
Strengthened Cybersecurity Regulations in New York: What It Means for Businesses

In an ever-evolving digital landscape, cybersecurity remains a paramount concern for both individuals and businesses alike. New York’s Department of Financial Services (DFS) has recently taken a significant step forward in addressing these concerns by issuing updated and strengthened cybersecurity regulations. These new regulations build upon the foundation laid out in 2017 and introduce several key changes to enhance cybersecurity measures and safeguard sensitive data. As leaders in network exposure analytics, we’re here to shed light on the implications of these regulations, what they mean for businesses of all sizes, and how to prioritize security by reducing vulnerability. 

Three tiers for different companies 

One of the notable changes in these updated regulations is the introduction of a tiered approach for companies. These tiers classify companies based on their size, with specific requirements tailored to size and cybersecurity capabilities. Companies with fewer than 20 employees and less than $5 million in gross annual revenue over the last three years will be subject to fewer cybersecurity requirements. This more nuanced approach acknowledges that smaller companies may have different cybersecurity capabilities and resources compared to larger enterprises. 

Enhanced governance and access control 

The new regulations place significant emphasis on governance and access control. Companies will now be required to implement enhanced governance measures to ensure the protection of sensitive data. Additionally, there are new controls in place to prevent unauthorized access to systems and mitigate the spread of cyberattacks. This is a crucial step in fortifying the first line of defense against potential breaches. 

Regular risk assessments and incident response 

Risk assessment is a fundamental component of any robust cybersecurity strategy. The updated regulations mandate more regular risk and vulnerability assessments, reflecting the ever-changing nature of cyber threats. Moreover, companies must strengthen their incident response, business continuity, and disaster recovery planning. This ensures that businesses are prepared to handle and recover from cyber incidents efficiently, minimizing the potential impact on operations and data integrity. 

Ransomware reporting 

Ransomware attacks have become a growing concern for organizations worldwide. Regulations issued in New York now require companies to report ransomware payments. This change is in line with the broader effort to increase transparency and help law enforcement agencies track and combat ransomware threats effectively. 

Investment in training and awareness 

One of the most critical aspects of cybersecurity is human behavior. To strengthen this front, the regulations direct companies to invest in at least annual training and cybersecurity awareness programs. These programs should anticipate social engineering attacks, which often target employees as the weakest link in a company’s cybersecurity defenses. 

Looking ahead 

New York’s updated cybersecurity regulations raise the bar for cyber resilience. By providing a tiered approach that recognizes the diversity of businesses, enhancing governance and access controls, emphasizing regular risk assessments, and promoting cybersecurity awareness, these regulations aim to protect businesses and individuals from the ever-present threat of cyberattacks. 

While these regulations mark a significant step forward in bolstering cybersecurity, businesses must also stay proactive in adapting to emerging threats. Being proactive with vulnerability prioritization is essential for any organization to effectively manage and mitigate cybersecurity risks. 

Cybersecurity is an ongoing process, and compliance with regulations is just the beginning. Will other states follow New York’s lead? RedSeal will watch and report should any additional states update cybersecurity regulations. 

RedSeal recommends organizations transition from defensive to proactive security.  Businesses should continually assess their security posture, stay informed about the latest threats, and invest in comprehensive cybersecurity solutions to ensure they remain protected in an increasingly digital world.  

Reach out today for more information on how RedSeal can support your business with proactive vulnerability prioritization. 

 

On the Internet We’re All in a War Zone: Why it’s Time to Prepare for the Worst

Sadly, once again we find ourselves watching war as it unfolds. More than any previous conflict, this one is being fought in cyberspace as well as on land and in the air. Many commentators raised their eyebrows when NATO officially added cyber to Article 5 of its founding treaty back in 2016. That now seems like a prescient move. But while the fighting, both online and off, has been largely confined to Ukrainian targets thus far, that’s unlikely to last for long.

The truth is that, by accident or design, we’re all in a war zone online, because online conflict does not respect country boundaries or even physical distance. Western targets must prepare accordingly, by understanding their attack surface in granular detail, and probing for weaknesses that could be exploited by adversaries in the days, weeks and months to come. Resilience is the name of the game here, and that will only come about by plugging the highest risk gaps now across cloud and on-premises infrastructure.

Upping the Stakes

We’ve already heard of multiple offensive cyber-campaigns traced back to the Kremlin. They began even before the invasion, when scores of Ukrainian government websites were defaced and wiper malware known as WhisperGate was discovered targeting multiple organizations in the region. More destructive malware variants, HermeticWiper and IsaacWiper, were launched in the early days of the campaign, reportedly rendering hundreds of machines unusable.

By targeting the Master Boot Record (MBR) and strategically important folders of the Windows OS, the malware is eerily reminiscent of NotPetya, another wiper variant disguised as ransomware and aimed at Ukrainian targets in 2017. NotPetya matters because it tells us something important about destructive cyber-attacks: they can very easily “spill over” and impact organizations that weren’t originally intended as targets. It also happened with Stuxnet—a weapon that was designed with high precision to target Iranian uranium enrichment facilities, but still spilled over and infected other machines.

In short, war is never as clean and precise as Hollywood movies make it seem. In the case of NotPetya, multinationals in Ukraine found their networks impacted, and the worm-like threat eventually travelled down corporate VPNs to spread globally, causing billions of dollars’ worth of damage. One victim, US pharma giant Merck, was only recently awarded a $1.4B payout from its insurer to cover costs incurred during the attack.

That said, Western firms may also need to contend with genuine Russian state-backed cyber-attacks if tensions ratchet up further and economic sanctions begin to hit the Putin regime hard. Just what they’re capable of should be clear following the SolarWinds attacks which compromised nine US government agencies. Russia also has an ace in the hole: an ‘army’ of organized cybercrime groups prepared to turn their nefarious talents to hitting critical infrastructure and other strategically important Western sectors. With big budgets to spend on attack tools and exploits, plenty of know-how, and a sophisticated cybercrime supply chain in place, they could do significant damage.

Building Resilience

If geopolitical tensions remain high for an extended period of time, the chances increase significantly of innocent organizations being drawn into the online conflict. The lesson for defenders is to fix defensive gaps now, before they’re exposed—intentionally or otherwise. Just as First World War gas attacks spread indiscriminately, harming anyone without a well-fitted and sealed gas mask on, cyber-weapons will go anywhere, through whatever gaps are left open.

Finding these vulnerabilities and misconfigurations first requires a detailed understanding of the entire corporate network, which for most organizations will extend from on-premises servers and data centers across multiple public cloud environments. That means knowing and mapping every single network device, application, service and data pathway. From this position of enhanced visibility, it’s then possible to enforce security policy to minimize exposure, and continuously check for and correct any policy compliance drift. The “continuous” qualifier is particularly important given the dynamic and ephemeral nature of cloud assets.

Ultimately, war, in whatever theater it’s fought, is about resilience. So if it wasn’t already one before, take some inspiration from the brave men and women protecting their Ukrainian homeland, and make cyber-resilience a priority for your organization today.

Best Practices for Cyber Resilience: Step One, Walk the Terrain

 

You’ve been asked to defend your organization from a myriad of threats: state-sponsored attacks, cyber criminals, insiders. But where do you start?

Many years ago, as a young Marine lieutenant, I learned that the first step to establishing a defense is to understand what you’re defending. You must know the terrain. Walk the terrain. Understand the key parts of the terrain and all avenues of approach. Then ask yourself how you would attack the same terrain. You must understand your own terrain better than the enemy.

In information security, we haven’t been given the luxury of understanding what we have — but we need to understand what we have to effectively defend it. Our networks were built to optimize for performance and availability, not for security. Understanding our cyber terrain has become a daunting task — but one fundamental to security.

Today, we rely on current inventory management technologies, but they provide just part of the picture. You get an overwhelming amount of detail and yet still struggle to understand how everything interconnects.

Ideally, you’d like to be able to understand what you have, how it’s all connected, and what’s at risk. Specifically, you’ll want to:

  • Visualize each of your sites and the connectivity between them.
  • Locate and identify devices missing from your inventory management and NCCM solutions.
  • Rationalize data from multiple data sources, including vulnerability scanners, CMDBs and EDRs.
  • Quickly determine where an attacker can traverse to in your network — from any point.

Most organizations begin by trying to get their endpoint or host inventory. This seems logical, since that’s where your applications and data are housed. But without an overall picture of how your network is configured, you have a collection of data points that don’t tell a full story.

The first step needs to be organizing your cyber terrain at the highest level. Identify your sites, then group your assets by site or facility. For example, assign devices to your Austin data center, Denver data center, branch offices, and AWS. Next, determine the connectivity within and between these sites. This requires an inventory of networking devices and their configurations. You’ll end up with a model of your network devices, security groups and VPCs, and quickly be able to get a picture of all the connections and interconnections — intentional and unintentional — in your network. Inevitably, you’ll discover unknown network devices.

Then, with this framework in place, you can add your host information.
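The procedure above (group assets by site, inventory the network devices and their rules, derive the connections between sites, then check where an attacker could traverse from any point and which devices are missing from inventory) can be worked through on a toy model. The following is an added example, not RedSeal’s code or product; every site, subnet, device name and rule in it is constructed, and the model is deliberately port-agnostic so that the transitive reachability, and the unintentional path it surfaces, stays easy to read. It also illustrates the mapping of every device and data pathway called for in the earlier piece.

```python
"""Added example (not RedSeal's code): a toy cyber-terrain model.

Sites contain subnets; network devices carry allow rules between subnets
(firewall ACLs on-premises, security groups in AWS). From that model we derive
(1) which subnets and sites are reachable, transitively, from any starting
point, and (2) which devices were observed on the wire but are absent from
every inventory source. All names and rules below are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule on a device: traffic from src subnet to dst subnet on a port."""
    src: str
    dst: str
    port: int  # 0 means any port; reachability below ignores ports on purpose


@dataclass
class NetworkDevice:
    name: str
    site: str
    rules: tuple = ()  # tuple[Rule, ...]


# Constructed terrain: sites and the subnets grouped under each of them.
SITES = {
    "austin-dc":  ["austin-dmz", "austin-app", "austin-db"],
    "denver-dc":  ["denver-app", "denver-backup"],
    "branch-nyc": ["nyc-users"],
    "aws-prod":   ["aws-web", "aws-data"],
}

# Constructed device configs. Each device only knows its own rules; the model
# is what lets us see the end-to-end paths they add up to.
DEVICES = [
    NetworkDevice("austin-fw1", "austin-dc", (
        Rule("austin-dmz", "austin-app", 8443),
        Rule("austin-app", "austin-db", 5432),
        Rule("nyc-users", "austin-app", 443),
    )),
    NetworkDevice("denver-fw1", "denver-dc", (
        Rule("austin-db", "denver-backup", 0),      # DB replication, any port
        Rule("denver-app", "denver-backup", 22),
    )),
    NetworkDevice("sg-web", "aws-prod", (
        Rule("aws-web", "aws-data", 3306),
        Rule("nyc-users", "aws-web", 443),
        Rule("denver-backup", "aws-data", 0),       # unintentional: backup link left wide open
    )),
]


def build_reachability_graph(devices):
    """Collapse every allow rule into a directed subnet -> {subnet} adjacency map."""
    graph = {}
    for dev in devices:
        for r in dev.rules:
            graph.setdefault(r.src, set()).add(r.dst)
            graph.setdefault(r.dst, set())
    return graph


def reachable_from(devices, start):
    """Subnets reachable, transitively, from a foothold in `start` (start itself excluded)."""
    graph = build_reachability_graph(devices)
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt != start and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reachable_sites(devices, sites, start):
    """The same question one level up: which sites are exposed from `start`?"""
    subnet_to_site = {s: site for site, subs in sites.items() for s in subs}
    return {subnet_to_site[s] for s in reachable_from(devices, start)}


def unknown_devices(observed_on_wire, cmdb, scanner, edr):
    """Devices seen in neighbor/ARP tables that no inventory source knows about."""
    return set(observed_on_wire) - (set(cmdb) | set(scanner) | set(edr))


if __name__ == "__main__":
    for s in sorted(reachable_from(DEVICES, "nyc-users")):
        print("from nyc-users ->", s)
    print("sites exposed:", sorted(reachable_sites(DEVICES, SITES, "nyc-users")))
    # Constructed inventory extracts: one switch is on the wire but in no inventory.
    on_wire = ["austin-fw1", "denver-fw1", "sg-web", "austin-sw7"]
    print("unknown:", unknown_devices(on_wire, ["austin-fw1", "denver-fw1"], ["sg-web"], []))
```

Starting from the branch-office user subnet, the model shows reach into the Austin database and, through the replication link and the over-permissive security group, into the AWS data subnet. No single device config shows that path; only the assembled model does, which is the point of organizing the terrain by site first and adding host detail afterwards.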