An electric utility company takes cybersecurity beyond the perimeter

The challenge


This client, like most utilities, possesses a strong culture of safety and a similar commitment to security. As a utility, it also operates in one of the 16 sectors designated by the US Cybersecurity and Infrastructure Security Agency (CISA) as part of the United States’ critical infrastructure. This means that the organization faces a specific set of requirements, which include disciplined cybersecurity practices.

Traditional cybersecurity has focused mainly on the internal environment and on data layers within the organization. For that reason, the organization sought a solution that expanded the purview and practice of cybersecurity beyond its walls. Management felt the need to identify and address vulnerabilities in the data “out there,” where more than 90% of cyberattacks now originate.

They also wanted an external perspective to support an outside-in approach to security. They wanted to know how malicious actors could gather information about users to mount an attack on the company. What could those actors find on social media profiles and what messages could they use to launch socially engineered attacks? What could they learn about the organization’s hardware and software and its methods of authentication? What could they learn about its supply chain: What products does it buy? From whom does it buy these products? How does it pay its vendors? What could attackers learn about the leadership team, the Board, employees, investors, and other stakeholders that would make the organization vulnerable to attacks?

Another goal was to broaden the conversation about cybersecurity within the organization. Given the exposures that can be unwittingly created by users with legitimate access to the organization’s systems, leaders had come to see that cybersecurity is everyone’s responsibility. They also wanted to go beyond simply training and coaching people on how to “be careful” when using their laptops and devices; they wanted easy-to-use tools to support users’ efforts to keep systems secure.

Before learning about Picnic, the security team had worked to understand which publicly available data could create vulnerabilities and, to address reputational risk, what people were saying about the company. Yet these efforts were ad hoc, such as monitoring social media feeds, and they employed few tools, such as customized scripts and open-source tools. They wanted to harness data science to see across the internet and to identify the controls they really needed to have in place.

In sum, the security team realized that their environment lacked a defined perimeter, which meant that firewalls, endpoint protection tools, and role-based access controls could no longer provide the needed level of security.

The solution

Picnic provided both ease of enrollment for employees and tools that enabled employees to easily remove publicly available data on themselves.

Picnic’s capabilities let a user simply agree to be deleted from multiple sources of public data gathering, which Picnic handled for both the user and the organization.

The Picnic Command Center enabled analysts from the security operations team to seek out types of data that expose the organization to risk. That, in turn, positioned the team to educate employees about ways in which an attacker could use a particular type of information against themselves or the company. This created a clear division of responsibility: The organization flagged the risks while the employees controlled the data they deleted or left up.

The organization presented Picnic as a benefit to employees, which it is. Although other identity protection tools are presented that way, they are primarily geared to post-event remediation. In contrast, Picnic enables each employee to identify and deal with their publicly available data in private, so they can lower their individual risk, and by extension risk to the organization. Each employee gets to make changes dictated by their own preferences rather than their employer’s. With information from Picnic, they were able to, for example, adjust the privacy settings on their social media accounts so that only specific family members and friends can view them. Whatever steps they took reduced their exposure to attack—a benefit to them and to the organization.

Clear and consistent communications during rollout clarified both the rationale and use of the tools. Integration with the organization’s existing technology was straightforward, with Picnic tools fitting readily into existing solutions. The client/Picnic team took an agile approach to both the development methodology and operational implementation.

The impact

Picnic has assisted the security staff in identifying vulnerabilities and assisted employees in monitoring and limiting their risk exposures. The tools have provided protective controls for employees while minimizing extra steps and added work on their part. It has also helped the security staff to more effectively identify where potential threats might originate and the various forms that attacks could take.

Yet the impact of Picnic extends beyond what the platform itself does. It has enabled the security staff to launch a broader and deeper conversation about cybersecurity at the organization. This has created the opportunity to better understand, explain, and contribute to the organization’s culture of security. The security staff does not usually use the term “culture of security” with employees but the leadership team discusses it and works to create that culture. Picnic has accelerated that effort.

