Author name: Abhay S K

Between cyber-criminal groups, Lazarus (North Korea), Conti (Russia), and Mustang Panda (China), almost every business in every sector is on the radar of hackers. Because of geopolitical and economic reasons, these groups have stepped up their scanning and target acquisition activities in the last 4 weeks. Though evidence of collaboration is scant, there is some evidence to indicate that at least two of these groups have exchanged a list of targets in the past. So what have we got to worry about? Targeted attacks on OT networks are rising and depending on who is attacking, the motivation could be anything from ransom, disruption, elimination of competition, or even training Oil and gas facilities have been successfully targeted in the last two months and the ransom that came from these attacks has fueled a new wave of attacks by Conti (including the launch of a new multi-loader malware that was released early) While Lazarus is primarily targeting the financial services sector, it could switch to attacking manufacturing units and other critical or large chemical processing units for ransom Most attacks are based on spear-phishing using specific messaging By targeting oil and gas and manufacturing, the hackers are also trying to destabilize economies and large supply chains Even without these events, 2022 has been a tough year for CISOs with Cyber threat assessment for IT, OT, and IoT is the need of the hour   Most businesses are not conducting security audits frequently enough. They are also not investing adequately in ramping up their security posture to cover new and emerging threats. The reason for this is simple. These businesses are not conducting enough threat assessment runs to understand internal and external threats and vulnerabilities they are exposed to. This makes such threats and vulnerabilities invisible to them and these businesses continue operations on a BAU mode while the threats multiply and grow in sophistication and potential impact. A threat assessment exercise when done in the right way at the right time could save millions in revenue, downtime avoided, and loss of market share due to delays in production and shipment of products. what are the components of a good threat assessment program? Frequency: calendarize the exercise so that the exercise is taken up periodically and frequently Coverage: cover the infrastructure as a whole including devices, networks, HMI units, SCADA systems, data platforms, and everything connected. It should also cover access privileges and any and all components including, if possible, assets that are not yet added but will be in the short term Methodology and framework: threat assessment should not be aligned to compliance objectives alone. Instead, it should also take into account all operational sources of risk, threat surfaces, and all infrastructure components. The core framework should be flexible enough to incorporate any changes in operations and the methodology should ideally be unique to your business keeping the parameters mentioned above in mind. It is advisable to build a unique methodology and framework for your threat assessment program Be clear about the objectives and outcomes. Also, a threat assessment program that doesn’t have an action plan for improving security is as good as a non-existent one Working with a cyber threat assessment partner like Sectrio can improve the outcomes and shrink the learning curve. Sectrio will build a unique framework and method for you from the ground up and conduct the exercise as well. Benefits of Sectrio’s threat assessment program: Get a comprehensive report on your cybersecurity posture including all threats, risks, vulnerabilities, misconfigurations, exposed threat surfaces, and entry points for threats Prioritize top threats so that you can avoid straining your resources while addressing the threats Action plan and roadmap to address the challenges and scale to the next level of security Rating on how your existing security posture compares with your threat environment Impact assessment for key risks, vulnerabilities Enhance maturity level of IT operations and improve data security Try our threat intelligence feeds for free for the next two weeks. Get access to enriched IoT-focused cyber threat intelligence for free for 15 days   Book a demo now to see our IT, OT, and IoT security solution in action: Request a Demo

When it comes to drawing up a proactive plan to secure infrastructure, a threat assessment drive can go a long way. In addition to helping understand the sources and gravity of individual threats, it can also sensitize all stakeholders on various security aspects and help organizations understand and address specific and generic threats. However, due to some inherent deficiencies, the full value of an institutional cyber threat assessment program is not realized by many enterprises who chose to conduct such an assessment program. What are these deficiencies and how can they be addressed, read on to find out. Deficiency one:  wrong or outdated cyber threat assessment model   In our interactions with CISOs across manufacturing, utilities, maritime, oil and gas, and financial services sectors, we found that many businesses were relying on models that were primate and not suited to the emergent threats that are now dominating the threat landscape. These models were often borrowed from their peers in the industry and have been passed down from one generation of cybersecurity leaders to another across decades in some instances. Remedy: work with a vendor or internal security operations team to prepare a model that is specific to your business.  