Musings of an Aging Workhorse

By J. Estes December 11, 2020
For well over a year now, COVID-19 has been the global headline. The pandemic has forced companies and individuals to adopt new practices such as social distancing, hand washing/surface sanitizing and remote work. Governments are scrambling to ensure the public health and economic stability of their countries. Regardless of the efforts to date, while the world is preoccupied with these threats posed by COVID-19, cybercriminals around the world are exploiting the crisis. Summarized in this article are some of our observations of the cybersecurity impact of COVID-19.

Our research staff, collectively known as Cybertel, has observed an elevated phishing, malspam and ransomware attack tempo as cybercriminals exploit fear around the virus, impersonating brands to mislead employees, contractors, and customers. We believe this will result in many more infected personal computers and mobile devices. Not only are businesses being targeted, but individuals who download COVID-19 related applications are being tricked into downloading ransomware. Employers should immediately take proactive measures to train their staff and contractors to exercise more caution and vigilance when opening links, emails or documents related to COVID-19.

We may be overstating the obvious, but organizations should ensure their intrusion detection and alerting capabilities remain operational while also mitigating the effect of shifting so many workers from on-prem to remote working situations. Internal blue team operations are likely to be impaired due to the pandemic, negatively impacting detection of, and response to, security incidents. Even fundamental security processes like patching will become more challenging, particularly when corporate computing assets are displaced to employees' homes and not necessarily accessible by security teams.
Organizations should evaluate existing defenses and explore the use of co-sourcing with security consultants, especially where key-person risks are identified.

With so many employees working remotely and students learning virtually, enterprise VPNs have been elevated from conveniences to necessities, and their security and availability will be ongoing concerns. We have seen a marked rise in requests for VPN configuration assessments and mitigation services over the last 6 months. Many organizations are realizing that unpreparedness is leading to VPN security misconfiguration that can expose sensitive information to the Internet while simultaneously rendering the corporate network vulnerable to Denial of Service (DoS) attacks.

At least equally risky is the trend to let employees use their personal computers to perform official duties. Without rigorous MDM, configuration management, and network segmentation in place, organizations should not be seduced by the fiscal allure of not buying and maintaining computing resources for remote workers. In most cases the risk is not worth the temporary capital savings.

For decades, organizations have implemented disaster recovery and business continuity plans, but most only consider threats like natural disasters, civil unrest, and utility disruption. Many have not been meaningfully revised since Y2K, and very few contemplated the rapid progression of a global pandemic. We are seeing increased interest, particularly at the enterprise level, in reviewing and revising DR/BC plans to include incident response plans for future pandemics. Companies would be well served to partner with cybersecurity experts in a comprehensive risk assessment that includes supply chain and partner disruption.

The displacement of so many workers from the office to remote working conditions because of the pandemic creates a two-pronged stress on corporate physical security.
Our Red Team practice has experienced a significant rise in requests for physical penetration testing of companies with reduced on-prem staff and of social engineering tests against remote workers. Many office buildings have become more vulnerable to physical penetration due to decreased office and security staffing, reduced hours of occupation, and cutbacks in monitoring. Similarly, remote workers with "cabin fever" may take to their local coffee shop or bistro with laptops for a change of scenery. This increases the risk of theft or compromise of sensitive corporate information from public Wi-Fi networks.

Companies all over the world are reducing their workforce in an effort to mitigate the financial strain of the pandemic. In some countries, individuals and families have lost their livelihoods from the restrictions on movement certain governments have imposed. We believe these events will inevitably create more cybercriminals as displaced and disaffected workers with Internet access see an opportunity to make a living out of this pandemic. Employers that lay off staff should enforce proper exit plans. As the percentage of "inside job" security incidents continues to rise, employers should consider the investment in job retraining and placement assistance to displaced employees as a risk mitigation means.

A year in, and we're discovering more security implications of the pandemic almost weekly. The threat space is rapidly changing but the fundamentals of risk reduction and incident mitigation are still relevant. Please reach out to us with questions or concerns about your company's cybersecurity preparedness, and check back for more blogs about the evolving cybersecurity landscape. Thanks for reading!
By J. Estes August 30, 2019
I pray that there's a special rung in Hell, with an entire theme park of eternal pain awaiting whomever the asshat is that coined "impactful." Every time I hear it, I want to claw the eyes out of the speaker. Immersion in the unchecked cesspool of adulterated business jargon is one of the most loathsome aspects of my occupation. If there was a real Orwellian Room 101, mine would contain a PC, with Outlook open (with Clippy, of course) to a never-ending, buzzword-laden email entitled "Socializing the Synergy." The Thought Police would put those A Clockwork Orange eye opener things in my head and I'd be compelled to read it until I succumbed.

That said, I appreciate that there are certain words appropriated as a sort of business "shorthand" shared among employees that are legitimate because they are more concise than other expressions, they have at least a modicum of onomatopoeia, and the act of using them appropriately instantly conveys that you are on the team. Medicine and military aviation are laden with such words because a worthy purpose is served when using them. You need to convey some information as concisely as possible and the florid expressions are so much greater than the sum of their parts. That's argot, and it works. "Circle the wagons meeting" is not, and it does not.

I got to thinking about the malignant proliferation of buzzwords in reading an opinion piece by André Spicer, who is a professor of organizational behavior at City University of London. In it, he opined that buzzwords serve specific social purposes. "Jargon is often used for what economists call 'signaling' in the workplace. Expensive packaging for products sends a signal that what is inside is high-quality. The latest business buzzwords are supposed to send a signal that the person using them is an up to date expert. Using buzzwords can make you look like you are an expert in an area you are not. It is easier to copy the language than to understand the deep knowledge behind it.
Also we want to appear as if we are up-to-date. By using the latest buzzwords, we [show] that we are 'keeping up' - even though our practices may not have changed. They can also signal you are part of the tribe. If everyone else is talking about 'thinking outside the box', then using that phrase shows that you fit in."

He continues: "The problem is that general business jargon often covers up a lack of underlying knowledge about a particular issue. It is a way people can sound like they have nouse while simultaneously remaining vague and noncommittal."

I think he's right. I'm neither a grammar Nazi nor a diction snob, but I do pride myself on a functional vocabulary and I view the excessive use of buzzwords as proof the speaker does not. I admit to swooning when I hear someone utter sentences that don't end in prepositions. The Digital Age has harkened a dark era for the art of professional expression and I think we should value it more, if for no other reason than articulate corporate communication differentiates your product. Using words like "thought leader" and "change agent" in your LinkedIn profile makes me think you're trying to conceal the fact that you're unemployed.