Newsletter - November 2020

 

2020 Wrap Up, Observations & 2021 Considerations

We started 2020 with optimism as the market was up, and leading indicators across multiple industries and segments were strong. As the pandemic swept the globe and the market weakened, many organizations found themselves struggling to support remote workers, engage and retain customers and pivot their internal IT and operational methods to support the "new reality". The Presidential election was filled with turmoil and continued to illustrate the ongoing social divide within the country.

 

As we wrap up 2020 and begin to look towards 2021, many risks and unknowns remain that we need to consider and prepare for. At the end of October, New Genesis Solutions hosted a Virtual CISO/CIO Panel and Roundtable that discussed 2021 IT and Security planning considerations.

 

We have included a link to that Virtual Panel and Roundtable here, and within the newsletter below.

 

Also included within this newsletter are 2020 cybersecurity and risk observations that were fueled by current trends, threats, and attacks, as well as historical events we have witnessed.

 

We appreciate you investing time to read through our latest newsletter and we hope you find the articles and resources interesting. Please reach out to us with any questions or comments. We look forward to hearing from you.

 

___________________________________________

 

Newsletter Table of Contents

 

  • Security and Risk Considerations - Virtual Panel Highlights

  • Tales From The Trenches - Common Issues Within Customer Engagements

  • Industry Articles and Research

  • Additional Research Reports, Tools

___________________________________________

 

Security and Risk Considerations

Below is a list of resources that include recent Virtual Panels, predictions for 2021, and trends we have been following over the last few months. We hope you find many of these topics interesting and newsworthy.

 

2021 Security & IT Planning Virtual Panel Highlights

In October we pulled together a group of industry executives and security experts to discuss how organizations are approaching Security and IT planning and budgeting for 2021. Listen to these experts discuss how organizations are working to stay ahead of the pandemic, emerging attacks, risks, and the global recession.

 

View the Entire Virtual Panel and Roundtable Recording Here

 

Questions and Commentary from the Virtual Panel

The pandemic has impacted organizations globally. How are leaders continuing to defend and protect their organizations while they deal with the pandemic? The biggest issue is that it feels like we are coming out of 9 months of high stress; we are all worn out and tired. It has been a struggle to maintain our strategic view towards the future.

 

1. Leaders had to quickly transform the business to support remote work. This included the initial quarantine, which required EVERYONE to work remotely, and then implementing safeguards that enabled employees to return to work in a safe manner (greater physical security).

2. Supply chain issues are not just related to toilet paper. We continue to see higher prices for products, and some products are back-ordered or simply cannot be ordered.

3. Organizations experienced massive increases in phishing attacks and other social engineering attacks.

4. Hiring and retaining talent became harder as many professionals changed jobs, which impacted stability and caused a loss of internal knowledge of systems.

5. As the year closed, teams had to work through budget forecasts with a reduction between 5% and 15%, basically meaning that program growth within organizations is stifled.

 

How have IT and Security plans and budgets been impacted by the pandemic? Is the impact short or long term? In truth, we felt that our strategic plans and roadmaps haven't changed. We still have the same initiatives as we continue to mature programs using frameworks (NIST-CSF, SOC2, ISO) and ensure they are meeting regulatory requirements (PCI, HIPAA, CCPA, local laws).

 

1. While the budgets might not have changed from a planning perspective (we HAD approval before), we expect the number of spending questions to increase as we begin to implement the plans. While this is a normal part of the process, we are expecting that organizations will become a bit more risk-averse for the next couple of years.

 

How are the top threats and attacks that we have witnessed during the pandemic reshaping Security, IT, and businesses? Or is it business as usual? While we experienced a rise in phishing, social engineering, and DDoS attacks, the threats and attacks themselves haven't changed. Phishing is still a problem, and helping users secure their usernames and passwords is something that we, as an industry, have been trying to address for 10+ years.

 

1. Implementing IT best practices is critical to security, and while many of us have developed some cool tricks to identify gaps (such as a lack of change control for development systems), we are continuing to address systems that arrive insecure out of the box.

 

2. Finding talent (professional services, contractors, or full-time), developing or enhancing insider threat programs, and understanding where and how to secure, manage, and track critical data within corporate environments continues to be a challenge.