Picnic has also reduced burdens on the security team. It has helped to establish that everybody needs to maintain high awareness of how their social media settings or internet presence create risks. By their nature, the tools dramatically increase employee engagement in cybersecurity in ways that training sessions or video tutorials cannot.

The Picnic toolset has delivered capabilities that allow security staff to see risks outside of their corporate walls and to mitigate them. The security team can now not only alert users to the risks they face; they have also initiated new controls, such as multi-factor authentication on items that could be of use to an attacker. They have added new controls over remote access and other attack vectors where an attacker could access personal information from a data log or a compromised website. The organization is also using password reset tools that make users’ lives easier, while increasing their efficiency and effectiveness.

While no single solution can eliminate every data security issue, Picnic has broadened the organization’s view of its threat landscape and positioned it to better address risks. It has also reduced its attack surface, broadened the conversation about cyber risk and security, and delivered increased security to employees and the organization. This has occurred in the context of Picnic’s sound and sustainable methodology, process, and program for identifying and addressing social engineering threats.

1 https://www.cisa.gov/critical-infrastructure-sectors

REDTEAM RAW, EPISODE #4: Dhruv Bisani on his journey to becoming the Head of Red Teaming at a UK Cyber Security Consultancy

In the fourth episode of RedTeam Raw, Picnic’s Director of Global Intelligence, Manit Sahib, sits down with Dhruv Bisani, the Head of Red Teaming at a leading UK Consultancy, Eurofins Cyber Security (AKA Commissum).

Dhruv Bisiani talks through his day in the life of a Covert Ethical Hacker (Red Teamer), maintaining good Operational Security to fly under the radar and go undetected (OPSEC), some Red Team war stories, breaking into a Zero Trust environment, Phishing & leveraging Social Engineering. We also run through tips for those looking to get into Cyber Security, the difference between the Red Teaming and Penetration Testing (commonly confused) and the evolution and increase of Purple Teaming and Threat Intelligence.

We explore Dhruv Bisani’s journey of being an international employee (and its challenges and misconceptions), gaining a VISA and sponsorship to work in the UK for a big 4 consultancy PwC, the value of CREST Certifications, CCT APP, CCT INF, CCSAS, CSSAM, and becoming the Red Team Lead for Eurofins Cyber Security. We also explore challenges in the work environment and how to deal with them.

Like and subscribe for future episodes of RedTeam Raw here.

REDTEAM RAW, EPISODE #3: Dimitris Pallis on how he became an experienced penetration tester, ethical hacker, and current Security Consultant at Claranet

In the third episode of RedTeam Raw, Picnic’s Director of Global Intelligence, Manit Sahib, sits down with experienced penetration tester, ethical hacker, and current Security Consultant at Claranet (previously Sec-1), Dimitris Pallis!

We discuss Ukrainian IT army cyberwarfare, Dimitris’ journey to becoming an ethical hacker, how to keep your OpSec when sending out your personal info in your CV, Dimitris’ tips for people wanting to level up in the industry and best resources for preparing to get a job, how to manage time when getting your certifications, red team stories with an important lesson from Dimitris, skills needed to be a good ethical hacker, the problem of social engineering, where things are going in the industry, the need for companies to reduce their attack surface/presence online, tools for OSINT reconnaissance, the need for basic awareness about giving out personal info with two recent dangerous examples from LinkedIn, the lifecycle of a ransomware incident, and final tips from Dimitris.

Like and subscribe for future episodes of RedTeam Raw here: https://www.youtube.com/channel/UCVn3…

RedTeam Raw, Episode #1: Marcello Salvati on how he became a leading Red Teamer (and Cyber Security Expert)

In the very first episode, Picnic’s own Director of Global Intelligence, Manit Sahib, talks with InfoSec legend Marcello Salvati, most famously known as the creator of CrackMapExec and SilentTrinity. He is the founder and CEO of Porchetta Industries, Security Engineer at SpaceX, and is known on Twitter as @byt3bl33d3r. We discuss his perspectives on InfoSec, advice for those getting started in this space, how he got to where he is now, overcoming burnout and managing time, red team stories, and where he thinks InfoSec is heading over the next 10 years.

