Back How HR Leaders Can Promote Cybersecurity Among Their Distributed Workforce

On April 29, 2021, NetSPI Chief Operating Officer (COO) Charles Horton was featured in an article on

One in four Americans will work remotely in 2021, according to Upwork’s Future Workforce Pulse Report. The report also forecasts that by 2025, 36.2 million Americans will be working remotely, an 87% increase from pre-pandemic levels. The Covid-19 pandemic has dramatically shifted the way we work today, a trend that many are predicting will continue. So, whose job is it to ensure employees are following security protocols while working from home and, in turn, keeping the organization safe from malicious cybercriminals?

The security and IT teams are responsible for putting in place the right security strategies and technologies, but they are not the only ones responsible for cybersecurity. HR leaders also have a critical role to play in securing the remote workforce.

4 Steps HR Pros Can Take to Improve Security

  1. Establish trust between the security team and other employees
  2. Work with your security team to help manage access to sensitive data
  3. Collaborate on security awareness training
  4. Develop and enforce security policies

Want more details on the four steps HR professionals can take to improve security? Read the full article.


Prioritize Threat Modeling and Pre-Social Engineering to Foster a Security Culture

Working as a security leader at startups, I have found that security is often an afterthought. This mindset is pervasive in the startup community given security can be expensive. Every company has to balance the level of security they have with an understanding of their responsibilities to the data, the types of data they have, what level of data they have, etc. but, above all, they must ensure that the company is sustainable. In other words, you can’t spend more than you make.

It is important to understand what an organization’s risk appetite is and how much they are willing to spend on security. With startup security or any organization with a less mature security program, significant impact can be made by changing people’s mindset on security. For example, if your engineers think “we can push security to the end,” what they actually need is better education on how they can start bringing security in sooner so that in the end it does not become a huge overhaul, or worse, a massive breach.

So, how does one get started? There are two core tactics that will help foster a security culture: threat modeling and “pre-social engineering.” NetSPI Managing Director Nabil Hannan and host of the Agent of Influence podcast recently sat down with me to discuss this very topic. From the conversation, here are my recommendations on how to leverage threat modeling and pre-social engineering to effectively prioritize security in your organization and create a security culture.

Start with a two-pronged approach of threat modeling and frameworks

When building a security program, I generally like to work from the outside in terms of tooling and from the inside out in terms of people. To build trust with the people in your organization, an inside out mindset is critical. To achieve this, I suggest starting with threat modeling and frameworks.

Frameworks, or a system of standards, guidelines, and best practices to manage cybersecurity risk, are a great way to know what the bones of your skeleton (security program) look like so that you know where to add the muscles (controls, technology). In tandem with frameworks, threat modeling is a great starting point. It allows you to understand what data you have, where it is, how it can be attacked, where your vulnerabilities are, and much more. Threat modeling helps you figure out where to start based on what presents the most risk. At a bare minimum, it helps you define who you’re trying to protect against – and that information in invaluable.

Additionally, some companies don’t yet understand the data they should be worried about. Which data is valuable, and in what ways? Threat modeling helps identify how specific data can be used by threat actors and can help organizations distinguish the realistic, big picture ramifications if the data is compromised.

What is pre-social engineering?

The idea behind pre-social engineering is to work with the people in your organization to make sure they remain kind and helpful to customers but are very skeptical of people asking for assistance from outside, and even inside, the company.

A lot of organizations find value in phishing their employees. To a point, I agree with using phishing as a security awareness tactic, however, today’s phishing emails are so sophisticated and difficult to tell apart from real emails that security teams who are very skeptical fall for them. For a great example of how sophisticated social engineering has become, watch this live vishing attempt from DEF CON.

Over time, I believe it has become a demotivational way to earn trust. If an employee fails a social engineering engagement, they are disciplined by spending valuable time on retraining. Pre-social engineering is an effective way to establish trust between security and the rest of the organization.

Along with your annual or quarterly security training of course, send out digestible information related to the latest threats to encourage people to familiarize themselves with security. In my opinion, approachability is one of the most effective characteristics of a successful security leader. You don’t want your employees to be afraid to approach you with a security suspicion out of fear they will get in trouble. As a part of pre-social engineering, reward your employees when they communicate with the security team.

