Tuesday, May 11, 2021

Cyber Security Ransomware and critical infrastructure

Snippets/quotes, mostly from the first article by CNN, and opinions related to the recent ransomware interruption

What we know about the pipeline ransomware attack: How it happened, who is responsible and more

The operator of the biggest gasoline pipeline in the U.S. shut down operations late Friday following a ransomware attack that threatens to roil energy markets and upend the supply of gas and diesel to the East Coast.

The ransomware type and specific attack are still unknown or haven't been shared yet

 

What is a ransomware attack and did this happen out of the blue?

The Colonial Pipeline attack comes amid rising concerns over the cybersecurity vulnerabilities in America's critical infrastructure following a spate of recent incidents, and after the Biden administration last month launched an effort to beef up cybersecurity in the nation's power grid, calling for industry leaders to install technologies that could thwart attacks on the electricity supply.

The position used to be: don't pay. However, that now isn't as clear of a strategy

 

An April 2 blog by the cybersecurity firm Cybereason said the people behind DarkSide follow the "double extortion" trend in ransomware, meaning they not only encrypt user data but exfiltrate it and make it public if a ransom payment isn't made

 

Senior White House officials repeatedly said Monday their roles in addressing the latest ransomware incident were limited because Colonial Pipeline is a private company, even though it controls the gasoline supply to most of the eastern US.

 

Who is responsible?

The FBI confirmed Monday that a criminal group originating from Russia, named "DarkSide," is responsible for the Colonial pipeline cyberattack.

 

The group posted a notice on the dark web that their motivation was "only to make money" and claiming it did not carry out the attack on behalf of a foreign government, according to a cyber counterintelligence firm.

So, not a nation-state type attack, but the effects can be equally paralyzing

 

The group is part of what's called the "ransomware as a service" trend -- they "rent out their infrastructure to other bad guys," he added.

"You pay a fee to join their service. And then the main threat actor gets a cut of every successful ransomware payment that you make," Liska said.

 

Are ransomware attacks a new problem?

Simply put, no.

On average, ransomware demands exceeded $100,000 last year and in some cases, were up to tens of millions of dollars, according to the department. 

"A key lesson here is that while technology and automation is good, we must also have the ability to efficiently operate manually as well. Attacks will happen, but how quick can you recover and restore critical services?" he told CNN.

Procedural and other separation between state and private companies will be drawn closer together

"The threat is not tomorrow's threat, but it is upon us," he said at a US Chamber of Commerce event.

More than $350 million dollars in victim funds were paid as a result of ransomware in the past year, and the rate of ransomware attacks increased over the prior year by more than 300%, he said. 

 

Do victims usually pay the ransom?

While it varies from case to case, the FBI's standing guidance is that victims should not pay a ransom. 

However, multiple sources have previously told CNN that the FBI will, at times, privately tell victims they understand if they feel the need to pay, something senior White House officials acknowledged on Monday, saying "companies are in a difficult position."

 

What does this attack mean for anyone who drives or flies?

Limited supply could mean higher fuel prices for motorists during the spring driving season. US gasoline futures for May delivery gained 1.5% on Monday, rising to $2.16 a gallon. Prices had spiked as much as 4% in early trading.

Many major East Coast airports maintain only three to five days worth of inventory, so a two to five day suspension of a pipeline that in some cases moves fuel directly to major airports -- such as Atlanta's Hartsfield-Jackson Airport -- can have a dramatic impact.

 

What is the Biden administration doing about it?

But the broader issue of security gaps in the nation's critical systems -- components of which are decades old -- remains a serious question for the White House, which is finalizing an executive order meant to better respond to cyberattacks.

The new task force will unify efforts across the federal government to pursue and disrupt ransomware attackers, according to the memo. Actions could include everything from "takedowns of servers used to spread ransomware to seizures of these criminal enterprises' ill-gotten gains," the memo continued.


Tuesday, February 23, 2021

4 Ways to Get More Done in Less Time by Amantha Imber

Good read: Work most effectively based on your chronotype, plan each day the night before, good habits need to be repeated, and a calendar that's 100% booked doesn't mean being productive.



