Winter 2020 -- Articles & Media on Cybersecurity, Emerging Tech, Security, and GovCon by Chuck Brooks
A Cybersecurity Checklist For 2021: 6 Ways To Help You Protect Yourself In Coming Year
Chuck Brooks FORBES Contributor
Dec 26, 2020
2021 Text with binary code GETTY
2020 has been a perilous challenge for everyone across the globe. It was the year of the virus, from both a biological and a digital perspective.
We were unexpectedly infected by Covid19, a deadly and disruptive virus that changed our way of living. Thankfully, great strides are being made in therapeutics, and vaccines are on the way. The unexpected happened in 2020, and it served as an urgent wake-up call on the need for better pandemic preparedness.
Similarly, the digital scourge of cyber-attacks and breaches, exacerbated by the need for an ecosystem of immediate remote work to avoid Covid19, was calamitous. Hackers took advantage of the gaps in new remote work environments as the global cyber-attack surface greatly expanded. Governments, companies, organizations, and individuals have paid a heavy price from breaches and from ransomware attacks—clearly, we were not adequately prepared for the digital virus either. 2021 needs to be the year for cybersecurity preparedness.
With most businesses operating remotely, in 2020 hackers stepped up attacks against an expanded and target-rich environment. Breaches almost doubled from 2019. The surge correlates to an expanded attack surface. This comes as no surprise because there were close to 4.6 billion Internet users active as of July 2020, representing 59% of the world’s population. Internet users in the world 2020 | Statista Online crimes reported to the FBI’s Internet Crime Complaint Center (IC3) nearly quadrupled as a result of the COVID-19 pandemic.
In 2021, the work from home trend will continue and cybersecurity will continue to be a major challenge. According to Cybersecurity Ventures, it is estimated that cybercrime will cost the world $6 trillion annually by 2021. Cybersecurity Ventures envisions that a business will fall victim to a ransomware attack every 11 seconds by 2021. Global Ransomware Damage Costs Predicted To Reach $20 Billion (USD) By 2021 (cybersecurityventures.com)
The means and capabilities of attack for hackers are varied across levels of sophistication and depending upon the actors, some who are related to organized crime groups or, especially, nation states. Financial gains are still the main motivation behind most cyber-attacks. Phishing has been a tried-and-true method of gaining access to company and personal data. It is usually done by employing a fake website which is designed to look like the actual website. The purpose of this attack is to trick the user into entering their username and password into the fake login form, which allows the hacker to steal the identity of the victim. Hackers can easily mimic known brand websites, banks, and even people you may know.
Another method of hackers to reap havoc has been the growing trend of ransomware. Although ransomware has been around for years, it has become a more prevalent method for hackers as they can operate under the cover of cryptocurrencies that are more difficult to trace. Ransomware can hold computers, and even entire networks, hostage for electronic cash payments. Cybersecurity Ventures forecasts that global ransomware damage costs to reach $20 billion by 2021 — which is 57X more than it was in 2015. Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (cybersecurityventures.com)
There a many more types of cyber- threats, and their impact is accelerated by machine learning and artificial intelligence technologies that are allowing hackers to pinpoint vulnerabilities in networks and on devices for exploits.
The fundamental question for most companies and individuals is what can be done to better protect data in the increasingly connected global digital landscape. Below are a few basic actions we can undertake to make ourselves safer.
10 Steps for Cybersecurity Protection in 2021
1) Learn: It all starts by having a risk management perspective. Learn what you need to do from open sources. Gather insights from informational resources available in the media. Network with those who have expertise or experience that mirrors your customized cybersecurity needs.
2) Create a Cybersecurity Framework: Explore Cybersecurity Frameworks such as NIST or MITRE ATT&CK®. which offer guidance on technical organization and response programs that identify and suggest means to mitigate gaps for cyber-threats. Cybersecurity frameworks are based upon lessons learned and continually modified to address new threats, including an incident response to a breach. Your goal should be to use these frameworks to create barriers to breach and policies for resilience.
3) Enact basic Cyber Hygiene: For example, do you have strong passwords and multi-factor authentication? Is your key data backed up? Do you use a secure WIFI? Do you need to use a virtual private network or encryption? Be sure to update your anti-virus software applications and regularly patch security flaws as they are updated. Referring
back to item #1, there are many good lists available on proper cyber hygiene you can adapt as your own. I recommend This CyberAvengers Graphic:
Good Cyber Hygiene Checklist CYBERAVENGERS
4) Be on the lookout for social engineering attacks: With the volumes of social media information out there on your personal likes and dislikes, hackers can figure ways to reach out to you with malware via phishing. Always look at who the emails or texts are actually from (not who they pretend to be from), and do not open up any files that are suspicious. Always be suspicious and operate on the premise of zero trust when it comes to social engineering threats.
