CloudGovCo

Making the cloud a success
Ransomware Cripples US Gas Supplies

On Friday, May 7, a ransomware attack on Colonial Pipeline shut down gas delivery in the eastern United States. Colonial Pipeline is the largest pipeline in the USA, and the Administration is scrambling to substitute delivery by oil tankers on land and sea.

Colonial Pipeline halted all operations on its systems and its 5,500 miles of pipeline, and is now working to restore them. The attack appears to be the work of a group called DarkSide, located somewhere in Eastern Europe.

Ransomware is a type of cyberattack in which the attacker removes files and encrypts your hard drives, then demands a ransom to return the files or decrypt the drives. Ransomware started on a small scale against individuals; today it targets large organizations and demands ransoms in the millions of dollars. Recent targets have included several large cities.

Utilities like oil and gas are vulnerable because, as the Internet became more useful, they failed to firewall their operational systems from their administrative ones. Realistically, the two should never be interconnected.

Protect Against Malware

This malicious software is usually delivered through an innocent-looking email attachment or an unpatched computer. For protection in the #cloud and #onpremises, implement our free security awareness training and:

  • Segment networks with Virtual Local Area Networks (VLANs)
  • Implement a zero-trust security framework
  • Classify data by its sensitivity to loss using CIA (Confidentiality, Integrity and Availability)
  • Understand where important data is kept and create an effective backup strategy
  • Maintain an air gap to backup systems so they don’t become infected
  • Manage network switches out of band
  • Have firewalls quarantine emails with attachments that come from outside the organization
  • Do not open attachments from unknown people or addresses
  • Change default passwords across all access points
  • Use multi-factor authentication (MFA)
  • Put data recovery programs in place and test them
  • Put business continuity programs (BCP) in place and test them
  • Train staff to recognise suspicious emails
  • Apply software patches to keep systems up to date

UK Wants to Break Privacy

The Five Eyes intelligence agencies are at it again: Wired UK reports that the Home Office in the UK is once more trying to win support for banning encryption and breaking privacy protection.

The demand is that the government must be able to read everything you do in order to keep you secure. Say what?

Back doors in #encryption will give criminals access to our bank accounts and more. As Apple CEO Tim Cook says:

“There have been people that suggest that we should have a back door. But the reality is, if you put a backdoor in, that backdoor is for everybody, for good guys and bad guys.”

The mainstream press plays along, casting the discussion as a spectrum from privacy to security. It’s not. Privacy and data protection provide security. The alternative is pervasive surveillance in societies such as China. Learn about security threats to your well-being and what to do about them with our free security awareness training.

Understand Data Transfer Costs

Cloud Service Providers charge for data transfer as NASA recently learned.

Optimising data transfer costs is a key component of financial management in controlling #CloudCosts.

You may be charged for data transfers within your cloud solution, depending on the contract and service-level agreement. This may especially apply to transfers between zones and regions.

  • Evaluate the architecture and design of your solution to avoid unnecessary costs.

You will be charged for data-out transfers from the cloud to on-premises. Your Internet Service Provider will also charge for data transferred over an Internet connection. If you are using a VPN (virtual private network) to enhance security, it will also carry a cost.

  • Evaluate where data is stored to minimise egress charges.

Plot workflows to minimize the traffic charges that occur when components scale across different platforms — either from the data center to the cloud, or from one cloud to another.

  • Evaluate the use of a dedicated and direct connection to the cloud to reduce data transfer costs.

You will be charged for data transfers from your application to the Internet.

  • Evaluate the use of a content-delivery network to reduce latency on storage and reduce data transfer costs to the Internet.

You will be charged for data transfers between data centres.

  • Optimize cross-zone/region or cross-cloud traffic by compressing the traffic or using a WAN optimizer.

You will be charged for data retrieval and export from archival data storage such as Amazon Glacier and Google Cloud Storage Nearline. These transfer costs can easily surpass the cost of storage.
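
To make the evaluation the bullets above ask for concrete, here is an added example (not part of the original post) that models a workflow's data movements as hops and prices each hop by the most expensive boundary it crosses: intra-zone, cross-zone, cross-region, internet egress or archive retrieval. The per-GB rates, node names and volumes are constructed placeholders, not any provider's price list. It compares the same pipeline with the worker placed in a remote region, co-located with the database, and with compressed cross-region traffic.

```python
"""Price a workflow's data movements by the boundary each hop crosses.
Added example: the rates, nodes and volumes below are constructed
placeholders, not any provider's actual pricing."""
from dataclasses import dataclass

# Constructed USD-per-GB rates keyed by hop kind (placeholders).
RATES = {
    "intra-zone": 0.00,
    "cross-zone": 0.01,
    "cross-region": 0.02,
    "internet-egress": 0.09,
    "archive-retrieval": 0.05,
}


@dataclass(frozen=True)
class Node:
    """A component in the workflow and where it lives."""
    name: str
    cloud: str      # provider name, or "internet" for end users / on-premises
    region: str
    zone: str
    archival: bool = False   # True for Glacier/Nearline-style tiers


def hop_kind(src: Node, dst: Node) -> str:
    """Classify a transfer by the most expensive boundary it crosses."""
    if src.archival:
        return "archive-retrieval"      # retrieval is billed before any transfer
    if dst.cloud == "internet" or src.cloud != dst.cloud:
        return "internet-egress"        # leaving the provider, or cross-cloud
    if src.region != dst.region:
        return "cross-region"
    if src.zone != dst.zone:
        return "cross-zone"
    return "intra-zone"


def monthly_cost(flows, compression=None):
    """Total the monthly cost of (src, dst, GB/month) flows.

    compression maps a hop kind to the ratio of bytes left after
    compression or WAN optimisation on that link (1.0 = none)."""
    compression = compression or {}
    breakdown = {}
    for src, dst, gb in flows:
        kind = hop_kind(src, dst)
        cost = gb * compression.get(kind, 1.0) * RATES[kind]
        breakdown[kind] = round(breakdown.get(kind, 0.0) + cost, 2)
    return round(sum(breakdown.values()), 2), breakdown


# Constructed workflow: archive -> database -> worker -> end users.
ARCHIVE = Node("archive", "cloudA", "us-east", "a", archival=True)
DATABASE = Node("db", "cloudA", "us-east", "a")
WORKER_REMOTE = Node("worker", "cloudA", "eu-west", "b")
WORKER_LOCAL = Node("worker", "cloudA", "us-east", "b")
USERS = Node("users", "internet", "-", "-")


def scenario(worker: Node):
    """The same three flows with the worker placed at `worker`."""
    return [(ARCHIVE, DATABASE, 100), (DATABASE, worker, 500), (worker, USERS, 50)]


def compare():
    """Cost of the remote placement, the co-located placement, and the
    remote placement with cross-region traffic compressed to 40%."""
    return {
        "remote": monthly_cost(scenario(WORKER_REMOTE))[0],
        "co-located": monthly_cost(scenario(WORKER_LOCAL))[0],
        "remote+compression": monthly_cost(scenario(WORKER_REMOTE),
                                           {"cross-region": 0.4})[0],
    }


if __name__ == "__main__":
    for placement, usd in compare().items():
        print(f"{placement:20s} ${usd:7.2f}/month")
```

The archive retrieval and the final egress to users cost the same in every placement; only the database-to-worker hop changes, which is why the co-located and compressed variants come out cheaper. Swap in your own contract's rates and real volumes to get a figure worth putting in a briefing note.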

Use a Briefing Note

Instead of a slide presentation on your #cloud project, use a briefing note with six paragraphs:

  1. The Challenge. This defines “where we are now” and is always either a problem or an opportunity. Don’t be afraid to state problems; it’s not ideal to hide everything under the MBA-speak “opportunity”, so differentiate between problems and true opportunities.
  2. The Undesired Outcome. This defines “where we don’t want to be”: what will happen if the problem or opportunity is not addressed. You can also think of this as the opportunity cost if we spend the money on something else.
  3. The Desired Outcome. This defines “where we do want to be,” which should obviously be better than the undesired outcome or the status quo.
  4. The Proposed Solution. This defines what must be done to avoid the undesired outcome and achieve the desired one.
  5. The Risk Remover. This explains in simple terms why the proposed solution is likely to succeed and unlikely to fail. (This is not a risk impact analysis.)
  6. The Call to Action. This tells the reader the specific decision you want made that will put the solution into motion to achieve the desired outcome.

Quick Wins Show Results

Quick wins in a project show results to management, instill confidence and motivate the team.

This also creates momentum – important in every project – and creates warm and fuzzy feelings in the organization when you advertise success.

Quick wins are not a one-off – you should be continuously managing a list of prospects using a #Kanban board or similar.

A quick win is an improvement that is visible, has immediate benefit, and can be delivered quickly after the project begins.

The quick win does not have to be profound or have a long-term impact on your organization, but needs to be something that many stakeholders agree is a good thing.

Quick wins can be easily discovered during analysis of business processes or during requirements elicitation.

You can often identify quick wins by simply asking stakeholders if they have any quick win recommendations that could result in immediate benefits to the organization.

The best quick wins are easy to implement, inexpensive, and of course can be rapidly implemented.

4 Most Common Types of Cybersecurity Threats

There’s every indication that the pandemic is changing the nature of cybersecurity. Online threats are evolving to match our new remote-work paradigm, with 91% of businesses reporting an increase in cyberattacks during the coronavirus outbreak. 

Hackers are getting more and more sophisticated and targeted in their attacks. Many of these cyber threats have been around for a while, but they are becoming harder for the average user to detect. Beware of these four common types of cyber threats – and learn what you can do to prevent them. 

Advanced phishing attacks

Phishing takes place when a hacker tricks an individual into handing over information or exposing sensitive data using a link (with hidden malware) or a false email. These types of security threats are quite common, but in recent months they are becoming even more advanced. 

Microsoft’s recent survey of business leaders in four countries found that phishing threats are currently the biggest risk to security. Since March, 90% of those polled said that phishing attacks have impacted their organization, and 28% admitted that attackers had successfully phished their users. Recently, phishing emails have targeted enterprises to capture personal data and financial information using one of the following tactics:

  • Posing as a provider of information about COVID-19 vaccines, PPE, and other health and sanitation supplies
  • Creating false “portals” for business owners to apply for government assistance and stimulus funds during the economic shutdown
  • Using download links for platforms and tools that help remote teams communicate, such as video conferencing 
  • Posing as “critical update” downloads for enterprise collaboration solutions, such as Microsoft OneDrive, and social media applications
  • Targeting IT service providers that ask for payment in order to provide tech support. 

Phishing is so effective because it can be very hard to recognize and because it targets individual people rather than IT vulnerabilities. Yet there are still ways to lower your risk of phishing.

How to prevent phishing: The best chance to prevent phishing attacks is to educate your teams on what to look for in a phishing message. Poor spelling and grammar, as well as an email address that doesn’t match the displayed sender, are telling signs of a phishing message. If an offer seems too good to be true, it is a good sign you’re being scammed. In addition to user education, you can add multi-factor authentication and other interventions to stop phishing messages from getting through. “Spam filters with sandboxing and DNS filtering are also essential security layers because they keep malicious emails from entering the network, and protect the user if they fall for the phishing attempt and end up clicking on a malicious hyperlink,” one security expert told ZDNet.
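The header-level signs listed above (a sender address that does not match the displayed name, replies routed elsewhere) and the "quarantine attachments from outside the organization" item in the Protect Against Malware checklist can be turned into a simple gateway rule. The following is an added example, not code from the original post or from any product mentioned on this page; the internal domain, the two messages and the rule set are constructed, and a real deployment would sit behind a mail gateway that already does SPF/DKIM checks.

```python
"""Header-level triage for inbound mail, in the spirit of a gateway rule.
Added example: the domain, messages and rules below are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own domain


def domain_of(header_value) -> str:
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    address = parseaddr(str(header_value))[1]
    return address.rpartition("@")[2].lower()


def triage(raw_message: str) -> dict:
    """Return a verdict and the reasons for it for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From", ""))
    external = from_domain != INTERNAL_DOMAIN
    reasons = []

    # Checklist rule: attachments from outside the organisation are held.
    has_attachment = any(
        part.get_content_disposition() == "attachment" and part.get_filename()
        for part in msg.walk()
    )
    if external and has_attachment:
        reasons.append("external attachment")

    # The display name claims to be internal but the real address is not.
    if external and INTERNAL_DOMAIN in display_name.lower():
        reasons.append("display name does not match sender address")

    # Replies would go to a different domain than the one shown as sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append("reply-to domain differs from sender")

    return {
        "from": address,
        "verdict": "quarantine" if reasons else "deliver",
        "reasons": reasons,
    }


# Constructed messages (not real mail).
LURE = """\
From: "IT Support example.com" <helpdesk@examp1e-support.net>
Reply-To: tickets@another-domain.invalid
To: user@example.com
Subject: Critical update required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached update.
--b1
Content-Type: application/octet-stream; name="update.exe"
Content-Disposition: attachment; filename="update.exe"
Content-Transfer-Encoding: base64

Cg==
--b1--
"""

COLLEAGUE = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("colleague", COLLEAGUE)):
        print(name, triage(raw))
```

The lure trips all three rules and is held for review; the internal note passes untouched. The point of returning the reasons rather than just a verdict is that the quarantine notice to the user doubles as the training example the section recommends.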

Ransomware

Ransomware is a type of security threat that encrypts a victim’s files so they can’t access their information. The hacker then asks for a ransom – usually payment – to restore access and decrypt the user’s data. 

Perhaps the most notorious recent example of a ransomware attack is that of Garmin. In July, Garmin – a navigation and fitness wearables company – was hit by a ransomware attack that downed service for virtually every Garmin customer.  “Hackers deployed the ransomware tool WastedLocker, which encrypts key data on a company’s digital infrastructure,” reported Cyber Security Hub. “In the case of Garmin, website functions, customer support, and user applications were all affected. Unlike typical ransomware software, WastedLocker does not steal identifying information and hold it for ransom. Instead, it renders programs useless until decrypted.” Garmin reportedly paid $10 million for the decryption key to resume services after four days of outages. 

Garmin isn’t alone, however. There’s been a seven-fold increase in ransomware attacks this year targeting companies of all sizes. So, what can your organization do to protect itself?

How to prevent ransomware: First and foremost, it’s important to make sure your security protocols are kept airtight – and apply security patches as quickly as possible to prevent hackers from exploiting vulnerabilities. A tool like Nightfall can make it easier to maintain a strong defense, with AI monitoring your network for any issues. Multi-factor authentication can also prevent hackers from getting too far into your system. And, you should regularly back up your system so if a ransomware attack does happen, you’ll be able to recover some data. 

Password-based cyberattacks

A password-based cyberattack is one that targets users who have the same password for multiple sites. Research from the World Economic Forum found that 4 out of 5 global data breaches are caused by weak/stolen passwords. 

There are several different ways a hacker can infiltrate your system using a password-based cyberattack. The most common method is known as a brute force attack. This attack uses a computer program to try to log in to a user’s account by trying all possible password combinations, starting with the most common and easiest-to-guess options, for instance “1234” or “abcde”. Sensitive data like passwords, credentials and secrets are in constant danger of exposure, especially as more companies conduct the majority of their business in the cloud. The highly collaborative and always-on nature of cloud services makes it hard to enforce good password practices. Therefore, organizations need data loss prevention (DLP) to keep essential data from being exposed.

How to prevent a password-based attack: make it easy for users and security teams alike to circumvent the risk of password attacks by implementing password-free authentication methods. This is a type of authentication that requires a user to confirm their identity during the login process through a separate channel. This extra step can also protect your workspace in case there’s any account compromised or if a device gets stolen. 
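Brute force leaves a distinctive trace in authentication logs: many failures from one source in a short time, or one or two guesses against many different accounts (password spraying). The detector below is an added example, not code from the original post; the log lines, thresholds and time window are constructed, and the line format imitates sshd's "Failed password" messages but uses ISO timestamps so it parses without the syslog date handling a production tool would need.

```python
"""Flag brute-force and password-spraying patterns in authentication logs.
Added example: the log lines, thresholds and window are constructed; the
line format imitates sshd but uses ISO timestamps for simplicity."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

WINDOW = timedelta(minutes=10)   # constructed tuning values
BRUTE_FORCE_FAILURES = 5         # failures from one source within WINDOW
SPRAY_ACCOUNTS = 3               # distinct accounts tried from one source


def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect(lines):
    """Return {source_ip: [finding, ...]} using a sliding time window."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(parse_failures(lines)):
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Drop events that fell out of the window ending at events[end].
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            kinds = findings.setdefault(ip, set())
            if len(window) >= BRUTE_FORCE_FAILURES:
                kinds.add("brute-force")        # many guesses, one source
            if len({u for _, u in window}) >= SPRAY_ACCOUNTS:
                kinds.add("password-spray")     # few guesses each, many accounts
    return {ip: sorted(k) for ip, k in findings.items() if k}


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    *(f"2021-05-10T08:00:{s:02d} sshd[1200]: Failed password for root "
      f"from 203.0.113.5 port 51234 ssh2" for s in range(0, 60, 10)),
    "2021-05-10T08:01:00 sshd[1300]: Failed password for invalid user alice from 198.51.100.7 port 40001 ssh2",
    "2021-05-10T08:01:30 sshd[1301]: Failed password for invalid user bob from 198.51.100.7 port 40002 ssh2",
    "2021-05-10T08:02:00 sshd[1302]: Failed password for carol from 198.51.100.7 port 40003 ssh2",
    "2021-05-10T08:03:00 sshd[1400]: Failed password for bob from 192.0.2.9 port 52000 ssh2",
    "2021-05-10T08:03:05 sshd[1400]: Accepted password for bob from 192.0.2.9 port 52000 ssh2",
]

if __name__ == "__main__":
    for ip, kinds in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(kinds))
```

The single mistyped password from 192.0.2.9 produces no finding, which is the behaviour you want before wiring this up to an alert or a temporary block; the spraying source never reaches the brute-force threshold, so counting failures alone would miss it, which is why the detector also tracks distinct accounts per source.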

IoT and smart medical devices 

The internet of things makes life a lot easier – and also more open to bad actors. Connected devices are an increasingly popular target for cyber threats. In 2019, cyberattacks on IoT devices increased by 300%, according to one report. This includes attacks on everything from laptops and webcams to smart homes (like Google Nest), smart watches, routers, and other home appliances. 

Our personal devices aren’t the only things that are vulnerable. The Software Engineering Institute of Carnegie Mellon University reported, “As more devices are connected to hospital and clinic networks, patient data and information will be increasingly vulnerable. Even more concerning is the risk of remote compromise of a device directly connected to a patient. An attacker could theoretically increase or decrease dosages, send electrical signals to a patient or disable vital sign monitoring.” Healthcare providers must also contend with protecting patient data. As many healthcare providers shift to remote work, they become an attractive target for hackers. Protected health information (PHI) must be kept safe during all cloud-based activities – yet many SaaS providers, including Slack, are not HIPAA-compliant right out of the box.

This post originally appeared on Nightfall and is reproduced here with permission.

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack and GitHub as well as IaaS platforms like AWS.

5 Tips for Building a Culture of Security Among Remote Employees

1. Security culture is inseparable from the values of your organization’s leadership

Like any other organizational value, building a culture of security starts at the top. Invested stakeholders, usually starting with senior leadership, must cascade the types of cultural changes they wish to see by helping spearhead initiatives that will ultimately transform their organization. Although it is IT’s job to educate and engage with employees who break security policies and don’t follow security best practices, it would be very difficult for IT to function in an organization where leadership doesn’t embody the values needed to maintain a secure organization. 

While security teams and leadership have historically talked past one another, there is a growing understanding that leadership must play a role in fostering a culture of security by investing in security teams and setting the expectation that security is taken seriously across the entirety of the organization. Luckily, a growing number of security teams have found a common language to discuss these issues with the board and C-level executives – the language of business risk assessment and security performance benchmarking. When security leaders and business leaders speak the same language, it’s then that business leaders will begin to understand their role in shaping their organization’s security posture. This will motivate them to enshrine security as one of the organization’s core values and enable processes like best practices documentation and security education programs to play a critical role in employee onboarding and training. 

With this in mind, it might be challenging for organizations whose leaders don’t already appreciate the importance of security to adapt to the security challenges of remote work. Assuming these processes are in place within your organization, now is the time to update them to appropriately reflect the risks remote employees may encounter while working from home. However, if such processes are not in place, implementing them will obviously be a critical goal going forward.

2. Employees must be made aware of how important security is to the organization and how it impacts their work

Whether or not your organization has training and documentation in place, it’s a good idea to reiterate the significance of security best practices to employees through company-wide communications channels and remote events like security discussions and training. This is especially true given that many employees are adopting new technologies to work and collaborate remotely while facing new and emerging types of malware and social engineering. Your aim as you educate employees is to remind them that security is critical to the health of the organization, and that the security risks they face effectively translate to job performance. Ultimately, an employee affected by a security incident will be unable to perform their duties, making it very important for them to broadly grasp the types of cyber threats the organization faces.

3. As you educate employees tie it into personal learning

A good security education program effectively serves a workforce development function. Getting employees to see this will improve employee buy-in and make them more readily embrace security education. In addition to the previous point of tying security education to organizational health and improved job performance, you should also highlight that security education will make employees good digital citizens which will help them in their personal life and in future roles. To reflect this mindset, security teams should whenever applicable highlight when security lessons apply both on the job and off the job.

4. Encourage employees to apply what they’ve learned

Building and revamping security education programs for the remote work era is only half the battle. Getting employees to apply what they’ve learned by identifying and potentially stopping incidents is the ultimate goal. Comprehensive security education programs should often be paired with periodic simulations (like phishing tests) where employees can demonstrate their security savvy. Employees and departments that are successful in identifying real or simulated incidents should be recognized for doing so during performance reviews and evaluations.

5. Build a security resource library

Most of this post has focused on the nature of security education and awareness programs; however, documentation is an important resource for employees as well. Good onboarding documentation, like your employee handbook, is critical to setting the expectation that security is important. However, your organization should more generally provide other documentation. In most cases this will take the form of a security resource library, which should contain plain-language summaries of company security policies as well as descriptions of cyber risks relevant to your company. You might also choose to include learnings from previous security training in the form of videos or other interactive content. Finally, you’ll want to ensure you’ve assigned a stakeholder to maintain this library and encourage employees to review it periodically so that they can stay up to date on what they need to know to stay secure.

If you already have such a resource, it’ll naturally be a great channel to provide employees with the lessons they’ll need to stay safe while working remotely. If not, it’s not too late to build one. You might find that some of your existing security content can readily be turned into materials to give remote employees the security insights they’ll need as they navigate the security risks of remote work.

This post originally appeared on Nightfall and is reproduced here with permission.
