Of course, we’re talking about the long-awaited return of KnowBe4’s network-quality video series The Inside Man. Back for its fifth season, the show, created and produced by Twist & Shout Communications (a KnowBe4 company) is now available to all diamond-level KnowBe4 subscribers.  

The Gurus were lucky enough to walk the red carpet alongside the show’s cast and crew last week at the Odeon Luxe Cinema, Leicester Square. A packed-out venue fit for an ambitious and industry-leading series that reunited some of our favourite characters. 

What To Expect This Season 

Season 5 of The Inside Man has big ambitions that echo, as always, real-world scenarios, genuine real-world threats, and plausible scenarios. If season 4 was a nod to 2021’s Colonial Pipeline ransomware attack, season 5 takes a stab at the more political side of cybercrime.  

The season’s antagonist, Cyrus, sums the season – and his intentions – up perfectly: ‘Money? You think this is about money? It’s about power… The power to know how people are going to react before they know themselves, to mould their thoughts, to shape their behaviour… The power to choose who wins an election, wins a war.’ 

Of course, this echoes similar themes that we see in the news frequently, with cyber influence operations becoming all the more common. In fact, just last year US military and intelligence officials announced that they were stepping up efforts to defend the electoral process from foreign influence.  

Whilst the show doesn’t go that far, it does dabble in using cyber influence to show the increasingly complex nature of highly personalised attacks. This season we find Mark, AJ, Fiona, Violent and Maurice approached by the security services to help fight against a remorseless adversary deploying vast resources of hacking powers to gain influence and power. From global corporation acquisition to insider threats within hospitals and healthcare, this is definitely the most eager (and high stakes) series of The Inside Man yet. 

Jim Shields, Creative Director of Twist & Shout Communications said: “In this season, we see many of these exciting plotlines finally come home to roost. Storylines for which we’ve spent two or three seasons laying the foundations. It’s powerful stuff, and the production team have excelled themselves as usual in bringing it to life. I’m unbelievably proud to be a part of this series.”   

Revolutionising Cyber Awareness Training 

For many years, KnowBe4 have been reshaping cybersecurity awareness. Perhaps the most obvious example of this is their willingness to invest in something truly different and, perhaps, revolutionary within its field. It’s clear that The Inside Man is an investment, with stunning sets, large productive value and 12-episode story arc. However, it pays off; the show has real, dedicated fans. In fact, three lucky superfans were invited to the premiere, with one having written a full-blown analysis of it. There’s nothing quite like it! 

“Security awareness training doesn’t have to be boring, nor should it,” says Stu Sjouwerman, CEO of KnowBe4. “‘The Inside Man’ is the most utilised training that KnowBe4 offers in the optional training category because it is highly captivating, and the production quality is more like a network-quality series than training.” 

What The Inside Man does so captivatingly is foreground the human element of cybercrime, with the adversaries not the stereotypical hooded hackers of yesteryear and our victims harrowingly human and relatable. From social engineering to passwords, to social media and deep fakes, this season of The Inside Man covers a lot of ground. Importantly, it reveals how easy it can be for an outsider to penetrate an organisation’s security controls and network. It’s awareness training that doesn’t feel like awareness training – and it’s not preachy either. 

The Verdict  

Season 5 of The Inside Man is well worth a watch. Whether or not you typically ‘enjoy’ cybersecurity awareness training, you can’t help but feel drawn to the show. It’s both educational and entertaining, and that’s pretty impressive.  

Education and awareness are at the heart of everything KnowBe4 does – and The Inside Man is no different, clearly. The Inside Man forces audiences to face safe (or otherwise) cybersecurity practises in an unusual (and rather fun) way. Ultimately, this passion project, beloved within its community, is something vendors should take notice of.  

You can watch the full series on The Inside Man microsite on the KnowBe4 platform if you are a diamond member. 

The post Back and Bigger Than Ever! The Inside Man Season 5 Takes a Stab at Power Hungry Adversaries appeared first on IT Security Guru.

Following an investigation, it becomes apparent that the law firm did not employ basic security controls when attempting to protect their physical premises. No security system, no CCTV, and no “locked doors”, per se. As a result, the clients who once trusted this firm with their data begin a mass exodus, and the law firm find themselves in very rocky waters.

This analogy serves to illustrate a crucial point about the cybersecurity posture for SMEs (Small Medium Enterprises). Statistics show that small and medium-sized businesses are not exempt of being targeted by cyber criminals and can be equally, if not more, affected by an attack that could cause significant operational or reputational damage.

Small businesses are subjected to all types of cyberattacks, which include but are not limited to malware, ransomware, and data breaches. All these result in privacy, security, and operational risks. These attacks may also end in stolen funds, compromised confidential business information, and unauthorised access and disruption of day-to-day operations.

Cybercrime is growing alongside the increased use of the internet and business networks. Today, more than ever, organisations of all sizes rely on their networks, data, and internet connectivity to conduct business. Unfortunately, as a result, sensitive data, intellectual property, and personal information of small and medium-sized firms are targeted by an ever-increasing and sophisticated community of cybercriminals.

Fact is, small organisations, are just as much of a target in today’s cybersecurity landscape as the multinational enterprises who make the headlines.

The Automation Factor

Organisations of all sizes must come to terms with the fact that they are likely to be a target of a breach. Similarly to the global trend of businesses’ digital transformation to improve efficiency or to reach a new customer base, the uprise of Cybercrime is the result of digital transformation of traditional crime methods such as extorsion. Fact is, the weaponization of the 21st century criminal has become another market on its own right. Automated blanket attacks, ransomware-as-a-service offerings, widespread phishing campaigns, and other attack vectors have become part of a “business offering” far from the stereotypical ‘evil genius’ hacker extorting an organisation as an independent actor. Ransomware gangs go so far as to attempt to recruit malicious insiders, as it is growing to become a lucrative market in which there is much money to be made.

According to a McKinsey Global Institute report the internet’s economic impact has been greatest among “individual consumers and small, upstart entrepreneurs”. The internet provides a platform that allows even the smallest firms to have a global impact.

Forbes reported in March that small businesses are more frequent targets of cyberattacks than larger companies, often because cyber criminals assume they lack the necessary means to protect themselves. In the US alone, 60% of SMEs were out of business six months following a cyberattack.

As such, organisations are increasingly realising that the investment in cybersecurity platforms should be considered a cost of doing business, as attacks are now also affecting small businesses who are more vulnerable due to a lack of resources and awareness.

Best practices

As technology continues to evolve, the risk of cyberattacks becomes more extensive and complex, therefore it is crucial for small businesses to look into cybersecurity plans.

