The placement of a CISO within the organization significantly affects how cybersecurity risks are managed and addressed. If a CISO is buried deep within the organizational hierarchy, the risks associated with cybersecurity may be diluted or misunderstood by multiple layers of management. These risks could eventually lose urgency or visibility before reaching decision-makers. For a cybersecurity program to be effective, the CISO must have a direct line to senior leadership, ensuring cybersecurity risks are treated with the gravity they deserve.

Reporting to Chief Legal Counsel

In some organizations, particularly those dealing with heavy compliance requirements, the CISO may report to the Chief Legal Counsel. This setup can be advantageous, especially when cybersecurity and legal compliance are tightly linked. However, not every organization has a dedicated legal counsel or sees the value in tying security to the legal function. For companies that do, this reporting structure ensures that the CISO has a legal perspective on data breaches, cyber risks, and compliance, which can be critical in regulated industries. However, without a strong understanding of technology, this arrangement can also slow down security decision-making. Another disadvantage of this reporting structure is that it may make the cybersecurity function more compliance focused.

Reporting to the CIO

Another common reporting structure is for the CISO to report to the Chief Information Officer (CIO). While this might seem logical at first glance, given the CIO’s responsibility for the organization’s technology landscape, it can create a conflict of interest. The CIO’s primary role is to drive innovation and ensure that IT systems meet business demands. This often involves implementing new features and technologies, which can conflict with the CISO’s need to prioritize security, sometimes slowing down or complicating the development process. The pressure to prioritize business goals over security concerns can be significant in this reporting line, which might lead to compromised cybersecurity protocols.

Reporting to the Chief Risk Officer

The Chief Risk Officer (CRO) is another potential reporting line for the CISO, especially in organizations where risk management is a central business function. Reporting to the CRO allows cybersecurity to be viewed through a broader risk management lens, ensuring that cybersecurity risks are balanced with other operational and financial risks. However, many organizations do not have a dedicated CRO, making this a less common reporting line. Still, this setup aligns cybersecurity with the organization's overall risk strategy, which can be particularly useful in industries such as finance.

Reporting to Internal Audit

Some organizations place the CISO within the internal audit department, but this setup often involves a serious conflict of interest. The internal audit team is responsible for independently assessing the effectiveness of internal controls, including cybersecurity measures. If the CISO reports to internal audit, there may be pressure to downplay security issues during audits, which could compromise the integrity of the cybersecurity program. Therefore, while this structure may offer a sense of oversight, it can be problematic in practice.

Reporting to the CEO

One of the most effective reporting structures for a CISO is directly to the CEO. This gives the CISO a voice at the highest level of the organization, ensuring that cybersecurity is treated as a business issue rather than just a technical one. In this structure, the CISO can work closely with other executive leaders, and decisions on security measures can be aligned with overall business objectives. The primary benefit here is that the CISO’s influence is maximized, and the importance of cybersecurity is embedded into the business strategy from the top down. The downside of this reporting structure is that the CEO may already be preoccupied with other business priorities.

Tailoring the Reporting Structure to the Organization

Ultimately, the optimal reporting structure for a CISO depends on the specific needs of the organization. Industry trends, business goals, and regulatory requirements will heavily influence the decision. For example, companies in heavily regulated industries like finance, healthcare, or defense might benefit from placing the CISO closer to legal or risk management functions. In contrast, organizations with a significant focus on innovation and growth may find it more appropriate to have the CISO report directly to the CEO or the CIO, with proper safeguards to avoid conflicts of interest.

In all cases, the success of the CISO depends not only on where they report but also on the relationships they build across departments. A CISO who can foster trust and collaboration with peers and senior executives will have far more success in implementing effective cybersecurity measures, regardless of where they sit within the organizational chart. Therefore, while organizational structure is important, the CISO’s ability to communicate and influence at all levels is often the largest predictor of success.

Are there any reporting structures for a CISO that you believe should be avoided entirely? Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

The Power of Collaboration

The corporate audit team and cybersecurity team share a common goal: protecting the organization from financial, operational, and compliance risks. By actively partnering with the audit team, a CISO can better align cybersecurity goals with broader risk management and compliance objectives, allowing both functions to complement each other effectively.

For instance, one way a CISO can push their message across to senior executives and the board is by participating in the annual audit-planning process. When cybersecurity is integrated into the audit planning, it creates opportunities for risk areas to be identified early, allowing for more proactive mitigation efforts. By having the audit team focus on cybersecurity risks, it becomes easier to present cybersecurity not just as a technical issue but as a critical business risk that deserves executive attention and investment.

Influence Through Data and Reporting

The audit team has a direct line of communication with the board, especially concerning regulatory compliance and risk management. A partnership with the CISO allows for cybersecurity risk data to be included in audit reports, making it more likely to capture the attention of senior leadership. When the audit team highlights cybersecurity risks as part of its findings, it validates the CISO's message, lending credibility and urgency to funding requests and program expansions.

Take the case of a financial services firm that was initially struggling to secure funding for an enhanced cybersecurity program. The CISO collaborated with the audit team to include a detailed analysis of cyber risks in the annual audit report. When this data was presented to the board alongside financial compliance risks, the executives were more receptive to the cybersecurity budget increase, as they could clearly see the connection between cyber risks and overall business impact.

Trust Is the Foundation

For this partnership to work, trust between the CISO and the audit team is crucial. Both teams need to rely on each other for accurate, timely information and the sharing of insights. The audit team must trust the CISO’s technical assessments of risk, while the CISO needs to rely on the audit team to present a clear and business-aligned view of these risks to the board.

