Articles & Blogs

The role of the modern CTO with regards to Cybersecurity

February 12, 2020 | By Accorian

How the times have changed. 15 years ago, cyber-security consisted of making sure you had an anti-virus program running on your machines. It didn’t matter if it was effective, but the presence was enough to assuage our cybersecurity requirement. Though phishing, ransomware, data breaches, and compliance existed, we never treated it as a primary concern. Today’s threat landscape is quite different. With a mixture of well-funded, sophisticated attackers leveraging AI and script-kiddies using simple techniques like ransomware, we have to ensure that our internal, IP, and client data are all secured in a regulated and dynamic environment. The result: more breaches and thefts, increasing ransom costs, and more operational lag. For some time, I have wanted to create a starting point to help us CTO’s navigate these turbulent waters, and here is what I have come up with:

Pick a Security Framework — Even if you don’t need to satisfy any compliance requirements, pick a framework that is modern and up to date. A few examples are HITRUST CSF, SOC 2, ISO 27001, and NIST CSF. By selecting a security framework, you can ensure you are looking at an overall security plan that covers the full breadth of threats that modern companies are exposed to. Often, we are too optimistic with regards to our weaknesses, so we settle for a sub-par security solution that only protects us from one or two possible vulnerabilities attackers will be looking to exploit. My preference would be either HITRUST or SOC 2 as both can be objectively measured against.

Budget for Security Expenditure — As the prevalence of cybercrime increases, updating and testing your technology assets is crucial. You never want to be caught sleeping, without the ability to quickly mobilize in the case of a breach or an attack. Having a coherent plan in place allows you to have an informed conversation with your management team regarding the benefits of security investment.

Create Policies and Procedures — I never wanted to believe our company could be the victim of cybercrime, especially if you have invested a healthy sum in security technology. Unfortunately, the largest security weaknesses in any enterprise are employees. Having policies and procedures for access controls, password management, endpoint protection, patch management, spam emails, and employee termination can go a long way to shoring up unwanted loose ends in your overall security environment.

Measure Against Industry-Standard Compliance — If you are required to be compliant to a specific security or regulatory framework, how do fare in comparison to guidelines? Try assess yourself objectively. Whether its HIPAA, PCI, GDPR, etc., I have seen too many companies and too many people be over optimistic on where they really stand. As technologists, not only are we doing a disservice by assuming risk and compliance away, but we are also putting our accreditation and, therefore, enterprise in jeopardy.

I hope this serves as a starting point to my fellow CTOs. Two things to keep in mind:

  1. Attackers are looking for any and all vulnerabilities they can use to earn a quick payday.
  2. You may not want to believe it, but you do have sensitive data.