Leaders need to remember that, no matter how small they believe their own business operations to be, it will never be small enough to remain hidden from cybercriminals; particularly if their cybersecurity infrastructure falls short.

In today’s world, everything is interconnected and many small firms handle sensitive data or require remote access from their personnel. Therefore, security becomes an absolute priority. Failure to deal with it appropriately could mean significant damage on revenue due to service downtime, loss of brand equity and customer trust, professional indemnity, non-compliance issues, and at worst criminal proceedings.

Business leaders and security teams can work together to make smart decisions that improve overall cybersecurity cultures within their company. One of the considerations they should make is working with a specialized service provider that can protect their digital assets and business interests. An example of this is employing the right cyber security partner to provide sophisticated real-time risk management and bring actionable intelligence to the enterprise where and when it matters the most.

MDR Services available by a Cyber Security provider can protect data, assets and identities in real time, and detect, respond and prevent cyberattacks on a 24/7 basis. This takes the pressure off IT teams and leaders, allowing them to focus on their usual day-to-day tasks, while securing the business from internal and external cyber threats.

https://www.obrela.com/ 

The post Why is cybersecurity vital for small businesses? appeared first on IT Security Guru.

What is shadow code?

Q1: Have any of you heard the term #ShadowCode before? If yes, what do you understand it to mean?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Our influencers seemed broadly aware of the term of shadow code and displayed an understanding of the term. The next challenge for those hoping to defend against the issues brought about by shadow code will be to encourage the term to go mainstream within technology circles, in the same way that ‘Shadow IT’ has become a term omnipresent in technology, developer and security circles. 

Why should we care?

Q2: From a business and marketing perspective, why should companies be aware of the code that they host on their digital ecosystem? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here, our influencers make the case for an understanding of shadow code across the business. Making the point that data breaches or compliance issues can lead to diminishing brand reputation, PerimeterX CMO Kim DeCarlis flew the flag for marketing professionals gaining an awareness of shadow code, and working with security and IT teams to ensure that code is reviewed and tools are implemented in order to protect the brand. 

Jamie O’Meara, who heads up global partner solutions at Snyk also made the point that a businesses website is the access portal by which customers are found, dealt with and hopefully, retained – as good a reason as any to understand and be aware of the potential issues caused by shadow code. 

The security implications

Q3: What are the consequences of not being aware of this from a security perspective? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here we see a discussion of a much-forgotten element of the shadow code discussion: It does have some positives. Kim DeCarlis suggests that the agility that using Shadow Code can provide can be potentially helpful. 

However, from an infosec perspective, we still see the negatives outweigh the positives. Quentyn Taylor, who heads up information security for Canon in Europe, makes the connection between shadow code and supply chain security, suggesting it is perceived as this it might escape the more rigorous auditing other areas of the business might be subjected to. Ameet Naik of PerimeterX summed the concerns up succinctly too, stating that “You cannot secure what you cannot see.”

Shadow Code and job function

Q4: How is #ShadowCode impacting different job functions such as #CISOs, #infosec teams and #DevOps teams?

— IT Security Guru (@IT_SecGuru) September 16, 2020

The influencers here wax lyrical on the subject of how different job functions are affected by shadow code. As the resident CISO in the room, Quentyn Taylor suggested that the impact is more stringently felt on the DevOps side, and that Shadow code presents both an opportunity and a risk or CISOs. 

The RH-ISAC made the case for shadow code not always being as a result of malicious activity, stating something that a developer is simply on a deadline, and needs to finish the job fast, which in itself speaks to the skills gap in security and IT teams, and the far-reaching consequences. 

Shadow code in the real world

Q5: Can you provide any examples of when #ShadowCode has had a negative effect on a company in the past?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Bridging the gap between the infosec world and the real world, here we see our influencers discussing how this has impacted people in the real world! The infamous Magecart cybercrime syndicate was listed as a main example, with attacks aimed at Best Buy and Delta also referenced. 

Who needs to be the most concerned?

Q6: What are the implications for specific industries such as #ecommerce, travel and #elearning? #ShadowCode

— IT Security Guru (@IT_SecGuru) September 16, 2020

Question 6 asked who has the most at risk from shadow code. With more mature security postures found in financial and healthcare organisations, e-learning is identified as one area which has a less mature security posture, but a staggering amount of PII in their digital ecosystems. 

It’s worth hammering home the point however, as Kim DeCarlis did, that any business using shadow code to speed up their time to market is at risk. 

Moving forward: How to mitigate 

Q7: What is the best way for security teams to mitigate the effects of #ShadowCode?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Here, the advice was as you might expect: Review, understand and monitor. RH-ISAC, PerimeterX’s Ameet Naik, and security analyst and author Richard Steinnon all recommended surveying and monitoring, as well as having increased visibility as ways to mitigate the risks associated with shadow code. 

Are CSPs enough?

Q8: Some say content security policies (CSPs) are sufficient to address #ShadowCode. Is this accurate?

— IT Security Guru (@IT_SecGuru) September 16, 2020

In the most technical aspect of the chat, Quentyn, Richard and Ameet discussed content security policies, and whether they are enough to protect from shadow code, concluding fairly comprehensively that while a CSP is useful from an authorship and source perspective, it cannot tell what the code actually does: It is not a “set and forget” solution.

Shadow code and legislation

Q9: #ShadowCode has been responsible for many recent #Magecart attacks that incur GDPR and CCPA penalties. How much progress have we made towards achieving compliance with data privacy regulations?

— IT Security Guru (@IT_SecGuru) September 16, 2020

Discussing whether the recent legislative trend towards protecting consumer data, as encapsulated by the CCPA and GDPR legislations passed will have any effect on shadow code, our influencers agreed that the legislation is far too new for us to have a true impact. They also highlighted how some of the world’s biggest brands – Marriott Hotels, British Airways – thought they were compliant, but were sorely mistaken. 

What will the future hold?

Q10: Where do you see the issue of #ShadowCode in 5-10 years?

— IT Security Guru (@IT_SecGuru) September 16, 2020

We saved the big question for last: What now? All of our influencers agreed that shadow code is not going anywhere, with carrying degrees of optimism: While Quentyn Taylor suggested that “This will be a issue that will get far worse before it gets better” due to the products that can’t be update, Richard Stiennon was more positive in his outlook, stating that signing code would be a great start. 

Jamie O’Meara argued the natural proclivity for change and development in Application development will mean we are likely to see far more shadow code over the next decade, and Kim DeCarlis agreed that the desire for speed and agility in web development means that shadow code is absolutely not going anywhere soon! 

