Cloud 9 Advisers - News #cyber security

Under Constant Attack

Wed, 21 Jul 2021 14:59:22 -0500

Constant attacks require constant Security

We’re in an environment where our systems are constantly under attack. They're under attack from all sorts of diverse players who are trying to take advantage of the private proprietary information that is available.

Companies are really focused on compliance ensuring that they are protecting their business value from these types of attacks. Every executive has an obligation to ensure that they are compliant with security.

What are most companies doing for security?

Most companies only have basic firewall protection, your basic intrusion prevention (not necessarily intrusion detection), generally just hardware-based. A few others may do just a little more; they may conduct regular scans of their environment. This is really no different than your home having a basic lock and maybe a deadbolt. There is no alarm system like you might have in a home to see and be alerted when intrusions are happening. Being alerted of intrusion is critical in business so that more immediate actions can be taken. Often enough, attacks can be sly and stealthy. Recent studies show that malicious code is embedded on business systems for more than 250 days before it is ever used to promote an actual attack. The reason being so that attackers know their code is also well planted in several layers of business backups as well as active systems.

How have today’s complex attacks changed systems and the approach to security?

The attacks are becoming more sophisticated, automated, and voluminous, so we no longer have the time nor capability to react in a manual way. We actually have to have machine learning and other artificial intelligence technologies to adapt and scan the environment much more rapidly looking for these constant intrusions malicious code, and breeches. These technologies work in tandem with professional cybersecurity teams and Security Operations Centers (SOCs) to constantly manage, monitor, and alert. The trick with alerts is dramatically reducing false positives. Too many alerts are just as futile as too few.

How much does a cyber attack cost?

Recent US cyber crime studies show an average measurement of damage from a breach: a 46 day long average resolution at an average of $21k per day, plus regulatory fines, and major customer fallout. These attacks can be highly damaging to any business. Cyber insurance can only go so far and cover so much. Claims can also be denied for a host of often confusing reasons, leaving the business to fit the bill. These newer types of cyber insurance policies have many requirements and stipulations, and with a sense of irony, those requirements are very much cybersecurity technology many of which are security technology related.

About Cloud 9

Cloud 9 Advisers is a client-only, client-focused agency and consulting group offering vendor selection and management services to help you solve IT and general technology problems fast. We'll walk you through the identification, research, evaluation, and comparison process, provide board-ready documentation and due diligence, and provide oversight of solution implementation on any of our 250+ vendors, carriers, and service providers.

Our teams of vendor-neutral security focused engineers will help you slice through the marketing fluff and industry jargon so you know what you're buying. We'll help you make smart IT investments quickly and confidently. Reach out to us today!

Get Started Now

Never Trust and Always Verify

Tue, 16 Mar 2021 17:11:26 -0500

Zero Trust Picking up Steam in the Enterprise

Never Trust and Always Verify. Hmm, doesn't sound very productive in most business situations, but if you're talking about technology and security, I think we might be on to something.

"The traditional perimeter-based security model is dead. It has been overtaken by an era of cloud, mobility, and BYOD that requires a new approach to network access control."

The Zero Trust Network Access (ZTNA) model is a new method of access control that considers all network connections untrusted. This is a shift from the traditional concept of an inside/outside network where only some connections were considered trusted. The ZTNA model requires organizations to consider all traffic as potential threats, which means security controls must be in place at every stage of the attack lifecycle and beyond the firewall layer into your environment.

Never Trust and Always Verify is the general premise behind Zero Trust Network Access (ZTNA). A strong proponent for the replacement of traditional remote access like Virtual Private Networking (VPN), where a secure tunnel straight into the corporate network is created and anything that goes through that tunnel is presumed "safe" and "trusted". There are a number of "faith-based" assumptions that take place when using VPN. One big one being the remote device creating the tunnel is still a trusted device. ZTNA takes a different approach: nothing is trusted and everything must be verified. This might seem laborious, but the user experience is minimally affected and security benefits are significant.

ZTNA is starting to turn heads with IT for its protection of applications, data, and networks, easier control, and innate simplicity allowing access to remote staff, suppliers, and contractors. Some providers offer client and clientless versions for far greater flexibility and no need to constantly update Active Directory just to let a supplier in for two hours worth of work. And even provided secure access to users' personal devices without the typically required "big brother'"intrusions.

The real power of ZTNA comes when its combined with the power of a Secure Access Service Edge (SASE) solution. These two put together forms a full security barrier and flexible perimeter thoroughly protecting endpoints and users.

Using disparate/separate SASE and ZTNA platforms can certainly be done, but should only be done so by the most adept and experience security professionals. The management interface and integration of these separated systems is highly complex. Many solutions exist that combine both SASE and ZTNA together with a single management interface. Some providers also offer a completely managed solutions as well.

Regardless there is a lot to consider. Contact us and we'll get you in contact with a Strategic Tech Expert to wal you through all of the options and find out who the best vendors are for your business

Get Started Now

ALERT: SolarWinds & FireEye

Mon, 28 Dec 2020 12:23:55 -0500

Tips to protect yourself against the SolarWinds Breach

Are you concerned your business has been affected by the SolarWinds hack?

