Coffee with Jim – Colonial Pipeline Chaos

Following the hack on the Colonial Pipeline in the US, join Jim as he reviews the situation one week on. We talk about what we know about the hack, what its effects have been, who the perpetrators are and what we know about them and, most importantly, what we can learn from this and how we can protect ourselves from similar attacks.

As always, we’re here to answer any questions you might have so leave a comment or drop us a line. And don’t forget to subscribe to our YouTube channel!

The Interview Series: Corey Williams, CyberArk

Grab a coffee and join us for a chat with CyberArk’s Head of Identity Security Marketing, Corey Williams. If you don’t know them already, CyberArk are leaders in identity security and access management. We talk about how the pandemic has changed the way businesses can (and should!) adopt technology to improve business processes and the challenges that come with this, including how to tackle a lack of understanding and improving communication within your organisation.

Corey tells us about why we should be focusing on accelerating digital business initiatives and using changes in the way we use identity to make better decisions and identify – and mitigate – risks. We talk about cyber security trends and what processes we need to adopt for success in this digitally focused way of working.

Finally, Corey shares his thoughts on the best way to progress in a career in infosec, the certifications to work towards and the key skills to work on.

As always, we’re happy to answer your questions – just drop us a line, and don’t forget to subscribe to our channel!

Watch: The Art of Digital War

Following our blog about The Art of Digital War, join Jim to find out what we need to do to protect ourselves in a war against hackers and cybercrime. Attacks today are getting more sophisticated and we need to take a fresh look at the way we build our security baselines.

We take a look at:

– understanding more about the threats we are facing
– changing our focus on the types of security solutions we use
– the technology we are using vs what we SHOULD be using
– what new areas we need to focus on – our recommendations

Read the blog here:

The PCI DSS Compliance Mini Series, Ep 2

Welcome to episode 2 of our PCI DSS mini series, where we’re talking about selecting a QSA. QSAs are not (or shouldn’t be) cheap, so making sure you employ the right person to successfully get your business through the audit is really important.

Find out what you need to know to make sure your QSA is the right fit for your sector and has the required level of experience, and how to check that they are certified and that their training is up to date.

Jim shares his tips for interviewing and vetting QSAs and then working with your chosen QSA to make the auditing process as pain-free as possible.

As always, we’re here to answer any questions you might have so leave a comment or drop us a line. And don’t forget to subscribe to our YouTube channel!

The Art of Digital War

by James Rees CISM, PCI DSS QSA, ISO 27001 LA
Managing Director, Razorthorn Security

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”

Sun Tzu, The Art of War, 5th Century BC

There are few books in history that are still considered to be as valuable today as when they were written, and “The Art of War” is one of them. Written in the 5th Century BC, it is still considered essential reading in many fields, including business, and it has been quoted in more films, books and other media than you can probably count. As you can probably see, I am a huge fan of the manuscript and have studied it numerous times, both for my work in the field of information security and for my own medieval battle interests outside of my working life. It is an excellent read and I’d recommend getting yourself a copy as soon as you can.

I was interviewing Richard Cassidy from Exabeam for our YouTube channel recently and he mentioned that we are fighting a never-ending digital battle: we information security people, IT people and business people against the malicious actors looking to compromise systems and networks for their own gain. He was absolutely correct and, after some thinking, this article was born.

Since the internet became widely available back in the 90s, we have seen an ever-increasing demand for technological advancement. Many of the systems and services that we rely on today are connected to networks, which are connected to other networks, and so on until you reach the internet. Applications and software run everything. The last 25 years have seen more technological advancement than any previous period in the history of our species, and the rate of that advancement is increasing every year. It is a fantastic time to be alive.

But for all the huge benefits we have in today’s world, we are totally reliant on that same technology to run our lives, our businesses and our governmental institutions. It’s hard to remember a world where information was not instantly available, or services available at our fingertips. Whilst this gives us the freedom to concentrate on other matters compared to previous generations, it has led to a level of reliance that means that if that same access to technology were taken away, in whole or in part, for any length of time, there would be serious social, mental and real-world implications. All our financial and critical infrastructure now runs digitally in some form or another. It has made us both strong and weak as a species.

So now I have set the scene, what has this got to do with cyber security and digital war?