___________________________________________

Tales From The Trenches - Common Issues Within Customer Engagements

 

Common Recurring Security Issues in Small Businesses

New Genesis Solutions conducts numerous security assessments each year, from in-depth cybersecurity penetration tests to compliance gap assessments. Although organizations remain extremely nervous about being attacked by criminals in black hoodies, we continue to be surprised by the number of “common” (and easy to fix) security issues we find. We also do not believe these issues will be addressed broadly any time soon:

 

1. Physical security is (still) a problem - and will continue to be.

  • Recommendation: Walk around the building from the street

  • Recommendation: Verify exposed locking mechanisms work

  • Recommendation: Set internal cultural expectations that security is everyone's job and that we all need to be aware and diligent

2. Websites (even ones without sensitive data) are STILL juicy targets - and will continue to be hacked and leveraged for criminal activities.

  • Be Aware, Alert, Investigate and Test for: Brand-jacking attacks (HR recruiting, ads, marketing campaigns) that steal marketing contacts, leads, and revenue are a growing theme

  • Be Aware, Alert, Investigate and Test for: Criminals and hackers gaining footholds in websites for data and information exfiltration, theft, or crypto-mining

  • Be Aware, Alert, Investigate and Test for: Criminals and hackers using social media networks to impersonate employees and social engineer their way into an organization to snoop, harvest intelligence, or launch malware and phishing attacks

3. Passwords will likely be the death of us (or at least of our reputation) - and until the industry as a whole comes together to establish a uniform standard and approach, this will continue.

  • Initiate Action to Reduce Risk: MFA is really not that hard to implement and could actually be deployed immediately. Reach out to an expert to discuss how to implement MFA

  • Initiate Action to Reduce Risk: Users that need to change habits are not going to change immediately; change is difficult and takes time. Ongoing reinforcement, governance, and oversight from leadership are required to enforce and drive change

 

A Few Surprising (But Common) Issues

Below are a few more complicated information technology issues that organizations are experiencing, either because the technology was misconfigured when deployed or because the organization simply misunderstood how to approach the deployment as they went through the implementation process:

1. Backups not being completed, consistent, or verified

  • Review, Inspect, Test Your Backup Process: Many organizations have an overreliance on "gold-level" backups or DRaaS vendor solutions and services

  • Review, Inspect, Test Your Backup Solution Deployments and Vendors: There appears to be a growing number of organizations reporting issues or gaps in solution deployments or service delivery. This could be exposing a lack of reliable solutions in the market, or that many providers over-promised and are under-delivering.

2. Turning off VPN (or other services) but still allowing remote mail connections

  • Be Careful About Making Rash Decisions: "VPNs are the devil!" - Many leaders and organizations struggle with remote employees using VPNs in an optimal manner, and their attitude is that VPNs are evil - this brings to mind a bad Adam Sandler Waterboy movie meme. Think through the security and compliance ramifications of moving away from VPNs.

  • Ask for Input from Security Experts: Using webmail from around the world without a secure connection, while phishing and social engineering attacks are on the rise and becoming a plague on corporate society, is not the best course of action.

3. IT organizations making "risk-based decisions" without an actual framework

  • Thinking Through a Risk Framework Can Reduce Future Risk and Complexity: Hardening systems without considering how easy or hard it is to build a new system, access a new site, or provide access to services might seem like a short-term fix, but it often leads to significant complexity and additional risks down the road.

  • Seek Advice from Security Experts: Firewalls that are configured to block traffic based on geography, but are not aligned to the organization's actual data flows, role-based application or service access, or a formal access control hierarchy, can create significant chaos and disruption within the business.

 

Technologies Organizations Can Invest In to Reduce Risk, Improve the Security of Systems, Applications, Data

If New Genesis Solutions were to go out on a limb and suggest to customers what technology they should be investing in, our recommendation would be to investigate Identity and Access Management solutions. These solutions:

 

  1. Enable organizations to leverage identity and access between on-premises and cloud technologies, environments, and critical business applications (both SaaS and PaaS)

  2. Can be utilized to establish the foundation for an organization’s insider threat program

  3. Can be utilized to help establish zero-trust segmentation strategies and programs

  4. Help drive the adoption of Multi-Factor Authentication (MFA) to ensure employees are only accessing the systems, applications, and data they are authorized to access, while keeping cyber-criminals out of the network. MFA is a requirement everywhere, not just in the most used applications.

