Nabil Hannan
- Overworked and understaffed teams
- Friction between application security engineers and development teams
During his time at Microsoft, Idan Plotnik, co-founder and CEO at Apiiro experienced these two roadblocks and created an application security testing tool that addressed both. I recently had the opportunity to sit down with him to discuss the concept of shift left and other application security challenges.
Continue reading for highlights from our conversation including contextual pentesting, open-source security, and tips on how a business can better prepare for remote code execution vulnerabilities like Log4Shell. For more, listen to the full episode on the Agent of Influence podcast.
Why is it important to get more context on how software has changed and apply that to pentesting?
Idan Plotnik: One of the biggest challenges we are hearing is that organizations want to run penetests more than once throughout the development life cycle but are unsure of what and when to test. You don't want to spend valuable time on the pentester, the development team, and the application security engineer to run priority or scoping calls in every release. You want to identify the crown jewels that introduce risk to the application. You want to identify these features as early as possible and then alert your pentesting partner so they can start pentesting early on and with the right focus.
It's a win-win situation.
On one hand, you reduce the cost of engineers because you're not bombarding them with questions about what you've changed in the current release, when and where it is in the code, and what are the URLs for these APIs, etc.
On the other hand, you’re reducing the costs of the pentest team because you’re allowing them to focus on the most critical assets in every release.
Nabil Hannan: The traditional way of pentesting includes a full deep dive test on an application. Typically, the cadence we've been seeing is annual testing or annual requirements that are driven by some sort of compliance pressure or regulatory need.
I think everybody understands why it would be valuable to test an application multiple times, and not just once a year, especially if it's going through changes multiple times in a year.
Now, the challenge is doing these tests can often be expensive because of the human element. I think that's why I want to highlight that contextual testing allows the pentester to hone and focus only on the areas where change has occurred.
Idan: When you move to agile, you have changes daily. You need to differentiate between changes that are not risky to the organization or to the business, versus the ones that introduce a potential risk to the business.
It can be an API that exposes PII (Personally Identifiable Information). It can be authorization logic change. It can be a module that is responsible for transferring money in a trading system.
These are the changes that you need to automatically identify. This is part of the technology that we developed at Apiiro to help the pentester become much more contextual and focused on the risky areas of the code. With the same budget that you have today, you can much more efficiently reduce the risks.
Learn more about the partnership between NetSPI and Apiiro.
Why is open-source software risk so important, and how do people need to think about it?
Idan: You can’t look at open source as one dimension in application security. You must take into consideration the application code, the infrastructure code, the open-source code, and the cloud infrastructure that the application will eventually run on.
We recently built the Dependency Combobulator. Dependency confusion is one of the most dangerous attack vectors today. Dependency confusion is where you’re using an internal dependency without a proper naming convention and then an attacker goes into a public package manager and uses the same name.
When you can't reach your internal artifact repository or package manager, it will automatically fall back and access the package manager on the internet. Then, your computer will fetch or download the malicious dependency with the malicious code, which is a huge problem for organizations.
The person who founded the dependency confusion attack suddenly receive HTTP requests from within Microsoft, Apple, Google, and other enterprises because he found some internal packages while browsing a few websites. He just wanted to play with the concept of editing the same packages with the same name to the public repository.
This is why we need to help the community and provide them with an open-source framework that they can extend, so that they can run it from their CLI or CI/CD pipeline for every internal dependency. Contributing to the open-source community is an important initiative.
What can organizations do to be better prepared for similar vulnerabilities to Log4Shell?
In December 2021, Log4Shell sent security teams into a frenzy ahead of the holiday season. Idan and I discussed four simple steps organizations can take on to mitigate the next remote code execution (RCE) vulnerability, including:
- Inventory. Inventory and identify where the vulnerable components are.
- Protection. Protect yourself or your software from being attacked and exploited by attackers from the outside.
- Prevention. Prevent developers from doing something or getting access to the affected software to make additional changes until you know how to deal with the critical issue.
- Remediation. If you do not have that initial inventory that is automated and happening systemically across your organization and all the different software that is being developed, you cannot get to this step.
For the full conversation and additional insights on application security, listen to episode 39 of the Agent of Influence podcast.
On June 24, 2022, NetSPI Managing Director Nabil Hannan published an article in Solutions Review called Four Ways to Elevate Your Penetration Testing Program. Read the preview below or view it online.
+++
Let’s set the scene. For years, organizations have undergone compliance-based penetration testing (pentesting), meaning they only audit their systems for security vulnerabilities when mandated to do so by regulatory bodies. However, this “check-the-box” mindset that’s centered around point-in-time testing is leaving organizations at risk for potential exploitation.
From August-October 2021 alone, a total of 7,064 new Common Vulnerabilities and Exposures (CVE) numbers were registered – all of which could go undetected if a business does not have an established proactive security posture.
With malicious actors continuously evolving and maturing their attack techniques, organizations must leave this outdated mindset behind and take the necessary steps to develop a comprehensive, always-on penetration testing program. Here’s a look at how this can be accomplished.
Adopt an ‘as-a-Service’ Model
Traditional pentesting programs operate under a guiding principle: organizations only need to test their assets a few times a year to protect their business from potential vulnerabilities properly. During this engagement, a pentester performs an assessment over a specified period and then provides a static report outlining all of the found vulnerabilities. While once deemed the status quo, there are many areas for inefficiencies in this traditional model.
With threats increasing, organizations must take a proactive approach to their security posture. Technology-enabled as-a-Service models overhaul traditional pentesting programs by creating always-on visibility into corporate systems. For an as-a-Service model to succeed, the engagement should allow organizations to view their testing results in real-time, orchestrate faster remediation, and perform always-on continuous testing.
This hyperfocus on transparency from both parties will drive clear communication, with the pentesters available to address any questions or concerns in real-time – instead of just providing an inactionable static report. Additionally, it allows teams to truly understand the vulnerabilities within their systems so they can begin remediation before the end of the pentesting engagement.
Lastly, when working in an as-a-Service model, pentesters can help organizations become more efficient with their security processes, as they work as an extension of the internal team and can lend their industry expertise to help strengthen their clients’ security posture.
Read the full article online here.
[post_title] => Solutions Review: Four Ways to Elevate Your Penetration Testing Program [post_excerpt] => On June 24, 2022, NetSPI Managing Director Nabil Hannan published an article in Solutions Review called Four Ways to Elevate Your Penetration Testing Program. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => endpoint-security-elevate-penetration-testing-program [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:30 [post_modified_gmt] => 2023-01-23 21:10:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28010 [menu_order] => 208 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [13] => WP_Post Object ( [ID] => 27989 [post_author] => 65 [post_date] => 2022-06-21 11:44:00 [post_date_gmt] => 2022-06-21 16:44:00 [post_content] =>On June 21, 2022, NetSPI Managing Director Nabil Hannan published this article on TechTarget called How to Address Security Risks in GPS-enabled Devices. Read the preview below or view it online.
+++
Trendy consumer gadgets are reaching the market at an expedited rate in today's world, and the next new viral product is right around the corner. While these innovations aim to make consumers' lives easier and more efficient, the rapid development of these products often creates security risks for users -- especially as hackers and malicious actors get more creative.
When commercial drones were brought to market as recreational tools in 2013, for example, consumers jumped at the chance to use them for a wide range of personal purposes, from photography to flying practice. Many security risks emerged, however, and it became clear that drones can be used maliciously to do anything from tracking and monitoring to causing physical harm and societal disruption.
GPS-enabled devices are now experiencing the same growing pains.
The Current Threat Environment
GPS-enabled devices have been on the market for a while, but consumer use has boomed in recent years. The newest device making waves is Apple's AirTag -- a small device that tracks personal items such as keys, wallets and backpacks.
With an affordable price tag, consumers have jumped at the opportunity to keep track of their belongings more easily. As adoption has grown, however, so have security and privacy concerns. Malicious actors can easily slip these devices into peoples' belongings and track them.
While the risk to consumers is clear, businesses and influential figures can also be targeted. GPS-enabled devices can be used to track day-to-day business movements and identify exploitable weak points.
Apple has remediated some of these risks by releasing a personal safety guide outlining the steps users should take if they find an unknown AirTag or suspect someone has gained access to their product. Yet these risks highlight a broader problem with GPS-enabled devices. Threat modeling in the design phase of tech development must evolve to uncover emerging security risks -- before consumers get their hands on the devices.
Read the full article online.
[post_title] => TechTarget: How to Address Security Risks in GPS-enabled Devices [post_excerpt] => On June 21, 2022, NetSPI Managing Director Nabil Hannan was featured in this TechTarget interview called How to Address Security Risks in GPS-enabled Devices. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-security-risks-gps-enabled-devices [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:31 [post_modified_gmt] => 2023-01-23 21:10:31 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27989 [menu_order] => 211 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [14] => WP_Post Object ( [ID] => 27749 [post_author] => 65 [post_date] => 2022-05-10 07:00:00 [post_date_gmt] => 2022-05-10 12:00:00 [post_content] =>What is the typical authentication setup for personal online accounts? The username and password.
For too long, we have depended on this legacy form of authentication to protect our personal data. As more people rely on the internet to manage their most important tasks — online banking, applying for loans, running their businesses, communicating with family, you name it — many companies and services still opt for the typical username and password authentication method, often with multi-factor authentication as an option, but not a requirement.
To combat the sophisticated attacks of hackers today, multi-factor authentication methods must be considered the bare minimum. [For those unfamiliar with the concept, multi-factor authentication, or MFA, requires the user to validate their identity in two or more ways to gain access to an account, resource, application, etc.] Then, starting on that foundation, security leaders must consider what other identity and access management practices can they implement to better protect their customers?
For more insights on this global challenge, we spoke with authentication expert Jason Soroko, CTO-PKI at Sectigo, during episode 40 of the Agent of Influence podcast to learn more about the future of multi-factor authentication, symmetric and asymmetric secrets, digital certificates, and more. Continue reading for highlights from our discussion or listen to the full episode, The State of Authentication and Best Practices for Digital Certificate Management.
Symmetric Secrets vs. Asymmetric Secrets
The legacy username and password authentication method no longer offers enough protection. Let’s take a deep dive into symmetric secrets and asymmetric secrets to better understand where we can improve our processes.
Symmetric secrets are an encryption method that use one key for both encrypting and decrypting a piece of data or file. Here’s a fun anecdote that Jason shared during the podcast: “Let’s say you and I want to do business. We agree that I could show up at your door tomorrow and if I knock three times, you will know it's me. Well, somebody could have overheard us having that conversation to agree to knock three times. It’s the same thing with a username and password. That's a shared symmetric secret.”
According to Jason, the issue with this method is that the secret had to be provisioned out to someone or, in today’s context, keyed into memory on a computer. This could be a compromised endpoint on your attack surface. Shared secrets have all kinds of issues, and you only want to utilize them in a network where the number of resources is extremely small. And we should no longer use them for human authentication methods.
Instead, we need to shift towards asymmetric secrets.
Asymmetric secrets, which are used to securely send data today, have two keys: private and public. The public key is used for encryption purposes only and cannot be used to decrypt the data or file. Only the private key can do that.
The private key is never shared; it never leaves a secured place (e.g., Windows 10, Windows 11, trusted platform module (TMP), etc.) and it’s what allows the authentication to occur securely. Not only that, but asymmetric secrets don’t require the 123 steps of authentication, improving the user experience overall. The ability for a hacker to guess or steal the asymmetric secret is much more difficult because it is in a secure element, Jason explains.
Of course, some organizations have no choice but to stick with ancient legacy systems due to financial reasons. But the opportunity here is to complement that legacy authentication method with other controls so you can enhance your authentication system.
Pitfalls of SMS Authentication
If you’re considering SMS authentication, I hate to be the breaker of bad news, but that doesn’t offer comprehensive protection. SMS authentication was never built to be secure, and it was never intended to be used the way it is used popularly today. Now, not only do we have the issue of people using a protocol that’s inherently insecure by design, but hackers can easily intercept authentication messages sent via SMS.
As Jason shared on the podcast, the shocking truth is that SMS redirection is commercially available. It only costs around $16 to persuade the telecommunications company to redirect SMS messages to wherever you want them to go, which shows how easily hackers can obtain messages and data.
Learn more about telecommunications security, read: Why the Telecoms Industry Should Retire Outdated Security Protocols.
Three Best Practices for Managing Digital Certificates
Even with the implementation of multi-factor authentication, how do you know if a person or a device is trustworthy to allow inside your network?
You achieve that with digital certificates also known as public key certificates. They’re used to share public keys and verify the ownership of a public key to the person or device that owns it.
With so many people moving to remote work, this only amplifies the number of digital certificates to authenticate each day. It’s important to manage your digital certificates effectively to mitigate the risk of adversaries trying to access your organization’s network.
For additional reading on the security implications of remote work, check out these articles:
- COVID-19: Evaluating Security Implications of the Decisions Made to Enable a Remote Workforce
- Keeping Your Organization Secure While Sending Your Employees to Work from Home
To get you started toward better digital certificate management, Jason shared these three best practices:
- Take inventory: Perform a proper discovery of all the certificates that you have (TLS, SSL, etc.) to gain visibility into how many you have.
- Investigate your certificate profiles: Take into consideration your DevOps certificates, your IoT certificates, etc., and delve into how the certificates were set up, who set them up, how long the bit-length is, and whether is it a proper non-deprecated cryptographic algorithm.
- Adapt to new use cases: Look towards the future to determine if you can adapt to new use cases (e.g., can this be used to authenticate BYOD devices or anything outside the Microsoft stack, how will the current cryptographic algorithms today differ in the future, what about hybrid quantum resistance, etc.).
The Future of Multi-Factor Authentication
As mentioned at the beginning for this article, multi-factor authentication should be considered the bare minimum, or foundation, for organizations today. For organizations still on the fence about implementing this authentication method, here are three reasons to start requiring it:
- A remote workforce requires advanced multi-factor authentication to verify the entities coming into your network.
- Most cyberattacks stem from hackers stealing people’s username and password. Multi-factor authentication adds additional layers of security to prevent hackers from accessing an organization’s network.
- Depending on which method your organization utilizes, multi-factor authentication provides a seamless login experience for employees — sometimes without the need for a username or password if using biometrics or single-use code.
More organizations are choosing to adopt multi-factor authentication and we can only expect to see more enhancements in this area.
According to Jason, artificial intelligence (AI) will play an important role. Take convolutional neural networks for example. This is a type of artificial neural network (AAN) used to analyze images. If we were to apply convolutional neural networks to cybersecurity, we could train it to identify malicious known binaries or patterns quickly and accurately. Of course, this is something to look forward to in the foreseeable future.
An area we’ve certainly made much progress on, though, is the ability to use machine learning to determine malicious activity in the credit card fraud detection space.
Multi-Factor Authentication is Only the First Step
At a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.
Cyberwarfare coupled with a remote workforce and government scrutiny should prompt companies everywhere to bolster their cybersecurity defenses. The authentication methods and best practices Jason Soroko shared with me on the Agent of Influence podcast are a step in the right direction toward protecting your organization, employees, and — most importantly — your customers.
On May 5, 2022, Nabil Hannan was featured in the VMblog Get Expert Advice During World Password Day 2022. Preview the article below, or read the full article online.
+++
Did you know, today, May 5th, is World Password Day! The Registrar of National Day Calendar has designated the first Thursday of May of each year as World Password Day, and it is meant to promote better password habits - something we could all use, I'm sure. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, banking, social media, private work, and life communications.
We use a lot of online services in our daily lives. And we're constantly having to deal with the possibility of so many different types of attacks, making digital protection more and more important. So let World Password Day be a reminder and encourage people to protect themselves with a series of strong passwords.
To help get a handle on things, a number of industry security experts have chimed in to share their perspectives and opinions with VMblog readers.
--
Nabil Hannan, Managing Director, NetSPI
“World Password Day serves as a moment in time for organizations to re-evaluate password security best practices. Today, a strong authentication strategy must include policies for safe password storage, the most important aspect of password security. Additionally, at a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.
From a user perspective, all staff working within or alongside the organization should be required to use strong, complex passwords that follow NIST’s latest guidelines. Security leaders may also practice the principle of least privilege, where only those who need access to certain information have it. With these best practices, organizations can better bolster protection and set themselves up for success on World Password Day and beyond.”
