Cybersecurity: The Hackers Are Already Through The Utilities’ Doors, So What’s Next?

Forbes | December 20, 2018

In a recent conversation on the topic of cybersecurity, Ray Rothrock – CEO of cybersecurity firm RedSeal, and author of the 2018 book Digital Resilience – offered some interesting and sobering insights on the state of the cyber world and utilities. He commented that hackers are already likely sitting in various U.S. utility systems and reconnoitering, in what the Department of Homeland Security calls an Advanced Persistent Threat mode. The critical question, then, is what to do about that fact, and how to create resilient responses.

Zuckerberg: How He Can Get Facebook Back On Track

Forbes | December 15, 2018

“Facebook rose to success at a time when most people made clear how little they cared about privacy – we would post anything, and we enjoyed the freedom and the sense of connection,” said Dr. Mike Lloyd, who is the CTO of RedSeal. “Unfortunately, like a vine growing up a building, Facebook has spent years attaching itself to the way people used to behave. Its business model depends on people remaining incautious, and insensitive to privacy issues. But people are changing as we encounter more of the downsides of social networks. We are getting more suspicious and less trusting.”

Best security software: How 25 cutting-edge tools tackle today’s threats

IDG | December 14, 2018

Threats are constantly evolving and, just like everything else, tend to follow certain trends. Whenever a new type of threat is especially successful or profitable, many others of the same type will inevitably follow. The best defenses need to mirror those trends so users get the most robust protection against the newest wave of threats. Along those lines, Gartner has identified the most important categories in cybersecurity technology for the immediate future.

Trade group pushes voluntary cybersecurity standard for defense contractors

The Washington Post | December 13, 2018

With Kimberly Baker, RedSeal Senior Vice President and GM Public Sector

As the U.S. military tries to ensure its military assets are as secure as possible against cyberattack, the U.S. defense industry is gathering behind a new set of standards to spot cybersecurity laggards within its own supply chain.

The Aerospace Industries Association (AIA), an Arlington-based trade association that lobbies on behalf of defense contractors, on Tuesday released a set of voluntary standards designed to help U.S. aerospace companies ensure the weapons systems they make for the U.S. military are secure from hackers.

Does Improving Cybersecurity Begin with Improving the Acquisitions Process?

Government Technology Insider | December 11, 2018

With Kimberly Baker, RedSeal Senior Vice President and GM Public Sector

The ability to secure federal data, networks, and assets is impacted by the ability of agency cyber leaders to access required technology. They need to continually respond to well-resourced adversaries that are constantly evolving the mechanisms of attack.

Because of the acquisitions process, requests to upgrade existing cyber defenses or acquire the tools that can keep pace with this constantly evolving threat environment can take months if not years. During that time – from request to approval and deployment – critical systems and data are vulnerable to a breach.

Scanning for Flaws, Scoring for Security

Krebs on Security | December 2018

“You can, of course, establish some important things about the quality of a building from a photograph, but it’s no substitute for really being able to inspect it from the inside,” Dr. Mike Lloyd told Dark Reading regarding the Chamber/FICO announcement in October.

Digital Resilience: Book Review by Azure Yu

By Azure Yu, Titans Briefs, The University of Texas at Austin McCombs School of Business

Summary:

Cyberattacks are inevitable and costly in today’s intensively connected world. Undergoing cyberattacks will be the norm rather than the exception for all kinds of organizations, and these attacks will usually have devastating consequences. To survive in this hostile environment, companies have implemented necessary security measures such as firewalls and anti-malware, but these measures are insufficient against the inherent risks of digital networks. Greater connectivity comes with more vulnerability. Rothrock points out that C-suites must use “digital resilience” as a whole-business strategy. Digital resilience allows companies to survive attacks, contain breaches, recover, and continue to operate while under attack. Lack of digital resilience can lead to severe consequences – the 2013 Target breach was an example.

The book describes digital resilience in detail. It covers the history of networks, the technical fundamentals, and the distributed nature of the current state. It paints a vivid picture of the inevitability of a successful attack, given that over a trillion Internet of Things (IoT) devices are connected to the network and each node creates vulnerability. It provides actions business leaders can take toward achieving digital resilience. Here are the eight steps listed in the book to build deep knowledge of your data and networks:

  1. Verifying that the device configurations comply with relevant regulation and industry best practices.
  2. Modeling the network by collecting configuration and operation data of the network devices as often as necessary and without burdening the network.
  3. Visualizing end-to-end access and path details to see intended and unintended access among all parts of the network.
  4. Measuring network resilience and managing it. Rothrock explains the resilience scoring in his RedSeal system in Chapter 6.
  5. Identifying hidden areas of the network to manage risks in those areas – the “scary parts” and unknown parts of the network can be significant security risks.
  6. Prioritizing vulnerability patching so that resources go to the most urgent network issues first.
  7. Verifying network security policy. It is essential to know if security policies are implemented properly in order to measure the real resilience of a network.
  8. Prioritizing network change control. Businesses need the capability to assess the security impact of potential or proposed changes to the network.

Businesses Feel Let Down By UK Government on Cybersecurity

UK Businesses Are Asking the Government to Provide More Support Around Cybersecurity Issues in 2019

LONDON, UK – Monday 10th December, 2018 – Has a sensitive political and business environment in 2018 deflected attention away from security and left UK businesses less prepared for cyberattack? New research* has revealed that UK businesses are looking for greater support from the Government in the ever-growing battle against cybercrime.

According to the latest insights from RedSeal, nearly seven in ten (68%) IT bosses say their business has suffered at least one cyberattack in the past year. Almost a third (31%) also said the government does not offer businesses enough guidance or support on cybersecurity. The data also revealed that one in five (19%) of the UK businesses surveyed had no plan in place to deal with a cyberattack and that 65% of IT teams believe that their senior management needs to pay more attention to cybersecurity in 2019.

This latest research comes just two months after the National Cyber Security Centre’s second annual review where the Chancellor of the Duchy of Lancaster, David Lidington, gave a speech at the National Cyber Security Centre on why cyber security matters. He highlighted that the Government’s latest annual Cyber Security Breaches Survey had also revealed that more needed to be done. It flagged that only 30% of UK businesses have a board member with responsibility for cybersecurity and a small 10% require their suppliers to adhere to any cyber standards. Lidington also said that the Government’s next announcement on their cybersecurity strategy for UK business is planned for some time this month.

Ray Rothrock, CEO of RedSeal and author of the book Digital Resilience, commented, “We commissioned this research to explore how prepared businesses are to continue operating during an attack. The number of high profile breaches has meant that 2018 has become the year where businesses are left wondering what more they can do to protect themselves, how to remain resilient, to keep operating and minimise customer damage. Our research highlights the fact that senior IT bosses want the UK government to direct more attention, money and resource to supporting their businesses in the face of cyberattacks.”

RedSeal’s research today, along with high-profile breaches such as those at Marriott and British Airways in recent weeks and months, has only highlighted the ever-growing need for more to be done in the fight against cybercrime. Two-thirds (67%) of those that had been attacked in the last year stated that this had resulted in a financial loss, 37% in a loss of customers and nearly half (43%) suffered damage to their reputation.

* An online survey was conducted by Atomik Research among 501 UK IT professionals, Director Level and above. The research fieldwork took place between the 13th and 19th November 2018. Atomik Research is an independent creative market research agency that employs MRS-certified researchers and abides by the MRS code.

7 Common Breach Disclosure Mistakes

Dark Reading | December 7, 2018

When a breach happens, speed and clarity are vital, adds Mike Lloyd, CTO at RedSeal. Organizations that have fared badly after a breach have always been the entities that mishandled the disclosure, took too long to disclose, miscommunicated the details, or tried to cover up the issues, he says.

“There is always a surprise factor when you realize someone has broken in, but the better you know your own organization, the faster you can respond,” Lloyd says.

Using RedSeal to Fix Cracks in the Foundation

Written By Nate L. Cash, RedSeal Senior Network Security Engineer

A house is only as strong as its foundation. You want to ensure that water can’t enter your foundation, or it will compromise the strength of the house. In technology that foundation is your network and hackers are the water. Like water, hackers will slowly and methodically test your foundation. As they carefully look at the perimeter of your foundation to find a place to get in, they’ll find your cracks and nooks. And, once hackers are in, they will cause damage.

RedSeal’s platform provides a good way to test and check the foundation of your network technology stack automatically. It compares your device configurations with industry best practice guidelines to ensure that your foundation is solid. Whenever you import devices, RedSeal will compare their configurations with these guidelines and flag those that need to be remediated.

When they first start this process, most of our customers feel overwhelmed by the number of devices that need remediation. This points to an easily fixable process problem. Begin by updating any centralized configuration templates for your devices. You are using one, right? If not, a centralized configuration template is a baseline. It’s a checklist to ensure that all network devices are configured with the same basic security configurations. You start here because you don’t want to keep adding devices to your network that don’t comply with industry best practices.

“The man who moves a mountain begins by carrying away small stones.” – Confucius

Next, pick out some easy wins, such as enabling Secure Shell and disabling telnet. These have low network impact, but high security value for your organization. Knock out these configurations first. Our customers choose to run reports between analyses, so they can follow along as the number of failed devices goes down and the number of passed devices goes up. Note – this is a fantastic reporting metric to use because it shows a quantifiable decrease in risk. You’re patching and fixing cracks in your foundation.

I’ve saved the best part for last — RedSeal custom checks. If you’re passionate about securing your organization, ensuring your foundation is free of cracks, then you know the manufacturer settings are a baseline. You want to move past that bar to your own hardening standards, without adding additional overhead. This is where the RedSeal custom checks excel.

A RedSeal administrator can take your hardening standards and create custom rules that align with them. Every time RedSeal imports a device, it will run your custom checks alongside the standard guidelines. Once the definitions are in place, it’s an automatic process. It’s low overhead and a high-value addition to your organization’s security posture.
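
The workflow described above (a baseline "SSH on, telnet off" check, a custom hardening rule, and a pass/fail count to track between runs) can be sketched as follows. This is an added example, not RedSeal's code or rule format; it assumes IOS-style `line vty` syntax, and the device names, sample configurations and the idle-timeout rule are constructed for illustration.

```python
import re

# Constructed sample configs in IOS-style syntax; device names are made up.
CONFIGS = {
    "edge-rtr-01": "line vty 0 4\n transport input telnet ssh\n exec-timeout 10 0\n",
    "core-sw-02": "line vty 0 4\n transport input ssh\n exec-timeout 5 0\n"
                  "line vty 5 15\n transport input ssh\n",
    "dist-sw-03": "line vty 0 15\n transport input ssh\n exec-timeout 5 0\n",
}

def vty_blocks(config):
    """Yield (header, [sub-commands]) for each 'line vty' block."""
    for m in re.finditer(r"^(line vty.*)\n((?:[ ].*\n?)*)", config, re.M):
        yield m.group(1).strip(), [c.strip() for c in m.group(2).splitlines()]

def setting(body, pattern):
    """Return the match for the first sub-command fitting pattern, else None."""
    return next((m for m in (re.fullmatch(pattern, c) for c in body) if m), None)

def ssh_only(body):
    # Baseline check: the line must accept SSH and nothing else.
    # Assumption: a block with no explicit 'transport input' counts as a failure.
    m = setting(body, r"transport input (.+)")
    return bool(m) and m.group(1).split() == ["ssh"]

def idle_timeout(body, max_minutes=10):
    # Hypothetical custom check: an explicit, non-zero exec-timeout within the limit.
    m = setting(body, r"exec-timeout (\d+)(?: (\d+))?")
    seconds = int(m.group(1)) * 60 + int(m.group(2) or 0) if m else 0
    return 0 < seconds <= max_minutes * 60

CHECKS = {"vty-ssh-only": ssh_only, "vty-idle-timeout": idle_timeout}

def audit(configs):
    """Map each device to its failed checks; an empty list means it passed."""
    return {dev: [f"{name}: {hdr}" for hdr, body in vty_blocks(text)
                  for name, check in CHECKS.items() if not check(body)]
            for dev, text in configs.items()}

def summary(results):
    """Count passed and failed devices, the metric to track between runs."""
    failed = sum(1 for findings in results.values() if findings)
    return {"passed": len(results) - failed, "failed": failed}

if __name__ == "__main__":
    results = audit(CONFIGS)
    for dev, findings in results.items():
        print(dev, "PASS" if not findings else findings)
    print(summary(results))
```

Adding a new hardening rule means adding one function to `CHECKS`; every device is then re-evaluated against it on the next run.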

When you align RedSeal with your workflow, it’s easy to see how RedSeal will automate tasks that improve your foundational security. Comparing your devices with industry secure configurations and your own hardening standards is an automated way to ensure that your foundation is free from any cracks. Without adding a lot of overhead, it gives you the tools you and your team need to make a hacker’s job much harder.