Feds Move Toward Mandatory Cybersecurity

Mandatory cybersecurity is coming, according to details published by Slate of the Biden Administration’s National Cybersecurity Strategy now circulating in Washington. The document, which is expected to be approved in the coming weeks, details significant, meaningful changes in the way the United States approaches cybersecurity that every business owner needs to understand.

Mandatory Cybersecurity Is Coming to Some Sectors

Over the last few decades, as business owners know, cybersecurity has been voluntary. Business owners faced costly liability for failing to secure customer data, including the costs of credit monitoring and lawsuits, but there were no cybersecurity regulations or mandates. Government relied on conscience and customer pressure to convince business owners to do the right thing.

In recent years, the failure of the voluntary cybersecurity model has been plain. Cyber attacks have reached record highs each year. The most brazen attacks have gone after municipal government systems and what the Federal Government defines as “critical infrastructure”: pipelines, water supplies and electrical systems. The new guidelines present a direct response to the failure of voluntary compliance, and while their initial reach is limited, they point to a future of growing government oversight and regulation.

There are two main components to the Biden Administration plan:

  1. The United States Government will take direct action against cyber criminals. For the first time, the government will conduct offensive cyberattacks, under the supervision of the FBI’s National Cyber Investigations Joint Task Force. Organizations that conduct repeated attacks against U.S. targets, or that attempt to infiltrate critical infrastructure, will now face retaliation designed to degrade and destroy their capabilities. This is, essentially, a declaration of cyber war on hackers.
  2. Mandatory cybersecurity requirements will apply to organizations with critical infrastructure, including banking, utilities, telecommunications and emergency management. In areas where the Biden Administration lacks the authority to impose mandatory cybersecurity via an executive order, it is expected to seek Congressional authorization to do so.

Every U.S. Business Will Be Affected

The new U.S. government approach to cybersecurity reveals frustration at the current state of cybersecurity defenses. Although it will target critical infrastructure initially, these regulations will eventually impact any organization that conducts business online or uses the Internet for communications.

Directly and in the short term, any business that works with or supplies an organization subject to these rules will be required to follow them as well. Expect compliance with these rules to be part of any service or sales contract for businesses that support, supply or collaborate with critical-infrastructure organizations. Law firms and managed service providers will be among those facing new regulations before the end of 2023.

Over the long term, the standards developed to protect critical infrastructure will be handed down to all businesses and likely enforced at the Federal level. Those standards are not currently known, but based on FTC Safeguards Rule compliance, they are likely to include end-to-end encryption of all data, regular employee training and penetration testing, and restrictions on how and where data can be stored. Some level of certification or accreditation for cybersecurity oversight is also likely. Business owners in some sectors, including banking, mortgages and real estate appraisals, already must file compliance paperwork, along with third-party vendors who support these businesses. Those requirements will eventually extend to all businesses and will present particular problems for those who develop their own software, apps or websites.

Businesses must begin to prepare now for tighter cybersecurity regulations, which will fall into three categories:

  1. Hardened Infrastructure: All systems will need to be secured and all data will need to be encrypted. Passwords will need to be strong, and two-factor authentication is likely to become mandatory.
  2. Employee Training: Cyber security awareness and anti-phishing training will be required on an annual basis. Employee response testing may be a requirement as well.
  3. Breach Monitoring and Response: Businesses will be required to monitor for data loss and intrusions, and to have written policies to respond to cyber attacks, which will include notification requirements both for law enforcement and customers.

By taking a comprehensive approach to cybersecurity now, businesses will find it easy to pivot to any new mandatory cybersecurity requirements. Businesses that already have some level of security in place may find it helpful to employ a Virtual CISO to review threat readiness and compliance, if only to establish a relationship with a cybersecurity professional in the event that new regulations require one.

Protect Now provides complete cybersecurity training and compliance support for small- and mid-sized businesses, specializing in the real estate, legal, managed hosting and municipal sectors. Our services can be customized to meet your specific needs and to work with legacy systems and decentralized operating environments. Contact us online or call us at 1-800-658-8311 to speak to a cybersecurity professional.

Ransomware Group Posts Sensitive Police Files to Dark Web

A ransomware group known as Vice Society has taken credit for an attack on California’s Bay Area Rapid Transit (BART) police that saw unredacted police reports published on the Dark Web. A review by NBC News found six documents that included information on endangered children, including names and birthdates. Anyone named in a BART police report may be impacted by the leak, which included more than 120,000 documents.

