
RockCyber Provides Cybersecurity Services, Customized For Your Individual Business Needs And Goals



* – This article has been archived and is no longer updated by our editorial team –

RockCyber is a Cybersecurity strategic consulting firm specializing in aligning Cybersecurity strategy to enterprise business goals. Below is our recent interview with Rock Lambros, CEO and Founder at RockCyber:


Q: Could you provide our readers with a brief introduction to RockCyber?

A: We work with businesses who are looking to grow in a competitive environment, that may have both traditional IT and/or Operational Technology environments that may leverage cloud, industrial control systems and/or Internet of Things (IoT) technologies, and with individuals who are open-minded, are prepared to be challenged and are amenable to change. We do this in order to proactively address both business market demands and changes to the threat landscape, to leverage Cybersecurity to develop and maintain sustainable competitive advantage over existing and new competition and to also leverage Cybersecurity to drive high-growth and revenues. We do this by suggesting and implementing strategic plans focused on achieving desired business outcomes, aligning cybersecurity strategy to enterprise business strategy, reducing enterprise risk through strong governance and compliance programs, and delivering operational excellence and process improvement.

Q: What kinds of services do you provide to your clients?

A: Right now, there are three primary service offerings we provide to our clients:

1) Virtual/Fractional Chief Information Security Officer (CISO): Most small and medium-sized businesses (SMBs) cannot afford, nor do they need, a full-time CISO. However, the security and compliance requirements of an SMB are full-time. Laws, regulations and best practices often don’t discriminate against the size of a company’s balance sheet, and neither do the ever-changing cyber risks and threats that organizations face daily. RockCyber provides Cybersecurity services, customized for your individual business needs and goals, to help your organization meet these challenges.

2) Cybersecurity consulting services: Our main goal here is to ensure that your security program enables your enterprise’s business goals, is aligned to your acceptable risk posture and maintains operational excellence. Whether it is cloud security, industrial control security, the Internet of Things, regulatory compliance (SOX, PCI, FERC NERC, FISMA, GDPR, etc.) or framework gap analysis (NIST CSF, ISO, ISA/IEC 62443, etc.) we do not believe in the word “no” when it comes to Cybersecurity. We believe in the word “how”. How can you achieve your business goals while maintaining a solid security posture? Our Cybersecurity Consulting services include advising on the gamut of security functions – from strategy, governance, risk management and compliance to architecture, engineering and operations.

3) Advisory board services: Our advisory board services are geared towards C-suite executives and/or entrepreneurs who are looking for an outside and unbiased opinion of their Cybersecurity strategy and direction. This could simply be in the form of needing consistent access to a trusted Cybersecurity advisor, or perhaps it could be in the form of a startup Cybersecurity company looking for advice from a seasoned CISO on challenges facing the industry today, and on how to develop the story and messaging of their new product or service to appeal to other CISOs. Ultimately, we can sit on your organization’s Corporate Advisory Board in those capacities and be that trusted partner.


Q: What trends in cyber-attacks have you seen in the last two years?

A: There has been a proliferation of ransomware attacks, cryptojacking attacks, attacks against cloud infrastructure, critical infrastructure and attacks that leverage Internet of Things devices. All of these types of attacks could result in financial damage, physical damage and/or data breaches.

Ransomware attacks are a type of attack where an attacker prevents access to your system or data, whether through a lock screen, or through the encryption of files, and then demands a “ransom” to be paid for the unlock code or for the decryption key (usually in the form of Bitcoin or other crypto-currency). The most public of this type of attack over the past couple of years is WannaCry. WannaCry impacted an estimated 200,000 systems across 150 countries causing anywhere from several $100s million to $4 billion in damages.

Cryptojacking attacks are newer on the scene, but according to a report by Symantec, these attacks grew by 8500% in 2017 so they are not to be ignored. The booming cryptocurrency market has led to the development of these attacks. Some of these attacks are as simple as gaming and media sites using unused CPU resources on your machine to mine for cryptocurrency in order to generate an additional revenue stream and reduce their need for advertising. Others are complex and coordinated by cybercriminal organizations in order to fund their operations. Either way, cryptojacking is a relatively easy attack to execute. The impact may start simply as performance issues but could quickly escalate to machines overheating and to significant financial implications especially if the organization is leveraging cloud services where they are billed for CPU usage.

Speaking of cloud services, as cloud usage has grown over the last several years, so have attacks against cloud infrastructure. Ironically, in many cases, the cloud services provider is not at fault. Rather it is a misconfiguration of the security settings on cloud storage instances by the cloud customer due to a lack of knowledge or understanding that is to blame. Attackers can leverage these misconfigurations to dump data, or even replace good files with malicious ones. This type of attack led to data breaches at a top US defense contractor leaking 60,000 files, including employee security credentials and passwords to a US government system, to the leaking of 14 million Verizon customer records including names, addresses, account details and even some PINs by a Verizon partner, and to the leaking of personal details of over 198 million American voters.

