onShore Security

Because Security Gives Us Freedom.

onShore Security CEO Stel Valavanis to Join PDA Cybersecurity Committee

By

Cyberleader and CEO of onShore Security Stel Valavanis has been asked to join the cybersecurity committee of the Private Directors Association, a national non-profit business association with more than 3000 members, including executive board members, company owners, officers of family-owned businesses and more. Its mission is to advocate for and teach board formation and governance and to create a network of business owners and leaders. One of the fastest growing areas of the organization is the cybersecurity leadership team, offering education such as webinars and white papers, as well as offering guidance in long-term strategic planning to improve security posture.

This collaboration will further allow Stel and onShore Security to promote cybersecurity awareness and education at the board level, allowing boards to make better informed and forward-looking decisions regarding security. This understanding is vital not only to improve the value and performance of board members but also to make it clear that security affects every part of an organization and that it should be a board-level concern.

As Stel prepares to join the board, he looks forward to adding his experience and vision to those already working to achieve the forward-thinking goals of the organization. Stel says, “I joined PDA as a member, realizing the need for board development from the various boards I sit on where my cybersecurity background has been valuable. But PDA has a bigger vision, one that provides tools and support on many levels. The opportunity to have an impact is tremendous because the gap in cybersecurity is big. The assembled committee is impressive, making my participation even more of an honor.”

Robert Barr, Co-Chair of the Cybersecurity Committee and Enterprise Strategy Director of Oracle, says, “The Private Directors Association National Cybersecurity Committee is better enabling private company boards to create short and long-term value in tomorrow’s economy while strategically mitigating key risks and driving to healthier margins. We are pleased to welcome Stel aboard.”

For more information about The Private Directors Association, please visit their website. 

onSecurity – Compliance and Security

By

Episode 1: Compliance and Security


onShore Security CTO Steven Kent joins Stel to discuss the intersection of compliance and security. As the author of an oft-cited saying at onShore, “security is a process, not a product”, Steven Kent is the reason that onShore has been able to satisfy the complex needs of clients in the banking industry.

onShore Security Launches New Vulnerability Management Offering

By

onShore Security relaunches vulnerability management services, massively expanding the previously offered service. Vulnerability management is necessary for organizations today and required by all cybersecurity compliance frameworks. This newly launched service goes way beyond standard Common Vulnerabilities and Exposure (CVE) scanning, ingesting policies, configurations, and full cloud assets with an automated continuous scan, all incorporated into our Elastic cluster for correlation. Unlike its competitors, onShore Security’s service includes a monthly analyst briefing. The briefing helps organizations make sense of the findings and provides insights that other providers overlook. On top of that, these features are fully integrated with our Elasticsearch-powered Panoptic SIEM®.

Steve Kent, CTO of onShore Security, said, “By correlating found vulnerabilities with system and network activity, we can prioritize critical patches within specific environments, and help reduce our client’s risk exposure – both in the immediate and long term.”

“This is a complete revamp of our CVMaaS offering,” Stel Valavanis, CEO of onShore Security adds. “Because vulnerability management, beyond just regular scanning, has risen to the level of a required GRC [Governance, Risk, Compliance] process for enterprise, we’ve added continuous scanning and full analytics via our Elastic Stack big data platform. Add to this much deeper inspection of AD, GPOs, Azure configurations, etc., and you get a whole other level of offering that begs for a new name.”

To find out more about this new service, go to www.onshore.com/continuous-vulnerability-management/.

Game-Changing FDIC regulations will make us safer

By

Game-Changing FDIC regulations will make us safer

– Stel Valavanis

Arlington FDIC office

In today’s dangerous world of omnipresent cyber risk, it’s difficult to believe that a banking organization could experience a cyber security incident with no requirement to disclose it. But that has been the case, until now.

The FDIC is enforcing new guidelines beginning this spring  for how information is shared about cyber incidents. The new regulation called The Final Rule states that banking organizations need to notify their primary federal regulator of any significant computer-security incidents as soon as possible and no later than 36 hours after the banking organization has determined that a cyber incident has occurred. 

These notifications are will now be required when incidents have the following attributes:

  • An incident has materially affected, or is likely to materially affect, the viability of a banking organization’s operations
  • The banking organization cannot deliver its usual banking products and services to customers 
  • The incident has the ability to affect the stability of the financial sector

Additionally, the FDIC notes that when it has been determined that a computer security incident has materially affected, or is likely to affect, an organization’s customer base for four or more hours, customers must also be notified. This rule is set to go into effect on April 1, 2022, allowing banks to comply by May 1, 2022. Clearly this is not an easy task even for organizations with more mature cybersecurity, but it is necessary and here’s why.

Proper detection needs to be available in order to comply with these regulations. The notice of a cyber incident cannot be made if the breach is never detected in the first place. Organizations need to deploy necessary cybersecurity to be vigilant of these threats. Even with cybersecurity present, if a breach is made, accurate information needs to be reported to those who can fix it. This information can be used to better protect areas that have shown vulnerability. Data needs to be properly collected, analyzed, and modeled in order to fully understand what a possible attacker may want. Data allows analysts to do forensics and be better prepared for future incidents that may occur.

