Cloud 9 Advisers - News #cyber risk

Under Constant Attack

Wed, 21 Jul 2021 14:59:22 -0500

Constant attacks require constant Security

We’re in an environment where our systems are constantly under attack. They're under attack from all sorts of diverse players who are trying to take advantage of the private proprietary information that is available.

Companies are really focused on compliance ensuring that they are protecting their business value from these types of attacks. Every executive has an obligation to ensure that they are compliant with security.

What are most companies doing for security?

Most companies only have basic firewall protection, your basic intrusion prevention (not necessarily intrusion detection), generally just hardware-based. A few others may do just a little more; they may conduct regular scans of their environment. This is really no different than your home having a basic lock and maybe a deadbolt. There is no alarm system like you might have in a home to see and be alerted when intrusions are happening. Being alerted of intrusion is critical in business so that more immediate actions can be taken. Often enough, attacks can be sly and stealthy. Recent studies show that malicious code is embedded on business systems for more than 250 days before it is ever used to promote an actual attack. The reason being so that attackers know their code is also well planted in several layers of business backups as well as active systems.

How have today’s complex attacks changed systems and the approach to security?

The attacks are becoming more sophisticated, automated, and voluminous, so we no longer have the time nor capability to react in a manual way. We actually have to have machine learning and other artificial intelligence technologies to adapt and scan the environment much more rapidly looking for these constant intrusions malicious code, and breeches. These technologies work in tandem with professional cybersecurity teams and Security Operations Centers (SOCs) to constantly manage, monitor, and alert. The trick with alerts is dramatically reducing false positives. Too many alerts are just as futile as too few.

How much does a cyber attack cost?

Recent US cyber crime studies show an average measurement of damage from a breach: a 46 day long average resolution at an average of $21k per day, plus regulatory fines, and major customer fallout. These attacks can be highly damaging to any business. Cyber insurance can only go so far and cover so much. Claims can also be denied for a host of often confusing reasons, leaving the business to fit the bill. These newer types of cyber insurance policies have many requirements and stipulations, and with a sense of irony, those requirements are very much cybersecurity technology many of which are security technology related.

About Cloud 9

Cloud 9 Advisers is a client-only, client-focused agency and consulting group offering vendor selection and management services to help you solve IT and general technology problems fast. We'll walk you through the identification, research, evaluation, and comparison process, provide board-ready documentation and due diligence, and provide oversight of solution implementation on any of our 250+ vendors, carriers, and service providers.

Our teams of vendor-neutral security focused engineers will help you slice through the marketing fluff and industry jargon so you know what you're buying. We'll help you make smart IT investments quickly and confidently. Reach out to us today!

Get Started Now

ALERT: SolarWinds & FireEye

Mon, 28 Dec 2020 12:23:55 -0500

Tips to protect yourself against the SolarWinds Breach

Are you concerned your business has been affected by the SolarWinds hack?

Unfortunately, Cyber Attacks don’t take time off to celebrate with family and friends. Due to the recent news about FireEye discovering the major SolarWinds hack we want to make sure you are equipped and prepared. Cloud 9 and our cybersecurity vendors are receiving numerous inquiries about the recent cyber-attacks on Solarwinds.

Most people have never heard of SolarWinds, which provides IT infrastructure management tools to hundreds of thousands of customers including government agencies, corporations, and nonprofit organizations. SolarWinds boasts of 300,000 global customers of whom include most of the S&P 500, hundreds of colleges and universities, and many of the country’s most important government agencies including the US State Department, Department of Commerce, US Treasury, Department of Homeland Security, and the National Institutes of Health to name a few.

News sources are saying this is the biggest cyber attack from a nation state in US history. Many are blaming a state-sponsored attack from Russia, some say the Russian group "Cozy Bear", still fewer have said that China may be involved. Even though the main target appears to be the US Government the threat goes much deeper giving the attackers administrative access to critical systems of potentially every SolarWinds customer. Because the attacks were targeted against a hugely popular and widely used IT infrastructure monitoring software the effects will be catastrophic to many commercial businesses around the globe.

"This is a huge problem for two major reasons: The attackers were able to gain access for a long period of time without being detected, and it will also take a long time for security experts to determine the extent of what's been compromised." - Business Insider

Here are just a few headlines from several news outlets about the breach:

If you are concerned you could be at risk, please reach out to Cloud 9 immediately. Our vendor-neutral cybersecurity experts will help to validate any concerns, plot the best course of action, and determine the ideal Risk Assessment and Security Assessment services and vendors for your organization. This will give you the ability to inspect all targeted areas within your environment for active malware and other vulnerabilities.

If you are experiencing questionable activity or are concerned in any way...

Describe the suspicious activity.
When did you first notice it?
Are you a SolarWinds customer?

If so, what have you done so far?
If not, what monitoring services do you use?

Are any of your technology service providers a SolarWinds client? If so, who?
Have you noticed any impact to your business? If so, what?
Have you communicated the suspicious activity anyone else? (Executive team, corporate attorney, cyber-insurance provider, etc…)

Immediate next steps – contact Cloud 9 for help and guidance to find the right cybersecurity solution, service, and vendor for initial triage and long-term protection.

Cloud 9 is here to help. Our Vendor Selection and Vendor Management services are free to our clients and are designed to help you determine the best course of action and quickly narrow the focus to the best solutions and vendors for your specific needs.

Learn more about Cybersecurity

As a client you'll have guided access to our proprietary Pathfinder app and experts. We'll get you started down the right path, focused on the right solutions, and narrow down the right vendors to evaluate.

Click the button below to book your appointment now.

Book now

Get Started Now

Supplier Spotlight: Vigilant Technology Solutions

Wed, 19 Feb 2020 12:13:14 -0500

Malware Found on Patient Medical Monitoring Devices

by: Vigilant Technologies and David Dickmeyer

Cloud 9 Supplier Spotlight: Vigilant Technology Solutions

Vigilant helps you avoid catastrophe by giving you full network visibility to see threats 98-days sooner than the industry average!

