onShore Security

Because Security Gives Us Freedom.

Everyone is a target for a cybercriminal

By

The following is an interview by the team at Cybernews. The original posting is available at Cybernews.

Stel Valavanis - CyberNews

Stel Valavanis, onShore Security:
“everyone is a target for a cybercriminal”

Recent global events negatively affected the cyber landscape, urging companies to search for the best ways to shield themselves from various cyberthreats.

Many enterprises, especially small businesses, still believe that they won’t be affected by cyber attackers. After all, cybersecurity requires investment, making it easier to rather stay unprotected and save money. However, if a cyberattack hits – huge financial losses are one of the main consequences.

Implementing cybersecurity solutions, such as managed security services, is never a mistake and should rather be prioritized.

To better comprehend the importance of cybersecurity, its solutions, and potential threats for businesses, we invited Stel Valavanis, the CEO and Founder of onShore Security – a company that offers managed security services.

What was the journey like since your launch in 1991? How did the idea of onShore come to life? 

Since launching in 1991, and even before onShore existed as a proper company, I’ve been involved in almost every part of Internet service. At one point in the company’s history, we started an ISP business practically overnight to serve clients that would otherwise have experienced a loss in their Internet service. The biggest part of our journey has been our complete shift to security, which began in 2015 and has been what drives us ever since. It was becoming clear that it was the most important thing not only for our clients but for the well-being and freedom of the Internet at large.

Can you tell us a little bit about what you do? What industries do you mainly work with?

Our main service is called Panoptic Cyberdefense. Panoptic means “all-seeing” and that is what we strive to do. Our service monitors your entire network and we ingest data from as many of your systems as we can to develop a full-picture view of your network operations. This data is analyzed and correlated by our expert analysts and then used to further refine your security, detect any anomalies or bad actors, and discover vulnerabilities before they can be exploited. 

One of the industries that we’ve specialized in working with, and these clients were a big part of why we’re focused on security, is banking. It’s perhaps not surprising that they would have high-security standards as they retain valuable data and are considered a profitable target, but they are also subject to regulations that often act as a bellwether for future regulations in other industries.

Similarly, charged with retaining valuable data, providing uninterrupted service, and complying with regulation and oversight, our other main industries are healthcare organizations, educational institutions, and construction firms.

You state that it takes more than just technology to protect your network. Would you like to share more about your approach?

One of the founding principles at onShore Security has been the importance of the human element in technology. The human cannot be automated out of the loop if security is to be up to the highest standards. Augmenting the continuously evolving automation and machine learning, the core of our company are our security analysts who use their experience, intuition, and creativity to correlate data from a network and see things that a computer cannot. This work by our analysts is often the difference between failure and success for bad actors.

How do you think the pandemic influenced the cybersecurity industry? Were there any new features added to your services as a result?

The pandemic sent many offices home and without much warning. Many companies likely had some remote work policies and supporting security measures in place, but not at the scale that the pandemic made remote work vital to business continuity. Short-term, crisis mitigating measures were put in place that are no longer sufficient, and will not be in the long-term future either. Our company shifted to remote-first at the outset of the pandemic, putting into place proper security to allow our company to be fully operational, with the safety of working out of our office. As we developed these systems, we’ve found that working remotely and setting policy to assume remote work as the standard has actually strengthened our security and increased adherence to security policy. 

As the networks that our clients work on pivot towards being distributed for remote work, our services continue to adapt. Things like multi-factor authentication and better VPN access were immediately in greater demand, but we’re finally seeing a significant shift towards a more advanced EDR offering, as well as more advanced vulnerability management offerings, and in general, something closer to a zero-trust approach over time. We’re finally seeing more organizations get serious about their security policies.

We love this because we’ve been arguing about this approach for a long time. It gives us far greater visibility into clients’ networks and at the same time, raises security posture.

Why do you think certain organizations push cybersecurity to the background, despite the growing rates of cybercrime?

Some organizations still believe that they are not the kind of organization that would be considered a target for cybercrime, but unfortunately, this is wishful thinking. Our experience shows that everyone is a target and bad actors expend so little effort in attacks that they don’t have to be choosy about targets.