Information security people have for a long time now been working as hard as possible to secure infrastructure, systems and services from being compromised or rendered unavailable due to some form of software error or outage. We old-timers call this the AIC Triad, which stands for Availability, Integrity and Confidentiality. In the early days, we spent a lot more time securing against software outages, downed comms links and similar issues. IT back then was very much a young discipline, and innovation in that space was based around the development of better, more efficient systems and redundancy to ensure critical systems and services remained available. There was a lot of innovation in moving the older paper-based systems over to fully digital versions that were built to be able to evolve, change and be refined as required.

Then we started moving to ecommerce over traditional high street shopping. And with that, the world of information security changed forever.

As history has proven time and time again, once a system is in place to take payment for services, to move money, or to do anything else involving money, the criminals will shortly be sniffing around. And with the rapid rise in popularity of internet shopping, more and more of them followed. Today, cyber crime is considered to be one of the fastest growing criminal industries on the planet, eclipsing even the global drugs trade in profitability.

That brief history lesson brings us to where we are today. 20 to 25 years ago we were worried about a virus causing havoc, or a system falling over. Today, we are worried about ransomware, data loss, credit card theft, cryptocurrency theft and more, and the list grows each day. As I have mentioned in my video blogs, there is currently a seriously disturbing trend of alleged state sponsored hackers compromising key service providers and software solution providers in order to introduce backdoors and malicious code into their software. When that software is installed on customer systems, it provides those malicious groups with access to undertake covert operations.

Information security professionals are in great demand at the moment. Malicious activity has grown to epidemic proportions in the last few years and it has caused many a board of directors and shareholders of organisations of all sizes serious concern about whether they will be the next targets. But for every information security professional trying to protect an organisation, there is another trying to find new ways to compromise everything the information security professional is trying to protect. In essence, this is a huge digital battle raging on the internet that you only really see when one or more of the malicious groups compromise the systems of an organisation and the news gets out. Unfortunately, you rarely hear about breaches if there is the possibility of a coverup. The difficulty in this never ending battle is that information security professionals are usually underfunded and the malicious actors can make a lot of money and thus are in essence overfunded. Other than what these individuals or groups take for themselves, they usually plough the remainder into increasing their ill-gotten yields.

There is a whole Dark Web cyber criminal community where they sell their gains as well as access to systems, malicious code, targeted attacks, vulnerabilities and all kinds of supporting services and technologies. This cyber criminal ecosystem mirrors that of the ethical system in reverse. There are coders paid to create malicious software, there are initial access brokers selling access to systems, there are hackers for hire and many, many other services that can be procured for those with the right contacts, the right money and the right determination.

The unfortunate truth is that cyber crime is never going to go away. Cyber attacks and state sponsored attacks are going to get more and more widespread as time goes by. We are constantly having to adjust and change our defensive tactics to keep up with our counterparts in the darker side of cyber security because if we don’t, the average cost of cyber crime per year will rise even faster than it is now. It is a real balancing act – by keeping the cyber criminals on their toes, we are keeping the rate of cyber crime damages increasing at a lower rate, yet they are keeping us information security people on our toes by coming up with ways to circumvent the security countermeasures we put in place… it’s an endless dance that is never going to change.

This is a war that can never be won and will only ever continue.

Organisations, both public and private, will have to rethink security in order to efficiently and effectively maintain a semblance of balance. Security can no longer be the bolt on at the end of the process, it needs to be carefully baked into the beginning, the middle and the end of every part of an organisation’s DNA. An organisation needs to have a baseline for basic security, then build levels of defence in depth on top in the form of policies, processes, standards and awareness training. Software developers need to undertake secure coding and strict DevSecOps along with security testing of code and products. IT professionals need to secure infrastructure, perimeters and ensure adequate testing of all infrastructure at least annually or after any significant change, and information security teams need to carefully manage and support the business with governance, risk and compliance to pull it all together in a way that provides consistent, effective and evolving security and risk management as the organisation itself evolves and changes.

There are so many components to information security in today’s world that it’s hard to list them. The list I just mentioned is in no way complete and hardly does the subject justice, but it’s a good base to start from. I could spend several days talking about cyber security tooling alone, let alone security governance, risk management and incident response, but I don’t think I have quite that much time.

Trust me, there is a lot to go over.

To conclude, let’s revisit the quote I used at the beginning. I think one of the biggest problems we have as an industry is the limited knowledge we have of both ourselves and of the enemy, hence why we are stopping some attacks, but falling foul of others. We have a good knowledge of low to mid-level attacks, as well as the types of malicious software the lower end of the cyber criminal spectrum use. We put countermeasures in place to deal with these and they are pretty effective.

