Travis Hoyt
- Pressures and risks banks face today
- Offensive security best practices
- What’s next for financial services cybersecurity
This is part two of our blog series that delves into cybersecurity for the financial services industry.
In part one, we discuss the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations.
In this part, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their regulators and leadership peers. We’ll also discuss opportunities to improve those metrics and address key challenges CISOs experience when building mature programs.
Let’s dive in.
Three Cybersecurity Metrics to Help Financial Institutions Tell Their Story to Regulators
The rise in cyberattacks against financial institutions means heightened scrutiny from bank regulators and more stringent compliance requirements. So, how can banks provide a thorough assessment of their security program to show regulators that they’re meeting regulatory requirements – and are keeping consumers and their data safe?
We can achieve that by identifying and keeping track of cybersecurity metrics that tell a powerful story.
These metrics are critical in two scenarios: to communicate your security program maturity and compliance to financial services industry regulators and to your leadership team/board to make the case for additional budget or resources.
When using metrics, keep in mind context over time is a key success factor for communication on trends. And consider the alignment with other metrics used to measure overall business success.
Cybersecurity metrics are historically challenging to determine as they don’t correlate directly to revenue or profit gain and are often proactive in nature. However, if you choose wisely they can help you benchmark your current cybersecurity program and show how your investments have impacted your organization over time.
To set a solid metric foundation, consider these three key cybersecurity metrics:
- Asset footprint: Anything that gives an accurate depiction of all your assets may be considered your asset footprint. This includes ephemeral assets (e.g., auto scaling compute or containers) and the number of endpoints per dollar of assets under control. For example, in endpoint management, you’re managing the number of devices, servers, or systems that are trying to access your company’s network. Taking inventory of all endpoints provides you with a better view of your security posture and how much it costs to manage your assets. The caveat is that this method works now, but not ideal for measuring your assets moving forward.
- Time to remediation: How long does it take to fix your critical vulnerabilities? What is the time it took to identify critical issues from discovery to vulnerability remediation? Being able to track this context over time provides an overall assessment of your risk profile. A scenario to consider: if your company doubles in size but the number of vulnerabilities remains the same or has increased, you need to investigate that.
- Percentage of revenue that makes up your cybersecurity budget: What percentage of the overall organizational revenue is being spent on cybersecurity? Is that spend increasing, but the number of vulnerabilities, security incidents, fraud reports, etc. remaining the same? Keeping track of your budget relative to your security outcomes can indicate the health of your program and areas that may require reevaluation.
For metric number three, you’ll need to partner with your CFO and finance team to track your progress over time. But for metrics one and two, it will be critical to formulate a plan to capture and improve these metrics to prepare for your next audit or budget meeting. Here are three ways to accomplish this:
- To measure and improve your asset footprint, leverage Attack Surface Management (ASM): ASM identifies and detects all known, unknown, and potentially vulnerable assets across your attack surface whenever there is exposure – not just what’s internet facing but in B2B network connections or peered cloud services too. ASM enables a comprehensive view of your environment from the outside in.
- To measure and improve time to remediation, leverage Penetration Testing as a Service (PTaaS): PTaaS combines technology with human expertise to find critical vulnerabilities that tools and traditional pentesting processes miss. The key here will be to work with a partner that can orchestrate and manage your vulnerabilities in a dynamic platform that allows you to track your remediation progress over time (see: NetSPI Resolve).
Check out these case studies to learn how two banks leveraged penetration testing to address the unique challenges financial firms face:
- NetSPI Addressing Financial Services Security Challenges Head-On
- NetSPI Testing Highlights Security Flaws for Leading Financial Services Firm
How to Articulate the Need for Budget
One of the challenges that we personally experienced in our roles as in-house security leaders and CISOs is the need to articulate budgetary needs to the leadership team and the board.
You need money and resources to employ the right people and acquire the necessary tools to protect your organization, right? This is correct, but you also need to recognize that the metrics you’re currently sharing may not align with the priorities of the CEO or the board. This gets even more challenging when the CEO or board hasn’t funded these initiatives historically.
So, what are ways you can effectively approach this?
First, understand that it’s not about confronting the board or the CEO. It’s about empowering them to articulate the risks they’re willing to take (e.g., risk of a possible breach, exposing consumer PII, etc.)
It’s important to engage with your leadership team and spend the time building this relationship so you both are aligned with the security or control posture of the organization. Security leadership should never operate in a silo.
Second, don’t tell half the story, tell the whole story. Explain how your budget decisions align with the company’s priorities: generating revenue, achieving company goals, maintaining a positive public reputation, etc. Articulate your metrics in the terms and language they understand to effectively tell you cybersecurity maturity story and make the case for additional support.
For more on this topic, read How To Eliminate Friction Between Business and Cyber Security.
Strategic Cybersecurity for Financial Institutions
More than ever, it’s important to be strategic when improving cybersecurity in the financial industry. Here are two things to consider to set you on the right path toward security program maturity:
- Tool overload and alert fatigue. Be mindful of purchasing capabilities you can’t manage or extract the value from. Why? Because you’re going to have to find the people to address all the data you aggregate. This lack of alert coverage and response could result in hesitancy from your leadership team or regulators.
- Technical leaders vs. security leaders. When you hire, ensure that your technical team also understands security and why it matters to your business. Someone with a technical background may not truly grasp security concepts and strategy. Ensure you have a balanced team that can help you articulate your metrics as outlined above.
If there is one thing we want you to take away from this blog post, it is this: financial cybersecurity is an ongoing effort – it is a not a point-in-time commitment. Continuous improvement is essential to telling your cybersecurity story – and the metrics you choose to measure and the way you communicate them will be the backbone of that story.
The financial industry is a top target for cyberattacks. Just behind healthcare, the financial industry is the second most targeted sector, accounting for 12% of all breaches. But what makes banks such a high-profile target for cybercriminals?
The critical assets that financial institutions store – customer personal data and money – make them a lucrative target for cybercriminals. In recent years, we saw a steady inclination towards digitization in the financial industry, and the onset of COVID-19 only accelerated this momentum. Employees transitioning to remote work and customers relying on online transactions mean an ever-expanding attack surface.
Although cybercrime is attempted frequently, the financial industry is known to implement some of the most mature cybersecurity programs.
According to consulting firm McKinsey & Company, the banking sector is one of the most advanced in cybersecurity maturity, due to the regulatory environment, consumer expectations, and competitive pressures. These nuances alone create a unique threat landscape for banks across the globe.
In this two-part blog series, we will dive into cybersecurity for financial institutions. This first blog will explore the current state of financial services cybersecurity, the challenges the industry faces, and opportunities for banks and other financial institutions to better protect their organizations – and in turn, their customers.
In part two, we explore measurable and actionable metrics banks can track to craft a powerful cybersecurity story tailored to their unique threat landscape.
For additional reading on financial industry cybersecurity, check out these resources:
- Penetration Testing for Financial Institutions
- West Monroe Financial Institution Case Study
- How Secure are ATM Machines? An ATM Penetration Testing Expert Explains
- Leading Financial Institution Leveraged NetSPI Red Team Service to Improve
Their Security Posture - NetSPI Testing Highlights Security Flaws for Leading Financial Services Firm
The Current State of Financial Cybersecurity
Cybersecurity decisions are driven by security professionals, technology leaders, business executives, vendors/partners, board of directors, auditors, and regulators. The groups work in partnership to provide some of the most mature security programs.
Banks must comply with established regulators – often run by agencies such as the FDIC, OCC, NYDFS, and FRB in the US; the FCA in the UK; and OSFI in Canada – to oversee banking operations. Regulators ensure that banks comply with industry standards and consumer protection laws, and they oversee the soundness of the financial institution.
Banks that undergo a cybersecurity breach suffer from financial, reputational, and regulatory impacts. In addition to that, banks that receive a MRA (Matter Requiring Attention), or worse a MRIA (Matter Requiring Immediate Attention) from a previous examination or inspection will find themselves under intense scrutiny. This drives up operating costs and distracts resources away from other initiatives.
A medium-sized bank with smaller and less mature cyber functions is more likely to suffer a more impactful impairment. Larger banks that have had significant investments are not immune to compromise. But, because they’ve had the necessary investment to develop robust programs over the last two decades, they are less likely to experience a substantial impact.
This highlights that the current state of cybersecurity is situational and truly depends on various organizational factors and the accompanying unique cybersecurity considerations. For example, the size of your organization, type of banking services provided, who your examiners are, and location, among other factors.
Keeping that in mind, here are five things we know to be true today regarding today’s financial cybersecurity landscape:
- Large banks invest more resources and money into their cybersecurity programs to accommodate for the complex and costly processes needed to avoid risks.
