Should You Be Worried About Iran Cyber Attacks?

Lots of readers have asked if they need to be worried about cyber attacks from Iran as the military action between that country and the United States continues.  While the answer is “yes,” there’s a lot more to the answer than that simple, single word can really cover.

The reality of the situation:

First and foremost, Iran and other nations routinely launch cyber attacks against nearly everyone else in the world. While there has been a definite uptick in the number of those attacks from Iran, they’re using techniques that they’ve been using since before hostilities began. That’s good news, because those tactics and techniques are known to the cybersecurity community. When you hear your IT department or local technical nerd talking about taking precautions, you should be listening.

Next, it’s important to point out that Iran has already had some success with attacking large US companies since the military action began. A “hacktivist” group (people who – on the surface, at least – launch cyber attacks for political and/or protest reasons) that is known to be directly affiliated with the Iranian government took down Stryker, a medical device manufacturer, for several days about a week ago. The attack wiped all data from every company-managed device in the entire organization, which not only directly impacted Stryker’s ability to generate revenue, but also left all their customers (just about every doctor, dentist, and hospital in the US and many EU countries) afraid to use their devices, out of concern that their own organizations could be compromised. As it turned out, their customers weren’t at risk, but it was a real concern for the first 24-48 hours of the attack.

Finally, Iran is not the only country that launches cyber attacks against people and businesses in the US.  China, Russia, and many others routinely attack orgs and the general public in the US. During periods of military action, other countries have a habit of ramping up their own cyber threat activity because they can use the combatants attacking each other as “cover” for their own shenanigans. So while the current situation may be focused on Iranian threat actors, it’s extremely important to realize that they’re not the only player on the world stage.

So what can you do?

Iranian threat actors tend to use two methods to compromise organizations and people: Social Engineering and Exploitation of Vulnerabilities. While this isn’t a list of everything they try, nearly all their attacks start by following one of those two paths.  The Stryker attack appears to have started with Social Engineering, at least according to the best information we have at this time.  This means there are indeed things you can do to protect yourself, your families, and the companies you work for.

1 – Always keep things updated. I can’t stress how important this is, as Iranian threat actors absolutely love to take advantage of outdated software that has security holes in it. Whenever Windows or macOS wants you to apply an update, do it that evening. Both can be set to install these Operating System (OS) updates overnight, so just let them do what they’d normally do and have them update your machine while you’re asleep. As for applications, there are a few ways to keep things up-to-date. On macOS, anything you got from the Mac App Store can be updated just by opening the store – it will show you what apps have updates you should be installing. Get into the habit of doing this once a week or so. Just go to the Apple menu, then App Store, then look for Updates in the left-hand sidebar. On both Windows and macOS, most applications will also routinely check for updates themselves and will alert you when a new version is available. For your company devices, do the same things as at home, but also allow reboots and restarts of applications when your company “pushes” out updates to your laptop or desktop. Don’t ignore those updates: finish what you’re doing, then allow the update to be applied.

2 – Arm yourself with basic user security techniques.  You don’t need to become a cybersecurity expert in any way, just take basic precautions.  Iranian threat actors like to use Social Engineering, so arming yourself with knowledge about how to avoid phishing emails, text messages, and phone calls will definitely help.  I’ve got an article on this blog about what to look for: HERE 

3 – Don’t Panic! Not only is that the tag-line from one of the best sci-fi book series ever (The Hitchhiker’s Guide to the Galaxy), but it is sound advice when there are military actions that result in higher-than-normal cyber threat activities. Panic leads to rushing, which can lead to mistakes being made. Update your software and Operating System. Be on alert for phishing attacks. If you think something is going on, reach out to your company IT team for help (or to trusted technology folks you know for home systems). By quickly and calmly acting to deal with any problems, you can often stop a threat actor before they do significant damage. Panicking, being embarrassed that something happened, and rushing to fix something without the proper knowledge will both allow the threat actor to do more damage and is also likely to cause more problems in and of itself.

Summing up:

Military action against another country that is well-known for cyber threat activity is going to lead to more attacks, against more companies and people.  This is a basic truth of living in our current world which cannot be changed – or at least not changed easily.  You can, however, arm yourself with knowledge and techniques to keep yourself, your family, and the company you work for safe and secure.  Stay calm, stay aware, and stay safe as we go through this time of cybersecurity threat – and continue doing those things after this time is over, as they are always a good idea.  