Social engineering has the highest likelihood for compromise within any organization because the attack takes advantage of empathy. It is essential to understand that no matter how good your security is, adversaries will always find a gap. If they can get the right person, at the right time, with the right story they’re going to get in.

In the security industry we often hear, “people are your weakest link.” On the contrary, I believe they’re your strongest line of defense. For more on how to leverage threat modeling and pre-social engineering to prioritize a security culture, listen to my full interview with Nabil. Or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.


Vaccine Security is Not Exclusive to Pfizer, Moderna, and Johnson & Johnson: Here’s Why

Unless you’re Pfizer, Moderna, or Johnson & Johnson, you may not consider your biotech or pharmaceutical organization a lucrative target for cyberattacks as COVID-19 vaccine production and distribution ramps up. However, it is important to note that the larger, well known organizations in the vaccine pipeline are well funded and staffed and have the ability to prioritize cyber security – and sophisticated adversaries know this well. In turn, this makes smaller organizations involved in vaccine development, distribution, and administration a prime target.

Notably, we expect to see increased threat activity among the small to midsized biotech organizations that are collecting patient data or have access to vaccine research and development (R&D) information. Whether or not your organization is working directly or indirectly with the COVID-19 vaccine, there’s a lot to learn from the security concerns and activity to date. In this article, we explore the motivations for vaccine cyber security threats, reasons why biotech organizations should prioritize security, and pragmatic steps organizations can take now to proactively prepare for imminent attacks.

The vaccine security threat landscape

Cybercrime is known to increase amid chaos or crisis, when people are the most vulnerable. And the COVID-19 pandemic is certainly no exception. Large-scale data breaches increased 273 percent in the first quarter of 2020 versus 2019. The U.N. Security Council reported a massive 350 percent increase in phishing websites in the first quarter of 2020, many targeting hospitals and healthcare systems. And now, capitalizing on the vaccine rollout, the number of phishing attacks targeting the healthcare industry increased by 189 percent from December 2020 to February 2021.

There are three realistic motivations for adversaries as it pertains to vaccine security: 1) the theft of personal health data, 2) to compromise business systems, and 3) to access intellectual capital. To gain a better understanding of the threat landscape, let’s take a deeper look at each scenario.

To steal sensitive health data:

Protected health information (PHI) includes identifiable information in a person’s health data records, such as health details, date of birth, Social Security number, fingerprints, and even financial information. Given biotech firms are working with patients to develop and test vaccines in a medical setting, they are also responsible for managing and securing PHI. PHI can be used by adversaries for identity theft, medical fraud, access computer networks, and to learn more about the capabilities and processes of an organization for future large-scale attacks.

To access intellectual capital:

An approved vaccine is a very valuable source of intellectual capital. COVID-19 vaccine production data is extremely valuable today as the global race to administer vaccines continues. Biotech firms house a lot of intellectual capital, from R&D information to vaccine formulas to testing and drug trial data, making them a lucrative target. According to research from F5, “threat actors in this case are advanced cyber attackers, either working for or hired by nation states. This makes them the most capable and well-resourced threat that organizations could face.”

In early 2021, the European Medicines Agency (EMA), a regulatory agency tasked with vaccine assessments and approvals for the EU, found that hackers stole COVID-19 vaccine data belonging to Pfizer and BioNTech. Further, leveraging intellectual capital for misinformation is another key motivator. The data in the EMA breach had been leaked online only after manipulating the exfiltrated data to undermine public trust in the vaccine.

To compromise business systems:

Whether it’s a ransomware attack on a healthcare organization or an attack on the vaccine appointment scheduling software, adversaries could also aim to interfere with business operations in the vaccine pipeline. Biotech firms have a critical role to play in ensuring the security of its partners.

Third-party security is a major challenge for healthcare organizations – and one that is very relevant to vaccine rollouts. A 2020 survey of healthcare CISOs, CIOs, and other C-suite leaders discovered that four out of five organizations experienced a cybersecurity breach precipitated by a third-party vendor over the past year.

Right now, there are many third-parties working hand-in-hand with biotech firms to coordinate the rollout of the COVID-19 vaccine, from logistics and transportation to the on-site distribution locations. How can we ensure each organization involved follows the right security protocols? A recent example of a third-party breach attempt is the targeted attacks on cold storage company Americold and global firm Miltenyi Biotec. The companies were targeted with cyberattacks in an apparent attempt to disrupt the vaccine supply chain.