Building this trust takes time and consistent effort. A CISO can start by being transparent about cybersecurity challenges and working collaboratively on risk assessments. Similarly, the audit team can support the cybersecurity function by emphasising the importance of cybersecurity in their audit findings. This mutual support improves the ability to secure necessary resources and board approval for cybersecurity initiatives.

Conclusion

The partnership between the CISO and corporate audit team is a powerful way to strengthen an organization’s cybersecurity posture. By aligning objectives, sharing data, and building trust, both teams can better influence the board and executives, driving necessary changes and securing funding for critical cybersecurity initiatives.

In what ways can the audit team in your organization benefit from closer collaboration with the cybersecurity team? Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

The Indian Computer Emergency Response Team, aka CERT-In, was conceptualized as part of the Indian Information Technology Act 2000 (section 70B). It was formally established in 2004 under the Ministry of Communications and Information Technology with Dr. Gulshan Rai (former National Cybersecurity Co-coordinator) as one of the first Director General. This post is currently held by Dr. Sanjay Bahl.

What are the primary responsibilities of CERT-In?

Their primary responsibilities include (a detailed account of CERT-In's roles and responsibilities can be found on their website):

• Collection, analysis and dissemination of information on cyber incidents

• Forecast and alerts of cyber security incidents

• Emergency measures for handling cyber security incidents

• Coordination of cyber incident response activities

• Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents

• Create awareness on cyber security issues through dissemination of information on its websites

What powers are conferred to CERT-In?

The notification G.S.R 20(E), dated 16 January 2014 confers certain powers upon CERT-In to fulfill it's responsibilities. These are (note: the following list is written in simplified language. Reader is advised to read the notification document for verbatim text):

• Certain officers of CERT-In may seek information from service providers, intermediaries, data centers, body corporate and any other person for carrying out it's functions.

• It may collect and analyze information relating to cyber security incidents form individuals, organizations, and computer resources.

• Under certain circumstances, it may disclose relevant information to stakeholders in national interests.

• Issue directions or advisories to service providers, intermediaries, data centers, body corporate and any other person with a view to enhance the cybersecurity if the information infrastructure in the country. The service providers, intermediaries, data centers, body corporate and any other person will need to comply with these directions and advisories. Any non-compliance must be reported to CERT-In.

• CERT-In may file a complaint before the court post review of the non-compliance report.

• CERT-In may monitor and collect traffic data in accordance with the provisions of section 69B of the Information Technology Act, 2000 and Rules.

CERT-In in action

• CERT-In handles an average of 1 million+ security incidents during a year. These include phishing, unauthorized scans, vulnerable services, malware etc.

• CERT-In has published 1150+ advisories till date covering various enterprise, IoT, web, mobile and desktop software.

• Cyber Swachhta Kendra tracked 44,36,41,608 botnet/malware infections in India and notified end users in collaboration with Internet Service Providers and organizations.

• CERT-In has empaneled 96 Information Security Auditing organizations, on the basis of stringent qualifying criteria, to carry out information security audit, including the vulnerability assessment and penetration test of the networked infrastructure of government and critical sector organizations.

• CERT-In has conducted 64 Cyber security exercises of different complexities, including table top exercises, with participation from about 800 organizations covering various sectors of Indian economy from Government/Public/Private.

How can one engage with CERT-In?

CERT-In provides various avenues to engage with them:

• Organizations can share cybersecurity incident and vulnerability information with the Indian CERT to alert them about a potential cyber attack.

• Organizations can also integrate CERT-In issued advisories and vulnerability notes in their threat intelligence feeds.

• Companies operating in cybersecurity space can apply to become CERT-In empaneled auditors.

• Individuals can go through various security guidelines available on their website to become more cyber aware and improve their cyber safety.

• Professionals can participate in CERT-In facilitated trainings and workshops.

Recent milestones

• In 2017, CERT-In established Cyber Swachhta Kendra for detection of compromised systems in India and to notify, enable cleaning and securing systems of end users to prevent further malware infections.

• In 2020, CERT-Fin (or CSIRT-Fin) was established to provide focused cyber threat intelligence and monitoring to financial sector.

• In 2021, CERT-In became the listed member in Task Force for Computer Security Incident Response Teams / Trusted Introducer (TF-CSIRT/TI).

• In 2021, CERT-In was authorized by the CVE Program, as a CVE Numbering Authority (CNA) for vulnerabilities impacting all products designed, developed and manufactured in India.

International Collaborations

Over the years, CERT-In has collaborated with agencies from various countries such as, Korea, Japan, Mauritius, USA, Australia, Singapore, Malaysia, UK, Vietnam, Uzbekistan, Bangladesh and Morocco. These collaborations included, participating in joint drill exercises, signing MoUs with other nation-specific CERTs, conducting trainings and workshops for delegates from other countries and membership in global agencies such as APCERT, FIRST, TF-CSIRT/T.

Conclusion

The Indian Computer Emergency Response Team was one of the first national agencies to be setup to address risks and threats to the Indian cyberspace. Over the last twenty years, the role of CERT-In as the guardians of the Indian cyberspace has evolved significantly, specially with the onset of massive cyber attacks such as Wanna Cry or Not Petya and life threatening games such as the Blue Whale game. The team, comprised of 70+ members, handles 1 million+ security incidents that if left unaddressed could impact 1.4 billion citizens of India.

Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

There are many ways in which this problem could be tackled. You can unplug the webcam, puncture the lens or simply, cover it (works for both laptop and smartphone). The last one is less complex and easy to implement. It allows the use of device cameras without compromising one's privacy. Here are five free, do it yourself, and one paid way(s) to do this:

Scotch tape

Scotch tape is a commonly used household item. It's translucent nature makes it a good cover for webcams and it keeps the beauty of laptop intact. Can be used as a permanent solution.