- The larger your organization, the more complex your environment is to secure.
- Evolving regulatory frameworks account for the size and systemic risk a given institution has on the entire financial system.
- Banks with an international presence face the increased complexity of dealing with regulatory requirements globally.
- There is a significant investment in cybersecurity for financial institutions.
To understand these concepts in depth, let’s look at four key cybersecurity challenges the banking industry faces today.
Keeping up with Banking Cybersecurity Regulations
Different banks have different regulatory imperatives based on where they operate. For instance, in the US, the Financial Industry Regulatory Authority (FINRA) operates at the multinational level, the Office of the Comptroller of the Currency (OCC) at the national level, and the New York State Department of Financial Services (NYDFS) at the state level.
To keep up with the regulatory requirements domestically and internationally, security leaders must work closely with their risk and governance leadership to establish an effective compliance strategy to ensure security protects the enterprise while meeting the expectations of regulators. A strategy that maps regulatory requirements back to the business’ reporting processes is essential since banks work with different countries that implements their own compliance laws.
Furthermore, evolving privacy standards, such as General Data Protection Regulation (GDPR), have a tone of security built into their compliance requirements. It’s important to understand how your security practices can help you comply with privacy standards, although they do not explicitly evaluate cybersecurity.
At the national level in the US, there is a mix of consumer privacy laws to regulate what financial institutions can do with specific types of consumer data, but there is no single legislation that all privacy laws fall under. In fact, only California, Virginia, and Colorado have comprehensive consumer privacy laws. Many states enact their own privacy laws, but they are either incompatible or the data overlaps. For instance, a state may define a breach and what constitutes as personal data differently from another state.
Retaining Financial Industry Cybersecurity Talent
Across the spectrum, financial institutions struggle to attract and retain cybersecurity talent. Although this changes from organization to organization. For instance, larger banks have the funding to attract talent compared to smaller banks that experience more difficulty in this arena. And non-traditional financial institutions may have better luck attracting talent if they have flexible work-from-home policies. As other sectors like healthcare improve their cyber posture, competition for talent is increasing.
The COVID-19 pandemic has created significant demand for remote or hybrid roles. Unfortunately, many financial institutions are not opting to allow this given the traditional nature of the industry. This can deter security candidates from seeking roles in the industry especially since other industries offer competitive pay with the added benefit of being remote.
For smaller banks that lack cybersecurity experts with the necessary background, third-party service providers can help solve hiring challenges and serve as an extension of their team. NetSPI specifically leverages its penetration testing experts and technologies to perform offensive security testing and help financial institutions discover, prioritize, manage, and remediate their security vulnerabilities.
Providers that take a partnership approach can also help organizations meet their objectives and offer services with a bench strength that they are unable to attract or retain themselves.
Regulators Are Your Partners, Not Your Enemy
Regulations are put in place to protect financial institutions and their customers. In cybersecurity, you’re only able to safeguard your critical assets to an extent if you’re not keeping pace with the ever-changing threat landscape.
The independent nature of regulators is a resource many other industries don’t have. They’re able to provide unique perspectives based on the independence and years of experience an organization has. Having the ability to bridge the gap through the market and within the organization makes them an ideal partner to protect your organization and customers. Transparency and actively reaching out to your assigned auditors will be key in this process.
Start by engaging with them in conversations about the future of your organization. Engaging in conversations early in the pipeline and gauging their opinion will open opportunities for more discussion and insights that will help you with compliance.
You also want to work in tandem with your regulator to leverage regulatory requirements against existing controls and efforts to address control gaps in the organization. This enables the regulator to gain a better understanding of the company’s risk culture to effectively map the regulatory requirements back to the business’ operating systems. Then, the board and executive leadership team can make sound decisions relating to budget and risks.
Ultimately, your cybersecurity team and the regulator share the same goal – to protect your customer - so it is important to realize that your regulator is not your enemy, but your partner in maturing your organization.
Prioritizing Investments Within Financial Industry Cybersecurity
We predict that the banking community will continue to invest more in its cybersecurity programs compared to any other industry. Estimates forecast this industry will account for more than 30% of all security spending worldwide.
But how should financial organizations prioritize that spending? By focusing on risk.
What vulnerabilities, if exploited, would cause the most harm to your organization and customers? Fix those first.
What part of your business is responsible for most of your revenue? Increase your investments in securing this portion of your business.
Implementing new technologies or architectures (see: blockchain security)? Understand the cybersecurity implications before deployment.
Just because you are compliant, does not mean you are secure. That’s worth repeating: just because you are compliant, does not mean you are secure. Shifting to a risk-based mindset will set financial institutions up for future success and elevate your program maturity.
On April 27, 2022, NetSPI CTO Travis Hoyt published an article in the Forbes Technology Council called Beyond Bitcoin: Understanding Blockchain Security Implications. Preview the article below, or read the full article online.
+++
The blockchain market is expected to grow 68.4% over the next four years, with 86% of senior executives believing blockchain will become a mainstream-adopted technology. While the majority of the world has been fixated on various cryptocurrencies - including bitcoin, ethereum and the emerging non-fungible token (NFT) market - organizations have adopted blockchain technology behind the scenes. To do this, the right education and implementation strategies are needed because without proper implementation strategies factoring in architectural nuances, organizations are opening their business up to security risks.
There are a handful of blockchain deployment models: private (or internal), permissioned/consortium and public. While they all possess some common traits, each has its own nuances when it comes to its use and associated security risks.
Private (Or Internal) Deployment
Blockchains on a private network are generally isolated but are intended to solve internal operational efficiency problems. They offer an alternative data plane to traditional database architectures, with smart contracts serving as stored procedures.
Private networks are quicker than other deployment models—largely because all of the infrastructure is within the four walls of the organization –– but most importantly because the consensus model doesn’t require trustless verification that public chains do. When deployed internally, processes become more efficient, so the steps to protect business assets are more controlled. We see this specifically with an organization’s internal supply chain—the blockchain enables a faster and more cost-efficient delivery of services.
The organization that controls the blockchains can set permission requirements and implement its own security precautions. By controlling which users can view, add or change data within the blockchain, private information is protected from third parties.
Alternatively, private blockchains are potentially more vulnerable to fraud, so organizations must understand the interworking of the network in order to patch a vulnerability effectively. If a malicious insider or cyberattack presents itself, the steps to mitigate are essentially the same as with any other cyberthreat: conduct risk assessments, have penetration testing in place to identify security gaps and build a threat detection and response plan. Organizations that have neglected to address blockchain acumen gaps in their IT and cyber resources may find their response playbooks aren’t completely meeting their needs.
Read the full article online.
[post_title] => Forbes: Beyond Bitcoin: Understanding Blockchain Security Implications [post_excerpt] => On April 27, 2022, NetSPI CTO Travis Hoyt published an article in the Forbes Technology Council called Beyond Bitcoin: Understanding Blockchain Security Implications. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => forbes-beyond-bitcoin-understanding-blockchain-security-implications [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:41 [post_modified_gmt] => 2023-01-23 21:10:41 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27708 [menu_order] => 278 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [9] => WP_Post Object ( [ID] => 27444 [post_author] => 85 [post_date] => 2022-02-22 10:26:00 [post_date_gmt] => 2022-02-22 16:26:00 [post_content] =>On February 22, 2022, NetSPI and Travis Hoyt were featured in a VMblog article titled, NetSPI Launches New Attack Surface Management Platform. Preview the article below, or read the full article online here.
+ + +
NetSPI introduced Attack Surface Management to help secure the expanding, global attack surface. The platform delivers continuous pentesting backed by NetSPI's global security testing team to help organizations inventory known and unknown internet-facing assets, identify exposures, and prioritize critical risks to their business.
According to Gartner's Emerging Technologies: Critical Insights for External Attack Surface Management report, analysts recommend attack surface management implementation "as part of a broader, enterprise-wide vulnerability and threat management effort, where known and unknown risks, vulnerabilities and assets are handled as part of a concerted and integrated strategy."
Attack Surface Management is a core component of NetSPI's Penetration Testing as a Service (PTaaS) delivery model. It complements the company's established Penetration Testing and Adversary Simulation technology-powered services to provide a full suite of offensive security solutions for its customers.
"You don't know what you don't know, and what you don't know can hurt you," said Travis Hoyt, Chief Technology Officer at NetSPI. "What we have built here is a comprehensive solution to shadow IT and asset management challenges. Attack Surface Management provides an opportunity for organizations to continuously enhance their security posture, improve their penetration testing strategies, and ultimately reduce the probability and impact of a costly cyberattack."
Continue reading NetSPI Launches New Attack Surface Management Platform on the VMblog.