Ever come out of a 12-hour workday feeling exhausted, yet not productive enough? We spend our days trying to tick things off our to-do list, and still, it feels like we haven't done enough, or worse, haven't been efficient. How can we be more productive in ways that feel manageable and good?

Fun fact: 96% of people check their mobile phone within one hour of waking up in the morning (and a whopping 61% take a peek within the first five minutes).

While it may seem harmless, checking our phones as soon as we open our eyes sets us up to have a "reactive" kind of day.

Think about it.

If the first thing you do when you roll out of bed is open your email, read your texts, or listen to your voicemails, you are essentially putting yourself second. Whether good, bad, or no news awaits, you are letting other people set your mood for the day.

Most of us are guilty of this, and it inevitably affects our productivity.

I spend most of my time thinking about just that: how we can be more productive in ways that feel manageable and good. Over the past three years, I've interviewed people in every field — from publishing and entertainment to the corporate world — to figure out how we can proactively structure our days to get more out of them.

Through these discussions, I've heard time and again, that you can't let other people's priorities determine the course of your day. Rather, you must be deliberate about how you wake up, organize your time, and fit work into your schedule.

Here are four tips from highly productive people that have stuck with me — and that I hope will work for you too.

1) Align your most important work with your chronotype.

Your chronotype is just a fancy way of saying "your body clock." It refers to the natural 24-hour sleep-wake cycle we all experience. Everyone has a unique chronotype and it influences the peaks and troughs of energy we feel throughout our days.

Around 10% of people are stereotypical larks, who feel most energetic in the mornings. At the other end of the spectrum are the 20% of the population who are owls, or people who do their best work at night. Most of us lie somewhere in the middle, and experience peak alertness before noon, an energy dip after lunch, and a second wind in the late afternoon.

Dan Pink, author of When: The Scientific Secrets of Perfect Timing, told me that paying attention to your chronotype and structuring your tasks around your energy peaks can help you get a lot more done in less time.

"On days I plan to write, I do it in the mornings, when I'm most alert," he told me. "I set myself a word count and I won't do anything until I hit it. I won't bring my phone into the office with me. I will not open up my email. Once I've hit my goal, I'm free to do other things." Pink takes full advantage of the energy he feels upon waking by using his mornings for deep, focused work — and avoiding any and all distractions.

When he has an energy dip in the mid-afternoon, he tends to stick with easier tasks. "I'll spend that time answering emails, filing and scanning things," he said. "Then, when I get my second wind, and come out of the trough around three or four o'clock, I do tasks that don't require me to be locked down and vigilant, like interviews. During this time, I feel more mentally loose, creative, and open to ideas."

As a result of sticking to this schedule, When was the only book Pink submitted to his publishers on time.

Pro Tip: To plan your workday better, start the process of restructuring your day by assessing your chronotype here. Align the work that requires your most intense brain power with your energy peaks.

2) Plan your day the night before.

A productive day doesn't just happen. It requires planning. When we write down what we intend to do — and when and where we intend to do it — we are far more likely to achieve our goals.

Google's executive productivity advisor, Laura Mae Martin, told me that she plans her day the night before. To start with, she writes down her top three priorities on The Daily Plan template she created. "Underneath the first priority, it says, 'Until this first task is finished, everything else is a distraction.' So that's my one thing I need to get done."

She then uses the same template to plan her day at a micro-level, hour-by-hour. "Even just writing down that I plan to work out between 7 am to 8 am makes me more likely to do that." Martin's process also includes what she refers to as "snack sized to-dos," which are tasks she can do in between meetings as they only require a few minutes, like making a phone call or replying to emails.

Pro Tip: Take control of your day with some meticulous planning. Try Martin's Daily Plan template for one week. The ideal time to fill it out is at the end of your workday so that whatever needs to be tackled tomorrow is still fresh in your mind.

3) Develop different rituals for different types of work.

Being deliberate about where you work from is another way to add structure to your day. Consider doing what Georgetown University Professor and author of Deep Work, Cal Newport does, and deliberately link different locations with different types of tasks.