Recent Blog

Article

CHOOSING THE RIGHT FIRM FOR YOUR PENETRATION TESTING SERVICES

Written by Premal Parikh Numerous security firms perform penetration testing and red teaming. However, determining the security firm suitable for your organization is difficult. So how do you select the right firm for your Pentesting services? One must consider factors such as the firm's experience, methodology, and cost-effectiveness while making the right choice.Security threats are increasing at an alarming rate in today's dynamic digital world. The year 2022 saw nearly 236.7 million ransomware attacks worldwide. With organizations being more vulnerable to cyberattacks, businesses of all sizes should conduct penetration testing and regularly improve their security.Furthermore, it is critical to recognize that lack of vulnerabilities discovered during penetration testing can indicate one of two things:Either there are no vulnerabilities in the application/network being tested; orYour testing team has failed to identify existing vulnerabilities.Unfortunately, if it's the latter, you'll usually find out when the vulnerability is exposed in a breach or when your client conducts their testing and discovers the problem.Key Factors to Consider When Hiring a Security Testing Firm1. CertificationsWhen choosing a penetration testing firm, it is critical to consider the testing team's certifications, such as CEH (Certified Ethical hacker), OSCP (Offensive Security Certified Professional), and other relevant qualifications. However, evaluating the company's credentials to ensure competence is equally important.Surprisingly, only a few companies have obtained the two important credentials, PCI ASV & CREST, which necessitate rigorous assessments and process reviews to demonstrate their competence to the councils. These credentials demonstrate that the company meets the established high standards, and it ensures that only the best of firms are chosen.PCI ASVPCI (Payment Card Industry) has a credit card connotation, but to become an ASV (Approved Scanning Vendor), a company must undergo an intensive test in which an environment is set up. The company must find and report vulnerabilities in that environment to the PCI council. The environment is designed to mimic a real-world production environment, and the report generated could easily be several hundred pages long. Many significant investment and financial services firms have mandated that their vendors be tested by a PCI ASV, even if there are no credit cards in the environment, to differentiate the firm's quality.CRESTCREST is a European-based certification that verifies that the testing team follows consistent processes and tools (among other things) across their team and that it is not up to the individual tester to 'figure it out.' It seeks to transform testing from an art to a science wherever possible.2. ScalabilityIs your security company available when you need them? Do they have a large enough team to respond quickly if you need something tested? Do they have experience in various environments? On a multi-test contract (either testing multiple times a year or for multiple years), they can also frequently change the person performing the test. Although this is slightly less efficient than having the same person do it for years, it allows a different perspective on the application or network, as well as attack scenarios. As much as we try to make testing a science, there is also an element of art to it.3. Delivery Process and PlatformThe delivery process and platform are crucial when hiring a security testing firm. It is essential to understand how the testing results will be delivered, how the report will be accessed and secured, and whether there will be a platform for analyzing the results over time and collaborating on vulnerability fixes. Furthermore, clear communication and regular updates on the test status can aid in the delivery process.4. FAQs to Ask Yourself When Choosing the Right Security Maximizing Your InvestmentWhen looking for a security testing firm to partner...

View More

Article

HIPAA UPDATES 2023

Written By Vigneswar Ravi & Vignesh M R The Latest on HIPAA Compliance HIPAA Compliance will be undergoing significant changes, this year in 2023, which you need to be aware of. But, let's look at its history before we get into the upcoming changes in the HIPAA Privacy Rule.The United States established HIPAA in 1996.  However, there were no set rules for gaining access to medical records till then. In fact, all the local and state governments had established their own rules and fees. HIPAA established standardized rights and responsibilities for managing and safeguarding Protected Health Information (PHI).However, changes in working practices and technological advancements over the last ten years have given rise to various issues with HIPAA. To address these concerns, the department of Health and Human Services (HHS) Office for Civil Rights (OCR) had to issue HIPAA guidelines to clarify misunderstandings about HIPAA requirements rather than make rule changes. The major HIPAA update was enacted a decade ago, and changes to HIPAA Rules are now required. The latest response was due earlier this year but has been postponed until March 2023. Proposed HIPAA Updates to the Privacy Rule in 2023 PART 1Allowing patients to examine their PHI in person and take notes or photographs.Reducing the maximum time for providing PHI access from 30 days to 15 days.Restricting the rights of individuals to transfer ePHI to a third party maintained in an Electronic Health Record (EHR).Confirming that an individual has the authority to instruct a covered entity to transmit their electronically Protected Health Information (ePHI) to a personal health application upon the individual’s request.Specifying when individuals receive ePHI free of charge.Mandating that covered entities notify individuals about their entitlement to receive or authorize the transfer of their Protected Health Information (PHI) to a third party, in cases where they are provided with a summary of the PHI instead of a complete copy.Extending the authorization of the armed forces to disclose or use the PHI to all uniformed services.Adding a definition for electronic health records.Modifying the language to enhance the ability of a covered entity to disclose PHI to prevent a potential threat to health or safety in circumstances where the harm is "reasonably and significantly predictable.”Creating a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.Obtaining a written acknowledgment from a person for receiving a Notice of Privacy Practices will not be required by covered entities.Requiring HIPAA-covered entities to publish on their website the estimated fee schedules they charge for PHI access and disclosures.Furnishing personalized cost estimates for supplying individuals with a copy of their PHI will be required of HIPAA-covered entities.Broadening the scope of healthcare operations to include care coordination and case management.Requiring HIPAA-covered healthcare providers and health plans to respond to records requests from other covered entities when individuals exercise their HIPAA right of access.Granting authorization to covered entities to utilize and disclose certain Protected Health Information (PHI) if they genuinely believe it is in the individual’s best interest.Introducing an exemption to the minimum necessary standard for individual-level care coordination and case management purposes, irrespective of whether these actions are classified as treatment or healthcare operations.PART 2In November 2022, Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) which sees both Part 2 and HIPAA changes to align these regulations better.Part 2 protects patient privacy and treatment records for substance use disorder (SUD), with HIPAA governing protected health information. Since SUD records are highly sensitive, they require more safeguards and restrictions than other types of health information covered...