[post_title] => VMblog: NetSPI Launches New Attack Surface Management Platform [post_excerpt] => On February 22, 2022, NetSPI and Travis Hoyt were featured in a VMblog article titled, NetSPI Launches New Attack Surface Management Platform. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vmblog-netspi-launches-new-attack-surface-management-platform [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:51 [post_modified_gmt] => 2023-01-23 21:10:51 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27444 [menu_order] => 302 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [10] => WP_Post Object ( [ID] => 27421 [post_author] => 85 [post_date] => 2022-02-22 09:00:00 [post_date_gmt] => 2022-02-22 15:00:00 [post_content] =>On February 22, 2022, Travis Hoyt was featured in a VentureBeat article titled, Pentesting Firm NetSPI Expands Into Attack Surface Management. Preview the article below, or read the full article online here.
+ + +
Exposure of internet-facing enterprise assets and systems can bring major risks for security. And yet in many cases, enterprises aren’t even aware of all the internet-facing assets they have — which of course makes it impossible to go about securing those assets and systems.
As digital transformation continues turning all enterprises into internet companies, to one degree or another, this problem of exposed assets and systems is growing fast. And that has led to the emergence of a new category of security technology: External attack surface management, or EASM.
The technology — sometimes referred to simply as attack surface management, or ASM — focuses on identifying all of an enterprise’s internet-facing assets, assessing for vulnerabilities and then remediating or mitigating any vulnerabilities that are uncovered.
A separate discipline within security is penetration testing, or pentesting, in which a professional with hacking expertise performs a simulated attack and tries to breach a system, as a way to uncover vulnerabilities that need to be addressed.
Today, enterprise pentesting firm NetSPI announced that it’s bringing the two worlds together, with the debut of its new attack surface management offering. The solution integrates the company’s pentesting experts into the attack surface management process, as a way to improve the triage and remediation of risky exposures, said Travis Hoyt, CTO at NetSPI.
“EASM does not typically include manual pentesting — at least not in the way NetSPI incorporates it into our new offering,” Hoyt in an email to VentureBeat.
However, “both are necessary to truly accomplish a holistic, proactive security program,” he said. “In today’s threat environment, conducting a pentest once a year is no longer effective given the rate at which the attack surface is changing. EASM ensures that corporate networks have constant coverage and attack surface visibility.”
Continue reading Pentesting Firm NetSPI Expands Into Attack Surface Management on VentureBeat (reporting by: Kyle Alspach).
[post_title] => VentureBeat: Pentesting Firm NetSPI Expands Into Attack Surface Management [post_excerpt] => On February 22, 2022, Travis Hoyt was featured in a VentureBeat article titled, Pentesting Firm NetSPI Expands Into Attack Surface Management. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => venturebeat-pentesting-firm-netspi-expands-into-attack-surface-management [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:51 [post_modified_gmt] => 2023-01-23 21:10:51 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27421 [menu_order] => 303 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [11] => WP_Post Object ( [ID] => 27414 [post_author] => 85 [post_date] => 2022-02-22 08:05:00 [post_date_gmt] => 2022-02-22 14:05:00 [post_content] =>NetSPI employs many former CISOs and security leaders, myself included. When discussing the challenges that we faced in those roles, we all agreed that one of the greatest challenges was keeping up with constant change to our attack surface.
New things pop up on the external network all the time, often without IT awareness. And it’s up to security leaders to keep track of all assets AND understand the risk of every exposure. In other words, keeping up with the rapidly evolving external attack surface is not for the faint of heart.
To help, NetSPI launched Attack Surface Management, a platform-driven, human delivered offering that mitigates attack surface risks. Pulling from lessons learned during the R&D of Attack Surface Management (ASM), I want to share some advice on how you can adjust your cyber attack surface management strategy to ultimately keep pace with the rate of change security leaders are experiencing today.
What is Attack Surface Management?
First, it’s important to understand what the attack surface is.
An attack surface is an accumulation of all the different points of entry on the internet that stores your organization’s data (external-facing assets). This includes your hardware, software, your digital assets uploaded to the cloud, and much more.
Attack surface management provides continuous observability and risk assessment of your organization’s entire attack surface. When coupled effectively with continuous penetration testing, it helps organizations improve their attack surface visibility, asset inventory, and understanding of their assets and exposures.
Attack Surface Management Use-Cases
Through the attack surface, adversaries can exploit exposures to identify vulnerabilities that will give them access to your organization. If the threat actors are successful, the outcomes may vary, but are undoubtably negative. Those outcomes could include:
- Deployment of malware on your network for the purposes or ransomware, or even worse killware.
- Extraction of employee data such as social security numbers, healthcare data, and personal contact information, which could become a nightmare for privacy teams as privacy legislation across the globe continues to grow.
- Threaten to block access to your financial records with ransomware, then hold you hostage for more not to publicly disclose that data.
You can incorporate an attack surface management solution to detect known, unknown, and potentially vulnerable public-facing assets, as well as changes to your network. Effective asset management and change control processes are challenging, and even the most well-intentioned organizations often see this as an area of opportunity for improvement. Common reasons organizations invest in attack surface management include:
- Continuous observability and risk management
- Identification of external gaps in visibility
- Discovery of known and unknown assets and Shadow IT
- Risk-based vulnerability prioritization
- Assessment of M&A and subsidiary risk
Explore additional attack surface management use-cases: Download our data sheet.
3 Ways to Improve Your Attack Surface Management Strategy
As I noted earlier, attack surface management is not for the faint of heart. The volume of data many technology-based external attack surface management (EASM) solutions generate can be hard to consume and even harder to make actionable. But there are three ways you can improve your strategy to minimize risk and better secure your organization.
Incorporate Human Expertise
Most of today’s attack surface management solutions are heavily reliant on technology. But what’s missing in the market are comprehensive solutions that intersect innovative technology with human intuition. Humans find vulnerabilities that tools miss and can provide business context to each exposure. There’s no replacement for human talent.
Additionally, many organizations rely solely on technology, but the reports scanners sent over generate noise for clients and contain many false positives. By adding manual exposure triaging to your attack surface management workflow, you can limit the noise and only focus on the exposures that matter most to your business.
At NetSPI, our ASM Operations Team pulls from its 20+ years of manual penetration testing expertise to provide the intuition and insight needed to help you prioritize the areas of weakness on your attack surface. We can provide you with additional context to determine next steps, help you triage exposure, evaluate the risk it poses to your business, advise your team on remediation strategies, and prioritize manual testing techniques to find business-critical vulnerabilities tools often miss.
Enable Always-on, Continuous Penetration Testing
An attack surface monitoring solution needs to manage risks to your attack surface via ongoing, continuous monitoring. If your current attack surface management solution is not truly continuous, or if you’re unable to effectively reason about the data the solution is generating, you’re giving adversaries ample time to find risky exposures before you do.
NetSPI helps your security teams stay on top of changes to your attack surface by providing a 24/7/365 ongoing assessment of your organization’s external-facing assets. This is achieved through our automated scan orchestration technology, Scan Monster.
We use a multitude of automated and manual methods including open source intelligence (OSINT) to identify data sources such as business entities, IP addresses, domains, employee information, and sensitive company data.
Coupling this technology with our human expertise provides a robust, around-the-clock attack surface management strategy gives you comprehensive visibility that enables you to effectively manage risk.
Prioritize Exposures Based on Risk
Many organizations today scan for external-facing assets and then send reports and alerts over without any context. This creates noise, and wastes time, money, and resources to parse through the data.
Attack surface management isn’t your day job. Cybersecurity leaders have an entire portfolio of controls to consider and solutions that just feed a torrent of data distracts you and your teams from focusing on the real threats to your business.
What are the critical risk factors that will affect the business? Who are the potential threat actors? Which vulnerabilities should I remediate first? Which exposures are most likely to be exploited?
NetSPI’s ASM Operations Team and our ASM platform will help you identify the answer to these questions. In the Attack Surface Management technology platform you can group assets based on risk using the tagging function to create a risk-based view of your attack surface.
You can also view your results over time to measure your ability to reduce risk. We deliver results to clients that are meaningful, validated, and help organizations understand the true risks on their attack surface. This way, you can prioritize your time and effort on critical exposures that matter.
NetSPI’s Attack Surface Management
So, how do you minimize risk and ensure full visibility of your attack surface? By integrating an attack surface management strategy that is human delivered, continuous, and risk-based.
We created our Attack Surface Management offering based on these three pillars – and we’re thrilled to formally launch it to the public today. Ready to learn more about our service and technology platform? Visit www.netspi.com/attack-surface-management.
On January 31, 2022, Travis Hoyt was featured in a CMS Wire article titled, How Blockchain Is Enabling Digital Transformation. Preview the article below, or read the full article online here.