Unfortunately, Cyber Attacks don’t take time off to celebrate with family and friends. Due to the recent news about FireEye discovering the major SolarWinds hack we want to make sure you are equipped and prepared. Cloud 9 and our cybersecurity vendors are receiving numerous inquiries about the recent cyber-attacks on Solarwinds.

Most people have never heard of SolarWinds, which provides IT infrastructure management tools to hundreds of thousands of customers including government agencies, corporations, and nonprofit organizations. SolarWinds boasts of 300,000 global customers of whom include most of the S&P 500, hundreds of colleges and universities, and many of the country’s most important government agencies including the US State Department, Department of Commerce, US Treasury, Department of Homeland Security, and the National Institutes of Health to name a few.

News sources are saying this is the biggest cyber attack from a nation state in US history. Many are blaming a state-sponsored attack from Russia, some say the Russian group "Cozy Bear", still fewer have said that China may be involved. Even though the main target appears to be the US Government the threat goes much deeper giving the attackers administrative access to critical systems of potentially every SolarWinds customer. Because the attacks were targeted against a hugely popular and widely used IT infrastructure monitoring software the effects will be catastrophic to many commercial businesses around the globe.

"This is a huge problem for two major reasons: The attackers were able to gain access for a long period of time without being detected, and it will also take a long time for security experts to determine the extent of what's been compromised." - Business Insider

Here are just a few headlines from several news outlets about the breach:

If you are concerned you could be at risk, please reach out to Cloud 9 immediately. Our vendor-neutral cybersecurity experts will help to validate any concerns, plot the best course of action, and determine the ideal Risk Assessment and Security Assessment services and vendors for your organization. This will give you the ability to inspect all targeted areas within your environment for active malware and other vulnerabilities.

If you are experiencing questionable activity or are concerned in any way...

Describe the suspicious activity.
When did you first notice it?
Are you a SolarWinds customer?

If so, what have you done so far?
If not, what monitoring services do you use?

Are any of your technology service providers a SolarWinds client? If so, who?
Have you noticed any impact to your business? If so, what?
Have you communicated the suspicious activity anyone else? (Executive team, corporate attorney, cyber-insurance provider, etc…)

Immediate next steps – contact Cloud 9 for help and guidance to find the right cybersecurity solution, service, and vendor for initial triage and long-term protection.

Cloud 9 is here to help. Our Vendor Selection and Vendor Management services are free to our clients and are designed to help you determine the best course of action and quickly narrow the focus to the best solutions and vendors for your specific needs.

Learn more about Cybersecurity

As a client you'll have guided access to our proprietary Pathfinder app and experts. We'll get you started down the right path, focused on the right solutions, and narrow down the right vendors to evaluate.

Click the button below to book your appointment now.

Book now

Get Started Now

Supplier Spotlight: Nitel

Tue, 04 Feb 2020 12:06:38 -0500

Nitel: Managed Next-Generation Security

By: Nitel USA, see the article here https://www.nitelusa.com/blog/explore-4-levels-of-security-testing/

Cloud 9 Supplier Spotlight: NITEL

Explore Four Levels of Security Testing

With cloud, big data and mobile solutions becoming mission-critical to organizations of all sizes, IT teams are struggling to keep up with the adoption and innovation of the latest security best practices, leaving their organizations vulnerable to cybercriminals. And it’s not just large organizations cybercriminals are targeting; smaller companies are just as likely to be attacked. They tend to be easier targets, more likely to pay up in the case of a ransomware attack. They can also serve as a back door into other third-party organizations they do business with.

Although managed security is an investment, many organizations simply cannot afford to not conduct on-going security testing. According to a recent Trustwave security report, 41% of those surveyed feared financial damage to their company in the event of a cyberattack or data breach.

Managed security testing is defined as subscription-based proactive scanning and testing of environment security to identify vulnerabilities. However, a comprehensive managed security solution does more than identify vulnerabilities and weak points.

When working with a qualified managed security provider an organization should not only gain insight into weaknesses, but gain a blueprint on how to prioritize, mitigate and remediate these risks. When your customer engages with a provider of managed security services like Nitel, backed by a cybersecurity Gartner Magic Quadrant Leader Trustwave, they can choose to engage with four levels of testing depending on their budget and business needs, including:

Basic threat – Simulates the most common attacks executed in the wild today. This class of attacker typically uses freely-available, automated attack tools.
Opportunistic threat – Builds upon the basic threat and simulates an opportunistic attack executed by a skilled attacker that does not spend an extensive amount of time executing highly sophisticated attacks. This type of attacker seeks easy targets (”low-hanging fruit”) and will use a mix of automated tools and manual exploitation to penetrate their targets.
Targeted threat – Simulates a targeted attack executed by a skilled, patient attacker that has targeted a specific organization. This class of attacker will expend significant resources and effort trying to compromise an organization’s systems.
Advanced threat – Simulates an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting.