Webcam Covered with Scotch Tape

Level of privacy provided by Scotch Tape

Post-it Notes

Got a stack of post-it notes lying around? Here's another way they can be used. They provide better privacy than scotch tape and you can write short message as well (for example, 'Remove at your own risk'). Can be used while working at desks, bedroom etc. not advised for meetings or conferences though (unless you're okay with a post-it sticking out of your laptop screen).

Webcam covered with a Post-it note

Level of privacy provided by a Post-it note

Piece of cloth

In case of an emergency, any piece of cloth can be used as a webcam cover. Just place one over the webcam. It can be held at place by using paper or binder clips. In the image below, I've used a hand towel as webcam cover and binder clips to hold it. It's a bit sore on eyes but provides good privacy.

Webcam covered with a piece of cloth

Level of privacy provided by a piece of cloth

Tissue Paper

Tissue paper is another common household item that could be used as a device camera cover. They provide decent privacy and can be used for short intervals (as they keep falling off the screen).

Webcam covered with tissue paper

Level of privacy provided by a tissue paper

Cardboard

Cardboard can be used to make creative webcam covers. The level of privacy provided is at par with that of a piece of cloth. Below is a sample design, created by the redditer Alhessar. Here's another design and a detailed do it yourself tutorial created by Ilona of I Love Green Grass.

Sample design of a cardboard webcam cover

Paid Webcam Covers

There are ample of commercially available webcam covers (I find them a bit overpriced though). The one shown below, one from C-Slide, is the most commonly used design. In case you find yourself at a security conference, look out for goodies, these are usually included.

Webcam cover from C-Slide

In the light of recent hacks, more and more people are using webcam covers to safeguard their privacy. Recently, it was revealed that Mark Zuckerberg, founder of Facebook, uses tape to cover the webcam and microphones of his laptop. It doesn't harm to take precautions, specially when they come at no cost. Also watch out for suspicious behavior of the webcam LED. It shouldn't be on if you're not using the webcam.

Got a device camera cover hack or design of your own? We'd love to hear about it. Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

Traditional vs. Modern Password Policies

The traditional model for password management in organizations, which mandates frequent changes, stems from a belief that regularly updating passwords minimizes the chances of password-related breaches. The PCI DSS (Payment Card Industry Data Security Standard) has historically mandated regular password changes for environments handling sensitive financial information. Similarly, the ISO/IEC 27001 standard, a widely accepted information security framework, also advocated for password policies requiring regular updates.

However, while frequent changes make sense in theory, they often lead to undesirable consequences in practice. Many users, faced with the burden of remembering numerous passwords, resort to weak password creation strategies, such as slight modifications to existing passwords, writing down passwords, or even using easily guessable patterns. This significantly undermines the strength of password security.

On the other hand, recent guidelines, such as the NIST Special Publication 800-63B, suggest a shift toward long, complex passwords with less frequent changes. NIST recommends using passwords that are at least 8-12 characters long, with a preference for even longer passwords, and advises that passwords only need to be changed if there is evidence of compromise. This new approach reduces the frustration on users while maintaining strong security, as a longer password is much harder to crack through brute-force attacks.

Industry Standards Supporting Long Passwords

Industry standards have evolved to reflect the benefits of longer passwords and less frequent changes. NIST’s guidelines, which are influential in the cybersecurity community, explicitly reject the frequent password change policy unless there is a suspected compromise. ISO/IEC 27001 has also started acknowledging that password length is more critical than password rotation.

The PCI DSS has remained more cautious but is slowly adapting to similar trends, particularly in environments where multi-factor authentication (MFA) is in place. MFA provides an additional security layer, making the need for frequent password changes less pressing.

Real-World Adoption of New Trends

Many large organizations have already embraced the shift toward longer passwords with infrequent changes. For instance, Microsoft stopped recommending regular password changes in 2019, aligning its policies with NIST guidelines. They recognized that frequently changing passwords was more likely to harm than help security, as users were more inclined to create weaker passwords when forced to remember new ones every few months.

Similarly, Google has been at the forefront of password policy evolution, pushing users towards stronger, longer passwords while also encouraging the use of MFA and password managers to simplify password management.

Another example is the UK’s National Cyber Security Centre (NCSC), which recommends that organizations focus on password length and complexity, only requiring changes when evidence suggests a compromise. This approach aligns with the growing consensus that security can be improved by addressing password strength rather than frequency.

Why the Change Matters

Longer passwords with less frequent changes reduce the cognitive load on users while providing a robust defence against attacks such as brute-force attempts. Length is a critical factor in password strength, and attackers require significantly more time and resources to crack a long password. Furthermore, when users are not burdened with frequent password changes, they are less likely to take shortcuts like reusing or creating easily guessable passwords.

As organizations continue to adopt this modern approach, the pressure on users decreases, security improves, and the likelihood of password breaches decreases significantly. However, it's essential that these policies are coupled with other security measures, such as MFA, to provide a layered approach to cybersecurity.

Do you prefer a long password that you change less often, or do you feel more secure changing your password frequently? Why? Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

What is PoshC2?

PoshC2 is a command and control software. It is used to carry out post-exploitation tasks such as persistence, privilege escalation, lateral movements etc. during penetration testing and red teaming exercises. It supports Python3, PowerShell (v2 and v5), C# and C++. The official documentation is available here.

All of PoshC2 functionality can be divided into five components:

PoshC2 Server - Serves payloads that can be executed on target machine(s) and send a connection back to PoshC2. The server console also displays the output of command(s) executed on an implant. The server is written in Python.

Implants Receiver - Listens for the incoming implant connections and aggregates them. It is also used to load modules and execute commands on a single, multiple or all implants.

