You very likely will interact with a content management system (CMS) multiple times today.

Related: How ‘business logic’ hackers steal from companies

For instance, the Last Watchdog article you are reading uses a CMS to store posts, display them in an attractive manner, and provide search capabilities. Wikipedia uses a CMS for textual entries, blog posts, images, photographs, videos, charts, graphics, and “talk pages” that help its many contributors collaborate.

Chances are strong that your corporate website uses a CMS, and perhaps you have a separate CMS for documents and other files shared by your employees, partners, and suppliers.

Security is essential for a CMS. That’s obviously true if the content in that system requires some level of privacy and access control for internal use, such as for legal documents, customer contracts, and other assets. Security is also necessary if your retrieval system (such as a website or mobile app) has a paywall or is restricted to only a subset of people, such as customers or resellers.

What about public information? Even if you give your content away, you don’t want to allow unauthorized people to add, delete, or tamper with your files.

A big concern on Wikipedia is vandalism. There are automated systems in place to detect and reverse vandalistic edits. You also don’t want unscrupulous individuals to download your content in bulk or re-host it on their own websites without permission.

CMS 101

Today, there are two major types of common CMS platforms:

•The older “traditional” or “monolithic” CMS platforms include a content repository (usually a multimedia database), the administrative console (where content is added and categorized), the presentation system (which makes nice-looking pages), and the search engine.


•The newer “headless” CMS, running in the cloud, contains everything but the presentation system. Instead, the CMS presents a series of application programming interfaces (APIs) that can be used by programmers creating your websites, mobile apps, and other display systems. A headless CMS is more flexible and customizable than traditional CMS platforms.

Nearly all CMS platforms, whether traditional or headless, offer some level of built-in security to authenticate users who are allowed to view, add, remove, or change content.

Best security practices

Sad to say, those basic measures may not be enough to prevent bad actors from stealing, destroying, or tampering with content. As every computer security professional knows, if anything is on the Internet, it’s subject to increasingly sophisticated attacks.

According to the IBM Data Breach Report 2021, data breaches in the United States reached $4.24 million last year, and a study by Storyblok revealed that 64.3 percent of CMS users worry about the security of their CMS—while 46.4 percent actually had a CMS security issue affect their content.

What can you do about it? The best practices for securing your CMS begin with these five low-hanging-fruit steps:

•Make sure that your CMS platform’s access control and encryption features are turned on and configured correctly.

•Provide employees and content contributors with only as much ability to access or change the content as they actually require. In most organizations, very few people need the ability to add, delete, or change content, or to modify other users’ access privileges.

•When employees leave, turn off their CMS access immediately.

•Design the system so that the servers containing the content cannot be accessed except via the CMS platforms, so that bad actors can’t sneak in and steal, delete, or tamper with the data.

•If you are using a CMS hosted in your data center, then you need to be sure to promptly apply fixes and patches provided by your technology vendor. (If you are using a cloud-based headless CMS, the vendor handles this for you automatically.)

Moving beyond those standard security operations, here are three advanced techniques for maximizing the security of your CMS platform—and its content:

•Verify that your CMS platform’s technology provider is adhering to the strongest levels of computer security and privacy; one way of determining this is to look for current certification to the latest ISO 27001 Information Security Management standard.

•Design your architecture in a way where the CMS back end (the behind-the-scenes content repository) is not directly coupled to the front end (the presentation system). This strategy separates your assets and if one end is attacked, the other end is not compromised.

•Make sure the CMS platform uses a robust web application firewall (WAF), conducts continuous automated and manual security tests, and uses state-of-the-art encryption technology. All APIs should use the TLS v1.2 (or higher) encryption protocol, because systems using an older version of TLS are a security risk.

Securing a CMS is not difficult, especially with a headless CMS platform running in the cloud. To do the job right, however, make sure that your employees follow good procedures, and that your platform provider is certified as following the ISO 27001 process. The best practices here provide a solid roadmap and checklist for protecting your content.

About the essayist: Sebastian Gierlinger is vice president of engineering at Storyblok, a supplier of CMS services based in Linz, Austria.

It’s a scenario executives know too well.

Related: Third-party audits can hold valuable intel

You and your cybersecurity team do everything correctly to safeguard your infrastructure, yet the frightening alert still arrives that you’ve suffered a data breach.

It’s a maddening situation that occurs far more often than it should.

One of the main culprits for these incredibly frustrating attacks has not so much to do with how a team functions or the protocols a company employs, but instead, it’s a procurement issue that results from supply-chain shortcomings and the hard-to-detect vulnerabilities layered into a particular device.

“The same technologies that make supply chains faster and more effective also threaten their cybersecurity,” writes David Lukić, a privacy, security, and compliance consultant. “Supply chains have vulnerabilities at touchpoints with manufacturers, suppliers, and other service providers.”

The inherent complexity of the supply chain for modern technology is a reason why so many cybercrime attempts have been successful. Before a device reaches the end user, multiple stakeholders have contributed to it or handled it. CPUs, GPUs, drives, network controllers, and peripherals can each originate at a different supplier.

Then there are firmware developers, transport agencies, testing facilities, and security evaluation agencies that handle the device before it is sent to the corporate client. From there, likely operations staff, audit staff, and IT department personnel handle the device before it finally makes its way into the hands of the intended operator.

This complexity can be compounded by the effects of world events like COVID-19 or a war, resulting in manufacturing slowdowns and lockdowns. Such events have led to parts shortages that force the use of older and less-secure replacement parts to meet schedules, which emphasizes the need for innovation and for additional suppliers.


As the European Union Agency for Cybersecurity (ENISA) puts it: “The chain reaction triggered by one attack on a single supplier can compromise a network of providers.” ENISA found that 66 percent of cyberattacks focus on the supplier’s code.

The susceptibility laden throughout the device’s product journey leads to an increased risk. Cybersecurity experts like Lukić and the researchers at ENISA recommend that organizations limit the number of suppliers they contract, develop a minimum standard for those with whom they engage, and verify a supplier’s code and security protocols before finalizing terms. But these tactics go only modestly far in protecting you, while the core problem remains.

There is the potential for a reliable solution that can bring some peace of mind however. The Trusted Control/Compute Unit, or TCU, built by Axiado introduces an enhanced zero-trust model to the market.

This artificial intelligence-driven, chip-scale innovation offers multiple and hierarchical trust relationships for complex ownership structures and transitions. It provides an answer to the most common and dangerous forms of cybercrime:

•Security at the root. With its proactive platform root-of-trust design, the TCU eliminates fragmentation and establishes safeguards for pre-boot, at-boot, and runtime stages of critical device components and functions.

•Anti-counterfeit, anti-theft, and anti-tampering features. A ground-up solution, the TCU addresses the risks in supply-chain management through its hierarchical infrastructure that has multiple stakeholders and its use of transition management between those stakeholders. TCU’s capabilities encompass a depth and breadth of systems analysis and cutting-edge security management that locates and contains attacks.

•Threat detection. The TCU deploys AI-based runtime threat-detection surveillance and remediation for enhanced tamper

•Traceability and accountability. With the TCU, networks have advanced forensic abilities to track digital activity and maintain system integrity.

The features of the TCU can greatly help to resolve the four most pressing concerns that can impact any company’s cybersecurity initiatives. The first major problem the TCU solves is in the area of data loss, modification, or exfiltration. These measures, enabled by security at the root and AI, protect users, devices, and network data.

A second problem area that the TCU addresses is failures or loss of system availability. The benefit of security at the root is it protects systems from crippling firmware attacks that can severely compromise and even disable systems.

Third, the TCU solves the issue of a reduction in the availability of components. Control and management of system security can be offloaded from the main CPU and related processors to a TCU.

This allows flexibility to use older components in times of supply shortages as we’ve experienced during COVID-19 and other world events. The TCU offsets the security shortcomings in these alternative devices.

Finally, the TCU safeguards against reputation risk. A TCU-based solution preserves a company’s reputation by stopping unauthorized alterations or implants throughout a product’s lifecycle. Maintaining a sterling reputation with vendors and suppliers is crucial to long-term success for individual companies and the ecosystems in which they operate.

The good news for executives and in-house cybersecurity experts is that there is finally a way to confidently mitigate the relentless supply-chain attacks. Axiado’s single-chip solution lessens the complex integration of multiple parts while adding new layers of protection. The TCU addresses the supply-chain risks from counterfeits, substitutions, tampering, theft, and implants while adding accountability to the ownership process.

About the essayist: Josel Lorenzo is vice president of products at Axiado, which supplies advanced technologies to secure the hardware root of trust.

Reflecting on the threats and targets that we are most concerned with given the Russia-Ukraine war, cybersecurity is now the front line of our country’s wellbeing. Cyber threats endanger businesses and individuals — they can affect supply chains, cause power grid failures, and much more.

Related: Reaction to Biden’s cybersecurity order

This growing environment of risks and increasingly aggressive adversaries demands our readiness, yet our national response continues to be largely reactive to threat conditions. History shows how a small event built on daisy-chained circumstances can kick off a catastrophe, or even a shooting war.

As the war in Ukraine endures and as countries around the world align, a rising threat emerges from Russian sources, adversarial states, unscrupulous opportunists, and a shadow world of fifth-column provocateurs. An 800% increase in activities was observed in the first 48 hours of the invasion alone, and scanning and probes on domestic network infrastructures are reaching historic highs.

Cyber vs kinetic warfare

This is a heightened condition of hostilities that will continue and extend beyond physical engagements. We must confront the fact that globally sourced cyberattacks are the essence of modern warfare. It is simpler, cheaper, and more impactful to run a cyberattack campaign than a traditional kinetic act of war.

Cyberattack campaigns make strategic military sense since they are designed to disrupt communications and energy, cripple a population or its military readiness, or make any number of dire situations worse. This is why we see intelligence agencies either directly or indirectly involved in cyberwarfare.

As Russia becomes more isolated from the rest of the world, it is believed that even in the aftermath of current conflicts its leaders, intelligence agencies, and even rogue groups of unemployed hackers will be more apt to deploy cyberattacks, either in retaliation or simply for monetary gain.


China has targeted the United States for decades and they have done so on every possible front. From the military, to business, to finance, to the global race for resources, China has leveraged every possible point using tools such as political influence, market manipulation, cyber intrusions, partnerships, and military threat.

Throughout the industry, we can track countless advanced attacks and backdoors to their efforts. In the crosshairs of this force are state departments, contractors, and any organization it can hook itself into. In many cases, their aim is far more enduring, as it is industrial espionage and the theft of intellectual property in addition to ransoms.

Rebuilding Security

We are in a position where even a minor escalation of cyberattack characteristics could cripple this nation and cause massive impacts on life and property. Our response positioning must equal and exceed the specter of the overall threats, and our readiness must be comprehensive.

In addition to the ongoing Congressional efforts to improve our national cybersecurity, we must add the following tasks to the national cybersecurity mission:

•Fix the damage. We must put a priority on funding new security initiatives, with an emphasis on new technologies, the growth of intelligent protection, and services that can augment the baseline of overall security posture.

•Train a nation. Quality training systems must be made readily available that address modern kill-chain awareness, attack simulations, and advanced countermeasure techniques.

•Greater collaboration. We must expand the efforts of the Cybersecurity and Infrastructure Security Agency (CISA) to work with the community beyond early warning systems, and to help model comprehensive cybersecurity protection systems by leveraging technologies and services.

•Pursue criminal activities. We must continue to bring cases of cyber theft, cyberespionage, and cyberattack to the point of grand jury indictment. We need these cases as assets in defending our digital sovereignty, even when they will not result in fines or jail time.

Building a secure digital future is an essential task that demands success, and it should be one of our core missions as a nation. We must take measures to improve cybersecurity through increased knowledge, better technologies, and tactics that are built for the modern range of cyberthreat conditions.

From mobile endpoints to applications, to identity, and onward to the cloud and infrastructure combined, safeguarding critical assets is a comprehensive task that requires the highest possible prioritization. The recent history of cyber-driven disruptions to critical services thus far has only been indicative of warnings of what could happen.

We must face the threat that we are only a few lines of code away from a very significant event. Our readiness must improve immediately.

About the essayist: Emil Sayegh is the President and CEO of Ntirety, which provides compliant, pervasive protection systems covering the entire IT stack — and manages IT security for organizations across the Fortune 500. He launched and led successful cloud computing businesses at Rackspace, HP, and Codero. He also led the merger between Hostway Inc. and Hosting Inc. to form Ntirety. Sayegh holds nine patents.

In these days of non-stop attacks on personal and work devices, the everyday consumer wouldn’t know where to begin in order to protect their devices.

Related: Apple’s privacy stance questioned

The rise of attacks is unavoidable and with the everyday announcement of a new strain of malware, ransomware and now data wipers, consumers find themselves asking: where do I start? How do I do this?

Whether you are focused on your home computer, work laptop or business operating system as a whole, it’s important to learn the key steps you can take to ensure your defenses are active and up to date.

Update checklist

•Use and keep your security software (e.g. an anti-virus program) up to date and turned on. Many users switch off their real-time protection to gain some speed, but safety should come first. We strongly recommend making sure that you use the latest version of the anti-virus software, and for that matter of any software that you are using on your computer. The newest versions come with improved and additional features that enhance the software’s capability.

•Keep your firewall turned on. Software-based firewalls are widely recommended for single computers, while hardware firewalls are typically provided with routers for networks. Some operating systems (such as Windows) provide native software firewalls. For Microsoft Windows home users we recommend using the firewall in its default settings.


•Always perform the updates of your OS. If you use the Internet on your computer, then it is connected to the widest network there is – the World Wide Web. Since the WWW is a dynamic space, operating systems continually adapt to threats by releasing updates and patches that fix bugs, glitches, or vulnerabilities that attackers could exploit as security holes. Thus, it is important to keep your OS up to date, as most new exploits are rendered ineffective by an updated system.

•Keep third-party applications (e.g. Java, Adobe Acrobat Reader, browsers) up to date.

Third-party applications are programs written to work within operating systems but produced by individuals or companies other than the provider of the operating system. These can be browsers, e-mail clients, or plugins (such as multimedia plugins for online streaming/gaming, or plugins for reading certain types of files). Since most of them operate in the Internet environment, it is crucial that they always stay up to date and patched, because cyber-felons use vulnerabilities in older/unpatched versions to get control of your system.

Backup checklist

Backup is essential in case of data loss caused by malware attacks or malfunctions. Operating systems will attempt to recover system data through features such as System Recovery (Windows), but this procedure does not cover files or third-party software. Therefore, we recommend using one or more of the following backup methods:

•Backup on a third-party device such as a mobile hard drive, CD, USB storage device, flash drive, etc. These should be precisely labelled as to contents and date and stored securely. Three securely guarded generations of copies of the critical/important data (referred to as generational backup) are recommended: grandfather/father/son. You should take time to identify the important/critical data stored on your computer and proceed accordingly with the backup.

•Backup on a remote location, on a verified secure server. You can do this directly or via

•You should perform backups regularly (at least every three months as a rule, or with every change you make, for critical data). Take the time to test the restoration process from the backup copy. Even though you spend some time doing this, remember the alternative of losing all your data.

•Additionally, consider using imaging software to make regular backup images of your system.
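The grandfather/father/son rotation recommended above, worked through as an added example (not code from the original essay or from AV-Comparatives): given the dates on which backups were taken, it decides which copies to keep as daily (son), weekly (father) and monthly (grandfather) generations and which can be recycled. The generation counts and the constructed sample of 91 daily backups are assumptions for illustration.

```python
from collections import OrderedDict
from datetime import date, timedelta


def _newest_per_bucket(backups_desc, key):
    """Walk backups newest-first and keep the newest date in each bucket.

    `key` maps a date to its bucket, e.g. (ISO year, ISO week) or (year, month).
    The result is still ordered newest-first.
    """
    seen = OrderedDict()
    for d in backups_desc:
        k = key(d)
        if k not in seen:
            seen[k] = d
    return list(seen.values())


def gfs_retain(backups, daily=7, weekly=4, monthly=3):
    """Return {date: generation} for the backups a GFS policy keeps.

    son         = the most recent `daily` backups
    father      = the newest backup of each of the last `weekly` ISO weeks
    grandfather = the newest backup of each of the last `monthly` months
    A date that qualifies for several generations is labelled with the
    longest-lived one, since that is what decides how long it is kept.
    """
    backups_desc = sorted(set(backups), reverse=True)
    sons = backups_desc[:daily]
    fathers = _newest_per_bucket(
        backups_desc, lambda d: d.isocalendar()[:2])[:weekly]
    grandfathers = _newest_per_bucket(
        backups_desc, lambda d: (d.year, d.month))[:monthly]

    keep = {}
    for d in sons:
        keep[d] = "son"
    for d in fathers:
        keep[d] = "father"          # overrides "son" where both apply
    for d in grandfathers:
        keep[d] = "grandfather"     # overrides "father"/"son" where both apply
    return keep


def gfs_prune(backups, **policy):
    """Return the sorted list of backup dates the policy no longer needs."""
    keep = gfs_retain(backups, **policy)
    return sorted(d for d in set(backups) if d not in keep)


# Constructed sample: one backup per day from 2024-01-01 to 2024-03-31.
SAMPLE_BACKUPS = [date(2024, 1, 1) + timedelta(days=i) for i in range(91)]


if __name__ == "__main__":
    kept = gfs_retain(SAMPLE_BACKUPS)
    for d in sorted(kept):
        print(d, kept[d])
    print("recyclable copies:", len(gfs_prune(SAMPLE_BACKUPS)))
```

For 91 daily copies the policy keeps 12 (7 daily, 3 further weekly, 2 further monthly) and frees the remaining 79 for reuse.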

About the essayist: Peter Stelzhammer co-founded AV-Comparatives in 1999 as a joint student project at the University of Innsbruck. AV-Comparatives is an independent organisation offering systematic testing to examine the efficacy of security software products and mobile security solutions.

Ransomware? I think you may have heard of it; isn’t the news full of it? Well, the stats are even scarier, with a more than 50% increase in ransomware attacks in 2021 compared to 2020.

Related: Make it costly for cybercriminals

The media paid close attention to ransomware attacks last year, as they had a significant impact on Colonial Pipeline, the nation’s largest fuel distributor, and JBS, the nation’s largest meat distributor. In fact, Colonial Pipeline shut down, causing major problems at the gas pumps for days.

When these ransomware attacks occurred, RiskyBiz podcast host Patrick Gray commented that the U.S. would respond: “Don’t take away our gas or burgers.” What an outstanding response! And he’s not wrong. When supply chain attacks start impacting everyone’s daily life, it becomes very real for us all.

Ransomware is likely going to be here for years to come. It’s such a big industry that Ransomware-as-a-Service (RaaS) actually offers criminals customer service and tech support. This means it’s now a commoditized industry leveraging backend services and capabilities all built for scale.

Best practices

Let’s walk through some practical steps organizations can take today, implementing zero trust and remote access strategies to help reduce ransomware risks:

•Obvious, but difficult – get end users to stop clicking unknown links and visiting random websites that they know little about, an educational challenge. As an enterprise security team, you could restrict internet access at your egress points, but this doesn’t do much when the workforce is remote.

•Back up your data and secure your backups in an offline location. If the data is online, then it’s accessible to bad actors and just waiting to be encrypted for ransom.

•Enable multi-factor authentication (MFA) to access your applications and services, especially for admin access to platforms and backend systems.


•Enable device posture checking and enforcement, ideally integrating with a decent XDR platform. For decades, application and data access ignored the device and simply asked for the user identity to be validated. This resulted in users being allowed to login from devices that may have outdated operating systems, missing patches, not having endpoint security software installed, or not being up to date. You’ll significantly reduce your risk if you enforce a minimum security bar for all devices accessing your data.

•Systematically update your operating systems and apply current patches. Not just endpoints, but server/virtual systems as well. Furthermore, don’t forget about ingress and egress points and cloud-based services (like EC2). In short, anything accessible from the internet should be given extra attention.

•Turn your office network into a guest network. This disables peer-to-peer access, enabling internet-only access. And it also almost eliminates lateral movement during compromise. While you may enable some access to limited services, a good zero trust implementation will result in users accessing internal services via an internet-facing proxy platform instead of an internal network. This type of solution pays many dividends, including more secure use of contractors and consultants, as well as being able to more easily handle access in mergers & acquisition situations.

The reality is that a bad actor’s initial attack begins with either an endpoint downloading, clicking, browsing (something bad), or internet-facing devices/services not being secured. Fun fact: 80% of these breaches occur at the endpoint, often via phishing or social engineering. So as investments go, checking device posture as part of your zero trust program is a huge win. It’s quick to deploy and simple to operate.

Let’s talk VPNs

Traditional VPNs are almost always configured to allow full-time employees complete access to your network. All it takes are some compromised credentials and bad actors have the ability to attack all other devices on the corporate network. From there, it’s possible to find devices with privileged accounts and take the attack further. This has gone unchecked for years and there’s no good reason to let it continue.

My recommendation is to shift to a modern remote access strategy, where specific applications and resources are accessed via reverse proxy, while also leveraging identity-based access. Imagine a device being compromised – would you like it to have access to your entire network?

Or, would you prefer that it can only access a specific application after passing a device posture check so we know it’s more secure? If you could remove the ability for devices on your corporate network to see (and therefore attack) each other, wouldn’t that be a huge step forward in your security?

We all know that ransomware is here to stay, but the good news is that, by following these basic cyber tips and tricks, you have the ability to reduce the risk and likelihood of your company being a victim.

Food for thought, eh!

About the essayist: Den Jones is CSO at Banyan Security, which supplies simple, least-privilege, multi-cloud application access technologies.

Potable water and wastewater management is a top priority for cybersecurity professionals and the Biden administration alike. With new regulations and funding, companies must find the best way to implement and manage cybersecurity to protect these systems.

Related: Keeping critical systems patched

As the US federal government begins to put its eye on securing more of its infrastructure against the rising risk of large-scale cybersecurity attacks, a late January statement from the White House has turned that attention to water facilities.

The U.S. Environmental Protection Agency (EPA), the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC), are taking part in President Biden’s Industrial Control Systems (ICS) Initiative. This is part of National Security Memorandum 5, Improving Cybersecurity for Critical Infrastructure Control Systems.

The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan concentrates on high-impact activities that can be surged within 100 days. The goal is to protect water resources by improving cybersecurity across the water sector.

Decentralized exposures

The federal government and critical infrastructure community will help facilitate the deployment of technologies that provide cyber-related threat visibility, indicators, detections, and warnings.

Prior to this, the federal government set out to create new standards and regulations, beginning with the American Water Infrastructure Act of 2018 (AWIA 2018), which called for water utilities to perform an assessment and response plan.

The United States relies on a decentralized water utility network, putting state, municipal, and city governments in charge of managing their own utilities. While some private companies cover vast regions, it is common to see individual towns and cities manage their own water for their residents.


Standalone utility authorities allow communities more autonomy and flexibility in their operations. But they commonly struggle to pool together the critical resources needed to secure their operations against the ever-evolving threat from hackers.

Lack of standards and regulation presents opportunities for hackers looking to disrupt their delicate Operational Technology (OT) and Industrial Control Systems (ICS). This is especially true at a time when these facilities are facing the need for remote access and operations to remain resilient during natural disasters and pandemics, beyond cyber attacks.

Continuous monitoring needed

These fragmented systems open new attack vectors for competitive nation-states, criminals, and terrorists to exploit vulnerabilities in a far more distributed infrastructure. This means water districts and municipalities sharing reservoirs also share risks.

An example of this is how water asset owners are located in rural areas, although they may have large water supplies. Being on the periphery makes them less likely to receive government funding early on, relative to larger providers, even though they are more susceptible to cybersecurity attacks because of lack of regulation due to their smaller size.

Part of AWIA 2018 recommends monitoring the operational networks at water utilities. Continuous monitoring, anomaly detection, incident management & reporting, and remediation planning are vital to remaining compliant. These clearly defined deliverables will aid in protecting the water infrastructure for people throughout the country.

An effective ICS/SCADA protection plan requires comprehensive identification and mapping of all devices, connections, ports, and other network assets. Only then will utility providers be able to detect vulnerabilities and exposures while assessing them in terms of severity and potential impact if compromised.

Devising an ICS protection plan can be a daunting task. There’s no one-size-fits-all solution, and in many cases, operators have incomplete visibility into their networks.

Partnering with an MSP

It’s critical to partner with an MSP organization to save time and resources in implementation. This allows the water utilities to harden vulnerabilities that they face in their systems today immediately. This strengthening of a facility’s cybersecurity posture is not just a large technical load but also introduces a significant risk of project failure without the right mixture of partner and toolset. Resources are too critical to rely on the educated guesswork of industry veterans and experts.

Some companies in the field, such as Radiflow, are working around the globe facing similar issues. While some systems and regulatory protocols may vary by region, the global cybersecurity threat landscape demands the same level of protection regardless of location.

Radiflow has helped facilities managers protect their IT environment by introducing the same digitally mirrored virtual environments commonly used in the IT world to prepare teams to mitigate and manage future threats.

This golden opportunity presented by the current administration in the US is a once-in-a-lifetime opportunity for managers of critical utility sites to secure themselves today and into the future.

About the essayist: Ilan Barda is the CEO of Radiflow, a leading supplier of Operational Technology (OT) security systems deployed by major industrial enterprises and utilities protecting over 6,000 critical facilities worldwide.


Passwords have become ubiquitous in the digital world. Yet most people don’t know how to use them properly. The humble password is nothing more than a digital key that opens a door.

Related: The coming of passwordless access

People use keys to open their house, office, garage or car. And they use passwords to open a device, a system, an account, a file and so on.

But the similarities stop here. In the physical world, people are not required to make their own keys; keys are given to them by a landlord, a locksmith, or an employer. Whereas in the digital world, people are required to make their own passwords, which they then have to remember and type every time.

Which raises the question: why do people create their own passwords? In truth, they don’t need to, just as they don’t need to hammer their own keys. All they need is to receive, retrieve and use them.

Cybersecurity’s blindspot

This misunderstanding has real implications for companies as it takes away their ability to be cybersecure. From the moment companies let their employees create their own passwords, they transfer their network command and control, financial risks and liabilities to their employees.

They also create a huge cybersecurity “blindspot” and potential attack surface, as they have no idea if and when passwords are shared, stolen or phished. Finally, as the human brain cannot create and remember multiple complex and unique passwords, they set their employees up to fail: people keep using passwords like 123456, the same password everywhere, or a password pattern they can remember.

That explains why over 80 percent of data breaches start with weak, reused, and stolen passwords, obtained through password phishing, social engineering, brute force attacks and credential stuffing. Hackers don’t need to hack in; they just log in.

With more victims, they harvest more credentials, which lead to more victims. After the Covid-19 pandemic pushed people to work from home, this cyber pandemic has only worsened, allowing more and more ransomware attacks.

Automated distribution

Just as employees don’t bring their own keys to the office, they should not bring their own passwords to the digital office. A much better way is to integrate an innovative technology that distributes encrypted, unique passwords to the employees that only they can use to access each separate device, account, file, or system.

Helpfully, this innovative solution is easy to implement and doesn’t require any change of infrastructure. It relieves employees of the burden of creating, memorising, and typing passwords.

And contrary to single access solutions, where hackers only need one key to gain access and take all, it segments each access so that each password only opens one door, which ensures cyber-resilience and cybersecurity. In case a password is stolen, for example in a supply-chain attack, only one system is infected and, by default, contained, while the other systems stay safe.

Segmenting access

This segmented access system completely removes the concept of identity or trust from access. Just as your door doesn’t need to recognise your identity when you go home: if you have the key, you can enter; otherwise, you can’t, no matter who you are.

When a new hire starts a new job, he or she receives encrypted passwords, stored in a digital fortress that only that user can access after multiple levels of security. Each system has a different password which the user can click to open a system, without ever seeing what the password is, just like when they use a fob or card to open a door.

The system also allows companies to see who has accessed their passwords, similar to a building access monitoring system, which further helps tracking access in case there is a breach.

When people leave a company or department, companies can instantly remove their passwords. Plus, since they never knew their passwords in the first place, they can’t keep them or pass them around, in exactly the same way as employees hand over the keys, badges, and cards that open company buildings, lifts or offices when they leave. That removes the risk of unauthorised access via old accounts when people leave.
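The flow described in this section, as an added Python model that is neither MyCena’s code nor the essayist’s: a company-held vault generates a unique random password for every (user, system) pair and seals it under a key tied to that user; “opening” a system decrypts and uses the secret without ever returning it to the caller; every attempt is written to an audit log; and off-boarding deletes all of a leaver’s records in one call. The ServiceAccount class, the PIN-derived per-user key and the HMAC-based sealing are constructed simplifications for the demo, not how any real product works (a production vault would use a vetted AEAD and per-user asymmetric keys).

```python
import hashlib
import hmac
import secrets


class ServiceAccount:
    """Constructed stand-in for one system's login endpoint (not a real API)."""

    def __init__(self, name: str):
        self.name = name
        self.accounts: dict[str, str] = {}  # user -> password provisioned by the company

    def login(self, user: str, password: str) -> bool:
        expected = self.accounts.get(user)
        return expected is not None and hmac.compare_digest(password, expected)


def _derive_user_key(unlock_pin: str, salt: bytes) -> bytes:
    """Per-user key; deriving it from an unlock PIN is a simplification for the demo."""
    return hashlib.pbkdf2_hmac("sha256", unlock_pin.encode(), salt, 100_000)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Illustrative encrypt-then-MAC from the stdlib; real code should use a vetted AEAD."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key[:16], nonce, len(plaintext))))
    tag = hmac.new(key[16:], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key[16:], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:16], nonce, len(ct))))


class CredentialVault:
    """Company-held vault: one sealed, unique password per (user, system); the user never sees it."""

    def __init__(self):
        self._salts: dict[str, bytes] = {}
        self._records: dict[tuple[str, str], bytes] = {}
        self.audit_log: list[tuple[str, str, str]] = []

    def enroll_user(self, user: str) -> None:
        self._salts[user] = secrets.token_bytes(16)

    def issue(self, user: str, system: ServiceAccount, unlock_pin: str) -> None:
        # The company generates the secret and provisions it on the system side;
        # the user only ever receives the sealed record.
        password = secrets.token_urlsafe(48)
        system.accounts[user] = password
        key = _derive_user_key(unlock_pin, self._salts[user])
        self._records[(user, system.name)] = _seal(key, password.encode())
        self.audit_log.append(("issue", user, system.name))

    def open_system(self, user: str, system: ServiceAccount, unlock_pin: str) -> bool:
        """The 'click to open' step: decrypt, use, log. The password is never returned."""
        record = self._records.get((user, system.name))
        if record is None:
            self.audit_log.append(("denied", user, system.name))
            return False
        try:
            password = _unseal(_derive_user_key(unlock_pin, self._salts[user]), record).decode()
        except ValueError:  # wrong PIN or tampered record
            self.audit_log.append(("denied", user, system.name))
            return False
        ok = system.login(user, password)
        self.audit_log.append(("login" if ok else "failed", user, system.name))
        return ok

    def revoke_user(self, user: str) -> int:
        """Leaver off-boarding: delete every record at once, like collecting badges."""
        keys = [k for k in self._records if k[0] == user]
        for k in keys:
            del self._records[k]
        self._salts.pop(user, None)
        self.audit_log.append(("revoke", user, "*"))
        return len(keys)


def demo() -> dict:
    crm, payroll = ServiceAccount("crm"), ServiceAccount("payroll")  # constructed systems
    vault = CredentialVault()
    vault.enroll_user("alice")
    vault.issue("alice", crm, "2468")
    vault.issue("alice", payroll, "2468")
    return {
        "unique_per_system": crm.accounts["alice"] != payroll.accounts["alice"],
        # segmentation: a CRM secret that leaks does not open payroll
        "crm_secret_opens_payroll": payroll.login("alice", crm.accounts["alice"]),
        "alice_opens_crm": vault.open_system("alice", crm, "2468"),
        "wrong_pin_opens_payroll": vault.open_system("alice", payroll, "0000"),
        "revoked_records": vault.revoke_user("alice"),
        "alice_opens_crm_after_revoke": vault.open_system("alice", crm, "2468"),
        "audit": list(vault.audit_log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The audit log is the part a defender would read first: a “denied” entry after a “revoke” for the same user is exactly the old-account access attempt the essay warns about, and it is visible without anyone ever having known the password.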

An encrypted password distribution system not only allows companies to take back control of their own access, it also removes the need to invest in educating employees on password hygiene, a taxing task for the brain, which was never meant to do it in the first place. That frees up their time to invest in more productive work.

This approach not only simplifies employees’ lives (as there are no more passwords to know, there are no more password resets), it also eliminates all the security risks and costs attached to human behaviour and the huge problems associated with stolen, phished, or shared passwords.

Finally, this type of zero-trust system is completely future-proofed, as you can make the keys increasingly complex. To resist the upcoming threats of quantum computing, companies can easily use billions-character-long passwords, since it is just a string no one needs to see.

About the essayist: Julia O’Toole is the founder and CEO of MyCena Security Solutions, which supplies a mobile app that transforms your smart device into a portable digital vault.

In a recent survey of US-based CEOs, talent shortages and cybersecurity were listed as two of the top five business concerns in 2022.

Related: Cultivating ‘human sensors’

They may not entirely realize that when compounded, these two concerns could pose a critical security threat for their organization.

CEOs who are looking to secure their data and build a cyber-resilient infrastructure are facing a quadruple whammy:

•Expanding their digital infrastructure faster than they can secure it,

•Combatting record numbers of cyber incidents,

•Struggling to fill open cybersecurity roles, with 600,000 cybersecurity roles currently unfilled in the U.S., and

•Losing the security talent that they do have to what has been called the Great Resignation.

The bottom line: organizations with unfilled cybersecurity roles are leaving themselves vulnerable to the growing number of cyber threats.

While there is no silver bullet to combat the many challenges facing leaders who are experiencing growing talent shortages and cybersecurity threats, these circumstances call for a reexamination of how we fill these essential roles as fast as possible.

Opening more doors

Four-year universities have traditionally been the only way into a career in cybersecurity, but this is rapidly changing, and for the better. Once the gold standard, these traditional programs take significant time and resources that many individuals, and now organizations, do not have.

It’s time for the industry to reimagine what a traditional and effective path into these roles looks like, and more so, what skills and hands-on experience individuals need to fill these gaps rather than a degree.

Today, there are more paths into cybersecurity than ever. Individuals and organizations can now fill these skill gaps through online, self-paced training and short-term programs that give people the technical skills, hands-on experience and certifications they need to successfully serve in cyber roles.

Now, organizations must follow suit to encourage these expedited and skills-focused options. It’s become clear that the faster we accept and promote these various entry points into our industry, the faster we can fill these mission-critical roles.

Rethinking the talent game

Just as we must reevaluate how we train people and give them the skills to fill cybersecurity roles, we must also reevaluate how we hire and retain them. According to the Infosec 2021 IT & Security Talent Pipeline Survey, over 90% of hiring managers struggle to fill open cyber roles, leaving mission-critical work undone and existing teams strapped for time and resources.

On retaining talent, it’s up to security leaders to understand what’s most important to their employees, whether it be compensation, professional development, remote work options or career pathing. Our clients have seen that investing in their teams and building career paths for them to grow internally plays a huge role in talent deciding to stay at one place; one such enterprise doubled the size of its cybersecurity training and upskilling program in just a few years due to demand and interest.

On attracting talent, the same survey revealed that employers having success with hiring talent had:

•Removed unnecessary experience requirements

•Offered competitive compensation packages based on market demand

•Hired and supported inexperienced candidates with re-skilling and up-skilling programs

•Implemented hiring initiatives to diversify talent pools

•Included non-technical skills like leadership and communication in the interview process

Focusing on strategies like these that widen and diversify cyber talent pipelines allows hiring managers to drive better results at all stages of the talent management lifecycle, from attracting a larger cyber talent pool to developing employees throughout their careers.

Blurring the lines

Given the extremely high demand for cybersecurity talent, we must adapt to today’s challenges in attracting, upskilling and retaining cyber talent. We must collaborate across the industry and with education providers to bring people into our field, whether that be through certification and hands-on skill training online, an internal reskilling program to fill gaps with existing talent, or pushing for more short-course security programs from higher education.

To fill this gap, we must blur the lines between traditional and new-age cybersecurity training, hiring and retention. If we don’t, the Great Resignation could become the next advanced persistent threat facing organizations worldwide.

About the essayist: Jack Koziol is the founder, SVP and GM of Infosec Institute, a cybersecurity education company. He is the author of The Shellcoder’s Handbook. When he’s not keeping the world safe by helping organizations educate their employees, he tries to get his three children to eat their breakfast and get to school on time.

Today, all organizations are required or encouraged to meet certain standards and regulations to protect their data against cybersecurity threats. The regulations vary across countries and industries, but they are designed to protect customers from the threat posed by data breaches.

Related: The value of sharing third-party risk assessments

With estimates suggesting there are currently over 15 billion user credentials scattered across the dark web, the importance of compliance is clear to see. In spite of this, many organizations today still see compliance as a nuisance, rather than a business enabler.

All too often, organizations will analyze compliance requirements and harden their systems and practices to meet them, without really thinking about their importance to the business. Instead, they will tick the mandatory checkboxes, even if security measures haven’t been enacted, and file the record away as quickly as possible.

Job done! Compliance has been met, or may appear to have been met; now let’s make some money… That is, until they learn they have been breached. When the CEO tries to defend the business by pulling out a dusty copy of its two-year-old compliance record, they then face the harsh reality that a single “point in time” compliance check doesn’t cut it in today’s threat landscape.

Strategizing compliance

Compliance is no longer a “set and forget” security framework. To keep up to speed in today’s evolving threat landscape, compliance is a process that must be maintained continuously.

Here are a few ways for organizations to implement an effective cybersecurity compliance strategy, so that it remains current, providing protection against new and emerging threats:

•Keep up to date with the evolving and growing attack surface

Today, organizations’ digital environments evolve continuously: new devices are added to networks daily, staff are on-boarded and off-boarded, new suppliers are taken on, and as more organizations adopt hybrid working, staff are accessing corporate networks from locations worldwide. The threat landscape is also continuously changing, with new attacker trends coming to light and new software vulnerabilities discovered, which put organizations at risk if they are not patched.

This means threats to corporate data are constantly changing. What might be secure today could be an organization’s greatest weakness tomorrow.

As a result, compliance needs to keep up with new threats and network changes; otherwise, organizations could inherit serious gaps in their architecture that will be easy for cybercriminals to exploit.

•Take a risk-based approach

One of the biggest mistakes organizations make when meeting compliance regulations is the belief that all requirements can be met through products. They don’t think about the impact security risks would have on their organization.

Today breaches cost organizations millions of dollars, both in losses and in fines. When they suffer attacks, reputations are damaged, customers and investors are lost and sometimes the very survival of the business is at stake. This means cybersecurity should never be viewed as just a technical issue; it is a businesswide problem.

Business leaders need to understand the risks to prioritize security spending effectively. With an organization’s data its most valuable asset today, understanding where it is held, who has access to it, and what is being done to protect it from intruders is critical.

Business leaders should also think about risks posed by specific attacks and take time to understand what the organization would stand to lose if attackers were to breach their network. Is data backed up regularly? Would the business recover if it was hit with ransomware?

Once they have these answers, what can be done to reduce the risk? Security threats are here to stay and perfect software doesn’t exist, so hardening and resilience must be the priority for any business leader.

•Remember cybersecurity is a culture, not a product

Cybersecurity is a companywide challenge, and all departments need to be involved to get it right. Business leaders therefore need to prioritize security and promote its importance from the top down, training employees and encouraging them to mirror the attitude.

This means when attacks do target an organization, employees can stand as the first line of defense, armored with the correct knowledge to know not to click on links and attachments that seem suspicious.

Compliance is an important driver for security, and organizations should never view it as a mere technical nuisance. Cybersecurity is a critical business enabler today, and those that get it right will excel. Those that get it wrong, and do not prioritize their defenses, could stand to lose everything.

About the essayist: David Jemmett is CEO of Cerberus Sentinel, a Managed Compliance and Cybersecurity Provider (MCCP) with its exclusive MCCP+ managed compliance and cybersecurity services plus culture program.

While global commerce is an important aspect of the world economy, individuals who hold national security clearances need to be aware that some of the activities they engage in could pose a security risk and may negatively impact their security clearances.

Related: Russia takes steps to radicalize U.S. youth

Individuals who possess security clearances are not prohibited from traveling to foreign countries; however, there are certain acts and behaviors that may raise foreign influence and/or foreign preference concerns.

Under Guideline B of the security clearance adjudicative guidelines, the United States government is concerned with any potential for foreign influence. This includes contact with foreign nationals or obtaining financial or property interests in a foreign country, which could create a heightened risk of foreign exploitation.

First, there are reporting requirements which indicate that any foreign travel, aid, logistics, obtaining property in a foreign country, or other such activity must be reported to one’s security officer.

It is common for people to want to expand their financial portfolios, sometimes including investments overseas; however, that poses a security concern, as any foreign assets may be used to exert pressure or influence over individuals who possess a security clearance in order to persuade them to divulge U.S. national security secrets.

The conflict in Ukraine is a prime example of how engaging in global commerce and providing aid to foreign countries or foreign nationals may pose a security risk. Anybody who wants to provide aid to Ukraine could be put in a position of potentially exposing themselves to exploitation, inducement, manipulation, or pressure, which may conflict with the interests of the United States.

Guideline C of the security clearance adjudicative guidelines provides potentially disqualifying conditions in relation to participation in foreign activities, which includes serving the interests of a foreign person, group, organization, or government in any way that conflicts with the U.S. national interests.

Additionally, providing any aid, including military aid such as logistics, equipment, or fighting for Ukraine in general, while possessing a security clearance poses major security concerns under Guideline C.

This poses a risk because providing aid to a foreign government or individual could be perceived as exhibiting a foreign preference for another country. It also opens individuals up to exploitation and may put them in a position of heightened risk, especially if they are providing this aid and are captured by foreign enemies or intelligence personnel.

The events in Ukraine have the potential to change things for security clearance holders in the United States. There is always an element of concern about foreign influence from countries like Russia and China, as these countries are typically known to target U.S. citizens to obtain classified or sensitive material.

The conflict in Ukraine has the potential to further alienate Russia and place Russia in a category much like North Korea. Any security clearance holder that has ties to Russia in the future may be met with heavier scrutiny and may find it more difficult to obtain and maintain a security clearance in the future.

About the essayist: Ryan C. Nerney, Esq. is a partner in the Ladera Ranch, California office of Tully Rinckey PLLC, where he has represented numerous clients in security clearance revocation proceedings. He has a proven record of saving clients’ jobs, as well as anticipating and resolving potential future issues with their security clearances. He can be reached at info@tullylegal.com or at (619)-357-7600.