Cloud 9 Advisers clientele benefit from Nitel/Trustwave’s crowd-sourced, global threat intelligence through a solution that is scoped to fit their needs. Nitel's intrinsic network knowledge, combined with Trustwave’s highly skilled SpiderLab ethical hacker team, can quickly identify security weak points and guide you to a solution to protect your organization.

Managed Next-Gen Security Solutions

What keps business and IT leaders up at night?

For business leaders everywhere, a data breach is on par with the most damaging things that could happen to an organization. The thought of being the next company to make headlines keeps leaders up at night while IT organizations fight to keep the bad guys out. As threats become increasingly widespread, sophisticated and dangerous, companies look to develop security strategies that protect their environment while staying within budgets that seem to get tighter every year.

Your business is unique, with its own set of needs and priorities. That’s why we offer a suite of security solutions that offers multiple ways for you to protect your business. Whether your business is big or small, whether you value distributed architecture or centralized, you’ll find a solution that fits how you prefer to manage your environment.

ENTERPRISE GRADE PROTECTION

Safely enable applications, users and content by classifying all traffic, determining the business use case, and assigning policies to allow and protect access to relevant applications.
Prevent threats by eliminating unwanted applications to reduce your threat footprint and apply targeted security policies to block known vulnerability exploits, viruses, spyware, botnets and unknown malware (APTs).
Protect your datacenters through the validation of applications, isolation of data, control over rogue applications and high-speed threat prevention.
Secure public and private cloud computing environments with increased visibility and control; deploy, enforce and maintain security policies at the same pace as your virtual machines.
Embrace safe mobile computing by extending the enterprise security platform to users and devices no matter where they are located.

ROCK SOLID PROTECTION FOR SMB

Our customized solutions deliver next-generation security for every size and type of business. Gain full control and visibility of application traffic passing through your network, even for encrypted traffic, thanks to application detection, user-identity awareness, SSL interception and built-in live reporting.

You benefit from the same critical next-generation security features that large enterprises receive—but sized appropriately for your business. Your business will fend off threats with included next-gen features that take place directly in the data path, including:

Firewalling
Intrusion Detection and Prevention (IDS/IPS)
URL Filtering
Dual Antivirus
Application Control

SECURITY EXPERTISE ON YOUR SIDE

Nitel has partnered with Gartner Magic Quadrant leader Trustwave to complement our managed next-generation firewall service with a suite of security management services. This 1–2 punch creates a comprehensive managed security solution to reduce your business risk and give you peace of mind. With Nitel overseeing your network health, performance and security, you have a single partner working on your behalf to ensure your business operates optimally and safely.

SECURITY INFORMATIONEVENT MANAGEMENT

Achieve more effective identification and mitigation of security threats. You’ll reduce your burden with around-the-clock support from 10 global security operations centers staffed with experts who have in-depth knowledge and experience working with complex network environments for highly distributed organizations.

Our SIEM service collects, analyzes and stores logs from networks, hosts and critical applications. It extends visibility beyond the network perimeter to the application layer, helping you achieve more effective identification and mitigation of security threats, and compliance validation with numerous regulatory and industry standards.

Advantages:

SpiderLabs security research utilizing global event data to identify current and emerging threats
Industry-leading compliance expertise
Solutions tailored to the specific needs of healthcare, financial, retail and more
Collects and reviews over 1 billion events per day

Need to maintain compliance with PCI, DDS, HIPAA, SOX, FISMA, GLBA/FFIEC? Let Nitel help. We’ll help you fulfill your requirements for vulnerability scanning, penetration testing and ongoing evaluation of your environments and applications.

MANAGED SECURITY TESTING

Reveal potential vulnerabilities in your environment with thorough penetration testing. Expert “ethical hackers,” armed with the same techniques as today’s cybercriminals, attempt to hack into your network or application to help you identify network-connected assets, learn how those assets are vulnerable to attack and understand what could happen if those assets were compromised.

Learn More

Contact Cloud 9 Advisers for expert guidance and help with any compliance, risk management, monitoring, edge security and any other cybersecurity issues. We'll guide you to the right vendors, like Nitel, from our Supplier Portfolio.

Contact Cloud 9

Supplier Spotlight: RSI

Mon, 03 Feb 2020 10:29:06 -0500

Getting Zero Trust Right

By: Taylor Hersom, RSI, see the original article here RSItex.com/post/getting-zero-trust-right

Cloud 9 Advisers, Supplier Spotlight: Renaissance Systems, Inc.

At RSI, our priority is to help companies improve their Cyber Risk Management. While a lot of our clients’ attention is focused on our unique Automated Cyber Risk Management solution, powered by CyberCompass, we also assist our forward-thinking clients to achieve Zero Trust Security through the adoption of our ‘Evolving Trust’ Framework. The purpose of this article is to provide some background on Zero Trust Security, highlight how RSI has re-imagined this strategy, and demonstrate how RSI can help you to adopt true Zero Trust using our Evolving Trust Framework.