Payloads - Commands, shellcode, executable binaries that when executed on target machine(s) (aka implants) sends back a connection to Implant receiver. Payloads are developed using C#, Python, PowerShell, JavaScript, VBScript and support Windows, Linux (Python) and MacOS (Python).

Implants - Target machine(s) connected to PoshC2.

Modules - Scripts (PowerShell and Python) and executable binaries (C#) that help in conducting various post-exploitation tasks such as enumeration, privilege escalation, lateral movement, hash dump, port forwarding etc. A comprehensive list of modules is available here.

How to use?

The following video shows how to get PoshC2 up and running quickly. It covers:

• Installation on Kali Linux 2020.2

• Configuring PoshC2

• Running Posh-server and implants receiver

• Managing implants

• Modules

• Loading C# and PowerShell modules on an Implant

• Running commands on an implant

Read this to learn more about the lab environment used in this video.

Useful Commands (C# Implants)

Selecting Implant(s)

• To select a single implant, enter the ImplantID

• To select multiple implants, enter a comma separated list of ImplantIDs

• To select all implants, enter ALL

Quick Reference List of Commands

Issue the following command when connected to an implant(s)

help

Bypass AMSI

bypass-amsi

Upload files

upload-file <source file path> <destination file path>
Example: upload-file /usr/share/windows-binaries/nc.exe C:\Users\Public\nc.exe

Download files

download-file <file path>
Example: download-file 'C:\\Users\\Public\\supersecretdata.txt'

This will save a copy of the target file in the PoshC2 project directory.

List Modules

To list implant specific modules, select an implant and issue the following command:

 listmodules

To list all modules, issue the following command at implant selection prompt:

listmodules

Load a C# Module

loadmodule <module name>
Example: loadmodule SharpView.exe

Load a PowerShell Module

pslo <module name> 
Example: pslo powerview.ps1

You can also use loadmoduleforce to load modules.

Execute a PowerShell Command

sharpps <command> 
Example: sharpps Get-ChildItem -Force -Recurse

Convert Username and Password to a PSCredentials object

sharpps [string]$userName = 'IND\user.ind02'
sharpps [string]$userPassword = 'Sup3rStr0ngP@ssw0rd'
sharpps [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
sharpps [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)

After executing above commands, $credObject can be passed as a value to -Credential parameter in PowerShell commands which accept this parameter.

Enumerate an Implant

ls-recurse <directory path>
Example:  ls-recurse C:\Users
get-userinfo
get-computerinfo
loadmodule Seatbelt.exe
seatbelt all
sharpup

Port Scan

portscan <IP> <port> <delay-in-seconds> <max thread>
Example: portscan "192.168.3.8" "1-1000" 1 100

A well designed Command and Control (C2) infrastructure is critical to the success of an adversary emulation exercise. During an engagement, established C2 sessions may get disconnected frequently. Whenever this happens, there might be a temptation to re-exploit the target and establish another C2 session. This is not only time consuming but also not recommended during an active engagement. For one, it can put the entire engagement at risk as re-exploitation may lead to unwanted consequences. To avoid this, C2 mechanisms are deployed in a layered (or tiered) manner.

What are the three Command and Control tiers?

C2 mechanisms are generally deployed into following three tiers:

• Interactive - C2 mechanisms in this tier are used more frequently than others. They are primarily used for issuing commands, enumeration, scanning and data exfiltration. The callback time is usually within minutes. For example, C2 agents deployed on target machines.

• Short-Haul - C2 mechanisms in this tier are used to re-establish interactive mechanisms. The callback time is within 12-24 hours. For example, a cronjob that downloads the C2 agent and executes it every 12 hours.

• Long-Haul  - C2 mechanisms in this tier are used to re-establish short-haul mechanisms. The callback time is 24 hours or more. This is the slowest mechanism of all three and should not be used for interactive purposes. For example, a start-up script to create the cronjob mentioned before.

What to keep in mind while deploying multiple C2 tiers?

• Use a tier for it's intended purpose only. For example, a short-haul C2 mechanism should not be used to run commands interactively.

• Use different C2 channels (HTTPS, DNS, SSH, SMB etc.) for different tiers. This will ensure that even if one channel gets blocked an alternate is available to use.

• Use encryption to avoid detection via network security devices.

• Minimize C2 callback volume wherever possible. This will help in avoiding unnecessary exposure.

• Avoid dropping binaries on target machines as this may trigger the anti-malware solution and alert the Blue team.

Other posts in this series

• What is adversary emulation?

• Red Team Operations Attack Lifecycle

• Introduction to MITRE ATT&CK Framework

• PoshC2: A Red Teamer’s Notes

If you want to beat your adversaries, think like them. A common adage we have all heard. MITRE ATT&CK is just that. A framework to think like adversaries and beat them in their game. It is a culmination of years of efforts of studying various cyber Adversaries' Tactics, Techniques and turning them into Common Knowledge (ATT&CK).

What is ATT&CK framework?

As per ATT&CK's design and philosophy document, ATT&CK is a behavioral model that consists of the following core components:

• Tactics, denoting short-term, tactical adversary goals during an attack;

• Techniques, describing the means by which adversaries achieve tactical goals;

• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques;

• Documented adversary usage of techniques, their procedures,and other metadata;

• Software, used by adversaries to implement a technique or a sub-technique; and

• Mitigations, preventing adversaries from achieving their tactical goal by blocking the execution of a technique or a sub-technique.

The following figure will help in understanding the relationship between various ATT&CK components.

Why was ATT&CK created?

MITRE's goal behind creating this framework was to improve post-compromise detection of threats by tracing out the steps that could have been taken by an adversary. It was born out of the need to categorize adversary behavior as part of conducting adversary emulation exercises within MITRE’s Fort Meade Experiment (FMX) research environment.

