Cyber Risk Lessons We Can Learn From Hurricane Preparedness
BHIS · 2024-11-14 · via Black Hills Information Security, Inc.

Risk is real. To better understand cybersecurity risk, let’s compare cyber risks to risks in the natural world from hurricanes. We can learn lessons from hurricanes and unnamed storms in Florida and apply them to cybersecurity.

Cybersecurity risk management can be daunting. Sometimes, it can sound academic. Did you learn the standard formula?

Cyber risk = Threat x Vulnerability x Consequence

Cyber risk can be a dry subject, involving many ‘what ifs.’ It’s a topic often left to governance and compliance specialists in quiet offices, but cyber risk management should be obvious, active, and involve the whole organization.

Why Risk Management Matters

It’s not dusty formulas; it’s dynamic, like the weather.

We did not expect three major storms in less than one month in Sarasota County, Florida. The county of Sarasota, the city of Venice, and Florida Power and Light are proficient at categorizing and preparing for natural disasters. Good risk management saved lives and homes.

We still check the weather every day in the Sunshine State. Do you evaluate your organization’s cybersecurity risks regularly?

Below, I will discuss how to handle cyber risk and provide some tools to better manage cybersecurity risks.

Living with Risk

We live with cybersecurity risks every day. No system is ever one hundred percent secure. Risk is always present. We can’t escape it. A breach, an incident, a misconfiguration is inevitable. We are human, after all.

What Can We Do with Risk?

Transfer
Most organizations have some form of cyber insurance, but an organization may not really know what will be covered until there is an incident of profound significance. Or, when the ***t hits the fan. While your organization is transferring the risk to the insurance company, you as a risk professional will still need to take some action steps:

  • Read your cyber insurance policy at least yearly. Understand which of your organization’s business units are responsible for actions defined in the cyber insurance policy.
  • Know how to contact your insurance carrier (email, phone, chat) and which team member is responsible for contacting the carrier.
  • Have an offline copy of your policy and the phone numbers.

Mitigate
Your organization can reduce risk through cyber hygiene practices including patch management and vulnerability management. You can reduce risk, but you really can’t completely mitigate it. As cybersecurity professionals, if we can get this one concept across to our senior leadership and boards of directors, we have served them greatly.

Cybersecurity is complex, and the message of cybersecurity risk sometimes gets lost in technical details. Let’s not lose the message to our senior leadership. We can’t completely prevent cyber-attacks, but we can greatly reduce our attack surface through cyber hygiene. To learn more about cybersecurity hygiene, see the CIS Controls for a deeper conversation (www.cissecurity.org).

Accept and Prepare to the Best of Your Ability and Budget

Ten days after the storm struck, there were complete houses buried in sand, without water and power. Vehicles were trapped inside garages; neighbors couldn’t even get the garage doors open without digging out and removing inches of sand. The city and county didn’t expect that.

Do your organization’s business continuity and disaster recovery plans address cybersecurity incidents such as ransomware or distributed denial of service (DDoS) attacks? What happens when your data center is so badly damaged that you can’t get your domain controller up? How long can your company function without directory services?

Prioritize Systems and Data Beforehand

You can’t have it all. Your organization must prioritize systems and data before the storm—the ransomware attack. Has your organization prioritized backup power or alternative data center if your data center is down? What data is the most crucial to your organization’s core business?

Expect the Unexpected

Hurricane Milton made landfall as a Category 3 storm at about 8:30 p.m. on Wednesday October 9th, 2024, near Siesta Key in Sarasota County, Florida. That evening, the roof at Sarasota airport blew off. I was at Wild West Hackin’ Fest and my updated boarding pass indicated that I was still landing at a closed airport. I had to convince the airline that the roof had indeed blown off and I needed to fly into another airport. Have you tried to convince an airline that the airport doesn’t have a roof?

Risk Toolkit

  • Build a realistic risk register. It doesn’t have to be fancy. A spreadsheet can work just fine. Can you access your risk register if your data center is down? If Microsoft is down?
  • Be direct and accurate about cyber risks. Don’t sugar coat the truth to senior leadership. Be truthful and provide them with the whole picture.
  • Conduct tabletop exercises, even for extreme situations. We learned after Hurricane Irma in 2017 that we could be without power for weeks. Your ransomware event could take weeks to resolve. Document lessons learned.
  • Prioritize. There can only be one Number One Priority. What is the ONE most important thing to your organization? Manufacturing? Email? Electronic healthcare records? I can’t tell you. Your organization’s leadership must make that decision and communicate it.
  • Document lessons learned.
  • Don’t deny cyber risks, even nation state actors.
  • Be prepared to make hard decisions when you already have decision fatigue. Acknowledge you may have decision fatigue. Seek trusted advisors.
  • Listen to trusted news sources.
  • Pick areas of interest and specialization for your team. One person knows ransomware well, another person knows DDoS scenarios well.
  • Use a simple risk gauge to communicate with business leaders. Everyone understands the stoplight analogy.
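The following is an added example, not code from the BHIS post, showing what the "spreadsheet will do" risk register and the stoplight gauge look like when the post's formula (Cyber risk = Threat x Vulnerability x Consequence) is actually applied. The 1-5 ordinal scale for each factor, the stoplight thresholds, the CSV columns and the register entries are all assumptions constructed for illustration; the example rejects out-of-range scores so a typo in the spreadsheet cannot silently inflate or hide a risk, and breaks ties on consequence so there is exactly one Number One Priority.

```python
"""Minimal risk register scorer (added example, not part of the BHIS post).

Applies  Cyber risk = Threat x Vulnerability x Consequence  with each factor
rated on an ordinal 1-5 scale. The scale, the stoplight thresholds and the
sample register entries below are assumptions for illustration only.
"""
import csv
import io

FIELDS = ("threat", "vulnerability", "consequence")
SCALE_MIN, SCALE_MAX = 1, 5
MAX_SCORE = SCALE_MAX ** len(FIELDS)  # 125 on a 1-5 scale

# Constructed sample register: the kind of plain spreadsheet the post suggests.
SAMPLE_REGISTER = """\
id,name,threat,vulnerability,consequence,owner
R1,Ransomware on file servers,5,3,5,IT Ops
R2,DDoS against public website,4,2,3,Network
R3,Lost laptop with unencrypted data,3,4,2,Security
R4,Primary data center without power for weeks,2,3,5,Facilities
R5,Phishing simulation failure rate above target,2,2,2,Security
"""


def load_register(csv_text):
    """Parse a CSV register, validating that every factor is an integer 1-5."""
    register = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in FIELDS:
            try:
                value = int(row[field])
            except (KeyError, TypeError, ValueError):
                raise ValueError(f"{row.get('id', '?')}: {field} must be an integer")
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{row['id']}: {field}={value} is outside {SCALE_MIN}-{SCALE_MAX}"
                )
            row[field] = value
        register.append(row)
    return register


def risk_score(entry):
    """The post's formula: threat x vulnerability x consequence."""
    return entry["threat"] * entry["vulnerability"] * entry["consequence"]


def gauge(score):
    """Stoplight colour for leadership; thresholds are an assumption."""
    fraction = score / MAX_SCORE
    if fraction >= 0.40:
        return "RED"
    if fraction >= 0.15:
        return "AMBER"
    return "GREEN"


def rank(register):
    """Highest score first; ties broken by consequence, then by id, so the
    register always yields a single top priority."""
    return sorted(
        register, key=lambda e: (-risk_score(e), -e["consequence"], e["id"])
    )


def top_priority(register):
    """The ONE most important item, as the post insists there can only be one."""
    return rank(register)[0]["id"]


def report(register):
    """Human-readable table: colour, score, id, name and owner."""
    lines = []
    for e in rank(register):
        s = risk_score(e)
        lines.append(f"{gauge(s):5} {s:3d}  {e['id']}  {e['name']}  (owner: {e['owner']})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_register(SAMPLE_REGISTER)))
```

Keep the CSV itself in a place that survives the scenarios the post names: a copy of the register, like the insurance policy, belongs offline, not only inside the data center or the tenant whose outage it is meant to describe.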

Final Thoughts

People during Hurricane Milton were shuttered in their homes without internet or power. They were sitting in darkness wondering if their roof was still attached and if their neighbors were uninjured. Frightening.

Cyber risks and incidents can be frightening too. But cyber incidents do end.

I’m preparing now for the next cyber storm. Are you?