View More

Article

THE vCISO SUPERPOWER: A Virtual Chief Information Security Officer for your Cybersecurity Goals

Introduction There is a famous adage by Spiderman in Marvel comics, "With great power, comes great responsibility," and that’s how important a vCISO (Virtual Chief Information Security Officer) is in an organization. Today's digital transformation goes beyond automation and embraces technology for a broader range of tasks. The cybercrime epidemic is threatening, with a 15% annual growth rate. With the increased use of technological platforms, the threat of cybercrime costs organizations millions of dollars. In response to this growing threat, the global cybersecurity market is expected to grow at a compound annual growth rate of 13.4%, reaching USD 376.32 billion by 2029. (From USD 155.83 billion in 2022). With the rise of sophisticated threats and the growth of cybercrime, a Chief Information Security Officer (CISO) in senior management is required for organizations. The CISO can provide a comprehensive cybersecurity framework and requirements tailored to their business needs. However, employing a full-time CISO can be costly. Instead, a virtual CISO can be used to meet the exact needs of multiple companies. The vCISO can effectively address the organization's cybersecurity needs and collaborate with senior management to provide a cost-effective strategic cybersecurity plan. Who is a vCISO? A vCISO (Virtual Chief Information Security Officer) is an external security advisor and expert whose responsibilities vary depending on an organization’s business requirements. They are responsible for keeping critical systems and sensitive data protected from cybercriminals. They provide organizations with on-demand access to experienced security expertise, eliminating the need for a full-time employee. This provides organizations with the resources and knowledge they require to protect themselves from cyber threats without incurring the high costs associated with a full-time employee. How Can A vCISO Accelerate Your Business? 1. Making security a growth lever By bringing on a vCISO, you can ensure that your security is up to date, in compliance with regulations, and capable of enabling growth opportunities. With the vCISO in charge of security, the organization can concentrate on activities that directly contribute to business growth. 2. Assisting in ensuring that your internal security posture is excellent A vCISO can assist you in establishing a secure internal security posture and conducting security audits to identify existing vulnerabilities and potential security threats. This can aid in discovering and mitigating existing vulnerabilities, as well as the development of strategic plans for data access control, authentication, and authorization protocols. With a vCISO on board, the organization can be confident in the strength and security of its internal security posture. 3. Complying with security regulatory requirements Having a vCISO on board can also assist in complying with applicable regulatory requirements. The vCISO is familiar with many different regulatory bodies' security requirements and can ensure that the organization meets them. Furthermore, the vCISO can assist with periodic audits and assessments to ensure that the organization complies with all applicable regulations. Why Should Your Organization Hire A vCISO? ​ A vCISO can help your organization with strategic advice, roadmap creation, query resolution, board consulting, and client conversations. They can also manage programs, oversee tactical and operational tasks, as well as provide a comprehensive view of the organization's information security landscape. Furthermore, a vCISO is critical to an organization's cyber defense, assisting in the security of systems, processes, and data while aligning security with the organization's overall goals and objectives. Roles & Responsibilities Responsible for overseeing the implementation of security protocols and policies. Guide security-related topics, such as encryption, authentication, and risk management, to protect the organization against potential threats. Provide strategic advice to an organization and ensure that the organization's security practices are current. This includes identifying and recommending ways to close any...

