Charles Horton
- Explore industry expert predictions on what’s in store for cybersecurity in 2022.
- Cyber-attacks have remained a key concern throughout the COVID-19 pandemic. With 2021 now over, what does the new year have in store for cybersecurity?
- We’ve collected predictions from industry experts, including HelpSystems’s Joe Vest, Gemserv’s Andy Green and more.
With many businesses continuing to work from home where possible and settling into a more hybrid style of work, cybersecurity has been a key concern across a range of industries.
Here, we’ve collected opinions from industry experts on what they predict 2022 has in store for cybersecurity.
Travis Hoyt, CTO at NetSPI
Attack surface management: “As organisations continue to become more reliant on SaaS technologies to enable digital transformation efforts, the security perimeter has expanded. Organisations now face a new source of cybersecurity risk as cybercriminals look to exploit misconfigurations or vulnerabilities in these SaaS technologies to wage costly attacks. In 2022, we can expect that organisations will become more focused on SaaS posture management and ensuring that their SaaS footprint is not left open as a vector for cyberattacks. This trend will be further accelerated by the insistence of insurance providers that organisations have a detailed understanding of their SaaS deployments and configurations, or face higher premiums or even a refusal of insurance altogether.”
Next generation architectures open new doors for security teams: “Interest in distributed ledger technology, or blockchain, are beginning to evolve beyond the cryptocurrency space. In 2022, we’ll begin to see the conversation shift from bitcoin to discuss the power blockchain can have within the security industry. Companies have already started using this next generation architecture, to better communicate in a secure environment within their organisations and among peers and partners. And I expect we’ll continue to see this strategy unfold as the industry grows.”
CFOs will make or break ransomware mitigation: “For too long, companies have taken a reactionary approach to ransomware attacks – opting to pay, or not pay, after the damage has already been caused. I expect to see CFOs prioritising conversations surrounding ransomware and cyber insurance within 2022 planning and budgetary meetings to develop a playbook that overalls all potential ransomware situations and a corresponding strategy to mitigate both damage and corporate spend. If they don’t lead with proactivity and continue to take a laggard approach to ransomware and cyber insurance, they are leaving their companies at risk for both a serious attack and lost corporate funds.”
Florindo Gallicchio, Managing Director and Head of Strategic Solutions at NetSPI
Cybersecurity budgets will rebound significantly from lower spend levels during the pandemic: “As we look to 2022, cybersecurity budgets will rebound significantly after a stark decrease in spending spurred by the pandemic. Ironically, while COVID-19 drove budget cuts initially, it also accelerated digital transformation efforts across industries – including automation and work-from-home infrastructure, which have both opened companies up to new security risks, leading to higher cybersecurity budget allocation in the new year. Decisions are being made in Fortune 500+ companies with CFOs on the ground, as these risk-focused enterprises understand the need for larger budgets, as well as thorough budgeted risk and compliance strategies. Smaller corporations that do not currently operate under this mindset should follow the lead of larger industry leaders to stay ahead of potential threats that emerge throughout the year.”
Charles Horton, Chief Operations Officer at NetSPI
Company culture could solve the cybersecurity hiring crisis: “It’s no secret that cybersecurity, like many industries, is facing a hiring crisis. The Great Resignation we’re seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. From a retention perspective, I expect to see department heads fostering a culture that’s built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves – ultimately driving positive retention rates across the organisation.”
Nabil Hannan, Managing Director at NetSPI
2022 is the year for API security: “In 2022, we will see organisations turn their attention to API security risks, deploying security solutions and conducting internal audits aimed at understanding and reducing the level of risk their current API configurations and deployments create. Over the past few years, APIs have become the cornerstone of modern software development. Organisations often leverage hundreds, and even thousands, of APIs, and ensuring they are properly configured and secured is a significant and growing challenge. Compounding this issue, cyberattackers have increasingly turned to APIs as their preferred attack vector when seeking to breach an organisation, looking for vulnerable connection points within API deployments where they can gain access to an application or network. For these reasons, securing APIs will be a top priority throughout 2022.”
The Skills Shortage Will Continue Until Hiring Practices Change: “In 2022 the cybersecurity skills gap will persist, but organisations that take a realistic approach to cybersecurity hiring and make a commitment to building cybersecurity talent from the ground up will find the most success in addressing it. The focus in closing the skills gap often relies on educating a new generation of cybersecurity professionals through universities and trade programs, and generally encouraging more interest in young professionals joining the field. In reality, though, these programs will only have limited success. The real culprit behind the skills gap is that organisations often maintain unrealistic hiring practices, with cybersecurity degrees and certification holders often finding untenable job requirements such as 3+ years of experience for an entry level job.”
[post_title] => TechRound: Cybersecurity Predictions for 2022 [post_excerpt] => On January 25, 2022, Travis Hoyt, Florindo Gallicchio, Charles Horton, and Nabil Hannan were featured in TechRound's 2022 Cybersecurity Predictions round up. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techround-cybersecurity-predictions-for-2022 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:56 [post_modified_gmt] => 2023-01-23 21:10:56 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27239 [menu_order] => 315 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 27036 [post_author] => 67 [post_date] => 2021-12-27 15:09:48 [post_date_gmt] => 2021-12-27 21:09:48 [post_content] =>On December 27, 2021, NetSPI COO Charles Horton was featured as a guest writer for Help Net Security. Read the full article below or online here.
+ + +
For security teams scrambling to secure their organizations against Log4j exploitation, one of the first and most challenging tasks is understanding where Log4j exists within their environment. Without this understanding, any remediation efforts will be hamstrung from the get-go. Of course, this type of asset management can prove exceedingly difficult as Log4j is represented across thousands of products.
Still, even missing one vulnerable instance of Log4j can leave an organization at risk, which is why discovery is one of the most important steps in the remediation process. Below are four easy-to-implement vulnerability discovery strategies that can be used to assess an environment for vulnerable Log4j implementations.
Conduct full port vulnerability scanning
First, organizations should perform full port vulnerability scanning with service fingerprinting enabled. Scanning tools like Nmap can allow security teams to identify commonly abused protocols like HTTP and Remote Method Invocation (RMI). Vulnerability scanning tools can also identify RMI services that are hosted by Java applications. Teams can also conduct server layer vulnerability scanning with tools like Nessus or Nexpose to identify vulnerable Log4j instances by injecting into the top HTTP Header injection points. This process should take minimal effort if executed from a single location.
To go a step further, experts can use the Nessus or Nmap output to configure a tool such as EyeWitness, WitnessMe, or Aquatone to perform a screen scraping of available websites. This will help create a catalog of websites to review, which can then be used to identify web applications that may need to be targeted for more thorough testing. Once the list of web applications has been generated, teams can use a tool like Burp Suite Pro with the Log4Shell Scanner plugin to identify vulnerable Log4j instances. This is accomplished by injecting exploitable strings to initiate callbacks to the user into all the dynamic elements of the web application it can map.
Target files unique to Log4j
Log4j is open source, which means its use in applications is widespread due to it being free, practical, easily distributed, and modifiable. However, the open-source nature of Log4j can also prove useful in the discovery stage. Security teams can easily download Log4j and create an inventory of all the files that are used by the package, and from there target files that are unique to Log4j.
Once this inventory is developed, security teams could leverage it with endpoint detection and response (EDR), file integrity monitoring (FIM), and configuration management tools that already exist in an organization’s security environment to identify vulnerable instances of Log4j. Additionally, in theory, the same inventory could be used as a dictionary against web servers. By utilizing this strategy, security teams can make efficient use of existing automation tools, saving time and resources that can then be used on the actual task of remediation.
Collaborate with your development teams
Security is everyone’s responsibility. To ensure an organization is truly secure, security and developer teams must work together. Comprehensive insight is needed to successfully mitigate Log4j risks. This process requires in-depth collaboration with business units and development teams to ensure that all Log4j instances are truly uncovered. In some cases, this can be a challenge when there are “black boxes” on an organization’s networks that have no clear owner.
