One year ago, malicious nation-state actors targeted JBS USA, the world’s largest meat supplier and a critical player in critical infrastructure. This global corporation processes roughly one-fifth of the nation’s meat supply, and overnight, its facilities were forced to shut down, severely impacting the global supply chain. The organization quickly remediated the attack to mitigate any long-term damage to the global food market. However, this came at a price, with JBS paying the attackers a steep $11 million ransom. 

The JBS ransomware attack underscores a critical flaw in our thinking: threats related to the security of our critical infrastructure go beyond high visibility sectors like transportation, oil, and gas – any organization that provides goods or services is at risk.  

However, while the possibility of attacks may be growing given an ever-changing attack surface and heightened threat environment, the tactics malicious actors deploy are not necessarily new. In fact, they’re likely using basic techniques to enter corporate networks, remain undetected, identify weak links, and demand whatever ransom will get them access to funds in the quickest manner possible. 

As we reflect on the JBS ransomware attack, here are some simple ways organizations across all facets of critical infrastructure can better bolster their networks against malicious activity.  

For advice on ransomware detection and prevention, read our guide. 

1. Proactive: Patch Your Systems 

The best way to deter malicious actors from entering corporate systems is to close every potential window for entry, starting with the ones that generate the most risk to your business. With hacking techniques evolving every day, cybercriminals are finding ways to get around even the most complex security features.  

Every company, regardless of size or industry, must take a proactive approach to their security measures, harnessing resources like breach and attack simulation or continuous penetration testing to identify, validate, and prioritize vulnerabilities on internal, internet facing, and cloud-based IT infrastructure. Then, take the necessary steps to patch all vulnerabilities.  

While automated tools should play a role in this process, as they ensure 24/7 coverage, businesses must not forget the power of human intellect and experience in the vulnerability management process. To improve critical infrastructure cybersecurity efforts, IT teams must leverage their skilled teams, or partner with a trusted-third party penetration testing firm, to complement their technology solutions and fix vulnerabilities more frequently and strategically. To understand what to look for when choosing a penetration testing company, view our tip sheet. 

2. Proactive: Use Multi-factor Authentication 

To combat the growing threat of critical infrastructure cybersecurity attacks, multi-factor authentication (MFA) methods must become common protocol. MFA requires users to validate their identity in two or more ways to gain access to corporate assets like accounts and resources.  

While this may seem like a standard, straightforward practice, authentication protocols still serve as a challenge for security leaders. There are often restrictions as to what IT can and cannot implement as forms of authentication within an organization, and they’re also limited in what their users will easily adopt in a short period of time. When building a strong authentication program, leaders should consider the following: 

• Use user behavior analysis to improve your authentication practices. Anytime you detect abnormal user behavior, require them to re-authenticate. Build authentication directly into your application behavior monitoring capabilities.
• Establish policies for safe password storage. Use what works best for your organization. This is the most important step in any authentication strategy.
• Require users to set strong, complex passwords. NIST publishes guidelines on password best practices that users should follow.
• Practice the Principle of Least Privilege to limit access to sensitive information. 

3. Proactive: Limit Network Access 

Every corporate user does not require access to all aspects of the network. The more people with access to sensitive information, the greater the exposure risk.  

CISA’s Principle of Least Privilege states that “A subject should be given only those privileges needed for it to complete its task,” and “If a specific action requires that a subject’s access rights be augmented, those extra rights should be relinquished immediately upon completion of the action.” 

This extra layer of security ensures that unsuspecting employees do not unintentionally give hackers access to important information that could deploy a critical infrastructure attack, should they become victim to a phishing attack. 

4. Reactive: Do Not Pay the Ransom 

The U.S. government recommends that businesses do not pay ransoms – regardless of the circumstance – as this payment does not actually guarantee that a business will get its data back after the ransom is paid.  

Instead of working with the malicious party, organizations should contact law enforcement to get their data back and their systems online. While this may take longer than paying a ransom, it will help deter the hackers from striking again, as they will be left without any monetary gain – which is their primary goal. 

Today, all aspects of our critical infrastructure are at risk. The onus is on businesses residing in priority sectors to establish multi-faceted proactive security strategies to mitigate both potential ransomware attacks, and potential disruption if they do fall victim to attack.  

We must make it as hard as possible for cybercriminals to carry out their plans. If they can’t access critical infrastructure data in the first place, they can’t demand ransom, and our day-to-day society is less likely to be subjected to chaos and disruption. 