A Brief History

Historically, network security hasn’t changed that much. Corporate networks were designed like a castle, where all users are screened at the gate (firewall) for appropriate credentials. Once a user is allowed access, they are trusted and therefore have access to all the goodies inside. In this model, it's difficult for a user to get into the ‘castle’, but the network is vulnerable to widespread turmoil if malicious users manage to get in. As the IT landscape has evolved into multiple devices per user, remote work policies, and sketchy Starbucks WiFi, the need for a better way of managing users/access has become dire.

Hence, Zero Trust is born. Originally known as ‘Zero Trust Network’ or ‘Zero Trust Architecture’, the idea was created in 2009-2010 by Forrester Research Inc.(specifically John Kindervag). While the concept was clever, it took a few years and a BIG company to provide a proof of concept. Google created an enterprise security model, coining it BeyondCorp, and achieved company-wide adoption of the Zero Trust model using home-grown, in-house tools and technologies. BeyondCorp achieved the previously inconceivable; it enabled every employee to work from untrusted networks without the use of a VPN. Since Zero Trust was only a concept at the time, Google had to create and piecemeal together a variety of technologies. Thankfully, there has since been widespread adoption and a variety of technologies created to help you achieve the same vision as Google, but we’ll get to that.

What is Zero Trust? I encourage you to read more about Google’s BeyondCorp solution to gain insight into the intricacies, but in a nutshell: the Zero Trust model asserts that organizations should not automatically trust anything or anyone inside or outside its perimeter(s). Instead, access controls are shifted from the network perimeter to individual endpoints/users and data analytics (i.e. location, time of day, employee credentials, etc.) are used to create meaningful decisions on whether an access request is appropriate. This all adds up to what is called a ‘Trust Score’, and it’s assigned every time a user attempts to log in. Remember the castle analogy above? Think about it like this: Zero Trust micro-segments your castle into a bunch of little castles. You now have the ability to determine which castle(s) your users have access to. If implemented properly, you no longer have to be connected to the corporate network and can work from any internet connection.

The Case for Evolving Trust Security

Early on, RSI understood the value of Zero Trust, especially as businesses increasingly allow remote work, BYOD, and SaaS solutions to accomplish daily tasks. Many companies have moved their most precious data to the cloud and manage an average of 1000 applications at any given time. RSI built a professional services arm to assist companies in understanding the value of this Zero Trust model as well as adopting it without any significant, upfront requirements. In order to accomplish this, we took the Google approach and adopted it ourselves (thankfully we didn’t have to build all the technology from the ground up). This journey allowed us to identify pain points, discern shortcuts from pitfalls, and ultimately develop a framework that adds tremendous value to each of our clients. What’s more, we took the time to look at Zero Trust from a non-traditional lens by including some non-traditional thinkers from our Innovation Center (and its data scientists with their big, beautiful scientific brains). What we identified is a gap in how Zero Trust is discussed, how it is interpreted, and how companies are leveraging the current solutions. RSI took that data and developed our Evolving Trust Framework. The following are some of our biggest takeaways:

One Size Does Not Fit All
Arguably the most important point I will stress is that while advertisements show you can “adopt Zero Trust in minutes with our tool”, those marketing gurus are causing companies to put the proverbial cart before the horse. Even with incredible SaaS tools at your disposal, you still have to be extremely familiar with the implementation and all the nuances that stem from the process, such as certificate authority, device discovery, and inherent limitations. This requires members of your organization to take the time to understand Zero Trust, understand the variety of required tools, and figure out a launch strategy that doesn’t cripple your organization. Furthermore, while there are a variety of technical solutions on the market that claim ‘Zero Trust Security’ (i.e. OKTA, Duo Security), this is only part of the puzzle. There are more components to the Zero Trust Model than those addressed by these Identity & Access Management (IAM) tools. Without this knowledge and expertise, your Zero Trust strategy will gain zero traction.
Easy to Miss the Mark On Execution
Unfortunately, companies tend to fall into this pit of saying “let’s require every user to authenticate in three different ways every time they access any critical application”. Not only does this create a very difficult beast to manage for your IT department, but it also doesn’t even accomplish some of the biggest potential benefits of Zero Trust. This was the #1 reason RSI created the Evolving Trust framework, and the name says it all: we believe in incorporating deep monitoring/data analytics into the entire process so that checks and balances are strategically placed throughout a users’ access journey rather than just at the beginning. For example, when a user authenticates and meets our basic requirements (i.e. correct credentials, an appropriate device, relevant geo-location), we let them in. Next, we monitor those users and what they are trying to access. If they attempt to access any system/data we deem critical, then we require another authentication check. Finally, we keep an eye on the patterns of each user to detect anomalies in what/when/where they are accessing critical applications or data. This allows us to control the narrative for every user, every time, without creating huge inefficiencies in our organization.
Employee Education is Even More Important Than Technology
Zero Trust is just another component of cyber security and one of the biggest problems that security experts are facing is the fact that people LOVE to skirt rules. It’s human nature to make assumptions that we all know everything and we all deserve the best for ourselves, especially when some very nice Nigerian prince is trying to wire us FREE money. RSI discovered the hard way that this unfortunate mindset carries into the Zero Trust realm. The fact of the matter is, Zero Trust adds at least one extra step for every employee when they attempt to login to a critical application by requiring Multi-Factor Authentication (MFA). This causes some people to lose their minds (especially those pesky developers who are obsessed with minimizing clicks), which creates a snowball effect down the road when they decide to adopt a shiny, new SaaS tool and choose not to tell anyone about it. What’s more, IT experts have developed a mindset that firewalls keep bad actors out and that they can inherently trust their environments. The same people who haven’t changed their server admin passwords in 4 years are now required to shift their mindset to the opposite end of the spectrum, which takes time. Your Zero Trust model is only as powerful as the IT people, processes, and technologies you are in control of, which is why RSI identified other strategies to counteract these risks in the form of discovery tools, monitoring, and data analytics.
It Takes A Village Just to Manage A Village
Similar to the game of Monopoly, acquiring the esteemed Boardwalk space is only half the battle. You still have to enforce and manage your acquisition or the positive effects are moot. Zero Trust requires a SOC team to actively manage access, evaluate trust scores on a periodic basis, track new assets, and manage vulnerable endpoints (i.e. outdated OS, vulnerable applications, etc.). RSI treated our implementation as an opportunity to train our entire Technical Assistance Center (TAC) team, creating a squad of experts in the entire Zero Trust Management process and providing them the tools to scale this expertise to our clients. One of the biggest benefits of our Evolving Trust framework is that it requires a LOT less effort for our TAC team to manage access because we have automated many of the previously manual processes.