Security teams must first work with development teams to create a list of all internally developed applications and the associated application owners. Then they must connect with the application owners and determine if a given application utilizes Log4j. For those that do, the security team and application owners will need to work together to apply the required patches. While this strategy requires a more hands-on approach, it will offer significant benefits in terms of remediating some of the more difficult to find Log4j implementations.
Shore up your vendor risk management
Third-party software providers have proven one of the main sources of cybersecurity risk for organizations over the past decade. Log4j is no exception. Security teams must communicate with vendors to determine Log4j’s relation to external applications, determine which vendors and services leverage Log4j, whether those organizations have taken the necessary steps for discovery and remediation, and whether they’ve tested their networks for successful exploitation or instructions.
Communication with vendors to this effect should be started as soon as possible so teams will know which services they might need to isolate or cease using, as well as how that might affect their organization’s functionality or services in turn.
Log4j discovery is the first hurdle
The ubiquitous nature of Log4j presents a clear challenge for cybersecurity experts, and with many security teams already short-staffed, finding all possible vulnerabilities seems like an insurmountable challenge. Establishing a discovery strategy is the first step in overcoming the challenge. With a straightforward strategy and clear communication and collaboration, teams can and will continue to protect the organizations they serve.
[post_title] => Help Net Security: 4 practical strategies for Log4j discovery [post_excerpt] => On December 27, 2021, NetSPI COO Charles Horton was featured as a guest writer for Help Net Security. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => help-net-security-log4j-discovery [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:59 [post_modified_gmt] => 2023-01-23 21:10:59 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27036 [menu_order] => 324 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 26665 [post_author] => 53 [post_date] => 2021-11-12 12:30:08 [post_date_gmt] => 2021-11-12 18:30:08 [post_content] =>What’s next for enterprise security professionals? No one can know for certain, but NetSPI’s expert bench of security pros – pulling from their decades of cybersecurity leadership and daily conversations with some of the world’s most prominent organizations – have a few ideas as to where the industry is headed.
Watch our 2022 cybersecurity predictions webinar, where our panel will tackle some of the most debated topics of the past 365 days and predict how each will evolve in the new year and beyond. Topics include:
- The cybersecurity hiring crisis
- Application security program maturity
- Attack surface management
- The evolution of ransomware
- Cybersecurity budget allocation
- And next generation architectures (see: blockchain)
[wonderplugin_video iframe="https://youtu.be/rLcwnJAO5Qo" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => 2022 Cybersecurity Predictions:What to Expect in the New Year [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => 2022-cybersecurity-predictions-what-to-expect-in-the-new-year [to_ping] => [pinged] => [post_modified] => 2023-06-22 20:39:36 [post_modified_gmt] => 2023-06-23 01:39:36 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=26665 [menu_order] => 51 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 26651 [post_author] => 67 [post_date] => 2021-11-11 07:36:00 [post_date_gmt] => 2021-11-11 13:36:00 [post_content] =>
On November 11, 2021, NetSPI COO Charles Horton was featured in an article written by David Marshallfor VMblog.com. Read the full article below or online here.
Seventy-two percent of tech/IT workers are considering quitting their job in the next year. This shortage is leaving some business leaders uncertain and anxious. Below, you will find commentary from 6 leaders from various technology companies such as Raytheon, Ease, and Fuze, among others. They offer insights on trends they are seeing at their own companies as well as advice to navigate or mitigate future issues.
++
Sandra Slager, COO, Mindedge Learning
"Work location flexibility is the biggest paradigm shift of the pandemic for technical professionals and technology companies alike. Companies who have made this shift have likely built the communications and systems infrastructure to cast a nationwide net in their search for top talent. Similarly, talented tech workers-engineers, cybersecurity security experts, programmers, and the like- can extend their job hunt to more cities. To keep top talent, work location flexibility sits as the foundation. Companies must also be prepared to layer on competitive wages and bonuses, but also a corporate culture that genuinely cares about staff well-being which manifests in any number of benefits such as generous vacation time, paid family leave, and even tuition reimbursement."
Jon Check, Senior director of cyber protection solutions, Raytheon Intelligence & Space
"Given the current climate, we should not be surprised by the high resignation rates we're seeing in the technology sector. The gap within the cybersecurity industry is especially clear; there's a shortage in the workforce, which means that many people are being stretched thin and expected to wear multiple hats- and maybe more than they can handle. This leads to feelings of burnout and dissatisfaction. With a market that is now favoring employees, people are going to look for new opportunities that offer more benefits and a better work-life balance.
I coined the term Cyberlandia as the ideal workplace culture within cybersecurity teams, where operations are at the optimum state of cyber readiness, with happy team members who feel empowered to face whatever threats they encounter. However, we can only make employees happy if everyone's thoughts are valued and voice is heard, only then will we truly start to deliver what they need to thrive. Technology leaders should be opening two-way communication lines so that employees feel comfortable voicing their opinion on what needs to shift: team structure, changes to work schedules, training opportunities - and the list could go on.
We also need to react to the great resignation by looking for talent where we have failed to in the past, to both close the talent gap and diversify the workforce. Women and minorities currently underrepresented in cybersecurity positions. To combat this, technology companies can offer tuition reimbursement, scholarships, and student loan repayment programs as a tangible way to make sure that individuals of all backgrounds can help us fill the technology shortage that will continue to grow unless we create a more welcoming, inclusive and flexible workplace culture."
Stephen Cavey, Co-founder, Ground Labs
"The great resignation poses a significant challenge to many organizations, but in particular, to technology companies, especially IT and cybersecurity teams. These organizations are already challenged to stay abreast of the latest trends and threats, not to mention ensuring an organization's defenses are maintained. Often, these expectations and pressures leave IT and security teams feeling overwhelmed.
We are seeing major digitization efforts happening across technology companies in tandem with the "Great Resignation." Within most teams, there are manual tasks that can be completed more efficiently with innovations in automation and improved workflow. To help alleviate employee burnout, leaders should ask: Have I done everything in my power to make my employees' work life better? Acknowledging the situation and taking steps to better understand and improve your team's workload is a critical first step to holistically address potential burnout that may be happening. In addition to helping employees manage workload, tech leaders should check in with employees to confirm whether they feel they have enough training, mentorship and support to succeed.
With the pandemic still in motion, leaders must also take into consideration employees' personal wellbeing. Do all employees work in a role where they need to be measured on the basis of a 9 to 5 workday? Could you evaluate them on their deliverables and the quality of their work - and openly offer flexibility and let them know it's ok if they need to take time to care for themselves or someone else. In this new remote by default world, being proactive in looking out for your team is not only critical for their wellbeing but might just help reduce the likelihood of your team being impacted by the Great Resignation that is happening at present."
Mari Kemp, SVP of HR, Ease
"The 2021 talent market is ten times more competitive than it was a year ago and we've seen bargaining power shift from employers to employees. employees are winning. This is the first time in decades we've seen employees have power over their employers and the results are astounding. Employees are demanding more from their employers in terms of benefits, work-life balance, and culture. Employers can no longer dictate that their staff return to the in-office setting, and those that do risk losing employees.
Furthermore, the Great Resignation has drastically changed the way companies handle recruitment, onboarding, retention, and off-boarding. Moving forward, recruitment efforts will become more reliant on internal networks and may increase referral bonuses, in addition to increased marketing and branding efforts. As for onboarding, retention, and off-boarding, companies will need to welcome employee engagement and stay close to their people emotionally instead of physically. By meeting with departments individually, conducting employee surveys, and utilizing available employee data, companies can understand why employees are staying or leaving. Additionally, employee data such as age and demographics can aid in retention as it provides a snapshot of how to adjust current healthcare and benefit options.
Wellness in the workplace will be a major issue for companies in 2022, a recent Microsoft study showed that the average American's work week has gotten 10% longer during the pandemic. To combat burnout, companies need to encourage employees to create boundaries and a better work-life balance. Additionally, managers and department heads alike need to ensure that they are not rewarding employees that are failing to create these boundaries."
Charles Horton, COO, NetSPI
"The Great Resignation we're seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. While many are turning to innovative technologies to drive growth and retain employees, this effort alone will not solve the problem at-hand. Talent is now a business' main asset, and corporate leadership must invest in it accordingly.
