John Anthony Smith: Close The Front Door Open A Back Window

Monday, June 7, 2021 - by John Anthony Smith
John Anthony Smith
John Anthony Smith

(John Anthony Smith, CEO of the fast-growing Conversant Group on the Southside, advises on Internet security after recent attacks by cyber gangs - first on a U.S. pipeline company, then on a huge beef producer and later a major media company.)


I was asked recently during an interview, “In two minutes, can you tell me why many organizations are not prepared for cyber threats?”

 

The answer is simply this:

  1. The world has changed.

    The threat actors have become far more sophisticated in how an attack is orchestrated and organized.

  2. Many organizations’ mitigating controls are reminiscent of what they might have been in the late 90s; in many cases, the controls used have not evolved very much.

  3. Internal IT professionals spend most of their time keeping the business moving and the users functional.

Years ago, an attacker or small group of attackers would individually find a vulnerability, craft software or methods to breach systems leveraging that vulnerability, then orchestrate the breach themselves. Often, there were one to a few threat actors working to carry out the tasks to orchestrate an attack. Now, threat actors are working en masse in a collaborative manner. One person or group may write or construct the methods and code to find and leverage a specific vulnerability to breach systems. The first actor or group of actors then make their code and methods available to others (secondary and sometimes third parties) willing to give them a cut of all the dollars they harvest with the tools and methods. Thus, a threat actor does not need to be good at writing code, finding flaws, breaching systems, and exploiting companies. A single threat actor can focus on the portion of a breach chain where that individual or group is most effective. The threat actors are far better orchestrated than they once were.

Nearly every company has three basic controls (or at least believes they do):

  1. A firewall

  2. Antivirus

  3. A backup

Depending on the firewall technologies being employed, I would argue in many cases firewalls are basically performing similar function as they did in the late 90s, nothing more than a basic fence, because namely, 85%+ of the Internet is now encrypted. If the firewall hasn’t been configured to perform deep packet inspection of HTTPS, the firewall is blind to a majority of traffic. Many companies also have only one control on the endpoint, but the battle is usually ultimately won or lost on the endpoint. Backups are rarely checked, often misconfigured, rarely tested, and rarely immutable (meaning if a delete command is sent or the backups are encrypted, the backups are not actually deleted or destroyed; they can be recovered). The reality is that mitigating controls’ implementations within many companies have not evolved that much; however, the threats and risks continue to increase. There is an old saying, “If you are not changing, you’re dying.” That is certainly the case as it relates to managing and mitigating digital risks.

 

I asked a question in return, “How much of your IT staff’s time is spent on managing risk?” I told him that I thought it was likely less than five percent; he agreed that my guesstimate was probably accurate. Technology adds efficiencies, but it also imposes organizational risks. These risks are often unnoticed and unmanaged.

 

The threat actors are cunning and crafty. They must only find one open window, crack, crevice, or door. Your IT professionals must find and close them all. Couple this with the fact that IT resources are often understaffed, underfunded, and improperly focused: you have a recipe for a disaster. Usually, internal IT professionals are spending most of their time keeping systems running, users happy, and reacting (not proactively planning and orchestrating) to imminent risk. They have little time to manage risks holistically.

 

It breaks my heart to see organizations’ users, leaders, and IT professionals suffer. We do breach recovery work for this reason. We extend our hand to those who find themselves in breach situations. We want to help!

 

There is a better way. Many digital risks, especially the common ones, can be known, mitigated, and managed. I hope to educate our business community regarding what, why, and how these events are occurring.

* * *

John Anthony Smith can be reached at:

423-305-7890

 

 

 

 

John.Smith@conversantgroup.com

1513 Cowart Street

Chattanooga, TN 37408




Police Blotter: Man Retrieves His Stolen Tools From Thief; Lottery Tickets Stolen At 7-11

Latest Hamilton County Arrest Report

Chattanooga-Based Rent My Equipment Site Aims To Be "The Airbnb Of Equipment Rental"


A man on Lynnbrook Avenue said his brother saw via a security camera an older white male stealing tools from the back of the man’s vehicle. The man confronted the suspect and he took off in a ... (click for more)

Here is the latest Hamilton County arrest report: AMERINE, NATHANIEL RAYMOND 7307 FAYE AVE CHATTANOOGA, 37421 Age at Arrest: 37 years old Arresting Agency: Hamilton County Booked for ... (click for more)

Chattanoogan Mark Williams began looking around in his garage at all the tools, equipment, and sporting goods that he had collected over several years and began searching for an app that would ... (click for more)



Breaking News

Police Blotter: Man Retrieves His Stolen Tools From Thief; Lottery Tickets Stolen At 7-11

A man on Lynnbrook Avenue said his brother saw via a security camera an older white male stealing tools from the back of the man’s vehicle. The man confronted the suspect and he took off in a green Ford F150 with his tools. The man was able to locate the suspect a short while later. He said when he confronted the suspect again, the suspect returned his tools. The man does not wish ... (click for more)

Latest Hamilton County Arrest Report

Here is the latest Hamilton County arrest report: AMERINE, NATHANIEL RAYMOND 7307 FAYE AVE CHATTANOOGA, 37421 Age at Arrest: 37 years old Arresting Agency: Hamilton County Booked for Previous Charges or Other Reason(s) ARCHER, JADEN STORM 6655 SANDALWOOD CIRCLE HARRISON, 37341 Age at Arrest: 43 years old Arresting Agency: Hamilton County FAILURE TO APPEAR ... (click for more)

Opinion

Great Service From The Hamilton County Health Department Hotline

My wife woke up this morning and thought she might have COVID. We called the Hamilton County Heath Department hotline and someone answered on the third ring. Not a voice mail, a real person. She told us they they were already out of their supply for rapid testing but recommended two pharmacies, one on Highway 58 and one on Hixson Pike. We chose the one on 58. A pharmacist ... (click for more)

I Remember Chattanooga’s First March For Life

This Saturday, Jan. 22, 2022, Greater Chattanooga Right to Life will hold its March for Life assembling at 10:30 a.m. at the Coolidge Park Pavilion. I hope you will attend. I remember the first March for Life in Chattanooga held 35 years ago on Jan. 22, 1987. The march consisted of 14 people: Dan Martino, Doyle Ratterree and his wife who was carrying their infant daughter in ... (click for more)

Sports

Chattanooga Women Host UNC Greensboro Saturday

The Chattanooga women’s basketball team will look to keep the excitement going Saturday afternoon against UNC Greensboro at The McKenzie Arena. Chattanooga is riding a three-game win streak and sitting third in the Southern Conference standings after claiming its 900th program win against Western Carolina on Thursday. The Mocs are 5-14 overall and 3-1 in league play. UNCG is ... (click for more)

John Shearer: Retiring Mark Guhne Looks Back With Fondness On UTC Golf Coaching Career

Mark Guhne did construction work building houses for nearly 20 years before he realized he wanted to build something else – a college golf program. After being hired as the UTC men’s golf coach in a rather unusual manner, he went on to lead the Mocs through probably their most successful period in history in terms of being able to compete with bigger schools and reach the ... (click for more)