Why, does it seem that companies are falling victim to hackers left and right? To add insult to injury, these are not ordinary companies we are talking about. They are companies ranging from Fortune 500s and major retailers to banking institutions, all with very large security budgets intended to maintain the security of their customer’s data. These incidents lead organizations to ask themselves three important questions

If all of these companies are compliant with industry regulations, how is it they are still so successfully attacked?
With security budgets of giant companies in the millions, how will I ever be able to afford protecting myself?
If Firewalls, logging, and AV are getting better all the time, how do these attacks go undetected?

CyberDNA is a managed network security monitoring service from Vigilant LLC. and successfully reduces the overall cyber risk to an organization by proactively monitoring the customer’s network for signs of anomalous activity that could be indicative of an active compromise, misconfigurations, or other notable security risks. To allow customers to see the added value of CyberDNA over and above industry leaders, Vigilant offers a proof-of-value, free trial period, which produces a detailed threat report of our findings. This written report contains the findings from that free trial and highlights the value of having a fully managed continuous network security monitoring service.

Why your Network Loves Ebola

The headline might seem a bit dramatic, but there really is a correlation between diseases, how (and when) they are treated, and how your network and company data are protected – specifically, how antivirus works.

Modern medicine is amazing. It seems like every other week another news story comes out about some major breakthrough, some miracle treatment for a disease once thought to be incurable. It has become so commonplace, in fact, that we often find ourselves scratching our heads, impatiently wondering why all disease can’t simply be cured.

We’ve become so accustomed to miraculous breakthroughs that it takes something extraordinary – a disease of incomparable fear - to make us take notice. In the 1940s and 50s, it was Polio. In the 1980s, it was HIV and AIDS. Today’s scariest threat is Ebola.

More recently, we’ve observed the spread of Ebola throughout sub-Saharan Africa. What started as a couple isolated cases quickly spread to dozens, dozens begat hundreds, and hundreds were quickly morphed into thousands.

But this is the where the cold, hard truth of modern medicine comes into play. While seemingly miraculous to the yet uninfected, the discovery and synthesis of treatments for some of our most troublesome and problematic medical disorders comes at the ultimate sacrifice of those unlucky enough to have been exposed before us. How many thousands died of HIV and AIDs before a cocktail of drugs was identified to control its symptoms? How many children were left stricken with Polio before Jonas Saulk synthesized his vaccine?

Ebola is no different. In order for people to be protected from Ebola, other people, unfortunately, need to get sick and often times die from it. It’s in this critical mass of early sufferers that treatment will be found. As more people get sick, more opportunities for study arise – more opportunities for testing treatments.

This phenomenon is the same with most modern-day “cyber-diseases". And the “cures”, like antivirus, next-generation firewalls, or intrusion detection and prevention solutions, all come from a method called signature-based detection. Signature-based detection at its core is the data security equivalent of antibiotics and vaccines. It is a treatment for an illness that has already infected many others – hopefully before you. But, like many vaccines, it isn’t necessarily responsive. Other networks had to be infected with the disease first before any of the technologies had the ability to detect it. Therefore, widespread detection capabilities are merely reactive. They are only designed to discover known threats and if it doesn’t know about them, it can’t detect them.

Our largest challenge as defenders and cybersecurity professionals is that threats are constantly changing. Hackers are targeting companies with specific tactics – tactics designed for exploiting an individual system, organization, or end user – not just widespread threats. It’s like a disease designed specifically to make you and only you sick. There’s no way to benefit from others prior illness. Signature based detection, which gives many network administrators a sense of security, is certainly good to have, but it’s only one layer of security – and not a terribly effective one on targeted attacks.

Targeted tactics are why hackers can infiltrate and remain inside organizations undetected for up to 215 days on average and why big organizations are struggling to defend against them.

Protecting your network and data today requires multiple layers of security and the ability to identify any abnormality – often the symptoms before a diagnosis. Network visibility is the essential prerequisite to effective security.

Case Study: Malware Found on Patient Medical Monitoring Devices

Vigilant was engaged by a Healthcare Provider who was experiencing a sudden and extreme drop in bandwidth within their infrastructure. Their IT staff had been working on the problem for two weeks without any detection or artifacts of the problem visible in their existing IDS/IPS or logs. Something was eating up their bandwidth and bringing them to a grinding halt. Upon starting the engagement, Vigilant installed its CyberDNA sensors that would give the best ability to collect all traffic traversing the customer network.

CyberDNA is agentless, meaning there is no software loaded on any customer devices, which also ensures that the attacker is not aware of the monitoring device/service. This further reduces the risk of any potential attacker’s countermeasures. We strategically placed our sensors in a manner that will not alert the attacker of our presence while still allowing full visibility. The remote attacker has to travel across the network at some point on their way out to the internet. This allows for an interesting vantage point of our detection and monitoring tools as no matter how the attacker tries to conceal themselves they still have to travel on the network and are detectable by the CyberDNA sensors and the Vigilant analyst team. Vigilant’s approach gives immediate visibility and can inform a customer in real-time about what is happening in the deepest parts of their network. It’s like turning on the lights late at night to see if there is a monster in the room, although you hope there isn’t one. If there is, however, now you know and can take appropriate actions. Within minutes of turning on Vigilant’s CyberDNA service, our analysts were able to detect that multiple heart monitor devices at one of the hospital’s remote locations were running an embedded operating system infected with a botnet known as Conficker. They may never have known what was going on or that they were on heart monitors hooked up to patients however the attackers were using these devices to attack other locations on the internet and brought down the hospital’s network in the crossfire. There were two problems here, first, the Conficker worm was bringing their network down, and second, the devices were running outdated and non-compliant operating systems that were connected to patients.