The Dark Web Threat from Ransomware

Risks from ransomware have changed over the last several years. These were once regarded as nuisance attacks on unwary, underprepared victims, who would have their systems and data held for a cryptocurrency “ransom” that would buy a decryption key. Threats to post data on the Dark Web were typically an intimidation tactic aimed at victims who refused to pay the criminals.

Hackers have since evolved their tactics and methodology. Ahead of a ransomware attack, it is now common for hackers to create a duplicate of the target’s data and systems. This allows them to ask for two ransoms: one to decrypt systems, and a second to keep data off the Dark Web. This allows criminals to make twice as much money as they would from a straightforward ransomware attack. Paying the ransom is no guarantee of protection; criminals will post the data online if they believe they can monetize it. Certain types of data, including credit card numbers, Social Security numbers and passwords, will almost certainly be sold by hackers.

The Dark Web Threat Against BART

Reporting on the recent BART hack suggests that only part of the police department’s system was compromised. This is similar to another attack against The Guardian, which saw criminals exfiltrate personal information, including passport data and bank accounts. Those data, which have not yet been published online, were acquired as part of a wide-ranging attack against the media stemming from a phishing attack.

In BART’s case, investigators suggested that criminals published the police reports to the Dark Web as punishment for failing to pay the ransom. The risk remains for The Guardian; once criminals have sensitive data, they are likely to try and make money through future extortion attempts or simply by selling it.

This exposes one of the hidden threats that criminals exploit: less-secure systems connected to highly secure systems. BART revealed that criminals only breached the system that held police reports, while The Guardian faced a wide-ranging attack that succeeded in exfiltrating a subset of personnel data.

Both cases could point to systems that are partially but not fully secured. In many organizations, there are dedicated systems for functions such as document storage or HR. Access to these systems may have robust front-end protection but lack defenses against an intruder who has already breached the front end. In other cases, access to data-use and retrieval systems may be secure, but the data are held in a less-secure environment.

These situations arise when organizations rely on older systems or third-party solutions, which is often necessary. Any integration between systems generates potential cyber risk. Sensitive data are coveted by cyber criminals, who will find any way to access the records themselves, with or without access to systems normally used for data retrieval.

Dark Web Monitoring Reveals Breaches

Regular Dark Web monitoring is the best protection against breaches and ransomware attacks. In some cases, Dark Web chatter can alert an organization to a pending attack. Dark Web monitoring can also reveal a breach, if regular review discovers new or unexpected data circulating or offered for sale.

Every organization that collects and stores sensitive data, which include any non-public records about employees, clients or business operations, should know what is already on the Dark Web and have alerts in case new data are found. Protect Now provides affordable Dark Web monitoring as part of our cyber security suite built for SMBs in the real estate, legal and financial sectors. We also offer Virtual CISO services that can help organizations integrate and secure legacy and third-party systems, as well as cyber security training to prevent phishing attacks. To learn more, contact us online or call us at 1-800-658-8311.

Let’s Be Honest About SMB Cybersecurity Risks

There is a disconnect between the reality of small- and mid-sized business (SMB) cybersecurity risks, the way SMBs think about them and the services that cyber security companies offer. This disconnect is most obvious for law firms and real estate agencies that may have office WiFi, or even a cloud-based server, but that lack central IT and cybersecurity support.

Everyone at the firm or agency has their own laptop. They likely use their own devices for work at home. They use their own phones at all hours of the day to conduct business. If this describes your SMB, then this cybersecurity guidance is for you.

Let’s start by dispelling the biggest SMB cybersecurity myth:

SMBs Face Lower Cybersecurity Risks

You run a small firm or agency. You have no custom code or central client database loaded with credit cards or passwords for criminals to steal. No one would bother to target you.

This is at once true and untrue, and this is the largest source of the disconnect between SMBs and cybersecurity firms. The attacks that make headlines involve the theft of tens of thousands of customer records, or disrupt operations that impact thousands of customers. It is true that the cyber criminals and state-sponsored attackers who commit these crimes are very unlikely to target a single-office law firm or a Main Street real estate agency.