+ + +
Blockchain is not a new technology despite much of the hype about it in recent months. What is somewhat new is what's behind the hype. It's being driven not by the technology itself, but rather its applications and the digital workplace tools it enables.
For example, we have seen the key role that blockchain technology is playing in the enablement of Web3. But it is also playing a major role in the development of the metaverse and defining new ways to manage data, too. All of this has been facilitated by the evolution of blockchain technology itself.
The Future of Blockchain in Enterprise Businesses
The predominant focus of blockchain technology to date has been in the development and deployment of cryptocurrencies, tokens and other digital asset mediums with little impact on corporations and workplaces, said Travis Hoyt, chief technology officer at Minneapolis-based NetSPI, an information security provider.
But that is changing, Hoyt said, as companies start to look at the advantages of blockchain technology in areas of enterprise focus such as process flows, automation and simplification.
The result is that the blockchain market is expected to grow 68.4% over the next five years and become a key technology investment across the enterprise. There’s a substantial increase in hiring for blockchain-related skills, a number that is expected to continue to grow.
The innovations that stem from adoption of this technology will create unique opportunities, Hoyt said, but also come with risks that many organizations are not ready to address. Blockchain-based architectures share many similarities to traditional architectures, web applications and APIs, and the underlying infrastructure is largely the same or very similar. But the introduction of a distributed data plane, smart contracts and consensus models will have a notable impact on the threat model for those deployments.
"It is clear that blockchain technology is here to stay," Hoyt said. "As cities start to leverage it, or as corporations and governments look at its potential of operational efficiency, the allure of immutable data and the ability to have perfect transactional recollection increases."
Data will also become easily accessible, he added, and will be a powerful driver of innovation.
[post_title] => CMSWire: How Blockchain Is Enabling Digital Transformation [post_excerpt] => On January 31, 2022, Travis Hoyt was featured in a CMS Wire article titled, How Blockchain Is Enabling Digital Transformation. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cmswire-how-blockchain-is-enabling-digital-transformation [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:55 [post_modified_gmt] => 2023-01-23 21:10:55 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27279 [menu_order] => 313 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [13] => WP_Post Object ( [ID] => 27239 [post_author] => 91 [post_date] => 2022-01-25 12:09:02 [post_date_gmt] => 2022-01-25 18:09:02 [post_content] =>On January 25, 2022, Travis Hoyt, Florindo Gallicchio, Charles Horton, and Nabil Hannan were featured in TechRound's 2022 Cybersecurity Predictions round up. Preview the article below, or read the full article online here.
- Explore industry expert predictions on what’s in store for cybersecurity in 2022.
- Cyber-attacks have remained a key concern throughout the COVID-19 pandemic. With 2021 now over, what does the new year have in store for cybersecurity?
- We’ve collected predictions from industry experts, including HelpSystems’s Joe Vest, Gemserv’s Andy Green and more.
With many businesses continuing to work from home where possible and settling into a more hybrid style of work, cybersecurity has been a key concern across a range of industries.
Here, we’ve collected opinions from industry experts on what they predict 2022 has in store for cybersecurity.
Travis Hoyt, CTO at NetSPI
Attack surface management: “As organisations continue to become more reliant on SaaS technologies to enable digital transformation efforts, the security perimeter has expanded. Organisations now face a new source of cybersecurity risk as cybercriminals look to exploit misconfigurations or vulnerabilities in these SaaS technologies to wage costly attacks. In 2022, we can expect that organisations will become more focused on SaaS posture management and ensuring that their SaaS footprint is not left open as a vector for cyberattacks. This trend will be further accelerated by the insistence of insurance providers that organisations have a detailed understanding of their SaaS deployments and configurations, or face higher premiums or even a refusal of insurance altogether.”
Next generation architectures open new doors for security teams: “Interest in distributed ledger technology, or blockchain, are beginning to evolve beyond the cryptocurrency space. In 2022, we’ll begin to see the conversation shift from bitcoin to discuss the power blockchain can have within the security industry. Companies have already started using this next generation architecture, to better communicate in a secure environment within their organisations and among peers and partners. And I expect we’ll continue to see this strategy unfold as the industry grows.”
CFOs will make or break ransomware mitigation: “For too long, companies have taken a reactionary approach to ransomware attacks – opting to pay, or not pay, after the damage has already been caused. I expect to see CFOs prioritising conversations surrounding ransomware and cyber insurance within 2022 planning and budgetary meetings to develop a playbook that overalls all potential ransomware situations and a corresponding strategy to mitigate both damage and corporate spend. If they don’t lead with proactivity and continue to take a laggard approach to ransomware and cyber insurance, they are leaving their companies at risk for both a serious attack and lost corporate funds.”
Florindo Gallicchio, Managing Director and Head of Strategic Solutions at NetSPI
Cybersecurity budgets will rebound significantly from lower spend levels during the pandemic: “As we look to 2022, cybersecurity budgets will rebound significantly after a stark decrease in spending spurred by the pandemic. Ironically, while COVID-19 drove budget cuts initially, it also accelerated digital transformation efforts across industries – including automation and work-from-home infrastructure, which have both opened companies up to new security risks, leading to higher cybersecurity budget allocation in the new year. Decisions are being made in Fortune 500+ companies with CFOs on the ground, as these risk-focused enterprises understand the need for larger budgets, as well as thorough budgeted risk and compliance strategies. Smaller corporations that do not currently operate under this mindset should follow the lead of larger industry leaders to stay ahead of potential threats that emerge throughout the year.”
Charles Horton, Chief Operations Officer at NetSPI
Company culture could solve the cybersecurity hiring crisis: “It’s no secret that cybersecurity, like many industries, is facing a hiring crisis. The Great Resignation we’re seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. From a retention perspective, I expect to see department heads fostering a culture that’s built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves – ultimately driving positive retention rates across the organisation.”
Nabil Hannan, Managing Director at NetSPI
2022 is the year for API security: “In 2022, we will see organisations turn their attention to API security risks, deploying security solutions and conducting internal audits aimed at understanding and reducing the level of risk their current API configurations and deployments create. Over the past few years, APIs have become the cornerstone of modern software development. Organisations often leverage hundreds, and even thousands, of APIs, and ensuring they are properly configured and secured is a significant and growing challenge. Compounding this issue, cyberattackers have increasingly turned to APIs as their preferred attack vector when seeking to breach an organisation, looking for vulnerable connection points within API deployments where they can gain access to an application or network. For these reasons, securing APIs will be a top priority throughout 2022.”
The Skills Shortage Will Continue Until Hiring Practices Change: “In 2022 the cybersecurity skills gap will persist, but organisations that take a realistic approach to cybersecurity hiring and make a commitment to building cybersecurity talent from the ground up will find the most success in addressing it. The focus in closing the skills gap often relies on educating a new generation of cybersecurity professionals through universities and trade programs, and generally encouraging more interest in young professionals joining the field. In reality, though, these programs will only have limited success. The real culprit behind the skills gap is that organisations often maintain unrealistic hiring practices, with cybersecurity degrees and certification holders often finding untenable job requirements such as 3+ years of experience for an entry level job.”
[post_title] => TechRound: Cybersecurity Predictions for 2022 [post_excerpt] => On January 25, 2022, Travis Hoyt, Florindo Gallicchio, Charles Horton, and Nabil Hannan were featured in TechRound's 2022 Cybersecurity Predictions round up. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techround-cybersecurity-predictions-for-2022 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:56 [post_modified_gmt] => 2023-01-23 21:10:56 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27239 [menu_order] => 315 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [14] => WP_Post Object ( [ID] => 27156 [post_author] => 85 [post_date] => 2022-01-11 12:14:00 [post_date_gmt] => 2022-01-11 18:14:00 [post_content] =>On January 11, 2022, NetSPI CTO Travis Hoyt was featured in an article written by Karen Hoffman for SC Magazine. Read the full article online here.
+ + +
In cybersecurity, as in many areas, the “little guy” gets squeezed. Such is the apparent case with the financial industry, where small and minority-led financial services institutions (FSIs) and credit unions are feeling greater pressure and impact from online threats.
In recent months, this has grown beyond being a basic IT security, or even banking, issue into being a political one, as FSI executives and the Congress representatives who support them have made their case that smaller and emerging community-based FSIs need greater cybersecurity support from regulators, larger fellow FSIs and the core processors that typically support these small FSIs.
...
As Travis Hoyt, chief technology officer at NetSPI, pointed out, smaller banks, minority-led institutions, and credit unions have had an issue with cyberattacks for a number of years, oftentimes because they are unable to “attract and retain the talent needed to staff robust security teams, especially when faced with competition by larger FSIs with bigger budget allocations.”