Christian Gallicchio

Technology cannot solve our greatest cybersecurity challenges. At least not on its own. 

Last month, NetSPI held its 2022 Employee Kickoff event in-person after a long two-year hiatus. Nearly 300 employees from across the globe came together in the North Loop neighborhood of Minneapolis, just steps from NetSPI headquarters.  

The day was buzzing with great energy from the get-go as we reunited with our friends and colleagues, met people in-person for the first time, and got to experience firsthand what an incredible workplace culture NetSPI has. 

Amidst the keynotes, build-your-own lego Scan Monster races, and live 90’s rock band, one thing became abundantly clear: the power that comes from bringing people together face-to-face to form relationships, share ideas, and collaborate is unmatched. 

All too often in the high-growth cybersecurity industry, we view technology as the ‘silver bullet’ against today’s threat actors. But at the end of the day, it’s people who will solve the greatest challenges we face. 

Reflecting on the day, I wanted to share four takeaways that highlight the importance of the human impact in the tech industry.

The cyber arms race can only be won through the intersection of technology and talent 

We cannot rely solely on technology to win this cyber “arms race” we’re experiencing today. We often find ourselves myopically focused on technology to solve difficult problems. And while technology and automation are critical, our industry will not thrive on tech alone.  

The only way that the good guys will come out on top is through the intersection of technology and talent. 

Technology should enable humans to do their job in a more effective and efficient way, and we should remember to view it through this lens. For example, during the NetSPI Employee Kickoff Event, we revealed a couple of Resolve updates to our security consultants who use the vulnerability management and penetration testing platform. We updated notification settings to be more customizable and created a portal for all project kickoff documentation and tracking. These are fairly simple and administrative updates, but it nearly resulted in a standing ovation for our product and development teams. 

Again, technology enables humans to do what they do best. In this case, we found a way to limit notifications and streamline a mundane process to free up our pentesters’ time, enable them to do the work they enjoy, and ultimately find more business-critical vulnerabilities for our clients. 

As we’re all aware, recruiting and retaining a team with the right cyber talent is incredibly hard in a market where unemployment is 0%. But simply assembling a team with the right technical skills is far from enough. It is vital to tackle cybersecurity with empathy, curiosity, and creativity – all traits that only humans can possess. 

“Culture eats strategy for breakfast” 

Peter Drucker stated, “Culture eats strategy for breakfast.” And he was right. 

Culture and values define who you are. They drive innovation in technology, how teams collaborate, and the service clients receive and how they perceive you. 

NetSPI Chief Revenue Officer Alex Jones said it well in his keynote, “Values represent whatever is important to YOU.” Work is important… and so is everything else. Employees should get to spend time doing what they enjoy in and outside of the workplace. Once organizations recognize this, it becomes much easier to embrace a values-driven culture. 

A strong culture requires teams working authentically and in concert with each other, a task that became increasingly difficult during a global pandemic that sent most organizations, including NetSPI, to operate fully remote. 

I believe we have underestimated the power of in-person, human connection. Bringing 300 people together in-person certainly had its risks, but it was immediately evident how valuable the human connection was in driving collaboration and building relationships – and in turn improving the customer experience and the team’s performance. 

Collaboration and diverse perspectives are key to solving the most difficult challenges 

In cybersecurity and at NetSPI, we solve client challenges every day, often for the largest organizations in the world. We succeed at solving the most difficult of these challenges when collaboration and diverse thoughts reign. 

One thing I noticed at the event was that sales didn’t cling to their sales peers, services didn’t cling to their services peers, leadership didn’t cling to their fellow leaders. Although it can be difficult, breaking down departmental silos within an organization can cultivate idea sharing and welcome new perspectives across the organization. This event helped us make big strides toward that goal. 

Allowing everyone to have a seat at the table and feel comfortable speaking up and sharing their ideas is something that we value greatly at NetSPI. After all, diverse thought fuels innovation. 

In-person events can help you uncover the Purpose that your team will rally around 

After the event, I challenged myself to think hard about what my employees really care about. What can I do as a leader to deliver on that purpose and adhere to my employee’s values? Am I creating a workplace environment that allows them to adhere to their values? 

These events tend to be a wakeup call around a greater mission. And a presentation from our philanthropic partner, the Masonic Children’s Hospital, did just that. 