"When I'm trying to solve a theoretical computer science proof, the rituals I use almost always involve various walking routes around my town," Newport explained.

But when doing writing work, you'll find Newport approaching this in a completely different way. "In my house, I had a custom library table built that was reminiscent of the tables at the university library where I used to work as an undergraduate. It had brass library lamps next to the dark wood bookcases. When I sit there, writing, I have a bright light shining right down on the desk, and it's just me and my computer."

Think about the main categories of work that you do, and start to create rituals around them. The rituals might involve your physical location or the time of day you complete a certain task. For example, you may prefer clearing your inbox while sitting outside on a sunny porch, and prefer doing your Zoom calls in the quiet of your bedroom.

Pro tip: Practice these rituals for at least a couple of weeks. It takes time to get into a flow, but when you do, it will become easier and happen more quickly the more you practice. Your brain will begin to associate cues — like your physical environment and the time of day — with certain types of work.

4) Avoid being 100% booked.

It's easy to assume that the most productive people are booked solid for 100% of their day. However, most of the people I've spoken to have said quite the opposite.

Darren Murph, the head of remote work at GitLab, the world's largest all-remote company, told me that being booked 100% of the time is a huge risk.

"If you have your entire day blocked with meetings, it leaves no room whatsoever for real life to happen. If your child stubs their toe, for example, and you need to address that even for eight minutes of your day, it can have a catastrophic negative impact on your mental health and on the schedules of other people," Murph said.

When you have no free time on your calendar, you leave little room for yourself to have serendipitous conversations, or moments of creativity and inspiration.

Pro Tip: A fully blocked day can give you a false sense of productivity. If your calendar looks full, deliberately schedule time to do nothing. You can use this time as a buffer time for things that run over or unexpected tasks that crop up during the day. Or you can even use it for planned spontaneity – times for unexpected ideas to be sparked.

Productivity isn't about how many hours you work, or how many to-do's you're able to cross off your list. It's about doing what you need in order to work in an efficient and time effective manner. And that starts with being intentional about your day. Don't leave it to chance — use the tips above to get started.


Wednesday, January 20, 2021

Six Habits of Merely Effective Negotiators by James K. Sebenius

Longer read but good article

https://hbr.org/2001/04/six-habits-of-merely-effective-negotiators?utm_medium=email&utm_source=circ_other&utm_campaign=subbenemail_20210117&hideIntromercial=true&tpcc=subbenemail&deliveryName=DM114990


Condensed snippet
  • As the pressure mounts, people often get deadlocked, leave money on the table, or allow conflict to spiral out of control
  • It's to understand the other party's interests and get him to choose what you want—for his own reasons
  • The first bad habit is neglecting the other party's concerns
  • It's tempting to say: "That's the other side's issue. Let them handle it. We'll look after our own problems."
  • But that's not being tough, as some negotiators might think. It's being shortsighted
  • If you don't see the deal from the other side's perspective, you can't solve their problems, which will hurt your chances of solving your own
  • If you want to change people's minds, you need to learn what they're thinking
  • A second bad habit is focusing too much on price
  • The hard-bargaining tactics that many negotiators use often leave potential gains unrealized
  • Even though price is important in deals, it's rarely the only factor
  • Emotional factors are just as important as economics in most deals
  • They focus on four factors besides price:
    • A strong working relationship with the other party
    • Shared expectations about the nature of the partnership
    • A respectful, straightforward, and fair process
    • And the interests of all the players who might affect the deal
  • It's not uncommon for merger negotiations to be torpedoed by people who were not at the bargaining table—such as investors, regulators, or key internal stakeholders
  • A third negotiating pitfall is concentrating too much on where the two parties stand on the issues
  • Skilled negotiators look at the underlying interests that are driving people to take their positions
  • If you see negotiation as a way of reconciling these, you can find solutions that address both parties' concerns
  • Negotiators often strive to craft win-win agreements by searching for common ground
  • Though common ground is generally a good thing, becoming too focused on it can be a mistake. This is the fourth bad habit
  • Differences in priorities are among the most frequently overlooked sources of value in negotiations
  • The fifth bad habit is neglecting your best alternative to a negotiated agreement—what's known as your BATNA
  • Essentially, it's the course you'll take if you decide to walk away from the table
  • The stronger this other option is, the more bargaining power you have
  • The sixth bad habit of negotiators: failing to correct for the biases that may be clouding their vision
  • Research shows that people unconsciously portray their own side as more talented, honest, and moral than it is, while vilifying the opposition
  • This leads to exaggerated perceptions of the other side's positions
  • And such views tend to be self-fulfilling prophecies. If you cling to the idea that the other side is stubborn or extreme, you're likely to trigger that behavior
  • Second, we all have a tendency to interpret information about our position in a self-serving way
  • What can you do to correct your vision? There are a few things
  • First, just recognizing that you're prone to biases will help
  • It's also useful to seek the views of disinterested outside parties
  • And you can readjust your perspective by having some people on your team prepare the strongest possible case for the other side
  • To become a top-notch negotiator—not a merely effective one—you'll need to correct the six bad habits
  • That means you'll take into account the other party's perspective, factors other than price, compatible interests, value-creating differences, the best alternatives on both sides, and any biases that could be skewing your vision