The faster that these incidents are reported, the less damage an organization, as well as those affiliated with that organization, will suffer. A swift and informed response indicates to customers and shareholders that they are in good hands. Taking control of a cyber incident as fast as possible is crucial. The FDIC implementing this policy is a great step in both highlighting and preventing cybercrime. The more visible these threats are, the more serious organizations will take them.  

Through the implementation of this new rule, increased visibility in the financial space will occur. The knowledge of what data might have been breached and how that affects individuals can lead to more informed decisions by both the consumer and the banks themselves. An emphasis on knowledge sharing can allow organizations to run more effectively. Additionally, this visibility provides information to vendors of these banking organizations. Banks have a variety of vendors that they need to disclose this information to. The faster a bank handles these issues, the faster associated vendors can minimize damage to themselves.

While this new rule appeals directly to customers and vendors, banks themselves may be hesitant about the 36 hour rule. For one, these organizations have reputations to uphold, and a cyber incident occurring could affect how the general public sees them. They have shareholders and large clients that they need to keep happy and a cyber incident could lead to a loss of trust. Additionally, complying to such stringent policies could be a burden on the IT department of these institutions. If an organization’s cybersecurity team is not well structured it could be an overwhelming task. Insurance rates could also dissuade banking organizations from disclosing their incidents. They have incentive to want to keep insurance companies unaware of the possible attacks they have faced. 

This regulation is coming a bit late, frankly the fact that without this regulation a banking organization could have had a cyber incident without disclosing is appalling. I truly believe this regulation will have an impact, these organizations will step up their policies and procedures, hold data longer, and in a more usable way, and perform tabletop exercises to make sure their incident reports are done well. These organizations will provide an even playing field for customers, vendors, and shareholders for they have to make these decisions. Let’s hope we see more smart regulation like this in future.

Photo Attribution: Coolcaesar at English Wikipedia

Greater Security Enforcement is Leading to New SEC Fines

By

SEC Seal

Greater Security Enforcement is Leading to New SEC Fines –
What You Need to Know Now…
– Stel Valavanis, CEO of onShore Security

 

Notable Ransomware Attacks are Prompting Increased Accountability

Announcements this past summer have made it clear that the US Government, and particularly the executive branch, is taking ransomware seriously. This move is unsurprising, as attacks such as SolarWinds and the Colonial Pipeline attack demonstrated the risk that hackers pose to our national security and infrastructure. Supply chain attacks proved that high profile targets mean high levels of risk and greater amounts of collateral damage upon attack. Executive orders issued by President Biden and announcements by the SEC should be inspiring corporate cybersecurity stakeholders to make real changes and additions to their security operation, especially as the SEC is expected to make important proposals in Q4, creating legal precedent for disclosure issues that are already proving to be a legal vulnerability to companies and their leaders. 

Disclosure Rules

The disclosure issues that companies are currently having are, most notably, ill-advised intentional non-disclosure. In August of 2021, the SEC announced 8 brokerage firms and business entities that would be subject to large fines for failure to disclose breaches. Specifically, the SEC found that the firms violated “ Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.” Two of the firms were also found to be in violation of Rule 206(4)-7, a rule relating to notifying clients about a breach. Essentially, they were fined for doing what many companies have gotten away with in the past: failing to stop a breach and then trying to hide that fact from their clients (and investors). The firms were censured, ordered to pay fines, and warned to cease and desist from future violations. These enforcement measures will likely be only the opening salvo of enforcement action by the SEC and other new precedents will be set as violations are announced and prosecuted.

Corporate Leaders Being Held Responsible

Not only does this new enforcement put companies and their ability to do business at risk (of being noncompliant and facing enforcement), but also puts at personal risk the cybersecurity leaders responsible for making security decisions at the highest level. In the case I’ve referred to, fines are being levied specifically for failure to follow the companies’ own cybersecurity policies surrounding multi-factor authentication. Public record and information for investors included this policy, requiring MFA whenever possible, but it was found that MFA was not in place before or after the undisclosed breaches. As the information regarding cybersecurity policies in place at the firms are part of the information investors use to make their choices regarding the company, it frames the coverup and further inaction as either negligent or intentional fraud. 

CISOs Beware

As a company faces actual enforcement, it will be in its interest to prove that the company itself is not at fault and to use its CISO as a scapegoat, whether or not they actually were negligent in the operation. CIOs and CISOs will have to protect themselves from their own organizations as well as from potential civil cases to be brought against them personally. 

It will become clearer in Q4 and the future what the SEC will do to enforce transparency for public companies and accountability for the leaders of those companies. A distinction will be made between security that actually protects information and customers and security operations that merely give the impression of effort.

312-850-5200

216 W. Jackson Blvd.
Chicago, IL 60606

info@onShore.com