Tori Norris

Tori is the Content Marketing Manager at NetSPI, where she supports the development of blog posts, webinars, resources, and more. Prior to NetSPI, she worked at public relations agencies across the country leading various B2B healthcare, technology, and cyber security accounts. Tori earned her BA in Public Relations and Marketing from Winona State University.
More by Tori Norris

Live from SecureWorld Boston 2022 (published 2022-03-15)

The NetSPI team ventured from Minneapolis to Boston to attend the 2022 SecureWorld cybersecurity conference. For the first time in over two years, we saw plenty of smiling faces in the halls of the Hynes Convention Center as Boston lifted its COVID-19 mask mandate just days before the event.

While NetSPI has a growing satellite team in Boston, including managing director Nabil Hannan who is a frequent contributor to the NetSPI Executive blog, it was the first or second time to Boston for many of us. Needless to say, we took full advantage of the oysters, lobster rolls, and Italian food. Boston is truly a special city, which was made evident by the local security community members that we connected with at SecureWorld and at our post-event happy hour at Eataly.

If you skim through the SecureWorld Boston 2022 agenda you’ll quickly recognize common themes: the cybersecurity skills and diversity gap, ransomware prevention, application security, and more.

But the session descriptions can only tell you so much. Here are four key narratives to take away from the event.

Security Awareness Training Takes Center Stage

In nearly every session we attended, security awareness training was referenced in some capacity. In many cases it was the final – and most actionable – recommendation provided.

How should you prepare for the increased cybersecurity risk amid Russia’s attack on Ukraine? Security awareness training. How can you prevent ransomware? Security awareness training. How do you secure the cloud? You guessed it… security awareness training.

In one session, titled A Whole Lotta BS (Behavioral Science) About Cybersecurity, Lisa Plaggemier, Executive Director at the National Cybersecurity Alliance, analyzed the results from a study that benchmarks the current state of security awareness and training.

The most shocking statistics from the report?

  • Only 22% of respondents always report phishing emails to their email platform. 
  • 28% of respondents do not know how to report phishing emails. 
  • Only 12% of respondents use a password management platform, which Lisa attributed to the lack of trust within the industry due to the breaches they experienced early on. 
  • 48% of respondents have never heard of multi-factor authentication (MFA).

Lisa went on to explain that capability, opportunity, and motivation are necessary to get someone to form a new habit. And when it comes to cybersecurity hygiene, motivation is the hardest to achieve.

A question from an audience member validated this concept. They asked, “How can I motivate my employees to report phishing attempts more regularly?” Lisa and the audience chimed in with actionable recommendations, including:

  • Give people validation. Have an automated response that thanks employees for successfully identifying a phishing attempt. People want validation and a simple automated “thank you” note goes a long way. 
  • Gamify your social engineering assessments and reward success. An audience member implemented a program where employees receive points for properly reporting a phishing attempt. They can then cash in those points to purchase from the company store. 
  • Include HR in your conversations around social engineering. They will have great ideas as to what motivates people in the workplace and can help set policies for those who repeatedly fail phishing assessments.

These were timely suggestions as phishing attempts are not only more frequent, but also more successful. The State of the Phish report from Proofpoint found that 83% of organizations experienced a successful email-based phishing attack in 2021, versus 57% in 2020.

It’s no surprise that security awareness was top of mind for Boston’s security leaders at SecureWorld.

Security Decisions Should Never Be Made in a Silo

One of the most engaging sessions was called Congratulations on CISO, Now What? Bill Bowman, CISO at Emburse, spoke directly to the newer CISOs about how to set a solid foundation for success in the demanding role.

He began his talk with an overview of the OODA Loop: Observation, Orientation, Decision, and Action. Where are your crown jewels? How does your business make money? What exactly did you inherit? What security framework are you using? These were a few of the questions he urged CISOs to answer as they get started.

“You are the brakes that make your company go faster,” explained Bill. Yes, security may cause friction to business processes, but it also adds immense value. And it’s up to the CISO to showcase and communicate that value they bring to the table.

He went on to explain why security decisions cannot be made in a silo. “The bad guys always collaborate, and the good guys don’t,” Bill said as he urged the CISOs in the room to establish security decision making teams within their organizations.

He continued with actionable advice for building those teams, specifically a policy review board and an infosec committee. Bill suggested that the policy review board should consist of thought leaders with clout and legal teams, while the infosec committee should include not only the person the CISO reports to, but also the technical security engineering team: those in charge of penetration testing, vulnerability scanning, and bug bounty programs. These are the people who understand where your security program stands and how to improve it, tactically.

Bill ended the session with insights around security awareness and the need to understand what types of security content people are interested in.

Delivering content that truly interests them, whether that’s through monthly meetings or an internal newsletter, allows you to seamlessly connect your security program to your employees. Plus, he dug deeper into how to establish metrics that matter, including vulnerability management metrics, and the need to prepare for a crisis early on and establish relationships with law enforcement contacts in the event of a breach. If you ever get a chance to hear Bill speak, don’t miss it!

Cloud Security is a Shared Responsibility

One narrative that resonated across all of the cloud security sessions was the Shared Responsibility Model: the concept that cloud security is the responsibility of both the cloud providers (AWS, Azure, Google Cloud Platform (GCP)) and the organizations who use the technology.

At NetSPI, we practice this through our cloud penetration testing services. We help our customers identify cloud platform misconfigurations and fix vulnerabilities on the end-user side. Every organization must take responsibility for their own cloud security.

In an early panel, speakers discussed how the shift to fully remote and hybrid workforce models has increased the urgency to improve cloud security. When the moderator asked the audience, “Who has a formal work-from-home policy in place for their employees?”, shockingly, only a few hands were raised out of a crowd of at least 50.

They continued to speak about the long-term technological impact of COVID-19, how expectations have changed, and why cloud services have become much more valuable today. Their final words of wisdom? If you’re migrating to the cloud, take the time to do things properly the first time. Silo your technologies, work with your data scientists, and leverage cloud pentesting and bug bounty programs to find security flaws before bad actors do.

It’s Necessary to Pause Before Reacting to a Crisis

With all eyes on Ukraine and the threat of cyberwarfare looming across the globe, panelists from an afternoon keynote session, Live from Ukraine: How Does Your Crisis Management Playbook Stack up During a Real-World Conflict?, explained why organizations need to pause before reacting to a crisis situation.

Why? Empathy.

DataRobot CISO Andy Smeaton joined the panel live from Poland, where he was helping Ukrainians find safety and aid in humanitarian efforts. He was joined by Esmond Kane, CISO at Steward Health Care; Selva Vinothe Mahimaidas, CISO at Houghton Mifflin Harcourt; and Eric Gauthier, VP of Infrastructure & Security at Emsi Burning Glass.

Live from SecureWorld Boston 2022

“Plans are essentially useless, but planning is essential,” quoted one of the panelists. They discussed tabletop exercises and provided some recommendations on how to run an effective session and what to do when a real crisis, such as a breach, happens. Advice included:

  1. Review your incident response plan. Refresh your understanding of the content and revisit the corresponding notes from the last tabletop for hidden gems and key insights.
  2. Tabletop exercises should focus on outcomes.
  3. Start small. Book an hour to start and grow and improve the sessions from there.
  4. Use what you have sitting in front of you. Evaluate the security controls you already have and understand how to use them to your advantage versus buying new technologies to fill a gap.
  5. Ask yourself, is this your crisis?
  6. Include security and IT teams in the planning phase. Let them participate and express judgement. It’s important to have a critical view of your playbook.
  7. Take a deep breath. The more you project calmness and control, the better you will respond.
  8. Be realistic. Smaller security teams will take more time, resources, and money compared to larger teams.

It’s challenging to prioritize planning for something that might not happen, but it’s vitally important. The most difficult factor of crisis planning and response according to the panelists? The human factor. There’s no playbook for how to deal with your emotions.

The panelists went on to explain that CISOs must practice empathy as employees grapple with the impact of the war. Humans are imperfect and they will fall victim to misinformation and phishing attempts. It’s up to security leaders to hit pause, reflect, and lean on their team to make thoughtful decisions together to not only protect their business and their job, but also their people. 

A Successful Happy Hour with Team NetSPI

Following the event on Wednesday, NetSPI hosted a happy hour at Eataly just next door to the convention center. We continued the conversations around security leadership, increasing threats, penetration testing services, and more while we enjoyed themed cocktails (appropriately named “NetSPIked” and “Netgroni”) and delicious Italian bites.

Check out this recap of the event:

https://youtu.be/9zjs7c071aQ

Want to connect with us at a security event or NetSPI happy hour?

Visit our events page to find out where NetSPI is heading next!


Best of NetSPI: Top Cybersecurity Blogs, Resources, Webinars, and Podcasts of 2021 (published 2021-12-28)


Keeping up with modern cybersecurity best practices and the latest news is no simple task. In today’s digital world there are countless ways to digest information – from social media to podcasts to whitepapers and beyond.

At NetSPI we’ve made it our mission to keep our finger on the pulse of the security industry and only report on the most important news and cybersecurity challenges of the moment. We pay close attention to our clients’ biggest pain points, gaps where more cyber awareness and education is needed, and when we can provide insight and support around the most critical security incidents.

This is evident in our top blogs, resources, webinars, and podcasts of 2021. Not only were these the most read, downloaded, watched, and listened to content of the year, but they can also serve as an indicator of the security industry’s focus over the past 365 days. Continue reading to learn which topics were deemed “The Best of NetSPI” in 2021.

Top Executive Blogs

Log4j: Is My Organization Impacted? | Team NetSPI

It’s no surprise that a Log4j-centric blog post topped the charts with only one month left in the year… not to mention ThreatPost referenced the blog in a story about Log4Shell mutations. Read the blog for an overview of Log4j, its impact, detection best practices, and more.

The State of ATM Security: DMA Vulnerabilities are Lurking | Larry Trowell, Principal Consultant

NetSPI’s Larry Trowell is one of the foremost experts on IoT penetration testing. In this article, he explores the current state of ATM security, including common vulnerabilities, a deep dive on DMA attacks, and ATM security best practices. Attending the ATM Industry Association (ATMIA) annual conference in February? Larry will be sharing additional ATM cybersecurity tips during the Fraud and Logical Security Workshop on Tuesday, February 8.

A Checklist for Application Security Program Maturity | Nabil Hannan, Managing Director

Applications are the lifeblood of organizations today – and application security must be prioritized. However, building an AppSec program that stays current is no easy feat. To help, Nabil developed an application security checklist to help organizations shore up their security processes and take the necessary steps to establish a mature AppSec program.

The Best Blogs for Pentesters

Escalating Azure Privileges with the Log Analytics Contributor Role | Karl Fosaaen, Director

Karl explains how he discovered a privilege escalation that allowed an Azure AD user to escalate from the Log Analytics Contributor role to a full Subscription Contributor role. He also details how he worked with Microsoft to remediate the situation by removing the Automation Accounts permissions from the affected role.

Azure Persistence with Desired State Configurations | Jake Karnes, Managing Consultant

Jake details how pentesters can use the Desired State Configuration (DSC) VM extension to run arbitrary commands in Azure environments, with built-in functionality for recurring commands and persistence.

Tokenvator Release 3 | Alexander Polce Leary, Principal Consultant

NetSPI’s Alexander Polce Leary authored Tokenvator, a pentesting tool that can alter privileges with Windows tokens. This year, he made some big improvements to the tool including the user interface, impersonation/thread tokens, and the ability to change privileges on the token.

Ransomware, Pentesting, and Red Teams Top the Resource Charts

The Ultimate Guide to Ransomware Attacks

Ransomware was and continues to be one of the greatest threats to businesses. We developed this Ultimate Guide to Ransomware Attacks to help business leaders get up to speed on the latest ransomware trends, targets, and families, understand how ransomware works, and provide checklists for ransomware prevention and detection.

How to Choose a Penetration Testing Company

There are hundreds of penetration testing companies, and each offers different levels of service, pentesting methodologies, and technologies. We created this guide to help you choose the best pentesting company to work with. It features criteria to consider, questions to ask your partners during the RFP process, pentesting use cases, and more.

5 Things Every Red Team Needs to Optimize Operations

For a red team to be successful, it must have these 5 things: the right soft skills, an understanding of the business objectives, alignment on goals, ability to communicate business impact, and the best red team tools. Learn more about what it takes to create a successful red team in this tip sheet.

Most Watched Webinars

Understanding Modern EDR Tools: How They Work, How They Provide Value, and How to Bypass Them | Nick Landers, Head of Adversarial Research and Development

During this webinar, Nick explores the role modern EDRs play today, details the latest defensive evasion techniques adversaries use to bypass EDR tools, and shares advice for evaluating the technologies.

CVE-2020-17049: Kerberos Bronze Bit Attack - Explained and Exploited | Jake Karnes, Managing Consultant

In late 2020, Jake Karnes discovered the Kerberos Bronze Bit Attack: CVE-2020-17049. Stemming from the discovery and responsible disclosure to Microsoft, he presented a webcast to explain the inner workings of the vulnerability, which would allow attackers to bypass security features and escalate privileges in an Active Directory domain. This webinar is a must-watch for those looking to better understand Kerberos.

Automated Social Engineering for the Antisocial Engineer | Patrick Sayler, Principal Security Consultant

Phone communication remains a lucrative avenue for attackers, otherwise known as “vishing.” Putting your employees to the test against realistic vishing attempts is manual and time consuming. In this webcast, NetSPI’s Patrick Sayler describes how he configured interactive voice response (IVR) technology into a build-your-own social engineering robot.

Top Cybersecurity Podcasts

Startup Security, Threat Modeling, Pre-Social Engineering, and More – Insights Gained from a Unique Career Path | Episode 024 - Hadas Cassorla, CISO at M1 Finance

Nabil sits down with Hadas to discuss the challenges and opportunities of startup security, the effectiveness of threat modeling, what “pre-social engineering” means, and unconventional, empathetic security training tactics.

What Makes a Successful Technologist, A Day in the Life of a Security Firm CISO, and Lessons from an Effective Phishing Engagement | Episode 020 - Roshan Popal, CISO at MicroStrategy

Nabil is joined by Roshan, who shares advice for emerging security professionals, discusses what it’s really like to be a CISO at a security firm, and reminisces about an effective phishing campaign that fooled Nabil when the two worked together.

A Day in the Life of a NetSPI Penetration Tester | Episode 037 - Austin Altmann and Marissa Allen, NetSPI Security Consultants

Want a glimpse into a day in the life of a NetSPI penetration tester? Austin and Marissa explore what it takes to be a great pentester, share stories from their entry-level days in NetSPI University, how the current security curriculum could be improved, cybersecurity career misconceptions and more.

Sign up for our monthly newsletter to receive the latest content from NetSPI in 2022

(Post published 2021-08-17)


At the beginning of the month, the NetSPI team ventured out to Las Vegas for the highly anticipated Black Hat USA and DEF CON 29 cybersecurity conferences. Given the hybrid nature of the events this year, the crowd was much thinner and the halls of Mandalay Bay much quieter – reports mention that Black Hat attendance was one-fourth of a typical year’s attendance pre-pandemic. 

While quieter than usual, there were still many opportunities to connect with one another face-to-face, or rather mask-to-mask. I sat down with my colleagues who attended the conferences – both in-person and virtually – to get their take on what went down at the events this year. After all, “What happens in Vegas… gets posted on the NetSPI blog.” Right? From keynotes to topics/themes to hacks, read on for five of the greatest moments from Team NetSPI’s time in Las Vegas.

1. Call for collaboration: The Joint Cyber Defense Collaborative

Jen Easterly, the newly appointed head of the Cybersecurity and Infrastructure Security Agency (CISA), used her platform at Black Hat to build trust and personal relationships with the private sector. During her talk she noted her plans to continue the work that former CISA head Chris Krebs started, specifically around building relationships between CISA, the private sector, and government. 

Secretary of Homeland Security Alejandro Mayorkas delivered the final keynote at Black Hat which echoed much of Easterly’s call for collaboration. He took to the virtual stage to recruit security professionals to work for DHS and to talk about the need to diversify the workforce. He cited two specific ways hiring private sector professionals at DHS could increase collaboration: acting as a bridge between the hacker community and DHS as well as mentorship.

Both keynotes highlighted the Joint Cyber Defense Collaborative, a new CISA initiative that plans to “bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans.”

Read more about the keynote speeches online at SC Media.

2. Caution around supply chain attacks

Supply chain attacks are just getting started, warned Corellium COO Matt Tait during his keynote speech. He cited the exploitation of zero-day vulnerabilities as the driver for the increase in software supply chain attacks. Since 2014, the number of zero-day vulnerabilities detected “in the wild” has increased 236 percent. 

The road to securing the supply chain is not going to be easy, Tait acknowledged. But he did share his thoughts on two critical steps we can take to get started: improvements to bug bounty programs and Certificate Transparency. Contrary to the keynotes from Easterly and Mayorkas, Tait suggested that platform vendors hold most of the responsibility for securing the supply chain, and that government intervention or regulation will not do much to address the problem.

For more, read Channel Futures and The Daily Swig’s coverage of the keynote.

3. Ransomware policy panel

The panel on ransomware policy solutions at DEF CON was a highlight for the NetSPI team. It featured co-chair of the Ransomware Task Force Chris Painter, security researcher Robert Graham, and lawyer Elizabeth Wharton.

They discussed the varying aspects and challenges of handling a ransomware attack. (Hint: it’s not as cut-and-dried as banning ransom payments.) The panel debated the role of cybersecurity insurance, whether to pay a ransom, the need to understand the granular details of an attack, and more.

Robert Graham pointed out that the true problem with ransomware is that organizations aren’t looking at how the ransomware is getting into the systems, they’re focusing more on whether their recovery efforts are hardened. He brings up a great point and highlights a problem that NetSPI is helping to solve with its new Ransomware Attack Simulation service.

Info Security Magazine wrote a detailed recap of the panel – check it out.

4. Team NetSPI at DEF CON

We may be biased but learning from colleagues at DEF CON was certainly a “greatest moment” from the conference. This year, Portland-based director Karl Fosaaen and our newest NetSPI director Chad Rikansrud presented at the conference. 

Karl is one of the foremost experts on Azure penetration testing. His presentation at the DEF CON Cloud Village focused on Azure password extraction. In the talk he showcased how to use the password extraction functionality in MicroBurst, a toolkit he created that contains tools for attacking different layers of an Azure tenant. He also walked through a real example of how it was used to find a critical issue in the Azure permissions model that resulted in a fix from Microsoft. For those who missed Karl’s talk, register for his upcoming webinar: Azure Pentesting: Extracting All the Azure Passwords.

In Chad’s talk, he and container security expert Ian Coldwater told the story of the first mainframe container breakout: they were the first to escape a container on a mainframe, and they explained how they did it. Watch on YouTube: Crossover Episode: The Real-Life Story of the First Mainframe Container Breakout.

5. More DEF CON talks worth watching

Our services team looks forward to meeting up at DEF CON each year. And while the annual NetSPI happy hour on the Las Vegas Strip is likely everyone’s top moment of the weekend, there were plenty of interesting talks during the conference. Here are five worth watching on demand if you did not catch them at the show:

  1. New Phishing Attacks Exploiting OAuth Authentication Flows – Jenko Hwong, Researcher at Netskope
    Overview: How OAuth authorization flows can be used for phishing, and how stolen refresh tokens can be abused to pivot while avoiding audit log entries.
  2. Offensive Golang Bonanza: Writing Golang Malware – Ben Kurtz, Host of the Hack the Planet Podcast
    Overview: Why Go is so useful for malware, with a detailed tour of the available components used for exploitation, EDR and NIDS evasion, and post-exploitation, given by one of the main authors of those components.
  3. Hacking G Suite: The Power of Dark Apps Script Magic – Matthew Bryant, Red Team at Snapchat
    Overview: The dark art of using Apps Script to exploit G Suite (now Google Workspace).
  4. Bundles of Joy: Breaking MacOS via Subverted Applications Bundles – Patrick Wardle, Creator of Objective-See
    Overview: An easy way to bypass all of macOS’s native malware protections. For a summary of the bypass, view the slide at 24:50.
  5. Hacking Humans with AI as a Service – Eugene Lim, Glenice Tan, Tan Kee Hock
    Overview: The “nuts and bolts” of an AI-as-a-service (AIaaS) phishing pipeline that was successfully deployed in multiple authorized phishing campaigns.

The conversations around collaboration, securing the supply chain, ransomware, and more were invaluable, as were the opportunities for those who were able to meet safely in person. Whether you were there in person, attended virtually, or simply kept an eye on the announcements and news coming out of the event, it is good to feel a sense of community in the security space again.

Join Team NetSPI at Black Hat and DEF CON next year – we’re hiring!

[Post: Greatest Moments from Black Hat 2021 and DEF CON 29. Excerpt: A recap of the events at Black Hat and DEF CON in 2021, featuring talks on collaboration, supply chain attacks, ransomware, Azure cloud pentesting, and much more.]

[Next post, published 2021-05-25:]

RSA’s 2021 virtual conference wrapped up last week around the theme of resilience. While the dictionary definition of resilience is “the capacity to recover quickly from difficulties,” the conference was equally focused on adjusting an organization’s security posture toward proactive protection and cybersecurity readiness rather than only incident response. As we consumed the content from the conference, we saw three common themes that resonated with us: change as a concept, proactive protection versus incident response, and the workforce implications of 2020. Read on as we dig deeper into each.

Cybersecurity at the speed of change

In his RSAC session, Cisco Chairman and CEO Chuck Robbins rightly observed that the world transformed over the past year as it adjusted to a new, hybrid workplace model. Every organization in every industry focused on keeping its business resilient while facing more complexity than ever before, and that complexity extends to the security landscape. According to Robbins, employees spending just 30 extra minutes on their mobile devices created 20 percent more vulnerabilities than in a normal period, vulnerabilities that could expose organizations to breaches, hacks, and bad actors.

With monetary losses from cybercrime estimated at $945 billion in 2020 according to McAfee, managing risk should be critically important for every cybersecurity team, and CISOs are reportedly paying attention by devoting time, attention, and funding to cybersecurity initiatives. As VentureBeat reported earlier this year, global cybersecurity spending is expected to grow 10% in 2021 as new types of threats emerge alongside an increasing volume of attacks. With enterprises adapting their infrastructure to new cloud architectures and new work configurations, addressing potential vulnerabilities is taking on greater urgency.

With organizations across the country now working through return-to-office and work-from-home questions, one thing is clear: cybersecurity teams must plan for the fact that a portion of tomorrow’s workforce will work from home permanently. Robbins said that end-to-end encryption is foundational to handling all users, data, and applications in this scenario.

Succeed with a more proactive cybersecurity program

Mary O’Brien, General Manager for IBM Security, and Mauricio Guerra, CISO for Dow Chemical, discussed putting zero trust into action to manage security and enable the business. Today’s security leaders, they said, are responsible for helping their businesses deliver new capabilities grounded in security while also managing threats and compliance, and the zero trust concept is a cornerstone of the proactive security programs that can achieve these objectives.

Zero trust is still relatively early in its adoption. CSO Magazine defines it as a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeter and must instead verify anything and everything trying to connect to their systems before granting access. Historically, organizations focused on defending the perimeter. Some of the most egregious data breaches, however, happened because attackers, once inside the corporate firewall, were able to move through internal systems with little resistance.
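
To make that distinction concrete, the following added example (ours, not code from the RSA session, IBM, Dow, or NetSPI) contrasts a perimeter-style check that trusts any request from an internal source address with a per-request check that verifies a signed token, its binding to a managed device, and the caller’s role before allowing access. The HMAC token format, the device inventory, the role policy, and the sample requests are all constructed for the illustration.

```python
"""Perimeter trust versus per-request (zero trust) authorization.
Added example, not code from the RSA session, IBM, Dow or NetSPI; the token
format, device inventory, role policy and sample requests are constructed."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # constructed "inside"
ISSUER_KEY = b"example-signing-key-not-for-production"  # constructed secret
# Constructed device inventory: posture decides whether a device may connect.
MANAGED_DEVICES = {
    "laptop-0042": {"compliant": True},
    "laptop-0099": {"compliant": False},  # e.g. disk encryption disabled
}
# Constructed policy: resource -> action -> roles allowed to perform it.
POLICY = {"payroll-db": {"read": {"finance"}, "write": {"finance-admin"}}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, roles: List[str], device_id: str,
                ttl: int = 300, now: Optional[float] = None) -> str:
    """Mint an HMAC-SHA256 signed token binding a user, roles and a device."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": roles, "dev": device_id, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, AttributeError):
        return None
    return None if claims.get("exp", 0) < now else claims

@dataclass
class Request:
    source_ip: str
    resource: str
    action: str
    token: Optional[str] = None
    device_id: Optional[str] = None

def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything already 'inside' the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req: Request, now: Optional[float] = None) -> Tuple[bool, str]:
    """Verify identity, device binding, device posture and authorization on
    every request; the source address is deliberately never consulted."""
    claims = verify_token(req.token, now) if req.token else None
    if claims is None:
        return False, "identity not verified"
    if claims.get("dev") != req.device_id:
        return False, "token not bound to presenting device"
    device = MANAGED_DEVICES.get(req.device_id)
    if not device or not device["compliant"]:
        return False, "device unmanaged or non-compliant"
    allowed = POLICY.get(req.resource, {}).get(req.action, set())
    if not allowed.intersection(claims.get("roles", [])):
        return False, "role not authorized for action"
    return True, "ok"

def demo(now: float = 1_700_000_000.0) -> dict:
    """Run both models over constructed requests; returns each pair of decisions."""
    alice = issue_token("alice", ["finance"], "laptop-0042", now=now)
    bob = issue_token("bob", ["finance"], "laptop-0099", now=now)
    cases = {
        # Attacker on a phished internal host: inside address, no credential.
        "lateral_move": Request("10.20.30.40", "payroll-db", "read"),
        # Finance user on a managed laptop, working from home.
        "remote_staff": Request("203.0.113.7", "payroll-db", "read", alice, "laptop-0042"),
        # Same user, but the action exceeds the role's permissions.
        "overreach": Request("203.0.113.7", "payroll-db", "write", alice, "laptop-0042"),
        # Valid token, but the device fails its posture check.
        "bad_posture": Request("10.20.30.41", "payroll-db", "read", bob, "laptop-0099"),
    }
    return {n: (perimeter_decision(r), zero_trust_decision(r, now)) for n, r in cases.items()}

if __name__ == "__main__":
    for name, (perim, (ok, why)) in demo().items():
        print(f"{name}: perimeter={'allow' if perim else 'deny'} zero_trust={'allow' if ok else 'deny'} ({why})")
```

Run it and the lateral-move request, which arrives from an internal address with no credential at all, is allowed by the perimeter check and denied by the per-request check, while the remote employee on a managed laptop is denied by the perimeter check and allowed by the per-request one. In a real deployment the token would come from your identity provider and the device posture from your device management platform, but the order of operations is the same: verify identity, verify the device, then authorize the specific action, and never let network location stand in for any of those steps.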

While we support zero trust planning, we also counsel our CISO clients to develop a business-aligned vulnerability management program that prioritizes the vulnerabilities that would have the most significant negative impact on the business. Such a program looks at the most relevant threats that could exploit those vulnerabilities, the remediation strategies, and the controls needed to counter those threats. It is built on a framework that enables, implements, and maintains the program and informs all security initiatives, controls, and processes.

Adding threat modeling to an organization’s cybersecurity arsenal is also critically important, because the process examines a system at the architectural level and identifies potential security design flaws. This matters because, based on our experience and empirical data, almost 50 percent of security issues are design-level flaws. Threat modeling uncovers how an organization’s systems work and interact, and where those interactions expose a threat. It is essential to identify who would want to attack your systems and where the assets are in order to understand the potential attack vectors and enable the appropriate security controls; this analysis takes place during threat modeling.

Promoting workplace culture without relaxing security

2020 was full of challenges, not only for the NetSPI team but also for our clients. One of our predictions heading into 2021 was that there would continue to be more security jobs than people to fill them. Even with the pandemic subsiding, this has held true. Security leaders have struggled to fill roles that require mid- to senior-level experience, and demand for entry-level candidates has stayed high. Hiring, and its workforce and culture implications, was a popular topic at RSAC.

Jinan Budge of Forrester Research discussed the importance of putting people at the heart of security and aligning vision and approach to achieve strategic change in organizational security culture. We also believe strongly in the importance of culture within an organization, and that hiring for skills beyond the technical, such as curiosity, memory recall, and innovation, will help organizations grow and excel during times of talent shortage.

As CISOs focus on building strong teams with an exceptional culture, organizations must also remain vigilant for insider threats. Protecting against internal threats should be part of any threat detection program; the SolarWinds compromise also brought renewed attention to the risk of trusted access being abused, whether by an insider or by an attacker using an insider’s stolen credentials. The frequency and financial impact of insider threats, defined as a careless or negligent employee or contractor, a criminal or malicious insider, or a credential thief, have grown dramatically in just the past two years. In a recent Ponemon Institute study, the overall average cost of insider threats increased 31%, from $8.76 million in 2018 to $11.45 million in 2020, and the number of incidents increased a staggering 47% in the same period, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats remain a lingering and often under-addressed risk compared to external threats.

A thriving future

To quote RSA: “Because being resilient requires infinite strength. There can be no let ups. No breaks. No finish lines. Just an unending passion to evolve, adapt and do everything possible to protect the people and organizations that rely on us as their advocates. We will do more than survive. We will thrive.” Indeed; we stand fully behind that statement. The reality is that cyberattacks today are inevitable and put organizations at grave risk, making it imperative to stay one step ahead of adversaries by focusing on prevention-based security techniques. With a pat on the back to everyone in this business, the cybersecurity profession not only survived the past 16 months; all indicators show that it is thriving.

[Post: RSA 2021 Conference Recap: Resiliency in the Face of Change. Excerpt: Read our recap of RSA 2021, where we highlight three common themes: change as a concept, proactive cybersecurity, and the workforce implications of 2020.]

[Next post, published 2021-04-20:]

Unless you are Pfizer, Moderna, or Johnson & Johnson, you may not consider your biotech or pharmaceutical organization a lucrative target for cyberattacks as COVID-19 vaccine production and distribution ramp up. But the larger, well-known organizations in the vaccine pipeline are well funded and well staffed and can prioritize cybersecurity, and sophisticated adversaries know this. That makes the smaller organizations involved in vaccine development, distribution, and administration prime targets.

Notably, we expect to see increased threat activity against small to midsized biotech organizations that collect patient data or have access to vaccine research and development (R&D) information. Whether or not your organization is working with the COVID-19 vaccine, directly or indirectly, there is a lot to learn from the security concerns and activity to date. In this article, we explore the motivations behind vaccine-related cyber threats, the reasons biotech organizations should prioritize security, and pragmatic steps organizations can take now to proactively prepare for imminent attacks.

The vaccine security threat landscape

Cybercrime is known to increase amid chaos or crisis, when people are most vulnerable, and the COVID-19 pandemic is no exception. Large-scale data breaches increased 273 percent in the first quarter of 2020 versus the same period in 2019. The U.N. Security Council reported a massive 350 percent increase in phishing websites in the first quarter of 2020, many targeting hospitals and healthcare systems. And now, capitalizing on the vaccine rollout, the number of phishing attacks targeting the healthcare industry increased by 189 percent from December 2020 to February 2021.

There are three realistic motivations for adversaries when it comes to vaccine security: 1) stealing personal health data, 2) accessing intellectual capital, and 3) compromising business systems. To better understand the threat landscape, let us look at each in turn.

To steal sensitive health data:

Protected health information (PHI) includes identifiable information in a person’s health records, such as health details, date of birth, Social Security number, fingerprints, and even financial information. Because biotech firms work with patients to develop and test vaccines in a medical setting, they are also responsible for managing and securing PHI. Adversaries can use PHI for identity theft and medical fraud, as a foothold into computer networks, and to learn about an organization’s capabilities and processes in preparation for larger attacks.

To access intellectual capital:

An approved vaccine is a very valuable source of intellectual capital, and COVID-19 vaccine production data is especially valuable today as the global race to administer vaccines continues. Biotech firms house a great deal of intellectual capital, from R&D information to vaccine formulas to testing and drug trial data, making them lucrative targets. According to research from F5, “threat actors in this case are advanced cyber attackers, either working for or hired by nation states. This makes them the most capable and well-resourced threat that organizations could face.”

In early 2021, the European Medicines Agency (EMA), the regulatory agency responsible for vaccine assessments and approvals in the EU, disclosed that attackers had stolen COVID-19 vaccine data belonging to Pfizer and BioNTech. The incident also illustrates a related motivation: using stolen intellectual capital for misinformation. The data from the EMA breach was leaked online only after the exfiltrated documents had been manipulated to undermine public trust in the vaccine.

To compromise business systems:

Whether it is a ransomware attack on a healthcare organization or an attack on vaccine appointment scheduling software, adversaries may also aim to interfere with business operations in the vaccine pipeline. Biotech firms have a critical role to play in ensuring the security of their partners.

Third-party security is a major challenge for healthcare organizations, and one that is very relevant to vaccine rollouts. A 2020 survey of healthcare CISOs, CIOs, and other C-suite leaders found that four out of five organizations had experienced a cybersecurity breach precipitated by a third-party vendor in the past year.

Right now, many third parties are working hand in hand with biotech firms to coordinate the rollout of the COVID-19 vaccine, from logistics and transportation to on-site distribution locations. How can we ensure that every organization involved follows the right security protocols? Recent examples of third-party targeting are the attacks on cold storage company Americold and on Miltenyi Biotec, apparent attempts to disrupt the vaccine supply chain.

Making the case for cyber security in biotech, pharma, and other healthcare industries

We recently attended a webinar on medical device security presented by Kevin McDonald, a cybersecurity advisor at Mayo Clinic. At the end of the discussion, Kevin highlighted the core drivers for security investment in healthcare: patient care, revenue loss, and public perception.

Above all, continuity of patient care is the end goal of all security activities in healthcare organizations. Security is put in place not to hinder the quality of care but to ensure it can continue without interruption from adversaries.

Revenue loss and public perception are fairly self-explanatory for most healthcare organizations, but there are nuances in the biotech industry. The goal of many biotech firms is to raise funds and eventually be acquired, and according to Silicon Valley Bank, acquisitions of biotech startups increased in 2020. If your organization suffers a security breach, both your chances of acquisition and your valuation may fall given the added risk and reputational damage.

4 security activities to implement to proactively protect your assets

Once you’re aware of the most likely risks, it’s important to understand the steps you can take to proactively protect your organization and its sensitive data. To get started, here are four activities we recommend:

  • Red teaming: Red team operations let you test your security controls and processes against a specific target or goal, such as vaccine formulas or patient Social Security numbers. Hire a red team, or equip your internal red team with the right tools, to simulate the stealthy approach a real adversary would take.
  • Detective control testing: Correctly configured detective controls are vital to network security. Test your detective controls against the tactics, techniques, and procedures (TTPs) used by real-world attackers to ensure your layers of defense in depth work as intended.
  • Internal network penetration tests: Given the increase in phishing attempts and the vulnerability of people in a crisis, a sophisticated adversary will likely find a way onto your network. This is where internal network penetration tests prove necessary: an internal network penetration test evaluates the network for security vulnerabilities and provides actionable remediation recommendations, letting you discover where your internal network gaps are before an adversary does.
  • Continuous testing: Often an organization’s attack surface is evaluated only by an annual penetration test. Implementing more frequent, lighter-touch tests throughout the year, or whenever a new technology or partner is added to your infrastructure, helps teams stay on top of recently introduced vulnerabilities.

[Post: Vaccine Security is Not Exclusive to Pfizer, Moderna, and Johnson & Johnson: Here’s Why]

[Next post, published 2022-03-15:]

The NetSPI team ventured from Minneapolis to Boston to attend the 2022 SecureWorld cybersecurity conference. For the first time in over two years, we saw plenty of smiling faces in the halls of the Hynes Convention Center as Boston lifted its COVID-19 mask mandate just days before the event.

While NetSPI has a growing satellite team in Boston, including managing director Nabil Hannan, a frequent contributor to the NetSPI Executive blog, it was the first or second visit to Boston for many of us. Needless to say, we took full advantage of the oysters, lobster rolls, and Italian food. Boston is truly a special city, which was made evident by the local security community members we connected with at SecureWorld and at our post-event happy hour at Eataly.

If you skim the SecureWorld Boston 2022 agenda you will quickly recognize common themes: the cybersecurity skills and diversity gap, ransomware prevention, application security, and more.

But session descriptions can only tell you so much. Here are four key narratives to take away from the event.

Security Awareness Training Takes Center Stage

In nearly every session we attended, security awareness training was referenced in some capacity. In many cases it was the final – and most actionable – recommendation provided.

How should you prepare for the increased cybersecurity risk amid Russia’s attack on Ukraine? Security awareness training. How can you prevent ransomware? Security awareness training. How do you secure the cloud? You guessed it… security awareness training.

In one session, titled A Whole Lotta BS (Behavioral Science) About Cybersecurity, Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance, analyzed the results of a study that benchmarks the current state of security awareness and training.

The most shocking statistics from the report?

  • Only 22% of respondents always report phishing emails to their email platform.
  • 28% of respondents do not know how to report phishing emails.
  • Only 12% of respondents use a password manager, which Lisa attributed to a lack of trust in those products after breaches early in their history.
  • 48% of respondents have never heard of multi-factor authentication (MFA).

Lisa went on to explain that capability, opportunity, and motivation are necessary to get someone to form a new habit. And when it comes to cybersecurity hygiene, motivation is the hardest to achieve.

A question from an audience member validated this point. They asked, “How can I motivate my employees to report phishing attempts more regularly?” Lisa and the audience chimed in with actionable recommendations, including:

  • Give people validation. Set up an automated response that thanks employees for correctly identifying a phishing attempt. People want validation, and a simple automated thank-you note goes a long way.
  • Gamify your social engineering assessments and reward success. An audience member implemented a program where employees receive points for properly reporting a phishing attempt. They can then cash in those points to purchase from the company store. 
  • Include HR in your conversations around social engineering. They will have great ideas as to what motivates people in the workplace and can help set policies for those who repeatedly fail phishing assessments.

These were timely suggestions as phishing attempts are not only more frequent, but also more successful. The State of the Phish report from Proofpoint found that 83% of organizations experienced a successful email-based phishing attack in 2021, versus 57% in 2020.

It’s no surprise that security awareness was top of mind for Boston’s security leaders at SecureWorld.

Security Decisions Should Never Be Made in a Silo

One of the most engaging sessions was called Congratulations on CISO, Now What? Bill Bowman, CISO at Emburse, spoke directly to newer CISOs about how to set a solid foundation for success in the demanding role.

He began his talk with an overview of the OODA loop: Observe, Orient, Decide, Act. Where are your crown jewels? How does your business make money? What exactly did you inherit? What security framework are you using? These were a few of the questions he urged new CISOs to answer as they get started.

“You are the brakes that make your company go faster,” explained Bill. Yes, security may cause friction to business processes, but it also adds immense value. And it’s up to the CISO to showcase and communicate that value they bring to the table.

He went on to explain why security decisions cannot be made in a silo. “The bad guys always collaborate, and the good guys don’t,” Bill said as he urged the CISOs in the room to establish security decision making teams within their organizations.

He continued with actionable advice for building those teams, specifically a policy review board and an infosec committee. The policy review board, Bill suggested, should consist of thought leaders with clout plus the legal team. The infosec committee should include not only the person the CISO reports to but also the technical security engineering staff: those in charge of penetration testing, vulnerability scanning, and bug bounty programs. These are the people who understand where your security program stands and how to improve it tactically.

Bill ended the session with insights around security awareness and the need to understand what types of security content people are interested in.

Delivering content that genuinely interests them, whether through monthly meetings or an internal newsletter, connects your security program to your employees. He also dug into how to establish metrics that matter, including vulnerability management metrics, and the need to prepare for a crisis early and build relationships with law enforcement contacts before a breach happens. If you ever get a chance to hear Bill speak, don’t miss it!

Cloud Security is a Shared Responsibility

One narrative that resonated across all of the cloud security sessions was the shared responsibility model: cloud security is the responsibility of both the cloud providers (AWS, Azure, Google Cloud Platform) and the organizations that use their services.

At NetSPI, we practice this through our cloud penetration testing services, helping customers identify cloud platform misconfigurations and fix vulnerabilities on the customer side of that line. Every organization must take responsibility for its own cloud security.

In an early panel, speakers discussed how the shift to fully remote and hybrid workforce models has increased the urgency of improving cloud security. When the moderator asked the audience, “Who has a formal work-from-home policy in place for their employees?”, only a few hands went up in a crowd of at least 50.

They went on to discuss the long-term technological impact of COVID-19, how expectations have changed, and why cloud services have become much more valuable today. Their parting advice: if you are migrating to the cloud, take the time to do it properly the first time. Silo your technologies, work with your data scientists, and leverage cloud pentesting and bug bounty programs to find security flaws before bad actors do.

It’s Necessary to Pause Before Reacting to a Crisis

With all eyes on Ukraine and the threat of cyberwarfare looming across the globe, panelists in an afternoon keynote session, Live from Ukraine: How Does Your Crisis Management Playbook Stack up During a Real-World Conflict?, explained why organizations need to pause before reacting to a crisis.

Why? Empathy.

DataRobot CISO Andy Smeaton joined the panel live from Poland where he was helping Ukrainians find safety and aid in humanitarian efforts. He was joined by Esmond Kane, CISO at Steward Health Care, Selva Vinothe Mahimaidas, CISO at Houghton Mifflin Harcourt, and Eric Gauthier VP of Infrastructure & Security at Emsi Burning Glass.


“Plans are essentially useless, but planning is essential,” one of the panelists said. They discussed tabletop exercises, offered recommendations on running an effective session, and described what to do when a real crisis, such as a breach, happens. Their advice included:

  1. Review your incident response plan. Refresh your understanding of the content and revisit the corresponding notes from the last tabletop for hidden gems and key insights.
  2. Tabletop exercises should focus on outcomes.
  3. Start small. Book an hour to start and grow and improve the sessions from there.
  4. Use what you have sitting in front of you. Evaluate the security controls you already have and understand how to use them to your advantage versus buying new technologies to fill a gap.
  5. Ask yourself, is this your crisis?
  6. Include security and IT teams in the planning phase. Let them participate and express judgement. It’s important to have a critical view of your playbook.
  7. Take a deep breath. The more you project calmness and control, the better you will respond.
  8. Be realistic. A smaller security team will need more time, resources, and money to work through a crisis than a larger one.

It’s challenging to prioritize planning for something that might not happen, but it’s vitally important. The most difficult factor of crisis planning and response according to the panelists? The human factor. There’s no playbook for how to deal with your emotions.

The panelists went on to explain that CISOs must practice empathy as employees grapple with the impact of the war. Humans are imperfect and they will fall victim to misinformation and phishing attempts. It’s up to security leaders to hit pause, reflect, and lean on their team to make thoughtful decisions together to not only protect their business and their job, but also their people. 

A Successful Happy Hour with Team NetSPI

Following the event on Wednesday, NetSPI hosted a happy hour at Eataly just next door to the convention center. We continued the conversations around security leadership, increasing threats, penetration testing services, and more while we enjoyed themed cocktails (appropriately named “NetSPIked” and “Netgroni”) and delicious Italian bites.

Check out this recap of the event:

https://youtu.be/9zjs7c071aQ

Want to connect with us at a security event or NetSPI happy hour?

Visit our events page to find out where NetSPI is heading next!

[Post: Live from SecureWorld Boston 2022. Excerpt: Read about our favorite moments from SecureWorld Boston 2022, featuring conversations on security awareness training, cloud security, cybersecurity crisis management, and more.]
