Perry Carpenter

I often hear the question "Where/What are our biggest security exposures?" Cyentia Institute recently had the opportunity to explore this question using data from hundreds of thousands of attack path assessments conducted through the XM Cyber Continuous Exposure Management (CEM) platform. The attached figure gives a categorical breakdown of what we observed based on all entities (digital assets), total security exposures, and exposures affecting critical assets. . The left-most chart represents the attack surface based on broad categories of digital entities discovered during attack path assessments. Active Directory constitutes just over half of entities identified across all environments. On-premises IT and network devices account for another 31% of entities and cloud environments house the remaining 17%. Not all entities, however, are exposed via attack paths. If we change the scope of the attack surface to include only vetted exposures (entities susceptible to attack techniques), things look different. The middle chart captures this perspective and Active Directory exposures dominate the attack surface. But not all of those exposures affect critical assets. To be truly effective, Exposure Management must encompass all environments and account for where critical assets are most at risk. If we once again rescope the attack surface to focus on exposures to critical assets, a very different picture emerges, which is captured in the rightmost chart. Cloud environments now encompass over half of all critical asset exposures, followed by AD at 33% and IT/Network devices at 11%. Does this sync with exposures across your attack surface? Which perspective/view/chart is your primary guide for managing exposures? The full report contains tons of additional insights on exposure management. Download here: https://lnkd.in/dPfqXG7y #cybersecurity #exposuremanagement #cyberrisk

48

8 Comments

I stay away from politics, but I feel this is an important article to share. CSO Online "Another red flag, experts say, is a recommendation to move the Office of the National Cyber Director (ONCD) to the National Security Council (NSC), and to require NSC employees to submit to something akin to a political loyalty test, injecting partisan politics into cybersecurity policy, which has long been a nonpartisan issue among lawmakers and policy professionals." #cybersecurity #riskmanagement #ITmanagement #CIO #CISO https://lnkd.in/ggDrtrth

6

TEMU sued for being “dangerous malware” For anyone curious enough to download and install TEMU for the super cheap products, beware. Many "free" apps come with a price. Your privacy. Before installing ANY app on your phone - read the EULA. I had checked out the EULA for TEMU, but I had to dig. This is what I found on the "Privacy Policy" page under Information collected automatically. To enhance your experience with our services and support the other purposes for which we collect personal information, we, our service providers, and our business partners may automatically record information about you, your computer, or mobile device and your interactions with the Service, our communications, and other online services over time, such as: - Device data: We collect certain information about the device you use to access the Service, such as device model, operating system information, language settings, unique identifiers (including identifiers used for advertising purposes). - Service usage information: We collect information about your interactions with the Service, including the pages you view, the duration on a page, the source from which you arrived at the page, your interactions with the page, whether you opened our emails, and whether you clicked the links within our emails. - Location data: We collect your approximate location based on your technical information (e.g. IP address). ***Define [other online services over time] ??? *** Share your thoughts and any other links you may have found. Read more in this article by Malwarebytes. #cybersecurity #LearnTechWithLinkedIn https://lnkd.in/eiuhTQ_3  

12

I dislike using the term “crisis communications” when talking about security incidents because it gives people permission to accept chaos and panic. These are red flags that your decision-making process isn’t ready for prime time. Anyway, I’m always glad to see more security teams recognize that incident communications isn’t just what you say publicly, it’s also how you communicate internally so that you’re proud of how you show up for the people impacted.

24

Earlier this year, Cyentia Institute published a meta-study analyzing the top ATT&CK techniques reported across 20+ industry sources. NOT ONE OF THEM reported observing T1195.003 - Compromise Hardware Supply Chain. Hold on - my aid has an urgent message for me...oh my...they what?!...pagers exploding - really?...I see...got it...will do... Sorry for the interruption. As I was saying, T1195.003 was THE MOST REPORTED sub-technique in the entire study! Download it today from the compromised device of your choice: https://lnkd.in/eafNi5u3 #supplychain #cybersecurity #fud

91

6 Comments

ATTENTION: HEALTHCARE BOARD MEMBERS AND C-SUITE EXECUTIVES. ODDS ARE YOUR ORGANIZATION HAS NOT CONDUCTED AN OCR-QUALITY® RISK ANALYSIS! Shocking? NO! Since ... 90% of the organizations subjected to an OCR investigation involving electronic Protected Health Information (ePHI) are found to have failed to conduct the very first requirement (risk analysis implementation specification) in the very first standard (Security Management Process) in the very first area (Administrative Safeguards) of the ol' HIPAA Security Rule. OCR Audits produced equally dismal compliance findings. How can you address your cyber risks if you don't know what they are? EASY FIX! Attend the upcoming COMPLIMENTARY Clearwater OCR-Quality® Risk Analysis Working Lab. #HIPAA #riskanalysis #riskmanagement #cyberriskmanagement #boardcyberoversight #boardofdirectors