“This challenge is exacerbated by the fact that the larger FSIs, while still a target, are more difficult to hack into than their smaller counterparts,” Hoyt added, “which entices threat actors into targeting the arguably softer, smaller targets without effective cyber control capabilities.”
[post_title] => SC Magazine: Small, minority-led banks and credit unions face greater cyber risk [post_excerpt] => On January 11, 2022, NetSPI CTO Travis Hoyt was featured in an article written by Karen Hoffman for SC Magazine. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => sc-magazine-small-minority-led-banks-and-credit-unions-face-greater-cyber-risk [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:57 [post_modified_gmt] => 2023-01-23 21:10:57 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27156 [menu_order] => 319 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [15] => WP_Post Object ( [ID] => 27134 [post_author] => 85 [post_date] => 2022-01-05 08:45:00 [post_date_gmt] => 2022-01-05 14:45:00 [post_content] =>On January 5, 2022, NetSPI CTO Travis Hoyt published an article for the Forbes Technology Council. Read the full article below or online here.
+ + +
Think security is solely the responsibility of the chief information security officer (CISO)? Think again. Finance and risk C-suite leadership have a critical role to play in preventing cybersecurity breaches.
Cybersecurity is a real loss event that has a potentially negative financial impact on a business — and it should be treated as such.
Case in point: According to Digital Hands’ "The Cost of Doing Nothing" report, damages from destructive malware and ransomware were the most expensive cyber attacks at $4.52 million and $4.22 million, respectively. Beyond direct financial losses (e.g., ransom paid), the indirect costs of a ransomware attack — regulatory fines, operational downtime, reputational damage, insurance premiums and legal costs — are also on the rise.
In reality, ransomware and other cybersecurity incidents are a revenue hit. It's time for security and technology leaders to include finance and risk leadership in cybersecurity conversations, and security testing is a great place to start. Read on for three reasons why.
To Better Understand The Business Risk
For too long, security testing and vulnerability management activities, such as penetration testing, red teaming and breach and attack simulation, among others, have been discussed in an IT or security silo. That’s not where those discussions should be held.
Security professionals must communicate with finance and business leadership to better understand how the organization makes money. At the end of the day, that is what is core to your business and what we are ultimately protecting from cyber threats. Reshaping the way we think about security testing — moving from an engineering focus to a business risk perspective — can help us make more thoughtful decisions on which risks to prioritize, the cybersecurity activities to invest in and which business decisions have limited or negative ROI when incorporating cybersecurity implications.
To Validate And Champion For Cybersecurity Spend
Cybersecurity is often viewed as a cost center, but it should be viewed as a business enabler. When putting your security controls to the test, looping in the CFO and CRO can be invaluable to validate spend and measure ROI.
CFOs, CROs and the like have a unique understanding of loss potential and can help CISOs identify the level of security investment and resources necessary to protect the organization, in line with the organization’s risk appetite.
A running list of vulnerabilities is not the only deliverable you receive following a penetration test. Not anymore, at least. Modern penetration testing models, such as penetration testing as a service (PTaaS), can help you validate your existing security controls (e.g., SIEM, EDR, firewalls) to thoroughly understand the scope of your control coverage.
“Do my controls give me the level of coverage I need to say that I'm effectively securing this value stream?” is the question that CISOs should ask themselves. Speaking the language of the C-suite — in dollars and cents — will help CISOs create security champions among the leadership team. In addition to reporting the critical vulnerabilities and how they are being remediated, showcase that each security investment is working as intended — or not — through your pentesting assessments.
To Shift Your Vulnerability Management Mindset
Today, there are organizations that still implement a “spray and pray” vulnerability management approach. They rely solely on automated scanners for their testing, without human context. Just as businesses are not created equal, all vulnerabilities are not created equal. It requires human intuition to identify the greatest risks to your business and prioritize the remediation efforts. Tech-enabled experts can bring that intuition to bear in an efficient way so as to enable greater coverage in both breadth and depth.
The threat landscape is constantly changing and testing annually is no longer good enough. Businesses are dynamic — CFOs and CROs know this well — so why don’t today’s testing strategies align with this?
Security testing is a critical component of the CFO and CRO's roles as they focus on adhering to regulatory bodies and auditors in their day to day. An annual, check-the-box pentest may help them adhere to compliance requirements today, but those requirements are evolving. As a risk-based vulnerability management approach gains traction, continuous testing will become the standard.
Applications change and new releases are rapid-fire. Executives must be committed to investing in security, but also investing in process improvements that enable this type of testing to occur more frequently. Reduced friction security engagements can provide reassurances that unidentified risks are not making it into production with each feature release. Work with your CFOs and CROs to help them understand the concept of risk-based vulnerability management and establish a plan for always-on testing, such as implementing a pentesting strategy.
The goal of security testing is no longer to find as many vulnerabilities as possible. It’s now shifting to a model where we are identifying the vulnerabilities that create the greatest risk to an organization in real time. Establishing relationships between security and risk/finance leadership is key to achieving a risk-based security testing program.
[post_title] => Forbes: Three Reasons To Include Finance And Risk Leadership In Security Testing Discussions [post_excerpt] => On January 5, 2022, NetSPI CTO Travis Hoyt published an article for the Forbes Technology Council. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => forbes-including-finance-and-risk-leadership-in-security-testing [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:59 [post_modified_gmt] => 2023-01-23 21:10:59 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27134 [menu_order] => 322 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [16] => WP_Post Object ( [ID] => 26976 [post_author] => 85 [post_date] => 2021-12-13 16:07:00 [post_date_gmt] => 2021-12-13 22:07:00 [post_content] =>On December 13, 2021, NetSPI Chief Technology Officer Travis Hoyt was featured in an article written by Karen Hoffman for SC Media. Read the full article below or online here.
+++
A regional bank based in New York announced earlier this month that it would begin issuing stablecoins, raising the issue of how the traditional banking industry might deal with the security and regulatory concerns of dealing in cryptocurrencies.
New York Community Bank, based in Westbury, New York, announced it would be the first U.S. banking institution to begin minting stablecoins, despite the fact that the Biden administration and Congress have been trumpeting strict regulation on this and other forms of cryptocurrency. Clark Frogley, Americas head of financial crime solutions at Quantexa, a data and analytics software company, said: “This is the kind of action we will begin to see more and more happening in the coming year. Some large banks around the world were looking to do this as early as three years ago, so definitely a move that has been anticipated.”
Stablecoins are linked to the U.S. dollar, a digital asset meant to offset cryptocurrency volatility, making stablecoins more acceptable to the mainstream banking industry and its customers.
“The payments landscape is ripe for disruption — but of both a commercial and regulatory variety,” said Brock Dahl, Head of U.S. Fintech & Counsel at Freshfields. “The federal government clearly signaled its growing concern with the expanding market power of stablecoin offerings in the White House’s recent working group report on the matter. Solutions aligned with traditional intermediaries will look most palatable to regulators, but time will tell just how much innovation the government will permit.”
Indeed, a government report issued last month on stablecoins recommended that Congress legislate oversight of stablecoins, in the interest of making them more widely accepted. The stablecoin market has grown more than tenfold in the past year from a market cap of $20 billion last year to more than $137 billion in November 2021, according to a report from Morgan Stanley. And given the recent attacks on cryptocurrency, there is reason to be concerned for the security of this approach.
Stablecoins face same risks as other cryptocurrency, experts say
Max Galka, founder and CEO of Elementus, a blockchain search engine, pointed out that the smartest blockchain companies in the world routinely get hacked and have vulnerabilities exploited. “But I think what makes this different for financial institutions [compared with] blockchain companies is that this is not their traditional domain of expertise,” Galka said.
“It’s not the kind of risk that banks are used to facing, and the risk to them is higher because there’s more at stake,” Galka added. “Most of the crypto companies that are working on stablecoins don't have the same kind of large legacy business at stake where if there is some kind of vulnerability, people lose faith in the institution.”
Andrew Howard, CEO of Kudelski Security, believed the risks of stablecoins are similar to other blockchain currencies.
“The difference is in the guaranteed backing of specific currencies. This means the additional risks introduced are more aligned to corporate financial institutions’ accounts, such as fraud, theft, and other loss of funds scenarios,” Howard said. “Also, this naturally introduces centralization to a decentralized financial model, which has its own issues.”
Howard said he does not see minting stablecoins as a big trend at U.S. financial institutions, “although a few more may enter the market.”
Travis Hoyt, chief technology officer at NetSPI, who has previously led security programs Bank of America and TIAA, said he sees the potential security flaws in stablecoins as there might be in any new technology.