First, invest in entry level employees. With the Great Resignation pulling talent to new companies and new career paths, it's more important than ever for companies to build a strong pipeline of emerging talent that can grow within the company, and in turn, keep retention rates high. Since security is a complex and sometimes challenging field to break into, organizations should develop entry level training programs that lower the barriers to entry and set junior employees up for long term success within the company.
Second, organizations must adjust their cultural mindset. While the tech and cybersecurity industries have historically been individual sports, companies win as teams, and they must operate as so. Department heads should foster a culture that's built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves - ultimately driving positive retention rates across the organization."
Brian Day, CEO, Fuze
"As the Great Resignation continues, employees are seeking opportunities that provide more flexibility. A recent survey showed that 75% of all workers believe flexible work should be a standard practice, not a benefit, and 67% would consider finding a new job for greater flexibility.
Technology companies should be thinking about how to transform into employee-first organizations in order to both attract and retain talent. At Fuze, I'm continuing to give my employees the choice to dictate their own schedules and encourage our global workforce to remain working from home if that's what's best for them. In addition, we are taking an intentional laggard approach to our office re-opening, and are slowly re-opening each regional office based on local guidance and vaccination rates. While the Great Resignation remains a challenge, business leaders must realize that when they establish work-from-home policies, employees' preferences and feelings go hand-in-hand with that process. When employees' priorities are taken into consideration, businesses can avoid the impacts of a second wave of the "Great Resignation" and maintain an overall happier and engaged workforce, while also driving better business results."
[post_title] => VMblog.com: 6 Tech Leaders Share their Outlook on the Great Resignation and how to React [post_excerpt] => On November 11, 2021, NetSPI COO Charles Horton was featured in an article written by David Marshall for VMblog.com. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => 6-tech-leaders-share-their-outlook-on-the-great-resignation-and-how-to-react [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:46 [post_modified_gmt] => 2022-12-16 16:51:46 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26651 [menu_order] => 352 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 26559 [post_author] => 67 [post_date] => 2021-10-04 10:06:00 [post_date_gmt] => 2021-10-04 15:06:00 [post_content] =>On October 4, 2021, NetSPI COO Charles Horton was featured in an article in Twin Cities Business:
In the digital age, a ransomware family can be as destructive as an old school Mafia family. In June, meat processor JBS paid an $11 million ransom to cybercriminals after its plants, including one in Worthington, were shut down by a cyberattack.
It followed a May episode in which Colonial Pipeline Co. paid a $4.4 million ransom to hackers so it could resume the flow of fuel on the East Coast.
“Ransomware is evolving and it’s becoming more sophisticated,” said Charles Horton, COO of NetSPI. “You don’t have just singular threat actors looking for weaknesses.”
Minneapolis-based NetSPI started marketing a new cybersecurity service in June just as businesses large and small were rattled by the scale and brazen nature of those attacks.
October has been Cybersecurity Awareness Month since it was launched in 2004 by the U.S. Department of Homeland Security and the National Cyber Security Alliance. In recent years, cyberattacks have been elevated as a top concern of business executives, because of the damage being done by cyberthieves and the need to constantly identify and combat new threats.
President Joe Biden issued a statement on Friday addressing the topic. “I am committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security,” Biden said.
Often a web of people works together to attack a business, a nonprofit, or a public agency. First come the malware creators, Horton said. Then other bad actors “go out and find the vulnerabilities, which could be different than the groups that actually execute the ransomware.” He noted these players are “chained together” in an operating model.
Horton said some businesses have a false sense of security about what level of protection their current cybersecurity systems provide.
‘Ransomware attack simulation’
“The gap that we found is with event monitoring tools,” he said. “They only identify a very low percentage of the most common attacks.” NetSPI now offers a “ransomware attack simulation” service.
NetSPI’s product mimics the “tactics, techniques and procedures” used by ransomware attackers, so more threats can be detected, Horton said. “When they do [find them], alerts just start firing off and a customer or a business can execute their response plan.”
“Breach and attack simulation” is a new market segment in cybersecurity, in which companies can test their ability to block ransomware attacks, according to a 2021 report from global advisory firm Gartner.
NetSPI sells its new technology-enabled service directly to customers. NetSPI provides cybersecurity offerings to nine of the 10 top banks in the United States, Horton said. What it will charge for the simulation service depends on the depth and breadth of the attack simulation assessment.
“We are up to more than 200 different attack plays that we can run on a daily basis in a business environment,” Horton said, which are designed to prevent attackers from installing malware, accessing data, and then demanding a hefty ransom.
Read the rest of the Twin Cities Business article here: https://tcbmag.com/blocking-cybercriminals-from-accessing-company-data/
[post_title] => Twin Cities Business: Blocking Cybercriminals from Accessing Company Data [post_excerpt] => A Minneapolis-based business has introduced a service to mimic ransomware attacks, so companies can uncover vulnerabilities in their cybersecurity. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => twin-cities-business-blocking-cybercriminals-from-accessing-company-data [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:50 [post_modified_gmt] => 2022-12-16 16:51:50 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26559 [menu_order] => 361 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 25831 [post_author] => 67 [post_date] => 2021-07-07 07:00:00 [post_date_gmt] => 2021-07-07 12:00:00 [post_content] =>Upon the onset of COVID-19, many organizations went from protecting a few offices, to protecting anywhere from hundreds or even thousands of satellite offices as employees headed home to work. IT and security teams were challenged to quickly – and securely – enable their colleagues to work outside of the office perimeter.
According to a recent Glassdoor survey of employed U.S. adults, 72 percent said they are ready to return to their company's office, with 45 percent expecting to return to the office in some capacity this summer.
What does ‘in some capacity’ mean? Well, the pandemic has reimagined where and how work gets done. PwC’s US Remote Work Survey found that employees are anticipating a hybrid work model, in which they will be required to go into the office no more than three days each week. With the growing hybrid workforce, comes its own IT and security challenges, including managing security patches and updates, ensuring security within home environments, and monitoring user behavior.
In a CIO round table discussion, Microsoft security architect Wayne Anderson pointed to user behavior as one of the biggest cybersecurity risks of today’s hybrid workforce. I couldn’t agree more. As with any crisis, the COVID-19 pandemic has created a mass amount of confusion among employees – and in turn an increase in social engineering attempts. Just look at the results of the 2021 Verizon Data Breach Investigations Report. Over the past year, 85 percent of breaches involved a human element and social engineering attacks topped the list of attack patterns.
Now, the hybrid workforce and the imminent return to the office presents new opportunities for sophisticated social engineering attacks. Successful social engineering scenarios could include:
- A malicious link or attachment embedded in emails outlining realistic return to office protocols.
- Contacting the help desk to enroll a new multifactor token for the VPN.
- Gaining physical access after an attacker convinces the office manager or colleagues that it is their first day at the office.
To help prevent employees from falling victim and maintain secure social interactions, here are five considerations to pay close attention to:
- The hiring process did not stop over the past year. When your employees return to the office, there will be new faces and names. During this time of transition, there should be a heightened sense of awareness for your physical security. Remind employees of physical security protocols and have an established method of identity verification to confirm employment of new faces. Follow the same identity verification methods regardless of the communications channel: phone, email, and in-person.
- Audit your physical security procedures. Who owns physical keys to the office space, access credentials, employee badges and ID cards, etc.? Audit who has access to what and ensure you disable access that is no longer needed.
- Practice the principle of least privilege. Least privilege means enforcing the minimal level of user rights that allow an employee to perform their role. For example, marketing should not have access to client financial data. Restrict access for each employee to limit the breadth and impact of a social engineering attack.
- Allow only authorized devices on your corporate network. As people go back and forth from home offices to corporate offices, ensure that personal or BYOD (bring your own device) devices are enrolled into your IT asset management program and only provision access where necessary.
- Regularly test your employees with social engineering penetration tests. Real adversaries attempt to trick employees into exposing sensitive information every day. Make sure your employees are receiving the proper security awareness training and understand your organization’s procedural security controls. Social engineering penetration tests can include phishing assessments, vishing assessments, and on-site social engineering.
