Critical Infrastructure Security: 1 Year After the JBS Ransomware Attack

One year ago, malicious nation-state actors targeted JBS USA, the world’s largest meat supplier and a key player in critical infrastructure. This global corporation processes roughly one-fifth of the nation’s meat supply, and overnight, its facilities were forced to shut down, severely impacting the global supply chain. The organization quickly remediated the attack to mitigate any long-term damage to the global food market. However, this came at a price, with JBS paying the attackers a steep $11 million ransom. 

The JBS ransomware attack underscores a critical flaw in our thinking: threats related to the security of our critical infrastructure go beyond high visibility sectors like transportation, oil, and gas – any organization that provides goods or services is at risk.  

However, while the possibility of attacks may be growing given an ever-changing attack surface and heightened threat environment, the tactics malicious actors deploy are not necessarily new. In fact, they’re likely using basic techniques to enter corporate networks, remain undetected, identify weak links, and demand whatever ransom will get them access to funds in the quickest manner possible. 

As we reflect on the JBS ransomware attack, here are some simple ways organizations across all facets of critical infrastructure can better bolster their networks against malicious activity.  

For advice on ransomware detection and prevention, read our guide. 

1. Proactive: Patch Your Systems 

The best way to deter malicious actors from entering corporate systems is to close every potential window for entry, starting with the ones that generate the most risk to your business. With hacking techniques evolving every day, cybercriminals are finding ways to get around even the most complex security features.  

Every company, regardless of size or industry, must take a proactive approach to its security measures, harnessing resources like breach and attack simulation or continuous penetration testing to identify, validate, and prioritize vulnerabilities on internal, internet-facing, and cloud-based IT infrastructure. Then, take the necessary steps to patch all vulnerabilities.  

While automated tools should play a role in this process, as they ensure 24/7 coverage, businesses must not forget the power of human intellect and experience in the vulnerability management process. To improve critical infrastructure cybersecurity efforts, IT teams must leverage their skilled staff, or partner with a trusted third-party penetration testing firm, to complement their technology solutions and fix vulnerabilities more frequently and strategically. To understand what to look for when choosing a penetration testing company, view our tip sheet. 

2. Proactive: Use Multi-factor Authentication 

To combat the growing threat of critical infrastructure cybersecurity attacks, multi-factor authentication (MFA) methods must become common protocol. MFA requires users to validate their identity in two or more ways to gain access to corporate assets like accounts and resources.  

While this may seem like a standard, straightforward practice, authentication protocols still serve as a challenge for security leaders. There are often restrictions as to what IT can and cannot implement as forms of authentication within an organization, and they’re also limited in what their users will easily adopt in a short period of time. When building a strong authentication program, leaders should consider the following: 

  • Use user behavior analysis to improve your authentication practices. Anytime you detect abnormal user behavior, require them to re-authenticate. Build authentication directly into your application behavior monitoring capabilities.
  • Establish policies for safe password storage. Use what works best for your organization. This is the most important step in any authentication strategy.
  • Require users to set strong, complex passwords. NIST publishes guidelines on password best practices that users should follow.
  • Practice the Principle of Least Privilege to limit access to sensitive information. 

3. Proactive: Limit Network Access 

Not every corporate user requires access to all aspects of the network. The more people with access to sensitive information, the greater the exposure risk.  

CISA’s Principle of Least Privilege states that “A subject should be given only those privileges needed for it to complete its task,” and “If a specific action requires that a subject’s access rights be augmented, those extra rights should be relinquished immediately upon completion of the action.” 

This extra layer of security ensures that employees who fall victim to a phishing attack cannot unintentionally hand attackers access to sensitive information that could be used to mount a critical infrastructure attack. 

4. Reactive: Do Not Pay the Ransom 

The U.S. government recommends that businesses do not pay ransoms – regardless of the circumstance – as this payment does not actually guarantee that a business will get its data back after the ransom is paid.  

Instead of working with the malicious party, organizations should contact law enforcement to get their data back and their systems online. While this may take longer than paying a ransom, it will help deter the hackers from striking again, as they will be left without any monetary gain – which is their primary goal. 

Today, all aspects of our critical infrastructure are at risk. The onus is on businesses residing in priority sectors to establish multi-faceted proactive security strategies to mitigate both potential ransomware attacks, and potential disruption if they do fall victim to attack.  

We must make it as hard as possible for cybercriminals to carry out their plans. If they can’t access critical infrastructure data in the first place, they can’t demand ransom, and our day-to-day society is less likely to be subjected to chaos and disruption. 

Ready to get proactive against ransomware attacks? Connect with NetSPI today to learn more about our ransomware attack simulation services.

VMblog: 4 Years of GDPR: Expert Commentary Shared

On May 25, 2022, NetSPI Managing Director, Steve Bakewell, was featured in an article in VMblog called 4 Years of GDPR: Expert Commentary Shared. Preview the article below, or read the full article online.


Wednesday, May 25th marks the four year anniversary of the EU-wide General Data Protection Regulation (GDPR) enforcement. It comes as a timely reminder to all of us about the importance of data privacy as an increasing number of cyberattacks continue to take place. 

To commemorate the milestone during this anniversary period, a few industry experts from various companies have shared their expertise and thoughts with VMblog.

Steve Bakewell, Managing Director EMEA, NetSPI:

“On the fourth anniversary of the GDPR, it’s fair to say the legislation has impacted both consumers and companies alike. Consumers are more aware of the value of their personal data and how companies collect and use it, which is increasingly informing the choices they make as well as the brands and services they trust. Data breach notification rules have increased transparency and cookie warnings are everywhere, yet remain inconsistent. This lack of consistency is being addressed by the EU within its wider ePR (ePrivacy Regulation) update, which serves as an example that regulations tend to change over time.

Companies have done a lot of work to bring their systems and processes in line with the GDPR, but it is a continuous exercise. In the same way regulations change, so does technology. For example, the increasing uptake in cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud.

Moving forward, companies should be confident they have mapped out the data lifecycle for the organisation, including what it is, where it is, how it is collected, stored, processed and deleted. Understand and implement both privacy and security requirements in systems handling the data, then test accordingly across all systems, on-prem, cloud, operational technology, and even physical, to validate controls are effective and risks are correctly managed.”

Read the full article online.


VentureBeat: The State of the GDPR in 2022: Why So Many Orgs are Still Struggling

On May 25, 2022, NetSPI Managing Director, Steve Bakewell, was featured in an article in VentureBeat called The State of the GDPR in 2022: Why So Many Orgs are Still Struggling. Preview the article below, or read the full article online.


Today marks the fourth anniversary of the EU’s General Data Protection Regulation (GDPR), which originally came into effect in May 2018, and forced organizations to rethink the way they collect and store data from EU data subjects. 

The GDPR gave consumers the right to be forgotten, while mandating that private enterprises needed to collect consent from data subjects in order to store their data, and prepare to remove their information upon request. 

However, even years after the legislation went into effect, many organizations are struggling to maintain regulatory compliance while European regulators move toward stricter enforcement actions. 

For example, Facebook is still having difficulties complying with the GDPR, with Motherboard recently discovering a leaked document revealing that the organization doesn’t know where all of its user data goes or how it’s processed. 

Of course, the challenge of GDPR compliance isn’t unique to Facebook. In fact, Amazon, WhatsApp, and Google have all had to pay 9-figure fines to European data protection authorities. 

But why are so many organizations failing to comply with the regulation? The answer is complexity.

Why GDPR Compliance is an Uphill Battle 

The widespread movement of organizations toward cloud services over the past few years has increased complexity on all sides. Organizations use applications that store and process customer data in the cloud, and often lack the visibility they need to protect these assets. 

“Companies have done a lot of work to bring their systems and processes in line with the GDPR, but it is a continuous exercise. In the same way regulations change, so does technology,” said Steve Bakewell, managing director EMEA of penetration testing provider NetSPI.

“For example, the increasing uptake in cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud,” Bakewell said. 

With more data stored and processed in native, hybrid, and multicloud environments, enterprises have exponentially more data to secure and maintain transparency over, that’s beyond the perimeter defenses and oversight of the traditional network. 

Organizations like Facebook that can’t pin down where personal data lives in a cloud environment or how it’s processed inevitably end up violating the regulation, because they can’t secure customer data or remove the data of subjects who’ve given consent. 

Read the full article online.


Enterprise Security Tech: GDPR Fourth Anniversary – Experts Share How Far We’ve Come and What We’re Still Missing

On May 25, 2022, NetSPI Managing Director, Steve Bakewell, was featured in an article in Enterprise Security Tech called Experts Share How Far We’ve Come and What We’re Still Missing. Preview the article below, or read the full article online.


May 25 marks four years since the introduction of GDPR, a law that completely transformed how organizations collect, store and protect user data. We heard from cybersecurity and privacy experts on how GDPR impacted the industry and their current thoughts on the law today and how it might impact the future.

Steve Bakewell, Managing Director EMEA, NetSPI

“On the fourth anniversary of the GDPR, it’s fair to say the legislation has impacted both consumers and companies alike. Consumers are more aware of the value of their personal data and how companies collect and use it, which is increasingly informing the choices they make as well as the brands and services they trust. Data breach notification rules have increased transparency and cookie warnings are everywhere, yet remain inconsistent. This lack of consistency is being addressed by the EU within its wider ePR (ePrivacy Regulation) update, which serves as an example that regulations tend to change over time.

Companies have done a lot of work to bring their systems and processes in line with the GDPR, but it is a continuous exercise. In the same way regulations change, so does technology. For example, the increasing uptake in cloud services has resulted in more data, including personal data, being collected, stored and processed in the cloud.

Moving forward, companies should be confident they have mapped out the data lifecycle for the organisation, including what it is, where it is, how it is collected, stored, processed and deleted. Understand and implement both privacy and security requirements in systems handling the data, then test accordingly across all systems, on-prem, cloud, operational technology, and even physical, to validate controls are effective and risks are correctly managed.”

Read the full article online.


Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can

Technology cannot solve our greatest cybersecurity challenges. At least not on its own. 

Last month, NetSPI held its 2022 Employee Kickoff event in-person after a long two-year hiatus. Nearly 300 employees from across the globe came together in the North Loop neighborhood of Minneapolis, just steps from NetSPI headquarters.  

The day was buzzing with great energy from the get-go as we reunited with our friends and colleagues, met people in-person for the first time, and got to experience firsthand what an incredible workplace culture NetSPI has. 

Amidst the keynotes, build-your-own LEGO Scan Monster races, and live ’90s rock band, one thing became abundantly clear: the power that comes from bringing people together face-to-face to form relationships, share ideas, and collaborate is unmatched. 

All too often in the high-growth cybersecurity industry, we view technology as the ‘silver bullet’ against today’s threat actors. But at the end of the day, it’s people who will solve the greatest challenges we face. 

Reflecting on the day, I wanted to share four takeaways that highlight the importance of the human impact in the tech industry.

The cyber arms race can only be won through the intersection of technology and talent 

We cannot rely solely on technology to win this cyber “arms race” we’re experiencing today. We often find ourselves myopically focused on technology to solve difficult problems. And while technology and automation are critical, our industry will not thrive on tech alone.  

The only way that the good guys will come out on top is through the intersection of technology and talent. 

Technology should enable humans to do their job in a more effective and efficient way, and we should remember to view it through this lens. For example, during the NetSPI Employee Kickoff Event, we revealed a couple of Resolve updates to our security consultants who use the vulnerability management and penetration testing platform. We updated notification settings to be more customizable and created a portal for all project kickoff documentation and tracking. These are fairly simple and administrative updates, but they nearly resulted in a standing ovation for our product and development teams. 

Again, technology enables humans to do what they do best. In this case, we found a way to limit notifications and streamline a mundane process to free up our pentesters’ time, enable them to do the work they enjoy, and ultimately find more business-critical vulnerabilities for our clients. 

As we’re all aware, recruiting and retaining a team with the right cyber talent is incredibly hard in a market where unemployment is 0%. But simply assembling a team with the right technical skills is far from enough. It is vital to tackle cybersecurity with empathy, curiosity, and creativity – all traits that only humans can possess. 

“Culture eats strategy for breakfast” 

Peter Drucker stated, “Culture eats strategy for breakfast.” And he was right. 

Culture and values define who you are. They drive innovation in technology, how teams collaborate, and the service clients receive and how they perceive you. 

NetSPI Chief Revenue Officer Alex Jones said it well in his keynote, “Values represent whatever is important to YOU.” Work is important… and so is everything else. Employees should get to spend time doing what they enjoy in and outside of the workplace. Once organizations recognize this, it becomes much easier to embrace a values-driven culture. 

A strong culture requires teams working authentically and in concert with each other, a task that became increasingly difficult during a global pandemic that sent most organizations, including NetSPI, to operate fully remote. 

I believe we have underestimated the power of in-person, human connection. Bringing 300 people together in-person certainly had its risks, but it was immediately evident how valuable the human connection was in driving collaboration and building relationships – and in turn improving the customer experience and the team’s performance. 

Collaboration and diverse perspectives are key to solving the most difficult challenges 

In cybersecurity and at NetSPI, we solve client challenges every day, often for the largest organizations in the world. We succeed at solving the most difficult of these challenges when collaboration and diverse thoughts reign. 

One thing I noticed at the event was that sales didn’t cling to their sales peers, services didn’t cling to their services peers, leadership didn’t cling to their fellow leaders. Although it can be difficult, breaking down departmental silos within an organization can cultivate idea sharing and welcome new perspectives across the organization. This event helped us make big strides toward that goal. 

Allowing everyone to have a seat at the table and feel comfortable speaking up and sharing their ideas is something that we value greatly at NetSPI. After all, diverse thought fuels innovation. 

In-person events can help you uncover the Purpose that your team will rally around 

After the event, I challenged myself to think hard about what my employees really care about. What can I do as a leader to deliver on that purpose and adhere to my employees’ values? Am I creating a workplace environment that allows them to adhere to their values? 

These events tend to be a wakeup call around a greater mission. And a presentation from our philanthropic partner, the Masonic Children’s Hospital, did just that. 

The Director of Development at the Hospital, Nicholas Engbloom, shared a powerful story about Minnesota Gopher placeholder Casey O’Brien and his journey battling cancer. For those unfamiliar with Casey, I’d encourage everyone to listen to his story.  

It was clear how much the story and our partnership with the Masonic Children’s Hospital resonated with and empowered our employees. It showed me how powerful it is for our employees to rally around a greater sense of Purpose and give back to the community. I’m excited to ramp up our philanthropic activities with the hospital and other organizations this year. 

Investments that you make as an organization to bring your team members together have incredible Return on Investment (ROI) – and that’s just the ROI we can measure. To other cybersecurity business leaders considering an all-employee in-person event, I couldn’t recommend it more.  

People are the key to solving the world’s biggest cybersecurity challenges. And the organizations that are enabling employees through tech and creating a values-driven workplace culture will be the ones leading the charge. 

I’ll leave you with some incredible dance moves, courtesy of the NetSPI team. Check out this video recap for highlights from the NetSPI 2022 Employee Kickoff:

Want to join us next year? NetSPI is hiring!


Security Magazine: The Do’s and Don’ts of Communicating a Data Breach

On May 23, 2022, NetSPI Head of Product, Cody Chamberlain, published an article in Security Magazine called The Do’s and Don’ts of Communicating a Data Breach. Preview the article below, or read the full article online.


Data breaches are occurring more frequently than ever before, even when organizations have the best security precautions in place. According to the Identity Theft Resource Center’s 2021 Data Breach Report, data breaches rose 68% from the previous year, reaching the highest number ever reported. That said, while a cyberattack may be out of an organization’s control, one thing it can and should control is how it communicates a breach.

Many corporations have developed canned responses to breaches along the lines of “We identified a breach of our systems, and you have been identified as being impacted. Your security is of the utmost importance to us, so we’re providing you with free monitoring.” 

However, more sophisticated and impactful breaches need a more detailed response plan, one that focuses on getting systems back online and defines what steps the organization will take to prevent another breach from occurring. There are three key elements to implementing a successful data breach communication strategy: an incident response plan, consistent communication, and transparency. 

Lean into the Incident Response Plan

An incident response plan is one of the most critical components of the customer notification process, as it enables an organization not only to acknowledge that it has fallen victim to an attack, but also to take ownership and focus on the customer.

Following a data breach, the customer ultimately wants to know three things: if their data has been stolen, the risk to the data at the time of the incident, and if they need to take additional action with the government or law enforcement to assist in the investigation. 

The incident response plan should provide accurate and timely information that accounts for all these customer questions and keeps their best interests in mind. This plan must be communicated and adopted beyond security and IT teams by a crisis management team that extends across all departments. Every person in the communications chain must report their findings to the executive level for all angles and aspects of the breach to be considered. 

An organization must also proactively work with legal and finance teams to understand which regulatory bodies, government entities, and insurance agencies to notify. Once all information is made clear, the organization can convey the details of the incident to the customer in a quick and straightforward manner, and, in high-profile situations, present the case to the public. 

Read the full article online.


Cybersecurity for Financial Institutions—Part 2: Metrics

This is part two of our blog series that delves into cybersecurity for the financial services industry.

In part one, we discuss the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations.

In this part, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their regulators and leadership peers. We’ll also discuss opportunities to improve those metrics and address key challenges CISOs experience when building mature programs.

Let’s dive in.

Three Cybersecurity Metrics to Help Financial Institutions Tell Their Story to Regulators

The rise in cyberattacks against financial institutions means heightened scrutiny from bank regulators and more stringent compliance requirements. So, how can banks provide a thorough assessment of their security program to show regulators that they’re meeting regulatory requirements – and are keeping consumers and their data safe?

We can achieve that by identifying and keeping track of cybersecurity metrics that tell a powerful story.

These metrics are critical in two scenarios: to communicate your security program maturity and compliance to financial services industry regulators and to your leadership team/board to make the case for additional budget or resources.

When using metrics, keep in mind context over time is a key success factor for communication on trends. And consider the alignment with other metrics used to measure overall business success.

Cybersecurity metrics are historically challenging to determine as they don’t correlate directly to revenue or profit gain and are often proactive in nature. However, if you choose wisely they can help you benchmark your current cybersecurity program and show how your investments have impacted your organization over time.

To set a solid metric foundation, consider these three key cybersecurity metrics:

  1. Asset footprint: Anything that gives an accurate depiction of all your assets may be considered your asset footprint. This includes ephemeral assets (e.g., auto-scaling compute or containers) and the number of endpoints per dollar of assets under control. For example, in endpoint management, you’re managing the number of devices, servers, or systems that are trying to access your company’s network. Taking inventory of all endpoints provides you with a better view of your security posture and how much it costs to manage your assets. The caveat is that this method works now, but is not ideal for measuring your assets moving forward.
  2. Time to remediation: How long does it take to fix your critical vulnerabilities? What is the time it took to identify critical issues from discovery to vulnerability remediation? Being able to track this context over time provides an overall assessment of your risk profile. A scenario to consider: if your company doubles in size but the number of vulnerabilities remains the same or has increased, you need to investigate that.
  3. Percentage of revenue that makes up your cybersecurity budget: What percentage of the overall organizational revenue is being spent on cybersecurity? Is that spend increasing, but the number of vulnerabilities, security incidents, fraud reports, etc. remaining the same? Keeping track of your budget relative to your security outcomes can indicate the health of your program and areas that may require reevaluation.

For metric number three, you’ll need to partner with your CFO and finance team to track your progress over time. But for metrics one and two, it will be critical to formulate a plan to capture and improve these metrics to prepare for your next audit or budget meeting. Here are three ways to accomplish this:

  • To measure and improve your asset footprint, leverage Attack Surface Management (ASM): ASM identifies and detects all known, unknown, and potentially vulnerable assets across your attack surface whenever there is exposure – not just what’s internet facing but in B2B network connections or peered cloud services too. ASM enables a comprehensive view of your environment from the outside in.
  • To measure and improve time to remediation, leverage Penetration Testing as a Service (PTaaS): PTaaS combines technology with human expertise to find critical vulnerabilities that tools and traditional pentesting processes miss. The key here will be to work with a partner that can orchestrate and manage your vulnerabilities in a dynamic platform that allows you to track your remediation progress over time (see: NetSPI Resolve).

Check out these case studies to learn how two banks leveraged penetration testing to address the unique challenges financial firms face:

How to Articulate the Need for Budget

One of the challenges that we personally experienced in our roles as in-house security leaders and CISOs is the need to articulate budgetary needs to the leadership team and the board.

You need money and resources to employ the right people and acquire the necessary tools to protect your organization, right? This is correct, but you also need to recognize that the metrics you’re currently sharing may not align with the priorities of the CEO or the board. This gets even more challenging when the CEO or board hasn’t funded these initiatives historically.

So, what are ways you can effectively approach this?

First, understand that it’s not about confronting the board or the CEO. It’s about empowering them to articulate the risks they’re willing to take (e.g., risk of a possible breach, exposing consumer PII, etc.). 

It’s important to engage with your leadership team and spend the time building this relationship so you both are aligned with the security or control posture of the organization. Security leadership should never operate in a silo.

Second, don’t tell half the story; tell the whole story. Explain how your budget decisions align with the company’s priorities: generating revenue, achieving company goals, maintaining a positive public reputation, etc. Articulate your metrics in the terms and language they understand to effectively tell your cybersecurity maturity story and make the case for additional support. 

For more on this topic, read How To Eliminate Friction Between Business and Cyber Security.

Strategic Cybersecurity for Financial Institutions

More than ever, it’s important to be strategic when improving cybersecurity in the financial industry. Here are two things to consider to set you on the right path toward security program maturity:

  • Tool overload and alert fatigue. Be mindful of purchasing capabilities you can’t manage or extract the value from. Why? Because you’re going to have to find the people to address all the data you aggregate. This lack of alert coverage and response could result in hesitancy from your leadership team or regulators.
  • Technical leaders vs. security leaders. When you hire, ensure that your technical team also understands security and why it matters to your business. Someone with a technical background may not truly grasp security concepts and strategy. Ensure you have a balanced team that can help you articulate your metrics as outlined above.

If there is one thing we want you to take away from this blog post, it is this: financial cybersecurity is an ongoing effort – it is not a point-in-time commitment. Continuous improvement is essential to telling your cybersecurity story – and the metrics you choose to measure and the way you communicate them will be the backbone of that story.

NetSPI is the industry leader in pentesting and currently partners with 9/10 top US banks in the nation. Connect with us today for your bank pentesting solutions and needs.

Digital Journal: Safeguarding Data from Dangerous Threats like Ryuk

On May 14, 2022, NetSPI’s VP of Strategic Solutions, Florindo Gallicchio, was featured in the Digital Journal article called Safeguarding Data from Dangerous Threats like Ryuk. Preview the article below, or read the full article online.

To maintain business continuity, each organization should develop a data protection and back-up strategy. To reduce the risk of data loss, firms need to back up files and databases. Firms will also want to back up their operating systems, applications, and configurations. This ensures the protection of data from unauthorized access and data corruption throughout its lifecycle.

According to Florindo Gallicchio, Managing Director, Head of Strategic Solutions at NetSPI: “It’s time to acknowledge how critical data backup has become, especially since many ransomware strains attempt to delete backup files, as we witnessed with Ryuk.”

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows systems. Here, the threat actors make sure that essential files are encrypted so they can ask for a large ransom.

Expanding on the risks faced by the corporate sector, Gallicchio says: “Most businesses are faced with two significant risks when it comes to backups: the theft and public disclosure of sensitive data, and the disruption of critical business functions.”

In terms of the consequences, Gallicchio says: “If either of these risks occur, organizations could endure devastating consequences. To make sure that doesn’t happen, organizations need to proactively put strategies in place to bolster protection against these threat actors.”

Read the full article online.


DarkReading: Breaking Down the Strengthening American Cybersecurity Act

On May 11, 2022, NetSPI’s COO Charles Horton was featured in the DarkReading article, Breaking Down the Strengthening American Cybersecurity Act. Preview the article below, or read the full article online.


The Cyber Incident Reporting Act, which was signed into law on March 15, is federal legislation aimed at bolstering the ability to prevent and more rapidly respond to cybersecurity attacks. While it won’t take effect until final rules are determined, it’s one of three parts of the Strengthening American Cybersecurity Act, which is aimed at bolstering the cybersecurity of critical infrastructure and the federal government. The need for such an act has intensified with the situation in Eastern Europe, as cyber warfare has proven to be a key and effective tactic for Russian nation-state actors.

Under the Cyber Incident Reporting Act specifically, critical infrastructure operators and federal agencies are required to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours.

The overarching Strengthening American Cybersecurity Act will update current federal government cybersecurity laws to improve coordination between federal agencies, ensure the government takes a risk-based approach to cybersecurity, and require all civilian agencies to report all cyberattacks to CISA.

Overall, the act demonstrates increased recognition of the need for better policy to prevent attacks on a larger scale, and highlights the impact the US government can have on cybersecurity efforts within organizations.

But to truly understand the magnitude of the act’s potential impact, we must first gain insight into the current threat environment, while acknowledging the legislation’s benefits and limitations. Let’s explore.

Cyber Threats Show No Signs of Slowing Down

The recent cyber threats against Ukraine have signaled the need for heightened protection measures, while also demonstrating the large-scale consequences of a cybersecurity attack on an entire country. For example, several Ukrainian government and bank websites were recently offline as a result of a massive distributed denial-of-service (DDoS) attack.

Shortly following these attacks, a new “wiper” malware targeting Ukrainian organizations was discovered on hundreds of machines. These security incidents are suspected to have been carried out by Russian cybercriminals, creating a new digital warfare environment that has taken organizations by storm.

One cause for concern for countries that have imposed sanctions against Russia is the potential for cyberattack retaliation. In addition to the escalating geopolitical tension in Eastern Europe, security teams continue to face an overwhelming number of ransomware attempts from malicious actors, not just in Russia but across the world. In fact, approximately 37% of global organizations said they were the victim of a ransomware attack in 2021 — and that figure is only expected to increase this year.

Through the Strengthening American Cybersecurity Act, a new foundation is created for both public and private sector organizations, enabling them to create larger-scale defenses against nation-state actors while better bolstering protection against the continuous cyber threats they grapple with each day.

Continue reading the full article online.


Multi-Factor Authentication: The Bare Minimum of IAM

What is the typical authentication setup for personal online accounts? The username and password. 

For too long, we have depended on this legacy form of authentication to protect our personal data. As more people rely on the internet to manage their most important tasks — online banking, applying for loans, running their businesses, communicating with family, you name it — many companies and services still opt for the typical username and password authentication method, often with multi-factor authentication as an option, but not a requirement.  

To combat the sophisticated attacks of hackers today, multi-factor authentication methods must be considered the bare minimum. [For those unfamiliar with the concept, multi-factor authentication, or MFA, requires the user to validate their identity in two or more ways to gain access to an account, resource, application, etc.] Then, building on that foundation, security leaders must consider what other identity and access management practices they can implement to better protect their customers.

For more insights on this global challenge, we spoke with authentication expert Jason Soroko, CTO-PKI at Sectigo, during episode 40 of the Agent of Influence podcast to learn more about the future of multi-factor authentication, symmetric and asymmetric secrets, digital certificates, and more. Continue reading for highlights from our discussion or listen to the full episode, The State of Authentication and Best Practices for Digital Certificate Management.

Symmetric Secrets vs. Asymmetric Secrets  

The legacy username and password authentication method no longer offers enough protection. Let’s take a deep dive into symmetric secrets and asymmetric secrets to better understand where we can improve our processes. 

A symmetric secret is a single key used for both encrypting and decrypting a piece of data or file. Here’s a fun anecdote that Jason shared during the podcast: “Let’s say you and I want to do business. We agree that I could show up at your door tomorrow and if I knock three times, you will know it’s me. Well, somebody could have overheard us having that conversation to agree to knock three times. It’s the same thing with a username and password. That’s a shared symmetric secret.” 

According to Jason, the issue with this method is that the secret had to be provisioned out to someone or, in today’s context, keyed into memory on a computer. This could be a compromised endpoint on your attack surface. Shared secrets have all kinds of issues, and you only want to utilize them in a network where the number of resources is extremely small. And we should no longer use them for human authentication methods. 

Instead, we need to shift towards asymmetric secrets.   

Asymmetric secrets, which are used to securely send data today, have two keys: private and public. The public key is used for encryption purposes only and cannot be used to decrypt the data or file. Only the private key can do that. 

The private key is never shared; it never leaves a secured place (e.g., Windows 10, Windows 11, trusted platform module (TPM), etc.) and it’s what allows the authentication to occur securely. Not only that, but asymmetric secrets don’t require the 123 steps of authentication, improving the user experience overall. Guessing or stealing the asymmetric secret is much more difficult for a hacker because it is held in a secure element, Jason explains. 

Of course, some organizations have no choice but to stick with ancient legacy systems due to financial reasons. But the opportunity here is to complement that legacy authentication method with other controls so you can enhance your authentication system. 
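To make the difference concrete, here is an added example, written for this post and not code from NetSPI or Sectigo, that runs both styles of challenge-response login side by side in Go. The shared-secret path answers a random nonce with HMAC-SHA256, so the server must hold the same secret the client does; the asymmetric path signs the same nonce with an Ed25519 private key and the server verifies with the public key alone. The function names, the constructed secret value, and the choice of Ed25519 are assumptions of the example, not details from the podcast.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Nonce returns a fresh 32-byte random challenge. Both schemes below are
// challenge-response, so a captured answer is useless for a later login.
func Nonce() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	return n, nil
}

// ---- Symmetric: the "knock three times" shared secret --------------------

// SymmetricProve answers a challenge with HMAC-SHA256(secret, nonce).
// Anyone holding the secret can compute this, including whoever copied it
// from the server's database or from the client's memory.
func SymmetricProve(secret, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// SymmetricVerify recomputes the proof, so the verifier must store the same
// secret the client uses: the credential store is itself a target.
func SymmetricVerify(secret, nonce, proof []byte) bool {
	return hmac.Equal(SymmetricProve(secret, nonce), proof)
}

// ---- Asymmetric: the private key never leaves the device -----------------

// NewDeviceKey creates the key pair. In deployment the private half would be
// generated inside, and never exported from, a TPM or secure element.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// AsymmetricProve signs the challenge. Only the holder of the private key
// can do this; the server never sees that key.
func AsymmetricProve(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// AsymmetricVerify needs only the public key, so a dump of the verifier's
// records gives an attacker nothing they can log in with.
func AsymmetricVerify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(pub, nonce, sig)
}

// LeakedRecordAnswersChallenge models what a copy of each verifier's stored
// record is worth. The symmetric record is the secret itself, so it answers
// any challenge; the asymmetric record is a public key, which cannot sign,
// so the best a holder of it can submit is something that is not a signature.
func LeakedRecordAnswersChallenge(symSecret []byte, pub ed25519.PublicKey, nonce []byte) (sym, asym bool) {
	sym = SymmetricVerify(symSecret, nonce, SymmetricProve(symSecret, nonce))
	asym = AsymmetricVerify(pub, nonce, make([]byte, ed25519.SignatureSize))
	return sym, asym
}

func main() {
	nonce, _ := Nonce()
	secret := []byte("constructed-shared-secret") // constructed demo value
	fmt.Println("symmetric login ok:", SymmetricVerify(secret, nonce, SymmetricProve(secret, nonce)))
	pub, priv, _ := NewDeviceKey()
	fmt.Println("asymmetric login ok:", AsymmetricVerify(pub, nonce, AsymmetricProve(priv, nonce)))
	sym, asym := LeakedRecordAnswersChallenge(secret, pub, nonce)
	fmt.Println("leaked symmetric record usable:", sym, "| leaked asymmetric record usable:", asym)
}
```

The last function is the point of the section: a copy of the server's symmetric record answers every future challenge, while a copy of the asymmetric record is only the public key and answers none. A real deployment keeps the signing step inside the TPM or secure element rather than in process memory, which is what makes the private key "never leave a secured place".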

Pitfalls of SMS Authentication 

If you’re considering SMS authentication, I hate to be the bearer of bad news, but it doesn’t offer comprehensive protection. SMS was never built to be secure, and it was never intended to be used the way it is popularly used today. Now, not only do we have the issue of people using a protocol that’s inherently insecure by design, but hackers can easily intercept authentication messages sent via SMS. 

As Jason shared on the podcast, the shocking truth is that SMS redirection is commercially available. It only costs around $16 to persuade the telecommunications company to redirect SMS messages to wherever you want them to go, which shows how easily hackers can obtain messages and data. 

To learn more about telecommunications security, read: Why the Telecoms Industry Should Retire Outdated Security Protocols. 

Three Best Practices for Managing Digital Certificates 

Even with the implementation of multi-factor authentication, how do you know if a person or a device is trustworthy to allow inside your network? 

You achieve that with digital certificates, also known as public key certificates. They’re used to share public keys and to bind each public key to the person or device that owns it. 

With so many people moving to remote work, the number of digital certificates that must be authenticated each day only grows. It’s important to manage your digital certificates effectively to mitigate the risk of adversaries trying to access your organization’s network. 

For additional reading on the security implications of remote work, check out these articles: 

To get you started toward better digital certificate management, Jason shared these three best practices: 

  1. Take inventory: Perform a proper discovery of all the certificates that you have (TLS, SSL, etc.) to gain visibility into how many you have.
  2. Investigate your certificate profiles: Take into consideration your DevOps certificates, your IoT certificates, etc., and delve into how the certificates were set up, who set them up, what the key bit-length is, and whether each uses a proper, non-deprecated cryptographic algorithm.
  3. Adapt to new use cases: Look towards the future to determine if you can adapt to new use cases (e.g., can this be used to authenticate BYOD devices or anything outside the Microsoft stack, how will the current cryptographic algorithms today differ in the future, what about hybrid quantum resistance, etc.). 
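The first two steps map directly onto an audit routine. As an added example, not code from the article, Sectigo or NetSPI, the Go program below takes a PEM bundle of the kind a discovery scan hands back (step 1) and reports each certificate's subject, key length, signature algorithm and expiry, flagging short RSA keys, deprecated signature algorithms, and certificates that are expired or about to expire (step 2). It builds its own constructed two-certificate inventory so it runs offline; the thresholds, sample subject names and key choices are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the audit: what the certificate is and which of the
// checks from the text (key length, algorithm, expiry) it fails.
type Finding struct {
	Subject, Algorithm string
	KeyBits            int
	NotAfter           time.Time
	Issues             []string
}

// AuditCertificate applies the checks to one parsed certificate. The
// thresholds (RSA below 2048 bits, expiry within 30 days) are assumptions
// chosen for this example, not values from the article.
func AuditCertificate(c *x509.Certificate, now time.Time) Finding {
	f := Finding{Subject: c.Subject.CommonName, Algorithm: c.SignatureAlgorithm.String(), NotAfter: c.NotAfter}
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyBits = k.N.BitLen()
		if f.KeyBits < 2048 {
			f.Issues = append(f.Issues, fmt.Sprintf("RSA key too short (%d bits)", f.KeyBits))
		}
	case *ecdsa.PublicKey:
		f.KeyBits = k.Curve.Params().BitSize
	default:
		f.Issues = append(f.Issues, "unrecognised public key type")
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.DSAWithSHA256, x509.ECDSAWithSHA1:
		f.Issues = append(f.Issues, "deprecated signature algorithm "+f.Algorithm)
	}
	if now.After(c.NotAfter) {
		f.Issues = append(f.Issues, "expired")
	} else if c.NotAfter.Sub(now) < 30*24*time.Hour {
		f.Issues = append(f.Issues, "expires within 30 days")
	}
	return f
}

// AuditPEMBundle walks every CERTIFICATE block in a PEM bundle, the shape a
// discovery scan usually produces, and audits each one in order.
func AuditPEMBundle(bundle []byte, now time.Time) ([]Finding, error) {
	var out []Finding
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			return out, nil
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other material mixed into the bundle
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, AuditCertificate(c, now))
	}
}

// selfSigned mints a constructed self-signed certificate for the demo data.
func selfSigned(cn string, key crypto.Signer, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err) // only reachable if the constructed template is broken
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleBundle builds a constructed two-certificate inventory: a legacy
// RSA-1024 certificate expiring in five days, then a healthy P-256 one.
func SampleBundle() []byte {
	legacy, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	modern, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	day := 24 * time.Hour
	return append(selfSigned("legacy-iot.example", legacy, time.Now().Add(5*day)),
		selfSigned("api.example", modern, time.Now().Add(365*day))...)
}
```

Run `AuditPEMBundle(SampleBundle(), time.Now())` and the first finding carries two issues (short key, imminent expiry) while the second carries none. Pointing the same function at the PEM files a real discovery job collects gives the inventory step 1 asks for, with step 2's profile questions answered per certificate.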

The Future of Multi-Factor Authentication 

As mentioned at the beginning of this article, multi-factor authentication should be considered the bare minimum, or foundation, for organizations today. For organizations still on the fence about implementing this authentication method, here are three reasons to start requiring it: 

  • A remote workforce requires advanced multi-factor authentication to verify the entities coming into your network.
  • Most cyberattacks stem from hackers stealing people’s usernames and passwords. Multi-factor authentication adds additional layers of security to prevent hackers from accessing an organization’s network.
  • Depending on which method your organization utilizes, multi-factor authentication provides a seamless login experience for employees — sometimes without the need for a username or password if using biometrics or single-use code. 

More organizations are choosing to adopt multi-factor authentication and we can only expect to see more enhancements in this area.  

According to Jason, artificial intelligence (AI) will play an important role. Take convolutional neural networks, for example. This is a type of artificial neural network (ANN) used to analyze images. If we were to apply convolutional neural networks to cybersecurity, we could train them to identify known malicious binaries or patterns quickly and accurately. Of course, this is something to look forward to in the foreseeable future. 

An area we’ve certainly made much progress on, though, is the ability to use machine learning to determine malicious activity in the credit card fraud detection space. 

Multi-Factor Authentication is Only the First Step 

At a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.  

Cyberwarfare coupled with a remote workforce and government scrutiny should prompt companies everywhere to bolster their cybersecurity defenses. The authentication methods and best practices Jason Soroko shared with me on the Agent of Influence podcast are a step in the right direction toward protecting your organization, employees, and — most importantly — your customers. 

Put your IAM and authentication processes to the test against real attacker techniques. Explore NetSPI’s red team operations.

Discover how NetSPI ASM solution helps organizations identify, inventory, and reduce risk to both known and unknown assets.