August 24, 2022

Cybersecurity Press Coverage – Kevin Novak, Managing Director, Cybersecurity, Breakwater Solutions

8/25/20 – Security Magazine

“Twitter lacks cybersecurity & data privacy best practices, says ex-security chief”

Whether you cut your teeth on Mainframes or Commodores, Windows or Solaris, there is no doubt you know the name “Mudge”; his reputation precedes him across the globe, among technologists and hackers alike. He’s known not only for his technological and security know-how but also for his appreciation of what is, and more importantly what is not, a material cyber threat. It should come as no surprise, then, that security practitioners around the world are challenging Twitter’s allegation that Peiter “Mudge” Zatko was let go for poor performance rather than for openly painting a less than stellar picture of Twitter’s cyber practices to his Board of Directors, in defiance of his management’s wishes.

The role of the Chief Information Security Officer (CISO) has changed considerably over the last decade as it has been thrust out of the back room and into the board room. CISOs today are challenged with wearing an array of differing functional hats that range from Legal to Marketing, to Technology, to Physical Security, to Privacy and Compliance, to Human Resources. They are required to speak the most technical language when managing in the trenches and shift on a dime to provide cyber risk and financial loss analysis to Board Members. Further, CISOs have now been thrust into the world of personal accountability, with threats of prosecution when they don’t do ENOUGH to force cyber change internally, as with former Uber CISO Joe Sullivan, who was recently charged with obstruction by U.S. Prosecutors. While I’m certainly not in a position to comment on whether Joe Sullivan acted inappropriately, the challenge for most CISOs when it comes to reporting major concerns is that most CISOs have only a perceived degree of independence.

The fact is, most CISOs go out of their way to shine a light on the insecurities that threaten an organization and its clients, and good CISOs even craft their message in terms that business executives understand: the potential for Lawsuits, Financial Fraud, Damage to Reputation, Loss of Operations, Government Sanctions, and Regulatory Scrutiny, to name a few. But bringing those messages to your manager, Sr. Executives, or the CEO is very different from answering openly and transparently to the Board of Directors, particularly when you’ve been discouraged from doing so by your management team.

Speaking candidly, openly, and transparently to the board is often considered “career limiting,” and you’ll often hear CISOs use language like: “I’m aligned with my manager, and we’re working through any challenges we’ve encountered.” So CISOs often have to choose between evils when facing the dissonance of knowing that their firm is acting recklessly: they can quit; they can speak openly and honestly, then face termination for not being a team player or, more likely, for “poor performance”; or they can blow the whistle. None of these options is very appealing to the CISO, as each has a profound impact on their professional career, but these are choices that CISOs around the world face regularly.

It’s the reason that many regulators and regulatory doctrines have begun encouraging more independence for the CISO: reporting directly to the Board or CEO, and not through a litany of management that might change the message before it can be heard by those who hold a fiduciary duty to protect not only their own firm but the public at large.

Time will tell when it comes to the case of Twitter vs. Mudge, but our hope is that the bad practices it elucidates bring positive change to the industry and help CISOs going forward.

8/24/22 – InformationWeek

“DevOps and Security Takeaways From Twitter Whistleblower’s Claims”

An organization such as Twitter probably has guidelines for how to handle data that is the most critical and personally identifiable, says Kevin Novak, managing director of cybersecurity with Breakwater Solutions. Such policies might say access is provided on a “need-only” basis, he says, but Zatko’s concerns put Twitter in the spotlight, especially if more people than necessary have access to information they do not need. “They could influence that information, access that information, change processes about how it is used,” Novak says. “It’s just over-empowering.”

There is pressure on developers, Novak says, to update and deliver products through constant iterative development. “There’s that constant push for developers to have free rein to be innovative,” he says. This can lead to enterprises taking risks and granting developers carte blanche. “It’s really why you need a really robust, secure software development lifecycle set of guidelines and principles,” Novak says.

Governance that allows for free rein within certain guardrails, he says, is necessary for companies. This can let developers work in an agile, innovative environment in a way that does not violate certain principles. While such practices seem simple enough to follow, there may be temptations to move as fast as possible regardless of possible risks. “Companies that don’t put those governance guardrails in place are just trying to get their market share, because they recognize that speed to market has become a critical component of being able to gain market share,” Novak says.

8/3/22 – ISS Source

“Cost of Data Breach Over $15M: Report”

“Small to mid-sized businesses (SMBs) are particularly susceptible, and very financially exposed, to threats today,” said Kevin Novak, managing director at security provider Breakwater Solutions. “To compete, they are being forced to deliver technological capabilities that rival their larger competitors, but they simply don’t have the benefits of scale that those larger companies have to support that technology. In fact, we often see SMBs without any formalization of cybersecurity within the enterprise yet maintaining a significant online presence.

“Often, when thinking about cybersecurity, an enterprise will consider things like data being leaked, or bank accounts being compromised. Their decision making around these threats leads to only partially informal decisions about loss appetite. They fail, unfortunately, to consider many of the other aspects of cyber risk including cyber events that, for instance, create operational downtime or a complete unrecoverable loss of company data,” Novak said.

Kevin Novak, Breakwater Solutions, said the fast and easy transition to public cloud providers such as Google Cloud, Microsoft Azure, and Amazon Web Services provides a false sense of security to many organizations.

“While in-house, captive data centers are certainly not immune to accidental misconfigurations (particularly as it pertains to things like leaving remote access portals accessible through the firewall), these environments have been around much longer, and the hardening of these environments tends to be slightly more well-understood,” Novak said.

Novak advised organizations to “enforce mature, tested security controls and governance protocols” to avoid becoming the next news item.

3/24/2022 – CPO Magazine

“Hacking Group Claims It Compromised Authentication Services Provider Okta; Causing Widespread Concern Over Security Breach”

Though it is not clear if Okta has accurately represented the security breach, its authentication services clients should certainly hope that it has, given that LAPSUS$ issued a statement saying that it is “only” focusing on Okta clients at the moment. Kevin Novak, Managing Director for Breakwater Solutions, notes that this puts these companies in a difficult position: “Of major concern to all is: ‘what then?’ If the Okta environment is compromised, companies can’t simply flip a switch and authenticate/authorize on a different platform. These are embedded platforms that require time to swap … While some have made conjectures about whether this hack contributed to another breach here or there, it would seem that a full compromise of Okta’s backend would have become far more obvious by now, but we’ll see more over the next few months.”

3/22/2022 – Channel Futures

“Lapsus$ Hacking Group Reportedly Hits Microsoft, Okta”

Kevin Novak is managing director at Breakwater Solutions. He said if the compromise involved a successful assault on client information, such as client credentialing, key materials or source code pertaining to environments that may lead to client compromises, then Okta may suffer much greater scrutiny from the field for its “lack of adequate, timely notification of the event.”

“Security professionals around the world are debating the list of compromise possibilities based on the pictures posted about the hack, but no definitive word has been shared by Okta,” he said.

If hackers compromised Okta’s environment, companies can’t “simply flip a switch” and authenticate/authorize on a different platform, Novak said. Embedded platforms require time to swap.

“While some have made conjectures about whether this hack contributed to another breach here or there, it would seem that a full compromise of Okta’s backend would have become far more obvious by now, but we’ll see more over the next few months,” he said.

3/22/2022 – Threatpost

“Lapsus$ Data Kidnappers Claim Snatches From Microsoft, Okta”

Kevin Novak, managing director of Breakwater Solutions, suspects that the scope of Okta’s backend breach is likely limited. Otherwise, given Okta’s massive customer base, we’d likely know it by now. “While some have made conjectures about whether this hack contributed to another breach here or there, it would seem that a full compromise of Okta’s backend would have become far more obvious by now, but we’ll see more over the next few months,” he said.

“If … the compromise involved a successful assault on client information, such as client credentialing, key materials, or source code pertaining to environments that may lead to client compromises, then Okta may suffer much greater scrutiny from the field for its lack of adequate, timely notification of the event,” Novak noted.

3/21/2022 – MSN

“Biden warns Americans are at high risk of Russian cyberattacks after Ukraine invasion: What you should do right now”

With technology delivering so many of our basic needs, those repercussions can be wide-ranging, from supply shortages at your local grocery store to widespread power outages, says Kevin Novak, managing director of security firm Breakwater Solutions.

“So while at the moment I do not believe that private U.S. citizens should cower in fear over Russia’s capability of adversely impacting them via cyberattacks, it is reasonable to expect that their lives will be impacted in some ways by cyber retaliatory actions that result from U.S. sanctions and other political maneuvering,” Novak said.

3/9/2022 – Express

“Is Russia launching cyber attacks? How Ukraine faces battle on TWO fronts”

Speaking to US magazine The National Interest, Kevin Novak, managing director of Breakwater Solutions, a cybersecurity firm, said Russia has chosen to go “kinetic” first.

Any pursuit of cyber warfare won’t have nearly the same commitment, designed “purely” to complement the initial assault.

Mr Novak explained the cyberattacks would work to “debilitate” Ukrainian military capabilities and lay the ground for eventual surrender.

In this case, an online campaign would pick at Ukraine’s financial system and attempt to shift public favour in Russia’s direction.

The country could also use attacks to “compensate for sanctions imposed globally against Russia”, Mr Novak added.

Their latest activities have seen them accomplish what Mr Novak suspected Russia might attempt.

3/6/2022 – The National Interest

“Why Hasn’t Russia Launched a Major Cyber Attack Against Ukraine?”

“I am not a strategic military analyst, but from what I’ve seen, Russia has already gone kinetic—they have boots on the ground,” explained Kevin Novak, managing director of cyber security firm Breakwater Solutions.

“The use of cyber-attacks will be purely complementary,” Novak said via email. “They will be used to debilitate Ukraine’s military capabilities, create economic pressure to surrender, and shift public opinion in their favor. It may also be used as a means by which to compensate for sanctions imposed globally against Russia—something that will not be confined to Ukraine alone. Several news reports have already cited seven to eight times increases in Russian-based phishing attacks around the world over the past week.”

….

Experts note that while the Ukrainian military was focused on countering the invading Russian forces on the ground, the government was also prepared to protect the country from cyber threats. “I’m quite certain that Ukraine is doing all it can to defend against Russia and is undoubtedly employing cyber defenses in a similar fashion, as best it can,” said Novak. “We’re also seeing allies – possibly public, and definitely private—to both sides entering the ring, and at least from a cyber perspective, we may be looking at a more global initiative.”

It is also possible that Russia may have already gained a foothold into other Ukrainian public and private sector entities that simply haven’t been detected yet. “I suspect we’ll see more over the coming weeks,” Novak continued. “Russia may also be gauging public opinion and political backlash from their actions so far, or they may somehow be impaired. That is a good question for our intelligence community.”

3/1/2022 – WBZNewsRadio

“Americans Now At Higher Risk Of Russian Cyberattacks – Here’s What To Do”

Nayyar said it’s unlikely that cyber attackers would target Americans individually, but noted that “the reality is that any cyberattack can have repercussions on individuals,” which Kevin Novak, managing director of security firm Breakwater Solutions, told USA TODAY includes a wide range of problems such as supply shortages at grocery stores caused by power outages.

“So while at the moment I do not believe that private US citizens should cower in fear over Russia’s capability of adversely impacting them via cyberattacks, it is reasonable to expect that their lives will be impacted in some ways by cyber retaliatory actions that result from US sanctions and other political maneuvering,” Novak said via USA TODAY.

2/28/2022, Updated 3/21/22 – USA Today

“Biden warns Americans are at high risk of Russian cyberattacks after Ukraine invasion: What you should do right now”

With technology delivering so many of our basic needs, those repercussions can be wide-ranging, from supply shortages at your local grocery store to widespread power outages, says Kevin Novak, managing director of security firm Breakwater Solutions.

“So while at the moment I do not believe that private U.S. citizens should cower in fear over Russia’s capability of adversely impacting them via cyberattacks, it is reasonable to expect that their lives will be impacted in some ways by cyber retaliatory actions that result from U.S. sanctions and other political maneuvering,” Novak said.

2/9/2022 – SC Magazine

“One-third of employees who quit their jobs take company IP with them”

Part of the difficulty companies have in detecting insider threats is that they are dealing with individuals who have been granted legitimate access to the data they are exfiltrating, said Kevin Novak, managing director at Breakwater Solutions.

Novak said security programs for most firms are designed to protect the confidentiality, integrity, and availability of data from individuals who don’t have legitimate access. He said that to understand whether a legitimately entitled individual is stealing data or otherwise violating policies or employment agreements, an enterprise must have the following:

Data classified (manually or automatically).
Entitlements clearly defined so that it’s understood what data an individual should have access to, and what actions that person can perform with that data.
Tools and protocols in place to prevent that person from performing actions that are contrary to their designated level of entitlement. This often comes down to simple detect/hold technologies like DLP tools, and more sophisticated tools that detect anomalies in an individual’s behavior: they try to download an entire list of client records, even though they normally only look at one record at a time.
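The third item above describes behavioral anomaly detection on an entitled user. The following is an added example, not code from the article or from Breakwater Solutions: it parses a constructed record-access log, computes each user’s own records-per-session baseline, and flags a session that exceeds either an assumed per-session entitlement cap or a multiple of that baseline (the “entire list at once” case). The log format, cap values and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log, one "<timestamp> <user> <session> READ <record>" line each.
# alice normally reads one or two client records per session; session s4 reads twelve.
SAMPLE_LOG = [
    "2022-02-09T09:00:01 alice s1 READ client/1042",
    "2022-02-09T09:05:10 alice s2 READ client/2231",
    "2022-02-09T10:00:00 alice s3 READ client/3310",
    "2022-02-09T10:00:02 alice s3 READ client/0077",
    "2022-02-09T09:00:00 bob s9 READ client/5555",
    "2022-02-09T09:00:30 bob s9 READ client/5556",
] + [f"2022-02-09T11:30:{i:02d} alice s4 READ client/{i:04d}" for i in range(1, 13)]

# Assumed entitlement: maximum distinct client records a user may read per session.
ENTITLEMENT_CAP = {"alice": 5, "bob": 5}


def parse_sessions(lines):
    """Group the distinct records read by each user in each session."""
    sessions = defaultdict(lambda: defaultdict(set))
    for line in lines:
        _ts, user, session, action, record = line.split()
        if action == "READ":
            sessions[user][session].add(record)
    return sessions


def session_baseline(user_sessions, exclude):
    """Median records-per-session for one user, ignoring the session under test."""
    counts = [len(r) for s, r in user_sessions.items() if s != exclude]
    return median(counts) if counts else None


def detect_bulk_access(lines, caps, multiplier=5, min_history=2):
    """Return one alert per session that breaches the entitlement cap or the
    user's own baseline (only when enough prior sessions exist to form one)."""
    alerts = []
    for user, user_sessions in parse_sessions(lines).items():
        for session, records in user_sessions.items():
            n = len(records)
            reasons = []
            cap = caps.get(user)
            if cap is not None and n > cap:
                reasons.append(f"{n} records exceeds entitlement cap {cap}")
            base = session_baseline(user_sessions, session)
            history = len(user_sessions) - 1
            if base is not None and history >= min_history and n > multiplier * base:
                reasons.append(f"{n} records vs baseline median {base:g}")
            if reasons:
                alerts.append({"user": user, "session": session,
                               "records": n, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(SAMPLE_LOG, ENTITLEMENT_CAP):
        print(alert)
```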

1/28/2022 – HelpNetSecurity

“Healthcare industry most common victim of third-party breaches last year”

Kevin Novak, Managing Director, Breakwater Solutions: “By attacking third parties, attackers gain the benefit of hitting an aggregated target; particularly when they can compromise the product being provided by that third party…a software package that then gets distributed to end-users for instance. It’s no wonder why the supply-chain vector has increased so broadly as a preferred target of cyber-attacks. Suppliers are data rich and have significant impetus to pay ransoms lest they lose customers who are paying for their services to remain online and for their data to remain secure.”

“While it is certainly the case that some ransomware attacks are all about ransom and quick returns, a sizeable percentage of ransomware attacks have a more protracted lifecycle that includes deployment of a ransomware across the enterprise, but also includes other objectives too. In these cases, attackers will attempt to find opportunities to commit fraud or exfiltrate data, leaving ransomware as a final parting gift.”

“Whereas ransomware, phishing, unauthorized network access, malware (ransomware being a type), zero-day vulnerabilities, etc., are all methods, these attacks are not all perfectly detached from one another. A phishing attack may lead to unauthorized network access, which might lead to discovery and exploitation of a zero-day vulnerability, that leads to account compromise, that finally gives an attacker the ability to deploy ransomware throughout the organization. Sometimes there are fewer steps in the process (phishing that self-propagates ransomware enterprise-wide), but this often isn’t the case.”

1/18/2022 – TechNewsWorld

“Data Breaches Affected Nearly 6 Billion Accounts in 2021”

Kevin Novak, managing director of cybersecurity consulting at Breakwater Solutions, a risk mitigation, data management and analytics company in Austin, Texas, explained that shifts from a predominantly captive workplace to a predominantly remote one, as a result of the pandemic, have been a driving force behind shifts in how attackers have pursued their targets.

“Since an exceedingly large percentage of attacks focus on the end-user, this move to remote has proven very fruitful for attackers,” he told TechNewsWorld.

“Similarly,” he continued, “the pandemic has dramatically changed the way goods and services are manufactured, dispatched and consumed. These changes acted as an unnatural tailwind that has driven enterprises to rapidly adopt a new digital persona.”

“The pace and newness of this adoption have created a more fertile and consolidated attack surface for attackers who will leverage enterprise misconfigurations until they’ve learned how to manage these new platform paradigms.”

“The scale, complexity, and cost of breaches increased dramatically in 2021,” he added.

“Though we certainly saw our share of low-hanging-fruit attacks, we also saw some of the most sophisticated and impactful breaches of all time,” he said.

###

Media Contact
Alan Brooks
alan.brooks@breakwatersolutions.com
917.985.8831