Orchestra's Blog
Purple integration with CyberArk PAM
Orchestra’s Purple integration with CyberArk Privileged Access Manager simplifies and secures credential management. IT and security personnel no longer need to store and manage credentials (passwords, etc.) within the...
Cybersecurity Terminology For 2023
Advances in artificial intelligence and new ways of thinking about cybersecurity are leading to new approaches that will better protect organizations from costly attacks and more effectively manage risk....
The Digital Cyber Twin – The Difference Maker in Knowing Your Cyber Exposure
One of the fundamental challenges facing any organization is how to gain a solid handle on its cyber exposures. Cyber exposure refers to the vulnerabilities and risks associated with an...
Recently Uncovered Linux Security Issues Create Another Wi-Fi Attack Vector
Linux has had long-standing memory-safety issues. These exposures often give attackers the means to crash devices, cause denial of service, and in some cases extract sensitive...
So what Exactly is Machine Reasoning, and How do you Teach an AI Model to Behave like an Attacker?
If you create a semantic graph for cyber threats, it will be able to discover which attack vectors your organization is exposed to. So what exactly is machine reasoning...
Do You have an Evil Twin?
Top Five Wireless and IoT Threats. Unlike wired networks, wireless networks can be reached by anyone within radio range. Even restricted wireless environments can be penetrated from nearby. Wireless networks host a wide...
Threat Susceptibility: Achieving Cyber Resiliency Goals
Cyber resiliency goals (i.e., anticipate, withstand, recover, and adapt) support the linkage between the risk management decisions at the mission or business process and system levels and the organization’s...
Threat Susceptibility: From Risk Management To Active Defense
In our previous blog post in this series, Threat Susceptibility: Countermeasures and Risk Remediation Options, we continued our MITRE ATT&CK example and focused on identifying mitigations and security controls...
Threat Susceptibility: Countermeasures and Risk Remediation Options
In the blog post ‘The Art of Attack vs. the Science of Resilience’, Omri wrote “Cyber risk analysis and management is completely dependent on an understanding of how attackers...
Threat Susceptibility Assessments: Challenges & Opportunities
What are some of the challenges in assessing cyber threat susceptibility? Penetration testing is probably the best-known and most widely used method for assessing threat susceptibility. These human-driven assessments...
Assessing Risk using Threat Susceptibility
What are the targets of cyber threats? In the NIST Cybersecurity Framework core function of ‘Identify,’ organizations are tasked with ‘Asset Management,’ where they need to discover...
The Art of Attack vs. the Science of Resilience
From personal experience I can definitively say that there is no such thing as 100% cyber security. As we can see from the ever-growing number of cyber attacks...
Urgent Update: CVE-2021-44228 Log4j Vulnerability
Summary. On December 9, 2021, a serious vulnerability in the Java-based logging package Log4j was disclosed. This is a remote code execution (RCE) vulnerability, meaning that it allows an attacker to...
Israeli cybersecurity co Orchestra acquires Netformx
The acquisition will expand Orchestra’s information security platform and enable it to discover network vulnerabilities while increasing its global footprint.
Governance and Policy in Practice
Part 4. Rethinking cybersecurity from the viewpoint of risk There are two principles to planning good governance: you automate away toil to ensure reliability and quality, but you...
Policy Bow Ties and Risk Based Policy
Part 3. Rethinking cybersecurity from the viewpoint of risk Policy is the centrepiece of both cybersecurity and risk management. Having a policy, as well as knowing it and...
Digital Risk Management By Promise
Part 2. Rethinking cybersecurity from the viewpoint of risk The ability to estimate risk presumes a certain level of insight into relationships, both technical and human. Yet, too much...
Risk Paralysis and Cyber-insecurity
Part 1. Rethinking cybersecurity from the viewpoint of risk Did we get cybersecurity wrong? Thirty years after the infamous Internet Worm was loosed upon an unsuspecting world, ravaging the...
Airspace Vulnerabilities in Healthcare
Wireless adoption is quickly emerging in every industry vertical that is using digitalization to simplify operations. The issue is that from a security perspective, the move to wireless creates...
Why Should You Care about Cyber Threat and Risk Assessment?
Cyber risks are evolving fast and organizations need to deal with them in more efficient ways. This requires an all-inclusive and agile approach to identifying threats and then eliminating...
Risk Based Vulnerability Management
Cyber defense is moving to a risk management and operations paradigm (see previous posts on effective cyber risk management and policy based cyber risk management). One aspect of risk...