NetSPI’s social engineering security consultants practice empathy and collaboration during every assessment. Empathy is critical in social engineering because it is important to recognize that the employees being tested are human, and social engineering aims to manipulate human behavior. It is imperative to not punish an employee for clicking on a malicious link, rather, inform them to correct the behavior in a proactive, positive way. Collaboration is key to a successful engagement. At project kick off we work with our clients to identify key social engineering scenarios to avoid as well as employees that should or should not be targeted.
While user behavior may be one of the biggest risks to a hybrid workforce, it is also one of your greatest assets to defend against adversaries. If you can inform employees on how to practice the best behaviors to prevent social engineering attacks, you will stay one step ahead of adversaries at a pivotal point in time: the return to the office.
What is ransomware?
Ransomware is a type of malware, or malicious software. When infected with ransomware, organizations lose access to their systems and data, and cybercriminals demand a ransom in exchange for releasing the data. In more technical terms, adversaries encrypt your data and require you to pay nominal amounts of money for the decryption key. Typically, a ransom note pops up on a computer explaining the terms of the ransom, including the cost, form of payment, and deadline.
Not only is the threat of ransomware growing, but the impact of ransomware is also increasing. Attacks are becoming more sophisticated, and requested payments are getting larger. Here are five key ransomware trends to pay attention to right now:
Ransomware trends:
- The ransomware-as-a-service (RaaS) model is on the rise. With RaaS, attackers do not write the malware, they purchase and spread it. Commissions are paid to the developers for the use of the malware.
- Remote worker entry points are being targeted much more, including remote desktop, employee access gateways, and VPN access portals.
- Operational technology is a prime target. According to IBM Security X-Force, 41% of all ransomware attacks targeted organizations with operational technology (OT) networks.
- Email phishing, admin interfaces, and exploits are common entry points, and drive-by downloads (malvertising, force download, or exploit browser) are becoming more popular.
- Many threat actors that deploy ransomware attempt to disable backup/recovery capabilities, so victims are forced to pay if they want access to their systems and data.
Is my organization a good target for ransomware?
Every organization is susceptible to a ransomware attack, but there are a few considerations to be aware of that may increase your chance of falling victim.
- Are you in an industry that frequently is targeted by ransomware? It’s common for ransomware families to target multiple organizations in a particular industry given the attack surfaces are similar.
- Does your organization prioritize security? There are a few industries that have notoriously underfunded security programs, including higher education, startups, and small businesses.
- Does your organization store and manage high-value data? The higher value the data is, the greater the appetite for ransomware attacks. It’s more likely an organization will pay the ransom to get its data recovered if the data is extremely sensitive. Read: Healthcare’s Guide to Ryuk Ransomware.
How does ransomware work?
Step 1: Getting in | Adversaries can get into a network in numerous ways. Here are four vectors used to gain initial access:
- Phishing links and attachments.
- Using weak or default credentials to log into single factor remote management interfaces and desktop platforms such as Citrix, Remote Desktop, and VPN access points.
- Exploitation of common security vulnerabilities, including SQL injection, broken authentication, broken access control, and insufficient logging and monitoring.
- Unintentional download and execution of malware through obfuscation and/or social engineering techniques (drive-by downloads, malvertising, forced download, or browser exploits).
Step 2: Privilege escalation | Once in, adversaries work to exploit bugs, design flaws, or configuration oversights in an operating system or application to gain access to protected databases, file shares, and business sensitive data.
Step 3: Find and exfiltrate sensitive data | Attackers leverage well known techniques to quickly identify servers that may contain sensitive data and upload the data to systems on the internet.
Step 4: Ransomware deployment | Now it is time to deploy the malicious ransomware code. Ransomware can take many forms, including: locker (uses screen locking to block basic computer functions), wiper (deletes files on a timer), or crypto (encrypts important data and often includes a kill switch to delete data if the ransom is not paid by a specific time).
Step 5: Get paid for the decryption key | Often ransomware attackers request the ransom is paid in Bitcoin. Once paid, the likelihood of recovering the money is low. Even when money is returned, you’re not likely to get all of it back. For example, in 2021 the FBI recovered $2.3 million of the $5 million from the Colonial Pipeline attackers.
Step 6: Extort additional money by threatening to publish exfiltrated data | Adversaries exfiltrate sensitive data early in the ransomware deployment process so that, even if a ransom is paid, they can continue to threaten the organization and make more money.
Should I pay the ransom?
This is not a yes or no question – it depends on the industry regulations, the complexity of the situation, and the business risk. Payments entice bad actors and enable ransomware attacks to continue. Right now, no one is outright prohibiting direct ransomware payments or ransomware insurance claims. If we do not see new regulations restricting ransomware payment, hopefully, we will see governments offering some subsidies to small and medium businesses that can’t afford to partner with security firms but may be considered high-risk targets.
Best practices for ransomware protection.
While we wait for the global cybersecurity community to work toward a solution, organizations must get proactive about their cybersecurity efforts. Here are seven best practices to follow to protect your organization from a ransomware attack:
- Employee awareness, namely phishing prevention and education.
- Limit your external attack surface. Evaluate what you expose to the internet.
- Access management: Multi-factor authentication, strong passwords, and least privilege.
- Review and test your data backup plan often.
- Perform regular penetration testing to identify and remediate your vulnerabilities.
- Put your incident response plan, crisis communications and management plan, and business continuity plans to the test.
- Practice ransomware resiliency. The more proactive your security efforts, the better you will be able to prevent, detect, and recover from a ransomware attack. Download NetSPI’s ransomware prevention and detection checklists.
While we wait for the global cybersecurity community to work toward solutions, ransomware resiliency planning is going to become a priority for everyone. For more detailed insight on ransomware attacks, how ransomware works, and how to prevent and detect ransomware, download our Ultimate Guide to Ransomware Attacks.
On June 25, 2021, NetSPI Chief Operating Officer Charles Horton was featured in an Inc article:
It's tempting to think the average cyber extortionist has bigger fish to fry than your small business. Last month alone, hackers targeted the largest petroleum pipeline in the United States, Ireland's national health service, the city of Gary, Indiana, and numerous other big targets.
But while they may receive less attention, 50 to 70 percent of ransomware attacks are aimed at small and medium-sized companies, Secretary of Homeland Security Alejandro Mayorkas said during a U.S. Chamber of Commerce event in May. And changes in business practices, accelerated by the pandemic, have left small businesses even more vulnerable.
In ransomware attacks, cyber criminals use malware to take over and encrypt a victim's files and data, effectively holding the data hostage until they're paid to release it. The recent surge in remote work was a golden opportunity for hackers, who took advantage of out-of-date VPNs and unsecured home networks.
The consequences of a ransomware attack on a small company aren't as wide-ranging as those on a hospital or a public utility, but the result for the victim can be more crippling. An estimated 60 percent of small businesses fail within six months of an attack, according to the National Cyber Security Alliance. For the companies that do recover, repeat ransomware attacks are increasingly common: Roughly 80 percent of victims are hit a second time, according to a report from Boston-based cybersecurity firm Cybereason.
Small businesses are attractive targets because they typically lack the budget and resources to prevent, identify, respond to, and recover from threats. There are, however, some simple methods that can help, says Charles Horton, chief operating officer of cybersecurity firm NetSPI. Here are a few things he and other experts say you should know about ransomware.
To learn more, read the full article here: https://www.inc.com/amrita-khalid/ransomware-hackers-crime-cybersecurity-tips.html
In this presentation, NetSPI COO Charles Horton and Managing Director Nabil Hannan explore the evolution of “as a Service” offerings, and how these offerings are being applied successfully in application security programs. If you are working with the right partner, “as a Service” should go far beyond the traditional automated or cloud-based delivery models for both technology and expertise. When applied correctly, it can dramatically influence how internal resources and capital are directed and deployed and can provide the needed support to continue to improve and evolve your application security program and collapse timeframes for remediation. Unlike a traditional “as a Service” technology solution, AppSec as a Service combines both technology and human talent that is packaged for quick and easy consumption.
