My son, the hacker, and the lessons I learned 

Despite the thousands of cybersecurity products on the market today, most business leaders do not understand their true cybersecurity risk or who their potential attackers are. Most think they’re not much of a target at all. They understand that they have to budget for certain protections such as antivirus or firewalls, but once they’ve metaphorically locked the doors and windows, they think they are done. In fact, this lack of understanding of the true risk and who the attackers are is driving complacency, ineffective spending and financial losses. 

2024 is on track to be the costliest year for cybersecurity-related incidents. Official reporting from the FBI shows that in the US, losses grew from $3.5 billion in 2019 to $12.5 billion in 2023. This year we saw an Illinois hospital permanently close because of ransomware, and countless high-profile incidents like MGM Casino, Caesars Palace as well as AT&T and Change Healthcare. This week we learned the seminal brand Stoli Vodka has filed for bankruptcy, due in part to a ransomware attack. But we also know thousands of small organizations were impacted, like this Reddit account of a small law firm in Connecticut that closed its doors forever after 30+ years in business. 

As a leader, if you don’t understand the underlying problem, you’re unlikely to fully address it. I’m reminded of this every day in my own home life. I assumed protecting my kids from the dangers of the Internet would be relatively easy for me compared to my friends and non-technical counterparts. I know all the tools and how to set them up to filter Internet content and control my devices. In much the same way that businesses fail to understand their risks and adversaries, I had failed to account for my son’s determination, ingenuity and resources (knowledge, Internet and time). He consistently and repeatedly circumvented the limits and systems I had put in place. 

In 6th grade we gave my son a smartphone. We wrote up a contract about responsibility and acceptable use and the risks posed by social media and the Internet. Additionally, we set up parental controls to limit apps, inappropriate content and the amount of time he could spend on different apps and sites. Lastly, I had put a business-class firewall in my home to filter and control the Internet. I was busy congratulating myself and pitying the fools who weren’t as smart as me. I had secured my home technology kingdom, and I thought I was done! 

The first thing he did was realize that if he embedded URL links in Google Docs, which was allowed because he needed it for school, he could open whatever links he wanted in an embedded browser window that would circumvent the parental controls and time limits in place. Next, he realized I had no way of controlling the hotspot on his phone. So, he would connect his computer or our TVs to his hotspot to get around all of my limits. As I ran around scrambling to patch the holes, he continued to find the “bugs.” One day, after checking his screen time reports, I noticed he was spending a lot of time with the Files app, the program used to browse and open documents on the iPhone. Apparently he had figured out that by embedding URLs in the Files app, he could again circumvent my controls. Lastly, he realized that he could cover his tracks by deleting incriminating files on his phone and then restoring them from the trash when he wanted to access them. He could continue to do this as long as he restored them within the 30-day permanent deletion retention period. 

There is a great talk published on YouTube that I highly recommend for business leaders. It’s only 30 minutes and if you watch it at 2x speed, like my children would, you could get through it in only 15 minutes. In the video researcher Selena Larson tries to dispel the misguided focus of businesses and cyber professionals on APT or government threat actors as the greatest risk. She argues that this is a distraction and provides a false sense of security. She describes a criminal ecosystem that supports both government and non-government threat actors working like any legitimate industry driven by money and endless opportunity. As we learn about the illicit ransomware industry, we learn that it doesn’t matter what type of business you are or how small or large you are, you are a target of equal significance to this criminal industry. 

If we take the example of my son, had I not monitored his screen time regularly, I wouldn’t have noticed the unusually high usage of an unlikely program, the Files app. This cued me into the fact that he was doing something unexpected. If this sounds expensive and time consuming for a business whose focus is making widgets, you’re right. But over the last 30 years businesses have been enjoying the productivity and cost savings of automation, computers and cloud computing. Now, with the explosion of AI and large language models, it will only get more efficient. We have to invest some of that efficiency into understanding the business risks fully and developing effective cybersecurity programs. 

Cybersecurity is not just about implementing tools or locking digital doors; it’s about understanding the risks, the attackers, and the ever-evolving threat landscape. My experience with my son highlights how a determined individual, armed with time and ingenuity, can outmaneuver even the most carefully implemented defenses if risks are not fully anticipated. For businesses, the lesson is clear: a static approach to security is insufficient. Success requires continuous monitoring, adaptability, and a deep understanding of both risks and adversaries. By investing in comprehensive cybersecurity strategies, businesses can safeguard themselves from the devastating consequences of cyberattacks and build resilience in an increasingly connected world. 

Maybe the greatest security risk to your business that no one is talking about 

Do you or your staff use Virtual Assistants (VAs)? Using VAs is great, but if you don’t have good security controls, you may be putting yourself, your staff and your organization at serious risk.  

My daughter came home with an assignment to explore human nature and different philosophical perspectives. As I reflected on that conversation, which in true teenage fashion she quickly told me she was done with, I started to think about a common situation we have addressed with many clients and wondered, do all these business execs believe in the innate goodness of people? That certainly is a much kinder way to understand their choices. 

A quick Google search reveals many online resources and people extolling the benefits of overseas VAs, including flexibility, availability and cost. Many of these resources have brief notices about security and privacy considerations. Many suggest that having proper due diligence and contracts in place are good mitigations to risks. However, the technical details of how to properly protect data and privacy are never disclosed or discussed. This article from US News has a small four-sentence expandable blurb at the end that simply suggests choosing a reputable service is the best way to protect yourself. 

Using an overseas VA is not necessarily a bad idea. VAs can be a very powerful tool for businesses and individuals. However, in order to avoid a serious data security or financial disaster, it is critical to understand what your risks are and how to mitigate them.   

One day we got an alert for one of our clients, who is in a regulated industry. The alert was about improbable geographic access to one of their Microsoft 365 mailboxes. Upon investigation, it turned out that a salesperson had hired an overseas VA to help manage their calendar and sales efforts. The salesperson had shared their credentials and MFA with an unvetted foreign agent and potentially provided access to legally protected data. This was a clear violation of their security policy. 
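The alert described above is the kind an "improbable travel" rule produces: two sign-ins to the same account from places too far apart for the time between them. As an added illustration, not the client's tooling and not Microsoft's own detection logic, here is the core of such a check run over a few constructed Microsoft 365-style sign-in records. The speed threshold, the minimum time gap, the sample cities and the coordinates are assumptions made for the example.

```python
"""Flag consecutive sign-ins for one account that imply impossible travel.

Added example: the records below are constructed, and the threshold values
are assumptions, not values from any vendor's product.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Iterable

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed: just above airliner cruise speed
MIN_GAP_SECONDS = 60.0            # assumed: floor so near-simultaneous events still get a finite speed


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime   # timezone-aware, as sign-in logs normally are
    lat: float
    lon: float
    city: str        # label only, carried into the finding for the analyst


@dataclass(frozen=True)
class Finding:
    user: str
    previous: SignIn
    current: SignIn
    distance_km: float
    implied_speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points; handles the date line correctly."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def improbable_travel(events: Iterable[SignIn]) -> list[Finding]:
    """Return one Finding per consecutive sign-in pair whose implied speed is implausible."""
    by_user: dict[str, list[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    findings: list[Finding] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)  # logs are not guaranteed to arrive in order
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            # Clamp the gap: two distant sign-ins seconds apart are still impossible,
            # and the clamp avoids a division by zero on identical timestamps.
            gap_s = max((cur.when - prev.when).total_seconds(), MIN_GAP_SECONDS)
            speed = dist / (gap_s / 3600.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append(Finding(user, prev, cur, dist, speed))
    return findings


def utc(y: int, m: int, d: int, hh: int, mm: int) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample: alice's Boston -> New York hop is ordinary; the New York ->
# Manila hop 40 minutes later is not. bob stays in one city the whole time.
SAMPLE_EVENTS = [
    SignIn("alice", utc(2024, 11, 18, 9, 0), 42.3601, -71.0589, "Boston"),
    SignIn("alice", utc(2024, 11, 18, 12, 0), 40.7128, -74.0060, "New York"),
    SignIn("alice", utc(2024, 11, 18, 12, 40), 14.5995, 120.9842, "Manila"),
    SignIn("bob", utc(2024, 11, 18, 8, 30), 51.5074, -0.1278, "London"),
    SignIn("bob", utc(2024, 11, 18, 9, 30), 51.5074, -0.1278, "London"),
]


def describe(f: Finding) -> str:
    return (f"{f.user}: {f.previous.city} -> {f.current.city}, "
            f"{f.distance_km:,.0f} km in "
            f"{(f.current.when - f.previous.when).total_seconds() / 60:.0f} min "
            f"(~{f.implied_speed_kmh:,.0f} km/h)")


if __name__ == "__main__":
    for finding in improbable_travel(SAMPLE_EVENTS):
        print(describe(finding))
```

A finding like this is a cue to investigate, not proof of compromise: VPN egress points and mobile carrier routing both produce legitimate long jumps, which is why the investigation in the story, rather than the alert itself, established that credentials had been shared.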

Despite having gone through training on the company’s security policies and participating in regular cybersecurity awareness training, this salesperson seemingly didn’t know that what they were doing was wrong. Perhaps they just didn’t care? Or perhaps the lure of what the VA offered was just too compelling: a widely used, cheap, effective sales support tool. Or maybe they just believed in the innate goodness of people? Surprisingly, we see this all the time. People are too willing to give up their privacy and security for free or inexpensive products and services. Gmail is a clear example of this! 

It isn’t just salespeople; it’s the C-suite too. Outsourcing administrative work to inexpensive overseas staff is very common. We have clients ranging from plumbers to data analytics companies and insurance agencies that have outsourced executive assistant and administrative roles to overseas VAs. 

What many people fail to realize is that granting a stranger access to your email is not only against most company policies, but also a very bad idea. In 2023, the FBI reported $12.5 billion in losses from US firms due to fraud and cybercrime. Of that, $2.9 billion was related to Business Email Compromise (BEC). For most businesses, email is a critical system that provides significant access to other systems, files, people and resources. This is why email systems are a favorite target for attackers. They stand to gain significant levels of access and are able to use that access to establish authority with other victims.  

In another recent example, we advised a client whose use of an overseas VA would have allowed the VA to easily impersonate, defraud and damage the client’s business. In our discussions with them, they revealed that they had set up an Apple iPad for their VA, through which the VA had complete access to their personal Apple ID, phone records and text messages. They were using the VA to help with administrative tasks including responding to emails and text messages. With access to the person’s Apple ID, this complete stranger on the other side of the world had access to personal photos, access to financial resources such as Apple Pay, mobile banking, and access to sensitive data stored throughout their Apple account. They even knew the client’s location information! What’s more, the VA’s access included knowledge of the device PIN. The device PIN is a form of identity verification for Apple and is used to encrypt iMessages. 

Many of these VA services are located outside the US, beyond the jurisdiction of the US legal system. If you don’t have the time and resources to hire someone locally, you probably don’t have the time and resources to chase down an overseas fraudster. So even if your overseas VA was caught doing something illicit or immoral, there is little recourse, and navigating a foreign legal system can be challenging and costly. 

It is astounding to me the way in which people are circumventing their own security policies to take advantage of low-cost efficiency tools. Those policies are in place for a reason. If I were North Korea’s Kim Jong Un or Russia’s Vladimir Putin, why spend the time and resources breaking into systems around the world when all you have to do is ask? They could set up inexpensive overseas VA shops, charge reasonable rates and wait for their victims to open their doors to them! In fact, this is already happening. It has recently been reported that North Korean employees are infiltrating western companies, a slight twist on the VA angle I’m describing.

So, when you’re ready to engage your VA, you don’t have to solve the age-old question of human nature. You just need to do some planning. Take the time to understand what systems or resources your VA will need access to in order to perform their role. Determine if company policies or laws limit what data and systems they can access. Finally, work with your IT and/or security team to put the necessary controls around their access, with appropriate monitoring. If you take the time to plan appropriately, you can help avoid a costly and disruptive breach. 

Who is left holding the bag?

In the march towards the November election and all the high-profile headlines, there is little room for a thoughtful discussion around the never-ending unpleasant cybersecurity news. In fact, many companies like AT&T and Snowflake are thankful for the current environment! At any other time in history, their unprecedented system compromises and data leaks would normally dominate the headlines for weeks. 

I have attempted to write this blog post at least three times since the middle of July. First, when AT&T disclosed its massive data breach exposing every customer’s (110 million subscribers) phone and text message activity and geolocation data, I thought, “This is it! A wake-up call! AT&T will have to come clean and face the consequences.” But then the CrowdStrike incident took out large swaths of the internet. AT&T’s executives’ prayers were answered! The implications of their outrageous failures and negligence would be dealt with in the quiet shadows of the endless recriminations of CrowdStrike’s own gross negligence (yes, you read that right, gross negligence). 

Of course that wasn’t the end. Rumors of the National Public Data system compromise had been swirling, and in early August news of the disclosure of 3 billion records containing names, addresses, social security numbers and other private data became public. But that wasn’t the end. There followed a stream of disclosures from other high-profile businesses including ADT, HealthEquity, FBCS, Trello, Rite Aid, and Twilio.

The hard truth is, all of these incidents were avoidable. The excuses are endless, and the “reasonable” explanations are endless. Yes, building secure software and systems is not simple, easy or inexpensive. In the case of CrowdStrike, you will hear people explain away that no system is immune from system failure and how impressive their response and resilience was. In the case of the AT&T data breach, you will hear excuses about “sophisticated foreign threat actors” and their significant resources. They will also point fingers at the hosting provider, Snowflake, for not maintaining a secure-by-default design. 

These are all excuses! None of the scenarios that led to any of these failures are so novel, so creative or so unavoidable that the designers of these systems couldn’t have reasonably anticipated these types of faults and built in appropriate controls and resiliency. The problem is a lack of accountability. There are very few regulations around the building and maintenance of critical business systems and the protection of private data. 

The incentives for businesses and investors reflect the limited financial and legal risks associated with the failure to protect consumer and business data and systems. Businesses are highly incentivized for fast growth and product development based on easy-to-deploy private cloud and SaaS infrastructure. This article on Lawfare does a nice job of exploring the issues. In other mature industries like construction, automotive, airline, food safety and medicine, we do have regulations that help ensure a baseline of safety and standards. 

Building and health codes were born out of tragedies such as fires and disease. As early as the 1680s, cities such as Boston started implementing codes to limit catastrophic fires. It wasn’t until the early 1900s that building codes started to take shape, with the formation of the National Association of Home Builders (NAHB) in 1942. We all now take for granted that our homes are safe, the roads and bridges we drive on are safe and the buildings we conduct business in are safe. 

Food safety standards started to take shape in Massachusetts with the passage of the Massachusetts Act Against Selling Unwholesome Provisions in 1785. In 1862, Abraham Lincoln formed the USDA and FDA. Throughout the twentieth century, several acts were passed to strengthen food safety and transparency. None of us questions the safety of foods we pick up at the grocery store now. 

The standards around IT infrastructure and software design are all over the place, with various standards being established by different federal agencies, states, not-for-profits and for-profit institutions. What’s already in place doesn’t even account for the emergence of AI. In addition, the federal and state regulations that exist around data privacy have few teeth or little enforcement. The US federal government has established regulations around military/DOD contracts, aka CMMC, but they’re too costly and heavy-handed for any practical commercial application. 

While it may seem like the recent CrowdStrike incident or the many other large data breaches are not the same as a building collapse or a foodborne illness resulting in human loss, equally impactful tragedies are taking place as a result. Many businesses and individuals are left holding the bag. Hospitals were unable to perform lifesaving procedures, small businesses have closed or shrunk due to lost or unavailable funds, and individuals have lost their retirements and life savings. These types of failures impact the lives of everyday people. And who will pay? Who will suffer? This week the FTC just imposed a $13 million fine on AT&T, which is a welcome development, but it will neither make its customers whole nor provide a meaningful deterrent to a $122 billion company. Very few businesses will get insurance money to cover their losses due to a myriad of clauses around cyber and business continuity insurance. CrowdStrike’s own terms of service will at best cover the cost of services. 

This is not a problem individuals or businesses can solve for themselves. The truth is that no business could have been fully prepared for CrowdStrike’s failed update or AT&T’s data breach. Some with more resources and better planning will recover more quickly. This is not, as some have suggested, a legitimate opportunity for businesses to practice their incident response plans. 

If we are going to build our society around the fast-evolving technologies of public Cloud, SaaS and AI, we need to have an honest discussion about what the rules are, who’s responsible for what and how we can build a safe and secure future. 

In the absence of these guardrails and standards, the best we can do is teach our clients to make themselves smaller targets: adopt a good security framework like NIST or CIS and go through the exercise of understanding their own risk tolerances and what the costs are to minimize those risks. 

The Roomba Approach to Cybersecurity and Compliance

Imagine that I have a big house with 4 kids, 3 animals, 4 bedrooms and a lot of chaos. It’s a mess. It’s dirty and disorganized. January 1st rolls around and my New Year’s resolution is to get the house organized and clean.

If I were to approach this problem the way so many approach cybersecurity, the first thing I would do is get on the Internet and google “house cleaning technologies.” When I do that, I’d find solutions like iRobot’s Roomba. Boom!! It turns out all I have to do is buy some autonomous AI cleaning tech. This was the first result in my search: https://www.architecturaldigest.com/story/high-tech-cleaning-devices-for-your-home

I purchase an AI-powered vacuum ($1,000), a phone sanitizer ($120), a smart trash can ($200), a smart litter box ($700) and finally an air cleaner ($250). After spending $2,300, my home is actually more cluttered! Despite all the automated smart tech with AI, my house is no cleaner or more organized than it was before my tech buying spree. In fact, it would be worse now because I have more useless stuff lying around!

Alternatively, if I spend the time organizing the first floor, putting away what’s not in use, labeling and getting things off the floor and making sure everyone in the family knows what their role is in keeping the space clean, then I can leverage the Roomba and other technologies to become more effective and efficient.

As with cybersecurity tech, successful and meaningful implementation of the Roomba will require knowing the areas it can clean, setting up guiding barriers and purchasing two Roombas, because it turns out I have a step in the middle of my first floor.

The point is there is no magic Easy Button (not to mix marketing metaphors) in cybersecurity or compliance, despite what all the marketing vaporware tells us. There are a number of vendors advertising automated SOC 2 compliance solutions with Type 1 reports completed in 5 days! Like cleaning one’s house, cybersecurity and compliance require actual elbow grease and a disciplined effort to understand what’s going on in an organization. Only then can you leverage the fancy tech to become more effective and efficient.

Cyber Wellbeing

It’s been over 6 months since my last post, and frankly the time during Covid seems to pass at warp speed! I can’t believe I’m already thinking and planning for the summer! We are making progress in the fight against Covid, vaccines are rolling out, and schools are opening, which has got me thinking more about building my business again.

But overshadowed by my new optimism and all the headlines of the election, the storming of the Capitol and Covid, the last six months have witnessed the most active and destructive cybersecurity events in recent history. The depth and breadth of these attacks is staggering, with implications for our economy and government. We are in a new age of cyber risk for businesses, so we all need to get better prepared to manage and guide our organizations through these new challenges and new growth. Here is just a quick list of what you may have missed…

  • SolarWinds supply chain hack, which affected 18k businesses and multiple government agencies, including Microsoft, Cisco, Amazon, the US Treasury Department, the Department of Commerce and many others. This hack led to the disclosure of untold sensitive and critical data to foreign adversaries and the loss of control of critical government and business networks.
  • Microsoft Exchange hack leading to over 60,000 organizations having their email systems compromised and likely accessed by unauthorized users.
  • Accellion supply chain hack, which led to the compromise of thousands of high-profile businesses and government agencies and the disclosure of personal, privileged and sensitive information around the globe.
  • FireEye systems and data breach leading to disclosure of critical client information, which includes many Fortune 500 companies and government agencies, and included the code to sophisticated testing and cyber espionage tools used by their offensive testing team.
  • SITA systems and data breach exposing personal and sensitive information about airline passengers from over a dozen airlines.
  • Blackbaud systems and data breach compromising their systems and exposing sensitive information about donors and not-for-profits, including healthcare systems, charities, universities and hospitals.
  • and so many more…

To help business owners and managers understand and address these new realities, I recently penned a blog post for Ihloom, Mantra Computing’s sister cybersecurity business, about a new set of business skills we call Cyber Wellbeing. Like many business owners and managers, I am comfortable reviewing my business’s financial wellbeing, knowing where our revenues are, expenses, inventory, sales pipelines, etc. But most business owners and managers have no idea what their current risks are of a debilitating cyber event. What are the costs of preventing a cyber event? What are the costs of being unprepared? Will my cyber insurance cover my losses and ensure continuity of business?

My colleagues and I will be blogging on the Ihloom site and sending out related communications to continue educating business owners and managers on the concepts of business Cyber Wellbeing. If this is something that’s of interest to you, please check out the post and subscribe to our mailing list.

Like many of you, I’m excited about a post-Covid rebirth. However, successfully capitalizing on this new opportunity will require being prepared. As G.I. Joe used to remind me, “Knowing is half the battle!”