"A distributed ledger that employs smart contract functionality and is accessible by the public comes with the risk of abusing those platforms and the smart contracts that run on them,” Hoyt said, adding that in the past year, there have been a few notable examples of these security risks in Decentralized Autonomous Organizations (DAOs) being hacked, causing a wide group of individuals and institutions to be impacted, including financial services institutions and retail investors.
Sean Tierney, Constella’s vice president of threat Intelligence, pointed out that stablecoin inherits many of the “same cybersecurity risks and challenges faced by financial intuitions, cryptocurrency exchanges, and e-commerce. These can include attacks against the institution such as denial of service, various forms of fraud and attacks on customers or end user, as well as cyberattacks against the firms such those which have impacted SWIFT banking network and several cryptocurrency exchanges.”
“However, they should also presume blockchain implementations as a whole, along with their particular implementation and platform will garner increasing attention from those who would find and exploit weakness for profit or other gain," Tierney added. “The mitigations will involve continued defense and in-depth, good security hygiene and practices."
"It is highly likely we’ll see growing involvement from FSIs, including minting their own coins, as they learn to legally operate with existing and emerging regulation,” Tierney said.
As Hoyt noted that with any blockchain, the security of that chain depends on the strength of its decentralization. For example, with Providence Blockchain, there are 21 validators — which would universally be considered a very small population — while this doesn’t imply the blockchain would be suspect, those in the cryptocurrency space should be cautious of cybersecurity threats.
“On the flip side, having a relatively small group of validators could enable reversal of transactions if something negative occurs. When looking at potential security risks, there would need to be an exit mechanism for threat actors to cause real harm," Hoyt said, adding that since there are currently no cross-chain capabilities or accessible fiat exits available, threat actors would have no means to extract any value from the chain, making the possibility for exploitation minimal.
“However, this does not mean that they couldn’t disrupt the chain itself in a destructive manner, which could still cause damage," said Hoyt.
[post_title] => SC Media: As New York bank begins minting stablecoins, security concerns ensue [post_excerpt] => On December 13, 2021, NetSPI Chief Technology Officer Travis Hoyt was featured in an article written by Karen Hoffman for SC Media. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => sc-media-new-york-bank-stablecoin-security-concerns [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:11:01 [post_modified_gmt] => 2023-01-23 21:11:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26976 [menu_order] => 328 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [17] => WP_Post Object ( [ID] => 26888 [post_author] => 85 [post_date] => 2021-12-08 08:15:00 [post_date_gmt] => 2021-12-08 14:15:00 [post_content] =>On December 8, 2021, NetSPI Chief Technology Officer Travis Hoyt was featured in an article written by the Forbes Technology Council. Read the full article below or online here.
+ + +
A move to the cloud comes with multiple cost and productivity benefits for companies, including outsourcing hardware maintenance, the ability to quickly expand and easy access to the latest software. But while the cloud offers convenience, it can also add to a company’s cybersecurity risks. A significant cyberattack on a cloud provider can trickle down and affect all of that provider’s clients.
It’s important that both cloud providers and the companies who purchase their services stay up to date on the latest and most effective cybersecurity solutions for protecting essential assets in the cloud. Below, 16 industry experts from Forbes Technology Council share new and trending cybersecurity paradigms that companies must consider to best protect their sensitive data in the cloud.
1. Quantum Computing
Ransomware extortion impacts every industry. There are a lot of solutions being used to thwart cybersecurity threats, but one of the most promising solutions is quantum computing. There are still questions about quantum’s viability—particularly around its deployment and high costs—but in the long term, it may prove to be the most effective way to combat cyberattacks and protect user data. - Jason Jantz, ReadyMode
2. A Focus On Access Management And Segmented Environments
Consider automated posture management and strong remediation requirements with a heavy focus on identity access management, including application programming interface keys. Segment your environments at the account/subscription level instead of just at the virtual private cloud level to create hard barriers between your assets, and use focused VPC-to-VPC connections to reduce the potential blast radius. - Travis Hoyt, NetSPI
3. Cloud-Based File Sharing
The debate about cloud security frequently overlooks a common surface of unauthorized data exposure: email. Emailing data, especially to a person outside of your organization, is typically less secure than using a cloud-based file-sharing app. Yet when cloud apps are blocked, an unintended consequence is that users default to email to share sensitive data, thereby creating greater security risks. - Edmund Zagorin, Bid Ops
4. Least-Privilege Policies
Identities are the foundation of cloud security, since the only perimeter between applications and data is a user login. Therefore, companies need to proactively manage identities, including permissions and entitlements. Enforcing least privilege, in which human and machine identities only have access to the resources they need to perform their business functions, is a must in the cloud. - Shai Morag, Ermetic
5. Reviews Of Vendor Cybersecurity Risk Management Protocols
Given the prevalence of supply chain hacks that impact multiple clients, companies implementing cloud services need to request and review their key communications providers’ and internet service providers’ cybersecurity risk management protocols to ensure potential vulnerabilities don’t turn into exposures. - Michael Gurau, Altman Solon
6. Added-Value Email Security Layers
If not done correctly, cloud migration can impart major risks to organizations. With over 90% of malware transmitted over the cloud via email, businesses need to start focusing more on dynamic and added-value email security layers. Only through building a comprehensive blend of new and old systems can you ensure some level of protection. - Oren Eytan, odix
7. Insurance To Cover Ransomware Costs
I was recently part of a meeting regarding a cloud storage company that was hacked. The company could not afford the ransom cost, and all its clients were impacted. The cloud company did not have enough insurance, so leadership determined it was best to just shut the doors. The company had six data centers and 42,000 users. Review your insurance policies to be ready for the worst-case scenario! - Nick Damoulakis, Orases
8. Identity Orchestration
With multiple clouds, data and account passwords have become distributed across many users, who access numerous apps that run across different clouds. This creates a massive attack surface. Passwords are the weak link in the security chain. The ideal solution is to authenticate users without the dependency on passwords. Use identity orchestration to roll out multifactor authentication for your apps without rewriting them. - Eric Olden, Strata Identity
9. Encrypted And Tokenized Data
First, protect data natively rather than relying on old-school (on-premises) perimeter/environment security paradigms, which are haphazardly adapted for the cloud. For sensitive or personal data, encrypt at rest and tokenize when the payload doesn’t need to be known for the process to work. The old behavioral issue of using copies of real data for systems testing must be replaced by the use of synthetic data. - Simone Steel, Nationwide Building Society
10. Multilayered User-Activity Monitoring
Most security risks associated with the cloud have to do with data and access breaches. A lot of cloud service providers have adequate security measures in place. However, it is ultimately up to client companies to install a multilayered method for monitoring user activity. This may include multifactor authentication, data-at-rest encryption and/or a perimeter firewall. - Ondrej Krehel, LIFARS LLC
11. Transformation Of Data To Ciphertext
In a word, the answer is “encryption.” Strong encryption transforms your data into ciphertext, ensuring that any lost data remains unreadable and meaningless to others. This protects you from unauthorized access, data breaches, data exposures, government legislative access provisions and, potentially, even the requirement to provide notifications under various privacy breach regulations such as GDPR. Only you hold the key. - Leonard Kleinman, Palo Alto Networks
12. A Focus On Internal Security
Experts position infrastructure as a service and platform as a service as more secure than any self-managed, organization-owned data center could be, but they fail to mention the shared security model that is inherent in these services. The provider owns some responsibility for security, but not all. You must consider how your internal security team will own and enforce security across applications, workloads and containers in the cloud. - Ian McShane, Arctic Wolf
13. Enhanced Identity Access Management
In eDiscovery, there is no new security paradigm; there are only best practices and proven tools. The approach to risk management changes in the cloud. The single-sign-on portal is the gateway to the data and resources bad actors want. This makes identity access management a top priority. Control your identities, and you can reduce your cybersecurity risks. - Jordan McQuown, George Jon
14. Behavior Monitoring Through Machine Learning
In some organizations, cloud credentials might be outside the scope of internal network security policies and controls. Using machine learning, security teams can distinguish between normal and abnormal behavior. They can easily and immediately discover who is using cloud resources to upload sensitive corporate information or illicitly access cloud applications and revoke their credentials. - Stephen Moore, Exabeam
15. Privacy-Enhancing Technologies
Tech companies should consider privacy-enhancing technologies, which deliver advanced cyber resilience and allow the sharing of data while protecting security and privacy. Given the increased shift to cloud storage, the relevance of PETs will grow in the future since they satisfy legal and regulatory mandates and prevent malicious attacks on sensitive data. - Roman Taranov, Ruby Labs
16. Zero Trust
Migrating to a cloud-based infrastructure means adopting a zero-trust cybersecurity policy. It requires more frequent testing, clearer segmentation and better transparency in a company’s infrastructure. The importance of ID authentication and authorized access to detailed data also increases, especially among company employees, and zero trust also considers the need to limit access to third parties. - Robert Strzelecki, TenderHut
[post_title] => 16 cybersecurity solutions for protecting sensitive data in the cloud [post_excerpt] => On December 8, 2021, NetSPI Chief Technology Officer Travis Hoyt was featured in an article written by the Forbes Technology Council. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cybersecurity-solutions-for-protecting-sensitive-cloud-data [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:21:51 [post_modified_gmt] => 2023-08-22 14:21:51 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26888 [menu_order] => 334 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [18] => WP_Post Object ( [ID] => 26665 [post_author] => 53 [post_date] => 2021-11-12 12:30:08 [post_date_gmt] => 2021-11-12 18:30:08 [post_content] =>What’s next for enterprise security professionals? No one can know for certain, but NetSPI’s expert bench of security pros – pulling from their decades of cybersecurity leadership and daily conversations with some of the world’s most prominent organizations – have a few ideas as to where the industry is headed.