[post_title] => VMblog: Get Expert Advice During World Password Day 2022 [post_excerpt] => On May 5, 2022, Nabil Hannan was featured in the VMblog Get Expert Advice During World Password Day 2022. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vmblog-expert-advice-world-password-day-2022 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:39 [post_modified_gmt] => 2023-01-23 21:10:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27746 [menu_order] => 232 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [16] => WP_Post Object ( [ID] => 27699 [post_author] => 65 [post_date] => 2022-04-25 09:02:00 [post_date_gmt] => 2022-04-25 14:02:00 [post_content] =>On April 25, 2022, Nabil Hannan was featured in the CSO article, SolarWinds breach lawsuits: 6 takeaways for CISOs. Preview the article below, or read the full article online.
+ + +
The SolarWinds compromise of 2020 had a global impact and garnered the resources of both public and private sectors in an all-hands-on-deck remediation effort. The event also had a deleterious effect on the SolarWinds stock price. These two events, were, predictably, followed by a bevy of civil lawsuits. Fast forward to late March 2022 and we have a federal court saying the suit that named SolarWinds; its vice president of security and CISO, Tim Brown; as well as two prime investor groups Silver Lake and Thoma Bravo may go forward.
As Violet Sullivan, cybersecurity and privacy attorney of client engagement at Redpoint Cybersecurity, observes, the judge finds that the plaintiffs “may have a claim, so the judge is going to hear it.” She explains, “It’s not what is being said in the order that is interesting. It’s what will be shown during the discovery process that is interesting. There will be questions in this suit including: Will the forensic reports be available during the discovery or covered by attorney-client privilege?”
Resource Cybersecurity According to Risk
CISOs are uniquely positioned to provide insight on the threat landscape to business operations and together create the appropriate risk management plan. I recently mentioned how cybersecurity is often something companies get around to. The SolarWinds cyberattack and the resultant civil lawsuits are demonstrating the need for the well-documented investment in cybersecurity must be at the forefront.
The managing director of NetSPI, Nabil Hannan, says, “Internal threats are still a lingering and often under-addressed cybersecurity threat within organizations, especially when compared to the resources applied toward external threats. But, with buy-in from an organization's leadership team, CISOs can have the resources needed to develop a proactive and ongoing threat detection governance program.”
Those who hesitate may find themselves playing catch up as they are spurred along by the new U.S. Securities and Exchange Commission initiative on the need for publicly sharing information security breach information within four days of discovery that the breach is material will affect direct change. Similarly, the SEC’s desire to have companies describe how they address cybersecurity will drive greater transparency within many companies. This SEC effort will pull infosec out of the back room and to the forefront, like policies, procedures, resourcing, and expertise will be on full display via the required SEC filings.
[post_title] => CSO: SolarWinds breach lawsuits: 6 takeaways for CISOs [post_excerpt] => On April 25, 2022, Nabil Hannan was featured in the CSO article, SolarWinds breach lawsuits: 6 takeaways for CISOs. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cso-solarwinds-breach-lawsuits-6-takeaways-for-cisos [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:41 [post_modified_gmt] => 2023-01-23 21:10:41 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27699 [menu_order] => 238 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [17] => WP_Post Object ( [ID] => 27600 [post_author] => 65 [post_date] => 2022-04-12 07:00:00 [post_date_gmt] => 2022-04-12 12:00:00 [post_content] =>In application security, DevOps, and DevSecOps, “shift left” is a guiding principle for how organizations should implement security practices into the development process. For this reason, today’s application security testing tools and technologies are built to facilitate a shift left approach, but the term has taken on a new meaning compared to when it first entered the scene years ago.
Over the past decade, software development has drastically changed with the proliferation of impactful technology, such as APIs and open-source code. However, shift left has remained a North Star for organizations seeking to improve application security. Its meaning has become more nuanced for those attempting to achieve a mature application security framework.
I recently sat down with Maty Siman, Founder and CTO at Checkmarx on our Agent of Influence podcast to discuss application security and the concept of shift left. You can listen to the full episode here. Let’s explore four highlights from the discussion:
The “Lego-ization” of Software
In the past, developers would build their solutions from the ground up, developing unique libraries to carry out any desired functionality within an application. Today, developers leverage a wide range of tools and technologies, such as web services, open-source code, third party solutions and more, creating software that is ultimately composed of a variety of different components.
As Maty alluded to during the Agent of Influence podcast, many in the industry have referred to this practice as the “lego-ization” of software, piecing together different premade, standardized Lego blocks to form a unique, sound structure.
While both traditional and modern, lego-ized methods are forms of software development, they demand a different set of expertise. This is where mature application security frameworks become invaluable. Maty explains that today’s developers are often working around the clock to keep up with the pace of digital transformation; they cannot just focus on code for vulnerabilities. They must also look at how the different components are connected and how they communicate with one another.
Each connection point between these components represents a potential attack surface that must be secured – but addressing this can also become a source of friction and perceived inconvenience for developers.
The Impact of Today’s Open Source and API Proliferation
The recent proliferation of software supply chain security threats has made the situation even more complex and dire for software developers, as malicious actors look to sneak malicious code into software as it’s being built.
As Siman explains during our podcast conversation, open source code makes up anywhere from 80 to 90 percent of modern applications. Still, developers are pulling these resources from a site like GitHub often without checking to see if the developer who created the package is trustworthy. This further exacerbates the security risk posed by the lego-ized development practices we see today, Maty warns.
Additionally, in recent years, there has been an explosive growth in the usage of APIs in software development. Organizations now leverage thousands of APIs to manage both internal and external processes but have not paid enough attention to the challenge of securing these deployments, according to Maty.
However, efforts have been made to set organizations on the right path in securing APIs, such as the OWASP API Security Project – but there is still a lot of work to be done. Check out the OWASP API Top 10 list, co-written by Checkmarx’s Vice President of Security Research, Erez Yalon.
Read: AppSec Experts React to the OWASP Top 10 2021
Many organizations are not aware of which or how many APIs their services take advantage of, which presents an obstacle towards securing them. As a result, Maty explains that the concept of a “software bill of materials,” or SBOM, is beginning to take shape as organizations seek to better understand the task at hand.
With APIs quickly becoming a favored attack vector for cybercriminals, the importance of developers getting a handle on API security cannot be overstated, which is especially crucial for application penetration testing. Simultaneously, the task is an immense one that many developers see as a headache or hindrance to their main goal, which is to deliver new software as quickly as possible.
Shifting Left in an Evolving Application Development Landscape
While the trends outlined above certainly present significant challenges when it comes to application security, they are not insurmountable. Maty advises that organizations can and should implement certain changes in their approach to application security to better support developers with appropriate application security testing tools and other resources.
One of the main issues organizations face in modern application security testing, including application penetration testing or secure code review, lies in the effort to shift left. Shift left is sometimes seen as a source of friction in the developer community. It is about finding and managing vulnerabilities as early as possible, which has only become more difficult and complex as development has evolved.
Read: Shifting Left to Move Forward: Five Steps for Building an Effective Secure Code Review Program
The amount of innovation in software development and implementation means that shifting as far left as possible is not always feasible or even the best approach. While detecting vulnerabilities in code as early as possible is a priority in application security, attempting to force developers to do so too early in the development process can exhaust developers and slow software delivery, as Maty advises.
For example, the use of integrated development environment (IDE) plugins can often make developers feel hindered and nagged by security rather than empowered by it. While they represent a shift to the extreme left in terms of security, they are not always a good idea to impose on developers.
No Right Way to Shift Left in Application Security
Ultimately, the proper way to shift left is going to vary across organizations, depending on the software they are building and what is going into it. It is paramount to take a tailored approach that balances the security responsibilities placed on developers with the need to maintain agility and deliver software quickly.
Application development has changed significantly, and we can expect it to continue to change in the coming years. Creating and maintaining a mature application security framework will depend on maintaining a proper understanding of the tools and technologies developers are using and adjusting the organizational approach to application security accordingly.
For more, listen to episode 32 of Agent of Influence with Maty of Checkmarx:
On March 11, 2022, Nabil Hannan guest authored a TechTarget article titled, How to Build a Security Champions Program. Preview the article below, or read the full article online here.
+ + +
Application security is more important than ever, as apps remain one of the most common attack vectors for external breaches. Forrester's latest "State of Application Security" report stated organizations are starting to recognize the importance of application security, and many have started embedding security practices more tightly into their development stages — a big step in the right direction.
It's important to understand, however, that building a world-class application security program can't happen overnight. A great deal of foundational work must be done before an organization can achieve results, including sharpening security processes around the software development lifecycle (SDLC) to identify, track and remediate vulnerabilities more efficiently. These efforts will eventually bring organizations to a high level of maturity.
Adoption of security in the SDLC is often lacking in many organizations. The answer to this problem lies within an organization's employee population. Companies should establish a security champions program, where certain employees are elected as security advocates and drivers of change.
To create a strong cybersecurity culture, security champions should be embedded throughout an entire organization. These individuals should have an above-average level of security interest or skill, with the goal of ultimately evangelizing and accelerating the adoption of a security-first culture — not only through software and application development, but throughout the organization.
Developing a security champions program doesn't need to be complicated. This four-step process helps organizations establish their program with ease.
Continue reading How to Build a Security Champions Program on TechTarget.
[post_title] => TechTarget: How to Build a Security Champions Program [post_excerpt] => On March 11, 2022, Nabil Hannan guest authored a TechTarget article titled, How to Build a Security Champions Program. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-build-security-champions-program [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:49 [post_modified_gmt] => 2023-01-23 21:10:49 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27514 [menu_order] => 255 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [19] => WP_Post Object ( [ID] => 27447 [post_author] => 65 [post_date] => 2022-03-08 07:00:00 [post_date_gmt] => 2022-03-08 13:00:00 [post_content] =>The Federal Communications Commission (FCC) recently announced its proposal to update data breach laws for telecom carriers.
A key change in the proposal? Eliminating the seven-business-day waiting period required of businesses before notifying customers of a breach.
Although the proposed FCC change would allow companies to address and mitigate breaches more quickly, it does not solve the greater issue at hand: The sensitive data collected by the telecoms industry is constantly at risk of being exploited by malicious actors.
The Telecoms Threat Environment
Protecting data within the telecoms industry is instrumental in ensuring customer privacy and safety.
When telecom companies experience a data breach, hackers often target customer proprietary network information (CPNI) – “some of the most sensitive personal information that carriers and providers have about their customers,” according to the FCC. This includes call logs, billing account information, as well as the customer’s name, phone number, and more.
In August 2021, T-Mobile suffered the largest carrier breach on record, with over 50 million current and former customers affected.
To protect customers from further breaches, the telecoms industry must deploy configurations securely, enable end-to-end encryption, and return to security basics by enabling automation in vulnerability discovery and penetration testing.
Misconfiguration Risk
Networks, specifically telecommunications channels, continue to increase in complexity, causing an increased risk for misconfigured interfaces within organizations.
From these misconfigurations, attackers can stitch together multiple weaknesses and pivot from one system to another across multiple organizations.
In October 2021, LightBasin, a hacking group with ties to China, compromised telecom companies around the world. LightBasin used multiple tools and malware to exploit weaknesses in systems that were configured with overly permissive settings and neglected to follow the principle of least privilege.
These hacking tactics are not unique. Had the telecoms industry instituted the proper channels for alerting and blocking on common attack patterns and known tactics, techniques, and procedures (TTPs) that attackers use widely they may have been able to prevent the LightBasin attack.
Additionally, to protect against future attacks and data breaches, industries should build proper standards and automation to ensure that configurations are deployed securely and consistently monitored.
The Need for End-to-End Encryption
Enabling end-to-end encryption within mobile communication networks could help to combat some of the lateral movement strategies used by LightBasin and similar hacker groups.
This lateral movement within telecommunications networks can be challenging for the industry to address for multiple reasons. The overarching issue? Telecommunications systems were not originally developed with security in mind and are not secure by design.
The telecoms systems have flaws that cannot be fixed without major architectural changes and these systems have evolved to be utilized in a way that’s outside of the original creators’ intent.
In particular, these mobile communications networks were not built with a quality of service guarantee or any type of end-to-end encryption to ensure that users’ data is not exposed while in transit.
WhatsApp, for example, uses the Signal protocol to asymmetrically encrypt messages between users. The encrypted messages then get transmitted the via a WhatsApp facilitated server.
This ensures that only the intended recipient can decrypt the message and others who attempt to do so will fail. Legacy telecoms players should adopt a similar approach for added protection to users’ communications.
While end-to-end encryption can protect against lateral movement strategies, this does not mean the security is infallible. Just because the communication channel is secure doesn’t ensure application security. Users are still vulnerable to social engineering attacks, malware, and, as in WhatsApp’s case, the app itself may be vulnerable.
To truly secure user data, the telecoms industry security must invest in holistic security strategies including application security testing.
For more on end-to-end encryption, read Why Do People Confuse “End-to-End Encryption” with “Security”?
Collaboration and Coordination
As the telecoms industry begins to prioritize security, organizations harnessing the networks must also prioritize security.
This includes ensuring multi-factor authentication between users and systems, the principle of least privilege, or even proper input validation and output encoding.
In tandem, the telecoms industry should strive to build automated vulnerability management processes where possible. This ensure continuous checks and balances are in place to secure all deployed systems – both at the software and infrastructure levels.
Where hackers have only become more sophisticated in the technology and methods used to acquire data, the telecoms industry has neglected to keep up.
Currently, messages and calls can be spoofed, data is not encrypted while in transit, and the quality of service and protection is not guaranteed. We have adopted a network with inherent flaws in its design from a security perspective, and these systems are used by billions of people across the globe.
The change in FCC guidelines mark significant progress. Given the current threat environment, security efforts in the telecoms industry must be prioritized to ensure billions of people and their data are protected.
On February 18, 2022, Nabil Hannan was featured in a LifeWire article titled, Why Unwanted Tracking Is on the Rise. Preview the article below, or read the full article online here.
+ + +
It's never been easier to track your possessions thanks to gadgets like Apple AirTags, but they also contribute to a growing privacy problem.
Apple recently said it would improve AirTag safeguards after reports of people being tracked surreptitiously using AirTags. However, some experts say Apple's efforts won't be sufficient to protect users.
"Even with the personal safety guide released by Apple, consumers are still subject to increased risks, as it only gives consumers some tools to use if they suspect their device has been compromised," Nabil Hannan, managing director at cybersecurity firm NetSPI, told Lifewire in an email interview.
AirTags or CreepTags?
AirTags send out Bluetooth signals that nearby Apple devices can detect. Many people have claimed they've been tracked by people using AirTags without their knowledge.
[post_title] => Lifewire: Why Unwanted Tracking Is on the Rise [post_excerpt] => On February 18, 2022, Nabil Hannan was featured in a LifeWire article titled, Why Unwanted Tracking Is on the Rise. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => lifewire-why-unwanted-tracking-is-on-the-rise [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:53 [post_modified_gmt] => 2023-01-23 21:10:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27392 [menu_order] => 265 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [21] => WP_Post Object ( [ID] => 27381 [post_author] => 65 [post_date] => 2022-02-15 04:00:00 [post_date_gmt] => 2022-02-15 10:00:00 [post_content] =>On February 15, 2022, Nabil Hannan was featured in a TechNewsWorld article titled, 49ers Blitzed by Ransomware. Preview the article below, or read the full article online here.
+ + +
While their downstate rivals the Los Angeles Rams were busy winning Super Bowl LVI, the San Francisco 49ers were being clipped in a ransomware attack.
News of the attack was reported by the Associated Press after cybercriminals posted documents to the dark web that they claimed were stolen from the NFL franchise.
In a public statement obtained by TechNewsWorld, the team noted: “We recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network.”
Looking for Street Cred
Nabil Hannan, managing director at NetSPI, a penetration testing company in Minneapolis, maintained that it’s unusual for a ransomware gang to post exfiltrated data on the web without making any ransom demands.
“I would assume this is due to the fact that they weren’t able to hold any critical systems hostage,” he told TechNewsWorld.
“The gang may have been able to encrypt/steal some files or systems that were categorized as non-critical, but they likely knew that they wouldn’t be able to receive any ransom payout for such information,” he surmised.
“Most likely this was an act to get ‘street creds’ and pose that they were able to steal information from such a high profile organization to show their reach and ability to break into any system,” he said.
[post_title] => TechNewsWorld: 49ers Blitzed by Ransomware [post_excerpt] => On February 15, 2022, Nabil Hannan was featured in a TechNewsWorld article titled, 49ers Blitzed by Ransomware. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => technewsworld-49ers-blitzed-by-ransomware [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:53 [post_modified_gmt] => 2023-01-23 21:10:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27381 [menu_order] => 267 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [22] => WP_Post Object ( [ID] => 27276 [post_author] => 65 [post_date] => 2022-02-01 16:12:33 [post_date_gmt] => 2022-02-01 22:12:33 [post_content] =>While in the Kingdom of Saudi Arabia for the @Hack cybersecurity conference, we noticed a disconnect in the understanding of penetration testing. Many of the people we spoke with assumed pentesting and bug bounty programs were one and the same.