In summary, Zero Trust is an incredibly useful strategy for companies to keep up with the evolving IT landscape of endless personal devices, SaaS solutions out the wazoo, and cyber-crime galore. In my humble opinion, I don’t see how any company can keep up with this transformation without Zero Trust. However, I’m concerned that many companies are fooled by the current glamour of Zero Trust and their desperation to improve overall cyber hygiene can create more problems than solutions. RSI is working hard to address the Access Management cyber epidemic, and we strongly believe that the Zero Trust model (more specifically, our Evolving Trust framework) is a huge step in the right direction.

To learn more about Zero Trust and how RSI can help, please contact Cloud 9 Advisers.

RSI is a member of the Cloud 9 Supplier Portfolio

Learn More

About RSI

RSI transforms company and culture through fully automated solutions for business workflow. We serve the enterprise with software solutions for business process improvement, artificial intelligence for big data, and custom, managed IT services.

RSI is the exclusive channel distributor of CyberCompass™, a SaaS solution for cyber risk management and remediation.

Automated solutions for business workflow
AI solutions for data analytics
Custom, managed IT services
Exclusive distributor of CyberCompass™, automated cyber risk management
Drone Services

For more than 35 years, the passion for helping people has transformed our business and that of our customers. By developing strong partnerships with our clients, we have a deeper understanding of what they need to better run their businesses. As a result, our services have expanded for a greater reach with every client.

10 risk factors no one talks about

Wed, 30 Oct 2019 10:24:06 -0500

Ten Cybersecurity Risk Factors No One Talks About

These risk factors might not show up on an official risk assessment report, but every security professional should be thinking about them.

By Roger A. Grimes, Columnist, CSO | OCT 17, 2019 3:00 AM PDT see the original article at CSOonline.com

The traditional risk management factors you are all taught include the staid process of categorizing potential threats and risks, evaluating their likelihood of occurrence, and estimating the damage that would result from them if not mitigated. The costs of the potential mitigations and controls are measured against the potential damage. Mitigations are put in place if they are cheaper and better to implement than allowing the risks and threats to occur.

You have all fretted about the difficulty of calculating both the likelihood of an event and its potential damages. They have always been more like a best guess than an insurance actuarial table. How can anyone estimate the chances that a sophisticated ransomware, DDoS or insider attack will occur to their organization in a given year or what assets it might be able to take out with any accuracy? Can anyone prove that likelihood is 20% versus 60% in a given year?

We all struggle with those large estimation issues, but there are a ton of other factors that impact risk management. Here are ten that are rarely discussed openly.

1. Fighting over “might happen” risk

Every risk assessment is a fight between something that might happen and doing nothing, especially if it hasn’t happened before. Many people believe it’s cheaper to do nothing, and those who fight to do something might be seen as wasting money. “Why waste the money? That’s never going to happen!”

Few people get in trouble for following the status quo and doing what has always been done. It’s far harder to push to be proactive, especially when large sums of money are involved, than to just wait for the damage to happen and address it then.