To find out more about shadow code, and how your business can defend against it, please visit the resources on the PerimeterX website.

The post Tweet Chat: Exploring the hidden world of Shadow Code appeared first on IT Security Guru.

We wanted to find out what trends had been seen, how organisations should go about ensuring security is being kept as a priority, the impact Covid-19 will have and the importance of having a strong security culture during this time of uncertainty. To help us answer these questions, we were joined by KnowBe4’s security awareness evangelists. KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform so they are best placed to give the necessary insight into the phishing trends which was where we started the Tweet Chat…the evangelists were certainly happy and eager to get started…

Current mood #AskKB4 https://t.co/lQk3tRfxp7 pic.twitter.com/27dNcNccMT

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

Noticeable trends and surprise tactics used by Hackers

A1: Ransomware, Data breaches have held steady. With the recent ShinyHunter data leaks due to phishing attacks. Phishing will not go away until more organizations provide training and this attack vector is no longer successful for the cybercriminals #AskKB4 #phishing https://t.co/fQL4mL11jJ

— James (@James_McQuiggan) July 29, 2020

Nearly every trend has been linked to the 'rona. The impromptu "digital transformation", wfh, attacks against home workers and home infrastructure, lots of misinformation. #AskKB4 https://t.co/WA4w1HKhaa

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

A2: I thought the android ransomware being spread as a Canadian COVID tracing app was interesting. The Canadian govt said they were making one and scammers fired up pages that looked legit and took advantage. Clever #AskKB4 https://t.co/MGDS5vdYv0 pic.twitter.com/kvo8LbbkNs

— Madsqu1rrel (@ErichKron) July 29, 2020

A2 Not a particular scam.. but I do notice the bad guys becoming more bold and blatant in their approach. And they don't really need to be inventive (unfortunately). BEC type scams, for instance, have been around for ages and are still the same #askkb4 https://t.co/QIrREaNmBn

— JellySandwich (@JelleWieringa) July 29, 2020

Will we see a rise in DeepFakes?

We then moved onto the impact the pandemic will have given that face-to-face contact will be limited for the time being and how criminals will leverage this for their own nefarious means…

A3a: #Deepfake attacks are still developing and take too much time and effort to be used in a commodity types of attacks, only high-value targets. Frankly those are still easier to get without all the deepfakery right now #AskKB4 https://t.co/PDlmy1qXDh

— Madsqu1rrel (@ErichKron) July 29, 2020

A3b: To avoid being impacted, make sure your processes are set up and people trained to require an out-of-band confirmation, such as calling someone on a known good phone number, before transferring money or sensitive info #AskKB4 https://t.co/PDlmy1qXDh

— Madsqu1rrel (@ErichKron) July 29, 2020

A3 As for voice and text phishing. This is far easier to set up and execute. And since a lot of users still find it hard to determine whether something is a fraudulent text or voice message, there is plenty of opportunities for the bad guys to be successful with this. #askkb4 https://t.co/yCzfyrbDxU

— JellySandwich (@JelleWieringa) July 29, 2020

A3: With their “hacker toolboxes”, cybercriminals vary attack vectors to get folks to be convinced of the event – #SMSing or #Vishing to convince people of bank changes,account passwords and click the link, phone the number #AskKB4 https://t.co/frJ0FMHJ1x pic.twitter.com/RfCgdkkaDE

— James (@James_McQuiggan) July 29, 2020

Humans will continue to be important

We then transferred the discussion to the vital role the human workforce plays in keeping organisations safe, especially when facing out of the ordinary threats seen today. Technology will always have its place in cybersecurity, but the importance of the human factor cannot be underestimated. Yet, this also begs the question: how much should be spent on technology vs training?

A4: Humans have always been a huge part and this has only highlighted that as they work form home with fewer technical controls and tools at their disposal. It’s important to realize that it is not their fault, but they ARE the ones targeted so often and get beat up #AskKB4 https://t.co/lI38Yf1nii pic.twitter.com/oCPql9qPtO

— Madsqu1rrel (@ErichKron) July 29, 2020

70% -90% of malicious breaches are due to social engineering humans, so helping the humans make better security decisions is THE best defense you can implement. #AskKB4 https://t.co/2LJ6JAx9lz

— Roger A. Grimes (@rogeragrimes) July 29, 2020

While I believe investing in the human workforce is vital.

Equally so, it's important for organisations to understand where tech controls are effective and appropriate, where procedures are needed and where and when to invest in humans and the limitations of each. #AskKb4 https://t.co/MPMNe2QA8d

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

A6: The money needed for annual training is a drop in the bucket compared to the money spent on technology. The training budget is the first cut when it comes to budget cuts for organizations. Provide education & training for the employees vs the cost of a new blinky box #AskKB4 https://t.co/4RHkC0lGDJ pic.twitter.com/9lQbLz6qeY

— James (@James_McQuiggan) July 29, 2020

A6: That depends on where they are now and how much ground they need to make up in one area or another. It also depends on the types of attacks they experience. I suggest using the approach @rogeragrimes takes in his Data-Driven defense book #AskKB4 https://t.co/Kv7RzhqSuy

— Madsqu1rrel (@ErichKron) July 29, 2020

Digging deeper into the training aspect of security, many may overlook the significance security awareness plays in the overall protection of an enterprise. Is there a perception that security awareness training is not necessary?

Yes. It may surprise some people, but we still get a small % of people questioning it's value at all. And we say just look at the data…anyone's data. Good security awareness training significantly reduces risk of compromise and I don't care who's data you use. #AskKB4 https://t.co/mXl3m0Ohpq

— Roger A. Grimes (@rogeragrimes) July 29, 2020

A7 I think a lot of organizations do value it. But find it hard to execute properly. Therefore, they go for the (easier?) technology angle. Showing them (through data) of the need AND the value in security awareness is the way to go to convince them. #AskKB4 https://t.co/KFNRvwro2I

— JellySandwich (@JelleWieringa) July 29, 2020

It also created a discussion amongst the evangelists as can be seen in this thread:

The money needed for annual training is a drop in the bucket: Not always

The training budget is the first cut when it comes to budget cuts for organizations: Any evidence to support this?#AskKb4

— Javvad Malik v2.0 (@J4vv4D) July 29, 2020

Surviving the current waves of cyberattacks requires the implementation of strong security culture – this should be paramount, but who within an organisation should be leading the way for this approach and how can one measure if they actually have a solid security culture foundation?