Spoiler alert: that assumption is incorrect. While they share a similar goal, pentesting services and bug bounties vary in impact and value.
In an effort to demystify the two vulnerability discovery activities, in this blog we will cover how each are used in practice, key differences, and explain the risks associated with solely relying on bug bounties.
What is a Bug Bounty Program?
Simply put, a bug bounty program consists of ethical hackers exchanging critical vulnerabilities, or bugs, for recognition and compensation.
The parameters of a bug bounty program may vary from organization to organization. Some may scope out specific applications or networks to test and some may opt for a “free-for-all" approach. Regardless of the parameters, the process remains the same. A hacker finds a vulnerability, shares it with the organization, then, once validated, the organization pays out a bounty to the hacker.
For a critical vulnerability finding, the average payout rose to $3,000 in 2021. Bounty payments have come a long way since 2013’s ‘t-shirt gate,’ where Yahoo offered hackers a $12.50 company store credit for finding a number of XSS (cross-site scripting) vulnerabilities – yikes.
What is Penetration Testing?
Penetration testing is an offensive security activity in which a team of pentesters, or ethical hackers, are hired to discover and verify vulnerabilities. Pentesters simulate the actions of a skilled adversary to gain privileged access to an IT system or application, such as cloud platforms, IoT devices, mobile applications, and everything in between.
Pentesting also helps organizations meet security testing requirements set by regulatory bodies and industry standards such as PCI and HIPAA.
Pentesters use a combination of automated vulnerability discovery and manual penetration testing techniques. They work collaboratively to discover and report all vulnerability findings and help organizations with remediation prioritization. Pentesting partners like NetSPI work collaboratively with in-house security teams and are often viewed and treated as an extension of that team.
Penetration testing has evolved dramatically over the past five years with the emergence of penetration testing as a service (PTaaS). PTaaS enables more frequent, transparent, and collaborative testing. It streamlines vulnerability management and introduces interactive, real-time reporting.
As an industry, we’ve shifted away from traditional pentesting where testers operate behind-the-curtain, then deliver a long PDF list of vulnerabilities for security teams to tackle on their own.
6 Core Differences Between Pentesting and Bug Bounties
So, what are the greatest differences between pentesting and bug bounties? Let’s break it down into six components: personnel, payment, vulnerabilities, methodology, time, and strategy.
Personnel
Pentesters are typically full-time employees that have been vetted and onboarded to provide consistent results. They often work collaboratively as a team, rather than relying on a single tester.
Bug bounty hackers operate as independent contractors and are typically crowdsourced from across the globe. Working with crowdsourced hackers can open the door to risk, given you cannot be 100% confident in their intentions and motives.
Will they sell the intel they gather to a malicious party for additional compensation? Will they insert malicious code during a test? With full-time employees, there are additional guardrails and accountability to ensure the hacking is performed ethically.
Payment
With penetration testing vendors, the payment model can vary. Cost is often influenced by the size of the organization, the complexity of the system or application, vendor experience, the scope, depth, and breadth of the test, among other factors.
With a bug bounty program, the more severe the vulnerability, the more money a bug bounty hunter makes. Keep in mind that negotiation of the bounty payment is very common with bug bounty programs, so it is important to factor in the time and resources to manage those discussions.
Additionally, one cause for concern with bug bounty payments is that instead of reporting vulnerabilities as they are found, it’s common for hackers to hold on to the most severe vulnerabilities for greater payout and recognition during a bug bounty tournament.
Vulnerabilities
Because of the pay-per-vulnerability model bug bounty programs follow, it’s no surprise that many are focused solely on finding the highest severity vulnerabilities over the medium and low criticality ones. However, when chained together, lower severity vulnerabilities can expose an organization to significant risk.
This is a gap that penetration testing fills. Penetration testers chain together seemingly low-risk events to verify which vulnerabilities enable unauthorized access. Pentesters do prioritize critical vulnerabilities, but they also examine all vulnerabilities with a business context lens and communicate the risk each could pose to operations if exploited.
Vulnerability findings aside, there are also key differences in how the results are delivered. With bug bounties, it’s up to the person who found the vulnerability to decide when to disclose the flaw to the program – or save it for a tournament as mentioned above, or even disclose it publicly without consent.
Modern penetration testing companies like NetSPI operate transparently and report findings in real time as they are discovered. Plus, pentesters validate and retest to confirm the vulnerability exists, evaluate the risk it poses, and determine if it was fixed effectively.
Methodology
The greatest difference in the testing methodology of bug bounty programs and penetration testing services is consistency.
From our discussions with security leaders, the biggest challenge they face with bug bounty programs is that service, quality, project management, and other key methodology factors often lack consistency. Notably, the pool of independent contractors varies across experience and expertise. And the level of effort diminishes as rewarding, critical vulnerabilities are found and researchers move on to opportunities with greater opportunity for compensation.
Penetration testing is more methodical in nature. Testers follow robust checklists to ensure consistency in the testing process and make certain that they are not missing any notable gaps in coverage. They also hold each other accountable by working on teams. At NetSPI, our pentesters use the workbench in our Resolve PTaaS technology platform to collaborate and maintain consistency.
For any organization that has legal, regulatory, or contractual obligations for a robust security testing bug bounties simply cannot meet those requirements. Bug bounty programs are opportunistic. There is no assurance of full coverage testing as they do not adhere to defined methodology or checklists to ensure consistency from assessor to assessor, or assessment to assessment. Some bug bounties can use checklists upon request – for a hefty added cost.
Time
While bug bounty programs are evergreen and always-on, traditional penetration testing has been limited by time-boxed assessments.
To address this, first and foremost we recommend organizations provide their pentesting team with access to source code or perform a threat modeling assessment to equip their team with information a malicious hacker could gain access to in the wild. This allows pentesters to accurately emulate real attackers and spend more time finding business critical vulnerabilities.
The pentesting industry is rapidly evolving and is becoming more continuous, thanks to the PTaaS delivery model and attack surface management. Gone are the days of annual pentests that check a compliance box. We see a huge opportunity for integration with attack surface management capabilities to truly offer continuous testing of external assets.
Strategy
Penetration testing is a strategic security activity. On the other hand, bug bounty programs are very tactical and transactional: find a vulnerability, report it, get paid for it, then move on to the next hunt.
As noted earlier, penetration testing is often viewed as an extension of an internal security team and collaborates closely with defensive teams. You can also find pentesting partners that offer strategic program maturity advisory services. Because of this, pentesters deeply understand the systems, networks, applications, etc. and can assess them holistically. This is particularly beneficial for complex systems and large organizations with massive technology ecosystems.
Furthermore, strategic partnerships between penetration testing vendors and their partners lead to a greater level of trust, institutional knowledge, and free information exchange. In other words, when you work with a team of penetration testers on an ongoing basis, their ability to understand the mechanics of your company and its technologies lends itself to discovering both a greater number and higher quality of vulnerabilities.
Final Thoughts
The way penetration testing has and continues to evolve fills many of the gaps left by bug bounty programs. There is certainly room for both bug bounty programs and penetration testing in the security sector – in many cases the services complement one another. However, it is important to understand the implications and risks associated when deciding where to focus your efforts and budget.
[post_title] => Penetration Testing Services vs. Bug Bounty Programs [post_excerpt] => What are the greatest differences between pentesting and bug bounties? We break it down into six components: personnel, payment, vulnerabilities, methodology, time, and strategy. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => penetration-testing-services-versus-bug-bounty [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:52:04 [post_modified_gmt] => 2023-08-22 14:52:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27276 [menu_order] => 269 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [23] => WP_Post Object ( [ID] => 27280 [post_author] => 65 [post_date] => 2022-02-01 07:00:00 [post_date_gmt] => 2022-02-01 13:00:00 [post_content] =>On February 1, 2022, Nabil Hannan was featured in SHRM's article on the UKG ransomware attack. Preview the article below, or read the full article online here.
+ + +
Along ordeal for customers of Ultimate Kronos Group (UKG) is nearing an end. The vendor has restored its time-keeping and payroll services after a ransomware attack disrupted the lives of thousands of HR professionals and employees alike.
But experts say fallout from the attack will continue, given that some customer data was stolen, companies will have to transition manual records back into UKG systems and shaken clients are questioning their future with the vendor.
In a public update on Jan. 22, UKG said it had restored core time, scheduling and payroll capabilities to all customers impacted by the ransomware attack on its Kronos Private Cloud system. The statement said UKG is now focused on the "restoration of supplemental features and nonproduction environments" and is offering video-based recovery guides to help customers reconcile their data.
The outage—which lasted more than a month for many UKG clients—forced thousands of organizations to scramble to create manual workarounds. It happened during a particularly challenging time of year; employers had to find ways to pay workers holiday pay and overtime as employees worked extra shifts to cover staff shortages caused by the omicron variant of the coronavirus and ongoing resignations.
UKG and companies using its services may be facing legal action. "Unfortunately, some customer data was stolen in the attacks and that creates a secondary concern for UKG and its clients," said Allie Mellen, a security and risk analyst with research and advisory firm Forrester. UKG confirmed in its latest public statement that the personal data of at least two of its customers had been "exfiltrated" or breached.
.....
Cautionary Tale for HR Tech Vendors
HR technology analysts say vendors and their clients should brace themselves for similar attacks as more hackers train their sights on sensitive employee data rather than customer data.
"The reality is we're going to see more of these attacks," said Trevor White, a research manager specializing in HCM technologies with Nucleus Research in Boston. "The question for HR vendors is how they'll limit disruption to their customers as they go about solving problems related to ransomware and other cyberattacks. Unless you pay the ransom, these things can take weeks to solve."
Nabil Hannan, managing director for NetSPI, an enterprise security testing and vulnerability management firm in Minneapolis, said too many organizations still focus on protecting customer data at the expense of securing employee data.
"Hackers are getting more creative and focusing more of their efforts on finding ways to lock up systems that on their face may not seem as critical but that have far-reaching impacts, like HR data," Hannan said.
[post_title] => SHRM: Concerns Linger Following UKG Ransomware Attack [post_excerpt] => On February 1, 2022, Nabil Hannan was featured in SHRM's article on the UKG ransomware attack. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => shrm-concerns-linger-following-ukg-ransomware-attack [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:54 [post_modified_gmt] => 2023-01-23 21:10:54 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27280 [menu_order] => 268 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [24] => WP_Post Object ( [ID] => 27239 [post_author] => 91 [post_date] => 2022-01-25 12:09:02 [post_date_gmt] => 2022-01-25 18:09:02 [post_content] =>On January 25, 2022, Travis Hoyt, Florindo Gallicchio, Charles Horton, and Nabil Hannan were featured in TechRound's 2022 Cybersecurity Predictions round up. Preview the article below, or read the full article online here.
- Explore industry expert predictions on what’s in store for cybersecurity in 2022.
- Cyber-attacks have remained a key concern throughout the COVID-19 pandemic. With 2021 now over, what does the new year have in store for cybersecurity?
- We’ve collected predictions from industry experts, including HelpSystems’s Joe Vest, Gemserv’s Andy Green and more.
With many businesses continuing to work from home where possible and settling into a more hybrid style of work, cybersecurity has been a key concern across a range of industries.
Here, we’ve collected opinions from industry experts on what they predict 2022 has in store for cybersecurity.
Travis Hoyt, CTO at NetSPI
Attack surface management: “As organisations continue to become more reliant on SaaS technologies to enable digital transformation efforts, the security perimeter has expanded. Organisations now face a new source of cybersecurity risk as cybercriminals look to exploit misconfigurations or vulnerabilities in these SaaS technologies to wage costly attacks. In 2022, we can expect that organisations will become more focused on SaaS posture management and ensuring that their SaaS footprint is not left open as a vector for cyberattacks. This trend will be further accelerated by the insistence of insurance providers that organisations have a detailed understanding of their SaaS deployments and configurations, or face higher premiums or even a refusal of insurance altogether.”
Next generation architectures open new doors for security teams: “Interest in distributed ledger technology, or blockchain, are beginning to evolve beyond the cryptocurrency space. In 2022, we’ll begin to see the conversation shift from bitcoin to discuss the power blockchain can have within the security industry. Companies have already started using this next generation architecture, to better communicate in a secure environment within their organisations and among peers and partners. And I expect we’ll continue to see this strategy unfold as the industry grows.”
CFOs will make or break ransomware mitigation: “For too long, companies have taken a reactionary approach to ransomware attacks – opting to pay, or not pay, after the damage has already been caused. I expect to see CFOs prioritising conversations surrounding ransomware and cyber insurance within 2022 planning and budgetary meetings to develop a playbook that overalls all potential ransomware situations and a corresponding strategy to mitigate both damage and corporate spend. If they don’t lead with proactivity and continue to take a laggard approach to ransomware and cyber insurance, they are leaving their companies at risk for both a serious attack and lost corporate funds.”
Florindo Gallicchio, Managing Director and Head of Strategic Solutions at NetSPI
Cybersecurity budgets will rebound significantly from lower spend levels during the pandemic: “As we look to 2022, cybersecurity budgets will rebound significantly after a stark decrease in spending spurred by the pandemic. Ironically, while COVID-19 drove budget cuts initially, it also accelerated digital transformation efforts across industries – including automation and work-from-home infrastructure, which have both opened companies up to new security risks, leading to higher cybersecurity budget allocation in the new year. Decisions are being made in Fortune 500+ companies with CFOs on the ground, as these risk-focused enterprises understand the need for larger budgets, as well as thorough budgeted risk and compliance strategies. Smaller corporations that do not currently operate under this mindset should follow the lead of larger industry leaders to stay ahead of potential threats that emerge throughout the year.”
Charles Horton, Chief Operations Officer at NetSPI
Company culture could solve the cybersecurity hiring crisis: “It’s no secret that cybersecurity, like many industries, is facing a hiring crisis. The Great Resignation we’re seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. From a retention perspective, I expect to see department heads fostering a culture that’s built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves – ultimately driving positive retention rates across the organisation.”
Nabil Hannan, Managing Director at NetSPI
2022 is the year for API security: “In 2022, we will see organisations turn their attention to API security risks, deploying security solutions and conducting internal audits aimed at understanding and reducing the level of risk their current API configurations and deployments create. Over the past few years, APIs have become the cornerstone of modern software development. Organisations often leverage hundreds, and even thousands, of APIs, and ensuring they are properly configured and secured is a significant and growing challenge. Compounding this issue, cyberattackers have increasingly turned to APIs as their preferred attack vector when seeking to breach an organisation, looking for vulnerable connection points within API deployments where they can gain access to an application or network. For these reasons, securing APIs will be a top priority throughout 2022.”
The Skills Shortage Will Continue Until Hiring Practices Change: “In 2022 the cybersecurity skills gap will persist, but organisations that take a realistic approach to cybersecurity hiring and make a commitment to building cybersecurity talent from the ground up will find the most success in addressing it. The focus in closing the skills gap often relies on educating a new generation of cybersecurity professionals through universities and trade programs, and generally encouraging more interest in young professionals joining the field. In reality, though, these programs will only have limited success. The real culprit behind the skills gap is that organisations often maintain unrealistic hiring practices, with cybersecurity degrees and certification holders often finding untenable job requirements such as 3+ years of experience for an entry level job.”
[post_title] => TechRound: Cybersecurity Predictions for 2022 [post_excerpt] => On January 25, 2022, Travis Hoyt, Florindo Gallicchio, Charles Horton, and Nabil Hannan were featured in TechRound's 2022 Cybersecurity Predictions round up. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techround-cybersecurity-predictions-for-2022 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:56 [post_modified_gmt] => 2023-01-23 21:10:56 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27239 [menu_order] => 273 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [25] => WP_Post Object ( [ID] => 27220 [post_author] => 53 [post_date] => 2022-01-24 16:47:10 [post_date_gmt] => 2022-01-24 22:47:10 [post_content] =>Overview
Today's approaches to defense in depth for application security are siloed and lack context, thus results have fallen short. But a layered approach is the key to building a world-class AppSec program that spans the entire Software Development Lifecycle (SDLC). So, how does our approach need to change?
In this webinar, you’ll hear from three experts at each of the core security touchpoints within the Software Development Life Cycle (SDLC): at the code level, pre-deployment, and post-deployment.