 

___________________________________________

Industry Articles and Research

Below are a few reports and white papers on cybersecurity, compliance, and risk trends that we found interesting. Enjoy!

 

CISA Election Security Resources: Election Infographic Products

Election Infographic Products is a set of three infographics and two maps designed to combat disinformation by equipping election officials, stakeholders, and voters with information on the mail-in voting, post-election, and election results processes (which vary by state and/or jurisdiction), and the security measures that were implemented to safeguard the 2020 election season.

 

Read more about these resources.

 

National Cybersecurity Potentially Impacted by the Election

Chris Krebs, the director of DHS’ Cybersecurity and Infrastructure Security Agency (CISA), expects the White House to fire him, as the Trump administration continues a purge of officials who are considered disloyal to former President Trump.

 

Read the article here.

 

COVID-19 Focused Attacks Continue on Vaccine Makers

At least three nation-state actors, Strontium, Lazarus Group, and Cerium, have targeted seven COVID-19 vaccine makers, Microsoft warns. “In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19,” reads the post published by Microsoft. “The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.”

 

Read the article here.

 

Harvard Business Review: The Risks You Can't Foresee

For all a company's efforts to anticipate what-ifs, novel risks will still emerge, and companies will not have a script or a playbook for managing them "right of boom," or after a disaster has struck. Also, nothing in the backgrounds of operating or risk managers will help them respond quickly and appropriately. In this situation a company needs to make decisions that are (a) good enough, (b) taken soon enough to make a difference, (c) communicated well enough to be understood, and (d) carried out well enough to be effective until a better option emerges. A company has two options for right-of-boom responses:

 

  1. Deploy a critical incident response team

  2. Manage crisis at a local level (read: at a level you can actually impact the result)

 

Read more of this article.

 

McKinsey Article: How to Address Cybersecurity Vulnerabilities

While many companies are not part of the energy industry and sector, there are some parallels in this McKinsey article on cybersecurity vulnerabilities in that industry. The best 'take-away' is the "myth" section, which pushes past old beliefs (read: install and forget) that traditional controls are enough. Here are some of the approaches companies might want to consider in their OT/SCADA environments:

 

  1. Pentest to validate only authorized connections (airgap and limit physical connections)

  2. Physical and logical monitoring alerts

  3. Document and monitor vendor connections to ensure all access is authorized

  4. Ensure all contractor and vendor resources that access Valley Metro equipment are part of security awareness expectations and understand that they are required to help keep Valley Metro secured by only using authorized systems to access Valley Metro systems

  5. Perform a security controls assessment as part of annual contract reviews and vendor management reviews

 

Read the article here.

 

___________________________________________

Additional Research Reports, Tools

Please email us with questions or comments about the topics or trends above. We want to hear from you! Andy@NewGenesis.Solutions

___________________________________________

Newsletter - October 2020

 

Welcome to the New Genesis Solutions (NGS) Newsletter!

NGS helps organizations to prevent cyber security events and reduce risk, by addressing gaps within IT and business processes through vulnerability and risk management consulting services.

 

We started 2020 with optimism as the market was up, and leading indicators across multiple industries and segments were strong. As the pandemic swept the globe and the market weakened, many organizations found themselves struggling to support remote workers, engage and retain customers and pivot their internal IT and operational methods to support the "new reality". As we enter the last quarter of 2020 organizations are faced with the economic headwinds of a recession and are dealing with a massive increase in ransomware, phishing, and new malicious attacks.

 

We appreciate you investing time to read through our latest newsletter and we hope you find the articles and resources interesting. Please reach out to us with any questions or comments. We look forward to hearing from you.

Newsworthy Topics & Trends

Below is a list of various topics and trends we have been following over the last month. We find many of these topics interesting and newsworthy.

 

Cyber Security & Regulations:

The global pandemic and increases in cyber and physical domestic terrorism have impacted the way we live and work. They have also caused regulators to expand the list of controlled substances, including everyday household items such as hydrogen peroxide. This is one of 300+ chemicals that are now regulated under the CISA Chemical Facilities Anti-Terrorism Standards (CFATS) program. Through CFATS, CISA works directly with facilities to reduce the risk that certain hazardous chemicals are weaponized by terrorists. While we recognize this level of control reduces risk, we wonder what the long-term impact will be to citizens and how this will change the consumer experience and consumption laws. View the Chemical Facility Anti-Terrorism Standards.