Through this discussion, learn:
- the core criteria that define an “as a Service” partnership
- the different options in an AppSec as a Service offering
- how AppSec as a Service can help you improve and evolve your application security program
As these offerings continue to increase and more vendors jump on the “as a Service” bandwagon, this webinar should serve as a guide to help organizations evaluate potential providers and ensure they are getting the most out of their relationship.
[wonderplugin_video iframe="https://youtu.be/W6JoXUFHlR8" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => A Key Ingredient in a World Class Application Security Program: AppSec as a Service [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => a-key-ingredient-in-a-world-class-application-security-program-appsec-as-a-service [to_ping] => [pinged] => [post_modified] => 2023-06-22 19:51:57 [post_modified_gmt] => 2023-06-23 00:51:57 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=24626 [menu_order] => 60 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [11] => WP_Post Object ( [ID] => 24952 [post_author] => 67 [post_date] => 2021-03-19 07:00:50 [post_date_gmt] => 2021-03-19 07:00:50 [post_content] => On March 19, 2021, NetSPI Chief Operating Officer (COO) Charles Horton was featured in RSA Conference: Navigating how to reap the benefits of automation and when to use manual processes is an age-old cybersecurity challenge. How can organizations achieve efficiencies without the support of automated technologies? How can they ensure they’re getting the most thorough coverage without the human touch? In my opinion, it isn’t an either-or. Organizations need both automation and manual strategies to ensure their assets are protected from cyberattacks, and there is much to learn from the penetration testing community. Pentesting is a great example of the importance of collaboration, not only between humans, but also between humans and machines. Penetration testing can be a balance of automation and manual efforts so that a cybersecurity program pays dividends. Read the full RSAC article to better understand the benefits (and potential limitations) of using the different approaches alone and learn how to strike balance between automation and manual efforts. [post_title] => RSA Conference: Striking the Balance between Automation and the Human Touch in Penetration Testing [post_excerpt] => On March 19, 2021, NetSPI Chief Operating Officer (COO) Charles Horton was featured in RSA Conference. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => rsa-conference-striking-the-balance-between-automation-and-the-human-touch-in-penetration-testing [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:50:57 [post_modified_gmt] => 2022-12-16 16:50:57 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=24952 [menu_order] => 420 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [12] => WP_Post Object ( [ID] => 21949 [post_author] => 67 [post_date] => 2021-02-23 07:00:39 [post_date_gmt] => 2021-02-23 07:00:39 [post_content] =>It is fairly straightforward, yet its meaning and value can vary. Formally defined, as a Service refers to a subscription-based delivery model designed to give customers maximum flexibility with little to no overhead. The same concept applies in cyber security, where we often see vendors managing a particular piece of technology for a customer that can also include services.
The as a Service delivery model has seen a tremendous evolution over the years and now takes many forms, from the foundational Software as a Service (SaaS) to the emerging Penetration Testing as a Service (PTaaS) – and there’s even a term for Anything as a Service (XaaS). The adoption of the delivery model continues to expand. Analysts expect the market to grow 24% by 2024 and Gartner anticipated that all new software providers and the majority of existing vendors would offer subscription-based business models by the end of 2020.
NetSPI recently launched Application Security (AppSec) as a Service to help organizations manage and mature their application security programs. To navigate the evolving landscape and better understand its value, this blog explores what it really means to deliver something as a Service and why an as a Service partnership for application security is valuable.
Four core attributes of an 'as a Service' partnership
It’s important to note that by purchasing something as a Service, it does not necessarily mean that you are outsourcing that product or service to a third party. The terms are often used interchangeably; however, they differ greatly. Recognizing the differences between outsourcing and entering an as a Service partnership is key to understanding the true value of the delivery model.
There are four key components that define an as a Service offering and contribute to the success of the program. The core attributes of an as a Service partnership are as follows:
- Collaboration: A successful partnership enables collaboration and information sharing between vendor and client on a much deeper level. Because the vendor should serve as an extension of a client’s team, they receive internal context that allows them to provide the needed technical depth, while also driving efficiency through technology innovation.
- Scalability: The ability to scale up or down to meet capacity and performance requirements is core to an as a Service partnership. It is essential for your vendor partner to work with you to forecast capacity needs and allocate necessary resources. Vendors should not only have the capability to scale up during a time of need, but also to redirect capacity to other areas at times where demand is less significant.
- Automation: Process automation helps free up your team members’ and vendor partners’ time to focus on more strategic initiatives. Any as a Service offering should incorporate some level of automation. For example, with NetSPI’s AppSec as a Service, automation and tools are deployed to support manual testers in finding application vulnerabilities that tools alone cannot.
- Continuity: Relationships such as an as a Service partnership need to be continuous to be most effective. Having continuity in your vendor partnership allows for greater understanding of business processes, the threats an organization is most likely to face, and techniques for preventing cyber-attacks. A long-standing relationship also supports trending data collection to track progress over time.
The value of Application Security as a Service
When I talk about an “as a Service partnership”, I mean that NetSPI, a partner, is working inside of a client’s program as an extension of their team.
With an AppSec as a Service partnership, clients gain dedicated technology and leadership that supports a scalable team of application security testers. It is a modular and scalable approach to application security comprised of multiple components that may be deployed as a complete program or individually, integrating with existing processes and technologies. We invest significant time, resources, and budget into onboarding our experienced consulting team into the client environment where there are specific nuances and requirements. Oversight and crosschecks are done to ensure expectations are met, to identify areas within the parameters of the project that may require more attention, and to report back to the client-side leadership with findings we uncover.
Throughout the partnership, there are touchpoints at the executive, technical, and project levels. At the executive level, we look at the metrics, communications, and structures in place to align to the program thematically. At the technical level, there is collaboration around process, technology toolsets, and ways to automate in a high-volume environment. And at the project level, we evaluate our resource planning, communications, and alignment with the client-side team.
There are many ways an organization can benefit from an as a Service partnership for its application security program. Here are a few to note:
- Add context to an environment. AppSec as a Service enables organizations to gain context inside of their applications by deepening their insight through technical testing and collaboration. The delivery model helps both client- and vendor-side teams better understand the attack surface to target its weaknesses.
- Reduce time managing expectations. Create more meaningful touchpoints inside of an organization and build trust by not having to manage multiple vendors, doing different things, through different processes. Having one single source of truth for all application security activities, one that is integrated into your program nevertheless, eliminates chaos around remediation.
- Support during staffing shortages. My colleague, Florindo Gallicchio said it best in his 2021 predictions. He wrote, “Cyber security leaders will be challenged by filling roles that require candidates with mid- to senior- level experience – and entry level job openings will continue to be in high demand. Because of this, companies will need to do more with fewer people. This will result in increased adoption of program-level partnerships with third parties or using vendors to fill in-house positions at scale.”
- Identify the right metrics. Goal alignment is clear-cut with AppSec as a Service given the vendor is aware of the day-to-day application security activities, has a direct line of sight into the goals and objectives of the program, and understands a business’s most valuable – and vulnerable – assets. Given this enhanced insight and context, your partner can help identify which metrics to track to communicate program progress and Return on Investment (ROI) to leadership team.
Whether it is application security, penetration testing, software, infrastructure, or anything, an as a Service delivery model can provide immense value to any organization. As these offerings continue to evolve and more vendors jump on the as a Service bandwagon, use the above criteria to evaluate potential providers to ensure you’re getting the most out of your relationship.
If your organization is currently leveraging the cloud, there’s a good chance you are either using Amazon Web Services (AWS) or Microsoft Azure. Together, these two products make up 51% of the market share for cloud service providers. Given the way many cloud adoption programs operate, you might be using both. No matter which platform you’re on, it is important to note that each cloud provider has its own security considerations.
First, we should cover some background around cloud computing and security. With traditional on-premise models, security teams have access to established tools, technologies, and methodologies for dealing with security events in the environment. The cloud on the other hand, has relatively fewer security tools, resources, and established procedures available, as well as an overall higher probability for data to be exposed if a mistake is made.