However, we have very little knowledge of the malicious actors higher on the spectrum, especially on the state sponsored side. Governmental security institutions have been reported to hold backdoors and knowledge of vulnerabilities in key technologies that they can use to compromise systems, and with all the reports of “state sponsored hackers” actively attacking key organisations, we are starting to see the battle evolve to a new level.

We need to take a step back and re-evaluate the battlefield and the defensive methodologies we are using to protect our organisations and institutions. It is apparent that protecting our organisations is down to us alone, as our own government’s state sponsored teams are more concerned with waging their own cyber wars, with little regard for protecting commercial concerns, who are being left to defend themselves. This is never going to change, so we need to spend more time talking as a community, helping one another out, advising one another and pooling our resources so that we can mount a collective defence posture that can protect our commercial institutions from this ongoing war.

This all sounds very grandiose, I fully appreciate that. But I firmly believe the information security industry needs to carefully return to the basics and rebuild for a modern information security world, rather than returning to the same old systems that quite frankly are very hit and miss at the best of times. If you don’t believe me, just look at the last 2 years’ worth of attacks and do the research.

It is time for us to get to know ourselves and re-evaluate our situation and research and re-review our enemy and their goals.

Watch: Interview with Richard Cassidy

Today we take a fascinating dive into the psychology behind cyber security with Exabeam’s Senior Director of Security Strategy, Richard Cassidy.

From how to deal with negative attitudes and passive aggressive behaviour at work to challenging the negative stereotypes of infosec staff, Richard shares his approach to creating positive and productive working relationships.

As we all know, ransomware is particularly rife at the moment, and Richard tells us about the psychology behind the attacks, what tactics to watch out for and why they are so successful. He also tells us about the importance of storytelling when it comes to an attack or a breach. A security incident never happens in isolation, so what are the most important things we must consider when it comes to mitigation?

We also take a look at how to make use of successful security strategies from other industries when improving our own and Richard gives his advice for a successful career in infosec and what he looks for in new candidates.

As always, we’re happy to answer your questions – just drop us a line, and don’t forget to subscribe to our channel!

Watch: Interview with Duncan Moore

We’re really looking forward to sharing this interview with you – meet Duncan Moore, Group Head of Information Security GRC at a well known gambling company (that must remain nameless, for additional intrigue).

Duncan tells us his thoughts on the most significant challenges facing the infosec industry in 2021 as well as the key learnings from the SolarWinds breach and which new security tools will make a difference to securing organisations as we face the new, post-pandemic, way of working.

For those of us looking to progress in our careers within infosec, Duncan shares his thoughts on the key skills and certifications required and his secrets for success. As always, if you have any questions for either Duncan or Razorthorn, drop us a line and don’t forget to subscribe to our channel!

The PCI DSS Compliance Mini Series, Ep 1

Whether you’re new to PCI DSS compliance or looking for ways to improve the process, join us for the first in a series of vlogs on the subject, presented by James Rees, QSA. With over 15 years’ experience helping organisations achieve PCI DSS compliance (and over 25 years in the industry), Jim is one of the most experienced QSAs in infosec.

This episode covers:

– An overview on the need for compliance
– The golden rules for scoping
– Tips for redoing the certification
– The importance of up to date technology

If there is anything in particular you would like us to cover in future episodes, please leave a comment or drop us a line.

Don’t forget to subscribe to make sure you don’t miss future videos in this series!

Watch: Interview with Ian Murphy, CEO, CyberOff

We’ve had some excellent feedback on our interview series on our YouTube channel, thank you! Today, we’re excited to bring you a chat with the incomparable Ian Murphy, CEO of CyberOff. Known for his hugely entertaining videos on LinkedIn, we chat with the self-proclaimed cyber security gangsta who injects some much needed humour and light-heartedness into cyber security awareness. We talk about how, as a semi-professional football player, he ended up following his passion for electronic engineering and landed a job that led to a varied and exciting career. Ian shares some great tips for progression for those in the early stages of their careers and his opinions on key skills and certifications. He gives some great advice on getting around the barriers to the role you want, as well as the things he wishes he’d known when he started out.

Don’t forget to subscribe to our channel and visit Ian’s page for some quality (educational) entertainment, including an unforgettable rap about passwords…