A8: It has not only to be talked about by leadership, but demonstrated as well. From the C-suite to line managers, it is important that leadership publicly demonstrate a proper security culture. #AskKB4 https://t.co/tdEjYWocMM

— Madsqu1rrel (@ErichKron) July 29, 2020

In an emergency or new event, most people revert to what they have been trained to do. So, training, no matter how you do it, is important to do. You just need to make sure the training is well done and relevant, however you do it. #AskKB4 https://t.co/rOU3MSE8c5

— Roger A. Grimes (@rogeragrimes) July 29, 2020

Use such metrics as "how many incidents have occurred or been prevented", using a Phish Prone Percentage of the employees. Create different scorecards for different roles, C-Suite, Finance, Developers, R&D, Service etc. #AskKB4 #scorecards https://t.co/WsFOO7pPFT

— James (@James_McQuiggan) July 29, 2020

Lastly, we moved onto password security.

We continuously read about poor password practises, whether its password reuse or sharing it with another person. So, has the password become obsolete or is there a future for this common layer of security?

A10: Every organisation needs to provide their employees with a password management application, just like applications for spreadsheets, email and databases. Add it to their corporate policies and require the use of it. People can learn it, like email and browsers. #AskKB4 https://t.co/WsFOO7pPFT

— James (@James_McQuiggan) July 29, 2020

If you agree or disagree or wish to continue the discussion, feel free to reach out to the Guru or any of the KnowBe4 evangelists on twitter with your thoughts.

The post Tweet Chat Roundup with KnowBe4 appeared first on IT Security Guru.

Too much technology?

We began with a question that focussed on technology and the pivotal role it is playing within cyber today. It could be said that organisations have become too dependent on this component of security. But why? Well, the community certainly feel that technology offers an element of convenience that perhaps humans can’t provide.

A1. Yes, and mostly because people and process are hard, or seen to be. Harder than obtaining budget for and buying a shiny box of magic. The best fuse people, process and technology into an interconnected construct, because that is what it is throughout the business. #ITSecGuru https://t.co/T72OK5wr8K

— Ed Tucker (@Teddybreath) June 9, 2020

Well, this started off by going right for the jugular.

I do agree there is a large dependency on tech. Too often we look to solve people problems with tech. When a conversation would usually suffice. cc @LisaForteUK @drjessicabarker @infosecmo @Teddybreath https://t.co/anHQIgxVhb

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A1: Tech is inherent in security; so are people & processes. Latter two get overlooked because it can feel easier to focus on tech. Focus is often on superficial causes of breaches (eg the latest vuln) rather than root causes (eg insecure dev or poor system design). #ITSecGuru https://t.co/0FypiiHtiS

— Jess (@drjessicabarker) June 9, 2020

You are the weakest link, goodbye

Humans also have the added stigma of being referred to as the ‘weakest link’ within security, and so this reliance on technology may seem justified. Yet, by disregarding or not addressing this mindset, organisations are essentially missing the chance to solve a critical problem within the overall security of their organisation, especially as the human factor is essential for any business. Building education and awareness from within is key.

A2: It is an easy buck to pass and root cause analysis is hard for most organisations. Staff shouldn’t have to have the burden of being told “to be secure”. Carrying on with that rhetoric only builds distrust with staff. #ITSecGuru https://t.co/nbGeaUsXz0

— Mo Amin (@infosecmo) June 9, 2020

A lot of this has emerged from a position of arrogance. Security pros feeling like they’re better than everyone else and not looking inwards at where their own shortcomings may be. #ITSecGuru https://t.co/WdKhxlxQCj

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A2: Back in the helpdesk days, there was always the joke of ID10T errors-end users were criticized because they just didn’t know. We fail as cybersecurity professionals if we don’t educate everyone. Understand the basic cyber hygiene measures. #ITSecGuru

— James (@James_McQuiggan) June 9, 2020

What resources should be prioritised?

We then asked whether businesses are investing their resources in the wrong places to tackle security and if compliance was driving this? With global data security and privacy regulations severely punishing those found non-compliant, there is a strong possibility that many business decision-makers wrongfully believe that being compliant automatically means the business is secured.

Compliance can be box ticking. In some industries it is necessary but it doesn’t mean it is sufficient. Focus on the assets that need protection and have a plan for what happens it it all goes wrong and you are breached #itsecguru https://t.co/MADA2N2SGE

— Lisa Forte (@LisaForteUK) June 9, 2020

One error I see often is investing in tech first without understanding the threat landscape and business risk appetite (and priorities) first. Understand what the real issues are and what’s important, then invest resources that add the most value. #ITSecGuru https://t.co/wwk1ebvqd1

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A3: Lack of effective governance and risk management of both their investments and resources. Organizations need to strike a balance between conformance and performance.

— Jaded InfoSec Pro (@edwardmccabe) June 9, 2020

Businesses don’t appreciate the costs or complexity of security nor the risks. Security specialists don’t do a good job of communicating and reconciling this with senior management.

— Tim Morgan (@tjcmorgan) June 9, 2020

What is more detrimental – poor knowledge or poor security?

Next, it was time to find out what the security community viewed more dangerous for a business: a cyber unaware workforce or a security system that has been misconfigured. Well it depends…

A4: This is chicken and egg: a cyber unaware workforce is more likely to have misconfigured systems and not know about it! #ITSecGuru https://t.co/L3TKNMCSSB

— Jess (@drjessicabarker) June 9, 2020

I think both clearly pose risks but users that are unaware of the sensitivity of data, the threats posed by attackers and the common tactics employed leave you (and them personally) fat more vulnerable #itsecguru https://t.co/St5lKl92rv

— Lisa Forte (@LisaForteUK) June 9, 2020

A4 It depends on your environment and what the classification of the data is that’s held on the system. But generally your staff should have an overall understanding of the risks that your business faces and how they can help to keep it secure. #ITSecGuru https://t.co/vGlRXyYH9h

— Mo Amin (@infosecmo) June 9, 2020

A4. Ah…….it depends (FINALLY!)

They each represent parameters of risk. Weaknesses or vulnerabilities which might, or might not be exploited, or controls that might, or might not be effective. Neither is greater than the other without context. #ITSecGuru https://t.co/igJQkXZBF3

— Ed Tucker (@Teddybreath) June 9, 2020

CISO/Security Leaders take note

Where do CISO’s and security leaders go wrong when trying to obtain sufficient backing from the boardroom to enable them to build a security programme? it is clear they have an up-hill battle convincing management on how to invest when it comes to security.

