
New Genesis Solutions
Newsletter - December 2020
2020: Learning and Moving Forward
The past year has been a journey no one could have foreseen. It has been a humbling and eye-opening experience for humankind regardless of nation, status, or position that has left us with many lessons to learn and move forward from. We have had to adapt and overcome as both a global society and individuals on every front whether it be personal or professional. Each challenge encountered has required a unique solution with many of them revolving around improving how we handle unexpected difficulties while being quick on our feet and flexible in our response.
As we take a moment to look back on some of the things we have learned and how we plan to move into 2021, we also want to reflect on the season we are in, the meaningfulness of those around us, and how truly thankful we all are for each other. Please reach out to us with your own thoughts and reflections as we enter the new year.
__________________________________________
Lessons Learned
In looking back on the previous year, there indeed is a lot to learn from. Societal and business norms have undergone a paradigm shift. We have had to quickly adapt to this and re-think the way we view things and do business across the board.
Real Life vs Reality
- With the slowdown of business, many had hoped that cyber-criminal activities would slow as well. The reality of the situation has been exactly the opposite. Cyber-criminal activity and threats have accelerated at an unprecedented pace that has required significant effort to keep abreast of.
Home vs Office
- The increased demand for remote work this year has shown us that it is a viable model, although not without its complications. It has also reminded us of the humanity of our people. We have all seen more into each other's lives this year than we normally would have, whether through comical meeting interruptions or technical difficulties. It has forced an acceptance of the real-life challenges each individual faces daily and reminds us that we are all in this together and must adapt as one.
Patience vs Persistence
- In previous times the norm was aggressive deadlines, pushing objectives, and continuous forward progression as rapidly as possible. This year has served to re-instill our sense of patience and the necessity to understand that not everything is going to go as planned.
Essential vs Not
- Automation and technology are ways in which a business can build additional value. However, people are the foundation of society and of any organization. This year has been a great reminder for us personally and professionally to put people first. Whether or not someone is classified as “essential”, the goal is to protect and empower our people in every aspect.
___________________________________________
Moving Forward
This time of year offers a lot of reflection on the accomplishments and challenges we faced. Admittedly, it's often easy to throw ourselves into work (I personally struggle with this). And while we never intend it, we do not spend as much quality time outside of work. Here are some of the improvement areas that we have discussed within NGS or helped other organizations with, starting, of course, with a focus on “people”.
Personally
Thinking Locally
Investing time in family, friends, colleagues, and local communities is more constructive than focusing on what is being communicated in the media that we have little or no control over. Taking a vacation is the traditional way that we spend quality time with our friends and family. But this year has forced us to re-think how we can still spend quality time without putting ourselves into a more at-risk situation. Here are some things we did in 2020:
- More phone calls and text messages.
- Playing video games together.
Keeping up Communications
This year has broken our normal communication and meeting methods. It is important for us to be checking in on each other.
- Santa has a list of people, and he checks it twice. We spend time every month going through our phones/contact lists to check in with people we have not connected with.
Professionally
Building a Roadmap
Building roadmaps and 3-year plans for organizations is one of the core things we help organizations with. Here are some of the things we consider to ensure we always create an achievable plan.
- Understand the constraints and the velocity of an organization to perform changes. While a change might seem like a “quick win”, the communication takes time to make sure other business operations are not impacted.
- Make sure the plan considers policies, people, and technology as part of the solution. For example:
  - “How can we make sure the service desk does not have a huge influx of calls as we implement an MFA solution?”
  - “How do we establish an effective role-based access control strategy for file sharing to support both internal employees and external partners?”
Standardizing Delivery
NGS has committed to being a 100% work from home team, but that means we need to establish stronger documentation and process standards to make sure we are consistent.
- Leveraging checklists that are built into our processes to make sure we are completing critical tasks.
Contingency Planning
- Incident Response – laptops still get stolen and misplaced. Now that many employees are working remotely, this risk has increased.
  - Make sure you have hard-drive encryption and a defined set of steps to engage with your legal team and law enforcement representatives if your device is stolen or misplaced.
- Phishing – The dramatic increase in phishing is causing us to add technology controls on top of security awareness messages to help combat the continual rise in phishing attacks.
__________________________________________
The More Things Change, The More (Some) Things Remain the Same
Our Values
New Genesis Solutions has a relationship-first approach to employees, customers, and partners. Our organization has been built on a core value of being "relationship-driven". This means we are collaborative, authentic, and looking for value-based relationships, not transactional relationships. In 2021 and beyond, New Genesis Solutions will continue to build the company based on that core value. Reach out to us with questions about our company or to discuss how we can potentially collaborate in the future.