Cybersecurity in Plain English: What is Cybersecurity Resilience?

I’ve written a blog series like this for many companies I’ve worked for, now I’m doing it on my own blog for everyone to read. Please drop me questions you’d like answered to me via Twitter/X/whatever it’s called this week @miketalonnyc – I’d love to get you answers explained without the jargon! 

Resilience

Cybersecurity resilience – the key term on just about every CIO/CISO/CSO/CTO’s mind these days. Tons of vendors say they can help with it. Regulators are beginning to demand it. Customers are expecting it. But what is it? This is a question I’ve gotten from many readers over the last year, so let’s dive in and spell it out.


When we speak about resilience in the general technology world, what we’re really talking about is the ability to withstand events that would cause downtime or damage. An email server is resilient when it can continue to provide email services even if one or more servers/services go offline. SaaS technology is resilient when it can be maintained online at full or near-full capacity even if a Cloud provider has issues in one or more regions. For the most part – outside of cybersecurity – resilience is the practice that drives High Availability, Disaster Recovery, and Business Continuity operations. Stay online, or be able to get back up and online quickly.


In the cybersecurity world, resilience incorporates the general technical definition of the term with the addition of the threat activity that may be encountered. This means that instead of the primary concern being uptime balanced against redundancy, we’re instead looking at the system’s ability to withstand an attack without allowing the attacker to gain control of the system or steal its data. As you might guess, this is a more complex operation than general technical resiliency, but the good news is that cybersecurity resilience is rated on much more of a sliding scale. Customers and regulators can easily demand that you stay within a certain level of uptime – the technology to deliver that is available today at reasonable cost. Total cybersecurity resilience is not something that’s possible with today’s technology (and not likely to become available in the very near term), and as such it is more about being able to prove you have done what you could, rather than proving you’re bullet-proof.


Key components of cybersecurity resiliency are:


1 – Layered security methodologies: Whenever we talk about cybersecurity resilience, we’re talking about being able to have security controls compensate for each other if one should be bypassed by a novel attack. So you would perform security awareness training for employees, implement endpoint controls (like anti-malware tools), identity solutions (like Active Directory, Okta, etc.), web gateways (firewalls, proxies, etc.), and other layers of security controls to allow for catching and blocking threat activity that could slip through any one control. 


2 – Security-by-design development protocols: If you build technology – either hardware or software – you start by building in security as a primary development metric. This is different from traditional development which primarily addressed security as part of late-stage development operations. By understanding the threat landscape and building defenses into the hardware or software being developed, the likelihood of successful attack is reduced.


3 – Testing regularly: For any set of security controls, the only way to know that they are working (and being able to prove that they’re working) is to test them on a regular basis. This means running controlled threat activity within the production environment, and as such you may need to leverage professionals like penetration testers who know how to do that safely. 


4 – Tuning regularly: No cybersecurity is “set it and forget it.” Every tool, policy, control, etc. must be reviewed on an ongoing basis to ensure that it isn’t falling behind in its primary role of defending the organization. This can be based on your testing in part 3 above, but can also include regular review of best-practice documentation from the vendors of your hardware and software. The cybersecurity threat landscape is changing all the time, so regularly tuning systems and controls to counter those threats is a necessity. 


5 – Monitor your environments: Cybersecurity incidents happen fast, and your organization needs to know that they happened, that your controls held, or that you need to take immediate action to counter the threat activity. This requires monitoring the organization’s systems to make sure that if something does happen, technology and cybersecurity team members know about it fast and begin to deal with it immediately. As the tools and systems used to monitor can be complex – such as SIEM solutions and security orchestration (SOAR) platforms – this may be another area where your organization can benefit from a partner who has the expertise in-house already. 


6 – Document everything: While it may sound like overkill, unless it is documented, it doesn’t exist. So all the layered compensating controls, security-by-design operations, testing, and tuning aren’t useful to an organization unless they’re documented, and that documentation is kept updated. This aids in satisfying auditors and regulators, but also greatly aids the cybersecurity team if something does happen. They can quickly assess the situation based on up-to-date information about the overall security of the organization, then take action.


Cybersecurity resilience is less a set of strict requirements, and more about knowing that your systems and data are as defended as possible, and what you will do if those defenses fail unexpectedly. Through the six areas above, you can provide a solid measure of that resilience that can be shared with auditors, regulators, and anyone else who may need you to show your work and prove that you’re taking the necessary steps to defend your systems, data, and customers.