Perry Carpenter

Jay Jacobs and I have been working a lot this week on the inaugural study of EPSS performance. Thought I'd share a pretty chart that Jay churned out yesterday. It addresses the question "What’s the typical pattern of exploitation activity?" As you may suspect, the answer depends on the vulnerability in question. Some vulns are continuously exploited for long periods of time. Some are just a flash in the pan. Exploits of others come in fits and starts. Some real-world examples of these patterns are demonstrated in the chart below, which depicts observed exploitation activity for five CVEs over the course of 2023. #vulnerabilitymanagement #vulnerabilities #vulnerabilityexploitation #cyberattacks

148

30 Comments

ATTENTION: HEALTHCARE BOARD MEMBERS AND C-SUITE EXECUTIVES. ODDS ARE YOUR ORGANIZATION HAS NOT CONDUCTED AN OCR-QUALITY® RISK ANALYSIS! Shocking? NO! Since ... 90% of the organizations subjected to an OCR investigation involving electronic Protected Health Information (ePHI) are found to have failed to conduct the very first requirement (risk analysis implementation specification) in the very first standard (Security Management Process) in the very first area (Administrative Safeguards) of the ol' HIPAA Security Rule. OCR Audits produced equally dismal compliance findings. How can you address your cyber risks if you don't know what they are? EASY FIX! Attend the upcoming COMPLIMENTARY Clearwater OCR-Quality® Risk Analysis Working Lab. #HIPAA #riskanalysis #riskmanagement #cyberriskmanagement #boardcyberoversight #boardofdirectors

2

State, County, and Local Governments in Florida, are you aware of the mandatory cybersecurity awareness training and cybersecurity for executives and managers? The Arruda Group is here to help you check this off your to-do list with a compliance logo for your website. Contact us today at (813) 382-0859 or training@arrudagroup.com to schedule your training and get your compliance logo. Let us help you focus on your job as a network fire fighter. #Florida #CybersecurityAwareness #ComplianceLogo #cybersecuritytraining

4

Great news from NIST as they adapt digital identity guidelines for state and local benefits programs. This collaboration with the Digital Benefits Network and the Center for Democracy and Technology to refine digital identity measures is a step in the right direction. It's essential to ensure that as we enhance digital services, we also safeguard privacy and equity, particularly in public benefits administration. Looking forward to seeing how these guidelines will foster more secure and inclusive digital environments. https://bit.ly/3KYuH5J

22

Protecting your personal accounts is critically important in today's digital age. Two weeks ago a family member called me because they were locked out of their Google account. No MFA. We eventually got lucky and restored access, but MFA would have turned this temporary crisis into a nothing-burger. I re-recorded my video to demo how to set up MFA on your Google account, now including Passkeys. I tried to make this easy and accessible for everyone, no matter your technical knowhow. If you have family and friends who you know are not using MFA, send this video along! I've annotated the sections so you can jump right to the demos if you like. Enjoy!

18

2 Comments

This is going to get interesting: https://lnkd.in/gTTaWP4G

5

1 Comment

Exciting to analyze the latest insights from the Boeing Ransomware incident. We're seeing notable trends emerge that underscore the evolving landscape of cybersecurity threats for manufacturers. Firstly, the myth that manufacturers are immune to cyberattacks is crumbling. Many have believed they aren't prime targets due to limited personal data holdings, but recent events prove otherwise. Ransomware isn't solely about PII—it's about halting operations until demands are met, hitting manufacturers hard. Secondly, the ransom amounts demanded are soaring. The ransomware industry has matured, with negotiations becoming more complex and costly. A $200 million demand might seem steep, but for Boeing—a company with a substantial market cap (157 Billion in 2023) —it's a calculated fraction, albeit a painful one. Thirdly, Boeing's resolute stance against paying the ransom is commendable. Companies are increasingly refusing to yield to extortion, despite facing fallout like data leaks and disruptions to relationships with customers and partners. These trends underscore the urgent need for heightened cybersecurity measures and resilience strategies across industries. Let's stay vigilant and adaptive in the face of evolving threats. #Cybersecurity #RansomwareProtection #Boeing #Drip7 #Cybersecuritytraining