Making the case for cyber security in biotech, pharma, and other healthcare industries

We recently attended a webinar on medical device security presented by Kevin McDonald, a cyber security advisor for Mayo Clinic. At the end of the discussion Kevin highlighted the core drivers for security investments in healthcare: patient care, revenue loss, and public perception.

Above all, continuation of patient care is the end goal of all security activities in healthcare organizations. Security is put in place to not hinder the quality of care, but to ensure it can continue without interruption from adversaries.

Revenue loss and public perception are fairly self-explanatory for most healthcare organization, but there are some nuances regarding the biotech industry. The goal of many biotech firms is to raise funds and eventually get purchased, and according to Silicon Valley Bank, in 2020 acquisitions of biotech startups increased. If your organization experiences a security breach, your chances and/or valuation may decrease given the increased risk and the reputational damage created.

4 security activities to implement to proactively protect your assets

Once you’re aware of the most likely risks, it’s important to understand the steps you can take to proactively protect your organization and its sensitive data. To get started, here are four activities we recommend:

  • Red teaming: Red team operations allow you to test your security controls and processes for a specific target or goal, such as vaccine formulas or patient social security numbers. Hire a red team or equip your internal red team with the right tools to simulate the stealthy approach a real adversary would take.
  • Detective control testing: Correctly configured detective controls are vital to network security. Test your detective controls against the tactics, techniques, and procedures (TTPs) used by real-world attackers to ensure your layers of
    defense in depth are working as intended.
  • Internal network penetration tests: Given the increase in phishing attempts and the vulnerability of humans in a crisis scenario, it’s likely that sophisticated adversaries will inevitably find a way to access your network. This is where internal network penetration tests prove necessary. An internal network
    penetration test
    evaluates a network for security vulnerabilities and provides actionable recommendations for remediation. It allows an organization to discover where your internal network gaps are before an adversary does.
  • Continuous testing: Often it is the case that an organization’s attack surfaces are only evaluated via a penetration test on an annual basis. Implementing more
    frequent, lighter touch tests
    throughout the year, or when a new technology or partner is added to your infrastructure, helps teams stay up to date on any recently introduced vulnerabilities.

Forbes Technology Council: The Secret To A Successful Cyber Security Acquisition: Culture

On April 7, 2021, NetSPI Chief Technology Officer (CTO) Brady Bloxham was featured in Forbes Technology Council:

It’s no secret that cybersecurity is a lucrative industry for acquisitions. According to CSO Online, deal activity in 2020 did not slow — even in the midst of a pandemic. There are several reasons why an acquisition could occur. From the perspective of an acquiring company, motives can include gaining greater market share, obtaining specialized talent and expanding technical capability — and the list goes on.  

Amid the excitement of an acquisition and the hours of work that go into a post-deal integration process, the perspective of the company being acquired can often get lost in the noise. Given the sheer volume of security industry acquisitions, I wanted to share my advice with other technology entrepreneurs that may be considering an acquisition or at the beginning stages of their journey. 

First, some background. In December 2020, the company I built was acquired. After years of deleting emails from private equity firms, venture capitalists and M&A advisors, I decided it was time to entertain the idea when a company I respected technically reached out. I was extremely proud of what we had built and wanted to reach and impact more businesses with the technologies, services and methodologies that we had built. I felt a personal obligation to find an organization that would align with my goals for the future and that my team would feel proud to be part of.  

How did I do it? Read the full Forbes Technology Council article to learn the four core values I kept top of mind throughout the process.


TechTarget: 6 ways to prevent insider threats every CISO should know

On April 6, 2021, NetSPI Managing Director Nabil Hannan was featured in TechTarget:

Chief information security officers, or CISOs, around the world have come to learn from the SolarWinds manual supply chain attack that insider threats are a real issue, one that must be prioritized in 2021. The breach also brings to light an underdiscussed application security challenge: developers writing malicious code that can later be exploited.

The frequency and financial impacts of insider threats have grown dramatically in the past two years. In a recent Ponemon Institute report, the overall average cost of insider threats per incident increased by 31% from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020.