Many companies see cybersecurity as a large investment and instead opt to remain in danger and hope for the best, though industry regulation is inspiring most companies to at least comply with basic security regulation.

I believe that many larger companies falsely assume that they are protected from harm because they have cybersecurity insurance policies. While cybersecurity insurance is certainly a helpful thing to have in case of a cyberattack, it does not begin to cover the cost of the disruption and impact of a cyberattack, nor will it fix the underlying problem of weak cybersecurity posture. There are growing implications outside of the organization that will not be addressed by insurance coverage, such as impact to clients, vendors, trade secrets, and other things that are susceptible.

Even though it may seem that large organizations aren’t being put out of business by cyberattacks, the damages are way more wide-reaching than is commonly understood. Of course, having proper protection in the first place is a good way to avoid much of this threat and to be ready for what new threats emerge.

We expect insurance companies to enforce much stricter requirements on their clients’ cybersecurity posture in the future and this will likely change the way things are done.

In your opinion, what are the worst cybersecurity habits that can do serious damage to one’s company?

At every level of the company, one of the biggest vulnerabilities to your cybersecurity is your employees. Employees often have bad habits when it comes to cyber hygiene, things like opening suspicious emails, ignoring password policy, and other little things that are the responsibility of all employees. These little things can be the cause of a large, damaging cyberattack. Management and remediation of bad security hygiene is a very quick, easy, and cost-effective process that your organization can undertake that will make a difference immediately. Having proper security policies in place, training for all employees, and a way to detect compliance reduces this threat to your office.

The other bad habit is when people assume that the Cloud is inherently secure or safer. Ever hear the saying that “the cloud is just someone else’s computer”? Well, it’s true and your lack of visibility into the security of your cloud provider may actually make you less secure. This assumption of security seems to extend to many vendors, and it’s a reason we’re always trying to highlight vendor risk management as a vital security tool.

As remote work becomes the new normal, what are some of the best practices organizations should follow to ensure secure operations?

Security is a process, not a product. The process should be dictated by, and to a good extent encoded in, policy. Developing and tuning your policies and procedures will give you the biggest bang for your buck.

One policy practice is to implement multi-factor authentication wherever you can on your network. This will ensure that your employees will only have access to the parts of your network they need and when they need it. Tools, such as authenticator apps and hardware keys, add this layer of security. Another important policy for remote workers is to maintain the same good security hygiene that they would at the office. A good data management policy for the office should be followed strictly at home as well. Clean desk, clean screen policies should still be in place and internal communication should be restricted to secure channels. Out-of-band communications should be deterred whenever and wherever possible.

In your opinion, what kind of threats can we expect to see more of in the next few years? What actions can individuals take to protect themselves?

Especially considering current events in the news, there is reason to believe that attacks deriving from foreign state-funded sources will continue and may grow in scope. It’s worth remembering that some of this visible growth was unintentional and actually caused the downfall of several hacking entities. I believe that world events, such as war, climate change, and future global pandemics, will be a big source of threat to nation-states, so expect increased espionage and even something like a cyber cold war which one could argue we’re already in.

Cybercrime will continue to grow and sophistication will increase. As the gap between proper defense and most companies’ security posture slowly closes, hackers still have a wide berth of vulnerability in which to attack. Expect attacks to increasingly occur in the form of carefully considered disruptions, such that backup practices are no longer adequate for recovery. Expect the criminal financial ecosystem to become more resilient to law enforcement investigations. Expect new forms of monetizing cyberattacks, such as blackmailing for disruption or attacking weaker parts of the supply chain.

Regulations will continue to grow and compliance will be a much larger part of your organization’s workload.

The role of cybersecurity insurance is going to change. We’ve already seen the cost of insurance policies grow by multiples. Insurance companies will become stricter about qualifications for insurance policies in the first place and for claims.

And finally, what’s next for onShore?

We continue to develop our product to meet the security demands of our clients and the business world. Our Panoptic Cyberdefense platform evolves as our clients’ networks change and we have bolstered our other offerings, such as our newly re-engineered Continuous Vulnerability Management service.

