Joram Borenstein, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics. Feed last updated Tue, 26 Sep 2023 15:38:21 +0000.

How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud
http://approjects.co.za/?big=en-us/security/blog/2021/08/30/prepare-for-cmmc-compliance-with-microsoft/
Mon, 30 Aug 2021 16:00:20 +0000
DoD and DIB suppliers—see how Microsoft can give your business a competitive edge toward CMMC compliance.

The post How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud appeared first on Microsoft Security Blog.

In 2020, the US Department of Defense (DoD) began the phased rollout of a new framework for protecting their supply chain, known as the defense industrial base (DIB). This new Cybersecurity Maturity Model Certification [1] (CMMC) system requires regular audits that will bolster the security of the DIB, which comprises approximately 350,000 commercial companies producing everything from Abrams tanks, satellites, and Reaper drones down to laptop computers, uniforms, food rations, medical supplies, and much more.

It’s no secret why the DoD would want to tighten security on its supply chain. According to DoD officials, organizations in the DIB are under constant attack both from nation-states and rogue actors seeking sensitive information (like weapon systems designs). Any breach of a DIB contractor not only poses a risk to national security but also results in a significant loss to US taxpayers. According to a 2021 report by CyberSecurity Ventures [2], it’s estimated that cybercrime will cost businesses worldwide $10.5 trillion annually by 2025. Coincidentally, 2025 is the year every business in the DIB will be required to show compliance with CMMC if they want to continue doing business with the Pentagon. Learn more about Microsoft’s CMMC Acceleration Program and leverage these resources to get started on your compliance journey.

How does CMMC work?

While the CMMC Interim Rule allows companies to attest to their compliance with NIST 800-171, the ability to self-attest will eventually be retired. Starting in 2021, a phased-in approach will require DoD contractors to obtain certification from an independent Certified Third-Party Assessor Organization (C3PAO). Certification provides the DoD with the assurance that a contractor (prime or sub) can be trusted to store Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC model is created and managed by the DoD and confers a cybersecurity “maturity”—the efficacy of process and automation of practices—ranging from “basic” to “advanced.”

Far from being a one-and-done checkbox, CMMC compliance is ongoing and must be re-assessed every three years.

Figure 1: The five levels of CMMC.

  • Level 1 certification primarily involves people and processes and is required for any company that deals with FCI not intended for public release. Most DIB suppliers will land in this category. Level 1 aligns best with commercial clouds.
  • Level 3 is required for any company that handles CUI or is bound by International Trade in Arms Regulations (ITAR)—roughly 50,000 DIB contractors. However, market pressure may see some companies certify to Level 3 just for a competitive edge. Level 3 aligns best with government clouds.
  • Level 5 is required for only a small segment of DIB contractors that are most likely to be targeted by advanced persistent threats (APT) and nation-state activity. Level 5 aligns best with government clouds.

Levels 2 and 4 are considered transitional; it’s not expected that contracts will require them.

In September 2021, the DoD will be overseeing 75 pilot contracts adhering to CMMC. By the same time in 2023, that number will reach 250, then up to 479 pilot contracts in 2024. By October 2025, every business in the DIB must be compliant with CMMC.

Microsoft knows compliance

Microsoft has been doing business with the DoD for four decades. Of the 350,000 companies in the DIB, 80 percent are small-to-medium-sized businesses (SMB). So, whether you’re a prime contractor working directly with the DoD, or a smaller subcontractor, Microsoft Office 365 Government plans can provide your business with all the features of Office 365 you expect—but in a segmented government community cloud (GCC). Plus, Microsoft lightens the burden of compliance by encrypting your data and enforcing strict access controls for employees, vendors, and subcontractors.

Microsoft Office 365 Government – GCC High is a sovereign cloud platform located in the Contiguous US (CONUS) that complies with US government requirements for cloud services. Office 365 Government – GCC High is designed specifically for use by the DoD and DIB, requiring that organizations be validated before they can deploy to this cloud. Along with all the expected features and capabilities of Office 365, deploying to GCC High ensures:

  • Your content is segregated from customer content in commercial Office 365 services.
  • Your organization’s content is stored within the US.
  • Access to DIB content is restricted to screened Microsoft personnel who have passed rigorous background checks.
  • Your cloud deployment complies with certifications and accreditations that are required for US public sector customers.

Microsoft Azure Government is a sovereign CONUS cloud platform that also offers hybrid flexibility—customers can maintain some data and functionality on-premises while enabling the broadest level of certifications of any cloud provider. Only US federal, state, local, and tribal governments and their partners have access to this dedicated instance, with operations controlled only by screened US citizens.

Figure 2: Microsoft 365 Government + Azure Government compliance (comparison chart of Microsoft Commercial, M365 GCC, and M365 GCC High).

Though different cloud platforms may have a level of cybersecurity maturity in alignment with CMMC, Microsoft recommends the US Sovereign Cloud with Azure Government and Microsoft 365 Government – GCC High in alignment with CMMC Levels 3 through 5. Microsoft Consulting Services can help you decide on the right platform to enable CMMC compliance for your organization.

Microsoft CMMC Acceleration Program

To help speed your journey to CMMC compliance, our CMMC Acceleration Program provides resources for partners and DIB companies alike. Our goal is to provide a baseline framework that can help close the gap for compliance of infrastructure, applications, and services hosted in Microsoft Azure, Microsoft 365, and Microsoft Dynamics 365. We work with partners and customers to help them mitigate risks and assist tenants with their shared customer responsibility, as well as provide solutions for assessment and certification.

Recent updates to Microsoft CMMC Acceleration Program include:

  • Microsoft Product Placemat for CMMC: an interactive view representing how Microsoft cloud products and services satisfy requirements for CMMC practices.
  • Azure Sentinel CMMC Workbook: provides a mechanism for viewing Microsoft Azure Sentinel log queries from across your Azure environment—Office 365, Teams, Intune, Windows Virtual Desktop, and more—helping you gain better visibility into your cloud architecture while reinforcing CMMC principles across all five maturity levels.
  • Compliance Manager available in commercial and government cloud environments: helps organizations manage CMMC compliance requirements with greater ease and convenience, from taking inventory of data protection risks to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.
  • Azure Policy and blueprint sample for CMMC Level 3: Azure Policy and Azure Blueprints allow organizations to easily establish compliant environments via a centrally managed policy initiative. This helps avoid misconfigurations while practicing consistent resource governance.
  • Quickly deploy DoD STIG-compliant images and visualize compliance using Azure: Security Technical Implementation Guides (STIGs) are secure configuration standards for installation and maintenance of DoD Information Assurance (IA)-enabled devices and systems. The Azure team has created sample solutions using first-party Azure tooling to deliver STIG automation and compliance reporting. Use these quickstart resources.
  • Azure Blueprint for Azure Security Benchmark Foundation: enables developers and security administrators to create hardened environments for their application workloads, helping to implement Zero Trust controls across identities, devices, applications, data, infrastructure, and networks.

No provider can guarantee a positive adjudication, but Microsoft’s CMMC Acceleration Program can help improve your CMMC posture going into a formal review in accordance with CMMC Accreditation Body (AB) standards.

Zero Trust is key to CMMC

Microsoft is experienced in facilitating Zero Trust architectures in federal frameworks, a concept that’s critical to preventing attackers from elevating access within your environment. Zero Trust is built around three basic principles: verify, based on all available data points; use least-privileged access with just-in-time and just-enough-access (JIT/JEA); and assume breach to minimize blast radius and prevent lateral movement. Microsoft employs several references for implementing Zero Trust in federal information systems, including the National Institute of Standards and Technology (NIST) SP 800-207, Trusted Internet Connections (TIC) 3.0, and Continuous Diagnostics and Mitigation (CDM). We view these principles as technology-agnostic and apply them across endpoints, on-premises systems, cloud platforms, and operational technology (OT).

The Azure Sentinel: Zero Trust (TIC 3.0) Workbook provides an overlay of Microsoft security offerings onto Zero Trust models, enabling security analysts and managed security service providers (MSSPs) to gain awareness of their cloud security posture. This workbook features more than 76 control cards aligned to TIC 3.0 security capabilities and can augment security operations center (SOC) efforts through automation, AI, machine learning, query/alerting, visualizations, tailored recommendations, and documentation references. Each panel aligns to a specific control, providing an actionable path to help cover gaps and improve alerting, even incorporating third-party security solutions.

If your organization is interested in pursuing contracts with the DoD or its suppliers, it’s in your interest to be proactive about cybersecurity maturity. To learn more about how Microsoft can help your organization improve your compliance standing, visit our new CMMC homepage.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Cybersecurity Maturity Model Certification, CMMC Accreditation Body.

[2] 2021 Report: Cyberwarfare in the C-Suite, Cybersecurity Ventures, 21 January 2021.

Guarding against supply chain attacks—Part 3: How software becomes compromised
http://approjects.co.za/?big=en-us/security/blog/2020/03/11/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised/
Wed, 11 Mar 2020 16:00:32 +0000
Set a high standard of software assurance with internal teams, partners, and suppliers to reduce your risk of a software supply chain attack.

Do you know all the software your company uses? The software supply chain can be complex and opaque. It’s comprised of software that businesses use to run operations, such as customer relationship management (CRM), enterprise resource planning (ERP), and project management. It also includes the third-party components, libraries, and frameworks that software engineers use to build applications and products. All this software can be difficult to track and can be vulnerable to attack if not known and/or not managed properly.

In the U.S. Department of Defense’s Defense Federal Acquisition Regulation Supplement, a supply chain risk is defined as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.”

If you rely on a web of software providers, it’s important that you understand and mitigate your risk. This Part 3 of our five-part blog series entitled “Guarding against supply chain attacks” illustrates how software supply chain attacks are executed and offers best practices for improving the quality of the software that undergirds your applications and business.

Examples of software supply chain attacks with global reach

Starting in 2012 the industry began to see a marked increase in the number of attacks targeted at software supply chains each year. Like other hacking incidents, a well-executed software supply chain attack can spread rapidly. The following examples weaponized automatic software updates to infect computers in large and small companies in countries all over the world and highlight how they have evolved over time.

  • The Flame malware of 2012 was a nation-state attack that tricked a small number of machines in the Middle East into thinking that a signed update had come from Microsoft’s trusted Windows Update mechanism, when in fact it had not. Flame had 20 modules that could perform a variety of functions. It could turn on your computer’s internal microphone and webcam to record conversations or take screenshots of instant messaging and email. It could also serve as a Bluetooth beacon and tap into other devices in the area to steal info. Believed to come from a nation state, Flame sparked years of copycats. While Flame was a supply chain “emulation” (it only pretended to be trusted), the tactic was studied and adopted by both nation states and criminals, and included noted update attacks like Petya/NotPetya (2017), another nation-state attack, which hit enterprises in over 20 countries. It included the ability to self-propagate (like worms) by building a list of IP addresses to spread to local area networks (LANs) and remote IPs.
  • CCleaner affected 2.3 million computers in 2018, some for more than a month. Nation-state actors replaced original software versions with malware that had been used to modify the CCleaner installation file used by customers worldwide. Access was gained through the Piriform network, a company that was acquired by Avast before the attack was launched on CCleaner users. As Avast says in a blog on the subject, “Attackers will always try to find the weakest link, and if a product is downloaded by millions of users it is an attractive target for them. Companies need to increase their attention and investment in keeping the supply chain secure.”
  • In May 2017, Operation WilySupply compromised a text editor’s software updater to install a backdoor on target organizations in the financial and IT sectors. Microsoft Defender Advanced Threat Protection (ATP) discovered the attack early and Microsoft worked with the vendor to contain the attack and mitigate the risk.

Implanting malware

There are three primary ways that malicious actors infect the software supply chain:

  • Compromise internet accessible software update servers. Cybercrooks hack into the servers that companies use to distribute their software updates. Once they gain access, they replace legitimate files with malware. If an application auto-updates, the number of infections can proliferate quickly.
  • Gain access to the software infrastructure. Hackers use social engineering techniques to infiltrate the development infrastructure. After they’ve tricked users into sharing sign-in credentials, the attackers move laterally within the company until they are able to target the build environment and servers. This gives them the access needed to inject malicious code into software before it has been compiled and shipped to customers. Once the software is signed with the digital signature it’s extremely difficult to detect that something is wrong.
  • Attack third-party code libraries. Malware is also delivered through third-party code, such as libraries, software development kits, and frameworks that developers use in their applications.
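As an added example (not code from the original post), the client-side gate that blunts the first vector above: an update client that verifies the release manifest against a pinned Ed25519 public key before parsing it, refuses version rollbacks, and binds the payload to the manifest by SHA-256 digest. The product name, manifest layout, key pair and payloads are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. The publisher signs its JSON encoding with an
// offline release key; the client ships with the matching public key pinned.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // release counter, must only ever increase
	SHA256  string `json:"sha256"`  // hex digest of the update payload
}

// SignedManifest is what the update server serves next to the payload.
type SignedManifest struct {
	Manifest  []byte // raw signed bytes; parsed only after the signature verifies
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

// PayloadDigest returns the hex SHA-256 of an update payload.
func PayloadDigest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publisher-side step (hypothetical release tooling).
func SignManifest(releaseKey ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(releaseKey, raw)}, nil
}

// VerifyUpdate is the client-side gate. A compromised update server can swap the
// payload or the manifest, but without the release key it cannot produce a valid
// signature, and a replayed older (genuine) manifest fails the rollback check.
func VerifyUpdate(pinned ed25519.PublicKey, installedVersion int, sm SignedManifest, payload []byte) (Manifest, error) {
	// 1. Authenticate the manifest before trusting anything inside it.
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	// 2. Refuse downgrades: an attacker may serve an older, vulnerable release.
	if m.Version <= installedVersion {
		return Manifest{}, ErrRollback
	}
	// 3. Bind the payload to the manifest via its digest.
	if PayloadDigest(payload) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed release key pair
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload, release 2")
	sm, _ := SignManifest(priv, Manifest{Product: "example-app", Version: 2, SHA256: PayloadDigest(payload)})

	// Genuine update served by an honest server: err is nil.
	_, err = VerifyUpdate(pub, 1, sm, payload)
	fmt.Println("genuine update:", err)
	// Server compromised: payload replaced, manifest left alone.
	_, err = VerifyUpdate(pub, 1, sm, []byte("malicious payload"))
	fmt.Println("swapped payload:", err)
	// Server compromised: attacker re-signs a forged manifest with their own key.
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignManifest(attackerKey, Manifest{Product: "example-app", Version: 3, SHA256: PayloadDigest([]byte("malicious payload"))})
	_, err = VerifyUpdate(pub, 1, forged, []byte("malicious payload"))
	fmt.Println("forged manifest:", err)
	// Replay of an older genuine release against a client already on version 2.
	_, err = VerifyUpdate(pub, 2, sm, payload)
	fmt.Println("rollback attempt:", err)
}
```

A release signed by a compromised build or signing pipeline (the second vector above) passes this check unchanged, which is why protection of the build environment and its signing keys remains necessary alongside client-side verification.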

Safeguarding your software supply chain

There are several steps you can take to reduce the vulnerabilities in your software (we’ll address the vulnerabilities and mitigation strategies related to people and processes in our next post):

  • Much like the hardware supply chain, it’s important to inventory your software suppliers. Do your due diligence to confirm there are no red flags. The NIST Cyber Supply Chain Best Practices provide sample questions that you can use to screen your software suppliers, such as what malware protection and detection are performed and what access controls—both cyber and physical—are in place.
  • Set a high standard of software assurance with partners and suppliers. Governmental organizations such as the Department of Homeland Security, SafeCODE, the OWASP SAMM, and the U.K. National Cyber Security Centre’s Commercial Product Assurance (CPA) provide a model. You can also refer to Microsoft’s secure development lifecycle (SDL). The SDL defines 12 best practices that Microsoft developers and partners utilize to reduce vulnerabilities. Use the SDL to guide a software assurance program for your engineers, partners, and suppliers.
  • Manage security risks in third-party components. Commercial and open-source libraries and frameworks are invaluable for improving efficiency. Engineers shouldn’t create a component from scratch if a good one exists already; however, third-party libraries are often targeted by bad actors. Microsoft’s open source best practices can help you manage this risk with four steps:
    1. Understand what components are in use and where.
    2. Perform security analysis to confirm that none of your components contain vulnerabilities.
    3. Keep components up to date. Security fixes are often released without explicit notification.
    4. Establish an incident response plan, so you have a strategy when a vulnerability is reported.
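An added example (not from the original post and not Microsoft’s open source tooling) that walks steps 1 through 3 above: parse a component inventory that records where each library is used, match it against an advisory list, and flag every instance running a version below the fix. The inventory format, component names, versions and advisory entries are constructed for illustration, and version comparison is limited to dotted numeric versions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Component is one entry in the software inventory (step 1: what is in use and where).
type Component struct {
	Name, Version, UsedBy string
}

// Advisory says that versions of Name strictly below Fixed are affected.
// Entries are constructed for this example, not taken from a real feed.
type Advisory struct {
	ID, Name, Fixed, Summary string
}

// Finding pairs an affected component instance with the advisory that hits it.
type Finding struct {
	Component Component
	Advisory  Advisory
}

// ParseInventory reads "name version used-by" lines, skipping blanks and comments.
func ParseInventory(text string) ([]Component, error) {
	var out []Component
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 'name version used-by', got %q", n+1, line)
		}
		out = append(out, Component{Name: f[0], Version: f[1], UsedBy: f[2]})
	}
	return out, nil
}

// CompareVersions compares dotted numeric versions segment by segment and returns
// -1, 0 or 1. Missing segments count as 0, so "1.5" equals "1.5.0". Non-numeric
// segments (pre-release tags) are out of scope and compare as 0.
func CompareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Audit matches every inventory entry against the advisories (step 2) and flags
// any instance still below the fixed version (step 3). Each use site is reported
// separately so the owning team can be notified.
func Audit(inv []Component, advs []Advisory) []Finding {
	byName := map[string][]Advisory{}
	for _, a := range advs {
		byName[a.Name] = append(byName[a.Name], a)
	}
	var out []Finding
	for _, c := range inv {
		for _, a := range byName[c.Name] {
			if CompareVersions(c.Version, a.Fixed) < 0 {
				out = append(out, Finding{Component: c, Advisory: a})
			}
		}
	}
	return out
}

// Constructed sample data: the same library at two versions in two services.
const sampleInventory = `# name version used-by
libfoo 1.4.2 billing-service
jsonparse 2.0.0 web-frontend
cryptoutil 0.9.10 billing-service
libfoo 1.5.0 reporting-job
`

var sampleAdvisories = []Advisory{
	{ID: "EXAMPLE-0001", Name: "libfoo", Fixed: "1.5.0", Summary: "buffer over-read in parser"},
	{ID: "EXAMPLE-0002", Name: "cryptoutil", Fixed: "0.10.0", Summary: "weak default cipher"},
}

func main() {
	inv, err := ParseInventory(sampleInventory)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(inv, sampleAdvisories) {
		fmt.Printf("%s %s (used by %s): %s, %s; upgrade to %s\n",
			f.Component.Name, f.Component.Version, f.Component.UsedBy,
			f.Advisory.ID, f.Advisory.Summary, f.Advisory.Fixed)
	}
}
```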

Learn more

“Guarding against supply chain attacks” is a five-part blog series that decodes supply chain threats and provides concrete actions you can take to better safeguard your organization. Previous posts include an overview of supply chain risks and an examination of vulnerabilities in the hardware supply chain.

We also recommend you explore NIST Cybersecurity Supply Chain Risk Management.

Stay tuned for these upcoming posts as we wrap up our five-part series:

  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. For more information about Microsoft Security solutions, visit our website: http://approjects.co.za/?big=en-us/security/business. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Guarding against supply chain attacks—Part 2: Hardware risks
http://approjects.co.za/?big=en-us/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/
Mon, 03 Feb 2020 17:00:30 +0000
Part 2 examines the hardware supply chain, its vulnerabilities, how you can protect yourself, and Microsoft’s role in reducing hardware-based attacks.

The challenge and benefit of technology today is that it’s entirely global in nature. This reality is brought into focus when companies assess their supply chains, and look for ways to identify, assess, and manage risks across the supply chain of an enterprise. Part 2 of the “Guarding against supply chain attacks” blog series examines the hardware supply chain, its vulnerabilities, how you can protect yourself, and Microsoft’s role in reducing hardware-based attacks.

Unpacking the hardware supply chain

A labyrinth of companies produces mobile phones, Internet of Things (IoT) devices, servers, and other technology products that improve our lives. Product designers outsource manufacturing to one or more vendors. The manufacturer buys components from known suppliers. Each supplier buys parts from its preferred vendors. Other organizations integrate firmware. During peak production cycles, a vendor may subcontract to another company or substitute its known parts supplier with a less familiar one. This results in a complex web of interdependent companies who aren’t always aware that they are connected.

Tampering with hardware using interdiction and seeding

Tampering with hardware is not an easy path for attackers, but because of the significant risks that arise out of a successful compromise, it’s an important risk to track. Bad actors compromise hardware by inserting physical implants into a product component or by modifying firmware. Often these manipulations create a “back door” connection between the device and external computers that the attacker controls. Once the device reaches its final destination, adversaries use the back door to gain further access or exfiltrate data.

But first they must get their hands on the hardware. Unlike software attacks, tampering with hardware requires physical contact with the component or device.

So how do they do it? There are two known methods: interdiction and seeding. In interdiction, saboteurs intercept the hardware while it’s en route to the next factory in the production line. They unpackage and modify the hardware in a secure location. Then they repackage it and get it back in transit to the final location. They need to move quickly, as delays in shipping may trigger red flags.

As hard as interdiction is, it’s not nearly as challenging as seeding. Seeding attacks involve the manipulation of the hardware on the factory floor. To infiltrate a target factory, attackers may pose as government officials or resort to old fashioned bribery or threats to convince an insider to act, or to allow the attacker direct access to the hardware.

Why attack hardware?

Given how difficult hardware manipulation is, you may wonder why an attacker would take this approach. The short answer is that the payoff is huge. Once the hardware is successfully modified, it is extremely difficult to detect and fix, giving the perpetrator long-term access.

  • Hardware makes a good hiding place. Implants are tiny and can be attached to chips, slipped between layers of fiberglass, and designed to look like legitimate components, among other surreptitious approaches. Firmware exists outside the operating system code. Both methods are extremely difficult to detect because they bypass traditional software-based security detection tools.
  • Hardware attacks are more complex to investigate. Attackers who target hardware typically manipulate a handful of components or devices, not an entire batch. This means that unusual device activity may resemble an anomaly rather than a malicious act. The complexity of the supply chain itself also resists easy investigation. With multiple players, some of whom are subcontracted by vendors, discovering what happened and how can be elusive.
  • Hardware issues are expensive to resolve. Fixing compromised hardware often requires complete replacement of the infected servers and devices. Firmware vulnerabilities often persist even after an OS reinstall or a hard drive replacement. Physical replacement cycles and budgets can’t typically accommodate acceleration of such spending if the hardware tampering is widespread.

For more insight into why supply chains are vulnerable, how some attacks have been executed, and why they are so hard to detect, we recommend watching Andrew “bunnie” Huang’s presentation, Supply Chain Security: If I were a Nation State…, at BlueHat IL, 2019.

Know your hardware supply chain

What can you do to limit the risk to your hardware supply chain? First: identify all the players, and ask important questions:

  • Where do your vendors buy parts?
  • Who integrates the components that your vendor buys and who manufactures the parts?
  • Who do your vendors hire when they are overloaded?

Once you know who all the vendors are in your supply chain, ensure they have security built into their manufacturing and shipping processes. The National Institute of Standards and Technology (NIST) recommends that organizations “identify those systems/components that are most vulnerable and will cause the greatest organizational impact if compromised.” Prioritize resources to address your highest risks. As you vet new vendors, evaluate their security capabilities and practices as well as the security of their suppliers. You may also want to formalize random, in-depth product inspections.

Microsoft’s role securing the hardware supply chain

As a big player in the technology sector, Microsoft engages with its hardware partners to limit the opportunities for malicious actors to compromise hardware.

Here are just a few examples of contributions Microsoft and its partners have made:

  • Microsoft researchers defined seven properties of secure connected devices. These properties are a useful tool for evaluating IoT device security.
  • The seven properties of secure connected devices informed the development of Azure Sphere, an IoT solution that includes a chip with robust hardware security, a defense-in-depth Linux-based OS, and a cloud security service that monitors devices and responds to emerging threats.
  • Secured-core PCs apply the security best practices of isolation and minimal trust to the firmware layer, or the device core, that underpins the Windows operating system.
  • Project Cerberus is a collaboration that helps protect, detect, and recover from attacks on platform firmware.

Learn more

The “Guarding against supply chain attacks” blog series untangles some of the complexity surrounding supply chain threats and provides concrete actions you can take to better safeguard your organization. Read Part 1: The big picture for an overview of supply chain risks.

Also, download the Seven properties of secure connected devices and read NIST’s Cybersecurity Supply Chain Risk Management.

Stay tuned for these upcoming posts:

  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Cyber-risk assessments—the solution for companies in the Fourth Industrial Revolution
http://approjects.co.za/?big=en-us/security/blog/2020/01/29/cyber-risk-assessments-the-vaccine-for-companies-in-the-fourth-industrial-revolution/
Wed, 29 Jan 2020 17:00:52 +0000
A cyber-risk assessment is crucial to any organization’s risk management strategy.

Technology continues to play a critical role in shaping the global risks landscape for individuals, governments, and businesses. According to the World Economic Forum’s Global Risks Report 2020, cyberattacks are ranked as the second risk of greatest concern for business globally over the next 10 years. Cyberattacks on critical infrastructure—rated the fifth top risk in 2020 by the expert network—have become the new normal across sectors such as energy, healthcare, and transportation. This confirms a pattern recorded in previous years, with cyber risks consolidating their position alongside environmental risks in the high-impact, high-likelihood quadrant of the report’s Global Risks Landscape.

The cyberattack surface (the totality of all information system and internet exposure) is growing at a rapid pace. In parallel, inherently borderless cybercrime is impacting victims around the globe, with the authority of law enforcement often constrained by jurisdiction and the limitations of legal processes serving to request information beyond national borders. Moreover, cybercrime-as-a-service is a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone.

In this context, a cyber-risk assessment is crucial to any organization’s risk management strategy. A cyber-risk assessment provides an informed overview of an organization’s cybersecurity posture and provides data for cybersecurity-related decisions. A well-managed assessment process prevents costly wastes of time, effort, and resources and enables informed decision-making.

Many jurisdictional instruments, including the European Union General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 in the United Kingdom, require risk assessments to be conducted. Any organization with a digital footprint should have an understanding of their cyber preparedness to ensure that the leadership does not underestimate or overlook risks that could cause significant damage.

Cybersecurity-focused

Yet today, cybersecurity awareness is largely insufficient and there is no standard approach among investors and corporate leadership for evaluating the cybersecurity preparedness of their own companies or of their portfolio companies. A cybersecurity-focused culture, based on cyber expertise and awareness, is vital to prioritizing cybersecurity in the investment process.

Including cybersecurity risk assessment in the investment and decision-making process is a rather new approach. The World Economic Forum along with leaders and cybersecurity experts in the investment industry have developed a due care standard to guide investor responsibility in terms of cybersecurity. Tailored to investors’ needs and principle-based, it aims to influence behavioral change rather than merely prescribe specific action to be taken.

According to a World Economic Forum report, adequate cybersecurity expertise is foundational and vital to exercising the cyber due care principles. Investors should ensure requisite cybersecurity expertise is available to them and their investment portfolio companies either internally or through external experts. An investor’s attention to cybersecurity should extend well beyond regulatory compliance and legal obligations and include regular briefings on evolving cyber risks.

Expertise should evolve to guarantee optimal efforts to stay abreast of cybersecurity developments. Overall, investors are urged to foster a cybersecurity awareness culture as most businesses, investment targets, and their key assets are either becoming digital or are already in the digital domain.

Principles to follow

Incorporate a cyber-risk tolerance—The investor incorporates cyber-risk tolerance into their portfolio risk methodology similar to other types of risks monitored, such as financial and management risks. This cyber-risk tolerance threshold indicates the investor’s risk appetite and serves as a reference when making investment decisions.

Conduct cyber due diligence—The investor conducts a business-relevant cybersecurity assessment of the target company in terms of people, processes and technology, as part of the due diligence evaluation and weighs the potential cyber risks against the valuation and strategic benefits of investment.

Determine appropriate incentive structure—In the early stage of investment negotiations, the investor clearly defines ongoing cybersecurity expectations, benchmarks, and incentives for portfolio companies within investment mandates and term sheets.

Secure integration and development—The investor develops and follows systematic action plans to securely integrate the investment target according to the nature of the investment. These action plans span the secure integration of people, processes, and technology, as well as define the support that the investor will offer to develop the target’s cybersecurity capabilities. The extent of integration may vary according to the type of investor (financial vs. strategic) and the motivation for the investment.

Regularly review and encourage collaboration—The investor reviews the cybersecurity capabilities of its portfolio companies on a regular basis. These reviews assess adherence to the cybersecurity requirements set out by the investor and serve as a basis for sharing cybersecurity challenges, best practices, and lessons learned across the investor’s portfolio.

Investing in innovation is one way to reduce the likelihood of unexpected disruption, identify “blue oceans” (markets associated with high potential profits), and contribute to achieving desired returns. Whereas entrepreneurs drive innovation and experimentation, investors play an important role in helping them to grow, optimize, and mature their businesses. Helping entrepreneurs to prioritize cybersecurity is one significant way in which investors can increase the likelihood of long-term success and a product’s resilience in the market, thereby strengthening the brand name and consumer trust.

When investing in a technology company, investors need to consider the degree of cyber-risk exposure to understand how to manage and mitigate it. Investors play a critical role in leading their investment portfolio companies towards better security consideration and implementation.

Cyber expertise comprises not only technical know-how but also cybersecurity awareness in governance and investment. The principles and the cybersecurity due diligence assessment framework are designed for investors who want to include cybersecurity among the criteria for their investment consideration and decision. One of the main barriers to prioritizing cybersecurity is the lack of cyber expertise in the market. Yet every investor who understands the importance of cybersecurity in our technological age can ask the right questions to assess and understand a target’s cybersecurity preparedness, thus play a significant role in securing our shared digital future.

The post Cyber-risk assessments—the solution for companies in the Fourth Industrial Revolution appeared first on Microsoft Security Blog.

Guarding against supply chain attacks—Part 1: The big picture
http://approjects.co.za/?big=en-us/security/blog/2019/10/16/guarding-against-supply-chain-attacks-part-1-big-picture/
Wed, 16 Oct 2019 16:00:54 +0000
Paying attention to every link in your supply chain is vital to protect your assets from supply chain attacks.

Every day, somewhere in the world, governments, businesses, educational organizations, and individuals are hacked. Precious data is stolen or held for ransom, and the wheels of “business-as-usual” grind to a halt. These criminal acts are expected to cost more than $2 trillion in 2019, a four-fold increase in just four years. The seeds that bloom into these business disasters are often planted in both hardware and software systems created in various steps of your supply chain, propagated by bad actors and out-of-date business practices.

These compromises in the safety and integrity of your supply chain can threaten the success of your business, no matter the size of your operation. But typically, the longer your supply chain, the higher the risk for attack, because of all the supply sources in play.

In this blog series, “Guarding against supply chain attacks,” we examine various components of the supply chain, the vulnerabilities they present, and how to protect yourself from them.

Defining the problem

Supply chain attacks are not new. The National Institute of Standards and Technology (NIST) has been focused on driving awareness in this space since 2008. And this problem is not going away. In 2017 and 2018, according to Symantec, supply chain attacks rose 78 percent. Mitigating this type of third-party risk has become a major board issue as executives now understand that partner and supplier relationships pose fundamental challenges to businesses of all sizes and verticals.

Moreover, for compliance reasons, third-party risk also continues to be a focus. In New York State, Nebraska, and elsewhere in the U.S., third-party risk has emerged as a significant compliance issue.

Throughout the supply chain, hackers look for weaknesses that they can exploit. Hardware, software, people, processes, vendors—all of it is fair game. At its core, attackers are looking to break trust mechanisms, including the trust that businesses naturally have for their suppliers. Hackers hide their bad intentions behind the shield of trust a supplier has built with their customers over time and look for the weakest, most vulnerable place to gain entry, so they can do their worst.

According to NIST, cyber supply chain risks include:

  • Insertion of counterfeits.
  • Unauthorized production of components.
  • Tampering with production parts and processes.
  • Theft of components.
  • Insertion of malicious hardware and software.
  • Poor manufacturing and development practices that compromise quality.

Cyber Supply Chain Risk Management (C-SCRM) identifies what the risks are and where they come from, assesses past damage and ongoing and future risk, and mitigates these risks across the entire lifetime of every system.

This process examines:

  • Product design and development.
  • How parts of the supply chain are distributed and deployed.
  • Where and how they are acquired.
  • How they are maintained.
  • How, at end-of-life, they are destroyed.

The NIST approach to C-SCRM considers how foundational practices and risk are managed across the whole organization.

Examples of past supply chain attacks

The following are examples of sources of recent supply chain attacks:

Hardware component attacks—When you think about it, OEMs are among the most logical places in a supply chain at which an adversary will try to insert vulnerabilities. These vulnerabilities can be introduced into the end product via physical access while a component is being transported or delivered, during pre-production access in a factory or manufacturing facility, via a technical insertion point, or by other means.

Software component attacks—In 2016, Chinese hackers purportedly compromised TeamViewer software, a potential virtual invitation to view and access information on the computers of the millions of people all over the world who use this program.

People-perpetrated attacks—People are a common connector between the various steps and entities in any supply chain and are subject to the influence of corrupting forces. Nation-states or other “cause-related” organizations prey on people susceptible to bribery and blackmail. In 2016, the Indian tech giant Wipro had three employees arrested in a suspected security breach of customer records belonging to the U.K. company TalkTalk.

Business processes—Business practices (including services), both upstream and downstream, are also examples of vulnerable sources of infiltration. For example, Monster.com experienced an exposed database when one of its customers did not adequately protect a web server storing resumes, which contain emails and physical addresses, along with other personal information, including immigration records. This and other issues can be avoided if typical business practices such as risk profiling and assessment services are in place and are regularly reviewed to make sure they comply with changing security and privacy requirements. This includes policies for “bring your own” IoT devices, which are another fast-growing vulnerability.

Big picture practical advice

Here’s some practical advice to take into consideration:

Watch out for copycat attacks—If a data heist worked with one corporate victim, it’s likely to work with another. This means once a new weapon is introduced into the supply chain, it is likely to be re-used—in some cases, for years.

To prove the point, here are a few of the many examples of attack code that has been reused for years, in some cases code originally written by others and later stolen or leaked:

  • The Conficker botnet, which exploited MS08-067, is over a decade old and is still found on millions of PCs every month.
  • The Shadow Brokers group leaked EternalBlue, an exploit attributed to the U.S. National Security Agency, in April 2017. A month later WannaCry, attributed to North Korea, used the same exploit to spread to 150 countries and infect over 200,000 computers.
  • Turla, a purportedly Russian group, has been active since 2008, infecting computers in the U.S. and Europe with spyware that establishes a hidden foothold in infected networks that searches for and steals data.

Crafting a successful cyberattack from scratch is not a simple undertaking. It requires technical know-how, resources to create or acquire new working exploits, and the technique to then deliver the exploit, to ensure that it operates as intended, and then to successfully remove information or data from a target.

It’s much easier to take a successful exploit and simply recycle it—saving development and testing costs, and aiming it at known soft targets (for example, ones that lack the defenses that would detect it). We advise you to stay in the know about past attacks, as any one of them may come your way. Just ask yourself: Would your company survive a similar attack? If the answer is no—or even maybe—then fix your vulnerabilities or at the very least make sure you have mitigation in place.

Know your supply chain—Like many information and operational technology businesses, you probably depend on a global system of suppliers. But do you know where the various technology components of your business come from? Who makes the hardware you use—and where do the parts to make that hardware come from? Your software? Have you examined how your business practices and those of your suppliers keep you safe from bad actors with a financial interest in undermining the most basic components of your business? Take some time to look at these questions and see how you’d score yourself and your suppliers.

Looking ahead

Hopefully, the above information will encourage (if not convince) you to take a big picture look at who and what your supply chain consists of and make sure that you have defenses in place that will protect you from all the known attacks that play out in cyberspace each day.

In the remainder of the “Guarding against supply chain attacks” series, we’ll drill down into supply chain components to help make you aware of potential vulnerabilities and supply advice to help you protect your company from attack.

Stay tuned for these upcoming posts:

  • Part 2—Explores the risks of hardware attacks.
  • Part 3—Examines ways in which software can become compromised.
  • Part 4—Looks at how people and processes can expose companies to risk.
  • Part 5—Summarizes our advice with a look to the future.

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about how you can protect your time and empower your team, check out the cybersecurity awareness page this month.

Overview of the Marsh-Microsoft 2019 Global Cyber Risk Perception survey results
http://approjects.co.za/?big=en-us/security/blog/2019/09/18/marsh-microsoft-2019-global-cyber-risk-perception-survey-results/
Wed, 18 Sep 2019 16:00:50 +0000
Results from the 2019 Marsh-Microsoft Global Cyber Risk Perception survey reveal several encouraging signs of improvement in the way organizations view and manage cyber risk.

Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence (AI) and the Internet of Things (IoT) to data availability and blockchain. The speed at which digital technologies evolve and disrupt traditional business models keeps increasing. At the same time, cyber risks seem to evolve even faster—moving beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations—costing the economy billions of dollars and affecting companies in every sector.

The hard truth organizations must face is that cyber risk can be mitigated and managed—but it cannot be eliminated. Results from the 2019 Marsh-Microsoft Global Cyber Risk Perception survey reveal several encouraging signs of improvement in the way that organizations view and manage cyber risk. Now that cyber risk is clearly and firmly at the top of corporate risk agendas, we see a positive shift towards the adoption of more rigorous, comprehensive cyber risk management in many areas. However, many organizations still struggle with how to best articulate, approach, and act upon cyber risk within their overall enterprise risk framework—even as the tide of technological change brings new and unanticipated cyber risk complexity.

Highlights from the survey

While companies see cyber events as a top priority, confidence in cyber resilience is declining. Cyber risk became even more firmly entrenched as an organizational priority in the past two years. Yet at the same time, organizations’ confidence in their ability to manage the risk declined.

  • 79 percent of respondents ranked cyber risk as a top five concern for their organization, up from 62 percent in 2017.
  • Confidence declined in each of three critical areas of cyber resilience. Those saying they had “no confidence” increased from:
    • 9 percent to 18 percent for understanding and assessing cyber risks.
    • 12 percent to 19 percent for preventing cyber threats.
    • 15 percent to 22 percent for responding to and recovering from cyber events.

New technology brings increased cyber exposure

Technology innovation is vital to most businesses, but often adds to the complexity of an organization’s technology footprint, including its cyber risk.

  • 77 percent of the 2019 respondents cited at least one innovative operational technology they adopted or are considering.
  • 50 percent said cyber risk is almost never a barrier to the adoption of new technology, but 23 percent—including many smaller firms—said that for most new technologies, the risk outweighs potential business benefits.
  • 74 percent evaluate technology risks prior to adoption, but just 5 percent said they evaluate risk throughout the technology lifecycle—and 11 percent do not perform any evaluation.

Increasing interdependent digital supply chains brings new cyber risks

The increasing interdependence and digitization of supply chains brings increased cyber risk to all parties, but many firms perceive the risks as one-sided.

  • There was a discrepancy in many organizations’ view of the cyber risk they face from supply chain partners, compared to the level of risk their organization poses to counterparties.
  • 39 percent said the cyber risk posed by their supply chain partners and vendors to their organization was high or somewhat high.
  • Only 16 percent said the cyber risk they themselves pose to their supply chain was high or somewhat high.
  • Respondents were more likely to set a higher bar for their own organization’s cyber risk management actions than they do for their suppliers.

Appetite for government role in managing cyber risks draws mixed views

Organizations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk—with the notable exception of nation-state attacks.

  • 28 percent of businesses regard government regulations or laws as being very effective in improving cybersecurity.
  • 37 percent of businesses regard soft industry standards as being very effective in improving cybersecurity.
  • A key area of difference relates to cyberattacks by nation-state actors:
    • 54 percent of respondents said they are highly concerned about nation-state cyberattacks.
    • 55 percent said government needs to do more to protect organizations against nation-state cyberattacks.

Cyber investments focus on prevention, not resilience

Many organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.

  • 88 percent said information technology/information security (IT/InfoSec) is one of the three main owners of cyber risk management, followed by executive leadership/board (65 percent) and risk management (49 percent).
  • Only 17 percent of executives say they spent more than a few days on cyber risk over the past year.
  • 64 percent said a cyberattack on their organization would be the biggest driver of increased cyber risk spending.
  • 30 percent of organizations reported using quantitative methods to express cyber risk exposures, up from 17 percent in 2017.
  • 83 percent have strengthened computer and system security over the past two years, but less than 30 percent have conducted management training or modeled cyber loss scenarios.

Cyber insurance

Cyber insurance coverage is expanding to meet evolving threats, and attitudes toward policies are also shifting.

  • 47 percent of organizations said they have cyber insurance, up from 34 percent in 2017.
  • Larger firms were more likely to have cyber insurance—57 percent of those with annual revenues above $1 billion had a policy, compared to 36 percent of those with revenue under $100 million.
  • Uncertainty about whether available cyber insurance could meet their firm’s needs dropped to 31 percent, down from 44 percent in 2017.
  • 89 percent of those with cyber insurance were highly confident or fairly confident their policies would cover the cost of a cyber event.

Key takeaways

At a practical level, this year’s survey points to a number of best practices that the most cyber resilient firms employ and which all firms should consider adopting:

  • Create a strong organizational cybersecurity culture with clear, shared standards for governance, accountability, resources, and actions.
  • Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
  • Evaluate the cyber risk implications of a new technology as a continual and forward-looking process throughout the lifecycle of the technology.
  • Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
  • Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.

Despite the decline in organizational confidence in the ability to manage cyber risk, we’re optimistic that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices.

Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.

Still, these recommendations address many of the common and most urgent aspects of cyber risk that organizations today are challenged with; as such, they should be viewed as signposts along the path to building true cyber resilience.

Learn more

Read the full 2019 Marsh-Microsoft Global Cyber Risk Perception survey or find additional report content on Marsh’s website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Council of EU Law Enforcement Protocol improves cross-border cooperation
http://approjects.co.za/?big=en-us/security/blog/2019/07/30/eu-law-enforcement-protocol-improves-cross-border-cooperation/
Tue, 30 Jul 2019 16:00:00 +0000
The new EU Law Enforcement Emergency Response Protocol addresses the growing problem of planning and coordinating between governments, agencies, and companies when cyberattacks occur across international boundaries.

Last March, the Council of the European Union announced the new EU Law Enforcement Emergency Response Protocol to address the growing problem of planning and coordinating between governments, agencies, and companies when cyberattacks occur across international boundaries. Remember well-known incidents such as NotPetya and WannaCry? They’re good examples of how cyberattacks can simultaneously impact organizations and other entities in two or more countries. This especially applies to multinational corporations since they have footprints in multiple jurisdictions.

In reading through the Protocol, a few key items are worth noting:

  • There’s a focus on process—It’s so good to see them focusing on process (and not only on technology). Too many regulations and rulesets talk about technology as if it’s the sole solution to all problems. To truly resolve cybersecurity attacks and to mitigate downstream implications quickly, it takes the combination of technology + people + process.
  • Operational Technology (OT) systems and risks need more attention—For many years, OT systems have been increasingly attacked by adversaries. While the focus on IT in the Protocol is logical, the omission of OT keeps it from being an even stronger and more robust document. The Protocol’s own wording shows its IT-only framing: “…to establish the criminal nature of the attack, it’s fundamental that the first responders perform all required measures … to preserve the electronic evidence that could be found within the IT systems affected by the attack, which are essential for any criminal investigation or judicial procedure.” The omission of OT systems is all the more confusing when the website announcing the Protocol states that, “The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society, is no longer unthinkable.”
  • Operational alignment is well-executed—Praise is deserved for the outstanding effort to coordinate multi-stakeholder processes using existing resources and teams. For instance, a partial list of the entities working on these issues in Europe includes Europol’s European Cybercrime Centre (EC3), the EU Computer Security Incident Response Teams (CSIRTs) Network, the European Union Agency for Network and Information Security (ENISA), and law enforcement groups in the EU member states. While everyone has the best interest of preventing and responding to cyberattacks at heart, ensuring the alignment and optimal use of existing resources makes very good sense.
  • Important cross-border thinking adds value—Cyber-adversaries pay no attention to boundaries, so it’s important to defend against these problems with a similar mindset that embraces diverse thinking. Countries that cooperate and coordinate their efforts are likely to detect and identify cyber-adversaries faster and more comprehensively if they approach the problem as a united front. This cross-border way of thinking should be an example for other regions of the world.

The improvements to the EU Law Enforcement Emergency Response Protocol are invaluable. By streamlining and strengthening their cross-border approaches, protocols, and ways of communicating, efforts to thwart attacks can begin immediately and proceed more effectively.

Preserving electronic evidence makes finding and punishing the perpetrators a priority. However, work still must be done on developing plans and protocols to mitigate damage to OT systems, and I hope they prioritize this focus for their next iteration.

Learn more

  • Complete an offline assessment of your Active Directory—Assess your Active Directory security posture and reduce support costs by exposing and remediating configuration and operational security issues before they affect your business.
  • Learn more about the cybersecurity risk landscape—Watch this Microsoft Digital Crimes Unit overview video to learn more about how Microsoft is working with public and private partners.
  • Discover how the Microsoft Incident Response and Recovery Process can help—Read about our expert security services that are available in case an incident occurs.

UK launches cyberstrategy with long-term relevance
http://approjects.co.za/?big=en-us/security/blog/2019/05/23/uk-cyberstrategy-long-term-relevance/
Thu, 23 May 2019 16:00:13 +0000
Read a review of the “National Cyber Security Strategy: 2016-2021,” the most frequently referenced document in cybersecurity discussions. Learn three ways that the security strategy can expand and thrive and why it’s important to revisit it to help secure your digital transformation.

Like most major global economies, the United Kingdom continues to place cybersecurity issues front and center. The National Cyber Security Strategy: 2016-2021 document—published by the UK Government and released nearly two years ago—describes the plan to make the UK secure and resilient in cyberspace. It’s the most frequently referenced document and project in any UK cybersecurity discussion. After two years, and with recent updates, it’s worthwhile to revisit the document to assess its importance in securing digital transformation across the UK’s economy. The National Security Capability Review (NSCR) March 2018 update to the National Cyber Security Strategy makes the timing for such a review all the more relevant, and the 80-page document is well-written, thorough, and remains useful. The cyberstrategy’s core pillars—defend, deter, and develop—are described in detail and address a wide array of important topics, including education, international cooperation, and public-private collaboration.

Specifically, the cybersecurity document does an excellent job in the following areas:

  • Insider threats—This type of threat is highlighted throughout the document; something that is not always emphasized sufficiently. For example, “Insider threats remain a cyber risk to organizations in the UK. Malicious insiders, who are trusted employees of an organization and have access to critical systems and data, pose the greatest threat.” We continue to hear about this problem from customers in nearly all industries and in all countries. This bold and clear statement makes it clear that this problem is front and center for the UK strategy, as it should be.
  • Public incidents—It’s refreshing to see major incidents that impact companies and organizations in the UK highlighted rather than hidden from public view. The document includes several incidents, such as the 2015 TalkTalk breach, the 2016 attack on the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment system involving banks in Bangladesh and the Philippines, and the Ukrainian power grid incident. While these incidents did not all occur on UK soil or directly to UK organizations, their impact was still felt in the UK.
  • Diversity and inclusion—The UK is committed to increasing diversity while also addressing its cybersecurity skills shortage. The document states emphatically that “we will address the gender imbalance in cyber-focused professions, and reach people from more diverse backgrounds to make sure we are drawing from the widest available talent pool.” The need is so critical that cybersecurity offers younger professionals an attractive field in which to start a career, even though it is not yet widely known as one.
  • Public-private collaboration—Cybersecurity is a “team sport” and working together across private and public sectors is essential. Openly admitting this and accepting government responsibility is a key tenet of this strategy, described as, “Government has a clear leadership role, but we will also foster a wider commercial ecosystem, recognizing where industry can innovate faster than us.” The document also states, “We will set out more clearly the respective roles of government and industry, including how these might evolve over time.”

As we look at other areas that the strategy may wish to consider expanding into or elaborating upon in the coming years, three specific areas come to mind:

  • Links to money laundering and terrorist financing—While the initial 2016 version did not mention how the flow of money impacts and funds cybercrime, the NSCR March 2018 update did, with three specific references to money laundering and terrorist financing, explaining, “We will take a whole-of-government approach including with the Devolved Administrations to tackle serious and organized crime and publish an updated Serious and Organized Crime Strategy in 2018.” It also stated, “We remain a leading player in developing and applying economic sanctions [… and will] … continue using sanctions smartly to deliver national security outcomes after we have left the EU.”
  • Returning military veterans—Whether it be from armed conflicts or peace-keeping missions or other such activities, one way the UK could shrink the gap in cybersecurity skills would be to help military veterans transition into this field. The strategy states, “This skills gap represents a national vulnerability that must be resolved.” To that end, there are multiple paths that other countries have pursued that could be applied here.
  • Cloud computing—The terms “cloud” and “cloud computing” are not mentioned in the original 2016 strategy document or in the NSCR March 2018 update. Cloud-based security offerings are a mainstay of any cybersecurity strategy and bring with them enormous benefits, speed, operational efficiencies, and more.

Looking ahead, it is inspiring to see that in the NSCR March 2018 update to the National Cyber Security Strategy there is a real commitment to maintaining the course with the original 2016 strategy. The 2018 update states quite openly that “the NSCR cyber project confirms that our overarching strategic objectives still stand” and “We will continue to implement the National Cyber Security Strategy and ensure it keeps pace with the threat.”

Clearly the UK will stay the course with its original cybersecurity strategy with additional changes and enhancements. Moreover, with all eyes on the UK transition out of the EU, it’s important to demonstrate to the world community that cybersecurity strategy can not only exist but in fact can thrive even amid a massive overhaul in international geopolitics.

The post UK launches cyberstrategy with long-term relevance appeared first on Microsoft Security Blog.

5 steps financial institutions can take to reduce their cybercrime risk http://approjects.co.za/?big=en-us/security/blog/2019/03/18/5-steps-financial-institutions-reduce-cybercrime-risk/ Mon, 18 Mar 2019 16:00:17 +0000 Financial institutions are increasingly concerned about their cybersecurity risk. Here are five recommendations that can help them manage that risk more effectively.

When it comes to cybersecurity, financial institutions are uniquely challenged as they are often a target for hackers. My customers rightly worry about exposing their business and the broader financial system to a security breach. Some are reticent to adopt new technology that will help them stay competitive because of these fears. Yet I don’t believe that financial institutions need to choose between innovation and security. Existing financial processes can be applied to cybersecurity risk management, and cloud technology can help them stay ahead of banking innovation and improve their security. I have five recommendations, outlined below, designed to help financial institutions more effectively manage their risk from cybersecurity incidents.

A key finding in the eleventh edition of the Deloitte Insights Global Risk Management Survey, which reports on risk management trends in the financial services industry, is that “sixty-seven percent of respondents [at financial institutions] named cybersecurity as one of the three risks that would increase the most in importance for their business over the next two years, far more than any other risk.” I’m not surprised that cybersecurity risk has risen in importance, but for an industry that must also contend with credit, liquidity, and regulatory risk, this finding is a notable trend. In addition, the survey found that “the number of cyberattacks against financial institutions is estimated to be four times greater than against companies in other industries.”

The report provides a good overview of how financial institutions are thinking about risk. In response to one data point the survey uncovered, “Only about one-half of respondents felt their institutions were extremely or very effective in managing this [cybersecurity] risk,” I offer the following five recommendations that financial institutions can act on to manage cybersecurity risk more effectively:

  1. Expand your view of cyber risk to include real-world implications.
  2. Calculate your economic capital.
  3. Look at fraud and cyber risk in aggregate.
  4. Go deeper and wider on the cloud.
  5. Keep learning.

#1: Expand your view of cyber risk

Stories of security breaches at large corporations, financial and otherwise, have raised the profile of cybersecurity risk across all sectors of life. Everyone from the board of directors on down has witnessed the reputational damage done to respected brands that suffer a large security breach. Beyond the headlines are real-world implications that may not be obvious at first but are still critical. Companies may lose existing customers or see a decline in new customer acquisition. Organizations are sometimes required to shut down systems while they recover from an incident, including physical assets like ATMs. And if intellectual property is stolen, new products may be delayed or scrapped entirely, impacting future earnings. Think broadly about how a cybersecurity event could impact your financial institution, so you better understand what’s at stake. Then prioritize security resources to protect the most valuable parts of the business.

#2: Calculate your economic capital

According to the survey, most financial institutions calculate economic capital for their financial risks, but only 16 percent calculate how much capital will be needed to support cybersecurity risk. As you identify the potential implications of an attack, it will become clear that some could be quite costly to the business, in real terms and in unrealized revenue. An accurate calculation of the economic capital required to recover will help you better prepare and keep your board of directors well informed. For more information on how to talk to your board of directors about security, watch Security is everyone’s business in our CISO Spotlight Series.

#3: Look at fraud and cyber risk in aggregate

The world of cyber and financial criminals increasingly overlaps. Fraudsters have borrowed tactics from the hacker world to gain access to accounts without setting foot in a physical bank branch. Networks of bad actors, from both the cyber world and the financial fraud world, work together to share data and tools. Preventing these crimes requires collaboration on the defensive side. Anti-fraud and cybersecurity professionals each have valuable backgrounds and tools to investigate and respond to these threats. However, if they are working in silos, they may miss important connections. Institute policies and processes, such as cross-training and holistic incident tracking, that ensure anti-fraud and cybersecurity professionals are sharing insights and learning from each other. And if you have deep executive support and funding, consider building what some people refer to as a “fraud fusion center,” which brings anti-fraud and cybersecurity teams together to bridge this divide.

#4: Go deeper and wider on the cloud

In my work with financial institutions, I often consult with teams that are conflicted about migrating more services to the cloud. My experience is reflected in the Deloitte survey, which found that only 48 percent of survey respondents reported using cloud computing. In many instances, an IT team may be ready to take advantage of cloud computing power, while the security team is concerned about exposing the organization to more risk. I recently spoke to a security team who was struggling to get an IT team on board. Cloud service providers (CSPs), like Microsoft Azure, can help organizations take advantage of emerging technologies, such as machine learning, without the massive investment required to build a team and infrastructure in-house.

The same is true of security. The cloud can help reduce your risk. Azure and other big cloud providers have very strict physical security in their datacenters, such as requiring extensive background checks of everyone who works there, and the use of biometrics for access. At Microsoft, we regularly patch and update our software and hardware, which reduces vulnerabilities. You can also take advantage of the benefits of scale. CSPs can hire the best security professionals, who stay up to date on global security regulations and monitor the current threat environment. CSPs have the systems and analytics to synthesize data across all their services and endpoints to rapidly uncover threats and block them before they impact other customers. Read the Azure Security blog series for more details on how Azure can improve your security.

#5: Keep learning

It’s important to develop a process for staying up to date on emerging technology trends, such as machine learning, quantum computing, and blockchain. Your adversaries are doing their research and will experiment with new technologies as they become available. Understand the latest thinking and try to get out ahead of it. Research can help inspire ideas and spark innovative thinking within your team.

Stay informed

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Why the Pipeline Cybersecurity Initiative is a critical step http://approjects.co.za/?big=en-us/security/blog/2019/02/21/why-the-pipeline-cybersecurity-initiative-is-a-critical-step/ Thu, 21 Feb 2019 17:00:54 +0000 Working together with government to push a more coordinated effort around infrastructure security—particularly pipelines and utilities—is critical. The new Pipeline Cybersecurity Initiative will help ensure that additional resources, information-sharing, and coordination will help mitigate additional cyber-related risks against the U.S. energy industry in the coming years.

It’s well known by now that attacks on pipelines and on utilities of all kinds have been an unfortunately well-trodden path for cyber-adversaries in numerous countries for several years. These types of attacks are not theoretical, and the damage done to date—as well as the potential damage—is significant.

With this backdrop, it was encouraging to see a few months ago that the U.S. Government was working across agencies to push for a more coordinated effort around pipeline security. As part of the annual Cybersecurity Awareness Month each October, the U.S. Department of Energy (DOE) and Department of Homeland Security (DHS) met with the Oil and Natural Gas Subsector Coordinating Council (ONG SCC) to discuss ongoing threats to pipeline security, resulting in the Pipeline Cybersecurity Initiative.

According to Hunton Andrews Kurth, the Pipeline Cybersecurity Initiative “will harness DHS’s cybersecurity resources, DOE’s energy sector expertise, and the Transportation Security Administration’s (TSA) assessment of pipeline security to provide intelligence to natural gas companies and support ONG SCC’s efforts.”

Even though the Pipeline Cybersecurity Initiative is in its earliest stages, it’s worth discussing the key items it relates to and how it might improve cybersecurity hygiene going forward across the industry as a whole:

  • Timing—The timing for this initiative is important. No longer can industry observers and experts claim that pipeline, energy, and utility security is not an issue. As indicated above, this is a genuine problem that has real-world implications. Moreover, we know that this issue has occurred in a number of different countries.
  • Industrial Internet of Things (IIoT)—IIoT is a topic that continues to be raised in meetings with customers and partners around the world. Some of those customers are in financial services (think ATMs) while others are in healthcare (think imaging machines) and yet others are of course in energy (think pipelines, pumping stations, etc.). My point is that across unrelated industries, this topic is a very real area that companies are increasingly taking seriously. Utility Dive summarizes this well, “With the prevalence of automation and digital sensors, pipelines moving a physical commodity, like oil or natural gas, are vulnerable to cyber-intrusions, just as a transmission line or power plant.”
  • Public-private partnership—The public-private nature of this partnership makes good sense and is great to see. For instance, it was important to see this mentioned so openly by the TSA in one of the accompanying statements and is a clear indication that this is a complex issue that requires broader coordination and partnership. “The TSA is committed to the mission of securing the nation’s natural gas and oil pipelines, and values longstanding relationships with pipeline operators across this great nation,” said TSA Administrator David Pekoske. This also builds on some of the past few years of efforts in this realm in the U.S. specifically.
  • An international issue—Beyond the U.S., other countries working on similar initiatives should be mentioned. While not a comprehensive list, it would be remiss not to mention other parts of the world that also either suffer from or worry about this issue, including the U.K., Denmark, and Australia.

To those of us in the cybersecurity world, energy security as it relates to cyberthreats has been a concern for a while. The known attacks have been disconcerting and people beyond the energy industry have recognized this. Practitioners and defenders have been doing fabulous work, and the Pipeline Cybersecurity Initiative will help ensure that additional resources, information-sharing, and coordination will help mitigate additional cyber-related risks against the U.S. energy industry in the coming years. For more information on infrastructure security, read Defending critical infrastructure is imperative and listen to the Cybersecurity Tech Accord web seminar, Cyberattacks on infrastructure.