Watch our 2022 cybersecurity predictions webinar, where our panel will tackle some of the most debated topics of the past 365 days and predict how each will evolve in the new year and beyond. Topics include:
- The cybersecurity hiring crisis
- Application security program maturity
- Attack surface management
- The evolution of ransomware
- Cybersecurity budget allocation
- And next generation architectures (see: blockchain)
[wonderplugin_video iframe="https://youtu.be/rLcwnJAO5Qo" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]
[post_title] => 2022 Cybersecurity Predictions:What to Expect in the New Year [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => 2022-cybersecurity-predictions-what-to-expect-in-the-new-year [to_ping] => [pinged] => [post_modified] => 2023-06-22 20:39:36 [post_modified_gmt] => 2023-06-23 01:39:36 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=26665 [menu_order] => 51 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [19] => WP_Post Object ( [ID] => 26580 [post_author] => 85 [post_date] => 2021-10-26 07:00:00 [post_date_gmt] => 2021-10-26 12:00:00 [post_content] =>
It’s no coincidence that Halloween and Cybersecurity Awareness Month are both observed in October. Just as monsters, ghosts, and witches wreak havoc in our favorite Halloween movies, cyber adversaries haunt organizations across the globe with their increasingly sophisticated attack tactics.
There are three cybersecurity threats that, in my opinion, are the most frightening of them all: ransomware, work from home attacks, and software as a service (SaaS). Have no fear, not only will this article reveal the spookiest threats, but I’ll also share tips and best practices for prevention – no spell book required!
Beware of ransomware
Paying a ransom has no guarantees. On average, only 65% of encrypted data was restored after a ransom was paid, according to the Sophos State of Ransomware 2021.
By now, we can all generally define ransomware. It’s making national headlines due to its widespread impact in both the cyber and physical world. One of the more frightening aspects of ransomware is the uncertainty of the attack, specifically the varying attacker motivations.
Killware is an emerging ransomware threat in which the motivation is to impact critical infrastructure with the intent to do harm. In the case of Killware, they are not after money. It’s ransomware with no decryption keys. They want you to be down and stay down. For more, this USA Today article explains possible Killware scenarios and motivations.
It’s also a fluid and uncertain legislative and regulatory space. As it becomes more challenging to recover from a ransomware attack, payment is often the fastest way to get back to business. So, what happens if ransom payments become illegal?
Ransomware attack outcomes can also vary significantly. For example, just because you pay, doesn’t mean you will get the decryption keys or access to all your data. Often, ransomware families blackmail organizations with stolen data to increase their financial gain.
Ransom payments also fluctuate. Just this year it was reported that CNA Financial paid $40 million in ransom. And Palo Alto Networks found that the average ransomware payment climbed 82% since 2020 to a record-high $570,000 in the first half of 2021.
Ransomware is a financial loss event and should be treated as such. It’s no longer the sole responsibility of cybersecurity and technology teams, finance, and others responsible for managing business and financial risk have a critical role to play.
Ransomware simulation assessments can remove some of the uncertainty surrounding these adversarial attacks. An attack simulation can benchmark how well an organization is positioned to detect, prevent, and defend against ransomware. Are your controls sufficient? Are your response teams effective? If there is a detection or response failure… can you recover? These are questions NetSPI’s Ransomware Attack Simulation service and AttackSim technology platform can help address.
Haunted by work from home attacks
Nearly 80% of IT and security leaders believe their organizations lack sufficient protection against cyberattacks despite increased IT security investments made to deal with distributed IT and work-from-home challenges, according to a survey from IDG Research Services and Insight Enterprises.
The percentage of people in the U.S. working from home doubled between 2019 and 2020, according to the U.S. Bureau of Labor Statistics American Time Use Survey. Now more than ever, organizations are embracing flexible work environments and, with that, comes employees connecting to external WiFi networks.
Consider this: Each employee device is an extension of your corporate network. The workstation itself is provisioned and managed by IT, but beyond that, they do not have control over these devices. Home networks are a black box, even more so if you use a router supplied by your internet provider. More concerning are the uncontrolled connections (coffee shops, hotels, family member’s homes, etc.) that can serve as another entry point for an attacker to access the device.
Another factor to consider is the management of personal devices. Through the pandemic, we’ve seen a shift away from office phones and often people use their personal cellphones to manage their work. It’s the lack of control organizations have over these devices that is the most frightening.
The shift to work from home ultimately broadens an organization’s attack surface. But that is the reality of our workforce today. Remote work is here to stay in some capacity and infosec teams are tasked with creating security tactics and policies to ensure business continuity and productivity… simultaneously.
To address work from home security challenges a focus on endpoint security is critical, particularly for devices not inside the ‘walled garden’ of your corporate network. Network penetration testing can help you identify the right level of protection and telemetry for your endpoint controls.
I also anticipate technology innovation in the attack surface management space to help infosec professionals tackle the many challenges that accompany a remote workforce: asset management, shadow IT, bring your own device (BYOD), and more.
Software as a Service (SaaS) in the shadows
1 out of 3 employees at Fortune 1000 companies regularly use SaaS apps that haven’t been explicitly approved by internal IT departments, according to IBM.
Add to that the fact that organizations use an average of 110 SaaS applications, according to the 2021 State of SaaSOps report, and there’s a real issue with SaaS visibility and security. The adoption SaaS platforms has increased given its ability to enable remote work, create workflow efficiencies, and collaborate (see: Zoom, Slack, Teams, Wrike).
SaaS adoption requires you to examine the security of your extended attack surface, but its footprint doesn’t receive the same level of shared responsibility as infrastructure as a service (IaaS) or cloud environments. We put a lot of trust into the security of SaaS providers today, however, these applications present many interesting security challenges.
Most people connect direct from a managed device to the SaaS platform without going through a secure corporate network, which creates authentication and identity and access management (IAM) challenges. For example, are you requiring SSO or multi-factor authentication for SaaS platforms? How do you ensure authentication best practices for SaaS applications outside the corporate network?
SaaS platforms are a critical component of our workflow today and contain troves of sensitive data. With the rapid adoption of SaaS applications today, it is important for security teams to align and communicate SaaS security policies within their organizations and ensure secure configuration of SaaS platforms. To strengthen security, SaaS security posture management is key.
Defined by Gartner in the Hype Cycle for Cloud Security, SaaS security posture management (SSPM) is “tools and automation that can continuously assess the security risk and manage SaaS application security posture.” This could include continuous monitoring and alerts, configuration review, comparison against industry frameworks, and more.
For a detailed conversation on SaaS posture management, CEO and Co-Founder at Adaptive Shield Maor Bin joins us on the Agent of Influence cybersecurity podcast next month. Tune in!
[post_title] => 3 Frightening Cybersecurity Threats Lurking this Halloween [post_excerpt] => Ransomware, work from home, and SaaS – eek! We reveal the 3 scariest cybersecurity threats and share best practices for prevention. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => spookiest-cybersecurity-threats-lurking-halloween [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:48 [post_modified_gmt] => 2022-12-16 16:51:48 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26580 [menu_order] => 357 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [20] => WP_Post Object ( [ID] => 19243 [post_author] => 85 [post_date] => 2020-07-14 07:00:29 [post_date_gmt] => 2020-07-14 07:00:29 [post_content] =>$8.19 million. That’s the average loss U.S. organizations face each year due to the damages of cyber security attacks, according to a Ponemon Institute study. More worrisome is the fact that the average time it took to identify and contain a breach was 279 days, a number that is growing. Cyber security and IT teams continue to feel unprepared in the event of a breach and struggle to keep pace with the ever-evolving threat landscape. Maintaining an always-on mentality, prioritizing vulnerability testing to faster remediation, and understanding the implications of an alert in an organization’s asset management platform are key to staying ahead. But in the long-term, also having a deep contextual knowledge of business operations as a whole should be considered fundamental to preparing and defending against escalating threats.
