<p>software - All Articles - CISO Platform<br />2024-03-28T15:53:03Z<br />https://www.cisoplatform.com/profiles/blogs/feed/tag/software</p><p><strong>Is the MSI Hack an IT Supply Chain Attack?</strong></p><p>https://www.cisoplatform.com/profiles/blogs/is-the-msi-hack-an-it-supply-chain-attack<br />2023-04-25T16:41:58.000Z<br />Matthew Rosenquist (https://www.cisoplatform.com/members/MatthewRosenquist)</p><div><img src="https://storage.ning.com/topology/rest/1.0/file/get/11036073661?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">When I heard of the MSI compromise, I had similar fears of an IT supply chain attack. However, after walking through the logic and high-level details, I felt that the current attack was unlikely to be a sophisticated play to compromise downstream consumers of MSI products.</p><p class="graf graf--p">The cybersecurity risk assessment logic:</p><p class="graf graf--p">Although adding a trojan to an update file is easy, firmware exploitation that includes remote telemetry, backdoors, and software surveillance is much more challenging, certainly difficult enough to require significant time, development, and testing resources — something a nation-state would likely be willing to commit and able to accomplish.</p><p class="graf graf--p">A ransomware/data breach of a hardware/firmware organization is a much simpler matter. Compromise the system, exfiltrate the data, and encrypt key data systems. This is the happy domain of cyber criminals looking for a quick payout.</p><p class="graf graf--p">Ransomware activities are loud, brash, and obvious. Whereas if an attacker spent the requisite effort to compromise the firmware with the intent of a supply chain attack, they would want to be as clandestine and stealthy as possible, so victims remain unsuspecting for the longest possible time.</p><p class="graf graf--p">MSI was confronted with ransomware and extortion demands. 
If we apply Occam’s razor and look at the least complicated scenario, then it seems like they have been victimized by cybercriminals seeking personal financial gain and not a nation-state looking to conduct a sweeping supply chain attack against MSI customers.</p><p class="graf graf--p">Theories are great, but I am really glad the Eclypsium team took a look at the actual low-level data to confirm. See their report at <a class="markup--anchor markup--p-anchor" href="https://eclypsium.com/blog/msi-incident-part-2-binary-analysis/" target="_blank">https://eclypsium.com/blog/msi-incident-part-2-binary-analysis/</a></p><p class="graf graf--p">But now that nation-states have access to MSI data, it seems like a great opportunity for them to explore if they could accomplish a supply-chain attack that meets their objectives. The exposure of MSI data has enabled more serious attackers. I fear this story is not over. If an aggressive nation chooses to develop a sophisticated exploit, the customers of MSI may be in real trouble!</p></div><p><strong>The Problem of Banning Offensive Technology Sales</strong></p><p>https://www.cisoplatform.com/profiles/blogs/the-problem-of-banning-offensive-technology-sales<br />2021-11-26T17:53:01.000Z<br />Matthew Rosenquist (https://www.cisoplatform.com/members/MatthewRosenquist)</p><div><img src="https://storage.ning.com/topology/rest/1.0/file/get/9853247859?profile=RESIZE_400x&width=400"></div><div><p class="graf graf--p">I like the concept of ‘banning’ the sale of offensive cyber weapons to potential adversaries, but what defines technology as offensive versus defensive?</p><p class="graf graf--p">Israel just announced it will ban the sales of hacking and surveillance tools to 65 countries: <a class="markup--anchor markup--p-anchor" href="https://amp.thehackernews.com/thn/2021/11/israel-bans-sales-of-hacking-and.html" target="_blank">https://amp.thehackernews.com/thn/2021/11/israel-bans-sales-of-hacking-and.html</a></p><p class="graf graf--p">Tech is just a 
tool. It is how you use it that will determine if it is offensive or defensive.</p><p class="graf graf--p">Is a vulnerability scanner offensive? Sure, attackers can use it to find weaknesses to exploit in their targets. However, in the hands of the cybersecurity team, it is used to identify vulnerable systems that need to be patched, thereby improving security.</p><p class="graf graf--p">Perhaps, such bans should apply to all digital technology. If you don’t trust how potential customers may use a tool, you shouldn’t be selling them anything. But in doing so, you limit the prosperity, influence, and value of your own organizations.</p><p class="graf graf--p">Finding a practical balance is very difficult. Not sure any country has it figured out, but it is something that needs to be done.</p><p class="graf graf--p">Cyberethics must play a more prominent role in our global digital ecosystem!</p></div><p><strong>Vendor Security Assessment Checklist to Evaluate IT Project Vendors</strong></p><p>https://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-it-project-vendors<br />2014-06-24T14:30:00.000Z<br />pritha (https://www.cisoplatform.com/members/pritha)</p><div><p><a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-it-project-vendors" target="_blank"><img src="http://i62.tinypic.com/30l06ra.jpg" class="align-left" alt="30l06ra.jpg" /></a>For many organizations the success or failure of IT initiatives is predicated on the selection of the appropriate technology vendor. Despite the critical nature of this process, many organizations underestimate the time and effort it takes to make a well-informed decision. This article, drawn from my personal experience and learning while doing complete IT projects in Pay Point India, is meant to serve as a guide to help you understand and think through the critical steps in the vendor selection process.</p>
<div><p>As you read this, please keep in mind that as an organization goes through the vendor selection process it is not uncommon for other business processes or organizational needs to be revealed. It is important to remember that technology projects are often not just about the technology, but rather the health and effectiveness of the entire organization. This learning experience focuses on the process of selecting a vendor, and assumes that other important organizational change management issues are being addressed in concert to support this process.</p>
<p> </p>
<p><strong>Seven Step Model</strong></p>
<ul>
<li>ASSESS FEASIBILITY - Is this viable for my organization?</li>
<li>GATHER REQUIREMENTS - What does my organization need?</li>
<li>RESEARCH & REFINE OPTIONS - What solutions/vendors might fit my needs?</li>
<li>EVALUATE VENDORS - What is the best fit for my organization’s needs?</li>
<li>SELECT & ENGAGE VENDOR - Is this a reasonable price and contract?</li>
<li>MANAGE IMPLEMENTATION - Has the vendor delivered on its promises?</li>
<li>SUPPORT & MAINTENANCE - How will we maintain the solution and support it?</li>
</ul>
<p> </p>
<p><strong>STEP 1: ASSESSING FEASIBILITY</strong></p>
<p><strong>Organizational Readiness</strong> - Consider important elements to project success such as getting buy-in from staff and overcoming technology fears and resistance to change.</p>
<p><strong>Budgeting</strong> - Ensure that you have the appropriate budget level to successfully execute on the project. Make sure that your budget can withstand reasonable variances from original estimates. Technology projects have varying degrees of financial risk based on the complexity of the project. At a minimum, your project budget should be able to withstand a 15% variance.</p>
<p><strong>Staff Availability</strong> - Most technology projects require a significant investment of time by your organization’s staff. Your staff will be involved in many stages of the process, such as requirements gathering, training, testing, and disruptions during deployment. You will also need to designate a project advocate from your staff to manage the vendor relationship and internal resources associated with the project. Before embarking on any large technology project, ensure that your organization can free up time from the appropriate staff members to make this project successful.</p>
<p><strong>Sustainability</strong> - Ensure that you have the proper resources in place to sustain the technology at the conclusion of the project. This could include budgeting for ongoing support, hiring a technology manager, or giving ownership of maintenance to a staff member.</p>
<p><strong>Return on Investment (ROI)</strong> - Is the project worth the investment? Will it allow you to serve your constituents better or serve more of them? Will it improve your operations and/or lower costs?</p>
<p><strong>Arriving at a Decision</strong> - After careful review of the aforementioned factors, you are now ready to make a decision. Most organizations will have a clear “go” or “no-go” decision. If the limiting factor is budget or staff availability you may decide to opt for a “go-later” decision.</p>
<p>OUTCOME: “GO”, “NO GO”, “GO LATER” DECISION</p>
<p></p>
<p><strong>STEP 2: GATHER REQUIREMENTS</strong></p>
<p><strong>Review Business Strategy</strong> - Identify the business goals you hope to accomplish with this technology project.</p>
<p><strong>Ensure Alignment</strong> - Make sure that the application of technology will be an enabling factor and will not create a disruptive influence on the organization.</p>
<p><strong>Process Mapping</strong> - Document critical business processes that your organization performs. This understanding will be critical for a vendor to understand how its solution should be implemented at your organization.</p>
<p><strong>Process Re-engineering</strong> - Technology implementation often provides an opportunity to change the way certain business tasks are managed at your organization. Consider this element and make a determination if it would be valuable to include.</p>
<p><strong>Requirements Analysis</strong> - Identify critical requirements (such as number of users, current technologies in use, need for remote access, training, etc.) that you will need as a part of your technology solution.</p>
<p><strong>Prioritization of requirements</strong> - Prioritize your list of requirements and determine which ones are essential and which ones are “nice to have” but not required for success.</p>
<p><strong>Environmental assessment</strong> - If your project involves environmental or physical location factors, make sure a thorough assessment is conducted and that all findings are well documented. </p>
<p><strong>Technical assessment</strong> - Document your current technology and catalog all areas that may interface with your new solution.</p>
<p>OUTCOME: REQUIREMENTS DOCUMENT/REQUEST FOR PROPOSAL</p>
<p></p>
<p><strong>STEP 3: RESEARCH & REFINE OPTIONS</strong></p>
<p><strong>Buy/Blend/Build</strong> - Most technology solutions can be categorized into one of three areas: Buy an off-the-shelf solution, Build a custom solution, or Blend a solution by combining an off-the-shelf product with some customization.</p>
<p><strong>Establish Evaluation Criteria</strong> - Develop a set of criteria on which you would like to evaluate your prospective vendors. Appendix A has an example of some common criteria used in evaluations.</p>
<p><strong>Conduct Research</strong> - Use the resources at your disposal to learn more about existing products or solutions that could meet your needs. Discuss your project objectives with related organizations, trusted advisors, and technology consultants.</p>
<p><strong>Define Targeted List</strong> - Based on your requirements and your research into solutions, create a short list of vendors who may be able to meet your requirements. The size of your short list of vendors should correlate to variability in proposed solutions and project complexity. For instance, for a small defined project a short list of 3 vendors may be appropriate. For large complex projects with many different approaches, you may consider a list as large as 8 vendors. Make sure that you keep your short list of vendors to a manageable scale.</p>
<p><strong>Send RFP</strong> - Send the vendors your requirements information and ask them to submit a proposal. Typically requirements are sent in the form of a Request for Proposal (RFP) document.</p>
<p>OUTCOME: TARGETED LIST OF VENDORS/SOLUTIONS TO PURSUE</p>
<p> </p>
<p><strong>STEP 4: EVALUATE VENDORS</strong></p>
<p><strong>Evaluation Matrix</strong> - Develop an evaluation matrix (see Appendix B) to help you objectively evaluate each vendor’s proposal and product demonstration.</p>
<p><strong>Proposals</strong> - Each invited vendor should respond to your RFP with a written proposal. Carefully evaluate each proposal and encode the proposal information into your evaluation matrix.</p>
<p><strong>Product Demonstrations</strong> - Many vendors will request an in-person or web-based opportunity (a “demo”) to showcase the capabilities of their solution. Demos are a valuable way to get more information and also evaluate intangible aspects of a vendor.</p>
<p><strong>Reference Checks</strong> - Don’t forget to check the vendor’s references as a part of your evaluation process. Consider site visits if you are making a large investment.</p>
<p>OUTCOMES: VENDOR PROPOSALS, VENDOR DEMOS, WEIGHTED VENDOR MATRIX</p>
<p></p>
<p><strong>STEP 5: SELECT & ENGAGE VENDOR</strong></p>
<p><strong>Primary and Secondary Options</strong> - At the conclusion of your evaluation process, you will need to identify a primary option (your winner) and some secondary alternatives.</p>
<p><strong>Negotiations</strong> - Do not burn the bridges with secondary option vendors as they will serve as a valuable resource in the negotiation process. While you are in the negotiation process, keep in mind your secondary options as they serve as your best alternative if your negotiation falls through. Make sure that the final deal you strike with your preferred vendor is at least as favorable as your secondary options. </p>
<p><strong>Contracting</strong> - Identify a clear set of objectives, deliverables, timeframes, and budgets for your project with the vendor. Make sure these are clearly written in the terms of the contract.</p>
<p>OUTCOME: FINAL VENDOR SELECTED & CONTRACTED</p>
<p></p>
<p><strong>STEP 6: MANAGE IMPLEMENTATION</strong></p>
<p><strong>Dedicate Project Manager</strong> - Your organization should dedicate one or more staff to oversee the solution implementation. These staff should have regular checkpoints with the vendor to ensure that delivery matches expectations.</p>
<p><strong>Ensure Timely Delivery</strong> - Vendors often juggle many clients at once and as such it is important for your organization to keep track of deliverable dates and ensure that the vendor is meeting them. Be conscious of your deadlines and deliverables to your vendor so they can make their target delivery dates. Keep an eye out for contract terms that apply additional fees for late delivery of necessary project materials from you to the vendor.</p>
<p><strong>Ensure On-Budget Delivery</strong> - If your organization negotiates a Time & Materials (T&M) contract with a vendor, then it will become imperative to track hours spent and budgeted hours remaining on a project. Without careful consideration of these elements, project costs could spiral out of control.</p>
<p><strong>Manage Scope</strong> - The greatest area of risk for most technology projects is in controlling project scope. Once an organization begins to see the possibility of technology, they often attempt to do too much in the initial development and launch of the solution. If this is the case, consider your project with the vendor a “Phase 1 deployment” and try to push back on new additions until a future phase. If a new addition is essential to a project, then you should clearly define it in an addendum to the scope of work and negotiate the price with the vendor.</p>
<p><strong>Manage Expectations</strong> - Manage the expectations of all parties involved in the implementation support. Be sure to provide realistic timeframes and advance warning of any variances in budgets and timeframes.</p>
<p>OUTCOME: ON TIME & ON BUDGET DELIVERY OF EXPECTED SOLUTION</p>
<p> </p>
<p><strong>STEP 7: SUPPORT & MAINTENANCE</strong></p>
<p><strong>Resources:</strong> Ensure that the appropriate resources are dedicated to support the technology on an ongoing basis. Your support and maintenance plan could include some or all of the following:</p>
<ul>
<li>Support Hours/Contract</li>
<li>Hiring of tech resources to manage it</li>
<li>Assignment of staff member to take ownership</li>
<li>Patches & Maintenance</li>
<li>Ongoing Training</li>
</ul>
<p><br /> <strong>Upgrades:</strong> If the technology solution becomes mission critical, plan an upgrade path for it. Technology tends to change dramatically every 3 years and should never be considered a one-time investment.</p>
<p>OUTCOME: STABLE & EFFICIENT TECHNOLOGY SOLUTION THAT EMPOWERS THE ORGANIZATION</p>
<p> </p>
<p><strong>CONSIDER EXTERNAL FACTORS</strong></p>
<p>The framework proposed in this paper assumes that your organization is operating in a completely neutral framework and has great latitude in making a decision. Our experience of working through this process with many clients indicates that this is often not the case. Most vendor selection efforts are often influenced by external factors such as foundation recommendations, group purchasing decisions, or donations/discounts discovered through board contacts. Consider these external factors in your assessment phase. The presence of these external factors does not mean that you should forgo the vendor selection process; however, it can mean considering your options in a different light.</p>
<p>These external factors can sometimes lead to significant benefits such as discounts with vendors, financial support, leveraging existing research on vendors, implementation experience, and technical support. The equation you should take into consideration is whether the cumulative benefits outweigh the costs of potentially selecting a less optimal vendor.</p>
<p>Is your organization being asked to use a vendor that really doesn't match your needs? If such a case does arise, the vendor evaluation matrix can become a huge asset for your organization. Conduct the evaluation using the externally recommended vendor as a baseline and see where your options fall. You can then present the evaluation matrix to your funders or board members to make an argument for or against a specific course of action.</p>
<p></p>
<p><strong>APPENDIX A: DIMENSIONS OF EVALUATION FOR VENDORS</strong></p>
<p>The following list contains typical dimensions along which vendors can be evaluated. While comprehensive, the list is not exhaustive and you should consider adding your own dimensions to the evaluation criteria.</p>
</div>
<p></p>
<div><p><strong>FEATURES</strong></p>
<p>■ Essential Features</p>
<p>■ Cool to Have Features</p>
<p>■ (Add Requirements Criteria)</p>
<p> </p>
<p><strong>VENDOR STABILITY</strong></p>
<p>■ Vendor Size</p>
<p>■ Vendor Financials</p>
<p>■ Years in Business</p>
<p>■ Number of Clients</p>
<p>■ Size of Tech Team</p>
<p>■ References</p>
<p>■ Future Direction - Roadmap</p>
<p> </p>
<p><strong>TECHNOLOGY ELEMENTS</strong></p>
<p>■ Usability/Ease of Use</p>
<p>■ User Interface/Visuals</p>
<p>■ Flexibility</p>
<p>■ Extensible? Customizable?</p>
<p>■ Compatibility</p>
<p>■ Security</p>
<p>■ Backups</p>
<p>■ Virus Protection</p>
<p> </p>
<p><strong>GENERAL IMPRESSIONS</strong></p>
<p>■ Positives</p>
<p>■ Risks</p>
<p>■ Friendliness</p>
<p>■ Responsiveness</p>
<p>■ Experience/Skill Level</p>
<p>■ Actual Project Team</p>
<p> </p>
<p><strong>PRODUCT STABILITY</strong></p>
<p>■ Performance Levels</p>
<p>■ Uptime Percentage</p>
<p>■ Last Downtime</p>
<p>■ Duration of Downtime</p>
<p>■ Load/Capacity</p>
<br clear="all" /><p><strong>TIMEFRAME FOR DEPLOYMENT</strong></p>
<p>■ Phase 1</p>
<p>■ Phase 2</p>
<p>■ Additional phases (if any)</p>
<p>■ Project Completion</p>
<p>■ Training</p>
<p> </p>
<p><strong>COSTS</strong></p>
<p>■ One-Time (Setup, Configuration, Development)</p>
<p>■ Ongoing (Maintenance, Licensing)</p>
<p>■ Add-Ons</p>
<p>■ Hardware/Software</p>
<p>■ Training</p>
<p>■ Support</p>
<p>■ Data Migration</p>
<p>■ Fixed or Variable</p>
<p>■ TCO = Total Cost of Ownership</p>
<p> </p>
<p><strong>TRAINING & SUPPORT</strong></p>
<p>■ Support Availability</p>
<p>■ Support Coverage Hours</p>
<p>■ Support Response Time</p>
<p>■ Training Plan</p>
<p>■ Online Help Resources</p>
<p>■ Availability of Support Talent</p>
<p>■ Documentation</p>
<p> </p>
<p><strong>OTHER CONSIDERATIONS</strong></p>
<p>■ Hosted Externally/ASP</p>
<p>■ Additional Equipment</p>
<p>■ Platform Considerations</p>
<p>■ Locked In to Vendor Solution?</p>
<p>■ Implementation Plan</p>
<p>■ Data Migration</p>
<p> </p>
<p><strong>SECURITY & BACKUPS</strong></p>
<p>■ Backup Policies</p>
<p>■ Recovery Procedures</p>
<p>■ Virus Protection</p>
<p>■ Data Security</p>
<p>■ Application Security</p>
<p>■ Hardware Security</p>
</div>
<p></p>
<p><strong>APPENDIX B: CREATING A WEIGHTED VENDOR EVALUATION MATRIX</strong></p>
<p>It is important to keep yourself objective when going through the vendor evaluation process. It is easy to get swayed by an impressive product demonstration or an eloquent sales representative. In order to avoid falling into this trap, we often use a weighted matrix to rank vendors. Below is an example of how to structure your own vendor evaluation matrix.</p>
<p> </p>
<p><strong>SAMPLE WEIGHTED MATRIX:</strong> (for a three-vendor evaluation)</p>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-it-project-vendors" target="_blank"><img src="http://i57.tinypic.com/29fcaad.jpg" class="align-full" alt="29fcaad.jpg" /></a></p>
<p> </p>
<p>A spreadsheet program is a great tool for plotting your evaluation matrix. When developing the matrix, you will need to make decisions regarding the following:</p>
<p> </p>
<ul>
<li>How important is each of the dimensions to your organization? For instance, if support hours are critical, you may assign it 10 points instead of 4.</li>
</ul>
<p> </p>
<ul>
<li>How do the scores relate to each other? For instance, if you are evaluating three vendors it is usually good to score using a 3 point scale or a multiple of a 3 point scale. The vendor who performs best in this category would get a 3 and the worst performer would get a 1. If two vendors are equal on a given dimension, then give them the same score. If the dimension is a very important one, you may make it worth 12 points with the top vendor getting 12, the second getting 8, and the last one getting 4.</li>
</ul>
<p> </p>
<ul>
<li>What is a substantive difference in scores? If you are evaluating on a 100 point scale and you get a final list of three vendors all within a score range of 51 to 59, then there may not be a substantive difference between them. Take a deeper look at the relative strengths and weaknesses of each vendor before making a final decision.</li>
</ul>
<p> </p>
<p>Do not add any elements to your weighted scores that are worth more than 25% of the total points on the matrix. These dimensions should be looked at side by side with the weighted scores. The two most common elements we normally do not include in our weighting are PRICE and TIMEFRAME. Including elements such as these in the matrix would really skew the results, so it works better to consider them independently.</p>
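<p>The scoring rules above, worked through in Python as an added example that is not part of the original article. The vendors, dimensions, ranks, prices and the 10% "too close" margin are constructed assumptions; the 12/8/4 rank scale and the 25% cap come from the text.</p>

```python
"""Weighted vendor evaluation matrix following the Appendix B rules.
Added example: vendors, dimensions, ranks and prices are constructed."""

MAX_SHARE = 0.25     # page rule: no scored dimension above 25% of total points
CLOSE_MARGIN = 0.10  # assumption: totals within 10% of the scale are "too close"

# dimension -> (max points, {vendor: rank}); rank 1 is best, tied vendors share a rank.
MATRIX = {
    "Essential features": (12, {"A": 1, "B": 2, "C": 3}),
    "Security & backups": (12, {"A": 2, "B": 1, "C": 3}),
    "Support hours":      (9,  {"A": 3, "B": 1, "C": 2}),
    "Vendor stability":   (9,  {"A": 1, "B": 1, "C": 3}),
    "Usability":          (6,  {"A": 1, "B": 3, "C": 2}),
    "Training & docs":    (6,  {"A": 2, "B": 2, "C": 1}),
}

# Price and timeframe stay out of the weighting and are reviewed side by side.
SIDE_BY_SIDE = {
    "A": {"price": 48000, "weeks": 10},
    "B": {"price": 61000, "weeks": 8},
    "C": {"price": 35000, "weeks": 14},
}


def points(max_points, rank, n_vendors):
    """Map a rank to points: with 3 vendors and 12 points, ranks 1/2/3 earn 12/8/4."""
    if max_points % n_vendors:
        raise ValueError("max points must be a multiple of the vendor count")
    if rank not in range(1, n_vendors + 1):
        raise ValueError("rank out of range")
    return max_points // n_vendors * (n_vendors - rank + 1)


def total_points(matrix):
    """Best possible total, i.e. the scale the matrix is scored on."""
    return sum(max_pts for max_pts, _ in matrix.values())


def oversized(matrix):
    """Dimensions that break the 25% rule and would skew the totals."""
    total = total_points(matrix)
    return [d for d, (max_pts, _) in matrix.items() if max_pts > MAX_SHARE * total]


def score(matrix):
    """Sum each vendor's points over all dimensions."""
    totals = {}
    for max_pts, ranks in matrix.values():
        for vendor, rank in ranks.items():
            totals[vendor] = totals.get(vendor, 0) + points(max_pts, rank, len(ranks))
    return totals


def close_contenders(totals, scale):
    """Vendors within CLOSE_MARGIN of the leader, best first. More than one
    name means the totals alone do not separate them."""
    best = max(totals.values())
    near = [v for v, s in totals.items() if best - s <= CLOSE_MARGIN * scale]
    return sorted(near, key=lambda v: -totals[v])


def report(matrix, side_by_side):
    """Ranked summary lines, with price and timeframe shown next to the score."""
    bad = oversized(matrix)
    if bad:
        raise ValueError(f"dimensions above 25% of total points: {bad}")
    totals, scale = score(matrix), total_points(matrix)
    lines = []
    for vendor in sorted(totals, key=lambda v: -totals[v]):
        extra = side_by_side.get(vendor, {})
        lines.append(f"{vendor}: {totals[vendor]}/{scale} points, "
                     f"price {extra.get('price')}, {extra.get('weeks')} weeks")
    near = close_contenders(totals, scale)
    if len(near) > 1:
        lines.append("No substantive difference between: " + ", ".join(near))
    return lines


if __name__ == "__main__":
    print("\n".join(report(MATRIX, SIDE_BY_SIDE)))
```

<p>Adding a scored "Price" dimension worth 30 points to this matrix makes <code>report</code> refuse to run, which is the skew the 25% rule is meant to prevent.</p>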
<p> </p>
<p>YOUR END RESULT should be something like the following:</p>
<p> <a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-it-project-vendors" target="_blank"><img src="http://i57.tinypic.com/2vx3cy1.jpg" alt="2vx3cy1.jpg" /></a></p>
<p></p>
<p><em>- With Sachin Lokhande, Pay Point India Network Ltd on How To Evaluate A Vendor in IT Projects</em></p>
</div><p><strong>Beyond Secure Software Development Life Cycle (SDLC) : Moving Towards Secure Dev-Ops</strong></p><p>https://www.cisoplatform.com/profiles/blogs/beyond-secure-software-development-life-cycle-sdlc-moving-towards<br />2016-02-20T09:00:00.000Z<br />23j0c848tmyvu (https://www.cisoplatform.com/members/23j0c848tmyvu)</p><div><p>We have heard a lot about secure SDLC (Software Development Life Cycle). So, what next? Everything transforms with time and now is the time for Secure SDLC to be transformed. Secure SDLC is probably going to get metamorphosed into Secure Dev-Ops.</p><p><strong style="font-size:14pt;">What is Dev-Ops?</strong></p><p>Dev-Ops is a software development methodology which focuses on the communication, collaboration and integration of Developers and IT managers. In short it is an integration between Development and Operations. Historically Development and Operations worked in separate silos. Now with the advent of Agile and focus on releasing new versions in just days the collaboration/integration of development and operations has become an unavoidable truth.</p><p></p><p><span class="font-size-4"><strong>Why is Secure SDLC not enough?</strong></span></p><p>Let’s face the fact: Secure SDLC is not enough. That’s why the industry has adopted Dev-Ops. In order to achieve faster releases, Agile methodologies are the practice of the day. SDLC is gradually getting transformed into Dev-Ops. 
So it is quite obvious that the need of the day is Secure Dev-Ops and not just Secure SDLC.</p><p></p><p><span class="font-size-4"><strong>What is Secure Dev-ops?</strong></span></p><p>Just like the industry has adopted (or is adopting) secure SDLC, we need to do the same with Secure Dev-Ops. In Dev-Ops the communication, collaboration and integration of Software Developers and IT Operations is the key. Hence this has created new processes to roll out faster releases.</p><p>As a part of the secure Dev-Ops program we need to ensure that the entire thread of development to release follows the right kind of security practices.</p><p></p><p><span class="font-size-4"><strong>How do you implement Secure Dev-ops?</strong></span></p><p>Secure Dev-Ops would not demand substantially new principles in security. However, it would demand process changes and coordination and understanding between the Development and Operations folks/processes. 
Some of the basic elements of Secure Dev-Ops would be:</p><p>• Nimble security testing<br /> • Secure Coding + Secure Operations + Secure Collaboration<br /> • Faster communication between Development and Operations on Vulnerability Information<br /> • Faster patching/closure of vulnerabilities<br /> • Defining a process of collaboration between Development and Operation<br /> • Single manager/management system for security during the release cycle</p><p></p><p><span class="font-size-4"><b>What are advantages of implementing secure Dev-ops?</b></span></p><p>The following are the benefits of implementing secure Dev-ops:</p><ul><li>Software features are released quickly and more often</li><li>Increases trust in your software</li><li>The customer’s needs are met quickly with highest quality</li><li>Trust and cooperation built between development and operations team</li><li>Releases are anticipated, making them cost effective and putting less stress on the team.</li></ul><p></p></div><p><strong>6 Free Log Management Tools</strong></p><p>https://www.cisoplatform.com/profiles/blogs/6-free-log-management-tools<br />2016-08-01T12:30:00.000Z<br />pritha (https://www.cisoplatform.com/members/pritha)</p><div><p>Log management is one of the primary requirements for building an enterprise class SOC. In security, log analysis is often the first step in incident forensics. Operating systems such as Windows, Unix, Linux and network devices such as routers, firewalls etc. offer native log management capabilities, but these are not sufficient for organizations for a variety of reasons. First, due to storage constraints, older logs are overwritten by the most recent logs. 
Second, log collection from network devices and operating systems is not reliable, and the logs are often not in the same format, which makes analysis difficult. Another challenge is that the logs are distributed across devices and are not centrally stored or managed.</p>
<p></p>
<p></p>
<p></p>
<p></p>
<p><strong><span class="font-size-6">Some of the benefits of log management are:</span></strong></p>
<ul>
<li>Logs often provide first-hand evidence in cyber forensics and are often invaluable in investigating security incidents and auditing. Log management helps make forensics and investigation much easier.</li>
<li>Logs feed SIEM solutions for continuous security monitoring. Better log management speeds up the correlation engine and provides better insights by reducing noise in analysis results.</li>
<li>Log management helps manage compliance requirements, as they require organizations to index log events for easy accessibility and search capability.</li>
<li>Log management can help optimize storage requirements by discarding unimportant logs.</li>
</ul>
<p></p>
<p></p>
<p></p>
<p></p>
<p>Below is a list of a few open-source log management tools which provide reliable log collection, log normalization and relaying of log messages to a central location for long-term storage.</p>
<p></p>
<p><span class="font-size-4">1. <a href="https://syslog-ng.org/#_ga=1.33680484.438722512.1468905382">Syslog-ng</a></span></p>
<p>syslog-ng allows you to flexibly collect, parse, classify, and correlate logs from across your infrastructure and store or route them to log analysis tools.</p>
<p></p>
<p><span class="font-size-4">2. <a href="http://www.rsyslog.com/">rsyslog</a></span></p>
<p><b>Rsyslog</b> is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, and flexible configuration options, and adds features such as using TCP for transport.</p>
<p></p>
<p><span class="font-size-4">3. <a href="https://github.com/log2timeline/plaso/wiki">Log2timeline</a></span></p>
<p>Log2timeline is a tool designed to extract timestamps from various files found on typical computer systems and aggregate them. Plaso is a Python-based backend engine for the tool log2timeline.</p>
<p></p>
<p><span class="font-size-4">4. <a href="http://www.logalyze.com/">Logalyze</a></span></p>
<p>LOGalyze is an open source, centralized log management and network monitoring software. If you would like to handle all of your log data in one place, LOGalyze is the right choice. It supports Linux/Unix servers, network devices, and Windows hosts. It provides real-time event detection and extensive search capabilities.</p>
<p></p>
<p><span class="font-size-4">5. <a href="https://www.graylog.org/">Graylog</a></span></p>
<p>Graylog2 collects and aggregates events from a multitude of sources and presents your data in a streamlined, simplified interface where you can drill down to important metrics, identify key relationships, generate powerful data visualizations and derive actionable insights.</p>
<p></p>
<p></p>
<p><span class="font-size-4">6. <a href="http://www.fluentd.org/">Fluentd</a></span></p>
<p>Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.</p>
<p></p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-10-incident-response-siem-talks-from-rsa-conference-2016">Top 10 'Incident Response &amp; SIEM' talks from RSA Conference 2016 (USA)</a> )</p>
<p></p></div>Open source network security:Top 10 Open Source Software Security Toolshttps://www.cisoplatform.com/profiles/blogs/top-10-open-source-or-free-it-security-tools2016-09-27T05:30:00.000Z2016-09-27T05:30:00.000ZVaibhav Singhal (CISO Platform)https://www.cisoplatform.com/members/VaibhavSinghalCISOPlatform<div><p>Short of resources, but still want a strong IT-security ecosystem? There are multiple open source tools on the market that are especially suited to small and medium enterprises. They can't match the capabilities of the premium tools from big vendors, which come with hefty price tags, but they still provide quite decent features without burning a hole in your pocket. We bring you the list of <strong>Top 10 Open Source or Free IT-Security Tools:</strong></p><p></p><p><span class="font-size-4"><span><span style="font-size:13px;">1.</span><span style="color:#ff6600;"><em style="color:#3366ff;font-family:arial, helvetica, sans-serif;font-weight:bold;"> </em><span style="color:#3366ff;"><strong><span style="text-decoration:underline;"><a href="http://blog.securityonion.net/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">Security Onion</span></a></span></strong></span></span></span></span><span style="text-decoration:underline;"> </span><strong>(Category: Package with multiple capabilities)</strong> is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, Network Miner, and many other security tools. It is a great asset in the defender’s toolkit.</p><p></p><p>2. 
<span style="color:#ff6600;"><span class="font-size-4" style="color:#3366ff;"><span style="text-decoration:underline;"><strong><a href="http://ossec.github.io/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">OSSEC</span></a></strong></span></span> </span><strong>(Category: IDS/IPS)</strong> is fully open source and free for your use. You can tailor OSSEC for your security needs through its extensive configuration options, adding your custom alert rules and writing scripts that take actions in response to security alerts. You are free to modify the source code to add new capabilities. OSSEC watches it all, actively monitoring all aspects of Unix system activity with file integrity monitoring, log monitoring, root check, and process monitoring. </p><p><span style="font-size:12pt;"><br /> ( Read More:</span> <a href="http://www.cisoplatform.com/profiles/blogs/top-it-security-conferences-in-the-world" style="font-size:12pt;">Top IT Security Conferences In The World</a><span style="font-size:12pt;"> )</span></p><p></p><p>3. <strong><span style="text-decoration:underline;font-family:arial, helvetica, sans-serif;color:#3366ff;" class="font-size-4"><a href="https://www.cuckoosandbox.org/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">Cuckoo Sandbox</span></a></span> (Category: Endpoint Detection and Response)</strong> is an advanced, extremely modular, and 100% open malware analysis system with infinite application opportunities. By default, it is able to:</p><ul><li>Analyze many different malicious files (executables, document exploits, Java applets) as well as malicious websites, in Windows, OS X, Linux, and Android virtualized environments.</li><li>Trace API calls and general behavior of the file.</li><li>Dump and analyze network traffic, even when encrypted.</li><li>Perform advanced memory analysis of the infected virtualized system with integrated support for Volatility.</li></ul><p></p><p>4. 
<strong><span style="text-decoration:underline;color:#3366ff;"><span class="font-size-4"><a href="https://cirt.net/nikto2" target="_blank"><span style="color:#3366ff;text-decoration:underline;">Nikto</span></a></span></span> (Category: Application Security)</strong> is an extremely popular web application vulnerability scanner. Web application vulnerability scanners are designed to examine a web server to find security issues. Identifying security problems proactively, and fixing them, is an important step towards ensuring the security of your web servers. Nikto checks for a number of dangerous conditions and vulnerable software. Running it on a regular basis will ensure that you identify common problems in your web server or web applications.</p><p><span style="text-decoration:underline;"><strong>Features Include:</strong></span></p><ul><li>SSL Support (Unix with OpenSSL or maybe Windows with Active State's Perl/NetSSL)</li><li>Full HTTP proxy support</li><li>Checks for outdated server components</li><li>Save reports in plain text, XML, HTML, NBE or CSV</li><li>Template engine to easily customize reports</li><li>Scan multiple ports on a server, or multiple servers via input file (including nmap output)</li></ul><p></p><p>5. <strong><span style="text-decoration:underline;color:#3366ff;"><span style="font-family:arial, helvetica, sans-serif;text-decoration:underline;" class="font-size-4"><a href="https://www.metasploit.com/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">Metasploit</span></a></span></span><span style="text-decoration:underline;color:#ff6600;" class="font-size-4"><em> </em></span>(Category: Vulnerability Assessment)</strong> A collaboration of the open source community and Rapid7. 
Their penetration testing software, Metasploit, helps verify vulnerabilities and manage security assessments.</p><p><span style="text-decoration:underline;"><strong>Features Include:</strong></span></p><ul><li><strong>Utilize the world's largest exploit database:</strong> Leading the Metasploit project gives Rapid7 unique insights into the latest attacker methods and mindset. Rapid7 works with the community to add an average of 1 new exploit per day, currently counting more than 1,300 exploits and more than 2,000 modules.</li></ul><ul><li><strong>Simulate real-world attacks against your defenses:</strong> Metasploit evades leading anti-virus solutions 90% of the time and enables you to completely take over a machine you have compromised from over 200 modules.</li></ul><ul><li><strong>Uncover weak and reused credentials:</strong> Test your network for weak and reused passwords. Going beyond just cracking operating system accounts, Metasploit Pro can run brute-force attacks against over 20 account types, including databases, web servers, and remote administration solutions.</li></ul><p></p><p><strong>6. <span style="text-decoration:underline;color:#3366ff;"><span style="font-family:arial, helvetica, sans-serif;" class="font-size-4"><a href="https://www.bro.org/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">Bro</span></a></span></span> (Category: IDS/IPS) </strong>is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Well-grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyber infrastructure. 
Bro's user community includes major universities, research labs, super-computing centers, and open-science communities.</p><p><span style="font-size:12pt;"><br /> ( Read More:</span> <a href="http://www.cisoplatform.com/profiles/blogs/top-6-reasons-why-datalossprevention-implementation-fails" style="font-size:12pt;">Top 6 Reasons Why Data Loss Prevention (DLP) Implementation Fails</a><span style="font-size:12pt;"> )</span></p><p></p><p>7. <span style="text-decoration:underline;color:#3366ff;"><strong><span style="font-family:arial, helvetica, sans-serif;" class="font-size-4"><a href="https://www.wireshark.org/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">Wireshark</span></a></span></strong></span> <strong>(Category: Package with multiple capabilities)</strong> It is one of the foremost network protocol analyzers. It lets you see what's happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.</p><p><span style="text-decoration:underline;"><strong>Features Include:</strong></span></p><ul><li>Deep inspection of hundreds of protocols, with more being added all the time</li><li>Live capture and offline analysis</li><li>Standard three-pane packet browser</li><li>Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others</li><li>Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility</li></ul><p></p><p>8. <strong><span style="text-decoration:underline;color:#3366ff;"><span style="font-family:arial, helvetica, sans-serif;" class="font-size-4"><a href="http://openvas.org/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">OpenVAS</span></a></span></span> (Category: Vulnerability Assessment)</strong> It is an advanced open source vulnerability scanner and manager. 
It is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The powerful and comprehensive solution is available as Free Software and maintained on a permanent basis.</p><p></p><p>9. <span style="text-decoration:underline;color:#3366ff;"><strong><span style="font-family:arial, helvetica, sans-serif;" class="font-size-4"><a href="https://www.kali.org/" target="_blank"><span style="color:#3366ff;text-decoration:underline;">Kali Linux</span></a></span></strong></span> <strong>(Category: Package with multiple capabilities)</strong> is an open source Debian distribution that has pre-installed pen testing tools.</p><p><span style="text-decoration:underline;"><strong>Features Include:</strong></span></p><ul><li><strong>Full Customization of Kali ISOs:</strong> Full customization of Kali ISOs with live-build allowing you to create your own Kali Linux images – Kali Linux is heavily integrated with live-build, allowing endless flexibility in customizing and tailoring every aspect of your Kali Linux ISO images.</li></ul><ul><li><strong>Kali Linux ISO of Doom and Other Kali Recipes:</strong> The Kali Linux ISO of doom – a great example of the flexibility of live-build, and the types and complexity of customization possible.</li></ul><ul><li><strong>Kali Linux Live USB with Multiple Persistence Stores:</strong> Kali Linux Live USB with multiple persistence stores – What’s more, Kali Linux supports multiple persistence USB stores on a single USB drive.</li></ul><p></p><p>10. 
<span style="text-decoration:underline;color:#3366ff;"><strong><span style="font-family:arial, helvetica, sans-serif;" class="font-size-4"><a href="https://www.alienvault.com/products/ossim" target="_blank"><span style="color:#3366ff;text-decoration:underline;">OSSIM, Alien Vault's</span></a></span></strong></span> <strong>(Category: Security Information and Event Management)</strong> Open Source Security Information and Event Management (SIEM) product, provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.</p><p></p><p><span id="docs-internal-guid-1ff6476f-6a3c-78d9-3067-1480fc4ebbe5" class="font-size-3">( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-10-incident-response-siem-talks-from-rsa-conference-2016">Top 10 'Incident Response &amp; SIEM' talks from RSA Conference 2016 (USA)</a> )</span></p><p></p><p><span class="font-size-4"><em>Which IT security tools do you use the most and find very helpful? Share with us in the comments below.</em></span></p><p></p></div>Software Attacks on Hardware Wallets (Black Hat Conference 2018)https://www.cisoplatform.com/profiles/blogs/software-attacks-on-hardware-wallets-black-hat-conference-20182018-09-27T09:30:00.000Z2018-09-27T09:30:00.000ZShubham Guptahttps://www.cisoplatform.com/members/ShubhamGupta<div><p><span>Almost all security research has a question often left unanswered: what would be the financial consequence if a discovered vulnerability is maliciously exploited? The security community almost never knows, unless a real attack takes place and the damage becomes known to the public. 
The development of cryptocurrencies made it even more difficult to control the impact of an attack since all the security relies on a single wallet's private key which needs to stay secure. Multiple breaches of private wallets and public currency exchange services are well-known, and to address the issue a few companies have come up with secure hardware storage devices to preserve the wallet's secrets at all costs.</span><br /> <br /> <span>But, how secure are they? In this research, we show how software attacks can be used to break into the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker. The number of identified vulnerabilities in the hardware wallet shows how software vulnerabilities in the TEE operating system can lead to a compromise of the memory isolation and a reveal of secrets of the OS and other user applications. Finally, based on the identified vulnerabilities an attack is proposed which allows anyone with only physical access to the hardware wallet to retrieve secret keys and data from the device. Additionally, a supply chain attack on a device allowing an attacker to bypass security features of the device and have full control of the installed wallets on the device.</span></p><p></p><p><span class="font-size-5">Speakers</span></p><p></p><p><span><strong>Alyssa Milburn</strong><br /> <br /> Alyssa Milburn is a Security Analyst at Riscure where you can trust her to break stuff. She enjoys low-level computing, particularly compilers (including working with LLVM/gcc), kernel-level work and embedded platforms. She is fascinated by old computer games. She is also involved in various open source projects in this vein, in particular ScummVM, GemRB and openc2e. 
Reverse engineering is great fun too; as well as taking apart old computer games, she has also applied her skills for analyzing embedded firmware, and for security work.</span></p><p></p><p><span><strong>Sergei Volokitin</strong><br /> <br /> Sergei Volokitin is a security analyst at Riscure in the Netherlands where his work is mostly focused on security evaluation of embedded systems and security testing of smart card platforms and TEE based solutions. He has a number of publications on Java Card platform attacks and conference presentations on hardware security.</span></p><p></p><p><span class="font-size-5">Detailed Presentation:</span></p><p><iframe src="//www.slideshare.net/slideshow/embed_code/key/KPrdIhLjwNtQj2" width="595" height="485" frameborder="0" allowfullscreen=""></iframe></p><div style="margin-bottom:5px;"><strong><a href="//www.slideshare.net/cisoplatform7/software-attacks-on-hardware-wallets-116860623" title="Software Attacks on Hardware Wallets" target="_blank">Software Attacks on Hardware Wallets</a></strong> from <strong><a href="https://www.slideshare.net/cisoplatform7" target="_blank">Priyanka Aash</a></strong></div><p></p><div><p><strong>(Source: Black Hat USA 2018, Las Vegas)</strong></p></div><p></p></div>Is Penetration Testing on your 2020 To-Do List?https://www.cisoplatform.com/profiles/blogs/is-penetration-testing-on-your-2020-to-do-list2019-12-19T06:48:56.000Z2019-12-19T06:48:56.000ZRay Parkerhttps://www.cisoplatform.com/members/RayParker<div><p><span style="font-weight:400;">If you’re thinking that the industry you’re operating in is safe from cybersecurity threats then you might have to think again. 
In this article, we’ll specifically discuss the implications of breaches on healthcare businesses and why annual penetration testing is important for them.</span></p><p><span style="font-weight:400;">The healthcare sector is no different when it comes to paying the price for poor security systems. Information security experts warn that healthcare will be the biggest target for cybercriminals over the next five years. With the current cybersecurity environment in healthcare, health institutions need to guard Personal Health Information (PHI), patient records and their data that can be put at risk by credential-stealing malware, lost devices or corrupt staff. It’s time to consider foundational security elements in terms of maintaining cyber hygiene.</span></p><p><span style="font-weight:400;">To guard against these threats, first, you need a well-defined and effective risk management strategy built on the concept of end-to-end protection. You don’t want to waste your resources on something that yields no result. Without a proper plan, you’ll strangle your operations instead of supporting them. Therefore, it’s important to have policies that are effectively enforced, and bring an approach to cybersecurity that’s surgical – working from the inside out – to understand every fit and function of the organization. For this purpose, it’s recommended to acquire the services of a well-reputed</span> penetration testing company<b>.</b></p><p><span style="font-weight:400;">Yes, penetration testing is a considerable and probably the best solution if you’re looking to strengthen your security systems. This testing approach simulates a cyber attack on your systems to detect exploitable vulnerabilities that could lead to data breaches. There’s no need to worry since these attacks are conducted by certified ethical hackers who are well-aware of the rules and regulations and are closely monitored. 
This test is a manual process that dives deeper into your environment than an automated vulnerability scan does.</span></p><p><b>How is Penetration Testing Better than Automated Vulnerability Scans? </b></p><ul><li style="font-weight:400;"><span style="font-weight:400;">It keeps you ahead in the race with real hackers in exposing your weaknesses</span></li><li style="font-weight:400;"><span style="font-weight:400;">It can reveal areas of concern that need attention</span></li><li style="font-weight:400;"><span style="font-weight:400;">It provides an outside view of your security posture</span></li><li style="font-weight:400;"><span style="font-weight:400;">It simulates a real attacker scenario</span></li><li style="font-weight:400;"><span style="font-weight:400;">It helps with meeting compliance with industry standards and regulations</span></li><li style="font-weight:400;"><span style="font-weight:400;">It helps prioritize and tackle risks based on their exploitability and impact</span></li></ul><p><b>Conclusion</b></p><p><span style="font-weight:400;">In this age when cyberattacks are constantly making headlines, organizations can’t just sit and relax. The financial burden on attacked organizations is crippling, but the reputation risk is even greater. And reputation is a big factor when patients are entrusting their health and data to a health institution. So, be safe. 
Hire a <a href="https://www.kualitatem.com/penetration-testing/" target="_blank">penetration testing company</a></span><span style="font-weight:400;"> before it’s too late.</span></p><p><span style="font-weight:400;"> </span></p></div>Missing the Big Picture from the SolarWinds Hackhttps://www.cisoplatform.com/profiles/blogs/missing-the-big-picture-from-the-solarwinds-hack2020-12-15T22:57:43.000Z2020-12-15T22:57:43.000ZMatthew Rosenquisthttps://www.cisoplatform.com/members/MatthewRosenquist<div><p><iframe width="560" height="315" src="https://www.youtube.com/embed/HmIOoN5n01c?wmode=opaque" frameborder="0" allowfullscreen=""></iframe></p><p>The cybersecurity industry is consumed with the scale and effectiveness of one of the biggest hacks in recent memory. The emerging narrative and stories are missing important pieces of the puzzle. The attackers, likely a nation-state, gained unprecedented access to the U.S. government, military, critical infrastructure, and most major businesses. </p><p>The full scope and reasons are not clear, but it is imperative to figure them out. The mystery must be solved, for the benefit of everyone, so we can prepare for what is next.</p></div>