Investing in People - Mentally, Physically, Emotionally
As advisors to many different types and sizes of companies across different industries, we get exposed to a wide variety of corporate cultures, leadership styles, and team dynamics. One of the largest trends we have seen during the pandemic (and that we expect to continue in future years) is a renewed commitment by organizations to invest in the health, wellness, and development of their employees and leadership. Studies show that organizations investing in employees and leadership teams are better prepared to navigate the uncertain waters of the pandemic and will perform better in the face of a global recession.
The need for cybersecurity
Cybersecurity risk is increasing, driven by global connectivity and usage of services to store sensitive data and personal information. The widespread poor configuration of these services paired with increasingly sophisticated cyber criminals means the risk that a person or organization suffers from a successful cyber-attack or data breach is on the rise. Gone are the days of simple firewalls and antivirus software being your sole security measures. New Genesis Solutions remains committed to being a partner, not just a vendor, in combatting today's ever-evolving threat landscape.
__________________________________________
Industry Research, Reports, Resources
- ESET Cybersecurity Trends 2021: Staying Secure in Uncertain Times.
- 2021 IT & Security Planning and Budgeting Considerations Panel
Please email us with questions or comments about the topics or trends above. We want to hear from you! Andy@NewGenesis.Solutions
__________________________________________
Newsletter - November 2020
2020 Wrap Up, Observations & 2021 Considerations
We started 2020 with optimism as the market was up, and leading indicators across multiple industries and segments were strong. As the pandemic swept the globe and the market weakened, many organizations found themselves struggling to support remote workers, engage and retain customers and pivot their internal IT and operational methods to support the "new reality". The Presidential election was filled with turmoil and continued to illustrate the ongoing social divide within the country.
As we wrap up 2020 and begin to look towards 2021, many risks and unknowns remain that we need to consider and prepare for. At the end of October New Genesis Solutions hosted a Virtual CISO/CIO Panel and Roundtable that discussed 2021 IT and Security Planning Considerations.
We have included a link to that Virtual Panel and Roundtable here and within the newsletter below.
Also included within this newsletter are 2020 cybersecurity and risk observations that were fueled by current trends, threats, and attacks, as well as historical events we have witnessed.
We appreciate you investing time to read through our latest newsletter and we hope you find the articles and resources interesting. Please reach out to us with any questions or comments. We look forward to hearing from you.
__________________________________________
Newsletter Table of Contents
- Security and Risk Considerations - Virtual Panel Highlights
- Tales From The Trenches - Common Issues Within Customer Engagements
- Industry Articles and Research
- Additional Research Reports, Tools
__________________________________________
Security and Risk Considerations
Below is a list of resources that include recent Virtual Panels, predictions for 2021, and trends we have been following over the last few months. We hope you find many of these topics interesting and newsworthy.
2021 Security & IT Planning Virtual Panel Highlights
In October we pulled together a group of industry executives and security experts to discuss how organizations are approaching Security and IT planning and budgeting for 2021. Listen to these experts discuss how organizations are working to stay ahead of the pandemic, emerging attacks, risks, and the global recession.
View the Entire Virtual Panel and Roundtable Recording Here
Questions and Commentary from the Virtual Panel
The pandemic has impacted organizations globally. How are leaders continuing to defend and protect their organizations while they deal with the pandemic? The biggest issue is that it feels like we are coming out of 9 months of high stress; we are all worn and tired. It has been a struggle to maintain our strategic view of the future.
1. Leaders had to quickly transform the business to support remote work. This includes the initial quarantine, requiring EVERYONE to work remotely, and then to implement safeguards that enabled employees to return to work in a safe manner (greater physical security).
2. Supply chain issues are not just related to toilet paper. We continue to see higher prices for products, and some products are back-ordered or simply cannot be ordered.
3. Organizations experienced massive increases in phishing attacks and other social engineering attacks.
4. Hiring and maintaining talent became harder with many professionals changing jobs which impacted stability and a loss of internal knowledge of systems.
5. As the year closed, teams had to work through budget forecasts with a reduction between 5% and 15%, basically meaning that program growth within organizations is stifled.
How have IT and Security plans and budgets been impacted by the pandemic? Is the impact short or long term? In truth, we felt that our strategic plans/roadmaps haven't changed. We still have the same initiatives as we continue to mature programs using frameworks (NIST-CSF, SOC2, ISO) and ensure they are meeting regulatory requirements (PCI, HIPAA, CCPA, local laws).