Wednesday, January 13, 2021

Understanding the Cost of a Breach - Wall Street Journal

Interesting quotes and snippets from WSJ Pro Research article by Rob Sloan:

  • The costs involved in resolving an incident can be significant, with research showing costs in the U.S. are more than twice the global average at $8.64 million
  • System downtime following a data breach, ransomware incident or denial of service attack is often the largest single factor in the overall cost of a breach. 
  • The Ponemon Institute's Cost of a Data Breach Report for 2020 is the 15th annual survey detailing the costs associated with cyber attacks that result in a data loss event as a result of a remote cyber attack by a foreign state or criminals, a deliberate theft by a malicious insider, or employee negligence
  • The Ponemon Institute study found businesses with over 25,000 employees incurred average breach costs of $4.25 million, while breaches at organizations with 5,001-10,000 employees actually cost more ($4.72 million). 
  • Breaches that result in the loss of customer data records can more easily be compared than those where the attacker's aim is to disrupt and extort a business. 
  • Over the last 12 months the ransom cost alone has increased steeply to almost $234,000, though some victims are paying seven- and eight-figure ransoms. 
  • Unplanned system downtime can be part of a data breach incident, but is the hallmark of a ransomware attack and is the solitary aim of denial-of-service attacks. Coveware assessed the average system downtime of a ransomware victim in Q3 2020 to be 19 days, an increase of 19% over the previous quarter and up from 12.1 days in Q3 of 2019.
  • Lost business, which includes customer turnover, lost revenue and the increased cost of acquiring new business as a result of the reputational hit taken by the victim, is the single largest cost factor in a data breach--40% of the average total cost representing $1.52 million according to the Ponemon Institute. NetDiligence research puts the figure for lost income for SMEs at an average of $343,000 for breaches that occurred between 2014 and 2018, though the median of $45,000 suggests some very large losses skewed the average costs upwards
  • Perhaps the least public of all attacks are the stealthy operations carried out by nation states. The aim in most cases is to steal trade secrets or intellectual property without being detected and these are among the costs most difficult (though not impossible) to assess. IP can constitute over 80% of a company's value today, but its loss may not cause any financial impact to the victim.
  • Across all companies surveyed, 61% of total breach costs were incurred during the first 12 months, but this fell to 44% of costs in highly regulated industries. Companies operating in the retail, industrial, entertainment sectors (among others) had incurred 92% of costs within two years, while those in the energy, health or financial sectors (among others) incurred 15% of costs after two years. 
  • The negative impact was found to hit a low point around 14 days after the breach announcement, falling on average 7.27%, but had (on average) recovered after six months. The longer term impact (up to three years) was more difficult to establish and research findings differ, though most agree the effect diminished in the long term.
  • There is a lack of research on this subject. Sample sizes of studies tend to be reasonably small and those companies involved tend to be larger. 'Mega-breaches' involving the loss of tens or hundreds of millions of customer records can skew average figures and create substantial differences between mean and median costs. There is no single methodology for estimating costs, meaning different studies can produce very different results. 
Source: Understanding the Cost of a Breach 

Rob Sloan, Research Director, WSJ Pro 

Wednesday, December 30, 2020

Action Item Mgmt. Article via Harvard Business Review

Taming the Epic To-Do List by Allison Rimm

The to-do list can be an indispensable tool when used to mindfully manage your time. But used indiscriminately, you become its servant. To get control of your priorities, you actually need three lists and a calendar. 