Deficiency two: lack of unit-level assessment Even today, many businesses conduct threat assessment at an infrastructure/enterprise level rather than go a few notches lower to assess threats at an equipment or transaction level. Based on the family of devices, communication protocols, supply chain characteristics, device profile, digital footprint, and many other parameters, each device could face a multitude of threats. Further, networks face a series of threats that could be unique to various network characteristics. Without taking these into account, an IoT, IT, or OT threat assessment exercise will not present sufficient actionable data that can reduce your risk exposure. Remedy: prepare an inventory of all devices and networks before embarking on a threat assessment exercise. This is especially true for OT-based infrastructures where device inventories are often outdated or do not exist. Also Read: Why IoT Security is important in today’s network? Deficiency three: low frequency of assessment In IoT and OT environments connected with critical infrastructure, threat assessments should be conducted at least once a month to identify and track new risks and threats and plug any vulnerabilities or security posture-related gaps that may arise. Remedy: calendarize and conduct threat assessments as frequently as possible. Deficiency four: compliance-driven threat assessment agenda Often businesses conduct threat assessment drives due to external factors such as audits, compliance needs, or pressure from the board or senior leadership. Sometimes threat assessments are conducted as a knee-jerk reaction to an advisory from a regulator as well. This leads to the threat assessment exercise being treated as an ad-hoc effort with no long-term view or focus. Remedy: conduct threat assessments as a calendarized activity. The agenda should be specific to the risk exposure management needs of the business that is conducting it. Compliance Kit: IoT and OT cybersecurity self-assessment tool using NIST CSF Deficiency five: lack of skilled cybersecurity threat assessment experts As threat assessment is often not seen as a core activity, the work is assigned to team members who have to learn on the job. No additional training is imparted and such team members are often made to handle threat assessments along with their other responsibilities. Remedy: allocate specific threat assessment responsibilities to team members and train them to do it professionally with diligence. Such members should also be made to undergo threat assessment certifications and act independently while making honest threat assessment recommendations. Deficiency six: lack of integration (or synergy) with the overall cybersecurity roadmap Since most businesses conduct a threat assessment exercise in an ad hoc manner, its findings or frequency, or even the objectives are not synchronized with the institutional risk management priorities. This leaves a wide gap in implementing the findings of the threat assessment exercise which are sometimes not even implemented. Remedy: integrate the threat assessment exercise with the overall risk management program using incremental steps. Never conduct a threat assessment exercise in isolation as that will simply erode the benefits that your institution could gain from such an effort Wish to know how to turbocharge your threat assessment programs to improve your institutional threat hunting and cyber risk management efforts?  Talk to Sectrio. We have assisted businesses across verticals such as manufacturing, oil and gas, maritime, banking, supply chain, and pharmaceutical manufacturing to evolve and run comprehensive and beneficial threat assessment programs. Talk to us now. Wish to talk to our threat assessment specialists for more information? Share your details here. Try our threat intelligence feeds for free for 15 days to see what your threat hunting program is missing here: Sign up for FREE threat intelligence feeds Learn more about our threat assessment methodology here: OT and IoT Threat Assessment Book a demo now to see our IT, OT and IoT security solution in action: Request a Demo Try our threat intelligence feeds for free for the next two weeks. Get access to enriched IoT-focused cyber threat intelligence for free for 15 days  

US Cybersecurity budget proposal stands at $10.9B (FY2023), while cybercriminals made $6 trillion in 2021 One can decipher the importance of cybersecurity and at the same notice the bridge between spending and losing in that stat. A quantum future is already in the making, and tech giants are already in the race. One research estimate put quantum computers to be a million times faster than classical computers. Such great computing power can reform the way we see and interact with technology. To be a part of such an experience, one needs to rethink cybersecurity, novel threats, and challenges posed in the ever-increasing digital space. Every enterprise, irrespective of its size and nature, allocates a certain chunk of its IT budget toward cybersecurity. These figures roughly land anywhere between 2% to 10.7% or just around 0.2% to 0.9% of their revenue. This roughly equals the (proposed) US Cybersecurity budget – around 0.45% of their GDP.  