Securing Remote Workers in the Age of Teleworking – Infoblox

A significant number of your employees are now working from home as the pandemic continues to spread globally and the need to protect people’s health takes number one priority. In this situation, companies have had very little time to prepare for such large scale remote work and think about how to secure these devices that are now accessing corporate resources from outside the perimeter. But work from home doesn’t mean you have to compromise on security. Read this white paper to learn about:

  • Top security challenges around teleworking
  • Evolving threat landscape in the current scenario and top attacks that could target your remote users
  • How to secure your work from home users using foundational network services

Click Here to Read Infoblox’s Whitepaper

Verizon’s 2020 DBIR Report: Take Aways & Reaction

Verizon’s 119 page 2020 Data Breach Investigations Report (DBIR) provides a comprehensive analysis of breaches and incidents.  The report’s underlying data set consists of 157,525 incidents gathered between 11/1/18 and 10/31/19 from 81 contributing partners across 16 verticals, 81 countries, and 4 regions.

Twenty percent – or 32,002 incidents – met Verizon’s stringent data quality standards and twelve percent of those – or 3,950 – were confirmed data breaches.  Changing trends can be seen over time against the backdrop of a total of 755,000 incidents Verizon has collected and painstakingly analyzed for 13 years running.

In addition to sections covering industry segments, regional analysis, and organization size (< 1000 employee SMB versus large organizations review), the report analyses a wide variety of factors.   Factors include: Type of Actors (i.e.,  external, internal, organized crime nation states); Actors’ Motives (i.e., financial, espionage, fun/grudge/other etc.); Threat Actions (i.e., Phishing, Use of stolen Creds, Mis-delivery, Misconfiguration, Password Dumper, Trojan, Ransomware, RAM Scraper); Threat Varieties (i.e., Malware, Hacking, Social, Misuse, Physical, Error and Environmental); Data compromised (i.e., Credentials, Payment, Personal, Medical, Internal, Other); and incident classification Patterns (i.e., Crimeware, Cyber-Espionage, Denial of Service, Privilege Misuse, Miscellaneous Errors, Point of Sale, Lost and Stolen Assets, Payment Card Skimmers, Web Applications and Everything Else).  There is a lot to dig into and there is something in the report for every type of reader.

Breach findings include:

  • 86% were financially motivated
    • 43% involved web applications – double last year
    • 37% stole or used credentials
    • 22% involved phishing
    • 17% due to errors
    • 24% cloud assets vs. 70% on premises assets
    • 96% involved IT (information technology) vs. 4% OT (operational technology)
    • 60% were discovered in 1 day or less vs. 26% discovered in 1 month or more

Additional general insights include:

  • Human errors are on the rise with the increase in technical complexity.
    • Credentials are still the favorite attack surface.
    • Security researcher has become the most likely Discovery method for an Error action breach by a significant amount – over six times more likely than it was last year.
    • While patching practices seem to have strengthened, Asset Management problems become vulnerability management problems on the assets organizations do not realize are there.

Effective data sharing is key to fighting bad actors’ evolving tactics.  Verizon is improving how VERIS (Vocabulary for Event Recording and Incident Sharing) data connects and interacts with other existing standards like the Center for Internet Security (CIS)4 Critical Security Controls and the MITRE ATT&CK®5 framework to improve the types of data that can be collected and reported on.  Mapping industry vulnerabilities to top controls – a new feature in this year’s report – help readers translate attack information into positive, constructive actions vital to organizations’ defenses.

Report Presentation: A Labor of Love

Kudos on Graphics 

The quality of and care given to visualization graphics in Verizon’s 2020 DBIR is inspired. The report author’s took care to make sure the abstract work of art image below would not be mistaken for “Butterfly Vomit” by clarifying that “No, a butterfly did not just vomit on your report.” p 32.   The graphic depicts the number of steps involved by threat action type and the associated attribute that was compromised helping to visualize the range of Attack paths. 

In my perfect world, the actual data points would be or become visible when hovered over on bar charts. 