List #1 is for important but non-time-sensitive projects. 

List #2 is for items that need to be completed today

The third list is a not-to-do list, to remind you of things you've consciously decided aren't worth your time. 

The calendar is for blocking out time to accomplish important matters on schedule. With your long-term goals in mind, decide which tasks really have to get done — and get done by you. Then, put them on your list — and more importantly, on your calendar. The things that don't need to get done, or done by you, can go on your "not doing" list. Once you get control of your priorities, and recognize that time is a finite resource, you'll feel liberated to focus on what really matters to you.

Thursday, December 24, 2020

SolarWinds collection of articles

Found site/blog by CIEX, Inc.

Updates 2020-12-23

These are listed by date of discovery--some are several days older
  1. SunBurst_DGA_Decode/decode.py at main · RedDrip7/SunBurst_DGA_Decode (GitHub)
  2. Sunburst's C2 Secrets Reveal Second-Stage SolarWinds Victims (tpost)
  3. CISA Warns Agencies of SolarWinds Orion Compromise via Emergency Directive (gcwire)
  4. 'Very, very large' telecom organization and Fortune 500 company breached in SolarWinds hack (scmedia)
  5. NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources > National Security Agency Central Security Service > Article View 
  6. SolarWinds CyberAttack and FireEye Red Team Tools Coverage 
  7. SolarWinds breach raises stakes for NDAA Trump still threatens to veto (fednews)
  8. Erlang Authenticated Remote Code Execution :: malicious.link — welcome 
  9. SolarFlare Release: Password Dumper for SolarWinds Orion (secblvd)
  10. SolarWinds, GitHub Leaks and Securing the Software Supply Chain (secblvd)
  11. It's A Twister! Will SolarWinds Blow Cybersecurity Governance Reform Into The Boardroom? 
  12. All SentinelOne Customers Protected from SolarWinds SUNBURST Attack (bizwire)
  13. "Strategic Silence" and State-Sponsored Hacking: The US Gov't and SolarWinds
  14. Little-known SolarWinds gets scrutiny over hack, stock sales
  15. Top Democrat: 'Critical' that Pompeo brief senators on SolarWinds hack at State Dept. (hill)
  16. FireEye, Crowdstrike enjoy record days as SolarWinds hack leads to soaring security stocks (MarketWatch)
  17. DOE Update on Cyber Incident Related to Solar Winds Compromise (DOE)
  18. Florida Investigating Server Hacking Through SolarWinds Software 
  19. DOD has a leg up in mitigating potential SolarWinds breach, former officials say (FedScoop)
  20. Expert warned 'solarwinds123' password could expose firm: Report (BI)
  21. SolarWinds hack shows we need a 'whole of society' national cyber strategy (hill)
  22. Senators Ask IRS Whether Taxpayer Data Hit in SolarWinds Hack (Bloomberg)
  23. SolarWinds Breach: An RSAC Interview with Dmitri Alperovitch About Who, How and Why (RSA)