In a space where black hats (criminal hackers) are intimidating even the top tech giants, one has to reassess their Cybersecurity budget, and simultaneously look after cybersecurity budget optimization to achieve the best price to performance ratio. Does your Cybersecurity budget address these key areas? A cybersecurity budget breakdown should be able to define a company’s viewpoint and direction in adopting cybersecurity practices. Our experts at Sectrio curated the four areas, where you should exclusively focus upon: 1. Reactive vs Proactive The first and the most vital step in cybersecurity is being proactive, and not reactive. By the time a security breach is discovered and acted upon, the enterprise might end up losing credibility, business, and reputation. Many enterprises only work on implementing preventive measures and miss upon securing critical data and infrastructure. A proactive approach includes building cybersecurity from a hacker’s point of view and trying to penetrate the systems. An enterprise can hire blue/red hat experts to carry out penetration exercises and ramp up its cybersecurity.   Also Read: Why IoT Security is important in today’s networks? 2. Leveraging SOAR technologies SOAR (Security Orchestration, Automation, and Response) technologies may not be coming at takeaway prices, but surely their ROI can justify their costs. The in-house cybersecurity team is often overwhelmed by the quantum of alerts thrown up by security systems. Collecting, assessing, and identifying false positives is a herculean task for the security team. Where speed and efficiency are vital, these challenges can be daunting. This is where SOAR technologies help in building automated responses to low-level threats. This leaves the cybersecurity teams more time to work on tasks that require human intervention and deeper analysis. 3. Protection of infrastructure & data In a digital space, data is the key to success. Protecting every bit of that data is vital to an enterprise’s success. The following should be a part of every company’s annual cybersecurity budget breakdown: Detection tools, micro-segmentation, and encryption technologies Network monitoring solutions – Intrusion prevention systems, intrusion detection systems, web scanners, and packet sniffers Secure Email gateways to counter phishing and social engineering attacks Access and authentication technologies Robust data protection plan – Data sharing, tracking, portability, and breach notification Regular data backup and replication – This protects against data loss during ransomware attacks 4. Improving cybersecurity culture Cybersecurity is not only the cybersecurity team’s job but everyone’s. Awareness programs, skill development, basic identification and reporting, and security awareness training should be a part of the cybersecurity budget of any enterprise. This prevents a considerable number of phishing cyber-attacks. What is Cybersecurity budget optimization? Everything needs to be optimized. Your phone battery, your hard disk memory, your grocery budget, and even the nation’s budget. Similarly, even a company requires a thorough cybersecurity budget optimization to make the best use of the resources available. It is of utmost significance that a company knows where it is overspending, underspending, and where it needs to be spent optimum. This helps in minimizing costs escalating due to unnecessary or otherwise unimportant factors and spending more on areas that require time and value. Maybe you are overspending here! Our experts have decoded the four areas of overspending from a company’s typical cybersecurity budget breakdown. Make sure you address the following four areas to curb your overspending: 1. Handling Technology bloat In a company driven by technology, it is apparent that applications bloat over time. While few of them might be important, many of them can be simply pulled out of the regular workflow. Doing so will reduce time and money. Companies should deploy Technology Rationalization periodically to assess and eliminate tools and applications deemed unnecessary. 2. Legacy Systems Running processes on legacy systems is one area many enterprises are stuck with. While the individual costs don’t pop up in the annual balance sheets, these costs compound with time and become start bruising before one realizes it. It is best advised to move to modern IT infrastructure that gives better cybersecurity support. 3. Protecting all data equally Data type and nature vary greatly. While personal identification details, credit card numbers, and phone numbers can be very sensitive, policy documents and other in-house documents hardly have value. Depending on the type and nature of the data, protection tools must be deployed. This helps in bringing down the costs by a large margin with time. 4. Traditional Preventive Tools Hackers find novel ways to leverage the latest technology and tools to intrude into a system. Deploying heavy traditional tools may not be the right way to go ahead in the future. A thorough risk assessment can help in identifying the high likelihood of the type of risks and deploy cloud-based solutions accordingly. How to optimize your Cybersecurity budget? Spending more does not mean more protection. Only when you spend wisely, your protection improves. It is vital to know where to focus and how to prioritize spending across various aspects. 1. Technology that serves your purpose need not be the best More often than not, most hackers try to gain access to your enterprise’s network for financial gain.