But those crimes are just the tip of the iceberg. The most recent report from the Anti-Phishing Working Group (APWG) documented 1,270,883 phishing attacks in the third quarter of 2022, the third quarter in a row to see a record number of these attacks. The report also revealed that U.S. businesses are the most frequently targeted by ransomware attacks and are nearly five times more likely to report one, accounting for 39% of all attacks reported. England and France tied for the second-most targeted, with 5% of ransomware attacks each.

Legal services accounted for 5% of ransomware attacks in the third quarter of 2022. These attacks happen because the majority of criminals are simply trolling for easy targets. If you have a website, if you have a LinkedIn presence, if you have a social media profile that identifies what you do, you are a target.

IT Providers Protect Online Systems

A firewall is not sufficient cyber security, and even the best protection can fall to a basic phishing attack. Law firms, real estate appraisers, small insurance agencies and real estate professionals are uniquely vulnerable to phishing because employees deal directly with a large number of clients on an irregular schedule. Opening attachments, handling sensitive information and responding to emails are all part of the job. Amid a flood of emails, it is easy to click the wrong link or respond to the wrong address. Criminals know this, and low-level cyber criminals target small firms and agencies looking for vulnerabilities.

Your IT provider may do a good job of keeping your systems running, protected and patched, but they likely do not provide ongoing anti-phishing training and simulated attacks that improve awareness. Without regular training and reinforcement, you are vulnerable to an attack.

Technical cyber security controls also do little to prevent Business Email Compromise (BEC) attacks, where criminals impersonate your employees or clients in an attempt to steal money. Vigilance is the only way to thwart these criminals.

Law Enforcement/Our Insurance Company Will Protect Us

Anyone who has been a victim of a low-level cyber attack will tell you that there is little to nothing that law enforcement can do. Local police, even state police and the FBI, have little authority to prosecute crimes launched from overseas, outside their jurisdiction. In most cases, they lack the ability or resources to properly investigate low-level cyber crimes. You will be told to pay the ransom or write off the monetary loss. They will collect details on the crime, and some day years from now you may get a tiny fraction of restitution. None of that will get your systems running again or repair the reputational damage a cyber attack can cause.

Insurance may cover your losses, but only if you are in full compliance with the terms of your cyber liability insurance policy. You may be required to have a CISO overseeing your systems, or to provide regular cyber security training to file a claim.

SMBs Have Limited Liability for Cyber Attacks

This situation is changing. From the expansion of the FTC Safeguards Rule, which mandates SMB cybersecurity for any business defined as a “financial institution” by the Federal government, to the suspension of a municipal IT director, to government sanctions against the CEO of Drizly, regulators are placing a far greater burden for strong cyber security on employees and business owners. This situation is similar to the fallout from the Enron scandal, which led Federal regulators to require executives and CPAs to sign off on all financial reports under the penalty of fines or prison time if they knowingly misrepresented results.

A similar trend is taking shape around cyber security. Faced with growing complaints from cyber crime victims, the U.S. government is placing the burden of developing and following best practices on the shoulders of business owners, with no exception for SMBs.

Existing Cyber Security Solutions Are Unaffordable

This is the last major disconnect in SMB cybersecurity. The online conversation is driven by big firms that serve big clients, leaving a gap for SMBs that lack full-time CISOs or centralized systems. In some cases, the services offered are incompatible with the way small firms operate. You may not have the ability or employee support to restrict the use of devices, manage all communications through a central source or send the staff off for a week of training.

A cursory search of the options available can be disheartening, especially for SMBs that know they need help but have no idea where to begin. Protect Now exists to fill this gap. We built our business around the cyber security needs of real estate agencies and financial services providers, helping small and mid-sized firms get the training and support they need to conduct business efficiently and safely. We welcome all SMB cybersecurity inquiries and can tailor a program to meet the specific needs of your business. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.

2013 Boston Marathon: My Best Worst Day Ever

Front Page Boston Globe Robert Siciliano Above the Fold

Like Big Papi said, “This is our f–king city.” It’s the 10th anniversary of that beautiful, tragic day. The new Netflix documentary “American Manhunt: The Boston Marathon Bombing” has me sobbing in my kitchen. I’ve watched the movie Patriots Day with Mark Wahlberg countless times. This week I was asked to speak at a high school on my 12 years of Boston Marathon preparation and fundraising, and the planner asked about the possibility of me discussing my experience on Boylston St that day, which I wasn’t expecting to do. And leading up to the moment I got on stage, I didn’t realize how shaken I still am. I could barely talk without my voice cracking. Thankfully, the moderator kept the dialog light and we talked about the training, fundraising and fun memories.