5) The Internet of Things (IoT) has arrived and prepare for it: Each IoT device represents an attack surface that can be an avenue into your data for hackers. A Comcast report found that the average households is hit with 104 threats every month. The most vulnerable devices include laptops, computers, smartphones and tablets, networked cameras and storage devices, and streaming video devices, a new report found. Cybersecurity report: Average household hit with 104 threats each month - TechRepublic An important step to take is to change your default passwords on any IoT devices you have in your network.
6) Consider outsource security services: If you have a small or medium sized business, consider bringing in outside cybersecurity expertise or managed service. They can augment your security posture with your internal IT shop and perform vulnerability assessments and recommend solutions and services that are most applicable to your industry requirements.
These are six basic actions to make cyber life easier in 2021. Nobody is fully invulnerable to breaches, but we can all take actions to improve cybersecurity. Wishing you a cyber-safer, healthier, and happier 2021!
Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert Cybersecurity and Emerging Technologies. He is a two-time Presidential Appointee and served ten year on The Hill to a United States Senator on security issues. GovCon & Executive Mosaic named him as one of the top executives to follow on government cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named by Thompson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” a “Top Cybersecurity Expert to Follow in 2021” by Cybersecurity Ventures, and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020 Onalytica "Who's Who in Cybersecurity" – as one of the top Influencers for cybersecurity issues. Chuck, who is also Adjunct Faculty for Georgetown University’s Graduate Cybersecurity Risk and Applied Intelligence Programs, briefed the G-20 Energy Conference on operating systems cybersecurity. Chuck has an M.A. from the University of Chicago, and a BA from DePauw University.
Chuck Brooks is President of Brooks Consulting International. He is also Adjunct Faculty at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs where he teaches courses on risk management, homeland security, and cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 550 million members. He was named by Thompson Reuters as a “Top 50 Global Influencer in Risk, Compliance,” and by IFSEC as the “#2 Global Cybersecurity Influencer” in 2018. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year by the Cybersecurity Excellence Awards. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, and a Contributor to FORBES. Chuck’s professional industry affiliations include being a member of the August USA Chapter of EC-Council Global Advisory Board for TVM (Threat and Vulnerability Management), EC-Council is the world's largest body in cybersecurity training and certifications. He is on the MIT Technology Review Advisory Global Panel, a member of The AFCEA Cybersecurity Committee, and as member of the Electrical and Electronics Engineers IEEE Standards Association (IEEE-SA) Virtual Reality and Augmented Reality Working Group. Some of Chuck’s other activities include being a Subject Matter Expert to The Homeland Defense and Security Information Analysis Center (HDIAC), a Department of Defense (DoD) sponsored organization through the Defense Technical Information Center (DTIC), as a featured presenter at USTRANSCOM on cybersecurity threats to transportation, as a featured presenter to the FBI and the National Academy of Sciences on Life Sciences Cybersecurity. He is an Advisory Board Member for The Center for Advancing Innovation, the Quantum Security Alliance, and a member of the CyberAvengers, a group that promotes safe Cyber-hygiene. Chuck was also appointed as a Technology Partner Advisor to the Bill and Melinda Gates Foundation. He as the Chairman of CompTIA’s New and Emerging Technology Committee, and he has served as the lead Judge for the 2014,15,16, and 17 Government Security News Homeland Security News Awards evaluating top security technologies. In government, Chuck has received two senior Presidential appointments. Under President George W. Bush Chuck was appointed to The Department of Homeland Security (DHS) as the first Legislative Director of The Science & Technology Directorate at the Department of Homeland Security. He also was appointed as Special Assistant to the Director of Voice of America under President Reagan. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill covering security and technology issues on Capitol Hill. In local government he also worked as an Auxiliary Police officer for Arlington, Virginia. In industry, Chuck has served in senior executive roles for Xerox as Vice President & Client Executive for Homeland Security, for Rapiscan and Vice President of R & D, for SRA as Vice President of Government Relations, and for Sutherland as Vice President of Marketing and Government Relations. He was also Vice President of Federal R & D for Rapiscan Systems. In media, Chuck is the featured Homeland Security contributor for Federal Times, featured cybersecurity contributor for High Performance Counsel on cybersecurity, and an advisor and contributor to Cognitive World, a leading publication on artificial intelligence. He has also appeared in Forbes and Huffington Post and has published more than 150 articles and blogs on cybersecurity, homeland security and technology issues. He has 45,000 followers on LinkedIn and runs a dozen LI groups, including the two largest in homeland security. In academia, Chuck is Adjunct Faculty at Georgetown University teaching a course in homeland security risk management. He was an Adjunct Faculty Member at Johns Hopkins University where he taught a graduate course on homeland security for two years. He has an MA in International relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law. Chuck Brooks LinkedIn Profile: https://www.linkedin.com/in/chuckbrooks/ Chuck Brooks on Twitter” @ChuckDBrooks Read Less
---------------------------------------------------------------------------------------------------------------
Two cybersecurity hygiene actions to improve your digital life in 2021
AT&T Cybersecurity Blog
DECEMBER 3, 2020 | by CHUCK BROOKS
It is that time of year again where we start planning resolutions for the coming year. A good start is putting cybersecurity on the top of the list whether you are a business or individual. According to a University of Maryland study, Hackers attack every 39 seconds, on average 2,244 times a day. It may be even higher now that more of us are working remotely because of Covid19 and the attack surface has greatly expanded in numbers and vulnerability. Clearly, with the plethora of breaches, spams, and ransomware we already experienced in 2020, we need to be better prepared in 2021.