 

Global Impact of the Pandemic

S&P Global research and analysis on the pandemic's impact to local and global markets is extensive. S&P's mid-year ITT updates provide a snapshot of 39 industries in North America and EMEA. They focus on the impact of COVID, the likely shape of each industry’s recovery, and key risks around our forecasts. View the latest research here. Also, sign up for this complimentary webinar on October 2 regarding global credit conditions and the impact this data has on the economic recovery.

 

Pandemic Fuels Demand for Cyber Talent

We've been talking about the cyber security skills gap for more than a decade, but industries are now reporting huge cybersecurity staffing shortages as attacks surge during the pandemic. The Information Systems Security Association found a 63% increase in cyberattacks related to the pandemic. Read more here.

 

National Cybersecurity Awareness Month

To kick off national cybersecurity awareness month, CISA is hosting a virtual 2020 Cybersummit, providing a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7. Each series will have a different theme that focuses on CISA’s mission to “Defend Today, Secure Tomorrow,” with presentations from targeted leaders across government, academia, and industry. The Day 2 video will stream live beginning at noon on September 23. Check out the website for additional information. View the 2020 Cybersummit website here.

 

Addressing Business & Organizational Risks:

Executives and business owners should always assume that their organization has something cyber criminals want. You don’t need to be famous or have millions of dollars in a bank account to become the victim of cybercrime. For the last 10 years, businesses of all sizes have fallen victim to phishing and business email compromise scams that launch malware, steal credentials to systems, or drive unsuspecting employees to carry out an act such as sending a payroll report or a list of employees or customers to an imposter. These acts lead to system breaches, theft, and fraud. View this series of short videos on how to protect yourself in the workplace and check out this Cyber-Threat Risk Mitigation Article.

Industry Articles & Research

Below are a few reports and white papers on cybersecurity, compliance and risk trends that we found interesting. Enjoy!

 

Mitigating COVID-19 Cyber Attacks

Dark Reading always does a solid job publishing research and advice from 3rd parties. This page provides a series of articles on recent COVID-19 cyber attack trends and best practices for preventing attacks and reducing risks during these uncertain times. View the page here.

 

Interpol COVID-19 Cybercrime Report

Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation around the world. At the same time, the higher dependency on connectivity and digital infrastructure due to the global lockdown increases the opportunities for cyber intrusion and attacks.

Read the full report here.

 

Misconfigured Web Application Firewall Leads to $80 Million Fine

As Capital One just found out, all it takes is one bad guy and one mistake to create a massive breach that results in a massive fine. In 2019 a hacker leveraged a misconfigured web application firewall to access Capital One’s files, hosted on Amazon Web Services S3 servers. Capital One has been driving significant remediation and corrective action to redeem itself per a Federal Reserve cease and desist order. Read more here. Capital One is not alone in its struggles around misconfigured cloud servers and applications, as cosmetics giant Avon announced a breach of 19 million records in July 2020.

 

Microsoft Source Code Leaked Online...After All it is 2020 Right?

Well, it wouldn't be 2020 if Microsoft was not embroiled in some level of security incident. It appears that torrents have been placed online containing the source code for Windows XP, Windows 2000, and other software from Microsoft. Shared on the notorious 4chan, the collection of files, approaching 50GB in size, also includes the source code for Windows Server 2003, Windows NT, and MS-DOS. Read more here.

 

FortiGate VPN Default Config Allows MitM Attacks

It appears that Microsoft isn't the only technology manufacturer showing up in the news this month. Researchers reported that default configurations of Fortinet’s FortiGate VPN appliance could open organizations to man-in-the-middle (MitM) attacks, where threat actors could intercept important data. Read more here.

 

Keeping Up with Regulatory Compliance Actions, Changes

Organizations across dozens of industries are required to comply with industry regulations. Regulations and legislation can be updated or passed frequently, creating significant strain and pressure on organizations to keep up with the rate of change and to navigate the change management associated with updating policies, procedures, reporting, and training of employees. View this website to keep track of pending regulatory actions within the U.S.

Additional Links to Research Reports, Tools

Please email us with questions or comments about the topics or trends above. We want to hear from you! 

Andy@NewGenesis.Solutions

New Genesis Solutions

Copyright 2020 New Genesis Solutions. All Rights Reserved.