In 1989, Robert Morris created what has been widely acknowledged as the first computer threat, which spread so aggressively and quickly that it succeeded in closing down much of the internet. While the Morris Worm was the impetus to putting in place coordinated systems and incident teams to deal with cyberattacks, it wasn’t until the Target breach in 2013, in which information from 40 million credit and debit cards were stolen, that leaders in corporations began to fully understand that all levels of an organization must understand the potential threat of breaches and that ad hoc support of cyber security initiatives was no longer sufficient. Rather, all-encompassing programs of prevention, monitoring, and remediation must be in place.
Bringing Context to Incident Response
Incident response teams today must have full knowledge of the ecosystem and what systems need protecting (and the data residing within) to have a more comprehensive approach to protecting their organizations from cyber security threats. They can do so by adding context to incident response. Currently, if there is a threat event that occurs, the analyst has to synthesize the environment that they’re trying to defend before action can take place. But if they don’t have the contextual knowledge of their organization—what application supports what infrastructure, which impacts what business process and value stream—then that incident responder is already behind.
Security teams should understand what they are reacting to, how to recreate the view and immediately understand the ecosystem they are trying to protect so they can act on it right away rather than reverse engineer the situation, which it may be too late to do anyway. In that case, the threat actor may be able to move faster than the incident responder. Easily said, but as apps are starting to be decomposed, the ecosystem is becoming even more distributed, making the context even harder for incident response managers to understand. With more and more application security and applications offered in containers, in the cloud (or cloud native), or offered serverless and through functions-as-a service-platforms, incident responders are now in a position in which they need to understand the contextual challenge of the threats. It is critical that incident responders understand what type of threat they are responding to and what it is they are trying to protect in the larger business sense. Helping to create context is going to be an emerging challenge that needs to be addressed by the industry and community in the future.
Creating Better Asset Management Platforms to Improve Incident Response
When creating asset management platforms, I recommend that CISOs work with their team to base that development on context around the business and the technology. When the platform isn’t so rigidly defined in the context of an application, we start to make connections with the infrastructure to the business processes and the value streams. And it is then that you can truly start to be a counselor to senior leadership and articulate the business impact of any given threat. Through contextualization, you’ll immediately know when you have the asset data and the association, and whether it is of lesser importance (and you don’t need to wake up the CEO!). Or vice versa, when there is a high-fidelity threat that is hitting your flagship application that is behind the capabilities of the entire business process. That is when it will warrant executive leadership attention, but now you will be in a position to also provide solutions to remediation.
Some areas I’ve explored while developing asset management platforms revolve around visualization. I’m looking at the integration between logging and monitoring capabilities and the data they generate through asset management tools, but also other solutions like cloud and container monitoring platforms and the telemetry they provide. Then I’m looking at the visualization tools that are out there that can create these views. Picture this asset management platform chronology:
- Data comes up through logging and monitoring capability
- Incident Responder quickly determines it is a problem
- Through the functionality of the asset management platform, the backends stitches together all that data and pulls up a visualization tool that is able to map the internal environment or/cloud environment that shows the team that this alert is associated with a particular container, which is a part of a particular ecosystem/value stream that is talking to these specific databases
- Incident Responders quickly react to visual cues, improved through real-time contextual awareness, so they can more quickly appreciate the danger and immediately take on real action to thwart the threat
That is a future state that positions incident responders as a force to be reckoned with against the ever-evolving threat landscape.
Improving Your Standing in Incident Response
In addition to investing in understanding the context of your incident response plans, I offer the following advice to improve incident responders’ professional standing:
- Become Invaluable as Subject Matter Experts—Understand the ecosystem of your organization, the context in which threats may occur and the consequences on the business values streams so you can quickly synthesize the information to give the broader team – even the C-Suite – insights and counsel.
- Always Remain Curious, Even Suspicious—Have your radar always on so that, for example, if a new threat comes out, which may or may not even impact your environment but may be within your vertical market, you can preemptively guard against them.
- Understand the Threat and its Potential Impact—Be readily able to ascertain if there is a concern in your environment through volume metrics (i.e., how much of that problem do we have?) and through risk quantification (i.e., threat W is against X so not a concern, but threat Y is against Z so it is a big concern).
Conclusion
There is real opportunity to improve real-time contextual awareness so incident responders can more quickly appreciate what they have so they can immediately action on it rather than waste time in making inferences about the environment. To be sure, incident response plans are ever evolving, and some plans are undoubtedly better than others. It boils down to whether the incident responders are executing on the plan and have an appropriate contextual appreciation of the environment, the ecosystem, the business value streams and the stakeholders involved to get the right people to the table to best defend against adversaries.
[post_title] => Focus on Context to Improve Your Incident Response Plan [post_excerpt] => $8.19 million. That’s the average loss U.S. organizations face each year due to the damages of cyber security attacks, according to a Ponemon Institute study. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => focus-on-context-to-improve-your-incident-response-plan [to_ping] => [pinged] => [post_modified] => 2021-04-14 00:52:44 [post_modified_gmt] => 2021-04-14 00:52:44 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=19243 [menu_order] => 488 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) ) [post_count] => 21 [current_post] => -1 [before_loop] => 1 [in_the_loop] => [post] => WP_Post Object ( [ID] => 28634 [post_author] => 85 [post_date] => 2022-10-10 09:00:00 [post_date_gmt] => 2022-10-10 14:00:00 [post_content] =>On October 10, NetSPI CTO Travis Hoyt was featured in the CoinTrust article called NetSPI Unveils Blockchain Penetration Trial Services for Enterprises. Read the preview below or view it online.
+++
NetSPI, the pioneer in corporate penetration testing and attack surface management, has introduced a new blockchain penetration testing solution that includes deployment. The business will give organizations with a complete, full-spectrum review of blockchain-based installations using its decades of penetration testing experience and knowledge of the architecture’s specific security problems.
Its blockchain penetration testing services will assess all deployment types, including private, permissioned, consortium, and public, as well as several distributed ledger technologies, such as ConsenSys Codefi, R3 Corda, Hyperledger Fabric, custodial platforms, and public chains, among others.
According to the Forbes Blockchain 50 2022, “Blockchain’s most significant advances remain concealed.” The world’s top corporations are increasingly using distributed ledger technology to conduct everyday operations, including the verification of insurance claims and the monitoring of car components across the supply chain. Organizations are becoming aware of its scalability, competitive benefits, and income prospects.
“As usage skyrockets, technology and security teams will need to rapidly grow their blockchain expertise to enable and secure these solutions – this starts with identifying and solving people, process, and technology gaps,” said NetSPI’s Chief Technology Officer, Travis Hoyt. Our new blockchain penetration testing service line reflects NetSPI’s unwavering commitment to the future, allowing our clients to do the same.
Enterprises who are actively using blockchain or exploring its possibilities may join with NetSPI to increase the security of their installations. For more information about NetSPI’s blockchain penetration testing services, please visit www.netspi.com or get in touch with us.
You can read the full article at CoinTrust!
[post_title] => CoinTrust: NetSPI Unveils Blockchain Penetration Trial Services for Enterprises [post_excerpt] => On October 10, NetSPI CTO Travis Hoyt was featured in the CoinTrust article called NetSPI Unveils Blockchain Penetration Trial Services for Enterprises. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cointrust-netspi-unveils-blockchain-penetration-trial-services-for-enterprises [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:07 [post_modified_gmt] => 2023-01-23 21:10:07 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28634 [menu_order] => 194 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [comment_count] => 0 [current_comment] => -1 [found_posts] => 21 [max_num_pages] => 0 [max_num_comment_pages] => 0 [is_single] => [is_preview] => [is_page] => [is_archive] => [is_date] => [is_year] => [is_month] => [is_day] => [is_time] => [is_author] => [is_category] => [is_tag] => [is_tax] => [is_search] => [is_feed] => [is_comment_feed] => [is_trackback] => [is_home] => 1 [is_privacy_policy] => [is_404] => [is_embed] => [is_paged] => [is_admin] => [is_attachment] => [is_singular] => [is_robots] => [is_favicon] => [is_posts_page] => [is_post_type_archive] => [query_vars_hash:WP_Query:private] => 7ac1dbff9506aba22bdf2e1e7cf298c7 [query_vars_changed:WP_Query:private] => [thumbnails_cached] => [allow_query_attachment_by_filename:protected] => [stopwords:WP_Query:private] => [compat_fields:WP_Query:private] => Array ( [0] => query_vars_hash [1] => query_vars_changed ) [compat_methods:WP_Query:private] => Array ( [0] => init_query_flags [1] => parse_tax_query ) )