecting certain health information. HIPAA requires covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates to implement safeguards to protect the privacy and security of protected health information (PHI).

HIPAA requires covered entities to implement physical, technical, and administrative safeguards to protect PHI. These safeguards include:

• Physical safeguards: measures to secure the physical environment where PHI is stored, such as locking doors and securing servers.

• Technical safeguards: measures to protect against unauthorized access to PHI, such as firewalls, encryption, and access controls.

• Administrative safeguards: policies and procedures to ensure the proper handling of PHI, such as training employees on HIPAA requirements and conducting risk assessments.

HIPAA also requires covered entities to report certain types of breaches of PHI to the Department of Health and Human Services (HHS) and, in some cases, to affected individuals.

It is important for covered entities and their business associates to comply with HIPAA requirements to protect the privacy and security of PHI and prevent cyber breaches. This includes implementing appropriate safeguards and regularly reviewing and updating their HIPAA compliance programs.

LastPass Breach Update

As the months pass, more and more information is becoming apparent regarding the LastPass breach that surfaced last August. What at first was thought to be some source code and technical data theft has turned into a rather sophisticated advanced persistent threat (APT) that affects nearly every user of LastPass. Here are some more details:

Back in August of 2022, a threat actor/s got a hold of some source code and internal technical details about LastPass. The actor/group then used that information to hack a LastPass employee (via social engineering or other means) and attain their credentials and security keys to access a cloud-based storage service. While this cloud-based storage service was logically and physically separated from LastPass's central infrastructure and network, it turns out it stored internal and customer-based information, which the threat actor was able to attain and download.

What kind of data are we talking about exactly? According to LastPass, they could download a backup of customer vault data from the encrypted storage container, which is stored in a proprietary format. This included unencrypted data such as website URLs as well as fully-encrypted data such as usernames and passwords and form-filled data.  

 So, in other words, they have the kitchen sink. They have everything.

 It is important to know that the encrypted data is encrypted with the latest 256-bit AES encryption and does require the customer's master password to decrypt. LastPass does not have knowledge of any customer master password, as stated in their 'zero knowledge' architecture. However, if your master password is weak and does not enforce MFA, you must consider your password compromised. You 

must change your master password and enforce MFA immediately. 

If you have a strong password, you may still be the target of social engineering devised to get your master password. LastPass will never ask for your master password.

If anything, this latest security breach of a significant company is more empirical proof that even the biggest and most secure/compliant organizations are not immune to cyber incidents. Vigilance against social engineering, strong passwords and MFA are some of the layers of defense that can protect against this specific incident.

To Do:

• Change LastPass Master Password to a very strong password or passphrase IMMEDIATELY.

• Enable MFA IMMEDIATELY

• Inventory all the applications and passwords you have in your last pass vault and change those. Start with the most sensitive and work your way down.

• Enable MFA on any application that stores sensitive information- even if it sits behind LastPass

• Change your mindset to be super extra cautious of social engineering emails -but especially any emails that detail this LastPass breach.

Written By: Carlos Neto     12/27/2022

 According to the study, this could have severe consequences for defense contractors, with nearly half losing up to 60% of their revenue if DoD contracts are lost.

"CMMC is a set of commercially reasonable standards to protect data," said CyberSecOp CISO. Organizations must address it as a part of doing business or risk losing the contract. “Nearly nine in ten (90%) of US defense contractors need to meet basic cybersecurity regulatory requirements.

According to the survey, defense contractors still need to implement basic standards. A sampling:

·        35% have security information and event management (SIEM)

·        39% have an endpoint detection response solution (EDR)

·        18% have a vulnerability management solution

·        28% have multi-factor authentication (MFA)

Defense contractors are being targeted by state hackers.

Defense contractors are a popular target for nation-state groups due to the sensitive information they possess about the US military. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in October 2022 highlighting advanced persistent threat (APT) activity detected on a defense organization's enterprise network.

CyberSecOp CISO is concerned that four out of five defense contractors reported a cyber-related incident, with nearly three out of five reporting business loss due to a cyber-related event.

CyberSecOp is a CMMC-AB REGISTERED PROVIDER ORGANIZATION (RPO)

DOD has made an effort to simplify CMMC, but it is undoubtedly still complicated. CMMC is based on several other standards, including DFARS, 800-171, and ISO 27001. Utilizing all the above information security standards make it very challenging for most DOD contractors to copy with CMMC. Get compliant with CyberSecOp CMMC Assessment, Security Program & Advisory Services.

NHTSA is developing a new online guidebook that will help automotive and highway safety stakeholders understand cybersecurity risks and the actions they can take to mitigate them. The guidebook will be an online tool released in phases and updated as new information and resources become available.

The following are some of the topics that will be addressed in the guidebook:

– Cybersecurity risks to vehicles and highway infrastructure

– Methods to reduce cybersecurity risks

– Technologies and processes to secure vehicles and highway infrastructure

– Laws, regulations, and standards related to automotive cybersecurity

– Cybersecurity research and development priorities

The purpose of the NHTSA Automotive Cybersecurity Guide

Vehicles are cyber-physical systems, and cybersecurity vulnerabilities could impact the safety of life. Therefore, NHTSA’s authority would be able to cover vehicle cybersecurity, even though it is not covered by an existing Federal Motor Vehicle Safety Standard. Nevertheless, as amended, motor vehicle and motor vehicle equipment manufacturers are required by the National Traffic and Motor Vehicle Safety Act to ensure that systems are designed to be free of unreasonable risks to motor vehicle safety, including those that may result due to the existence of potential cybersecurity vulnerabilities.

NHTSA believes that it is important for the automotive industry to make vehicle cybersecurity an organizational priority. This includes proactively adopting and using available guidance such as this document and existing standards and best practices. Prioritizing vehicle cybersecurity also means establishing other internal processes and strategies to ensure that systems will be reasonably safe under expected real-world conditions, including those that may arise due to potential vehicle cybersecurity vulnerabilities.

The automotive cybersecurity environment is dynamic and is expected to change continually and, at times, rapidly. NHTSA believes that the voluntary best practices described in this document provide a solid foundation for developing a risk-based approach and important processes that can be maintained, refreshed, and updated effectively over time to serve the needs of the automotive industry

Some key areas of focus would be:

1. Properly secure all vehicle systems and data in transit and at rest.

2. Implement security controls to prevent, detect, and respond to threats and vulnerabilities.

3. Educate and train employees on cybersecurity risks and best practices.

4. Regularly test and monitor systems to ensure they are functioning properly and effectively.

5. Maintain knowledge of emerging security threats and develop strategies to protect against them. 6. Respond to and investigate any potential security breaches.

7. Prepare and deliver security awareness training to employees.

8. Maintain and update records of security breaches and the measures taken to mitigate them.

9. Keep up to date with developments in security systems and trends.

10. Monitor compliance with security policies and procedures and report any deviations.

11. Perform any other security-related duties as required

Cybersecurity Best Practices for Modern Vehicles

Leadership Priority on Product Cybersecurity

The automotive industry needs to create corporate priorities and foster a culture that is prepared and able to handle increasing cybersecurity challenges.