What does it contain?

There are three variants of ATT&CK framework:

• Enterprise

• Mobile

• ICS (Industrial Control Systems)

Originally, the Enterprise variant focused only on Microsoft Windows. However, later it was expanded to include macOS, Linux, PRE, AWS, GCP, Azure, Azure AD, Office 365, SaaS, Network platforms as well.

Each variant contains various tactics, techniques, sub-techniques and procedures that could be used by an adversary. The best way to visualize the framework is ATT&CK Navigator. It is an interactive web application, through which you can create layered views of the framework, as per your requirement.

Use cases

ATT&CK can be used for various purposes, such as:

• Adversary emulation

• Red teaming

• SOC assessments

• Defensive gap assessments

• Behavioral analytics development

• Cyber threat intelligence enrichment

MITRE provides an excellent getting started guide that shows how to utilize ATT&CK framework for these use cases.

Adversary Emulation is a form of cybersecurity assessment. During this assessment assessors replicate a specific threat scenario. For example, assessors may assume the role of cyber criminals who want to exfiltrate customer data out of the organization. Another scenario could be assessors trying to infect the organization's software product(s) and mimic a supply chain attack.

How to perform Adversary Emulation?

These exercises are performed by red teams. The responsibility of defending lies with blue teams. Usually an attack methodology is created or followed to conduct these exercise. This can be in form of a process, such Red Team Operations Attack Lifecycle. Or well defined attack plans such as MITRE Adversary Emulation Plans. Cyber threat intelligence sources also play a key role during this exercise. They often serve as a starting point for most exercises.

Benefits

The aim of this exercise is to see how the organization's defenses will fare in the event of a real cyber attack. Such exercises are helpful in identifying vulnerabilities missed during other assessments (such as penetration testing) as such assessments are usually limited in scope and attack surface. For example, Facebook is leveraging adversary emulation to protect their infrastructure from sophisticated attacks.

Featured Image Source: Freepik

This post is part of our course Adversary Emulation 101: Mimicking a real-world cyber attack.

The lifecycle consisted of following phases, with phases 3-6 being cyclic in nature:

1. Recon (Information Gathering) – In this phase, publicly available information (website, company profile, social media pages, employee profiles etc.) is gathered about the target organization.

2. Initial Compromise (Foothold) – In this phase, information from Recon phase is analysed to identify and exploit a vulnerability or launch a phishing attack that helps in establishing a foothold within the target network.

3. Privilege Escalation - In this phase, the attacker attempts to escalate privileges to an administrator (Windows) or root (Linux) account on the compromised host. Usually, this is done each time a new host is compromised.

4. Establishing Persistence – In this phase, the attacker installs a persistence mechanism (usually a Command and Control (C2) agent) to maintain presence in the target network. This enables the attacker to communicate with compromised hosts without having to exploit it again in case the original connection dies out. Usually, this is done each time a new host is compromised.

5. Internal Recon – In this phase, the attacker leverages the compromised host to gather information about the internal network. Usually, this is done each time a new host is compromised and is thought to have access to more resources. For example, if an attacker compromises an Active Directory domain joined machine, they can use that machine to enumerate the Active Directory network.

6. Lateral Movement – In this phase, the attacker tries to expand their access by compromising new hosts within the target network. The information collected during Internal Recon phase is leveraged here.

7. Data Analysis – As new hosts are compromised, the attacker scans each of them for interesting information (employee records, financial statements, PII, credit card information, customer databases etc.).

8. Exfiltration – Anything that the attacker deems useful is pulled out and downloaded onto the attacker machine (or their chosen location).

9. Deleting footprints – Once the attacker has achieved their objective, they delete all files, logs, emails etc. created by them during the exercise to hide their presence.

What Are Passkeys?

Passkeys are a form of passwordless authentication that use a combination of cryptographic keys for secure logins. Instead of relying on a password (something you know), passkeys leverage the security of biometrics (or patterns or PIN) and public-private key pairs. The private key is stored securely on your device, while the public key is shared with the server you’re trying to log in to. Since the private key never leaves your device and cannot be easily compromised, passkeys offer a much higher level of security than traditional passwords.

How Do Passkeys Work?

The magic behind passkeys lies in asymmetric cryptography. When a user wants to sign into a service, they use their device (e.g., smartphone, laptop) to confirm their identity through biometric recognition such as Face ID, fingerprint scanning, or a device PIN. The device then generates a cryptographic signature using the private key, which is verified against the public key on the service’s server. This process eliminates the need for typing or remembering a password, making login faster and more secure.

Passkeys are stored on a user’s device and can sync across multiple devices via secure mechanisms such as cloud-based storage, adding an extra layer of convenience for users switching between devices. This synchronization ensures you can log in seamlessly across your devices.

Why Are Passkeys Replacing Passwords?

Passwords have been a fundamental part of authenticating users for decades, but they come with numerous challenges. Users often create weak passwords, reuse them across different platforms, or fall victim to phishing attacks and data breaches, putting their personal and financial data at risk. Passkeys address many of these shortcomings.

For one, passkeys are inherently phishing-resistant. Unlike passwords, which can be intercepted through social engineering or malicious websites, passkeys never leave the user’s device, meaning there is nothing for a hacker to steal during the authentication process. They also eliminate the risk of credential stuffing—where attackers use previously compromised usernames and passwords across multiple accounts. Passkeys ensure that login credentials are unique to each user and service, reducing attack surfaces significantly.

Benefits of Using Passkeys

The benefits of passkeys extend beyond security. First and foremost, they simplify the user experience. People no longer need to memorize complex passwords or rely on password managers, which can also have vulnerabilities. Biometric-based passkey systems streamline login processes, making authentication fast and frictionless.

