Category Archives: Best Practices

Businesses Losing Customers due to Connected Products Security Concerns

59% of cybersecurity executives at large and medium organizations say that they have LOST business due to product security concerns for connected and embedded devices.

[Chart: connected product security concerns]

45% say that customers want detailed information about what is in their devices, but only 11% of companies have high confidence that they can do that, even if they want to.

Only 27% of people interviewed said that their organizations conduct software composition analysis (what is in it) and only 30% say that they can easily generate a software bill of materials (as required by the new executive order).

So what does it take to develop secure products? More resources (62%), more expertise (60%), industry standards (46%). Only 21% said that they have a supply chain security policy.


On top of this, only half of the respondents said their organization checks the security of its products before shipping them.

The good news is that 74% of the organizations either have a Chief Product Security Officer or plan to hire one in the next two years.

And, last but not least, only 10% have full confidence that they know all the vendors in the supply chain for each of their devices.

Ready to buy one of them secure connected devices now?

Credit: Help Net Security

What if You Get Locked Out of Your Cloud Account?

Konstantin Gizdov has an interesting story to tell. He got locked out of his Microsoft Azure account. He doesn’t think it was hacked; he believes it was a Microsoft software bug.

More importantly, his attempts to recover the account were incredibly frustrating. The frustration was, in part, caused by the fact that Microsoft didn’t think it was their problem.

The problem started when he got an email that his account had been renamed. All of his attempts to get Microsoft support to unlock the account were totally unsuccessful and the data in the account was important to him.

Part of his problem was that, as an IT person, he had secured his account very effectively and removed most of the back doors that would have let him back in.

He followed all of Microsoft’s procedures for recovering his account, but, for whatever reason, none of them worked. Microsoft said there are no bugs (really? What alternate reality do they live in?).

He did have an emergency account recovery code, which should have worked, except that, he said, there was a 30-day waiting period before he could use it.

But he lucked out. His story got a fair amount of coverage and Microsoft’s Identity VP saw it. He apologized on Twitter, both for the bug and for how Microsoft’s customer support handled it.

But this is a good lesson for everyone.

Even Microsoft says that you should keep an out-of-network backup. We have at least 4 generations of backups, including at least one that is locked up in a bank vault. You really can’t have too many backups.

As companies and individuals move more stuff to the cloud, this is becoming a potentially large issue.

While the world won’t stop turning if you lose all of your music or photos stored in the cloud, I suspect a lot of people will not be happy. Support on the consumer side is even worse than what this guy experienced.

On the business side, getting locked out of your business records or customer records could, potentially, put you out of business. And get you sued on top of it.

And cyber insurance companies are starting to get into the act, telling businesses that they won’t get coverage if they don’t have the right air-gapped backups.

This would be a good time to review what you have, both for your business and personally, and make sure that you are okay with whatever losses you might have if something bad were to happen.

Credit: The Register and Security Week

Attorney Client Privilege in Cyber Land

Historically, attorney-client privilege was used to protect conversations between attorneys and their client as they were preparing their defense.

While that is still the case, there is a lot of information that companies that were breached might not want to get out to the folks suing them. If it is not done right, it is highly unlikely that the information will be protected.

Some examples of doing it wrong:

After a data breach occurred, Capital One retained a law firm that later entered into an agreement with Mandiant for various cyber-related services (including incident remediation), which required that Mandiant provide deliverables to the firm, rather than to Capital One. Plaintiffs sought release of the report created by Mandiant (regarding the factors leading to the breach), arguing that it was prepared for business and regulatory purposes and therefore was not privileged, while Capital One argued that the report was privileged because it was prepared in anticipation of litigation. Capital One lost and had to turn over the report.

Plaintiffs filed a motion to compel Dominion Dental Services to produce a report created by Mandiant, a cybersecurity firm. Dominion claimed that the report was created to inform legal counsel and create a litigation strategy, and thus was privileged and protected by the attorney work-product doctrine. The court stated that Dominion had not met its burden of demonstrating that the materials were protected work-product and held that the materials were not privileged because (1) Mandiant had a relationship with Dominion prior to the breach, which anticipated services in the event of a breach occurring; and (2) Dominion used the materials for non-litigation purposes.

There are more of these. The wall for attorney-client privilege is filled with holes.

This means that you need to prepare for how you are going to respond in case of a breach.

BEFORE the breach.

Some things to figure out:

  • Failure to distinguish the parameters of retaining an outside consultant for the creation of a breach report can increase the risk of this report not being covered within the work-product doctrine. THIS MEANS THAT YOU NEED TO COMPARTMENTALIZE WHAT YOU ARE DOING. Likely one project/vendor for incident cleanup and a different one for legal prep.
  • Retainers for vendors used in preparing a breach report should be categorized as a legal expense. BREACHED COMPANIES WHO HAD ENGAGED MANDIANT BEFORE THE BREACH AND CLASSIFIED THE EXPENSE AS AN IT EXPENSE HAVE A HARD TIME CHANGING THEIR MIND LATER. BUT CLASSIFYING IT AS A LEGAL EXPENSE DURING NORMAL TIMES AND HAVING THEM REPORT TO “IT” IS ALSO A PROBLEM.
  • Only share the data breach report for legal purposes, and share the report with as few individuals in the organization as possible. SEE COMPARTMENTALIZE ABOVE. IF YOUR LAW FIRM DOES NOT UNDERSTAND THIS, THEY ARE THE WRONG LAW FIRM TO HANDLE THE TASK.
  • Proceed with caution when using a data breach report outside of litigation purposes.

Now is the time to figure things out. Before you need to use it. Credit: ADCG

Do You Like Multi-Factor Authentication?

Do you use multi-factor authentication? Google says that less than 10 percent of its users use MFA. They were concerned that if they made people use MFA they would leave. Not sure where they would leave to, though. Who else offers as compelling a suite of software? For free. Or at least just for stealing all of your information.

Google announced this week that by the end of this year they are going to automatically enroll 150 million Google users and 2 million YouTube creators in two factor authentication.

Google is not dictating which method of MFA you use. You can use an app on your phone. Or you can get the code emailed to you. Or use a hardware token. Or even get it via text message.

If you sign up for a new account, you will automatically be enrolled in two factor authentication.

Given that Google has, probably, a billion users, they are being selective in terms of which 150 million users are being auto-enrolled.

On the other hand, if you want to post stuff on YouTube, MFA is not optional.

So, if you have been hesitant to use MFA, you might want to try it now. Before it gets turned on for you.

What is not clear is whether you can turn it off once it has been turned on. My guess is that you can, just like you can now, but it sounds like Google is going to be persistent.

Credit: Bleeping Computer

Major Software & Hardware Vendors Cause Self-Inflicted Downtime

Let’s Encrypt is the free TLS certificate service that is used by millions of web sites. Since it started out as a good idea of two Mozilla employees in 2012, it has issued about 2 billion free TLS certificates.

The history behind this organization is long and convoluted. The industry has a high bar for entry for a new player, and in 2012 they had to get someone that the industry already trusted to, kind of, co-sign (cross-sign) their certificates.

They knew that the co-sign process was a short-term solution, and about 4 years ago they convinced the “Internet authorities” that they were the real deal and replaced that co-signed certificate with a new one of their own.

Browsers and other software vendors have been incorporating this new certificate since 2017.

Let’s Encrypt, itself, has been warning people for about a year that the old certificate was going to expire today and software vendors needed to upgrade.
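The mechanism behind that warning, as an added illustration that is not from the original post or from Let’s Encrypt: a CA whose own root is not yet in every trust store gets its certificates cross-signed (the “co-sign” above) by an already-trusted older root, and clients that never added the newer root can only validate through that older root. Once the older root expires, those clients have no valid path left, while updated clients validate through the newer root and notice nothing. The certificate names, dates and the two client trust stores below are constructed sample data, not real certificates; signatures are not modelled, only issuer/subject links and expiry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Just enough of an X.509 certificate to model path building:
    who it names, who signed it, and when it stops being valid."""
    subject: str
    issuer: str
    not_after: datetime


def build_path(cert, pool, trust_store, now, _seen=()):
    """Depth-first search for a chain from `cert` to an unexpired trust anchor.

    `pool` holds the intermediate certificates a client can see (served by
    the site or cached); `trust_store` maps anchor subject -> root Cert.
    Returns the list of subjects on the first valid path found, or None.
    """
    if cert.not_after <= now or cert.subject in _seen:
        return None                      # expired, or a loop in the chain
    seen = _seen + (cert.subject,)
    anchor = trust_store.get(cert.issuer)
    if anchor is not None and anchor.not_after > now:
        return [cert.subject, anchor.subject]
    # No usable anchor signed this cert directly: try every intermediate
    # whose subject matches the issuer (there may be several, e.g. one
    # signed by the new root and one cross-signed by the old root).
    for candidate in pool:
        if candidate.subject == cert.issuer:
            rest = build_path(candidate, pool, trust_store, now, seen)
            if rest:
                return [cert.subject] + rest
    return None


# ---- constructed sample hierarchy (not real certificates) ----------------
OLD_ROOT = Cert("Old Root", "Old Root", datetime(2021, 9, 30, 14, 0, tzinfo=UTC))
NEW_ROOT = Cert("New Root", "New Root", datetime(2035, 6, 4, tzinfo=UTC))
# The CA's intermediate exists as two certificates for the same key:
INTERMEDIATE_VIA_NEW = Cert("CA Intermediate", "New Root", datetime(2025, 9, 15, tzinfo=UTC))
INTERMEDIATE_VIA_OLD = Cert("CA Intermediate", "Old Root", datetime(2025, 9, 15, tzinfo=UTC))
LEAF = Cert("www.example.test", "CA Intermediate", datetime(2021, 12, 1, tzinfo=UTC))
POOL = [INTERMEDIATE_VIA_NEW, INTERMEDIATE_VIA_OLD]

# Two client trust stores: one never updated, one that picked up the new root.
OLD_CLIENT = {OLD_ROOT.subject: OLD_ROOT}
UPDATED_CLIENT = {OLD_ROOT.subject: OLD_ROOT, NEW_ROOT.subject: NEW_ROOT}

# Sample points in time, on either side of the old root's expiry.
BEFORE_EXPIRY = datetime(2021, 9, 1, tzinfo=UTC)
AFTER_EXPIRY = datetime(2021, 10, 1, tzinfo=UTC)
AUDIT_DATE = datetime(2021, 9, 15, tzinfo=UTC)


def verify_site(trust_store, now):
    """Path a client with this trust store would accept for LEAF, or None."""
    return build_path(LEAF, POOL, trust_store, now)


def anchors_expiring_within(trust_store, now, days):
    """Defender's check: which trust anchors expire within `days` of `now`?"""
    horizon = now + timedelta(days=days)
    return sorted(c.subject for c in trust_store.values()
                  if now < c.not_after <= horizon)


if __name__ == "__main__":
    for label, now in (("before", BEFORE_EXPIRY), ("after", AFTER_EXPIRY)):
        print(label, "old client:", verify_site(OLD_CLIENT, now))
        print(label, "updated client:", verify_site(UPDATED_CLIENT, now))
    print("anchors expiring within 30 days:",
          anchors_expiring_within(UPDATED_CLIENT, AUDIT_DATE, 30))
```

Run as written, the old client validates the site through the cross-signed path before the expiry and gets no path at all afterwards, while the updated client validates through the new root both times. Real clients differ in how far they search: some only follow the exact chain the server sends and never try the alternative intermediate, which is why otherwise similar devices failed differently on the day. The `anchors_expiring_within` check is the kind of audit of a product’s bundled trust store that would have flagged this well in advance.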

We expected that old, unsupported software like Windows XP and old hardware like Android phones running Android 7, would have a problem today.

That turned out to be true.

What we did not expect is that mainstream websites like Shopify, mainstream tech vendors like Palo Alto and Cisco and mainstream service vendors like Monday.com, Google Cloud monitoring and Quickbooks would be caught napping, or completely asleep at the switch.

Unfortunately, we were wrong.

These vendors and many others went dark at about 8 AM Mountain Time this morning.

Some of them fixed the issue. Shopify, for example, recovered at about 3:30 PM.

Others, like Fortinet, seem to continue to be asleep at the switch and have told their customers to turn off the security feature that warns you when you have a security issue. That is not a great solution, but for some Fortinet customers, that is their only option.

Many more failures likely have not been detected yet – like IoT devices that just stopped working but that no one has either noticed or figured out why.

And, importantly, if these software or hardware products are no longer supported, you are probably out of luck and will have to replace them.

In some cases, you have the ability to tell the system to ignore the error and move forward, but most of the time, that is not an option.

I am writing this because, I think, this is day one of an extended discovery process. Likely there are things that are down and people don’t know they are down or don’t know why they are down. This will take a while to discover and to fix. In some cases, the fix will be expensive and extended.

I wrote about this a few months ago. This should not have happened, as the industry knew exactly what day it was going to be a problem 9 years ago. Still we, as an industry, create self-inflicted wounds.

For more details, check out this article at ZDNet.

CISA Issues Cyber Goals & Objectives for Critical Infrastructure Control Systems

While goals are CURRENTLY voluntary, CISA issued guidelines for what it expects from pipelines and other critical infrastructure in light of the Colonial Pipeline attack. While it appears that the hackers were not able to take over the control systems in that attack, they did take over the control systems in the Florida and Kansas water system attacks.

And, while this legally only applies to critical infrastructure, if it makes sense, you might want to do it also.

CISA already has a raft of documents, so they reviewed and harmonized them and came up with a single list. See the link at the end for more information. Here are some of the highlights. Each goal comes with a rationale and objectives.

RISK MANAGEMENT AND CYBERSECURITY GOVERNANCE

GOAL: Identify and document cybersecurity risks to control systems using established recommended practices (e.g., NIST Cybersecurity Framework, NIST Risk Management Framework, International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443, NIST Special Publication (SP) 800-53, NIST SP 800-30, NIST SP 800-82) and provide dedicated resources to address cybersecurity risk and resiliency through planning, policies, funding, and trained personnel.

ARCHITECTURE AND DESIGN

GOAL: Integrate cybersecurity and resilience into system architecture and design in accordance with established recommended practices for segmentation, zoning, and isolating critical systems (e.g., Industrial Control Systems-Computer Emergency Response Team Defense in Depth guide, Purdue Diagram) and review and update annually to include, as appropriate, any lessons learned from operating experience consistent with industry and federal recommendations.

CONFIGURATION AND CHANGE MANAGEMENT

GOAL: Document and control hardware and software inventory, system settings, configurations, and network traffic flows throughout control system hardware and software lifecycles.

PHYSICAL SECURITY

GOAL: Physical access to systems, facilities, equipment, and other infrastructure assets, including new or replacement resources in transit, is limited to authorized users and are secured against risks associated with the physical environment.

SYSTEM AND DATA INTEGRITY, AVAILABILITY AND CONFIDENTIALITY

GOAL: Protect the control system and its data against corruption, compromise, or loss.

CONTINUOUS MONITORING AND VULNERABILITY MANAGEMENT

GOAL: Implement and perform continuous monitoring of control systems cybersecurity threats and vulnerabilities.

TRAINING AND AWARENESS

GOAL: Train personnel to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.

INCIDENT RESPONSE AND RECOVERY

GOAL: Implement and test control system response and recovery plans with clearly defined roles and responsibilities.

SUPPLY CHAIN RISK MANAGEMENT

GOAL: Risks associated with control system hardware, software, and managed services are identified and policies and procedures are in place to prevent the exploitation of systems through effective supply chain risk management consistent with best practices (e.g. NIST SP 800-161).

For more details go to this CISA web site here.