As organizations migrate their resources from on-premise environments to the cloud, significant “technical debt” may also occur. Meaning there may be a lack of understanding around the technical aspects and security risks of the cloud environment. Nevertheless, organizations continue to migrate to the cloud, as its benefits often outweigh potential security concerns. Among the top reasons for cloud adoption is providing access to data from anywhere, disaster recovery, flexibility, and relieving IT staff workloads. These benefits, among others, are why organizations pay and trust cloud providers to host and manage their data and applications – but should they rely on the providers for security?
While both AWS and Azure certainly have robust cloud computing security efforts in place, it is important to understand that cloud security is a shared responsibility among providers and organizations. While cloud providers will provide underlying security for the platform infrastructure, the users of the platform still need to securely configure cloud services. This is where cloud pentesting becomes critical to organizations using the cloud.
Cloud Penetration Testing 101
Cloud penetration testing is used to identify security gaps in cloud infrastructures and provide actionable guidance for remediating the vulnerabilities to improve an organization’s overall cloud security posture and achieve compliance. Testing can differ between cloud platforms and knowledge of the nuances can help your organization reach cloud security maturity.
There are three main components to NetSPI’s cloud pentesting methodology:
- Internal Testing: Testing the internal networks and services, much like you would an on-premise data center or on-premise network for internal virtual network vulnerabilities.
- External Testing: Testing any services that may be exposed to the Internet; Services that are fully run and operated by the cloud provider, like Azure app services, or any network services that may be externally exposed through virtual machines or firewalls.
- Configuration Review: An analysis of the services that are being used in a specific cloud provider to identify misconfigurations, enumerate available services and the network architecture, and learn how everything is being implemented inside of the environment. Notably, configuration review informs internal and external pentesting engagements.
For an introduction to cloud pentesting watch this webinar: Intro to Cloud Infrastructure Penetration Testing.
AWS versus Azure Cloud Pentesting
From an external and internal network pentest perspective, AWS and Azure are fundamentally similar. Some may argue that one or the other is slightly more likely to have external issues arise, but where AWS penetration testing and Azure penetration testing differ greatly is in the configuration review process. Given that they are two separate platforms, they will have different approaches for services configuration.
Let’s start with Azure. As part of the migration to Azure, the on-premise Microsoft network, users, and groups (commonly tied to Office 365) are all transitioned to Azure Active Directory. As this happens, it can create situations where users from the on-premise environment are given direct, or indirect, rights to resources in the cloud. Whether users or administrators are aware, these accounts are now targets for attackers, as the attacker might have an easier time going after a non-administrative account from the internet.
While AWS can integrate (or federate) directly with Active Directory, AWS has its own Identity and Access Management (IAM) platform. The IAM system in AWS can be complicated, and if administrators are not careful, they can easily grant exploitable permissions to IAM users through policies and roles. A common target for privilege escalation in AWS is EC2 instances that are configured with excessively permissioned roles. If an attacker can gain access to the EC2 instance, they can use native AWS technology to escalate their privileges in the account.
Each of the cloud platform’s vulnerabilities can be correlated with the way the identity and authorization policies are applied to the different applications and services hosted in the cloud. NetSPI’s goal during a cloud penetration test is to identify these vulnerabilities and show how these issues could be practically exploited in a cloud environment.
Regardless of the platform, investing time to understand your chosen cloud provider and its architecture will help security teams avoid “technical debt”, and be better prepared to efficiently find and fix vulnerabilities in any of the services specific to each cloud provider. Look for an experienced penetration testing company like NetSPI to test your Azure, AWS, or other cloud infrastructures as part of internal testing, external testing, and configuration review.
Data from the Bureau of Labor Statistics shows that information security professional employment is projected to grow 32% between 2018 and 2028, much faster than the average for all occupations. Those statistics mirror what we are seeing at NetSPI – a demand for information security professionals to create innovative solutions to prevent hackers from stealing critical company assets or intellectual property.
Twenty years ago, the role of a cyber security professional revolved around securing the perimeter. Today, cyber security has evolved and matured, along with the attack landscape. CISOs are responsible for many things, from preventing breaches and instilling ongoing security and vulnerability management programs, to internal/external leadership and even reporting to the board. Learning from the past as we plan for the future, I’m confident that the role of the cyber security team will continue to evolve, making it is imperative that organizations build and invest in a team with staying power.
Humbly speaking, with the tenure of many NetSPI team members at 10 years or more, we are fortunate to be able to offer our clients quality – and consistent – counsel because we have built a mindset around focusing on building teams with staying power. In this blog, I’ll share some insight into NetSPI’s commitment to team building in the hopes that it can provide guidance for your own workplace development (or even to serve as criteria for hiring your third-party testing team).
Hire for Experience, but also for Thirst of Knowledge
After hiring numerous professionals throughout the years, I’ve noted that there are a number of things, beyond experience, that can come together to make a person great in this profession. Someone who is a self-starter or is ambitious, oftentimes is a great team member. Further, an individual who works on projects outside of work or school demonstrates to me a passion for the profession.
Yet, two traits that are more difficult to recognize at first are the more unique soft skills: memory recall and curiosity. Individuals who have memory recall, who can understand patterns and relationships, usually gain an advantage when it comes to thinking like an attacker and recognizing familiar trends, while working as part of a client consulting team. And the highly curious person often has an innate drive to pick things apart, skills that are fundamental to success when the technology landscape becomes more complex by the day and emerging technologies continue to open new doors to hackers. Technology vulnerabilities are there – and a curious person is more apt to see find exposures so remediation can commence.
Interesting Data on Memory: In a Scientific American article, Northwestern University psychologist Paul Reber states that the human brain consists of about one billion neurons, amounting to more than a trillion connections. Neurons combine so that each one helps with many memories at a time, exponentially increasing the brain’s memory storage capacity to something closer to around 2.5 petabytes (or a million gigabytes). For comparison, if your brain worked like a digital video recorder in a television, 2.5 petabytes would be enough to hold three million hours of TV shows. You would have to leave the TV running continuously for more than 300 years to use up all that storage. |
Make Training and Continuing Education Fundamental
Today’s college graduates in the technology or cyber security fields, or even those with just one to two years of experience, have a definite thirst for knowledge. Our organization has found that investing in feeding that knowledge has paid dividends and has manifested in our proprietary NetSPI University.
Each year, through NetSPI University, we take new cyber security talent through a six-month continuous improvement and training program that consists of internal and external educational courses, technical labs, shadowing programs, and cross training. Why do we make this investment? The reason is two-fold. First, it is part of our DNA and culture to continuously improve (truly, at all levels of the organization). Secondly, our ability to outpace attackers is due to our talent and our culture. Our clients respect that, and in some cases, seek out our counsel in putting in place their own training programs. In the long run, organizations benefit from investing in their teams.
Focus on Measures Outside of Just Technology Competencies
In Nabil Hannan’s inaugural edition of his Agent of Influence podcast (with the excellent title of “Cyber Security Education and the Ethics of Teaching Students to Break Things”), he states that “some of the most successful people who he’s seen in cyber security are usually very adaptable – they learn to adapt to different situations, different scenarios, different cultures, different environments.” He goes on to point out that this is critical as technology is always evolving, as are the security implications. I couldn’t agree more. In fact, I think it is a hiring measure – adaptability or agility outside of technical competencies – that is undervalued. I write about the importance of agility here.
What’s more, organizations that provide a framework for performance – meaning evaluation measures on quality, technical depth and outcome – help not only the team member, but the organization as well. But I argue that agility measures should also be part of the framework for performance so that team members can bring their own skills and perspectives to each and every engagement and incorporate their individual style. This not only benefits the employee and the client, but an organization can then apply that individual’s insights across the whole team to make the organization better and smarter. Additionally, organizations need to understand that a dynamic culture, one that puts in place the building blocks to enable people to enjoy working together pays dividend in terms of work product, retention, and recruitment.
In my opinion, cyber security professionals have the best job in the world. They get to ethically hack into some of the largest companies. With that comes responsibility. Because of the importance of the work that cyber security professionals do day in, day out, its critically important that organizations provide opportunities for these talented individuals to grow, stay on the cutting edge, and to lead. A commitment to building a team with staying power through a commitment to training and development of the next generation of security professionals is imperative as the profession continues to grow to meet the growing demands of the job.