While the Conflicker worm, sometimes referred to as Downad, was first discovered over 12 years ago in November of 2008, many recent reports show that it is still highly active and is the worm that just won’t die. At its peak Conflicker managed to infect over 9 million systems worldwide, making it one of the most prolific malware of its day.

When using third-party software or devices like Point-of-Sale (POS) systems in retail, medical devices in healthcare, door-entry and other “smart” sensor systems in buildings, etc. businesses are at the mercy of the vendor’s level of security--or, the weakest link in the chain. If the vendor makes a mistake it can cost you. Vigilant CyberDNA gives you visibility into these devices without needing to have additional agents installed. By doing this we can show you all software and operating systems running on your network. We keep your vendors honest about security and greatly reduce your risk and exposure.

This attack was carried out by tactics that Vigilant detects every day. Without the visibility that Vigilant brings it would have likely gone undetected in this victimized organization because their other advanced detection tools simply couldn’t see it.

Summary:

The patient medical devices running an embedded operating system were first infected with Conficker behind the hospital firewall and were later activated.
The effects of the infected devices caused a sharp decrease in bandwidth across the hospital's network resulting in applications being rendered unusable.
All previously installed and active IDS/IPS and detection methods available within the hospital network did not see or know about the outdated operating system nor the Conficker infection.
CyberDNA was placed, agentless, within the environment and immediately detected both the non- compliant OS and that Conficker was the source of the bandwidth draw.
Vigilant’s analyst team notified the customer of the infected systems. The customer removed the systems from the patients, cleaned them and notified the manufacturer of the vulnerability.

About Vigilant

Vigilant Technology Solutions is a cybersecurity firm based out of Cincinnati, Ohio providing security detection and prevention solutions. Vigilant is strict in it methodology of separating threat detection from threat prevention, using two tools: CyberDNA and MEP (Managed Endpoint Protection). Remarkably affordable and extremely effective, we work with businesses of all sizes in all industries. Vigilant is particularly effective with businesses in heavily regulated industries like finance and healthcare and we actively work with numerous Fortune 500 companies around the world, Vigilant has been operating since 2009, is privately held (and will remain so) with no outside investment funding.

Vigilant helps you avoid catastrophe by giving you full network visibility to see threats 98-days sooner than the industry average.

Learn More

Contact Cloud 9 Advisers to see if Vigilant and their CyberDNA (detection) or MEP (protection) security solutions are right for your business. Cloud 9 Advisers is 100% vendor-agnostic. If Vigilant is not right for you we'll help steer you to the right company and solution from over 200 service providers in our curated Supplier Portfolio

Contact Cloud 9

Supplier Spotlight: Allgress

Wed, 05 Feb 2020 18:19:35 -0500

Governance, Risk Management, and Compliance (GRC)

by: Allgress

Cloud 9 Supplier Spotlight: Allgress

RISK EXCEPTION

Track Risk – Evaluate and communicate strategic risks that align to your organizations enterprise risk program

Document and track risk exceptions with full life-cycle management by providing a standardized approach for the review, management, and acceptance of Findings and Exceptions

THIRD PARTY VENDOR MANAGEMENT

Oversee – Establish due diligence and ongoing monitoring of third party’s activities and performance

Gain visibility into your vendor’s risk posture and compliance to make informed decisions about the business relationship of your contracted vendors

COMPLIANCE MANAGEMENT

Assess Risk Efficiently – Assess risks against industry standards and regulatory requirements, provide gap analysis, risk treatment and reporting

RISK MANAGEMENT

Communicate Strategically with Key Stakeholders – Track strategic risks, assign ownership across the enterprise, quickly and easily communicate risk posture through dashboards, and provide continuous monitoring and improvement of risk posture of the organization

POLICY MANAGEMENT

Stay Organized – Unify and disseminate your organization’s document library from a centralized platform

Quickly assess your gaps in policy, mange your document lifecycle and exceptions

INCIDENT RESPONSE

Investigate & Mobilize – Track and respond to security threats impacting your company’s critical infrastructure with centralized management, root cause analysis, reporting, and tracking

VULNERABILITY MANAGEMENT

Collect, analyze and visualize data in the way you need to see it so you can make key decisions that align security and regulatory compliance programs with top business priorities. Manage patch exceptions, and understand the impact of your organizations exposure of unpatched assets

Leverage AWS API’s to Automate Compliance.

Allgress ComplianceVision (CV): Organizations are faced with the task of providing assurance that high-rated risk factors are being managed with the appropriate controls in place and that those controls are operating effectively. With increases in the regulatory regime, increasing technology complexity and pressures on cost, the demand is high for productivity improvements in the performance evaluation of internal controls. Allgress ComplianceVision (CV) provides continuous monitoring of control operating effectiveness. CV provides continuous data assurance to verify the integrity of data flowing through systems, as well as continuous risk monitoring and assessment to dynamically measure your organization’s risk.

Allgress CV improves control management and monitoring while reducing the time sink and complexity of traditionally annual, detailed controls assessments. Organizations are able to leverage API’s from Amazon Web Services (AWS) as well as AWS Technology Partners, enabling a continuous compliance process. In addition, policies in configuration content are included for all major compliance frameworks. With Allgress CV organizations realize cost reductions through improved efficiency and effectiveness, and additionally benefit from increased test coverage, improved timeliness of testing, reduced risk velocity and remediation cost, improved consistency, the ability to identify trends, and comprehensive risk visibility through the Allgress Platform. Allgress CV replaces the manual, error-prone, preventive controls of the past with automated, detective controls to reduce your risk profile.

CV identifies the shared, inherited, and customer specific control statements and demonstrates how you can leverage the AWS Shared Responsibility model to document adherence with applicable compliance standards. Focusing on all major compliance frameworks such as PCI, HIPAA, CJIS, NIST, and FISMA compliance, the portal guides you through the compliance process by providing targeted content at every step of the way. ComplianceVision automates manual compliance functions through integration with current AWS tools.