Along this line, NHTSA recommends that companies developing or integrating safety-critical vehicle systems prioritize vehicle cybersecurity and demonstrate management commitment to doing so with the following actions:

•     Allocating dedicated resources within the organization focused on researching, investigating, implementing, testing, and validating product cybersecurity measures and vulnerabilities;

•     Facilitating seamless and direct communication channels though organizational ranks related to product cybersecurity matters; and

•     Enabling an independent voice for vehicle cybersecurity-related considerations within the vehicle safety design process.

Information Sharing

Executive Order 13691 – Promoting Private Sector Cybersecurity Information Sharing strongly encourages the development and formation of industry-specific Information Sharing and Analysis Organizations and calls on private companies, nonprofit organizations, executive departments, agencies, and other entities to “share information related to cybersecurity risks and incidents and collaborate in as close to real-time as possible.”

Vulnerability Reporting/Disclosure Policy

NHTSA supports additional mechanisms for information sharing, such as a vulnerability reporting/disclosure program. These have been effective in other sectors and would likely benefit the motor vehicle industry. Automotive industry members should consider creating their vulnerability reporting/disclosure policies or adopting policies used in other sectors or technical standards. Such policies would provide any external cybersecurity researcher with guidance on how to disclose vulnerabilities to organizations that manufacture and design vehicle systems.

A vulnerability reporting/disclosure policy should inform cybersecurity researchers how a company plans to interact with them. In general, the company’s expectations for the relationship between companies and cybersecurity researchers should be described in detail and publicly available.

Vulnerability / Exploit / Incident Response Process

The automotive industry should have a documented process for responding to incidents, vulnerabilities, and exploits. This process should cover impact assessment, containment, recovery and remediation actions, and the associated testing.

This process should clearly outline the roles and responsibilities of each responsible group within the organization and specify any internal and external coordination requirements. The process should be designed to ensure rapid response without sole dependence on any single person.

The automotive industry should periodically define metrics to assess its response process's effectiveness. In addition, companies should document details of each identified and reported vulnerability, exploit, or incident. These documents should include information that extends from onset to disposition with sufficient granularity to enable response assessment.

Self-Auditing

In addition to implementing a cybersecurity process based on a sound systems engineering approach, the automotive industry should document the cybersecurity process details to allow for auditing and accountability. Such documentation may include the following:

•     risk assessments,

•     penetration test results,

•     organizational decisions.

Further, such documents should be retained through the expected life span of the associated product. Persistent documents (such as cybersecurity requirements) should follow a robust version control protocol and be revised regularly as new information, data, and research results become available.

Risk Assessment

The automotive industry should develop and use a risk-based approach to assessing vulnerabilities and potential impacts and consider the entire supply chain of operations. This approach should involve an ongoing risk management framework to assess and mitigate risk over time.

At a minimum, organizations should consider cybersecurity risks to safety-critical vehicle control functions and PII. For example, a risk assessment process and the associated documentation should consider the following questions as suggested in the following modification of the documented NIST and CIS.

Penetration Testing and Documentation

The automotive industry should consider extensive product cybersecurity testing, including penetration tests. These tests should include stages that deploy qualified testers who have not been part of the development team and are highly incentivized to identify vulnerabilities.

All reports resulting from these penetration tests should be maintained as part of the internal documentation associated with the cybersecurity approach. Documentation should identify the testers, their qualifications, and their recommendations.

These penetration testing reports should also document the disposition of detected cybersecurity vulnerabilities. If a vulnerability is fixed, the details of the fix need to be documented. If a vulnerability is not addressed, the reasoning behind the acceptability of the underlying risk should be documented as well. In addition, the penetration testing reports should note the authorized approving authority for each vulnerability.

Self-Review

The automotive industry should establish procedures for internal review and documentation of cybersecurity-related activities. This will assist companies in better understanding their cybersecurity practices and determining where their processes could benefit from improvement. One suggested approach is for the automotive industry to produce annual reports on the state of their cybersecurity practices. These annual reports could discuss the current state of implemented cybersecurity controls, findings from self-auditing activities, and records maintenance. Information concerning the corporate structure related to cybersecurity and all other cybersecurity efforts would be valuable information for stakeholders and consumers.

Fundamental Vehicle Cybersecurity Protections

The following recommendations are based on what NHTSA has learned through its internal applied research as well as from stakeholder experiences shared with NHTSA. These recommendations do not form an exhaustive list of actions necessary for securing automotive computing systems, and all items may not be applicable in each case. These protections serve as a small subset of potential actions which can move the motor vehicle industry toward a more cyber-aware posture.

Limit Developer/Debugging Access in Production Devices

Software developers have considerable access to ECUs. Such ECU access might be facilitated by an open debugging port or a serial console. However, developer access should be limited or eliminated if there is no foreseeable operational reason for the continued access to an ECU for deployed units.

If continued developer access is necessary, any developer-level debugging interfaces should be appropriately protected to limit access to authorized privileged users. Physically hiding connectors, traces, or pins intended for developer debugging access should not be considered a sufficient form of protection.

Control Keys

Any key (e.g., cryptographic) or password which can provide an unauthorized, elevated level of access to vehicle computing platforms should be protected from disclosure. Any key obtained from a single vehicle’s computing platform should not provide access to multiple vehicles.

1.1.3        Control Vehicle Maintenance Diagnostic Access

Diagnostic features should be limited as much as possible to a specific mode of vehicle operation which accomplishes the intended purpose of the associated feature. Diagnostic operations should be designed to eliminate or minimize potentially dangerous ramifications if they are misused or abused outside of their intended purposes.

For example, a diagnostic operation that may disable a vehicle’s brakes could be restricted to operating only at low speeds. In addition, this diagnostic operation might not disable all brakes at the same time, and/or it might limit the duration of such diagnostic control action.

Control Access to Firmware

In many cases, firmware precisely determines the actions of an ECU. Extracting firmware is often the first stage of discovering a vulnerability or structuring an end-to-end cyberattack.

Developers should employ good security coding practices and tools that support security outcomes in their development processes.

Many platforms may be able to support whole disk encryption of external non-volatile media. In this case, encryption should be considered a useful tool in preventing the unauthorized recovery and analysis of firmware.

Firmware binary images may also be obtained from a firmware updating process. Organizations should reduce opportunities for a third party to obtain unencrypted firmware during software updates.

Limit Ability to Modify Firmware

Limiting the ability to modify firmware would make it more challenging for malware to be installed on vehicles. For example, using digital signing techniques may make it more difficult and prevent an automotive ECU from booting modified/ unauthorized and potentially damaging firmware images. In addition, firmware updating systems that employ signing techniques could prevent the installation of a damaging software update that did not originate from an authorized motor vehicle or equipment manufacturer.

Control Proliferation of Network Ports, Protocols and Services

The use of network servers on vehicle ECUs should be limited to essential functionality only and services over such ports should be protected to prevent use by unauthorized parties. Any software listening on an internet protocol (IP) port offers an attack vector that may be exploited. Any unnecessary network services should be removed.

Use Segmentation and Isolation techniques in Vehicle Architecture Design.

