Veracode CEO Sam King says that security can't be successful, and in fact will become a blocker, if it operates in a silo. She recently sat down for a fireside chat with Mahi Dontamsetti, State Street CTRO, and Jim Routh, MassMutual CISO, to share her thoughts and observations on communicating about security to the Board and the overall connection between the security function and business functions.
She notes that even though there are often designated technical experts on the Board, there is now an increased awareness around cybersecurity, even among the traditionally business-oriented members. So, it's important to tailor messages to the business functions so that they too can understand the organization's risk posture. This doesn't mean that you should try to make everyone on the Board a cybersecurity expert, but King remarks that there should be a "baseline knowledge that all Board members have around cybersecurity."
Mahi Dontamsetti agrees with King that cybersecurity should be communicated to all members of the Board in an easy-to-understand manner. Dontamsetti goes on to say that sometimes it's the non-technical experts who ask the best questions or have important insights into cybersecurity. They're sometimes able to fill in the "known unknowns."
Jim Routh adds that Board members are actively seeking out cybersecurity knowledge. "Board members today go to classes to improve their skill through NACD or other associations," he said. "They're re-skilling and retooling themselves at a pretty significant pace, so that will give us more Board members with cybersecurity expertise."
Routh also mentions the importance of level setting cybersecurity expectations with the Board. It shouldn't be about eliminating all cybersecurity incidents because that's unrealistic. The goal should be to "recover quickly when you have security incidents and minimize the business impact." And the whole organization needs to work toward that goal. "Every enterprise at any level of maturity today has to recognize that incident response for cybersecurity has to be a fabric for the entire enterprise. It's not just a siloed function in IT or in cybersecurity."
How can you ensure that cybersecurity isn't siloed? Routh recommends identifying your top 10 cybersecurity risks and making sure that they are well known throughout the company, especially with senior leaders. Resources should be allocated to the top 10 risks, and projects and initiatives around those risks should be prioritized.
Not only should you come up with your top 10 cybersecurity risks, but it's also worth identifying your top 10 business strategies. King makes the point that "when you're looking at the top 10 of your business strategies as a company, regardless of whether you're a cybersecurity company like Veracode or you're a financial services company, or whatever industry you're in, cybersecurity has to be in that top 10." By making cybersecurity a top 10 business strategy, you ensure that executives and senior leaders are prioritizing risk mitigation strategies and, hopefully, integrating the strategies company-wide.
If cybersecurity is siloed, departments may try to ignore security best practices for the sake of speed. King remarks that without cybersecurity integration, you may hear a lot of, "We're super excited about this project, but once we go to the security person there's going to be all of these different things that we have to be concerned about. And, will we be able to get it done or not?"
But cybersecurity integration doesn't have to slow down processes. If you start a project with security best practices in mind from the very beginning, you avoid the time-consuming and expensive rework that comes from bolting security on at the end.
And how about obtaining cybersecurity resources and budget? Well, King explains that if cybersecurity is one of your top 10 business strategies, there won't be arguments as to whether or not cybersecurity initiatives should be funded. Cybersecurity won't be "taking money" from a different initiative if it was already determined that cybersecurity is a priority.
To learn more about communicating cybersecurity to the Board, or for tips on integrating cybersecurity best practices throughout your organization, check out the full webinar, Driving the Cybersecurity Agenda with the C-Suite and Boards.
In today’s rapidly evolving cybersecurity landscape, the battle for privacy and security is relentless. Cybercriminals are masters at using technology and psychology to exploit basic human trust and compromise businesses of all sizes. What’s more, they often hide in plain sight, using both covert and overt tactics to cause disruption, steal money and data, and wreak havoc with MSPs and SMBs.
While cybersecurity advice is often focused on technology like endpoint protection, firewalls and anti-virus, it’s important to remember that behind every breach is a human. Knowing who they are and why they target your business is essential to remaining cyber resilient.
As we mentioned in a previous blog, hackers come in many forms, but their methods can generally be classified into three distinct types of cybercriminals:
- The Impersonator – Hackers that pretend to be others, often using social engineering and human psychology to trick users.
- The Opportunist – Hackers that exploit public events and socio-political crises for disruption or personal gain.
- The Infiltrator – Hackers that target specific organizations and work to breach systems using a variety of tools and tactics.
Each one has their own methods and protecting against them requires a multi-layered approach. Let’s look at a few primary examples.
Who is the Impersonator?
An impersonation attack recently made headlines with the 2020 Twitter/Bitcoin scam, in which 130 high-profile Twitter accounts were compromised by outside parties to steal bitcoin. The perpetrators gained access to Twitter's administrative tools in order to pose as legitimate CEOs and celebrities to trick users into sending bitcoin with the promise of doubling their investment. Unfortunately, attacks like this work, and the hackers received $121,000 that was never paid back. This is a scam that's been around for years and, since no one can reverse a cryptocurrency transaction, it's very likely here to stay.
This type of cybercriminal manipulates victims into opening doors to systems or unwittingly sharing sensitive information by pretending to be someone you would inherently trust. The most notable attack is the “Nigerian prince” email scam, also known as “foreign money exchange” scams. These typically start with an email from someone overseas claiming to be royalty, offering to share a financial opportunity in exchange for your bank account number. Nowadays, you’re more likely to receive an email from your boss’ boss asking for gift cards or money, but these scams are still active in many forms, as the Twitter attack shows.
Impersonators are known to use phishing, Business Email Compromise (BEC) and domain spoofing to lure victims, and they're always looking for new ways to innovate. In fact, our 2020 Threat Report found that impersonators are now imitating legitimate business websites to release malicious payloads or steal data, and a shocking 27% of phishing sites use HTTPS to trick the user into clicking phishing links, which makes these attacks even more dangerous. It's easy to assume an official-looking website with an HTTPS address is safe, but the padlock only proves that the connection is encrypted to whoever controls that domain name, not that the domain is the one you meant to visit, and obtaining a TLS certificate for a lookalike domain is trivial now. Hackers use such HTTPS sites to host the landing pages behind phishing emails and BEC scams. This is why a multi-layered approach that can block phishing sites (including HTTPS) in real time is key for staying safe.
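The domain-spoofing point above, as an added example that is not Webroot's code: a small Python check that flags a sender domain which impersonates one of a constructed allowlist of trusted domains through homoglyphs, Unicode confusables, near-miss spellings or an embedded brand name. The trusted domains, the homoglyph table and the sample senders are assumptions made for illustration; a production check would derive the registrable domain from the Public Suffix List and use a fuller confusables table. A valid certificate on the lookalike domain would not change any of these verdicts, because TLS authenticates the domain you connected to, not whether it is the domain you intended.

```python
"""Lookalike sender-domain check.

Added example (not Webroot's code). Flags e-mail sender domains that
impersonate a constructed allowlist of trusted domains through
homoglyphs, Unicode confusables, near-miss spellings or extra tokens.
All domains below are assumptions made for illustration.
"""
import unicodedata

# Constructed allowlist: the domains this organisation actually trusts.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}

# Visual substitutions seen in lookalike registrations (subset, assumed).
# Multi-character entries are folded before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

# Maximum edit distance between second-level labels to call a near miss.
MAX_EDITS = 2


def fold(domain: str) -> str:
    """Lower-case, drop non-ASCII confusables, fold ASCII homoglyphs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()  # Cyrillic/Greek lookalikes vanish
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels. Simplification: real code uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(sender_domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain."""
    reg = registrable(sender_domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    folded = fold(reg)
    for trusted in TRUSTED_DOMAINS:
        t_folded = fold(trusted)
        if folded == t_folded:
            return "lookalike"  # differs only by homoglyphs/confusables
        sld, t_sld = folded.split(".")[0], t_folded.split(".")[0]
        if levenshtein(sld, t_sld) <= MAX_EDITS:
            return "lookalike"  # typo-squat: exampel.com, examplle.com
        if t_sld in sld:
            return "lookalike"  # brand embedded: example-secure-login.com
    return "unrelated"


def classify_sender(address: str) -> str:
    """Convenience wrapper for a full From: address."""
    return classify(address.rsplit("@", 1)[-1])


if __name__ == "__main__":
    # Constructed sample senders, not real mail.
    for addr in ("ceo@mail.example.com", "ceo@examp1e.com", "ceo@exarnple.com",
                 "ceo@ex\u0430mple.com", "billing@example-secure.com",
                 "dev@github.com"):
        print(f"{addr:32} {classify_sender(addr)}")
```

Run it directly to see the verdict for each constructed sender; in a mail gateway the same `classify_sender` call would run on the `From:` and `Reply-To:` domains of inbound mail and any "lookalike" result would route the message for review rather than to the user's inbox.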
What Does the Opportunist Want?
While attacks of opportunity are nothing new, the tactics of the opportunist have gone to a new level with the recent coronavirus pandemic. According to our COVID-19 Clicks report, at least one in three people have fallen for a phishing email in the past year. This year has been all about the pandemic and the fear surrounding it. These phishing attempts often appear in the form of articles about the best ways to avoid coronavirus or links to documents that have lists of people with COVID-19 “in your area.” These documents will ask users to enable an embedded macro that then delivers malware, usually in the form of ransomware. Over 90% of malware campaigns used the pandemic in their initial phishing email this past year.
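The macro lure described above, as an added example that is not Webroot's code: a Python scanner that detects the VBA project inside an Office Open XML attachment before anyone is asked to "enable content". The part name (vbaProject.bin) and the macroEnabled content-type marker are what the OOXML format actually uses; the package it scans is constructed in memory, and the triage policy at the end is an assumption.

```python
"""Detect VBA macro containers in OOXML attachments.

Added example (not Webroot's code). A document that asks the user to
"enable content" carries its VBA project as a vbaProject.bin part inside
the OOXML zip package and advertises it through a macroEnabled content
type. This scanner reports both signals so a mail gateway or triage
script can quarantine the attachment before a user clicks. The sample
package below is constructed in memory and is not a real document.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE_MARKER = "macroenabled"
EXTENSIONS_THAT_SHOULD_NOT_CARRY_MACROS = {"docx", "xlsx", "pptx"}

_CT_PLAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_CT_MACRO = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip holding only the parts relevant to the check."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>'
                 % (_CT_MACRO if with_macro else _CT_PLAIN)]
    if with_macro:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                     'package/2006/content-types">' + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic plus filler; a real part holds the VBA streams.
            z.writestr("word/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def scan_ooxml(data: bytes) -> dict:
    """Return {'ooxml': bool, 'macro_parts': [names], 'macro_content_type': bool}."""
    result = {"ooxml": False, "macro_parts": [], "macro_content_type": False}
    if not data.startswith(b"PK\x03\x04"):
        # Legacy OLE .doc/.xls need an OLE parser (e.g. oletools); not handled here.
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["ooxml"] = "[Content_Types].xml" in names
            result["macro_parts"] = sorted(
                n for n in names if n.lower().endswith(MACRO_PART_SUFFIX))
            if result["ooxml"]:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
                result["macro_content_type"] = MACRO_CONTENT_TYPE_MARKER in ct
    except zipfile.BadZipFile:
        pass
    return result


def triage(filename: str, data: bytes) -> tuple:
    """Assumed gateway policy: (decision, reason)."""
    r = scan_ooxml(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_macros = bool(r["macro_parts"]) or r["macro_content_type"]
    if has_macros and ext in EXTENSIONS_THAT_SHOULD_NOT_CARRY_MACROS:
        return ("quarantine", "macro container behind a non-macro extension")
    if has_macros:
        return ("quarantine", "macro-enabled document from external sender")
    if r["ooxml"]:
        return ("allow", "OOXML without VBA project")
    return ("unknown", "not OOXML; route to OLE or other scanner")


if __name__ == "__main__":
    for name, flag in (("invoice.docm", True), ("invoice.docx", True),
                       ("report.docx", False)):
        print(name, triage(name, build_sample_package(flag)))
```

The scan is deliberately format-level rather than content-level: it does not try to judge what the macro does, only whether one is present, which is the cheap decision a gateway can make for every attachment from an external sender. Deobfuscating the VBA itself is a separate, heavier step.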
Opportunists wait for the right opportunity to strike, and just as impersonators take advantage of trust, opportunists also rely on trust and familiarity to deceive users into downloading malicious payloads. Unlike other hackers, however, they don’t have specific victims in mind. The opportunist capitalizes on urgency, fear and unpreparedness to catch as many victims in their net as possible.
As we point out in a popular Hacker Personas podcast, other opportunist attacks like those exploiting U.S. government stimulus payments are also on the rise. Business leaders in particular should watch out for these tactics, as phishing emails can compromise company devices. With the increase of remote workers using unsecured systems and personal devices to access corporate networks, all businesses are at risk from opportunists who bait remote employees.
How Do Infiltrators Breach Systems?
One of the best examples of an infiltration attack is the 2020 SolarWinds breach, in which a foreign state compromised the SolarWinds software supply chain to reach at least 18,000 government and private networks, including over 425 of the Fortune 500. Nation-state hackers used the SUNSPOT malware to insert the SUNBURST backdoor into software builds of the Orion platform, and, unbeknownst to SolarWinds developers, the backdoored build was released to customers as a normal update. Several significant US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were compromised. What's more, the fallout of this attack is still ongoing and we may never know the full damage.
The Infiltrator is the opposite of an opportunist in that they target specific victims and have a clear-cut approach to getting what they want. Rather than casting a wide net and hoping for the best, they usually know the system they want to infiltrate, and they use stealthy measures to breach systems, often coming away with a large payout in the form of a costly ransom to criminal enterprises or valuable intel to nation states.
What Steps Should MSPs and SMBs Take to Stay Cyber Resilient?
If knowing your enemy is the first step to protecting your business, the next step is to develop a strong cyber resilience posture that protects against their attacks. Part of that is understanding that cyberattacks are often a matter of “when, not if.” Even if you’re not the target of an infiltrator, for example, your business or employees may be the unknowing victims of an opportunist or impersonator.
Protecting your business includes:
- Implementing a multi-layered cybersecurity approach that includes complete endpoint protection, firewalls, real-time anti-phishing as well as Security Awareness Training
- Continuously educating and training employees, staff and customers to follow cybersecurity best practices and to stay up to date on cyberattack news
- Using a backup and recovery solution that can restore critical files after an attack and keep the business up and running during a crisis
To learn more about hacker personas and strategies to protect against their various attacks, check out our eBook, Hacker Personas: A Deeper Look Into Cybercrime. You can also follow our Hacker Files and Lockdown Lessons series that include a variety of guides, podcasts and webinars covering these topics and more.
The post Hacker Personas Explained: Know Your Enemy and Protect Your Business appeared first on Webroot Blog.
Since the COVID-19 pandemic drove workforces home, we’ve seen an increase in security risk across the board: from an increase in phishing and spear phishing attacks to an increase in reliance on third-party DNS-over-HTTPS resolver use and sophisticated nation-state attacks like the one that hit SolarWinds. The gap between what organizations are trying to protect against and where the threats are lurking continues to widen and threatens to overwhelm security teams. In response, I see …
The post Risky business: 3 timeless approaches to reduce security risk in 2021 appeared first on Help Net Security.
Image from page 84 of “The business of farming” (1914)
Image by Internet Archive Book Images
Title: The business of farming
Year: 1914 (1910s)
Authors: Smith, William Cadid, 1857-
Publisher: Cincinnati : Stewart & Kidd Company
Contributing Library: Cornell University Library
Digitizing Sponsor: MSN
Text Appearing Before Image:
es further comment in a special chapter, notwithstanding we have already said much about it and other menaces to the business of farming. We have shown how the whip and spur method of farming so long practiced in the United States, by which our soils have been subjected to the process of getting all you can out of them without the return of anything to maintain or increase fertility, has so exhausted vast areas of our soils that they no longer produce paying crops. Any soil that will not produce crops that more than pay for the cost of production, is a worn-out soil, and we must not be blind to the fact that they exist even to alarming proportions in every part and portion of our country, yea, in those portions that boast of their rich soils. We have shown that a greedy husbandry, a sordid tillage, lack of capital, deceptive theories like crop rotation, etc., have been producers of worn and worn-out soils. There are scores of farms in the abandoned farm districts of the East, a humid region where
Text Appearing After Image:
the rainfall is sufficient to insure perfect crop growth, capable of producing enough to feed millions of people that now lie like fallow soil, growing back into a wilderness as dense as the wilderness from which they were rescued centuries ago. These farms are set in landscapes beautiful beyond comparison, interspersed by perfect roads, watered by springs and streams of never failing sparkling pure water, much of which can be harnessed by dams and made to move the wheels that will manufacture the electricity to light the homes, ba