ComplianceVision will soon support all major cloud platforms, including Microsoft Azure, Google Cloud Platform and Oracle Cloud Platform.

About Allgress

Founded in 2008, Allgress helps enterprise security and risk professionals solve the problem of how to assess, understand and manage corporate risk.

Its founders and management team are committed to providing CISOs with the ability to make effective investment decisions that align security and compliance programs with top business priorities, communicate the value of those decisions to senior executives, and manage risk, fines, and brand damage.

Allgress Business Risk Intelligence solutions converge disparate risk silos across global enterprise networks and automate governance, risk and compliance (IT GRC) management processes. Powered by the patented Allgress Business Risk Intelligence engine, the company's products, solutions and CISO reporting tools provide customers with heat maps and compliance assessment reports that reveal a comprehensive, immediate and intuitive picture of their organizations' security and compliance risk posture.

Allgress provides operational efficiency. Its solutions allow users to assess once and manage and report on many industry and government regulations. Allgress deploys faster than competing solutions and provides rapid ROI.

Is Allgress right for you?

Contact Cloud 9 to see if Allgress is right for your business. Cloud 9 Advisers is vendor agnostic and can help you find the right solutions and the right companies from our list of over 200 vendors in our curated Supplier Portfolio.

CyberSecurity Communications Connectivity Cloud

Learn more about Cloud 9

Supplier Spotlight: Nitel

Tue, 04 Feb 2020 12:06:38 -0500

Nitel: Managed Next-Generation Security

By: Nitel USA, see the article here https://www.nitelusa.com/blog/explore-4-levels-of-security-testing/

Cloud 9 Supplier Spotlight: NITEL

Explore Four Levels of Security Testing

With cloud, big data and mobile solutions becoming mission-critical to organizations of all sizes, IT teams are struggling to keep up with the adoption and innovation of the latest security best practices, leaving their organizations vulnerable to cybercriminals. And it’s not just large organizations cybercriminals are targeting; smaller companies are just as likely to be attacked. They tend to be easier targets, more likely to pay up in the case of a ransomware attack. They can also serve as a back door into other third-party organizations they do business with.

Although managed security is an investment, many organizations simply cannot afford to not conduct on-going security testing. According to a recent Trustwave security report, 41% of those surveyed feared financial damage to their company in the event of a cyberattack or data breach.

Managed security testing is defined as subscription-based proactive scanning and testing of environment security to identify vulnerabilities. However, a comprehensive managed security solution does more than identify vulnerabilities and weak points.

When working with a qualified managed security provider an organization should not only gain insight into weaknesses, but gain a blueprint on how to prioritize, mitigate and remediate these risks. When your customer engages with a provider of managed security services like Nitel, backed by a cybersecurity Gartner Magic Quadrant Leader Trustwave, they can choose to engage with four levels of testing depending on their budget and business needs, including:

Basic threat – Simulates the most common attacks executed in the wild today. This class of attacker typically uses freely-available, automated attack tools.
Opportunistic threat – Builds upon the basic threat and simulates an opportunistic attack executed by a skilled attacker that does not spend an extensive amount of time executing highly sophisticated attacks. This type of attacker seeks easy targets (”low-hanging fruit”) and will use a mix of automated tools and manual exploitation to penetrate their targets.
Targeted threat – Simulates a targeted attack executed by a skilled, patient attacker that has targeted a specific organization. This class of attacker will expend significant resources and effort trying to compromise an organization’s systems.
Advanced threat – Simulates an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting.

Cloud 9 Advisers clientele benefit from Nitel/Trustwave’s crowd-sourced, global threat intelligence through a solution that is scoped to fit their needs. Nitel's intrinsic network knowledge, combined with Trustwave’s highly skilled SpiderLab ethical hacker team, can quickly identify security weak points and guide you to a solution to protect your organization.

Managed Next-Gen Security Solutions

What keps business and IT leaders up at night?

For business leaders everywhere, a data breach is on par with the most damaging things that could happen to an organization. The thought of being the next company to make headlines keeps leaders up at night while IT organizations fight to keep the bad guys out. As threats become increasingly widespread, sophisticated and dangerous, companies look to develop security strategies that protect their environment while staying within budgets that seem to get tighter every year.

Your business is unique, with its own set of needs and priorities. That’s why we offer a suite of security solutions that offers multiple ways for you to protect your business. Whether your business is big or small, whether you value distributed architecture or centralized, you’ll find a solution that fits how you prefer to manage your environment.

ENTERPRISE GRADE PROTECTION

Safely enable applications, users and content by classifying all traffic, determining the business use case, and assigning policies to allow and protect access to relevant applications.
Prevent threats by eliminating unwanted applications to reduce your threat footprint and apply targeted security policies to block known vulnerability exploits, viruses, spyware, botnets and unknown malware (APTs).
Protect your datacenters through the validation of applications, isolation of data, control over rogue applications and high-speed threat prevention.
Secure public and private cloud computing environments with increased visibility and control; deploy, enforce and maintain security policies at the same pace as your virtual machines.
Embrace safe mobile computing by extending the enterprise security platform to users and devices no matter where they are located.

ROCK SOLID PROTECTION FOR SMB

Our customized solutions deliver next-generation security for every size and type of business. Gain full control and visibility of application traffic passing through your network, even for encrypted traffic, thanks to application detection, user-identity awareness, SSL interception and built-in live reporting.