Privilege separation with boundary controls is important to improving the security of systems. Logical and physical isolation techniques should be used to separate processors, vehicle networks, and external connections as appropriate to limit and control pathways from external threat vectors to cyber-physical features of vehicles. Strong boundary controls, such as strict white list-based filtering of message flow between different segments, should be used to secure interfaces.

Control Internal Vehicle Communications

Critical safety messages could directly or indirectly impact the operations of a safety-critical vehicle control system.

Sending safety signals as messages on common data buses should be avoided when possible. For example, providing an ECU with dedicated inputs from critical sensors eliminates the common data bus spoofing problem.

If critical safety information must be passed across a communication bus, this information should reside on communication buses segmented from any vehicle ECUs with external network interfaces. A segmented communications bus may also mitigate the potential effects of interfacing insecure aftermarket devices to vehicle networks.

Critical safety messages, particularly those passed across non-segmented communication buses, should employ a message authentication scheme to limit the possibility of message spoofing.

Log Events

An immutable log of events sufficient to reveal the nature of a cybersecurity attack or a successful breach should be maintained and periodically scrutinized by qualified maintenance personnel to detect trends of cyber-attack.

Control Communication to Back-End Servers

Widely accepted encryption methods should be employed in any IP-based operational communication between external servers and the vehicle. Consistent with these methods, such connections should not accept invalid certificates.

Control Wireless Interfaces

In some situations, it may be necessary to exert fine-grained control over a vehicle’s connection to a cellular wireless network. The industry should plan for and design-in features that could allow changes in network routing rules to be quickly propagated and applied to one, a subset, or all vehicles.

Education

NHTSA believes that an educated workforce is crucial to improving the cybersecurity posture of motor vehicles.

The NHTSA guide can be found here.

Aftermarket device manufacturers should consider that their devices are interfaced with cyber-physical systems, and they could impact the safety of life. Even though the system's primary purpose may not be safety-related (e.g., telematics device collecting fleet operational data), if not properly protected, it could be used as a proxy to influence the safety-critical system behavior on vehicles. Aftermarket devices could also be brought on to all ages and types of vehicles with varying levels of cybersecurity protection on the vehicle side of the interface. Therefore, these devices should include strong cybersecurity protections on the units since they could impact the safety of vehicles regardless of their intended primary function.

Cybersecurity risks are common in the digital age, but we should not allow them to limit our business goals. Cybersecurity consulting and security breaches have gradually become critical parts of the IT department. We cannot tackle cyber threats without the expertise of cybersecurity consultants or cybersecurity breach experts.

Whether starting from scratch or looking to improve your existing cybersecurity resources, hiring a qualified cybersecurity consultant or security breach expert is always a good idea first.

Cybersecurity Vulnerabilities, Exploits, and Threats

Cybersecurity vulnerabilities are more likely to occur when old software versions are in use. Cybercriminals may exploit any software bugs they find. They may even write malware to specifically target older applications, which are less secure and easier to hack than their newer counterparts.

If you want to protect your company from cyber attacks, here are a few ways:

• Use the latest version of any application that is essential for your business (e.g., antivirus software);

• Have an expert conduct regular audits and penetration tests;

• Install operating system patches as soon as possible;

• Train employees on cybersecurity best practices;

• Strengthen network defenses by having an active firewall, two-factor authentication, and strong passwords policies in place;

• Let employees know what they can do to keep their devices safe at home and work.

• Implement ransomware backup best practices

Cyber Risk Mitigation Solution

When considering an organization's cyber security approach, the initial needle-moving goal should not be to avoid all risks, but instead, the strategy should contemplate how much security and what type of risk level is appropriate for different vulnerabilities.

The vulnerability analysis techniques present an opportunity for organizations to address the weaknesses in their current system and security framework. The flaw-based techniques help in assessing risks, hypothesizing breach points as well as benefits and disadvantages produced as a result of these risks. The damage potential (DP) technique offers this kind of precise information about vulnerable areas within cyber-systems that are commonplace features of computers and mobile devices.

Companies are getting hit by ransomware attacks, but there are things that both companies and employees can do to protect themselves by hiring an organization like CyberSecOp to implement a robust security program.

Security breaches can have disastrous effects as they potentially expose sensitive data to hackers. Companies are advised to plan their security measures in a preventive way and commit to these methods. The response should also be planned in order to restore the state prior to or minimize the damage caused by a security breach effectively.

Governmental agencies are investing in cybersecurity.

Cybersecurity has become a major issue. Governmental agencies are investing in the cybersecurity domain and focusing on security advancements. For example, Cybersecurity Strategy 2020 and expanding U.S. Cyber Task Force under DHS relate to this area of security and address the broad scope of cyber threats to federal networks, systems, or communications infrastructure identify priorities for cyber risk management, ensure persistent attention to counterterrorism with respect to cyberspace policymaking, execution baseline resilience against digital interference, reduce interstate conflict over jurisdictional responsibilities related to cybersecurity matters by improving key information-sharing practices among relevant federal entities in order to promote operational coordination on cybersecurity matters.

What is Cybersecurity Awareness Month?

Cybersecurity Awareness Month was founded in 2004 as a collaborative effort between the government and private industries to raise awareness about digital security and empower everyone to protect their personal information from digital forms of crime. It also aims to increase the resiliency of the country during a cyber threat.

Cybersecurity Awareness makes the community more aware to recognize, reject and report threats. Organizations can protect their users from being scammed and safeguard the organization.

When is Cybersecurity Awareness Month? 

October is known as National Cybersecurity awareness month. It's an international campaign.

What is the history behind Cybersecurity Awareness Month?

In 2004 the President of the United States and Congress declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative effort between government and industry to raise cybersecurity awareness nationally and internationally.

 Facts and figures

• 42% of schools have students or employees that circumvent cybersecurity protections (Impact My Biz)

• Nearly three-quarters (74%) of ransomware attacks on higher education institutions succeeded due to a lack of awareness (Inside Higher Ed)

• Ransomware attacks on U.S. schools and colleges cost $6.62b in 2020 (darkreading)

  • 95% of cybersecurity breaches are caused by human error. (World Economic Forum)

  • 69% of Companies’ Are Increasing Their Investments in Their Cybersecurity Budgets (Global digital Trust insights report

  • APWG (Anti Phishing Working Group) Reports That Website Phishing Attacks Have Tripled Since Early 2020

  • 88% of Businesses Experienced a Ransomware Attack

What are some examples of past Cyber-attacks?

The most recent well-known attack was the Colonial Pipeline (May 2021). The pipeline from Houston to the southeastern United States suffered a ransomware attack that took over key components of the computer software used to control the pipeline. This attack was singlehandedly the largest attack on oil and gas infrastructure in U.S. history. The attack led to panic buying of gasoline in the southeast, which caused shortages in some areas. Anthem (2015) a U.S. healthcare company, sustained what at the time was the biggest data breach in U.S. history. Hackers gained access to patient names, Social Security numbers, birthdays, addresses, emails, employment information and salary data.

The National Basketball Association (NBA) was hit with a cyberattack in 2021. In mid-April of 2021, the hacker group Babuk claimed to have stolen 500 GB of confidential data concerning the Houston Rockets. Babuk warned that these confidential documents, including financial info and contracts, would be made public if their demands were not met. As of this posting, no ransom payments have been made.