From a security standpoint, passkeys drastically reduce the risk of account compromise. Even if a service provider is hacked, there is no password for an attacker to steal and reuse. Passkeys are also highly resilient against man-in-the-middle attacks, ensuring that only the legitimate user can authenticate with their private key.

Another significant advantage is scalability. Organizations can deploy passkeys across large user bases without needing to train users on proper password hygiene, significantly reducing support costs and improving security posture.

Major Organizations Encouraging the Use of Passkeys

Several industry giants have already begun integrating passkey technology into their systems. Apple, Google, and Microsoft are leading the charge, all part of the FIDO Alliance, a consortium working to improve online authentication standards. These companies have implemented passkeys into their ecosystems. By adopting passkeys, these organizations are signaling a shift away from the password-dependent era.

The World Wide Web Consortium (W3C) and the FIDO Alliance have also published the WebAuthn standard, which supports passkey-based authentication, providing a roadmap for developers and businesses to transition away from passwords. WebAuthn, part of the broader FIDO2 framework, is a critical industry standard encouraging the adoption of passkeys. It not only provides security but also maintains a focus on user privacy, ensuring that no Personally Identifiable Information (PII) is shared during authentication.

Conclusion

Passkeys offer a much-needed solution to the problems that passwords present. By relying on cryptography and biometrics, they provide a higher level of security and an easier user experience. As passkeys gain traction across major platforms and industry standards like FIDO2 and WebAuthn promote their adoption, it’s becoming clear that the days of passwords may be numbered.

Do you think passkeys will completely replace passwords in the near future, or will we still rely on passwords? Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

On 13th September, 2017, Armis, a US-based security lab, published a research article titled, BlueBorne. In this article they have explained eight flaws through which a mobile device can be compromised. They have termed these flaws as BlueBorne. These flaws exist in the way Bluetooth functionality is applied in mobile devices. As a result, an ill willed hacker can take full control of the device without any action on the part of the user. When using these flaws the hacker doesn't even need to pair their device with the target mobile device. This makes BlueBorne a dangerous attacking technique. Imagine, you're walking in a local market with your mobile device in pocket. If your device's Bluetooth is enabled, then anyone who can detect your device can, potentially, take control of your device. Of course, they would need the knowledge and skills to take advantage of these flaws.

BlueBorne flaws exist in all devices that are equipped with Bluetooth and running Android, iOS (9.3.3 and below), Windows (Vista and above) and Linux operating systems. At the time of writing there are approximately 8.2 billion such devices across the world.

How to protect your device?

Here are few steps you can take to protect your device from these flaws:

• Keep your mobile device's Bluetooth disabled if not required.

• If you have an Android device, you can check if it's vulnerable using this app released by ArmisLabs.

• Update your mobile device to the latest version of the operating system released by the device manufacturer.

• If an update is not available for your mobile device:

  • Avoid using device's Bluetooth capability in public places

Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

What is a Security Champions Program?

A Security Champions program appoints select employees, often from development teams, to act as liaisons between their team and the security department. These champions receive specialized training on security best practices, which they then relay to their peers. The idea is to make security a shared responsibility rather than the sole domain of the IT or security department. This creates an organizational mindset where security is considered at every stage of a project—from initial planning through deployment—ensuring that security is "baked in" rather than "bolted on" at the end.

Benefits of Implementing a Security Champions Program

1. Evangelizing Security Standards: One of the key benefits of a Security Champions program is that it helps promote security standards across the organization. Security Champions are responsible for educating their colleagues about best practices, ensuring that security becomes a part of the daily routine for everyone involved in software development. By embedding security knowledge within the teams, the program helps create awareness and accountability, making it easier to follow policies and adhere to security guidelines.

2. Making Security Approachable: Traditionally, security teams can seem distant and overly technical, which can lead to miscommunication or a lack of understanding between them and other departments. Security Champions act as translators, making security concepts more approachable for their peers. This fosters a collaborative environment where questions can be asked freely, and concerns are addressed without the stigma that security is a specialized domain meant for experts only. This ultimately leads to fewer misunderstandings and robust security practices.

3. Providing Security Training: One of the pillars of a successful Security Champions program is continuous training. Champions receive ongoing security education, which they then disseminate to their teams. This proactive approach also allows employees to develop a deeper understanding of how security affects their day-to-day work, rather than treating it as a last-minute checklist item.

4. Integrating Security Early in the Process: A critical advantage of this program is that it encourages developers to think about security from the outset of the development process. Security Champions are embedded in development teams, meaning that security concerns are raised early in the software lifecycle, reducing the risk of vulnerabilities being introduced later. This "shift-left" approach to security is vital in reducing the time and cost associated with fixing security issues after a product has already been built.

5. Helping Developers: For developers, a Security Champions program is a game changer. It provides them with the tools, knowledge, and support they need to integrate security best practices into their work without sacrificing speed or creativity. Developers often feel the pressure to meet deadlines, and security can be seen as an obstacle to fast delivery. However, by having a security expert within their ranks, developers can address potential vulnerabilities as they code, ensuring they can meet security requirements without adding extra time at the end of a project.

Conclusion

A Security Champions program is an effective strategy to embed security into the DNA of a company, promoting security-conscious behaviour, building awareness, and preventing vulnerabilities from slipping through the cracks. By encouraging collaboration and empowering developers with the right skills and mindset, companies can ensure that security is part of the process from the very beginning, ultimately resulting in a more secure and resilient organization.

In your opinion, what qualities should a Security Champion possess to be most effective? Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).