Like and subscribe for future episodes of RedTeam Raw here: https://www.youtube.com/channel/UCVn3…

Cybersecurity is a new HR benefit

Cybersecurity has traditionally been seen as a job for IT departments – and most employees assume that cybersecurity is simply a technical issue. But an examination of current threat types shows that social engineering attacks on employees is now a major concern for corporate security. However, protecting employees from social engineering attacks means protecting the whole person – at work and at home. The challenge becomes the line between what is corporate and what is personal. Innovative Human Resources (HR) departments have a solution. Cybersecurity can be a gift to employees, not unlike health insurance. This new benefit further underlines HR’s important role in promoting a healthy corporate culture…including cybersecurity.

Cybersecurity – The role of HR in mitigating risk

It is estimated the financial impact of cybercrime costs the global economy nearly $3 million per minute with 27% of all cyberattacks resulting from employee errors. Many companies are aware that employees are the weakest link in an organization’s cybersecurity. 9 out of 10 times, it is unintentional. Yes, you might get the odd disgruntled employee, but more often than not, employee negligence is the primary source of data breaches. From falling afoul of phishing, to accidental installation of malicious apps and using unsecure networks, the variety and prevalence of cyber-traps are growing daily. Even common behaviors that seem trivial, like shared passwords, lax BYOD habits, remote working, and leaving devices laying around – all can lead to loss of data or even large sums of money.

Since people are a key factor in many cybersecurity-related issues, HR should be involved to minimize the risk. Why? HR is uniquely equipped to humanize and promote security within an organization. Whether it’s through the onboarding process, providing security guidelines or educating employees, the HR department can cover the majority of cybersecurity threats – and your company will be much safer for it. “HR leaders can engage employees in recruitment, culture, and education to boost awareness and adoption of new policies to help IT teams develop a “human firewall” for your organization, turning employees – your greatest security threat – into your greatest asset,” says Marcy Klipfel  of Businessolver.

Some forward-thinking companies already employ the skills and insight of their HR teams to enhance risk mitigation. But as the digital footprint of an individual continues to grow like a ripple effect, and the lines continue to blur between personal and business use of technology, modern cybersecurity requires more than firewalls, antivirus and HR polices. If a business is serious about protecting itself and its employees, it’s time the business started thinking about offering cybersecurity as a HR benefit.

Cybersecurity as an HR benefit

We live in a digital era and, as such, it’s likely that most, if not all, of your employees have a digital footprint. This is normal. Daily, most of us engage in some form of online activity, such as photo sharing, online dating, banking, shopping, gaming, and social/professional networking. Like it or not, these all add to one’s digital footprint. And that’s not all. Others may post photos or information about us online. And then there are search engine histories, smart phone geolocation data, etc.

While an individual’s growing online digital footprint and relentless tracking of all their thoughts and data might not be a problem to them, it may be exploited by those with malicious intent. What your employees do and say online, or how they use digital devices, can make them and your organization vulnerable to a range of security threats. Most hackers are just looking for that one right chance and an employee’s online activities can create an ideal passageway into your company, potentially resulting in unintended, or even catastrophic, consequences.

Unplugging yourself or an employee from the rest of the world is not really an option. But what is an option is that your company can help protect its employees – while protecting itself. While it’s a novel concept, data hygiene management should now be considered the newest employee benefit. Like a person’s health, if things go bad, cybercrime can be very costly for the individual. Like health insurance benefits, cybersecurity benefits reduce the financial risk and give peace of mind.  

Future of cybersecurity

The biggest challenge for HR is explaining the threat of social engineering to individuals while not being perceived as “Big Brother.” Employees can be very wary of privacy, though at the same time may not be very aware of the vulnerability of their personal digital footprint. But everyone is susceptible to cyberattacks and the impact can be severe for both individuals and their employers. The perceived value of cybersecurity as an HR benefit will only increase with time – and with the preponderance of cybercrime. Prescient employers are making moves now to bolster their cybersecurity culture and offer a competitive benefit that will be attractive to employee candidates.