The Director of Development at the Hospital, Nicholas Engbloom, shared a powerful story about Minnesota Gopher placeholder Casey O’Brien and his journey battling cancer. For those unfamiliar with Casey, I’d encourage everyone to listen to his story.  

It was clear how much the story and our partnership with the Masonic Children’s Hospital resonated with and empowered our employees. It showed me how powerful it is for our employees to rally around a greater sense of Purpose and give back to the community. I’m excited to ramp up our philanthropic activities with the hospital and other organizations this year. 

Investments that you make as an organization to bring your team members together have incredible Return on Investment (ROI) – and that’s just the ROI we can measure. To other cybersecurity business leaders considering an all-employee in-person event, I couldn’t recommend it more.  

People are the key to solving the world’s biggest cybersecurity challenges. And the organizations that are enabling employees through tech and creating a values-driven workplace culture will be the ones leading the charge. 

I’ll leave you with some incredible dance moves, courtesy of the NetSPI team. Check out this video recap for highlights from the NetSPI 2022 Employee Kickoff:

Want to join us next year? NetSPI is hiring!

Aaron Shilts

This is part two of our blog series that delves into cybersecurity for the financial services industry.

In part one, we discuss the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations.

In this part, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their regulators and leadership peers. We’ll also discuss opportunities to improve those metrics and address key challenges CISOs experience when building mature programs.

Let’s dive in.

Three Cybersecurity Metrics to Help Financial Institutions Tell Their Story to Regulators

The rise in cyberattacks against financial institutions means heightened scrutiny from bank regulators and more stringent compliance requirements. So, how can banks provide a thorough assessment of their security program to show regulators that they’re meeting regulatory requirements – and are keeping consumers and their data safe?

We can achieve that by identifying and keeping track of cybersecurity metrics that tell a powerful story.

These metrics are critical in two scenarios: to communicate your security program maturity and compliance to financial services industry regulators and to your leadership team/board to make the case for additional budget or resources.

When using metrics, keep in mind context over time is a key success factor for communication on trends. And consider the alignment with other metrics used to measure overall business success.

Cybersecurity metrics are historically challenging to determine as they don’t correlate directly to revenue or profit gain and are often proactive in nature. However, if you choose wisely they can help you benchmark your current cybersecurity program and show how your investments have impacted your organization over time.

To set a solid metric foundation, consider these three key cybersecurity metrics:

1. Asset footprint: Anything that gives an accurate depiction of all your assets may be considered your asset footprint. This includes ephemeral assets (e.g., auto scaling compute or containers) and the number of endpoints per dollar of assets under control. For example, in endpoint management, you’re managing the number of devices, servers, or systems that are trying to access your company’s network. Taking inventory of all endpoints provides you with a better view of your security posture and how much it costs to manage your assets. The caveat is that this method works now, but not ideal for measuring your assets moving forward.
2. Time to remediation: How long does it take to fix your critical vulnerabilities? What is the time it took to identify critical issues from discovery to vulnerability remediation? Being able to track this context over time provides an overall assessment of your risk profile. A scenario to consider: if your company doubles in size but the number of vulnerabilities remains the same or has increased, you need to investigate that.
3. Percentage of revenue that makes up your cybersecurity budget: What percentage of the overall organizational revenue is being spent on cybersecurity? Is that spend increasing, but the number of vulnerabilities, security incidents, fraud reports, etc. remaining the same? Keeping track of your budget relative to your security outcomes can indicate the health of your program and areas that may require reevaluation.

For metric number three, you’ll need to partner with your CFO and finance team to track your progress over time. But for metrics one and two, it will be critical to formulate a plan to capture and improve these metrics to prepare for your next audit or budget meeting. Here are three ways to accomplish this:

• To measure and improve your asset footprint, leverage Attack Surface Management (ASM): ASM identifies and detects all known, unknown, and potentially vulnerable assets across your attack surface whenever there is exposure – not just what’s internet facing but in B2B network connections or peered cloud services too. ASM enables a comprehensive view of your environment from the outside in.
• To measure and improve time to remediation, leverage Penetration Testing as a Service (PTaaS): PTaaS combines technology with human expertise to find critical vulnerabilities that tools and traditional pentesting processes miss. The key here will be to work with a partner that can orchestrate and manage your vulnerabilities in a dynamic platform that allows you to track your remediation progress over time (see: NetSPI Resolve).