Speakers include Nabil Hannan, managing director at NetSPI, Moshe Zioni, VP of strategy research at Apiiro, and Samir Sherif, CISO at Imperva.
During this webinar, speakers will discuss:
- Key timeframes to implement security testing – and why
- How to incorporate risk context across the SDLC
- Best practices for application penetration testing and secure code review
- Proper implementation of application security tools for continuous monitoring
- Plus, more tips to achieve a layered application security strategy
Key highlights:
- 1:21 – The state of AppSec testing
- 3:55 – Contextual AppSec testing
- 14:45 – Best practices for application pentesting and secure code review
- 30:40 – The implementation journey
- 42:00 – Q&A
The State of AppSec Testing
To get started, it’s important to have an understanding of the current state of today’s AppSec programs and application security in general.
Key challenges with application security include:
- Siloed: Application security programs are siloed in most organizations. AppSec-related activities often happen without being in sync with the rest of the organization, but effective application security requires collaboration across the board.
- Lacks context: A lot of testing happens in different phases of the software development lifecycle (SDLC), but oftentimes it tends to lack context. Testing may be driven by customer needs or regulatory and compliance requirements, but often there’s not enough testing being done based on an organization’s software context and understanding when and why you need to test systems, other than specific requirements from external pressures.
- Results fall short: When application security testing is siloed, lacks context, and doesn’t have proper strategy, the results are more likely to fall short.
A layered testing approach is the key to building a world-class AppSec testing program that spans the entire SDLC, including code level, pre-deployment, and post-deployment.
Contextual AppSec Testing
For AppSec testing to be effective, context from across the SDLC is required to understand risk.
Some of the benefits of context in each stage across the SDLC include:
- Design
- Prioritize and trigger threat model sessions
- Trigger contextual compliance reviews
- Branch
- Trigger contextual security code reviews and enrich data from SAST/SCA/GWs
- Trigger contextual compliance reviews
- Automate manual risk questionnaires
- Automate code governance
- Repository
- Gain complete visibility into AppSec infrastructure and CSS
- Actionable remediation work plan
- Trigger incremental plan testing
- Reduce SAST & SCA FP and prioritize results
- Detect compromised results
- CI/CD
- Prevent build-time code injection attacks (SolarWinds)
Best Practices for Application Pentesting and Secure Code Review
Understanding best practices for application pentesting and secure code review can help ensure your approach is as effective as possible.
Here are some ways optimize your application pentesting:
1. Risk-based pentesting is key
- Understand how your business makes money
- Prioritize remediation of vulnerabilities that pose the greatest risk to the organization
- Loop in finance and risk leadership
- Contextual pentesting
2. Strategy is the future
- Informed pentesting is more valuable, as hackers aren’t bound by time
- Threat modeling and secure design reviews
- Pair point-in-time testing with always-on monitoring
- Bug bounty vs. pentesting
3. Enable manual testing
- Enable your testing team to find vulnerabilities that tools miss
- According to NetSPI testing data, 63% of critical vulnerabilities are found through manual testing
- External network pentesting finds 10x more critical vulnerabilities than a single network vulnerability scanning tool
4. Take a holistic approach
- Validation of security controls
- Understanding how everything works together
Another important aspect is building an effective secure code review program. Some step to do this include:
- Establish a security culture and listen to your developers
- Create simple and effective methodologies and processes
- Plan application onboarding and scan frequency
- Understand that remediation matters most
- Measure and improve over time
As you formalize your company’s AppSec program, following a maturity checklist can help set the program up for success.
Make sure to include the following steps your application security program maturity checklist:
- Formalize your roadmap
- Governance in the SDLC
- Establish metrics that matter
- Be an AppSec ambassador
The Journey to Implement AppSec
When it comes to how an organization looks at and approaches application security in general, breadth is an important framework to redefine and conceptualize application security.
This framework includes:
- Shift-left to dev training and code analysis
- Heavy focus on in-app and perimeter protections
- Shift-right to advanced, proactive, and managed services
Left-to-right application security features the following solutions:
- Awareness and education
- Learning, training, threat modeling
- Code analysis
- SAST, DAST, IAST, SCA, code risk
- In-app protection
- RASP, CWPP (EW)
- Perimeter protection
- WAAP, CWPP (NS), DDoS, Zero Trust
- Advanced solutions
- Bot, insights, fraud, 3rd party, TI, CDR, DLP
- Proactive solutions
- VM, CSPM, CIEM, BAS, EASM, MDR
Partner with NetSPI to Improve Application Security
NetSPI’s Application Security as a Service helps organizations manage multiple areas of their application security program.
Our AppSec as a service capabilities combine the power of technology through our vulnerability management and orchestration platform with our leading cybersecurity consulting services featuring expert human pentesters to ensure you can build and manage a world-class application security program.
Learn more about our AppSec as a service offerings and partner with NetSPI to drive your application security program forward to meet your security objectives. Schedule a demo today.
[wonderplugin_video iframe="https://youtu.be/bml1NTFqxFA" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => Application Security In Depth: Understanding The Three Layers Of AppSec Testing [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => application-security-in-depth-understanding-the-three-layers-of-appsec-testing [to_ping] => [pinged] => [post_modified] => 2023-07-12 12:43:09 [post_modified_gmt] => 2023-07-12 17:43:09 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=27220 [menu_order] => 44 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [26] => WP_Post Object ( [ID] => 27166 [post_author] => 65 [post_date] => 2022-01-18 07:00:00 [post_date_gmt] => 2022-01-18 13:00:00 [post_content] =>Today’s business environment extends far beyond traditional brick and mortar organizations. Due to an increased reliance on digital operations, the frequency and complexity of supply chain cyber attacks — also known as vendor risk management or third-party security — are growing exponentially. It’s apparent that business leaders can no longer ignore supply chain security.
Not only did we see an increase in supply chain attacks in 2021, but the entire anatomy of an organization’s attack surface has evolved significantly. With more organizations shifting to a remote or hybrid workforce, we’ve seen a spike in cloud adoption and a heavy reliance on digital collaboration with third-parties.
Over the past few years we’ve introduced many new risks into our software supply chains. So, how do we ensure we don’t become the next SolarWinds or Accellion? In this blog, we reveal four supply chain security best practices to get you started on solid footing.
First, understand where the threats are coming from.
With so many facets of the supply chain connected through digital products, organizations and security leaders need to understand which sectors are most vulnerable and where hackers can find holes — both internally and externally.
A recent study found that 70% of all breaches are caused by an outside force, and 17% were specifically from malware. This is to be expected. As software developers have been outsourced more frequently, the doors have opened to traditional malware attacks and breaches. Businesses need to understand how and where their resources can be accessed, and whether these threats can be exploited. However, malicious code detection is known to be very difficult. Standard code reviews won’t always identify these risks, as they can be inserted into internally-built software and mimic the look and feel of regular code. This is one of the biggest trends leaders must be aware of and fully understand which threats could impact their organization.
In addition to malware, hackers have begun attacking multiple business assets outside of an organization's supply chain through “island hopping.'' We’re seeing 50% of today’s cyber attacks use this technique. Security leaders need to identify and monitor island hopping attacks frequently to stay ahead of the vulnerability. Gone are the days where hackers target an organization itself — instead adversaries are going after an organization's partners to gain access to the initial organization's network.
Supply Chain Security Best Practices
How do organizations ensure they don’t become the weakest link in the supply chain? First and foremost, be proactive! Businesses must look at internal and external factors impacting their security protocol and implement these four best practices.
1. Enforce security awareness training.
Ensure you are training your staff not only when they enter the organization, but also on a continuous basis and as new business emerges. Every staff member, regardless of level or job description, should understand the organization's view and focus on security, including how to respond to phishing attempts and how to protect data in a remote environment. For example, in a retail environment, all internal employees and third-party partners should understand PCI compliance, while healthcare professionals need a working knowledge of HIPPA. The idea is to get everyone on the same page so they understand the importance of sensitive information within an organization and can help mediate a threat when it is presented.
2. Enact policy and standards adherence.
Adherence to policies and standards is how a business keeps progressing. But, relying on a well-written standard that matches policy is not enough. Organizations need to adhere to that policy and standards, otherwise they are meaningless. This is true when working with outside vendors as well. Generally, it’s best to set up a policy that meets an organization where it is and maps back to its business processes – a standard coherence within an organization. Once that’s understood, as a business matures, the policy must mature with it. This will create a higher level of security for your supply chain with less gaps.
In the past, we’ve spent a lot of time focusing on policies and recommendations for brick and mortar types of servers. With the new remote work and outsourcing increasing, it’s important to understand how policies transfer over when working with vendors in the new remote setting.
3. Implement a vendor risk management program.
How we exchange information with people outside of our organization is critical in today’s environment. Cyber attacks through vendor networks are becoming more common, and organizations need to be more selective when choosing their partners.
Once partners are chosen, security teams and business leaders need to ensure all new vendors are assessed with a risk-based vendor management program. The program should address re-testing vendors according to their identified risk level. A well-established, risk-based vendor management program involves vendor training — follow this three-tiered approach to get started:
- Tier one: Organizations need to analyze and tier their vendors based on business risk so they can hone in on different security resources and ensure they’ve done their due diligence where it matters most.
- Tier two: Risk-based assessments. The higher the vendor risk, the more their security program should be accessed to understand where an organization’s supply chain could be vulnerable – organizations need to pay close attention here. Those categorized as lower risk vendors can be assessed through automated scoring, whereas medium risk vendors require a more extensive questionnaire, and high-risk vendors should showcase the level of their security program through penetration testing results.
- Tier three: Arguably most important for long term vendor security. Re-testing vendor assessments should be conducted at the start of a partnership, and as that partnership grows, to make sure they’re adhering to protocol. This helps confirm nothing is slipping through the cracks and that the safety policies and standards in place are constantly being met.
4. Look at the secondary precautions.
Once security awareness training, policy, and standards are in place, and organizations have established a successful vendor risk management program, they can look at secondary proactive measures to keep supply chain security top of mind. Tactics include, but are not limited, to attack surface management, penetration testing services, and red team exercises. These strategic offensive security activities can help identify where the security gaps exist in your software supply chain.
Now that so many organizations are working with outside vendors, third-party security is more important than ever. No company wants to fall vulnerable due to an attack that starts externally. The best way to prepare and decrease vulnerability is to have a robust security plan that the whole company understands. By implementing these four simple best practices early on, businesses can go into the new year with assurance that they won’t be the weakest link in the supply chain — and that they’re safeguarded from external supplier threats.
Cybersecurity is a moving target. As adversaries evolve, the methodologies we use to protect our businesses must evolve in tandem.
Penetration testing is a great example of a category that must continuously innovate to keep pace with attackers. After all, the goal of penetration testing services is to emulate real-world attack tactics, techniques, and procedures (TTPs) as accurately as possible.
Traditional penetration cannot keep pace with the realities of business agility and hacker ambitions. Without innovation and evolution, it remains slow, stodgy, inconsistent, and simply checks a compliance box. So, how do we drive the industry forward? Strategy is key, according to Manish Khera, CISO at a national utilities company.
I recently invited Manish on the Agent of Influence podcast, a place to share best practices and trends in the world of cybersecurity and vulnerability management. We dove deep into the future of penetration testing, among other topics. When discussing the evolution of pentesting, he believes strategy is key – and I couldn’t agree more. Taking a strategic approach to security testing is vital. Continue reading to learn why, and for highlights from our conversation.
Do you believe the security mindset has migrated to a more proactive approach today? Or do you think there's more work that needs to happen?
Manish: I think we have become more proactive. Is it working? Hard to say. We have created proactive programs like AppSec and the concept of shifting left for example. We talk about security assessments and consulting, and security is getting involved earlier on projects. We’re making sure that it's not a “stage gate” pentest that occurred to assess a project. We've obviously grown and matured in that regard.
So, what is the right approach? If we're too proactive, we may miss some of the needs for last-minute reviews. A pentest before a go-live for an external facing application, for example, is a good best practice. Ideally, we have good application security processes in place early on – SAST, DAST, whatever scans, plugins, et cetera, to get a better feel of low hanging fruit. It is a tough hill to climb balancing proactive and reactive security, but we are getting better.
Nabil: You mentioned something that resonates well with how I talk about pentesting. Ultimately, people tend to start their security practices with penetration testing as a way to discover vulnerabilities. But I think as you mature, you have to change that mindset to view pentesting as a way to determine how effective our other controls are. Keeping that in mind...
How does penetration testing need to evolve based on the trends you're seeing in the industry?
Manish: I think you and I are on of one mind in this space. I do agree with you 100%, that pentesting has to evolve. The idea of it being a report card or simply finding vulnerabilities, when it should be the sum total of great activities up to that point. For future pentesting, we must do a couple different things.
Organizations should be more thoughtful about their approach. We should be willing to spend the money to threat model down to give proper avenues for pentesting vendors or your internal pentesting team. Organizations are often afraid to engage a pentesting vendor over a long period of time, and we feel we’ve spent too much money pentesting. However, we need to threat model, work with that vendor, and spend time with them to make sure they have enough time and resources to not just find vulnerabilities that are lucky to find, but also business context vulnerabilities.
If I say “you have two weeks to get this done” that is not really a good pentest. Get that vendor in, spend a day with them, have them understand what the actual threat vectors are, understand the important parts of that application and data sets are, what the target would be from an informed, authenticated user, and so on. Then give them time to figure it out. The vendor should be smart about it too. It’s on both sides to be smart about it. It can't be a time box, very slim budget event. It's got to be thoughtful and threat-focused versus, “I have 50k to spend on a pentest.”
I also think that the “shift left” marketing schemes have to come into play. We've got to get better integrated in using scans, using ID plugins, and teaching developers how to code better. We call this a security champions program. Have somebody from the development team join the appsec team and work with them to better understand appsec processes. Then, they go back to the development team and become champions that speak the same language as across teams.
All of a sudden, pentesting becomes an event that clears the scorecard. If you practice good security up to that point, the vulnerabilities you find are more likely to be small efforts versus huge efforts that delay projects from going live. I hope that pentesting matures in that regard – but only time will tell.
Threat modeling can be time consuming, but valuable. Can you share a scenario where you found that threat modeling something, and then using that to drive a pentest or a security activity, was more valuable?
Manish: The first time you do threat modeling is always the heaviest lift. Determining what framework to follow and how to create the process so that it is repeatable is most time consuming. But it does get easier over time if you follow a consistent framework. Especially if you have the same teams involved or a threat modeling champion engaged when a vendor comes in to do the threat modeling engagement.
In terms of a key win or scenario, every time we do it, we find a better way to approach a pentest or improve our security activities. Every threat modeling assessment produces something that is shocking or surprising. I think you should always do it, because there’s always an opportunity to gain a better understanding of your applications and enable better tests.
Essentially, coming in “blind” to do a pentest is rarely as valuable as having more details and information about how the system is architected. Taking an approach where you're enabling your pentesters with as much detail as possible only allows you to get better results. I'm not a big fan of “black box” testing or unauthenticated testing. We should assume that an adversary has deep inside knowledge of the environment, because they likely do. They can buy it or coerce somebody to give it to them – they can get it one way or another. We have to open our eyes to that scenario. We want informed testing and we want detailed reviews. That's how we drive value.
For more on the future of penetration testing – plus, insights on cybersecurity challenges in the utilities sector, consultancy vs. in-house security leadership roles, how to build a security champions program, and more – listen to episode 29 of Agent of Influence, featuring Manish Khera.
[post_title] => Strategic Penetration Testing is the Future [post_excerpt] => Learn why taking a strategic penetration testing approach is vital. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => future-of-penetration-testing-strategy [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:54:15 [post_modified_gmt] => 2023-08-22 14:54:15 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27147 [menu_order] => 278 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [28] => WP_Post Object ( [ID] => 26881 [post_author] => 65 [post_date] => 2021-12-07 16:28:08 [post_date_gmt] => 2021-12-07 22:28:08 [post_content] =>On December 7, 2021, NetSPI Managing Director Nabil Hannan was a featured guest on ITSPmagazine’s Redefining Security Podcast, where they discuss the new OWASP Top 10 2021. Listen below or view online here.
Episode Summary
Every few years, a group of individuals work together to deliver what has become a staple in application security practices: The Open Web Application Security Project (OWASP) Top 10. In the 2021 edition, the team took a fresh look at the data and what it means. Everything changed while staying the same.
Episode Notes
Every few years, a group of individuals work together to deliver what has become a staple in application security practices: The Open Web Application Security Project (OWASP) Top 10. In the 2021 edition, the team took a fresh look at the data and what it means. Everything changed while somehow stayed the same.