SOAR vs. XIP – Reactive to Proactive Cyber Security Operations
The NIST Cybersecurity Framework identifies five functions (Identify, Protect, Detect, Respond, and Recover) as the five primary pillars for a successful cybersecurity program. These functions focus on cybersecurity management...
Orchestra Group conducts first APAC distie deal with emt Distribution
Will offer Orchestra’s full range of Harmony security products in the region. Cyber security vendor Orchestra Group has signed its first distribution agreement for Australia, New Zealand and Asia...
Press Release: Aplikacje Krytyczne – Poland selected Harmony IoT by Orchestra Group
Aplikacje Krytyczne deployed Harmony IoT to enhance and strengthen its airspace security and overcome its wireless-borne cyberattack blind spots. The world is full of connected devices. We are...
Risk of Delay
Many organizations have security policies that have an associated time frame. For example a patch policy could be that a patch must be applied to a vulnerable server within...
Smile – You’re on Camera
Verkada Hack. 150,000 security cameras, this time belonging to Verkada, were exposed in the most recent security breach. This should come as no surprise and is...
Exchange, Solarwinds and Supply Chain Attacks
Another major cyber issue is making the rounds this week – the Microsoft Exchange vulnerabilities published last week. The issue is the known exploitation of a set of unpublished...
5 Good Practices for Policy based Cyber Risk
A risk management approach is fundamentally different than the standard approach to cyber security. It requires that organizations explicitly decide on what risks to ignore – an outcome of...
…and Cisco Scores a Perfect 10!!
Cisco just published a vulnerability that could allow an unauthenticated, remote attacker to bypass authentication on an affected device. The CVE-2021-1388 vulnerability ranks 10 (out of 10) on the...
All the (cyber) World’s a Graph
Graphs are about the connectedness of objects. Graphs show us correlation and dependence between seemingly unrelated objects, as well as the degrees of freedom and separation between them. Social...
Back to the Future: A 2023 Report on Effective Cyber Risk Management
I talk to a lot of companies about cyber risk management vs. cyber security. I seem to get one of two possible responses – the first being a blank...
Groundhog Vulnerabilities
Groundhog Day is celebrated each year in the United States and Canada on February 2. It comes from a superstition that if a groundhog emerging from its burrow on this day sees its...
Will Solarwinds be the Crisis Cybersecurity Needs?
All of us in the cybersecurity business like to believe that cybersecurity is a boardroom issue and has been for the last few years. On the other hand we...
3 Clear and Present Cyber Dangers in 2021
According to the recently released World Economic Forum (WEF) Global Risks Report 2021, cyber risks continue ranking among the top ten clear and “present dangers” (high probability risks over the...
Threat Intelligence + Threat Scenarios = Predictive Cyber Security
Cyber Threat Intelligence (CTI) involves analyzing information about threats and producing guidance on how to respond. An interesting 2020 survey by the SANS institute on CTI (requires registration) found...
Capitol Breach and Cyber Threats
Last week pro-Trump rioters occupied portions of the U.S. Capitol building. This is a real issue for cyber defense since once there is known or presumed loss of physical...
Surprise: CISOs are Human
The CISO role is generally considered one of the highest-stress, least appreciated executive/managerial jobs. Even before the COVID crisis, nearly 9 out of 10 executives holding the title of...
Supply Chain Risk Management
NIST Special Publication 800-161 on “Supply Chain Risk Management Practices for Federal Information Systems and Organizations” was issued about 5 years ago (it is currently going through a revision)....
CISOs, Purple Teams and Cynefin
Cynefin is a sense-making framework created in 1999 by Dave Snowden. Cynefin offers five decision-making contexts or “domains”: obvious, complicated, complex, chaotic, and a center of disorder. Figure by Snowded (Own work,...
Microsoft, SUNBURST and Supply Chain Attacks
Continuing my tracking of the SolarWinds trojan (SUNBURST), I came across an article about Microsoft’s response – “Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach”....
More SWAG – This Time Thanks to the US Treasury
There was another breach this week that made headlines – the breach of the US Treasury Department. This time it is assumed to be a supply chain attack through...
SWAG Security Analysis
Here in Israel there were two security breaches that made big headlines over the last couple of weeks. The first was an ongoing ransomware attack on an Israeli insurance...
DORA the (Threat Led) Explorer
As financial firms become more digital, the EU decided these firms need to focus on ensuring their operations are as cyber resilient as possible. Cyber resilience means the ability...
When a Zero Day is Old News
This week Microsoft released a patch for a zero-day local privilege escalation (LPE) vulnerability affecting all Windows 7 and Server 2008 R2 devices. The LPE vulnerability stems from the...