Engaging Headlines and Tone

I felt like I got to know the 5 person Verizon DIBR team (Gabriel Bassett,  C. David Hylender,  Philippe Langlois , Alexandre Pinto , and  Suzanne Widup)  a bit by reading the report and really appreciated the narrative they provided. Some favorites quotes included:

“If you will allow us a mixed metaphor, there is no outrunning the bear in this case, because the bears are all being 3D-printed in bulk and automated to hunt you.  So, carry on my wayward son and keep doing what you’re doing (you know, patching), and perhaps skip over to the “Assets” section to get an inkling of what you might be missing.” p. 23

“Many of the attacks studied in this report fall somewhere between a stickup and the Great Train Robbery in terms of complexity.” p. 36

“All in all, we do like to think that there has been an improvement in detection and response over the past year and that we are not wasting precious years of our life in a completely pointless battle against the encroaching void of hopelessness.”  p. 37

“For whatever reason, these Error types –  Misdelivery (sending data to the incorrect recipient) and Misconfiguration (i.e, forgetting to secure to a storage bucket) – seem to be the peanut-butter-and jelly sandwich of the breach world this year. Perhaps Internal actors are simply too busy trying to perfect their Renegade dance on TikTok these days; we do not know for sure.  Whatever the reason, these errors are found in every industry and region, and in alarmingly large percentages. As mentioned elsewhere in this report, the vector for these errors is almost entirely carelessness on the part of the employee.”  p. 89

Longed for a Discussion of Financial Implications

While Appendix C of the report did share that  “In 2019, the Secret Service prevented $7.1 billion of cybercrime losses and returned over $31 million in stolen assets to victims of fraud” p115 and the Financially Motivated Social Engineering section stated that “median impact cost for incidents reported to the FBI IC3… for business email compromises (BEC), most companies either lost $1,240 or $44,000 with the latter being slightly more frequent” p25, I found myself longing to be grounded in basic macro statistics like – How much gets stolen each year? What do we spend on defending ourselves?  I also wonder about collateral damage and the follow-on impacts of how stolen funds are used.

As I ran at answering these questions for myself, I found there to be a wide range of answers for key statistics. Here are some starting points:

According to IDC, worldwide spending on security-related hardware, software and services will be $106.6 billion in 2019, an increase of 10.7% over 2018.  This amount will reach $151.2 billion in 2023 with a compound annual growth rate (CAR) of 9.4% over the 2019-2023 forecast period.

This is against a backdrop of global spending on IT overall is expected to be 3.9 trillion dollars in 2020 according to Gartner.

According to Cyber Security Ventures, global spending on cybersecurity products and services are predicted to exceeded $1 trillion cumulatively over 5 years, from 2017 to 2021.

According to Statista, 10.6% of IT budgets is spent on IT security.  According to Boston Consulting Group, average spending % ranges 300% depending on source (from 3.7% – 10%).

According to Cybersecurity Ventures, cybercrime damage costs are predicted to hit $6 trillion annual by 2020, up from $3 trillion in 2015.  They state that “this represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment and will be more profitable than the global trade of all major illegal drugs combined.”

Companies globally could incur US$5.2 trillion in additional costs and lost revenue over the next five years due to cyberattacks.  — Accenture

60% of small business fail within 6 months of having been hit with a cyber breach

It is sobering to contemplate how the stolen funds are being used to to fund ever bigger and badder activities.

Wrap Up

“Cybersecurity is the central challenge of the digital age.”  – Satja Nadella CEO, Microsoft

Verizon’s DIBR is a great report on a terrible situation. I found it well worth diving into the details and was impressed by the graphics and refreshingly engaging and accessible tone of the analysis which lowers the hurdle to raising broader awareness about cyber threats. I did need to begin researching key macro financial implications of the report findings.  Identifying a handful of key impact statistics and tracking them over time could serve as a companion to or possibly become part of the report.  By providing a data based view of security gaps and mapping to controls, Verizon enables organizations to take important steps to shutting down known security gaps – so key to protecting our economy, democracy, and way of life. 

-Katrin Hillner

PCN Announces New GRC Security Services

Wayne, PA—PC Network Inc. (PCN), a global technology infrastructure services provider, announces launch of a Governance, Risk, and Compliance (GRC) Security Services practice.

PCN’s GRC Security Services enable organizations to develop scalable programs that improve their security posture and provide assurance that risk is being managed according to policy. Our assessment, advisory and assurance services offer guidance to organizations in the protection of critical assets by averting threats, closing gaps and effectively managing risk.

“Cyber threats are persistent, growing, and demand a committed vigilant response,” said PCN’s President & CEO Katrin Hillner.  “Organizations are looking for more resource and cost-effective ways to design and maintain cybersecurity programs to address existing and evolving risks.   We are excited to provide GRC Security Services to meet these critical customer needs.”

Bruce Young, PCN’s GRC Security Practice Lead, joins the leadership team, delivering guidance and expertise to our growing GRC customer base. “Organizations serious about cybersecurity recognize that they must start with Governance, Risk, and Compliance,” said Young.  “You begin by selecting a security framework to assess risk against.  This reveals the necessary actions to build and maintain required controls. Our team, tools and templates simplify the design, development and implementation of effective cybersecurity programs.”

Contact: PCN Marketing
Phone: (267) 236-0015
Email: Marketing@PCN-inc.com

PCN Coronavirus COVID-19 Update

As the number of cases of Coronavirus (COVID-19) continues to grow in Canada, UK and the United States, everyone needs to take precautions for the safety and wellbeing of our families and co-workers.  PCN is monitoring the Coronavirus (COVID-19) developments closely. As the managers of critical infrastructure, we believe limiting any impact this health event could have on our employees and service to our customers is imperative.

As such, we have activated our Business Continuity Plan, which includes:

  • Enabling work from home capabilities within impacted regions
  • Providing PCN employees with information and best practices to prevent the spread of any illness
  • Limiting and/or terminating all non-essential business travel
  • Temporarily suspending visitor access to our sites
  • Communicating with our customer/partners that PCN has activated our Business Continuity Plan

Implementation of PCN’s Business Continuity Plan should have minimal impact on how services are delivered to our customers, as the majority of the PCN team members have experience supporting many contracts from their home offices from geographically dispersed locations.  All technical support provided by PCN has been designed to be performed remotely. 

PCN and Unisys extend Mentor Protégé Program Participation for a second Year

PCN and Unisys are excited to extend their participation in the Commonwealth of Pennsylvania’s Diversity, Inclusion and Small Business Opportunity Program’s Mentor Protégée program for a second year.  The four objectives being pursued are 1) Product Development & Product Lifecycle support; 2) Advisory services for scaling PCN products and services; 3) Enhancing PCN’s marketing and sales plan targeting partners who do B2B and B2Gov/Ed and Commonwealth opportunities; and 4) Leverage Unisys’ global best practices to enhance PCN resource skill and overall delivery capabilities.  PCN has been a small business partner to Unisys supporting the Commonwealth’s PACTs data center enterprise contract for years and appreciates the opportunity to deepen its relationship with Unisys as a strategic partner. 

World Bank Women, Business and the Law 2020 Report: Gender Barriers Persist Globally

Only 8 countries give women equal legal work rights as men. The U.S. is not one yet.

The World Bank’s recent Women, Business and the Law report measured gender discrimination in 190 countries. It found only 8 countries give women equal legal work right as as men, and the US is not one yet

Belgium, Canada, Denmark, France, Iceland Latvia, Luxembourg and Sweden scored full marks on eight indicators – from receiving a pension to freedom of movement – influencing economic decisions women make during their careers. The US ranks #38 with an overall index of 91.3 breaking out by indicator as follows:  Mobility 100, Workplace 100, Pay 75, Marriage 100, Parenthood 80, Entrepreneurship 100, Assets 100, Pension 75. 

A typical economy only gives women three-quarters the rights of men in the measured areas. The WBL index measures only formal laws and the regulations which govern a woman’s ability to work or own businesses– a country’s actual norms and practices are not captured.

Clearly, much more work remains as women in many countries have only a fraction of the legal rights of men, holding them back from opportunities for employment and entrepreneurship.

The report also provides summaries of 62 reforms implemented globally over the 2-year period since it was last published. 

Wrap Up

According to the World Bank, discriminatory laws continue to threaten women’s economic security, career growth, and work–life balance.  While progress clearly is being made, there much work to be done.  As a woman business owner with a passion for gender equity, I appreciate the report’s framework and measurement of laws and regulations that restrict women’s economic inclusion, and the important role it plays contributing to research and policy discussions about the state of women’s economic opportunities. 

-Katrin

Vendor Panel: Impact of Government Procurement Practices on Outcomes

Together with Chad Firestone from Deloitte and John Alwine from Unisys, Katrin Hillner PCN’s CEO addressed the 2019 IT Executives and IT Managers classes.  The panel was moderated by HU’s Randy Jones and covered a lot of ground, including how companies decide whether to bid on proposals, characteristics of successful and unsuccessful procurements, what goes into vendors’ proposal response efforts and partnering strategies for pursuits.  The panel discussion was followed by a lively Q&A session.  PCN is proud to be a sponsor of HU’s GTI which under the leadership of GTI Executive Director, Charlie Gerhards is a driving force in educating IT Leaders, empowering them with increased skills to make “Good Government Great Government.”

Paying it Forward: PCN’s CEO Katrin Hillner participates in Deloitte Women In Tech Panel at Wharton

Jeanette Yung, Technology Strategy Partner at Deloitte and Kathleen Brunner President of Acumen Analytics joined Katrin Hillner President and CEO of PCN for a wide ranging panel discussion about opportunities in the tech sector.  The panelists shared how the got started in careers in technologies and their wide ranging experiences along the way.  The session was well attended and followed by a happy hour with lively one on one conversations and networking for Wharton MBA candidates interested in learning more about the vast opportunities Technology offers from a career perspective.