What's new around the internet

Src Date (GMT) Title Description Tags Stories Notes
AlienVault 2020-10-26 11:00:00 Observations from the digital trenches (direct link) When AT&T Incident Response Consultants first engage a client during a ransomware incident, the situation is often very chaotic. The client's ability to conduct business has stopped; critical services are not online, and its reputation is being damaged. Usually, this is the first time a client has suffered an outage of such magnitude. Employees may wrongly fear that a previous action is a direct cause of the incident and the resulting consequences. This fear can propagate amongst the team, impacting their ability to communicate knowledge and expertise and leading to inefficient recovery efforts. As trusted advisors, AT&T has a responsibility to educate our clients on the stress of these moments. The situation requires the efforts of your team on multiple complex tasks: rebuild/recover critical applications and services; communicate with key stakeholders (external and internal) on the status of the restoration of services; conduct a forensic investigation in parallel with rebuild/recovery efforts; implement near-term security controls to bring the operating environment to an acceptable level of risk. In this article, we highlight our insights into the primary access vectors seen in ransomware attacks investigated by AT&T. We also provide recommendations on how to configure your systems to be proactive in collecting data to help protect systems before an attack, and to support forensic investigations if breached. Paradigm shift One of the questions always asked while rebuilding from a ransomware breach is, "Are the threat actors still in my network?" This is usually the moment when a paradigm shift happens with the client’s security and IT staff. Until this point, the underlying assumption was that the network and its assets were protected from attacks, or that the level of risk was considered acceptable. But breaches have a way of sliding the scale of acceptable risk to a lower level.
Usually, it's because the breach is tangible; you see its effects and can measure its impact. The impact could be several hundred thousand dollars or more in ransom, an immediate stop to all revenue-generating business processes, and several long work days restoring services. The long-term implications are discovering the root cause of the attack and implementing adequate controls to help prevent future attacks. The root cause analysis often shows several additional vulnerabilities besides the one that granted attackers access, leading to the larger revelation that previous security controls were not as effective as initially believed. The paradigm shift is complete. "I am not as protected as I thought." This leads back to the question, "Are the threat actors still in my network?" The answer is, "It depends." It depends on several factors. How long have the threat actors been in the network? What are the available data sources for forensic investigators? Did they install tools and software that were inadvertently copied as part of a backup process? Does the root cause analysis identify the attack vector used to gain access? The answers to these questions are needed to continue to bring systems and applications back online and to operate under a reasonable belief that they are protected. Otherwise, you must accept a higher level of risk and worry about the threat actors' return. The challenges There are two primary access vectors for ransomware attacks: phishing and patch management. These vectors have not changed since attackers figured out that encrypting someone else's data can lead to massive profits. However, only focusing on strong controls in these two areas is no guarantee of success. For one, cybersecurity is mostly a reactive function. This is because, in order to program cybersecurity software (e.g. antivirus, EDR, etc.), you hav Ransomware Malware Vulnerability Threat Guideline
AlienVault 2020-10-26 05:01:00 Mobile device security explained (direct link) This blog was written by a third-party author. With recent global health events resulting in a surprise shift to an either completely remote or hybrid remote workforce for many organizations, the need to leverage mobile devices as work endpoints has grown significantly. This has created challenges for IT in maintaining both the ability to manage a wide range of devices and the ability to secure them in a way that achieves corporate security objectives and governance. With a majority of organizations reporting being the victim of a successful endpoint attack in a recent Ponemon Institute study, it’s imperative that organizations include securing these mobile devices' access to corporate networks, systems, applications, and data. This is the basis for implementing mobile device security. What is mobile device security? Mobile device security refers to the protection of critical, sensitive, and otherwise valuable data that either exists on or is transmitted to/from a mobile device, such as a smartphone or tablet. And because mobile devices are not necessarily corporate-owned, the entirety of the BYOD movement can be included. This is accomplished using a number of solutions – used either individually or in concert – to create an environment where a consistent level of mobile device security is established and maintained, regardless of the device operating system and its sometimes limiting capabilities around conformance to organizational security needs. Securing mobile devices is usually achieved using one or more solutions that include: Unified Endpoint Management (UEM) – Central visibility into and management of devices regardless of operating system is critical. This should include both your traditional endpoint OSes like Windows 10 and macOS, as well as mobile OSes including iOS and Android.