1. While the budgets might not have changed from a planning perspective (we HAD approval before), we expect the number of spending questions to increase as we begin to implement the plans. While this is a normal part of the process, we are expecting that organizations will become a bit more risk-averse for the next couple years.
How are the top threats and attacks that we have witnessed during the pandemic reshaping Security, IT, and Businesses? Or is it business as usual? While we experienced a rise in phishing, social engineering, and DDoS attacks, the threats and attacks themselves haven't changed. Phishing is still a problem; helping users secure their usernames and passwords is something that we, as an industry, have been trying to address for 10+ years.
1. Implementing IT best practices is critical to security and while many of us have developed some cool tricks to identify gaps (lack of change control for development systems), we are continuing to address systems that arrive insecure out of the box.
2. Finding talent (professional services, contractors, or full-time), developing or enhancing insider threat programs, and understanding where and how to secure, manage and track critical data within corporate environments continues to be a challenge.
__________________________________________
Tales From The Trenches - Common Issues Within Customer Engagements
Common Recurring Security Issues in Small Businesses
New Genesis Solutions conducts numerous security assessments each year, from in-depth cybersecurity penetration tests to compliance gap assessments. Despite the fact that organizations remain extremely nervous about being attacked by criminals in black hoodies, we continue to see a lot of “common” (and easy to fix) security issues that we have been surprised by. We also do not believe these issues will be addressed broadly any time soon:
1. Physical security is (still) a problem - and will continue to be.
- Recommendation: Walk around the building from the street
- Recommendation: Verify exposed locking mechanisms work
- Recommendation: Set internal cultural expectations that security is everyone's job and we need to be aware and diligent
2. Websites (even ones without sensitive data) are STILL juicy targets - and will continue to be hacked and leveraged for criminal activities.
- Be Aware, Alert, Investigate and Test for: Brand-jacking attacks (HR recruiting, ads, marketing campaigns); stealing marketing contacts, leads, and revenue is a growing theme
- Be Aware, Alert, Investigate and Test for: Criminals and hackers gaining footholds in websites for data and information exfiltration, theft, or crypto-mining
- Be Aware, Alert, Investigate and Test for: Criminals and hackers using social media networks to impersonate employees and social engineer their way into an organization to snoop, harvest intelligence, and launch malware and phishing attacks
3. Passwords will likely be the death of us (or at least our reputation) - and until the industry as a whole comes together to establish a uniform standard and approach, this will continue.
- Initiate Action to Reduce Risk: MFA is really not that hard to implement and could actually be deployed immediately. Reach out to an expert to discuss how to implement MFA
- Initiate Action to Reduce Risk: Users that need to change habits are not going to change immediately; change is difficult and takes time. Ongoing reinforcement, governance, and oversight from leadership are required to enforce and drive change
A Few Surprising (But Common) Issues
Below are a few more complicated information technology issues that organizations are experiencing because the technology was either misconfigured when deployed, or the organization simply misunderstood how to approach the deployment as they went through the implementation process:
1. Backups not being completed, not consistent, not verified
- Review, Inspect, Test Your Backup Process: Many organizations have an overreliance on "gold-level" backups or DRaaS vendor solutions and services
- Review, Inspect, Test Your Backup Solution Deployments and Vendors: There appears to be a growing number of organizations reporting issues or gaps in solution deployments or service delivery. This could be exposing a lack of reliable solutions in the market, or that many providers over-promised and are under-delivering.
2. Turning off VPN (or other services) but still allowing remote mail connections
- Be Careful About Making Rash Decisions: "VPNs are the devil!" - Many leaders and organizations struggle with remote employees using VPNs in an optimal manner, and their attitude is that VPNs are evil - this brings to mind a bad Adam Sandler Water Boy movie meme. Think through the security and compliance ramifications of moving away from VPNs.
- Ask for Input from Security Experts: Using webmail from around the world without a secure connection, while phishing and social engineering attacks are on the rise and becoming a plague on corporate society, is not the best course of action.
3. IT organizations making "risk-based decisions" but without an actual framework
- Thinking Through a Risk Framework Can Reduce Future Risk and Complexity: Hardening systems without considering how easy or hard it is to build a new system, access a new site, or provide access to services might seem like a short-term fix, but it often leads to significant complexity and additional risks down the road.
- Seek Advice from Security Experts: Firewalls configured to block traffic based on geography, but not aligned to the organization's actual data flows, role-based application or service access, or a formal access control hierarchy, can create significant chaos and disruption within the business.