View More

Article

WebSocket Vulnerabilities: Keep Your WebSocket Connection Safe

Written by Somya Agrawal Introduction  WebSocket is a powerful tool for sending and receiving messages over a network. It enables quick and reliable data exchange by establishing two-way communication between the server and the client. It is used in everything from online gaming to real-time data streaming. Unfortunately, WebSocket only comes with flaws. Cross-Site WebSocket Hijacking (CSWSH) is a security threat that allows malicious actors to hijack a legitimate WebSocket connection, allowing them to intercept, modify, delete, and inject data. They are also vulnerable to Denial-of-Service attacks, which can prevent legitimate users from accessing the network. WebSocket can also perform man-in-the-middle attacks, allowing attackers to modify or inject data into the network without the user’s knowledge. Here's everything you need to know about WebSocket! What is WebSocket? WebSocket allows two-way communication between a website and its server in real-time. It is a protocol that allows the client and server to transmit messages over the channel at the same time. They're used for things like chat apps and updating information on a website without having to refresh the page. The WebSocket-based connection lasts as long as either party lays it off. When one party terminates the connection, the second party can no longer communicate since the link is automatically terminated. WebSocket, like HTTP, can be either encrypted or unencrypted, as defined by the WebSocket schemes ws and wss, where ws:// is an unencrypted WebSocket, and wss:// is an encrypted WebSocket over TLS. They act as a backdoor connection between your computer and the website. Instead of waiting for the website to send you information, you can ask for it and receive it immediately, and the website can also send you information without requiring you to refresh the page. It's like a two-way phone call in which you and the website can converse simultaneously. How Does WebSocket Work? The usual WebSocket interaction between client and server consists of the following steps: What are the Common WebSocket Vulnerabilities? Improper WebSocket implementation can lead to serious vulnerabilities. Some of the most common security flaws are: 1. Cross-Site WebSocket Hijacking (CSRF with WebSockets) If the WebSocket handshake relies on HTTP cookies for the session and does not include a Cross-Site Request Forgery (CSRF) token, an attacker can write a custom script on their domain to establish a cross-site WebSocket connection to the vulnerable application. Using this attack approach, an attacker might obtain sensitive information. You can find a common script below that can be used to exploit this vulnerability: 2. Unencrypted Communications A WebSocket, like HTTP, can be encrypted or unencrypted. It utilizes the WebSocket schemes ws and wss to differentiate between the two. In particular, ws:// represents an unencrypted WebSocket, whereas wss:// represents a WebSocket encrypted with Transport Layer Security (TLS). 3. Denial of Service The server may receive an endless number of connections via WebSocket. This allows an attacker to perform a denial-of-service attack against the server, which significantly strains the server and consumes all its resources, thus delaying communication. The script below frequently crashes the WebSocket server, affecting some versions of the WebSocket client: 4. Sensitive Information Disclosure This occurs when WebSocket fails to protect confidential information adequately and may allow unauthorized access to such information. Passwords, credit card information, private communications, and intellectual property are examples of sensitive data. Additionally, this type of security flaw can be vulnerable to various services and systems, including databases, operating systems, and network devices. 5. Input-Validation Vulnerabilities If an attacker has access to WebSocket communications and the server does not properly validate or sanitize the input, an injection attack may occur. An attacker, for example,...