Outcome based Cyber Security
Donald Rumsfeld was US Secretary of Defense from 1975 to 1977 and again from 2001 to 2006, and in 2002 famously answered a security question using the terms known knowns, known unknowns and unknown unknowns. The language is...
Trump, Biden and CVSS
Businesses use predictive metrics all the time. For example, forecasting next quarter’s revenue is a predictive metric used widely in business. When looking at any predictive business metric there...
Security, Compliance and Privacy Risks in the Energy Sector
The energy sector faces a cyber double whammy: IT infrastructure that is vulnerable to the same security, compliance and privacy risks faced by any IT organization, along with the...
Digital Security: CISO, TISO, BISO, BASE
First a little history. CIOs in the 80s and early 90s were focused on the technical side of the job. They would tend to have a technical background, and...
Security in Numbers
Security (or Safety) in numbers is the hypothesis that, by being part of a large physical group or mass, an individual is less likely to be the victim of a...
Cybersecurity and Continuous Improvement
The busy folks at NIST have just released the official version of NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM). It focuses on converging cybersecurity risk management (CSRM)...
Protecting Airspace, WLAN, Wireless and WiFi – Oh My
The interest in protecting organizational wireless networks is growing and so are the number of guidelines, best practices and standards being proposed and adopted (see Wireless Red Teams). One...
800-53 Revision 5 – Outcome Based Security and Privacy Control
NIST released Special Publication 800-53 Revision 5 earlier this month. In my mind it is actually different enough from previous releases to be considered version 1 of a new...
Wireless Red Teams: Evil Twins, Eavesdropping, and Password Cracking
Many companies operate wireless networks to allow greater flexibility through mobile computing. In many cases IT departments deploy wireless networks but ignore the dangers of wireless connectivity, assuming that...
Red, White and Blue Make Purple
Vulnerability scanning, penetration testing and red teams are the main detective controls for residual cyber risk – i.e. the risk that remains given controls already in place. Vulnerability scanning...
Red, White and Blue Cybersecurity Risks
Cybersecurity is moving away from using threats, vulnerabilities and exploits as the management metaphor towards risk-based cybersecurity management. Using risk terminology, penetration testing is a standard detective control used...
Lack of Standard Metrics
Lack of standard metrics to measure, manage and benchmark cyber risk limits security efficiency and effectiveness, making it difficult to prioritize and coordinate cyber defenses. Single security truth from...
Fragmented technologies
Organizations’ cyber security stacks consist of 100-150 different disconnected point tools or technologies, making it difficult to assess and act on the big picture. Organizations based their security operations...
Constantly Shifting Business Needs
In today’s world business needs are constantly shifting, and the IT and cyber risk landscape requires a constant stream of attention and resources. The CISO’s role isn’t just about security, but...
Is Cyber Security Fit-to-Purpose?
ITIL (IT Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL is used by CIOs (especially...
Cyber security: Emphasize Protect or Detect?
I am a subscriber to the NIST cyber security framework school of thought. Even though it is officially called the “Framework for Improving Critical Infrastructure Cybersecurity” it isn’t just about securing...
Measuring the Value of Cyber Security
A value-driven approach to cyber security would help businesses understand where to spend their cyber security budget, and how much to budget. One way to estimate how to spend...
Visibility, Analytics, Policies and Control are the Lynchpin of Cyber Security
Visibility is context. Analytics combine context with events. Policy translates that into a plan of action implemented by controls. Another way to put it is: “Given” a context, “When”...
Is Cyber Defense Simple, Complicated or Complex?
Cynefin is a sense-making framework that divides problem response into simple, complicated and complex. The goal is to choose the right response paradigm so that when a problem occurs the...
5 Indicators a Market is Ripe for a Platform
What is a Platform? The word “platform” even though it is used quite often, is a chameleon word – meaning different things in different contexts and to different people....
A Cyber Product Platform Stack for MSSPs (Managed Security Services Providers)
There are three business types that lend themselves to becoming a platform – infrastructure management businesses, product innovation and commercialization businesses, and customer relationship businesses [from John Hagel’s post...
The Pure Platform Approach
Another option for starting a platform is a pure platform play, in essence a “let’s bet the bank that we guessed right” approach. This is an expensive approach since you...
Emergent Platform Approach is Best
The best way to create a platform combines an immediate solution approach with an emergent platform play. It requires a market ripe for a platform (see my earlier post...
The Accidental Platform
Creating a platform is the embodiment of the chicken and egg problem. If there are no consumers – producers have no one to sell to. If there are no...