You benefit from the same critical next-generation security features that large enterprises receive—but sized appropriately for your business. Your business will fend off threats with included next-gen features that take place directly in the data path, including:

Firewalling
Intrusion Detection and Prevention (IDS/IPS)
URL Filtering
Dual Antivirus
Application Control

SECURITY EXPERTISE ON YOUR SIDE

Nitel has partnered with Gartner Magic Quadrant leader Trustwave to complement our managed next-generation firewall service with a suite of security management services. This 1–2 punch creates a comprehensive managed security solution to reduce your business risk and give you peace of mind. With Nitel overseeing your network health, performance and security, you have a single partner working on your behalf to ensure your business operates optimally and safely.

SECURITY INFORMATIONEVENT MANAGEMENT

Achieve more effective identification and mitigation of security threats. You’ll reduce your burden with around-the-clock support from 10 global security operations centers staffed with experts who have in-depth knowledge and experience working with complex network environments for highly distributed organizations.

Our SIEM service collects, analyzes and stores logs from networks, hosts and critical applications. It extends visibility beyond the network perimeter to the application layer, helping you achieve more effective identification and mitigation of security threats, and compliance validation with numerous regulatory and industry standards.

Advantages:

SpiderLabs security research utilizing global event data to identify current and emerging threats
Industry-leading compliance expertise
Solutions tailored to the specific needs of healthcare, financial, retail and more
Collects and reviews over 1 billion events per day

Need to maintain compliance with PCI, DDS, HIPAA, SOX, FISMA, GLBA/FFIEC? Let Nitel help. We’ll help you fulfill your requirements for vulnerability scanning, penetration testing and ongoing evaluation of your environments and applications.

MANAGED SECURITY TESTING

Reveal potential vulnerabilities in your environment with thorough penetration testing. Expert “ethical hackers,” armed with the same techniques as today’s cybercriminals, attempt to hack into your network or application to help you identify network-connected assets, learn how those assets are vulnerable to attack and understand what could happen if those assets were compromised.

Learn More

Contact Cloud 9 Advisers for expert guidance and help with any compliance, risk management, monitoring, edge security and any other cybersecurity issues. We'll guide you to the right vendors, like Nitel, from our Supplier Portfolio.

Contact Cloud 9

Supplier Spotlight: RSI

Mon, 03 Feb 2020 10:29:06 -0500

Getting Zero Trust Right

By: Taylor Hersom, RSI, see the original article here RSItex.com/post/getting-zero-trust-right

Cloud 9 Advisers, Supplier Spotlight: Renaissance Systems, Inc.

At RSI, our priority is to help companies improve their Cyber Risk Management. While a lot of our clients’ attention is focused on our unique Automated Cyber Risk Management solution, powered by CyberCompass, we also assist our forward-thinking clients to achieve Zero Trust Security through the adoption of our ‘Evolving Trust’ Framework. The purpose of this article is to provide some background on Zero Trust Security, highlight how RSI has re-imagined this strategy, and demonstrate how RSI can help you to adopt true Zero Trust using our Evolving Trust Framework.

A Brief History

Historically, network security hasn’t changed that much. Corporate networks were designed like a castle, where all users are screened at the gate (firewall) for appropriate credentials. Once a user is allowed access, they are trusted and therefore have access to all the goodies inside. In this model, it's difficult for a user to get into the ‘castle’, but the network is vulnerable to widespread turmoil if malicious users manage to get in. As the IT landscape has evolved into multiple devices per user, remote work policies, and sketchy Starbucks WiFi, the need for a better way of managing users/access has become dire.

Hence, Zero Trust is born. Originally known as ‘Zero Trust Network’ or ‘Zero Trust Architecture’, the idea was created in 2009-2010 by Forrester Research Inc.(specifically John Kindervag). While the concept was clever, it took a few years and a BIG company to provide a proof of concept. Google created an enterprise security model, coining it BeyondCorp, and achieved company-wide adoption of the Zero Trust model using home-grown, in-house tools and technologies. BeyondCorp achieved the previously inconceivable; it enabled every employee to work from untrusted networks without the use of a VPN. Since Zero Trust was only a concept at the time, Google had to create and piecemeal together a variety of technologies. Thankfully, there has since been widespread adoption and a variety of technologies created to help you achieve the same vision as Google, but we’ll get to that.

What is Zero Trust? I encourage you to read more about Google’s BeyondCorp solution to gain insight into the intricacies, but in a nutshell: the Zero Trust model asserts that organizations should not automatically trust anything or anyone inside or outside its perimeter(s). Instead, access controls are shifted from the network perimeter to individual endpoints/users and data analytics (i.e. location, time of day, employee credentials, etc.) are used to create meaningful decisions on whether an access request is appropriate. This all adds up to what is called a ‘Trust Score’, and it’s assigned every time a user attempts to log in. Remember the castle analogy above? Think about it like this: Zero Trust micro-segments your castle into a bunch of little castles. You now have the ability to determine which castle(s) your users have access to. If implemented properly, you no longer have to be connected to the corporate network and can work from any internet connection.

The Case for Evolving Trust Security

Early on, RSI understood the value of Zero Trust, especially as businesses increasingly allow remote work, BYOD, and SaaS solutions to accomplish daily tasks. Many companies have moved their most precious data to the cloud and manage an average of 1000 applications at any given time. RSI built a professional services arm to assist companies in understanding the value of this Zero Trust model as well as adopting it without any significant, upfront requirements. In order to accomplish this, we took the Google approach and adopted it ourselves (thankfully we didn’t have to build all the technology from the ground up). This journey allowed us to identify pain points, discern shortcuts from pitfalls, and ultimately develop a framework that adds tremendous value to each of our clients. What’s more, we took the time to look at Zero Trust from a non-traditional lens by including some non-traditional thinkers from our Innovation Center (and its data scientists with their big, beautiful scientific brains). What we identified is a gap in how Zero Trust is discussed, how it is interpreted, and how companies are leveraging the current solutions. RSI took that data and developed our Evolving Trust Framework. The following are some of our biggest takeaways:

One Size Does Not Fit All
Arguably the most important point I will stress is that while advertisements show you can “adopt Zero Trust in minutes with our tool”, those marketing gurus are causing companies to put the proverbial cart before the horse. Even with incredible SaaS tools at your disposal, you still have to be extremely familiar with the implementation and all the nuances that stem from the process, such as certificate authority, device discovery, and inherent limitations. This requires members of your organization to take the time to understand Zero Trust, understand the variety of required tools, and figure out a launch strategy that doesn’t cripple your organization. Furthermore, while there are a variety of technical solutions on the market that claim ‘Zero Trust Security’ (i.e. OKTA, Duo Security), this is only part of the puzzle. There are more components to the Zero Trust Model than those addressed by these Identity & Access Management (IAM) tools. Without this knowledge and expertise, your Zero Trust strategy will gain zero traction.
Easy to Miss the Mark On Execution
Unfortunately, companies tend to fall into this pit of saying “let’s require every user to authenticate in three different ways every time they access any critical application”. Not only does this create a very difficult beast to manage for your IT department, but it also doesn’t even accomplish some of the biggest potential benefits of Zero Trust. This was the #1 reason RSI created the Evolving Trust framework, and the name says it all: we believe in incorporating deep monitoring/data analytics into the entire process so that checks and balances are strategically placed throughout a users’ access journey rather than just at the beginning. For example, when a user authenticates and meets our basic requirements (i.e. correct credentials, an appropriate device, relevant geo-location), we let them in. Next, we monitor those users and what they are trying to access. If they attempt to access any system/data we deem critical, then we require another authentication check. Finally, we keep an eye on the patterns of each user to detect anomalies in what/when/where they are accessing critical applications or data. This allows us to control the narrative for every user, every time, without creating huge inefficiencies in our organization.
Employee Education is Even More Important Than Technology
Zero Trust is just another component of cyber security and one of the biggest problems that security experts are facing is the fact that people LOVE to skirt rules. It’s human nature to make assumptions that we all know everything and we all deserve the best for ourselves, especially when some very nice Nigerian prince is trying to wire us FREE money. RSI discovered the hard way that this unfortunate mindset carries into the Zero Trust realm. The fact of the matter is, Zero Trust adds at least one extra step for every employee when they attempt to login to a critical application by requiring Multi-Factor Authentication (MFA). This causes some people to lose their minds (especially those pesky developers who are obsessed with minimizing clicks), which creates a snowball effect down the road when they decide to adopt a shiny, new SaaS tool and choose not to tell anyone about it. What’s more, IT experts have developed a mindset that firewalls keep bad actors out and that they can inherently trust their environments. The same people who haven’t changed their server admin passwords in 4 years are now required to shift their mindset to the opposite end of the spectrum, which takes time. Your Zero Trust model is only as powerful as the IT people, processes, and technologies you are in control of, which is why RSI identified other strategies to counteract these risks in the form of discovery tools, monitoring, and data analytics.
It Takes A Village Just to Manage A Village
Similar to the game of Monopoly, acquiring the esteemed Boardwalk space is only half the battle. You still have to enforce and manage your acquisition or the positive effects are moot. Zero Trust requires a SOC team to actively manage access, evaluate trust scores on a periodic basis, track new assets, and manage vulnerable endpoints (i.e. outdated OS, vulnerable applications, etc.). RSI treated our implementation as an opportunity to train our entire Technical Assistance Center (TAC) team, creating a squad of experts in the entire Zero Trust Management process and providing them the tools to scale this expertise to our clients. One of the biggest benefits of our Evolving Trust framework is that it requires a LOT less effort for our TAC team to manage access because we have automated many of the previously manual processes.

In summary, Zero Trust is an incredibly useful strategy for companies to keep up with the evolving IT landscape of endless personal devices, SaaS solutions out the wazoo, and cyber-crime galore. In my humble opinion, I don’t see how any company can keep up with this transformation without Zero Trust. However, I’m concerned that many companies are fooled by the current glamour of Zero Trust and their desperation to improve overall cyber hygiene can create more problems than solutions. RSI is working hard to address the Access Management cyber epidemic, and we strongly believe that the Zero Trust model (more specifically, our Evolving Trust framework) is a huge step in the right direction.

To learn more about Zero Trust and how RSI can help, please contact Cloud 9 Advisers.

RSI is a member of the Cloud 9 Supplier Portfolio

Learn More

About RSI

RSI transforms company and culture through fully automated solutions for business workflow. We serve the enterprise with software solutions for business process improvement, artificial intelligence for big data, and custom, managed IT services.

RSI is the exclusive channel distributor of CyberCompass™, a SaaS solution for cyber risk management and remediation.

Automated solutions for business workflow
AI solutions for data analytics
Custom, managed IT services
Exclusive distributor of CyberCompass™, automated cyber risk management
Drone Services

For more than 35 years, the passion for helping people has transformed our business and that of our customers. By developing strong partnerships with our clients, we have a deeper understanding of what they need to better run their businesses. As a result, our services have expanded for a greater reach with every client.

10 risk factors no one talks about

Wed, 30 Oct 2019 10:24:06 -0500

Ten Cybersecurity Risk Factors No One Talks About

These risk factors might not show up on an official risk assessment report, but every security professional should be thinking about them.

By Roger A. Grimes, Columnist, CSO | OCT 17, 2019 3:00 AM PDT see the original article at CSOonline.com

The traditional risk management factors you are all taught include the staid process of categorizing potential threats and risks, evaluating their likelihood of occurrence, and estimating the damage that would result from them if not mitigated. The costs of the potential mitigations and controls are measured against the potential damage. Mitigations are put in place if they are cheaper and better to implement than allowing the risks and threats to occur.

You have all fretted about the difficulty of calculating both the likelihood of an event and its potential damages. They have always been more like a best guess than an insurance actuarial table. How can anyone estimate the chances that a sophisticated ransomware, DDoS or insider attack will occur to their organization in a given year or what assets it might be able to take out with any accuracy? Can anyone prove that likelihood is 20% versus 60% in a given year?