[post_title] => How to Build a Cyber Security Team with Staying Power [post_excerpt] => Data from the Bureau of Labor Statistics shows that information security professional employment is projected to grow 32% between 2018 and 2028 [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-to-build-cyber-security-team-with-staying-power [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:50:55 [post_modified_gmt] => 2021-04-14 00:50:55 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=19777 [menu_order] => 470 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [15] => WP_Post Object ( [ID] => 18995 [post_author] => 67 [post_date] => 2020-07-07 07:00:25 [post_date_gmt] => 2020-07-07 07:00:25 [post_content] =>Depending on the industry an organization is in, there are a multitude of specific, acronym-heavy rules, regulations, and frameworks which must be adhered to, especially for industries with extremely sensitive and valuable data, including healthcare, banking, and energy. For many years, these compliance-first frameworks – HIPPA for healthcare, PCI-DSS for credit card handling, and NERC-CIP for energy companies, to name a few – were the structure around which IT leaders managed their security programs. To further complicate things, there are multiple compliance-based frameworks that overlap and even others that are specific to the states in which an organization does business, like CCPA. A common example of cyber security compliance? Once a year (typically) organizations are required to have an outside, third party evaluate its programs. Voilà! An organization is secure, right? Not always.
In my opinion, building your security program around a framework for compliance, ensures an organization is compliant, but doesn’t necessarily make it secure. In fact, if you’re simply implementing a security strategy to check a box, it’s likely that your systems are vulnerable to cyber adversaries. While security is foundational in these compliance-based frameworks, historically it was deemphasized for a period of time. But things are changing – specifically, the way we think about security is shifting away from a compliance-first mindset. Big data breaches got the attention of Boards of Directors from a financial (read: fines, lawsuits) and reputational loss standpoint. From a technology standpoint, there’s no longer an inside and outside of the organization and just defending perimeters with firewalls is no longer adequate. And, one more example, with a move away from a waterfall release of applications to a more agile development philosophy, it makes business sense to elevate the frequency of vulnerability assessments, even moving to a continuous, ongoing monitoring of internet-facing attack landscapes to more adequately protect against unauthorized access to an organization’s intellectual property.
Organizations that have a more mature technology footprint are surely interested in doing everything they possibly can to find and fix vulnerabilities. And even in a mature scenario, there’s ample opportunity to put in an action-based framework that ties up to an organization’s controls and security framework. Consider this: the world’s leading research organization, Gartner, found that between 2014-2018 approximately 41 percent of clients had either not selected a framework or had developed their own ad hoc framework. It goes on to show that failure to select any framework and/or build one from scratch can lead to security programs that:
- Have critical control gaps and therefore don’t address current and emerging threats in line with stakeholder expectations.
- Place undue burden on technical and security teams.
- Waste precious funding on security controls that don’t move the needle on the organization’s risk profile.
How can we begin to administer a security-based framework? Quite simply, just begin. It doesn’t have to be perfect from the get-go. Consider it a work in progress. After all, the threat actors, technology assets, and detective controls are constantly changing. Thus, you will need to constantly change and adapt your continuous, always-on security and vulnerability management program. Here are some best practices to help you begin implementing your security-based framework changeover.
- Evaluate the landscape: Determine whether there has been a security framework or controls catalog developed for your specific industry sector. The NIST Cybersecurity Framework is a good place to start. But what happens when there is no industry-specific or government-mandated security framework and control catalog? In this case, security capability maturity and team capacity and capability become the key inputs in selecting your security control framework and control catalog. (Source: Gartner)
- Engage with organizational leadership outside of technology: Develop a scrum planning team with legal, risk, and front-line business unit representatives to help identify discrete regulatory or legislative obligations that need consideration.
- Audit your internal and external environment: Identify the contextual factors that could influence your selection of security framework and control.
- Invest in your people: Admit to technology fatigue and that some significant investments aren’t optimized to meet set objectives or are redundant. Instead, invest in a people-first, pentesting team that can approach security from the eyes of an attacker.
- Develop a plan based on continuous improvement: Combine manual and automated pentesting to produce real-time, actionable results, allowing security teams to remediate vulnerabilities faster, better understand their security posture, and perform more comprehensive testing throughout the year.
Remember: Just because an organization’s cyber security program is compliant, doesn’t mean it is secure. If an organization approaches its security programs from a security-first mindset, most likely it will comply with the necessary compliance rules and regulations. I see compliance as a subset of security, not the other way around.
Back in the mid-1960s, computer experts warned of the inevitability of bad actors trying to access information across computer lines. In fact, InfoSec Institute cites that “at the 1967 annual Joint Computer Conference…more than 15,000 computer security experts, government and business analysts discussed concerns that computer communication lines could be penetrated, coining the term [penetration testing or white hat testing] and identifying what has become perhaps the major challenge in computer communications today.”
Fast forward to 2020 and businesses will find that the pentesting industry is made up of a lot of providers offering vulnerability management services. But does that mean all penetration testing services offer the same results? Simply stated, the answer is no. To help organizations choose the right team for their pentesting and vulnerability management (VM) programs, consider the following four paradoxical attributes that should help CISOs and CIOs select a top penetration testing partner.
Pentesting Should be Agile, Yet Consistent Over Time
It’s important to hire a talented penetration testing team – one that’s able to look at the environment through the eyes of an attacker and bring their insights of technical risk to the table as the environment and technology become more complex over time. The pentesting team needs to be agile to continuously improve and evolve to meet the ever-changing and elevated risk and complexities that your business may face.
While evaluating agility, it’s important to also look at consistency. Does your potential pentesting partner have a team orientation versus just an individual, or outsourced consultant, who owns the knowledge? What if that individual moves on to “greener pastures?” It’s my recommendation that you shouldn’t consider a white hat tester who acts alone. Rather, choose a pentesting team built around a consistent delivery of quality, service, and results, that can be an extension of your internal team and will bring you the foundational support you need in your vulnerability management program.
The Pentesting Process Should be Custom Yet Standard
With 640 terabytes of data tripping around the globe every minute, is it possible to put standards around your vulnerability management program? In my opinion, it’s not only possible, it’s a necessity.
Who you get doesn’t have to be what you get, as people so often think. From project management workflows and practitioner guides to standardized pentest checklists and testing playbooks, at NetSPI we have formalized quality assurance and oversight so we can deliver consistent results, no matter who your assigned NetSPI security consultant is. With these standardized processes in place, when new vulnerabilities are identified, we are able to quickly mobilize and study the attack scenario, and if appropriate, we add that specific vulnerability to our pentest checklists for future assessments.
Having said that, every situation has its nuances. While understanding that no organization is the same, there may be some commonalities between industries, like similar regulatory bodies to comply with, for example. This allows pentesters to put some standardization into their process while allowing for customization and flexibility that is unique to the client environment from a business or technical perspective.
Technology/IT Should be Automated to Increase Manual Pentesting
Automated scanning is foundational to any penetration testing program. It’s how an organization handles the thousands of results from those scans that is crucial as there will be duplicates, false positives, and many, many data points, oftentimes delivered in spreadsheets or PDFs. Your internal security/IT team is then tasked with sifting through, sorting, and evaluating that data. Is that administrative work the best use of their time?
In my opinion, your internal team should focus on finding solutions for effective and fast vulnerability remediation, rather than spending their time heads down in administrative tasks. It’s up to your pentesting team to identify and communicate the priority vulnerabilities, not hand you a document and wish you luck. Look for a penetration testing provider who has tools in place to automate pentest reporting functions and deliver results that can be easily sorted and acted upon so that the majority of human capital investment is focused on finding and fixing vulnerabilities. A favorite quote of mine from NetSPI product manager Jake Reynolds exemplifies the mindset of those individuals working to solve the technical complexities of vulnerability management (VM), “I want to hack and secure the largest companies in the world…I participate in solving real world problems that affect companies and people across the globe."
A Focus on Internal R&D Will Strengthen the Entire Security Community
Being able to collaborate with a team is critical in our client relationships. We instill that collaborative mindset through an intense and immersive training program, NetSPI University, for entry-level security testing talent. Why dedicate so much time to continued education and mentorship? At NetSPI, we are consistently asked to see around corners and penetration test more and more complex environments. So, training and collaboration are key to helping us grow and scale pentesting talent to meet our industry’s evolving needs.