Technologies Organizations Can Invest In to Reduce Risk, Improve the Security of Systems, Applications, Data
If New Genesis Solutions were to go out on a limb and suggest to customers what technology they should be investing in, our recommendation would be to investigate Identity and Access Management solutions. These solutions:
- Enable organizations to leverage identity and access between on-premises and cloud technologies, environments, and critical business applications (both SaaS and PaaS)
- Can be utilized to establish the foundation for an organization’s insider threat program
- Can be utilized to help establish zero-trust segmentation strategies and programs
- Help drive the adoption of Multi-Factor Authentication (MFA) to ensure employees only access the systems, applications, and data they are authorized to access, while keeping cyber-criminals out of the network. MFA is a requirement everywhere, not just in the most used applications.
_________________________________________
Industry Articles and Research
Below are a few reports and white papers on cybersecurity, compliance, and risk trends that we found interesting. Enjoy!
CISA Election Security Resources: Election Infographic Products
Election Infographic Products is a set of three infographics and two maps designed to combat disinformation by equipping election officials, stakeholders, and voters with information on the mail-in voting, post-election, and election results processes (which vary by state and/or jurisdictions), and the security measures that were implemented to safeguard the 2020 election season.
Read more about these resources.
National Cybersecurity Potentially Impacted by the Election
Chris Krebs, the director of DHS’ Cybersecurity and Infrastructure Security Agency (CISA) expects the White House to fire him, as the Trump administration continues a purge of officials that are considered disloyal to the former President Trump.
COVID-19 Focused Attacks Continue on Vaccine Makers
At least three nation-state actors, Strontium, Lazarus Group, and Cerium, have targeted seven COVID-19 vaccine makers, Microsoft warns. “In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19.” reads the post published by Microsoft. “The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States. The attacks came from Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc and Cerium.”
Harvard Business Review: The Risks You Can't Foresee
For all a company's efforts to anticipate what-ifs, novel risks will still emerge, and companies will not have a script or a playbook for managing them "right of boom," or after a disaster has struck. Also, nothing in the backgrounds of operating or risk managers will help them respond quickly and appropriately. In this situation a company needs to make decisions that are (a) good enough, (b) taken soon enough to make a difference, (c) communicated well enough to be understood, and (d) carried out well enough to be effective until a better option emerges. A company has two options for right-of-boom responses:
- Deploy a critical incident response team
- Manage crisis at a local level (read: at a level you can actually impact the result)
McKinsey Article: How to Address Cybersecurity Vulnerabilities
While many companies are not part of the energy industry and sector, there are some parallels in this McKinsey article on cybersecurity vulnerabilities in their industry. The best 'take-away' is the "myth" section that pushes past old beliefs (read: install and forget) that traditional controls are enough. Here are some of the approaches companies might want to consider in their OT/SCADA environment:
- Pentest to validate only authorized connections (airgap and limit physical connections)
- Physical and logical monitoring alerts
- Document and monitor vendor connections to ensure all access is authorized
- Ensure all contractor and vendor resources that access Valley Metro equipment are part of security awareness expectations and understand that they are required to help keep Valley Metro secured by only using authorized systems to access Valley Metro systems
- Perform a security controls assessment as part of annual contract reviews and vendor management reviews
__________________________________________
Additional Research Reports, Tools
Please email us with questions or comments about the topics or trends above. We want to hear from you! Andy@NewGenesis.Solutions
__________________________________________
Newsletter - October 2020
Welcome to the New Genesis Solutions (NGS) Newsletter!
NGS helps organizations to prevent cybersecurity events and reduce risk, by addressing gaps within IT and business processes through vulnerability and risk management consulting services.
We started 2020 with optimism as the market was up, and leading indicators across multiple industries and segments were strong. As the pandemic swept the globe and the market weakened, many organizations found themselves struggling to support remote workers, engage and retain customers and pivot their internal IT and operational methods to support the "new reality". As we enter the last quarter of 2020 organizations are faced with the economic headwinds of a recession and are dealing with a massive increase in ransomware, phishing, and new malicious attacks.
We appreciate you investing time to read through our latest newsletter and we hope you find the articles and resources interesting. Please reach out to us with any questions or comments. We look forward to hearing from you.
__________________________________________
Newsworthy Topics & Trends
Below is a list of various topics and trends we have been following over the last month. We find many of these topics interesting and newsworthy.