A5: Use the right language, avoid technical jargon and focus on issues from the angle which resonates with your ‘audience’. Familiarise yourself with annual reports for your org, understand the business priorties and consider the wider organisational culture. #ITSecGuru https://t.co/HWKzGwQsUv

— Jess (@drjessicabarker) June 9, 2020

Q5. What are the common mistakes CISOs make when trying to obtain sufficient backing from the boardroom when trying to build a security programme? #ITSecGuru

— IT Security Guru (@IT_SecGuru) June 9, 2020

Invest is needed, but make it the right investment

But what happens if investments are made? We still continue to see data breaches and successful cyberattacks plague organisations of all sizes. So, why shouldn’t we lose hope? Where should CISOs and security leaders focus their efforts?

Step back and examine where your actual risk is. This will help invest time and money more wisely. I really like the approach @rogeragrimes takes to this in his book ” Data-Driven Computer Security Defense”

Many CISOs need to prioritize better and this will help #ITSecGuru https://t.co/qejuhcDlIg

— Madsqu1rrel (@ErichKron) June 9, 2020

This fight isn’t over!!! We need to invest in making the attackers work as hard for their money as we do for ours! We need a plan for if we are attacked and we need to test that plan. Where are the “life ruining” assets- focus on them. #itsecguru https://t.co/r4pTEP68U8

— Lisa Forte (@LisaForteUK) June 9, 2020

Focus on the basics. Incidents will happen. Be prepared.

— Tim Morgan (@tjcmorgan) June 9, 2020

A6. Breaches have always happened, but one of our biggest issues is that we continue to operate in theory, and often scaremongering theory at that. Evidence, facts, demonstrable impact (good and bad). #ITSecGuru https://t.co/Q6iljaal6p

— Ed Tucker (@Teddybreath) June 9, 2020

Building a security culture

For security professionals looking to establish a strong security culture or at least have a platform to build from, here is some advice from our panellists:

A7: I’ve run and helped run culture studies in the past e.g. survey+focus group. Though this only provides a one time baseline i.e. you’ll need to run annual ones. We need to move to a data led quantitative approach… https://t.co/iWakFQB5MG

— Mo Amin (@infosecmo) June 9, 2020

A7. Involve security as little as possible. Engage the people executing business processes. Promote and foster relationships, collaboration, understanding, empathy, talking, but more importantly listening. Let the business lead you. It is their culture not yours! #ITSecGuru https://t.co/6ZBtdXPZ1I

— Ed Tucker (@Teddybreath) June 9, 2020

Culture / behavioural change takes time. So don’t expect things to rapidly change. Measure the behaviours that mean the most to you – train – re-measure to see how that has changed. Tweak and retrain. Think of it like a marketing campaign not a security one. #ITsecGuru https://t.co/fgI8e6ONKw

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

A7: Listen to your colleagues in the rest of the business, understand your wider company culture (don’t try to just bolt security culture on!) and recognise that within one organisation there will be many different sub-cultures. #ITSecGuru https://t.co/zopJq2M9gU

— Jess (@drjessicabarker) June 9, 2020

Identify high risk staff (people with access to the good stuff) Give them more in depth or face to face trainings. Get decent awareness training for all. Use phishing tests but look at developing skills not catching people out. Get staff to see the personal impact of cyber crime https://t.co/VC3MvTRMQe

— Lisa Forte (@LisaForteUK) June 9, 2020

To close the chat…

The previous questions generated a great discussion and provided insight around the difficulties, problems and issues security professionals are faced with when trying to tackle cybersecurity. But the last question nails home the significance and importance of having the human element in security.

Yes! Because humans always interact with technology. We all run on the same hardware. We are all subject to similar vulnerabilities and biases so in many ways with the right awareness and culture it is one of the easiest elements of security to fix. We know the weaknesses https://t.co/S4hleD59Ji

— Lisa Forte (@LisaForteUK) June 9, 2020

A8. Yes. There’s humans everywhere throughout the business and security itself. PEOPLE, process and technology. If you ignore the human factor, the whole human factor, you’ll fail miserably. Well, more miserably. #ITSecGuru https://t.co/26wh2PwLU7

— Ed Tucker (@Teddybreath) June 9, 2020

A8: In my up-coming book I cover the technology lifecycle and the fact that people are involved in every stage: design, creation, testing, use, abuse and destruction. So, yes, effective security always involves people! #ITSecGuru #ShamelessSelfPromotion inspired by @J4vv4D

— Jess (@drjessicabarker) June 9, 2020

A8: Fundamentally, we are trying to influence org culture. So in short, yes. Whilst we need to appreciate people, process and technology. We need to delve deeper into the people side of things… https://t.co/jz41P7hPL5

— Mo Amin (@infosecmo) June 9, 2020

Yes, because much like self-driving cars, as much as we’ve advanced technology, I wouldn’t trust it completely without the human factor. Plus involving people can bring about the Ikea effect… https://t.co/D4cfZNkpCp pic.twitter.com/GwvjB6N08c

— Javvad Malik v2.0 (@J4vv4D) June 9, 2020

And if you needed any more clarification as to why we shouldn’t solely depend on technology, I shall revert you to this reply…

As long as you have humans in your organization, absolutely.

Even Skynet had to deal with the human factor, just a bit differently #ITSecGuru pic.twitter.com/W3uqiIJWIU

— Madsqu1rrel (@ErichKron) June 9, 2020

If you were unable to make the Tweet Chat, no worries, simply follow the IT Security Guru or search the hashtag #ITSecGuru to see the Q&A.

The post Tweet Chat: The Human factor in Security appeared first on IT Security Guru.

What is cryptography?

Cryptography, the dark art of information security. The deus-ex-machina, the silver bullet, the be all and end all of all security measures. Widely misunderstood, often poorly implemented.

My first introduction to cryptography was when I was told of this man called Phillip Zimmerman who’d created a piece of software called Pretty Good Privacy or PGP. A bit of sorcery that could protect emails so well, that even the prying eyes of Big Brother could not get at it easily. It was so profound, that the U.S. Government initiated an investigation against Zimmerman. This was on the premise that strong cryptography was classed as munitions so it was in the same classification as real life weapons.

How amazing could that be? This software called cryptography, according to the U.S. Government could be as potent as an AK47? I had to find out more.

Cryptography is a relatively simple concept to understand. It’s the ‘how’ that can get slightly complex.

In essence, it’s taking some information and scrambling it up so no-one else knows what it is. Then having a way to unscramble it back to the original information again.

And really that’s all there is to it. Just like how when you were a child you were told that’s all there is to a Rubik cube and wasted many frustrated hours failing to get it right before resorting to peeling off the stickers and sticking them on wherever you felt.

Everything else surrounding cryptography is about finding ways to make sure the scrambling of information is done in a quick and efficient manner that nobody else in the entire universe can unscramble unless they possess the McGuffin.

Think of it like a Witch who can cast a spell on a Prince and turn him into a frog. If she waves her wand and says “hocus pocus” the Prince turns into the frog and becomes completely unrecognisable. No-one would ever know that the frog was actually a Prince unless they had the Witches wand and waved it over the frog saying, “hocus pocus”.

Symmetric key cryptography

Symmetric key is something that is conceptually familiar as it is a simple flow. One key is used to transform the information from plaintext to ciphertext. Ciphertext is just the fancy way of saying that the plain or clear text has been converted into a format that makes no sense or doesn’t resemble the original text.

The same key is then used to reverse the process and convert the ciphertext into plaintext.

If we revisit the example of the Witch turning the Prince into the frog, the Prince is plaintext and the frog is ciphertext. The key that the Witch uses to convert the Prince into the frog and from a frog back into the Prince is the same, i.e. wave a wand and say ‘hocus pocus’.

Because the process is the same for both sides, one could say it’s symmetric. Hence the highly original definition of symmetric key cryptography.

Asymmetric (public) key cryptography

Asymmetric or public key cryptography isn’t as difficult in concept to understand as most books make it out to be.

In asymmetric key cryptography, you use a key (like in symmetric key) to encrypt some plaintext into ciphertext.

Again, very much like symmetric encryption, you use a key to decrypt the cipher text back into plaintext.

The importance difference is that one key encrypts the data and a different key decrypts the data.

This sometimes confuses people and I think this is because we’re so used to physical keys it’s difficult to rationalise how one key can only lock a door and not unlock it and vice versa. So, I’ll use a different analogy.

Remember I mentioned the Witch who waves her wand and says hocus pocus for the Prince to turn into a frog.

Now imagine, she didn’t have the ability to turn the frog back into the Prince. The wand only casts spells but can’t break the spells.

No, in order to break the spell, a certain Princess (only one of them) has to kiss the frog and it turns back into a Prince.

One key (the wand) was used to turn the Prince into the frog and another key (the kiss) was used to turn the frog back into the Prince.

This is how a key pair work in asymmetric encryption. One key encrypts and one key decrypts. Both the keys have a weird relationship to each other. It’s like they’re unidentical twins. They share the same parents but are totally different, yet connected to one another. That’s about as far as the mathematics of the key pair go. By all means, if you have an interest in understanding the mathematical way the key pairs are created, there are plenty of books that will explain it in great detail till your brain melts.

Now expanding on this example let’s say the princess is the one who created the magic wand and she went and put it in the market square. Anyone who wanted to send her a Prince could take the wand, say hocus pocus at a Prince and it would turn the frog, get delivered to the Princess and she could kiss the frog and turn it back into the Prince.

Bear with me… this is important.

Firstly, why would a Prince need to be changed to a frog to get to the Princess? Let’s assume that the guards didn’t let anyone into the palace, so a frog could easily get inside.

Secondly, because the wand was created by the Princess, only HER kiss would be able to change the frog back into the Prince so no other Princess would be able to claim the Prince as her own.

We’ve established that there are two keys. One is the Wand which is placed in the market place (public key) where anyone can pick it up and use it to turn a Prince (plaintext) into the frog (ciphertext).

This frog (ciphertext) can then waltz into the palace and to the Princess undetected by the guards (unreadable by anyone else). If anyone does try to kiss the frog, it will remain a frog.

Only the Princess, using her own kiss (private key) can turn the frog (cipher text) back into a prince (plaintext).

At a simple level then we have described how asymmetric key encryption works. You have a key pair, one part is public and one part is private. if someone wants to send a secret message, they will use the recipients public key to encrypt the data and send it to them. That way they are assured that only the true recipient will be able to decrypt the data because only they have the private key needed to do so.

So if someone encrypts data using the public key, they can be sure that only the owner of the private key can decrypt it.

On the reverse side, if someone encrypts data with their private key and sends it out, then anyone can decrypt it using the senders public key. However, what it does guarantee is that the message indeed originated from the person owning that private key.

Hash functions

An important function within many aspects of cryptography is the hash function. The has function is one-way process. Data is passed through it and it produces a much smaller output called a hash value, or hash sum, or checksums.

Think of the hash value as your fingerprint. If your fingerprints are on a glass, then it leaves little doubt that you were holding that particular glass. Your fingerprint is unique to you and only you. If someone only had your fingerprint, they would not be able to draw any other conclusions, e.g. they can’t tell if you’re male or female, your age or hair colour etc. It only works one way.

In other words, your finger can produce the unique fingerprint. But the fingerprint can’t produce your finger.

Now that you’re an expert in understanding what hash functions are, we can look at what role they play in cryptography.

Continuing with the fingerprint analogy, let’s say a criminal is transferred from one prison to another. Before the prisoner is transferred, his fingerprints are taken and those are sent to the receiving prison. When the prisoner reaches the destination, the receiving prison can take his fingerprint and match it to those which were sent to them separately by the sending prison. If they match, then they can be sure that this is the right prisoner and there hasn’t been an elaborate switch conducted en-route.

However, if the fingerprints don’t match then, there is a bit of a problem.

This is one of the primary functions of a hash, it’s quick to reproduce a hash and compare its value to ensure the integrity of the item it is validating. Which is why when you go to a website and download a package, they sometimes have the hash displayed. The purpose of that is so that when you download the file you can check the hash of the downloaded file and compare it against what it should be. If the values match you’re ok, otherwise it could be you’ve downloaded an altered file which could contain some malware.

For the smart ones out there, you’ve probably noticed one flaw with using hashes to validate the integrity of a sent file. If I were a bad guy and could intercept the file and change or replace it before it got to you. Then I could just as easily change or replace the hash so that everything looked ok.

Which is why before the hash is sent, it is encrypted with the private key of the sender. That way the receiver can decrypt it using the sender’s public key and be assured that it was indeed sent by the right person. A hash encrypted with a private key is usually referred to as a digital signature.

So to break it down we have 3 core components,

• A public key
• A private key
• A digital signature

If you send an email to me using my public key, then that protects the confidentiality of the message because only I will be able to open it.

If you send an email to me using your private key, then I can be sure it came from you and only you. But anyone who can access your public key (everyone) will be able to read it.

A digital signature provides assurance that the message has not been altered in any way from the time it left you till I received it, i.e. it assures integrity

The post Can you explain encryption to me? appeared first on IT Security Guru.

Getting the working culture right for any business can be difficult but KnowBe4 seems to have found a winning formula to achieve this. We caught up with Erika Lance, SVP of People Operations at KnowBe4, who is seen as the brains behind much of this success, to hear how she was able to get such great results.

When a CEO wants to implement a good working culture for the company, what does that mean?

EL: It means that he (Stu Sjouwerman, CEO at KnowBe4) wants to set a tone for how you approach policies, procedures and the environment in relation to employees. Although an HR team can do initiatives, if it doesn’t start from the very top and then get communicated all the way down through every area of the organisation, it will fail. You also have to ensure it is scalable.

What does culture mean to you?

EL: It means the overall tone you set for the employees. How open and honest they can be, and how honest and open you will be with them. You want to create a management style where every employee loves to come to work for the challenge and creative environment they are going to be in. They have to know what is expected of them and they have to have a clear path to achieve this. Never leave an employee wondering where he or she stands.

What is wrong with current HR models used by organisations today?

EL: They are assuming that the employee feels 100% lucky they got the job. Gone are the days where an employee signs up to be there 25 years and get a gold watch. Today’s employees want to be able to move up. If that is not available at their current employer, they will find a place they can accomplish their goals. Also, most employers do not realise it is not about how much someone is paid. If they have an amazing work environment, they will be there no matter what they are paid. Employees work for their managers. Have the correct management strategy and you will go far.

In summary, the combination of good pay, amazing managers, good benefits and an amazingly challenging work environment is how to be successful with employees.

KnowBe4 recently won Best Workplace for Women by Fortune. Why do you think that is and what do you do differently from other companies?

EL: First, we have a workforce comprised of 50% women and have maintained this naturally through our hyper-growth. One of the largest differences is all employees are judged on purely their skills and abilities. We have opportunities for every person to move up within our organisation and in fact, we make sure that we have training, tuition reimbursement and certifications available so any person can move up. We also partner with many organisations that are helping women find careers and be successful in cybersecurity.

How difficult was it to get the board onboard with this ethos? 

EL: Not difficult at all. In our case, the results speak for themselves in our numbers. That is truly the end result of happy employees.

I will say that is not always the case for most. We are lucky. But I think that we need to have more boards look up from the numbers and remember there are people behind them.

How do you go about implementing this strategy? Is it a quick process with immediate results or does it require patience?

EL: First, you have to ask what employees want. Well done surveys that are executed fast, and turning out the results quickly lets employees know you are listening. I’ve heard stories where people have been in jobs to fill out an employee satisfaction survey and six months down the line, nothing has been actioned and the same concerns are still plaguing the business. It’s a long time to be dissatisfied with an element of their jobs, so quick action is imperative.

We have a Developer of Fun and Shenanigans and an Artisan of Culture and Geekery (yes these are real job titles) that ensure our culture goals and plans are carried out. You have to dedicate time and money to invest on keeping your employees feeling like there is no other place in the world that they want to work.

How do you measure or know you have happy employees?

EL: You can walk into any place of business and in minutes you can see how happy the employees are. How proud they are to work there. It is an energy that is infectious, and you cannot help but want to be there alongside them.

What advice can you give to other budding HR employees looking to improve working culture?

EL: Remember that each and every employee is your customer. You want them to be happy, impressed and telling everyone they know about you.

Sometimes the simple act of walking around and speaking with your employees, finding about their goals and giving high-fives for being part of the team can make a huge impact. It is easy for an employee to find themselves feeing invisible, make them feel like a Rockstar instead.

The post Why is working culture so important for the benefit of the business? appeared first on IT Security Guru.

Advanced Persistent Threats are long term patterns of network exploitation that go undetected for extended periods of time and are usually aimed at high profile targets such as governments, higher education institutions, political activists, and companies. They are often motivated by economic, political, and financial reasons, and the attacks tend to be highly targeted, resourceful, and risk tolerant.  

The typical APT involves several phases:  

• Infiltration/Initial compromise: 

This is when a malicious actor gains access to the network. The most common way in which criminal groups gains a foothold is through spearphishing or other forms of highly targeted, socially engineered attacks. These are preceded by a reconnaissance phase, when attackers collect information about the organisation they intend to breach, such as network hierarchy, operating systems and other relevant information that will allow them to remain undetected. 

• Lateral Movement  in the network: 

In this phase, hackers consolidate their presence on the network and open a communication channel between the compromised system and the command and control server. This usually requires stealing credentials, where threat actors use Man-in-the-Middle techniques or keyloggers to obtain access to specific areas of the network.  

With the stolen credentials, attackers can further expand to control desktops, or even obtain domain credentials to log in systems, servers and switches.  

• Exfiltration of relevant information:  

At this stage, attackers have likely gained access to the type of data they’re trying to steal (credit cards, PII, etc) and they can start moving that data out of the network with the goal of not being detected. 

• Covering their tracks: 

It’s in the actor’s best interest not to be spotted so that they can maintain their presence on the network for future initiatives. For this reason, after exfiltrating data, attackers usually cover any track of their activity, meaning that victims can be unaware of a threat on their network even for years.   

Why APTs are a legitimate concern for organisations of any size 

Small and medium enterprises should not make the mistake of falling into a false sense of security. While it’s true that APTs tend to aim at high-profile targets such as governmental organisations or large enterprises, these often have the highest cybersecurity measures in place, precisely because they are aware of being potential targets.  

To avoid the trouble of having to circumvent such strict security defence systems, threat actors oftentimes break into the network of smaller, less protected companies. They may also attack a third-party supplier of their actual target. Since they aren’t viewed as high-risk for APT attacks, these small companies and contractors often have limited security resources and allocated IT security staff. 

Once they’ve gained a foothold from within the smaller organisation, they can conduct attacks from that organisation against their final target.  

But gaining access to a larger enterprise is not the only reason why a motivated threat actor could want to infiltrate the network of SMBs. Smaller businesses should not underestimate the value of their digital assets: even seemingly trivial information can be sold on the dark market for a profit, and exploited in further criminal endeavours.  

For this reason, while your organization or company may not be involved in higher-risk industries associated with APTs (such as financial, government or tech institutions), you should still absolutely worry about this model for sophisticated attacks. It’s easy to dismiss APT protection as a useless investment because of the small likelihood of being attacked by one, but they are as real as more obvious and noticeable attacks, such as ransomware or DDoS.  

Furthermore, often times sophisticated threat actors use open-source attacks, tools or techniques to compromise assets. These open source attacks or techniques get recycled and used by other threat actors, even non-sophisticated ones, so having APT protection in place can be a sensible investment to protect from other, lower level attacks.  

How can organisations protect themselves? 

While the likelihood may be lower, you should still craft a threat model based on your organization’s assets. A great place to start is by looking at what assets your organization have that is Internet-facing as well as how large your networks are. The first principle of protecting the network is always visibility: you can’t protect yourself against something you didn’t know existed. All the potential entry points to your organisation’s infrastructure should be mapped and monitored continuously. 

Stay vigilant of attackers infiltrating your network, malicious actors use attack vectors such as phishing, Business Email Compromise (BEC), and spearphishing to gain access to an organisation’s network. To prevent these types of campaigns, which rely on email, investing in a solid email filtering is a good place to start.  

More importantly, you should make sure that your employees are cybersecurity savvy by running training courses and – better—simulation drills. While this might not be useful against particularly well-designed emails, users who are aware of cybersecurity best practices will be less likely to click on suspicious links or download attachments from unrecognised senders.  

Finally, design your identity access management policies and procedures to follow the principle of least privilege, so that you not only know who has access to what and when, but that you can monitor all activities in the most critical areas of the network – ideally through session recording or behavioural monitoring.  

Building defenses against sophisticated threat actors will not only help mitigate damages (publicity impact, loss of customer trust, lawsuits) against the incident if it happens, but will also be complementary to your entire security program. If you can block APTs, you can block lower risk malware too. 

The post Anatomy of an Advanced Persistent Threat appeared first on IT Security Guru.

KnowBe4’s analysis shows that of social media phishing tests those with “LinkedIn” in the subject line totaled more than 56 percent, more than all other social media phishing tests combined. This isn’t surprising as social media phishing attacks are growing at a remarkable rate of 75 percent in 2019. When combined with Shadow IT concerns that prevent IT and security departments from managing and monitoring services and apps users bring into the corporate environment – such as social networks on their mobile phones – it becomes more important than ever that users are educated about how to avoid a phishing or social engineering attack.

“It feels good to ‘join my network’ or connect with someone in some way – that’s why social media phishing attacks are so successful,” said Stu Sjouwerman, CEO of KnowBe4. “Users innately trust their ‘verified’ contacts so are more apt to click on a link that come from someone they know. It’s becoming harder to identify phishing attacks, but our users are smarter than the bad guys think and can absolutely be trained to identify and avoid phishing and social engineering attacks.”

The top clicked social media phishing tests that KnowBe4 identified are:
• LinkedIn: 56%
• Login alert for Chrome on Motorola Moto X: 9%
• 55th Anniversay and Pizza Party: 8%
• Your Friend Tagged a Photo of You: 8%
• Facebook Password Reset Verification: 8%
• Your password was successfully reset: 6%
• New Voice Message At 1:23 AM: 5%
*Capitalisation and spelling are as they were in the phishing test subject line.

In addition to examining phishing subject lines related to social media, KnowBe4 found that phishing tests that focused on password management were successful, with 35 percent of users clicking. Additionally, in-the-wild attacks – those that were actual phishing emails and not KnowBe4 testing emails – found greatest success when they asked for action from the recipient, such as being invited to share an Outlook calendar or being assigned a task in a Microsoft platform.

KnowBe4 understands that users are an organisation’s last line of defense and are most successful when they are consistenly trained and tested on the latest phishing threats. To further support their mission to help organisations improve their security, KnowBe4 introduced its Social Media Phishing Test in Summer 2019. The free test was created to help IT and security professionals at organisations of all sizes better identify users who are likely to fall for a phishing email that looks like it originated from a credible social media site such as Facebook, LinkedIn or Twitter.

About KnowBe4
KnowBe4, the provider of the world’s largest integrated security awareness training and simulated phishing platform, is used by more than 26,000 organisations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organisations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training. Kevin Mitnick, internationally recognised computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s training based on his well-documented social engineering tactics. Tens of thousands of organisations worldwide trust KnowBe4 to mobilize their employees as their last line of defense.

Number 96 on the 2018 Inc. 500 list, #34 on 2018 Deloitte’s Technology Fast 500 and #2 in Cybersecurity Ventures Cybersecurity 500. KnowBe4 is headquartered in Tampa Bay, Florida with European offices in England, the Netherlands, Germany and offices in South Africa and Singapore.

The post LinkedIn Accounts For More Than Half Of Social Media Phishing Emails In Q2 2019 appeared first on IT Security Guru.

The certification validates Securonix’s adherence to state and federal security, privacy, and regulatory standards for healthcare data. The Securonix SaaS platform operates on AWS, the most secure cloud infrastructure in the industry. Securonix’s compliance with HIPAA, HITRUST, and SOC2 frameworks ensures that client data is protected by the most comprehensive and up-to-date security controls.

Securonix Next-Gen SIEM is the only SIEM solution that provides a packaged solution with built-in connectors and use cases specifically designed for monitoring threats to healthcare organizations. The solution comes with built-in connectors for all major healthcare applications such as EPIC, Cerner, and many others. The solution incorporates behavioural analytics and employee and patient context to detect and respond to the most advanced insider and cyber threats.

Securonix was also recognized as a leader in the 2018 Gartner Magic Quadrant for Security Information and Event Management.

“Healthcare organisations are under pressure to comply with regulations which require the utmost care in handling patient data. Achieving this pivotal benchmark is a validation of our ongoing commitment to meet the data privacy need of our customers,” said Nitin Agale, SVP of strategy and marketing at Securonix. “With a secure cloud environment and the most advanced analytics capabilities, customers can leverage the benefits of rapid deployment, no operational overhead, and advanced threat detection, while having an assurance that their data is safely and securely protected.”

HITRUST CSF certification is a security framework companies use to manage compliance. It integrates, harmonises, and cross-references globally recognised standards and business requirements including HIPAA, PCI, NIST, ISO, and state laws for comprehensive security controls. HITRUST provides both prescriptive requirements and a flexible framework that evolves alongside changing industry conditions.

HITRUST CSF is the industry-wide standard required by health care providers and insurance plans. This achievement puts Securonix at the forefront of compliance for a SIEM solution that is cloud based, healthcare ready, and available as a service.

To learn more about the Securonix packaged security monitoring solution for healthcare, visit https://www.securonix.com/solutions/securonix-for-healthcare/

About Securonix

Securonix is redefining SIEM using the power of big data and machine learning. Built on an open Hadoop platform, Securonix Next-Gen SIEM provides unlimited scalability and log management, behaviour analytics-based advanced threat detection, and automated incident response on a single platform. Globally, customers use Securonix to address their insider threat, cyber threat, cloud security, and application security monitoring requirements.

The post Securonix Achieves SOC2® + HITRUST CSF® Certification. appeared first on IT Security Guru.