What are a couple of cybersecurity hygiene action upgrades that will improve outcomes in 2021?
#1 Passwords
Poor passwords have always been viewed as the low hanging fruit for hackers as the easiest way into the crown jewels of data. Yet, many still use common passwords such as #132456 #password, or birthdays that pose little barriers to letting the bad guys access your accounts, In fact, a UK National Cyber Security Centre 2019 survey analysis discovered that 23.2 million victim accounts from all parts of the world used 123456 as a password. Another 7.8 million data breach victims chose a 12345678 password. More than 3.5 million people globally picked up the word "password" to protect access to their sensitive information.
Now that we have all become creatures of social media, hackers can use social engineering tactics by exploring your social media accounts that often highlight pet names (quite often used as passwords - I admit I have been guilty of that too) or other identifiable items that may give clues to passwords and interests. What is particularly alarming is that there are algorithmic programs that can also utilize public social sites and marketing information to “guess” passwords.
Actions: remedies are easy to get beyond that bad habit of using easy passwords to crack. Do not use default passwords on your devices and when you do create passwords make them complicated. Consider making them long or using phrases with letters, numbers and characters. Also, do not use the same password for multiple accounts. Make it difficult for hackers to get in with one try. Make their challenges more difficult by using multifactor or biometric authentication such as a fingerprint, facial recognition, or texts to verify it is you when you sign in. And if you want to make things less stressful on your memory (we all forget our passwords), consider using a security token and/or password manager. The bottom line is that secure passwords are a basic step to stronger cyber hygiene.
#2 Phishing
Phishing is the tool of choice for many hackers. Phishing is commonly defined as a technique of hackers to exfiltrate your valuable data, or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to be coming as a personal email from someone higher up the work chain, or from a bank, organization or a website you may frequent. Usually the phishing malware comes via email attachments but can also be web-based. According to an analysis by Webroot, 46,000 new phishing sites are created every day and 1.385 million new, unique phishing sites are created each month. At a more granular level, the firm Wandera says that a new phishing site launches every 20 seconds.
Advances in technologies have made it easier for hackers to phish. They can use readily available digital graphics, apply social engineering data, and a vast array of phishing tools, including some automated by machine learning. Phishing is often accompanied by ransomware and a tactic for hackers is to target leadership at companies or organizations (spear-phishing) because they usually have better access to valuable data and make ready targets because of lack of training.
Actions: No one is invulnerable to a crafty phish, but steps can be taken to lessen chances and costs of a breach. For one thing, do not click on any attachment you do not know, and even if you think you know it, double check and verify the sender. Beware of visually appealing pop ups on your computer too. Cybercriminals are sophisticated and creative. An easy rule to follow is to automatically discard any communications asking you for personal information. Chances are you are not the recipient of long lost funds found in a obscure bank account, nor did you randomly win a contest. If something is too good to be true, it likely isn’t.
Some other important advice is to make sure you backup your valuable data, preferably on another device segmented from the targeted PC or phone. If you are a small business or an individual, it is not a bad idea to invest in anti-phishing software. It adds another barrier. I also recommend monitoring your social accounts and credit accounts to see if there are any anomalies on a regular basis. And if you are with a larger company, consider getting anti-phishing training. Companies often use gamification for employees to enhance cybersecurity awareness (and can make learning fun).