Training and collaboration can’t, and isn’t, just a NetSPI initiative. Collaboration and innovation are key to evolving as an enterprise and as an industry. As I wrote in this blog post, pentesters are intensely creative and have highly curious technical minds, and our team strongly believes that the effort we place in research and development with our colleagues should be shared with the broader security community. Case in point? The NetSPI blog is a treasure trove of information for the pentesting community at large, along with the content on our open source portal.
Final words on this subject: Penetration testing services are the same by definition, but none are created equal. When hiring a penetration testing service provider to test your applications, cloud, network, or perform a red teaming exercise, think beyond whether they can simply identify vulnerabilities. Consider pentesting talent, processes, technology, and culture to ensure you’re getting the most value out of your partnership.
[post_title] => Penetration Testing Paradox: Criteria for Evaluating Pentest Providers [post_excerpt] => Since the mid 1960s, computer experts warned of the inevitability of bad actors trying to access information across computer lines [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => the-penetration-testing-paradox-criteria-for-evaluating-providers [to_ping] => [pinged] => [post_modified] => 2024-03-29 17:15:00 [post_modified_gmt] => 2024-03-29 22:15:00 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=18693 [menu_order] => 509 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [17] => WP_Post Object ( [ID] => 17755 [post_author] => 67 [post_date] => 2020-03-17 07:00:40 [post_date_gmt] => 2020-03-17 07:00:40 [post_content] =>Pentesting has attracted a workforce filled with intensely creative and highly curious technical minds. Ironically, however, we see vulnerability management programs advance and accelerate when creativity is paired with a framework that drives quality and consistency. Is this an indication that our industry has matured to the point that the level of innovation is diminishing? Far from it. In fact, the best cybersecurity programs and providers incorporate and embrace both innovation and consistency.
Innovation Remains Mission Critical
First, it’s important to understand that there are a couple ways to define innovation. The first, of course, is through the lens of creativity and disruption. Attackers don’t have any boundaries when it comes to figuring out how to exploit a program or system; neither should cybersecurity teams. Finding new ways to break things is a critical part of the job.
A second way to define innovation is more pragmatic. While companies need to address large volumes of vulnerabilities and develop strategies to remediate them, most security teams are faced with doing more with less due to budget restrictions, lack of resources, and other constraints. The only way to accomplish this is to adopt some level of automation. Moreover, automation is critical for handling mundane or repetitive processes to free up time for humans – pentesters, developers, and others – to exercise their creative minds. As in any industry, automation enables people to perform at their highest potential, and when used correctly, it becomes a force multiplier.
Consistency Plays a Vital Role, Too
As partners to large corporations and other organizations that have extensive testing programs, we must have consistency in our testing approach. When we find a new vulnerability within one client’s environment, our consistent, systematic process enables us to add that one vulnerability to a checklist for each and every test we do in the future, regardless of the individual tester. This process frees up time for our team of pentesters to be more innovative in finding ways to exploit a program or system, while also ensuring as much coverage as possible.
Another way to approach consistency is through more regular testing for vulnerabilities instead of performing a pentest on your network as an annual compliance tool that results in static PDF reports with out-of-date vulnerability information. As a best practice, vulnerability management measures should employ continuous monitoring, with real-time reporting that enables companies to remediate vulnerabilities as quickly as possible. This new paradigm, known as Penetration Testing as a Service (PTaaS), employs both automated scanning and manual tests that dive deeply into applications and networks.
Striking a Balance Between Innovation and Consistency
How our industry maintains the balance between innovation and consistency should start with our people. While it may seem easier to screen for skills versus personality, the goal is to look for people that can not only think like an attacker, but also excel within a framework that supports individual agility, and leads to a consistent and high quality outcome. A tip? Search for individuals who have an interest in information sharing and bettering the larger security community; those who develop new tools (or improve existing tools) and participate in continuous learning in their free time typically have the capability to be extremely innovative. With a well-rounded workforce and mindset, organizations can gain an edge on their competition, disproving the notion that who you get determines the quality of the services delivered.
To be successful in the world of vulnerability management and pentesting, it’s critical that providers offer a balance between creative disruption and methodical, systematic structure. Together, both right-brained and left-brained talent and solutions result in the very best tests that help organizations stay ahead of ever-changing attack surfaces.
[post_title] => Innovation and Consistency: The Right and Left Brain of Vulnerability Management [post_excerpt] => Pentesting has attracted a workforce filled with intensely creative and highly curious technical minds. Ironically, however, we see vulnerability management programs [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => innovation-and-consistency-the-right-and-left-brain-of-vulnerability-management [to_ping] => [pinged] => [post_modified] => 2024-03-29 17:29:47 [post_modified_gmt] => 2024-03-29 22:29:47 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=17755 [menu_order] => 533 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 18 [current_post] => -1 [before_loop] => 1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 27755 [post_author] => 67 [post_date] => 2022-05-11 09:30:00 [post_date_gmt] => 2022-05-11 14:30:00 [post_content] =>On May 11, 2022, NetSPI's COO Charles Horton was featured in the DarkReading article, Breaking Down the Strengthening American Cybersecurity Act. Preview the article below, or read the full article online.
+++
The Cyber Incident Reporting Act, which was signed into law on March 15, is federal legislation aimed at bolstering the ability to prevent and more rapidly respond to cybersecurity attacks. While it won’t take effect until final rules are determined, it’s one of three parts of the Strengthening American Cybersecurity Act that is aimed at bolstering the cybersecurity of critical infrastructure and the federal government. The need for such an act has become intensified by the situation in Eastern Europe, as cyber warfare has proven to be a key and effective attack tactic for Russian nation-states.
Under the Cyber Incident Reporting Act specifically, critical infrastructure operators and federal agencies are required to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours.
The overarching Strengthening American Cybersecurity Act will update current federal government cybersecurity laws to improve coordination between federal agencies, ensure the government takes a risk-based approach to cybersecurity, and require all civilian agencies to report all cyberattacks to CISA.
Overall, the act demonstrates increased recognition of the need for better policy in place to prevent attacks on a larger scale, and highlights the impact the US government can have on cybersecurity efforts within organizations.
But to truly understand the magnitude of the act's potential impact, we must first gain insight into the current threat environment, while acknowledging the legislation's benefits and limitations. Let's explore.
Cyber Threats Show No Signs of Slowing Down
The recent cyber threats against Ukraine have signaled the need for heightened protection measures, while also demonstrating the large-scale consequences of a cybersecurity attack on an entire country. For example, several Ukrainian government and bank websites were recently offline as a result of a massive distributed denial-of-service (DDoS) attack.
Shortly following these attacks, a new "wiper" malware targeting Ukrainian organizations was discovered on hundreds of machines. These security incidents are suspected to be carried out by Russian cybercriminals, creating a new digital warfare environment that has taken organizations by storm.
One cause for concern for countries that have imposed sanctions against Russia is the potential of cyberattack retaliation. In addition to the escalating geopolitical tension in Eastern Europe, security teams continue to face an overwhelming amount of ransomware attempts, with malicious actors – not just from Russia, but across the world. In fact, approximately 37% of global organizations said they were the victim of a ransomware attack in 2021 — and that figure is only expected to increase this year.
Through the Strengthening American Cybersecurity Act, a new foundation is created for both public and private sector organizations, enabling them to create larger-scale defenses against nation-state actors while better bolstering protection against the continuous cyber threats they grapple with each day.
Continue reading the full article online.
[post_title] => DarkReading: Breaking Down the Strengthening American Cybersecurity Act [post_excerpt] => On May 11, 2022, Charles Horton was featured in the DarkReading article, Breaking Down the Strengthening American Cybersecurity Act. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => darkreading-breaking-down-the-strengthening-american-cybersecurity-act [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:38 [post_modified_gmt] => 2023-01-23 21:10:38 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27755 [menu_order] => 271 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 18 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 1fc6810edfd1d92ad97bc4fd7d7521e2 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )