Cyber Security During A Merger or Acquisition

Originally posted on October 14, 2020 @ 4:50 pm

In my professional career, I’ve seen several mergers and acquisitions from the inside. Whether it was from the acquiring company or acquired, as an individual contributor, manager or executive, each had one thing specifically in common: it was the most dangerous time for both organizations’ information and data.  Long before any public announcement, there are a lot of moving parts to make the M&A happen, Leadership from both companies, IT professionals  and security for both companies are directly involved.  Then there are all the people unofficially “in the loop” who happen to be connected directly to the pulse of the companies. After the announcement, there are the usual suspects interested in the announcements, competitors, bankers, lawyers, etc.  But in addition, to the legitimate and expected interested parties, hackers are paying attention to any changes to your organization.

Managing risk during M&A activities can be a full time job.  There are many factors and motivations to consider, not to mention the rapidly changing environment as two different companies and cultures collide. Step usually taken to minimize or reassign risk are signing non-disclosure agreements (NDA), implementing corporate communication firewalls (not the network device), and insurance. There are many threats associated with an M&A, some external, other’s internal, some risks you’ll just have to accept, other’s you can take steps to mitigate or eliminate. In addition to mitigation, there are ways to significantly reduce certain internal risks associated with the M&A activity.

Internal threats are those within an organization, and can be looked at in two broad categories, unintentional and intentional. The intentional threats are no different than what might be included in a typical insider threat program and under normal operating procedures so I’ll not address them here.  The unintentional threats primarily occur through poor or limited communications.  The unique environment created by M&A makes your organization ripe for phishing and social engineering attacks.  Generally, people are unsure of who’s in charge, who has organizational authority, and where responsibility lies.  This uncertainty, creates an opportunity for attackers to use various attack vectors to compromise your new company.

Given the complexities, uncertainties and issues surrounding information security during an M&A, there are some practical solutions that can make a significant impact to these internal threats.

  1. Publish the high level corporate structure as soon as possible. The sooner your employees understand at least the high level structure, the faster they will understand who should have information and where corporate authorities lie.
  2. Establish a process for validating requests by the transition team and senior leadership. Any requests for PII, money transfers or other corporate decisions should be validated by multiple methods, E-mail, phone, face to face, etc. No single communication should trusted.
  3. NEVER use an e-mail or phone number that isn’t validated through the corporate Global Address List (GAL) or directory to provide any corporate data. A common practice is to request the victim to call the hacker on a different number to validate the request, giving the victim a false sense of security.
  4. Train your employees to question all visitors to your facilities, work with security to issue badges for all new employee’s immediately. It is too easy for an attacker to impersonate an employee of the partner company and wander around the new office, asking questions, getting printouts and files.

Remember, during M&A everyone is nervous, people worry about their jobs, they are trying to impress their new management or just save their jobs.  This nervousness can lead to mistakes or major data breaches.  Keep vigilant, communicate across the organization and establish rules to validate requests and you can avoid some of the most common pitfalls of data protection during a merger or acquisition.

Will SolarWinds become the new CCleaner?

Originally posted on December 16, 2020 @ 6:19 pm

New Evidence Suggests SolarWinds’ Codebase Was Hacked to Inject Backdoor

As a Cyber Security professional for over 25 years I’ve seen a lot over the years.  One thing that stands out is the hack of CCLeaner in 2017.  Which appears now to have some similarities to the SolarWinds compromise.  The result of the CCLeaner compromise has had lasting effects.  Anyone who participates in CyberPatriot knows, CCLeaner is one of the first things to be removed from an image as it’s assumed to be compromised.

With this new evidence, will SolarWinds become the next security tool that’s considered more of a risk to run it than to not?

http://feedproxy.google.com/~r/TheHackersNews/~3/HPHQs0YyzEs/new-evidence-suggests-solarwinds.html

Baking in Cyber Security through Cyber Patriot

Originally posted on August 11, 2020 @ 11:04 pm

I’m sitting here in the airport after finishing a 1 week Risk Management Framework (RMF) Security Controls Assessment (SCA) and reflecting on the week.  This week the team and I reviewed nearly 30 hosts and over 3000 individual controls.  I remember throughout the week there were many times thinking “this is pretty basic stuff, why aren’t they (the client) following the security guidance?.” and I remember that to many system administrators security isn’t “baked in” like we’ve always claimed it should be.  It also underscores the need to get more Information Technology (IT) professionals trained in cyber security.  That’s why Cyber Centurion is proud to sponsor Civil Air Patrol NC-162 Squadron’s first CyberPatriot Team.

CyberPatriot is the National Youth Cyber Education Program created by the Air Force Association to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines critical to our nation’s future.  At the core of the program is the National Youth Cyber Defense Competition, the nation’s largest cyber defense competition that puts high school and middle school students in charge of securing virtual networks.

The cadets on our team, who range in age from 13-16 began practice in April with basic computer skills and cyber hygiene concepts.  Over the past several months they’ve progress through the basic materials absorbing the information at an incredible pace.  For many, this is their first exposure to managing operating systems and advanced concepts of computer security.  They are excited to begin their first scored round and put their knowledge to the test.

Throughout the week, there were many times that I thought: “Gee, I wish ‘R’ was here.  He could do this in his sleep” or “Wow ‘E’ would have known what to make this setting” or “I wish ‘A’ was here to explain why the system needs to be configured this way”.  I highlight these examples because the cadets in this program have in most cases at least 7 years before they’re in the workforce.  Regardless of what they do in their careers, many will stay close to technology and one thing I am sure of; with these cadets I know security will be baked into whatever they do!

The competition round begins this coming weekend, October 25-27, 2019.  If you are so inclined check out the Cyber Patriot website (www.uscyberpatriot.org) or your local Civil Air Patrol (https://www.gocivilairpatrol.com/) both are great organizations for engaging our youth in Cyber Security and Aerospace Engineering.  If you don’t have a local team or squadron, reach out to me, most of the cyber security training I do with our cadets is virtual and I’m always looking for help!

Workforce diversity and growth starts early, and with you!

Originally posted on August 5, 2020 @ 1:56 pm

At RSA this year there was a big focus on diversity in the workforce.  There were many sessions about how to increase women and minorities in the workforce.  I attended most with hopes of gaining insights on not only how to hire these demographics but ALL demographics.  In my last session of the week, one of the panelists said what I’ve been thinking all week.   “ I’m lucky to get 2 resumes’ to choose from, diversity never enters my mind.  I’m focused on what’s between the eyes and back of the head!” I paraphrased a little but that’s the gist. 

Depending on which website you read (and when) the shortage of Cyber professionals is somewhere between 500K and 3.5Million.  That means that Cyber security is one of the few professions today with 0% unemployment.  According to investopia.com “In 2016, there were 1 million job openings, with two openings for every available job candidate. The rapid job growth is expected to reach 1.5 million positions by 2019.”  From other research I expect we will exceed that 1.5 million and by 2021 be closer to 3.5 million.

As of 2017 there were 780,000 cyber professionals in the U.S. with about 350,000 openings.   The sessions I was in this week talked about increasing the female workforce from 10% to 20% or more.  So that means the speakers were advocating moving from 78,000 women in the workforce to 156,000 still leaving nearly 200K in unfilled positions (there are a lot or assumptions in these numbers, I know.) That still doesn’t close the gap in positions to talent.  We need to be looking at other areas and at building the “pipeline” of candidates.

In my mind, one of our biggest challenges is that our career field is 100% in the abstract.  If your child wants to be a Doctor, she knows she’ll be working with people, things she can touch.  Or if they’re goal is to be a lawyer, they know they’re helping people.  But lets face it, cyber security professionals, no matter what the specialty, work in the abstract. We don’t build anything, we don’t create software or apps (that’s left to the developers), we don’t arrest people (that’s the FBI and other Law Enforcement Officers), in my daughter’s mind all we do is sit in meetings and stare at screens all day long!  Maybe we make a few phone calls.  How do you attract the upcoming generation to such a boring career?  We’re not Kate Libby (Angelina Jolie) and Dade Murphy (Johnny Lee Miller) in Hackers, or Neo (Keanu Reeves) and Trinity (Carrie-Anne Moss) in the Matrix. Heck we’re not even Elliot Alderson (Rami Malek) or Darlene Alderson (Carly Chaikin) in Mr. Robot.  BTW that’s one of the most realistic ‘hacker’ programs coming from Hollywood I’ve seen).

So, how do we attract new talent to such an abstract and boring profession?  Part of it is the money.  A friend from a long time ago told me that the only requirement she would place on her daughter going to school is that whatever the daughter majored in, she could make a living on.  With Cyber Security, regardless of the discipline, the rising professionals can make a living, with 0% unemployment they can make a good living!  The other part is education, people think that only the smartest people on the planet can do cyber security “stuff”.  Yes, you have to be smart, but we all started at the bottom and worked our way up building our knowledge.  No one is born as a cyber guru we all need to be taught and mentored.

Where was I going with this?  Well if you’re reading this, chances are you’re a cyber security professional.  I encourage everyone who sees this to get involved at the level closest to the children that your comfortable with.  What does that mean?  If you’ve got children, get involved.  The GirlScouts have a cyber badge now,  your school likely has a CyberPatriot Program (if they don’t, start one),  take your kids/grandkids to work, show them what you do. 

If you’re a manager of people within your organization, get to know your staff.  See what they’re interested in.  If they’ve got the drive and desire to move up and into the cyber security profession, encourage it.  One of the many success stories I’ve seen is someone who’ve moved from Administrative Assistant to Information Security Engineer.  She came back to the workforce after having children and knew she wanted to do more than manage someone’s calendar.  She came back into an entry level position and got the training and certifications to move up in the organization.  She took advantage of the training and education benefits of the company and is a highly successful Information Security Engineer. 

The workforce problem isn’t just a one dimensional problem, as cyber professionals, take the lead and start working with youth to “build” the pipeline.  If your kids are grown, work with the local HS, College, Civil Air Patrol, JROTC, Girl Scouts, Boy Scouts etc.  Your example can help built the next generation of cyber professionals.

Looking for people who want to make a difference

Originally posted on April 1, 2021 @ 4:25 pm

If you’ve got the skills and desire to make a difference in the security and mission of our military and IC clients then we’ve got the opportunities for you. 

Checkout our hot jobs:

HOT – Senior Data Scientist – HOT

HOT – Data Scientist – HOT

HOT – Computer Engineer, Data Systems – HOT

HOT- Computer Scientist, Data Analysis – HOT

HOT – Computer Engineer, Data Administration – HOT

What are you risking on public WiFi?

Originally posted on July 14, 2020 @ 7:23 pm

We’ve all been tempted at one time or another to connect to that public WiFi connection at the airport, Starbucks or the hotel. Whether it’s because you’ve reached your data plan limit, or the cellular signal is just too poor to get a decent data rate it; crosses everyone’s mind from time to time. That’s a dangerous decision that many people make every day without thinking of the potential consequences and inherent risks.

Public WiFi, by definition, is easy for the public to access and use. Because of that, administrators rarely put significant security in place to protect the users connecting to their networks.  The danger of connecting to the public WiFi is who’s listening.  The technical term is Man-in-the-Middle (MiTM) attack. A MiTM attack is where an attacker intercepts the communication between two parties and sometimes alters it or uses it (in the case of username and password) later. When connecting to your corporate WiFi network, there is generally more security including stronger passwords, and encryption for those who access the system. On your home network you are protected by the passwords and encryption you’ve setup on the network and the number of users who can physically connect to your network (based on proximity).  Of course, if you live in a Condo, TownHouse or Apartment, there are many more people who can receive the WiFi signal than if you live in a single family home, but I’ll discuss home/corporate WiFi security at another time.

A real world example of a MiTM attack was uncovered by Kaspersky Lab in 2014 called “Dark Hotel”.  Dark Hotel operated for more than seven years before being discovered and is believed to be a sophisticated economic espionage campaign by an unknown country. Dark Hotel targeted CEOs, government agencies, U.S. executives, and other high-value targets while they were in Asia. When executives connected to their luxury hotel’s WiFi network and downloaded what they believed were regular software updates, their devices were infected with malware. This malware could sit inactive and undetected for several months before being remotely accessed to obtain sensitive information on the device.

This all sounds terrible and I HIGHLY recommend, NEVER connect to a public WiFi. But I know that sometimes it is just impractical to do anything else.  So if you must connect, here are some precautions and recommendations:

  1. Don’t do online shopping, log into your financial institution or other sensitive activities on public networks.
  2. Use 2-factor authentication when logging into sites when possible (including Gmail).  2-factor authentication ensures that malicious users cannot log into your account at a later time without both authentication mechanisms (like your password and cell phone)
  3. Whenever possible, use HTTPS for websites.  It encrypts the data and makes you a harder target.
  4. Turn off File sharing, automatic connections, and other services that would transmit your password or open you up to an attack.
  5. Use a Virtual Private Network (VPN) service.  This encrypts your data from the computer to another device on the Internet and ensures that no one connected to the local network can eavesdrop on your communications.

Even doing all of these steps could still result in a compromise when connecting to a public network if someone is determined to attack your device.  Implementing these steps will ensure that you’re more protected and a harder target than the guy sipping the latte next to you and hopefully, the attacker will go after them instead. Your best bet is to buy a MiFi, implement personal hotspot capabilities on your cellular phone or buy an unlimited data plan so you don’t have to use someone else’s network to get to the Internet or other online resource.

Travel Safely this Holiday!

We’re entering one of the busiest travel weekends of the year within the US. With traveling and the stress of family, the last thing anyone wants to worry about is identity theft and cyber security. Here are a few tips that will help keep you secure while traveling.

1. Disable wireless connectivity (Wi-Fi and Bluetooth)
You’re wireless devices can provide hackers with valuable information that can lead to identity theft, or even worse physical theft. Your wireless connections can beacon where you’ve been, your home Wi-Fi information, the type of headphones you use, etc. This information can help physically identify you in a crowd which could be dangerous.

2. Don’t use public Wi-Fi, if possible.
Public WiFi, by definition, is easy for the public to access and use. Because of that, administrators rarely put significant security in place to protect the users connecting to their networks. The danger of connecting to the public WiFi is who’s listening. The technical term is Man-in-the-Middle (MiTM) attack. A MiTM attack is where an attacker intercepts the communication between two parties and sometimes alters it or uses it (in the case of username and password) later. When connecting to your corporate WiFi network, there is generally more security including stronger passwords, and encryption for those who access the system. On your home network you are protected by the passwords and encryption you’ve setup on the network and the number of users who can physically connect to your network (based on proximity).

3. Disable Auto-Connect
Auto-Connect is the feature that when your wireless network is on, it automatically connects to networks you’ve connected to in the past. Hackers can impersonate global networks and trick you into connecting to their network and compromise your computer.

4. Minimize or turn off location sharing
Location sharing on your phone enables applications to report on where you’re located. This can provide bad-guys with information that you’re away from home and traveling, leaving your house vulnerable to break-in or theft. That really hand app that reminds you where your car is parked, also could remind a car thief as well.

5. Install Anti-Virus Protection

This should be standard regardless of whether or not your traveling.

6. Update Operating Systems
Operating system developers routinely develop fixes to security problems, instability and functionality. It is always a good idea to implement patches offered by your OS manufacturer. The key is when upgrading, make sure the patch/update is directly from your manufacturer. Check the website before downloading, check to make sure it’s a valid site and the vendor is publishing information about the specific patch. If there’s some question, do a little more digging and you’ll easily find whether or not it is legit.

7. Don’t update social media with location information
I know everyone wants to share the good times they’re having on vacation, but just like location services, it can lead criminals to you or inform them you’re not home. It can also provide photos and videos to unwanted viewers. Instead of uploading your photos in real time (during the vacation), upload them when you get home. Make sure you also lock down who can see and share your photos.