12

1 Comment

Fifteen years ago, IT Security was a backstage concern🔒. Fast forward to today, it's a boardroom staple📈. Yet, Abuse Management remains outside the boardroom's purview. Why the lag, and how do we bridge this critical gap?🤔 Abuse Management, the dark horse of organizational safety, is often overlooked but carries vast implications for user trust and safety🛡️. As digital platforms💻 become the lifelines of our economy, the urgency to protect users from abuse has never been higher. But here's the kicker: Abuse Management isn't just a safety net; it's a strategic advantage💪. It speaks volumes about a company's commitment to user safety, trust, and the overall quality of the digital experience. This is the narrative we need to bring into the boardroom🏢. How do we elevate Abuse Management to the boardroom level quickly? 1. **Quantify the Impact**: Start by translating abuse incidents into business metrics. Highlight the direct correlation between user trust, platform safety, and the bottom line💰. 2. **Educate and Advocate**: Board members may not be aware of the significance of Abuse Management. Create briefs, present case studies, and show the tangible benefits of proactive abuse management strategies📚. 3. **Integrate with Corporate Governance**: Embed Abuse Management within the broader corporate governance framework. This elevates its importance and ensures it's a regular item on the agenda, not an afterthought✅. 4. **Leverage Technology**: Demonstrate how innovative technologies can streamline Abuse Management, making it necessary, feasible, and efficient🚀. It's time to challenge the status quo. Let's not wait another 15 years to prioritize Abuse Management in the boardroom. Engage, discuss, and share your thoughts below👇. How can Abuse Management be a boardroom topic today, not tomorrow?

12

3 Comments

NEW PODCAST with Kevin Johnson, CEO of Secure Ideas, LLC and Elected Board Member of the OWASP® Foundation. My favorite part (aside from the chat about Star Wars and the 501st Legion) is the informational bit about Identity Protection Services and what to do if your email or personal info has been found in a data breach or on the dark web. That was eye opening for me.   He also breaks down the differences between all the cybersecurity conferences and picks his favorites. I plan to see him later this year (Sept 13th) at the BSidesRDU conference where he’ll be speaking. He raises awareness about the need for more corporate funding and memberships for OWASP® Foundation. They create free cybersecurity tools and resources. If you or your company values cybersecurity and wants to support OWASP consider becoming a member. For individuals, membership is only $50/year. He had the absolute best reaction I’ve ever heard when asked if he was optimistic or pessimistic about AI. I’ll be stealing that moving forward.   Had a blast talking with you Kevin Johnson! Thanks for joining man! Hope you crush it this morning on stage at RSA. 🚀   BTW – I’ll gladly take that extra TIE Fighter costume off your hands and put it to good use for the Carolina Garrison. 🤘   Timestamps: 2:56 – 501st Legion 12:10 – How Kevin landed in Cybersecurity 18:24 – Dealing with Recruiters (or not actually) 21:13 – They Ask, You Tell - Marketing Method 25:10 – Demand for Pen Testing & Vulnerability Assessments 27:11 – Difference between Pen Testing & Vulnerability Assessments 32:57 – Identity Protection Services & Data Breaches 38:15 – OWASP Foundation (he is an Elected Board Member) 46:01 – SamuraiWTF (Web Testing Framework, not that WTF) 47:07 – Cybersecurity Conferences he Attends & Speaks at 51:25 – Differences between Cybersecurity Conferences 55:21 – Top Sources of Info / 3 Recommended Newsletters 56:20 – AI Concerns (Pessimistic or Optimistic?) 59:56 – Recruiting Bots (should I be worried?) FOR JOB SEEKERS: I offer a 45 minute consultation for $250 which includes a resume & LinkedIn profile review, career positioning & job search advice, and elevator pitch refinement. Afterward the meeting you'll receive an updated resume in word and PDF format, directions on updating your LinkedIn profile section by section, and a custom LinkedIn banner to upload. Use this calendar link to schedule a consultation: https://lnkd.in/ed2K9jmV FOR HIRING MANAGERS: I'm actively seeking new job orders to work on. If you need recruiting support, schedule an intake meeting using this calendar link: https://lnkd.in/ewWttFcZ Or skip the meeting and fill out a New Job Order Search Request Form: https://lnkd.in/e245GVGX I'll review and get back to you ASAP if it's something I can help with. Watch on YouTube or Spotify - https://lnkd.in/e3PPWDcw

24

5 Comments

Secure by design. Assume breach. Shift right. TDIR. Threat-informed defense. Anti-fragility. ...I'm liking the trends in defensive thinking that I'm seeing at the moment, fundamental truths of information entropy and the defenders dilemma starting to appear in forward planning. In many ways this harks all the way back to to v1.0 of antivirus, which taught us the fragility of deny-lists, and the resilience of allow-lists. The speed of technology combined with the speed of adversarial innovation necessitates flipping the script.

65

17 Comments

Imagine being at the forefront 🚀 yet lagging in essentials.❌ XARF, which stands for Extended Abuse Reporting Format, is gaining popularity as the new standard for handling abuse reports.📊 It's not just a new standard, it's also becoming essential for effective digital communication📱 and security🔒. With dozens of reporters and hundreds of abuse teams already using it.👥 This is not just about adopting a format for Hosting Providers and other service providers. It's about commitment to safety, efficiency, and responsibility.🔐 If your systems balk at handling XARF or flinch at attachments in ARF or ACNS, it's more than a technical glitch.⚠️ It's a failure to meet the basic standards of your role in the digital ecosystem.⚡ Not being able to process these reports isn't a tiny oversight; it's a glaring gap in your capability to safeguard your network and, by extension, your users.👨‍💻 In a world where digital security is paramount, being unprepared is inexcusable.❗ Upgrade, adapt, and take action.📲 Your network's safety and users' trust depend on it.💼 Let's not wait for sympathy.🕓 Let's strive for excellence.🌟 Your move.🎯 What's it going to be?

