The Inner Circle

 View Only

Security Advisory for C-Suite, Top IT Executives, CISOs, CTO, SOCs and Security Professionals (Quick Read) by David Olugbenga

  • 1.  Security Advisory for C-Suite, Top IT Executives, CISOs, CTO, SOCs and Security Professionals (Quick Read) by David Olugbenga

    Posted Sep 26, 2022 10:20:00 AM
    Edited by David Olugbenga Sep 26, 2022 10:21:23 AM
    We are facing a Cyber-WARFARE! And It is the sole responsibility of every cybersecurity professional to disseminate the most critical security PII (Personal Identifiable Information) and create security insights for each National Critical Functions (NCFs) within the traditional and evolving Operational technology (OT) vulnerability landscape, as we evolve to the Web(∞).

    Before we proceed, it is imperative to understand that a threat to an organization's operations is a threat to the Economy as it is to human livelihood, Hence Security is to be seen as an Act of service to the greater good while ensuring that the adequate risk assessment & management mechanism to enable resiliency in (ISMS) security systems deployment, Audit GDPR, and Compliance is established.

    A 2022 Survey Research by (Industrial Defender) - "State of Operational Technology (OT) Cybersecurity" discovered that Reporting and Compliance remains the most popular areas for 2022 OT budget investments.

    Top 4 Key CISO Duties

    1. Developing Security Policies and Strategies (estimate & priotize risk) NIST 800 -30
    2. Managing Developed Policies timely (review & update security policies)
    3. Coordinating IT team and Consulting
    4. Maintaining Security Investmests

    A quick recap of the most hostile security events by Black Hat, APTs, and Other Threat actors:

    10 Top Fortune 500 Companys that Got Compromised (Hacked!) in 2022

    • AT&T
    • Cisco
    • Uber
    • Marriot
    • Amazon
    • Apple
    • Wells Fargo
    • CVS Health
    • Nvidia
    • Microsoft

      "Traditional approaches to securing Operational Technology and Industrial Control System do not adequately address current threats."- ( Control System Defence Control , Cybersecurity Advisory by NSA and CISA ).

      The average cost of breach in 2021/2022 is $4.2million (world economic forum 2022)

      The Average known Ransom payout is about USD $228,125 Q122 by (BlackFOG & Cyber Resque Alliance best Cyber insight 2022)

      (Overview) A Systematic Risk Assessment Approach - NIST 800-30/ 800 -39

      Step 1: Prepare and Conduct an assessment

      Step 2: Generate information derived from evaluating organizations' risk framework

      • identify threat source/events
      • identify vulnerabilities
      • Determine the Likelihood of occurrence
      • Determine impact score/severity
      • Determine the Risk

      Step 3: Communicate Risk Result

      Step 4: Review, Preserve and maintain assessment

      Quantitative information risk Analysis:
       The Annual Loss Expectancy(ALE) = SLE *ARO, where (SLE) is Single loss Expectancy and (ARO) Annual Rate Occurance.
       SLE = AV x EF, where (AV)is asset value (EF) is the exposure factor. (Tsiakis, 2010, Boehme and Nowey, 2008)

      Top 3 Reasons for increasing Cyber Attacks in 2022

      • Financial motivation
      • Political (ideology, state sponsor, hacktivism)
      • Religious (historical ideology, ethnical, supremacy)

      6 Known persistent Trail Blazers - (Threat Actors and Origin)

      • Russian - (SOFACY APT28/29, BEAR, Sandworm Team. (MITRE G0034))
      • North Korea - ( Lazarus Group (MITTRE G0032), STARDUSTVELVET, OnionDog, CHOLLIMA APT37-8, ELECTRICFish )
      • Iran - ( KITTEN, Direfate, BlackShadow)
      • China - (PANDA, Yanluowang ransomware)
      • Turkey - (SPIDER, WOLF)
      • Gaza - (Molerats GCG (MITRE G0021)

      Top 5 (APTs) Tactics, Techniques, and Procedures (TTPs) (client and server sides)

      • Ransomware
      • Cross-site Scripting
      • Evasive Phishing
      • Signed Binary Proxy Execution (Rundl32)
      • Disinformation, deepfake and Social engineering

      Top 6 most vulnerable Sector by 2022

      • Industrial
      • Financial
      • Defense and Miltary
      • Health
      • Transportation
      • Education

      Top 5 APT Protection Companies in 2022

      • Palo Alto
      • Broadcom
      • Sophos
      • Cisco
      • Kaspersky

      Top 7 most used emerging security terminology- 2022

      • Zero-trust (ZTNA) - A.I & Biometrics play a huge role!
      • Quantum Security (sensors,crptography,imaging)
      • XDR/ MDR (Endpoint security)
      • APTs (Advanced Persistent threat)
      • 0-zero day
      • Threat modeling
      • IOC (indicator of compromise)

      4 Implications of Security Negligence/inattention

      • Companys' Integrity
      • Financial Loss
      • Regulatory Sanctions
      • Business Liquidation

      NIST best frameworks for information security

      ( NIST Framework is characterized by 5 key Functions – Identify, Protect, Detect, Respond, Recover)

      • NIST 27001(Information Security Management Systems)
      • NIST ISO/IEC 27002 (information security standards)
      • NIST 27701 (Privacy Information Management System)
      • NIST 800 -39 (managing information security risk)
      • NIST 800 -30 ( Information Security)
      • NIST 800 - 53 (Security and Privacy of information system)
      • ISO/IEC 27400 (IoT and Privacy)

      "The Category of Threat is based on information" - Joe Weinman

      Refer to Common Criteria (ISO/IEC I5408) to evaluate requirements of risk policies and environmental analysis , CC conforms to ;
      (PP) Protection Profile , (ST) Security Targets, and (TOE) Target of Evaluation

      6'Ds of Security Evaluation (Design, Develop, Deployment, DocumentationX3)

      Conclusion: Every business operation is currently experiencing an influx of adverse threat from both known and unknown sources, it is a choice to "Sink or Swim" as an organization, Top Security Exec must promptly Monitor, Frame, Assess risk in other to Responded to business operational security challenges. The essence of this Publication is to Highlight; Critical Updates on Information Security requirements, as well as inform security professionals, C-Suite executives, Top level management on the necessary security standard frameworks, metrics, and control policies as well as summarize security incidents and responses around the cybersecurity global ecosystem, geared toward creating cyber consciousness and developing more insights on information risk treatment plan.

      Thanks for Reading.
      David Olugbenga

      David Olugbenga
      Cybersecurity Analyst