REvil, the same hacker group made headlines in July with an attack on Kaseya. Kaseya manages IT infrastructure for major companies worldwide. Similar to the attacks on Colonial Pipeline, this hack could potentially disrupt key areas of the economy on a large scale.

REvil carried out this attack by sending out a fake software update through Kaseya’s Virtual System Administrator, which infiltrated both Kaseya’s direct clients as well as their customers. According to REvil, one million systems were encrypted and held for ransom. Kayesa, stated that around 50 of their clients and around 1000 businesses were impacted. REvil demanded $70 million in bitcoin. To illustrate the impact of the cyber-attack, Coop, a Swedish supermarket chain, was forced to close 800 stores for a full week.

Soon after the attack, the FBI gained access to REvil’s servers and obtained the encryption keys to resolve the hack. Fortunately, no ransom was paid, and Kaseya could restore its clients' IT infrastructure. Although it started as one of the biggest ransomware attacks of the year, the situation was salvaged in the end.

 How should you and others stay safe?

·         Always use Antivirus

·         For younger kids use Parental Controls

·         Never download random files or software

·         When you can Use Two factor authentication

·         Keep your software up to date

·         Complex Passwords

·         Don’t click on any links or attachments in texts, emails, or social media posts

·         Don’t connect to unfamiliar Wi-Fi networks

·         Only visit secure websites (HTTPS)

·         Try not to overshare information (social media)

·         Use a VPN

The new head of the FBI’s San Antonio office stated that ransomware attacks in particular have skyrocketed as more of us work and go to school from home. And when it comes to ransomware, the FBI focuses on critical infrastructure: anything that involves national security or the economy.

“We don't advise companies to pay ransoms,” Rich says. “However, even if they do, we still ask them to let us know what's happening because if they report it to us, and report it to us early, we can help identify who the threat actor is.”

10 Ransomware Prevention and Recovery Tips 

Quick steps you can take now to PROTECT yourself from the threat of ransomware:

1. Use antivirus software at all times
Set your software to automatically scan emails and flash drives.

2. Keep your system patched and up to date 
Run scheduled checks to keep everything up-to-date.

3. Block access to the ransomware site
Use security products or services that block access to known ransomware sites.

4. Restrict Application
Configure operating systems or use third-party software to allow only authorized applications on computers.

5. Restrict personally owned devices on work networks
Organizations should restrict or prohibit access to official networks from personally-owned devices.

6. Restricting Administrative Privileges
Use standard user accounts vs. accounts with administrative privileges whenever possible.

7. Avoid using personal applications
Avoid using personal applications and websites – like email, chat, and social media – from work computers.

8.  Beware of Unknown sources 
Don't open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.

Ransomware Readiness Recovery Tip

Steps you can take now to help you RECOVER from a future ransomware attack:

9. Have an Incident Response Plan

Develop and implement an incident recovery plan with defined roles and strategies for decision making. 2 Carefully plan, implement, and test a data backup and restoration strategy – and secure and isolate backups of important data. Have a team of incident response professionals on retainer to quickly respond in the event of a breach. 

10. Have Backup & Restore capability

Create a business continuity plan, and maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement.

• Recovery Strategies

• Business impact analysis

There is a lot more not covered in this article like incident response tabletop exercise, ransomware negotiation, and ransomware payment.

Hackers continue to exploit Apache Log4j Security Flaws which was discovered on December 17, 2021. CISA issued Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability directing federal civilian executive branch agencies to address Log4j vulnerabilities—most notably, CVE-2021-44228. The Emergency Directive requires agencies to implement additional mitigation measures for vulnerable products where patches are not currently available and requires agencies to patch vulnerable internet-facing assets immediately, thereby superseding the broader deadline in BOD 22-01 for internet-facing technologies.

Hackers including Chinese state-backed groups have launched more than 840,000 attacks on companies globally since last Friday, according to researchers, through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J.

What is Log4j vulnerability?

Log4j is a piece of open-source code enabling system administrators to handle and record errors. However, a disastrous vulnerability in the protocol has made masses of systems susceptible to cyberattacks.

The zero-day vulnerability termed ‘Log4Shell’ takes advantage of Log4j’s allowing requests to arbitrary LDAP (Lightweight Directory Access Protocol) and JNDI (Java Naming and Directory Interface) servers, allowing attackers to execute arbitrary Java code on a server or other computer or leak sensitive information.

In other words, hackers can exploit Log4Shell to install malicious software or enable data theft. Because of Log4j’s omnipresence, the threat is global and massive. . Apache products that are affected by Log4j.

Hackers exploit Log4j Security Flaws New reported Hacks.

On August 27, 2022, Iranian Hackers Exploits Unpatched Log4j 2 of an Israeli Organizations

"After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,"

September 9, 2022, Lazarus Exploits Log4j 2 of Energy Companies in US, Canada, & Japan

Threat intelligence company Cisco Talos says the cybercriminals group targeted certain energy providers in the three countries between February and July 2022. Lazarus used the Log4j vulnerability — reported last year — to gain access to the servers and deployed Vsingle, Yamabot malware, alongside a new entrant — dubbed MagicRat — to establish a seamless connection.

The research published by Cisco Talos on Thursday states that the MagicRat malware attributed to Lazarus is a remote access trojan used for reconnaissance and stealing credentials.

Vsingle is used to execute arbitrary code from remote networks and can be used to download plugins. According to the researchers, Lazarus has been using it for reconnaissance, manual backdooring, and exfiltration. The other one, Yamabot, is a Golang-based malware that uses HTTP requests to communicate with command-and-control servers.

Log4j Remediation

Remediation is a critical step to ensure that attackers do not exploit vulnerable Log4 assets in your environment as most organizations have multiple Java-based applications in their environment. Most Java-based applications use Log4J; the scope of this problem is significant.

Wait for the Vendor to Release a Log4j Patch

Many of the applications installed in your environment are developed by vendors. As with any application, these third-party applications may be vulnerable to Log4Shell. Most vendors will test their application(s) to ensure that they are not weak for Log4Shell and, if they are, will release a patch to fix the vulnerability. The CyberSecOp Red team can help you identify Log4J vulnerabilities so you can plan effectively and we will working the vendors to remediate them.

During war time, critical vulnerabilities can arise out of nowhere. It can be stressful and time-consuming to deploy emergency patches, and security teams often lack the resources and visibility needed to quickly identify, triage, and resolve vulnerabilities in a timely manner.

Company Overview

Through its products and solutions, CyberSecOp offers cyber security tools, such as network, email, and mobile security as well as forensic investigation following a breach. As stated by the business:

The landscape of cyber threats is quickly changing. Organized threat actors are laser-focused on hacking systems and stealing data using sophisticated attacks that are tailored to compromise a specific target and evade traditional signature-based defenses, a key component of what currently constitutes basic cyber hygiene, instead of the broad scattershot attacks of the past.

SolarWinds Supply Chain Against US Agencies

The recent SolarWinds attack made the entire world aware of the danger of a cyber supply chain attack, or an attack on or through the vendors or suppliers of your company. It is becoming increasingly apparent that your business and its data are only as secure as the weakest link among your suppliers, even if you take all the necessary precautions to secure your own computer systems. This risk includes potential computer system attacks as well as the possibility of a disruption to the operations of your suppliers.