The story I like to use is 9/11 and air travel safety. It’s not like air travel safety experts didn’t already know before 9/11/01 that a hijacker could take over a cockpit using a boxcutter or smuggle explosives onto a plane. These risks had been known for decades. Imagine the public outcry if passengers were made to throw out their water bottles and get full body scans before 9/11 happened. It would have outraged the public and the airlines would have proactively tried to get rid of the security measures.

After 9/11, we happily take off our shoes, throw away our water bottles, and subject ourselves to full-body scans. Getting real money to fight possible risks is much harder to do than to get the money after the damage has happened. It takes real bravery every time a risk assessor warns about a problem that has never ever happened. They are the unsung heroes.

2. Political risk

Proactive risk-taking leads to the next unknown risk component: political risk. Every time proactive heroes argue for something that never happens, they lose a little bit of their political capital. The only time they win is when the thing they were proactive about happens. If they are successful and convince the company to put controls and mitigations in place so the bad thing never happens, well, it never happens.

It’s a self-defeating prophecy. When they win, no one ever knows because they successfully argued for the controls. So, each time the thing they worried about never happens, they are seen as “crying wolf.” They lose political capital.

Anyone who has fought one of these risk management battles can tell you they don’t want to take on too many of them. Each one taken burns their reputation a bit (or a lot). So, proactive warriors calculate which battles they want to fight. Over time, seasoned warriors pick fewer battles. They have to. It’s survival of the fittest. Many of them are just waiting for the day when a really bad thing happens that they didn’t fight to prevent hurts the organization and they become scapegoats.

3. "We say it’s done, but not really" risk

Many of the controls and mitigations we say we have done aren’t really done…at least not at 100%. Many people in the process understand it’s not really done. The most common examples are patching and backups. Most companies I know say they are 99% to 100% patched. In my over 30-year career of checking on the patch status of millions of devices, I’ve never found one that was truly fully patched. Yet, every company I’ve audited told me they were fully patched or nearly so.

The same is true of backups. The current ransomware epidemic has laid bare that most organizations don’t do good backups. Despite most organizations and their auditors checking off for years that critical backups are both done and are regularly tested, it just takes one big ransomware hit to show how radically different the truth is.

Everyone in risk management knows this. How can a person who is in charge of backups ever test everything when they aren’t given the time and resources to do so? To test if a backup and restore would work, you would have to do a test restore of many different systems, all at once, into a separate environment where it would have to work (even though all the resources are pointing in the original environment). That takes a huge commitment of people, time, and other resources, and most organizations don’t give the responsible person any of that for the task.

4. Institutionalized risk: “It’s always been done that way”

It’s hard to argue against “that’s the way we’ve always done it,” especially when no attacks against the weakness have occurred for decades. For example, I frequently come across organizations that allow passwords to be six-characters long and never changed. Sometimes it’s that way because the PC network passwords have to be the same as the passwords connecting to some archaic “big iron” system that the company depends on. Everyone might know that six-character, non-changing passwords are not a good idea, but it’s never caused any problems.

Good luck arguing that everything needs to be upgraded to support longer and more complex passwords, possibly spending millions of dollars, The institutional “wisdom” is against you, and most of those people have been there way longer than you.

5. Operational interruption risk

Every control and mitigation you implement might cause an operational issue. It might even disrupt operations. You are far more likely to get fired for accidentally disrupting operations than for proactively preventing some theoretical risk. For every control and mitigation that you push, you worry about the potential operational interruption it will cause.

The more radical the control, the more likely it is to mitigate every bit of the risk of the threat it is fighting, but the more suspicious you are that it can do so without operational interruption. If mitigating risks without causing operational interruption were easy, everyone would be doing it.

6. Employee dissatisfaction risk

No risk manager wants to make employees angry. If you want to do so, implement any control that restricts where they can go on the internet and what they can do on their computer. End users are responsible for 70% to 90% of all malicious data breaches (through phishing and social engineering). You cannot trust end users’ instincts to protect the organization.

Yet the mere mention of restrictions on what end users can do, such allowing only pre-approved programs to run or restricting where and what they can do on the internet, is met by hostility from most employees. The labor market is tight. Every company is struggling to get good employees, who don’t want to be told they can’t do whatever they want to do on “their” computer. You lock it down too much and they might go work somewhere else.

7. Customer dissatisfaction risk

No one wants to implement a policy or procedure that turns customers off. Upset customers become other companies’ happy customers. For example, credit card companies are far more concerned with accidentally denying a legitimate customer a legitimate transaction than in stopping fraud. They care about fraud, but it’s at a level they feel is long-term sustainable. The subcontractors and companies that make credit card transactions more accurate sell their services to the credit card companies on how well they don’t deny legitimate transactions. Customers wrongly denied twice in a year will use someone else’s credit card.

It’s also why you don’t need to use a PIN with a chipped card in the US. The rest of the world requires both the chip and a PIN, and this is a more secure option by far. How did it get that way? Because PIN and chip cards came to the US relatively recently, and merchants and customers were just getting used to swiping cards. Requiring people to insert the card so that the chip was read correctly was going to make a small percentage of transactions fail and upset some customers.