The real changes are in how organizations should look at this information and how to use it to make a difference in their application development and information security programs. While data analytics played a huge role in changing the game for the OWASP Top 10 for 2021, it's the humans that will see the outcomes come to fruition. Or, at least we hope.
____________________________
Guests
Diana Kelley
On ITSPmagazine https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/diana-kelley
Andrew van der Stock
On LinkedIn | https://www.linkedin.com/in/vanderaj/
On Twitter | https://twitter.com/vanderaj
Nabil Hannan
On LinkedIn | https://www.linkedin.com/in/nhannan/
On Twitter | https://twitter.com/nabilhannan
Shortly after Thanksgiving, we packed our bags and ventured off to Riyadh, Saudi Arabia for the inaugural @Hack cybersecurity event. We were invited to exhibit at the SecureLink booth, who we recently partnered with to expand NetSPI’s services to the Middle East and Africa (MEA).
Over the past two years, the Kingdom of Saudi Arabia has gone through accelerated digital transformation, driven heavily by its Vision 2030 reform plan. And with this digital transformation, comes expanded attack surfaces and more exposure to cyber threats. This was a key theme and concern during the event – and a large part of why the event was organized in the first place.
It was exciting to see the energy and enthusiasm around technology and cybersecurity (almost as exciting as when we realized that @Hack was synonymous with “attack”). @Hack organizers estimated that more than 14,000 people from 70 countries were in attendance, many of which we spoke to at the NetSPI stand about the state of security in Saudi Arabia, penetration testing, cybersecurity education, cybersecurity jobs, and more.
As we packed up to head to our next destinations, we took time to reflect on our conversations, the people we met, and the key themes we observed on the show floor.
Cybersecurity Maturity in the Kingdom of Saudi Arabia
The Kingdom of Saudi Arabia has only recently focused on transforming their technological infrastructure and has invested in becoming a technological powerhouse in the region. At the conference itself, we saw the use of QR codes, mobile payments, digital sharing of contact information, and more. Although their technology adoption is very high, there is an opportunity for the region to mature its understanding of and focus on cybersecurity challenges.
One of the younger attendees came from Egypt and participated in the “bug bounty” challenge. He came in 2nd place and mentioned how the challenge to him was simple compared to what he was used to in his home country. To us, this indicates that security is not necessarily at the forefront of Saudi Arabia’s considerations when acquiring or deploying technology, and there is some catching up it needs to do to ensure security keeps pace with its technological developments.
We also recognized that most of the cybersecurity work performed is based on what is mandated by the Kingdom of Saudi Arabia government. Penetration testing services are not a large part of that discussion today, but we anticipate security testing activities – pentesting, secure code review, threat modeling, red team, design reviews – will be part of the requirements very soon.
The State of Penetration Testing
At the event, we were surprised to hear that the concept of penetration testing is new to most people and organizations in the region. In many of our conversations, we heard that they were interested in purchasing products and software solutions that could take care of all security concerns. But, as we know, even the largest technology companies can make security mistakes (see: Microsoft Azure CVE-2021-4306).
There were a number of misconceptions about penetration testing that we helped to address at the show. Notably, the difference between penetration testing and simply running an automated scanner tool or a monitoring solution.
The explosion in technology adoption over the last few years has caused many companies to rapidly seek new and innovative security solutions, however, the adoption of pentesting services in the Middle East will be largely driven by regulation.
Youth and Women in Cybersecurity
@Hack brought a diverse group of people together. Students as young as 11 stopped by our booth and were eager to learn from us. It was incredible to see the younger generation’s interest in cybersecurity careers and education. Questions we were asked include, “how can we learn more?”, “where can I find more resources?”, “what resources should I look at to become a pentester?”, and “can you hire me and train me?”
A large portion of those coming into the industry are students who have learned from global online communities, including bug bounties, capture the flag, and online forums. For continued reading, this Arab News article highlights some of the young attendees involved at the event.
Across the globe, there are initiatives to get women more involved in cybersecurity. Cybersecurity Ventures and WiCys predict that women will hold 25 percent of cybersecurity jobs globally by the end of 2021, up from 20 percent in 2019. This was evident @Hack.
Women were equally, if not more, involved at the conference than their male counterparts in terms of communication, interest, types of questions they were asking, etc. The transition to more progressive ideologies in the region has clearly resulted in a large influx of highly educated and motivated women wanting to break into the space.
Overall, the event was a great opportunity to connect and share information with security peers across the globe and we hope they will put on @Hack next year. With our new SecureLink partnership, we’re excited to continue educating the region on the benefits of penetration testing and the value it brings when done well. Want to connect with us at the next big cybersecurity event? We’re heading to RSA Conference in San Francisco, February 7-10, 2022. Schedule a meeting with us!
The number of security controls and activities any given cybersecurity leader manages is continuously evolving. For instance, this year, the Global InfoSec Awards features 212 different categories – from penetration testing to insider threat detection to breach and attack simulation. That’s 212 different technologies or security activities CISOs could be implementing dependent on their needs.
This highlights the importance of taking a step back to recognize the activities making the greatest difference in your security program. AF Group CISO Seth Edgar does just that during our Agent of Influence podcast interview. For Seth, asset management, vulnerability management, and authentication topped his list of cybersecurity best practices.
Continue reading to learn how these security activities are changing the game for Seth and for highlights from our discussion around his unconventional career path, lessons learned from reverse engineering, and cyberattack trends in the insurance space. For more, listen to the full episode on the NetSPI website, or wherever you listen to podcasts.
What have you learned from your experience as a middle school teacher that you apply to your role as a CISO?
Middle school is an area of your life that's memorable for a lot of reasons. As a teacher, delivering materials to students in a manner they can consume is an ever-changing battle. Not only is there the struggle to remain interesting and relevant to a roomful of 12-year-olds, but also understanding how to communicate a complex subject or introduce a new, complex theme. I couldn't stop at relaying the information. “I've put it out there, now it's on you to consume,” was not an effective strategy. I had to make sure that the concepts were reinforced and delivered in a manner they could grasp because my goal was for them to be successful.
As CISO, I'm doing the exact same thing. Most of my job is education and a portion of my job is security, budget, and people management. I'm teaching people why security is important. What is higher or lower risk. I'm talking to executives and communicating the ROI of security. In doing so, I have to gauge on the fly whether they're tracking with what I'm saying, or whether we're going to need to revisit the topic from a different angle.
I get exposure to upper-tier leadership within my organization, but those interactions are limited. They have to be because they're scheduled. It's not like a classroom where I'm with the students every single day. If we missed it today, we'll get it tomorrow – same time, same place. With business leaders I've got to get it right the first time.
Just like in a classroom, you have to get to know the students before you can truly teach them. And at the end of the day, you must make your material relevant and usable for them, make it understandable and draw upon their background. It must also be presented in a manner that makes sense, without oversimplification. All those techniques are exactly what I'm doing right now as a CISO, just with a different body of knowledge. Finding that the balance between simplification and understanding is a challenge, but it's something that I can draw upon from my prior experience and from my undergraduate education to help me communicate complex security topics clearly to my leadership team.
Are there components of what you learned from reverse engineering that you apply in practice today?
I am a big fan of learning by doing. It's way different completing a sample problem than it is touching real software. It is helpful to have a deep technical background to be able to have conversations with technical folks and establish credibility. However, the more important lesson that I pulled from those early days doing reverse engineering is that it's okay to have trial and error. It's okay to make mistakes and learn from them.
As a leader, I don't punish mistakes, we learn from them. If that mistake is repetitive, I'm likely going to move you away from doing that that role within our organization. But mistakes are part of the learning process. They're important. We too often think, ‘I'm not going to do anything because if I screw it up, I'm going to get in trouble.’ That's not how we learn, that's not the way that systems are developed, and it's certainly not the way you have a breakthrough. So, the most important lesson I learned from reverse engineering was learning how to make a mistake, recover, and use it to inform the next steps going forward.
There's been a lot of news recently about the insurance space, such as the CNA Financial ransomware attack. Are there certain attack trends that you're paying close attention to today?
We are watching a lot right now. Ransomware is a high risk and a top-of-mind issue, not only from a perspective of ransomware prevention, but also from an insurance perspective. We don't touch this area much in my role, but cybersecurity insurers are starting to realize that their model may need to change because the risk profile has ramped up significantly. If you look at how ransomware has grown, we have seen this crazy upward trend in financial impact and sophistication – nobody wants to get hit. At the same time, if it is not going to happen to you, it is very likely will happen to a third- or a fourth- or a fifth-party provider. That’s where supply chain security issues come into play.
With COVID-19, many went from a fully on premise workforce to a fully remote workforce almost overnight. There are inherent network risks and security models that bank on a perimeter-centric security. There's a large knowledge exchange that had to happen with groups of people who always report into a building that have maybe never used a VPN or had to do any kind of multifactor authentication before, whereas other people have been doing it for a decade or more. There's going to be that subset of your users that this is the first rodeo they've ever had with remote workforce security protocols.
We've seen interesting scams arise out of this. Wire fraud transfer scams have always been existent but are taking advantage of companies that have changed business models. Attackers try and monetize whatever it is they get their hands on. If I'm an attacker, if I compromise an email account, I want to turn that into some sort of monetization as quickly as possible.
There is one clever attack that I’ve heard described among my peers. Let's say I compromise a mailbox and immediately search for the word “invoice” looking for unpaid invoices. I find out who the sender of that invoice is and create a look alike domain for that sender. Now I spoof that exact user that sent the invoice in the first place and say, “This invoice is overdue and needs to be paid.” It creates that sense of urgency just like a normal attack would and then, you get them to change the wire transfer number. Now they're stuck in a position where they're trying to describe a decently complex attack to probably an under resourced small- to medium-sized business.
Many organizations don't have the capability to view and understand how the user got into their environment and it becomes a game of finger pointing. It's an awkward and difficult situation to be in. This brings up the importance of validating senders and sources. A positive business best practice in this situation would be to reach out and validate the information with a verified contact.
What are the most effective security activities you're implementing today?
The most effective security activities that are changing the game for me have revolved around strong asset management, patching, and vulnerability management practices.
Beyond that, having strong authentication is equally critical. Not only multifactor, but checking system state, user agent strings, consistent source IP, and similar practices. I can know, with relatively simple rule set, whether a log in is attempted with a new IP, device, or if it is a new source for this user’s authentication, and act accordingly. We've seen some incredible progress, just not only in our own development or tooling, but leveraging products we already have available. They're not perfect, none of them are airtight. But it gives us a certain probability or a reasonable level of assurance that this user is who they claim to be – or not.
As mentioned earlier, moving your workforce to remote is a hard problem to solve in areas like vulnerability remediation and patch management. Getting software updated, especially if it was historically on-premise, is a major shift. If you're working with an incomplete asset inventory right out of the gate, you have no indication what your success ratio is. This is an age-old problem that organizations still struggle with today. Whether you have good asset management can tell you whether your security program is successful.
The bright side? Vulnerability management and asset management are areas that can be improved and understanding your attack surface is a good first step. The Print Nightmare vulnerability is a great example of this. Once alerted, having a good understanding of the devices that need to get print drivers locked down on and what devices you need to make changes to rapidly reduce your exposure proved vital in that situation.
What’s next for enterprise security professionals? No one can know for certain, but NetSPI’s expert bench of security pros – pulling from their decades of cybersecurity leadership and daily conversations with some of the world’s most prominent organizations – have a few ideas as to where the industry is headed.
Watch our 2022 cybersecurity predictions webinar, where our panel will tackle some of the most debated topics of the past 365 days and predict how each will evolve in the new year and beyond. Topics include:
- The cybersecurity hiring crisis
- Application security program maturity
- Attack surface management
- The evolution of ransomware
- Cybersecurity budget allocation
- And next generation architectures (see: blockchain)
[wonderplugin_video iframe="https://youtu.be/rLcwnJAO5Qo" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => 2022 Cybersecurity Predictions:What to Expect in the New Year [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => 2022-cybersecurity-predictions-what-to-expect-in-the-new-year [to_ping] => [pinged] => [post_modified] => 2023-06-22 20:39:36 [post_modified_gmt] => 2023-06-23 01:39:36 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=26665 [menu_order] => 45 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [32] => WP_Post Object ( [ID] => 26628 [post_author] => 65 [post_date] => 2021-11-04 09:56:02 [post_date_gmt] => 2021-11-04 14:56:02 [post_content] =>
On November 4, 2021, NetSPI Managing Director Nabil Hannan was featured in an article by TechRepublic:
In the latest effort to combat cybercrime and ransomware, federal agencies have been told to patch hundreds of known security vulnerabilities with due dates ranging from November 2021 to May 2022. In a directive issued on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal and executive branch departments and agencies to patch a series of known exploited vulnerabilities as cataloged in a public website managed by CISA.
The directive applies to all software and hardware located on the premises of federal agencies or hosted by third parties on behalf of an agency. The only products that seem to be exempt are those defined as national security systems as well as certain systems operated by the Department of Defense or the Intelligence Community.
All agencies are being asked to work with CISA's catalog, which currently lists almost 300 known security vulnerabilities with links to information on how to patch them and due dates by when they should be patched.
...
Within 60 days, agencies must review and update their vulnerability management policies and procedures and provide copies of them if requested. Agencies must set up a process by which it can patch the security flaws identified by CISA, which means assigning roles and responsibilities, establishing internal tracking and reporting and validating when the vulnerabilities have been patched.
However, patch management can still be a tricky process, requiring the proper time and people to test and deploy each patch. To help in that area, the federal government needs to provide further guidance beyond the new directive.
"This directive focuses on patching systems to meet the upgrades provided by vendors, and while this may seem like a simple task, many government organizations struggle to develop the necessary patch management programs that will keep their software and infrastructure fully supported and patched on an ongoing basis," said Nabil Hannan, managing director of vulnerability management firm NetSPI.
"To remediate this, the Biden administration should develop specific guidelines on how to build and manage these systems, as well as directives on how to properly test for security issues on an ongoing basis," Hannan added. "This additional support will create a stronger security posture across government networks that will protect against evolving adversary threats, instead of just providing an immediate, temporary fix to the problem at hand."
Read the full TechRepublic article here: https://www.techrepublic.com/article/us-government-orders-federal-agencies-to-patch-100s-of-vulnerabilities/
[post_title] => TechRepublic: US government orders federal agencies to patch 100s of vulnerabilities [post_excerpt] => The Cybersecurity and Infrastructure Security Agency is maintaining a database of known security flaws with details on how and when federal agencies and departments should patch them. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techrepublic-us-government-orders-federal-agencies-to-patch-100s-of-vulnerabilities [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:47 [post_modified_gmt] => 2022-12-16 16:51:47 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26628 [menu_order] => 312 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [33] => WP_Post Object ( [ID] => 26557 [post_author] => 65 [post_date] => 2021-10-19 07:00:00 [post_date_gmt] => 2021-10-19 12:00:00 [post_content] =>Being a cybersecurity leader is not for the faint of heart. The increasing sophistication of adversaries and number of successful breaches puts significant pressure on security teams today. For advice, I invited Pacific Northwest infosec leader David Quisenberry to join me on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management.
During our conversation, David shared four ways he’s approaching cybersecurity leadership today by:
- Tapping into his wealth management experience.
- Collaborating across the organization.
- Working closely with his local security community as the president of OWASP Portland, Oregon.
- Creating a solid network of mentors.
Continue reading for highlights from our conversation around wealth management, collaboration mentorship, OWASP Portland, and more. You can listen to the full episode on the NetSPI website, or wherever you listen to podcasts.
Can you tell me about your career transition from wealth management to cybersecurity?
David Quisenberry: The decisions you make, the careers you go down, the things you do – everything's interrelated and connected. There are some differences, but there are also a lot of similarities. In wealth management, you deal a lot with risk tolerance. Like companies, when someone is just starting off as an investor, they don't have a lot of money and they're much more willing to take on risk and do things that a more established person, family, or trust might not do with their money because they have a fiduciary standard to make sure that they invested wisely for all the beneficiaries.
Again, like companies, when they're building out their foundation of revenue, security may not be as front and center to a lot of the decisions that get make. But as companies grow, a lot of enterprise corporations view security and risk tolerance much differently. They want to understand all the risks that go into each decision they make as a business. Risk tolerance is a similar theme.
Another thing that's very similar between the world of wealth management and the world of cybersecurity is you’re always reading, always studying. As a wealth manager, you're constantly keeping up to speed on all the trends with global investment flows, global economics, and mutual funds. That obviously translates into the security world where you're reading and learning things all the time.
