What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
AlienVault.webp 2021-04-14 10:00:00 Phishing towards failed trust (direct link) This blog was written by an independent guest blogger. Phishing exercises are an important tool for promoting security awareness in an organization. Phishing is effective, simply because it works. However, any social engineer can devise a marvelously deceptive message with an irresistible link that only the most tech-savvy person would spot as a phishing test. Sometimes, the phish can be sent at a time of day that catches the recipient off guard, which causes a person to click the malicious link. These techniques are so effective that even the most experienced people have been fooled, not only by phishing tests, but also by real scams. As social engineers, it is easy to play on people’s vulnerabilities: their fears, hopes, and dreams. Fears, such as those used in scams against the elderly; hopes, such as those used against the optimistically trusting; and dreams, such as those used against the wistfully romantic. However, as with any security practice, we have to temper our thrill of victory, that is, the adrenaline rush of the “gotcha” moment when a person falls for our brilliantly crafted phishing test, with the reality of our true purpose, which is to educate and build trust. With that in mind, we must ask ourselves: when have we gone too far? For example, according to a report that was published at the height of the pandemic, Covid-related scams rose to an all-time high. The cybercriminals have been hard at work, trying to capitalize on our fears, our desire to seek information, and more recently, our desire to become vaccinated. Has your organization used the pandemic in any recent phishing exercises? How effective were they? Was the “hit” rate high? More importantly, did the people who failed the test thank you for showing them the error of their ways? I doubt it. I am not stating this merely to make enemies in the security community.
As a 20+ year veteran in the industry, I too understand the struggles and the frustrations of building a security culture in an organization. However, let’s look to the legal profession for a moment to try to understand why Covid-based phishing exercises are simply wrong. The problem at hand is one of our freedom to act recklessly. If we look to the landmark U.S. Supreme Court case of Schenck v. United States, we are met with the famous quote about how freedom of speech does not give one the right to “yell ‘Fire!’ in a crowded theater”. In a later case, Rochin v. California, the phrase “shocks the conscience” became part of legal doctrine. An action is understood to “shock the conscience” if it is “grossly unjust to the observer.” Contrary to helping an already stressed staff, does a Covid-based phishing exercise succeed in anything other than violating the senses, as well as bordering on a cavalier abuse of our “expertise”? There are so many ways to educate
Tags: Tool
AlienVault.webp 2021-04-13 10:00:00 Advanced mobile protection through the AlienApp for MobileIron (direct link) Companies of all sizes need clear and cohesive security visibility over every aspect of their organization. As data and assets move to mobile, it’s critical to be equipped with the right tools to gain insights on mobile devices and users at the endpoints and mitigate threats whenever needed. Collecting threat data from mobile devices and discovering mobile assets on the network is a core requirement for detecting malicious activity. USM Anywhere makes it possible to detect malicious activity on mobile devices by incorporating mobile assets and threat data into the platform for easier management and threat detection. The biggest benefit is that it enables companies to act automatically on those threats, which is crucial for the success of security teams in charge of protecting the overall organization. Knowing the importance of threat detection and response for mobile devices, AT&T has teamed up with MobileIron (recently acquired by Ivanti) to introduce the newest Advanced AlienApp for MobileIron Threat Defense. This Advanced AlienApp also introduces the first Mobile Asset Discovery capabilities for the USM Anywhere platform. This collaboration between USM Anywhere and MobileIron provides near real-time threat detection and response, asset discovery, auditing, reporting, User Behavior Analytics (UBA) enrichment, and more. The Advanced AlienApp for MobileIron Threat Defense enables security teams to view threats through the power of MobileIron Threat Defense and to mitigate those threats in the same place using MobileIron Cloud’s Unified Endpoint Management solution.
USM Anywhere with the Advanced AlienApp for MobileIron Threat Defense also enables security teams to orchestrate actions that help streamline incident response and provide even deeper visibility into the assets on the company’s network. MobileIron Threat Defense: Mobile devices are now the number one source of personal data consumption, and this pattern has extended to the workplace, especially in light of the COVID-19 pandemic. The ability to access all company data from mobile devices virtually anywhere and anytime is a double-edged sword, because cybercriminals are increasingly targeting mobile devices as the means to infiltrate an organization’s most valuable assets. MobileIron Threat Defense helps to detect and mitigate attacks on Android and iOS mobile devices. And all this happens in one place, at the endpoint level, providing protection against attacks on applications, the network, and the device, as well as social engineering attempts such as phishing. MobileIron Threat Defense provides detection for mobile devices even if they are offline. Built-in protection means users don’t have to take any action: remediation happens automatically, helping to protect against malicious applications on subscribed devices. MobileIron Threat Defense has the power to defend against known and unknown threats. MobileIron Threat Defense can be added as an option to MobileIron Cloud’s Unified Endpoint Management solution. MobileIron Blue is a unique bundle of the MobileIron Cloud ____ bundle plus MobileIron Threat Defense. How USM Anywhere, AT&T Alien Labs and MobileIron Threat Defense take threat detection and response to the next level: the true icing on the cake is the collaboration among USM Anywhere, AT&T Alien Labs, and MobileIron Threat Defense. USM Anywhere acts as a single pane of glass that displays all the threats detected by MobileIron Threat Defense, so customers can have full visibility over all their mobile a
Tags: Threat
AlienVault.webp 2021-04-09 17:51:00 What is a cybersecurity strategy and how can your business develop one? (direct link) The number of users, devices, and resources on company networks is growing exponentially. With this expanding attack surface, a company’s assets, intellectual property, reputation, staff and customer data are all at risk. It’s no wonder cybersecurity has increased in prominence, with many organizations investing in more sophisticated technical solutions. But even with all the network security solutions in place, it would be unwise to get complacent about your security posture. While technological solutions are certainly an essential piece of the defense puzzle, those resources can only take you so far if you lack a cybersecurity strategy. Business leaders, decision-makers and key stakeholders that devote the time to assess their specific organizational priorities, customer and employee requirements and overall risk profile are typically in a much better position to minimize risk exposure.
What is a cybersecurity strategy? A cybersecurity strategy comprises the high-level plans for how an organization will go about securing its assets and minimizing cyber risk. Much like a cybersecurity policy, the cybersecurity strategy should be a living, breathing document, adaptable to the current threat landscape and the ever-evolving business climate. Typically, cybersecurity strategies are developed with a three-to-five-year vision but should be revisited and updated as frequently as possible. While cybersecurity policies are more detailed and specific, cybersecurity strategies are more of a blueprint for your organization, guiding the key stakeholders as the company and business environment evolve. Goals for your cyber strategy: One of the most critical goals for any cybersecurity strategy is achieving cyber resiliency. To be resilient, business leaders must remember that each organization is unique and requires a customized approach to strategy. Just as no single security product or vendor will completely eradicate all threats, there is no single cybersecurity strategy that adequately addresses every business’s needs. To achieve the ultimate goal of resilience, your cybersecurity strategy will require a mindset shift from reactive to proactive. Instead of focusing on reacting to incidents, the most effective strategies stress the importance of preventing cyber-attacks. That said, any robust cybersecurity strategy also puts you in a better position to respond to an attack. In the event your organization is victimized, a successful strategy can make the difference between a minor incident and a major one. Benefits of proactive cybersecurity: When it comes to managing risk, a proactive approach is always superior to a reactive one. But being proactive, especially when new threats are discovered and detected at such an alarming rate, is easier said than done.
Unfortunately for most organizations and cybersecurity departments, taking a reactive approach is the norm. A recent Ponemon Institute study, which surveyed 577 U.S. IT and IT security practitioners, provides the numbers to underscore the struggle toward proactivity:
- 69% of respondents admitted their company’s approach to security is reactive and incident driven
- 56% of respondents expressed concern that their IT security infrastructure contained coverage gaps, allowing attackers to get around network defenses
- 40% of respondents do not track or measure the company’s IT security posture
A proactive cybersecurity approach not only puts you ahead of attackers but can help you meet and even exceed regulatory requirements. Proactive strategies offer the structure and guidance that help you stay prepared and avoid the confusion that may otherwise arise. With uncertainty and confusion minimized, measures for incident prevention, detection an
Tags: Threat, Guideline
AlienVault.webp 2021-04-09 10:00:00 The difference between SASE and Zero Trust (direct link) Customers often ask me: what is the difference between Zero Trust and SASE? My answer is almost always the same: nothing... and everything. Both have taken the industry by storm over the last couple of years, and even more so with the security and access demands on the business driven by the existing remote workforce, but both have different implementation approaches. It is important to understand, however, that one does not fully provide the other; in fact, they reinforce each other. As you read through Gartner’s research that introduced SASE to the network and cybersecurity world, you’ll note that there are a number of similarities that can lead you to believe that implementing SASE also implements Zero Trust. While that may be the case in part, it is not a complete approach. And just as there is no one product that will get you to Zero Trust, there is also no one product that fully meets Gartner’s vision for SASE. Zero Trust Network Access (ZTNA): One key area of similarity is ZTNA. ZTNA focuses on providing allow-list (whitelist) capability for access to services. This is undoubtedly why it is considered one of the core components of SASE. Zero Trust is based on a set of principles, or tenets. One of these tenets is that all network flows are authenticated before being processed, and that access is determined by dynamic policy. Another tenet requires authentication and encryption applied to all communications independent of location, and that security must be performed at the application layer closest to the asset. These alone are foundational to ZTNA. ZTNA secures access to services at the application layer (layer 7), rather than to a complete network, as traditional remote access VPN implementations do. Therefore, it provides the means to give only authenticated and authorized users access to approved applications.
Monitoring for risk and trust levels: Gartner lists the core components of SASE as SD-WAN, secure web gateway (SWG), ZTNA, firewall-as-a-service and cloud access security broker (CASB). One thing that often gets overlooked in their whitepaper is that a SASE solution needs to be able to identify sensitive data, and to encrypt and decrypt content with continuous monitoring for risk and trust levels. Zero Trust eliminates implicit trust from all network communications and seeks to gain confidence that the communications are legitimate. This level of confidence is applied using trust levels (ironically) and scoring techniques. Therefore, the implementation of a trust/risk engine that applies contextual scoring capabilities is crucial in a Zero Trust authorization core, and SASE provides a means to accomplish this through its core component technology. Dynamic secure access: As stated earlier, a tenet of Zero Trust is that access is determined by dynamic policy. Another tenet of Zero Trust is that technology is utilized for automation in support of user/asset access and other policy decisions. This monitoring of user and device behaviors along with automation that drives p
Tags: Guideline
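The dynamic, context-scored access decision the two paragraphs above describe, as an added example that is not code from the article, AT&T or Gartner: a small policy decision point that scores each request from its own signals (MFA, device posture, location), compares the score with a per-application bar, and either allows, asks for a step-up challenge, or denies. There is no "inside the network" shortcut; location is just one scored signal. The signal names, weights, thresholds and sensitivity labels are assumptions for illustration.

```python
"""Added example (not code from the article, AT&T or Gartner): a minimal
Zero Trust policy decision point. Every request is scored from its own
context; the signals, weights, thresholds and application labels are
illustrative assumptions."""
from dataclasses import dataclass, field

# Assumed contribution of each signal to a 0-100 trust score.
WEIGHTS = {
    "mfa_verified": 40,      # strong authentication of the user
    "device_managed": 25,    # device enrolled in UEM and posture-checked
    "device_patched": 15,    # no missing critical patches reported
    "known_location": 20,    # request comes from a country seen before
}

# Assumed minimum trust required by application sensitivity.
THRESHOLDS = {"low": 40, "medium": 65, "high": 85}


@dataclass
class AccessRequest:
    user: str
    app: str
    app_sensitivity: str            # "low", "medium" or "high"
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    ip_country: str
    usual_countries: frozenset = field(default_factory=frozenset)


def trust_score(req: AccessRequest) -> tuple[int, list[str]]:
    """Score the request and list the signals that were missing."""
    score, missing = 0, []
    for signal, present in (
        ("mfa_verified", req.mfa_verified),
        ("device_managed", req.device_managed),
        ("device_patched", req.device_patched),
        ("known_location", req.ip_country in req.usual_countries),
    ):
        if present:
            score += WEIGHTS[signal]
        else:
            missing.append(signal)
    return score, missing


def decide(req: AccessRequest) -> dict:
    """Return allow / step-up-mfa / deny for one request.

    The bar depends on the application being asked for, which is what
    brokering at the application layer (layer 7) makes possible; a
    network-level VPN decision could not be this granular."""
    score, missing = trust_score(req)
    required = THRESHOLDS[req.app_sensitivity]
    if score >= required:
        decision = "allow"
    elif "mfa_verified" in missing and score + WEIGHTS["mfa_verified"] >= required:
        # The gap can be closed by a step-up challenge instead of a hard deny.
        decision = "step-up-mfa"
    else:
        decision = "deny"
    return {"decision": decision, "score": score, "required": required, "missing": missing}


if __name__ == "__main__":
    req = AccessRequest("alice", "payroll", "high", mfa_verified=True,
                        device_managed=True, device_patched=True,
                        ip_country="US", usual_countries=frozenset({"US"}))
    print(decide(req))   # {'decision': 'allow', 'score': 100, ...}
```

A real engine would feed `usual_countries` and the device signals from the identity provider and UEM rather than from the caller, and would re-evaluate on every request, not once per session.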
AlienVault.webp 2021-04-07 10:00:00 Do customers really care about SASE? Absolutely, and here’s why (direct link) As IT and security leaders adapt to business operations in the “new normal,” they are simultaneously being charged with priming the business to win in the next era of distributed computing. This involves myriad updates to the business’ IT systems, and in some cases a comprehensive overhaul for network modernization, cloud migration, and edge design and deployment, all tightly wrapped with security. The pressure is high because leaders know the decisions they make today will vitally impact the ability of the business to remain resilient and competitive tomorrow. To this point, many are researching or actively considering new security approaches that are better suited to a distributed computing model where employees, customers, suppliers and more need secure access to applications, data and services anytime and from anywhere. It’s no surprise, then, that many are also considering how to merge various technologies within networking and security to help reduce network complexity and overlapping technology capabilities, improve network performance and security, and potentially reduce costs. (After all, reductions in cost can then be redistributed to developing and protecting emerging edge environments.) One “new category” that is garnering a lot of attention brings together multiple network and security technologies, including but not limited to: Software-Defined Wide-Area Network (SD-WAN), firewall-as-a-service, Secure Web Gateway, Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA). Gartner has coined the term Secure Access Service Edge (SASE). Other firms have given their own labels: IDC (Software-Defined Secure Access), ESG (Elastic Cloud Gateway), and Forrester (Zero Trust Edge). Whatever the name, SASE in one form or another is being considered by customers across industries.
Buzz aside, the question remains: “Are customers actually adopting SASE? And if so, why?” The answer is yes, and we at AT&T can provide some insight. In March, we launched AT&T SASE with Fortinet, expanding our managed security services portfolio by unifying SD-WAN with some of the essential security functions listed in the SASE framework. And because SASE can be quite complex, we offer support for deployment and 24x7 management. This official launch of AT&T’s first SASE offering, though new in terms of branding, has evolved from the work we’ve been doing for several years with customers who have been moving to SD-WAN and want security to be part of that conversation, a trend accelerated by COVID. These customers tend to be national or multi-national organizations, and if they were not on the path to network transformation already, the sudden need to solve for an expanded remote workforce and an increasing number of remote sites, branches, or pop-up locations pushed them along
Tags: Guideline
AlienVault.webp 2021-04-06 10:00:00 Use AI to fight AI-powered cyber-attacks (direct link) This blog was written by an independent guest blogger. “AI is likely to be either the best or worst thing to happen to humanity.” ~Stephen Hawking. Cyber-attacks are commonly viewed as one of the most severe risks to worldwide security. Cyber-attacks are not what they were five years ago in terms of availability and efficiency. Improved technology and more efficient offensive techniques give cybercriminals the opportunity to launch attacks on a vast scale with greater effect. Intruders employ new methods and launch more comprehensive strategies based on AI to compromise systems. Similarly, organizations have started using robust defense systems that use Artificial Intelligence (AI) to fight AI-powered cyber-attacks. AI in the security world: Security professionals have spent a lot of time researching how to exploit AI’s abilities and integrate them into technology solutions. AI enables defense methods and services to identify and respond to cyber threats. The use of AI in security has proven to be beneficial. According to many IT professionals, security is the main reason for AI adoption in corporations. Not only does artificial intelligence improve overall cybersecurity, but it also automates identification and mitigation operations. According to the Capgemini Research Institute, 69% of corporations agree that AI is vital for security because of the growing number of attacks that traditional methods cannot prevent. According to the findings, 56% of companies say that security experts are overstressed, and 23% say they are unable to prevent all attacks. According to a TD Ameritrade study, registered investment advisors (RIAs) are more willing to invest in emerging artificial intelligence security projects. With these funding possibilities, the AI cybersecurity industry will grow at a 23.3% CAGR from $8 billion in 2019 to $38 billion in 2026.
Organizations use security information and event management (SIEM) for threat detection, capturing a large amount of data from across the organization. It is impractical for a human to go through such volumes of information to identify possible vulnerabilities. Artificial intelligence, by contrast, helps search for anomalies across technology and user activity. AI-based methods efficiently scan across the system and compare different information sources to detect vulnerabilities. Anomaly detection is a domain where AI is helpful in a company’s security defense; machine learning models can also learn from past incidents to help prevent attacks. Applications of AI in security: AI in antivirus services: antivirus software with artificial intelligence detects processes on the network that behave suspiciously. AI antivirus detects malicious software when it is launched in a network and prevents network assets from being exploited. Modeling user behavior: AI simulates and assesses the behavior of network users. The aim of evaluating how users engage with the system is to spot account takeover attempts. AI also observes users’ actions and identifies odd behavior as anomalies. When a new user logs in, AI-powered machine
Tags: Vulnerability, Threat
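The user-behavior modeling the last paragraph describes, as an added example that is not code from the article: a per-user login baseline (typical hour on a 24-hour clock and the countries seen so far) and a check of each new login against it. The login history is constructed and the thresholds are assumptions. A circular mean is used for the hour so that a user who works around midnight is not mis-modeled, which a plain average would do.

```python
"""Added example (not code from the article): a small behavioural baseline
for logins, one of the anomaly-detection uses the text describes. The
history below is constructed, and the thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed login history: (user, hour_of_day, source_country).
HISTORY = [
    ("alice", 9, "US"), ("alice", 10, "US"), ("alice", 8, "US"), ("alice", 11, "US"),
    ("alice", 9, "US"), ("alice", 10, "US"), ("alice", 12, "US"), ("alice", 9, "US"),
    ("bob", 22, "DE"), ("bob", 23, "DE"), ("bob", 21, "DE"), ("bob", 22, "DE"),
    ("bob", 0, "DE"), ("bob", 23, "DE"), ("bob", 22, "DE"), ("bob", 21, "DE"),
]

HOUR_RATIO_LIMIT = 2.5   # assumed: flag if deviation > 2.5x the user's usual spread
MIN_SPREAD = 1.0         # assumed floor, so a very regular user is not over-sensitive
MIN_EVENTS = 5           # assumed: fewer events than this means no usable baseline


def hour_distance(a: float, b: float) -> float:
    """Distance between two hours on the 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def circular_mean_hour(hours) -> float:
    """Mean hour that handles midnight wrap-around (a plain average of
    22, 23 and 0 would be 15, which is exactly wrong)."""
    angles = [h * 2 * math.pi / 24 for h in hours]
    s = sum(math.sin(a) for a in angles)
    c = sum(math.cos(a) for a in angles)
    return (math.atan2(s, c) * 24 / (2 * math.pi)) % 24


def build_baselines(history):
    """Per user: typical hour, spread around it, and countries seen."""
    hours, countries = defaultdict(list), defaultdict(set)
    for user, hour, country in history:
        hours[user].append(hour)
        countries[user].add(country)
    baselines = {}
    for user, hs in hours.items():
        if len(hs) < MIN_EVENTS:
            continue
        mean = circular_mean_hour(hs)
        rms = math.sqrt(sum(hour_distance(h, mean) ** 2 for h in hs) / len(hs))
        baselines[user] = {"mean_hour": mean, "spread": max(rms, MIN_SPREAD),
                           "countries": countries[user]}
    return baselines


BASELINES = build_baselines(HISTORY)


def assess_login(user: str, hour: int, country: str, baselines=BASELINES) -> dict:
    """Score one new login against the user's baseline."""
    base = baselines.get(user)
    if base is None:
        # No history: treat as unknown rather than silently normal.
        return {"no_baseline": True, "unusual_hour": False, "new_country": False}
    deviation = hour_distance(hour, base["mean_hour"]) / base["spread"]
    return {
        "no_baseline": False,
        "unusual_hour": deviation > HOUR_RATIO_LIMIT,
        "new_country": country not in base["countries"],
        "hour_deviation": round(deviation, 2),
    }


if __name__ == "__main__":
    print(assess_login("bob", 11, "DE"))    # unusual_hour True
    print(assess_login("alice", 10, "RU"))  # new_country True
```

Two signals are deliberately kept separate rather than folded into one score: a new country on its own is often just travel, while an odd hour plus a new country is what should page someone.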
AlienVault.webp 2021-04-02 10:00:00 5 steps to respond to a data breach (direct link) This blog was written by an independent guest blogger. You’ve just been breached. What do you do next? Depending on personality, preparation, and ability under crisis, there are a variety of responses to choose from, some effective and some not. Hopefully, you’re the rare breed who plans in advance how to respond. Even better if that planning includes how to prevent breaches in the first place. But to execute a logical, effective response, keep reading. In this guide, I’ll take you through a methodical process of handling a data breach and how to stop it from happening again. Let’s get to it. 1. Stop the breach: At the risk of resembling Captain Obvious, before anything else you need to stop the data leak. But to do that you have to recognize that a data breach exists. For some organizations the problem with data breaches isn’t responding to them, it’s knowing they are happening at all. Research indicates that breach detection can take half a year or longer on average. That should be a mind-boggling statistic and a testament to the general widespread lack of effective cybersecurity. By the time the problem is spotted, potentially private data has been leaking into the wrong hands for a long time. So... contain it quickly. Isolate the systems that have been compromised and immediately take them offline (isolating them from the network rather than powering them off preserves volatile evidence for the forensics in step 2). Late though it might be, it’s critical to stop the problem from spreading to other parts of your network. Shut down any user accounts that you believe have been used to steal data; it’s better to be safe than sorry. You can restore them later. 2. Assess the damage: Next, get ready to undertake some forensics. These should focus not just on tracing how your data was accessed, but on the likely impact of it being released to the general public, in the unfortunate event that happens.
While determining whether it’s a data breach, leak, or compromise, you should also ask yourself (and your team) a number of questions:
- What was the attack vector? Was the attack based on social-engineering tactics or on compromised user accounts?
- How sensitive is the breached data? What type of data is affected? Does the data contain high-risk information?
- Was the data encrypted, and can it be restored (did the company back up its data)?
It’s crucial that you perform this analysis before going on to the next step. Otherwise, your response to the breach could look uninformed and casual to an outsider. Get the facts straight, in other words, before customers start asking awkward questions. 3. Notify those affected: Then it’s time to come clean. Inform everyone who is likely to be affected by the breach at the earliest possible opportunity. While it’s not a terrible idea to make sure your systems are safe before breaking the news, that doesn’t give you a license to wait months “just in case.” It’s tempting to play down the breach. Maybe omit some damaging details in hopes of preserving your brand integrity. Unthink those thoughts! If you are not totally honest and it’s discovered later, which it almost certainly will be, brand damage could be much, much worse. There is also the possibility of legal action. Any nasty, negative online comments the breach gen
Tags: Data Breach, Hack
AlienVault.webp 2021-04-01 10:00:00 Endpoint Security: Helping to realize the benefits of SASE (direct link) Endpoint security is at the forefront of digital transformation due to the very nature of needing to protect devices outside the company’s network perimeter. This started with traditional devices such as laptops and desktops. Endpoint security then quickly expanded to include mobile security for smartphones and tablets. And, as more data moved to the cloud, endpoint security came to include servers and containers, both inside and outside of the network perimeter. In contrast, network security is designed to protect the corporate data that resides on-premises or between specific office branch locations. This leaves endpoint security as one of the few ways to manage and help protect that data from anywhere else. Because of this, endpoint security technology has been forced to improve drastically over time to keep up with the shift of the workplace to more remote work and the ever-growing threat landscape. The future is fast and highly secure: With new technologies emerging, such as 5G and edge solutions, a whole new era of digital transformation will take place to take advantage of the fast speeds and ultra-low latency these technologies enable. New use cases will develop that weren’t possible before, such as enabling an electrician to operate more efficiently through augmented reality assistance, or a clothing store allowing customers to virtually try on clothes, or other highly interactive and immersive customer experiences with real-time analytics that help improve brand image. All these new use cases happen through interaction on an endpoint of some type, and these endpoints must be protected. Today, there are highly sophisticated unified endpoint management (UEM) solutions that can enforce management policies on all types of devices.
There are next-generation endpoint security solutions that incorporate Artificial Intelligence (AI) and Machine Learning (ML) to help protect against known and unknown threats, and mobile security solutions to address the unique challenges brought about by the proliferation of smartphones and tablets. All these solutions have been purpose-built to address the changing dynamics of remote workers and cloud adoption. SASE: the next-gen network security solution: As this digital transformation occurs with faster speeds, edge technologies, and improved endpoint security, network security elements remain on-premises, creating several potential issues. Security gaps between on-premises, cloud, and endpoints leave businesses vulnerable to malicious actors who take advantage of these weaknesses. Also, this on-premises network security model creates unsustainable latency that inhibits businesses from realizing some of the most advanced and immersive use cases they want to pursue. Thankfully, new methods and frameworks for network security are emerging, such as Secure Access Service Edge or SASE (pronounced “sassy”). SASE places network controls at the cloud edge, closer to the service being accessed, as opposed to in the corporate data center. This is a very exciting next phase of technology, and one that endpoint security solutions welcome with open arms. This emerging SASE framework holds the promise of providing highly secure network access as close to the end user as possible; it is designed to further enable use cases that rely on ultra-low latency and fast network speeds and to help bridge the final layer between endpoint security and network security. SASE doesn’t replace endpoint security: Today’s endpoints are highly sophisticated, processing vast amounts of data quicker than ever. And endpoint technology improves by the day. New ways of processing data, AI, and ML are all contributing to the path of advanced solutions that change the way we live, work, and play.
But any endpoint capable of this high processing power is also susceptible to cyber-attacks of all types. No amount of network, edge, or cloud security can replace security on the endpoint
Tags: Ransomware, Threat, Guideline
AlienVault.webp 2021-03-30 10:00:00 What educational institutions need to do to protect themselves from cyber threats (direct link) This blog was written by an independent guest blogger. Educational institutions are reaping the many benefits and new possibilities offered by online learning, but these new methods of instruction come with serious cyber security concerns. These institutions are also a prime focus for hackers because they often host a lot of sensitive data about teachers and students. Furthermore, schools and universities are an easy target because not every teacher or professor is technologically savvy. In fact, many educational institutions were caught off guard by the pandemic and had to rush to implement a remote learning framework that they were not prepared to roll out. The growing number and variety of devices used to connect to a network from a wide range of locations adds another layer of complexity when it comes to cyber defense. To make matters worse, there are laws and regulations in place that require schools to abide by certain standards. Failure to comply with these regulations can result in loss of government funding or hefty fines. In this article, we will talk about the most common cyber attacks facing educational institutions today and top tips on how to prevent them. Cyber crime is on the rise: As our society increasingly embraces a digital world, partially out of necessity due to the coronavirus pandemic, opportunities for cyber criminals grow more plentiful. In March 2020, the month that marked the onset of the confusion, fear and subsequent lockdowns caused by the global health crisis, organizations experienced a 148% increase in ransomware attacks. When possible, educational institutions should make efforts to allocate or obtain funding for experts who can assist in the area of cyber security.
It’s not difficult to find statistics like the one mentioned above that indicate a great need for heightened vigilance towards cyber criminals. A cloud-based help desk program can be vital to the cyber security of your organization, enabling staff or students to raise alerts if they have reason to believe they have been hacked. A cyber security team that provides measures such as daily backups and regular security patches can go a long way towards protecting your institution. As the saying goes, an ounce of prevention is worth a pound of cure. Top methods of attack used by cyber criminals against educational institutions: According to Red Canary’s “Threat Detection Report,” the top three methods of attack facing educational institutions are process injection, Windows admin shares and scheduled tasks. Windows admin shares: Windows creates hidden administrative network shares (such as C$ and ADMIN$) on every system for remote administration, reachable by anyone holding administrator credentials. If a hacker can guess or steal an administrative user’s password, or obtain it through brute force, those shares give them remote access to the file system, and the entire system becomes compromised. Scheduled tasks: Windows Task Scheduler allows users to arrange for a program or script to be run at a specific time or under certain circumstances. For example, some users might schedule an antivirus program to scan their computer late in the evening when they are less likely to be using it. Alternatively, a user can schedule that a certai
Tags: Ransomware, Malware
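Detection logic for two of the three techniques the Red Canary report names above, admin share access and scheduled task creation, as an added example that is neither the report's nor the article's code. It runs over constructed Windows Security events: IDs 5140 (a network share object was accessed) and 4698 (a scheduled task was created) are the real event IDs, but the flat dicts are a simplified rendering (a real 4698 carries the task definition as XML in TaskContent). The third rule correlates the two on the same user and host within a short window, which is the pattern an attacker leaves when they reach a host over ADMIN$ and then plant a task to persist.

```python
"""Added example (not from the Red Canary report or the article): detection
logic for admin share access and suspicious scheduled task creation, run
over constructed Windows Security events. Event IDs 5140 and 4698 are
real; the flat dicts are a simplified, constructed rendering of them."""
import re

# Constructed events. Time is seconds since epoch, simplified to small ints.
EVENTS = [
    {"Time": 900,  "EventID": 5140, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "IpAddress": "10.0.0.5", "ShareName": r"\\*\Backups"},
    {"Time": 1000, "EventID": 5140, "Computer": "WS07", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.3.44", "ShareName": r"\\*\ADMIN$"},
    {"Time": 1240, "EventID": 4698, "Computer": "WS07", "SubjectUserName": "jsmith",
     "TaskName": r"\Updater", "Command": r"C:\Users\Public\up.exe"},
    {"Time": 2000, "EventID": 4698, "Computer": "WS02", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe"},
    {"Time": 2500, "EventID": 4698, "Computer": "WS03", "SubjectUserName": "bob",
     "TaskName": r"\OneDriveSync", "Command": "powershell.exe -NoP -W Hidden -enc SQBFAFgA"},
]

# ADMIN$ and drive-letter shares (C$, D$, ...). IPC$ is left out on purpose:
# almost every SMB session touches it and it would drown the signal.
ADMIN_SHARE = re.compile(r"\\\\\*\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)
# Task binaries living in user-writable locations, or encoded PowerShell
# (only the -enc / -EncodedCommand spellings are covered here).
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"powershell(\.exe)?.*\s-(enc|encodedcommand)\b", re.IGNORECASE)


def is_admin_share_access(ev) -> bool:
    return ev["EventID"] == 5140 and bool(ADMIN_SHARE.search(ev.get("ShareName", "")))


def is_suspicious_task(ev) -> bool:
    if ev["EventID"] != 4698:
        return False
    cmd = ev.get("Command", "")
    return bool(USER_WRITABLE.search(cmd) or ENCODED_PS.search(cmd))


def detect(events, window=600):
    """Return alerts. The third rule fires when the same (user, host) shows
    an admin-share access followed within `window` seconds by a suspicious
    task: remote access over ADMIN$ and then persistence on that host."""
    alerts, last_share_hit = [], {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        key = (ev["SubjectUserName"].lower(), ev["Computer"])
        if is_admin_share_access(ev):
            alerts.append({"rule": "admin_share_access", "host": ev["Computer"],
                           "user": ev["SubjectUserName"], "from": ev["IpAddress"]})
            last_share_hit[key] = ev["Time"]
        if is_suspicious_task(ev):
            alerts.append({"rule": "suspicious_scheduled_task", "host": ev["Computer"],
                           "user": ev["SubjectUserName"], "task": ev["TaskName"]})
            t = last_share_hit.get(key)
            if t is not None and ev["Time"] - t <= window:
                alerts.append({"rule": "lateral_movement_then_persistence",
                               "host": ev["Computer"], "user": ev["SubjectUserName"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Note that 5140 is logged on the host whose share was accessed, not on the attacker's source machine, so the correlation key is the target host; the source address is carried along in the alert for the analyst. On a real estate you would also want to allow-list the backup and patching accounts that legitimately touch C$ every night.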
AlienVault.webp 2021-03-29 10:00:00 Adaptive cybersecurity: 3 strategies that are needed in an evolving security landscape (lien direct) This blog was written by an independent guest blogger. Cybersecurity is no longer an outlandish concept to many business enterprise executives. What is still relatively unfamiliar to many organizations and their leadership, however, is the task of evaluating their cyber strategy and risk to determine how best to adapt and grow to stay secure while remaining competitive.  Executives must initiate thorough evaluations of their existing cybersecurity strategies to figure out which types of new technologies and risk management strategies they need the most. Apart from remaining competitive with other businesses that are also increasing their cybersecurity posture, it's vital for businesses both large and small to implement more adaptive cybersecurity to combat the ever-looking threat of data breaches and attacks from cybercriminals. To that end, let’s take a look at the top three most important strategies that enterprise executives need to adopt to keep up with an evolving security landscape and a high prevalence of threats to data security:  Regular surveillance of the application security layer Organizations have good reason to be concerned about cybercrime such as phishing emails and ransomware attacks, which witnessed a 37% increase last year and resulted in total average business costs of nearly $4.5 million. Adaptive cybersecurity and the strategies that come with it are the best hope business executives have to stave off increasingly sophisticated cybercrimes such as ransomware.  Any business with an established digital presence or eCommerce store knows that their customers need 24/7 access to their web applications and software. There's no question, then, that application security is an important part of a larger adaptive cybersecurity strategy.  
Consider that approximately 84% of software breaches exploit application-layer security vulnerabilities, and you'll begin to understand why executives need to adopt application security testing tools to keep their customers' data as well as their own organizational data assets secure from threats. To secure and protect data at the application layer, executives require a single platform that they and their IT department can use to regularly assess the security risks that face their applications. According to the cybersecurity analysts at Cloud Defense, you can use a unified platform to secure custom code, open source libraries, SDKs (software development kits), and APIs (application programming interfaces) to catch security bugs early and often, before they impact users or systems. Platforms such as these make it easy to enforce security policies and secure custom code and open source libraries, ultimately achieving preventative security that catches bugs early and often. The future of mitigating threats at the application layer requires tools and approaches that ensure the layer's security, which in turn requires careful control of user input. Executives can direct their IT departments to lock down session security and user access as well as harden apps against threats such as SQL injection. Ultimately, the future of application-layer security requires that business executives lean on an adage of the past: never fully trust the user. Blending AI and cybersecurity The modern lan Ransomware Threat Guideline
AlienVault.webp 2021-03-26 05:01:00 SD-WAN vs. MPLS: how do they compare from a security perspective? (direct link) This article was written by an independent guest author. SD-WAN and MPLS are two technologies that are often perceived as either-or solutions. For many organizations, however, SD-WAN and MPLS can complement each other. This article will define and compare the technologies, explaining how, in many cases, they work together. We’ll also explore SD-WAN’s popularity and its role in enabling modern security architectures like SASE. Defining SD-WAN and MPLS SD-WAN Software-defined wide area networking (SD-WAN) is a distributed networking technology that provides a sustainable alternative to high-latency hub-and-spoke network topologies. Before SD-WAN, hub-and-spoke networks directed branch office traffic to a centralized data center, often through dedicated MPLS lines, while remote and home-based workers connected through VPN. While this model worked well in the past when all applications were installed on the desktop or on data center servers, the rapid proliferation of cloud applications and services overloaded MPLS circuits. The resulting latency and poor user experience represent a significant roadblock to cloud optimization. To address these issues, SD-WAN enables branch office and remote users to connect directly to the internet when directly accessing resources hosted in the cloud. SD-WAN uses software that makes intelligent traffic routing decisions based on priority policies and QoS settings. Its flexible mesh of network links can connect directly to the internet, the data center, or other branches depending on the application. SD-WAN uses a variety of transport services—including MPLS, commodity broadband services and LTE. MPLS Multiprotocol Label Switching (MPLS) directs network traffic and data through a path using labels—instead of requiring complex routing table lookups at each network point.
MPLS technology requires proprietary hardware and operates much like switches and routers. To make data forwarding decisions, MPLS uses packet-forwarding technology and labels (which virtually isolate packets). MPLS is often implemented on high-performance, distributed networks and can deliver packets reliably with a high QoS (Quality of Service). With MPLS, packet loss for higher priority traffic is minimal, which keeps an organization’s most important traffic flowing. For real-time protocols like VoIP, high-level QoS and reliability are essential. The SD-WAN & MPLS comparison When comparing SD-WAN and MPLS, the most significant distinction is the infrastructure: SD-WAN is virtualized while MPLS is hardware-based. MPLS connections essentially operate like a dedicated leased line and offer lower packet loss but higher bandwidth costs. SD-WANs, on the other hand, can handle multiple types of network connections, including MPLS lines. While MPLS is distinctly reliable, agile organizations requiring distributed networking capabilities are turning to SD-WAN to augment their existing MPLS circuits. SD-WAN’s scalability, performance, visibility and global availability are attractive benefits to most businesses. Besides, SD-WAN can be quickly put in place and adjusted to suit business requirements. Private-based networking technologies like MPLS will always be an attractive option for organizations with specific security and connectivity requirements. It’s important to remember that SD-WAN can incorporate MPLS into its infrastructure but not the other way around. Can you combine the two options? Absolutely. Combining MPLS with SD-WAN allows companies to gain the best of both worlds. Less-critical data can be transferred through the internet, while sensitive real-time information can be automatically routed to the MPLS. The speed and reliability of MPLS sometimes aren’t compelling enough to use for all connectivity, due to the costly implementations. But SD-WAN is affordable and typically
AlienVault.webp 2021-03-25 10:00:00 Cybersecurity strategy…. To Plan or not to plan…That is the question (direct link) What is a strategy? As defined by Merriam Webster…. ‘a carefully developed plan or method for achieving a goal or the skill in developing and undertaking such a plan or method.’ A cybersecurity strategy is extremely important, but many organizations lack a strategy, or they have not kept their strategy and subsequent roadmap current. A strategy is especially important in this day of digital transformation and for key initiatives like Zero Trust. Cybersecurity requires a holistic approach, implemented uniformly throughout the enterprise. A practical cyber / information security strategy, aligned with business objectives, built on an industry-accepted framework, and adjusted to the applicable threat landscape, can help create a predictable and consistent environment and minimize business risk. An effective strategy is instrumental in setting the direction for the cybersecurity program and in decision-making on information security budget allocation, information security initiative prioritization, and objective measurement of the effectiveness of the program. Having a unified strategy enables enterprises to focus their information security efforts to be more inclusive, cohesive, and efficient. Furthermore, an information security strategy developed without regard and alignment to the overall business and IT strategy in the organization will likely lead to inefficiencies and inconsistencies at best, or ineffectiveness, increased operational losses, and diminished brand / reputation at worst. An information security strategy defines the goals, objectives, and methodologies used to address internal and external threats faced by the enterprise. The strategy drives moving from a reactive posture to a proactive approach. As the business objectives change and the threat landscape evolves, so must the cybersecurity strategy.
This is not a one-time effort but a continuous process. However, evolving from a solid foundation makes it much easier to adjust the strategy and subsequent cybersecurity posture. Strategy foundation and planning Organizations must first adopt a framework of security requirements based upon applicable laws and regulations they must comply with, industry standards, and other drivers, such as customer or business partner requirements. It is crucial to align with the business. What are the business strategies and how can cybersecurity enable them? What inputs must be obtained? Business requirements, IT strategies, enterprise risk appetite, and the enterprise risk assessment. What are the key activities to determine the current security posture? Gap analysis against the framework, determining program maturity and security capabilities, benchmarking against industry peers, and assessing the industry state and threat landscape. Once the current state is understood, organizations can determine where they want to go. This should all be grounded in aligning with business and IT strategies and reducing risk. In addition, prioritization takes into account risk management principles, compliance requirements, resources, budget, timelines and dependencies across the organization. Because this is a process and not a one-time effort, measures and scorecards should be established to show iterative progress in meeting defined targets. The implementation of the strategy is facilitated by a strong communication plan across the enterprise, from key stakeholders to all employees. Communication is about garnering support, providing education, establishing the ‘cybersecurity brand,’ adjusting the culture, a Threat Guideline
AlienVault.webp 2021-03-24 10:00:00 Stories from the SOC – Propagating malware (direct link) Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. Executive Summary While freeware does not have a monetary cost, it may come at a price. There may be limitations to freeware such as infrequent updates, limited support and hidden malicious software. Some freeware programs may have added software packages that can include malicious software such as trojans, spyware, or adware. It’s important to have additional layers of defense to ensure that your environment is protected. The Managed Threat Detection and Response (MTDR) analyst team was notified of malware on the assets of a customer who frequently uses freeware. The primary piece of malware that was detected by Cisco® Secure Endpoint (formerly AMP for Endpoints) did not appear to be particularly malicious, so the investigation was originally reported as a medium severity. After some time, several alarms were raised due to additional malware that was encountered on multiple assets within the customer’s environment, and it was determined they were likely caused by freeware. After some investigating, a report was created by the analyst containing a list of infected machines, files, and their related malware families. The severity of the investigation was changed to a high severity, and the customer was notified based on their incident response plan (IRP) to begin immediate remediation efforts. Investigation Initial Alarm Review Malware Infection Cisco Secure Endpoint – Threat detected The initial alarm was raised due to a piece of malware detected by Cisco® Secure Endpoint that was indicative of a single malware infection. The first detection that emerged appeared to be benign, as it was reported by multiple open source intelligence (OSINT) sites as a known-clean file.
Due to the detection of this original file, this investigation was set at a medium severity as a precautionary measure. [Image: initial alarm screen for propagating malware] After some time, additional alarms were raised that were indicative of a deeper, more malicious infection. It became clear that additional investigation was necessary. During the investigation, nearly two hundred events of varying malware infections were detected, indicating there was propagating malware. [Images: families of propagating malware; graph of propagating malware] The detected events of malware were filtered for benign hashes using the AT&T Alien Labs Open Threat Exchange (OTX) as well as other OSINT sites. The malicious files were organized into a report with infected files, hashes, as well as a list of the fifty suspected infected assets. After the report was organized and the additional alarms were posted within the investigation, the severity was increased from medium to high to prompt immediate customer response and quarantine of these threats. Expanded Investigation Malware Threat
AlienVault.webp 2021-03-23 10:00:00 Cybersecurity and accessibility for Ecommerce platforms: Is it possible? (direct link) This blog was written by an independent guest blogger. Ecommerce store losses to online payment fraud are expected to reach $25 billion by 2024, a new Juniper report reveals — up from just $17 billion in 2020. Undoubtedly, cybersecurity should be a top priority for ecommerce owners. At the same time, accessibility is another pressing concern, with the need for websites to comply with the World Wide Web Consortium's Web Content Accessibility Guidelines (WCAG 2.0 AA). However, captchas — essential for making online shopping more secure — lack accessibility, while user-friendly input assistance potentially poses a security risk. Fortunately, it’s possible to make your ecommerce site accessible to customers with disabilities without compromising the strong security standards needed in this digital age. Importance of accessibility Ultimately, WCAG 2.0 AA compliance means that customers with either hearing or sight impairments, learning disabilities, or physical limitations will be able to visit your store. Your website will be compatible with the special software and assistive technologies these visitors may use to access and navigate it. Moreover, by making your ecommerce store accessible, you’ll inevitably reach a wider audience and increase conversions. The secure and streamlined checkout process — an important part of website accessibility — will give customers a faster and more appealing shopping experience. Again, this further boosts conversions, and customers will be more likely to want to repeat such a smooth and stress-free purchase. Best practices for site optimization and accessibility also go hand in hand. For example, images with descriptive text, site maps, breadcrumb links, alt text, and readability will all boost your site’s organic SEO equity.
Ecommerce SEO will give you a competitive edge and place your site higher up in the search results. Alternatives to captcha Although captchas are important for strengthening website security, they’re typically inaccessible to people with disabilities who are unable to clearly see and hear words, letters and numbers. Fortunately, alternative options can bolster security while maintaining accessibility. For example, if you use the captcha to verify that it’s a human visiting your site (and not a robot), try text and/or audio versions that clearly communicate the details of the captcha. So, this could mean including text that reads “type the word in the image” and an audio clip that announces “type the letters spoken in the audio.” Additionally, you can use other accessible alternatives, including human test questions, server-side spam filters, honeypot traps, and heuristic filters. Incorporating a combination of effective and reliable security options will ensure your ecommerce site remains accessible to people with disabilities without increasing the risk of security breaches. The issue of input assistance Input assistance is an essential feature that can help make your ecommerce site more accessible; it essentially works to help correct a customers' Spam
AlienVault.webp 2021-03-22 10:00:00 Texas power failures highlight dangers of grid attacks (direct link) This blog was written by an independent guest blogger. In mid-February, a winter storm left more than 4 million people in Texas without power. These outages lasted days, leading to substantial property damage and even death, and they paint a grim picture for the future. Should a cyberattack successfully infiltrate U.S. power grids, the results could be deadly. The Texas power failures did not result from a cyberattack, but they highlight how destructive grid outages can be. As the threat of terroristic cybercrime rises and electrical networks become increasingly crucial, these potential emergencies demand the nation’s attention. Without improved cybersecurity infrastructure, the country’s power grids represent glaring vulnerabilities. Grid integrity is more crucial than ever Digital technologies play a critical role in virtually all aspects of life today, making grid integrity essential. With so much relying on the cloud, data center power losses could render much of an organization’s operations useless. While places like hospitals and factories often have standby generators, not every building has reliable backups. Several people died during the Texas outages trying to stay warm when the power went out, and it could’ve been worse. Officials say the state was minutes away from a catastrophic failure that would’ve caused outages lasting for months. When the world relies on electricity to stay alive, power failures can turn fatal. Grid integrity is also crucial to modern business, with server downtime costing 25% of companies $301,000 or more an hour. That’s an expensive and dangerous problem to mitigate, considering how the government relies on these systems. Severe outages could compromise emergency communications and hinder response times. Most grids are vulnerable The Texas grid outages arose because power companies failed to winterize their equipment properly.
Environmental protections aren’t the only area in which power grids are vulnerable, though. Much of the nation’s energy infrastructure lacks robust cybersecurity, opening it to cyberattacks. Many power plants now feature automatic controls and remote access, which, while convenient, create vulnerabilities. Energy companies can use these tools safely, but protecting them is expensive, so many don’t. Cybersecurity typically falls far from the top of power providers’ priorities, yet attacks against energy infrastructure have occurred, even in the U.S. In 2015, a cyberattack left more than 230,000 people in Ukraine without power for several hours. In 2019, the North American Electric Reliability Corp. revealed that firewall exploits caused widespread communication outages. As cybercrime rates rise around the globe, power grid cybersecurity is a must. Protecting against grid attacks This problem is a pressing one, but there’s a solution. While the government has taken steps to protect grids from cybercrime, Threat Guideline
AlienVault.webp 2021-03-18 11:01:00 What is a security operations center (SOC)? Explaining the SOC framework (direct link) This article was written by an independent guest author. If you’re responsible for stopping cyber threats within your organization, your job is more challenging than ever. The exposure to threats for any organization continues to escalate, and breaches are occurring every day. Consider: The average cost of a data breach is approximately $3.92M. On average, it takes 280 days to identify and contain a breach. If your company doesn’t have a security operations center (SOC), it may be time to change that. In fact, a recent study indicates 86% of organizations rate the SOC as anywhere from important to essential to an organization's cybersecurity strategy. What is a SOC? The security operations center (SOC) identifies, investigates, prioritizes, and resolves issues that could affect the security of an organization’s critical infrastructure and data. A well-developed and well-run SOC performs real-time threat detection and incident response, allowing SOC analysts to rapidly deliver security intelligence to stakeholders and senior management. The SOC framework was introduced by The Open Web Application Security Project (OWASP), a nonprofit foundation established to improve software security, as a means for responding to cybersecurity incidents. The framework includes technical controls (Security Information and Event Management (SIEM) systems), organizational controls (processes), and also includes a human component (detection and response). Perhaps the most crucial function for a SOC involves a detailed and ongoing attack analysis. This means gathering and reporting on attack data that provides answers to these questions: When did the attack start? Who is behind the attack? How is the attack being carried out? What resources, systems, or data are at risk of being compromised or have already been compromised?
A proactive and reactive mechanism Beyond attack analysis, the SOC also provides critical cybersecurity functions that should be a cornerstone for every business today: prevention, detection and response. An effective SOC prioritizes a proactive approach rather than relying on reactive measures. The SOC typically works around the clock to monitor the network for abnormal or malicious activity, which might stop attacks before they happen. How does this work? SOC analysts are well-equipped to prevent threats because they have access to comprehensive network data and possess up-to-date intel on global threat intelligence stats and data covering the latest hacker tools, trends, and methodologies. When it comes to response, think of the SOC as a first responder, carrying out the critical actions that “stop the bleeding” from an attack. When the incident is over, the SOC will also assist or lead restoration and recovery processes. What are the goals of a well-functioning SOC? A well-functioning SOC provides a multitude of benefits, but in order to get the most out of your security operations center, you’ll need to ensure you have experienced personnel to make u Data Breach Threat Guideline
AlienVault.webp 2021-03-18 10:00:00 Enterprise-Grade Mobility takes another step forward with new mobile security offers (direct link) Companies and organizations of all sizes need mobile technology built for the rigors of business—it’s a must for businesses seeking to stay competitive. Enterprise-grade mobility offers additional business options, features, and services, helping companies perform functions beyond just enabling employees to work remotely. The right mobility solutions can significantly help increase productivity, reduce inefficiencies, improve Quality of Service (QoS), and manage compliance requirements—while enabling the same security protections on mobile devices as organizations have on laptops and desktops, to help protect critical business information. With today’s highly sophisticated attacks, traditional security elements designed to protect the network infrastructure are not enough to fully protect this critical business information on mobile endpoints. AT&T understands the unique needs of mobile devices to both operate at their highest performance and be properly secured from these emerging threats. Because of this, AT&T is taking another step forward to provide our business customers with Enterprise-Grade mobile security, designed for businesses of any size. AT&T wants to make mobile security an easy choice Now, customers with AT&T Business Mobile Select - Pooled plans can add Lookout Mobile Endpoint Security (MES) Comprehensive for a greatly reduced price per device license per month! Businesses no longer need to make the choice between great security and great savings. This Lookout MES Comprehensive plan provides customers with industry-leading mobile security at a deeply discounted price. Additionally, AT&T is bringing the Lookout MES Threats offer to customers at a price that helps make mobile security an easy decision for businesses.
Both offers include Lookout’s installation and 24x7 support so customers can get up and running with ease. To learn more about these new offers, visit us at https://cybersecurity.att.com/products/lookout. Enterprise-Grade mobile security Truly, businesses of all sizes need to understand the importance of mobile security and how to best protect their mobile devices. And, in the ever-evolving threat landscape, businesses should not rely solely on the end user to self-remediate threats. Rather, implement solutions that can enforce automated remediation through integration with a Mobile Device Management (MDM) solution or Unified Endpoint Management (UEM) tool while also providing real-time alerts to the end user, who can immediately take action. Furthermore, mobile security should also provide the ability to create custom policies and integrate into the business’s holistic ecosystem. With AT&T, customers can get the right mobility solutions and mobile security solutions for their business. Reach out to us today to learn more about how AT&T can help with both your Enterprise-Grade mobility and Enterprise-Grade security solutions. Tool Threat Guideline
AlienVault.webp 2021-03-18 05:01:00 What is managed detection and response? (direct link) This article was written by an independent guest author. The last 12 months have seen massive upticks in the frequency, sophistication, and intensity of cyberattacks. This comes at a time when business operations have changed drastically with shifts to more cloud resource use in order to increase access, availability, productivity, and profits. The challenge for IT has become how to monitor the state of security of this complex mix of systems, platforms, applications, and environments while being able to quickly and effectively respond to detected potential or active threats. Organizations like yours have long realized their limitations around staffing and expertise to properly address this growing need within a security strategy, causing security service providers to fill the void with managed detection and response services. What is managed detection and response (MDR)? Managed Detection and Response (MDR) is a managed cybersecurity service that provides organizations with 24x7 active monitoring and intelligence-based detection of threats, helping to quickly respond to and remediate detected threats. Outsourced teams of experienced security analysts augment your internal team and enhance your security solutions with threat intelligence that is designed to detect advanced threats on endpoints and the network. The analysts also work with your team to define processes and workflows to aid in investigation and remediation activities. In short, MDR provides your organization with a security operations center (SOC) and dedicated analysts working to ensure the security of your environment. Some MDR offerings also include threat hunting as part of the service. Where does the term MDR come from?
MDR has evolved from Managed Security Service Providers (MSSPs), who historically have offered managing and monitoring of network security, but left the investigation and remediation activity to internal IT teams. This put the burden of identifying real threats and performing incident response actions back on the already overtaxed IT staff. One common challenge for internal IT teams is that no one is a cybersecurity expert; your team is made up primarily of generalists with some degree of specialty. When we’re talking about identifying and responding to a potential cyberattack, your organization needs an expert. Thus, MDR was born. MSSPs are more focused on security monitoring and alerting, so MDR takes this much further by including detection, response, and threat hunting. While both typically utilize vulnerability scanning and Security Information and Event Management (SIEM) functionality, MDR services use additional solutions that provide visibility all the way down to the endpoint to ensure a complete picture of any potentially malicious activity, as well as response orchestration to automate remediation. MDR monitoring includes: 24x7 alarm monitoring by a SOC team; reliance upon state-of-the-art threat intelligence; security analyst review and validation of alarms to eliminate false positives and non-actionable alarms, as well as escalation of actionable alarms to a Tier 2 analyst; incident investigation and notification to internal IT teams; and execution of response plans tasked to the SOC team. The key benefits of MDR MDR provides organizations seeking to have continual security monitoring and response in place with a number of benefits over taking this on internally: SOC complexity is eliminated – it’s going to take a tremendous effort and budget to establish an internal SOC; in many cases, quarters to get up and running. MDR services include the use of a world-class SOC that already exists, meeting the organization’s SOC need.
Rapid deployment – With a SOC already in place, deploying MDR services takes weeks instead of quarters. Access to security experts & Tool Vulnerability Threat
AlienVault.webp 2021-03-17 10:00:00 Security checklist for using cryptocurrency in online casino transactions (direct link) This blog was written by an independent guest blogger. Cryptocurrency (crypto) transactions are solely reliant on the online space. Billions of people have access to online platforms. The autonomy provided by cryptosystems exposes users to more danger as there are no centralized authorities. Thus, expert fraudsters such as hackers may be able to access your transactions via their computer. Therefore, you must care about security when making crypto transactions. It is not just a matter of checking your crypto gambling guide and jumping in to play. Despite the dangers, there are certain ways to ensure safety. It would be best if you had a security checklist to ensure your transactions' privacy and correctness. Let’s take a look at some primary points you should consider to stay safe. Use a secure internet connection and VPN Before you make any crypto transaction, ensure your internet is stable and secure. Avoid public Wi-Fi. It potentially exposes you to hackers with malicious intent. Through vulnerabilities in the software, a middleman can get in between the connection of the public network and your device. This grants them access to your private information. They may also slip you malware. These are just some of the numerous dangers posed by public Wi-Fi. To stay safe, ensure you use a VPN whenever you go online. A VPN service alters your location and IP address. This helps you remain invisible to malicious people, and your browsing activity remains confidential. Set strong passwords It is no secret that most people use easy-to-guess passwords like their dates of birth. This puts them at risk of hacking as anyone can figure out such passwords and easily access their devices. Thus, create strong passwords using a mix of symbols, small and capital letters, punctuation marks, and digits.
Ensure you use lengthy passwords as this reduces predictability. It would be best if you also used different passwords for different devices. Also, change your passwords regularly. Use 2-step verification Through this system, you add another layer of protection to your crypto accounts. Most crypto-friendly platforms support this type of authentication. To log in, you receive a code through your mobile phone or your e-mail address and enter it into the relevant field. As a strategy for preventing hackers from guessing your password, the code changes every thirty seconds. Thus, they may come up with your password successfully, but they cannot access your account if they do not have access to your phone or e-mail. In case you are a crypto gambler, set this feature up for both your e-wallet and account. Pick safe online casinos only The demand for crypto services is considerably high. Thus, to feed this market, numerous companies offer crypto gambling services. Before choosing a company, carry out a proper background check. Analyze whether the site is run by a reputable company, which has exemplary records and is financially stable. Ensure their customer service is excellent and support for customers is continuously available. Also, check their systems to ensure they are fair, which gives you an equal chance of winning. To gather credible information, make use of crypto gambling review sites. Sign up for genuine bitcoin services With bitcoin being arguably the most popular cryptocurrency, we’ll focus on it from here on out. There are complementary bitcoin services that you need to
AlienVault.webp 2021-03-16 10:00:00 AT&T Cybersecurity announces 2021 'Partners of the Year Awards' Winners (lien direct) It is with great pleasure we announce today Softcat as AT&T Cybersecurity’s ‘2021 Global Partner of the Year’. Softcat are among seven other category winners who have achieved exceptional growth in 2020, demonstrating great dedication and collaboration to the AT&T Cybersecurity Partner Program. It is an honor to work with such a resilient and hardworking partner community, who throughout one of the most turbulent years in our lifetime, have continued to perform at an exceptional level. I’m delighted to share our full list of winners for the 2021 Partner of the Year Awards, along with their comments below: Global Awards Global Partner of the Year:  Softcat We are absolutely delighted to be named AT&T Cybersecurity’s Global Partner of the Year 2021. We are so proud of the collaborative relationship we have developed with the AT&T team over the last 4 years and this award is a testament to that and the significant growth we have delivered with them during what has been a challenging year. It also reflects our ambition to always provide our customers with the best Managed SIEM solution available in the marketplace. Matthew Helling, Head of Cyber Security Services at Softcat  Growth Partner of the Year:  AVCtechnologies AVC Technologies is truly honored and thrilled to win this award. It is a testament to our hard-working SOC (Security Operations Center) who continue to deliver exceptional service and value around the AT&T USM platform along with our high-flying sales team that has done an excellent job demonstrating the business value to our customers. We look forward to another great year of explosive growth with AT&T! Faisal Bhutto, President Cloud & Cybersecurity New Partner of the Year:  Spark New Zealand Spark New Zealand is delighted to be recognised as New Partner of the Year for 2021.
Spark is a prominent reseller of USM in New Zealand and also provides 24/7 security support to customers. The combination of AT&T and Spark’s security offering has been attractive within our highly competitive market. Thank you to AT&T who have been so supportive in this relationship. We look forward to delivering more great outcomes for our shared customers. Josh Bahlman, Chief Information Security Officer  Distributor of the Year:  Ingram Micro Today’s cyber-attacks and the criminals behind them are relentless and growing in sophistication. As an industry we must work together across the varying platforms to build and manage security.  AT&T Cybersecurity continues to answer the call from our channel partners for comprehensive and scalable cybersecurity solutions they can deploy and manage with confidence. As a distribution partner for AT&T Cybersecurity, it is an honor to once again be recognized with this award. Eric Kohl, vice president, Security and Data Center, Ingram Micro Regional Awards These awards recognize partners that had the highest sales bookings in each of the 4 regions during last year. North American Partner of the Year:  Avertium It is truly an honor Guideline
AlienVault.webp 2021-03-15 10:00:00 Is automated vulnerability scanning the best way to secure smart vehicles? (lien direct) This blog was written by an independent guest blogger. To those who pay attention to such things, it seems like a new vulnerability in smart car systems is found every week. In 2020, the numbers beat all previous years. The inescapable conclusion is that smart cars are now among the favorite targets of hackers and APT (Advanced Persistent Threat) actors. One of the main reasons for this is the sheer number of different systems that the average connected car contains today. Quite apart from advanced features like autonomous driving and automatic braking, even less expensive cars now offer extensive Bluetooth and WiFi connectivity. As we’ll explore in this article, this makes securing these cars against cyberattack almost impossible for human analysts. Instead, we should think more seriously about turning to automated systems – and soon – in order to make sure that our smart vehicles are as safe as they can be. Connectivity vs. Security Connected vehicles pose something of a unique challenge for cybersecurity engineers. This is because the way in which these vehicles are designed and built, as well as how they interact with the real world that you and I inhabit, is quite different from the average mainframe. In most cases, for instance, the connectivity offered by smart vehicles is designed by automotive product designers, or at very best UI designers, who have little understanding of the way that their desired level of connectivity will affect security. In other words, smart cars are generally keen to connect to any other device that comes within range – whether this be a smartphone, pen drive, set of headphones, or WiFi router – and often do so in a highly insecure manner. This gives rise to a number of consequences: some obvious, some less so. One is that the long-running debate over vulnerability scanning vs.
pen testing has been resolved, at least as it relates to smart vehicles. They are incredibly easy to penetrate, and so scanning for vulnerabilities becomes the only practical way to protect them. Even insurance companies have been forced to become at least somewhat knowledgeable when it comes to pricing out their service. In short, it now costs more to cover tricked-out supercars loaded with the latest in technology. More connected systems mean there is greater opportunity for hackers to execute a successful cyber-carjacking. The supply chain Unfortunately for the network engineers attempting to protect smart vehicles, it gets worse. Not only are connected cars keen to connect to everything without performing any due diligence, but the sheer number of different manufacturers that contribute to a finished vehicle makes the idea of standardizing security almost impossible. In the trade, this issue is known as the “supply chain problem,” and is a real headache for engineers. In practice, it goes something like this. They could spend time researching which auto manufacturer has the largest market share for connected cars and try to build systems that would isolate, say, the Bluetooth connectivity that turns the car on and off. But just as they manage to achieve this, their product manager could quite easily swap suppliers for the Bluetooth aerials and render the whole process obsolete. And then, unbelievably, it gets even worse again. Because it’s not jus Hack Vulnerability Threat
AlienVault.webp 2021-03-15 05:01:00 What is network segmentation? NS best practices, requirements explained (lien direct) This article was written by an independent guest author. If you follow cybersecurity current events, you may know that the cost and frequency of a data breach continue to skyrocket. Organizations are constantly under attack, and the shift to remote work is only exacerbating the problem. According to IBM’s 2020 Cost of a Data Breach Report, most respondents are concerned that identifying, containing, and paying for a data breach is more burdensome today than ever before. Seventy-one percent feel that remote work will increase the time to identify and contain a breach, while almost the same number believe remote work increases the cost of a breach. The numbers agree: remote work has added $137,000 to the average breach cost. In 2021 and beyond, reactive security measures—typically cumbersome and costly—are no longer sufficient. Instead, proactive strategies that anticipate potential risks or vulnerabilities and prevent them before they even happen are required. One such strategy, network segmentation, is critical for any organization. If you’re not deploying network segmentation, it’s time to get started. What is network segmentation? Network segmentation is a process in which your network is divided into multiple zones, with specific security protocols applied to each zone. The main goal of network segmentation is to have a better handle on managing security and compliance. Typically, traffic is segregated between network segments using VLANs (virtual local area networks), with firewalls representing an additional layer of security for application and data protection.  By separating your network into smaller networks, your organization’s devices, servers, and applications are isolated from the rest of the network. 
Potential attackers that successfully breach your first perimeter of defense cannot get further, as they remain contained within the network segment accessed. How does network segmentation compare to micro segmentation? The concept of micro segmentation was created to reduce an organization’s network attack surface by applying granular security controls at the workload level and limiting east-west communication. While micro segmentation began as a method of moderating lateral traffic between servers within one segment, it has evolved to incorporate traffic in multiple segments. This intra-segment traffic would allow communication between both servers and applications, as long as the requesting resource meets the permissions set out for that host/application/server/user. Micro segmentation can also be used at a device level, for example to protect IoT or connected manufacturing or medical devices, since many ship without endpoint security or are difficult to take offline in order to update endpoint security. The key differences between the two strategies can be boiled down like this: segmentation works with the physical network, its policies are broad, it limits north-south traffic at the network level, and it is typically hardware-based; micro segmentation works with a virtual network, its policies are more granular, it limits east-west traffic at the workload level, and it is typically software-based. An analogy: if your network is a collection of castles, segmentation is like the huge walls surrounding the buildings, while micro segmentation is like armed guards outside each castle door. When deciding between segmentation and micro segmentation, it shouldn’t be a question of one over the other. Incorporating both models into your security strategy is best: segmentation for north-south traffic and micro segmentation for east-west traffic.
Best practices for segmenting network traffic However you go about segmenting your network, you’ll want to ensure the seg Data Breach Vulnerability Guideline
AlienVault.webp 2021-03-12 11:00:00 Stories from the SOC – DNS recon + exfiltration (lien direct) Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. Executive summary Our Managed Threat Detection and Response team responded to an Alarm indicating that suspicious reconnaissance activity was occurring internally from one of our customer's scanners.  This activity was shortly followed by escalating activity involving brute force activity, remote code execution attempts, and exfiltration channel probing attempts all exploiting vulnerable DNS services on the domain controllers.  The analyst was able to alert the customer to the activity before any successful exfiltration activity had taken place and the customer was able to confirm that it was a planned red team exercise. Investigation Initial alarm review The initial alarm came from an Event in Microsoft® Advanced Threat Analytics that detected possible reconnaissance and discovery activity coming from an asset with a naming convention that indicated it was an enterprise scanner.  Scanners frequently have external exposure, are typically easier to brute force against, and host multiple legitimate services like DNS, SMTP, SMB, that can be used to hide malicious activity. DNS recon alarm details screen Expanded investigation Soon after this, brute force activity and remote code execution attempts were reported involving Windows® Management Instrumentation (WMI) exploitation coming from a compromised service account that shared a naming convention with the scanner’s hostname, indicating the scanner and service account were compromised and now pivoting activity was occurring with the attacker attempting to gain further entry into the network. 
These remote code execution (RCE) attempts were flagged with behavior associated with a DNS service vulnerability that had known patches available. Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485) Vulnerability Reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-058 After the WMI RCE attempts were flagged, multiple assets with naming conventions that matched domain controllers generated alarms by attempting to contact well known external DNS servers. This activity was flagged as suspicious because these assets were not configured for DNS services, nor had they previously been associated with DNS activity. DNS event details This, combined with the firewall events denying external traffic over port 53, indicated that these servers were not authorized to perform DNS services and that this activity was likely a probing attempt to find methods of exfiltration, such as DNS tunneling. Response SOC response to activity The customer was alerted to the activity by the analyst and was able to confirm that it was part of a planned red team exercise. While this particular example was an internal effort, the customer commended our efforts at detecting the threat and responding quickly. Vulnerability Threat
AlienVault.webp 2021-03-11 11:00:00 A plea to small businesses: Improve your security maturity (lien direct) Never have I been so compelled to help educate small businesses on the need for cybersecurity. On Saturday morning, March 6, 2021, I awoke to the Wall Street Journal article describing the Hafnium attack. This attack on Microsoft Exchange Servers was shared publicly on March 2nd with a patch for the issue released on Wednesday, March 3rd. This patch appeared to spark action from the hacker who ramped up and automated their attack for maximum scale. Other articles went on to say that 30,000 US businesses were compromised. The worst part: it was mostly small to medium-sized businesses. Why was this? Because larger businesses, with stronger and more mature security practices, had the defenses in place to keep this bad actor from infiltrating their company while many small businesses did not. Cybersecurity is for businesses of any size Security maturity is not based on the size of the business. Recent research on security maturity and business outcomes found that there is not a dependency on company size in relation to having a strong security posture. “The fact that there is no correlation between company size and maturity level indicates to us that doing cybersecurity well is less a function of resources and more a function of thoughtful consideration, planning, and organizational culture.” – Tawnya Lancaster, AT&T Cybersecurity. Organizations who work to align with industry best practices, such as the NIST CSF, are better equipped to handle zero-day threats as well as enable their businesses. To improve upon a business’s security maturity, there are 4 key categories every business should address: cyber strategy and risk, network security, endpoint security, and threat detection and response capabilities.
Evaluate your cyber strategy and risk Small businesses want to stay focused on running their business, not necessarily the cybersecurity elements needed to protect it. Employing a trusted advisor to help evaluate where your business is today, and how you plan to adapt and grow to stay competitive, will help your security measures stack up to the needs of your business now and as your business grows and transforms. A trusted advisor can also assist with evaluating compliance and regulatory requirements as part of achieving a successful security program. Through the guidance of experienced consultants, small businesses can help to improve their resilience against a growing threat landscape. Networks should be protected end-to-end Every connected network needs proper security elements in place to help keep that network protected. In today’s modern networks, small businesses can simplify their network security by turning to one vendor that can meet both the connectivity needs and security elements needed to help protect that connectivity. And, with proper visibility and reporting, businesses can not only demonstrate their efforts to remain compliant with industry regulations but also their commitment to the customer to help protect their privacy. Endpoints should be managed and protected Endpoints are a crucial component of every business and are the doors through which businesses run – both internally and out to their customers. These endpoints need to both be managed, such as pushing out software patches for these vulnerabilities, but they also need to be highly secured with solutions able to detect these zero-day a Threat
AlienVault.webp 2021-03-10 11:00:00 Deepfake cyberthreats – The next evolution (lien direct) This blog was written by an independent guest blogger. In 2019, we published an article about deepfakes and the technology behind them. At the time, the potential criminal applications of this technology were limited. Since then, research published in Crime Science has delved into the topic in-depth. The study identified several potential criminal applications for deepfakes. Among these categories, the following were deemed the highest risk: Audio/video impersonation Tailored phishing Blackmail Driverless vehicles being used as weapons Disrupting AI-based systems Fake news created by AI This list sparked the idea for this article. Considering that ransomware claims a new victim every 14 seconds, we decided to explore the topic of deepfake ransomware. Is that a real thing? You may never have heard the terms together before, but they’ll certainly play a large role in cybercrimes of the future. How are criminals leveraging this technology? Technically, they aren’t, but criminals are an innovative bunch. We had a taste of what they can do with deepfakes in 2019. A British CEO received a call from the company head, asking him to transfer $243,000. He did so but later became suspicious when he received a second call for another transfer. This is a modern take on email whaling attacks. In this case, however, the victim verified the caller’s identity because he knew the voice. Experts believe that AI made it possible to spoof the company head’s voice and intonations. While we may never know if the CEO was speaking to a bot or not, it shows that criminals can leverage AI-based technology.   How does ransomware come into the equation? Ransomware essentially holds your computer hostage. But how can the two seemingly deeply divergent technologies work together? To understand that, we might have to broaden our definition of ransomware. 
To do so effectively, we should consider some real-world examples. Imagine you received a video message from your CEO asking you to complete an online form. You know the CEO’s face and voice and can see it on the screen. The idea that the video is fake doesn’t enter your mind, so you click through to the link. Bam! Your computer is infected with ransomware. It might be a traditional form of this malicious threat or a more modern version. Say, for example, you’ve used your work computer to check your Facebook page or store photos. The malware is now able to sniff out pictures and videos of you. Thanks to facial recognition software, this process is automated and simple to complete. This isn’t just run-of-the-mill software, though. It’s a highly sophisticated program with AI built into it. It can not only detect images but use them to create content. It can also sniff out other personal details online and on your computer. It puts all of these together to create a video of you. The footage makes it look like you did something that would damage your reputation. You’re innocent, but the video seems convincing. If you don’t pay the ransom, it’ll be released. The ransom might be in the form of cash or information about your company or clients. Perhaps you don’t care about your reputation. What about that of your family? The idea of ransomware put to this use is a scary one but plausible. Automation makes these attacks more frightening Spearphishing, also known as whaling attacks, requires an intense amount of research. They&rs Ransomware Malware Hack Threat
AlienVault.webp 2021-03-04 11:00:00 Tips for minimizing security risks in your microservices (lien direct) This blog was written by an independent guest blogger. Organizations are increasingly turning to microservices to facilitate their ongoing digital transformations. According to ITProPortal, more than three quarters (77%) of software engineers, systems and technical architects, engineers and decision makers said in a 2020 report that their organizations had adopted microservices. Almost all (92%) of those respondents reported a high level of success. (This could explain why 29% of survey participants were planning on migrating the majority of their systems to microservices in the coming years.) Containers played a big part in some of those surveyed organizations’ success stories. Indeed, 49% of respondents who claimed “complete success” with their organizations’ microservices said that they had deployed at least three quarters of those microservices in containers. Similarly, more than half (62%) of the report’s participants said that their organizations were deploying at least some of their microservices using containers. The benefits and challenges of microservices Microservices present numerous opportunities to organizations that adopt them. They are smaller in size, notes Charter Global, which makes it possible to maintain code and add more features in a shorter amount of time. Organizations also have the option of deploying individual microservices independently of one another, thereby feeding a more dynamic release cycle, as well as of scaling these services horizontally. Notwithstanding those benefits, microservices introduce several security challenges. Computer Weekly cited complexity as the main security issue. Without a uniform way of designing them, admins can design microservices in different environments with different communication channels and programming languages. All of this variety introduces complexity that expands the attack surface. 
So too does the growing number of microservices. As they scale their microservices to fulfill their evolving business needs, organizations need to think about maintaining the configurations for all of those services. Monitoring is one answer, but they can’t rely on manual processes to obtain this level of visibility. Indeed, manual monitoring leaves too much room for human error to increase the level of risk that these services pose to organizations. Kubernetes as an answer Fortunately, Kubernetes can help organizations to address these challenges associated with their microservices architecture. Admins can specifically use the popular container management platform to maintain their microservices architecture by isolating, protecting and controlling workload through the use of Network Policies, security contexts enforced by OPA Gatekeeper and secrets management. Kubernetes network policies According to Kubernetes’ documentation, groups of containers called “pods” are non-isolated by default. They accept traffic from any source in a standard deployment. This is dangerous, as attackers could subsequently leverage the compromise of one pod to move laterally to any other pod within the cluster. Admins can isolate these pods by creating a Network Policy. These components Uber
AlienVault.webp 2021-03-03 11:00:00 Extended threat detection and response (XDR): Filling out cybersecurity gaps (lien direct) This blog was written by an independent guest blogger. Image source Business technology generally advances on a rapid basis; however, so do the cyberthreats that can endanger your security. According to BusinessWire, more than half of enterprises believe that their security cannot keep up, and according to IBM News Room, more than half of organizations with cybersecurity incident response plans fail to test them. Because of overloaded security teams, poor visibility, and threat alert overload due to the many technologies implemented to fight this, for many of these enterprises the difficulty constantly grows when it comes to detecting and effectively responding to cyber threats. What is XDR? XDR can be defined as a cross-layered detection and response tool. In other words, it collects and then correlates data over a variety of security layers, such as endpoints, emails, servers, clouds, and networks. What this means is that, rather than focusing on end-point detection alone, it can enable your security team to detect, investigate, and respond to threats across multiple layers of security, not just the end-point. This matters because today’s cyber threats are extremely tricky and complex, to the point where they can hide throughout different layers within an organization. A siloed approach, using different technologies, simply cannot provide a contextual view of all of the threats across the environment, and as such can slow down the detection, investigation, and response.
It allows for improved protection, detection, and response capabilities as well as improved productivity of the operational security personnel, with lower costs associated with owning it. Image source XDR features XDR was designed to simplify the security visibility across an organization’s entire cyber architecture. In other words, to allow an organization to analyze all of the layers associated with their security, not just the end-point, through an Tool Threat Guideline Wannacry
AlienVault.webp 2021-03-02 11:00:00 Stories from the SOC – Beaconing Activity (lien direct) Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. Executive Summary Beaconing analysis is one of the most effective methods for threat hunting on your network. In the world of malware, beaconing is the act of sending regular communications from an infected host to an attacker-controlled host to communicate that the infected host malware is alive and ready for instructions. It is often one of the first indications of a botnet malware infection, so it’s important to spot the beaconing behavior before the infected host can expose data or launch an attack. The investigation began in response to an Alarm triggered by outgoing TCP traffic to an IP address that was flagged by the AT&T Alien Labs Open Threat Exchange (OTX) as associated with foreign advanced persistent threat (APT) activity and malware communications. The team conducted a further review of this IP address using additional open source intelligence (OSINT) sources and verified that the destination IP address had been involved in malicious activity and was considered a high threat. Due to the quick response time of our team in starting the Investigation, the customer was able to isolate the infected asset and perform remediation before the malware caused any further infection on their network. Investigation Initial Alarm Review The initial alarm came from an Event showing TCP traffic to a known malicious IP address coming from one of the customer’s internal assets. This IP address was correlated with malicious activity that had been found in OTX and from pulses created by AT&T Alien Labs, the threat intelligence team at AT&T Cybersecurity, monitoring active threats.
Further review of the customer’s system showed possible beaconing activity had begun recently and was actively being blocked by their Intrusion Protection System, preventing further communications with the malicious IP address. beaconing alarm details screen Expanded Investigation Once this beaconing activity was discovered, the team conducted a 30-day review of the customer’s entire environment to look for signs of further intrusion.   The original IP address was then analyzed using a variety of OSINT sources to gather related IOCs and other IP addresses that would indicate further intrusion had occurred.  This review showed that no other assets had traffic involving the malicious IP address or other IOCs related to the APT, and that no other assets were exhibiting beaconing activity or lateral movement.  beaconing analyst comments screen Response The customer complimented the work of the team, citing that due to the quick response and phone calls, they were able to identify and isolate the infected system before any further damage was done. This allowed them to perform a more in-depth investigation without fear of missing other underlying activity that would have been difficult to correlate on their own. The customer stated that they were very happy with the service and feel much more at ease knowing that the AT&T SOC has eyes on their network 24/7/365.  This also led the customer to upgrade their storage tier from 3TB to 6TB so we could monitor more of their environment.   Malware Threat
AlienVault.webp 2021-03-01 11:00:00 5 Cybersecurity concerns surrounding the COVID vaccine (lien direct) This blog was written by an independent guest blogger. COVID-19 vaccines are starting to roll out after a year of grappling with the pandemic.  While this certainly inspires hope for the future, there are still risks on the road ahead. As distribution ramps up, vaccine-related cybersecurity concerns are also rising. Cybercrime has been a prominent side effect of the pandemic throughout the past year. This wave of cyberattacks shows no signs of slowing as vaccines roll out, with some threat actors targeting distribution. Here are five of the leading cybersecurity concerns surrounding the COVID-19 vaccines. 1. State-sponsored spear-phishing In early December, the Department of Homeland Security issued a warning about cyberattacks targeting the vaccine supply chain. Threat actors sent a series of spear-phishing emails to organizations involved in COVID vaccine storage and transport. These attacks sought to steal network access credentials and, perhaps more troubling, seemed to be government-sponsored. Security experts noted that these attacks seemed too sophisticated for a random criminal operation. While it’s uncertain what country could be behind the spear-phishing attempts, it’s a troubling prospect. Malicious nation-states may be aiming to incite civil or economic disruption. 2. Cold chain IoT attacks Spear-phishing isn’t the only threat that faces the vaccine supply chain. Given the vaccines’ cold storage requirements, some organizations have turned to IoT tracking devices to ensure their safe and timely delivery. These sensors are a potential life-saver for vaccine distribution, but any endpoint represents a potential vulnerability. Most IoT devices today feature little to no built-in security, leaving them vulnerable to criminals. If someone were to hack into these sensors, it could be disastrous. 
They could interfere with GPS data, adjust storage temperatures or otherwise jeopardize the vaccines. 3. Vaccine scams Since the vaccines have such a short shelf life, effective distribution relies on quickly reaching out to patients and scheduling appointments. Many health care organizations have turned to text-based outreach programs to streamline this process. Unfortunately, fraudsters have started mimicking these organizations to take vulnerable users’ money. Authorities have noticed an uptick in vaccine-related scams as the rollout continues. Many of these specifically target older patients who may be less likely to recognize a hoax. 4. Ransomware attacks As hospitals and other health care organizations vaccinate more people, they acquire more patient data. This highly sensitive information is a potential goldmine for hackers. Consequently, ransomware attacks targeting these organizations may increase as vaccine distribution continues. Ransomware is already a growing problem. Bitdefender’s Mid-Year Threat Landscape Report found that these attacks increased by more than 715% year-over-year in 2020. With vaccinations generating more valuable medical data, this trend could continue to rise. 5. Misinformation campaigns In late January, the European Medicines Agency re Ransomware Hack Threat Guideline
AlienVault | 2021-02-24 11:00:00 | Quantifying CyberRisk: Solving the riddle

In the late 1990s and early 2000s there was a concept that was bandied about that was coined “Return on Security Investment” or ROSI. Borrowing from the common business term Return on Investment (ROI), where a return on a particular investment (capital investment, personnel, training etc.) could be quantified, the cybersecurity industry attempted to quantify a return on security investment. Fundamentally, the primary failing of this concept is that it is mathematically impossible (or approaches mathematical impossibility) to quantify an event “not occurring”. In short, if a company has “zero” security events that impact them deleteriously in a given year, was the $5 million security expenditure appropriate? Should it have been less since there was no security event that caused a loss? If the company experienced an event, was the return on the investment then the difference between the expenditure and the overall losses from the incident? It simply did not work, as it was mathematically flawed.

Fast forward to 2021 and companies once again are fixated on quantifying cyber risk and, more importantly, cybersecurity exposure. The question is similar and is asked: “Can companies accurately quantify cybersecurity risks today?” This is a complex question, but to attempt an answer it is first important to have a working definition of several terms.

Risk is an artificial construct which can be easily expressed as the function of the likelihood of an adverse event occurring (often provided as a statistical probability) and the impact, should the event be realized (in business, and for the purposes of this article, it will be expressed in monetary terms). In short, R = f(P, I).

Probability refers to the extent to which something is probable; the likelihood of something happening. It can be either quantified (in which case it is deterministic) or qualified, in which case it refers to the belief that something will happen (non-deterministic). Frequentist probability models quantify risk and conditional probability models qualify risk using subjective interpretations. There is an ongoing debate amongst statisticians and probability folks as to which model is more accurate in predicting actions in real life.

Security is a very important concept that can be defined simply as the implementation of controls commensurate with the identified risks.

Understanding the above, we can use a real-world example to understand the failings of attempting to quantify cybersecurity risks using traditional models employing frequentist probability theory. Suppose for a moment that you find natural gas on your property and you decide to build a natural gas well. Being concerned for the environment and the safety of your workers, you want to ensure that the natural gas well is engineered correctly against failure which could release gases and have deleterious impacts on people and the environment. One primary piece of the well is the “Mark Ie Main Actuation Recumbent Key valve” (Mark-Ie MARK). The manufacturer states that the Mark Ie MARK has a mean failure rate (MFR) of 1 in 2 million actuations causing a catastrophic failure and total destruction of the well. This means that the valve could fail on the first actuation or never fail as long as it is used; however, given a large enough population of valves tested there will be a

Tags: Threat, Guideline
AlienVault | 2021-02-23 11:00:00 | Cybersecurity and online gaming: Don't be a victim

Theresa Lanowitz collaborated on this blog.

Introduction
The proliferation of technology and internet connectivity has made it possible for people to seek out most things online, and gaming and gambling are not exceptions. In addition to online video games, social media, music, and video streaming, there are also online casinos and gambling for real money. Well, for gambling in the USA there are state laws to mind, but in some states online gambling is permitted. Many players have registered on online gaming and gambling sites to enjoy the action right in their homes or wherever they may be (although with COVID-19, people may be stuck at home more than they want). The demand for VIP membership to online casinos is rising. With online gambling in particular, on top of cybersecurity awareness and safe practices, there is the additional need to review and find the online casinos with a good reputation and robust online security. Check for scams related to a new site. Anything involving money gets the attention of cyber criminals. The popularity of online games on marketplaces is growing. You can play for free, but many fun features are offered “for fee”. The rest of the article will focus on online gaming, as that’s legal pretty much everywhere.

Risks and threats in online gaming
As you enjoy your gaming session, you need to know the risks involved to take precautions and properly secure your data from unauthorized access. The most common threats to online gamers include the usual lineup:

Computer viruses
Almost all internet users have encountered computer viruses, as they are quite common. It’s pretty basic, but antivirus is basic protection against old, known attacks. Opening unsolicited emails, downloading free software, and sharing devices like flash disks are ways viruses can infiltrate your computer.

Ransomware attacks
Online gamers need to bear in mind they are subject to infection with ransomware. A tell-tale sign that your computer is under attack from ransomware is when you cannot access your files unless you pay a hefty ransom.

Phishing scams & identity theft
Say you receive an email from an online gaming outfit you’ve played on before with a neat offer. How can you be sure it’s really from them and not a phishing attack? Phishing attacks happen when cybercriminals mimic trustworthy individuals or institutions to obtain private information like passwords. With the stolen information, these criminals can access your credit, use your identity to open bank accounts, make PIN changes, or even sell your identity to con artists.

Spyware
If you’re dealing with a disreputable online gaming operation, especially if the service is free, they might be spying on you and selling your personal information. Spyware does precisely what spies do: studying your every move and action while using the internet without your permission. Your browsing history quickly finds its way to third parties, which is a serious privacy breach.

Trojan malware
Especially when

Tags: Ransomware
AlienVault | 2021-02-17 06:01:00 | What is an incident response plan? Reviewing common IR templates, methodologies

This article was written by an independent guest author. In today’s threat landscape, it’s no longer if an incident will happen, it’s when. Defending your organization and having a plan for what to do if an incident occurs is more critical than ever. And frankly, the benefits of having an incident response plan are quantifiable. Ponemon’s Cost of a Data Breach Report compared organizations boasting robust security Incident Response (IR) capabilities with those that do not. Well-prepared businesses reported lower breach-related costs by an average of about $2 million USD.

What is an incident response plan?
An Incident Response Plan (IRP) serves as a blueprint, outlining the steps to be followed when responding to a security incident. Think of the IRP as a set of guidelines and processes your security team can follow so threats can be identified, eliminated, and recovered from. It is an essential tool for minimizing damage caused by threats, such as data loss, loss of customer trust, or abuse of resources. With a robust IRP, your company’s team can respond quickly and more efficiently against any type of threat. No matter what type of attack an organization faces, all cyberattacks require incident response. The best scenarios are those in which sufficient preventive measures are in place, including threat detection and intelligence integration tools. For organizations looking to get started with an IRP, there are many templates and frameworks available. Two industry standard incident response frameworks are the National Institute of Standards and Technology (NIST) framework and the SysAdmin, Audit, Network, and Security (SANS) institute framework. We’ve compared the SANS and NIST frameworks here. Whichever playbook, template or framework you choose, make sure you have the right team in place and are prepared to dedicate the time and resources to this critical organizational process.

Who should carry out an incident response plan?
While a robust incident response plan is incredibly important, having the right people with the relevant skillsets to execute the plans is equally crucial. To handle a cybersecurity incident effectively, your company should have an incident response team in place. In some organizations, it’s called a Computer Security Incident Response Team (CSIRT) and others may refer to it as a Security Incident Response Team (SIRT) or Computer Incident Response Team (CIRT). The team’s mission is to execute on the incident response plan as soon as an incident is discovered. The incident response team is divided into several groups, each playing a key role in mitigating an incident's potential damage. The team should be comprised of technical and non-technical people who can work together to identify, manage, eradicate and recover from any threat. They are responsible for collecting, analyzing and taking action based on incident data and information, as well as communicating with other stakeholders in the organization and critical third parties, including press, legal, affected customers and law enforcement. The best-prepared CSIRTs should include the following specialized teams: The Security Operations Center (SOC),

Tags: Data Breach, Tool, Threat
Notes: ★★★★★
AlienVault | 2021-02-15 11:00:00 | CISOs report that ransomware is now the biggest cybersecurity concern in 2021

This blog was written by an independent guest blogger. As the number of remote working arrangements rose substantially in the last year, cybercriminals were quick to take advantage of these new opportunities. Spam and phishing emails increased in number even more rapidly than telecommuting, and company cybersecurity officers found themselves struggling to keep up. Phishing emails often came with a sinister sidekick - a ransomware attack. It is not surprising, then, that a recent survey of IT and cybersecurity officers revealed that ransomware attacks are the primary security concern for these professionals in 2021. Organizations have good reason to be concerned about ransomware attacks. Not only are they highly effective, but often companies find that it is simply easier to pay the ransom than try to rectify the problem. This is far from the best solution as it encourages the criminals to continue their attacks, fails to provide any long-term sense of security for the organization, and may incur liability for the organization. This article provides an overview of the rise of ransomware attacks and discusses how security professionals can prepare for and prevent attacks.

The anatomy of a ransomware attack
Ransomware is essentially a virus that loads onto a user’s computer, where it scans connected drives for files that it then encrypts. The user is also typically locked out of their machine and can only view a screen showing how to make a ransom payment. Ransomware attacks can take many forms, although the most common is to prevent a user from accessing encrypted files or using their machine until the ransom is paid (cryptocurrencies preferred). More malicious ransomware attacks threaten to release sensitive data to the internet broadly (doxware) or to delete data permanently. Ransomware can reach a user’s machine using a number of vectors, the most common of which is a phishing attack. However, malicious websites or popups may also provide access for ransomware attacks. Ransomware can also be directly injected into an organization’s network through unsecured network connections (i.e. if no VPN is used). Or, even more simply, criminals may use brute force against weak passwords and directly insert the ransomware themselves. Ransomware can also attack vulnerabilities in applications arising during the software development process. It is therefore important to use testing methods, such as static and dynamic application security testing (SAST/DAST), that identify these security vulnerabilities continuously while your applications are running.

The prevalence of ransomware attacks
Overall, ransomware constitutes a small portion of all malware attacks; however, it is also one of the most damaging forms of malware-based attack, as the financial and operational consequences can be devastating. The FBI saw a 37% increase in the reporting of ransomware attacks from 2018-2019, and an associated increase of 147% in financial losses. Average ransom demands also soared, reaching nearly $200,000 by the end of 2019. And the total average business costs resulting from a ransomware attack (post-attack costs, lost business costs, new cybersecurity investments, etc.) reached nearly $4.5 million as of early 2020. Exacerbating the ransomware concern is the fact that cybercriminals are now offering

Tags: Ransomware, Spam, Malware, Hack
AlienVault | 2021-02-11 11:00:00 | The Kubernetes API Server: Exploring its security impact and how to lock it down

This blog was written by an independent guest blogger. Organizations are increasingly turning to Kubernetes to manage their containers. As reported by Container Journal, 48% of respondents to a 2020 survey said that their organizations were using the platform. That’s up from 27% two years prior. These organizations could be turning to Kubernetes for the many benefits it affords them. As noted in its documentation, Kubernetes comes with the ability to distribute the container network traffic so as to keep organizations’ applications up and running. The platform is also capable of moving the actual state of any deployed containers to a desired state specified by the user, as well as replacing and killing containers that don’t respond to a health check.

The double-edged growth of Kubernetes clusters
The benefits mentioned above trace back to the advantage of the Kubernetes cluster. At a minimum, a cluster consists of a control plane for maintaining the cluster’s desired state and a set of nodes for running the applications and workloads. Clusters make it possible for organizations to run containers across a group of machines in their environment. There’s just one problem: the number of clusters under organizations’ management is on the rise. This growth in clusters creates network complexity that complicates the task of securing a Kubernetes environment. As StackRox explains in a blog post:

“That’s because in a sprawling Kubernetes environment with several clusters spanning tens, hundreds, or even thousands of nodes, created by hundreds of different developers, manually checking the configurations is not feasible. And like all humans, developers can make mistakes – especially given that Kubernetes configuration options are complicated, security features are not enabled by default, and most of the community is learning how to effectively use components including Pod Security Policies and Security Context, Network Policies, RBAC, the API server, kubelet, and other Kubernetes controls.”

The last thing that organizations want to do is enable a malicious actor to gain access to their Kubernetes environment. This raises an important question: how can organizations make sure they’re taking the necessary security precautions?

Look to the Kubernetes API Server
Organizations can help strengthen the security of their Kubernetes environment by locking down the Kubernetes API server. Also known as kube-apiserver, the Kubernetes API server is the frontend of the control plane that exposes the Kubernetes API. This element is responsible for helping end users, different parts of the cluster and external elements communicate with one another. A compromise of the API server could enable attackers to manipulate the communication between different Kubernetes components. This could include having them communicate with malicious resources that are hosted externally. Additionally, they could leverage this communication channel to spread malware like cryptominers amongst all the pods, activity which could threaten the availability of the organization’s applications and services. Fortunately, organizations can take several steps to secure the Kubernetes API server. Presented below are a few recommendations.

Stay on top of Kubernetes updates
From time to time, Kubernetes releases a software update that patches a vulnerability affecting the Kubernetes API server. It’s important that administrators implement those fixes on a timely basis. Otherwise, they could give malici

Tags: Malware, Vulnerability, Uber
AlienVault | 2021-02-10 11:00:00 | Budgeting in cybersecurity - Can businesses afford it?

This blog was written by an independent guest blogger. Creating an annual budget is challenging because business owners must consider all expenses in the coming year. Apart from ensuring that everyone is paid and taxes are taken care of, cybersecurity should be one of the most important factors to consider. Even though there are many methods businesses can use to prevent cybercriminals from stealing information, hackers are always inventing new ways of breaching closed systems. If you’re concerned about cybersecurity, keep reading, and we’ll tell you why it’s crucial for your business.

Cyberattacks are on the rise
No matter how small or large your business might be, you should know you’ll always be a target for cybercriminals. Cybercrime has been an issue ever since the internet was invented, and even though we have many different methods of preventing these criminals from stealing information, they always come up with new methods that are hard to detect. According to this research, around 50% of all cyberattacks target small businesses, and over 68% of small businesses reported some type of cybercrime in 2018. Criminals have become more sophisticated, making it hard for small businesses to keep up with security measures. Phishing, ransomware, malware, and data breaches are still a severe threat for companies worldwide. In fact, things have gotten even worse in the past few years.

COVID-19 has made cybersecurity even more important
It’s no secret that the world wasn’t ready to cope with a pandemic. The spread of COVID-19 has shown that we all live in a fragile world where things can change completely overnight. As businesses and offices went into lockdown, business owners had to change the way they get things done. Offices closed to prevent the virus from spreading, and most businesses reorganized their operations to work remotely. Employees started working from home rather than the office, which only increased the risk of data breaches and other criminal activities. Instead of working in a closed local network, all of the work has to be done online, which gives cyber criminals plenty of opportunities to steal information. Business owners must extend cybersecurity features to each employee, which is much harder to control and more expensive. The security of the entire system now depends on employees’ understanding of cybersecurity. One small mistake is enough to jeopardize the entire company. That’s why cybersecurity is more essential than ever before and why you have to invest in educating employees on the dangers of cybercrime.

Proactive budgeting approach
Creating a budget for the following year comes with all kinds of difficult challenges. Traditional budgeting is often tough to figure out, and the smallest mistake can cause problems with severe implications, in some cases completely shutting down organizations. Small businesses working on a tight budget often can’t afford to make mistakes in their calculations. That’s why proactive rather than reactive budgeting is the best option. Instead of creating a budget based on past experiences, this approach is focused on the future. The budget is calculated according to the plans for the next year, not previous years’ performance. That way, businesses can plan a budget to cover only the expenses they will need. Cybersecurity should be one of their biggest concerns, so investing more in

Tags: Threat, Guideline
AlienVault | 2021-02-09 11:00:00 | Zero Trust policies - Not just for humans, but for machines and applications too

This blog was written by an independent guest blogger. Hackers are continually finding more and more pathways into an organization’s internal environment. Not only is access widely available, it can also be alarmingly simple. Rather than having to actively hack systems, hackers often just log in using easily-obtained or compromised user identities and credentials. To avert these types of attacks, many organizations have adopted zero trust policies that require a user to provide additional authentication before accessing an organization’s resources and data. Traditional, identity-centric zero trust practices focusing solely on protecting the credentials of human users ignore a substantial set of vulnerabilities, namely those involving interactions between machines, applications and workloads. “Machine identities,” which now outnumber human identities 20:1, present organizations with additional security challenges. To address those challenges, businesses must implement effective processes for recognizing machine identities, provisioning their access to resources, and continuously authenticating identities during interactions with organizational resources.

What is Zero Trust?
Zero trust security models assume that no identity is inherently trustworthy. All identities are equally distrusted - whether customer, employee, device or process - and require additional authentication. A well-known example of a zero trust policy is the use of multi-factor authentication to verify a user’s identity. Identity authentication issues for machine identities, while similar, become a bit more complicated. But, as discussed below, there are policies and processes an organization should consider when implementing zero trust programs that will effectively protect both human and machine identities.

Effective application of Zero Trust policies to machine identities
Effective zero trust policies require frequent and continuous validation of all “users.” But to be as effective as possible, the policy must address the question “Who or what constitutes a user?” It is quite normal to think only of human users when the word “identity” is used. But there are any number of intermediate nodes between a human end user and the resources they access within an organization, including devices, applications and networks, as well as the organization’s databases that contain relevant data. In addition to having their own identities, each of these nodes can be associated with and accessed by a number of other identities, whether they be other devices, workloads, microservices, applications or human users. And each identity involved in an interaction, from human user identities to the machine identities, is a potential target for a hacker. Many businesses reach the point of zero trust too late, after a problem such as a breach or a failed security audit has already happened. Prudent businesses, however, implement strong zero trust policies proactively. Effective policies require strong, well-protected, frequently modified credentials and limit access to essential processes and data without negatively impacting interactions and workloads. Zero trust is not a perfect solution with respect to machine identities, but it can be effective. Organizations should consider the f

Tags: Hack
AlienVault | 2021-02-09 06:01:00 | What is cybersecurity testing? Reviewing testing tools, methodologies for proactive cyber readiness

This article was written by an independent guest author.

What does cybersecurity testing really mean?
Your organization may boast all the best cybersecurity hardware, software, services, policies, procedures and even culture. If this is the case, you’re way ahead of the curve. But no matter how confident you are about your overall cybersecurity posture, how can you really know? Knowing is where cybersecurity testing comes in. Cybersecurity testing is all about validating that you’ve got all the security controls in place and that they are working correctly.

The value of regular cybersecurity testing
The main reason testing is so critical is that cybersecurity is so dynamic and constantly shifting. The threat landscape today may be completely different from what it is next month or even next week. Sure, your teams might be working diligently to implement secure solutions frequently. But gaps are always a possibility: it could be a lack of understanding about new threats, perhaps it’s insufficient training, or maybe people have made mistakes. Or, what if systems have been unintentionally (or intentionally) misconfigured? Periodically, you’ll need to get an internal or external third party to test your systems to identify gaps and misconfigurations you may have missed. Having a third party that brings a fresh perspective and expertise is critical in finding those little details that often go unchecked.

What constitutes a “test” in cyber?
A cybersecurity test can take many forms, leveraging different validation methods and levels to assess a company’s cybersecurity weaknesses. The most common tests you’ve probably heard about are penetration tests and vulnerability assessments. People often confuse these two complementary forms of cybersecurity tests. Vulnerability scanning typically leverages software and automated processes to look for known vulnerabilities in various systems, and reports are generated on risk exposure. Penetration testing (or pen tests) leverages manual processes and is usually conducted by one or more cybersecurity experts as they find holes and exploits within your system architecture. Essentially, all types of cybersecurity tests involve internal teams or third parties performing various activities and assessments that validate your security posture. When complete, testers create reports based on their findings so your organization can mitigate the risks and fix any problems.

The most common types of cybersecurity tests
To test the effectiveness of your cybersecurity controls, you have many options available, including the vulnerability assessments and penetration tests mentioned above. We’ve included a quick summary of each below.

Cybersecurity audit
A cybersecurity audit is an assessment of a company’s cybersecurity policies, procedures, and operating effectiveness. The purpose of the audit is to identify internal controls and regulatory weaknesses that may pose risk to the organization. Some audits provide details as to whether a control is effective or ineffective, while other audits won’t go into that detail. Auditors will typically interview key personnel and review system reports to determine if you have the right controls in place. In some cases, auditors may test your systems, depending on the access provided to them. Auditors will always employ industry-standard best practices and adjust the audit to match your organization and industry.

Cybersecurity risk assessment
A cybersecurity risk assessment is much like an audit but may take things to the next level by determining the effectiveness of security controls. The purpose of the risk assessment is to identify, estimate, and prioritize risk to a co

Tags: Vulnerability, Threat
AlienVault | 2021-02-08 11:00:00 | A beginner's guide to SASE

If you are in the security or networking industry, there is no doubt that you’ve been hearing the latest Gartner-inspired buzzword being dropped in conversations with your colleagues, customers, and vendors alike. In case you haven’t already guessed, I am referring to SASE (pronounced “sassy”). Although it is a hot topic of conversation, it is clear to me that there is still a considerable amount of confusion about what SASE is, its purpose, and what level of urgency it should be given. SASE stands for Secure Access Service Edge and is an architecture model (I’ve also heard it referred to as a concept or framework) developed by Gartner in 2019 that combines software-defined wide area networking (WAN) with comprehensive security functions in order to support the dynamic nature of today’s modern workforce. Applications are moving out of the data center and into the cloud, more employees are working from remote locations than ever before, and data is being accessed from a wide range of company and personally owned devices. All of these factors make it very difficult for network and security administrators to know what applications and data are being accessed by whom, as well as their usage. And what you cannot see, you cannot manage or secure. Some of the key principles of SASE are:

- The data center is no longer the center of the network, and organizations that continue to route all of their network traffic through the data center, using a legacy hub-and-spoke topology, will create a situation where their network becomes a business inhibitor. Backhauling remote users’ cloud-bound traffic to the data center inevitably produces latency and affects productivity.
- Access to data should be based on identity, not the location of the user. The old approach to security was that everyone on the network was trusted while traffic originating from outside of the network should be scrutinized. This philosophy does not work in today’s environment of employees and partners working from just about anywhere and conducting business off network. But besides being antiquated, providing open access to anyone on the network is just reckless because it does not take into account the possibility of insider threats.
- Users and applications are more distributed than ever before; therefore, technologies that offer worldwide points of presence and peering relationships should be an important consideration. Having a point of presence that is geographically near a user facilitates a shorter logical path between them and the resource they are accessing, allowing them to focus on accomplishing their job duties or tending to customers, as opposed to waiting for applications and web pages to load.
- Consolidating the number of vendors can help reduce the complexity of management. This is especially true when network and security technologies are integrated to share data in order to provide contextual intelligence and automation, or when they can be managed through one pane of glass.

These digital transformation trends and diversification within vendor portfolios started well before Gartner coined the phrase SASE, but businesses have been very receptive to their recommendations for how they should approach networking and security in the future. Something important to note, and I cannot stress it enough, is that despite what all of the great marketing may lead you to believe (and this is coming from a marketer), there is not one off-the-shelf SASE solution on the market. That’s because there is no cut-and-dried definition of what combination of technologies must be offered to be called SASE. Gartner does specify that there are fi

Tags: Malware, Guideline
AlienVault.webp 2021-02-04 11:00:00 Rooting out the cybersecurity risk in your CI/CD pipeline (lien direct) This blog was written by an independent guest blogger. When it comes to productivity, agility, and efficiency - continuous integration/continuous delivery (CI/CD) pipelines are great. When it comes to ensuring cybersecurity, they leave a lot to be desired. In fact, and especially given the popularity of CI/CD pipelines now, securing continuous environments might turn into the most important security challenge of the next decade. Some of the managerial and legal tools that will be used to meet this challenge are already available. Advanced vulnerability management programs are now able to deal with continuous environments by default, and the IoT cybersecurity act that has just been signed into law contains provisions that specify the liability of developers in the event of an embedded device getting hacked. On the technical side, however, cybersecurity has yet to catch up with the flexibility and complexity of CI/CD pipelines. In this article, therefore, I want to sketch a holistic way forward: a roadmap for how these environments can begin to be secured in the years to come. This roadmap contains five main pillars: 1. Leadership First, and arguably most importantly, finding security vulnerabilities in your CI/CD pipeline requires brave, involved, and forward-thinking leadership. The central challenge of CI/CD pipelines, from a cybersecurity perspective, is that they are constantly evolving. Security solutions that were developed for the environment of three years ago no longer offer adequate protection. In response, leaders need to inspire every member of an organization to adopt the DevSecOps mindset, in which every individual who interacts with a piece of software takes responsibility for its security. 
This means that managers need to put in place systems and processes through which developers can work with operations staff, and through which software can be designed in a way that all key stakeholders know the risks it is exposed to. In addition, leaders should take a long-term view of security in their organizations. CI/CD pipelines provide a great deal of flexibility when it comes to software design and development, but they also require (at least) a three-year, horizon-scanning approach to security flaw identification. 2. Design for DevOps A related point to the one above is that developers must ensure that the code they write and ship via their CI/CD pipelines is designed for the DevOps approach. This means that all source code should be pre-checked with static analysis tools prior to committing to the integration branch. This verifies that it does not introduce critical code vulnerabilities into real-world software. This is particularly important today because of the range of devices on which the average piece of software is deployed. One of the main promises, and advantages, of CI/CD pipelines is that they allow developers to work in a way that is platform-agnostic. However, this can sometimes blind them to the sheer range of places in which their code will eventually be deployed and potentially exposed to attack. Of particular concern here is the (sometimes unauthorized and often unexpected) deployment of code on smartphones. In 2020, we passed a notable watershed – for the first time in history, the majority of internet traffic originates from cell phones. Given this, it seems absurd that the majority of software is still written, by default, for desktop environments. Making sure that code is thor Tool Guideline
AlienVault.webp 2021-02-04 06:01:00 Intrusion Prevention Systems explained: what is an IPS? (direct link) This article was written by an independent guest author. The goal of every cybersecurity strategy is to stop cyberthreats before they have a material impact. This has resulted in many organizations seeking to be more proactive in their response to potential threats by employing solutions that detect and prevent specific types of cyberattacks by monitoring for the earliest indicators of attacks found within network traffic. Nearly every type of cyberattack (with the exception of malware-less phishing attacks that rely solely on social engineering) includes some use of network communications as part of the attack to retrieve commands, perform actions, authenticate, or otherwise interact with external hosts. For that reason, the idea of watching network traffic for leading indicators of threat activity has driven an evolution of network monitoring used specifically for detecting threatening network activity. Adding the ability to respond to detected threats in network traffic yields intrusion prevention systems. What is an intrusion prevention system? An intrusion prevention system (commonly referred to as an IPS) is a form of network security that continuously monitors network traffic entering and leaving your organization’s network. It watches for potentially suspicious and/or malicious traffic, alerts IT and security staff, and then takes action to stop the suspect traffic from continuing. IPS solutions are also used to identify and remediate internal violations of corporate security policy by employees and network guests. But considering the frequency and intensity of external cyberattacks today, the more prevalent use of IPS is to protect against external attacks.
Some of the more common attacks IPS security solutions are used to stop include brute force attacks, denial of service attacks, and attacks seeking to exploit known vulnerabilities in internal systems. IPS performs real-time deep packet inspection, examining every packet that traverses your network. Its methods of detection can be either signature-based (where network packets match a known malicious pattern) or anomaly-based (where an instance of traffic is unusual or has never been seen, such as communications to an IP address in a remote part of the world from an internal endpoint). Should malicious or suspicious traffic be detected, the IPS can take any of the following actions: network sessions can be terminated, blocking the malicious source IP address and user accounts from continuing to communicate with a given internal application, resource, or network host, preventing a detected attack from continuing; firewall policies and/or configurations can be updated to prevent this kind of attack from happening in the future, as well as preventing the offending source IP address from having access to internal hosts; and malicious content that continues to reside within the corporate network – such as infected attachments within email – can be removed or replaced by IPS solutions. How IDS compares to IPS In addition to IPS, there are also intrusion detection systems (IDS) that are often mentioned in the same breath. However, these solutions do not produce the same end result. The difference is found in their names. IDS merely detects and notifies IT, security teams, or a SIEM solution. IPS detects, but also takes action to protect the network from further abuse and attacks. The challenge with only using an IDS solution is the lack of immediacy with regard to response. With internal staff only notified of a detected threat, lag times can exist from the purely human response (or lack thereof) element.
IT or security staff need to first determine an appropriate response (that is, what new configuration or change should be mad Threat Guideline
AlienVault.webp 2021-02-03 11:00:00 (Déjà vu) New 5G consumption trends demand a new approach to security (direct link) This blog was jointly authored with Lakshmi Ananderi Kandadai of Palo Alto Networks. We are in the midst of unprecedented transformation – both business transformation and technical transformation. From a technology perspective, 5G will change where and how we harness compute power and promote unforeseen product and service innovation. Once 5G attains critical mass with a robust ecosystem, it will touch nearly every organization, promising new revenue potential across a myriad of industries. The recent AT&T Cybersecurity Insights™ Report: 5G and the Journey to the Edge shows that globally 93% of respondents are either researching, implementing, or have completed a 5G initiative. And, firms that have completed 5G implementation expect approximately 57% growth in Internet of Things (IoT)-connected devices over the next 18-36 months. 5G is revolutionizing intelligent connectivity—driving massive adoption of the IoT. A report from industry analyst firm IDC estimates that 41.5 billion devices will be connected to the internet by 2025. Another projected statistic is that there will be 1.9 billion 5G cellular subscriptions by 2024. The inherent vulnerabilities present in IoT devices make them a target-rich environment to be weaponized with botnets for the purpose of carrying out distributed denial-of-service, or DDoS, attacks. The AT&T Cybersecurity Insights Report highlights security priorities as IoT projects move from the researching phase to implementing to completion. Vulnerability management becomes a higher priority as organizations reach the implementation and completion phases. Competitive business differentiation is driving the adoption of 5G. We should expect to see 5G play a major role in areas such as smart cities, fleet management, smart factories, robotics, connected health, etc.
The greater reliance on cloud and edge compute for these applications creates a highly distributed environment spanning multi-vendor and multi-cloud infrastructures. Further, end-to-end stand-alone 5G networks will be built based on cloud native service-based architectures. These emerging network architectures vastly impact the network security postures for service providers as well as the industry verticals they serve. Businesses need to establish a strong security posture that can stop cyber attackers from infiltrating their networks and disrupting critical services. The AT&T Cybersecurity Insights report highlights that enterprises are “cautiously optimistic and preparing for the impact of 5G”. The survey data indicates that almost 64% of survey participants rank their confidence in their organizations’ preparedness for the challenges 5G may bring to security as “medium to medium-high”. Service providers and enterprises continue to face new malware-based incidents that threaten network availability and subscriber confidentiality. According to the report, 76% of enterprises believe 5G will enable entirely new types of threats, those that are not simply extensions of today’s threats. These expanding threats and vulnerabilities—previously focused on the internet peering interfaces—can now exploit the application layer in other mobile network interfaces, degrade the customer experience, create network performance challenges, and affect operator revenues. Our partnership with Palo Alto Networks brings the Vulnerability ★★★★★
AlienVault.webp 2021-02-02 11:00:00 Card-Not-Present fraud (CNP): Five things retailers can do to protect themselves from CNP attacks (direct link) This blog was written by an independent guest blogger. Cybercriminals have been well ahead of the curve when it comes to cybersecurity in the online retail industry. Specifically, criminals have been exploiting changes in purchasing behavior that favor online transactions and adapting their methods to take advantage of the authentication challenges arising when a card is not present (CNP) at the time of the transaction. Indeed, in recent years, CNP fraud has become the predominant form of credit card fraud, accounting for more than 50% of all credit card-related financial losses. Unfortunately, when it comes to CNP attacks, both consumers and online retailers are only too willing to give hackers a helping hand. Consumers frequently fall victim to phishing attacks, lose their data to skimming attacks (where card data is stolen during a physical card transaction) or fail to verify that their transactions are taking place on secure websites. Meanwhile, numerous online businesses (particularly smaller, less sophisticated businesses) fail to properly secure their networks or implement sufficient methods of authenticating the identity of the card user during a transaction. Fortunately, as detailed below, there are a number of precautions online retailers should consider to protect themselves and their customers from CNP attacks and provide the most secure online shopping experience possible. While many can be implemented internally, it is also always a good idea to consult a reliable provider of compliance solutions, particularly if an organization is not well-versed in cybersecurity. 1 - Ensure that your payment processing application is PCI compliant As businesses continue to shift to online sales models, there is an increasing need for robust payment processing systems that can identify and defeat CNP attacks.
Online retailers can suffer significant reputational effects when they have to disclose a large-scale attack affecting consumers’ financial data, as well as potential financial liabilities associated with individual attacks as they process chargebacks following a consumer’s challenge of a fraudulent transaction. This is why compliance with Payment Card Industry (PCI) standards for payment processing software is not just a good idea, it’s an essential obligation of any business that collects credit card data or uses it in consumer transactions. In early 2019, PCI released new standards designed to maximize security throughout the software development lifecycle (SDLC) of payment software, as well as during use in alpha, beta and commercial products. One of the most important standards for organizations to follow is to have adequate testing of payment processing software during the development cycle. Developers should approach testing using both “white box,” inside-out testing early on in the SDLC (static application security testing, or SAST) and “black box,” outside-in testing later in the SDLC (dynamic application security testing, or DAST). SAST helps identify issues as the code is being built, while DAST identifies issues that arise in the runtime environment. Because each of these approaches has benefits and drawbacks, as software engineer Mark Preston of Cloud Defense discusses, a multi-layer approach is always required in order to ensure that the software you create is secure. 2 - Use additional authenticati
AlienVault.webp 2021-02-01 11:00:00 Protection for your e-commerce needs (direct link) This blog was written by an independent guest blogger. One of the biggest barriers to a successful e-commerce business is protecting user data. If online shoppers don’t feel their information is safe, they won’t make a purchase. Luckily, there are actions you can take to secure your own e-commerce experience, whether you’re running a digital business or shopping with one. These protections make e-commerce safer at a time when it’s desperately needed. Cyberattacks are on the rise, and with more people shopping online, data is at risk. By understanding the evolving needs of an e-commerce strategy, you can better protect yourself when buying or selling online. Here’s what you should know. The evolving needs of e-commerce business The e-commerce environment is changing. With COVID-19 shuttering many brick-and-mortar retail stores, the pressure has mounted on online sales. At the same time, the broad shift to remote work and virtual meeting places has initiated a wave of cybercrime. As a result, the field of cybersecurity is growing at a rapid pace in an attempt to counter this wave. By 2026, cybersecurity is expected to grow by 28% as companies across industries add cybersecurity specialists to their payrolls. For e-commerce businesses, having cybersecurity specialists and protections on hand is especially vital. All types of modern digital threats can affect an online store, potentially costing thousands of dollars to resolve and resulting in an invaluable loss of business. These are just a few of the major threats that digital retailers face: malware, ransomware, phishing attempts, Distributed Denial of Service (DDoS) attacks, and credit card fraud. Any instance of a cyberattack can cause irreparable damage to both the financial and the reputational integrity of a business.
Whether the threat is from phished employee login info or a DDoS attack that causes your entire site to go down, the modern e-commerce industry requires substantial protections for safely conducting business. No matter how you are engaging with e-commerce, you can take the following steps to help protect your data and business. How to protect yourself when buying or selling online You never know when a cyberattack is going to affect you. With $17,700 lost every minute due to phishing attacks alone, according to CSO, shopping and selling online requires utilizing every best practice and technological advantage at your disposal. Luckily, there are actions you can take, ranging from free to high-end, that will give you a safer experience and protect your and your customers’ data. Here’s what you should know. Sellers Any business operating online should make use of all the tools available to them when it comes to protecting customer data. Failure to do so can result in a loss of trust from which it may be impossible to recover. While no strategy is a guarantee of safety, these tips will offer a good foundation for safe e-commerce: Prepare the proper tools. There are a host of systems and software out there for hosting and maintaining an e-commerce platform. However, true e-commerce cybersecurity protections require that you find the right firewalls and ho Threat Guideline
AlienVault.webp 2021-01-29 22:57:00 What is Secure Access Service Edge? SASE Explained (direct link) This blog was written by a third party author. Today’s “new normal” business environment is heavily focused on cloud. The ongoing trends we’re seeing today show no signs of letting up. Workloads moving to the cloud, an escalating number of devices accessing applications and data, and the more distributed nature of the workforce have been accelerated by last year’s global health events. While security centered on the data center makes deployment and management easy, in today’s modern environment this hub-and-spoke model isn’t as effective. With the increased amount of traffic flowing over the network links before heading out to the internet, combined with a growing number of employees working from branch office or remote locations, the latency is overwhelming. Secure access to services needs to be everywhere, not just at the datacenter. This is where Secure Access Service Edge (SASE) comes in. What is secure access service edge (SASE)? SASE (pronounced “sassy”) is a cloud-based model or architecture that addresses the limitations of the traditional ‘hub-and-spoke’ network infrastructure that connects users in multiple locations (spokes) to resources hosted in centralized datacenters (hubs), which host the applications and data. Accessing those resources either requires a localized private network or a secondary network connecting to the primary network via secure leased line or VPN. Problems with hub-and-spoke In theory, the hub-and-spoke model is simple. However, the model cannot handle the complexities involved with cloud-based services like software-as-a-service (SaaS) and escalating distributed workforces. As more workloads, applications, and sensitive corporate data move to the cloud, organizations must re-evaluate how and where network traffic is inspected and how secure user access policies are managed.
Rerouting all traffic through a centralized data center isn’t practical (due to latency) when many applications and data are hosted in the cloud. Adding to the latency issue, remote users may suffer when using a VPN to connect to a corporate network. It’s not uncommon for frustrated users to instead access company resources over an unsecured connection, exposing themselves to additional security risks. SASE to the rescue Enter SASE, which places network controls on the cloud edge as opposed to the corporate data center, closer to the service being accessed. SASE implementations do away with layered cloud services requiring separate configuration and management—streamlining network and security services to create a secure, seamless network edge. One of the key features of SASE is the use of identity-based, zero trust access policies on the edge network. With it, organizations can provide specific access to only the applications and data users need to complete their job duties, without having to connect to the network via VPN. The enterprise gains more granular control over network security policies and can do away with legacy hardware like VPNs and firewalls. The best of today’s security functions To support the ever-changing secure access needs of many organizations today, SASE incorporates various network security functions like secure web gateway (SWG), cloud access security brokers (CASB), firewall-as-a-service (FWaaS) and Zero Trust Network Access (ZTNA). These capabilities are delivered along with SD-WAN and are primarily “as-a-service,” utilizing the identity of the connecting user or device, real-time context and security or compliance policies. Essentially, SASE is a new package of security functions that includes the aforementioned technologies as core abilities.
Using these security functions, examples of what the SASE model can accomplish for organizations include identifying sensitive data or malware (using DLP), decrypting content at line speed (using NGF Malware
AlienVault.webp 2021-01-28 11:00:00 Serverless computing: Is it worth the risk? (direct link) This blog was written by an independent guest blogger. A new trend for developers is emerging, as many companies shift towards using serverless computing. The name is a bit misleading, as serverless computing still relies on servers for storing data, but those who use serverless computing leave the maintenance of the server to their provider. They pay only for the storage needed to execute the code they develop. In this way, developers can work in a “serverless” environment that allows them to focus solely on code rather than the provisioning of the servers they use. Although this model is very cost-effective and is becoming more popular, giving up control of your servers can come with security risks. This article will look at the pros and cons of serverless computing, and discuss some of the common security risks that come along with it. We’ll also go over some common problems with serverless computing and information developers need to know to make sure they aren’t victims of a security breach. The benefits of serverless computing In our digital era, people expect ease and convenience from their technology. Many internet users will abandon websites after just a few seconds if the load time isn’t optimal. The speed with which DevOps teams are expected to roll out new applications is faster than ever. In the competitive landscape of the modern world, achieving work with speed and convenience is a high priority. Serverless computing is great because it allows developers to focus solely on code instead of server maintenance. Developers don’t have to be concerned with when to patch their operating system or whether they have to change their code so that it is still functional, for example. The sole concentration is on their business applications, freeing up time to focus on what they do best.
Serverless computing is also beneficial because it is highly scalable, as companies only pay for what they need. Serverless computing is also becoming more popular due to the increase in reliance on cloud applications. This has been influenced by the current redirection of business application environments to microservices and containers. Coca-Cola, Netflix and Nordstrom are examples of large companies that have adopted serverless computing. With serverless computing, operational concerns are removed from the focus of the company using them. Issues with fault tolerance, scalability, availability, over/under provisioning of VM resources and other infrastructure concerns are completely the responsibility of the serverless provider. Furthermore, growing companies don’t have to keep idle servers to ensure they have room for growth. Convenience can come at a cost, however. Even though serverless computing is more affordable than having dedicated in-house servers, relying on serverless cloud computing can potentially expose your business to cyber security risks. The risks of serverless computing Using a serverless computing model doesn’t absolve developers from responsibility with regard to cyber security. The developer is still in charge of code, data, application logic, and application-layer configurations while sharing responsibilities with the serverless provider. Here are some of the most common security risks that arise in Guideline
AlienVault.webp 2021-01-27 11:00:00 TeamTNT delivers malware with new detection evasion tool (direct link) Executive Summary AT&T Alien Labs™ has identified a new tool from the TeamTNT adversary group, which has been previously observed targeting exposed Docker infrastructure for cryptocurrency mining purposes and credential theft. The group is using a new detection evasion tool, copied from open source repositories. The purpose of this blog is to share new technical intelligence and provide detection and analysis options for defenders. Background AT&T Alien Labs previously reported on TeamTNT cryptomining malware using a new memory loader based on Ezuri and written in Golang. Since then, TeamTNT has added another tool to their list of capabilities. Analysis The objective of the new tool is to hide the malicious process from process information programs such as `ps` and `lsof`, effectively acting as a defense evasion technique. The tool, named libprocesshider, is an open source tool from 2014 located on GitHub, described as "hide a process under Linux using the ld preloader." Preloading allows the system to load a custom shared library before other system libraries are loaded. If the custom shared library exports a function with the same signature as one located in the system libraries, the custom version will override it. The tool implements its own readdir(), the function that processes such as `ps` use to read the /proc directory to find running processes, and modifies the return value when one of the entries found matches the process to be hidden. The new tool arrives within a base64 encoded script hidden in the TeamTNT cryptominer binary or ircbot (figure 1). Figure 1. base64 encoded script, via Alien Labs analysis. Upon binary execution, the bash script will run through a multitude of tasks. Specifically, the script will: Modify the network DNS configuration. Set persistence through systemd.
Drop and activate the new tool as a service. Download the latest IRC bot configuration. Clear evidence of activities to complicate potential defender actions. After decoding, we can observe the bash script functionality and how some malicious activity occurs before the shared library is created (figure 2). Figure 2. Decoded bash script, via Alien Labs analysis. The new tool is first dropped as a hidden tar file on disk; the script decompresses it, writes it to '/usr/local/lib/systemhealt.so', and then adds it to the preload list via '/etc/ld.so.preload'. This will be used by the system to preload the file before other system libraries, allowing the attacker to override some common functions (figures 3/4). Figure 3/4. bash script features, via Alien Labs analysis. The main purpose of the tool is to hide the TeamTNT bot from process viewer tools, which use the file '/usr/bin/sbin' as you can s Malware Tool Threat
AlienVault.webp 2021-01-26 11:00:00 JavaScript cybersecurity threats (direct link) This blog was written by an independent guest blogger. JavaScript is a very useful programming language. Netscape developers invented JavaScript in 1995, and it revolutionized the web. Before JavaScript, webpages could pretty much only contain text, images, and hyperlinks. JavaScript empowered web developers to make webpages interactive, dynamic rather than static. Think of picture menus that animated when your mouse cursor went over them, and applets that could give you your local weather forecast or tell you which web browser you’re using. And JavaScript can do many other things. As time went on, JavaScript became increasingly powerful. And it’s still commonly used, nearly 26 years later. The advent of HTML5 and later versions of CSS has given web developers more options for using client-side scripting to make webpages dynamic. But while Adobe Flash is dead, JavaScript is as popular as ever. I believe JavaScript is amazing. Unfortunately, as a certain superhero says, “with great power comes great responsibility.” If JavaScript is used in the wrong way, a user’s privacy and security can be at risk. JavaScript is often used to fingerprint users: which web browser they’re using, which operating system they’re using, their IP address, and so on. Because of these privacy concerns, some clients such as Tor Browser warn about JavaScript being enabled and ask the user if they’d like to disable it. Unfortunately, JavaScript is used so frequently across the web that disabling it can break the functionality of many popular websites and web apps in significant ways. Many web apps won’t even load at all without JavaScript being enabled. The web is one of the most common vectors for user-targeting cyber threats. So let’s examine some of them, and then consider some ways to deal with them.
JavaScript skimmers Card skimmers are a common means of stealing credit card and debit card data from consumers through ATMs and point-of-sale devices. They usually manifest as a physical device that’s placed on top of a legitimate card reader. Retailers and banks are often unaware when a threat actor puts a card skimmer on one of their machines. JavaScript skimmers are a similar concept, but as JavaScript code injected into an online retailer’s software-based point-of-sale. One cyber attack group, Magecart, is known to inject JavaScript skimmers into ecommerce sites. Magecart started to become a significant threat in early 2020. They’re known to carefully study the vulnerabilities in specific ecommerce sites and design their web application penetration accordingly. Ecommerce retailers should conduct application security testing on their own websites so they can remove Magecart’s JavaScript skimmers and protect their customers accordingly. There isn’t much that users can do, as disabling JavaScript in their web browsers can break too much functionality. Online retailers need to be proactive. JavaScript ransomware One of the earliest examples of JavaScript-based ransomware emerged in 2016, and it’s called RAA. It appeared as a JavaScript file (.js) attached to an email. If opened on a Windows machine, it’d execute in Windows Based Script Host. This was an effective way to execute malware on a Windows machine, as a JavaScript file isn’t flagged as potentially harmful like an EXE or BAT file. Its Russian ransom note demanded about $250 in cryptocurrency for a user to recover their files. But these days, ransomware is more likely to target enterprise and institutional computers, demand greater ransoms, and even steal data from victims, an attack on confidentiality, not just availability. ViperSoftX ViperSoftX is a JavaScript-based Remote Access Trojan that was discovered in 2019. It targets Windows vulnerabilities, and it’s designed to steal cryptocurrency.
It steals cryptocurrency by looking for cryptocurrency Ransomware Malware Threat
AlienVault.webp 2021-01-25 11:00:00 How reliable is real-time security? (direct link) This blog was written by an independent guest blogger. Today's world is a fast-paced one, and that reality means changing the approach to security. Traditional ways of securing networks or premises often involved responding to threats after they happened or preparing for the most likely attacks based on experience. Now, an option called real-time security — or real-time adaptive security — allows people to use a different method. Real-time setups monitor an entire network and collect details about traffic levels, connected devices, which parties try to access particular resources, and when those attempts occur. They also learn what constitutes typical behavior, generating alerts when activity strays from the norm. However, many people understandably wonder about the reliability of real-time security systems. How could they minimize the chances of the technology causing false alarms?

Real-time security could relieve team member burdens
Many companies lack enough personnel to deal with all potential security threats. There is also a higher likelihood of attacks going undetected for too long, giving hackers more time to cause severe and costly damage. However, many real-time systems have automated artificial intelligence (AI) features that categorize threats and suggest which ones to tackle first. A 2019 IBM survey found that 76% of people who use cybersecurity automation in their organizations highly rated their ability to detect threats, versus 53% of respondents who did not use automation as extensively. If a real-time security system successfully separates threats from harmless incidents, it could help overstretched teams better manage their time and prioritize their efforts. However, a poorly trained or overly sensitive real-time system could bombard people with too much information, making it challenging to find genuine dangers.

As of February 2020, 887 law enforcement agencies had signed agreements with Ring, which offers real-time footage from connected doorbells. Many could not directly connect arrests to the camera footage, though. Some also said the way Ring makes it easy for people to share clips led to problems where residents asked the police to handle trivial issues, like raccoons in their yards. Real-time information — whether collected to improve physical or cybersecurity — can become reliable and valuable. However, the system must weed out irrelevant data.

Effective real-time security requires contextual analysis
The security sector is not the only industry to depend on real-time information. Health care providers rely on it to make faster, more personalized care choices for their patients. Research also showed that 92% of companies are increasing their investments in real-time analytics for financial decision-making. Successfully relying on real-time data requires looking at the information in context. Some people become fixated on single data points, failing to see the full picture. That could become problematic when someone tries to access a network's resource. For example, what if a worker based in the United States provides the correct login information but does so from a German IP address? The lack of location consistency may be a clue to an attack attempt. Adaptive authentication solutions are becoming more widely utilized in the security industry. They use machine learning and
Tags: Guideline
AlienVault.webp 2021-01-21 11:00:00 Education, certifications, and cybersecurity (direct link) The question of cybersecurity certifications comes up very frequently on discussion boards. What is the best certificate to get? Is a college degree better for getting a cybersecurity role? What education or skills are needed for various cybersecurity roles? And many, many more. In this post, I'll try to clarify some of these questions and more. Before heading down the certification path or degree path, ask yourself: what is my end goal? A career in cybersecurity is relatively demanding and requires commitment. Cybersecurity is a vast field of endeavor that involves many skills, with so many different paths. For example, if your goal is eventually to become a Chief Information Security Officer (CISO), not having a degree could limit your opportunities. For other cybersecurity roles, the requirements vary considerably. On the other hand, if your passion is identifying weaknesses and vulnerabilities (being an ethical hacker), a college degree is not necessary. Let's begin with a list of typical roles in cybersecurity, and explore some of the requirements for these roles. We'll follow up with some of the ways to meet these requirements and the education needed. Some of these roles are engineering-focused, while others require creativity, and some positions have legal or regulatory mandates.

SOC Analyst – the SOC Analyst role means different things in different organizations; some may think of this role as a threat analyst. Others consider this role as a technology jockey that monitors firewalls and Intrusion Detection/Prevention Services (IDPS). For this post, I'll use the former term of threat analyst. To be a successful threat analyst, one needs to be able to apply deductive analysis techniques. In other words, decompose the actions that lead to an observable outcome. Useful skills for a threat analyst are the ability to troubleshoot and reverse engineer. Knowledge of networking and system administration is foundational to this role. Over time the threat analyst will understand threat actors' Tools, Tactics, and Procedures (TTP). The threat analyst will spend much of their time using threat analysis tools like Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) tools. Many of the SIEM and SOAR vendors offer certifications that the analyst might want to pursue.

Network Security Engineer – these engineers typically install, set up, configure, and maintain network security technologies, such as firewalls, proxy servers, Network Intrusion Detection and Prevention devices, and Network Access Controls (NAC). There are many vendor technologies that a network security engineer will have to master; thus, it is beneficial to pursue vendor certification for various technologies.

Cloud Security Engineer – this role is similar to the Network Security Engineer and is focused on specific technologies. In this role, the engineer will design, implement, and maintain security controls in cloud environments. Desired skills for this role include an understanding of cloud-based technologies, security controls, and attack vectors. The major cloud vendors provide training and certifications for their offerings, including Cloud Security Engineering certifications. Additionally, the Cloud Security Alliance (CSA) and the
Tags: Threat Guideline ★★★★
Last update at: 2024-04-18 20:08:51