New regulations will mean new priorities for our clients, and we are planning and preparing to lead their organizations through the increasingly dense web of compliance.

We are also constantly considering new best practices and providing thought leadership in the security space. For example, we’ve been part of a growing call for zero-trust practices in cybersecurity, which is especially relevant in this new normal.

Digital Warfare in Ukraine and Abroad

By

onShore Security CEO Stel Valavanis joined WTTW’s Chicago Tonight on the evening of March 2nd, 2022 to discuss reported cyberattacks in Ukraine, domestic cybersecurity, and the future implications and growing concern of cyberwarfare.

Greater Security Enforcement is Leading to New SEC Fines

By

SEC Seal

Greater Security Enforcement is Leading to New SEC Fines –
What You Need to Know Now…
– Stel Valavanis, CEO of onShore Security

 

Notable Ransomware Attacks are Prompting Increased Accountability

Announcements this past summer have made it clear that the US Government, and particularly the executive branch, is taking ransomware seriously. This move is unsurprising, as attacks such as SolarWinds and the Colonial Pipeline attack demonstrated the risk that hackers pose to our national security and infrastructure. Supply chain attacks proved that high profile targets mean high levels of risk and greater amounts of collateral damage upon attack. Executive orders issued by President Biden and announcements by the SEC should be inspiring corporate cybersecurity stakeholders to make real changes and additions to their security operation, especially as the SEC is expected to make important proposals in Q4, creating legal precedent for disclosure issues that are already proving to be a legal vulnerability to companies and their leaders. 

Disclosure Rules

The disclosure issues that companies are currently having are, most notably, ill-advised intentional non-disclosure. In August of 2021, the SEC announced 8 brokerage firms and business entities that would be subject to large fines for failure to disclose breaches. Specifically, the SEC found that the firms violated “ Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.” Two of the firms were also found to be in violation of Rule 206(4)-7, a rule relating to notifying clients about a breach. Essentially, they were fined for doing what many companies have gotten away with in the past: failing to stop a breach and then trying to hide that fact from their clients (and investors). The firms were censured, ordered to pay fines, and warned to cease and desist from future violations. These enforcement measures will likely be only the opening salvo of enforcement action by the SEC and other new precedents will be set as violations are announced and prosecuted.

Corporate Leaders Being Held Responsible

Not only does this new enforcement put companies and their ability to do business at risk (of being noncompliant and facing enforcement), but also puts at personal risk the cybersecurity leaders responsible for making security decisions at the highest level. In the case I’ve referred to, fines are being levied specifically for failure to follow the companies’ own cybersecurity policies surrounding multi-factor authentication. Public record and information for investors included this policy, requiring MFA whenever possible, but it was found that MFA was not in place before or after the undisclosed breaches. As the information regarding cybersecurity policies in place at the firms are part of the information investors use to make their choices regarding the company, it frames the coverup and further inaction as either negligent or intentional fraud. 

CISOs Beware

As a company faces actual enforcement, it will be in its interest to prove that the company itself is not at fault and to use its CISO as a scapegoat, whether or not they actually were negligent in the operation. CIOs and CISOs will have to protect themselves from their own organizations as well as from potential civil cases to be brought against them personally. 

It will become clearer in Q4 and the future what the SEC will do to enforce transparency for public companies and accountability for the leaders of those companies. A distinction will be made between security that actually protects information and customers and security operations that merely give the impression of effort.

The Ransomware Economy is in the Spotlight and Hackers are Feeling the Heat

By

The Ransomware Economy is in the Spotlight and Hackers are Feeling the Heat
– Stel Valavanis, CEO of onShore Security

Ransomware is hot. In 2020, it grew by 336%, with more than 370 million dollars in cryptocurrency paid to hackers and the “vendors” that support them. Ransomware is driving the cybercrime economy and helping it to grow, but it might also be its biggest problem.