The CISO’s Role as a Risk Advisor

The core responsibility of a CISO is to advise on cybersecurity risks that threaten the organization. They identify, assess, and communicate these risks to business leaders, ensuring that each risk is understood in the context of the organization’s strategic objectives. However, risk management often spans multiple areas of the business. The CISO oversees these areas from a security perspective but does not control these areas operationally. Consequently, the CISO should be considered as a guide to business units without bearing the ultimate responsibility for owning the risk itself.

Why CISOs Should Not Be Risk Owners

The reasoning behind separating the roles of advisor and owner is simple: ownership of risk typically rests with the people who can take action to mitigate or transfer it. Business units and CXOs have the ability to make decisions that directly impact their areas of operation. On the other hand, a CISO’s expertise is in assessing and advising on risks, not in controlling business processes outside the security domain. This creates a conflict when the CISO is expected to own risks that they do not have the authority to mitigate or influence fully.

Treating a CISO as a risk owner misaligns responsibilities. It shifts focus away from their role as an impartial assessor of risk and forces them to make decisions that could be better handled by business leaders.

Convincing the Executive Leadership: CISO as Advisor

One of the most important tasks for a CISO is to convince the executive leadership, including the CEO, that they should function as a risk advisor. This begins with clear communication about the limitations of the CISO’s authority. For instance, while the CISO can advise on the potential consequences of a cyberattack or a data breach, they may not be able to dictate operational changes in areas like supply chain management or customer service that fall under other business units (in some cases they can, provided they can back it up with solid data).

The CISO must work closely with executives to define their role in the risk management framework. This includes explaining that cybersecurity risks intersect with broader business risks, such as financial and operational risks, which need to be managed by respective departments.

Establishing a Risk Ownership Charter

The CISO can advocate for the establishment of a clear charter where risk ownership is formally assigned to business unit heads or other CXOs who are equipped to handle specific types of risks. Such a charter would detail the distribution of responsibilities across the organization, specifying that business unit leaders are responsible for risks tied to their functions. The CISO, in turn, serves as a consultant, providing insights and guidance on cybersecurity risks but leaving the decision-making to the respective risk owners.

This charter also helps build a culture of shared responsibility. By establishing risk ownership across different units, organizations can avoid the common pitfall of overloading the CISO with expectations they cannot fulfill. The CISO’s advisory role remains focused on assessing risks, aligning security measures with business goals, and ensuring that risk owners take action based on informed guidance.

Building Trust with the Board and CXOs

For a CISO to successfully operate as an advisor, they must build trust with the board, CXOs, and business unit leaders. This can be achieved through transparent communication, frequent updates on emerging threats, and ensuring that cybersecurity strategies are aligned with business priorities. When the leadership recognizes the value the CISO brings in guiding risk decisions, they are more likely to embrace the advisor model and promote risk ownership across the organization.

As the advisor, the CISO can foster informed decision-making by offering a strategic view of cybersecurity risks. This ensures that the organization is prepared to respond to threats while each business unit retains ownership of risks specific to their domain.

As a CISO, how do you ensure that your advisory role is respected and that business units are fully engaged in managing their own risks?

Join us on Discord or WhatsApp.

The DPDP Act addresses the growing concerns over data misuse and breaches. The Act's emphasis on consent, data fiduciaries, localization, and stringent penalties positions it as a robust framework for data protection. Although it shares similarities with the GDPR, particularly in safeguarding privacy and regulating data handling, key differences in scope, consent management, and cross-border data flow highlight the distinct approach India has taken in ensuring digital privacy for its citizens.

Here’s a bullet-point summary of the key points of this Act:

• Data Fiduciaries:

  • Entities that determine the purpose and means of processing personal data.

  • Must obtain explicit consent, ensure transparency, and protect personal data.

• Significant Data Fiduciaries (SDFs):

  • Designated based on factors like the volume of data processed and potential risk to privacy.

  • Must appoint a Data Protection Officer (DPO), conduct Data Protection Impact Assessments (DPIAs), and undergo regular audits.

• Data Protection Board of India:

  • Established to oversee compliance, adjudicate complaints, and enforce the DPDP Act.

• Appointment of Data Protection Officer (DPO):

  • Mandatory for Significant Data Fiduciaries.

  • Ensures compliance and serves as a contact point for the Data Protection Board.

• Privacy Rights of Individuals (Data Principals):

  • Consent: Personal data can only be processed with explicit, informed consent.

  • Right to Notice: Individuals must be informed about the purpose, duration, and type of data being collected.

  • Right to Access: Data principals can request access to their data and know how it’s being processed.

  • Right to Correction: Individuals can request corrections if their data is inaccurate.

  • Right to Deletion: Data principals can request deletion of personal data if no longer necessary.

  • Right to Grievance Redressal: Individuals can file complaints if their data rights are violated.

• Explicit Consent vs. Deemed Consent:

  • Explicit Consent: Data processing requires clear, informed permission.

  • Deemed Consent: Allows data processing in specific situations like legal obligations or emergencies without explicit consent.

• Cross-Border Flow of Data:

  • Sensitive personal data can be transferred outside India only with government approval.

  • Emphasizes data localization, requiring certain data to be stored in India.

• Penalties:

  • Violations can result in fines between ₹50 crore and ₹250 crore, depending on severity.

• Data Minimization:

  • Organizations must only collect the minimum amount of data necessary for the specified purpose.

As the use of digital platforms and services expands, this legislation seeks to create a structured framework to regulate how organizations handle personal data. The DPDP Act aims to provide clarity on data processing practices while balancing innovation and user privacy.

Did you find this article useful? Share your thoughts on DPDP Act, 2023 with us. Join us on Discord or WhatsApp.

In India, digital payment methods saw rapid adoption during the demonetization process. Ever since, the awareness about them has grown and more people are using them as their preferred means of payment. Even vendors are rapidly adopting them as a means of accepting payments. Do a quick survey of your local market and you'd notice that most shops are now accepting payments through one or more mobile wallet providers.