Lastly, convincing others to take action. As a wealth manager, there's this tension, especially if you're working with families where you want them to save as much as possible so that they can have a lot of money in retirement for their kids, for their charities. They care about their future self, but they also want to live life. There are these tensions, and you have to convince someone to spend their dollars one way versus the other. This is very similar to security work with developers, product owners, product managers, et cetera. It's a constant game of understanding all the various priorities and working together to identify that sweet spot of paying security debt, staying on top of future security debt, as well as getting other features built to drive your business forward.
You are taking some unique approaches to better collaborate across different teams within your organization. Can you share with us the approach you're taking? Are there things that worked well or not?
David Quisenberry: One of the philosophies I have about most things is “relationships first.” As an information security manager, I've tried to take the approach of being available and approachable. If somebody sends me a question or an email, most of the time I will drop what I'm doing so that I can answer them in that moment. Even when people get frustrated with me, I take the opportunity to take a step back and think, “We have a tension right now. But they're thinking about security. What's not clear? How do I communicate the why?” If I can accurately explain the why, it's going to help so much. I try to take that relationship first approach, identify those early wins, and set clear expectations of what is a milestone and then celebrate those when we hit them.
It’s important to have regular monthly meetings with the scrum masters with the various leadership teams for the different products, engineering managers, project managers. I encourage them to ask questions and know that we're going to have an opportunity to dig into things. To prepare for those meetings, we have a working agenda that both parties can add to, and I also try to give visibility into data and analytics.
As the president of the OWASP chapter in Portland, how did you get involved with the community? And what are some interesting things that you're doing that might be different from other chapters?
David Quisenberry: David Merrick introduced me to the chapter. I started going to the chapter meetings whenever I could. Around late 2018/2019, I started being mentored by the previous chapter President, Ian Melvin, who's been an amazing mentor and really helped me along in my progress. He got me more involved on the on the leadership side.
What I found is most OWASP chapters have leadership that have been laboring hard for a long time to keep the chapter going. If you're willing to help bring in speakers, engage in membership, promote social media activity, or think of topics to present, they'll open up. Especially if you prove yourself and that you can deliver on it. What I found with the Portland chapter was that, as I started getting involved, we needed to meet developers where they're at.
We did a lot early on when I took over as president of the Portland OWASP chapter. We built out a mentorship program where we had around 24 people with varying skill levels meeting regularly. We really ramped up our social media presence, specifically Twitter and LinkedIn. We used meetup.com which helped us solidify returning visitors and provided an easy mechanism for people to RSVP to our monthly meetings. By the end of 2019, we were close to 50-60 people per meeting. And we brought in a lot of great speakers.
And then then COVID-19 hits, and suddenly you can't meet in person anymore. We had to do everything virtually, but we were able to continue our path of monthly, or bi-monthly meetings. We also have another thing that we do as a local chapter, which is study sessions. More hands-on, shorter sessions or labs and then 40-minutes hands on keyboard. Working with Burp Suite or Wireshark. You name it. We started a podcast in late 2019 and that's been super successful. We had 6,500 listeners or so over this last year and some interesting guests. We're also exploring some other opportunities for cybersecurity training with other chapters. We’ve been trying to collaborate more with the chapters around us and that's been going quite well.
NetSPI’s Portland, OR office is growing. Check out our open cybersecurity careers in PDX!
I wouldn't be where I am today without my involvement with OWASP. If you're interested in truly excelling and expanding your horizons in the security space, these community meetings and chapters really pay dividends in the long run. I'd be curious to get your perspective on any guidance you have on how to choose a mentor that's right for you?
David Quisenberry: The first thing I would say is don't have one mentor. And I think of it almost as a personal board of directors. For myself what I want is people from across the spectrum. So, business leaders, engineering leadership, security leadership, different types of security leadership. I want 4-10 people that I talk with quarterly, some people more often. I want to be able to have multiple perspectives to bounce ideas off when I'm having a hard time with something at work or a moral decision I need to make or just trying to understand what is normal or what is acceptable.
One of the big things that I always try to push with my mentors is what are you learning? What are you reading? What are the things that you go back to time and time again? There is a saying that I always think about: “If you dig, you get diamonds.” Where can you dig to get diamonds? With mentors, I try to have a lot of people, I try to be real with them, and make it clear that this is only between us. And I also try to pay it forward. I want to help people and lots of people have helped me.
There is a book by Keith Ferrazi I read a long time ago, it's called Never Eat Alone. It's all about how people like to help people. We're all hesitant to ask for advice or ask for help. But the most successful people ask for help all the time. As humans, we like to help each other. His whole thing is to find out what you want to do and where you want to get, and then build a relationship action plan to move your way there. He's also big on building your network before you really need it. If you're in a job hunt, and you're trying to build your mentorship, or mentor platform at that point in time, that's going to be hard to do. But if you're in career, and you start building that network, and you don't need to use it for a couple years, by the time you do need to use it those people will know that you're genuine and know who you really are. They'll be more than willing to help you.
For more, listen to episode 23 of Agent of Influence. Or, connect with David on LinkedIn or listen to the OWASP Portland podcast.
Overview
Supply chain security, vendor risk management, third-party security. Each of these synonymous cybersecurity terms has become widely used, thanks to the increase in the exploitation of threat vectors from outside of an organization.
So, what can software vendors and third-party technology partners do to ensure they don’t become the weak link in the supply chain?
In this webinar you’ll get two different viewpoints on supply chain security from two NetSPI team members, Field CISO, Nabil Hannan, who will explore the topic from the software development perspective, and Managing Director, Chad Peterson, who will approach it from a business risk perspective.
- Their differing views on supply chain security
- The anatomy of a supply chain attack
- Considerations and best practices for securing the supply chain
- How vendors can get proactive to show potential partners that they are NOT the weakest link
- The future of supply chain security
Key highlights:
- 1:27 – Defining the supply chain
- 2:54 – Supply chain and risk
- 5:15 – Anatomy of a supply chain attack
- 14:50 – Proactive measures to protect against supply chain attacks
- 29:53 – What’s next with supply chain security?
Defining the supply chain
When it comes to supply chain security, it’s important to look at it from two sides – business risk and insider threat.
Business risk includes:
- Critical assets and intellectual property
- Internal risk programs
- Business partners
Insider threat includes:
- Internal software development
- Unique capabilities of the adversary
Supply chain and risk
From a business risk perspective, the supply chain landscape has changed substantially over the years.
Here are some of the key motivators of change:
- Perimeter transparency: Today’s environments extend well beyond the traditional brick and mortar business, with cloud and software as a service and remote work now being the norm.
- Reliance on business partners: Organizations today are relying on partners to support essential pieces of their business, including business processes, infrastructure, and application development.
- Increased attack surface: Outsourcing and the transparency of the perimeter have resulted in a loss of control for internal security teams. Additionally, external and internal environments have become blurred and there’s now an increased emphasis on privileged access.
As a result of this changing landscape, the anatomy of attacks has evolved for many organizations.
Some of the ways in which attacks are changing include:
- Island hopping: Because companies are doing a better job of protecting their own environments, attacks are no longer exclusively focused directly at the organization, but rather within the supply chain. Emerging attack methods include network-based, reverse email, and watering hole attacks.
- External motivations: Organizations are increasingly outsourcing their software development for cost savings and to have additional resources to expedite and accelerate software development. To support this, more software developers are being hired from outside the U.S., which can pose challenges with managing insider threats in the supply chain.
- Internal motivations: It can be challenging for organizations to know for certain that when they hire developers, they’re not malicious and that they’ll truly perform the work they’ve been hired to do. Another related concern is when U.S.-based employees outsource their own software development jobs to developers in China or elsewhere, which can give individuals outside the company access to an organization’s code or other sensitive data. Many organizations don’t have a full picture of what’s happening within their company, which can pose supply chain security risks in the long run.
Traditional malware vs. malicious code
A key piece of effective supply chain security is understanding the differences between traditional malware and malicious code.
- Traditional malware is installed on systems from external sources, usually downloaded through different attack vectors like phishing, and is a result of outside attackers trying to compromise systems at a larger scale, such as sending a phishing email to thousands of people at once, hoping at least someone will click on it.
- Malicious code is code is much more targeted and inserted into software that’s built internally, usually inserted by an internal employee, and looks and feels like regular, non-malicious code. Internal adversaries include different types of employees, such as software developers, administrators or operations team members, and change management team members, all of whom have access to internal systems.
Proactive supply chain security measures
While the supply chain threats that businesses face today are significant, there are some proactive measures organizations can put in place to ensure supply chain security is effective.
Consider the following proactive measures at your organization:
- Security awareness training: Ensure you’re training your staff on security best practices to follow. Have a process in place for the training to be provided to all new employees, as well as an annual refresher training with all employees.
- Policy and standards adherence: Implement organizational policies and standards that are a reflection not only of best practices, but are followed and in line with business processes.
- Vendor management: Assess all new vendors using a risk-based vendor management program. The program should also address retesting vendors in accordance with their identified risk level.
The three proactive measures outlined above are some of the foundational steps your organization can take to elevate your supply chain security. Some of the other critical components to consider bringing in to improve supply chain security include attack surface management, penetration testing, and red team exercises.
What’s next in supply chain security?
When it comes to internal software development and associated risks from a supply chain perspective, the next steps to take after identifying malicious risk are not as simple as some may think. The reason it’s not straightforward is because the typical vulnerability escalation process now includes the adversary, because internal resources are seen as potential threats. As a result, “just fix the vulnerability” isn’t a viable mitigation strategy and organizations need to instead define governance the process and controls around managing malicious code.
Malicious code risk mitigation steps can range from rather benign to very serious and may include:
- Suspicious, but not malicious
- Circle of trust invitation
- Passive monitoring
- Active suppression
- Executive-level event
NetSPI’s supply chain security capabilities
Leading businesses trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect and remediate vulnerabilities.
Learn more about how our Attack Surface Management, penetration testing, and red team testing capabilities can help identify where security gaps exist in your software supply chain. Connect with an expert team member by scheduling a demo today.
[wonderplugin_video iframe="https://youtu.be/xBYMzqZd4eA" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => How NOT to be the Weakest Link in the Supply Chain [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-not-to-be-the-weakest-link-in-the-supply-chain [to_ping] => [pinged] => [post_modified] => 2023-09-01 07:05:14 [post_modified_gmt] => 2023-09-01 12:05:14 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=26525 [menu_order] => 46 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [35] => WP_Post Object ( [ID] => 26522 [post_author] => 65 [post_date] => 2021-10-04 14:11:00 [post_date_gmt] => 2021-10-04 19:11:00 [post_content] =>On October 4, 2021, NetSPI Managing Director Nabil Hannan was featured as a guest contributor for TechTarget:
Software and applications are present in everything from consumer goods to medical devices to submarines. Many organizations are evaluating their application security, or AppSec, to ensure their strategies are mature and not vulnerable to cyber attacks.
According to Forrester Research, applications remain a top cause of external breaches. The prevalence of open source, APIs and containers only adds to the complexity of the problem.
Most organizations struggle to understand how to approach AppSec program maturity. Given many organizations have switched from Waterfall to Agile in their software development lifecycle (SDLC), practitioners are asking, "How do we continue to evolve our AppSec programs?"
Roadmaps can help navigate these issues. Organizations looking to develop mature programs need to be mindful of inherent team biases. For example, if the AppSec team comes from a pen testing background, the program may lean toward a bias. If the team is experienced in code review, then bias may shine through, too. While both disciplines are important and should be a part of an AppSec program, the experiences may cause bias when a more objective approach is needed.
Many mature AppSec frameworks exist, but a one-size-fits-all approach is not going to work. Every organization has unique needs and objectives around thresholds, risk appetite and budgets. This is largely why prescriptive frameworks, such as Microsoft Security Development Lifecycle, Software Security Touchpoints or Open Software Assurance Maturity Model, are not the answer. It's best to tailor roadmaps on the specific needs and objectives of a particular organization.
5 principles for implementing an AppSec program
These five tenets can serve as a guide for implementing a mature AppSec program.
- Make sure people and culture drive success
- Insist on governance in the SDLC
- Strive for frictionless processes
- Employ risk-based pen testing
- Determine when to use automation in vulnerability discovery
Read Nabil's 5 principles for AppSec program maturity on TechTarget's SearchSecurity: https://searchsecurity.techtarget.com/post/5-principles-for-AppSec-program-maturity
[post_title] => TechTarget: 5 principles for AppSec program maturity [post_excerpt] => Applications remain a top cause of external data breaches. Follow these five principles to achieve application security program maturity. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-5-principles-for-appsec-program-maturity [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:50 [post_modified_gmt] => 2022-12-16 16:51:50 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26522 [menu_order] => 321 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [36] => WP_Post Object ( [ID] => 26519 [post_author] => 65 [post_date] => 2021-10-04 05:00:00 [post_date_gmt] => 2021-10-04 10:00:00 [post_content] =>NetSPI Managing Director Nabil Hannan sat down with BBC World News anchor Lewis Vaughan Jones on October 4, 2021 to talk about a global social media outage. Nabil discusses the current state of the world's software ecosystem, what it means for modern businesses, and the potential of a passwordless world.
Watch the clip below:
Building an application security (AppSec) program that stays current is no easy feat. Add to that the ubiquity of software and applications in everything from consumer goods to medical devices to submarines.There is an increasingly urgent need for organizations to take another look at their AppSec strategies to ensure they are not left vulnerable to cyberattacks and continuously measure and improve their program maturity.
Heads up: Building a world-class, mature AppSec security program is something that needs to be accomplished in phases. It will not happen overnight. A great deal of foundational work needs to be in place before an organization can achieve positive results.
When analyzing AppSec programs, we often find a number of sizable gaps in how vulnerabilities are managed as well as opportunities for improvement, especially related to security processes around the software development lifecycle (SDLC). Addressing these issues and harmonizing the various security processes will help give organizations the capability and vision to identify, track, and remediate vulnerabilities more efficiently, eventually elevating the organization to the level of maturity it seeks.
Following is a checklist to help organizations think through the issues around AppSec maturity to build a program that produces valuable security results.
Ensure Your Security Practices are Current
Given how rapidly application development techniques and methodologies are transforming – and the rate at which software is developed today – companies need to ensure that their security practices are staying current with the ever-changing pressures around compliance/governance, software deployment, DevOps, SDLC, and training. Understanding the current level of maturity and developing a data-driven plan to evolve your AppSec program is key to the success of an organization’s security efforts.
Leverage Real World Data to Benchmark Your AppSec Program
Put a stake in the ground and objectively determine the status of your AppSec program. Comparing your organization’s program with real world data across multiple business verticals will help augment your efforts and determine areas that require focus. Base your security decision on your specific business needs andlessons learned from other mature programs in your industry.
Put Roadmaps in Place to Prioritize and Allocate Resources
The AppSec and software engineering teams within an organization should constantly partner to evolve and improve the AppSec posture for all software assets. This collaboration will help determine how to improve upon current efforts while uncovering additional activities that should be adopted to meet business goals. Putting in place a formalized roadmap for this collaboration allows an organization to better prioritize its business initiatives, budgets, and resource allocation while reducing the overall AppSec risk faced by the organization.
Roadmap stipulation: Use caution and watch for bias. Organizations that are serious about developing a mature program need to be mindful that there may be inherent team biases based on familiarity. For example, if the AppSec team comes from a penetration testing background, the program may lean toward a pentesting bias. Is the team’s experience in code review? Then that bias may shine through. While both disciplines are important and should be a part of an AppSec program, my point is that there may be bias when a more objective approach is needed.
Also understand that there are many frameworks to mature application security. A one-size-fits-all approach is not going to work because every organization has unique needs and objectives around thresholds, risk appetite, and budget availability.
Insist on Governance in the SDLC
Setting up governance within the SDLC is critical. Why? If security teams don’t define what they are trying to accomplish or what security looks like within the SDLC process, it leaves too much ambiguity for who is accountable. Creating governance around SDLC will also help define where an organization needs to build in testing, both manual and automated, from a vulnerability discovery perspective.
Track Your Progress; Benchmark Your Efforts Against Your Peers
Benchmarking your AppSec program by leveraging industry standard frameworks allows you to measure AppSec program maturity consistently and objectively, and make informed decisions based on your business objectives.
Benchmarking scorecards, supported with visuals, enable high-bandwidth conversations with your organization’s leadership team and provides an opportunity to showcase the positive influence that your AppSec program is having on the organization’s business goals. Additionally, you can leverage data from your benchmarking efforts to compare your efforts to others within your peer vertical group, and other business verticals that are also leveraging the same industry standard AppSec framework.