Building off the lessons learned from the SolarWinds breach, here are six steps CISOs can take to prevent insider threats.

  1. Change your mindset around your threat landscape

  2. Employ threat modeling

  3. Map out potential insider threat exposure

  4. Enact a proactive and ongoing insider threat detection governance program

  5. Define risk scenarios and escalation steps

  6. Push for holistic solutions for long-term protection

Read the full article here:


Why Offense in Depth is Vital to Red Team Operations

By now, security leaders understand the importance of defense in depth, or layered security. If one defensive security control fails, there is another to prevent or minimize damage done by an attacker. And it has proven successful: According to a Forrester survey, organizations that implemented defense in depth experienced fewer breaches.

Offense in depth is a lesser-known term than defense in depth, but equally as important. Google “offense in depth” and you will find links to NFL offensive strategies and depth charts before you find content centric to cybersecurity, but the idea isn’t much different. What happens when your star quarterback gets injured? Do you have offensive strategies and solid backups in place? In offensive security, what happens when your red team is detected by an endpoint detection and response (EDR) tool? Do you have the necessary tools and capability to seamlessly recover and continue the operation?

The importance of offensive cyber security

Many organizations tend to operate cyber security defensively or reactively. For example, patching vulnerabilities or implementing a new security tool after experiencing a breach. This is especially true for organizations that belong to an industry with significant regulatory or government compliance pressures, such as healthcare or financial services. Offense in depth, on the other hand, encourages a proactive and adversarial approach to cyber security. And there is room for both in every cyber security strategy.

Defensive programs often focus on regulatory standards, certifications, best practice frameworks, or the latest compliance guidelines required by the auditors. While important, at the end of the day it is imperative to remember that we are not defending against an auditor or a checklist. We are defending against a living, breathing, intelligent adversary that knows how to stealthily penetrate and pivot through a network undetected. Adversaries do not care about our checklists nor whether you passed your audit. They care about one thing: getting in and getting access to the targeted information undetected.

To better defend against real-world threats, an effective offensive testing strategy is critical. Famous football coach Vince Lombardi said, “Practice does not make perfect. Only perfect practice makes perfect.” Again, the sports analogy applies nicely to cybersecurity. The offensive testing we perform must reflect the types of real-world threats our organization faces each day. If not, how can we expect to detect those attacks when they actually occur? To accomplish this, our offensive testing capability must have the maturity and resiliency of real-world attackers. This is why offense in depth is critical to improving defense in depth.

Identify weaknesses in your defense in depth

Just as penetration testing identifies weaknesses in your network, applications, and cloud platforms, offense in depth identifies weaknesses in your defense in depth. Without extensive offensive testing across multiple tools and capabilities, how can we ensure that our defensive security layers are working as intended?

Defense in depth includes a combination of administrative, physical, and technical controls. Your offensive security activities should match those layers to validate controls. To achieve this, you must use sophisticated offensive attack techniques through all phases of an attack chain, including initial access, discovery, pivoting, persistence, privilege escalation, and the often-overlooked data exfiltration. Once weaknesses are identified, work with defensive teams to improve detection capabilities.

Red teams cannot rely on a single tool or approach

Red teams cannot not rely on a single offensive tool or approach when conducting an operation. When a defensive control detects an attack or prevents it from happening, red teams need additional tools and capabilities in their arsenal to adapt on the fly to an engagement – just as real-world attackers would. The more sophisticated, persistent adversaries do not stop their attempts after only hitting the first or second layers of defense.

To think like an adversary and achieve offense in depth, red teams need to understand how to adopt the tactics, techniques and procedures (TTPs) associated with a specific threat actor or threat actor groups. As defense in depth can include dozens of tools, from endpoint detection to firewalls to antivirus, offense in depth requires tools that can leverage defensive evasion techniques, such as syscalls for stealthy code injection, in-memory obfuscation, and logging bypasses (AMSI, ETW, PowerShell, etc.).

You cannot achieve successful defense in depth without good offense in depth – and vice versa. As you develop your defense in depth strategy, also consider implementing offense in depth to support your adversary simulation and red team operations and, in turn, stay a few steps ahead of real-world threats.

Discover why security operations teams choose NetSPI.