And here’s the thing, NOTHING HAPPENED TO ME. Nothing happened to anyone in my family. My wife and two little girls, my dad, my sister-in-law, and some friends were all at the finish line, 100 yards away from the first bomb, which scared the hell out of me, but still. Completely unscratched. I just saw some sh#t. Ran right by it actually, which is part of the problem. That’s it. But it haunts me. And it makes me think about actual front line military, law enforcement and paramedics who deal with violence, trauma, and tragedy as a vocation. How do they even deal?

Training for a marathon is a taxing, physical, emotional and expensive process. For me personally, that has meant multiple cortisone shots, almost a hundred physical therapy appointments and a few arguments with my wife. Why do it? Why climb a mountain? Why be a police officer? Why be an emergency room nurse? Why detonate a bomb in a crowd of innocent people? We all make choices others wouldn’t and we justify our decisions based on our interests, options and perspective.

Shortly after the bombings, evacuating the city, carrying my 40lb child after running 26 miles. Hurt, angered, saddened and grateful to get to my family.

For me, I just wanted to lose weight, get fit and finally give back to a charity. When you’re 50 with a young family and your health and marriage are good, bills are paid and life is settled, words like “health,” “gratitude” and “grace” begin to have more meaning. And when you become a runner, you join a special club of conscious people who enjoy challenging themselves and understand our time is limited.

In 2013 I was on my way to run about a 4:10 (my best time ever), but was stopped at mile 26 due to some terrorists’ agenda.

During the 2013 Boston Marathon, my improved time put me on Boylston Street shortly after the blasts. There were two loud bangs, and as I rounded the corner I saw the finish line through dissipating smoke. Boston police immediately corralled runners from going any farther down Boylston because it was now a volatile area and potential crime scene. At 2:52 PM I called my wife, who was at the finish line, about 100 yards from the first bomb, and got no answer. A minute later, I got my dad on the phone; he was with my wife and the kids and he confirmed they were OK. I instructed him to leave ASAP, as another bomb could go off any moment. I told him to “walk down the center of the street and avoid any cars!”

But nothing was going to keep me away from them; I couldn’t just sit there and wait. In my mind, there were bombs going off between my family and myself. As a father, son and husband, the instinctual need to get your family to safety overpowers every sense of reason. I dodged a couple of police officers and ran down Boylston, the only runner on the field, putting myself in jeopardy and now also causing law enforcement to chase after me. At the 26-mile mark, I saw people on the ground, bloody and getting medical attention from the few paramedics that were on hand to take care of runners expected to be injured in more predictable, less violent ways. I made a decision to keep going. Which still doesn’t sit well. It felt like a 3D movie where the scene was pushing me back in my chair, but the sound was off. I know the scene was loud with sirens and screams, but I heard nothing.

Then I heard an angry cop (rightly so) blasting his voice in my ear before he wrestled me off the course. Eluding further apprehension, but onward to my family, I hopped a fence and ran down a back alley behind the restaurants, bars and shops that were evacuating people through their back doors. What I saw was people—many victims who must have made their way on their own or with the assistance of others—screaming, crying and making frantic phone calls…and there was blood. Some victims I saw lost anywhere from pints to whatever; I don’t know. I just remember freaking out and not wanting to run in it.

I ended up behind the finish line and found a way to cross Boylston. I made my way to the Westin Hotel, where I found my family, scooped up my four-year-old and hiked another half mile to my vehicle. Leaving behind two vehicles, we piled nine adults and children into my Yukon and evacuated.

Maria Menounos and Me at the Media Compound the day after.

Out of relative danger, our attention now turned to our two children and damage control. To gauge my seven-year-old’s feelings, I calmly asked her, “Did you have fun today?” She said, “Yes, today was awesome! Until the bombs went off!” Knowing she was shaken, the radio stayed off and adults did what they could to speak in code. Note to adults who may try this: It doesn’t fool a seven-year-old.

By this time my phone was going nuts, Facebook and Twitter were buzzing and my mother, who couldn’t get in touch with us, was in complete meltdown.