Cyber Security & Regulations:
The global pandemic and increases in cyber and physical domestic terrorism have impacted the way we live and work. It has also caused regulators to expand the list of controlled substances, including everyday household items such as hydrogen peroxide. This is one of 300+ chemicals that are now regulated under the CISA Chemical Facilities Anti-Terrorism Standards (CFATS) program. Through CFATS, CISA works directly with facilities to reduce the risk that certain hazardous chemicals are weaponized by terrorists. While we recognize this level of control reduces risk, we wonder what the long-term impact will be to citizens and how this will change the consumer experience and consumption laws. View the Chemical Facility Anti-Terrorism Standards.
Global Impact of the Pandemic
S&P Global research and analysis on the pandemic's impact on local and global markets is extensive. S&P's mid-year ITT updates provide a snapshot of 39 industries in North America and EMEA. They focus on the impact of COVID, the likely shape of each industry’s recovery, and key risks around our forecasts. View the latest research here. Also, sign up for this complimentary webinar on October 2 regarding global credit conditions and the impact this data has on the economic recovery.
Pandemic Fuels Demand for Cyber Talent
We've been talking about the cybersecurity skills gap for more than a decade, but industries are now reporting huge cybersecurity staffing shortages as attacks surge during the pandemic. The Information Systems Security Association found a 63% increase in cyberattacks related to the pandemic. Read more here.
National Cybersecurity Awareness Month
To kick off national cybersecurity awareness month, CISA is hosting a virtual 2020 Cybersummit, providing a series of webinars every Wednesday for four weeks beginning September 16 and ending October 7. Each series will have a different theme that focuses on CISA’s mission to “Defend Today, Secure Tomorrow,” with presentations from targeted leaders across government, academia, and industry. The Day 2 video will stream live beginning at noon on September 23. Check out the website for additional information. View the 2020 Cybersummit website here.
Addressing Business & Organizational Risks:
Executives and business owners should always assume that their organization has something cybercriminals want. You don’t need to be famous or have millions of dollars in a bank account to become the victim of cybercrime. For the last 10 years businesses of all sizes have fallen victim to phishing and business email compromise scams that launch malware, steal credentials to systems, or drive unsuspecting employees to carry out an activity such as sending a payroll report or a list of employees or customers to an imposter. These acts lead to system breaches, theft, and fraud. View this series of short videos on how to protect yourself in the workplace and check out this Cyber-Threat Risk Mitigation Article.
__________________________________________
Industry Articles & Research
Below are a few reports and white papers on cybersecurity, compliance, and risk trends that we found interesting. Enjoy!
Mitigating COVID-19 Cyber Attacks
Dark Reading always does a solid job publishing research and advice from 3rd parties. This page provides a series of articles on recent COVID-19 cyber attack trends and best practices for preventing attacks and reducing risks during these uncertain times. View the page here.
Interpol COVID-19 Cybercrime Report
Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation around the world. At the same time, the higher dependency on connectivity and digital infrastructure due to the global lockdown increases the opportunities for cyber intrusion and attacks.
Misconfigured Web Application Firewall Leads to $80 Million Fine
As Capital One just found out, all it takes is one bad guy and one mistake to create a massive breach that results in a massive fine. In 2019 a hacker leveraged a misconfigured web application firewall to access Capital One’s files, hosted on Amazon Web Services S3 servers. Capital One has been driving significant remediation and corrective action to redeem themselves per a Federal Reserve cease and desist order. Read more here. Capital One is not alone with their struggles around misconfigured cloud servers and applications as cosmetic giant Avon announced a breach of 19 million records in July 2020.
Microsoft Source Code Leaked Online...After All, it is 2020 Right?
Well, it wouldn't be 2020 if Microsoft was not embroiled in some level of security incident. It appears that Torrents have been placed online containing the source code for Windows XP, Windows 2000, and other software from Microsoft. Shared on the notorious 4chan, a collection of files approaching 50GB in size also include the source code for Windows Server 2003, Windows NT, and MS-DOS. Read more here.
FortiGate VPN Default Config Allows MitM Attacks
It appears that Microsoft isn't the only technology manufacturer showing up in the news this month. Researchers reported that default configurations of Fortinet’s FortiGate VPN appliance could open organizations to man-in-the-middle (MitM) attacks, where threat actors could intercept important data. Read more here.
Keeping Up with Regulatory Compliance Actions, Changes
Organizations across dozens of industries are required to comply with industry regulations. Regulations and legislation can be updated or passed frequently, creating significant strain and pressure on organizations to keep up with the rate of change and to navigate the change management associated with updating policies, procedures, reporting, and training of employees. View this website to keep track of pending regulatory actions within the U.S.
__________________________________________
Additional Links to Research Reports, Tools
Please email us with questions or comments about the topics or trends above. We want to hear from you!