8. Cutting edge risk

People on the cutting edge often get cut. No one wants to be on the pointy tip of the spear. Early adopters are rarely rewarded for being early. They often become the lessons learned that make it easier for the herd to adopt improved tactics.

Two years ago, the US National Institute of Standards and Technology (NIST) said that its long-standing password policy of requiring long and complex passwords that are frequently changed caused more hacking than it prevented. Its new Digital Identity Guidelines, NIST Special Publication 800-63-3, says passwords can be short, non-complex, and never have forced password changes unless you know the passwords have been compromised. It was a complete 180-degree turn from the previous advice that was accepted as dogma.

Since then, no compliance guideline or regulatory law has been updated to say that following the new advice is recommended or legal. I haven’t seen or heard of any companies moving to the new policies. That’s probably a good thing, because if you changed your policy and got hacked because of it, even if NIST said it was the right thing to do, fingers will be pointed at you asking why you did it. It’s much safer to wait for the herd to move to the new password policies and they are proven right or wrong.

9. Time lag risk

You are almost always fighting some risk that has already happened to other people (or to your organization). You wait to see what tricks the hackers have up their sleeves and then create mitigations and controls to fight those new risks. Having to first wait to see what the hackers are doing makes a time lag from when the new malicious behavior is spotted until you can assess the new technique, think of new controls, and push them out. In a wait-and-see game, you are always behind.

10. "Can’t do everything right" risk

Last year more than 16,555 new public vulnerabilities were announced. More than 100 million unique malware programs are known. Every type of hacker from nation-states to financial thieves to script kiddies are trying to break into your organization. It’s a lot to worry about. You have no way to defend against it all unless someone gives you an unlimited amount of money, time and resources. The best you can do is guess (see #1 above) what are the most important risks and try to stop them.

These are not new components of risk assessment. They have always been there, and they are what you are all thinking about when assessing risk and thinking of controls. It all points to the fact that risk assessment and risk management are far harder to do than it seems, especially on paper or from formal theory in a book. When you consider all the things the average computer security person has to worry about and contemplate, it’s amazing that we can actually get it right most of the time.

Now go out there and continue to fight the good fight!

Learn more about CyberSecurity and Cloud 9 Advisers

Every company wants to be your partner, but let’s face it, if they are selling you something, they’re not your partner, they’re just another vendor. Cloud 9 is different. We don’t actually sell anything and we don't charge our clients. We become an extension of your team and help manage the often overwhelming process of finding, evaluating, and selecting the right technologies and competitive providers. When it comes to cyber security there is far too much to consider. Cloud 9, together with our distributors, is made up of more than two-hundred and fifty experts, engineers and staff, all devoted to helping you save time and money and make choices easier. Our curated Supplier Portfolio contains nearly two-hundred of the best service provider companies. We are one of the largest buyers of technology in the country. Through us, you’ll get the collective buying power of thousands of other clients. Consider us your professional technology shoppers and babysitters. We are impartial, unbiased, and supplier-neutral. We sit on your side of the table to help you find, evaluate, and negotiate with service provider companies. We’ll help you design the right solution and identify the best technologies. We’ll get pricing from multiple competing companies, then guide you through the evaluation and procurement process. Use our evaluation tools for documentation and due diligence. Plus, have our entire team at your disposal before, during, and after the acquisition of your new services. We'll be by your side for as long as you’re in business.

Technology Partners. Strategic Advisers.

China Tops List as Top Risk (duh!)

Tue, 08 Oct 2019 04:02:04 -0500

China Tops List of U.S. Cybersecurity Agency’s Top Risks

By William Turton | August 23, 2019 - see the full article at InsuranceJournal.com

Cybersecurity and Infrastructure Security Agency (CISA), a newly created U.S. cybersecurity agency said Thursday that China represents the greatest strategic risk to the U.S., and as a result, the agency’s top operational priority is reducing the risks from Chinese compromises to the global supply chain, including emerging 5G technology. The statement was part of a report outlining CISA's strategic intent for the next five years. The agency is responsible for protecting America’s critical infrastructure, like election systems and power grids, from hackers and other cybersecurity threats.

Besides China, the agency’s other priorities include federal cybersecurity and reducing risks for industrial control systems. Christopher Krebs, the agency’s director, said in a speech Thursday that his agency is the nation’s “risk adviser,” which doesn’t have its hands on the keyboards of computer networks but rather seeks to make other agencies and companies do a better job managing risks against cyberattacks.

The priorities reflect the work CISA has already been doing since the agency was established in November 2018, a time during which the Chinese manufacturer Huawei Technologies Co. was blacklisted by the Trump administration amid security concerns and Russian agents were indicted for seeking to manipulate the 2016 presidential election.

“When we think about Russia, they’re trying to disrupt the system,” Krebs said, at an event at Auburn University in Alabama. “And China is trying to manipulate the system, so that requires us to take different approaches.”

