Artificial Intelligence Powered Attacks on The Rise!

Cyber crime is extremely detrimental to organizations, with serious implications for the future of the business, and the effects can last longer than anyone expects. A study by Cybersecurity Ventures predicts these crimes will cost the world $6 trillion a year by 2021.

Reports like that need to be a wake-up call to businesses everywhere. That number is astronomical, but it should be no surprise to anyone who has followed the exploits of hackers and online scammers. Cyber crime has become big news, with large data breaches happening almost monthly and security incidents at major organizations generating headlines. Additionally, there have recently been reports of foreign actors, from countries such as China and Russia, threatening and tampering with U.S. businesses and elections.

CyNtell's cyber security specialists have analyzed and researched various emerging threats, compiling a list of trends and terms that could pose a threat to organizations within the coming year, and have assessed the impact on businesses, governments, and individuals. What they found was that a large share of emerging threats would come from threat actors using Artificial Intelligence (AI) for criminal exploitation.


Artificial Intelligence Threats to Watch Out for in 2021


  1. AI powered cyber attacks

Hackers use artificial intelligence to build programs that mimic human behavior, then use those programs to manipulate people into giving up personal, financial, or proprietary business information. AI powered attacks pose a significant threat to ANY organization, because the tooling keeps learning and adapting with every interaction.


  2. Deepfakes

A blend of two words, "deep learning" and "fake," a deepfake is an image, video, or audio clip that AI (Artificial Intelligence) technology has fabricated to look or sound real. Deepfakes usually circulate as video content or social media posts.

A deepfake might produce a video in which a politician's words are manipulated, making it appear the politician said something they never did. Other deepfakes superimpose the face of a popular actor or celebrity onto another person's body.

This can be especially harmful to an organization if a CEO or other executive officer is targeted and made to appear to have said or done something unethical, immoral, or otherwise out of character.


  3. Deepfake voice technology

This technology allows people to clone the voices of others, often politicians, CEOs, or celebrities, using artificial intelligence. With a cloned voice, threat actors can talk targets into a variety of actions that benefit the threat actor.

One of the most common scams using deepfake voice technology is to convince targets that a relative is in danger and that the only way to protect them is to move a large sum of money into the threat actor's account as a ransom payment. The cloned voice is what convinces the target that the actor really is holding the relative captive.


  4. Synthetic Identities

Synthetic identity fraud is a form of identity fraud in which threat actors combine real and fabricated personal details to create the illusion of a real person. The threat actors use AI and machine-learning tooling to collect the seed data on individuals at scale and with little effort.

A threat actor may create a synthetic identity that includes a legitimate physical address while the Social Security number and birth date tied to that address are fabricated. Using this method, the threat actor may be able to obtain access credentials, such as key cards and ID badges, that grant entry to restricted areas or data.


  5. Vehicle cyber attacks

Bluetooth has become a standard feature in almost every new car, and some luxury models also include Wi-Fi. While these features make daily commutes and long road trips more enjoyable, they also open a new attack surface. Hackers who gain access to a vehicle's systems can read GPS data to find out everywhere the vehicle has been, or track it live. A skilled attacker may even be able to take control of vehicle safety features, access any devices connected to the vehicle, and install malware on the vehicle and those connected devices.



Artificial intelligence is relatively new and extremely powerful; these emerging technologies accelerate our daily lives to new levels. They allow us to move seamlessly between home and work, create engaging apps and media services, and work for us in ways we never imagined. These technologies come at a cost, however, because they hand threat actors new attack vectors. As researchers develop more powerful ways to apply artificial intelligence, so will hackers. The responsibility for protecting our private lives and work data rests on the individual, which means everyone must stay aware of new threats.



CyNtell’s cyber security experts are here to protect and support your organization and to keep threat actors from using these powerful capabilities against you.

Schedule a call with one of our experts today and let us protect your organization.




Watch Out Wednesdays

No threat facing businesses and individuals has grown quite like that of cyber threats. They appear in all forms, from phishing emails to exploited vulnerabilities in software.

Starting July 2020, this "Watch Out Wednesdays" blog will be updated weekly with the latest vulnerabilities and large-scale hacks that you should watch out for. While the list is updated weekly, it is not a complete list of vulnerabilities or hacks; it contains only the largest data breaches, hacks, and security vulnerabilities that have been released to the public.

Looking to improve your cyber security monitoring practices and reduce vulnerabilities? Take a look at CyNtell’s Continuous Monitoring or Cyber Security Protection packages.

September 2020

7-13 September

New Flaw in Visa Contactless Payment:
– A new flaw has been discovered with Visa’s contactless payment. Read the CyNtell blog about Visa’s contactless payment woes here.

31 Aug-6 September

Critical WordPress File Manager Exploit:
– The File Manager plugin for WordPress has been found to contain a critical remote code execution vulnerability. File Manager allows WordPress administrators to edit, delete, upload/download, archive, copy and paste files and folders directly from the WordPress backend. The vulnerability would allow an unauthenticated threat actor to upload files and run arbitrary code on the target, because a connector script from the bundled open-source file manager library elFinder shipped as executable PHP. At the time of discovery, File Manager was used on over 700,000 websites; the vulnerability has since been patched in version 6.9, so check the plugin version on any site you run. Read the full details on the vulnerability here.

Cisco Issues Warning Over Zero-Day Flaw:
– Cisco has issued a warning for a zero-day flaw in its router software. The flaw would allow a threat actor to carry out memory exhaustion attacks on affected devices. A memory exhaustion attack is one in which an attacker abuses a weakness in how a system allocates memory to tie up a significant share of its memory resources. The flaw, CVE-2020-3566, was first disclosed at the end of August 2020 and affects Cisco devices running IOS XR Software that have an active interface configured under multicast routing. While Cisco has acknowledged the vulnerability and published mitigations, there is no timeline for when a patch will be released. Learn the full details of the vulnerability and follow along with developments on the patch here.

August 2020

24-30 August

High-Severity Bug in Google Chrome:
– A high-severity bug in Google Chrome (CVE-2020-6492) has been patched. The flaw is a use-after-free vulnerability in the Web Graphics Library (WebGL) component of the Chrome browser. This part of the JavaScript API could have allowed threat actors to trigger the use-after-free and execute arbitrary code. A use-after-free is a bug in which a program keeps using memory after it has been freed; when an attacker can control what that freed memory is reused for, exploitation can lead to arbitrary code execution and, in some cases, full remote code execution. Read the full release on the Google Chrome bug here.

Flaws in Apache Web Server Software:
– Three critical flaws in the Apache HTTP Server, uncovered by a Google Project Zero researcher, have been patched by the Apache Foundation in httpd 2.4.46. One flaw allowed remote code execution, making it possible for threat actors to change or delete data. The second may have led to memory corruption due to concurrent log pool usage. The most worrisome flaw used a specially crafted "Cache-Digest" header to cause memory corruption leading to a crash and denial of service. Read more about the flaws and how to make sure your Apache web server is patched here.

17-23 August

Emotet Is Running Again:
– Emotet, an email-delivered malware, resumed botnet-driven spam campaigns and ransomware delivery on August 6th. In early February 2020, researchers found a bug in Emotet that acted as a kill switch and stopped the malware from operating between Feb 6 and Aug 6, 2020. Unfortunately for us, the malware's operators have patched that bug and the botnet is running again. Read more about Emotet here.

Canadian Government Systems Attacked:
– Canadian officials detected around 300K attempts to access accounts on at least 24 government systems over the past two weeks. Threat actors attacked a CRA portal using a botnet to carry out "credential stuffing", replaying username and password pairs leaked in earlier breaches against the GCKey login to take over accounts whose owners had reused those passwords. GCKey accounts allow Canadians to access government services such as Employment Insurance, Veterans services, My Service Canada accounts, and more. Read the full scope of the attacks here.
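As an added example (not part of the original post, and not CyNtell's or the Canadian government's code), the following Python script shows the detection logic a defender would run over authentication logs to spot credential stuffing: one source address trying many different usernames in a short window, as opposed to a brute-force attack that hammers a single account. The log format, field names, thresholds and the log lines themselves are constructed for the example.

```python
"""Credential-stuffing detector over constructed login log lines.

Added example, not production tooling. The log format (timestamp, source IP,
username, result), the thresholds and the sample lines are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source tries seven different accounts in four
# seconds (stuffing), another retries a single account (brute force, not flagged),
# and one is a normal login.
SAMPLE_LOG = """\
2020-08-15T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2020-08-15T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2020-08-15T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2020-08-15T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2020-08-15T10:00:03Z 203.0.113.7 erin LOGIN_SUCCESS
2020-08-15T10:00:04Z 203.0.113.7 frank LOGIN_FAIL
2020-08-15T10:00:05Z 203.0.113.7 grace LOGIN_FAIL
2020-08-15T10:00:09Z 198.51.100.4 alice LOGIN_FAIL
2020-08-15T10:00:20Z 198.51.100.4 alice LOGIN_FAIL
2020-08-15T10:00:35Z 198.51.100.4 alice LOGIN_SUCCESS
2020-08-15T10:02:00Z 192.0.2.9 heidi LOGIN_SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_FAIL|LOGIN_SUCCESS)$")


def parse(log_text):
    """Return a list of (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_distinct_users=5):
    """Return {ip: (distinct_usernames, attempts, successes)} for every source
    that tries at least `min_distinct_users` different usernames within `window`.

    The signal of credential stuffing is breadth (many accounts from one source),
    not depth (many guesses on one account), so the single-account brute force
    in the sample is deliberately not flagged by this rule.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp so the window is valid
        by_ip[ev[1]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) >= min_distinct_users:
                successes = sum(1 for e in span if e[3] == "LOGIN_SUCCESS")
                hits[ip] = (len(users), len(span), successes)
                break                  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for ip, (users, attempts, ok) in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"credential stuffing from {ip}: {users} usernames in {attempts} attempts, "
              f"{ok} succeeded")
```

The successes count is the number that matters for incident response: every account that succeeded inside a flagged window has a password that is known to the attacker and needs a forced reset. Because the attack described above came through a botnet, the per-source signal weakens as the attempts spread across many addresses; the same sliding-window logic can be keyed on a coarser attribute (ASN, user agent, or the whole site) to catch the distributed case, and MFA plus rejecting passwords that appear in known breach lists removes the payoff altogether.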

10- 16 August

Microsoft’s Patch Tuesday Release:
– The August Patch Tuesday release from Microsoft addressed 120 vulnerabilities: 17 rated critical and 103 important, affecting Microsoft Windows, Edge (EdgeHTML-based and Chromium-based), ChakraCore, Internet Explorer, MS Office, MS Office Services and Web Apps, Microsoft Windows Codecs Library, .NET Framework, and Microsoft Dynamics. Two of the vulnerabilities are zero-days in the Windows OS and related products that were already being exploited. See the full release here.

Amazon Alexa Has A New Skill:
– Cyber security researchers have discovered several critical vulnerabilities in Amazon's Alexa. Chained together, they could let threat actors install malicious skills and spy on individuals remotely, with the victim only having to click a web link. The vulnerabilities originated from a flaw in one of Amazon's subdomains. Check out the researchers' complete findings here.

3-9 August

Vulnerability Scanning Tool for Kubernetes:
– KubiScan, a scanning tool rather than a vulnerability, was showcased at Black Hat USA 2020 on the opening morning. This open-source Kubernetes tool searches a cluster's RBAC configuration for risky roles, role bindings, and service accounts, allowing cluster administrators with containerized environments to shrink their attack surface. Read more about the tool here.

High-Risk Windows TeamViewer Vulnerability:
– The TeamViewer software has been found to contain a vulnerability with a CVSS severity rating of 8.8. TeamViewer was designed for remote control, desktop sharing, online meetings, and more, and has seen an uptick in usage since the start of remote work during the COVID-19 pandemic. The vulnerability, CVE-2020-13699, would allow threat actors to remotely trick the application into leaking the user's Windows password hash for offline cracking, which could lead to more complete system exploitation. Learn the complete details on the vulnerability here.


July 2020

27-2 July/August

Cisco Read-Only Path Traversal Vulnerability:
– Cisco released a Security Advisory for the actively exploited read-only path traversal vulnerability (CVE-2020-3452). The vulnerability is in the web services interface of Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software; researchers found over 85,000 internet-accessible ASA/FTD devices. If exploited, an unauthenticated remote attacker can use directory traversal to read sensitive files within the device's web services file system (not the underlying operating system). Read the Cisco Security Advisory here.

7.5m Records of Users Leaked:
– A security breach of the analytics platform Waydev, former partner of, allowed over 7.5 million users' personal data to be leaked. While was notified of the breach in early July, user data was found on a hacker website weeks later. Read more about the breach and the release of the data by the hackers here.

Orange Confirms Ransomware Attack:
– Orange, the fourth largest mobile phone operator in Europe, confirmed that it was the victim of a ransomware attack on the night of July 4th. Nefilim, a new ransomware group, has claimed responsibility for the attack, which affected the company's business services division. Read more about the Orange ransomware attack here.

GRUB2 Vulnerabilities for Linux & Windows Systems:
– Multiple vulnerabilities in the GRUB2 bootloader affect billions of devices running Windows or Linux, including laptops, servers, workstations, and even IoT devices. If exploited, they would allow the operating system's boot process to be compromised to run arbitrary code before the OS loads, bypassing Secure Boot. As of Aug 5th, patches have been released, but some systems fail to boot after the patches are applied. Learn more about the patching issues here.

20-26 July

Garmin Hit with Ransomware:
– Garmin suffered a global outage of its website, the Garmin Connect product, and the navigation and flight plan services for its aircraft nav systems. Early reports also said its phone systems, email, and chat applications were affected. After two days of outages and much speculation from customers, media, and the global cyber community, Garmin was reported to have received a $10m ransom demand, consistent with suspicions that the company was hit with the WastedLocker ransomware. As of July 27th, Garmin's site carries a note at the top about the outage and the inability to communicate with customers, though articles say Garmin is in the final stages of recovery. Follow the latest in the Garmin ransomware attack here.

Microweber CMS Critical Security Vulnerability:
– A pre-authentication flaw was found in the controller.php script, "leftover from the early days of Microweber's development" according to a penetration tester at Rhino Security Labs. This critical vulnerability leaked administrator credentials deemed "easy-to-crack" and a variety of other user information. Read the full details on the vulnerability here.

Adobe Critical Bugs Fixed In Second Round of Patches:
– Only a week after releasing critical patches, Adobe has released another set of patches addressing 13 vulnerabilities. In this second round, 12 of the vulnerabilities are critical out-of-bounds read or write flaws in Prelude, Photoshop, or Bridge; the 13th bug affects the Reader mobile app for Android. Access the latest and all Adobe patches here.

13-19 July

Zoom Zero-Day Critical Vulnerability Allows RCE:
– The latest Zoom vulnerability allows an attacker to execute code remotely on the victim's system without triggering a security warning. The flaw exists in all versions of Zoom for Windows but can only be exploited on Windows 7 or older versions of Windows with system-specific configurations. As of 15 July, Zoom has patched the vulnerability. Learn more details of the vulnerability here.

Microsoft Releases Security Bulletin Addressing 123 Vulnerabilities:
– Microsoft's July Patch Tuesday security updates have been released. A total of 123 vulnerabilities were addressed: 18 rated critical and 105 important. All of the critical bugs are RCE or EoP flaws in Internet Explorer, Windows, Microsoft Lync Server, Microsoft SharePoint, Visual Studio Code, and more. No publicly disclosed zero-days or in-the-wild attacks accompanied this Patch Tuesday release. See the full list of patches here.

Twitter Bitcoin Scam:
– Over 100 accounts with large followings were hacked and sent out the same Bitcoin scam message. The tweets asked for $1000 in Bitcoin to be deposited to a specific wallet, promising to send back $2000 in Bitcoin to all who participated. It appears the hack was carried out through Twitter's internal admin tools, with the help of an employee who had access to the Twitter admin panel. The hackers seemingly walked away with over $120,000 in Bitcoin before Twitter locked the targeted accounts. As of 17 July this is still a developing story; learn more about the hack and developments here.

6-12 July

A New Round of Citrix Bugs:
– Citrix has just announced 11 more vulnerabilities in its software. While it took a month to produce a patch for the critical vulnerability disclosed around the new year, this time patches are ready for the newly found vulnerabilities. The latest vulnerabilities, to all appearances, won't create the same panic as the new year vulnerability, but they still need to be addressed. Check out the latest on the Citrix vulnerabilities here.

Indicators of Attack vs. Indicators of Compromise

Indicators of Attack and Indicators of Compromise are two important elements of understanding a cyber-attack. Understanding them can help you ensure that your organization's cyber security policies and procedures are optimised to identify an attack before it even begins.

Indicators of Attack vs. Indicators of Compromise

The first thing you need to know is the definition of, and the key difference between, an Indicator of Attack (IOA) and an Indicator of Compromise (IOC). An IOA focuses on detecting the intent behind what an attacker is trying to accomplish; it is typically an alert or notification BEFORE a network or application is exploited. An IOC is after the fact: in the forensics world an IOC is described as evidence on a computer that indicates the security of a network has been breached.


A Real World Example

Let’s use a real-world analogy to better understand these important indicators. A smart bank robber would begin by doing some reconnaissance on the target bank; during this step the robber wants to know what kind of security measures are in place, the best time and tactics to use, and any defensive capabilities before beginning the heist.

The robber then proceeds to execute the attack. IOAs in this scenario would be the actions the robber takes before starting the attack on the bank, such as driving around the bank scouting out any security features and identifying the type of vault used. On the flip side, IOCs would be the evidence left behind after the thief has emptied the vault, such as fingerprints or footprints, evidence of tampering, the empty vault itself, and any tools the robber left behind.
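To make the distinction concrete, here is an added Python example (not from the original post and not CyNtell's tooling) that runs two kinds of rule over a constructed event feed: behavioural IOA rules (a host being probed on many ports, an Office application spawning a shell) that fire before or during exploitation, and IOC lookups (a known-bad file hash, a connection to a known command-and-control address) that only match once something is already on the machine. The event format, the thresholds, the IOC lists and the hash value are all assumptions made up for the example.

```python
"""IOA vs IOC triage over a constructed event feed (added example)."""
from collections import defaultdict

# Constructed IOC feed: artefacts that only exist once a compromise has happened.
KNOWN_BAD_HASHES = {"3f786850e387550fdab836ed7e6dc881de23001b"}  # made-up value
KNOWN_C2_IPS = {"198.51.100.23"}                                   # documentation range

# IOA rule parameters (assumptions for the example).
SCAN_PORT_THRESHOLD = 5
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe"}

# Constructed events, one per line: "<time> <type> key=value ...".
# The story: an outside host cases 10.0.0.5 (IOA), a Word document spawns
# PowerShell on it (IOA), a known-bad file appears (IOC), then it beacons to C2 (IOC).
SAMPLE_EVENTS = r"""10:00:01 conn src=203.0.113.7 dst=10.0.0.5 dport=21
10:00:01 conn src=203.0.113.7 dst=10.0.0.5 dport=22
10:00:02 conn src=203.0.113.7 dst=10.0.0.5 dport=23
10:00:02 conn src=203.0.113.7 dst=10.0.0.5 dport=80
10:00:03 conn src=203.0.113.7 dst=10.0.0.5 dport=443
10:00:03 conn src=203.0.113.7 dst=10.0.0.5 dport=445
10:00:03 conn src=203.0.113.7 dst=10.0.0.5 dport=3389
10:05:10 conn src=10.0.0.8 dst=10.0.0.5 dport=443
10:07:00 proc host=10.0.0.5 parent=WINWORD.EXE child=powershell.exe
10:07:30 file host=10.0.0.5 path=C:\Users\Public\update.exe sha1=3f786850e387550fdab836ed7e6dc881de23001b
10:08:00 conn src=10.0.0.5 dst=198.51.100.23 dport=443
"""


def parse_events(text):
    """Turn each line into a dict with 'time', 'type' and its key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # ignore blank or malformed lines
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append({"time": parts[0], "type": parts[1], **fields})
    return events


def find_ioas(events):
    """Behavioural indicators: the robber casing the bank, before the vault is opened."""
    findings = []
    ports = defaultdict(set)
    for e in events:
        if e["type"] == "conn":
            ports[(e["src"], e["dst"])].add(e["dport"])
    for (src, dst), probed in ports.items():
        if len(probed) >= SCAN_PORT_THRESHOLD:
            findings.append(("IOA", "port-scan reconnaissance",
                             f"{src} probed {len(probed)} ports on {dst}"))
    for e in events:
        if (e["type"] == "proc" and e["parent"].upper() in OFFICE_APPS
                and e["child"].lower() in SHELLS):
            findings.append(("IOA", "office application spawned a shell",
                             f"{e['parent']} -> {e['child']} on {e['host']}"))
    return findings


def find_iocs(events):
    """Artefact matches: the fingerprints and the empty vault, after the fact."""
    findings = []
    for e in events:
        if e["type"] == "file" and e.get("sha1") in KNOWN_BAD_HASHES:
            findings.append(("IOC", "known-malicious file hash",
                             f"{e['path']} on {e['host']}"))
        elif e["type"] == "conn" and e["dst"] in KNOWN_C2_IPS:
            findings.append(("IOC", "connection to known C2 address",
                             f"{e['src']} -> {e['dst']}:{e['dport']}"))
    return findings


def triage(text):
    """Return IOA findings first (the earliest warning), then IOC findings."""
    events = parse_events(text)
    return find_ioas(events) + find_iocs(events)


if __name__ == "__main__":
    for stage, rule, evidence in triage(SAMPLE_EVENTS):
        print(f"[{stage}] {rule}: {evidence}")
```

Note the asymmetry: the IOC rules need a feed of artefacts somebody else has already seen, so they cannot fire on a new tool or a fresh C2 server, while the IOA rules describe attacker behaviour and match regardless of which malware is used, at the cost of needing a threshold (here, five ports) tuned so that legitimate vulnerability scanners and admin tooling are allow-listed rather than alerted on.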


Which Is More Important

Now, you might be thinking to yourself "well these both sound super important", and right you would be. But think of it this way: would you rather be notified that you are in the process of being hacked, or notified after the bad actor has already gained access to your systems? In almost every case, you would want awareness of the attack at the first indication of malicious intent, the IOA stage, when observation and planning for the attack begin. This would allow you to fortify your systems before an attacker gains access to your network, applications, or data.

If you do not learn of an attack on your systems until you notice Indicators of Compromise, everything you do afterwards is damage control and recovery. Allowing an attack to happen means losing valuable time regaining control of your own systems and identifying what was taken and how deep the intrusion goes. You will lose working hours on current projects, likely have to notify clients and employees that their data has been compromised, and suffer a loss of trust from your stakeholders.


What To Do

Knowing the difference between Indicators of Attack and Indicators of Compromise is crucial for organizations and you might be thinking, “well shucks how do I identify Indicators of Attack?”

That is where CyNtell comes in to help. Our experts use a variety of tools to run continuous deep scans of your network to identify vulnerabilities, surface indicators of attack and indicators of compromise, and remediate the vulnerabilities to protect your organization. With a combined 35 years of experience, our cyber solutions experts provide the security you are looking for while maintaining a comfortable, transparent, and close relationship with your organization to ensure your valuable digital assets remain secure.

CyNtell offers a variety of cyber security services that will help your organization maintain a strong cyber security posture. Take a look at all of our expert cyber security solutions.

Looking to speak with a CyNtell Cyber Specialist?
Schedule a Call

What is a vCISO?

You may be familiar with the term CISO (Chief Information Security Officer), but if you're reading this, you're probably not as familiar with a vCISO, or virtual CISO. This quick 5-minute blog will help you understand what a vCISO is and why having a vCISO for your organization may be the best thing you do this year.

Chief Information Security Officer

A Chief Information Security Officer is the senior-level executive in an organization responsible for creating and managing the security protections for information assets and technologies, in line with the organization's vision, mission, and strategic goals. They are charged with ensuring the proper protections are in place and maintained for the business to reach its established objectives. Their scope of responsibility also includes communications, applications, and infrastructure, including the policies and procedures that apply to all lines of business within the organization.

A virtual CISO (vCISO) is a proven security expert who works with your organization, but not directly for it, to fulfil the responsibilities of an in-house CISO. This individual works to strengthen and reinforce your established information security or information technology team.


Benefits of a vCISO

One of the largest benefits of hiring a vCISO is that your organization receives the knowledge and skills of an established security professional without paying a full-time salary. With a median salary of $228,612, according to, the cost of a full-time CISO is exorbitant and many smaller businesses simply cannot afford one. Virtual CISOs, however, can be used on demand and cost a fraction of the price.

Another benefit of a vCISO is that they do not require training on the organization as a whole. Their role is focused on results, so they are less bound by internal politics and can be direct about security measures and goals rather than simply "playing nice".


A Good vCISO

Individual organizations have different goals for their business, and almost every industry has a set of regulations and standards it must follow. A good vCISO will hit the ground running when they begin working with an organization, aligning business goals, security goals, and compliance standards. A vCISO will incorporate the goals of the organization into their strategic plan for information security, compliance, and risk management.

The “good” vCISO for your organization will be able to effectively communicate the risk and mitigation strategies for those risks as deemed appropriate. They will establish controls and procedures to mitigate risk within the organization. However, the vCISO will also maintain a working relationship and open communication with the in-house information technology/security team to ensure the security roadmap is meeting the needs of the organization.


Hiring a vCISO

Hiring a vCISO isn't the right move for all companies. They are best suited to small to medium sized businesses looking to support their existing teams. Since the role of a vCISO differs from company to company and across industries, it is important to find a virtual CISO who has experience with the challenges your organization faces: compliance regulations, security threats, industry standards, and more. When hiring a vCISO, organizations should weigh both focused industry experience and overall experience.


The ultimate goal of the vCISO should be keeping the organization they work with protected and secured so that the organization can focus on business goals.

Interested in Learning More About CyNtell’s vCISO Services?

Schedule A Call

Data Breaches: Are You Protected?

The year is 2020 and the internet as we know it has been around for roughly 30 years (no, we aren't counting ARPANET). As the internet continues to expand and evolve, so do the threats. In 2019, according to, there were roughly 80 reported data breaches or cyber-attacks each month. In January 2020, we learned that Microsoft had left 250 million records in its customer support ecosystem exposed. But what you may not have known is that January saw a total of 61 reported data breaches and cyber-attacks, which exposed around 1,505,372,820 records.

Left Unprotected

Does 61 disclosed breaches in January sound like a low number? That's because it is: last month rang in as a new 6-month low in data breaches per month. However, these are only the reported data breaches and cyber-attacks. According to Varonis, a cyber-attack happens every 39 seconds, which works out to roughly 809,000 attacks a year, or about 67,400 a month. These attacks range from a small phishing attempt on an individual to a large-scale breach like Microsoft's.

On the January list of disclosed breaches, the majority of the breaches and attacks hit smaller enterprises. These organizations may have been aware of the data security threat but thought something like "I'll never get hacked, I'm too small."

This is an all too common way of thinking for small organization executives, and it is the complete opposite of how hackers think. Hackers target small organizations because their defenses are likely to be easier to penetrate.

In fact, a recent survey found that 60% of enterprises (of varying sizes) say they are not prepared to handle data breaches. The same study reports that roughly 73% of surveyed enterprises continue to experience unplanned downtime due to poorly managed digital certificates and PKI (public key infrastructure), typically certificates that expire without anyone noticing.

Mismanaged digital certificates aren't the only risk to businesses. The ones you hear about most are ransomware, malware, phishing, and denial-of-service attacks. Social engineering is also on the rise, as more people become familiar with the other forms of cyber-attack and data breach.

Protect Yourself

The stark reality is that hackers and malicious threats aren't going anywhere anytime soon. And while many small businesses tend to be reactive rather than proactive, there are steps you can take to protect an organization.

  1. Conduct a security audit.
  2. Identify weak points
  3. Develop a data breach prevention plan
  4. Increase awareness of security risks
  5. Create employee security policy training
  6. Encrypt sensitive data

Protecting your organization from malicious threats may seem like a daunting task, but it needs to fall high on the list of business priorities. If customers are your biggest asset, their data is your biggest liability.

Learn More About How CyNtell can help you Protect. Comply. Relax.

Privacy versus Security

Privacy and security are rapidly converging, especially in the realm of compliance. A comprehensive program for information security management and planning must include privacy concerns and meet confidentiality objectives. The two disciplines become "siloed" when information security is regarded as an IT issue and privacy as a legal issue. The truth is that both are management data protection issues with board room level implications. Management must look at all forms of information and provide for its protection in accordance with privacy, cyber security, and continuity of operations, as these three components of business assurance have congruent requirements.

After a recent presentation on Cyber Security at a financial services conference, I was asked what the differences are between privacy and information security. I thought I would share my answer with you in hopes that it improves collective understanding.

What is Privacy?

Privacy is centered around customer and employee information most people would reasonably consider private and only for trusted disclosure. Such information includes, but is not limited to:

  • Personally Identifiable Information (PII) – This is information that could lead a third-party to identify who you are and how to contact you including email addresses and phone numbers. PII extends to data values that can lead to identity theft like your social security number and birthdate.
  • Personal Health Information (PHI) – This is information that could identify you and reveal health diagnosis, illnesses, prognosis, and treatments.
  • Personal Financial Information (PFI) – This is information that could identify you and provide information about your investments, credit status, loans, liens, wages, and taxes.

The primary protection focus is the confidentiality (prevention of unauthorized disclosure) of such information. The main threat is a breach of information in which an unauthorized party can access data. A breach could lead to identity theft resulting in company legal liability and loss of company confidence.

What is Information Security?

Information security focuses on the protection of data while stored, in transit, and during processing, and the related informational assets like servers and mobile devices. The objectives are information confidentiality, integrity and availability (C-I-A). Compromise of one or more of the objectives could result in a breach of information to unauthorized parties, inaccuracy in data elements and records, and destruction or denial of access to mission critical data.

Privacy and Security Laws and Regulations

European nation states are serious about privacy. Germany is one of the leaders in this area based on its history of violations towards citizens. Well known North American laws, like the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the U.S. Health Insurance Portability and Accountability Act (HIPAA), set the standard for data privacy in the western hemisphere. In the U.S., there are very few federal laws regarding privacy protection beyond HIPAA which puts pressure on the individual states. Thus, U.S. companies that operate across multiple states must always be aware of various state laws and implement controls commensurate with the most restrictive.

Unlike privacy, information security has very little by way of laws requiring protection. Don't misunderstand: there are numerous regulations requiring companies to have a security program, but government statutes are lacking. Most U.S. congressional statutes in this realm have to do with cybercrime or refer back to data privacy. More recent laws in the U.S., like the Cybersecurity Act of 2015, give companies legal authority to monitor and defend their own systems and to share threat information. Stay tuned, as many more laws across the international landscape will quickly rise in the remaining years of this decade.

Privacy and Security Frameworks and Standards

A trending industry approach is to focus on creating an organization standard through the lens of privacy and information security frameworks like ISO 29100 and ISO 27000. ISO 29100 is a privacy framework that can be adapted to any organization that stores, transmits, and processes PII; and ISO 27000 series is a set of mature security techniques that can be used by organizations to protect various types and states of data. Both address protection via the implementation of information technology controls and the two frameworks have a direct relationship (according to ISO).

For several years in the U.S., the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) has been the standard for information security within federal government agencies. RMF has a provision for privacy and all systems using this framework must conduct a privacy impact assessment. In May 2015, NIST drafted a Privacy Risk Management Framework (PRMF) for protecting and assessing federal systems processing personal information. As with ISO, there is a direct relationship between information security and privacy as it pertains to RMF and PRMF.

Most U.S. industries are highly regulated and new regulatory standards require safeguards for privacy and programs for Cyber Security. Most of these regulations make a direct reference to NIST guidelines and frameworks. For regulated organizations, NIST provides guidance via the Cyber Security Framework (CSF) which includes a smidge of privacy techniques. My prediction is that more privacy protection guidance will be incorporated over the coming years of this maturing framework.

Business Privacy and Security Implementations

Privacy and information security, although not the same, are closely related and critical for every business. Privacy should be regarded as an element of information security specifically providing for the confidentiality of PII, PHI, and PFI. The requirements for both are complex and evolving. Every business has a responsibility to understand their legal, civil, and social obligations for data protection. For small to medium sized businesses, the convergence of privacy and security is essential to an efficient and effective data protection program. For certain medium to large sized companies, it makes sense to separate, yet closely relate, the two functions as each can benefit from concentrated focus and management.

Global Ransomware Cyber-Attack

Cyber Security Requires Policy and Program

Part 1 – Thwarting the Global Ransomware Attack Threat Made Simple

The recent global cyber-attack has raised our collective awareness that having a Cyber Security policy is not the same as having a Cyber Security program. The ransomware attack codenamed “WannaCry” takes advantage of a vulnerability found in the Windows operating system. The key word in the last sentence is the present verb tense “takes”, as this ransomware threat has yet to be contained and there are now warnings of malicious code copycats. Just as concerning is that the threat should never have been as successful as it is, since Microsoft provided the means of protection months ago. The critical security patch addressing the known vulnerability was released in March, both through Microsoft’s update service and the built-in antivirus software, Windows Defender. Therefore, a Cyber Security program with a mature, consistent approach to patch management and disaster recovery would have spared many of the victims: either they would not have been infected in the first place, or they could have avoided paying the ransom because a recent backup copy or image of the system(s) could have been used to restore the infected machines.
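The two program elements named above, patch management and a recent restorable backup, are the kind of thing a program (as opposed to a policy) verifies on a schedule. The following script is an added example, not code from the original post or from CyNtelligent Solutions; the KB identifiers, backup path and backup age are hypothetical placeholders to be replaced with an organization's own values.

```powershell
# Added example (not from the original post): a minimal patch-and-backup
# compliance check of the kind a Cyber Security program would schedule on
# every Windows host. Assumptions (all hypothetical): $RequiredKBs holds the
# hotfix ids your patch policy mandates (PLACEHOLDER values below, not real
# ids); $BackupRoot is where system images land; $MaxBackupAgeDays is the
# oldest image you would accept restoring from instead of paying a ransom.
param(
    [string[]]$RequiredKBs = @('KB0000000', 'KB0000001'),  # PLACEHOLDERS
    [string]$BackupRoot    = 'D:\Backups\Images',          # hypothetical path
    [int]$MaxBackupAgeDays = 7
)

$findings = @()

# 1. Patch management: every mandated hotfix must be present on this host.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -notcontains $kb) {
        $findings += "MISSING PATCH: $kb is not installed"
    }
}

# 2. Disaster recovery: a restorable image must exist and be recent enough
#    that restoring it is a real alternative to paying.
$latest = Get-ChildItem -Path $BackupRoot -File -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += "NO BACKUP: nothing found under $BackupRoot"
} elseif ($latest.LastWriteTime -lt (Get-Date).AddDays(-$MaxBackupAgeDays)) {
    $findings += "STALE BACKUP: newest image $($latest.Name) dates from $($latest.LastWriteTime)"
}

# 3. Report. A non-zero exit code lets Task Scheduler or a monitoring agent
#    turn a failed check into an alert rather than a forgotten log line.
if ($findings.Count -eq 0) {
    Write-Output "OK: required patches present, backup within $MaxBackupAgeDays days"
    exit 0
} else {
    $findings | ForEach-Object { Write-Output $_ }
    exit 1
}
```

Run it from a scheduled task with the real hotfix ids from the vendor advisory; a host that reports a missing patch or a stale backup is exactly the host this kind of ransomware would have encrypted.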

I hate to say it, but we are only at the early stages of such cyber-attacks. For cybercriminals, building and executing such malware is relatively inexpensive and offers great opportunities for success, especially when small to medium sized businesses (SMB) are reluctant to invest time and money into implementing a program for adequate protection and seek only the appearance of compliance. Most solutions are simple and inexpensive, but they still require proper operational process integration and consistent tactical practice. Achieving a Cyber Security program that truly provides prevention, detection, and recovery capabilities takes experience, and professionals with expertise are not free. Nevertheless, investing in the firm’s policy and program is better than worrying whether it will be the next victim of a cyber-attack and what damages and costs could result.

To learn more about Claude L. Williams, follow on Twitter @ClaudeLW and/or http://www.LinkedIN/in/ClaudeLW

To learn more about CyNtelligent Solutions, follow on Twitter @CyNtelligent and/or LinkedIn