We all struggle with those large estimation issues, but there are a ton of other factors that impact risk management. Here are ten that are rarely discussed openly.

1. Fighting over “might happen” risk

Every risk assessment is a fight between something that might happen and doing nothing, especially if it hasn’t happened before. Many people believe it’s cheaper to do nothing, and those who fight to do something might be seen as wasting money. “Why waste the money? That’s never going to happen!”

Few people get in trouble for following the status quo and doing what has always been done. It’s far harder to push to be proactive, especially when large sums of money are involved, than to just wait for the damage to happen and address it then.

The story I like to use is 9/11 and air travel safety. It’s not like air travel safety experts didn’t already know before 9/11/01 that a hijacker could take over a cockpit using a boxcutter or smuggle explosives onto a plane. These risks had been known for decades. Imagine the public outcry if passengers were made to throw out their water bottles and get full body scans before 9/11 happened. It would have outraged the public and the airlines would have proactively tried to get rid of the security measures.

After 9/11, we happily take off our shoes, throw away our water bottles, and subject ourselves to full-body scans. Getting real money to fight possible risks is much harder to do than to get the money after the damage has happened. It takes real bravery every time a risk assessor warns about a problem that has never ever happened. They are the unsung heroes.

2. Political risk

Proactive risk-taking leads to the next unknown risk component: political risk. Every time proactive heroes argue for something that never happens, they lose a little bit of their political capital. The only time they win is when the thing they were proactive about happens. If they are successful and convince the company to put controls and mitigations in place so the bad thing never happens, well, it never happens.

It’s a self-defeating prophecy. When they win, no one ever knows because they successfully argued for the controls. So, each time the thing they worried about never happens, they are seen as “crying wolf.” They lose political capital.

Anyone who has fought one of these risk management battles can tell you they don’t want to take on too many of them. Each one taken burns their reputation a bit (or a lot). So, proactive warriors calculate which battles they want to fight. Over time, seasoned warriors pick fewer battles. They have to. It’s survival of the fittest. Many of them are just waiting for the day when a really bad thing happens that they didn’t fight to prevent hurts the organization and they become scapegoats.

3. "We say it’s done, but not really" risk

Many of the controls and mitigations we say we have done aren’t really done…at least not at 100%. Many people in the process understand it’s not really done. The most common examples are patching and backups. Most companies I know say they are 99% to 100% patched. In my over 30-year career of checking on the patch status of millions of devices, I’ve never found one that was truly fully patched. Yet, every company I’ve audited told me they were fully patched or nearly so.

The same is true of backups. The current ransomware epidemic has laid bare that most organizations don’t do good backups. Despite most organizations and their auditors checking off for years that critical backups are both done and are regularly tested, it just takes one big ransomware hit to show how radically different the truth is.

Everyone in risk management knows this. How can a person who is in charge of backups ever test everything when they aren’t given the time and resources to do so? To test if a backup and restore would work, you would have to do a test restore of many different systems, all at once, into a separate environment where it would have to work (even though all the resources are pointing in the original environment). That takes a huge commitment of people, time, and other resources, and most organizations don’t give the responsible person any of that for the task.

4. Institutionalized risk: “It’s always been done that way”

It’s hard to argue against “that’s the way we’ve always done it,” especially when no attacks against the weakness have occurred for decades. For example, I frequently come across organizations that allow passwords to be six-characters long and never changed. Sometimes it’s that way because the PC network passwords have to be the same as the passwords connecting to some archaic “big iron” system that the company depends on. Everyone might know that six-character, non-changing passwords are not a good idea, but it’s never caused any problems.

Good luck arguing that everything needs to be upgraded to support longer and more complex passwords, possibly spending millions of dollars, The institutional “wisdom” is against you, and most of those people have been there way longer than you.

5. Operational interruption risk

Every control and mitigation you implement might cause an operational issue. It might even disrupt operations. You are far more likely to get fired for accidentally disrupting operations than for proactively preventing some theoretical risk. For every control and mitigation that you push, you worry about the potential operational interruption it will cause.

The more radical the control, the more likely it is to mitigate every bit of the risk of the threat it is fighting, but the more suspicious you are that it can do so without operational interruption. If mitigating risks without causing operational interruption were easy, everyone would be doing it.

6. Employee dissatisfaction risk

No risk manager wants to make employees angry. If you want to do so, implement any control that restricts where they can go on the internet and what they can do on their computer. End users are responsible for 70% to 90% of all malicious data breaches (through phishing and social engineering). You cannot trust end users’ instincts to protect the organization.

Yet the mere mention of restrictions on what end users can do, such allowing only pre-approved programs to run or restricting where and what they can do on the internet, is met by hostility from most employees. The labor market is tight. Every company is struggling to get good employees, who don’t want to be told they can’t do whatever they want to do on “their” computer. You lock it down too much and they might go work somewhere else.

7. Customer dissatisfaction risk

No one wants to implement a policy or procedure that turns customers off. Upset customers become other companies’ happy customers. For example, credit card companies are far more concerned with accidentally denying a legitimate customer a legitimate transaction than in stopping fraud. They care about fraud, but it’s at a level they feel is long-term sustainable. The subcontractors and companies that make credit card transactions more accurate sell their services to the credit card companies on how well they don’t deny legitimate transactions. Customers wrongly denied twice in a year will use someone else’s credit card.

It’s also why you don’t need to use a PIN with a chipped card in the US. The rest of the world requires both the chip and a PIN, and this is a more secure option by far. How did it get that way? Because PIN and chip cards came to the US relatively recently, and merchants and customers were just getting used to swiping cards. Requiring people to insert the card so that the chip was read correctly was going to make a small percentage of transactions fail and upset some customers.