Check out these case studies to learn how two banks leveraged penetration testing to address the unique challenges financial firms face:

• NetSPI Addressing Financial Services Security Challenges Head-On
• NetSPI Testing Highlights Security Flaws for Leading Financial Services Firm

How to Articulate the Need for Budget

One of the challenges that we personally experienced in our roles as in-house security leaders and CISOs is the need to articulate budgetary needs to the leadership team and the board.

You need money and resources to employ the right people and acquire the necessary tools to protect your organization, right? This is correct, but you also need to recognize that the metrics you’re currently sharing may not align with the priorities of the CEO or the board. This gets even more challenging when the CEO or board hasn’t funded these initiatives historically.

So, what are ways you can effectively approach this?

First, understand that it’s not about confronting the board or the CEO. It’s about empowering them to articulate the risks they’re willing to take (e.g., risk of a possible breach, exposing consumer PII, etc.)

It’s important to engage with your leadership team and spend the time building this relationship so you both are aligned with the security or control posture of the organization. Security leadership should never operate in a silo.

Second, don’t tell half the story, tell the whole story. Explain how your budget decisions align with the company’s priorities: generating revenue, achieving company goals, maintaining a positive public reputation, etc. Articulate your metrics in the terms and language they understand to effectively tell you cybersecurity maturity story and make the case for additional support.

For more on this topic, read How To Eliminate Friction Between Business and Cyber Security.

Strategic Cybersecurity for Financial Institutions

More than ever, it’s important to be strategic when improving cybersecurity in the financial industry. Here are two things to consider to set you on the right path toward security program maturity:

• Tool overload and alert fatigue. Be mindful of purchasing capabilities you can’t manage or extract the value from. Why? Because you’re going to have to find the people to address all the data you aggregate. This lack of alert coverage and response could result in hesitancy from your leadership team or regulators.
• Technical leaders vs. security leaders. When you hire, ensure that your technical team also understands security and why it matters to your business. Someone with a technical background may not truly grasp security concepts and strategy. Ensure you have a balanced team that can help you articulate your metrics as outlined above.

If there is one thing we want you to take away from this blog post, it is this: financial cybersecurity is an ongoing effort – it is a not a point-in-time commitment. Continuous improvement is essential to telling your cybersecurity story – and the metrics you choose to measure and the way you communicate them will be the backbone of that story.

Travis Hoyt

Norman Kromberg

What is the typical authentication setup for personal online accounts? The username and password. 

For too long, we have depended on this legacy form of authentication to protect our personal data. As more people rely on the internet to manage their most important tasks — online banking, applying for loans, running their businesses, communicating with family, you name it — many companies and services still opt for the typical username and password authentication method, often with multi-factor authentication as an option, but not a requirement.  

To combat the sophisticated attacks of hackers today, multi-factor authentication methods must be considered the bare minimum. [For those unfamiliar with the concept, multi-factor authentication, or MFA, requires the user to validate their identity in two or more ways to gain access to an account, resource, application, etc.] Then, starting on that foundation, security leaders must consider what other identity and access management practices can they implement to better protect their customers? 

For more insights on this global challenge, we spoke with authentication expert Jason Soroko, CTO-PKI at Sectigo, during episode 40 of the Agent of Influence podcast to learn more about the future of multi-factor authentication, symmetric and asymmetric secrets, digital certificates, and more. Continue reading for highlights from our discussion or listen to the full episode, The State of Authentication and Best Practices for Digital Certificate Management. 

Symmetric Secrets vs. Asymmetric Secrets  

The legacy username and password authentication method no longer offers enough protection. Let’s take a deep dive into symmetric secrets and asymmetric secrets to better understand where we can improve our processes. 

Symmetric secrets are an encryption method that use one key for both encrypting and decrypting a piece of data or file. Here’s a fun anecdote that Jason shared during the podcast: “Let’s say you and I want to do business. We agree that I could show up at your door tomorrow and if I knock three times, you will know it’s me. Well, somebody could have overheard us having that conversation to agree to knock three times. It’s the same thing with a username and password. That’s a shared symmetric secret.” 

According to Jason, the issue with this method is that the secret had to be provisioned out to someone or, in today’s context, keyed into memory on a computer. This could be a compromised endpoint on your attack surface. Shared secrets have all kinds of issues, and you only want to utilize them in a network where the number of resources is extremely small. And we should no longer use them for human authentication methods. 

Instead, we need to shift towards asymmetric secrets.   