2

Impactful cyber news today -- An important step in the direction that CISOs are treated more like a CFO, with the right level of accountability, transparency, as well as protection. Senator Wyden and Warner just proposed a new healthcare cybersecurity bill. This bill might be a watershed moment for the cybersecurity industry, an important step in codifying the practice of cyber security. It aims to regulate and document the official responsibilities of Cybersecurity leadership for a healthcare entity. This bill might do for the CISO what Sarbanes-Oxley did for the role of the CFO. If this bill passes, other industries may follow suit. The bill specifically calls out the - Establishment of a minimum cybersecurity standard for the health care industry - Public certification of compliance (The CISO must certify) - Annual security audit and stress test of incident recovery  - No Cap in Health and Human Services fine authority - Provides financial help to small and safety net hospitals Press release: https://lnkd.in/gqRS_ZMD One page summary:  https://lnkd.in/gQpszBrm For public companies today, the CFO and the CEO must certify the company's financial statements every quarter. This bill would have the CISO (and presumably the CEO) publicly certify its cybersecurity compliance annually. This step will allow the CISO to gain appropriate resources, take on proper accountability, and also receive much-needed protection for his/her job. Thank you to Joe Sullivan who brought this to my attention. Jim Higgins, Vitaly Gudanets, Kirsten Davies, Lakshmi Hanspal, Ariel Litvin, Confidence Staveley, Catherine A. Allen, Karissa A. Breen (KB), Jackie Bow, Gary Hayslip, Rinki Sethi, Matthew Rosenquist, Stephanie M. Shorter, PhD, Ross Haleliuk, Stephanie Domas, Heather Hinton, Chris Hughes, Tal Mozes

60

10 Comments

Interesting to see that not only is this company being sued for allegedly violating Texas' data privacy law, but as part of this lawsuit, it was alleged that the data broker in question did not register as a data broker in Texas [full disclosure: this is a law - SB 2105 - that I was an advisor on]. It should also be noted that the same company appears not to be registered in California as a data broker.

16

2 Comments

As usual, a lot of useful information packed into Summit 7's SummitUp Podcast this week, a particularly solid piece from Jacob Horne is a deep dive on the genesis and composition of the "Policy" requirement that has been on the In and Out NIST Burger menu all along. To level set and unify in language, Horne wisely points to NIST SP 800-12 from the Paleolithic period of formalized, regulated governance. Also important to note is how modern NIST SPs 800-171 and 53 (and their assessment 'a' counterparts) mandate event driven and less than annually Organizational Defined Parameter (ODP) specified cadence of review and refresh of said policies(see below). At the peril of abusing the well-abused parlance of "left-of-boom", this is very much a regulatory boom organizations would be wise to get to the left of as soon and as proactively as possible. Auditors will feast upon organizations that fail to do so in the nearer-than-you-think future. One other note, resources like this podcast featuring Horne and Jason Sproesser are out there, FOR FREE! This is the golden age of excellent cybersecurity podcasts, I hope folks at all levels of the ecosystem are partaking of these great contributions to rise all cyber boats. Section 2.5 - Information Security Policy Information security policy is defined as an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information. In making these decisions, managers face difficult decisions with regard to resource allocation, competing objectives, and organizational strategy, all of which relate to protecting technical and information resources as well as guiding employee behavior. Managers at all levels make choices that can affect policy, with the scope of the policy’s applicability varying according to the scope of the manager’s authority https://lnkd.in/ecNXaets

10

4 Comments

Check out this podcast interview with me just after my TribalNet keynote in Vegas recently. I was asked a random question at the end about the first concert I attended that you might find interesting (and it's not just what's listed in the podcast description). #infosec #CISO #CIO #businessleaders #cybersecurity #podcast #keynotespeaker #backtobasics #rockconcerts #ISAC

5

Classical MFA (multi factor such as OTP and authenticator apps) was easily bypassed by these "Attacker in the middle" Phishing kits. Upgrade to Phishing resistant MFA is no longer an option but must be a top priority for any CISO serious about their security. Remember 90% of cyber attacks start with phishing!

6

Move on over HIPAA, there is a new bill working its way through the Washington red tape machine called "Health Infrastructure Security and Accountability Act". Since pretty much all of our health and personal data has already been leaked by inadequate data collectors, some lawmakers decided it was time to act. They are 20 years too late but it's election season so they need to pull out all the stops. HISAA (sounds 'gangsta' doesn't it) has civil penalties for all those health data grabbers out there who don't comply (and get caught) with HISAA requirements. These include: No knowledge – Minimum of $500 Reasonable cause – Minimum of $5,000 Willful neglect (Corrected) – Minimum of $50,000 Willful neglect (Uncorrected) – Minimum of $250,000 Yes, one "reasonable cause" will cost them a month's mortgage payment (4 bedroom, 2 bath, detached garage), which will be passed down to you, the patient, in one form or another. You can compare this bill to the ole SOX Act but for health care. The bill includes checklists, audits, stress test (pen test sorta) and someplace where the CEO has to sign off on the compliance thingy. Health care organizations have 3 years to figure out ways around the bill before they need to worry, once this bill is passed (if it is passed). $800 million of taxpayer cash will be given to Medicare safe providers to help them figure out how data security works. Then there is another $500 million of TaxO'Cash to " incentivize all hospitals" to adopt data security. I've attached a two page summary of HISAA so you too can gasp in horror at how our government thinks. Happy Halloween https://lnkd.in/gmyyCxhe

9

1 Comment

Imagine being at the forefront 🚀 yet lagging in essentials.❌ XARF, which stands for Extended Abuse Reporting Format, is gaining popularity as the new standard for handling abuse reports.📊 It's not just a new standard, it's also becoming essential for effective digital communication📱 and security🔒. With dozens of reporters and hundreds of abuse teams already using it.👥 This is not just about adopting a format for Hosting Providers and other service providers. It's about commitment to safety, efficiency, and responsibility.🔐 If your systems balk at handling XARF or flinch at attachments in ARF or ACNS, it's more than a technical glitch.⚠️ It's a failure to meet the basic standards of your role in the digital ecosystem.⚡ Not being able to process these reports isn't a tiny oversight; it's a glaring gap in your capability to safeguard your network and, by extension, your users.👨‍💻 In a world where digital security is paramount, being unprepared is inexcusable.❗ Upgrade, adapt, and take action.📲 Your network's safety and users' trust depend on it.💼 Let's not wait for sympathy.🕓 Let's strive for excellence.🌟 Your move.🎯 What's it going to be?

11

⚡️Some domains likely used by #transparentTribe #APT36 counciling[.]com nbssedelhi[.]org ashifdigitalseva[.]xyz birthdeath[.]in gov-certificate[.]com viewss[.]click admin-mcas-df[.]ms admin-mcas[.]ms mcas-df[.]ms mcas[.]ms verifycertificate[.]info nimsme[.]org

1

1 Comment

Over the past four years, President Joe Biden’s administration has made cybersecurity a top priority within the federal government. This includes focusing on threats from nation-state actors, countering ransomware, developing artificial intelligence guidelines, and pushing private companies and agencies to develop and deploy more secure code. The Biden White House has also sought to make hiring tech professionals for thousands of open cybersecurity positions a bigger priority for private companies and federal agencies. With President-elect Donald Trump set to return to the White House in January 2025, the new administration will likely take a different view of the nation’s cybersecurity policies and how agencies respond to threats. #cybersecurity #CISA #Trump

3

While a major crisis was averted, the disclosures may open up needed conversations about transparency and coordination, according to researchers. The open-source community took a moment to exhale over the weekend, as security researchers dialed back initial fears of an existential crisis for Linux systems related to critical vulnerabilities in the Common Unix Printing System. The CUPS vulnerability could allow an attacker to take control of a vulnerable system when a user launches a print job. However, despite initial comparisons to 2021’s Log4j crisis, researchers said the level of user interaction made this case far less concerning. “Celebrity vulnerabilities certainly continue to make an impact in news cycles, but they don’t always overlap with whether they warrant an emergency response from organizations,” Erik Nost, senior analyst at Forrester, said via email. The flaws, listed as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, can allow an attacker to replace IPP URLs on a printer with a malicious version and then execute commands. #cyberriskmanagement #threatinformeddefense #thirdpartyriskmanagement #supplychainsecurity #SBOM #AIBOM #GRC #cyberinsurance

5

New study finds uptick in cybersecurity disclosers due to new SEC requirements. Still, few detail the material impact of these events. More work and clarity are needed. https://lnkd.in/gQ2paXVs #cybersecurity #infosec #SEC #disclosure

7

📌 Q: How can I evidence compliance with NIST SP 800-171? A: Conduct your NIST 800-171 self-assessment. The assessment should be done according to NIST SP 800-171A. That methodology will result in a self-assessment score, which must be submitted via the DoD’s SPRS portal. The goal is an SPRS score of 110 v/ PreVeil Cc: Chris Petersen | Keith Dobbs | Chuck Brooks | Jason Thomas #cloud #cloudsecurity #cloudai #cyberai

17