  24. FireEye, SolarWinds Breaches: Implications and Protections (eSecurityPlanet)
  25. SolarWinds Scandal Calls Attention to Supply Chain Security 
  26. SolarWinds Should Have Been More 'Vigilant': Palo Alto Networks CEO 
  27. DATA443 RELEASES STATEMENT ON FIREEYE AND SOLARWINDS HACK AND BREACH OTC Markets:ATDS 
  28. Was my workplace hit by SolarWinds hack? FAQ answers. (trib)
  29. The SolarWinds hack, and the danger of arrogance (scmedia)
  30. Qualys Researchers Identify 7+ Million Vulnerabilities Associated with SolarWinds/FireEye Breach by Analyzing Anonymized Vulnerabilities across Worldwide Customer Base (secblvd)
  31. SolarWinds Hack Blamed on Russia: What We Do and Don't Know (Bloomberg)
  32. Continue Clean-up of Compromised SolarWinds Software
  33. Datto Offers All MSPs Free Scanner To Find Signs Of FireEye, SolarWinds Hack 
  34. The Solarwinds breach — What do CIOs need to do now? 
  35. CISA warns that SolarWinds software may not be only entry point in latest breaches - (GCN)
  36. SolarWinds Hack Throws Wrench In Private Equity's Most Profitable Market 
  37. More Hacking Attacks Found, Officials Warn of Risk to U.S. Government (nyt)
  38. CYBER CONFLICT DATASET 
  39. The Strategic Implications of SolarWinds (Lawfare)
  40. Orion Platform - Scalable IT Monitoring (SolarWinds)
  41. SolarWinds MSP To Revoke Digital Certificates For Tools, Issue New Ones As Breach Fallout Continues 
  42. The SolarWinds Compromise and the Strategic Challenge of the Information and Communications Technology Supply Chain (Council on Foreign Relations)
  43. SolarWinds/SUNBURST Backdoor, Third-Party and Supply Chain Security (secblvd)
  44. DOE confirms its systems were compromised by SolarWinds hack (Utility Dive)
  45. Q:CYBER spots lateral movement as used in the SolarWinds (Sunburst) calamity | State (insidenova.com)
  46. Experts say SolarWinds hack could impact Kern County businesses 
  47. Joe Biden Blames Russia For Huge SolarWinds Hack (HuffPost)
  48. Hack Suggests New Scope, Sophistication for Cyberattacks (WSJ)
  49. SolarWinds Hack Victims: From Tech Companies to a Hospital and University (WSJ)
  50. Alex Stamos on Twitter: "There is a long history of "trickle down" effects in cyber, where a technique honed by a major player becomes commonplace. China's 2000s APTs -> Iran/DPRK/teenagers in the 2010s. Stuxnet ->smart ransomware. If supply-chain a
  51. Alex Stamos on Twitter: "@VickerySec So far, all of the activity that has been publicly discussed has fallen into the boundaries of what the US does regularly and what we explicitly excluded from the Obama-Xi deal. If we are going to set new red lines, th
  52. Statement by President-elect Joe Biden on Cybersecurity (President-Elect Joe Biden)
  53. Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) (CISA)
  54. SolarWinds hack continues to spread: What you need to know (CNET)