Employ Risk-Based Application Penetration Testing
When looking to mature an AppSec program, organizations should view application penetration testing as a gate validating that everything implemented in the SDLC is working, not just a discovery of vulnerabilities. Pentesting services should be the method used to determine the effectiveness of your secure SDLC and all the automated and manual processes implemented. Oftentimes, organizations will approach this concept in the reverse by starting with penetration testing.
Additionally, having a dynamic pentesting platform that offers data points and risk scores aids in objectively identifying where AppSec is immature and what needs to be prioritized to remediate vulnerabilities that present the greatest risk.
Determine When to Use Automation in Vulnerability Discovery
To build an optimum, mature AppSec program, it is important to determine when it is best to use automation in vulnerability discovery and when to employ manual penetration testing. In short, an effective AppSec program includes the ability to manage and employ threat modeling, manual penetration testing, and secure code review, augmented with automated vulnerability discovery tools that are deployed at various phases of the SDLC process.
For example, automatic testing like dynamic scanning, static analysis, and interactive security testing may be sufficient day to day, but manual penetration testing is warranted when significant architectural changes or technology upgrades to software systems are made. Finding balance in vulnerability discovery is important. It isn’t an either/or.
Vulnerabilities found in production cost roughly $7,600 to fix – 9,500% more than the $80 it would cost to fix those same vulnerabilities when they are detected early in the development process.
– WhiteSource reporting on a joint study by IBM and Ponemon Institute
Insist on Metrics for Proper Data and Analysis
Consistent, timely, and accurate DevSecOps data measurements are important feedback for any organization to capture and analyze as it looks to govern development operations. Quality metrics (numbers with analysis and meaning in context) can ensure visibility, accountability, and management of software security initiatives. Proper application security program metrics allow you to articulate the AppSec program’s value to your organization’s leadership. The benefit? Being able to properly evangelize the value of your AppSec effortsmakes it easier to procure funding and improve the security risk posture of your organization. Additionally, understanding the data at hand to be able to answer contextualized business questions allow for better strategic decision making.
Maturity Attained: Be an Ambassador
What does an organization do once it determines its AppSec program is mature? First, decide if a mature program is a long-term goal. Obviously, security always needs to be a priority, but ongoing maturity programming can be expensive and time consuming. Secondly, there will undoubtedly always be areas that require more attention. While addressing them, I encourage organizations to share their program successes with the broader market. Become a leader and use AppSec maturity as a differentiator that can drive customer and team member goodwill, brand differentiation, and market leadership.
[post_title] => A Checklist for Application Security Program Maturity [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => checklist-application-security-program-maturity [to_ping] => [pinged] => [post_modified] => 2023-04-07 09:19:32 [post_modified_gmt] => 2023-04-07 14:19:32 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26360 [menu_order] => 326 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [38] => WP_Post Object ( [ID] => 26333 [post_author] => 65 [post_date] => 2021-08-31 07:00:00 [post_date_gmt] => 2021-08-31 12:00:00 [post_content] =>When the term “reality check” is used, it’s intended to get someone to recognize the truth about a situation. In a fast-moving industry like cybersecurity, reality checks from its leaders are necessary. Thinking pragmatically about the solutions to our biggest challenges helps drive the industry forward.
I recently sat down with Splunk global advisory CISO Doug Brush on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management. During our conversation he shared three major cybersecurity reality checks:
- Most tools out there are going to be part of the picture, but they're not going to solve everything. The slow progression of incident response today is not a technology problem.
- Chinese-based organizations, such as DJI Drones and TikTok, have much in common with the Bay Area tech community. We have a lot to learn from them.
- A top-down mentality must be applied to mental health in cybersecurity. Prioritizing mental health should be adopted at the C-Suite level.
Read on for highlights from our conversation around the evolution of incident response, security practices at Chinese-based organizations, mental health in cybersecurity, and more. You can listen to the full episode online here, or wherever you listen to podcasts.
Nabil: You've done many different incident response investigations. How that has that evolved over time – or over the course of your career?
Doug: I wish incident response has evolved more. I would say it's a slow evolution. Early on, it was very manual process to parse things. Say if you're doing dead box forensics, or even memory forensics to a large degree, there weren’t tools that could automate some of those processes.
By no means is a tool an answer to all problems, but it's going to help build efficiencies if you understand the process. We had to deconstruct things in hex editors, it was a very manual process and took a very, very long time. Now, you can script automate a lot of those and these tools can build databases – so that’s gotten better.
When I see things like the SolarWinds incident, we focus on the TTPs around how somebody gets in. And once they get in, they move laterally, privilege escalation, build backdoors, get domain, get other accounts, and build this persistence mechanism. We've been tracking this since 2006/2007. There's nothing new about it. And that's the frustrating part to me. While we think some of the technologies evolved to allow us to be more efficient, some of the root things that we should be looking for, we are not. I think there needs to be a greater focus on detection and response and building our response capabilities, as opposed to an afterthought past defense.
Nabil: Is there a reason why that hasn't happened yet, or why it's taking so long?
Doug: It's hard. And it's not a technology problem. I work for a technology vendor, I would like to say. “we're the best in the world and we can stop everything, detect anything,” but that's not the reality. Most of the tools out there are going to be part of the picture, but they're not going to solve everything.
When you look at the entire security operations, it's going to be people, process, then technology. Technology is only a small percentage, it's not your entire program. We get really excited about cool, new shiny objects. We all go to Black Hat and RSA, and we all pat ourselves on the back that all these new things are coming out. The reality is that we're solving the same problems we saw 30 years ago. We don't have good asset inventory. We don't have visibility of our environments.
Nabil: Let's shift gears to talk about a topic that I quite enjoy. I would love to learn about your work with various Chinese based organizations – DJI Drones and TikTok. In particular, what do you think about the privacy and security concerns that people bring up about using their technology?
Doug: It gets overly politicized at times. Inevitably, the Chinese government has their agenda, and I would add the blanket statement that there are also a lot of Chinese companies that don't necessarily align with how the Chinese government operates. Some of these companies I've talked to have said, “You folks in the U.S. think we're the enemy and think we're stealing all this data. But we're just a startup.”
The thing that surprised me most in Shenzhen was that the tech center reminded me of the Bay Area. It was very westernized and had a startup vibe with many young professionals. That's the fallacy that we have: they’re against us. We don’t realize how much we have in common. They have a distrust of their government, just as we have a distrust of our own government. They have a mentality of “trust but verify” more than we appreciate. They have some built out documented and thoughtful programs when it comes to governance and organization.
In reality these companies are trying to create cool products just as we are. The reason DJI Drones became so popular is because they work really well. They built a vertically integrated manufacturing process where they weren’t using third parties – they had control over their supply chain. They manage third party risk well in advance. There are a lot of things that these organizations do that allow them to be competitive in the capitalistic and development space that we need to learn from.
We have to change this mindset that, because you’re in a specific country, you have to share the viewpoints of whatever the loudest political party is at that time. We need to try to look at things in a more pragmatic and realistic way.
Nabil: You're a big advocate for mental health. It's a huge issue and an area of focus today in the security industry, especially due to things like staffing shortages and burnout. What advice do you have for security leaders when addressing mental health?
Doug: Yeah, it's a tough one, there's no doubt about it. The last few years have been particularly tough, but it’s an issue that's been coming up for a long time that we don't talk about enough. First of all, we need to have honest and frank discussions about it. There was a nominated study in 2019 that looked at global cybersecurity professionals. 91% of the CISOs surveyed said that their stress levels were suffering and 60% felt really disconnected from their work role. In the U.S., almost 90% of CISOs have never taken a two-week break from their job. And a lot of them feel that a breach is inevitable in their environment.
We talk about top-down security and top-down leadership, which should go for mental health too. It has to be something that is adopted at the board and C-Suite level. Leaders should recognize that they’re only as good as the people that are working for them… when they're at their best. Humans aren’t batteries, you can't just revolve through them. The cost of acquiring the good cybersecurity professional right now is very high and CISOs are even harder to find and you don't want to be churning through these people. Continuously hiring people, training them, and getting them onboarded, increases the cost and reduces efficiencies. We need to change this idea of how we hire.
I would say it's changed since I started in consulting. It was very easy to continue this idea that you had to work 80-90 hours a week. More of the folks that I've hired in the past decade or so have focused on balancing mental health. We shouldn’t expect someone to work overtime each week if we want the best from them. Happier staff results in better work, more efficiencies, higher employee retention – which, in turn, results in happier customers and more top line revenue.
When people feel the best, they perform at their best. This idea that it's mental health versus business is a zero-sum game. If we construct that from the leadership level down and appreciate the fact that you can do more to retain your employees by giving them a better self-care environment, they're going to be better employees for you. Investing in employee health, mental health, and wellbeing is non-negotiable.
Nabil: Can you also share a little bit about the neurodiversity initiatives you're supporting at Splunk?
Doug: The mental health aspect is just one part of the neurodiversity journey. When we talk about diversity in the workplace it should also include neurological differences like autism, ADHD, mood, and other functions. These have historically been viewed with a negative perception, but they’re just natural variation in the human genome. These folks have exceptional abilities alongside what is traditionally been viewed as a “disability.” Recognizing that it’s not something that needs to be fixed is a shift that needs to be adopted and supported.
Instead of saying, “thou shalt think like we do,” it's this idea that a diverse mental environment is going to give you more candidates, and probably a better output. When I've had a diverse staff and we all get in the room, I don't get affinity bias. My greatest fear is that I'm going to build my own echo chamber of people telling me what I want to hear. We need diversity in thought to increase better output for our customers. You’ll find that you get a better outcome overall when you bring a lot of different people to the table.
For more, listen to episode 33 of Agent of Influence. Or, connect with Doug on LinkedIn, Twitter, or listen to his podcast, Cyber Security Interviews.
Cybersecurity leaders hold one of the most difficult positions today, as they’re often tasked with protecting an entire organization from sophisticated threats with limited resources. I recently sat down with founding partner and CTO at Security Curve Diana Kelley on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management, to discuss key challenges and opportunities security leaders face today. Read on for highlights from our conversation around communicating cybersecurity ROI, building an application security program, inclusivity in the cybersecurity industry, and more.
Nabil: Connecting and conveying a particular message to the C-suite is a common challenge across the security industry. What has worked well for you when communicating ROI or asking for budget from leadership?
Diana: Cybersecurity ROI can be tough to communicate. First, remember, if you're going to the executives or presenting to the C-suite, you have to look at the world through their lens. We tend to, as technical people, look at it through our lens – which is okay for our understanding, but it is the fiduciary responsibility of the stakeholders of the company to make it profitable. It is important to always think about that, think about how security translates to profitability. Do not go into a leadership or board meeting with technical detail, go in there with “this is what it means” or “this is how it impacts our bottom line.”
Second, do not dismiss the fact that their lens is different, as if it is somehow denigrated. The craziest thing I’ve experienced was a technical person in front of a board of directors say, “I'm the risk expert here.” They may have been the technical risk expert, but they didn't understand that the job of the board is risk assessment. It's a different lens of risk assessment, focused on business and profit, but it's still risk.
People always say to speak in the language of business. The way to do this in practice is to remember their lens of profitability, remember that risk is about business risk, and then tie your technical risk in a business way that isn't deeply technical, but is very strong and powerful. You can also share examples, such as, “Did a similar customer lose money due to a competitor having the same problem?” or “Is there new legislation coming down the pipeline that's going to change our implementation and strategy?”
Finally, do not forget to engage leadership in the decision-making process. You want to avoid being demanding, which often happens after a breach or audit. Early on, engage with leadership and communicate the security issues, what it could mean to your profitability, and explain how the security team can help improve or protect the business in the future. Most importantly, ask if they agree that the investment is a good way to spend the organization’s money and ensure you have a consensus.
Nabil: Let's talk about application security. What insight would you give people as they try to decide what frameworks they should use and how to navigate the different options out there?
Diana: Organizations must get an application security program in place – a secure software development lifecycle (SSDLC). This is the most critical part. As far as frameworks go, BSIMM is a good option to understand what other companies that look like you are doing in terms of application security. It allows organizations to have a maturity model to build towards.
Have a framework in place to start implementing an application security program, create standards for your developers, and start application security testing early on. Identify your application security requirements and understand the threat model so that you can start to build and think about the test harness as soon as possible. It's more important to start implementing rather than focusing on which framework you choose.
It concerns me that now we're getting into this big shift in the enterprise where we're no longer writing code from the ground up, we're doing a lot of low-code no-code. This is fantastic in terms of what we're able to build and how quickly we're able to build it. But companies that are now creating low-code no-code solutions are using a lot of functions and libraries and they are not thinking about it as custom-built code.
I've heard many times, “we don't actually build any applications.” Then, you start talking to the company and you find out that they have many scripts that are pulling in functions from the cloud, they're using cool tools like Zappy or Airtable, but they're giving access into parts of their data sets, and they don't realize those scripts are code. I'm hopeful that companies don’t solely have an application security program in place, but also an understanding that they need to extend this program to the low-code no-code serverless world that we are moving towards.
Nabil: A lot of the work that you do is focused on inclusivity in the security industry. What advice do you have for security leaders looking for new talent?
Diana: With Women in Cybersecurity (WiCyS) specifically, we’re very focused on bringing women into cybersecurity, but there are many different non-profits out there that are looking at cohorts and sectors that have not been involved in cybersecurity in the past. I think security leaders could benefit from getting involved with these organizations to look for internships for externships.
It's very common for leaders to say, we can't find any diverse talent and we had to hire somebody who looks like everybody else because there were no other candidates. Often, it's not that you didn't look far enough or hard enough. And that may be because they're not in your network. If your network doesn't extend out broadly to different groups of people, then work to expand it.
Be open to people that may not have college degrees, as every job in cybersecurity doesn't necessarily need a four-year liberal arts degree. Maybe there is somebody who has recently graduated from high school that's completed the right training. Rethink what you know, how you're hiring, who you're hiring, open that aperture wider, and work with those communities that are encouraging inclusivity.
Another tip is to think critically about how you’re writing job descriptions. There is research that shows that women will not apply for a job unless they match about 90% of the criteria or higher, whereas men will apply if they only match 50%. If you write a job description that includes every experience and skill under the sun because you want to get great resumes, what you’re actually doing is turning off the candidates who are reading that job description and believe that, if they don't have 90 percent or 100 percent of the criteria, they're not going to be eligible for the job. Rethink your job descriptions: do not gender the job descriptions and make sure that they're not overstuffed. Write it for what are you looking for and focus on what is important. You’ll be surprised at the resumes it brings in.
On July 16, 2021, NetSPI Managing Director Nabil Hannan was featured as a guest contributor for TechTarget:
At the end of the day, for those of us on DevSecOps teams, it is all about managing risk, even in the highly regulated healthcare industry. Compliance around medical records and privacy concerns is a driver, so development and security professionals must take aggressive steps to prioritize risk management as the healthcare industry continues to be a frequent target of bad actors. According to Gartner, the worldwide end-user spending on public cloud services is forecasted to grow 18.4% in 2021 to a total of $304.9 billion, up from $275.5 billion in 2020. "The pandemic validated the cloud's value proposition," Gartner Research Vice President Sid Nag said.
The monetary loss from cybercrime goes beyond just affecting healthcare with an estimated $945 billion cost in 2020, according to McAfee. For those working in the healthcare industry, realize that a 2020 breach analysis report by IBM and Ponemon Institute found that healthcare breaches were the costliest. In other words, not managing risk is expensive.
Gartner also reported COVID-19 forced organizations to preserve cash and optimize IT costs, support and secure a remote workforce, and ensure resiliency. And the cloud became a convenient means to address all three. If this scenario sounds familiar to your organization, the following are four insights to consider that will help to protect data in the cloud.
Read Nabil's 4 tips for secure cloud migration on TechTarget's SearchSecurity: https://searchsecurity.techtarget.com/post/4-healthcare-risk-management-tips-for-secure-cloud-migration
[post_title] => Tips for a secure cloud migration for Healthcare [post_excerpt] => From improving the security posture and updating threat modeling to securing cloud data, learn about four risk management tips for healthcare organizations migrating to cloud. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-4-healthcare-risk-management-tips-for-secure-cloud-migration [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:16:41 [post_modified_gmt] => 2023-08-22 14:16:41 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25942 [menu_order] => 341 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [41] => WP_Post Object ( [ID] => 25569 [post_author] => 65 [post_date] => 2021-06-15 07:00:00 [post_date_gmt] => 2021-06-15 07:00:00 [post_content] =>It is amazing how much the cybersecurity industry has grown and evolved over the years. If you just look back even just a couple of years, the strategic conversations we were having have certainly changed. The space is evolving, and each of us in the industry are having to evolve with it to stay current. One area that has evolved greatly over time is risk management, specifically the role of the Chief Risk Officer.
