Wednesday, 22 February 2023

How to prepare for cyber risks


Minimising the chances of attacks

Cyber threats are evolving and escalating at an alarming rate for asset-intensive industries such as the energy sector.

Are organisations only concerned with undertaking the right measures to mitigate cyber risk after they have been attacked?

This may be the case in many situations, but the more important question to ask is: which cybersecurity controls should organisations consider?

The answer is straightforward: the controls that have the biggest impact on reducing the likelihood or the impact of a successful cyberattack.

Cyber risk is generally defined as a function of the threat to a system, the system's vulnerability to that threat and the resulting consequences.

Therefore, to successfully protect information technology (IT) and operational technology (OT) systems, companies must understand the tactics, techniques and procedures (TTPs) that threat actors use to achieve their objectives.

Here are several examples of well-documented cyberattacks on critical national infrastructure over the past two decades:

In 2010, arguably the most sophisticated cyberattack to date was uncovered at an Iranian uranium enrichment facility. It exposed the weakness of the cybersecurity controls and the vulnerability of OT environments.

The Stuxnet worm was designed specifically to target that environment, allowing the threat actor to manipulate the industrial controllers and disrupt production, causing downtime and business impact.

Stuxnet was the eureka moment for the energy and manufacturing industries: OT environments can be breached, with consequences for business, human lives, the environment and economies.

Unfortunately, it was a eureka moment for threat actors too. OT cyberattacks surged, and the creativity and sophistication of the techniques used to achieve malicious objectives have evolved ever since.

In December 2015, Ukraine was hit by another major cyberattack that shut off power at around 30 substations and left roughly 230,000 customers without electricity for up to six hours. SCADA workstations were wiped and rendered inoperable, so power restoration had to be completed manually at the substations, which further delayed recovery. The attackers also flooded the utility's call centre with bogus calls, a telephone denial of service (TDoS) attack, so that customers could not report the outage.

So how was this achieved? It must have been very sophisticated? Actually, not.

Spear phishing was used to deliver the BlackEnergy malware through malicious macros in Microsoft Office (Word and Excel) documents opened on computers at the utilities. In other words, the threat actors did nothing different from the known TTPs used in cyberattacks on IT environments.

The same tooling was then used to harvest user credentials, escalate privileges and move laterally from the corporate network into the SCADA network, where the attackers used the utilities' own remote-access and HMI software to open breakers and disrupt operations.

The 2015 attack seemed like a rehearsal: barely a year later, in December 2016, the Ukrainian grid was attacked again. This time a transmission substation serving the capital, Kyiv, was taken offline and part of the city went dark for about an hour.

The approach was more sophisticated. Rather than driving the operators' screens by hand, the threat actors used CrashOverride (also known as Industroyer), the first known malware built to speak the grid's own control protocols and operate breakers directly. It also carried components to wipe files and kill processes, including software from OT vendors, to hamper recovery.

This was another eureka moment – national power grids are not safe from threat actors either.

One of the most concerning cyberattacks was in 2017, when the Triton malware targeted the safety instrumented system (SIS) controllers, a specialised class of programmable logic controller (PLC), at a petrochemical plant in the Middle East. The function of these controllers is to protect the plant and its people from disasters caused by mechanical or process failure; tampering with them removes the last automated line of defence.

In 2018, advanced persistent threat (APT) activity against industrial environments continued to rise, as did industrial espionage.

From 2019 onwards, there was a drastic increase in ransomware activity affecting OT environments, including manufacturing, water treatment and pipeline operations.

Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) launched the Cross-Sector Cybersecurity Performance Goals (CPGs), a prioritised subset of IT and OT cybersecurity practices aimed at meaningfully reducing risk to critical national infrastructure and the communities it supports.

These cybersecurity controls are not meant to be the only considerations for organisations. Their purpose is to form the foundation for protecting IT and OT infrastructure against cyberattacks as part of a defence-in-depth cybersecurity strategy.

These are some of the logical first steps to consider:

User account security

User accounts are generally one of the first gateways for threat actors to gain access to the network, establish a foothold and move laterally. On the surface this may seem simple, but maintaining user account hygiene has been a long-standing challenge for many organisations.

Here are the suggested foundational controls that should be considered:

> enable the detection of unsuccessful user login attempts, and alert when they cluster by source or account

> change all default passwords and implement multi-factor authentication

> raise the minimum password strength

> separate standard user accounts from privileged accounts

> enforce unique credentials per user (no shared accounts, and not just an email address as the identifier, as is common)

> revoke the credentials of departing employees promptly.
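The first control above is only useful if something actually looks at the failures. The following is an added example, not code from the original article: a small detector that reads OpenSSH-style auth log lines and alerts when one source produces a burst of failed logins inside a sliding window. The host names, users, addresses and the assumed year are all invented for the demonstration.

```python
"""Detect clustered failed logins in a constructed auth log sample.

Added example for the "detect unsuccessful login attempts" control above;
it is not code from the original article. The line format mimics OpenSSH
entries in /var/log/auth.log; the host names, users and addresses are
invented for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd "Failed password" lines in classic syslog layout. The year is not
# present in that layout, so one is assumed when parsing (assumption).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)
ASSUMED_YEAR = 2023

# Constructed sample: one source spraying several accounts, and one
# legitimate user mistyping a password twice, hours apart.
SAMPLE_LOG = """\
Feb 22 08:00:01 hmi-gw sshd[2210]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Feb 22 08:00:09 hmi-gw sshd[2211]: Failed password for invalid user operator from 203.0.113.7 port 51010 ssh2
Feb 22 08:01:15 hmi-gw sshd[2214]: Failed password for root from 203.0.113.7 port 51020 ssh2
Feb 22 08:02:40 hmi-gw sshd[2219]: Failed password for admin from 203.0.113.7 port 51031 ssh2
Feb 22 08:03:55 hmi-gw sshd[2222]: Accepted password for jsmith from 10.10.5.21 port 40110 ssh2
Feb 22 08:04:30 hmi-gw sshd[2225]: Failed password for engineer from 203.0.113.7 port 51040 ssh2
Feb 22 09:30:00 hmi-gw sshd[2300]: Failed password for jsmith from 10.10.5.21 port 40200 ssh2
Feb 22 14:00:00 hmi-gw sshd[2400]: Failed password for jsmith from 10.10.5.21 port 40300 ssh2
"""


def parse_failed(lines):
    """Yield (timestamp, user, source_ip) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def find_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (count, users)} for sources with at least
    `threshold` failures inside any sliding window of length `window`.

    A sliding window (rather than fixed clock buckets) catches a burst that
    straddles a bucket boundary; reporting the distinct users also separates
    password spraying (many accounts) from one person's forgotten password.
    """
    by_src = defaultdict(list)
    for ts, user, src in parse_failed(lines):
        by_src[src].append((ts, user))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(src, (0, set()))[0]:
                alerts[src] = (count, {u for _, u in events[start:end + 1]})
    return alerts


def scan_sample():
    """Run the detector over the constructed log."""
    return find_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, (count, users) in scan_sample().items():
        print(f"ALERT {src}: {count} failures across users {sorted(users)}")
```

With the sample above, only 203.0.113.7 trips the detector (five failures across four accounts in under five minutes); the two widely spaced failures from 10.10.5.21 do not. In production the same logic would sit in the SIEM, keyed on both source and target account, and the thresholds would be tuned against the organisation's own baseline.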

Device security

Device security covers the measures taken to secure computing devices (hardware and software) against cyber threats while maintaining service continuity.

Here are the suggested foundational controls that should be considered:

> an approval process for new hardware and software deployment

> disabling macros by default

> maintaining an up-to-date asset inventory

> prohibiting the connection of unauthorised devices

> documenting device configurations.
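Disabling macros by default is the policy side of the BlackEnergy lesson described earlier in this article; the detection side is knowing which inbound documents carry a macro project at all. The following is an added example, not code from the original article: it classifies Office files by structure alone. OOXML files (.docx, .xlsx, .docm, .xlsm) are zip archives in which a VBA project lives in a part named vbaProject.bin and is registered in [Content_Types].xml, so renaming an .xlsm to .xlsx changes nothing inside. The sample files are constructed in memory; the legacy OLE2 formats (.doc, .xls) use a different container and are only flagged for deeper inspection.

```python
"""Flag Office attachments that carry VBA macros (constructed samples).

Added example for the "disable macros by default" control above and for
the macro-based phishing chain described earlier in the article; it is not
code from the original article. The sample documents are built in memory.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML container


def classify_office_blob(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-binary' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # OLE2 compound file: needs an OLE parser (e.g. oletools) to inspect.
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Check both the part name and the content-type registration so a
            # file that hides one of them still gets caught.
            has_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            if has_part or VBA_CONTENT_TYPE in ctypes:
                return "macro"
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped archive for the demonstration."""
    ctypes = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macro:
        ctypes.append(
            f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    ctypes.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ctypes))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 64)  # placeholder bytes
    return buf.getvalue()


def triage_samples() -> dict:
    """Classify a set of constructed attachments the way a mail or endpoint
    filter would, keyed by the (untrusted) file name."""
    samples = {
        "invoice.xlsx": _build_ooxml(with_macro=True),   # macro file renamed to .xlsx
        "report.xlsx": _build_ooxml(with_macro=False),
        "old_sheet.xls": OLE2_MAGIC + b"\x00" * 504,
        "notes.txt": b"just text",
    }
    return {name: classify_office_blob(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:15} {verdict}")
```

The point of the renamed invoice.xlsx sample is that the verdict comes from the container, not the extension; a filter that keys on ".xlsm" alone would pass it. Files classified as "macro" should be quarantined or delivered with macros stripped, and "legacy-binary" files handed to a proper OLE parser rather than trusted.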

Data security

The purpose is to protect sensitive and confidential data from unauthorised access, theft, loss and destruction.

Here are the suggested foundational controls that should be considered:

> strong encryption, implemented with enough agility that algorithms and keys can be replaced without redesigning the system

> enable log collection across IT and OT systems

> secure, tamper-resistant storage of those logs, so that an intruder cannot quietly edit or delete the evidence of their own activity.
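Secure storage of logs is as much about integrity as about access control: an attacker who can rewrite the audit trail can hide the whole intrusion. The following is an added example, not code from the original article, of one way to make a log store tamper-evident. Each record carries an HMAC over its own content and the previous record's tag, so an edit, deletion or reordering breaks verification from that point on; because a chain alone cannot reveal that its tail was cut off, the latest tag is also compared against a copy held off-host. The key, host names and events are stand-ins.

```python
"""Tamper-evident log storage using an HMAC hash chain (constructed data).

Added example for the "secure storage of logs" control above; it is not
code from the original article. The key and events are placeholders; in
practice the key lives in the SIEM or an HSM, not on the host producing
the logs, and the head tag is recorded there as each batch is shipped.
"""
import hashlib
import hmac
import json

DEMO_KEY = b"demo-key-held-off-host"  # assumption: placeholder key
GENESIS = b"\x00" * 32


def _canonical(event: dict) -> bytes:
    # Deterministic serialisation so the same event always hashes the same.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, key: bytes, event: dict) -> dict:
    """Append event to chain with a tag binding it to its predecessor."""
    prev = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    tag = hmac.new(key, prev + _canonical(event), hashlib.sha256).hexdigest()
    rec = {"seq": len(chain), "event": event, "tag": tag}
    chain.append(rec)
    return rec


def verify_chain(chain: list, key: bytes, expected_head=None) -> tuple:
    """Return (ok, first_bad_seq). Checks sequence numbers, every tag and,
    when given, that the final tag matches the head recorded off-host."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i:
            return False, i
        expect = hmac.new(key, prev + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, rec["tag"]):
            return False, i
        prev = bytes.fromhex(rec["tag"])
    if expected_head is not None and not hmac.compare_digest(prev.hex(), expected_head):
        return False, len(chain)  # tail truncated or rolled back
    return True, None


def demo() -> dict:
    """Build a short chain, then show an edit, a deletion and a truncation
    each being caught."""
    events = [  # constructed sample events
        {"ts": "2023-02-22T08:00:01Z", "host": "hmi-gw", "msg": "login ok user=jsmith"},
        {"ts": "2023-02-22T08:04:30Z", "host": "hmi-gw", "msg": "failed login user=admin"},
        {"ts": "2023-02-22T08:05:02Z", "host": "plc-01", "msg": "config write from 10.10.5.21"},
    ]
    chain = []
    for e in events:
        append_record(chain, DEMO_KEY, e)
    head = chain[-1]["tag"]  # what the off-host store would have recorded

    edited = json.loads(json.dumps(chain))  # deep copy, then alter record 2
    edited[2]["event"]["msg"] = "heartbeat"
    deleted = chain[:1] + chain[2:]         # drop the failed login
    truncated = chain[:2]                   # drop the PLC write at the end
    return {
        "intact": verify_chain(chain, DEMO_KEY, head),
        "edited": verify_chain(edited, DEMO_KEY, head),
        "deleted": verify_chain(deleted, DEMO_KEY, head),
        "truncated": verify_chain(truncated, DEMO_KEY, head),
    }


if __name__ == "__main__":
    for name, (ok, bad) in demo().items():
        print(f"{name:10} ok={ok} first_bad_seq={bad}")
```

The verifier reports the first sequence number at which the chain stops checking out, which is also where an investigator should start looking. The scheme does not make logs confidential or prevent deletion of the whole file; it makes any such change detectable, which is what the control asks for.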

Governance and training

A strong governance structure is a key success factor for any cybersecurity strategy, enabling the organisation to manage cyber risks effectively and to ensure adequate protection of data and systems.

Here are the suggested foundational controls that should be considered:

> appointment and empowerment of a single leader accountable for cybersecurity

> a single leader responsible for OT-specific cybersecurity

> basic cybersecurity training for all employees and third parties

> OT-specific cybersecurity training for OT managers and operators

> an effective working relationship between the IT and OT cybersecurity functions, to improve the effectiveness of the response to OT cyber incidents.

Vulnerability management

To reduce the likelihood of threat actors exploiting known vulnerabilities in IT and OT systems, the following foundational controls should be considered:

> mitigate known exploited vulnerabilities within a defined timeframe

> gather vulnerability intelligence from security researchers, and set up a disclosure process so that researchers can report discovered weaknesses quickly

> no exploitable services exposed to the Internet (remote access, management and file-sharing services in particular)

> limit OT connections to the public Internet

> conduct third-party validation of control effectiveness, for example through penetration testing.

Supply chain/third party

To ensure the integrity and reliability of supplier products and services, the following foundational controls should be considered:

> establish cybersecurity requirements for suppliers and write them into contracts

> require suppliers to disclose known cybersecurity incidents and vulnerabilities immediately, to enable a rapid response.

Detection, response and recovery

Here are the suggested foundational controls that should be considered:

> the capability to detect relevant threats and the TTPs behind them

> a comprehensive response and recovery plan, including appropriate and tested backups. Security incidents are inevitable; having the plan in place before one occurs gives the organisation the processes and resources to minimise the impact and recover effectively.

Network segmentation

Network segmentation reduces the likelihood of threat actors reaching the OT network after compromising the IT network, and vice versa.

Here are the suggested foundational controls that should be considered:

> segment IT and OT networks

> segment safety-critical systems from other systems

> segment temporarily connected devices (vendor laptops, portable engineering tools)

> segment wireless communications

> segment devices connected via untrusted networks or the Internet.
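Segmentation is only real if the traffic actually obeys it, so it pays to check flow records against the intended zone model rather than trusting the diagram. The following is an added example, not code from the original article, serving both the segmentation controls above and the "limit OT connections to the public Internet" control in the vulnerability-management list. It encodes a Purdue-style zone and conduit policy as data, evaluates constructed flow records against it with default-deny semantics, and lists the violations. Zone ranges, conduits and flows are invented; the 203.0.113.0/24 documentation range stands in for Internet addresses.

```python
"""Audit flow records against an IT/OT zone-and-conduit policy (constructed).

Added example for the segmentation controls above and for "limit OT
connections to the public Internet" in the vulnerability-management list;
it is not code from the original article. Zone ranges, conduits and flow
records are invented. The policy is default-deny: a flow passes only if an
explicit conduit permits that zone pair and destination port.
"""
import ipaddress

# Purdue-style zones with assumed address ranges.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
    "safety": ipaddress.ip_network("192.168.200.0/24"),
}

# Conduits: (source zone, destination zone) -> permitted destination ports.
# Note what is absent: nothing reaches "safety", nothing from "external"
# reaches "control", and "control" never initiates to "external".
CONDUITS = {
    ("enterprise", "dmz"): {443},           # users to the DMZ historian replica
    ("enterprise", "external"): {80, 443},  # ordinary web browsing
    ("dmz", "control"): {3389, 502},        # jump host to HMI (RDP) and Modbus/TCP
    ("control", "dmz"): {443},              # control pushes data up to the DMZ
}

# Constructed flow records, as a firewall or NetFlow export might provide.
SAMPLE_FLOWS = [
    {"src": "10.10.5.21", "dst": "10.20.0.10", "dport": 443},
    {"src": "10.20.0.5", "dst": "192.168.100.15", "dport": 3389},
    {"src": "10.10.5.21", "dst": "203.0.113.80", "dport": 443},
    {"src": "10.10.5.21", "dst": "192.168.100.15", "dport": 3389},    # IT straight to HMI
    {"src": "192.168.100.15", "dst": "203.0.113.50", "dport": 443},   # HMI calling out
    {"src": "192.168.100.15", "dst": "192.168.200.7", "dport": 502},  # control into safety
    {"src": "203.0.113.9", "dst": "192.168.100.15", "dport": 502},    # Internet to Modbus
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is
    treated as external (Internet or an untrusted partner network)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: dict) -> dict:
    """Annotate a flow with its zones and whether the policy permits it."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    allowed = flow["dport"] in CONDUITS.get((src_zone, dst_zone), set())
    return {**flow, "src_zone": src_zone, "dst_zone": dst_zone, "allowed": allowed}


def violations(flows):
    """Return the annotated flows that no conduit permits."""
    return [r for r in map(evaluate, flows) if not r["allowed"]]


def audit_samples():
    """Run the audit over the constructed flow records."""
    return violations(SAMPLE_FLOWS)


if __name__ == "__main__":
    for v in audit_samples():
        print(f"VIOLATION {v['src']} ({v['src_zone']}) -> "
              f"{v['dst']}:{v['dport']} ({v['dst_zone']})")
```

Four of the seven sample flows are violations: a workstation reaching an HMI directly, an HMI reaching the Internet, the control zone touching the safety zone, and an Internet address reaching Modbus. Run against real flow exports, each hit is either a firewall rule that should not exist or a conduit the policy forgot to document; both are worth knowing before an attacker finds them.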

Email security

By implementing effective email security measures, organisations can reduce the risk from common email-based threats (phishing, credential theft and malware delivery) and protect the confidentiality and integrity of email communications.

Here are the suggested foundational controls that should be considered:

> email encryption in transit (STARTTLS between mail servers)

> email sender authentication (SPF, DKIM and DMARC)

> email filtering of malicious links and attachments, including macro-enabled documents.

In conclusion, cyber threats are evolving and escalating at an alarming rate for asset-intensive industries such as the energy sector.

Strengthening the cybersecurity foundations is imperative to build a defence-in-depth model that reduces the chances of a successful cyberattack and safeguards IT and OT environments.

By Jaco Benadie. Jaco Benadie is a partner at Ernst & Young Consulting Sdn Bhd. The views expressed here are the writer's own.


Sunday, 19 February 2023

Know your fitness lingo

To navigate the fitness world, it helps to have knowledge of certain terms and acronyms.

Photo captions (photos: 123rf.com): When it comes to strength training, using your bodyweight to perform the exercise is adequate for beginners. On your active recovery day, gentle stretching is a good way to relax the body. Little jumps that can raise your heart rate count as cardio activity.

Gym-goers and some personal trainers like to throw jargon and acronyms around, even if they may not fully understand what the terms mean.

A few months ago, I met a college-going chap who had just started lifting weights and I queried him on his workout regime.

Most of his knowledge was taken off the internet: he was working out his arms and legs on alternate days six days a week, and looking tired, but good.

“I’m setting a PR every day,” he proudly told me.

PR? I was puzzled (I’m old school) and asked what that was because I only knew of PB (personal best).

The PR that I’m familiar with is the abbreviation for public relations; after all, as media practitioners, we frequently deal with PR professionals.

“Personal record, aunty!” he said, smiling while wondering which era I came from.

“Oh, that’s possible to do on a daily basis, huh?” I commented, intrigued.

Trying to keep up with the youngster, I then questioned: “Are you doing supersets or trisets?

“And don’t you suffer from DOMS, especially if you’re lifting so frequently?”

He gave me a blank stare because the terms threw him off.

Never assume middle-aged souls with mini muscles don’t know much!

So, I patiently explained them to him.

This encounter is not quite reflective of the generational gap, but is bound to happen to anyone as the fitness world has its own lingo and it’s tough to keep up with all the abbreviations and acronyms, especially the newly-created ones.

And it can be daunting for the beginner who enters the gym or has a conversation about fitness.

Upon checking with my personal trainer friends, I discovered that PR (the fitness acronym) is gym lingo that can be used for any kind of fitness activity.

It is, however, normally associated with the heaviest weight you’ve lifted for a particular exercise, or the maximum number of repetitions you performed using a certain weight.

People usually toss around this acronym when speaking about big lifts.

There are no hard and fast rules over using PR, but some people substitute it for PB.

They also use it to refer to other isolation exercises such as biceps curls, jump height, sprints, or even the length of time it takes to run a certain distance.

Here are a few common fitness terms you might want to know, and use, when necessary.

Cardio

Cardio, or cardiovascular or aerobic exercise, is any rhythmic activity that makes your heart beat faster and increases your breathing.

This is because you require more oxygen to keep up with the pace of movement.

Examples of cardio activities are running, brisk walking, cycling, marching in place, etc.

Getting your heart pumping at a faster rate on a regular basis keeps it in shape and healthy, thus reducing the risk of heart disease.

The role of cardio exercises is to help burn calories so that you can shed weight.

Strength/resistance training

This form of exercise is intended to increase muscular strength and endurance.

It involves exercising muscles using some form of resistance, i.e. weights, bands, or even your own bodyweight working against gravity.

To lose weight faster, combine your cardio with strength training, and watch how your body transforms.

Your bones can benefit from resistance training too.

Studies have shown that doing resistance training consistently can maintain or increase bone mass and density.

This is something most doctors are asking their older patients to do as it also helps improve balance and stability.

Hypertrophy

This refers to an increase or growth in muscle size achieved through strength-training exercises.

This style of training is popular within the bodybuilding community, where there is often a focus on the growth of certain muscles, e.g. thighs, calves, biceps or arms, to achieve an ideal physique.

Achieving this happens via moderate weight-lifting and moderate repetitions.

On the opposite end, muscle atrophy is the decrease in size and wasting of muscle tissue.

Rep/set

Rep is the short form for repetition, i.e. how many times you do the exercise.

One rep means one time, two reps mean two times, and so on.

The term “set” tells you how many times you are to repeat a particular number of repetitions of a given exercise.

For example, if you are doing squats, saying three sets of 15 reps means you’ll be doing 15 squats three times in total, with a rest (for an allotted time, perhaps 30 seconds or a minute) in between sets.

Supersets/trisets/giant sets

Supersets are doing two exercises back to back with no break.

Trisets are three exercises back to back, and giant sets are four or more exercises back to back, with no break.

During these sets, you can either pair exercises that are non-competing, i.e. opposing muscle groups, or you can target the same muscle.

For example, you may do one set of 12 reps of chest presses, followed by another set of 12 reps of push-ups.

This is a superset exercising the same muscle group.

Or you may do one set of 12 reps of push-ups, followed by another set of 12 reps of squats, then another set of 12 reps of calf raises.

This is a triset exercising different muscle groups.

DOMS

All of us experience DOMS, or delayed onset muscle soreness, at some point from doing any activity that is either new, done for a longer duration, and/or at a harder intensity.

It’s caused by inflamed muscle and connective tissues.

Symptoms range from muscle tenderness or soreness, to severe debilitating pain.

The temporary discomfort starts a day or two after a workout, and eases off by day three or four.

The soreness is a sign that your muscles have been worked and your fitness is progressing, but you shouldn’t be getting DOMS after every workout unless you’re exercising only once a month!

HIIT

High intensity interval training (HIIT) is a form of cardio exercise characterised by short periods of all-out exercise, interspersed with rest or active recovery sessions.

It combines both cardio and strength training, with the intention to maximise athletic performance.

It incorporates several rounds that alternate between several minutes of high intensity movements to significantly increase the heart rate to at least 80% of one’s maximum heart rate, followed by short periods of lower intensity movements.

There is a ratio that is followed, i.e. the amount of time spent working versus the amount of time spent recovering, also known as the work-to-recovery ratio.

For example, when you perform 60 seconds of work, followed by 60 seconds of recovery, your HIIT ratio is one-to-one.

Tabata

This is another form of HIIT consisting of short workout blocks.

Tabata training breaks a workout down into clearly defined intervals: typically, 20 seconds of a push-it-to-the-limit exercise, followed by 10 seconds of rest.

One cycle is repeated eight times for a total of four minutes.

You can mix two exercises in a cycle, e.g. 20 seconds jumping jacks, 10 seconds rest, 20 seconds crunches, 10 seconds rest, then repeat.

The recommendation is to do four to five cycles for a 16-20 minute workout; you’ll be sweating buckets by then!

Tabata, founded by Japanese scientist Izumi Tabata, is a highly effective training style for building power and cardiovascular fitness.

However, bear in mind that Tabata is gruelling and you’ll need to be fit enough to meet its physical demands without getting injured.

Also note that Tabata is HIIT, but not all HIIT is Tabata.

Active rest or recovery

This is usually one day in a set time period when you give your body a “break” and do some sort of movement that is less intense than your regular workout days.

But this does not mean you can lounge on the couch or scroll through social media throughout the day.

Instead, active rest means scheduling a low-intensity activity like a leisurely stroll, foam-rolling or gentle yoga to help with circulation.

You can even opt for a massage. Your body needs time to recover (just like the mind needs to recharge) so that the muscles can rebuild stronger.

By Revathi Murugappan, a certified fitness trainer who tries to battle gravity and continues to dance to express herself artistically and nourish her soul. For more information, email starhealth@thestar.com.my. The information contained in this column is for general educational purposes only. Neither The Star nor the author gives any warranty on accuracy, completeness, functionality, usefulness or other assurances as to such information. The Star and the author disclaim all responsibility for any losses, damage to property or personal injury suffered directly or indirectly from reliance on such information.


Saturday, 18 February 2023

Learning is key to resilience in business

Nine out of 10 learning and development (L&D) professionals in this region believe that proactively building employee skills for today and tomorrow will help navigate the evolving future of work.

L&D helps organisations thrive amid uncertain economic times, and a people-centric culture recognises that organisational success depends on people's success.

Management, communication and sales are some of the top in-demand skills that are highly sought after by companies in Malaysia, according to LinkedIn's latest "Workplace Learning Report".

Since upskilling and reskilling are essential, over half of the L&D leaders surveyed across Malaysia, Singapore and the Philippines expect to have more spending power in 2023.

The report said retention is a big issue, as 93% of organisations are concerned about it.

This is because many organisations grappled with unprecedented employee turnover in the pandemic's wake.

And even while some layoffs have made headlines in recent months, talent development professionals continue to grapple with skills shortages and turnover risk for critical talent.

It is not surprising that attrition anxieties persist.

People who are not learning normally leave organisations, as they do not fit in or struggle to understand the new ways of doing things.

Compiled by B.K. Sidhu, bksidhu@thestar.com.my