CISA is currently offering services to election equipment vendors to find potential vulnerabilities in its systems. CISA’s work also includes protecting state and local governments from ransomware attacks, like the one that hit 22 towns in Texas last week. “Ransomware is not going anywhere,” Krebs said. “It’s only getting worse.”

CISA sits within the Department of Homeland Security. Krebs, the agency’s first director, joined the DHS in 2017 and was nominated to lead the agency by President Donald Trump in 2018. Before that, he was the Director for Cybersecurity Policy on Microsoft Corp.’s U.S. Government Affairs team.

Learn how Cloud 9 can help you protect your business

Save Time: We manage everything by becoming an extension of your team and do the legwork for you.
Save Money: We save you big by getting the buying power of thousands of other clients.
Get Confidence: We evaluate and negotiate to get you the best solution, best supplier, and the best price.
Get Clarity: We find the right companies, distill the information, and clear the clutter.

Technology Partners. Strategic Advisers.

5 things keeping Chief Information Security Officers (CISO) up at night...

Wed, 09 Jan 2019 09:20:19 -0500

Counting Threats: 5 Things that Keep CISOs Up at Night

Survey says!

1. The building comes alive (IoT)

2. Cloud gives cover for bad actors

3. Supply chains deliver the good, bad, and ugly

4. Professional Services and 3rd-party weak links

5. Data growth and alert fatigue

read more from Pam Baker on Channel Futures .com

Get Started Now

CyberSecurity Basics

Sat, 29 Sep 2018 12:27:49 -0500

The Basics of Cyber Security, What every business should do

The following is a quick, simple list of must-dos to help businesses of all sizes protect themselves against cyber threats.

Vulnerability Scanning

Doesn’t actually fix anything, but...
Shows “bad spots’”
Good services will show a plan of remediation
If subject to compliance (HIPPA, PCI, etc) recurring V.Scans are required
Do it at least annually, quarterly is common for many businesses, monthly “managed” services best, but more costly

Think of it as a home inspection.

Penetration Testing

Different than a V.Scan but related
Considered “white-hat” or “ethical” hacking
Attempts to actually hack into your network
Should come after a V.Scan and initial remediations steps to test efficacy
Most Pen Tests will deliver a detailed, lengthy report of findings and remediation suggestions
Usually done annually. Should at least be done every couple/few years.

Endpoint Security

Mobile Security;

increasingly important and often overlooked window in to the network
proprietary and cloud apps.
corporate or employee owned mobile devices (BYOD)

Anti-Virus
Firewall, go with a Next Gen FW (NGFW). Best would be a managed Firewall solution. Depending on your situation also look into a cloud firewall solution.

Employee Education

Email phishing; train employees to recognize bad, phishing emails by using mock emails

Contact us at Cloud 9 Advisers. We are impartial, independent, and provider-neutral, consultants of Communications, Collaboration, Connectivity, and Cloud technologies. We guide our clients through the morass of options, solutions, and providers. Sign up for our Consulting & Buying Program and get the real story on CyberSecurity and the best methodology for your business.Find out who the best providers are and who to avoid. Get real-world advice, recommendations, and unbiased solution design.

Through the Program, you’ll have access to our distributor team of provider-neutral SME-Subject Matter Experts and Services Engineers. We’ll help you get pricing and bids from multiple, competing companies through our distributor portfolio of nearly 200 vetted and approved service providers. Use our evaluation tools to show decision makers the entire process, reasoning, and recommendations and complete due diligence for the project. We’ll help manage the entire procurement process (and keep all those pesky sales-guys off your back!). Visit www.Cloud9Advisers.com for more information

Get Started

Cloud 9 Advisers - News #cyber security

Under Constant Attack

Constant attacks require constant Security

About Cloud 9

Never Trust and Always Verify

Zero Trust Picking up Steam in the Enterprise

About Cloud 9 Advisers

ALERT: SolarWinds & FireEye

Tips to protect yourself against the SolarWinds Breach

Are you concerned your business has been affected by the SolarWinds hack?

Supplier Spotlight: Nitel

Nitel: Managed Next-Generation Security

Explore Four Levels of Security Testing

Managed Next-Gen Security Solutions

Supplier Spotlight: RSI

Getting Zero Trust Right

A Brief History

The Case for Evolving Trust Security

About RSI

10 risk factors no one talks about

Ten Cybersecurity Risk Factors No One Talks About

1. Fighting over “might happen” risk

2. Political risk

3. "We say it’s done, but not really" risk

4. Institutionalized risk: “It’s always been done that way”

5. Operational interruption risk

6. Employee dissatisfaction risk

7. Customer dissatisfaction risk

8. Cutting edge risk

9. Time lag risk

10. "Can’t do everything right" risk

China Tops List as Top Risk (duh!)

China Tops List of U.S. Cybersecurity Agency’s Top Risks

5 things keeping Chief Information Security Officers (CISO) up at night...

Counting Threats: 5 Things that Keep CISOs Up at Night

CyberSecurity Basics

The Basics of Cyber Security, What every business should do