Common Risks for Supply Chains

Many risks can cause supply chain disruption, and those threats can have severe consequences for your business. Some of the more common risks are:

Cybersecurity Risks

Hackers can enter your supply chain and then move throughout your firm. Cybersecurity breaches can also wreak havoc on your day-to-day operations. So information security should be at the forefront of your mind when considering new vendors.

Compliance Risks

You’ll need to make sure your vendor can meet any regulatory compliance requirements your company has, which will subsequently affect your supply chain. For example, suppose a vendor bribes foreign government officials on your behalf. In that case, your company will be charged with violating the U.S. Foreign Corrupt Practices Act and all the legal ramifications that it entails.

Financial Risks

When collaborating with other companies, the risk of financial loss is always present. For example, if your contractor goes bankrupt or faces its own supply issues, this could have significant economic consequences for you and your organization.

Reputational Risks

Reputational risk is the most unpredictable type of risk because incidents that affect your reputation might happen out of nowhere. Damage to your contractors’ reputations can also harm yours, so consider reputational risk when choosing providers.

Cyber Supply Chain Principles and Supply Chain Risks

NIST identifies primary principles to consider for successful C-SCRM. These considerations are comprehensive and broadly apply to critical infrastructure, business processes, and intellectual property.

Understand the Security Risks Posed by Your Supply Chain

Examine the specific dangers that each supplier exposes you to, the products or services they provide, and the value chain as a whole.

Supply chain risks come in a variety of shapes and sizes. A supplier, for example, may not have enough security, may have a hostile insider, or its employees may not correctly handle your information. Gather sufficient information to better evaluate these security concerns, such as an insider data collection report or risk assessment.

Develop Your Organizational Defenses With “Assume Breach” in Mind

Assuming a breach means an organization approaches its cybersecurity posture by anticipating that its networks, systems, and applications are already compromised. Treating an internal network as if it’s as open as the internet readies the system for various threats and compromises.

Set Minimum Security Requirements for Your Suppliers

You should establish minimum security requirements and metrics for suppliers that are justified, proportionate, and achievable. Make sure that these standards reflect not only your evaluation of security risks but also the maturity of your suppliers’ security arrangements and their capacity to achieve the requirements you’ve set.

Minimum requirements should be documented and standardized to streamline enforcement. This technique will help you lower your effort and prevent giving these parties unnecessary work.

Cybersecurity is a People, Process, and Technology Problem

People, processes, and technology are the triad of solving problems. Supply chain management also focuses on these three areas to enhance supply chain performance, make it more secure, and do more with less.

Look at the Entire Landscape

There are multiple security standards that interact with each other in a variety of cybersecurity frameworks and best practices. A few examples are the NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls, and the International Organization for Standardization (ISO) series.

To be efficient and flexible, your C-SCRM should follow the guidelines established by your third-party risk management program. That is especially important today, where outsourcing is common. Always remember that your C-SCRM program is only as good as the data security provided by your least secure third- or fourth-party supplier.

Encourage the Continuous Improvement of Security within Your Supply Chain

Encourage your vendors to keep improving their security measures, emphasizing how this will help them compete for and win future contracts with you.

Advise and support your suppliers as they seek to make these improvements. Allow your suppliers time to achieve improvements but require them to provide you with timelines and project plans.

Listen to and act on any issues arising from performance monitoring, incidents, or bottom-up supplier reports that imply current approaches aren’t functioning as well as they should.

Best Practices for Cyber Supply Chain Risk Management

An organization can employ a variety of best practices in its C-SCRM program. Best practices improve the ability to identify and mitigate potential risks over time. In addition, these practices include remediation steps to apply if you experience a data breach.

Here is a list of some of the best practices to keep in mind as you set to work on your cyber supply chain risk management program:

• Security requirements need to be defined in requests for proposals (RFP). In addition, use security questionnaires to hone in on the current standards practiced by each bidder.

• An organization’s security team must assess all vendors, and you must remediate vulnerabilities before sharing information, data, or goods and services with them.

• Engineers must use secure software development programs and keep up-to-date on training.

• Software updates need to be available to patch systems for vulnerabilities, and they must be downloaded and installed in real time.

• Dedicated staff that is assigned to ongoing supply chain cybersecurity activities.

• Implement and enforce tight access controls to service vendors.

The new NIST guidance reflects the increased attention companies are paying to manage cyber supply chain risks. It is a useful resource for enterprises of all sizes, though some of the recommendations may be too burdensome or complex for smaller organizations to reasonably adopt. Small businesses may lack the sufficient purchasing power to require their suppliers to complete certifications or participate in contingency planning, as NIST suggests, and may not have the resources to create internal councils and intricate review procedures.

Why are cybersecurity consultants in demand?  

We are surrounded by a vast universe of information in this day and age of information technology. Most of this information is available in digital form over the internet, which is a global computer network accessible to all. As a result, security is a significant concern. Security of data available on the internet is known as cybersecurity worldwide. Today, cybersecurity is critical, especially in light of the numerous incidents of data theft that have occurred at large organizations such as Yahoo, Facebook, Google+, and Marriott International. Cyberattacks such as Spyware and Ransomware pose significant challenges. It should come as no surprise that large IT organizations worldwide are spending millions of dollars to ensure the safety and security of their systems and hire security consultants at a rapid pace to manage their systems and comply with new regulations.

What does a cybersecurity consultant do?

A cybersecurity consultant's job is to identify vulnerabilities in an organization's computer systems, network, and software, then design and implement the best security solutions for that company's needs. If a cyberattack occurs, your clients will seek your advice on how to respond and mitigate the damage.

The fastest what to become a cybersecurity consultant is by getting one or two of the following security certifications.

Certifications

Consider at least one of the following certifications to stay ahead of the competition and earn more revenue with better contracts:

• Certified Information Systems Security Professional (CISSP) CISSP certification covers the definition of IT architecture and the designing, building, and maintaining a secure business environment using globally approved security standards. This training also handles industry best practices ensuring you're prepared for the CISSP certification exam.

• Global Information Assurance Certification (GIAC) GIAC certification ensures that cybersecurity professionals meet and demonstrate specific levels of technical proficiency. You’ll get hands-on training in the latest cybersecurity skills across various roles, meaning you can put your certification expertise to work immediately.

• Certified Information Systems Auditor (CISA) is a certification and a globally recognized standard for appraising an IT auditor's knowledge, expertise, and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment.

• Certified Information Security Manager (CISM) CISM certification is the globally accepted standard of achievement in this area. The uniquely management-focused CISM certification ensures holders understand business and know how to manage and adapt technology to their enterprise and industry. Since its inception in 2002, more than 30,000 professionals worldwide have earned the CISM to affirm their high level of technical competence and qualification for top-caliber leadership and management roles.

• CompTIA Security+  is the first security certification IT professionals should earn. It establishes the core knowledge required of any cybersecurity role and provides a springboard to intermediate-level cybersecurity jobs.

What is the Difference Between Computer Security and Cyber Security?