Attacks against critical infrastructure have certainly made the news over the past few years. The first one that was widely publicized was Stuxnet back in 2009, but the attack against the Ukrainian power grid in 2015 was much more impactful. Hackers were able to temporarily shut down the Ukrainian power grid, in the middle of winter, to thousands of homes and businesses. This was a complex attack that started by sending malicious emails to targeted employees, thus establishing a “back door” into the network. As a result, the attackers were able to take control of SCADA systems, turn substations off, damage components such as uninterruptible power supplies and RTUs, destroy files, and launch a denial-of-service attack against the utility’s call center so that customers could not call to report issues or receive updates. A more recent attack named TRISIS took place in the Middle East in November 2017. This attack targeted safety control systems, also known as Safety Instrumented Systems (SIS), that maintain safe conditions in an operations environment if other failures occur.

The final trend I have seen is attacks leveraging the Internet of Things (IoT). Business and market drivers, such as the need for more data, analytics and automation, combined with the commoditization of CPU and memory leading to cheap data collectors (i.e. sensors) and analytics processing, have led to IoT bursting onto the scene. The fundamental problem here is that the needed changes in security practices have not caught up to the speed of IoT deployments. As such, there is no universal framework for securing IoT devices, and attackers are leveraging this gap to do harm. The most visible of these attacks was the Mirai botnet. Mirai was able to leverage approximately 50,000 connected devices across 164 countries to launch a denial-of-service attack against Domain Name System provider Dyn. These compromised devices consisted of everything from network routers and CCTVs to DVRs and home refrigerators (think about that for a second). This caused many internet services and platforms to be unavailable to users across the US and Europe, including Amazon, Twitter, Netflix and CNN.

Q: What are the consequences of not having adequate cyber security measures in place?

A: First and foremost, organizations need to realize that Cybersecurity risk is a business risk, and not just an IT risk. Cybersecurity attacks can impact your company’s bottom line due to recovering from damages and/or from lost revenue because of a disruption in service to your customers. It’s not just an issue for large enterprises, either. Per Verizon, 58% of breach victims in 2017 were small businesses, 76% of breaches were financially motivated, and 68% of breaches took months or longer to discover. McAfee and the Center for Strategic and International Studies released a report that stated cybercrime cost in 2017 was between $445 and $608 billion globally. As I stated previously, ransomware attacks have shut down entire organizations, IoT attacks practically shut down the Internet and with the Global Data Protection Regulation (GDPR) going into effect in the European Union in May of this year, financial penalties for violations could cost up to 4% of an organization’s global revenue.


Q: Looking ahead to the next five years, what do you see as being most concerning in cyber security?

A: As long as data is worth money, cyber attacks and data breaches will continue to escalate; however, not all attacks will be financially motivated. More and more attacks are going to be politically motivated. Attacks against critical infrastructure will increase as traditional IT and Operational Technologies, such as industrial control systems and scientific systems, converge. Enabling this convergence is IoT, and as I mentioned earlier, security practices haven’t kept up with the pace of business demand and IoT implementation. This also loops back into cloud security because the cloud offers the capability to store and analyze the enormously huge data sets IoT implementations can produce.

The challenge is that securing the IoT involves a change of mindset from focusing on information, data and technology to focusing on business outcomes. Technological innovation has given us access to data that we never before dreamed of accessing for both business insight and for automation. This has led to an entirely new market of data scientists and system integrators who aren’t necessarily focused on Cybersecurity. Unfortunately, this newfound access to data also comes with increased complexity and coordination requirements across the business that leads to an increased attack surface for cyber criminals.

Another concern I see is the change in the regulatory landscape. High profile breaches such as Equifax, Uber and Verizon, and the privacy concerns raised by the Facebook/Cambridge Analytica scandal, have lawmakers calling for stricter regulations to protect user data and to minimize the impact of such incidents. In the U.S., Congress has failed to pass any meaningful comprehensive Cybersecurity regulation, so organizations have to contend with a hodge-podge of overlapping laws and standards at both the industry and state level. For instance, HIPAA regulates the healthcare industry and the FERC/NERC CIP standards regulate the power grid (via the Energy Policy Act of 2005). At the state level, just about every state and the District of Columbia have passed their own data breach notification laws. Finally, at a global level, there is now GDPR, the legal framework that governs data security and privacy for EU citizens. Although GDPR is a European-based regulation, every company that collects data from an EU citizen, regardless of whether or not the company is based in the EU, is in scope. With all of these different laws, regulations and standards flying around, it is just about impossible for an organization to keep track of them all. Unfortunately, I do not see a consolidation of these laws and regulations in the near future.