Once I got home and got the kids situated, we ordered a bunch of pizza because that’s what you do when a bomb goes off. People need to feel normal.

My mom showed up at our home shortly after we got there. She was a total mess, and after the kids saw her emotional state, they understood the gravity of the situation. Today, they are showing a tremendous amount of affection and gratitude, which seems to be a side effect of their trauma.

I posted a brief note on Facebook: “I’m OK, I was on Boylston St. when it happened. I saw smoke, I saw blood and people on the ground. My family was 300 yards away, waiting for me and I got to them and evacuated from the city. More later.” And the comments and “likes” poured in.

Shortly after, I provided an update: “I was right there, bomb went off. Boston police removed everyone, I kept running toward the bombs because my family was at the finish line. Police got me off the road, I resisted then another cop almost tackled me (rightly so). I ran in the back alleys, people spilling into the alleys from the explosion, screaming, crying, blood, got my dad to get my wife and kids out of there concerned for another explosion. I’m telling it to Dr. Drew on CNN between 9:15ish and 9:30ish tonight.”

Again, comments poured onto my page like never before. People offering an outpouring of help and support. I never knew I had that many real friends.

I feel I have to explain the part about Dr. Drew and CNN. It may seem opportunistic, but frankly, for me, it’s therapy. I do lots of media as the expert. My network is “the media.” So when I send a blast email to raise money for charity, my network knows I’m running the Boston Marathon. When I logged into Facebook and email, the requests came in from CNN, Extra and Canadian TV, along with a few radio shows too. So I spent the evening after the run as an eyewitness. And, because it’s who I am, I gave security tips too.

My Rockstar cousin, who is an Iraq and Afghanistan soldier and flies one of those crazy killer helicopters, reached out to me via Facebook and said, “I think your situation was much worse than many Middle East situations I’ve been in.” Which I thought odd because he’s had his best buddy blown up right next to him. Then he said, “When I deploy I’m armed, geared up and expecting to fight. You were at a peaceful gathering around families and innocent civilians, not expecting bombs. That makes it much worse.”

We accept the possibility of death and destruction when we sign our contracts. I’m sure no one who signed up for the marathon expected this.

This completely messed me up, putting into perspective just how awful this situation is.

I only slept three hours that night, on edge, emotional and fragile. The next day, I headed to the media compound near Boylston to meet with Maria Menounos from Extra, who is a Greek Boston girl. I connected with Maria, and within two minutes we were both crying. She started talking about how she loves Boston so much, then I started crying, then she started crying…which completely messed me up. I tell you this because she told me people should know this is real and they can’t forget. She was professional, but she was real. She put me at ease and we got through the interview.

Since then I’ve done more media on this than I wished, including the Boston Globe, Dr. Drew, Extra, Current TV, Canadian TV again and again, Fox Boston and some radio.

In early May after the blasts, I was asked to speak to the North Eastern Massachusetts Law Enforcement Council on the benefits of social media to law enforcement and how social can help get the word out in a tragedy. When I walked into the room to speak, everyone was in uniform. What I didn’t know was many of the men and women attending were the first responders saving lives at the finish line, and others who were involved in the capture of the bombers.

That was a very emotional speech for me. Check out the Huffington Post’s blog on how the Boston Police did a stellar job using Twitter during the bombing.

Cowboy Hat-Wearing Boston Marathon Hero Carlos Arredondo and Robert Siciliano

At this point, my family and I are safe, like most of America. Emotions are still high for some. Even as I update this post from 10 years ago it’s messing me up. We were and still are angry. This celebratory event will forever be marked by the visual of a plume of smoke that symbolized the evil intent of misguided people that do not value human life and have no regard for our freedoms.

We caught the bastards and while there are no real answers, we may never get them. The movie Patriots Day actually did an amazing job of telling the tragic story through a composite character. And the Netflix doc really brings it home.

On behalf of my Boston, we are proud of our city, its first responders and its people, who showed the true measure of the human spirit through powerful acts of kindness and displays of citizen courage. We are strong as a city, undivided as a country and unbowed by this attack. No terrorist will be allowed to alter our nation’s course.

Robert is running his 12th Boston Marathon for Dana-Farber Cancer Research Institute. Please consider a donation: http://danafarber.jimmyfund.org/goto/robertsiciliano