Logos and Branding and Websites, Oh My!


Welcome to Assura’s new presence on the web! New logo, new brand, new web design, new Internet domain, and a move of our headquarters to a new location. Whew! And that’s just the stuff you can see!

This marks a major milestone in our company’s history because this is the culmination of over two years of hard work by our team to build a comprehensive suite of managed services that put those capabilities within reach of small-to-mid-sized organizations. We call it democratization of cybersecurity.

We’ve spent the last couple of years building these managed services to achieve four primary goals:

  1. Making purchasing cybersecurity protection easier for buyers in small-to-mid-sized organizations by re-designing services such as Virtual ISO™ to be the easy button for cyber protection
  2. Driving out the high cost and budget unpredictability associated with building and maintaining a strong cyber-defense capability
  3. Building on our history and expertise to make all of our solutions equally applicable to both public and private sector organizations
  4. Maintaining the same high quality and client satisfaction that we’ve enjoyed throughout our company’s 11-year history

While we feel that we’ve achieved those goals, we still work every day to improve upon them. For us, “good enough” is never good enough.

While we have focused on building managed services, we haven’t abandoned our very strong project and advisory services. Managed services are “in addition to”, not “instead of”.

You can expect to see more of us on social media, our blog (yes, blogs are still a thing) and out and about at conferences, events that we sponsor, and even a podcast! Some of our clients joke that we’re “the best kept secret in cybersecurity”. Not anymore!

So welcome to the “new” Assura. Better than ever.

Karen Cole
CEO

The Dark Web


The Surface Web is only 10% of the total size of the Internet. All sites on the surface web are indexed by search engines and are easily accessible. Examples of the surface web are Facebook, Twitter, YouTube, etc. The Deep Web and Dark Web contain the other 90% of the Internet.

The Deep Web includes: Non-public databases, password protected sites, torrent sites, private discussion forums.

The Dark Web includes: Black Markets, Botnets, Terrorists, Hoaxers, Hackers, Fraudsters, Phishing, Hitmen, Pornography (mostly illegal), and more…

“Bad guys” use the Dark Web to sell goods and services to make money. Here is a sample of how much they make:

  • Fake Facebook account with 15 friends: $1.00
  • Your Medical Records: $50+
  • Your Credit Card details: $0.25-$60
  • Your Banking Details: $1,000+

So how does one get to the Dark Web? The answer: by using a special web browser, freely available for download, called “Tor”. However, instead of using a web address that ends in .com, .org, .net, etc., you use an address that looks like this:

http://3g2ipfel2j43nkr3m.onion

The number-and-letter combination is the randomly generated hostname of a hidden service. The “.onion” is a domain suffix that is only reachable via Tor (an acronym for “The Onion Router” — hence, the “.onion” domain suffix). The purpose of Tor is to anonymize the communications of the people who access web sites in the .onion Internet domain. The Tor Project, Inc. is a not-for-profit organization dedicated to developing and propagating the Tor technology. So what is the purpose of Tor?

Tor, like many things in life, is a double-edged sword. True, it’s used by “scum and villainy” to sell illegal narcotics, child pornography, and contract killing. However, it’s also used by political dissidents in repressive regimes such as Iran, Cuba, China, and Russia to organize protests and agitate for change in those regimes. It’s also used by ordinary people who simply want to try to remain anonymous online without having every aspect of their surfing habits sold by large Internet conglomerates. The latter is the true intent of Tor. From The Tor Project web site:

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

The good news is that law enforcement and the US intelligence community have had some success in peeling back the anonymity of the Tor onion and have caught several purveyors of downright awful stuff. And sometimes they just get plain lucky. That’s also the bad news, because those who use Tor for benign web surfing or to agitate for political freedom also risk having their identities compromised.

With respect to cybersecurity more directly, Dark Web marketplaces exist to sell the treasure trove of information that hackers siphon out of companies, such as Social Security Numbers, credit card information, identities, and compromised user ID and password pairs. There are also marketplaces that sell hacking toolkits, hacking services for hire, and undisclosed software vulnerabilities called “zero day vulnerabilities”. Why are they called “zero day vulnerabilities”? Well, because the world has literally zero days to secure its systems before the vulnerability is disclosed and actively used to attack…well…whatever targets help advance the attacker’s geopolitical and/or financial goals.

Companies such as Risk Based Security and IntSights are giving the rest of us a fighting chance at protecting ourselves through their monitoring of the Deep Web and Dark Web for threats and vulnerabilities that we would otherwise not know about until it’s too late.

In the meantime, best to stay away from dark web marketplaces and stick to regular web sites (your kids too).

One last thing about Tor. It’s slow. Really, really slow, even on a fast Internet connection. Without getting into the technical details, the way it’s designed makes it inherently slow. So it’s really bad for general purpose web surfing. So again, unless you’re super committed to your anonymity online, there are other ways to protect your privacy online such as VPNs and privacy-focused web browsers that will provide a much more pleasant experience. But we can get into those in another post.
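Since the .onion suffix described above is only reachable through Tor, a defender can spot .onion names showing up in ordinary DNS or proxy logs, which usually means a Tor client or a misconfigured application on the network. The following is an added example, not code from the original post or from the Tor Project: it classifies .onion hostnames by the two published address lengths (16 base32 characters for the older v2 format, 56 for the current v3 format, which always ends in “d”) and runs that check over a constructed, hypothetical DNS log.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample DNS log (hypothetical; not from the original post).
# Format: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2024-01-10T09:12:01Z 10.0.0.15 www.example.com
2024-01-10T09:12:05Z 10.0.0.22 abcdefghijklmnop.onion
2024-01-10T09:12:09Z 10.0.0.22 www.abcdefghijklmnop.onion
2024-01-10T09:13:44Z 10.0.0.31 abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion
2024-01-10T09:13:50Z 10.0.0.31 onion.example.com
2024-01-10T09:14:02Z 10.0.0.15 notanonion.onion
"""

# Onion names use the lowercase base32 alphabet (a-z, 2-7), no padding.
_B32 = "[a-z2-7]"
# v2 (retired in 2021): a 16-character label, optionally under extra subdomain labels.
V2_RE = re.compile(rf"^(?:[a-z0-9-]+\.)*({_B32}{{16}})\.onion$")
# v3 (current): a 56-character label whose last character is always 'd',
# because the final byte of the encoded address is the version number 0x03.
V3_RE = re.compile(rf"^(?:[a-z0-9-]+\.)*({_B32}{{55}}d)\.onion$")


def classify_onion(hostname: str) -> Optional[str]:
    """Return 'v2', 'v3' or 'malformed' for .onion names, None for ordinary names."""
    h = hostname.strip().lower().rstrip(".")
    if not h.endswith(".onion"):
        return None
    if V3_RE.match(h):
        return "v3"
    if V2_RE.match(h):
        return "v2"
    # Ends in .onion but matches neither published format: still worth a look.
    return "malformed"


def find_onion_lookups(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client_ip, name, kind) for every .onion query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        kind = classify_onion(parts[2])
        if kind is not None:
            hits.append((parts[1], parts[2], kind))
    return hits


if __name__ == "__main__":
    for client, name, kind in find_onion_lookups(SAMPLE_DNS_LOG):
        print(f"{client} queried {name} ({kind} onion address)")
```

A .onion query reaching a normal resolver never resolves, so each hit is a client to ask about rather than a connection that succeeded.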

You Don’t Have to Do Cybersecurity


This is part 1 of a series that is going to teach small-to-mid-sized organizations how to navigate the complex world of cybersecurity: how to budget, plan for, and implement a cybersecurity program. This series will give you the tools to make the decisions needed to protect your reputation and your ability to do what you do best – whether that’s treating patients, helping customers achieve their financial goals, running a state agency, county or city, educating children, or any other business. We will take you through the process of deciding whether you do it yourself or hire a service provider to handle it for you. We know this is daunting, but we’re here to help you navigate through the process using plain English. And do you want to know something? It can be done so that the cost is within the financial reach of most small-to-mid-sized organizations just like yours.

As the CEO of Assura, I am often asked why people are forced through laws, regulations, and directives to implement a cybersecurity program. The answer is simple. You really do not have to do cybersecurity. Nobody is holding a gun to your head to do anything. (Well, unless they really are holding a gun to your head right now. If so, you have bigger problems to focus on right now and should probably handle that instead of reading this blog.)

Now back to the topic. You’re probably shocked by that statement, especially coming from the CEO of a cybersecurity services firm. However, there is truth in that statement. You do not have to do anything. In fact, cybercriminals would prefer that you do nothing. I can hear what some of you are thinking right now: “Get real, Karen. The regulators are forcing us to do it or we can get hacked. We can’t delay it any longer.” That might be the case, but what I am trying to highlight here is that there is always a choice. What happens when people feel forced to do something? Do they step right up and get started, or do they kick the can until the negative consequences of not doing something overpower the benefit? The reality that I’ve seen time and again is that forcing someone to do something they see no immediate benefit in doing will only get them to comply with the bare minimum.

I bring this point up because I have dealt with leaders from all walks of life. You name it: CEOs, government leaders, elected officials, and the list goes on and on. They are constantly faced with a long list of things they “have” to do, and their auditors, IT executives, and other members of leadership are frustrated because they are advocating to get cybersecurity initiatives implemented because “the regulators are coming”.

The audit is coming! The audit is coming!

So, what’s the answer to resolve this tension between being told that you have to implement a formal cybersecurity capability and other, high-priority business demands? Here are three steps that I believe can guide the way to the answer:

  1. Acknowledge the past and present.

The news is strewn with headlines about this data breach or that. They happen so frequently that it’s almost to the point of just being background noise. In fact, there is a whole site dedicated to tracking the daily breach headlines.

Ten years ago, the bad guys were going after the big targets like large banks, but it’s a different ballgame now and even the smallest companies are targets. These days, the bad guys don’t care about size because it’s all a numbers game to them. They cast their net wide, and if you get caught in it, it doesn’t matter whether you’re Bank of America or a small doctor’s office with patients’ protected health information. Cybersecurity is now the cost of doing business in all modern companies because every company relies on computers connected to the Internet to facilitate key business functions – even if it’s nothing more than keeping the books.

The time for decision is now. Decide if you want to avoid what is playing out (rather publicly) for other organizations. I have a feeling that most of you will decide that it is not in your best interest to continue to kick the can on cybersecurity. (Otherwise, why would you be reading this post on a cybersecurity website?) If that’s the case, then proceed to the next step. That said, I know that some people may need to process some additional considerations.

For folks still on the fence, I ask this: what does the constant fear, stress, and worry about becoming a data breach victim or coming under increased regulatory pressure buy you? If your answer is “nothing” and if it isn’t bothering you, then I give you the permission to do nothing. In fact, you do not need to read the rest of this blog post. Thanks for visiting.

  2. Think about the possibilities for the future.

For those of you still with me, I want you to think about a future. In fact, get a nice soft blanket and a warm cup of tea and think about what a world looks like with cybersecurity in your life.

  • Do you want to push the “easy button” and just have someone handle cybersecurity for you and your organization?
  • Do you want to appoint or hire someone to be guru of cybersecurity for your organization but don’t know where to begin or whom to select?
  • Could a hybrid solution, where you make the decisions about your cybersecurity but do not necessarily do all the heavy lifting, work for you?

Each of these approaches has its own merit from cost, strategic, and operational standpoints. I’ll be discussing those in a future post in this series. However, if you have an immediate need to answer those questions, feel free to contact me through our Contact Us page and I’d be happy to talk to you about them personally. And don’t worry, it won’t be a sales pitch and I won’t even send you a bill.

So think about a future where your operations aren’t disrupted by some faceless attacker across the world, where you maintain customer/constituent trust, and where you aren’t constantly playing catch-up to satisfy regulators and auditors.

Not an effective cybersecurity audit remediation strategy.

  3. Develop a Plan of Action.

No matter what decision you make, whether you use a company like Assura or decide to develop your cybersecurity capabilities in house, the very first thing you must do is create a Plan of Action. In the immortal words of Yogi Berra, “When you see a fork in the road, take it.”

The biggest mistake we see people make with cybersecurity is that they jump in without a plan and just start addressing “the low hanging fruit.” I like to call it Cyber-Whack-A-Mole. While some of that work can be done immediately, you need to follow a structured process that empowers key decisions to be made by leadership. Once you’ve made the commitment to build a cybersecurity capability, taking time to define the process, tasks, and resources needed to achieve your goals is the single most important thing you can do to guarantee the success of your effort.

Whether you decide to become a cybersecurity conscious organization or continue to kick the can down the road, just keep in mind that it is a choice you are making. Not doing anything is just as much of a choice as doing something. You are in the driver’s seat and you are making the decision. Just understand the potential risks and go in with your eyes open.