Conclusion
These are just two basic cyber hygiene actions that anyone can take to make their digital identities more secure. Certainly, there are many other steps that should be instituted for a layered and more holistic zero trust defense. For example, some things you can do is regularly update security patches, install firewalls, secure your routers, wifi, and use virtual private networks (VPNs).
For better protection also consider adding antivirus & intrusion detection software to your devices. Another means of protection to contemplate is to store your data in the cloud where it can also be agile and encrypted. For many of these security implementations and applications I suggest using professionals in the field who can determine gaps and requirements through risk management vulnerability assessments. There are also some excellent managed service providers who can outsource and coordinate your cybersecurity needs.
Next year please be aware of the benefits of using strong passwords and how to avoid the phish in the cyber threat landscape. Hopefully these two steps alone will make 2021 a safer year.
--------------------------------------------------------------------------------------------------------------
GovCon Expert Chuck Brooks: Better Cybersecurity on 2021 Urgent Wish List for U.S. Government
William McCormick December 22, 2020 GovCon Expert, News, Technology
GovCon Expert Chuck Brooks
GovCon Expert Chuck Brooks has published his latest article as a member of Executive Mosaic’s GovCon Expert program on Tuesday.
In his latest piece, Chuck Brooks discussed the most recent cyber breaches that have impacted federal agencies and the dire need to prevent future breaches and potential consequences of not prioritizing cybersecurity in 2021. He also mentioned the potential impact of the Cybersecurity Maturity Model Certification (CMMC) program and other issues surrounding our nation’s supply chain management heading into the new year.
“Cybersecurity is not just a technology problem, but also a national security problem that encompasses people, processes, and shared knowledge and strategies,” said GovConExpert Chuck Brooks.
You can read Chuck Brooks’ latest GovCon Expert article below:
Better Cybersecurity on 2021 Urgent Wish List for U.S. Government
By Chuck Brooks
The most recent breaches of government agencies certainly pushed better cybersecurity up the wish list for 2021. The high-profile and connected breaches of both SolarWinds and FireEye by nation-state sponsored hackers have sent alarms across the government. Worse news on the breaches may be yet to come.
It will take weeks, if not months to assess the damages inflicted by the hackers, especially what data was infiltrated by the malicious code inserted in the SolarWinds network management software platform, Orion. The breach impacted all branches of the U.S. Military and likely most federal government agencies.
According to official sources, the breach may have even reached the National Nuclear Security Administration (NNSA) where some of the nation’s most guarded secrets are kept about the nuclear weapons stockpile. Early analysis correlates that the attacks were sophisticated, skilled, meticulous, and hard to detect in what was a software supply chain attack.
The fallout from the attacks is alarming. The Department of Homeland Security (DHS) has acknowledged that government and private sector systems are at “grave risk.” Other countries and the private sector were also victimized.
Theresa Payton, who served as White House Chief Information Officer under former President George W. Bush noted the severity of the breach: “I woke up in the middle of the night last night just sick to my stomach,” said. “On a scale of 1 to 10, I’m at a 9 — and it’s not because of what I know; it’s because of what we still don’t know.”
The hacks call attention to the reality of vulnerabilities for both the private sectors in an increasingly digital world and the challenge of protecting data and privacy. Government has invested multi-billions of dollars protecting both the public and private sectors against cyber-attacks, and many have been prevented.
Unfortunately, there are a lot of assets and people to protect and any gaps can be quickly exploited and compromised in the immense network, as evidenced by the SolarWinds episode. Also, because of the growing interconnectivity of devices, automated machine-learning directed attacks, and collaboration among nation-state adversaries in offensive cybersecurity, there will be a continued need for large government investment (with more accountability) in cybersecurity.
Cybersecurity needs to be at the top of the priority list because the stakes are high, and the consequences of breaches are potentially deadly. Cybersecurity is not just a technology problem, but also a national security problem that encompasses people, processes, and shared knowledge and strategies.
Although nothing is totally invulnerable to being hacked, data can be better protected (encrypted at all sensitive levels) and segmented, endpoints hardened, identities validated, and networks can be continually monitored. Better systems and network security are critically important. A retaliatory option needs also to be further developed. Investment in offensive cybersecurity capabilities need to be a key part of the programmatic equation.
As a part of the cybersecurity strategy, greater focus needs to be on the weakest links and that includes the supply chain, especially third-party vendors, and insider threats. As a result of the breaches, supply chain vulnerabilities are now in the limelight. And they should be. I stated in my recent GovCon article “Chuck Brooks: Government Focused on Securing the Cyber Supply Chain” that supply chain cyber-attacks can be perpetrated from nation state adversaries, espionage operators, criminals or hacktivists.