Asymmetric secrets, which are used to securely send data today, have two keys: private and public. The public key is used for encryption purposes only and cannot be used to decrypt the data or file. Only the private key can do that. 

The private key is never shared; it never leaves a secured place (e.g., Windows 10, Windows 11, trusted platform module (TMP), etc.) and it’s what allows the authentication to occur securely. Not only that, but asymmetric secrets don’t require the 123 steps of authentication, improving the user experience overall. The ability for a hacker to guess or steal the asymmetric secret is much more difficult because it is in a secure element, Jason explains. 

Of course, some organizations have no choice but to stick with ancient legacy systems due to financial reasons. But the opportunity here is to complement that legacy authentication method with other controls so you can enhance your authentication system. 

Pitfalls of SMS Authentication 

If you’re considering SMS authentication, I hate to be the breaker of bad news, but that doesn’t offer comprehensive protection. SMS authentication was never built to be secure, and it was never intended to be used the way it is used popularly today. Now, not only do we have the issue of people using a protocol that’s inherently insecure by design, but hackers can easily intercept authentication messages sent via SMS. 

As Jason shared on the podcast, the shocking truth is that SMS redirection is commercially available. It only costs around $16 to persuade the telecommunications company to redirect SMS messages to wherever you want them to go, which shows how easily hackers can obtain messages and data. 

Learn more about telecommunications security, read: Why the Telecoms Industry Should Retire Outdated Security Protocols. 

Three Best Practices for Managing Digital Certificates 

Even with the implementation of multi-factor authentication, how do you know if a person or a device is trustworthy to allow inside your network? 

You achieve that with digital certificates also known as public key certificates. They’re used to share public keys and verify the ownership of a public key to the person or device that owns it. 

With so many people moving to remote work, this only amplifies the number of digital certificates to authenticate each day. It’s important to manage your digital certificates effectively to mitigate the risk of adversaries trying to access your organization’s network. 

For additional reading on the security implications of remote work, check out these articles: 

• COVID-19: Evaluating Security Implications of the Decisions Made to Enable a Remote Workforce
• Keeping Your Organization Secure While Sending Your Employees to Work from Home 

To get you started toward better digital certificate management, Jason shared these three best practices: 

1. Take inventory: Perform a proper discovery of all the certificates that you have (TLS, SSL, etc.) to gain visibility into how many you have.
2. Investigate your certificate profiles: Take into consideration your DevOps certificates, your IoT certificates, etc., and delve into how the certificates were set up, who set them up, how long the bit-length is, and whether is it a proper non-deprecated cryptographic algorithm.
3. Adapt to new use cases: Look towards the future to determine if you can adapt to new use cases (e.g., can this be used to authenticate BYOD devices or anything outside the Microsoft stack, how will the current cryptographic algorithms today differ in the future, what about hybrid quantum resistance, etc.). 

The Future of Multi-Factor Authentication 

As mentioned at the beginning for this article, multi-factor authentication should be considered the bare minimum, or foundation, for organizations today. For organizations still on the fence about implementing this authentication method, here are three reasons to start requiring it: 

• A remote workforce requires advanced multi-factor authentication to verify the entities coming into your network.
• Most cyberattacks stem from hackers stealing people’s username and password. Multi-factor authentication adds additional layers of security to prevent hackers from accessing an organization’s network.
• Depending on which method your organization utilizes, multi-factor authentication provides a seamless login experience for employees — sometimes without the need for a username or password if using biometrics or single-use code. 

More organizations are choosing to adopt multi-factor authentication and we can only expect to see more enhancements in this area.  

According to Jason, artificial intelligence (AI) will play an important role. Take convolutional neural networks for example. This is a type of artificial neural network (AAN) used to analyze images. If we were to apply convolutional neural networks to cybersecurity, we could train it to identify malicious known binaries or patterns quickly and accurately. Of course, this is something to look forward to in the foreseeable future. 

An area we’ve certainly made much progress on, though, is the ability to use machine learning to determine malicious activity in the credit card fraud detection space. 

Multi-Factor Authentication is Only the First Step 

At a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.  

Cyberwarfare coupled with a remote workforce and government scrutiny should prompt companies everywhere to bolster their cybersecurity defenses. The authentication methods and best practices Jason Soroko shared with me on the Agent of Influence podcast are a step in the right direction toward protecting your organization, employees, and — most importantly — your customers. 

Nabil Hannan