From Solitary Attackers to Enterprise Operations

Ransomware has historically had the benefit of a reputation as a cottage industry, with the image of an attacker still being that of a lone black hat in a dark basement, but in reality, cybercriminals have the capability of  large, legal businesses, with access to a whole ecosystem of supporting vendors, franchise opportunity, and services specialized to allow what is being referred to as “ransomware as a service”. This empowers the criminals to target bigger organizations for bigger payouts and, while individuals may feel safer these days, it is actually even more likely to be hit by ransomware, and more likely to be affected when others get hit. The collateral damage, such as gas shortages, increases with the size (and importance) of the targets.

As ransomware gangs set their sights higher, attacking large organizations instead of individuals, their targets have begun to include assets that are under government protection and oversight. Government agencies have a vested interest in investigating and prosecuting such attacks. Ransomware is hot but, in fact, may be too hot. 

Enormous Capacity to Wreck Havoc and Gain Unwanted Attention

The recent attack on the Colonial Pipeline by the group known as DarkSide, for example, had a major impact on US infrastructure, specifically our energy and oil supply, and opened many eyes to the real danger that ransomware attacks pose. The scale of the attack made it reasonable to categorize the attack as terrorist activity and attract the additional scrutiny and interest that the terrorism label carries. Criminal hackers, who assumed the safety of obscurity, feared the level of attention and response an attack such as this might bring on the entire cybercrime ecosystem. This event itself precipitated calls for “moderation” amongst cyberattacks and a quick ban on discussion of ransomware on the forums where cybercriminals meet, discuss tactics and targets, and trade illegal tools and stolen information, in an attempt to avoid the attention that ransomware attacks have started to garner.

Because suppliers represent exposure, many criminal gangs are moving to end their outsourcing and do everything privately, “in-house”. The current “affiliate” model, by which criminals franchise their operation, offering their tools for a cut of the profit, may soon go away as it poses too much risk as legal and governmental agencies develop their understanding of the ecosystem and adopt more direct tactics to shut the many different parts of the ransomware machine down.

Evolving Ever More Dangerously Underground

Cybercriminals survive by being willing to adapt and it’s policy they’re responding to. The ransomware industry has grown quickly because it has had the room to do so, making moves that would typically be too risky for a criminal enterprise. Ransomware has become big business, with many of the same organizational risks that legitimate businesses face as they grow their operation. As ransomware operations change, we must not presume their death. Even DarkSide survived their moment in the spotlight, turning to a classic public relations maneuver for a company faced with scandal: they rebranded. The new “brand”, Black Matter, is following the new rules of engagement that President Biden tried to set at recent meetings with Russian leader Vladimir Putin. Black Matter is reported to be avoiding targets that are part of the U.S. infrastructure, and so it seems some of Biden’s cyberdiplomacy is working. 

A scarier shift is that some of these entities are testing out new technology as they change their focus. While criminal hacking gangs have historically been relatively unsophisticated in their technique, using lightweight, off-the-shelf (literally purchased) programs, the Hafnium attack and others display a potential for much greater attack capability, elevating the threat of many of these groups beyond petty cybercrime to cyberwarfare and cyberterrorism.

Putting Pressure on Nation State Support

Up to now, the majority of criminal hackers attacking the United States have done so from the safety of our adversaries, within Russia, China, and other countries, often unobscured, sometimes working in official capacities as government agents or members of the military, other times with less explicit support. The operations of these cybercriminal cells is covered up enough to offer their host country plausible deniability for anything that comes of out of the shop, and the hackers have historically been left alone or even protected by their home government, as long as they follow two simple rules: Don’t attack at home (often leaving the US as the main target) and don’t make too much noise. 

As the US starts to do some of the more basic footwork to stop ransomware (as seen in the effort to recover the ransom from the Colonial Pipeline attack), there will either have to be a greater effort on host countries to police the cybercrime in their jurisdiction, or they will have to do a better job of covering up their connections to the criminals. The cybercriminal world leaves much of their work visible to the public, relying on the lack of scrutiny to operate in the open. As the US government turns its sights on cybercrime, the preparation and effort put into tracking threats, stopping attacks, and improving our security posture puts pressure on cybercriminal gangs, and the state actors behind them, to stop attacks on the US government and people. We shall see if what doesn’t kill them makes them stronger.

Photo credit: KELA

312-850-5200

216 W. Jackson Blvd.
Chicago, IL 60606

info@onShore.com