8. Cutting edge risk

People on the cutting edge often get cut. No one wants to be on the pointy tip of the spear. Early adopters are rarely rewarded for being early. They often become the lessons learned that make it easier for the herd to adopt improved tactics.

Two years ago, the US National Institute of Standards and Technology (NIST) said that its long-standing password policy of requiring long and complex passwords that are frequently changed caused more hacking than it prevented. Its new Digital Identity Guidelines, NIST Special Publication 800-63-3, says passwords can be short, non-complex, and never have forced password changes unless you know the passwords have been compromised. It was a complete 180-degree turn from the previous advice that was accepted as dogma.

Since then, no compliance guideline or regulatory law has been updated to say that following the new advice is recommended or legal. I haven’t seen or heard of any companies moving to the new policies. That’s probably a good thing, because if you changed your policy and got hacked because of it, even if NIST said it was the right thing to do, fingers will be pointed at you asking why you did it. It’s much safer to wait for the herd to move to the new password policies and they are proven right or wrong.

9. Time lag risk

You are almost always fighting some risk that has already happened to other people (or to your organization). You wait to see what tricks the hackers have up their sleeves and then create mitigations and controls to fight those new risks. Having to first wait to see what the hackers are doing makes a time lag from when the new malicious behavior is spotted until you can assess the new technique, think of new controls, and push them out. In a wait-and-see game, you are always behind.

10. "Can’t do everything right" risk

Last year more than 16,555 new public vulnerabilities were announced. More than 100 million unique malware programs are known. Every type of hacker from nation-states to financial thieves to script kiddies are trying to break into your organization. It’s a lot to worry about. You have no way to defend against it all unless someone gives you an unlimited amount of money, time and resources. The best you can do is guess (see #1 above) what are the most important risks and try to stop them.

These are not new components of risk assessment. They have always been there, and they are what you are all thinking about when assessing risk and thinking of controls. It all points to the fact that risk assessment and risk management are far harder to do than it seems, especially on paper or from formal theory in a book. When you consider all the things the average computer security person has to worry about and contemplate, it’s amazing that we can actually get it right most of the time.

Now go out there and continue to fight the good fight!

Learn more about CyberSecurity and Cloud 9 Advisers

Every company wants to be your partner, but let’s face it, if they are selling you something, they’re not your partner, they’re just another vendor. Cloud 9 is different. We don’t actually sell anything and we don't charge our clients. We become an extension of your team and help manage the often overwhelming process of finding, evaluating, and selecting the right technologies and competitive providers. When it comes to cyber security there is far too much to consider. Cloud 9, together with our distributors, is made up of more than two-hundred and fifty experts, engineers and staff, all devoted to helping you save time and money and make choices easier. Our curated Supplier Portfolio contains nearly two-hundred of the best service provider companies. We are one of the largest buyers of technology in the country. Through us, you’ll get the collective buying power of thousands of other clients. Consider us your professional technology shoppers and babysitters. We are impartial, unbiased, and supplier-neutral. We sit on your side of the table to help you find, evaluate, and negotiate with service provider companies. We’ll help you design the right solution and identify the best technologies. We’ll get pricing from multiple competing companies, then guide you through the evaluation and procurement process. Use our evaluation tools for documentation and due diligence. Plus, have our entire team at your disposal before, during, and after the acquisition of your new services. We'll be by your side for as long as you’re in business.

Technology Partners. Strategic Advisers.

China Tops List as Top Risk (duh!)

Tue, 08 Oct 2019 04:02:04 -0500

China Tops List of U.S. Cybersecurity Agency’s Top Risks

By William Turton | August 23, 2019 - see the full article at InsuranceJournal.com

Cybersecurity and Infrastructure Security Agency (CISA), a newly created U.S. cybersecurity agency said Thursday that China represents the greatest strategic risk to the U.S., and as a result, the agency’s top operational priority is reducing the risks from Chinese compromises to the global supply chain, including emerging 5G technology. The statement was part of a report outlining CISA's strategic intent for the next five years. The agency is responsible for protecting America’s critical infrastructure, like election systems and power grids, from hackers and other cybersecurity threats.

Besides China, the agency’s other priorities include federal cybersecurity and reducing risks for industrial control systems. Christopher Krebs, the agency’s director, said in a speech Thursday that his agency is the nation’s “risk adviser,” which doesn’t have its hands on the keyboards of computer networks but rather seeks to make other agencies and companies do a better job managing risks against cyberattacks.

The priorities reflect the work CISA has already been doing since the agency was established in November 2018, a time during which the Chinese manufacturer Huawei Technologies Co. was blacklisted by the Trump administration amid security concerns and Russian agents were indicted for seeking to manipulate the 2016 presidential election.

“When we think about Russia, they’re trying to disrupt the system,” Krebs said, at an event at Auburn University in Alabama. “And China is trying to manipulate the system, so that requires us to take different approaches.”

CISA is currently offering services to election equipment vendors to find potential vulnerabilities in its systems. CISA’s work also includes protecting state and local governments from ransomware attacks, like the one that hit 22 towns in Texas last week. “Ransomware is not going anywhere,” Krebs said. “It’s only getting worse.”

CISA sits within the Department of Homeland Security. Krebs, the agency’s first director, joined the DHS in 2017 and was nominated to lead the agency by President Donald Trump in 2018. Before that, he was the Director for Cybersecurity Policy on Microsoft Corp.’s U.S. Government Affairs team.

Learn how Cloud 9 can help you protect your business

Save Time: We manage everything by becoming an extension of your team and do the legwork for you.
Save Money: We save you big by getting the buying power of thousands of other clients.
Get Confidence: We evaluate and negotiate to get you the best solution, best supplier, and the best price.
Get Clarity: We find the right companies, distill the information, and clear the clutter.

Technology Partners. Strategic Advisers.