To dig deeper on its evolution, I sat down with CEO and founder of Risk Neutral Jeff Sauntry on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management. Read on for highlights from our conversation around risk management, the role of the Chief Risk Officer, and more.
Nabil: Let's start by talking about risk management. How did you make that transition from cybersecurity to risk management?
Jeff: For me, it was a natural evolution to upskill my vocabulary as I started interacting with more senior business leaders and board members. When the board members and the C-suite have normal discussions, they're still discussing challenges and opportunities, but they're speaking in terms of risk, cost, and outcomes. In cybersecurity, we're often discussing threats and consequences. Something was getting lost in translation, so I decided to build on my strong technical and cybersecurity background and dig into risk management and the ability to become a more effective communicator.
Nabil: What would you say are some of the key characteristics that make someone great at risk management?
Jeff: My whole career had risk management components to it, but I did not yet understand risk as an empirical domain. That’s one of the reasons I chose to make this pivot. I also made the investment of time and resources to go to Carnegie Mellon and get my Chief Risk Officer certification. What was great about that is I went from being very myopic, maybe talking about technology, operational, or compliance risk, and then opening my eyes to the fact that there are five major risk categories that every business has to worry about: Strategic risk – which is by far the most important if you don't get that one right, nothing else matters – then operational, finance, compliance, and then reputational risk comes into play if any of the first four fail.
Nabil: Tell me more about your experience at Carnegie Mellon.
Jeff: Most of us in cybersecurity are very familiar with some of the great work Carnegie Mellon has done with the maturity model of Capability Maturity Model Integration (CMMI), the insider threat program, and they have been a great partner with the government in terms of coming up with funded cybersecurity programs. I was familiar with the quality of the Carnegie Mellon products and insights, and when I read the curriculum, I thought to myself, “this is going to be really awesome.” One thing I wanted to avoid was that I didn't want the course to be comprised of completely fintech leaders. For a lot of people fintech and financial services firms lead the way in terms of Chief Risk Officers and managing risk from a quantifiable perspective. But I knew the risk domain was much bigger and I wanted to be a well-rounded risk professional. Having a very broad group of peers in my cohort really helped me as well as the caliber of instructors that they brought in that could talk about the different ways to look at risk. I feel that I can now talk about enterprise risk management programs and not have such a myopic view around cybersecurity-, technology-, or compliance-related risk.
Nabil: Do you think the way organizations approach cybersecurity risk today needs to evolve?
Jeff: One hundred percent! It's one of those things that you're embarrassed about because you've been part of the problem for so long. We have to take a hard look in the mirror. I've looked back at some of the conversations I’ve had and they're almost cringeworthy. Given the knowledge I have gained in the last two years about risk management, I wish I could go back and redo conversations with certain clients.
Nabil: From your experience, how has the role of the Chief Risk Officer evolved?
Jeff: A big part of this evolution is the cybersecurity profession. In general, cybersecurity is very focused on technical skills. That's naturally how a lot of us come up through our profession and education. But, it's even more important to understand that if you can't explain the outcome of your results or your findings, it's not going to resonate with clients. It's as if you never did a security engagement if you can't get the message or the impact across. That's where I think the risk management professional is evolving. Improving soft skills that so that cybersecurity risk can have a seat at the table rather than someone coming in to tell them that the sky is falling. The Chief Risk Officer has to be a true peer to the rest of the C-suite, they should even have a solid line into the board of directors. Most companies should think about having a dedicated Risk Management Committee at the management level that's complemented by one at the board level so that risk gets the right amount of time and attention. Then, you’ll have people with the right skill set in the room having the right discussions.
One of the important things that came out the financial services industry is that they found if you embed risk managers structurally within each business unit there to please their boss and rubber stamp high risk decisions, it can end badly. This is part of what got us into the problem of the big financial meltdown in 2008/2009. It should have been a canary in the coal mine moment for risk management as a profession to say, “you have to be very careful about allowing the Chief Risk Officer to operate independently.” They need the right reporting structures and shouldn’t be allowed to be fired on a whim because they raised their hand and said, “I think this is a little too risky for us.” So, I think the evolution of the chief risk officer is at a very exciting point in time right now.
Nabil: Let's talk a little bit about your advisory board work. Do you have any advice for others who are looking to work in that capacity?
Jeff: You need to be very pragmatic, just like you would plan your secondary education and your master's degree in your career. From a board journey perspective, it's very much the same thing. You should start with an organization that you’re passionate about in order to understand: What are the procedures? What are the roles that are played? What are the different committees? Then, as you decide that you want to pursue service on a private board or a public board, think about the additional skill sets that you may need related to your fiduciary responsibilities and insurance and what are some of the personal and professional liabilities. Set a game plan for yourself, make some investments of time and money, and really figure out what it takes to be a board professional. I think it's very worthwhile. People with a strong technical and cybersecurity background definitely have something to contribute to advisory boards from a cognitive diversity perspective as organizations face digital transformations and threats from a wider range of actors each year.
Nabil: You are a scuba instructor and a captain of the US Merchant Marines. What parallels do you draw between being a scuba instructor or captain and risk management?
Jeff: All of us have something to learn from an environmental, social, and governance perspective. One of the reasons I'm a merchant marine captain is that people covet what they know. I thought it was extremely important to get people under the water and really understand things like what plastics are doing to our oceans to understand that, yes, the stuff you throw out your car actually does make it into environments that we care about.
Everything related to instructing scuba is about risk management. The standards they have for teaching, how many students you can have per instructor, the burden being on the instructor to determine whether it's safe to do certain things, the insurance I have to carry – all that stuff is designed to minimize risk to the students and staff. It's incredible how they handle violations of policy. There's a professional journal and if somebody does something wrong, they put it out there for everyone to learn from.
The reality is when you take those people out onto the ocean and you're responsible for them, you need to bring them back healthy and safe. This comes down to a couple thing: What experiences do I bring to those situations based on the training I've had on the water? What is the quality of the vessel and the equipment that I'm relying on to help me deal with those situations? How prepared am I for this situation? And those are the three things as a captain that you can control.
Those core concepts resonate with cybersecurity well. How prepared are you to do the job you've been asked to do as part of a team? How well have you prepared your organization to deal with a specific threat? That prudent mindset of being a good steward for the people you're responsible for resonates with people in cybersecurity as well.
The scope of healthcare data is remarkable. It’s no wonder healthcare cybersecurity is a growing concern as security professionals are challenged by managing and protecting the immense amount of personally identifiable information (PII) and protected health information (PHI) housed in their systems.
Introduce a public health pandemic to the threat landscape, and the healthcare data management and security challenge grows exponentially. In 2020, more than 29 million healthcare records were breached due to the 25 percent year-over-year increase in healthcare data breaches, according to HIPAA Journal’s analysis of the U.S. Department of Health and Human Services healthcare breach data figures.
During the 2021 Cyber Security Hub Healthcare Summit, NetSPI managing director Nabil Hannan and RxMx senior director of engineering Jesse Parente sat down to discuss the world of healthcare data management – notably, how to manage sensitive data securely. They explore the healthcare industry’s regulatory pressures and share insights on how to collect, store, and manage healthcare data securely and look at your data security program holistically using threat modeling and design review initiatives. Additionally, with the pandemic as a catalyst for digital transformation in the healthcare industry, cloud adoption has soared. Nabil and Jesse discuss the benefits of the cloud for data management, along with its security considerations.
Continue reading for highlights from the discussion or watch the full session online here.
In a compliance driven industry, such as healthcare, why is risk-based security so critical?
Jesse Parente: Risk-based security in general, regardless of the industry, is critical. At the end of the day, security is about managing risk. The easiest, and the most obvious answer in healthcare is, it can cost you if you're not focusing on risk. I was looking into the 2020 breach analysis report by IBM and Ponemon Institute and healthcare breaches were the costliest. That's mostly due to the fact that it's a very regulated market. You've got laws like HIPAA, which was formed and assigned in 1996, so it's rather old now. And it's actually a fairly low bar if you think about it. For example, encryption was considered an optional item back then. But in 2009, the HITECH Act was signed into law, and that gave HIPAA some teeth: Breach notification requirements and additional fines for non-compliance. There were almost 730 reported breaches in the last two years. If you do some simple math, that's about a breach a day… reported breaches. Now, the average cost per record is about $150-$200 and the average number of records exposed or lost was over 3,000. It's costly to not focus on risk.
Nabil Hannan: Speaking of breaches and the data involved, ultimately securing personal data is important. People understand why their personal, non-public data should be kept private. If someone else has that information, they could easily impersonate you and ruin things like your credit, or your records, or even steal your identity. And that's a problem. But we also want to think about healthcare data and the complexities that surround it. For example, there are a lot of children whose data go into medical systems because they go see the doctor. But for a lot of non-adults, when that happens, their parent’s information is also associated with that record. Now you have multiple people whose information is available, their insurance information, home address, financial information in many cases. The importance of securing personal data, especially in the medical field, becomes exponentially more important because of the complexities of your family and relatives whose data may also be associated with your personal records. And the challenge there too, is personal information is something that you can't easily change. If you, for example, were part of a breach where an attacker accessed your credit card number, you can call up the company and immediately change that number and a new card sent to you. If your social security number gets breached, you can't change that. Or if your home address is breached, you're not going to move in order to change that. There are certain data types that are permanent and cannot be changed, data that presents a higher risk if breached – data that is often found in healthcare systems.
How can healthcare IT and security leaders securely collect, store, and manage data?
Jesse: Before you even collect data or store it or manage it, it's really important to understand what the data is. Also, there's a concept of minimum necessary. Do you need this data? You have to do an analysis to understand what the data is and if it is sensitive. Classifying data is a really important piece when you're going to collect and store it. Additionally, pay attention to where that data goes downstream. This is the management aspect of it. Do the vendors that you work with need or have access to some of this data? In 2013, there was a final Omnibus ruling, which was an addition to HIPAA, and this essentially held business associates or vendors that you work with, accountable for non-compliance as well. So, you also have an obligation to make sure that your vendors are doing the right thing, when it comes to collecting, storing, and securing healthcare data.
Nabil Hannan: There is the actual safe way to store and manage data and then there's the part of making sure you have the data that's relevant, and you're only storing and managing the data that you truly need to maintain your business functionality. A significant amount of breaches lately, over the last five years or so, happened because of simple misconfigurations of data storage. So often we see that you may have data stores, such as Amazon S3 buckets, that are meant to be private and internal, but because of the misconfiguration, they're publicly available to the internet. Understanding what you're collecting and how it needs to be stored and, then, have automation and processes regularly checking to ensure that the attack surface that your data is exposed to is managed correctly is really important. That's ultimately the first step: Making sure you have processes in place to ensure that you're not inadvertently making a configuration change that leaves you exposed.
What can healthcare organizations do now to evaluate their current security posture?
Nabil: There are a lot of common security tactics that healthcare organizations are using today. They are performing regular security scans using automated tools, making sure that their external attack surface is not easily reachable by script kiddies that are also running similar tools on the internet, performing penetration tests with manual humans testing and breaching systems to identify exploitable areas. To take these initiatives to the next level, start looking at things that tools and automation cannot identify, which is design flaws. To describe this, I typically use home inspection as a parallel. If you've bought a house, you've probably completed a home inspection. A person shows up and they inspect the house at a basic level, checking the locks, windows, insulation, furnace, roof, etc. to see if they work. But looking at a home from the outside in, you cannot truly determine if the house was designed properly. To understand if the load bearing wall has enough support or not, or to understand if the studs are spaced correctly or not, they have to look at the blueprint and look at the internals of how the house was designed. Similarly, for any system, you have to look at the threat model and how the different components of a system interact with each other. Threat modeling is so important because it is a manual process. Tools are not able to tell you what the greatest risks are. It requires a human to think critically and be clever. With threat modeling, you’re identifying what the assets are in your systems and the threat actors that you should care about. Based on that, you define the threat vectors that the attackers would use to try and get to your assets. With this information, you can start assigning trust zones within your systems and determine how those interactions occur and review whether you have the right controls in place, like authentication, authorization, encryption, error handling and logging and things of that nature. I think threat modeling is the next step we need to take as an industry because there is a whole different classification of vulnerabilities and issues that come from the design side. Empirically, we see 50 percent of security issues are at the design level and 50 percent are what we call bugs. We have to start doing threat modeling to uncover the inner workings of how our systems are working and interacting together and whether they pose a threat.
Jesse: I think what organizations can do to evaluate their posture is get a baseline. There are tons of ways to do this with frameworks and certifications. One of my favorites is the Cloud Security Alliance, an organization that's purpose built to support the transition to the cloud. They have something called the Cloud Controls Matrix that helps organizations align to various frameworks, whether that’s NIST, ISO27001, or HIPAA. When it comes to data, oftentimes the software world is pushing these activities to the left, or the idea of shifting left, and that means doing these security-based activities earlier on in a software development lifecycle. A great example is threat modeling. In the design phase, understand what your threats are and figure out ways to mitigate them. In the cloud, we’re shifting, too. The four walls and the castle approach of securing a perimeter, those days are gone. There is this shift in the landscape changes as well, as we now see a lot of organizations operating partially in the cloud. Because the data is potentially publicly available, we have to find ways to identify where the data is, where the data is going to go, and how to secure it. There are many cloud providers out there, and with that there are many services to help you manage the data and have visibility into the cloud. And for me, that visibility is one of the key things that has helped my organization manage healthcare data securely. Organizations not leveraging the cloud do not necessarily have that visibility. The last thing to remember is that we need to hold our vendors accountable, understand their security posture and what activities are they doing to help secure the data we share.
How has the pandemic triggered the increased adoption in the cloud?
Jesse: Almost overnight, many organizations were forced to have data and resources available remotely and externally accessible. VPNs were overloaded and people scrambled to find a physical space to work outside of the office. The cloud was – and is – an opportunity to make things available. As we saw in our viewer poll, 42 percent of participants are operating partially in the cloud. It’s clear people are experimenting with the cloud and this comes with its own challenges, as organizations haven't had the opportunity to fully vet and evaluate the cloud. Remember, we should consider cloud providers vendors and need to evaluate them as such – and that requires time. That's the challenge that's missing from this rush to make things available and it can create serious problems.
Nabil: There is another gap in our knowledge as employees don't necessarily know how their organization manages its data. It may be completely invisible to us on whether an organization increased adoption of the cloud. And that's how it should be. The whole purpose of cloud-based systems is the ability to scale as needed and have elasticity. Teleconferencing systems are a good example of this. The reason Zoom could support the huge demand of users as the pandemic started was because of the cloud. If they were not using cloud infrastructure for their systems, they would not have been able to support the large number of users because it was not expected or planned. And then there are security considerations to think about too. Just because you're in the cloud and the cloud providers are providing you with certain baseline of security controls and protection, that doesn't mean that you don't have to think about security anymore. Ensure you understand the implications of your transition from a traditional data center deployment to the cloud, and ensure you're maintaining regular best practice initiatives around things like configuration reviews, design reviews, and threat modeling. Be sure to understand the risk implications of the decisions you're making.
This session was originally shown at Cyber Security Digital Summit's online event for Healthcare and Life Sciences.
In this session, NetSPI’s Nabil Hannan and RxMx’s Jesse Parente will explore the world of healthcare data management – notably, how to manage sensitive data securely.
Delve into the healthcare industry’s regulatory pressures and the biggest cyber threats it faces today, then hear insights on how to:
- collect, store, and manage your data securely
- look at your data security program holistically (threat modeling and secure design review)
Lastly, with the pandemic as a catalyst for digital transformation in the healthcare industry, cloud adoption has soared. Nabil and Jesse will discuss the benefits of the cloud for data management and review its security considerations.
[wonderplugin_video iframe="https://youtu.be/2Pcub41I-Qc" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => Healthcare Data Protection in a Pandemic-Driven World [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => healthcare-data-protection-in-a-pandemic-driven-world [to_ping] => [pinged] => [post_modified] => 2023-09-01 07:06:21 [post_modified_gmt] => 2023-09-01 12:06:21 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=25314 [menu_order] => 55 [post_type] => webinars [post_mime_type] => [comment_count] => 0