Nabil Hannan

Nabil Hannan is a Managing Director at NetSPI. He leads the company’s advisory consulting practice, focusing on helping clients solve their cyber security assessment and threat & vulnerability management needs. His background is in building and improving effective software security initiatives, with deep expertise in the financial services sector. He has over 13 years of experience in cyber security consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he identified, scoped, and delivered software security projects (architectural risk analysis, penetration testing, secure code review, malicious code detection, vulnerability remediation, mobile security assessments, etc.). Nabil has also worked as a Product Manager at Research In Motion/BlackBerry, where he managed several flagship initiatives and projects through the full software development life cycle.
More by Nabil Hannan
Q&A: Diana Kelley Discusses ROI, Application Security, and Inclusivity
Published July 20, 2021

Cybersecurity leaders hold one of the most difficult positions today, as they’re often tasked with protecting an entire organization from sophisticated threats with limited resources. I recently sat down with Diana Kelley, founding partner and CTO at Security Curve, on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management, to discuss key challenges and opportunities security leaders face today. Read on for highlights from our conversation around communicating cybersecurity ROI, building an application security program, inclusivity in the cybersecurity industry, and more.

Nabil: Connecting and conveying a particular message to the C-suite is a common challenge across the security industry. What has worked well for you when communicating ROI or asking for budget from leadership? 

Diana: Cybersecurity ROI can be tough to communicate. First, remember, if you're going to the executives or presenting to the C-suite, you have to look at the world through their lens. We tend to, as technical people, look at it through our lens, which is okay for our understanding, but it is the fiduciary responsibility of the stakeholders of the company to make it profitable. It is important to always think about that, think about how security translates to profitability. Do not go into a leadership or board meeting with technical detail; go in there with “this is what it means” or “this is how it impacts our bottom line.”

Second, do not dismiss the fact that their lens is different, as if it is somehow denigrated. The craziest thing I’ve experienced was a technical person in front of a board of directors saying, “I'm the risk expert here.” They may have been the technical risk expert, but they didn't understand that the job of the board is risk assessment. It's a different lens of risk assessment, focused on business and profit, but it's still risk.

People always say to speak in the language of business. The way to do this in practice is to remember their lens of profitability, remember that risk is about business risk, and then tie your technical risk in a business way that isn't deeply technical, but is very strong and powerful. You can also share examples, such as, “Did a similar customer lose money due to a competitor having the same problem?” or “Is there new legislation coming down the pipeline that's going to change our implementation and strategy?”

Finally, do not forget to engage leadership in the decision-making process. You want to avoid being demanding, which often happens after a breach or audit. Early on, engage with leadership and communicate the security issues, what it could mean to your profitability, and explain how the security team can help improve or protect the business in the future. Most importantly, ask if they agree that the investment is a good way to spend the organization’s money and ensure you have a consensus. 

For more on how to showcase the ROI of cybersecurity, read NetSPI’s Five Metrics to Showcase the ROI of Pentesting.

Nabil: Let's talk about application security. What insight would you give people as they try to decide what frameworks they should use and how to navigate the different options out there?

Diana: Organizations must get an application security program in place – a secure software development lifecycle (SSDLC). This is the most critical part. As far as frameworks go, BSIMM is a good option to understand what other companies that look like you are doing in terms of application security. It allows organizations to have a maturity model to build towards. 

Have a framework in place to start implementing an application security program, create standards for your developers, and start application security testing early on. Identify your application security requirements and understand the threat model so that you can start to build and think about the test harness as soon as possible. It's more important to start implementing rather than focusing on which framework you choose.

It concerns me that now we're getting into this big shift in the enterprise where we're no longer writing code from the ground up, we're doing a lot of low-code no-code. This is fantastic in terms of what we're able to build and how quickly we're able to build it. But companies that are now creating low-code no-code solutions are using a lot of functions and libraries and they are not thinking about it as custom-built code. 

I've heard many times, “we don't actually build any applications.” Then, you start talking to the company and you find out that they have many scripts that are pulling in functions from the cloud, they're using cool tools like Zappy or Airtable, but they're giving access into parts of their data sets, and they don't realize those scripts are code. I'm hopeful that companies don’t solely have an application security program in place, but also an understanding that they need to extend this program to the low-code no-code serverless world that we are moving towards.

Nabil: A lot of the work that you do is focused on inclusivity in the security industry. What advice do you have for security leaders looking for new talent?

Diana: With Women in Cybersecurity (WiCyS) specifically, we’re very focused on bringing women into cybersecurity, but there are many different non-profits out there that are looking at cohorts and sectors that have not been involved in cybersecurity in the past. I think security leaders could benefit from getting involved with these organizations to look for internships or externships.

It's very common for leaders to say, we can't find any diverse talent and we had to hire somebody who looks like everybody else because there were no other candidates. Often, it's not that you didn't look far enough or hard enough. And that may be because they're not in your network. If your network doesn't extend out broadly to different groups of people, then work to expand it. 

Be open to people that may not have college degrees, as every job in cybersecurity doesn't necessarily need a four-year liberal arts degree. Maybe there is somebody who has recently graduated from high school that's completed the right training. Rethink what you know, how you're hiring, who you're hiring, open that aperture wider, and work with those communities that are encouraging inclusivity. 

Another tip is to think critically about how you’re writing job descriptions. There is research that shows that women will not apply for a job unless they match about 90% of the criteria or higher, whereas men will apply if they only match 50%. If you write a job description that includes every experience and skill under the sun because you want to get great resumes, what you’re actually doing is turning off the candidates who are reading that job description and believe that, if they don't have 90 percent or 100 percent of the criteria, they're not going to be eligible for the job. Rethink your job descriptions: do not gender the job descriptions and make sure that they're not overstuffed. Write it for what you are looking for and focus on what is important. You’ll be surprised at the resumes it brings in.

Listen to Agent of Influence Episode 30 featuring Diana Kelley
Source: https://www.netspi.com/?p=25984

TechTarget: 4 healthcare risk management tips for secure cloud migration
Published July 16, 2021

On July 16, 2021, NetSPI Managing Director Nabil Hannan was featured as a guest contributor for TechTarget:

At the end of the day, for those of us on DevSecOps teams, it is all about managing risk, even in the highly regulated healthcare industry. Compliance around medical records and privacy concerns is a driver, so development and security professionals must take aggressive steps to prioritize risk management as the healthcare industry continues to be a frequent target of bad actors. According to Gartner, the worldwide end-user spending on public cloud services is forecasted to grow 18.4% in 2021 to a total of $304.9 billion, up from $275.5 billion in 2020. "The pandemic validated the cloud's value proposition," Gartner Research Vice President Sid Nag said.

The monetary loss from cybercrime goes beyond just affecting healthcare with an estimated $945 billion cost in 2020, according to McAfee. For those working in the healthcare industry, realize that a 2020 breach analysis report by IBM and Ponemon Institute found that healthcare breaches were the costliest. In other words, not managing risk is expensive.

Gartner also reported that COVID-19 forced organizations to preserve cash and optimize IT costs, support and secure a remote workforce, and ensure resiliency. And the cloud became a convenient means to address all three. If this scenario sounds familiar to your organization, the following are four insights to consider that will help to protect data in the cloud.

Read Nabil's 4 tips for secure cloud migration on TechTarget's SearchSecurity: https://searchsecurity.techtarget.com/post/4-healthcare-risk-management-tips-for-secure-cloud-migration

Source: https://www.netspi.com/?p=25942

The Evolution of the Chief Risk Officer
Published June 15, 2021

It is amazing how much the cybersecurity industry has grown and evolved over the years. If you look back even just a couple of years, the strategic conversations we were having have certainly changed. The space is evolving, and each of us in the industry is having to evolve with it to stay current. One area that has evolved greatly over time is risk management, specifically the role of the Chief Risk Officer.

To dig deeper on its evolution, I sat down with CEO and founder of Risk Neutral Jeff Sauntry on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management. Read on for highlights from our conversation around risk management, the role of the Chief Risk Officer, and more.

Nabil: Let's start by talking about risk management. How did you make that transition from cybersecurity to risk management?

Jeff: For me, it was a natural evolution to upskill my vocabulary as I started interacting with more senior business leaders and board members. When the board members and the C-suite have normal discussions, they're still discussing challenges and opportunities, but they're speaking in terms of risk, cost, and outcomes. In cybersecurity, we're often discussing threats and consequences. Something was getting lost in translation, so I decided to build on my strong technical and cybersecurity background and dig into risk management and the ability to become a more effective communicator.

Nabil: What would you say are some of the key characteristics that make someone great at risk management?

Jeff: My whole career had risk management components to it, but I did not yet understand risk as an empirical domain. That’s one of the reasons I chose to make this pivot. I also made the investment of time and resources to go to Carnegie Mellon and get my Chief Risk Officer certification. What was great about that is I went from being very myopic, maybe talking about technology, operational, or compliance risk, to opening my eyes to the fact that there are five major risk categories that every business has to worry about: strategic risk, which is by far the most important (if you don't get that one right, nothing else matters), then operational, finance, and compliance risk, and then reputational risk, which comes into play if any of the first four fail.

Nabil: Tell me more about your experience at Carnegie Mellon.

Jeff: Most of us in cybersecurity are very familiar with some of the great work Carnegie Mellon has done with the maturity model of Capability Maturity Model Integration (CMMI) and the insider threat program, and they have been a great partner with the government in terms of coming up with funded cybersecurity programs. I was familiar with the quality of the Carnegie Mellon products and insights, and when I read the curriculum, I thought to myself, “this is going to be really awesome.” One thing I wanted to avoid was a course composed entirely of fintech leaders. For a lot of people, fintech and financial services firms lead the way in terms of Chief Risk Officers and managing risk from a quantifiable perspective. But I knew the risk domain was much bigger and I wanted to be a well-rounded risk professional. Having a very broad group of peers in my cohort really helped me, as did the caliber of instructors they brought in who could talk about the different ways to look at risk. I feel that I can now talk about enterprise risk management programs and not have such a myopic view around cybersecurity-, technology-, or compliance-related risk.

Nabil: Do you think the way organizations approach cybersecurity risk today needs to evolve?

Jeff: One hundred percent! It's one of those things that you're embarrassed about because you've been part of the problem for so long. We have to take a hard look in the mirror. I've looked back at some of the conversations I’ve had and they're almost cringeworthy. Given the knowledge I have gained in the last two years about risk management, I wish I could go back and redo conversations with certain clients. 

Nabil: From your experience, how has the role of the Chief Risk Officer evolved?

Jeff: A big part of this evolution is the cybersecurity profession. In general, cybersecurity is very focused on technical skills. That's naturally how a lot of us come up through our profession and education. But, it's even more important to understand that if you can't explain the outcome of your results or your findings, it's not going to resonate with clients. It's as if you never did a security engagement if you can't get the message or the impact across. That's where I think the risk management professional is evolving: improving soft skills so that cybersecurity risk can have a seat at the table rather than someone coming in to tell them that the sky is falling. The Chief Risk Officer has to be a true peer to the rest of the C-suite; they should even have a solid line into the board of directors. Most companies should think about having a dedicated Risk Management Committee at the management level that's complemented by one at the board level so that risk gets the right amount of time and attention. Then, you’ll have people with the right skill set in the room having the right discussions.

One of the important things that came out of the financial services industry is that they found if you embed risk managers structurally within each business unit, there to please their boss and rubber stamp high risk decisions, it can end badly. This is part of what got us into the problem of the big financial meltdown in 2008/2009. It should have been a canary in the coal mine moment for risk management as a profession to say, “you have to be very careful about allowing the Chief Risk Officer to operate independently.” They need the right reporting structures and shouldn’t be allowed to be fired on a whim because they raised their hand and said, “I think this is a little too risky for us.” So, I think the evolution of the Chief Risk Officer is at a very exciting point in time right now.

Nabil: Let's talk a little bit about your advisory board work. Do you have any advice for others who are looking to work in that capacity?

Jeff: You need to be very pragmatic, just like you would plan your secondary education and your master's degree in your career. From a board journey perspective, it's very much the same thing. You should start with an organization that you’re passionate about in order to understand: What are the procedures? What are the roles that are played? What are the different committees? Then, as you decide that you want to pursue service on a private board or a public board, think about the additional skill sets that you may need related to your fiduciary responsibilities and insurance and what are some of the personal and professional liabilities. Set a game plan for yourself, make some investments of time and money, and really figure out what it takes to be a board professional. I think it's very worthwhile. People with a strong technical and cybersecurity background definitely have something to contribute to advisory boards from a cognitive diversity perspective as organizations face digital transformations and threats from a wider range of actors each year.

Nabil: You are a scuba instructor and a captain of the US Merchant Marines. What parallels do you draw between being a scuba instructor or captain and risk management?

Jeff: All of us have something to learn from an environmental, social, and governance perspective. One of the reasons I'm a merchant marine captain is that people covet what they know. I thought it was extremely important to get people under the water and really understand things like what plastics are doing to our oceans to understand that, yes, the stuff you throw out your car actually does make it into environments that we care about.

Everything related to instructing scuba is about risk management. The standards they have for teaching, how many students you can have per instructor, the burden being on the instructor to determine whether it's safe to do certain things, the insurance I have to carry – all that stuff is designed to minimize risk to the students and staff. It's incredible how they handle violations of policy. There's a professional journal and if somebody does something wrong, they put it out there for everyone to learn from. 

The reality is when you take those people out onto the ocean and you're responsible for them, you need to bring them back healthy and safe. This comes down to a couple of things: What experiences do I bring to those situations based on the training I've had on the water? What is the quality of the vessel and the equipment that I'm relying on to help me deal with those situations? How prepared am I for this situation? And those are the three things as a captain that you can control.

Those core concepts resonate with cybersecurity well. How prepared are you to do the job you've been asked to do as part of a team? How well have you prepared your organization to deal with a specific threat? That prudent mindset of being a good steward for the people you're responsible for resonates with people in cybersecurity as well.

Agent of Influence - Episode 026 - The Evolution of Risk Management and the Chief Risk Officer - Jeff Sauntry
Source: https://www.netspi.com/?p=25569

Blog post published May 11, 2021

The scope of healthcare data is remarkable. It’s no wonder healthcare cybersecurity is a growing concern as security professionals are challenged by managing and protecting the immense amount of personally identifiable information (PII) and protected health information (PHI) housed in their systems. 

Introduce a public health pandemic to the threat landscape, and the healthcare data management and security challenge grows exponentially. In 2020, more than 29 million healthcare records were breached, and healthcare data breaches rose 25 percent year over year, according to HIPAA Journal’s analysis of U.S. Department of Health and Human Services breach data.

During the 2021 Cyber Security Hub Healthcare Summit, NetSPI managing director Nabil Hannan and RxMx senior director of engineering Jesse Parente sat down to discuss the world of healthcare data management, notably how to manage sensitive data securely. They explore the healthcare industry’s regulatory pressures, share insights on how to collect, store, and manage healthcare data securely, and explain how to look at a data security program holistically using threat modeling and design review initiatives. Additionally, with the pandemic as a catalyst for digital transformation in the healthcare industry, cloud adoption has soared. Nabil and Jesse discuss the benefits of the cloud for data management, along with its security considerations.

Continue reading for highlights from the discussion, or watch the full session online.

In a compliance driven industry, such as healthcare, why is risk-based security so critical?

Jesse Parente: Risk-based security in general, regardless of the industry, is critical. At the end of the day, security is about managing risk. The easiest, and the most obvious answer in healthcare is, it can cost you if you're not focusing on risk. I was looking into the 2020 breach analysis report by IBM and Ponemon Institute and healthcare breaches were the costliest. That's mostly due to the fact that it's a very regulated market. You've got laws like HIPAA, which was formed and signed in 1996, so it's rather old now. And it's actually a fairly low bar if you think about it. For example, encryption was considered an optional item back then. But in 2009, the HITECH Act was signed into law, and that gave HIPAA some teeth: breach notification requirements and additional fines for non-compliance. There were almost 730 reported breaches in the last two years. If you do some simple math, that's about a breach a day… reported breaches. Now, the average cost per record is about $150-$200 and the average number of records exposed or lost was over 3,000. It's costly to not focus on risk.

Nabil Hannan: Speaking of breaches and the data involved, ultimately securing personal data is important. People understand why their personal, non-public data should be kept private. If someone else has that information, they could easily impersonate you and ruin things like your credit, or your records, or even steal your identity. And that's a problem. But we also want to think about healthcare data and the complexities that surround it. For example, there are a lot of children whose data go into medical systems because they go see the doctor. But for a lot of non-adults, when that happens, their parent’s information is also associated with that record. Now you have multiple people whose information is available: their insurance information, home address, financial information in many cases. The importance of securing personal data, especially in the medical field, becomes exponentially more important because of the complexities of your family and relatives whose data may also be associated with your personal records. And the challenge there too, is personal information is something that you can't easily change. If you, for example, were part of a breach where an attacker accessed your credit card number, you can call up the company, immediately change that number, and have a new card sent to you. If your social security number gets breached, you can't change that. Or if your home address is breached, you're not going to move in order to change that. There are certain data types that are permanent and cannot be changed, data that presents a higher risk if breached, and that data is often found in healthcare systems.

How can healthcare IT and security leaders securely collect, store, and manage data?

Jesse: Before you even collect data or store it or manage it, it's really important to understand what the data is. Also, there's a concept of minimum necessary. Do you need this data? You have to do an analysis to understand what the data is and if it is sensitive. Classifying data is a really important piece when you're going to collect and store it. Additionally, pay attention to where that data goes downstream. This is the management aspect of it. Do the vendors that you work with need or have access to some of this data? In 2013, there was a final Omnibus ruling, which was an addition to HIPAA, and this essentially held business associates or vendors that you work with accountable for non-compliance as well. So, you also have an obligation to make sure that your vendors are doing the right thing when it comes to collecting, storing, and securing healthcare data.

Nabil Hannan: There is the actual safe way to store and manage data and then there's the part of making sure you have the data that's relevant, and you're only storing and managing the data that you truly need to maintain your business functionality. A significant number of breaches lately, over the last five years or so, happened because of simple misconfigurations of data storage. So often we see that you may have data stores, such as Amazon S3 buckets, that are meant to be private and internal, but because of the misconfiguration, they're publicly available to the internet. Understanding what you're collecting and how it needs to be stored and, then, having automation and processes regularly checking to ensure that the attack surface that your data is exposed to is managed correctly is really important. That's ultimately the first step: making sure you have processes in place to ensure that you're not inadvertently making a configuration change that leaves you exposed.
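As an added illustration of the kind of automated exposure check described in the answer above (example code written for this page, not NetSPI tooling): it takes a bucket policy document and the bucket's PublicAccessBlock settings, in the shape the S3 GetBucketPolicy and GetPublicAccessBlock calls return them, and reports whether the data store is reachable by any principal. The bucket name, account id and policy are constructed sample data.

```python
"""Offline check for publicly exposed S3 buckets (added example, not NetSPI's tooling).

Inputs are the parsed bucket policy (GetBucketPolicy returns it as a JSON string,
json.loads it first) and the PublicAccessBlock configuration (GetPublicAccessBlock).
Both are constructed inline below so the check runs without AWS access."""
from typing import Any, Dict, List

# The four PublicAccessBlock flags; all must be True for the bucket to be shielded
# from a public bucket policy or ACL, whatever the policy itself says.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements that grant access to anyone with no Condition.

    Statements with a Condition are not flagged here; they still deserve review,
    but they are not unconditionally public."""
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


def assess_bucket(name: str, policy: Dict[str, Any], pab: Dict[str, bool]) -> List[str]:
    """Return human-readable findings for one bucket; an empty list means none found."""
    findings: List[str] = []
    public = public_policy_statements(policy)
    disabled = [f for f in PAB_FLAGS if not pab.get(f, False)]
    for s in public:
        actions = s.get("Action")
        actions = actions if isinstance(actions, list) else [actions]
        findings.append(f"{name}: policy statement grants {', '.join(actions)} "
                        f"to any principal (Sid={s.get('Sid', '-')})")
    if disabled:
        findings.append(f"{name}: PublicAccessBlock not fully enabled, missing: "
                        + ", ".join(disabled))
    if public and not disabled:
        # Second layer is holding, but the public statement should still go:
        # a later PublicAccessBlock change would silently expose the data.
        findings.append(f"{name}: public statement is currently neutralised by "
                        "PublicAccessBlock; remove it so a later PAB change cannot expose data")
    return findings


# Constructed sample: a bucket of exported patient records whose policy was meant
# to be internal-only but has acquired a wildcard statement. Account id is a placeholder.
SAMPLE_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-exports/*"},
        {"Sid": "OopsPublic", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-phi-exports",
                      "arn:aws:s3:::example-phi-exports/*"]},
    ],
}
PAB_OFF = {f: False for f in PAB_FLAGS}   # nothing blocking the public statement
PAB_ON = {f: True for f in PAB_FLAGS}     # account/bucket-level guardrail in place

if __name__ == "__main__":
    for line in assess_bucket("example-phi-exports", SAMPLE_POLICY, PAB_OFF):
        print(line)
```

Run against every bucket in an account on a schedule, the two findings together distinguish "exposed now" from "one setting away from exposed", which is the gap a one-off review misses.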

What can healthcare organizations do now to evaluate their current security posture?

Nabil: There are a lot of common security tactics that healthcare organizations are using today. They are performing regular security scans using automated tools, making sure that their external attack surface is not easily reachable by script kiddies that are also running similar tools on the internet, and performing penetration tests with humans manually testing and breaching systems to identify exploitable areas. To take these initiatives to the next level, start looking at things that tools and automation cannot identify, namely design flaws. To describe this, I typically use home inspection as a parallel. If you've bought a house, you've probably completed a home inspection. A person shows up and they inspect the house at a basic level, checking the locks, windows, insulation, furnace, roof, etc. to see if they work. But looking at a home from the outside in, you cannot truly determine if the house was designed properly. To understand if the load-bearing wall has enough support or not, or to understand if the studs are spaced correctly or not, they have to look at the blueprint and look at the internals of how the house was designed. Similarly, for any system, you have to look at the threat model and how the different components of a system interact with each other. Threat modeling is so important because it is a manual process. Tools are not able to tell you what the greatest risks are. It requires a human to think critically and be clever. With threat modeling, you’re identifying what the assets are in your systems and the threat actors that you should care about. Based on that, you define the threat vectors that the attackers would use to try and get to your assets. With this information, you can start assigning trust zones within your systems and determine how those interactions occur and review whether you have the right controls in place, like authentication, authorization, encryption, error handling and logging and things of that nature.
I think threat modeling is the next step we need to take as an industry because there is a whole different classification of vulnerabilities and issues that come from the design side. Empirically, we see 50 percent of security issues are at the design level and 50 percent are what we call bugs. We have to start doing threat modeling to uncover the inner workings of how our systems are working and interacting together and whether they pose a threat.

Jesse: I think what organizations can do to evaluate their posture is get a baseline. There are tons of ways to do this with frameworks and certifications. One of my favorites is the Cloud Security Alliance, an organization that's purpose built to support the transition to the cloud. They have something called the Cloud Controls Matrix that helps organizations align to various frameworks, whether that’s NIST, ISO27001, or HIPAA. When it comes to data, oftentimes the software world is pushing these activities to the left, or the idea of shifting left, and that means doing these security-based activities earlier on in a software development lifecycle. A great example is threat modeling. In the design phase, understand what your threats are and figure out ways to mitigate them. In the cloud, we’re shifting, too. The four walls and the castle approach of securing a perimeter, those days are gone. The landscape is shifting as well, as we now see a lot of organizations operating partially in the cloud. Because the data is potentially publicly available, we have to find ways to identify where the data is, where the data is going to go, and how to secure it. There are many cloud providers out there, and with that there are many services to help you manage the data and have visibility into the cloud. And for me, that visibility is one of the key things that has helped my organization manage healthcare data securely. Organizations not leveraging the cloud do not necessarily have that visibility. The last thing to remember is that we need to hold our vendors accountable, understand their security posture and what activities they are doing to help secure the data we share.

How has the pandemic triggered the increased adoption in the cloud?

Jesse: Almost overnight, many organizations were forced to have data and resources available remotely and externally accessible. VPNs were overloaded and people scrambled to find a physical space to work outside of the office. The cloud was – and is – an opportunity to make things available. As we saw in our viewer poll, 42 percent of participants are operating partially in the cloud. It’s clear people are experimenting with the cloud and this comes with its own challenges, as organizations haven't had the opportunity to fully vet and evaluate the cloud. Remember, we should consider cloud providers as vendors and need to evaluate them as such – and that requires time. That's the piece that's missing from this rush to make things available, and it can create serious problems.

Nabil: There is another gap in our knowledge, as employees don't necessarily know how their organization manages its data. It may be completely invisible to us whether an organization increased its adoption of the cloud. And that's how it should be. The whole purpose of cloud-based systems is the ability to scale as needed and have elasticity. Teleconferencing systems are a good example of this. The reason Zoom could support the huge demand of users as the pandemic started was because of the cloud. If they were not using cloud infrastructure for their systems, they would not have been able to support the large number of users because it was not expected or planned. And then there are security considerations to think about too. Just because you're in the cloud and the cloud providers are providing you with a certain baseline of security controls and protection, that doesn't mean that you don't have to think about security anymore. Ensure you understand the implications of your transition from a traditional data center deployment to the cloud, and ensure you're maintaining regular best practice initiatives around things like configuration reviews, design reviews, and threat modeling. Be sure to understand the risk implications of the decisions you're making.

Post: Q&A: How to Securely Manage Healthcare Data (https://www.netspi.com/?p=25326, last modified 2021-05-11). Excerpt: Explore the world of healthcare data management – notably, how to manage sensitive data securely with threat modeling and cloud security.

Webinar, published 2021-04-13:

This session was originally shown at Cyber Security Digital Summit's online event for Healthcare and Life Sciences.

In this session, NetSPI’s Nabil Hannan and RxMx’s Jesse Parente will explore the world of healthcare data management – notably, how to manage sensitive data securely. 

Delve into the healthcare industry’s regulatory pressures and the biggest cyber threats it faces today, then hear insights on how to:

  • collect, store, and manage your data securely
  • look at your data security program holistically (threat modeling and secure design review)

Lastly, with the pandemic as a catalyst for digital transformation in the healthcare industry, cloud adoption has soared. Nabil and Jesse will discuss the benefits of the cloud for data management and review its security considerations.

Webinar: Healthcare Data Protection in a Pandemic-Driven World (https://www.netspi.com/?post_type=webinars&p=25314, last modified 2021-06-02)

Webinar, published 2021-04-07:

In this presentation, NetSPI COO Charles Horton and Managing Director Nabil Hannan explore the evolution of “as a Service” offerings, and how these offerings are being applied successfully in application security programs. If you are working with the right partner, “as a Service” should go far beyond the traditional automated or cloud-based delivery models for both technology and expertise. When applied correctly, it can dramatically influence how internal resources and capital are directed and deployed and can provide the needed support to continue to improve and evolve your application security program and collapse timeframes for remediation. Unlike a traditional “as a Service” technology solution, AppSec as a Service combines both technology and human talent that is packaged for quick and easy consumption. 

Through this discussion, learn:

  • the core criteria that define an “as a Service” partnership
  • the different options in an AppSec as a Service offering
  • how AppSec as a Service can help you improve and evolve your application security program

As these offerings continue to increase and more vendors jump on the “as a Service” bandwagon, this webinar should serve as a guide to help organizations evaluate potential providers and ensure they are getting the most out of their relationship.

Webinar: A Key Ingredient in a World Class Application Security Program: AppSec as a Service (https://www.netspi.com/?post_type=webinars&p=24626, last modified 2021-06-02)

Post, published 2021-04-06:

On April 6, 2021, NetSPI Managing Director Nabil Hannan was featured in TechTarget:

Chief information security officers, or CISOs, around the world have come to learn from the SolarWinds manual supply chain attack that insider threats are a real issue, one that must be prioritized in 2021. The breach also brings to light an underdiscussed application security challenge: developers writing malicious code that can later be exploited.

The frequency and financial impacts of insider threats have grown dramatically in the past two years. In a recent Ponemon Institute report, the overall average cost of insider threats per incident increased by 31% from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020.

Building off the lessons learned from the SolarWinds breach, here are six steps CISOs can take to prevent insider threats.

  1. Change your mindset around your threat landscape

  2. Employ threat modeling

  3. Map out potential insider threat exposure

  4. Enact a proactive and ongoing insider threat detection governance program

  5. Define risk scenarios and escalation steps

  6. Push for holistic solutions for long-term protection

Read the full article here: https://searchsecurity.techtarget.com/post/6-ways-to-prevent-insider-threats-every-CISO-should-know

Post: TechTarget: 6 ways to prevent insider threats every CISO should know (https://www.netspi.com/?p=24961, last modified 2021-04-19)

Post, published 2021-03-30:

NetSPI Managing Director Nabil Hannan was featured on the Open Web Application Security Project (OWASP) Portland, Oregon Chapter podcast. During the interview, Nabil and the hosts, David Quisenberry and John L. Whiteman, discuss mentorship, advice for entry-level pentesters, security hiring amid the cyber security skills shortage, advice for companies building a security program, cyber security policy, and more. Listen to the full episode or continue reading for highlights from the conversation.

John: A lot of people in our chapter want to be pentesters. What advice do you have for them, especially coming from your direction as a consultant?
Nabil: When I built a pentesting practice, I was tasked with hiring and training a team of pentesters. The saying I picked up from that experience is, “I can teach someone to be smart, but I can’t teach someone to be clever.” So, if you want to be a pentester, truly a pentester that’s finding interesting and unique things, it requires you to think creatively and think outside the box. The technical part of pentesting can be learned or acquired, or you can get help, but it ultimately is someone that is clever who succeeds at pentesting.

John: Are there certain security domains that we simply don't have enough skilled people for?
Nabil: Today, there is demand for security professionals in general across every domain. It is evident that we have a shortage in security expertise across the board. Security is still in its infancy. If you want to get in, regardless of which area, whether you want to test autonomous cars, or mobile applications, or medical devices, there’s a need for security in all of those things. What I would recommend to people is, figure out what you are truly interested in and figure out if there is an area or a domain that really excites you. Find something that you understand and are passionate about and decide if the security aspect is a fit for you.

John: Has there ever been a time where you have been challenged with communicating results or recommendations to clients that may have differing levels of security understanding?
Nabil: It’s a common situation that we find ourselves in. You have to speak the right language for your audience. And if you are not doing that, it can be a challenge. It’s even more challenging when you have multiple levels of people in your audience that have varying degrees of technical or security understanding.

An example that comes to mind is a secure code review assessment I completed where we found cross site request forgery (CSRF). Nobody seemed to pay attention to it because we rated it medium severity given you had to be authenticated to really do any harm. The leadership team came to us, and said, let us know if you find anything critical, then we will decide if we need to push the production date. We replied, the vulnerability may not be critical, but it can still cause a lot of damage. To communicate the severity of the damage effectively we decided to create a proof of concept to show the impact and we were able to effectively show how easy it would be to exploit that vulnerability. As a result, they pushed their deployment to focus on remediation and better secure the application, based on our recommendation.

John: It's exploits that speak louder than words; if you just give two-dimensional bug numbers or a risk rating, it doesn’t mean anything until you bring it to life as you did here.
Nabil: As a consultant, your job is to help people understand what the true impact is based on the business that is being supported. Make sure you’re speaking the right language, the right message, and the impact defined from the business perspective and the technical perspective.

David (aka: Quiz): We often get asked by the young people in our chapter, do you need to have some time as a developer before going into something like pentesting?
Nabil: There are two ways to think about it. I come from a software development background and when I look at vulnerabilities, I can dissect them by really understanding the inner workings of the software and where it failed. If you don’t have software development experience, you can still be a tester. You can still run scripts, you can probably still run tools, and you can learn basic scripting to build automation and identify vulnerabilities. If you want to be an application pentester, chances are if you have a better understanding of how software systems are built, it will give you an advantage in coming up with creative ways to make those systems break. Is it a requirement? I don’t think so. But some of the best pentesters I know do come from a software development background.

John: What advice do you have for companies building a security program?
Nabil: Being in the security space, people naturally think security is the most important thing. That being said, when trying to figure out what’s the right security strategy for your organization, you first have to learn how the business makes money. That’s the first thing you need to learn as a security professional.

Then, align your security practices and efforts to enable the business to be better versus thinking of security as something separate. Organizations that are more immature or just getting started with security often view it as a roadblock or cost center, something that is going to only slow them down. But more mature practices adopt security culture over time and incorporate it into their processes. They learn to do it in a way where it enables the business. This allows you to have a program that is mature, with security integrated. Understand the appetite for the organization and what threshold of risk you are willing to take when designing and defining the program. Try as hard as possible to make security a part of the process without it becoming a friction point for the business to function. For example, trigger out-of-band activities for security reviews in an automated fashion that won’t block your business flow, and understand your risk appetite and have the ability to stop a business process from going forward if it is too risky. Being able to build that level of culture, communication, buy-in, and metric alignment is key.

John: …Should this process start with policy?
Nabil: Policy comes from somewhere even more important. It comes from your customers. Ask what security expectations your customers have. Then, depending on the business, there’s also regulation and compliance. Based on these two components, you need the right structures of leadership and culture to get buy-in across the organization to make security a part of your regular workflow versus it being a separate function.

Quiz: A challenge I have had this past year, is ensuring our security conversations are communicated correctly to others… product, customers, engineering, leadership, etc.
Nabil: Human behavior is something that I am fascinated by – how people can react to the same message but deliver it differently.

At NetSPI, our Resolve™ threat and vulnerability management platform is used by many of our customers internally to track and communicate their program metrics and dashboarding. If you start showing metrics like number of open vulnerabilities by business unit, it creates a very different effect than if you were to name the open vulnerabilities with the leader of that business unit. It builds a sense of competition to be better. When we work with customers to build threat and vulnerability management programs, security champions, or training curriculum, we try to focus on the human element of it to get people excited to improve their security posture rather than see it as a hindrance.

Quiz: What were your favorite Agent of Influence podcast episodes to date?
Nabil: My favorite was the first podcast episode I did with Ming Chow, a professor at Tufts University. We talked about computer science and education around security and we even touched around interesting topics such as, how he feels about teaching someone who could potentially do bad things.

During the episode with the former CISO of the CIA Bob Bigman, he provided really great insights around the life of the CISO, what they do, and what they have to live through. He helped define and change the focus of the CISO career.

Jeff Williams, the CTO of Contrast Security, was a good one, too. He and I recently did a joint webinar, How to Streamline AppSec with Interactive Pentesting.

And Quiz, I’m not saying this because you're on this interview, but your interview was great too. Especially the book recommendations near the end. I had friends reach out the day it posted telling me how much they enjoyed the interview.

Post: Lessons Learned Building a Penetration Testing Program: OWASP Portland, OR Podcast with NetSPI’s Nabil Hannan (http://www.netspi.com/?p=23762, last modified 2021-04-14)

Webinar, published 2021-03-19:

This session was originally shown at InfoSec Finance Connect 2021.

Keeping pace with the threat landscape has become a constant challenge for financial services organizations. Tapping into their years of financial security leadership, Navy Federal Credit Union’s Larry Larsen, BMO Harris’ Yi Li, and NetSPI’s Nabil Hannan assess the current threat landscape and share invaluable advice on how to protect your organization.  

Watch this on-demand presentation from the InfoSec Finance Connect virtual conference to hear expert insights on:

  • Which security threats are on the rise – and why 
  • Recent financial breaches, such as Equifax and Capital One, and what other financial companies can learn from the incidents
  • The importance of threat intelligence and how financial institutions can stay informed of the current environment 
  • How companies can defend against the ever-changing threat landscape with a stable and systematic approach 
  • How to determine the right security activities for your organization 
  • The persistence and prevalence of phishing and business email compromise (BEC) 
Webinar: Assessing The Threat Landscape And How To Protect Your Organization in 2021 (https://www.netspi.com/?post_type=webinars&p=25007, last modified 2021-06-02)

Webinar, published 2021-03-11:

There simply isn’t enough time and resources to perform pentesting on everything developed in the worlds of Agile and DevOps where release cycles occur daily – or even faster.

Discover what next-generation pentesting looks like when combined with interactive application security testing (IAST). Attendees will learn:

  • Why pentesting shouldn’t compete with other AppSec testing tools and waste time with things already thoroughly tested
  • How pentesters should partner with development teams to gain deeper insights into individual applications
  • How pentesting can be adapted to modern application complexities such as APIs, microservices, etc.
  • How pentesting should be combined with security instrumentation for tracking data flows, control flows, backend connections, etc.
  • And more!
Webinar: How to Streamline AppSec with Interactive Pentesting (http://www.netspi.com/?post_type=webinars&p=22992, last modified 2021-06-02)

Post, published 2021-03-09:

Now that the dust has settled on the recent Oldsmar, Florida water treatment facility breach, let’s take a deeper look at some of the lessons we can learn from the incident.

For those unfamiliar with the breach, on February 5, hackers accessed a Florida water facility that treats water for around 15,000 people near the Tampa area. The hackers were able to increase the amount of sodium hydroxide, or lye, distributed into the water supply, which is dangerous to consume at high levels. Luckily, there was an attendant who noticed the suspicious behavior and reported it, mitigating the breach without consequence.

The attackers gained access to the computer system through TeamViewer, a popular remote access software application commonly used for remote desktop control, screen sharing, online meetings, and file transfers. Third party IT support is a common use case for TeamViewer and, according to its website, it has been installed on over 2.5 billion devices today. There has not been confirmation on how the attacker got ahold of the remote access system credentials, but we can speculate that an employee of the water facility fell victim to a social engineering attack, such as phishing.

Given the breach itself was not sophisticated and its impact was minimal, many in the cyber security community are surprised that this is making national headlines. But it is the potential of what could have happened that is causing a panic – and rightfully so.

Investigative journalist Brian Krebs interviewed a number of industrial control systems security experts and discovered that there are approximately 54,000 distinct drinking water systems in the U.S., nearly all of which rely on some type of remote access to monitor and/or administer the facility. Additionally, many of these facilities are unattended, underfunded, and do not have 24/7 monitoring of their IT operations. In other words, this type of breach is likely to happen again and, if we don’t take the necessary security considerations into account, the consequences could be devastating.

Industrial control systems and utilities notoriously prioritize operational efficiencies over security. This is a wakeup call for the industry to start looking at their systems from a security and safety perspective. To get started, here are the key lessons I learned from the incident.

Lessons Learned from the Florida Water Facility Breach

Many of the reports written about the breach are centered around remote access. That is not surprising as the security concerns of remote access and host-based security have escalated amid COVID-19. Host-based security represents a large attack surface that is rapidly evolving as employees continue to work disparately.

Think back to March 2020. Organizations needed to get people online fast and began enabling Remote Desktop Protocol (RDP), which is known to be vulnerable. Cyber security firm Kaspersky found that the number of brute force attacks targeting RDP rose sharply after the onset of the coronavirus pandemic. Further, internet indexing service Shodan reported a 41 percent increase in RDP endpoints available on the internet as the virus began to spread. When determining the type of remote access to give systems, the decision should be based on the level of security desired and which type of remote access is deemed appropriate.

That being said, in my opinion there is more to learn from this incident beyond the remote access system vulnerabilities.

It is critical to analyze your security program holistically

These systems are complex and require a design-level review to understand what could go wrong rather than completing ad hoc security assessments that look at the technology separately.

For example, say you performed an assessment of your desktop images and are notified that you have TeamViewer installed as a potential risk. This is something that is likely to get written off as a valid use case because it is how the IT team accesses the computer to troubleshoot operational issues remotely. Unless you assess all the systems involved in the environment and how they work together, it can be difficult to understand the risk your organization faces.

This is where threat modeling and design reviews prove vital. According to software security expert Gary McGraw, 50 percent of application security risks come in the form of software design flaws that cannot be identified by automated means. Threat modeling and design reviews leverage human security experts to evaluate your program in its entirety and provide you with an understanding of the current level of security in your software and its infrastructure components. Threat modeling in particular analyzes attack scenarios, identifies system vulnerabilities, and compares your current security activities with industry best practices. And with a design review, you gain clarity on where security controls exist and make strategic decisions on absent or ineffective controls.

Defense in depth is non-negotiable

The software the facility uses to control the amount of sodium hydroxide should never have been able to accept a dangerous setpoint in the first place. When software is developed, it should be built with security and safety in mind. For example, the maximum threshold the software accepts should be an amount of sodium hydroxide that is safe, not one that is potentially life-threatening.

What if it was a disgruntled employee that decided to change the amount of sodium hydroxide? Or if the technology attendant had been bribed? The outcome of the situation would have looked much different.

It’s a best practice in security to create as much segregation as possible between your operational technology (OT), the technology that physically moves things, and your information technology (IT), the technology that stores and manages data, to avoid incidents that could result in physical harm. To achieve this, defense in depth is essential.

Defense in depth is a cyber security approach that layers defensive controls to ensure that, if one control fails, there will be another to prevent a breach. Authentication and access management are protections at the front line of a defense in depth strategy and a critical security pillar for industrial control systems and utilities. For systems or tasks that can have a detrimental impact if breached, add multiple layers of authentication so that no single computer or individual can carry out the task alone. Additionally, adopting the principle of least privilege, allowing employees access only to the minimum set of resources needed to accomplish their tasks, would be a good practice to implement industry wide.
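What "built with safety in mind" and "no single individual can carry out the task" look like in code, as an added example that is not part of the original post and does not describe the Oldsmar facility's actual software: a setpoint handler that enforces a hard safety ceiling, a rate-of-change limit, and two-person approval for the upper band, regardless of which account or remote session issued the command. All limits, user names and the ppm values are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed engineering limits for a hypothetical sodium hydroxide feed.
# None of these numbers come from the Oldsmar facility.
SAFE_MAX_PPM = 150.0       # assumed: the process must never be asked to exceed this
REVIEW_ABOVE_PPM = 120.0   # assumed: setpoints above this need a second person
MAX_STEP_PPM = 25.0        # assumed: largest change accepted in one command


@dataclass
class PendingChange:
    value_ppm: float
    requested_by: str


@dataclass
class DosingController:
    current_ppm: float = 100.0
    pending: dict = field(default_factory=dict)   # request id -> PendingChange
    audit: list = field(default_factory=list)     # (event, user, value, detail)
    _next_id: int = 1

    def request_setpoint(self, value_ppm: float, user: str) -> str:
        """Validate a requested setpoint; returns 'applied', 'pending' or 'rejected'.

        Layer 1: a hard ceiling no account, session or remote tool can exceed.
        Layer 2: a rate-of-change limit, so a typo cannot jump the process.
        Layer 3: two-person control for values in the upper band.
        The checks do not care whether the caller is an operator at the
        console, a technician on a remote-access tool, or an intruder on either.
        """
        if value_ppm <= 0 or value_ppm > SAFE_MAX_PPM:
            self.audit.append(("rejected", user, value_ppm, "outside safe envelope"))
            return "rejected"
        if abs(value_ppm - self.current_ppm) > MAX_STEP_PPM:
            self.audit.append(("rejected", user, value_ppm, "step too large"))
            return "rejected"
        if value_ppm > REVIEW_ABOVE_PPM:
            req_id = f"req-{self._next_id}"
            self._next_id += 1
            self.pending[req_id] = PendingChange(value_ppm, user)
            self.audit.append(("pending", user, value_ppm, req_id))
            return "pending"
        self._apply(value_ppm, user, None)
        return "applied"

    def approve(self, req_id: str, approver: str) -> str:
        """Second person signs off. Returns 'applied', 'rejected' or 'unknown'."""
        change = self.pending.get(req_id)
        if change is None:
            return "unknown"
        if approver == change.requested_by:
            # The requester cannot approve their own change.
            self.audit.append(("rejected", approver, change.value_ppm, "self-approval"))
            return "rejected"
        if abs(change.value_ppm - self.current_ppm) > MAX_STEP_PPM:
            # The process may have moved since the request was queued; re-check.
            del self.pending[req_id]
            self.audit.append(("rejected", approver, change.value_ppm, "step too large"))
            return "rejected"
        del self.pending[req_id]
        self._apply(change.value_ppm, change.requested_by, approver)
        return "applied"

    def _apply(self, value_ppm: float, user: str, approver: Optional[str]) -> None:
        self.current_ppm = value_ppm
        self.audit.append(("applied", user, value_ppm, approver))
```

The point of the first check is that it is not an authorization decision at all: a value outside the safe envelope is refused even from a fully authenticated administrator, which is what would have limited the damage from a stolen remote-access session or a bribed operator alike. The audit list is what an incident responder would want afterwards.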

We are not prepared for disaster scenarios

We are reliant on the use of outdated systems that are not prepared for certain disaster scenarios. For an industrial control system to experience downtime, it does not require an adversary to compromise a system. Look at what happened with the Texas winter storm. No one expected the weather to get that bad, but we could have better prepped our systems for it.

That is the challenge with utilities and industrial control systems. If you are not preparing for adversaries in tandem with natural disasters and other unforeseen circumstances, you could have major issues to deal with in the long run.

Another key factor to consider is time. When something goes wrong, coming up with the easiest, least expensive, and most feasible solution isn’t possible because of time constraints. And for water, heat, electricity, energy, or gas companies the pressure of time is even greater because they are a critical part of our lives. Say the furnace in your home breaks when it is below freezing outside. You typically have two options: have someone come out and evaluate the situation, wait weeks for the part, and repair the existing furnace; or buy a new one and have it installed in days. To avoid frozen pipes and infrastructure damage, most would choose the fastest option. In a recent study, those who did not test their disaster recovery plan cited time and resources as the biggest barriers.

At utility facilities, there remains a lack of awareness around cyber security. Regular tabletop exercises that simulate a crisis scenario are necessary when working with systems this complex.

The three key learnings discussed in this blog should work in concert with one another. Use the findings from your holistic security assessment and dust off your disaster recovery and incident response plans to remediate your biggest security and safety gaps – and, in turn, strengthen your defense in depth.


TechTarget: 6 ways to prevent cybersecurity burnout

On February 26, 2021, NetSPI Managing Director Nabil Hannan was featured in TechTarget:

We're in the midst of a cybersecurity staffing crisis. Many major news outlets, such as The New York Times, have reported that unfilled jobs in the industry are expected to reach up to 3.5 million this year – leaving existing security teams stretched thin and burnt out. To make matters worse, attackers have increased their activity since the beginning of the pandemic and continue to take advantage of the prolonged crisis. In this new year, CISOs everywhere will need to shift their talent management practices in order to attract new candidates to the field and prevent employee burnout. How? Here are a few ideas.
  1. Invest in training for new employees
  2. Match people to the job, set goals and mentor
  3. View your project managers through a new lens
  4. Be careful with incentives
  5. Enable automation
  6. Encourage more people to enter cybersecurity
Read the full article here: https://searchsecurity.techtarget.com/post/6-ways-to-prevent-cybersecurity-burnout

The Need to Prevent Insider Threats, as Revealed by the SolarWinds Cyber Security Breach (February 9, 2021)

Media throughout the world have reported on the SolarWinds supply chain attack, which has created concern about cyber security and software vulnerabilities among businesses and government entities alike. What hasn’t been in the headlines outside of the cyber security world is the need to not only plan and test for external threats, but also for CISOs to start prioritizing efforts around abating insider threats. In the case of the SolarWinds attack, malicious code was inserted somewhere within the supply chain as part of a software update, which was then made available to all SolarWinds customers. This insider attack has to date impacted hundreds of private companies and government agencies. CISOs must lead their organizations in preventing both external and internal cyber security threats.

Thwarting External and Internal Threats – A Two-Pronged Approach

Protecting against internal threats should be the first prong in a threat detection program. The SolarWinds breach brings to light this under-discussed application security challenge: developers writing malicious code which can later be exploited. And while this isn’t the only means by which inside threat actors can wreak havoc on an organization, the frequency and financial impact of insider threats—defined as a careless or negligent employee or contractor; a criminal or malicious insider; or a credential thief—have grown dramatically in just the past two years. In a recent Ponemon Institute study, the overall average cost of insider threats per incident increased by 31% from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats are still a lingering and often under-addressed cyber security threat within organizations, compared to external threats.

Thwarting external threats is the second prong of a threat detection program. As explored in-depth in our whitepaper, How to Build the Best Penetration Testing and Vulnerability Management Program, the reality is that cyber security breaches today from outside the organization are inevitable and put companies at grave risk. One of the key cyber security weaknesses is the lack of continuous penetration testing and patching. This can turn into the “Achilles heel” of any organization’s security posture if not addressed and implemented properly. Organizations should think of pentesting as the final security gate. It ensures all other security controls and applications are working as designed from a security standpoint, an approach that is not often adopted by organizations with young or immature application security programs.

Further, organizations with a mature security program understand that point-in-time pentesting is not the best option for securing their applications and networks. You cannot test yourself to be more secure. New code and configurations are released every day; a continuous penetration testing approach can help test an entire system in totality and delivers results to customers around the clock, enabling them to manage their vulnerabilities easier and more efficiently.

Now, let’s focus on the steps to take to prevent insider threats. To do so, I believe that CISOs need a shift in vision. Most companies prioritize external threats but give a blanket of trust to the people within the organization. Now, in large part because of SolarWinds, it is apparent that organizations have to change this mindset.

Changing Your Mindset Around Your Threat Landscape

Threat modeling needs to first be adopted more widely to understand the organization’s threat landscape. It is essential to identify who would want to attack a system, and where the assets are, in order to understand the appropriate attack vectors and to enable the appropriate security controls. In my opinion, this involves a mindset shift. The biggest change is in moving from only looking for vulnerabilities to also looking for suspicious or malicious code. Let’s define the two threats. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and its functionality, because they have control over the system internally. So, instead of the threat actor exploiting vulnerabilities in the attack surface, the threat actor creates the attack surface and exercises the functionality that he or she implements. Given that, threat modeling should consider both exploitable vulnerabilities and malicious code, as the harm from either could cost an organization millions. Doing one type of threat modeling without the other can set your organization up with a false sense of security.

Potential Insider Threat Exposure

Job Responsibility            | Possible exposure area for threat activity
------------------------------|--------------------------------------------------------------------------
Administration or Operations  | Local area network; high-access credentials; production systems
Developers                    | Design and source code; application configurations; third-party libraries and deployment descriptors
Control Management            | Binaries (susceptible to repackaging); code promotion from QA to production; encryption keys

Additionally, how you go about detecting a threat like the SolarWinds supply chain attack is vastly different from traditional pentesting, code review, or other vulnerability detection techniques. It not only requires a different lens on how you look at software to identify these issues, but it also requires a complete change in your organization’s internal threat detection governance process. Altogether, dealing with a threat issue once it’s identified is not as simple as going back to the developers and asking them to fix it. Unfortunately, your developers could be the adversary.

Putting in Place a Proactive and Ongoing Internal Threat Detection Governance Program

To put in place a proactive and ongoing threat detection governance program you’ll first have to get buy-in from the leadership team. After all, at its core, malicious code review is a process where you theoretically treat those within your operations who have privileged access as threats. And secondly, you’ll need to educate the leadership team regularly on the scope of your malicious code review engagements. While finding malicious code is difficult and the probability is small, the risk of an insider threat is on the rise. In fact, Forrester research predicts that this year, 33% of data breaches will be caused by insider incidents.

Importantly, all of your malicious code review efforts have to be done in secrecy, involving only small teams you trust completely. It has to be a covert operation where you don’t notify or give knowledge to stakeholders in the software supply chain. They should never know that you are implementing a process to look through their code with a lens of trying to identify code that looks suspicious and potentially malicious.

Risk Scenarios and Escalation Steps to Take

Once your malicious code review regimen is in process and suspicious activity is detected, there are escalation steps that can be put in place to mitigate risk. Consider the following:

  1. Suspicious, But Not Malicious: You find something that looks suspicious or malicious but that cannot be exploited, and it may even have been left by mistake. Escalation Step: In this case, you may do nothing.
  2. Circle of Trust Invitation: You find something that looks suspicious, but you can’t get confirmation on whether it is malicious or not. Escalation Step: This is where you have to build a relationship with a trusted developer, or someone from the development organization you can trust, and bring them into your circle of trust to verify the suspicion.
  3. Passive Monitoring: You’ve found suspicious code but choose a monitoring stance. Escalation Step: This is where you add logging in production, or some type of data-layer protection that you can trigger, so you can passively monitor for the point in time when someone tries to exploit the suspicious line of code.
  4. Active Suppression: You find suspicious or malicious code and work to suppress it. Escalation Step: This is where you actively write a rule within your firewall, build a compensating function, or use some type of dependency injection or weaving to stop that suspicious code from ever being executed.
  5. Commencement of an Executive Event: You find malicious code and have identified its source, whether it be a sole insider threat, a whole team of suspicious actors, or threats that involve a particular department, country or line of business. Escalation Step: This step has nothing to do with software, but it has everything to do with safeguarding your organization. You will need to involve your organization’s leadership and execute some sort of severe executive-level event, which could include termination of the implicated employee(s) or contractors and may even involve law enforcement.
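Steps 3 and 4 above, passive monitoring and active suppression, applied at runtime without touching the flagged source, as an added example that is not part of the original post. In a Java shop this is where aspect weaving would go; in Python the same effect comes from wrapping the attribute on the loaded module. The module under review, its `export_report` function and the undocumented `debug_token` it accepts are constructed for illustration and do not describe any real product.

```python
import functools
import logging
import types

log = logging.getLogger("malicious-code-review")

# --- Constructed stand-in for a module under review (not real code) ----------
# Reviewers flagged export_report: an undocumented debug_token bypasses the
# role check. Whether that is a backdoor or a leftover is not yet confirmed,
# so the review team does not want to alert the developers by editing it.
report_service = types.ModuleType("report_service")


def _export_report(user: dict, report_id: int, debug_token: str = None) -> str:
    if debug_token == "x-internal-7f3a" or user.get("role") == "auditor":
        return f"report:{report_id}:full"
    return f"report:{report_id}:redacted"


report_service.export_report = _export_report


class SuspiciousPathHit(Exception):
    """Raised when active suppression refuses a flagged call."""


def install_guard(target, name: str, trigger, mode: str = "monitor"):
    """Replace target.<name> with a wrapper. When trigger(args, kwargs) is
    True the call is recorded and logged (mode='monitor') or refused
    (mode='block'). The original is kept so the guard can be removed later."""
    original = getattr(target, name)
    hits = []

    @functools.wraps(original)
    def wrapper(*args, **kwargs):
        if trigger(args, kwargs):
            hits.append((args, kwargs))
            log.warning("flagged path %s called: args=%r kwargs=%r", name, args, kwargs)
            if mode == "block":
                raise SuspiciousPathHit(name)
        return original(*args, **kwargs)

    wrapper.hits = hits
    wrapper.original = original
    setattr(target, name, wrapper)
    return wrapper


def uninstall_guard(target, name: str) -> None:
    """Restore the function the guard replaced."""
    setattr(target, name, getattr(target, name).original)


def uses_debug_token(args, kwargs) -> bool:
    """Trigger: the undocumented parameter is supplied at all, by name or position."""
    return kwargs.get("debug_token") is not None or len(args) > 2


def call_guarded(fn, *args, **kwargs):
    """Call fn; return its result, or 'blocked' if active suppression refused it."""
    try:
        return fn(*args, **kwargs)
    except SuspiciousPathHit:
        return "blocked"
```

Installing the guard in monitor mode first is the passive stance: production keeps working, and the first hit in `wrapper.hits` (or the log line) tells the small trusted team that someone exercised the path, which is the evidence step 5 needs. Switching the same guard to block mode is the compensating control.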

A Caveat: Another challenge with supply chain attacks is that they may never happen at the code level; they may happen while a piece of code is being promoted from development to production. Therefore, analysis at both the source level and the binary level is warranted, so that the artifacts operations actually deploys can be compared with what the reviewed source produces.

Looking holistically at supply chain attacks, the security industry does not yet have a complete solution. Long term, we need to examine how the industry approaches the evaluation and risk acceptance of third-party solutions, which could come in the form of changes to compliance requirements around least privilege, auditing, and integrity checks.

However, with many studies and news reports pointing to a continuing rise in both external and insider threats—in number of incidences, time to contain, and cost implications – it’s essential for us to begin taking immediate steps as a part of the holistic solution. It’s imperative that CISOs advance leadership support in the development and implementation of a two-pronged threat detection and governance program that involves both malicious code review and vulnerability management initiatives. With breaches often costing organizations millions of dollars, there’s no time to waste.

TechTarget: 5 cybersecurity lessons from the SolarWinds breach

On February 8, 2021, NetSPI Managing Director Nabil Hannan was featured in TechTarget:

Ransomware attack simulations, accessing enterprise logs and pen testing software code are among the best practices cybersecurity pros suggest following the SolarWinds breach.

Forensics teams are still investigating how hackers were able to exploit SolarWinds' patching system to attack numerous high-profile commercial and governmental organizations, including Microsoft and the U.S. Department of Justice, as well as other customers of the security monitoring software vendor. At the same time, experts from a range of security service providers -- including those offering penetration testing, vulnerability scanning and software code reviews -- advise businesses to act now to shore up their own enterprise security.

The SolarWinds breach was first revealed in late 2020 -- although the attacks may have begun in 2019 -- and now includes the discovery of two backdoors created by malware. The first, named Sunburst, has been linked to numerous supply chain infections and nation-state attacks, and the second, named Supernova, is not a supply chain attack, but rather malware that required the exploitation of a vulnerability in the Orion software program recently patched by SolarWinds. U.S. government and cybersecurity experts are still uncovering the damage caused by the two infections.

Security service providers suggest the following list of five lessons learned to help organizations ward off or detect a SolarWinds-type hack. These best practices also lessen the "threat noise" across the enterprise, enabling a company to quickly identify and handle suspicious behavior.

Don't rely on internal developers to test internally developed software

Developers should not have the final say on how secure their code is. They are not security experts, and they might be the ones who inserted malicious code, intentionally or not, according to Nabil Hannan, managing director at pen testing provider NetSPI. "To uncover a SolarWinds type of issue, you have to think differently than a developer would about what you are looking for, including who has access to your systems," he said. "How can a developer determine another developer's true intent for putting code in the system and how it will behave? He can't." Hannan recommended forming a group of trusted executives and senior managers to work with an external testing firm. When developers are done with their reviews or completed updates, the group sends it to the testers to look for malicious code and insider threats. "We examine the source code and binaries, looking at executables and comparing what is published versus what is in the source code," he said. Testers search for backdoors, time bombs, Trojan horses and signature patterns. "If there are differences, we will report back to the group in a discreet way and work with them to mitigate the issues." Hannan said having this practice and these controls in place are helpful when there is a management shakeup, a disgruntled developer leaves or a merger or acquisition is about to take place.
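The binary-level comparison described in the quote above, and in the caveat of the insider-threat post earlier on this page (analysis "at the binary level" because the tampering may happen during promotion rather than in source), as an added example that is not from the original article or from NetSPI's tooling: rebuild the release from the reviewed commit, then compare the published artifact against it entry by entry, so that anything repackaging added or changed stands out. The two zip archives are constructed in memory; in practice the "published" one comes from the release channel and the "rebuilt" one from a clean build of the audited source.

```python
import hashlib
import io
import zipfile


def build_archive(files: dict) -> bytes:
    """Constructed helper: pack {path: bytes} into a zip held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in sorted(files.items()):
            zf.writestr(path, data)
    return buf.getvalue()


def digest_entries(archive: bytes) -> dict:
    """Map each file entry to the SHA-256 of its content (timestamps ignored)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            out[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return out


def diff_archives(rebuilt: bytes, published: bytes) -> dict:
    """Entries only in the published artifact ('added'), only in the rebuilt one
    ('missing'), or present in both with different content ('modified').
    All three empty means the release matches what the reviewed source produces."""
    a, b = digest_entries(rebuilt), digest_entries(published)
    return {
        "added": sorted(set(b) - set(a)),
        "missing": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


# Constructed sample: the rebuilt artifact, and a 'published' one carrying an
# extra class and an altered one, the kind of difference a compromised
# promotion step could introduce without any change in the source repository.
REBUILT = build_archive({
    "app/Main.class": b"\xca\xfe\xba\xbe main-v1",
    "app/Config.class": b"\xca\xfe\xba\xbe config-v1",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})
PUBLISHED = build_archive({
    "app/Main.class": b"\xca\xfe\xba\xbe main-v1",
    "app/Config.class": b"\xca\xfe\xba\xbe config-v1-plus-hook",
    "app/Telemetry.class": b"\xca\xfe\xba\xbe not-in-source",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})


def review_release() -> dict:
    """Compare the constructed release against the constructed rebuild."""
    return diff_archives(REBUILT, PUBLISHED)
```

The comparison is only as good as the build's reproducibility: compilers that embed timestamps or absolute paths will show every entry as modified, so the noise has to be engineered out (or normalized) before a diff like this can be the gate it is meant to be. The findings go back to the small trusted group, not to the build team, for the reasons the article gives.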

Read the full article here: https://searchsecurity.techtarget.com/feature/5-cybersecurity-lessons-from-the-SolarWinds-breach

TechTarget: Standardize cybersecurity terms to get everyone correct service

On January 22, 2021, NetSPI Managing Director Nabil Hannan was featured in TechTarget:

When you hear the term "pen testing," what do you envision? A web app test done with a dynamic scanning tool? A test done by a human being who's digging deep to replicate what an attacker would do in the real world? What about the term "network pen testing?" An automated discovery of your network infrastructure resulting in a pages-long report on what assets you have? A real-life person examining how your network is architected in order to flesh out vulnerabilities? Depending on who you ask, each of the responses above could be right. And therein lies the conundrum. There's no standardized lexicon in the cybersecurity world and it's causing confusion among independent and organizational security professionals alike. For organizations, the challenge is using the right terminology so they can seek out and price comparable services to meet their security needs, as well as understand exactly what they're consuming from the security professionals they engage. For cybersecurity professionals, the hurdle lies in understanding just what an organization needs and expects to accomplish its security goals.
And, if your industry is compliance-focused, regulatory drivers will also determine what type of assessments your company must perform, making it critical that you get your terminology right.

Read the full article here: https://searchsecurity.techtarget.com/post/Standardize-cybersecurity-terms-to-get-everyone-correct-service

Six Activities to Jump Start Your Application Security Journey (January 12, 2021)

Starting, or even refining, a cyber security program can be daunting. Because a security program is as individual as an organization and must be built around business objectives and unique security aspirations, there’s no one-size-fits all solution and the number of tools and services available can overwhelm. The good news is that, if you’re about to embark on a security journey, the following activities will set you on the right path.

Define Your S-SDLC Governance

No matter what security techniques you end up using, you must start by defining your Secure Software Development Lifecycle (S-SDLC) governance security gates and incorporate them into your SDLC. For each gate definition, make sure you collect information needed to determine whether a component passes or fails before the software can advance to the next phase of development. For example, before promoting your application from the coding phase, you might want to do a static analysis scan. If that scan reveals a critical vulnerability, you’ll want to prevent your application from being promoted to the testing phase. Instead, report that vulnerability to the development team, who then must resolve the problem to the degree that the piece of software passes the next static analysis scan without revealing any more critical vulnerabilities. Only then do you advance your application to the testing phase.
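The static-analysis gate described above, as an added example that is not part of the original post: a script that reads the scanner's report and refuses to promote the build if any unsuppressed critical finding remains, while listing suppressed findings so the justification itself gets reviewed. The SARIF document is constructed; the rule ids, file names and the numeric `security-severity` rule property (a convention some scanners use, treated here as an assumption) are not output from any real tool.

```python
import json

# Constructed SARIF 2.1.0 report, trimmed to the fields the gate uses.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "SQLI-001", "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "9.8"}},
            {"id": "LOG-004", "defaultConfiguration": {"level": "warning"},
             "properties": {"security-severity": "4.0"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "String concatenation in SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "LOG-004", "level": "warning",
             "message": {"text": "Sensitive value written to log"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "String concatenation in SQL query"},
             "suppressions": [{"kind": "inSource",
                               "justification": "parameterised downstream"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/report.py"},
                 "region": {"startLine": 8}}}]},
        ],
    }],
})

CRITICAL_SCORE = 9.0   # assumed policy: a score at or above this blocks promotion


def load_findings(sarif_text: str) -> list:
    """Flatten SARIF results into dicts: rule, level, score, file, line, suppressed."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            score = float(rule.get("properties", {}).get("security-severity", 0))
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId"),
                "level": level,
                "score": score,
                "file": loc.get("artifactLocation", {}).get("uri"),
                "line": loc.get("region", {}).get("startLine"),
                "suppressed": bool(res.get("suppressions")),
            })
    return findings


def evaluate_gate(findings: list, critical_score: float = CRITICAL_SCORE) -> dict:
    """Gate rule: any unsuppressed finding at level 'error', or scored at or above
    the threshold, blocks promotion. Suppressed findings are returned separately
    so that the suppression, not just the code, is part of what gets reviewed."""
    blocking = [f for f in findings if not f["suppressed"]
                and (f["level"] == "error" or f["score"] >= critical_score)]
    suppressed = [f for f in findings if f["suppressed"]]
    return {"passed": not blocking, "blocking": blocking, "suppressed": suppressed}


def run_gate(sarif_text: str = SAMPLE_SARIF) -> dict:
    return evaluate_gate(load_findings(sarif_text))


if __name__ == "__main__":
    import sys
    verdict = run_gate()
    for f in verdict["blocking"]:
        print(f"BLOCK {f['rule']} {f['file']}:{f['line']} score={f['score']}")
    for f in verdict["suppressed"]:
        print(f"SUPPRESSED (review justification) {f['rule']} {f['file']}:{f['line']}")
    sys.exit(0 if verdict["passed"] else 1)
```

Wired into the pipeline, a non-zero exit stops the promotion to the testing phase and the printed lines are what goes back to the development team. The decision is made on the report, not on a human remembering to look at the scanner dashboard, which is what makes it a governance gate rather than a recommendation.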

For governance rules to be effective, you have to build a collaborative culture within your development organization and communicate and evangelize about these processes. Make sure everyone involved is aware of, and understands, the expectations to which they’re being held.

Secure Design Review

Secure Design Review (SDR) is a broad term with many different definitions. It can refer to high level, pen and paper exercises to see if there are common issues with the application being developed. It can also mean a deep analysis complete with full blown threat models. Or anything in between. Regardless of your approach, SDR allows your organization to catch vulnerabilities at the design level and adopt better security controls. SDR allows organizations to start adopting a culture of security by focusing on developing secure-by-design frameworks or libraries that create opportunities to efficiently implement re-usable security features as appropriate. A positive outcome? Peace of mind.

Penetration Testing and Security Testing as Part of QA

Penetration testing to assess internal and external infrastructures, often (but not exclusively) driven by governance or compliance regulations, is one of the most common activities involved in cyber security programs. Note: It often requires expertise that you might not have in-house as you get your security efforts underway. Fortunately, there are plenty of firms out there that are really good at it, and outsourcing may be your best option – especially for assets that meet mission-critical risk thresholds. Ultimately, penetration testing’s biggest value for your new security program is that it will reveal just how secure your SDLC, which you defined in the previous steps, really is.

Security testing is also typically performed by outside experts. However, if you have a group internally who’s already doing some sort of testing – like functional testing or QA testing – it’s easy to introduce basic concepts that allow them to test for vulnerabilities. For example, when your QA testers are building test cases, encourage them to adopt techniques like constantly building edge and boundary test cases. At a bare minimum, this will assess your application from an input validation, and output encoding perspective.

If you’re doing pentesting, look at the results and build test cases based on them into your QA workflow as well. As an example, verbose error messages should be examined. How many times have you tried to log into an app, mistyped the password and received an error message along the lines of: “Your user ID is right, but your password is wrong.” A message like that can give an attacker information they can use to brute force all possible passwords to effectively determine which are valid and which aren’t.
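The verbose login error above beside a hardened version, and the QA test case a tester can add to catch a regression, as an added example that is not part of the original post. The user store, passwords and messages are constructed; the salted SHA-256 stands in for a real password hash such as bcrypt or Argon2, which a production system should use instead.

```python
import hashlib
import hmac
import secrets


def _record(password: str):
    """Constructed user record: (salt, sha256(salt + password)). Stand-in for a
    proper password hash; the point of the example is the error handling."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


USERS = {"alice": _record("correct horse battery staple")}
_DUMMY = _record("unused")   # so an unknown user costs the same work as a known one


def login_verbose(username: str, password: str) -> str:
    """The 'before' behaviour: the message tells the attacker which half was wrong,
    turning a password guess into a confirmed list of valid user IDs."""
    rec = USERS.get(username)
    if rec is None:
        return "Unknown user ID"
    salt, digest = rec
    if hashlib.sha256(salt + password.encode()).digest() != digest:
        return "Your user ID is right, but your password is wrong"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Hardened: one message, and the same hashing work, whether or not the user
    exists. The comparison is constant-time so the timing does not leak either."""
    salt, digest = USERS.get(username, _DUMMY)
    candidate = hashlib.sha256(salt + password.encode()).digest()
    ok = hmac.compare_digest(candidate, digest) and username in USERS
    return "OK" if ok else "Invalid user ID or password"


def leaks_user_existence(login) -> bool:
    """QA test case built from the pentest finding: an unknown user and a known
    user with a wrong password must get byte-identical responses.
    Returns True when the implementation under test leaks."""
    unknown = login("mallory", "guess")
    wrong_password = login("alice", "guess")
    return unknown != wrong_password
```

`leaks_user_existence` is the kind of check the post suggests building into the QA workflow: it encodes one pentest finding as a permanent regression test, so a future "helpful" error message cannot quietly reintroduce user enumeration.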

Interactive Application Security Testing (IAST) is gaining popularity quickly and is a rising star amongst application security testing and discovery techniques. Because it is instrumented into the running application on the server side, it can report issues that are truly exploitable, which results in the IAST tool reporting few to no false positives.

Create a Threat and Vulnerability Management Process

To improve your risk posture, it is advisable that organizations create a threat and vulnerability management process. In other words, a process to measure the rate at which you’re identifying vulnerabilities and the rate at which they’re being addressed. Next, create a centralized system to manage the vulnerabilities themselves – and build metrics to be sure you’re getting the right business insights into your program.

Before we go further, let’s clarify what metrics and measurements are, as there can be a lot of confusion around what each term means. Measurement is a fact or number used to quantify something. A metric is usually a combination of measurements, frequently a ratio, that provides business intelligence. For example, “I had three cups of coffee today” is just a measurement. My blood/caffeine ratio, however, would be a metric. The fact that I had three cups of coffee today doesn’t tell me much. But the amount of caffeine in my blood tells me something that might be important.

Read about how CISOs can work with CFOs to identify metrics that are meaningful to leadership.

To take the example a step further, people sometimes will take raw data, such as the number of vulnerabilities found, and use that to measure their success. Wrong! You have to build key performance indicators (KPIs) and key risk indicators (KRIs) that are based on your business risks. Use your KPIs and KRIs to develop metrics that will guide you in your application security journey.

Initially, you might be able to only build metrics on coverage, such as the percentage of your applications portfolio that is currently being tested. Over time you can build more mature metrics to determine things like holistic policy compliance and later, look at effectiveness metrics for things like penetration testing and secure code review. Lastly, when you are heavily focused on remediation and reducing
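The measurement-versus-metric distinction above, carried into code as an added example that is not part of the original post: the raw findings and application inventory are the measurements, and the coverage, remediation and SLA figures computed from them are the metrics a CISO could put in front of leadership. The portfolio, findings, dates and SLA targets are constructed.

```python
from datetime import date
from statistics import mean

# Constructed portfolio: every application the business owns, with its risk tier.
APPS = {
    "payments-api": "critical", "customer-portal": "high",
    "hr-intranet": "medium", "marketing-site": "low", "batch-reports": "medium",
}

# Constructed findings: (app, severity, opened, closed or None if still open).
FINDINGS = [
    ("payments-api", "critical", date(2021, 1, 4), date(2021, 1, 9)),
    ("payments-api", "high", date(2021, 1, 6), date(2021, 1, 27)),
    ("customer-portal", "critical", date(2021, 1, 11), None),
    ("customer-portal", "medium", date(2021, 1, 12), date(2021, 2, 1)),
    ("hr-intranet", "high", date(2021, 1, 20), None),
]
TESTED_THIS_QUARTER = {"payments-api", "customer-portal", "hr-intranet"}

# Assumed remediation SLA in days per severity: a policy input, not a finding.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def coverage(apps=APPS, tested=TESTED_THIS_QUARTER, tier=None) -> float:
    """Coverage metric: share of the portfolio (or of one risk tier) tested."""
    scope = [a for a, t in apps.items() if tier is None or t == tier]
    return len([a for a in scope if a in tested]) / len(scope) if scope else 0.0


def mean_time_to_remediate(findings=FINDINGS, severity=None) -> float:
    """Effectiveness metric: average days from open to close for closed findings."""
    durations = [(closed - opened).days for _, sev, opened, closed in findings
                 if closed and (severity is None or sev == severity)]
    return mean(durations) if durations else 0.0


def sla_breaches(findings=FINDINGS, today=date(2021, 2, 15), sla=SLA_DAYS) -> list:
    """Key risk indicator: open findings older than their severity's SLA."""
    return [(app, sev, (today - opened).days) for app, sev, opened, closed in findings
            if closed is None and (today - opened).days > sla[sev]]


def remediation_rate(findings=FINDINGS, start=date(2021, 1, 1), end=date(2021, 2, 15)) -> float:
    """Key performance indicator: closed divided by opened inside the window.
    Above 1.0 the backlog is shrinking; below it, the program is falling behind."""
    opened = [f for f in findings if start <= f[2] <= end]
    closed = [f for f in findings if f[3] and start <= f[3] <= end]
    return len(closed) / len(opened) if opened else 0.0
```

"Five findings" on its own says nothing; "one critical finding 35 days past its 7-day SLA on the customer portal" is something leadership can act on, which is the difference the coffee analogy is making.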

Develop Application Security Standards

Chances are, you have security policies that you need to adhere to, whether established internally, by regulatory bodies or even customers. It is important to unify them to build application security standards applicable to your business and SDLC practices. Then, enforce them with automation whenever possible. For example, you might want to customize static analysis or dynamic analysis tools so they understand what your standards are. These tools will trigger an alert when a certain security standard isn’t being met.

Various automation tools and techniques are available that can improve the quality and security of the software that you’re implementing, including:

  1. SAST – Static application security testing
  2. DAST – Dynamic application security testing
  3. IAST – Interactive application security testing
  4. RASP – Runtime application self-protection
  5. SCA – Software composition analysis

For a deeper dive into these tools, check out this Cyber Defense Magazine article, starting on pg. 65.

Identify and Inventory Open Source Risk

Open source code is everywhere. It's convenient, replicable and efficient to use, and most developers rely on it. With open source code, however, you need to maintain a heightened awareness of the security risk you inherit along with it.

Maintain an inventory of every open source component you use throughout your organization, including the transitive dependencies that your direct dependencies pull in, since those are the ones teams tend not to know about. A component that poses no known risk today can be hit by a newly disclosed (or zero day) vulnerability tomorrow. The moment that happens, you need to answer two questions quickly: 1) are we using the vulnerable component and version at all, and 2) where is it deployed, and is our software actually exploitable through it? You'll also want to track possible licensing conflicts as early as possible to avoid legal headaches.
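As an added illustration of the two questions above (not tooling from the original post or from NetSPI), the following Python checks a constructed component inventory against a constructed advisory feed. The package names, versions and affected ranges are hypothetical, and the inventory is assumed to have been flattened from per-application SBOMs to application -> {package: version}:

```python
"""Open source inventory check (added example; not NetSPI's or any vendor's tooling).

Assumes the component inventory has been flattened to application -> {package: version}
and the advisory feed to package -> affected [introduced, fixed) ranges. Both tables
below are constructed sample data and every package name is hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory, e.g. flattened from per-application SBOMs.
INVENTORY: Dict[str, Dict[str, str]] = {
    "payments-api":    {"acme-json": "2.4.1", "fastlog": "1.0.3"},
    "customer-portal": {"acme-json": "3.1.0", "imgthumb": "0.9.7"},
    "batch-reports":   {"acme-json": "2.3.9", "fastlog": "1.2.0-rc1"},
}

# Constructed advisory feed: a version is affected if introduced <= version < fixed.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "acme-json": [("2.0.0", "2.4.2")],  # hypothetical bug in 2.x, fixed in 2.4.2
    "imgthumb":  [("0.0.0", "1.0.0")],  # hypothetical bug in every 0.x release
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1). Pre-release tags ('-rc1') and build metadata ('+abc')
    are dropped, so '1.2.0-rc1' compares as 1.2.0; fine for this demo, a
    simplification for real feeds."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version lies inside any half-open [introduced, fixed) range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in ranges)


@dataclass(frozen=True)
class Finding:
    application: str
    package: str
    version: str
    fixed_in: str


def find_exposed(inventory: Dict[str, Dict[str, str]],
                 advisories: Dict[str, List[Tuple[str, str]]]) -> List[Finding]:
    """Question 1 from the text: are we running a vulnerable component, and in which apps?"""
    found: List[Finding] = []
    for app, components in sorted(inventory.items()):
        for pkg, ver in sorted(components.items()):
            for lo, hi in advisories.get(pkg, []):
                if parse_version(lo) <= parse_version(ver) < parse_version(hi):
                    found.append(Finding(app, pkg, ver, hi))
    return found


def apps_using(inventory: Dict[str, Dict[str, str]], package: str) -> List[str]:
    """Question 2: where is a component used at all, regardless of version?
    This is the list to pull the moment an advisory lands, before ranges are confirmed."""
    return sorted(app for app, comps in inventory.items() if package in comps)


if __name__ == "__main__":
    for f in find_exposed(INVENTORY, ADVISORIES):
        print(f"{f.application}: {f.package} {f.version} is affected, upgrade to {f.fixed_in}")
    print("everything that ships acme-json:", apps_using(INVENTORY, "acme-json"))
```

Running it prints which applications ship an affected version and which fix release to move to. Note that `apps_using` deliberately ignores versions: when a new advisory appears, the first job is to know every place the component lives, and only then to narrow by affected range.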

The Longest Journey...

… begins with the first step. If the application security journey you’re about to embark on feels like the epic trek of a lifetime, don’t worry. These six security activities will start you on solid footing and help you navigate along the way.

(Source: "Six Activities to Jump Start Your Application Security Journey", NetSPI blog post, https://www.netspi.com/?p=20831, last modified 2021-04-14)

NetSPI blog post, published 2021-01-05 (https://www.netspi.com/?p=20678):

Application security is a crucial component of all software development today. At least, it should be, as cyber security concerns continue to grow at the same furious pace as the number of apps out there. However, here at NetSPI we talk with a lot of software development teams who haven't yet adopted a security mindset, which places not only their programs at risk of cyber-attack, but their entire organizations as well.

If you’re fighting resistance within your organization to incorporate security measures into the software development life cycle (SDLC), this blog post is for you. We’re going to set straight four of the most common myths and misconceptions we hear among those who don’t have robust application security processes in place.

Myth #1 – An application security team is optional

On the contrary: an application security team today is a must. Someone within your organization should own the function. The good news is that you don't need a big team to manage it. In fact, we've seen programs that work really well with small teams, in some cases a team of one.

Another must: build an application security culture and nurture it across the entire organization, paying special attention to the key stakeholders who contribute to your application development lifecycle. Some companies foster that culture with a security champions program, in which engineers in the software organization are nominated to advocate on behalf of the application security team. The beauty of this approach is that you gain team members inside the engineering organization who can triage and fix vulnerabilities quickly, and who in many cases help reduce the number of vulnerabilities your applications have in the first place. The best side effect is that you start organically evangelizing a culture of application security within your organization.

Myth #2 – My organization is too small to have an application security team

This belief is especially common among startups. As noted above, no organization is too small to focus on application security, mainly because it isn't just about finding vulnerabilities. You can start by creating governance processes that define security measures and guide the implementation of a secure SDLC, such as:

  • Introduce technologies at different points during your SDLC so that you catch vulnerabilities early, before an attacker can exploit your software.
  • Integrate security concepts into your software by building application security-specific requirements that become part of your software before a single line of code is written.
  • Create security use cases (also known as misuse and abuse cases) and build functional requirements that focus on security concepts. Then make sure that your developers have access to those requirements and implement the software against them.
  • Educate developers on defensive programming techniques so they can build software that is naturally resilient to attacks.

Myth #3 – Because we love DevOps and we’re an Agile organization, we can’t have an application security team

Organizations that feel this way usually believe that security teams slow things down. Security doesn't have to slow you down when you use the right tools and processes at the right times, and a relatively new concept known as DevSecOps can help. DevSecOps is a culture in which security is integrated between the development and operations functions, closing the gap between three roles that have historically been siloed. When these roles are required to work collaboratively, application security becomes a shared responsibility, which lets a DevOps or Agile organization introduce security as a frictionless component of all of its processes. The objective is to make security-driven decisions and execute security actions at the same scale and speed as development and operations decisions and actions. To succeed with this approach, an organization must adopt a DevSecOps culture.

Myth #4 – Application security teams will slow us down

As mentioned above, application security doesn't have to be a hindrance. If you're using best practices and building good quality software, security is an inherent part of that. Software that is developed securely in the first place is usually easier to maintain, because a vulnerability designed out early costs a fraction of one fixed after release. When you adopt a security mindset, your SDLC will flow more smoothly, you will build better software and you can even save money in the long run.

Concerned about your application’s security? Learn more about our application security penetration testing.

Getting started with application security:

Best practice dictates the introduction of appropriate touchpoints throughout each phase of your process.

Education, for example, is a good first step:

  • Educate your product managers and business analyst(s) on common security vulnerabilities and real-world scenarios of how these security vulnerabilities had a severe impact on an organization, so they can help guide security requirements for your software and always be security conscious.
  • Educate developers on defensive programming to make sure they implement software that is naturally resilient against vulnerabilities.
  • Educate your teams who are involved with testing and deployment to detect vulnerabilities using various techniques like manual penetration testing, adversarial simulations or red teaming activities.

Learn more about secure code review and building application security into your software development lifecycle.

Second, during the planning phase, create security requirements, or benchmark your program, so that you can understand how mature your organization’s SDLC is, from a security perspective, and so that you can take educated steps to evolve and elevate it over time.

Third, in the design phase, construct your software so that it is naturally resilient to attacks. When you're building use cases, be sure to add misuse and abuse cases. An example of a misuse/abuse case is an attacker who "brute forces" a login page by trying every plausible username and password in its fields. You can address that case by having the software temporarily lock an account after several wrong attempts. Make the lockout temporary, because a permanent lockout hands an attacker a way to lock legitimate users out of their own accounts. You should also add a velocity or anti-automation check, so that a single source submitting attempts far faster than a human could is throttled before it can brute-force its way into the application; the lockout alone doesn't stop an attacker who spreads a few guesses across many accounts.
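To make the lockout and velocity check concrete, here is an added Python example (not code from the original post). It assumes an in-memory store and a caller-supplied clock so that it runs stand-alone; the thresholds are illustrative, and the source identifiers and usernames in the demo are made up:

```python
"""Account lockout plus a velocity (anti-automation) check for a login page.

This is an added example, not code from the original post. The thresholds,
the in-memory dictionaries and the caller-supplied clock (`now`, in seconds)
are assumptions that let it run stand-alone; a real deployment keeps this
state in a shared store and tunes the numbers to its own traffic.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List


class LoginGuard:
    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0,
                 window_seconds: float = 60.0, max_per_window: int = 20) -> None:
        self.max_failures = max_failures        # wrong passwords before an account locks
        self.lockout_seconds = lockout_seconds  # temporary, so a lockout cannot be weaponised forever
        self.window_seconds = window_seconds    # sliding window for the velocity check
        self.max_per_window = max_per_window    # attempts one source may make per window
        self._failures: Dict[str, int] = defaultdict(int)             # account -> consecutive failures
        self._locked_until: Dict[str, float] = {}                     # account -> unlock time
        self._attempts: Dict[str, Deque[float]] = defaultdict(deque)  # source -> attempt timestamps

    def check(self, username: str, source: str, now: float) -> str:
        """Call before verifying the password. Returns 'allow', 'throttled' or 'locked'."""
        # Velocity check first. It is keyed on the source, not the account, so it also
        # catches an attacker spreading a few guesses across many different accounts.
        window = self._attempts[source]
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        window.append(now)
        if len(window) > self.max_per_window:
            return "throttled"
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[username]  # lockout expired: let the real owner back in
            self._failures[username] = 0
        return "allow"

    def record_result(self, username: str, now: float, success: bool) -> None:
        """Call after the password check for every attempt that was allowed through."""
        if success:
            self._failures.pop(username, None)
            return
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds


def simulate_failures(guard: LoginGuard, usernames: List[str], source: str,
                      start: float = 0.0, step: float = 1.0) -> Dict[str, int]:
    """Feed one wrong-password attempt per username from a single source, one per `step`
    seconds, and count how the guard decided each one."""
    counts = {"allow": 0, "throttled": 0, "locked": 0}
    now = start
    for user in usernames:
        decision = guard.check(user, source, now)
        counts[decision] += 1
        if decision == "allow":
            guard.record_result(user, now, success=False)
        now += step
    return counts


if __name__ == "__main__":
    g = LoginGuard()
    print("brute force, one account:", simulate_failures(g, ["alice"] * 30, "203.0.113.5"))
    print("credential stuffing, many accounts:",
          simulate_failures(LoginGuard(), [f"user{i}" for i in range(30)], "203.0.113.5"))
    print("alice from her own phone during lockout:", g.check("alice", "198.51.100.7", 100.0))
    print("alice after the lockout expires:", g.check("alice", "198.51.100.7", 2000.0))
```

The single-account run shows the lockout engaging after five failures and the velocity check taking over once the same source exceeds twenty attempts in a minute; the many-accounts run shows that only the velocity check stops credential stuffing, since no individual account ever reaches the failure threshold. The two `alice` checks show the cost and the mitigation of the lockout: the real user is refused while the lockout is active, and admitted again once it expires.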

During the coding phase, you can not only educate your developers on writing secure code, but also employ techniques like static analysis, manual code review and software composition analysis to identify vulnerabilities early in your SDLC.

In the testing phase, you have the opportunity to leverage manual penetration testing and dynamic scanning, and to build risk-based test cases from the misuse and abuse cases defined earlier.

Lastly, in the deployment phase, test your detection controls and perform adversarial simulations and red teaming activities. Consider manual penetration testing, or implement technologies like RASP to offer continuous protection of an application even after a perimeter is breached.

Because in today’s world software is everywhere – from refrigerators and coffeemakers to medical equipment and data farms – application security is becoming ever-more complex and increasingly critical. Every software development organization, no matter how large or small, must focus on application security to protect its products, the end users and, ultimately its own organization.

For more information, watch my presentation at the recent Cyber Security Summit or contact us to learn how you can get started on your own application security journey.

(Source: "Four Application Security Myths – Debunked", NetSPI blog post, https://www.netspi.com/?p=20678, last modified 2021-04-14)

NetSPI blog post, published 2020-12-11 (https://www.netspi.com/?p=20687):

On December 11, NetSPI Managing Director Nabil Hannan was featured in TechTarget:

At the end of the day, cybersecurity is a financial issue. Breaches can result in significant financial loss and reputational damage. Consider these statistics:
  • The global average cost of a data breach is $3.86 million, according to the "Cost of a Data Breach Report 2020," with the U.S. having the highest average at $8.64 million.
  • Another report found that insider threats are the most expensive category of attack to resolve, costing an average of $243,101. And this number is increasing.
  • Lastly, in just the first six months of 2020, 3.2 million records were exposed in the 10 biggest breaches – eight of the breaches occurred at medical or healthcare organizations. Healthcare was deemed the costliest industry by the "Cost of a Data Breach Report" with the average cost of a breach reaching $7.13 million.
Now forget those statistics; push them aside. While it's important to understand the financial aftermath of a breach, security teams need to uncover more proactive methods for communicating the value of their investments with organizational leadership to get buy-in (and funding) upfront. However, communicating the return on investment (ROI) of a security program, in which the results are not always tangible, has proven to be a challenge for security leadership.

The shift to a more proactive security program assessment can only occur if the chief information security officer (CISO) first has a greater voice at the table in the boardroom. As the individual most responsible for ensuring information assets and technologies are adequately protected, the CISO can serve as a bridge between the highly technical voices in infosec and other C-suite executives who are more financially, operationally or innovation focused.

And who among the C-suite can make this shift a reality? The chief financial officer (CFO). CISOs need to establish a stronger relationship with their CFO and financial team to better communicate the value of existing, and future, security investments. Here are three ways – and reasons why – the CISO and CFO should work more closely together.

Read the full article here: https://searchsecurity.techtarget.com/post/3-reasons-why-CISOs-should-collaborate-more-with-CFOs

(Source: "TechTarget: 3 reasons why CISOs should collaborate more with CFOs", NetSPI blog post, https://www.netspi.com/?p=20687, last modified 2021-04-14)

NetSPI on-demand webinar, published 2020-12-02 (https://www.netspi.com/?post_type=webinars&p=20601):

This session was originally for the Fall 2020 Cyber Security Digital Summit.

Has your organization considered IAST, RASP, etc. solutions as part of your program, and what has your experience been so far?

Understanding the value provided by the different types of vulnerability detection and exploit prevention technologies available today is critical to every security organization. This discussion focuses on Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP).

  • What is IAST, and how does it complement Pentesting, DAST, and SAST?
  • What is RASP, and why is it challenging to deploy at scale?

Watch this on-demand webinar to:

  • Better understand capabilities of new emerging technologies that detect security vulnerabilities in software
  • Better understand the strengths and weaknesses of some of the new techniques
  • Learn how organizations are using these techniques at scale
  • Review challenges around adding yet another piece of technology to the ecosystem
(Source: "The Adoption of Emerging AppSec Technology", NetSPI on-demand webinar from the Cyber Security Digital Summit, full session title "The Adoption of Emerging AppSec Technology: A Possible Shift to the Right", https://www.netspi.com/?post_type=webinars&p=20601)

NetSPI blog post, published 2020-11-17 (https://www.netspi.com/?p=20355):

In a recent episode of Agent of Influence, I talked with Jeff Williams, a celebrity in the cyber security space. Jeff is the co-founder and Chief Technology Officer of Contrast Security, where he developed IAST. He was also previously the co-founder and CEO of Aspect Security, and was a founder and major contributor to OWASP, where he created the OWASP Top 10, among other things.

I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music or wherever you listen to podcasts.

Critical Responsibilities of Cyber Security Consultants

Jeff believes that knowledge of both security defenses and security vulnerabilities is critical to a career in cyber security. You actually have to learn how defenses are supposed to work. In many respects your job as a security consultant is to make sure those defenses are in place and working the way they're supposed to, so understanding how they're supposed to work is critical. Jeff sees a lot of consultants who read a document about how a security defense is supposed to work and assume that is how it does work. That's often not the case.

The other piece you really have to understand is how vulnerabilities work. And not just in theory – you actually have to work through them, exploit them, and learn how they work. Jeff believes that if you know about these vulnerabilities only in theory, you know nothing about them. You really have to dig in and make sure they work.

You can use things like WebGoat, which Jeff created, to start to understand them, but you should go back and recreate them. And it's not going to work the first time, you're going to have to experiment around and figure out how to make it work – which is part of the job.

Effectively Communicating Vulnerability Findings

Learning how to write up vulnerabilities is almost as important as being able to find them. It's really important to be able to communicate your findings and get people to take action. Jeff said he's read a number of vulnerability write-ups that are bad because they're too technical and don't describe the risk, especially the risk in a business context.

Ultimately your work goes to waste if you can't effectively communicate with others what you found and the importance of what you found.

You can read more in this article Jeff wrote on LinkedIn.

The Necessity and Benefits of IAST (Interactive Application Security Testing)

Jeff was having trouble getting his customers to succeed in their application security programs. They were getting some results and fixing some vulnerabilities, but it was a lot of work to get there. A number of years ago he wrote a paper called Enterprise Java Rootkits, which asked: what could a malicious developer do inside a major financial enterprise? Everything in that paper is still valid today, and it's terrifying. One of the techniques he looked at was instrumentation: dynamically instrumenting an app from within that same app.

This paper got Jeff thinking about instrumentation and if it could be used for good. It struck him that this was a way of getting inside the running application and watching it run. He realized he could watch a SQL injection vulnerability from soup to nuts. He could see the data come in, track that data through the application, see it get combined into a SQL query, see that query then get sent to the database, and check back on that path to see if the data went through the right defenses.

If you see that path, if you see data come in, and go into a query without being escaped or parameterized, then that's pretty good evidence that you've got a SQL injection vulnerability, so he started playing around with it and tested it on WebGoat.

He described the first time he found the SQL injection in WebGoat without doing anything other than adding the agent and using the application normally. He watched the log scroll by, and then saw a line that said: SQL injection detected. That magic has stayed with him to this day.

It's amazing to watch instrumentation work. It's like finding all this fantastic information out of your application without any extra work.

IAST is also seamless from a development perspective. It happens in the background and in real time. You don't have to have a security background or security awareness to be able to do this.
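The following Python is an added illustration of the instrumentation idea described above; it is not Contrast's agent or any product's code. A `Tainted` string marks request input, the mark survives string concatenation, and a wrapper around a sqlite3 connection (standing in for the database driver) inspects each query before it runs. The table, rows and the three lookup functions are constructed for the demo:

```python
"""Instrumentation-style SQL injection detection, as an added illustration.

Not Contrast's agent or any IAST product's code. It imitates the idea in the
text with a few lines of Python: mark untrusted input, let the mark propagate
through string building, and wrap the database driver so the query text is
checked for the mark before it reaches the database. Table, rows and lookup
functions are constructed for the demo.
"""
import sqlite3
from typing import List, Sequence


class Tainted(str):
    """A str that stays marked as untrusted through '+' and '%' formatting.
    A real agent instruments every string operation; this subclass covers only
    these two (f-strings and str.format() would silently drop the mark)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))

    def __rmod__(self, template):
        return Tainted(str.__mod__(template, self))


class SqlInjectionDetected(Exception):
    pass


class InstrumentedConnection:
    """Wraps a sqlite3 connection the way an agent wraps the database driver.
    mode='detect' records findings (the IAST posture); mode='block' refuses
    the query (the RASP posture)."""
    def __init__(self, conn: sqlite3.Connection, mode: str = "detect") -> None:
        self._conn = conn
        self.mode = mode
        self.findings: List[str] = []

    def execute(self, sql: str, params: Sequence = ()):
        # The check: did untrusted data end up inside the SQL text itself?
        # Bound parameters never touch the SQL text, so they pass untouched.
        if isinstance(sql, Tainted):
            self.findings.append(str(sql))
            if self.mode == "block":
                raise SqlInjectionDetected(str(sql))
        return self._conn.execute(str(sql), params)


def escape_literal(value: str) -> str:
    """Output encoding for a single-quoted SQL literal. It returns a plain str,
    so the taint mark is dropped: that is how the agent 'sees' that the data
    went through a defense on its way to the query."""
    return str(value).replace("'", "''")


def setup_db() -> InstrumentedConnection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return InstrumentedConnection(conn)


def lookup_vulnerable(db: InstrumentedConnection, name: str):
    """Untrusted input concatenated straight into the query."""
    return db.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()


def lookup_parameterized(db: InstrumentedConnection, name: str):
    """The right defense: the value is bound, never part of the SQL text."""
    return db.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


def lookup_escaped(db: InstrumentedConnection, name: str):
    """Weaker but recognized defense: escaped before being placed in the literal."""
    return db.execute("SELECT role FROM users WHERE name = '%s'" % escape_literal(name)).fetchall()


def run_demo() -> List[str]:
    """Use the app 'normally' with one request value and return what the agent flagged."""
    db = setup_db()
    request_value = Tainted("alice")  # as if read from an HTTP parameter
    lookup_vulnerable(db, request_value)
    lookup_parameterized(db, request_value)
    lookup_escaped(db, request_value)
    return db.findings


def run_blocking_demo() -> bool:
    """Same vulnerable lookup with the agent in block mode: the query never reaches the DB."""
    db = setup_db()
    db.mode = "block"
    try:
        lookup_vulnerable(db, Tainted("x' OR '1'='1"))
        return False
    except SqlInjectionDetected:
        return True


if __name__ == "__main__":
    for finding in run_demo():
        print("SQL injection detected:", finding)
    print("blocked in RASP mode:", run_blocking_demo())
```

Only the concatenating lookup is reported, and it is reported from a benign request ("alice"), which is the point of the approach: no attack payload is needed, because the agent watches the data flow rather than the outcome. The same wrapper in block mode shows how thin the line between detection and runtime protection is.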

Noisy Cricket: Strengths and Weaknesses of Static Analysis and IAST

Jeff shared that OWASP decided they didn't really know what static tools were good at and bad at, so they wanted to measure it. To do that, they created this huge test suite, almost 3,000 test cases, half of which are false positives and half of which are true positives. Then they run a static tool against it, get the report from the static tool, feed it into the benchmark, and it will score the report and create charts to show the strengths and weaknesses.

It's a low bar; none of these tests are particularly difficult. But what is surprising is how poorly the static tools do on things like data flow problems and all the injections (including command injection, SQL injection, XSS, LDAP, etc.). In response to that, the static vendors started changing their products to do better against the benchmark, which was one of the intentions of the benchmark project: set a bar so that products could get better.

Jeff noted, however, that the strategy the static tools chose was to not miss any true vulnerabilities, but basically not care about false positives. As a result, the static tools increased their identification of true positives, but at the same time, added false positives.

In response to this, Jeff wrote a tool called Noisy Cricket that finds all the true positives without caring about false positives. Basically, it says any place you use SQL, that's SQL injection, any place you use encryption, that's a weak encryption. It reports all the results. And when you look at the results of Noisy Cricket, they're not that different from what the static vendors are producing. It was kind of a joke, but also demonstrates that finding all the true positives without caring about false positives provides zero value. The only value happens when you find true positives with low false positives. That's how you measure the value and that’s how the benchmark project scores tools.
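An added worked example of that scoring, not the OWASP Benchmark's own code: it applies the Benchmark's published score, true positive rate minus false positive rate, to a constructed eight-case suite and three hypothetical tool reports (`noisy_cricket`, `silent` and `decent` are made-up report names, and the case ids are constructed):

```python
"""Benchmark-style scoring of scanner reports (added example).

Not the OWASP Benchmark's code. It applies the Benchmark's published score,
true positive rate minus false positive rate, to a constructed eight-case
suite and three hypothetical reports, to show why a report that flags
everything scores exactly zero.
"""
from typing import Dict, FrozenSet, List, Tuple

# Constructed suite: case id -> (category, is a real vulnerability?).
# Half the cases are real; the other half are safe code a tool should not flag.
TEST_SUITE: Dict[str, Tuple[str, bool]] = {
    "tc01": ("sqli", True),
    "tc02": ("sqli", False),
    "tc03": ("sqli", True),
    "tc04": ("sqli", False),
    "tc05": ("xss", True),
    "tc06": ("xss", False),
    "tc07": ("xss", True),
    "tc08": ("xss", False),
}

# Hypothetical reports: the set of case ids each tool flagged as vulnerable.
REPORTS: Dict[str, FrozenSet[str]] = {
    "noisy_cricket": frozenset(TEST_SUITE),                        # flags every case
    "silent":        frozenset(),                                  # flags nothing
    "decent":        frozenset({"tc01", "tc03", "tc05", "tc02"}),  # 3 hits, 1 miss, 1 false alarm
}


def score(suite: Dict[str, Tuple[str, bool]], flagged: FrozenSet[str]) -> Dict[str, float]:
    """TPR, FPR and the Benchmark-style score (TPR - FPR) for one report."""
    tp = sum(1 for cid, (_, real) in suite.items() if real and cid in flagged)
    fn = sum(1 for cid, (_, real) in suite.items() if real and cid not in flagged)
    fp = sum(1 for cid, (_, real) in suite.items() if not real and cid in flagged)
    tn = sum(1 for cid, (_, real) in suite.items() if not real and cid not in flagged)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tpr": tpr, "fpr": fpr, "score": tpr - fpr}


def score_by_category(suite: Dict[str, Tuple[str, bool]],
                      flagged: FrozenSet[str]) -> Dict[str, Dict[str, float]]:
    """The same score per vulnerability category, which is where the text says
    static tools show their weak spots (data flow, injections)."""
    categories = sorted({cat for cat, _ in suite.values()})
    return {cat: score({c: v for c, v in suite.items() if v[0] == cat}, flagged)
            for cat in categories}


def rank_tools(suite: Dict[str, Tuple[str, bool]],
               reports: Dict[str, FrozenSet[str]]) -> List[Tuple[str, float]]:
    """Tools ordered best to worst by overall score."""
    return sorted(((name, score(suite, r)["score"]) for name, r in reports.items()),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for name, s in rank_tools(TEST_SUITE, REPORTS):
        print(f"{name:14s} score={s:+.2f}  {score(TEST_SUITE, REPORTS[name])}")
```

The report that flags every case has a perfect true positive rate and a perfect false positive rate, so its score is 0.0, the same as a report that flags nothing; that is the "zero value" point from the conversation. The per-category breakdown is how the Benchmark surfaces where a tool is strong and where it is weak.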

Jeff believes there has to be a balance and static tools have never been able to improve in that direction. They can only bias their findings towards finding true positives or towards only reporting true vulnerabilities.

IAST is a great solution because of the nature of the analysis: it produces results that are not very noisy, with low rates of false positives. Static analysis, by contrast, is extremely noisy out of the box and shows a lot of false positives, though you do have the opportunity to fine tune and customize your static analysis capability. It can be a lot of work to get the false positives down to an acceptable rate, but there is value in both. The low false positive rate is one of the reasons IAST really shines against static analysis techniques.

However, for certain use cases, static analysis is exactly the right tool. For example, if you're a security researcher, and you're tasked with finding new and interesting kinds of vulnerabilities, static can be a real powerful tool. In addition, if you get good at writing custom static rules, you can search your code for things that are custom to your code.


To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

(Source: "The Power of Instrumentation to Automate Components of Vulnerability Testing – from the Creator of IAST", NetSPI blog post, https://www.netspi.com/?p=20355, last modified 2021-04-14)

NetSPI on-demand webinar, published 2020-10-26 (https://www.netspi.com/?post_type=webinars&p=20195):

This session was originally for the Cyber Security Summit.

In order for an organization to have a successful Application Security Program, there needs to be a centralized governing Application Security team that’s responsible for Application Security efforts. In practice, we hear many reasons why organizations struggle with application security, and here are four of the most common myths that need to be dispelled:

  1. An Application Security Team is Optional
  2. My Organization is Too Small to Have an Application Security Team
  3. I Cannot Have an Application Security Team Because We Are a DevOps/Agile/Special Snowflake Shop
  4. An Application Security Team will Hinder Our Ability to Deliver/Conduct Business

This session will cover taking a strategic approach to application security.

(Source: "Getting Started on Application Security", NetSPI on-demand webinar from the Cyber Security Summit, presented by NetSPI Managing Director Nabil Hannan, https://www.netspi.com/?post_type=webinars&p=20195)

NetSPI blog post, published 2020-10-13 (https://www.netspi.com/?p=19486):

In a recent episode of Agent of Influence, I talked with John Markh of the PCI Council. John has over 15 years of experience in information security, encompassing compliance, threat and risk management, security assessments, digital forensics, application security, and emerging technologies such as AI, machine learning, IoT and blockchain. At the PCI Council his role includes developing and evolving standards for emerging mobile payment technologies, along with technical contributions on penetration testing, secure applications and the secure application lifecycle, and emerging technologies such as mobile payments, cloud and IoT.

I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.

About the PCI (Payment Card Industry) Council

The PCI Council was established in 2006 by several payment brands to create a single framework, acceptable to all of those brands, for securing the payment or account data of the merchants and service providers in that ecosystem. Since then, the PCI Council has created many additional standards that cover not only the operational environment but also device security, such as the PCI PTS standard, and standards for hardware security modules and point-to-point encryption (P2PE) solutions. The Council is in the process of developing security standards for various emerging payment technologies. Its mission is to enable secure payment processing by all stakeholders.

Over the years, a number of the security requirements created by the Council have been enhanced to ensure the standard does not become obsolete but keeps up with the current threats to the payment card industry as a whole. For example, PCI DSS, which was the very first standard created and published by the Council, has evolved and had numerous iterations since its publication to account for evolving threats.

The standards built by the PCI Council are built in a way to address threats that directly impact the payment ecosystem. They are not all-encompassing standards. For example, organizations that operate national infrastructure or electricity grids will find some security requirements that will be applicable to them, but the standards will not address all the risks that are applicable to them. The PCI Council standard is focused on the payment ecosystem.

The Evolution of the Payment Card Industry

John shared how people want convenience – not just in payment, but in every aspect of their life. They want convenience and security. So, payments will evolve to accommodate that.

Even today, there are stores where you put items you want to purchase in your shopping bag and you walk out. Automation, artificial intelligence, machine vision, and biometric systems that are installed in that store will identify the products you have put in your bag and deduct the money from your pre-registered account completely seamlessly.

There are also pilot stores in Asia where you still check out at the register, but to pay, you just look at a scanner, which identifies you through an iris scan to verify your identity, and then payment is processed from a pre-registered account.

Many appliances are also becoming connected to the internet, so it is possible that in the future a refrigerator will notice that you have run out of milk, order milk to be delivered to you, and perform the payment on your behalf. You could soon wake up with a fresh gallon of milk on your doorstep that was ordered by your refrigerator.

And of course, mobile is everywhere. More and more people have smartphones – and smartwatches – and with that comes the convenience of paying using your device. Paying by smart device is way simpler and in these times of COVID-19, it’s also contactless. I think we will see more and more technologies that allow this type of payment. It will still be backed by a credit card behind the scenes, but the form factor of your rectangular plastic will shift to other form factors that are more convenient and seamless.

There are also “smart rings” that can perform biometric authentication of the wearer of the ring. You can load payment cards and transit system cards into the ring, for example. So, when you want to pay or take the train, you just tap your ring to the NFC-enabled reading device, and you're done.

Convenience will drive innovation. Innovation will have to adapt to meet security standards and it will also drive new security standards to ensure that the emerging technologies are secure.

Innovation and Privacy

In order to have seamless payments, the system still needs some way to validate who you are. If you use a chip-and-PIN card, you authenticate yourself by entering a PIN, which is a manual process. John noted that it's far more seamless to use iris scans, but to do that you need to surrender something of yours to the system so that the system can identify that you are you.

Right now, the standards are focusing on protecting account data, but maybe in the future, there will be a merge between standards that focus on protecting account data and standards that protect biometric data.

People have several characteristics that identify us for the duration of our lifetime since they don't change much, including fingerprints and iris scans. It's difficult to say whether a choice of fingerprint or iris scan is the right choice for consumer authentication or not. At the end of the day, the payment system needs to authenticate you. If the system is using characteristics that cannot be changed, then it also needs to have additional inputs into making sure that it's not a fraudulent transaction.

For example, payment authentication could be a combination of your fingerprint and the mobile device you're using. If it is a known mobile device that belongs to you, the system could accept a transaction authenticated by your fingerprint plus additional information collected from the device, such as the fact that it belongs to you and that there is no known malware on it. If you were using your fingerprint on a new device, the system could see that the fingerprint matches but recognize that it's a new device, or that the device might have suspicious software on it, in which case it would ask you to enter your PIN or provide additional authentication. It will be a more elaborate system that takes numerous characteristics of the transaction and its environment into account before the transaction is processed.

Challenges of Making the Phone a Point of Sale (POS)

One area of focus for the PCI Council is mobile payment platforms. As John said, business owners want to install an app on a mobile device and take payments through it, creating an instant point of sale. However, the fact that the phone is not controlled by an enterprise, and that people can install a variety of applications on their phones (some of which might be malware), puts tremendous risk on the entire payment processing system.

While this lets business owners sell to more people, especially those who carry no cash and pay only with credit cards or smart devices, it also creates an additional avenue for potential fraud.

John said the PCI Council is focused on a way to make mobile payment platforms more secure. As such, the Council has already published two standards.

  • The Software-based PIN Entry on COTS (SPoC) standard lets solution providers develop an app paired with a small hardware dongle. The dongle reads the card data, while the phone becomes the point of sale and the device on which consumers enter their PIN to authenticate.
  • The second standard the PCI Council has released is Contactless Payments on COTS (CPoC™). In this case it is just an application that the merchant downloads to their phone; it checks that the phone is reasonably secure by performing various attestations of the phone and of the application itself, and it lets merchants instantly turn their phone into a point of sale. In some emerging markets there is no payment infrastructure where you can walk into a bank and get a merchant account, or doing so can take a very long time. With these mobile payment technologies you can become a merchant almost immediately.

As I have personally seen, the ability to make financial transactions through mobile devices in parts of the world that lack much infrastructure has dramatically changed people's livelihoods. And we need to make sure it is being done securely.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Post title: The Payment Card Industry: Innovation, Security Challenges, and Explosive Growth

Cyber Defense Magazine: 3 Steps to Reimagine Your AppSec Program (published 2020-10-07)

On October 7, NetSPI Managing Director Nabil Hannan and Product Manager Jake Reynolds were featured in Cyber Defense Magazine: With Continuous Integration/Continuous Deployment (CI/CD) increasingly becoming the backbone of the modern DevOps environment, it's more important than ever for engineering and security teams to detect and address vulnerabilities early in the fast-paced software development life cycle (SDLC) process. This is particularly true at a time when the rate of deployment for telehealth software is growing exponentially, the usage of cloud-based software and solutions is high due to the shift to remote work, contact tracing software programs raise privacy and security concerns, and software and applications are used in nearly everything we do today. As such, there is an ever-increasing need for organizations to take another look at their application security (AppSec) strategies to ensure applications are not left vulnerable to cyberattacks. Read the full article for three steps to get started, starting on page 65 of the digital magazine here.

Published 2020-10-06:

In a recent episode of Agent of Influence, I talked with Cassio Goldschmidt, Head of Information Security at ServiceTitan, about the evolution of the security frameworks used to develop software, including the key factors that may make one company's approach to building software differ from another's. Cassio is an internationally recognized information security leader with a strong background in both product-level and program-level security.

I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music or wherever you listen to podcasts.

Key Considerations When Developing Software

As Goldschmidt noted, one of the first highly publicized security frameworks was Microsoft SDL, and many security practitioners took it to be the way to develop software, a one-size-fits-all approach. That is definitely not the case.

Goldschmidt said that when SAFECode (Software Assurance Forum for Excellence in Code), a not-for-profit, was created, it became a place to discuss how to develop secure code and what the development lifecycle should look like, both among the member companies and at large. But different types of software and environments require different approaches, and the approach will be shaped by a variety of factors at each business, including:

  1. Type of Application: Whether you are developing an application that is internet facing, one that is merely internet connected, or software for ATMs will influence the kinds of defense mechanisms you need and how you should think about the code you are developing.
  2. Compliance Rules: If your organization has to meet specific compliance obligations, such as PCI, they will in some ways dictate what you have to do. Like it or not, you will need to follow certain steps, including reviewing the OWASP Top 10 and making sure you are free of issues such as cross-site scripting and SQL injection.
  3. The Platform: The architecture of a phone, and the security controls you have for memory management, are very different from those of a PC or of a data center, where people will not be able to reverse engineer things. This has to be taken into account when deciding how you will review your code and what risk it represents.
  4. Programming Language: Even today a lot of software is written in C++. Depending on the language you use, you may not get built-in protection against cross-site scripting, so you have to make sure you are doing something to compensate for the language's shortcomings.
  5. Risk Profile: Each business has its own risk profile and its own view of the kinds of attacks it is willing to endure. DDoS, for example, could be a big problem for some companies and not others, and for some companies even a data breach might matter less than it would for others, depending on the type of business. If you are in the TV streaming business and a single episode of Game of Thrones leaks, it likely will not have a big impact, but if you are in the movie business and one of your movies leaks, that will likely affect the revenue for that movie.
  6. Budget: Microsoft, Google, and other companies with large budgets have positions that do not exist anywhere else. For example, when Goldschmidt was at Symantec, they had a threat research lab, which is a luxury. Start-ups and many other companies might not have this and might need to use augmented security options.
  7. Company Culture: The maturity of the company's culture also matters a great deal. Security is not a one-time activity you can do at a given point, but something that ends up becoming part of your culture.

Today there are many tools and resources on the market, such as Agile Security by O'Reilly, that tell you how to do things in a way that really fits the newer models people use for developing code.

Security Software Versus Software Security

Security software is software used to defend your computer, such as antivirus, firewalls, IDS, and IPS. These are really important, but that does not mean they are necessarily secure software, or that they were developed with defensive programming in mind. Secure software, by contrast, is software developed to resist malicious attacks.

Goldschmidt said he often hears that people who make security software don't necessarily make secure software. In his experience though, security software is so heavily scrutinized that it eventually becomes secure software. For example, antivirus software is a great target for hackers because if an attacker can get in and disable that antivirus, they can ultimately control the system. So, from his experience, security software does tend to become more secure, although it’s not necessarily true all the time.

One inherent benefit I have noticed at companies that develop security software is that, being in the business of security, the engineers and developers they hire are already savvy about security implications. They therefore tend to make sure that at least the most common and basic issues are covered by default, and they are not going to fall prey to basic mistakes.

If an individual doesn't have this experience when they join a company developing security software, it becomes part of their exposure and experience, since they spend so much time learning about viruses, malware, vulnerabilities, and more. They learn it as part of their day to day; it is almost osmosis from being around other developers who are constantly thinking about it.

One of my mentors described the difference between security software and software security to me this way: security software is software that protects you, the end user, from being breached. Software security is making sure that your developers build the software in such a way that it keeps behaving correctly when an attacker is trying to make it misbehave.

Goldschmidt and I also spent time discussing the cyber security of the Brazilian elections. You can listen to the podcast here to learn more.

Post title: The Evolution of Security Frameworks and Key Factors that Affect Software Development

TechTarget: 3 common election security vulnerabilities pros should know (published 2020-10-01)

On October 1, NetSPI Managing Director Nabil Hannan was featured in TechTarget: During the Black Hat 2020 virtual conference, keynote speaker Matt Blaze analyzed the security weaknesses in our current voting process and urged the infosec community – namely pentesters – and election commissions to work together. His point: testers can play an invaluable role in securing the voting process, as their methodology of exploring and identifying every possible avenue for exploitation and simulating crisis scenarios is the perfect complement to shoring up possible vulnerabilities and security gaps. Read the full article here.

Published 2020-09-29:

In a recent episode of Agent of Influence, I talked with Miles Edmundson, a 30-year veteran of the IT and information security space. Miles started as a security consultant, was Carlson Company's first global Information Security Manager, worked for the largest crop insurance company in the world, and served as both the CISO for Ceridian and the US CISO for Equiniti. His last 12 to 14 years have been in the financial services industry. I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.

“Exploring” the Network Neighborhood

To start, Miles shared an interesting story about how he first stumbled into and became interested in cyber security.

He was curious about how networks worked and saw an icon on his desktop labelled "network neighborhood." He clicked on it; it took a while to populate, but he started to see over 2,500 different systems. As he looked at them, he realized he was seeing the entire client-server estate of Weyerhaeuser, his employer at the time. It became clear to him that there was a consistent naming convention by location, job title, and so on, and so within about 30 minutes he was able to find the CFO's machine and access sensitive information, including executive salaries. He reported the finding to the IT team, and this was the beginning of his career in cyber security.

Miles shared this as a lesson for security teams everywhere: exposing sensitive information doesn't always require a high degree of skill. There is a misconception that you have to be highly skilled to break into systems, but in many cases simple misconfigurations cause these problems and take very little skill to exploit.

Where to Focus When Starting a New Senior Level Position

In the early 2000s, Miles made the transition from consulting to being a practitioner, first joining Carlson Company as its Global Information Security Manager. He was the only person on the team, in a brand-new role, and his budget the first year was $100k, which was already earmarked for a specific project. He was at Carlson for three years, and by the time he left the department budget had grown to $3.5M.

I’m always curious to ask CISOs and senior cyber security leaders about how they start in a role and prioritize areas of focus. Miles has two key areas of focus when he starts new senior level positions, which are obviously dependent on audit findings, regulatory issues, number of employees, budget, and more:

  1. He always wants to see org charts to know who’s who and how to reach out to different people so he can start trying to build relationships with people.
  2. He also wants to see any audit reports or regulatory reports to understand the underlying issues the organization needed to focus on.

Keys to Relationship Building

Relationship building is extremely important, not only for your personal success, but also the success of your team and entire company.

Miles shared a story from the book Good to Great by Jim Collins about people who are excellent in their field. One of the people highlighted was a hotel housekeeper who, when interviewed, didn't say she was a housekeeper at a hotel chain, but rather that she was a representative of her company who wanted to ensure that people were having a wonderful time at her facility – and she was doing all she could to make that happen.

When Miles was asked what he did at Carlson Company, he would often say that he helped promote world understanding, because Carlson was a leading player in international travel and he thought it critically important for people to know that the world is much bigger than their local area.

Miles also cultivated relationships by asking questions – and listening to the answers. He didn't tell.

He was very conscious to be a good representative of his organization, his company, his state, and his country.

Biggest Challenge Facing CISOs Today

Keeping up.

Miles believes the biggest challenge facing CISOs is simply keeping up with all the requirements. In many respects, the role is responsible for juggling a number of different items all at the same time, and receiving constant requests from regulators, compliance teams, auditors, and customers. And CISOs have to meet these requests all while being constrained by budgets, personnel, talent, and more.

In addition, CISOs are effectively on call 24/7/365.

Advice for CISOs

Over the years, Miles has subscribed to a couple quotes that he shared that could be good advice for many things.

The first was from Teddy Roosevelt, President of the United States from 1901 to 1909, and he said, “Do what you can where you are with what you have.” Miles noted that you can only do so much with what you have – and so, do that.

The next quote is from Winston Churchill during World War II, and the paraphrased version is, "Never, never, never give up." This served Miles well in his career and he passed it along as advice to senior leaders.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Post title: The Biggest Challenge Facing CISOs Today – and the Key to Winning

Webinar, published 2020-09-10:

This session was originally shown at Black Hat USA 2020.

A successful Application Security Program requires a happy marriage between people, processes, and technology.

Watch this on-demand session to:

  • Learn how leading organizations use different discovery techniques as part of their AppSec program
  • Understand strengths and weaknesses of common AppSec vulnerability discovery technologies
  • Adopt techniques that make security frictionless for your developers as they embrace a DevSecOps culture
  • Learn how functional your application security program can be with a “makeover” to:
    1. Enhance your reporting to empower leadership to optimize your appsec program
    2. Improve your vulnerability ingestion, correlation, and enrichment
    3. Increase your speed to remediation

Post title: Extreme Makeover AppSec Edition (on-demand webinar)

TechTarget: What cybersecurity teams can learn from COVID-19 (published 2020-08-12)

On August 12, NetSPI Managing Director Nabil Hannan was featured in TechTarget: There's a reason why a computer virus is called a "virus," as they have many similarities to medical viruses. Notably, just as a medical virus can have a severe impact on your personal health, a computer virus can severely impact the health of your business. In today's digital world, a computer virus, a "wormable" remote code execution vulnerability designed to persistently replicate and spread to infect programs and files, can begin causing damage in minutes. Sound familiar? According to the CDC, the virus that causes COVID-19 spreads very easily and sustainably, meaning it spreads from person to person without stopping. With COVID-19 top of mind and making headlines across the globe, CISOs should now take the time to make observations about viruses outside of the technology industry and see how they apply to cybersecurity strategies. So, what exactly can security teams learn from studying medical viruses to ensure the health of a business' systems and applications? Here are three key considerations. Read the full article here.

Published 2020-08-11:

Black Hat looked different this year as the security community gathered on the virtual stage, due to COVID-19 concerns. “Different” doesn’t necessarily carry a negative connotation: the shift not only addressed public safety concerns, but also enabled the security community to critically think about the way we do work in our digital-centric world, particularly at a time where we are increasingly reliant on technology to stay connected.

When scrolling through the countless briefings available, it was clear that politics and COVID-19 remain top-of-mind. So, let’s start with the biggest topic of the week: election security.

Takeaway #1: Securing the Vote Relies on Collaboration… and Testing

Matt Blaze, a Georgetown University security researcher, kicked off the conference with a keynote titled, Stress-Testing Democracy: Election Integrity During a Global Pandemic. In the past, the industry has had conversations about securing voting machines themselves, but this year, the discussions were centered on online and mail-in voting mechanisms and the hacking of the process. Matt shared, “our confidence in the [election] outcome increasingly depends on the mechanisms that we use to vote.” And this year, we are tasked with scaling up mail-in voting mechanisms.

Blaze looked at software as the core of the election security framework, noting that “software is generally hard to secure, even under the best circumstances.” Though we expect a majority of votes to be made via paper ballot, software will still be used in every facet of the election system, from pre-election (ballot definition, machine provisioning) to post-election (tallying results, reporting, audits, and recounts). So, what is the industry to do?

He suggested that election committees prepare for a wide range of scenarios and threats and work towards software independence, though most don’t have the appropriate budgets to do so – a problem all too familiar to the security industry. Because of this, he encouraged the IT community to volunteer their time and become more involved with their local election efforts, specifically, testing the software and machines for vulnerabilities. In a way, he opened the door for ethical hackers, like our team at NetSPI, to get involved. An encouraging call to action that proved realistic during Black Hat occurred when voting machine maker ES&S and cybersecurity firm Synack announced a program to vet ES&S’ electronic poll book and new technologies - a call for “election technology vendors to work with researchers in a more open fashion and recognize that security researchers at large can add a lot of value to the process of finding vulnerabilities that could be exploited by our adversaries,” according to WIRED.

Continuing the narrative of election security, the day-two keynote from Renee DiResta, research manager at the Stanford Internet Observatory, showed Black Hat attendees how to use information security to counter disinformation in mass media (social media, broadcast, online publications). She explained how influence campaigns can skew not only voting results, but also perceptions of companies and, on a larger scale, of entire countries and governments. She reiterated that disinformation is indeed a cybersecurity problem that CISOs can't ignore. In another humbling call to action for the security testing community, DiResta suggested, "we need to do more red teaming around social [media] and think of it as a system and [understand] how attacks can impact operations." Read more about the keynote on ThreatPost.

Takeaway #2: The Importance of Application Security Has Heightened in 2020

Let’s start with healthcare. Amid the current public health pandemic, healthcare systems continue to be a top target for adversaries due to the sensitive and confidential patient records they hold. During Black Hat, the security industry shined a light on some of the various areas of weakness that can be exploited by an attacker. A big one? Healthcare application security.

One conversation that stuck out to me was from the Dark Reading news desk: HealthScare: Prioritizing Medical AppSec Research. In the interview, Seth Fogie, information security director at Penn Medicine, explains why healthcare application vulnerabilities matter in the day-to-day business of providing patient care. He recommends that the security and healthcare communities should have a better line of communication around AppSec research and testing efforts. He would like to see more security professionals asking healthcare administrators which other applications, including third-party vendors, they can assess for vulnerabilities. I agree with his recommendation to raise awareness for application testing in healthcare security as it would add value to the assessments already in effect and ultimately the overall security posture for the organization.

Then there are web applications, such as virtual meeting and event platforms, that have seen a surge in popularity. In research released at Black Hat, researchers found critical flaws in Meetup.com that showcased common gaps in AppSec. They explained how two common AppSec flaws, cross-site scripting and request forgery (both tied to the platform's API), could have allowed threat actors to redirect payments and take other malicious actions. This is just one example showcased at Black Hat of the heightened AppSec risk amid COVID-19, as we continue to shift in-person activities to online platforms.

With NetSPI a Black Hat sponsor, my colleague Jake Reynolds and I hosted a 20-minute session on revamping application security (AppSec) programs: Extreme Makeover: AppSec Edition. During the session we explored the various options for testing (SAST, IAST, SCA, manual), the challenges that exist in current AppSec testing programs, and how to "renovate" an AppSec program to ultimately shorten time to remediation. Watch the session to learn how, through one centralized platform, you can remodel your AppSec program to achieve faster remediation, add context to each vulnerability, enable trend data and reporting to track and predict vulnerabilities over time, and reduce false positives.

Takeaway #3: Our Connected Infrastructure Is Vulnerable

As in years past, the Internet of Things (IoT) again took over Black Hat conversations. This year, the research around IoT vulnerabilities proved fascinating. Showcasing the potential impact of IoT infiltration was at the core of the research. Here are some examples:

  • Security researchers at the Sky-Go Team found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine.
  • Researchers with the Georgia Institute of Technology described how certain high-wattage Internet-connected devices such as smart air-conditioners and electric-vehicle (EV) chargers could be used to manipulate energy markets.
  • And perhaps the most interesting, and alarming: James Pavur, an academic researcher and doctoral candidate at Oxford University, used $300 worth of off-the-shelf equipment to hack satellite internet communications to eavesdrop and intercept signals across the globe.

All these examples highlight how much complexity goes into building systems today. As we continue to increase complexity and inter-connectivity, it becomes more challenging to properly protect these systems from being compromised. At NetSPI, we are constantly working with our clients to help them build well-rounded cyber security initiatives. It is well understood today that performing penetration testing only near the end of a product's lifecycle, just before going to production, is not adequate from a security perspective. It is important to understand the various business objectives and to implement proper security touchpoints throughout a product's lifecycle. Vulnerability detection tools have come a long way in the past decade or so. With significant advances in products like SAST, DAST, RASP, IAST, SCA, etc., integrating these tools into earlier phases of the SDLC has become a common approach for many organizations. The true challenge, however, is determining how to make security as frictionless as possible within the overall product development lifecycle. NetSPI works continually with clients to help them build and implement a strategy for their security program based on their business objectives and risk thresholds.

Takeaway #4: We’re Learning More About Securing the Remote Workforce

Lastly, many cloud, container, and remote connection-related sessions were held during the conference. Many of them highlighted the need to reinforce security practices pertaining to remote work, or telecommuting – not surprising, given the state of today’s workforce amid the pandemic.

Black Hat research from Orange Cyber Defense demonstrated that VPN technologies ordinarily used by businesses to facilitate remote access to their networks are “poorly understood, improperly configured and don't provide the full level of protection typically expected of them.” The researchers attribute the vulnerabilities to a common scenario where the remote worker is connected to Wi-Fi that is untrusted, insecure or compromised. Watch this video interview with the researchers via Security Weekly.

It's an ever-evolving issue that has warranted additional focus this year and the industry is continuing to learn best practices to achieve a secure remote connection. I would consider this topic a silver lining to the pandemic. It has forced the security industry to learn, better understand, and serve as counsel to organizational leaders on the security considerations that come with scaling up remote workers. A great starting place for remote connection security? Read my recent blog post: Keeping Your Organization Secure While Sending Your Employees to Work from Home.

While we certainly missed the face-to-face connections and networking opportunities, the virtual conference was an invaluable opportunity to hold urgent security conversations around election mechanisms, healthcare systems during the pandemic, application security, the growing remote workforce, and connected devices and infrastructures.

While these were my key takeaways, there were many more discussions that took place – and DefCon continues today with prerecorded presentations and live streamed Q&As and panels on Twitch. Want to explore more Black Hat 2020 news? Check out this Black Hat webpage. We hope to see you next year, hopefully in-person!

[Post: Black Hat 2020: Highlights from the Virtual Conference; Calls to Action for the Industry. https://www.netspi.com/?p=19612]

[Post published August 11, 2020. https://www.netspi.com/?p=19648]

On August 11, NetSPI Managing Director Nabil Hannan was featured in Security Boulevard: Offensive security measures like penetration testing can help enterprises discover the common vulnerabilities and exploitable weaknesses that could put them at risk of costly cybersecurity incidents. By pitting white hat hackers against an organization’s deployed infrastructure, organizations can gain a better understanding of the flaws they should fix first—namely the ones most likely to be targeted by an everyday criminal. However, over the years penetration testing services have evolved to be extremely automated and limited in scope. Armed with scanning tools and limited rules of engagement, pen testers tend to focus purely on the technical vulnerabilities within a given system, platform, or segment of the network. Pen tests are usually conducted over short durations of time and their resultant reports offer up recommendations on fixes that architects or developers can make to code and configuration. Read the full article here.

[Post: Security Boulevard: 12 Hot Takes on How Red Teaming Takes Pen Testing to the Next Level. https://www.netspi.com/?p=19648]

[Post published August 4, 2020. https://www.netspi.com/?p=19525]

Distributed Denial of Service (DDoS) attacks have gained celebrity status during COVID-19. In the first quarter of 2020, DDoS attacks in the U.S. rose more than 278% compared to Q1 2019 and more than 542% compared to Q4 2019, according to Nexusguard’s 2020 Threat Report. This increase in attacks is correlated with the increased dependency on remote internet access and online services as many organizations’ workforces continue to work from home amid COVID-19 concerns. With the dependency on remote internet access comes an increased need for Internet Service Providers (ISPs) to monitor and mitigate irregular activity on their networks before it results in server outages or loss of critical resources, data, or money. But ISPs aren’t the only ones that need to be proactive as DDoS attacks continue to rise – their customers will face the same problems if proactive security measures are not in place.

Learning from others: Amazon Web Services (AWS) successfully thwarted the largest DDoS attack ever recorded on its infrastructure, internet infrastructure firms Akamai and Cloudflare fended off record-breaking DDoS attacks in June, and online gaming platforms are being targeted as attackers figure out how to further monetize DDoS attacks (see: GGPoker). These recent attacks underscore how similar vulnerabilities and weaknesses can easily propagate across many organizations, since there’s a tendency to reuse the same technologies to support business functions, such as widespread use of open source code or network hardware. It’s also common for simple misconfiguration issues to result in breaches with significant business impact.

It’s important to understand that there are two common forms of DDoS attacks:

  1. Application layer attacks, where attackers overload a server by sending an overwhelming number of seemingly legitimate requests (an HTTP request flood, for example) that consume much of its processing capacity.
  2. Network layer attacks, where attackers overwhelm network bandwidth or connection-handling capacity (SYN floods and UDP amplification, for example) and deny service to legitimate network traffic.

The ultimate goal of both techniques is to overwhelm a particular business, service, web app, mobile app, etc. and keep them from being accessible to legitimate access requests from the intended users/customers. This is extremely challenging to manage since the attacks come from compromised machines or ‘bots’ in a very distributed fashion, which makes blocking those requests using simple filtering techniques unrealistic.

Many web application firewall vendors sell DDoS mitigation solutions, but that shouldn’t be the only control organizations rely on. Defense in depth, the practice of layering defensive controls so that a backup measure is in place when another control fails, is fundamental to any security program. Here are five techniques organizations can layer on to stop DDoS attacks:

  1. Penetration Testing – Although it’s difficult to properly simulate full-scale DDoS attacks during a penetration test, it’s important to do regular third-party testing that simulates real-world attacks against your infrastructure and applications. A proactive penetration testing approach will allow organizations to be prepared for when the time comes that they’re actually under attack. Tip: Implement Penetration Testing as a Service (PTaaS) to enable continuous, always-on vulnerability testing.
  2. Vulnerability Management and Patching – Ensure that all your systems have been properly updated to the latest version and any relevant security and/or performance patches have been applied. A proper patching and vulnerability management process will ensure this is happening within a reasonable timeframe and within acceptable risk thresholds for the business.
  3. Incident Response Planning – Build a team whose focus is responding quickly and appropriately. That team needs to be able to minimize the impact of the attack and trigger the processes that keep communication with customers and internal teams flowing effectively. More on incident response planning here.
  4. Traffic Anomaly Monitoring – Make sure there’s proper monitoring taking place across all network traffic to set off alerts if any abnormal behavior is detected from suspicious sources, especially if they are from geographies that don’t make normal business sense.
  5. Threat Intelligence and Social Media – Keep an eye on threat intel feeds and social media for any relevant information that may help predict attacks before they happen, allowing organizations to plan accordingly.
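
As an added example for the traffic anomaly monitoring step above (not code from the original post), here is a rate-based check over web server access-log lines. It flags any source whose request count in a fixed window exceeds a threshold, and also reports the peak aggregate rate, which is the signal that still moves when a flood is spread thinly across many bots that each stay under the per-source threshold. The log lines are constructed for the example, the addresses come from documentation ranges, and the window size and thresholds are arbitrary starting points to tune against your own baseline.

```python
"""Rate-based DDoS indicator over web server access logs.

Added example, not code from the original post. Parses lines in the common
Apache/Nginx access-log format, buckets requests into fixed time windows,
and reports (a) sources whose per-window request count exceeds a threshold
and (b) the peak aggregate rate, which still rises when a flood is spread
across many bots that each stay under the per-source threshold.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def bucket_requests(lines, window_seconds=10):
    """Map each window start (epoch seconds) to a Counter of requests per IP."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash mid-attack
        ip, ts, _path, _status = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start][ip] += 1
    return windows


def find_flooders(lines, window_seconds=10, per_ip_threshold=20):
    """Return {ip: peak requests in a single window} for IPs over the threshold."""
    peak = Counter()
    for counts in bucket_requests(lines, window_seconds).values():
        for ip, n in counts.items():
            peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > per_ip_threshold}


def peak_total_rate(lines, window_seconds=10):
    """Highest total request count seen in any single window, all sources combined."""
    windows = bucket_requests(lines, window_seconds)
    return max((sum(c.values()) for c in windows.values()), default=0)


def sample_log():
    """Constructed log lines: three normal clients and one flooding source."""
    fmt = '{ip} - - [04/Aug/2020:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=ip, sec=i, path="/index.html")
             for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"])]
    # 30 requests from one address inside a single 10-second window
    lines += [fmt.format(ip="203.0.113.7", sec=i % 10, path=f"/search?q={i}")
              for i in range(30)]
    lines.append("not a log line")  # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    log = sample_log()
    for ip, n in find_flooders(log).items():
        print(f"ALERT per-source flood: {ip} made {n} requests in one 10s window")
    print(f"peak aggregate rate: {peak_total_rate(log)} requests / 10s")
```

Run it against a real access log by replacing sample_log() with the file’s lines. Per-source thresholds catch a single noisy client; the aggregate rate compared against a normal-hours baseline is what catches a distributed flood, which is why both are reported.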

DDoS is just one of many cyberattack methods that have increased due to COVID-19 remote working dependency. As networks continue to expand, we are opening new entry points to attackers to secure footholds and cause critical damage – pointing to the need for continuous evaluation of security strategies.

My overarching advice? Go beyond baseline security measures such as a firewall and implement a proactive security strategy: identify and remediate vulnerabilities, monitor network activity, plan for a breach (they are increasingly a matter of when, not if), and connect with the security community to stay on top of the latest threat intel.

[Post: The Rise of DDoS Attacks and How to Stop Them. https://www.netspi.com/?p=19525]

[Post published July 21, 2020. https://www.netspi.com/?p=19329]

In a recent episode of Agent of Influence, I talked with Mike Rothman, President of DisruptOps. Mike is a 25-year security veteran, specializing in the sexy aspects of security, such as protecting networks, protecting endpoints, security management, compliance, and helping clients navigate a secure evolution in their path to full cloud adoption. In addition to his role at DisruptOps, Mike is Analyst & President of Securosis. I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.

The Evolving Perception of the Cyber Security Industry

Mike shared the evolution of the cyber security industry from his mom’s perspective – twenty years ago, his mom had no idea what he did – “something with computers.” Today, though, as cyber security and data breaches have made headline news, he can point to that as being what he does – helping companies prevent similar breaches.

Cyber security has become much more visible and has entered the common vernacular. A lot of people used to complain that nobody takes the industry seriously, nobody cares about what we're doing, and they marginalize everything that we're talking about. But that has really flipped, because now nobody's marginalizing anything about security. We have to show up in front of the board and talk about why we're not keeping pace with the attackers and why we're not protecting customer data to the degree that we need to. Security has become extremely visible in recent years.

To show this evolution of the industry, Mike noted he’s been to 23 of the last 24 RSA conferences. When he first started going, the show was held in a hotel on top of Nob Hill in San Francisco with about 500 people in attendance, most of them very technical. Now the conference has become a huge staple of the industry with 35,000-40,000 people attending each year. (Read our key takeaways from this year’s RSA Conference.)

As many guests on the Agent of Influence podcast have noted, the security industry is always evolving; there's always a new challenge or a new type of methodology that’s being adopted. However, at the same time, there are also a lot of parallels of things that don’t change. For example, a lot of the new vulnerabilities being identified today are ultimately still the same type of vulnerabilities we've been finding for the longest time – there are still injection attacks, they just might be a different type of injection attack. I personally enjoy looking at things that are recurring and are the same, but just look and feel different in the security space, which makes it interesting.

What Does Cloud Security Really Mean?

Mike started to specialize in cloud security because he says he just got lucky. A friend of his, Jim Reavis, founded the Cloud Security Alliance and wanted to offer a certification in cloud security, but he had no way to train people so they could obtain it. Jim approached Mike and Rich Mogull to see if they could build the training curriculum for him. As Mike and Rich considered the offer, they realized they A) knew nothing about cloud and B) knew nothing about training!

That was 10 years ago, and as they say… the rest is history. Mike and Rich have been teaching cloud security for the past 10 years, including at the Black Hat Conference for the past five years and advising large customers about how to move their traditional data center operations into the cloud while protecting customer data and taking advantage of a number of the unique characteristics of the cloud. They’ve also founded a company called DisruptOps, which originated from research Mike did with Securosis that they spun out into a separate company to do cloud security automation and cloud security operations.

As Mike says, 10 years ago, nobody really knew what the cloud was, but over time, people started to realize that with the cloud, you get a lot more agility and a lot more flexibility in terms of how you can provision, and both scale up and contract your infrastructure, giving you the ability to do things that you could never do in your own data center. But as with most things that have tremendous upside, there's also a downside. When you start to program your infrastructure, you end up having a lot of application code that's representative of your infrastructure, and as we all know – defects happen.

One of the core essential characteristics of the cloud is broad network access, which means you need to be able to access these resources from wherever you are. But, if you screw up an access control policy, everybody can get to your resources, and that's how a lot of cloud breaches happen today – somebody screws up an access control policy to a storage bucket that is somewhere within a cloud provider.
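
The storage-bucket mistake described above, as an added example (not code from the podcast, DisruptOps, or Securosis): two constructed policy documents in AWS S3 bucket-policy syntax, one that hands read access to the entire internet and one that scopes the same action to a single IAM role, plus a small check that flags the public one. The bucket name, account ID, and role name are placeholders. Note that a Deny statement with Principal "*" (a common guardrail such as rejecting plaintext transport) is deliberately not treated as a finding, and a "*" principal narrowed by a Condition is set aside for manual review rather than auto-flagged.

```python
"""Flagging a storage bucket policy that grants access to everyone.

Added example, not code from the podcast, DisruptOps, or Securosis. The two
policy documents are constructed in AWS S3 bucket-policy syntax; the bucket
name, account ID, and role name are placeholders.
"""
import json

# Weak: Effect Allow + Principal "*" + no Condition means any unauthenticated
# client on the internet may read every object in the bucket.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
}

# Corrected: the same action, but only for one IAM role in the owning account.
# The Deny with "*" rejects plaintext transport and is a guardrail, not a hole.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-data/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-customer-data",
                         "arn:aws:s3:::example-customer-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) to strings."""
    if isinstance(principal, str):
        return [principal]
    found = []
    for value in principal.values():
        found.extend(value if isinstance(value, list) else [value])
    return found


def public_statements(policy):
    """Classify Allow statements open to any principal.

    Accepts the policy as a dict or a JSON string. Returns {"public": [...],
    "review": [...]} holding statement Sids (or positions): "public" is
    Allow + Principal "*" with no Condition; "review" is the same grant under a
    Condition (e.g. aws:SourceVpce or aws:PrincipalOrgID), which may or may
    not be public depending on what the condition actually restricts.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    public, review = [], []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue  # Deny-to-everyone is a guardrail, not a finding
        if "*" not in _principals(st.get("Principal", {})):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        (review if st.get("Condition") else public).append(sid)
    return {"public": public, "review": review}


if __name__ == "__main__":
    for name, doc in (("PUBLIC_POLICY", PUBLIC_POLICY),
                      ("RESTRICTED_POLICY", RESTRICTED_POLICY)):
        print(name, public_statements(json.dumps(doc)))
```

This is the kind of check that belongs in the pipeline that applies policies, not in a quarterly review; in AWS specifically, the account-level S3 Block Public Access setting rejects a policy like PUBLIC_POLICY at write time, which is the "default deny" posture the next section argues for.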

Video: https://youtu.be/yOwxk8YajoE

Data Security and the Cloud

DisruptOps’ aim is to get cyber security leaders and organizations to think about how they can start using architecture as the security control going forward. By that, Mike means you can build an application stack that totally isolates your data layer from your compute layer and from your presentation layer.

These are things you can't do in your data center because of lateral movement. Once you compromise one thing in the data center, in a lot of cases, you've compromised everything in the data center. However, in the cloud, if you do the right thing from an isolation standpoint and an account boundary standpoint, you don't have those same issues.

Mike encourages people to think more expansively about what things like a programmable infrastructure, isolation by definition, and default deny on all of your access policies for things that you put into the cloud would allow you to do. A lot of these constructs are kind of foreign to people who grew up in data center land. You really must think differently if you want to set things up optimally for the cloud, as opposed to just retrofitting what you’ve been doing for many years to fit the cloud.

Driving Forces Behind Moving from Traditional Data Centers to the Cloud

  1. Speed – Back in the day, it would take three to four weeks to get a new server ordered, shipped, set up in the rack, installed with an operating system, etc. Today, with an AWS free tier account, you can have a new server running almost any operating system in one minute. So, in one minute, you have unbounded compute, unbounded storage, and could set up a Class B IP network with one API call. This is just not possible in the data center. So there's obviously a huge speed aspect to being able to do and provision new things in the cloud quickly.
  2. Cost – Depending on how you do it, you can actually save a lot of money because you're not using the resources that you had to build out in order to satisfy your peak usage; you can just expand your infrastructure as you need to and contract it when you're not using those resources. If you're able to auto scale and scale up and scale down and you build things using microservices and a lot of platform services that you don't have to build and run all the time in your environment, you can really build a much more cost effective environment in order to run a lot of your technology operations.
    However, Mike said, if you do it wrong, which is taking stuff you already paid for and depreciated in your data center and move it into the cloud, that becomes a fiasco. If you're not ready to move to the cloud, you end up paying by the minute for resources that you've already paid for and depreciated.
  3. Agility – If you have an attack in one of your technology stacks, you just move it out, quarantine it, build a new one, and move your sessions over there. Unless you want to have totally replicable data centers, you can't do this in a data center.

There are a lot of architectural, agility, cost, global capabilities, elasticity to scale up and down, and other reasons to take advantage of the capabilities of the cloud.

Resources to Get Started in the Cloud

Mike recommended the below resources and tools for people looking to learn more about the cloud:

  1. Read The Phoenix Project by Gene Kim, which Mike considers the manifesto of DevOps. Regardless of whether your organization is in the cloud or moving to the cloud, we're undergoing a cultural transformation on the part of IT that looks a lot like DevOps. Some organizations will embrace the cloud in some ways, and other organizations will embrace it in others. The Phoenix Project will give you an idea in the form of a parable about what is possible. For example, what is a broken environment and how can you embrace some of these concepts and fix your environment? This gives you context for where things are going and what the optimal state looks like over time.
  2. Go to aws.amazon.com and sign up for an account in their free tier for a year and start playing around with it by setting up servers and networks, peering between things, sending data, accessing things via the API, logging into the console, and doing things like setting up identity access management policies on those resources. Playing around like this will allow you to get a feel for the granularity of what you can do in the cloud and how it's different from how you manage your on-prem resources. Without having a basic understanding of how the most fundamental things work in the cloud, moving to the cloud will be really challenging. It is hard to understand how you need to change your security practice to embrace the cloud when you don't know what the cloud is.
  3. Mike also plugged their basic cloud training courses which give both hands on capabilities, as well as background to be able to pass the Certificate of Cloud Security Knowledge certification. You’ll be able to both talk the language of cloud and play around with Cloud.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

[Post: Cloud Security: What is it Really, Driving Forces Behind the Transition, and How to Get Started. https://www.netspi.com/?p=19329]

[Post published July 9, 2020. https://www.netspi.com/?p=19262]

On July 9, 2020, NetSPI Managing Director Nabil Hannan was featured in Dark Reading. Google "pen testing return on investment (ROI)" and you will find a lot of repetitive advice on how to best communicate the value of a pen-testing engagement. Evaluate the costs of noncompliance penalties, measure the impact of a breach against the cost of a pentest engagement, reduce time to remediation, to name a few. While all of these measurements are important, pen testing provides value beyond compliance and breach prevention, even through a financial lens. Let's explore the critical steps to successfully define and communicate ROI for security testing. Read the full article here.

[Post: Dark Reading: Pen Testing ROI: How to Communicate the Value of Security Testing. https://www.netspi.com/?p=19262]

[Post published June 23, 2020. https://www.netspi.com/?p=19208]

I was recently a guest on the CU 2.0 podcast, where I talked with host, Robert McGarvey about enabling a remote workforce while staying secure during the COVID-19 pandemic and how the pandemic has actually inspired digital transformation in some organizations.

I wanted to share some highlights in a blog post, but you can also listen to the full interview here.

Security Implications of Decisions Made to Enable a Remote Workforce

In spring 2020, when the COVID-19 pandemic first started, a lot of organizations weren't quite ready to enable their employees to work from home. It became a race to get people to be functional while working remote, and security was an afterthought – if that. During this process, a lot of companies started to realize they had limitations in terms of how much VPN licensing they had or that they had a lot of employees who were required to work in the office so didn’t have laptops they could take home.

For many companies, when they started working remote in early spring, they thought it would be for a relatively short time. As such, many are just now starting to realize they haven't truly assessed the risk they're exposing themselves to. Only now, two to three months later, are many starting to focus their efforts on understanding the security implications of the decisions they made this past spring to enable a remote workforce.

For example, companies have limited licenses for virtual desktops, virtual images, or even operating systems and the versions they use. To quickly get employees access to their work systems and assets from home, a lot of companies ended up re-enabling operating systems they had previously retired, including Windows XP, Windows 7, and Windows 8 machines they had stopped using. The challenge is that out-of-support operating systems no longer receive security patches for newly discovered issues, so known vulnerabilities in them remain exploitable. Many companies made these decisions from a business perspective, but are now asking what type of security risk they’ve exposed themselves to.

It’s important to understand the basic principles of security, and make sure you're thinking through those as you enable your workforce to be more effective while working from home. Organizations have to strike the balance between their business objectives, the function they’re trying to accomplish, and the security risks they’re exposing themselves to.

There’s also a lack of education around remote access technologies. For example, when you’re working from home, you should stay connected to your organization’s VPN whenever you’re doing work-related activities, so that your traffic is encrypted between your machine and the corporate VPN gateway and can’t be intercepted or read by anyone on your home network or in between. Keep in mind what the tunnel does and doesn’t cover: it protects only that leg of the path, so once traffic leaves the gateway it is only as protected as the application’s own TLS, and a split-tunnel configuration sends non-corporate traffic outside the VPN entirely.

It’s critical to use the right technologies correctly and enable things like multi-factor authentication. With multi-factor authentication, if a hacker has your password, at least they don't have that second factor that comes to you via email, text message, phone call, or an authenticator application.

I strongly believe that today we must have multi-factor authentication enabled on everything. It’s almost negligent of an organization not to enable multi-factor authentication, given how often passwords are exposed through database breaches that leak employees’ or clients’ usernames and passwords.

The Weakest Link in Today’s Technology Ecosystem: People

The weakest link in today's technology ecosystem is the human element.

As soon as the COVID-19 pandemic started, we noticed there was a significant increase in phishing emails and scams that attackers started deploying and that they were very specifically geared towards the COVID-19 pandemic itself. Some examples include:

  • Emails pretending to be from your doctor's office with attachments that have certain steps that you need to take to prevent yourself from getting the virus or supporting your immune system.
  • Emails supposedly from your business partners with FAQ attachments containing details around what they were doing to protect their business from a business continuity perspective during the pandemic.
  • Emails from fake employees claiming they had contracted the virus and the attachment contained lists of people they had come in contact with.
  • Emails pretending to be from HR, letting people know that their employment had been terminated, and they needed to click on a link to claim their severance check.

Spam filters only catch a technique once they have seen it. These phishing emails used COVID-19 themes the filters hadn’t seen before, so they weren’t being caught, and many people fell victim to them. Once that happens, you’re exposed to ransomware: one employee downloads a malware-laden file onto their machine, and from there it can propagate across your whole network to other connected machines. Like the real virus, it can spread very fast and hide its symptoms until a particular time or event triggers the payload.

There are a lot of similarities between a medical virus and a computer virus, but the biggest difference in the digital world is that the spreading of the virus can happen exponentially faster, because everything moves faster on the internet.

COVID-19: Inspiring Digital Transformation

I believe there needs to be an increased focus on education around the importance of cyber security going beyond the typical targeted groups. Everyone within an organization is responsible for cyber security – and getting that broad understanding and education to all employees is key.

We’re seeing a lot of transformation today in how we work, and the norm is going to change given this situation. As such, there needs to be increased awareness around security across the board. People have to be the first line of defense, making good and sensible decisions before they take any specific action online. A lot of very simple hygiene-related practices are missing today and need to be done better – and people just need better education around them.

Additionally, I believe organizations are going to take steps to make sure that they're doing things like enabling multi-factor authentication for their employees to connect remotely and making sure that VPN access is required for you to work on your machine if you’re remote.

Cloud-based software is also going to be key and in fact, I can't imagine organizations being very successful at sending people to work from home if they weren't leveraging the cloud to quickly scale their ability to serve their employees and their customers in a different format.

In many ways, COVID-19 has inspired a lot of transformation and innovation in how we approach the work culture. People are also becoming more aware of what actions they're taking online and thinking about security implications of the actions that they're taking.

[Post: COVID-19: Evaluating Security Implications of the Decisions Made to Enable a Remote Workforce. https://www.netspi.com/?p=19208]

[Post published June 16, 2020. https://www.netspi.com/?p=19198]

On June 16, 2020, NetSPI Managing Director Nabil Hannan was featured in TechTarget. What do NVIDIA's Jensen Huang, Salesforce's Marc Benioff and Microsoft's Satya Nadella have in common? They were all deemed the greatest business leaders of 2019, according to Harvard Business Review's "The CEO 100" list. But another commonality they share is that each has had mentors to help guide them through their careers in technology and get them to where they are today. Mentorship is critical in every industry but given the immense opportunity for career growth in the cybersecurity industry today, having the right guidance is a must. The industry faces many challenges from a staffing perspective -- from the skills shortage to employee burnout -- making the role of a mentor that much more important as others navigate these challenges.

While mentorship is often considered subjective, there are a few best practices to follow to ensure you're establishing a solid foundation in the mutually beneficial relationship, not only to help new talent navigate the industry, but also to help strengthen the industry as a whole. First, let's explore what to look for when hiring new cybersecurity talent. Read the full article here.

[Post: TechTarget: Invest in new security talent with cybersecurity mentorships. https://www.netspi.com/?p=19198]

[Post published June 16, 2020. https://www.netspi.com/?p=19184]

Common Myths Around Application Security Programs

In order for an organization to have a successful Application Security Program, there needs to be a centralized governing Application Security team that’s responsible for Application Security efforts. In practice, we hear many reasons why organizations struggle with application security; here are four of the most common myths that need to be dispelled:

1. An Application Security Team is Optional

Just like everything else, Application Security needs dedicated effort and assigned responsibility in order for an Application Security Program to be successful. In our experience, every successful Application Security Program we have seen has a dedicated Application Security team focused on managing Application Security efforts based on the organization’s business needs.

2. My Organization is Too Small to Have an Application Security Team

Being a small organization is no excuse to avoid Application Security activities. Application security cannot be an afterthought or something that’s bolted on when needed. It needs to be an inherent property of your software, and having focus and responsibility for Application Security in the organization will help prevent and remediate security vulnerabilities.

3. I Cannot Have an Application Security Team Because We Are a DevOps/Agile/Special Snowflake Shop

Just because your business or your development processes are different from others doesn’t mean that you don’t have a need for Application Security, nor does it mean that you cannot adopt certain application security practices. There are many opportunities in any type of SDLC to inject application security touchpoints so that business objectives and development efforts are not hindered by security, but rather are enhanced by security practices.

4. An Application Security Team will Hinder Our Ability to Deliver/Conduct Business

In our experience, more secure applications are typically better in every respect – performance, quality, scalability, etc. Application Security activities, if adopted correctly, will not hinder your organization’s or team’s ability to conduct business, but will in fact provide a competitive advantage within your business vertical.

Why Do You Need an Application Security Program?

Defect Discovery – Organizations typically start their application security journey in defect discovery efforts. The two most common discovery techniques used are Penetration Testing and Secure Code Review to get started discovering security vulnerabilities and remediating them appropriately.

Defect Prevention – An Application Security Program’s goal is not only to help proactively identify and remediate security issues, but also to prevent security issues from being introduced in the first place.

Understanding Risk – In order to identify an organization’s risk posture, it’s necessary to identify what defects exist, and then determine the likelihood of these defects being exploited and the resulting business impact from successful exploitation. Organizations need to understand how the defects identified actually work and determine what components of the organization and business are affected by the identified defects.

Getting Started with Defect Discovery

There are many different defect discovery techniques, and each has its own set of strengths, weaknesses, and limitations in what it can identify. Certain techniques are also prone to higher false positive rates than others. There are also factors such as the speed at which a technique can be implemented and how quickly its results can be made available to the appropriate stakeholders, which need to be considered when adopting a particular defect discovery technique in an organization. Ultimately, all of the techniques overlap to some degree in the types of defects they can identify, and they complement each other.

Discovery Technique #1 - Penetration Testing

Penetration Testing is the most popular defect discovery technique used by organizations and is a great way to get started if your organization has not focused on Application Security in the past. Pentesting allows an organization to get a baseline of the types of vulnerabilities that its applications are most likely to contain. There’s a plethora of published material on known attacks that work, so it’s easy to determine what to try. The type of penetration testing varies significantly based on the attributes of the system being tested (web application, thick client, mobile application, embedded application, etc.).

Execution Methods

Technology/Tool Driven
  • Multiple commercial and open source tools available
  • DAST tools are widely available while IAST tools are maturing and gaining adoption
  • Cost, tool capability, customizability, deployment options, features, etc. are factors to consider
Outsourced Manual Penetration Testing (Third-Party Vendor)
  • Many options available
  • NetSPI provides a wide range of Penetration Testing services at varying levels of depth
  • Available on-demand and easy to scale
  • Driving factors to consider – cost, scalability, quality, scheduling logistics, trust, delivery model maturity, etc.
In-House Manual Penetration Testing
  • Hard to find good talent
  • Harder to retain good talent long-term
  • Impossible to scale

Discovery Technique #2 - Secure Code Review

Secure Code Review is often mistaken for the Code Review that development teams typically perform as part of a peer review process. Secure Code Review is an activity where source code is reviewed in an effort to identify security defects that may be exploitable. There are plenty of checklists of common patterns to look for or coding practices to avoid (hardcoded passwords, usage of dangerous APIs, buffer overflows, etc.). Various development frameworks also publish readily available secure coding guidelines. Some organizations with more mature Secure Code Review practices have implemented secure-by-design frameworks or adopted hardened libraries, so that developers avoid common security defects by being required to use the organization’s pre-approved frameworks and libraries in their development efforts.

Execution Methods

Technology/Tool Driven
  • Multiple commercial and open source SAST tools available
  • Cost, tool capability, customizability, false positive rates, deployment options, features, etc. are factors to consider
  • Triaging scan results can be costly and time consuming given the nature of SAST scanning and the high false positive rates
Outsourced Manual Secure Code Review (Third-Party Vendor)
  • Many options available
  • NetSPI provides a wide range of Secure Code Review services at varying levels of depth
  • Available on-demand and easy to scale
  • Driving factors to consider – cost, scalability, quality, scheduling logistics, trust, delivery model maturity, etc.
In-House Manual Secure Code Review
  • Hard to find good talent
  • Harder to retain good talent long-term
  • Impossible to scale
  • Inconsistent results – even if it's the same person on a different day
  • Checklists help, but results vary significantly based on the reviewer's capabilities
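To make the checklist idea above concrete, and to show where the false positives that make SAST triage costly come from, here is an added Python example (not NetSPI’s tooling, nor code from the original post). It implements two checklist items, hardcoded secrets and dangerous API usage, against a constructed sample file, once as a grep-style line scan and once as a syntax-aware scan over the parsed source, and reports which grep hits a reviewer would have to clear by hand. The rule set, the `Finding` type, the `SAMPLE_SOURCE` file and the dangerous-API list are all assumptions made for illustration.

```python
"""Checklist-driven secure code review helper (added example, not NetSPI code).

Two checklist rules are implemented over Python source:
  * hardcoded-secret: a secret-looking variable assigned a string literal
  * dangerous-api:    a call on the checklist, or subprocess with shell=True
A grep-style scan is included for comparison, to show why triage of
pattern-only results is expensive. The rule set and the sample file are
constructed for this illustration.
"""
import ast
import re
from dataclasses import dataclass
from typing import List, Optional

# Variable names that suggest a secret when they hold a string literal (assumed list).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|api_?key|token", re.IGNORECASE)

# Dangerous APIs from a typical checklist, keyed by dotted call name (assumed list).
DANGEROUS_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "os.system": "shell command injection",
    "pickle.loads": "deserialization of untrusted data",
    "yaml.load": "unsafe YAML deserialization",
}
SUBPROCESS_CALLS = {"subprocess.run", "subprocess.call", "subprocess.Popen"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _is_string_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def review_source(source: str) -> List[Finding]:
    """Syntax-aware review: flags the checklist patterns only where they actually occur."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_string_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append(Finding("hardcoded-secret", node.lineno, target.id))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-api", node.lineno, f"{name}: {DANGEROUS_CALLS[name]}"))
            elif name in SUBPROCESS_CALLS:
                for kw in node.keywords:
                    if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                        findings.append(Finding("dangerous-api", node.lineno, f"{name}(shell=True): shell command injection"))
    return sorted(findings, key=lambda f: f.line)


def naive_grep(source: str) -> List[int]:
    """Grep-style scan: every line that mentions a secret word or a dangerous name."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if SECRET_NAME.search(line) or any(name in line for name in DANGEROUS_CALLS)
    ]


def triage(source: str) -> dict:
    """Compare both scans; lines only grep reports are the false positives a reviewer must clear."""
    confirmed = {f.line for f in review_source(source)}
    grep_hits = set(naive_grep(source))
    return {
        "confirmed": sorted(confirmed),
        "grep_false_positives": sorted(grep_hits - confirmed),
        "grep_missed": sorted(confirmed - grep_hits),
    }


# Constructed sample file under review (line numbers in the comments).
SAMPLE_SOURCE = """\
import os
import subprocess

DB_PASSWORD = "hunter2"                    # 4: literal secret
password = os.environ.get("DB_PASSWORD")   # 5: read from the environment
# 6: remember to rotate the password        (just a comment)

def run(cmd):
    os.system(cmd)                         # 9: dangerous API
    subprocess.run(cmd, shell=True)        # 10: shell=True
    subprocess.run(["ls", "-l"])           # 11: argv list, no shell

def evaluate(expr):
    return eval(expr)                      # 14: dangerous API
"""

if __name__ == "__main__":
    for f in review_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} ({f.detail})")
    print(triage(SAMPLE_SOURCE))
```

Run against the sample, the syntax-aware scan confirms lines 4, 9, 10 and 14, while the grep scan additionally reports lines 5, 6 and 13 (an environment lookup, a comment and the word `eval` inside `evaluate`) and misses the `shell=True` call on line 10 entirely. Those three extra hits are the triage cost the text refers to, and the miss is why checklists alone give inconsistent results.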

Defect Discovery is Just the Beginning

It’s important to remember that defect discovery is more than just the two techniques discussed here, and that defect discovery itself is only one part of your Application Security Program. In addition to defect discovery, you need to consider the following (and much more):

  • What does it mean for your organization to have a Secure SDLC from a governance perspective?
  • How are you going to create awareness and outreach for your SDLC to ensure the appropriate stakeholders know what their roles and responsibilities are towards application security?
  • What key processes and technology do you need to put in place to ensure everyone is capable of performing the application security activity that they’re responsible for?
  • How are you going to manage software that’s developed (and/or managed) by a third party (augmenting vendor management to reduce risk)?

Application Security Governance and Strategy

Application security governance is a blueprint composed of standards and policies layered on processes, which an organization can leverage in its decision-making throughout its application security journey.

Organizations have started adopting a Secure SDLC (S-SDLC) process as part of their software development efforts, and this tends to vary greatly between organizations. Ultimately, the focus of the S-SDLC is to ensure that vulnerabilities are detected and remediated (or prevented) as early as possible.

Many organizations unfortunately have not defined their application security governance model and, as a result, lack a proper S-SDLC. Without the proper processes in place, it’s challenging, if not impossible, to have oversight of the application security risks posed to all the applications in an organization’s application inventory.

Ultimately, we’ve observed that regardless of where the governance function is implemented (software engineering, centralized application security team, or somewhere else), there needs to be dedicated focus on application security to get started on the journey to reducing risk faced from an application security perspective.

The Trifecta of People, Process and Technology

1. Application Security Team (People)

Organizations need to assign responsibility for application security. In order to do this, it’s important to establish an application security team that is a dedicated group of people who are focused on making constant improvements to an organization’s overall application security posture and as a result, protect against any potential attacks. Organizations that have a dedicated application security team are known to have a better application security posture overall.

2. Secure SDLC/Governance (Process)

Clear definition of standards, policies, and business processes is key to a successful application security strategy. The S-SDLC ensures that applications aren’t created with vulnerabilities or risk areas that are unacceptable to the organization’s business objectives.

3. Application Security Tools (Technology)

There’s a plethora of open source and commercial technologies available today that all leverage different defect discovery techniques to identify vulnerabilities in applications. DAST, SAST, IAST, SCA, and RASP are some of the more common types of technologies available today. Based on the business goals, objectives, and the software development culture, the appropriate tool (or combination of tools) needs to be implemented to automate and expedite detection of vulnerabilities as accurately and early as possible in the SDLC.

Taking a Strategic Approach to Application Security

In order to grow and improve, organizations need to have an objective way to measure their current state, and then work on defining a path forward. Leveraging the appropriate application security framework to benchmark the current state of the application security program allows organizations to use real data and drive their application security efforts more strategically towards realistic application security goals.

Standard frameworks also allow for re-measurements over time to objectively measure progress of the application security program and determine how effective the time, effort, and budget being put towards the application security program are.

As the application security capabilities mature, so does the amount and quality of data that is at the organization’s disposal. It’s important to ensure that the data collection is automated and proper application security metrics are captured to determine the effectiveness of different application security efforts, and also measure progress while being able to intelligently answer the appropriate questions from executive leadership and board members.

NetSPI’s Strategic Advisory Services

NetSPI offers a range of Strategic Advisory Services to help organizations in their application security journey.

Regardless of where you are in your application security goals and aspirations, NetSPI provides:

  • Application Security Benchmarking – Measure the current state of your application security program and understand how your organization compares to other similar organizations within the same business vertical.
  • Application Security Roadmap – Understand the organization’s application security goals and build a realistic roadmap with key timely milestones.
  • Application Security Metrics – Based on the organization’s application security program, understand what data is available for collection and automation, allowing for definition of metrics that allow the application security team to answer the appropriate questions to help drive their application security efforts.
[post_title] => Getting Started on Your Application Security Journey [post_excerpt] => In order for an organization to have a successful Application Security Program, there needs to be a centralized governing team that’s responsible for all efforts. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => getting-started-on-your-application-security-journey [to_ping] => [pinged] => [post_modified] => 2021-04-14 06:41:41 [post_modified_gmt] => 2021-04-14 06:41:41 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=19184 [menu_order] => 120 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [36] => WP_Post Object ( [ID] => 19230 [post_author] => 2 [post_date] => 2020-06-02 13:49:41 [post_date_gmt] => 2020-06-02 13:49:41 [post_content] => Your employees were probably working from home more and more anyway, but the COVID-19 situation has taken work from home to a whole new level for many companies. Have you really considered all the security implications of moving to a remote workforce model? Chances are you and others are more focused on just making sure people can work effectively and are less focused on security. But at times of crisis – hackers are known to increase their efforts to take advantage of any weak links they can find in an organization’s infrastructure. Host-based security represents a large surface of attack that continues to grow as employees become increasingly mobile and work from home more often. Join our webinar to make sure your vulnerability management program is covering the right bases to help mitigate some of the implicit risks associated with a remote workforce. 
[post_title] => Host-Based Security: Staying Secure While Your Employees Work from Home [post_excerpt] => Watch this on-demand webinar to make sure your vulnerability management program is covering the right bases to help mitigate some of the implicit risks associated with a remote workforce. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => host-based-security-staying-secure-while-your-employees-work-from-home-2 [to_ping] => [pinged] => [post_modified] => 2021-06-02 08:55:51 [post_modified_gmt] => 2021-06-02 08:55:51 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=19230 [menu_order] => 31 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [37] => WP_Post Object ( [ID] => 19027 [post_author] => 65 [post_date] => 2020-06-02 07:00:12 [post_date_gmt] => 2020-06-02 07:00:12 [post_content] =>

Online Shopping Behavior and E-Commerce Transformation

By this point it’s clear that organizations and individuals alike have had to make changes and adapt their day-to-day activities to the weeks of lock-down everyone has faced due to the Coronavirus.

All of a sudden, there’s a surge of people using mobile applications and online payments to order food, medicine, groceries, and other essential items through delivery. Due to social distancing requirements that are in place, the interactions between retailers and consumers have shifted drastically. We all know that people are heavily dependent on their mobile devices, even more so today than ever before. New studies show that “72.1% of consumers use mobile devices to help do their shopping” and there’s been a “34.9% increase year over year in share of consumers reporting online retail purchases.”

Businesses have been drastically impacted during the pandemic, and they’re also adapting to conduct business online more than ever before. As part of these efforts, there’s been an increase in online credit card payments, which are preferred because they’re contact-less compared to cash transactions (which carry a higher likelihood of spreading the Coronavirus through touch).

Given the increased use of online credit card payments, organizations need to ensure that they’re compliant with the Payment Card Industry Data Security Standard, referred to as PCI DSS. The current version of PCI DSS is 3.2.1, released in May 2018.

The Spirit of PCI DSS

PCI DSS is the global data security standard that all payment card brands have adopted for anyone processing payments using credit cards. As stated on the PCI Security Standards Council’s website, “the mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.”

Payment card data is highly sensitive, and if cardholder data is stolen or compromised, dealing with that compromise is a major undertaking. Attackers are constantly scanning the internet to find weaknesses in systems that store and process credit card information.

One well-known credit card breach occurred in late 2013, when a major retailer was compromised. This attack brought to the foreground the importance of properly segregating systems that process credit card payments from other systems that may be on the same network.

PCI DSS aims to ensure that any entity storing or processing credit card information meets a minimum bar when it comes to protecting and segregating that information.

I am not going to go into detail about each and every PCI DSS requirement, but will instead focus this post on how we at NetSPI help our clients with their journey towards PCI compliance.

NetSPI’s Role in Our Clients’ PCI Compliance Journey

First of all, it’s important to note that at the moment, NetSPI has made the business decision not to be a PCI “Approved Scanning Vendor” (ASV) or a PCI “Qualified Security Assessor” (QSA). You can find the PCI definitions for these in the PCI Glossary. Given NetSPI’s business objectives, our focus is on deep-dive, high-quality technical offerings rather than the audit focus required to be an ASV or a QSA.

That being said, we are extremely familiar with PCI DSS requirements and work with some of the largest banks and financial institutions to enable them to become PCI compliant (and meet other regulatory pressures) by helping them in their efforts to develop and maintain secure systems and applications, and regularly testing their security systems and processes.

Below, we go deeper into some of the specific PCI requirements that we work closely with our customers on, and describe the service offerings that are leveraged to satisfy them. In almost all cases, NetSPI’s service offerings go above and beyond the minimum PCI requirements in terms of technical depth, scope, and thoroughness.

PCI Requirements and Services Mapping

At a high level, PCI DSS version 3.2.1 breaks the Security Standard down into the requirements shown below; each requirement is followed by the NetSPI offerings clients leverage to satisfy it.

PCI DSS Requirement 6.3

Incorporate information security throughout the software-development lifecycle.

NetSPI Offerings Leveraged by Clients

NetSPI is an industry-recognized leader in providing high quality penetration testing offerings. NetSPI’s offerings around Web Application, Mobile, and Thick Client Penetration Testing services are leveraged by clients to not only satisfy PCI DSS Requirement 6.3, but also go beyond the PCI requirements as elaborated on in their requirement 6.5.

PCI DSS Requirement 6.5

Verify that processes are in place to protect applications from, at a minimum, the following vulnerabilities:

  • Injection Flaws
  • Buffer Overflows
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Improper Error Handling
  • Cross-site Scripting
  • Cross-site Request Forgery
  • Broken Authentication and Session Management

NetSPI Offerings Leveraged by Clients

NetSPI’s Web Application, Mobile, and Thick Client Penetration Testing services go above and beyond looking for the vulnerabilities listed above. The list in this particular requirement is heavily driven by the OWASP Top Ten. NetSPI’s Application Security service offerings cover the OWASP Top Ten at a minimum, and typically go well beyond it.

PCI DSS Requirement 6.6

For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
  • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web application firewall) in front of public-facing web applications, to continually check all traffic.

NetSPI Offerings Leveraged by Clients

NetSPI’s Web Application Penetration Testing offerings are highly sought after by our clients. In particular, at NetSPI we work closely with seven of the top 10 banks in the U.S., and are actively delivering various levels of Web Application Penetration Testing engagements for them. Customers continue to work with us because of the higher level of quality they see in the output of the work we deliver, which is typically credited to our Penetration Testing as a Service delivery model, enabled by our Resolve™ platform.

PCI DSS Requirement 11.3

Implement a methodology for penetration testing:

  • A penetration test must be done every 12 months.
  • The penetration testing verifies that segmentation controls/methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.
  • Methodology includes network, server, and application layer testing.
  • Includes coverage for the entire CDE perimeter and critical systems. Includes testing from both inside and outside the network.

NetSPI Offerings Leveraged by Clients

NetSPI provides both Internal and External Network Penetration Testing services. When customers request an assessment whose results they intend to use to satisfy PCI requirements, NetSPI provides deliverables tailored to be handed to the client’s QSA for that purpose. In cases where the Cardholder Data Environment (CDE) is located in the cloud, NetSPI’s Cloud Penetration Testing goes above and beyond the minimum testing requirements of the PCI Standard.

[post_title] => E-Commerce Trends During COVID-19 and Achieving PCI Compliance [post_excerpt] => By this point it’s clear that organizations and every individual has to make changes and adapt their day-to-day activities based on the weeks of lock-down [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => e-commerce-trends-during-covid-19-and-achieving-pci-compliance [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:53:44 [post_modified_gmt] => 2021-04-14 00:53:44 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=19027 [menu_order] => 123 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [38] => WP_Post Object ( [ID] => 19011 [post_author] => 2 [post_date] => 2020-05-27 12:00:20 [post_date_gmt] => 2020-05-27 17:00:20 [post_content] =>

Each year, thousands of merger and acquisition (M&A) applications are approved. While M&As are growing in popularity, they aren’t risk free. According to West Monroe Partners, 40 percent of acquiring businesses discovered a high-risk security problem after an M&A was completed.

During this on-demand webinar, NetSPI Managing Director Nabil Hannan will dive into critical vulnerability management considerations for your M&A activity, including:

  • The added layer of concern that comes with digital communications channels
  • Knowing which assets the acquirer is responsible for
  • Common M&A security red flags to look out for
  • How to obtain complete visibility into true risk exposure during an M&A
[post_title] => Vulnerability Management Best Practices for Mergers & Acquisitions [post_excerpt] => During this on-demand webinar, NetSPI Managing Director, Nabil Hannan, will dive into critical vulnerability management considerations for your M&A activity. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => webinars-vulnerability-management-best-practices-for-mergers-acquisitions-on-demand [to_ping] => [pinged] => [post_modified] => 2021-06-02 08:57:03 [post_modified_gmt] => 2021-06-02 08:57:03 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=19011 [menu_order] => 22 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [39] => WP_Post Object ( [ID] => 18835 [post_author] => 65 [post_date] => 2020-05-26 07:00:02 [post_date_gmt] => 2020-05-26 07:00:02 [post_content] =>

In a recent episode of Agent of Influence, I talked with Sean Curran, Senior Director in West Monroe Partners’ Technology Practice in Chicago. Curran specializes in cybersecurity and has over 20 years of business consulting and large-scale infrastructure experience across a range of industries and IT domains. He has been in the consulting space since 2004 and has provided risk management and strategic advice to many top-tier clients. Prior to consulting, Curran held multiple roles with National Australia Bank.

I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music or wherever you listen to podcasts.

Cybersecurity Challenges of COVID-19

From Curran’s perspective, the COVID-19 pandemic has created a lot of challenges for organizations, many of which weren’t prepared for this situation. For example, some organizations primarily used desktop computers and now their employees are being asked to work from home without laptops, which is particularly hard at a time when hardware is difficult to source.

In addition, many companies had processes in place that they never tested – or their processes were too localized. While many companies are prepared to withstand a disaster in one location – for example, Florida in case of a hurricane – COVID-19 has affected the entire world, and organizations weren’t prepared to withstand that. The widespread global impact is why most companies’ disaster recovery and business continuity plans are failing.

The same thing goes for cyberattacks – they aren’t localized to a particular building or region, which is a challenge when most companies are only set up to lose a single building or a single data center.

As during other similar situations, we have seen an increase in cyberattacks during the COVID-19 pandemic, meaning organizations are not only having to implement their business continuity plans on a very broad scale, but also ensure cybersecurity during a heightened period of attacks.

What Makes an Organization Prone to a Security Breach?

People. Budget. And more. Sometimes it’s just that the organization is focused on the wrong things. Or they still believe that security is the security team’s responsibility – but it’s everyone's responsibility.

Curran has seen organizations with a small number of employees and low budgets do some really amazing things, showing it comes down to the capability of the individuals involved and how interested they are in security.

Organizations also need to strike a balance of protecting themselves from old attack methods while thinking about what the next attack method might be. Attackers are very good at figuring out what security teams are looking at, ignoring it, and moving on to the next delivery mechanism. At the same time, ignoring an old attack method isn’t necessarily the right approach either because we do see attackers re-using old schemes when people have moved on and forgotten about it – or combining several old attack methods into a new one.

Key Steps After a Breach

It’s critical to first understand the point at which your employee fell victim to the virus. The day the antivirus program alerts you that you have a virus isn't necessarily the day you got the virus.

Then you need to understand what the virus did when someone clicked on a link. Was it credential stealing or malware dropping?

To understand this, you can use toolboxes, which allow you to drop in an email or an application, or point to a website, and the toolbox will tell you what the virus did. Curran uses a tool called Joe Sandbox.

Once you understand what the virus did, you can determine next steps. For example, if it was credential stealing, you need to think about what those user credentials have access to. It’s critical to think holistically here – if the user gave away internal credentials, are they re-using those for personal banking platforms or a Human Resources Information System (HRIS)? People tend to think myopically around Active Directory, but Curran argues that we need to start thinking beyond that, especially as we start using cloud services.

Curran pointed out that social communication is happening on almost every platform, including Salesforce, Slack, and more. Everything has a social component to it, meaning also that there's a new delivery mechanism that attackers could start to use.

It’s critical for organizations to start thinking more holistically about how they prepare for and respond to a security breach. For many organizations, the COVID-19 pandemic has created a perfect storm of trying to implement business continuity plans that weren’t tested or up to the task, while also ensuring security during a heightened time of cyberattacks.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Post title: Why Organizations Should Think More Holistically About Preparing for and Responding to a Security Breach (https://www.netspi.com/?p=18835)

Credit Union Journal: Credit unions must step up cybersecurity during coronavirus (published 2020-05-13, https://www.netspi.com/?p=18949)

On May 13, 2020, NetSPI Managing Director Nabil Hannan was featured in Credit Union Journal. As COVID-19 stay-at-home orders begin to lift, people who have the capability to do business from home are being encouraged to do so – and credit unions are no exception. Throughout the pandemic, organizations have had to put business disaster recovery (BDR) and business continuity plans (BCP) to the test – and in tandem, we’ve seen an increased emphasis on cybersecurity resiliency. Cybersecurity concerns have risen over the past couple of months as attackers continue to take advantage of the situation. Notably, the Zeus Sphinx banking trojan has returned, phishing attacks are up 350%, and the growing remote workforce has increased the use of potentially vulnerable technologies.

Read the full article here.

Post ID 18644, published 2020-05-05:

In a recent episode of Agent of Influence, I talked with Anubhav Kaul, Chief Medical Officer at Mattapan Community Health Center near Boston about not only some of the medical challenges they are facing during COVID-19, but also some of the software and security challenges. I wanted to share some of his insights in a blog post, but you can also listen to our interview here, on Spotify, Apple Music, or wherever you listen to podcasts.

COVID-19 Impacts on Telemedicine

Telemedicine has been available and in use for many years and takes many forms. For example, your doctor calling you on the phone to update you on your results is telemedicine; so is receiving results through an electronic portal, or receiving feedback from your provider over a text message platform.

However, COVID-19 has drastically changed many doctors’ reliance on telemedicine, making it the primary platform through which they provide care to their patients. According to Kaul, 90 percent of the care Mattapan delivers is currently delivered via telemedicine, including treatment of chronic conditions and urgent concerns. This has been made possible largely because payers, both public and private, recognized the essential need for remote care in the current climate and have enabled Mattapan to receive reimbursement for providing telemedicine-based care.

The challenges Mattapan is currently experiencing are mostly around adoption of video and phone technology enabling remote treatment, since many clinicians have never had training on how to conduct effective telemedicine appointments.

In addition, while a tremendous amount of care can be provided to patients without physically seeing them, the ability to be in the presence of patients and evaluate them in person is sometimes irreplaceable. In part to address this challenge, Mattapan is leveraging medical devices to help patients manage certain conditions from home, many of which automatically send data directly to doctors as it’s collected, including devices to measure blood pressure, glucose, weight, and more.

Kaul has also noticed that doctor-patient relationships, like so many relationships, are struggling with the lack of social connection, one of the most gratifying parts of providing care in person. With new technological developments, people are in general more distracted by their technology from the person right in front of them, including doctors when seeing patients. This may even be exacerbated as doctors leverage telemedicine to provide treatment and try to connect with patients over video and phone.

Staying Secure While Providing Remote Treatment

Providers have always had to focus on ensuring their communications with patients are secure and HIPAA compliant. Many clinicians want to provide the best care to their patients, which may sometimes mean giving out their cell phone numbers to patients or texting their patients to allow for accessibility of care. While they have every intention of doing the right thing for the patient, these are not necessarily considered safe modes of communicating with patients. They may be easy and accessible, but there is a level of risk when it comes to using unofficial platforms.

Using encrypted email and online patient portals to send messages is a more secure option, even if it may not be as convenient for clinicians and patients.

Even outside of a pandemic, doctors and clinics will always face this security challenge, in which two goals sometimes conflict: protecting the patient’s information, and protecting the patient’s health by providing accessible care. At the same time, they must avoid putting themselves or their clinic at risk by using unsecure modes of communication.

Mattapan uses Epic, an Electronic Medical Record (EMR) system that is integrated with Zoom to provide telemedicine via video and that allows patients to send pictures, which are then uploaded into their patient portal and medical record. However, most visits will continue to be phone-based, primarily because of accessibility. While getting people to adopt new technology is always a challenge, Mattapan is working to increase video adoption to give all their patients the full functionality that medium provides.

As Mattapan and clinics around the world leverage new technology and medical devices to treat patients remotely, they don’t necessarily know the security threats these technology solutions pose because they’ve never used them before, especially to this extent. While hospital IT and security teams are working to quickly test and set up these systems, there are risks associated.

Video: https://youtu.be/qxLObXu9OCI

As a clinician, Kaul is not necessarily constantly thinking about security risks, but more about the most accessible way to provide care to Mattapan’s patients. He sees this time as presenting an opportunity in the market for telemedicine software solutions and medical devices, so that doctors can continue to treat patients remotely – and even offer broader and improved treatments.

I’ve completed a fair number of security assessments for electronic medical devices and organizations that build hardware leveraged by doctors, and in my experience, doctors hate security because it interferes with their ability to conduct the job at hand. And in certain cases, the job at hand takes significantly higher priority than the potential security risks. For example, I don't think any doctor wants to have to enter a password before they can use a surgical device, because sometimes every second matters when it comes to the life of a patient.

Increasing Challenges of Patient Authentication

Another challenge when it comes to treating patients remotely is patient authentication. For example, you may be trying to monitor the blood pressure of your patient and you send them home with a device that continually sends data back, but how do you know that data is for your patient and not their child, sibling or someone else? Kaul acknowledges that there’s no easy way to authenticate this and it’s very easy for patients to cheat the system if they want to. These are challenges that need more focus and attention, which they’re probably not getting right now because usability is taking a much higher priority than security.

Mattapan is focused on making sure any patient interactions they’re having are as reliable as possible, especially during this time. However, there are unique challenges. For example, sometimes they rely on talking with family members of people who can’t speak English, but maybe that family member doesn’t have full authority over the patient’s health care information or decisions about their health care. These types of scenarios are gaps that software and medical device companies could fill, but they may not be given the highest priority at this time.

Prescribing Medications Virtually

Doctors have long been able to electronically prescribe most medications, but during the COVID-19 pandemic, they are also allowed to prescribe other medications that previously required a paper prescription, including controlled substance pain medications, certain psychiatric medications, and medications meant to treat addictions.

Being able to prescribe controlled substances electronically has made the process more accessible, especially in these current times, but it has also added security challenges. These challenges include making sure that the patient is properly identified, and they are receiving the prescriptions in a secure manner from the pharmacy. This level of accessibility is great for the patient and for the provider, but certain guidelines have been adopted to make sure this is done in a standardized fashion and to make sure that doctors are still connecting with these patients over the phone or video to see how their care is going, whether it's for pain management or treating them for addiction-based disorders.

During these uncertain times, doctors and hospitals are working to increase accessibility of care, but with accessibility comes the responsibility of making sure that parameters of appropriately treating patients are in place – along with the appropriate security measures.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Post title: Overcoming Challenges of COVID-19 with Telemedicine and New Technology Solutions (https://www.netspi.com/?p=18644)

Post ID 18559, published 2020-04-28:

Physical Distancing, Yet Connecting Virtually

We find ourselves living through the COVID-19 pandemic, having abruptly switched to a work from home model with virtual meetings becoming the norm. By now, unless you’re living under a rock, you’ve heard about people using the Zoom videoconferencing service.

Given that everyone is trying to shelter in place and social distance to stop the spread of the virus, using Zoom for video calls with groups of people has become extremely popular. There’s been a spike in the usage of Zoom’s video conferencing capabilities for both professional and personal meetings, as an avenue for multiple people to have face-to-face video conference calls.

Unfortunately for Zoom, along with the spike in usage there’s also been a rise in the number of security vulnerabilities being reported in Zoom’s software. This has resulted in Zoom focusing all its development efforts on sorting out security and privacy issues with the software.

Let’s explore some of the most popular vulnerabilities that are being discussed and see if we can make sense of them and the impact that they’re going to have if exploited.

Zoom Security Concerns

Zoombombing

This term has gained a lot of popularity. Derived from the term “photo-bombing,” zoombombing refers to one or more people joining a Zoom meeting they were not invited to and interrupting the discussion in some vulgar manner (e.g. sharing obscene videos or photos in the meeting).

There are a few reasons why this is possible:

  • Meetings with Personal IDs – Zoom gives each user a personal ID, and you can use those IDs to quickly start a Zoom meeting at any given time. Because this ID is static and doesn’t change, zoombombers will keep iterating through all possible personal IDs until they get one that has an active meeting going on and they can join.
  • Meetings not requiring passwords – Users can set up meetings that don’t require a password, so if a zoombomber figures out the meeting ID, and there’s no password for that meeting, then they can join the meeting.
  • Lack of rate limiting – Zoom didn’t seem to have any type of rate limiting that would stop a single machine from repeatedly trying to join meetings.

There are steps a user can take to prevent their meetings from getting zoombombed, including:

  • Generate a new meeting ID for every meeting instead of using your static Personal ID
  • Make sure your meeting has a password (this is now enabled by default)
  • Enable the waiting room, so you have to give users permission to join before they can join the meeting

A Lack of True End-to-End (E2E) Encryption

Zoom does do E2E encryption, but not on the video conference traffic itself. If you’re just using Zoom for social interactions and non-business meetings, and there’s nothing sensitive being shared, you probably don’t care about this too much.

There is encryption on the transport layer, but it isn’t true E2E because Zoom can still decrypt your video. What you basically have is the same level of protection you get when interacting with any website over HTTPS (TLS).

When Zoom refers to E2E encryption, they mean all of their chat functionality is protected with true E2E encryption.

The reason you don’t see true E2E encryption for this on other platforms either is that it is really challenging to do. Other services that allow group video calls, like WhatsApp and FaceTime, limit how many participants you can have on a call at a time and don’t scale like Zoom does, where currently in the Zoom Gallery View you can see video from up to 49 participants at the same time.

Details around the use of encryption in Zoom can be found here.

China Being Able to Eavesdrop on Zoom Meetings

There’s been a lot of discussion around the issue that the Chinese government can force Zoom to hand over keys and as a result, they would be able to decrypt and view Zoom conversations because a few of the key servers that were used to generate encryption keys were located in China.

It should be noted that Zoom does have employees in China and runs development and research operations from there. That being said, most of Zoom’s key servers are based in the U.S., and if there are subpoenas from the FBI or other agencies (e.g. a FISA warrant), then Zoom would be required to hand over the keys.

To summarize, if you’re just having regular video calls with your family and friends and there’s nothing that’s sensitive in nature being discussed on these calls, you probably shouldn’t worry too much about this issue.

Your Private Chat Conversation Isn’t Really Private

During a Zoom meeting, when you send a private chat to someone in that meeting, it cannot be exposed to anyone else immediately. But after the meeting, if the host decides to download the transcript, they will have access both to the chats that were public and sent to everyone in the meeting and to any private chat messages exchanged between two people.

It isn’t necessarily surprising that a host/admin would have access to all chat transcripts, but to sum this one up: if you’re chatting privately with someone during a meeting, don’t say anything you wouldn’t want others to see or find out about.

Zoom Mimics the OS X Interface to Gain Additional Privileges

When Zoom is being installed, the app requires some additional privileges to complete the process, so the installer prompts the user for their OS X password. The message presented to the user is very misleading, since it says “System needs your privilege to change” while asking for administrator credentials.

It’s challenging to determine whether this is truly malicious or not, because we can’t get into the heads of the developers to determine the true intent – but this trick is commonly used by malware to gain additional privileges.

This in itself isn’t as big of an issue since it happens to take place while a user is intentionally installing the software on their own machine. There are scenarios where attackers could somehow convince their target to install Zoom, and then leverage any vulnerabilities in Zoom itself to cause damage. While not impossible, it’s a little far-fetched.

Zoom Can Escalate Privileges to ‘Root’ on Mac OS

I’m not going to spend too much time going over the technical details of how this can be done, but you can find all the details you want on Patrick Wardle’s blog.

What I want to emphasize here is that this requires someone to already have access to your system to be able to exploit it. If an attacker has physical access to your computer, you have other things to worry about because they basically “own” your machine at this point – they can do whatever they want – time and skill permitting of course. And if there’s some malware that’s exploiting this Zoom issue on your computer, guess what, the malware is already on your machine, and probably has root (or close to root) access anyway because you somehow inadvertently gave it additional privileges to install itself on your machine.

Attackers Can Steal Your Windows Credentials Through the Windows Zoom Application

This is a vulnerability where an attacker can send you a chat message containing a UNC link. The Windows app converted UNC links into clickable links just as it would with web links, so a path like “\\ComputerName\Shared Folder\mysecretfile.txt” would be rendered clickable in the same way as a web link like “www.netspi.com.” By clicking the link, a user would have their Windows credentials (the username and the password hash) sent to the attacker.

I want to reiterate the importance of not clicking on links that you don’t trust or whose destination you don’t know. It’s important for everyone to be as vigilant against clicking untrusted links as they would be with email phishing. This is no different.

This issue has reportedly been fixed by Zoom on April 1, 2020, as long as you update to the latest version of the Zoom application on Windows.

Source: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
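To make the UNC-link issue above concrete from the defender’s side, here is an added example (written for this page, not Zoom’s code): a flawed chat linkifier that makes UNC paths clickable, beside a hardened one that only links http(s) URLs and reports any UNC host so it can be logged. The sample messages and all names are constructed for the example.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample chat messages (hypothetical; not taken from any real client).
SAMPLE_MESSAGES = [
    "Slides are at https://www.netspi.com/resources",
    r"Grab the notes from \\FILESERVER01\Shared Folder\notes.txt",
    "Meeting starts at 10am, no links here",
]

# A web URL: http or https scheme followed by a run of non-whitespace characters.
WEB_URL_RE = re.compile(r'https?://[^\s<>"]+')

# A UNC path: two backslashes, a host name, a backslash, then the start of the
# share or file path. Group 1 is the host, i.e. the machine Windows would open
# an SMB connection to (and authenticate against) when the path is opened.
UNC_PATH_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\s<>"]*')

# Matches either kind of target; used only by the flawed renderer below.
ANY_LINK_RE = re.compile(f"{WEB_URL_RE.pattern}|{UNC_PATH_RE.pattern}")


@dataclass
class LinkifyResult:
    rendered: str      # HTML for the chat message
    unc_hosts: list    # hosts a click on a UNC link would authenticate to


def unc_hosts(message: str) -> list:
    """Return the host portion of every UNC path found in a chat message."""
    return [m.group(1) for m in UNC_PATH_RE.finditer(message)]


def _anchor(target: str) -> str:
    escaped = html.escape(target, quote=True)
    return f'<a href="{escaped}">{escaped}</a>'


def _render(message: str, pattern: re.Pattern) -> str:
    """HTML-escape the message and wrap every match of `pattern` in an anchor."""
    parts, pos = [], 0
    for m in pattern.finditer(message):
        parts.append(html.escape(message[pos:m.start()], quote=True))
        parts.append(_anchor(m.group(0)))
        pos = m.end()
    parts.append(html.escape(message[pos:], quote=True))
    return "".join(parts)


def vulnerable_linkify(message: str) -> LinkifyResult:
    """The flawed behaviour the post describes: UNC paths are made clickable
    exactly like web URLs, so a single click makes the OS connect to a
    sender-chosen host and perform Windows authentication against it."""
    return LinkifyResult(rendered=_render(message, ANY_LINK_RE),
                         unc_hosts=unc_hosts(message))


def safe_linkify(message: str) -> LinkifyResult:
    """Hardened renderer: only http(s) URLs become links. UNC paths are left
    as inert escaped text and reported so the caller can log or warn."""
    return LinkifyResult(rendered=_render(message, WEB_URL_RE),
                         unc_hosts=unc_hosts(message))


def flag_unc_messages(messages) -> list:
    """Detection over a batch of chat lines: (index, hosts) for each message
    that carries a UNC path, regardless of how the client renders it."""
    flagged = []
    for i, msg in enumerate(messages):
        hosts = unc_hosts(msg)
        if hosts:
            flagged.append((i, hosts))
    return flagged


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("flawed :", vulnerable_linkify(msg).rendered)
        print("safe   :", safe_linkify(msg).rendered)
    print("flagged:", flag_unc_messages(SAMPLE_MESSAGES))
```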

What Does This Mean for You?

There’s a lot to digest here, and given Zoom’s popularity in recent times, it’s not surprising that more and more issues are getting reported because researchers are focusing on these issues more, and attackers are trying to take advantage of any little issue that can be exploited on an app that a majority of the population may be using.

The bottom line on how you should use Zoom really depends on your use case. If you’re using it for informal, personal, social purposes and there’s nothing of sensitive nature that you’re worried about, Zoom will serve you just fine. On the other hand, if you need to have sensitive business-related discussions or need to use a communication channel to discuss something that’s top secret, then it’s probably best to avoid Zoom, and use known secure methods of communication that have been approved and vetted by your business/organization.

Post title: Zoom Vulnerabilities: Making Sense of it All (https://www.netspi.com/?p=18559)

BAI Banking Strategies: Work from home presents a data security challenge for banks (published 2020-04-15, https://www.netspi.com/?p=18374)

On April 15, 2020, NetSPI Managing Director Nabil Hannan was featured in BAI Banking Strategies. The mass relocation of financial services employees from the office to their couch, dining table or spare room to stop the spread of the deadly novel coronavirus is a significant data security concern, several industry experts tell BAI. But they add that it is a challenge that can be managed with the right tools, the right training and enduring vigilance.

Read the full article here.

Post ID 18287, published 2020-04-14:

In the inaugural episode of NetSPI’s podcast, Agent of Influence, Managing Director and podcast host Nabil Hannan talked with Ming Chow, a professor of Cyber Security and Computer Science at Tufts University, about the evolution of cyber security education and how to get started in the industry.

Below is an excerpt of their conversation. To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Nabil Hannan

What are your views and thoughts on how actual education in cyber security and computer science has evolved over the last couple of decades?

Ming Chow

I think one thing that is nice, which we didn't have, is this: ten or twenty years ago, if we wanted to learn Java, for example, or about databases, or SQL, you had to go buy a book from your local tech bookstore or we had to go to the library. That doesn't have to happen now. There's just so much information out there on the web.

I think it’s both a good and a bad thing. Now, with all this information readily available, it feels like that content and information is much more accessible. I don't care if you're rich or poor, it really leveled the playing field in terms of the accessibility and the availability of information.

At the same time, there is also the problem of information overload. I'll give you two good examples. Number one: I've had co-workers ask me, “What's the best book to use for Python?” That question, back in the day when we had physical books, was a lot easier to answer. Making a recommendation now is a lot harder. Do you want a physical book? Are you looking for a publisher? Are you looking for an indie publisher? Are you looking for a website? Are you looking for an electronic form? Now, there are just way too many options.

Now it's even worse when it comes to cyber security and information security. There are a lot of people trying to get into cyber security and a common question is how to get started. If you ask 10 experts that question, you’ll get 10 different answers. This is one of the reasons why, especially for newcomers, that it’s hard to understand where to get started. There are way too many options and too many avenues.

Nabil Hannan

Right, so people get confused by what's trustworthy and what's not, or what's useful versus what isn't.

Ming Chow

And, what makes this worse is social media because a lot of people in cyber security are on Twitter and there’s also a community on Facebook. This has both pros and cons, of course. You have community, which is great, but at the same time, there is just more information and more information overload.

But, there is one thing that hasn't changed in cyber security education – or lack thereof – and computer science curricula since 2014. I don't see much changed in computer science curricula at all. I still see a lot of students walking out of four years of computer science classes who don't know anything about basic security, not to mention about cross site scripting and SQL injection. Here we are in 2020 and there are still many senior developers who don’t know about these topics.

Nabil Hannan

Let's say you have a student who wants to become a cyber security professional or get into a career in cyber security. What's your view on making sure they have a strong foundation or strong basics of understanding of computer science? What do you tell them? And how do you emphasize the importance of knowing the basics correctly?

Ming Chow

Get the fundamentals right. Learn basic computer programming and understand the basics. It makes absolutely no sense to talk about cyber security if you don't have the fundamentals or technical underpinnings right. You must have the basic technical underpinnings first in order to understand cyber security. Because you see a lot of people talk about cyber security – they talk and talk and talk – but half of the stuff they say makes no sense because they don't have the basic underpinnings.

That's why I tell brand new people, number one, get the fundamentals right. You must get those because you're going to look like a fool if you talk about cyber security, but you don't actually have any knowledge of the basic technical underpinning.

Nabil Hannan

The way I tell people, that is, it's important for you to know how software is actually built in order for you to learn or figure out how you're going to break that piece of software. So that's how I iterate the same thing. But yes, continue please.

Ming Chow

Number two is to educate yourself broadly. Let me explain why that's important. You want to have the technical underpinnings, but you also want to educate yourself broadly – take courses in calligraphy, psychology, political science, information warfare, nuclear proliferation, and others.

Educate yourself broadly, because cyber security is a very broad field. I think that's something that many people fail to understand. A lot of people, especially in business, think that cyber security is just targeted toward technology. A lot of people think cyber security is IT’s responsibility. But of course, that's not true, because things like legal and HR have huge implications for cyber security. You have to educate yourself broadly because sometimes the answer is not technical at all.

Nabil Hannan

I think some of the most successful people that I've seen in this space are usually very adaptable – they learn to adapt to different situations, different scenarios, different cultures, different environments. And, technology is always evolving and so are the actual security implications of the evolving technology. Some of the basics and foundations may still be similar, but the way to approach certain problems ends up being different. And the people who are most adaptable to those type of changing and evolving scenarios tend to be the most successful in cyber security, from what I've seen.

Ming Chow

I think it's a huge misnomer for any young person who is studying and trying to get into security. Cyber security is not about the 400-pound hacker in the basement. It's also not hunting down adversaries or just locking yourself in a room, isolating yourself in a cubicle, writing code that would actually launch attacks.

Nabil Hannan

So, you're saying it's not as glamorous as Hollywood makes it seem in their movies like Hackers and Swordfish?

Ming Chow

I think the most legit show is Mr. Robot because they actually vet out real security professionals for that show.

Now, I want to go back into something you said about the software engineering role. Probably one of the best ways to get into cyber security is to follow one of these avenues: software development, software engineering, help desk, network administration, or system administration. And the reason is because when you're in one of those positions, you will actually be on the front lines and see how things really work.

Nabil Hannan

Things in practice are so different than things in theory, right? So, that's what you really got to learn hands on.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Post title: The Evolution of Cyber Security Education and How to Break into the Industry (https://www.netspi.com/?p=18287)

Credit Union Times: Vulnerability Management Considerations for Credit Union M&As (published 2020-04-08, https://www.netspi.com/?p=17711)

On April 8, 2020, NetSPI Managing Director Nabil Hannan was featured in Credit Union Times. Given the hundreds of merger and acquisition applications approved each year by the NCUA, M&As remain an appealing strategy for growth. However, in today’s cyberworld, merging with another company also means adopting another company’s network infrastructure, software assets and all the security vulnerabilities that come with it. In fact, consulting firm West Monroe Partners reported that 40% of acquiring businesses discovered a high-risk security problem after an M&A was completed.

A case in point: In the early 2000s, I was part of a team heavily involved during and after the merger of two large financial institutions. We quickly came to the realization that the entities had two completely different approaches to cybersecurity. One had a robust testing program revolving around penetration testing (or pentesting) and leveraged an industry standard framework to benchmark its software security initiative annually. The other did not do as much penetration testing but focused more on architecture and design level reviews as its security benchmarking activity. Trying to unify these divergent approaches quickly brought to the surface myriad vulnerabilities that required immediate remediation. However, the acquired entity didn’t have the business cycle or funding needed for the task, which created a backlog of several hundred thousand issues needing to be addressed. This caused delays in the M&A timing because terms and conditions had to be created. Both parties also had to agree to timelines within which the organizations would address identified vulnerabilities and the approach they would take to prioritize remediation activities accordingly.

Read the full article here.

Post ID 18106, published 2020-04-07:

The Internet is a hacker’s playground. When a hacker is looking for targets to attack, they typically start with the weakest link they can find on the perimeter of a network – something they can easily exploit. Usually when they find a target that they can try to breach, if the level of effort becomes too high or the target is sufficiently protected, they simply move on to the next target.

The most common type of attacker is the “Script Kiddie.” These are typically inexperienced actors who simply reuse code or scripts posted online to replicate a hack, or who download software like Metasploit and run scans against systems to find something that breaks. This underscores the need to make sure that the perimeter of your network, and whatever is visible to the outside world, is properly protected, so that even inadvertent scanning by Script Kiddies or tools being run against the network doesn’t end up causing issues.

Testing the External Network

In most cases, almost all the focus and energy goes to an organization’s externally facing network perimeter. Almost all the organizations we work with have a focus on, or automated scanners regularly testing, the external-facing network. This is an important starting point, because vulnerabilities within the network are usually easy to detect, and there are many tools at attackers’ disposal that let them discover network vulnerabilities with little effort. It’s very common for attackers to regularly scan Internet address space to find vulnerabilities and decide which assets they are going to try to exploit first.

Organizations have processes or automations that regularly scan the external network looking for vulnerabilities. Depending on the industry an organization falls into, there are regulatory pressures that also require a regular cadence of security testing.

The Challenge of Getting an Inventory of All Web Assets

Large organizations that rapidly create and deploy software commonly struggle to keep an up-to-date inventory of all the web applications exposed to the Internet at any given time. This is due to the dynamic way organizations work: business drivers require web applications to be deployed and updated regularly. One common example is organizations that rely heavily on web applications to support their business needs, particularly for marketing, where new micro-sites are deployed on a regular basis. Not only are new pages deployed regularly, but with today’s adoption of DevOps culture and the Continuous Integration (CI) / Continuous Deployment (CD) methodology by so many software engineering teams, almost all applications are regularly updated with code changes.

With web applications on the perimeter being exposed and updated all the time, organizations need to regularly scan their perimeter to discover which applications are truly exposed, and whether any of them have vulnerabilities that are easily visible from the outside to attackers running scanning tools.

Typically, organizations do have governance and processes for regular testing of applications in non-production or production-like UAT environments, but many times testing applications in production doesn’t happen. Although authenticated security testing in production may not always be feasible, depending on the nature and business functionality of a web application, unauthenticated security scanning of applications using Dynamic Application Security Testing (DAST) tools can be done easily. After all, the hackers are going to be doing it anyway, so you might as well proactively perform these scans and find out ahead of time what will be visible to them.

The Need for Unauthenticated DAST Scanning Against Web Applications in Production

Given these challenges, it’s important for organizations to seriously consider whether it makes sense to start performing unauthenticated DAST scanning against all their web applications in production on a periodic basis to ensure that vulnerabilities don’t make it through the SDLC to production.

At NetSPI, we typically use multiple DAST scanning tools for our assessments, leveraging both open source and commercial DAST scanners.

What Does NetSPI’s Assessment Data Tell Us?

Given our experience in web application assessments, we looked at data from the last 10,000 vulnerabilities identified from web application assessments, and the most common issues are Security Misconfiguration (28%) and Sensitive Data Exposure (23%). Full analysis of the data is in the graphs below.

Given that Security Misconfiguration is the most common vulnerability we tend to find, it is clear that these misconfigurations can just as easily be carried into production by accident. This is why it’s so important to periodically test all web applications in production for common vulnerabilities.
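As an added example (not NetSPI’s code or tooling), here is the kind of unauthenticated check a DAST scan performs: it inspects plain HTTP responses for Security Misconfiguration and Sensitive Data Exposure indicators, the two categories the post’s data ranks highest. The three responses are constructed inline, and the header baseline and detection patterns are this example’s own assumptions.

```python
"""Added example (not NetSPI's code): flags Security Misconfiguration and Sensitive
Data Exposure indicators that an unauthenticated DAST scan can see in an ordinary HTTP
response. The responses are constructed inline so the check runs offline; the header
baseline and the regexes are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str]                            # looked up case-insensitively
    cookies: List[str] = field(default_factory=list)   # raw Set-Cookie values
    body: str = ""

Finding = Tuple[str, str]  # (category, detail)

# Hardening headers expected on a production HTTPS response (assumed baseline).
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing, so a first request can be downgraded to HTTP",
    "x-content-type-options": "X-Content-Type-Options missing, so browsers may sniff MIME types",
    "content-security-policy": "Content-Security-Policy missing, so injected scripts are unconstrained",
}
# Banners such as "Apache/2.4.29" hand an attacker an exact version to look up.
VERSION_BANNER = re.compile(r"[A-Za-z][A-Za-z\-]*/\d+(?:\.\d+)+")
# Fragments typical of default directory listings and unhandled-exception pages.
DIRECTORY_LISTING = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)")

def check_response(resp: Response) -> List[Finding]:
    """Return the findings an unauthenticated scan would raise for one response."""
    findings: List[Finding] = []
    h = {k.lower(): v for k, v in resp.headers.items()}
    # Security Misconfiguration: hardening headers absent on an HTTPS page.
    if resp.url.lower().startswith("https://"):
        for name, detail in REQUIRED_HEADERS.items():
            if name not in h:
                findings.append(("Security Misconfiguration", detail))
    # Security Misconfiguration: server or framework version disclosure.
    for banner in ("server", "x-powered-by"):
        if banner in h and VERSION_BANNER.search(h[banner]):
            findings.append(("Security Misconfiguration",
                             f"{banner} header discloses a version: {h[banner]}"))
    # Security Misconfiguration: cookies set without the Secure / HttpOnly flags.
    for raw in resp.cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in raw.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(("Security Misconfiguration", f"cookie {name} lacks the {flag} flag"))
    # Sensitive Data Exposure: directory listing or a stack trace in the body.
    if DIRECTORY_LISTING.search(resp.body):
        findings.append(("Sensitive Data Exposure", "directory listing enabled"))
    if resp.status >= 500 and STACK_TRACE.search(resp.body):
        findings.append(("Sensitive Data Exposure", "stack trace returned to an unauthenticated client"))
    return findings

def scan(responses: Iterable[Response]) -> Dict[str, List[Finding]]:
    """Check every response; the report lists only URLs with at least one finding."""
    report: Dict[str, List[Finding]] = {}
    for resp in responses:
        findings = check_response(resp)
        if findings:
            report[resp.url] = findings
    return report

def category_counts(report: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Tally findings per category, the breakdown the post gives for its 10,000 findings."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for category, _ in findings:
            counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample: a marketing micro-site pushed to production with defaults left in
# place (two responses), plus the main site after hardening.
SAMPLE = [
    Response("https://promo.example.com/", 200,
             {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/7.2.1"},
             cookies=["PHPSESSID=abc123; Path=/"],
             body="<html><head><title>Spring Promo</title></head></html>"),
    Response("https://promo.example.com/uploads/", 200, {"Server": "Apache/2.4.29 (Ubuntu)"},
             body="<html><head><title>Index of /uploads</title></head><body>..</body></html>"),
    Response("https://www.example.com/", 200,
             {"Server": "Apache",
              "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
              "X-Content-Type-Options": "nosniff",
              "Content-Security-Policy": "default-src 'self'"},
             cookies=["session=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"],
             body="<html><head><title>Home</title></head></html>"),
]

if __name__ == "__main__":
    for url, findings in scan(SAMPLE).items():
        print(url, *[f"  [{c}] {d}" for c, d in findings], sep="\n")
    print(category_counts(scan(SAMPLE)))  # {'Security Misconfiguration': 11, 'Sensitive Data Exposure': 1}
```

Against the constructed sample the hardened main site produces no findings, while the micro-site yields 11 Security Misconfiguration findings and one Sensitive Data Exposure finding; in practice the Response objects would be built from fetches of the inventoried perimeter URLs.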

Key Takeaways

  1. Testing your external network is a good start and a common practice in most organizations.
  2. Keeping an up-to-date inventory of all web applications and Internet facing assets is challenging.
  3. Companies should periodically perform unauthenticated DAST assessments against all web applications in production.
  4. Data from thousands of web application assessments shows that Security Misconfiguration and Sensitive Data Exposure are the most common types of vulnerabilities found in web applications.
[post_title] => Through the Attacker's Lens: What Is Visible on Your Perimeter? [post_excerpt] => The Internet is a hacker’s playground. When a hacker is looking for targets to attack, they typically start with the weakest link they can find on the perimeter of a network [post_name] => through-the-attackers-lens-what-is-visible-on-your-perimeter [post_modified] => 2021-04-14 00:54:24 [guid] => https://www.netspi.com/?p=18106 ) [47] => WP_Post Object ( [ID] => 18001 [post_author] => 65 [post_date] => 2020-03-30 07:00:50 [post_content] =>

Pandemics Happen: You Can’t Predict a Crisis

A worldwide pandemic broke out, and your employer is asking you to work from home instead of coming into the office. Well, you’re not alone. This is the situation that many people have found themselves in during this Covid-19 pandemic.

Although it may seem like no big deal at first, working from home daily for an extended period of time is vastly different than going into the office every day. For some, the line of work-life balance gets even more blurred than before.

The hurdles of working from home tend to amplify in our current situation when people are trying to work from home and have their children at home (instead of at school) all day too. People try to make light of the situation they’re in by posting some really funny posts on social media like the one from Jason White:

This is truly the new normal for all of us, and there’s no certainty as to how much longer this pandemic is going to force people to work from home.

Luckily for us, today we are extremely well connected via the Internet, and leveraging cloud-based software solutions/Software-as-a-Service (SaaS), Virtual Private Networks (VPN), Virtual Desktop Infrastructure (VDI), etc., makes it easy for some organizations to enable their workforce to work effectively from home.

This pandemic is also the first time many of these organizations are actually executing their Business Disaster Recovery (BDR) and Business Continuity Plans (BCP). Businesses are quickly learning from the challenges since these plans are very different when they’re being documented theoretically versus when they’re being executed in a real-time crisis.

Getting Comfortable With “The New Norm”

Let’s face it, as humans since the beginning of time, we’ve always had to adapt to different challenges. This is no different. This might be the new normal for a while, until we figure out how to get this pandemic under control.

I’ve been very fortunate at various parts of my career to have the experience of working from home or starting a consulting practice from scratch in a new geographic region – where at the beginning, there’s no office to work out of.

Here are a few things that have worked well for me, allowing me to work effectively from home and, during a time of crisis like a pandemic, to avoid feeling isolated.

1. Create a Dedicated Space for Work

It’s important to create a separate area for you to dedicate to work. Ideally you want a space where you can close the door and seclude yourself for taking phone calls, conference calls, video conferences, or just shutting out any distractions when you need to get some work done.

This is important as you can create a virtual boundary for when you’re working and when you’re not. Force yourself to leave this space when you take breaks (whether it be to get some coffee, go for a walk, grab lunch, etc.). This allows you to mimic some of the social norms that you’d have while at the office – like taking a bathroom break, walking to the kitchen to grab a coffee or going out for lunch with your coworkers – where you end up leaving your actual workspace multiple times during the day to let your mind take a break from work.

2. Get Your Technology Set Up Properly

Ergonomics is important, but so is getting actual equipment and connectivity that will allow you to be most effective while working from home. There are plenty of resources online discussing how to set up your workspace with proper ergonomics that fit your needs. I would like to focus on the technology side of things, where certain equipment can make your life significantly less stressful when working from home.

First, invest in a strong and reliable Internet connection. High speed Internet has become really affordable, and most organizations that require their workforce to work from home will usually subsidize some (if not all) of your Internet bill. I recommend getting a reliable and fast connection – this will pay dividends in the long run as you have more and more video conference calls and can start using your VOIP setup if your organization has one.

Second, for making phone calls, if I’m at my desk, I typically use my VOIP setup that NetSPI provides all their employees through Microsoft Teams. I have a dedicated work number where people can reach me, and I use it to make calls from my desk (and even sometimes from my smartphone if I’m somewhere with a spotty cell network but I have a strong Wi-Fi connection).

Third, make sure you get a big monitor/display if you can. You’re going to be hunkered down in a small space working, and forcing yourself to work on a small laptop screen ends up being very stressful. Especially today, when all of us are multi-tasking, an extra monitor is extremely helpful in reducing the amount of back-and-forth between applications. If an extra monitor isn’t viable, Mac users may be able to use an iPad as an extra screen with Sidecar and keep the application or window they use most regularly on it, so they don’t have to constantly switch windows. If you cannot have a multiple-screen setup, you can still leverage your operating system’s features, like “Spaces” on a Mac or “Virtual Desktops” on a Windows machine, to set up multiple screens for different purposes (e.g. one screen for things you’re actively working on and a second screen for all communications, like instant messaging and email).

Here’s a view of my work-setup at home:

Screens and their usage from left to right:

  • I use my iPad Pro as an extra screen with Sidecar to always have my email on display. I like using a stand (Lamicall tablet stand) for the iPad to help raise it a little closer to the height of the other screens.
  • The main monitor (Dell U3818DW) I use for things I’m actively working on – usually things like document creation, web browsing, news feeds, taking notes, etc. – this is basically my active workspace.
  • My MacBook Pro is on a stand to bring it to an eye-level height for me, and I am usually running my virtual machines to perform scanning work, or security testing as I research new things and try to learn and keep up with new technologies as they evolve in the security space.

You’ll also notice that I have a gel-pad for my wrist that spans my keyboard and my mouse. This is because I did in the past start experiencing aches in my wrists and was worried about getting Carpal Tunnel Syndrome – this has helped tremendously to relieve a lot of stress in my hands and shoulders as well.

I also invested in getting myself a nice webcam (Logitech C920S HD Pro), with a privacy shutter. Currently I work remotely from home – even outside of Covid-19 – so I try to make sure that on all conference calls I have my video turned on. I find that it encourages others to turn on their video too making the virtual meetings feel more intimate and also makes you feel more connected with others on your team. Make sure to try and place the camera close to eye-level and at an angle where it’s facing you directly, if possible. Here are some tips on how to kick your video conferencing game up a notch and look more professional during your video calls. As we get more connected globally, and business today happens across all borders and oceans, video conferencing is going to start being more and more prominent. It’s time we start mastering video conferencing.

Here are some home-office setups from some of our other NetSPI colleagues:

3. Embrace Your New “Co-Workers”

All of a sudden, you’re cohabiting and working with some “creatures” that you would normally be away from while at the office. This may be your children, parents, significant other, cat, dog, duck, gecko, etc.

You need to accept that you’ll be “co-working” together and potentially sharing and intruding on each other’s space from time to time. The sooner you accept it, the less friction you’ll have, and you can plan to share the space peacefully. Be grateful for the extra time that you might have with your family, children or your pets – they are definitely excited to have more time with you.

With family members, make sure you have some way to signal them if you’re in the middle of working on something or if on a conference call and need to avoid distractions. For me, when the door to my home office is closed, my pets and my family members know not to bother me. When the door is open, they are welcome to share space as long as they’re not being overbearing or too distracting.

Pets can also be very therapeutic, especially at a time when you’re physically distancing from everyone and may start feeling isolated. Accept them into your space. Let them sleep at your feet (or on your lap for that lap dog or lap cat). Pet them from time to time and let them know that you appreciate the way they naturally relieve your stress and give you a sense of companionship and support that all humans crave.

At NetSPI we have created a Slack channel called #pets_of_netspi where we all share pictures and videos of our new fuzzy (and some non-fuzzy) “co-workers” that help us get through our day. Here’s just a preview of some of our #pets_of_netspi rockstars:

4. Virtual Lunch and Coffee Video Conferences

Just as you don’t always talk to your coworkers in the office about work, you need to keep nurturing both a professional and a personal relationship with your colleagues. We discussed how video conferences have become more prominent; not only that, but Microsoft is making Teams available for everyone to help in the face of the Covid-19 pandemic. With these technical solutions at our disposal today, take advantage of them and schedule virtual lunch or coffee meetings with colleagues. Take a break from work and discuss non-work-related topics like you normally would during lunch or coffee.

5. Maintain a Routine

Even though none of your colleagues or your boss would know if you didn’t brush your teeth, stayed in your pajamas all day, or even went without showering for days, that doesn’t mean you should start getting lazy about your regular day-to-day activities. Make sure you still maintain a regular routine. Things like going to bed and waking up at a consistent time, making your bed, making yourself a healthy breakfast, taking your dog for a morning walk, exercising, meditating, etc. are all important factors that will make you more effective at your work.

Taking some breaks and setting aside some personal time is always healthy. Pick up meditation or take a quick walk around the neighborhood, text or call your loved ones and check in on how they are doing in this moment of crisis.

Another thing you may want to consider is picking up a new skill or hobby. Now that you have all that extra time from not commuting back and forth to the office, you have no excuse. Always wanted to be able to pick up a guitar and play some sick tunes? Well, now is your chance to start learning and practicing. Want to complete your New Year’s resolution of losing those 15 extra pounds you gained over the holidays? Well, maybe now it’s time to start some workout programs that you can do at home. Maybe you always wanted to better yourself with more education? I’ve actually been spending time taking some free Ivy League courses online on topics that I’ve always been interested in delving into deeper.

6. Organize Virtual Social Events with Your Company or Team

Little things can make a big difference in a team’s morale and also help build camaraderie and a sense of togetherness. Organizing a virtual happy hour, or just a video conference call to check in with everyone and hang out, helps reduce the feeling of isolation that everyone is facing from physical distancing.

Last Friday evening, right at the end of business hours, we organized a virtual video happy hour event at NetSPI. It was wonderful to see everyone join in, with their favorite beverages in hand, and enthusiasm to see and connect with the rest of the team. Some did the video conference from their deck in their backyard, some took it from their home office setup, and one even joined from their kid’s bedroom where he was assembling furniture for his kids. The most excitement actually came when pet owners started showing off their pets to each other, and the pets got to greet their new friends during the video conference. There were various topics that were discussed (completely non-work related) as everyone was facing similar circumstances. People even shared ideas they had for activities they were going to attempt over the weekend while trying to practice social distancing.

7. Over-Communicate

You’re not going to get the opportunity to run into your boss or coworker in the hallway and mention all the cool things you’re working on, the amazing meeting you had with a client or the really amazing discovery you made while doing an assessment, so make sure you’re over-communicating and keeping everyone looped in. Send regular status updates to your managers and your teams. As a manager, make sure you communicate regularly with your team members to confirm they’re all on track, try to understand early whether they’re facing any challenges, and help sooner rather than later. Keeping your team and your management updated regularly is key to making sure everyone’s on the same page. If you have customers that you interface with regularly, at times like this regular communication with them is even more important, since your business probably depends heavily on the customers’ current state of business.

Putting It All Together

Remember, you’re not in this situation alone. This working from home situation is turning out to be the new normal. Create a separate workspace dedicated for working. Make sure you get the right technology or accessories to be efficient and effective at your job. Embrace the fact that you’re going to be sharing space and spending more time with your family and pets at home while you’re working. Maintain a routine and stay active both mentally and physically. Set aside time for virtual social activities over video conference. Lastly, make sure you over-communicate and keep everyone looped in on necessary updates.

Hopefully you find these tips helpful as you try to adjust and get acclimated to working from home. If you have comments or other tips that have worked well for you, we would love to hear from you. Share them with us via Twitter by tweeting to @NetSPI with #WorkFromHome.

[post_title] => #WFH – Embracing the New Norm of Working From Home [post_excerpt] => A worldwide pandemic broke out, and your employer is asking you to work from home instead of coming into the office. Well, you’re not alone. [post_name] => wfh-embracing-the-new-norm-of-working-from-home [post_modified] => 2021-04-14 00:55:25 [guid] => https://www.netspi.com/?p=18001 ) [48] => WP_Post Object ( [ID] => 17927 [post_author] => 65 [post_date] => 2020-03-25 07:00:58 [post_content] =>

Enabling Employees to Work from Home

All of a sudden, the world is facing a pandemic, and you are asking all your team members to work from home. Have you really considered all the security implications of moving to a remote workforce model? Chances are you and others are more focused on just making sure people can work effectively and are less focused on security. But at times of crisis – hackers are known to increase their efforts to take advantage of any weak links they can find in an organization’s infrastructure.

I travel significantly for work and have always been fortunate to have a good setup to be able to effectively work from anywhere with a reliable Internet connection. Not everyone is this fortunate, nor do many people have the experience of working remotely until now.

Managing Host-Based Security

Host-based security represents a large attack surface that is rapidly evolving as employees continue to become more mobile. Let’s discuss some key things organizations need to keep in mind as they migrate their teams to be effective while working from home.

1. Education/Employee Training

Before we start talking about technical controls that are important to consider, it’s necessary to start with the people factor. All the technical controls can easily be rendered useless if your team members are not properly trained on security. People need to be trained on how to securely access and manage the organization’s IT assets. With a rise in phishing attacks, it’s important that training not only cover secure ways to access different systems, but also how to avoid potential scams. Education is paramount in making sure that the organization is safe, and people in the organization are not making decisions that can have adverse effects from a security and privacy perspective.

2. Workstation Image Security

Most organizations deploy laptops using a standard set of system images and configurations. The problem with using standard images and configurations is that it becomes challenging to secure a workstation in the event that the laptop is lost, stolen, and/or compromised by a threat actor.

Here are some things to consider while trying to secure laptops and mobile devices:

  • Ensure all workstation images are configured based on a secure baseline.
  • Make sure the secure baselines are managed and updated based on business needs.
  • Track critical operating system and application patches, and ensure that they are applied.
  • Review application and management scripts for vulnerabilities and common attack patterns.
  • Enable full-disk encryption.
  • Perform regular security testing for each workstation image. Organizations typically have multiple images in use, e.g. Windows 7, Windows 10, macOS, etc.

3. Virtual Desktop Infrastructure (VDI) Security

Many organizations are moving away from physical laptops and having their employees access applications and desktops through VDI solutions. A widely used solution is provided by Citrix. This lets employees connect to an organization’s systems by remotely connecting, from a personal computer or a mobile device like a tablet or smartphone, to a virtual desktop server and working directly where the virtual desktop is hosted.

The following are some things that are important to consider in this type of a scenario:

  • Enforce multi-factor authentication (MFA) for all VDI portals and VPN access.
  • Ensure that the VDI is configured so that users cannot exfiltrate data through shared drives, the clipboard, email, websites, printer access, or any other common egress point.
  • Enforce proper access control so users cannot easily pivot to critical internal resources like databases, application servers and domain controllers.
  • Lock down applications to prevent unauthorized access to the operating system resources and ensure that they have the least amount of privileges enabled to function properly.

4. Windows and Linux Server Security

Laptops/workstations and VDI portals are directly exposed to the Internet; Windows and Linux servers usually are not, but once an attacker can pivot into the environment, they usually find it trivial to identify servers on the network to target. Server operating systems need to be configured, reviewed and hardened to reduce the attack surface. Vulnerability scanning by itself is usually not enough, since it won’t expose vulnerabilities that could be used by authenticated attackers.

5. z/OS Mainframe Security

Windows and Linux servers are typically deployed using standard images, but z/OS mainframes tend to be more unique. In most environments, mainframe configurations are not centrally managed as effectively as their Windows and Linux counterparts, which is why there are many inconsistencies in how mainframes are configured, leading to vulnerabilities that are often accessible to domain users.

It’s important to consider the following:

  • Check for missing critical application and operating system patches on a regular cadence.
  • Centrally manage and implement z/OS mainframe configurations based on a secure baseline.
  • Check if Active Directory domain users can log into z/OS mainframe applications or have direct access through SSH or other protocols.
  • Periodically perform penetration testing and security reviews of your deployed z/OS mainframes.
[post_title] => Keeping Your Organization Secure While Sending Your Employees to Work from Home [post_excerpt] => All of a sudden, the world is facing a pandemic, and you are asking all your team members to work from home. [post_name] => keeping-your-organization-secure-while-sending-your-employees-to-work-from-home [post_modified] => 2021-04-14 00:55:37 [guid] => https://www.netspi.com/?p=17927 ) [49] => WP_Post Object ( [ID] => 17864 [post_author] => 65 [post_date] => 2020-03-24 07:00:47 [post_content] =>

Similarities Between Computer Viruses and Medical Viruses

There’s a reason why a computer virus is called a “virus”: it has many similarities with medical viruses (like COVID-19) that have a severe impact on your personal health. Just as the Coronavirus can hide its symptoms and be contagious for long periods of time before causing any visible damage, a computer virus operates no differently.

With how interconnected we are in today’s digital world, a computer virus (one spreading through a “wormable” remote code execution vulnerability like EternalDarkness, which affects Microsoft Server Message Block SMBv3) can start infecting and spreading in a matter of minutes. Typically, this type of virally distributed malware can also keep its symptoms hidden, like a real virus, until the exploit payload is executed, causing damage to computer systems.

Plenty of Phish in the Sea – Hackers Taking Advantage at a Time of Fear and Uncertainty

It seems like during any disaster, phishing emails increase as well. Hackers take advantage of the human element, especially at a time of fear and uncertainty like the major pandemic we are currently facing. Naturally, due to people’s fears and the seriousness of the pandemic, people are actively seeking as much information as they can to keep themselves, their families, and their loved ones safe. Preying on the human element, hackers are actively sending various types of phishing emails related to the Coronavirus. The volume of these phishing emails has reportedly increased significantly over the last couple of weeks. Some of the most common examples of these phishing emails are fake emails:

  • From a doctor with attachments that claim to have certain steps to avoid Coronavirus and encourages the recipient to share the attachment with family and friends.
  • From business partners with attachments that supposedly contain FAQs regarding the Coronavirus.
  • From company management, a link to a meeting recording discussing Coronavirus and how it’s being handled by the organization – with a malicious link embedded in the email instead of a recording.
  • From a fake employee claiming that an employee in the company has contracted the Coronavirus, with an attached advisory that all employees are encouraged to read.
  • From an organization that is giving away free equipment and protective gear (like masks) and needs the recipient to click on a link to confirm the delivery address.
  • From HR talking about how they are giving extra money to their employees available only during the next few hours.
  • From the IT service desk asking employees to follow a link and take a survey.
  • From the CDC with a malicious link about new confirmed cases in the recipient’s city.

An Ounce of Prevention Goes a Long Way

Taking a little bit of precaution, especially when it comes to getting infected by malware or having your personal data stolen, goes a long way. The headache and hassle of having to deal with a personal data breach or ransomware attack can easily be avoided, if people are vigilant and well informed about determining whether an email is a phishing email or not.

Common Symptoms of a Phishing Email

1. Requesting Private and Personal Information

Just as you don’t expect the prince of some African country to need your banking information to help them move money around, if you’re receiving an email about a pandemic or an issue related to public health, there’s absolutely no reason why the sender would need you to click on a link to log in with your user credentials or personal details. Just by using some common sense, you should be able to determine that there’s something very phishy about that email. This should be a clear sign that the email is malicious.

2. Unnecessary Sense of Urgency or Fear Mongering

When it comes to sharing information about a pandemic or any crisis, any given agency or legitimate source of information would most likely use language that’s calm and credible. The subject of the email or the body will typically not be something that sounds extra alarming. In the case that the email is actually necessary to convey an urgent message, it won’t require the recipient to click on a link or require the recipient to open an attachment to get the information. Instead a legitimate email would contain the relevant information in the email body itself.

3. Sender’s Email Address is Unfamiliar or Suspicious

Many phishing emails claim to come from organizations that work in an official capacity during a crisis (e.g. the World Health Organization or the Centers for Disease Control). An email claiming to be from one of these organizations, with multiple attachments or links to additional resources and information about the crisis at hand, but sent from an address ending in @hotmail.com or @aol.com makes absolutely no sense. Hopefully these will be caught by your email spam filter. Unfortunately, some do slip past those filters, and in that case the mismatch between the claimed sender and the actual address should make it very clear that the email is a phishing attempt.

4. Companies Will Usually Use Your Name to Greet You in Emails

Most companies or organizations where you are a customer, or your doctor’s office for example, will have access to some basic information about you, such as your name. When they send you communications, they will address you by name rather than with a generic salutation like “Dear Client” or “Dear Subscriber.” In many cases hackers will skip the salutation altogether, especially when they are sending emails offering special deals or asking the recipient to click on a link to get something for free or win something.

5. Poor Spelling and Grammar

Criminals on the internet, and fake royal family members from other continents, don’t necessarily have the best education, and in many cases the language in which they send their phishing emails is not their primary language. It is therefore very common for phishing emails to be riddled with spelling errors or poor grammar. Oddly structured sentences, strange capitalization, or the use of a completely wrong word or phrase are clear signs of a phishing email.

6. Low Resolution Graphics in Emails

Cybercriminals will often copy and paste logo graphics from different parts of the Internet into their emails. If an email claims to be from the CDC with information about the Coronavirus, but the logo looks a little fuzzy or tiny, that should be a clear red flag that the email is malicious or fake: it is a sign that the sender does not work for the organization they claim to represent.
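The first five symptoms above can be turned into a simple detection heuristic. The following Python scorer is an added example, not code from the original post or from NetSPI: it checks a plain-text email for a credential request delivered via a link, urgency language, an official-sounding display name paired with a free-mail sender domain, a generic or missing salutation, and a handful of common misspellings. Symptom 6, the low-resolution logo, is a visual check that text analysis cannot make. The indicator lists, the hostnames and both sample emails (a CDC-themed lure from a hotmail.com address and a clinic appointment confirmation) are constructed for the demo.

```python
"""
Heuristic phishing-symptom scorer for a plain-text email.

Added example, not code from the original post or from NetSPI. It checks the
textual symptoms 1 to 5 from the post; symptom 6 (low-resolution logos) is a
visual check that text analysis cannot make. Word lists and the two sample
messages below are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed indicator lists; a production filter would use far larger ones.
FREE_MAIL_DOMAINS = {"hotmail.com", "aol.com", "gmail.com", "yahoo.com"}
OFFICIAL_CLAIM = re.compile(r"\b(cdc|who|world health organization|centers? for disease control)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|act now|final notice|within (?:the )?next \d+ hours?)\b", re.I)
CREDENTIAL_REQUEST = re.compile(r"\b(log ?in|password|verify your (?:account|identity)|bank(?:ing)? (?:account|information))\b", re.I)
GENERIC_SALUTATION = re.compile(r"^\s*dear\s+(customer|client|subscriber|user|employee)\b", re.I | re.M)
ANY_SALUTATION = re.compile(r"^\s*(dear|hi|hello)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s>\"']+", re.I)
COMMON_MISSPELLINGS = {"recieve", "informations", "adress", "verificate", "kindly revert"}


def analyze(raw_email: str) -> dict:
    """Return the symptoms found in one email and a score (one point per symptom)."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # plain-text, single-part messages only
    findings = []

    # 1. Asking for credentials or personal details through a link.
    if CREDENTIAL_REQUEST.search(body) and URL.search(body):
        findings.append("requests credentials or personal details via a link")

    # 2. Manufactured urgency in the subject or the body.
    if URGENCY.search(subject + "\n" + body):
        findings.append("urgent or alarming language")

    # 3. Display name claims an official organisation but the address is free mail.
    if OFFICIAL_CLAIM.search(display_name) and domain in FREE_MAIL_DOMAINS:
        findings.append(f"claims to be '{display_name}' but sent from {domain}")

    # 4. Generic salutation, or no salutation at all.
    if GENERIC_SALUTATION.search(body):
        findings.append("generic salutation")
    elif not ANY_SALUTATION.search(body):
        findings.append("no salutation")

    # 5. Spelling errors from a small constructed list.
    misspelled = sorted(w for w in COMMON_MISSPELLINGS if w in body.lower())
    if misspelled:
        findings.append("misspellings: " + ", ".join(misspelled))

    return {"sender": address, "findings": findings, "score": len(findings)}


# Constructed sample messages (not real mail); .example is a reserved domain.
PHISHING_SAMPLE = """\
From: "CDC Alerts" <cdc-alerts@hotmail.com>
To: someone@example.com
Subject: URGENT: new confirmed cases in your city

Dear Customer,

New cases were confirmed in your area. You must log in within the next 2 hours
to recieve the full report: http://cdc-updates.example/login

Stay safe,
CDC
"""

LEGITIMATE_SAMPLE = """\
From: "Clinic Appointments" <appointments@clinic.example>
To: someone@example.com
Subject: Your appointment on Monday

Dear Nabil,

This confirms your appointment on Monday at 10:00. Reply to this message if
you need to reschedule.

The Clinic Team
"""

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGITIMATE_SAMPLE):
        result = analyze(sample)
        print(result["sender"], result["score"], result["findings"])
```

Run directly, the script scores the constructed lure on all five textual symptoms and the appointment confirmation on none. The score is a count rather than a verdict on purpose: a single indicator (an urgent subject line, say) is common in legitimate mail, while several together are what the post is teaching readers to notice.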

Source: Staying Safe Online During the COVID-19 Pandemic (Nabil Hannan, last modified 2021-04-14), https://www.netspi.com/?p=17864

It is very common to hear people make blanket statements like “WhatsApp is secure,” but they rarely truly understand the actual security controls that WhatsApp is providing. In fact, this notion of being “secure” is one of the main reasons why WhatsApp gained so much popularity and built such a big user base.

In today’s world, where everything is on the Internet, people crave some privacy, especially when they are communicating with other people and sharing personal conversations. The fact that WhatsApp offers a communication channel where messages between users are fully encrypted, to the point where the company providing the service cannot read them, gives people a false sense of security when using WhatsApp.

What “Security” is WhatsApp Really Providing?

Let’s first make sure we understand what security control WhatsApp claims to provide. WhatsApp uses the Signal protocol. The encryption scheme is simply asymmetric encryption of messages between the users, and the transmission of the encrypted messages is facilitated by a server provided by WhatsApp.

So, the way the message is protected while in transit from the sender to the intended recipient is secure.

What Other Aspects of Security Do People Need to be Mindful Of?

When it comes to security, there’s a lot more involved than just securing the data while it’s in transit. If securing applications were as simple as securing the communication channel, then websites wouldn’t have any vulnerabilities in them once they had implemented SSL, but we know that is not the case. So why would it be any different for WhatsApp, or any other mobile app for that matter?

Just because the communication channel is secure doesn’t mean that the rest of the application is secure too. What people tend to forget is that the content of the messages they receive may still be malicious and have a security impact, depending on how the user behaves.
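The layering described in the last two sections can be made concrete with a toy model. The Python below is an added example, not WhatsApp, Signal, or NetSPI code: the cipher is a teaching construction (an HMAC-SHA256 keystream with an HMAC tag) standing in for the Signal protocol, the pairwise key is a constructed constant rather than the result of a key agreement, and the relay server, message text and hostname are made up. It shows what the relaying server can observe (sender, recipient, size, ciphertext), what only the recipient’s client can observe (the plaintext), and that the client still has to inspect that plaintext before acting on it.

```python
"""
Toy model of an end-to-end encrypted relay.

Added example: not WhatsApp, Signal, or NetSPI code. The cipher is a teaching
construction (HMAC-SHA256 keystream plus an HMAC tag) standing in for the real
protocol, and the pairwise key is a constructed constant rather than the output
of a key agreement. It shows the layering the post is about: the relaying
server sees only metadata and ciphertext, while the recipient's client, which
alone can read the plaintext, still has to treat that plaintext as untrusted.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed stand-in for the key the two endpoints would normally agree on.
SHARED_KEY = hashlib.sha256(b"constructed demo secret shared by alice and bob").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; for teaching only, not a vetted cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: the tag covers both nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, envelope: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce = bytes.fromhex(envelope["nonce"])
    ct = bytes.fromhex(envelope["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(envelope["tag"]), expected):
        raise ValueError("tag mismatch: envelope altered in transit or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class RelayServer:
    """The provider's server: it stores and forwards envelopes it cannot open."""
    mailbox: list = field(default_factory=list)

    def accept(self, sender: str, recipient: str, envelope: dict) -> dict:
        record = {"from": sender, "to": recipient, "size": len(envelope["ct"]) // 2}
        self.mailbox.append({**record, "envelope": envelope})
        return record  # everything the server itself learns about the message


# Content checks the receiving client applies after decryption succeeds.
RISKY_ATTACHMENT = re.compile(r"\.(apk|exe|scr|js|vbs)\b", re.I)
LINK_HOST = re.compile(r"https?://([^/\s]+)", re.I)


def inspect_plaintext(text: str) -> list:
    """Flag links and executable attachment names in a decrypted message."""
    findings = [f"link to external host {host}; treat as untrusted" for host in LINK_HOST.findall(text)]
    findings += [f"attachment name ends in .{ext.lower()}; executable content" for ext in RISKY_ATTACHMENT.findall(text)]
    return findings


def demo() -> dict:
    """Send one constructed message from alice to bob through the relay."""
    server = RelayServer()
    message = b"Hey, open invoice.apk or see https://login-example.test/verify"  # constructed
    envelope = encrypt(SHARED_KEY, message)
    server_view = server.accept("alice", "bob", envelope)
    delivered = server.mailbox[-1]["envelope"]
    plaintext = decrypt(SHARED_KEY, delivered)
    return {
        "server_view": server_view,
        "server_sees_plaintext": message in bytes.fromhex(envelope["ct"]),
        "recipient_plaintext": plaintext.decode(),
        "client_findings": inspect_plaintext(plaintext.decode()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, the script prints the server’s view (who, to whom, how many bytes) next to the recipient’s view (the text, plus two findings: an external link and an .apk attachment name). Flipping a byte of the stored ciphertext makes decrypt raise, which is the transport-layer guarantee; nothing about that guarantee makes the decrypted link or attachment safe to open, which is the application-layer point of the post.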

Phishing Attacks

Let’s say a user is sent a phishing link, and the user clicks on it to see where it takes them – they will fall victim to the attack just like they would have if they had received the same link via email or any other method. Just like people are told never to click on a link from an email – especially if it’s from someone they don’t know or trust – the same rule applies here.

Malware

Malware is everywhere on the internet, and being able to identify and avoid opening infected files is a common challenge. Just as malware can be downloaded while browsing the web or by opening email attachments, opening a potentially infected file received through a messaging app has the same consequences. There are many stories in the news today about people who were infected with malware because they opened a video clip, an audio file, or a similar attachment.

The App Itself

The app you are using may itself be vulnerable and allow attackers to remotely execute code on a user’s device. WhatsApp had a buffer overflow vulnerability that allowed attackers to easily execute code on WhatsApp users’ devices; details of the vulnerability itself can be found on the CVE-2019-11931 page. Almost all users of WhatsApp on Android, iOS, and Windows were affected. This wasn’t the only vulnerability found in WhatsApp: in a separate case, attackers were able to inject spyware onto phones by exploiting a zero-day vulnerability. The most damaging part of that attack was that it required no action by the user being infected. Read more in this article by the Financial Times.

Beyond WhatsApp, there are also cases where an app was created specifically for secure communications but was designed incorrectly and ended up all over the news. The most recent example that comes to mind is when the French government launched a new messaging app intended only for state employees, but the account sign-up process was flawed and allowed anyone to sign up and send messages through the system. Details of the issue can be found here.

Why Should You Care?

People need to understand the consequences of the apps they use for communication, especially when they use these apps for business. Organizations will typically have contracts with service providers like Slack, Microsoft Teams, etc. to provide official channels of communication. This allows the organization to securely manage its employees’ communications and ensure that sensitive information stays properly secured, both in transit and at rest. In addition, if a device is lost, these services allow organizations to remotely delete any sensitive data stored on the device itself.

An example of where there’s serious concern around public officials using WhatsApp for official communications was raised when it was discovered that Jared Kushner may have been using WhatsApp for his official communications. Read more about the concerns here.

Using proper communication channels is critical when conducting business, given the sensitive nature of almost all of the communication and data that running a successful business depends on.

Source: Why Do People Confuse “End-to-End Encryption” with “Security”? (Nabil Hannan, published 2020-02-18, last modified 2021-04-14), https://www.netspi.com/?p=16611

Cybersecurity leaders hold one of the most difficult positions today, as they’re often tasked with protecting an entire organization from sophisticated threats with limited resources. I recently sat down with Diana Kelley, founding partner and CTO at Security Curve, on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management, to discuss key challenges and opportunities security leaders face today. Read on for highlights from our conversation around communicating cybersecurity ROI, building an application security program, inclusivity in the cybersecurity industry, and more.

Nabil: Connecting and conveying a particular message to the C-suite is a common challenge across the security industry. What has worked well for you when communicating ROI or asking for budget from leadership? 

Diana: Cybersecurity ROI can be tough to communicate. First, remember, if you're going to the executives or presenting to the C-suite, you have to look at the world through their lens. We tend to, as technical people, look at it through our lens – which is okay for our understanding, but it is the fiduciary responsibility of the stakeholders of the company to make it profitable. It is important to always think about that, think about how security translates to profitability. Do not go into a leadership or board meeting with technical detail, go in there with “this is what it means” or “this is how it impacts our bottom line.” 

Second, do not dismiss the fact that their lens is different, as if it is somehow denigrated. The craziest thing I’ve experienced was a technical person saying in front of a board of directors, “I'm the risk expert here.” They may have been the technical risk expert, but they didn't understand that the job of the board is risk assessment. It's a different lens of risk assessment, focused on business and profit, but it's still risk.

People always say to speak in the language of business. The way to do this in practice is to remember their lens of profitability, remember that risk is about business risk, and then tie your technical risk in a business way that isn't deeply technical, but is very strong and powerful. You can also share examples, such as, “Did a similar customer lose money due to a competitor having the same problem?” or “Is there new legislation coming down the pipeline that's going to change our implementation and strategy?”

Finally, do not forget to engage leadership in the decision-making process. You want to avoid being demanding, which often happens after a breach or audit. Early on, engage with leadership and communicate the security issues, what it could mean to your profitability, and explain how the security team can help improve or protect the business in the future. Most importantly, ask if they agree that the investment is a good way to spend the organization’s money and ensure you have a consensus. 

For more on how to showcase the ROI of cybersecurity, read NetSPI’s Five Metrics to Showcase the ROI of Pentesting.

Nabil: Let's talk about application security. What insight would you give people as they try to decide what frameworks they should use and how to navigate the different options out there?

Diana: Organizations must get an application security program in place – a secure software development lifecycle (SSDLC). This is the most critical part. As far as frameworks go, BSIMM is a good option to understand what other companies that look like you are doing in terms of application security. It allows organizations to have a maturity model to build towards. 

Have a framework in place to start implementing an application security program, create standards for your developers, and start application security testing early on. Identify your application security requirements and understand the threat model so that you can start to build and think about the test harness as soon as possible. It's more important to start implementing rather than focusing on which framework you choose.

It concerns me that now we're getting into this big shift in the enterprise where we're no longer writing code from the ground up, we're doing a lot of low-code no-code. This is fantastic in terms of what we're able to build and how quickly we're able to build it. But companies that are now creating low-code no-code solutions are using a lot of functions and libraries and they are not thinking about it as custom-built code. 

I've heard many times, “we don't actually build any applications.” Then, you start talking to the company and you find out that they have many scripts that are pulling in functions from the cloud, they're using cool tools like Zappy or Airtable, but they're giving access into parts of their data sets, and they don't realize those scripts are code. I'm hopeful that companies don’t solely have an application security program in place, but also an understanding that they need to extend this program to the low-code no-code serverless world that we are moving towards.

Nabil: A lot of the work that you do is focused on inclusivity in the security industry. What advice do you have for security leaders looking for new talent?

Diana: With Women in Cybersecurity (WiCyS) specifically, we’re very focused on bringing women into cybersecurity, but there are many different non-profits out there that are looking at cohorts and sectors that have not been involved in cybersecurity in the past. I think security leaders could benefit from getting involved with these organizations to look for internships for externships.

It's very common for leaders to say, “We can't find any diverse talent and we had to hire somebody who looks like everybody else because there were no other candidates.” Often, it's not that you didn't look far enough or hard enough. And that may be because they're not in your network. If your network doesn't extend out broadly to different groups of people, then work to expand it.

Be open to people that may not have college degrees, as every job in cybersecurity doesn't necessarily need a four-year liberal arts degree. Maybe there is somebody who has recently graduated from high school that's completed the right training. Rethink what you know, how you're hiring, who you're hiring, open that aperture wider, and work with those communities that are encouraging inclusivity. 

Another tip is to think critically about how you’re writing job descriptions. There is research that shows that women will not apply for a job unless they match about 90% of the criteria or higher, whereas men will apply if they only match 50%. If you write a job description that includes every experience and skill under the sun because you want to get great resumes, what you’re actually doing is turning off the candidates who are reading that job description and believe that, if they don't have 90 percent or 100 percent of the criteria, they're not going to be eligible for the job. Rethink your job descriptions: do not gender the job descriptions and make sure that they're not overstuffed. Write it for what you are looking for and focus on what is important. You’ll be surprised at the resumes it brings in.

Listen to Agent of Influence Episode 30 featuring Diana Kelley
Source: Q&A: Diana Kelley Discusses ROI, Application Security, and Inclusivity (Nabil Hannan, published 2021-07-20, last modified 2021-07-19), https://www.netspi.com/?p=25984