Cybersecurity and computer security are frequently confused as synonyms, according to the public. It's not accurate, though. Even though both of these phrases are commonly used when discussing how to safeguard and boost the effectiveness of the IT infrastructure, there are a few significant distinctions between them. 

Computer security deals with protecting endpoints, such as desktops, laptops, servers, virtual machines, and IaaS, from malware and other threats. Cybersecurity, however, deals with safeguarding data against unauthorized access, such as that from hackers. Read the full article about the differences.

What can a Cyber Security Consultant Do for Your Business?

It is critical to keep business assets safe from criminals. There is no excuse for leaving a company and its shareholders vulnerable to attack at a time when people are dedicated to breaking into IT systems for profit and malicious intent. Choosing the right IT security services provider can reduce risk, lower costs, and boost customer confidence. You must act quickly because the bad guys have already begun.

This article provides advice on how to increase Outlook productivity, improve security, and get the most out of this critical program. We can assist you in protecting your account if you receive a link in an email that appears to be from your bank but isn't fake notifications from social networking sites or malicious advertisements. We stay up to date on the latest scams, so you don't have to. Though we protect your account from a variety of threats, there are several steps you can take to keep your account and personal information safe.

Outlook Security Tips

1. Outlook user Email Security Tips

• If you see a yellow safety bar at the top of your message, then the message contains blocked attachments, pictures, or links to websites. Ensure you trust the sender before downloading any attachments or images or clicking any links. Emailing the sender to verify they intended to send you an attachment is also a good practice for any attachments you're not expecting.

• A red safety bar means that the message you received contains something that might be unsafe and has been blocked by Outlook.com. We recommend that you don't open those email messages and delete them from your inbox.

• When you add an address to your Outlook safe sender’s list, all messages you receive from that address go right to your inbox. Adding a sender to your blocked sender’s list sends messages from that address to your Junk email folder.

• If the URL that appears in the address bar when you sign in doesn't include login.microsoftonline.com or login.live.com, you could be on a phishing site. Don't enter your password. Try to restart your browser and navigate to login.microsoftonline.com or Outlook.com again. If the problem continues, check your computer for viruses.

2. Use multi-factor authentication.         

• Multi-factor authentication (MFA) also known as two-step verification, requires people to use a code or authentication app on their phone to sign into Outlook and Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent hackers from taking over if they know your password.

3. Protect your administrator accounts.

• Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the right number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs.

4. Use preset security policies.  

• Your subscription includes preset security policies that use recommended settings for anti-spam, anti-malware, and anti-phishing protection.

5. Protect all devices.    

• Every device is a possible attack avenue into your network and must be configured properly, even those devices that are personally owned but used for work.

  • Help users set up MFA on their devices

  • Protect unmanaged Windows and Mac computers

  • Set up managed devices (requires Microsoft 365 Business Premium or Microsoft Defender for Business)

6. Train everyone on email best practices.       

• Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable because everyone in the organization handles email, and safety relies on humans making consistently good decisions with those communications. Train everyone to know what to watch for spam or junk mail, phishing attempts, spoofing, and malware in their email. 

7. Use Microsoft Teams for collaboration and sharing.

• The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it.

  •   Use Microsoft Teams for collaboration.

  • Set up meetings with Microsoft Teams

  •   Share files and videos in a safe environment 

8. Set sharing settings for SharePoint and OneDrive files and folders.

• Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs. 

9. Use Microsoft 365 Apps on devices. 

• Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Whether you're using the web or desktop version of an app, you can start a document on one device and pick it up later on another device. Instead of sending files as email attachments, you can share links to documents that are stored in SharePoint or OneDrive. 

10. Manage calendar sharing for your business.

• You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only.

11. Maintain your environment.

• After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to ensure people have only the access they need to do their jobs.

Top 10 Microsoft Outlook Tips to Boost Productivity

12. Create folders to organize your emails.

• This is the apparent first step if you want to simplify how you use email. However, it may also be the most difficult, particularly if your inbox is overloaded. Even so, it makes the most sense to organize your emails into a user-friendly folder system so that you won't have to spend hours sifting through hundreds of emails in search of the one you're looking for. An easy-to-use folder system will also encourage you to respond to each email as it comes in rather than putting it off till later all the time.

13. Utilize the simple email templates provided by Outlook.

• Save one of the emails as a template if you frequently write the same type of message so that you may conveniently access it in the future when you're ready to use that previously saved form. 

14. Accept the web-based future of Outlook.

• Most of the email, calendar, and contact infrastructure is moved to a web-based view in Outlook Office 365, and other recent versions of the program so that it can be accessed on any device. Even sending brief notes amongst coworkers is straightforward with Microsoft's Send email software for cellphones, which also enters all the communications into your Microsoft Outlook history for convenient archiving and access.  

15. Adjust desktop notifications so that you only receive critical messages.

• If you get a notification every time a message arrives in your inbox, you'll be distracted. But you don't want to miss important emails, so disable desktop alerts in File > Options > Mail Options, then create a custom rule to only display alerts for messages sent to you by specific contacts. 

16. Make a folder for frequently used searches.

•  Looking for a specific folder among a hundred can be time-consuming if you still do so by typing words or phrases into the search field above the message list. You can, however, make the job easier by creating a "Search" folder for frequently searched terms.

  •  To make one, go to the "Folder" tab and right-click on "Search Folder.

What is the Difference Between Computer Security and Cyber Security?

Cybersecurity and computer security are frequently confused as synonyms, according to the public. It's not accurate, though. Even though both of these phrases are frequently used when discussing how to safeguard and boost the effectiveness of the IT infrastructure, there are a few significant distinctions between them.

Computer security deals with protecting endpoints, such as desktops, laptops, servers, virtual machines, and IaaS, from malware and other threats. Cybersecurity, however, deals with safeguarding data against unauthorized access, such as that from hackers.

The Difference Between Computer Security and Cyber Security

What computer security?

In terms of computer security, we're talking about the hardware and software security of a standalone computer. Maintaining stand-alone machines with the latest updates and proper patches is one of the most critical aspects of computer security.

Protecting your actual desktop and laptop computers as well as other hardware is the focus of computer security. Additionally, these systems need to be appropriately updated and patched. Yet by safeguarding the data kept on your networks, computers, printers, and other devices, cyber security can cover all of these operations. All connected digital devices are safe.

What is Cyber security?

Cybersecurity is the process of preventing unauthorized access to your company's sensitive data and systems through the incorporation of security protocols. Cyber threats must be reduced not only from a business standpoint but also to prevent fines related to data loss. Cyber security is intended to safeguard your digital footprint, to put it simply.

Your systems can be hacked by cybercriminals as well. If found to be insecure, they can easily mine and profit from selling your data on the dark web. For midsized businesses without a sizable PR and legal team at their disposal, a data breach can result in irreparable harm in the form of high regulatory fines, loss of reputation, and diminished customer trust, all of which are challenging to overcome. The size of a company has no bearing on a hacker's behavior. To see what they can catch, they want to cast the widest net they can.

Data is the most crucial element in either case. Your business has valuable consumer and proprietary data. The value of data is understood by cyber criminals. Threat actors are constantly looking for the most exposed systems. A lot of small businesses are simple targets. The use of mobile devices to access corporate data is growing, which increases security risks. Employees invite cybercriminals into the organization when they check their work email off the company network. When you collaborate with the CyberSecOp group that provides cyber security services, you will have professionals on your side to manage and mitigate advanced and persistent threats.

Information Security, Cybersecurity, IT Security, and Computer Security

The terms can frequently be used interchangeably. Computers handle data. Information technology includes the area of IT security, which typically relates to computers. As I said, computer security. Protecting systems from cyber threats is the definition of cybersecurity. Merriam-Webster describes "cyber" as "of, related to, or involving computers or computer networks."

Information security is what IT security is about information technology. Computer science is the parent of information technology. IT is the practical application of computer science, primarily for servers, PCs, supercomputers, data centers, and other endpoints. When referring to business, the terms information security, computer security, and cybersecurity can all be used interchangeably.

What is a sandbox, and why do you need one to analyze malware?

A sandbox is an isolated computer and network environment designed for analyzing software behavior. This environment is typically designed to run risky files and determine whether those files pose a malware threat. Some sandboxes are also designed to examine URLs to determine whether they are suspicious and could lead to malware infection. Modern sandboxes enable businesses and individuals to test any type of file, including Microsoft Office files, PDF files, and executable files.

VirusTotal Malware Analysis Tool 

Virus Total is an online service that uses antivirus engines and website scanners to analyze suspicious files and URLs in order to detect different types of malware and malicious content. It provides an API through which users can access the data generated by VirusTotal.

Cyber security and professionals use the free VirusTotal online service, but there is also a paid version that allows you to analyze files or URLs in order to identify malware detectable by antivirus engines, and it is one of the most popular in the community, so we decided to get a piece of that action.

Joe Sandbox Malware Analysis Tool

The free version of Joe Sandbox enables users to send files, browse a URL, download and execute a file or submit a command line. It works for Windows operating systems, macOS, Android, Linux, and iOS, making it a complete solution for customers with a large variety of operating systems in their IT infrastructure.

The only Windows systems accessible in the free version are a Windows 7 64-bit virtual machine and a Windows 10 64-bit physical machine. Other systems are available in the Cloud Pro service. Not many sandboxes offer the possibility of running files in a real physical system, which is one of the greatest features of Joe Sandbox.

ANY.RUN Malware Analysis Tool

ANY.RUN sandbox supports parsing public submissions. In this manner, an analyst can first search the database for any known indicator of compromise (IOC) and malware to see if it has already been publicly analyzed and then obtain the results. It contains millions of public submissions and is updated daily.

ANY.RUN's free version allows users to send files or URLs to a Windows 7 32-bit virtual machine, while the paid version allows users to send files to Windows Vista, Windows 8, and Windows 10.

The most powerful feature of ANY.RUN is the ability to interact in real-time with the virtual environment that runs the suspicious file or URL. Once a file is submitted, the user has 60 seconds to interact with the entire environment (or more on paid plans). This is a fantastic feature when analyzing malware that waits for specific user actions before running any payload. Consider malware that quietly waits for the user to launch a specific application (such as a browser) or to click on a dialog box. This is where the sandbox comes in handy.

What are some alternatives?

When comparing VirusTotal and Joe Sandbox, Any.Run you should also take into the following products.

• Cuckoo Sandbox - Cuckoo Sandbox provides a detailed analysis of any suspected malware to help protect you from online threats.

• Hybrid-Analysis.com - Hybrid-Analysis.com is a free malware analysis service powered by payload-security.com.

• Jotti - Jottis malware scan is a free online service that enables you to scan suspicious files with several...

• Metadefender - Metadefender, by OPSWAT, allows you to quickly multi-scan your files for malware using 43 antiviruses.

• Falcon Sandbox - Submit malware for analysis with Falcon Sandbox and Hybrid Analysis technology. CrowdStrike develops and licenses analysis tools to fight malware.

What is Malware Analysis? Malware analysis is the process of determining the behavior and intent of a suspicious file or URL. The analysis' output aids in the detection and mitigation of a potential threat. Reverse engineering, sometimes called back engineering, is a process in which software, machines, aircraft, architectural structures, and other products are deconstructed to extract design information from them. Often, reverse engineering involves deconstructing individual components of larger products. Reverse engineering malware involves disassembling (and sometimes decompiling) a software program. Through this process, binary instructions are converted to code mnemonics (or higher-level constructs) so that engineers can look at what the program does and what systems it impacts.

What is cyber security?

Cybersecurity refers to the practices and technologies used to protect computers, networks, and devices from cyber-attacks and threats. Cybersecurity is critical because it helps to ensure the confidentiality, integrity, and availability of information and systems. Cyber attacks can come in many forms, such as malware, ransomware, phishing, and Denial of Service (DoS) attacks. They can have serious consequences, including the theft of sensitive data, the disruption of business operations, and the loss of money. To protect against these threats, organizations, and individuals can use a variety of cybersecurity measures, such as firewalls, antivirus software, and strong passwords. It is also essential to educate users about how to recognize and avoid cyber threats and to keep software and systems up to date with the latest security patches.

What are Cyber Security Services?

There are many different types of cybersecurity services that organizations and individuals can use to protect themselves against cyber threats. Some examples of cybersecurity services include:

1. Managed security services: These services provide ongoing monitoring and protection of an organization's networks and systems by a team of cybersecurity experts.

2. Network security: This type of service protects an organization's networks from external threats, such as hackers and malware.

3. Cloud security: This service helps to secure an organization's data and applications that are hosted in the cloud.

4. Email security: This service helps to protect against threats that are transmitted through email, such as phishing attacks and spam.

5. Endpoint security: This service helps to protect the devices that are used to access an organization's networks and systems, such as laptops and smartphones.

6. Web security: This service helps to protect an organization's website and web-based applications from threats such as malware and hacking.

7. Identity and access management (IAM): This service helps to ensure that only authorized users have access to an organization's systems and data.

8. Compliance and risk management: This service helps organizations to comply with relevant laws and regulations and to manage their cybersecurity risks.

9. Incident response: This service helps organizations to respond to and recover from cybersecurity incidents, such as data breaches and cyber attacks.

What is security compliance?

Security compliance refers to the process of following rules, guidelines, and standards that are designed to protect an organization's information and systems from cyber threats. These rules and standards may be mandated by laws and regulations, or they may be voluntary industry standards. Some examples of security compliance frameworks and standards include:

1. The Payment Card Industry Data Security Standard (PCI DSS): This standard applies to organizations that accept, process, or store credit card payments and is designed to protect against the theft of cardholder data.

2. The Health Insurance Portability and Accountability Act (HIPAA): This law applies to organizations in the healthcare industry and sets standards for protecting patient health information.

3. The General Data Protection Regulation (GDPR): This law applies to organizations that process the personal data of individuals in the European Union (EU) and sets standards for data protection and privacy.

4. The National Institute of Standards and Technology (NIST) Cybersecurity Framework: This framework guides organizations on how to manage and reduce their cybersecurity risks.

5. The International Organization for Standardization (ISO) 27001: This standard provides a framework for an organization's information security management system (ISMS).

Following security compliance standards can help organizations to protect their information and systems from cyber threats and avoid fines and other penalties for non-compliance. It is important for organizations to assess their compliance with relevant standards regularly and to implement measures to address any gaps.

Managed security service providers (MSSPs)

Managed security service providers (MSSPs) are companies that offer a range of cybersecurity services to organizations on a subscription basis. These services may include ongoing monitoring and protection of an organization's networks and systems, incident response, and compliance assistance. MSSPs can help organizations to improve their cybersecurity posture and reduce the risk of cyber attacks in several ways:

1. Expertise: MSSPs typically have teams of cybersecurity experts with the knowledge and experience to identify and mitigate potential threats.

2. Continuous monitoring: MSSPs can provide continuous monitoring of an organization's networks and systems, which can help to identify and respond to threats in real time.

3. Time and cost savings: Outsourcing cybersecurity to an MSSP can save an organization time and resources that would otherwise be spent on in-house cybersecurity efforts.

4. Compliance assistance: MSSPs can help organizations to ensure compliance with relevant security standards and regulations.

By working with an MSSP, organizations can benefit from the expertise and resources of a dedicated cybersecurity team, which can help to improve their overall security posture and reduce the risk of cyber attacks.

CYBERSECURITY & SECURITY RISK ASSESSMENT

Cybersecurity encompasses the functions, actions, processes, tools, and resources utilized in securing one’s digital presence and cyber network of connected systems, data, and devices. It aims to reduce risk to an organization or entity continuously. It is a complex endeavor where the effort is constant, the dangers are abundant, and visibility is key. Visibility is knowledge, its power, and it can be the difference between staying in business or going out of business. It is the difference between making your customers and clients live better or unintentionally much worse, providing for your employees with a good living or adding to unemployment, and focusing on growing your organization or worrying about how to pay regulatory fines. Yes, visibility is all that and more.  

Cybersecurity & Security Risk Assessment Benefits  

Now that we’ve established that visibility is essential, let’s look at what it means in the cyber-realm. Visibility is to cyber what doors, windows, locks, roofs, basements, weapons, and fighting or defensive resources are to a zombie attack. Imagine this: you’re in a big house with many rooms, doors, windows, etc., and you are under a zombie attack. You run and close the garage door, lock the front and back doors, shut the windows, and believe you are safe. But you had no idea the roof is only an inch thick and caves in with the slightest weight or some room somewhere in the house had an extra window, and it’s wide open. Think about how all the effort you put into closing all those other doors and windows just went to waste because you missed one and how important it would have been to have known all of that. Game over, right?! That is the power of visibility. Gain knowledge of every weakness and strength and all factors that can potentially become routes to attack or provide defenses.  

Cyber Attacks Prevention

 In the efforts of ensuring data and systems are protected from cyber-attacks and the plethora of federal, state, and international regulations are met, one of the most powerful tools that provide the needed visibility is a Security Risk Assessment. A Security Risk Assessment conducted by an experienced third party is absolutely key to providing vital visibility into the entire organization’s strengths and weaknesses. But that’s not where a Security Risk Assessment ends. When correctly done, Security Risk Assessments go much further and provide detailed roadmaps to close the identified gaps and maximize the recognized strengths. Security Risk Assessments also hold an organization’s hand and walk them through which gaps pose the most significant risk; and which ones will cost the most or the least. This provides precise risk analysis, ranking all the gaps and risks in detail.   

When a third-party Security Risk Assessment is completed and presented, it should provide comprehensive guidance. The guidance offers complete visibility into all you didn’t know, confirmation of what you may have known, and precise advice on achieving a better and more mature security posture inclusive of all the proactive and reactive measures needed. 

It's no wonder every Security Framework, international, federal, and state regulation involving IT risk management and cybersecurity emphasizes Security Risk Assessments as a must-have. Don’t be blind to potentially devastating gaps in your organization. Contact us and get your Security Risk Assessment. Cyber-attackers are not waiting, and neither should you. 

Author: Carlos Neto

 Attacks on the healthcare industry are on the rise as noted in a recent article published in CYBERSECOP.  Healthcare providers of all sizes are subject to attack and in this case, CHRISTUS Health learned of “unauthorized access” likely similar to 254 ransomware incidents targeting patient care facilities between June 2020 and April 2022 worldwide.  Patients are at risk, both their health and their PII where threat actors can alter and/or add to patient billings with no notice of impropriety.  The true impact will be hard to discern until more time and data are collected but we know one thing for sure, the healthcare industry needs to take cybersecurity as seriously as they do patient care and follow their own advice; Plan, Prevent, Protect and Respond.

Plan – Get a Risk Assessment to identify and understand your cybersecurity vulnerabilities is one of the most critical steps as the awareness will lead to a prioritized remediation plan.  Even a chink in the armor will have your patients, employees, and community concerned as a cyber-attack will likely affect critical operations because the prize is financial data, patient, and employee Personally Identifiable Information (PII).

Prevent - After an assessment is completed, you need a trusted and reliable security cyber organization to assist in leveraging the right framework and controls to be measured by such as HITURST, HITECH, HIPAA and PCI.  These guidelines assist in defining the appropriate critical security controls for effective cyber defense.  These efforts can be awareness training, policy creation & enforcement, and security controls as well as incident response readiness and governance.  It’s a journey, not a sprint.

Protect – Within most remediation plans include investments in endpoint protection dark web monitoring and focusing on digital trust goals to ensure the technology investments already made as well as those in the future work in harmony.  Like a Rubik’s cube, the goal is to have every facet of your organization in order, not just celebrating a single win.  It is important to have a managed security partner to protect your patients, employees, devices, and data with monitored protection systems along with managed & encrypted backups with a Security Operations Center staffed with certified security professionals watching and engaging on your behalf 24x7x365.

Respond – Did you know that a threat actor will live in your ecosystem for an average of 121 days mining sensitive data, passwords, organization charts, and behaviors before acting?  Nearly 95% of ransomware attacks are preventable so what starts as a threat becomes a technology issue, then a business risk issue, and eventually decision-making and communications issue at the board level.  Do you pay the ransomware or not?  Are we able to recover our data?  Has the threat actor accessed our PII?  And equally important is how do you keep from reaching this point again.  Having an incident response assessment and plan might be the one thing you do if you don’t buy into everything else.  You should receive an IT assessment of “how capable are we to thwart an attack?” and “how able are we to recover if breached?”  Buying cyber insurance is not the silver bullet it used to be so having an incident partner who is proactively focused on your company’s sensitive data and reputation is paramount.

Not unlike a hospital, there are two main ways to address cyber security by coming through the Emergency Room or the front door proactively for testing; I recommend the latter.  A proactive health check is the best step to understanding your ability to fight off an attack like a stress test.  The results may drive adjustments in behavior and readiness, such as point endpoint detection, policy creation & enforcement, and security training.  If you enter the ER, then don’t panic because you read this blog and signed up a reputable security partner to react & respond, including quarantining affected systems to prevent the ransom spread, resetting all passwords, checking your backups, activating your existing crisis/DR plans and negotiate with the threat actor if that is the best business decision communicating carefully along the way with detailed documentation.  The moral of this story is that hope is not a strategy, so know your security scorecard and realize cyber readiness is a journey, not a sprint.

Author: Christopher Yula