Digital payment methods are also a good way to get rid of that extra cash in your physical wallet. Below are few safety tips that would enable you to adopt them with ease:

1. Protect your phone with a device-lock mechanism: Payment modes like mobile wallets, UPI based apps, mobile banking etc. are primarily driven through apps on mobile devices. Without a device-lock, anybody who has access to your phone, can access these apps easily. A device-lock also protects your information from misuse in case the mobile device is lost or stolen.

2. Protect your payment apps with an app-lock mechanism: Most payment apps support an additional layer of security by allowing the user to lock the app. They often also provide an option to set a custom pass-code or use the device-locking mechanism to lock / unlock the app. This ensures that even if your mobile device is in other hands, your financial information stays protected.

3. Add only the required amount of currency in mobile wallets: Loading mobile wallets with more currency is not advisable. It increases your exposure to loss in case your mobile wallet gets compromised. Most mobile wallet service providers also restrict the amount users can add in a month.

4. Ensure that your card details are protected: Do not share information such as CVV number, PIN, Card number etc. with anyone. Remember, banks will never ask you for these details on call. Ensure that the merchant is well-reputed and trusted before storing card details with them. As an additional safety measure, you can scratch the CVV number off your card after memorizing it.

5. Check for HTTPS before performing an online payments: Most service providers and banks use a secure (encrypted) communication channel for online payments. This channel is known as Hyper-Text Transfer Protocol over Transport Layer Security or HTTPS. The most common way to identify this is a green pad-lock icon in the left corner of the address bar.

6. Keep an eye on payment transaction alert messages: Anytime you perform a payment transaction, the concerned bank sends a SMS alert regarding the same. If you haven't opted for this service, do so today. Alert SMS helps you in keeping track of activity on your bank account. If you come across any suspicious alert, report the same to the concerned bank immediately.

7. Enable Two-Factor Authentication (2FA): Wherever possible, enable 2FA on your payment apps and accounts to add an extra layer of security.

8. Avoid Public Wi-Fi for Transactions: Public Wi-Fi networks are often unsecured and can expose your payment data to hackers. Use a secure, private connection when making payments.

9. Update Software Regularly: Ensure that your phone’s operating system, apps, and security software are updated to the latest versions to protect against vulnerabilities.

10. Report Lost/Stolen Devices Immediately: In case your device is lost or stolen, report it to your bank or payment service provider immediately to block access to your accounts.

Did you find these tips useful? Do you have any tips of your own? Share them with us. Join us on Discord or WhatsApp.

Building Trust at the Executive Level

M&As are sensitive transactions, where a security breach or misstep could significantly impact the deal. This makes the CISO’s ability to gain and maintain trust with the board and executive leadership critical. The CISO is expected to provide a comprehensive view of the cybersecurity risks that could affect both entities. In many cases, the CISO will need to perform due diligence and assess hidden threats, such as undiscovered vulnerabilities, regulatory violations, if any, within the acquired company. By doing so, they help mitigate potential financial, operational, and reputational damage, which is why the CISO needs to be proactive and transparent with the board and the executive team.

Moreover, the CISO should act as a bridge between various departments. Engaging with these stakeholders early on can demonstrate the CISO's understanding of both technical and business challenges, thus building credibility and trust during these negotiations.

Infrastructure Integration

A significant part of the CISO’s role during M&A is the complex task of integrating two organisations' IT and cybersecurity infrastructures. This involves aligning disparate technologies, systems, and protocols while maintaining business continuity. One of the key challenges is merging different security cultures—every organisation has its unique approach to cybersecurity. Harmonizing these can be a daunting task, requiring the CISO to identify strengths and weaknesses within both entities and craft a unified security strategy that leverages the best practices from each side​.

Technological compatibility is another issue the CISO must address. The acquired company may use different security platforms or tools, making integration tricky. Whether adopting a hybrid model or transitioning to a unified platform, the CISO must ensure that the merger does not disrupt day-to-day operations while keeping systems secure​.

Skills and Experience Needed

To navigate such high-stakes projects successfully, a CISO needs a blend of strategic foresight, technical expertise, and leadership acumen. Experience in managing large-scale integrations, particularly those involving different security systems, is essential. CISOs must also possess strong risk management skills, as they are responsible for identifying potential threats not just within IT systems but also in operational processes and business functions.

Another vital skill is communication. CISOs must articulate technical issues in a way that board members and executives can understand, ensuring that cybersecurity is seen as a critical element of the business deal rather than an afterthought. Furthermore, their ability to collaborate with various departments—from legal to finance to HR—helps in creating a holistic security strategy that addresses both technological and organisational vulnerabilities.

Ensuring a Smooth Transition

The final aspect of the CISO’s role involves developing a clear plan for risk mitigation during and after the merger. This may include conducting thorough due diligence on the acquired company’s cybersecurity posture, identifying the top risks, and establishing a timeline for addressing these issues. By doing so, the CISO can help ensure that both companies maintain a secure operational environment as they transition into a single entity​.

Additionally, the CISO must be vigilant for external threats during the merger process, as cybercriminals often exploit the chaotic period to launch attacks. This calls for a well-coordinated effort between both companies' security teams, ensuring that no gaps are left unmonitored​.

Conclusion

In conclusion, the role of a CISO in M&A is varied, requiring technical know-how, strategic thinking, and effective communication. By establishing trust with leadership and carefully navigating the integration of two entities, the CISO plays a critical part in the success of mergers and acquisitions, protecting the deal’s value and ensuring a secure future for the combined organisation.

What challenges have you faced while navigating M&As, and how did you address them? We'd love to hear your insights.

Join us on Discord.