10

Tactics over tools. Boy, I say that a whole lot. It's one of the core value props for PowerPSA Consulting But just had another reminder of it this morning. Look at the picture - which would you choose? On the left is the marketed version of a "top of the line" chicken waterer and deicer. about $140 bucks. It's what we bought when we got our first 6 chickens 2 years ago. Since then: - Found the chickens kick crap in it all the time. - Filling is an absolute pain; takes 15 minutes. - On really cold days, the edges freeze out. - Rusted out and unusable after 2 years. On the right, I present the $5 bucket (with a $35 deicer dropped in). $40 total. - High enough that stuff doesn't get kicked in... - If it does, settles to the bottom; fresh water! - Filling? 5 seconds to spray from the pump. - Open water all winter - even in -20 temps. - No rust. if it ever breaks, only $5 bucks. 🤦‍♂️ Got tricked by the marketing... How often do we as MSPs get caught up thinking a shiny tool is going to solve our problems? We'd probably be better served getting our processes and systems aligned so that the tools we *are* using are maximized, and new tools actually have the intended effect. So, take it from me (and the chickens)... Tactics over tools. #cybersecfarmers

33

11 Comments

One hundred and thirty eight billion in losses per this article. I share this to help senior executives and board members gain understanding and ultimately support to fund the evolution of Third Party Risk Management. The professionals in this space are some of the hardest working dedicated folks I know. They deserve to be heard as they articulate the depth and breadth of this challenge and the resources needed to address it. Tomorrow is the Third Party Risk Association (TPRA) - Third Party Risk Management virtual solutions conference. It’s time to evolve. Join us. Owlin

7

1 Comment

Lots of talk at #RSAC2024 about #nationstate threat actors and the risks they pose. Is that what we should be focusing on? Probably not. More on this week's Intentional Brief from Intentional Cybersecurity.

4

1 Comment

This breach at #GlobeLife serves as a reminder that security isn't a one-time setup — it's a continuous process. Regular audits of access permissions and user identity management are essential. Orgs have to continuously evaluate their security posture to address vulnerabilities before they are exploited.

3

Taking a look at what's new in cybersecurity news today, Frontier Communications is working to recover from a cyberattack. This has led to compromised personally identifiable information (PII) and required them to partially shut down systems. The culprit? Allegedly a cybercrime organization that gained access to Frontier's IT infrastructure. Operations have yet to return to normal while they undergo an investigation into the attack. Customers are struggling to get service from the telecom provider. To learn more about the status of Frontier, check out the link below. https://lnkd.in/ewh4aVbf #cybercrime #cybernews #cybersecurity #recovery #cyber #cyberattack #itinfrastructure #managedit #cybersecurityservices #pii #investigations Roman Shraga Evelina Fishman Neil Konstantoulas Carin Weiss Frank Binder Kenny Kulesz Keenen Reynolds

4

"Unlike many of the 8-K filings companies have submitted to the SEC following cyberattacks, Bassett Furniture admitted that the attack 'has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed.' The attack comes as the tempo of 8-K filings to the SEC about cybersecurity incidents continues to increase precipitously. Controversial rules requiring companies to quickly disclose financially “material” cybersecurity incidents took effect for most companies on December 18, but smaller companies were given an extra 180 days to comply. ” How much down time can your organization withstand before a "material" or existential impact? #cybersecurity #cybercrime #cyberwar #infosec #businesscontinuity #BCP #DRP #manufacturing #advancedmanufacturing

1

Coalition, Inc. provides a unique perspective on cyber threats and trends in their 2024 Cyber Claims report, which reveals that over half of all cyber insurance claims in 2023 originated from email-related frauds like funds transfer fraud and business email compromise. The report also notes an increased risk from boundary devices such as firewalls and VPNs, with businesses using vulnerable devices like Cisco ASA and Fortinet being significantly more likely to file a cyber claim. Additionally, the report highlights an overall increase in the frequency and severity of cyber claims, including a significant rise in ransomware attacks and their associated costs. Blog: https://lnkd.in/eYixsgdA PDF: https://lnkd.in/enyRpnu3 Claims 2024 Download: https://lnkd.in/ecu_43zZ Threat Index 2024 Download: https://lnkd.in/eEhyFVtw #Coalition #cyber #risk #insurance #cybercrime #threat #CTI #threatintelligence #ransomware #exploits #cyberclaims

33