Updates regarding SolarWinds 2020-12-22 

  1. SolarWinds Adviser Warned of Lax Security Years Before Hack (Bloomberg). From the article: "Thornton-Trump said that in his experience SolarWinds didn't put enough investment into building a cybersecurity culture within the company."
  2. SolarWinds Achieves SOC 2 Type II Certification (orangematter, 2019-06-12)
  3. Understanding "Solorigate"'s Identity IOCs - for Identity Vendors and their customers. (ms)
  4. SolarWinds Hack Victims: From Tech Companies to a Hospital and University (wsj)
  5. SUPERNOVA: A Novel .NET Webshell (paloalto)
  6. Microsoft identifies second hacking group affecting SolarWinds software (cyberscoop)
  7. Microsoft president calls SolarWinds hack an "act of recklessness" (arstechnica) 
  8. Russian hackers hit US government using widespread supply chain attack (arstechnica, from 2020-12-14)
  9. Hackers last year conducted a 'dry run' of SolarWinds breach (yahoo)
  10. Treasury Department's Senior Leaders Were Targeted by Hacking
  11. Cyber-Photokeratitis - Some Thoughts On The Events Associated with UNC2452 (prevailion)

New articles recently discovered, updates 2020-12-21

  1. Billions spent on U.S. Defenses Failed to Detect Hack (nyt) 
  2. Richard Blumenthal: Classified briefing ... left me deeply alarmed 
  3. Second Hacking team targeting SolarWinds (reuters)
  4. FireEye CEO says hack "totally unique" (cbs video) 
  5. DebUNCing Attribution: tracking threat actors
  6. Chris Krebs says officials still tracking scope (msn) 
  7. Biden team and lawmakers raise alarms (wapo video)
  8. Giant U.S. Computer Security Breach Exploited Common Software (Scientific American) 
  9. How U.S. agencies' trust in untested software opened the door to hackers (politico) 
  10. A "do not infect" list from the hack. 
  11. MS Analyzes the DLL, finds second malware (MS) [somehow this failed to get into yesterday's list] 
  12. SolarWinds/SunBurst hash exclusions (googledoc) 
  13. Does SolarWinds change the rules (scmagazine)
  14. SolarWinds Hack is Historic Mess (wired)
  15. Continue Clean-Up of Compromised SolarWinds Software (tripwire) 
  16. MS Says 40 customers hit by ongoing hack (npr) 
  17. A hack Foretold (slate)

    An appropriate comment by Katie Moussouris, founder of @LutaSecurity: "So many illusions of control in these articles written about #SolarWinds No regulation is going to stop this from happening. No new requirements for certifications & attestations of security will make us less vulnerable. Knowing the ingredients in software won't fix it either"

Articles regarding SolarWinds, updated 2020-12-19

  1. A moment of reckoning: the need for a strong and global cybersecurity response (Brad Smith, MS) 
  2. FireEye Threat Research 
  3. Hacker group behind Treasury and Commerce breaches
  4. Hackers spied on US Treasury emails
  5. Hackers have a clever way to bypass multi-factor auth
  6. Dark Halo Leverages SolarWinds Compromise to Breach
  7. ~18,000 organizations downloaded backdoor
  8. Sunburst countermeasures
  9. Active Exploitation of SolarWinds Software | CISA
  10. Exposed FTP Credentials in GitHub Page
  11. Hackers turned SolarWinds' dominance against it
  12. SolarWinds Update Server could be accessed in 2019 with simple password
  13. How hackers outed their massive cyberattack
  14. Disruptive cyber crisis engulfs multiple agencies
  15. SolarWinds 8-K filing
  16. Malicious domain in SolarWinds Hack turned into kill switch (Krebs)
  17. Some Customers And another version of the list
  18. SolarWinds hack could affect 18,000 customers (Krebs)
  19. RedDrip7/Sunburst decode
  20. Hackers behind Sunburst put lots of effort into avoiding detection (from twitter) And Threadreader unroll
  21. Sunburst: Next level of stealth (Reversing Labs)
  22. SolarWinds stock drops 22%; And significant stock sales before hack was announced (The Register) 
  23. SolarWinds Investors sold millions of Shares (exbulletin)
  24. Why the Sunburst attack is so serious (BBC) 
  25. SolarWinds Breach Used to Infiltrate Customer Networks (Infosec Handlers Diary)
  26. Hacking spree apparently reached into Microsoft (Reuters)
  27. I Was the Homeland Security Adviser to Trump. We're Being Hacked. - The New York Times 
  28. Orion IT Management Platform Security Advisory (ServerCentral) 
  29. CISA Issues Emergency Directive regarding Orion The directive
  30. Hackers broke into Federal Agencies, officials suspect (nyt) 
  31. More hacking attacks found (nyt) 
  32. CISA: APT Compromise of Agencies, Infrastructure, Private sector 
  33. Investigators find evidence of new tactics (wapo) 
  34. Steps to take to protect from recent cyberattacks (MS) 
  35. Customer Guidance (MS Security Response Center) 
  36. Nuclear Weapons Agency hacked 
  37. SolarWinds not the only Initial Attack Vector
  38. MS Says that no customer data compromised with MS hack 
  39. MS identifies organizations targeted in attack 
  40. Hackers have been inside Austin city network for months 
  41. VMware Flaw a Vector in SolarWinds Breach? 
  42. The SolarWinds Orion SUNBURST supply-chain Attack (Truesec) 
  43. SolarWinds hackers broke into U.S. cable firm and Arizona county, web records show (reuters)
  44. Hacks Suggest New Scope, Sophistication for Cyberattacks 
  45. SolarWinds Security Advisory
  46. SolarWinds FAQ regarding the Security Advisory