View More

Article

UNDERSTANDING AI RMF 1.0 - The Artificial Intelligence Risk Management Framework

Written by Tathagat Katiyar & Harshitha Chondamma Introduction Artificial Intelligence is undergoing continuous growth and development, with new technologies and applications being developed daily. As AI becomes more prevalent and integrated into various industries, it is critical to ensure that these systems are trustworthy, secure, and transparent. This is where the Artificial Intelligence Risk Management Framework 1.0 (AI RMF 1.0) from the National Institute of Standards and Technology (NIST) comes in. This framework provides organizations with guidelines and best practices to help them confidently develop, deploy, and operate AI systems.In this blog, we will cover NIST AI RMF 1.0 in-depth, including its features, benefits, and how organizations can use it to ensure AI systems meet high security and compliance standards.On January 26, 2023, the National Institute of Standards and Technology (NIST) under the U.S. Department of Commerce) released a Risk Management Framework for Artificial Intelligence (AI RMF). The AI RMF is designed to assist companies in managing risks and promoting responsible development while deploying or using AI systems. Although compliance with the AI RMF is voluntary, it can be helpful for companies seeking to manage their risks, particularly in light of regulators' increased scrutiny of AI.The Artificial Intelligence Risk Management Framework helps organizations to establish a systematic approach for information security and risk management activities focusing explicitly on Artificial Intelligence.  A robust AI risk management framework offers organizations asset protection, reputation management, and optimized data management.  It can also protect against competitive advantage, legal risks, and missed business opportunities. What is NIST AI RMF 1.0? The NIST AI RMF 1.0 is a set of standards and practices for evaluating, maintaining, and improving the trustworthiness of AI systems. AI RMF 1.0 provides an adaptable, structured, and quantifiable process that enables organizations to address AI risks. The aim is to assist organizations in understanding the risks associated with AI, developing strategies to manage those risks, and evaluating the trustworthiness of AI systems prior to deployment.Organizations may voluntarily determine compliance with AI RMF 1.0. The framework is designed for organizations that operate, develop, or deploy AI systems. It also applies to government agencies, non-profit organizations, and private companies. Additionally, it can serve as a reference guide for meeting regulatory and compliance requirements and enhancing their AI systems' performance, transparency, and trustworthiness. Salient Features of NIST AI RMF The AI RMF consists of two main components: Section 1The first section outlines how organizations can frame AI risks and the features of trustworthy AI systems. Section 2This forms the framework's core and includes four specific functions to help organizations address risks associated with AI systems. These include: 1. Govern: Guides organizations on how to develop governance structures and processes for AI risk management.2. Map: Advises organizations on identifying, assessing, and prioritizing AI risks.3. Measure: Helps organizations evaluate and monitor AI systems to ensure they perform as intended and per the organization's risk management objectives.4. Manage: Assists organizations in implementing risk mitigation strategies and managing AI risks over time. Objectives of NIST AI RMF The framework is designed to be voluntary, preserve rights, be non-sector specific, and be agnostic to use cases. This gives organizations of all sizes, sectors, and industries the flexibility to implement the ideas in the framework. The core objectives are to: • Provide a resource to companies creating, developing, deploying, or utilizing AI systems.• Assist organizations in managing various risks associated with AI.• Promote the development and usage of AI systems that are trustworthy and responsible. Bias in AI extends beyond ensuring demographic balance and representative data. In other words, an AI system may still pose problems even if it distributes predictions...

View More

    Ready to Start?

    SECURITY COMPLIANCE & ASSESSMENT SERVICES
    CONSULTING & ASSESSMENT SERVICES

    PENETRATION TESTING

    RED TEAM ASSESMENTS

    TECHNOLOGY STAFFING

    Contact Info

    E. info@accorian.com

    T. +1-732-443-3468

    Contact With Us

    Office Address

    Accorian Head Office

    6,Alvin Ct, East Brunswick, NJ 08816 USA

    Accorian Canada

    Toronto

    Accorian India

    401,402, Prestige Towers, Residency Rd., Shanthala Nagar, Ashok Nagar, Bengaluru, Karnataka 560025, India

    Shukla CPA, d.b.a Accorian Assurance is a licensed, certified public accounting firm registered with the American Institute of Pubic Accountants (AICPA) and the Public Company Accounting Oversight Board (PCAOB). Esha IT Corp d.b.a Accorian is a global leader in cybersecurity and compliance professional services.

    © 2023 Accorian. All Rights Reserved.

      Ready to Start?

      Download Case study

      Download SOC2 Guide

      Human Resources Director

      Posted On: 09 May, 2022

      Drop your CVs to joinourteam@accorian.com

        Interested Position
        First Name
        Last Name
        Email
        Total Experience
        Mobile Number
        Upload Resume
        Cancel