Their goals are to breach contractors, systems, companies and suppliers via the weakest links in the chain. This is often done through taking advantage of poor security practices of suppliers, embedding compromised (or counterfeit) hardware and software, or from insider threats within networks.
Supply chain issues are being formally adapted into security strategy by the federal government. On May 15, 2019, the White House Presidential Executive order was issued to help secure the supply chain (both public and commercial) poses an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States.”
The remedy to fixing supply chain vulnerabilities is heightening government and industry collaboration highlighted in the policy initiatives, such as NIST, and in task forces on supply chain security established by the Executive Branch. More precisely, it requires enacting a risk management process that identifies vulnerable systems (especially legacy) and gains visibility into all the elements of the supply chain.
A General Accounting Office (GAO) report, released last week highlighted the importance and difficulties of protecting supply chains. “Supply chains are being targeted by increasingly sophisticated threat actors, including foreign cyber threat nations such as Russia, China, Iran and North Korea. Attacks by such entities are often especially sophisticated and difficult to detect.”
A newer and important element of the Government’s approach to mitigating supply chain risk and systems security will be the implementation of the Cybersecurity Maturity Model Certification program (CMMC). Conceived in 2018, the CMMC is designed to ensure that sensitive Department of Defense (DoD) data is safe within the vendor software supply chain.
The CMMC model is intended to build upon existing cybersecurity frameworks and requirements (i.e., NIST 800-171) and is organized into five incremental levels of cybersecurity processes that range from basic to advanced cybersecurity hygiene. This makes sense as lack of cybersecurity hygiene that includes strong passwords, awareness of phishing attacks, encryption, and backup of files is often not adhered to properly by vendors in the supply chain.
Insider threats have also been a problem, whether they are deliberate or negligent acts. They can also be a part of the vendor supply chain. Government agencies have mission-critical information at risk and need to stay ahead of the threats.
The most popular cybersecurity technologies to deter insider threats have been Data Loss Prevention (DLP), encryption, identity and access management solutions, log management and SIEM platforms.
Agencies are also looking at behavioral identifiers bolstered by machine learning and artificial intelligence to detect and mitigate insider threats. It is an area that needs more attention in government as well as industry as data is continually being breached as a result of human activities.
Better supply chain protection, called to attention by the SolarWinds breach, and Insider threat protection are just two elements (but very important ones) of cybersecurity that should be on the government priority wish list. The government cybersecurity wish list needs to be a long one in tools and capabilities and will require continual augmentation.
Congress in its oversight role is already proactive. For example, in The Fiscal Year 2021 National Defense Authorization Act (NDAA) there are 76 plus cyber provisions related to improving our national cybersecurity posture.
There are dozens of additional tools, policies, and programs that can be enhanced and expanded as we confront more threats in 2021. As the after-action impact of the breach is analyzed for lessons learned, one clear finding will be that better cybersecurity is an imperative and urgently needed.
---------------------------------------------------------------------------------------------------------
Business Development Manger
9mo2024 Data Protection Trends Report Download Report: https://tinyurl.com/43wxbrcn, #dataprotection #data #protection #safety #security #datasafety #datasecurity #datasecuritie
Data-Driven B2B Marketer | Driving Business Success
9mo2024 Data Protection Trends Report – Americas Summary Download Report: https://tinyurl.com/43wxbrcn, #dataprotection #data #protection #safety #security #datasafety #datasecurity #datasecuritie
Business Development Manger
10moCloud security skills can take your career to infinity (and beyond) Get Your FREE Copy Today: http://tinyurl.com/2hhx7fku, #cloudsecurity #cloud #security #cloudsecurityengineer #cloudsecurityexpo #cloudsec #cloudsecurityalliance #technologytrends
Data-Driven B2B Marketer | Driving Business Success
10moA New Paradigm for Managing Data Download Now: http://tinyurl.com/yh7jxzxh #data #dataanalytics #datamanagement #bigdata #datascience #informationmanagement #databased #datadriven #analytics #datademocratization #dataculture #datagovernance #dataprivacy #datasecurity #dataethics #clouddata #hybriddata
Data-Driven B2B Marketer | Driving Business Success
11moHow You Can Become a Cybersecurity Hero Get Your FREE Copy Today: http://tinyurl.com/bdf29zcv #cybersecurity #cybersecurities #cybersecurityheros #cybersafetyprofessionals #cybersafety #cybersecurityleaders