They unify the application of configurations, management profiles, device compliance, and data protection. Customers have a single view of multidevice users, enhancing the effectiveness of end-user support and gathering detailed workplace analytics. These solutions act as a coordination point to orchestrate the activities of related endpoint technologies such as identity services and security infrastructure. Mobile Threat Defense (MTD) – Mobile devices face unique threats due to their form factor, but they too are important endpoints that need to be protected. MTD can help protect against these unique mobile threat vectors on smartphones and tablets, including device, application, network, and social engineering attacks such as phishing. UEM integrated with MTD – By integrating the MTD solution into your UEM solution, this powerful combination can help you accomplish your security policy enforcement, allow for offline detection of attacks when the mobile device is not connected to the internet, and have automated remediation measures taken if malicious activity is detected on the device. The use of such solutions helps to achieve a consistent baseline of security for corporate-owned devices. BYOD and other mobile security concerns In many cases, the only mobile device accessible to the remote worker is a personal device – in order to allow these personal devices to access corporate information, there are management and security policies that should still be enforced. Unified endpoint management (UEM) plays a vital role in helping organizations establish a modern BYOD security stance. Effective UEM maintains the user experience for employees regardless of device ownership, while enforcing BYOD policy. Ultimately, UEM makes it possible for organization Threat
AlienVault 2020-10-22 11:00:00 SPAM text messages vs SMiShing and defending against it (direct link) The rise of SPAM text messages Businesses want to connect to their users and meet them where they are. One growing way to communicate with them is through text messages, including providing coupons, recent news, and other marketing materials. When these marketing efforts are unwanted by the customer, they cross the line into the SPAM category. SPAM has taken many forms throughout history, such as junk mail in your mailbox and robocalls. Then, with the birth of the internet, digital SPAM emerged in the form of email and has now expanded to the web, social media, text messages, and more. These digital spam efforts are very easy and low-cost methods to reach large numbers of people. Legitimate businesses honor and respect this line between wanted and unwanted communications through opt-in/opt-out and subscribe/unsubscribe capabilities that allow users to manage how and when they want communications. But beyond managing the sheer number of text communications, what happens when a malicious actor decides to use these texting techniques to target you with a phishing expedition? What is SMiShing? SMiShing is phishing that uses texting to lead you to fake websites and phone numbers that imitate real companies. This is a type of social engineering that fraudsters use to get personal information from you with malicious intent. Today, phishing is the number one security threat, and the worst part is that when it comes to phishing attempts on a mobile device, it works! For example, according to Lookout, 56% of mobile users have received and tapped on a URL that bypassed existing layers of phishing defense. And on average, a user will click on approximately six phishing links from their mobile device each year. You may be asking yourself, how could someone be fooled by these?
Part of the reason is the form factor of a mobile device, which makes it harder for the user to spot these social engineering techniques. Another reason is that we’re often in a hurry or distracted while using the mobile device. And finally, many people believe they are safer on their mobile device than on traditional laptops and desktops, which in today’s world may not be the case. Mobile device manufacturers, wireless carriers, and regulators have all been working closely together to curb the issues around SPAM and SMiShing. For example, AT&T monitors the network 24/7 and supports legislation to end text spam. Also, AT&T will never ask someone to send personal or account information via email or text message. But as with many types of security efforts, combating social engineering attempts like SMiShing is a shared responsibility, and both individuals and business owners need to take measures to help protect themselves and their data. Defend yourself against SPAM and SMiShing AT&T is vigilant about protecting customers from unsolicited text message spam, but there is no simple fix to block these. As individuals, we can all take certain steps to help protect ourselves, such as: If you are an AT&T customer, report them: Alert AT&T by forwarding the suspicious text to 7726 (SPAM) on your device. Messages forwarded to 7726 are free. They don't count toward your AT&T text plan. If you're not able to view the number, forward the entire message to abuse@att.net. On AT&T’s website: Spam Threat Guideline
AlienVault 2020-10-21 21:03:00 Cloud firewall explained: what is firewall as a service? (direct link) This blog was written by a third-party author. As organizations continue moving away from hosting services and applications on onsite servers, the use of virtual machines and cloud-based security solutions like Firewall-as-a-Service (FWaaS) is trending upward. With this shift away from traditional network security solutions, cloud firewall deployments have become the norm for many businesses. Here are answers to some of the most common questions about cloud firewalls. What does “cloud firewall” really mean? Unlike firewall appliances, which are typically hosted within an organization’s data center or branch office, cloud firewalls are software-based and hosted by a third-party provider. The purpose of a cloud firewall is the same as that of legacy firewalls: to block malicious traffic and prevent unauthorized access to private networks. Although the functionality is similar, cloud firewalls may be more suitable for modern business requirements because of their scalability and ease of deployment. Much as a traditional firewall is deployed to protect an organization's internal network, think of a cloud firewall as a virtual protective wall surrounding applications, infrastructure and platforms in the cloud. In addition, cloud firewalls also protect premises-based assets. Just because a firewall is a cloud firewall does not necessarily mean that its capabilities are cutting edge and meet the demands of today’s advanced threat landscape. The “cloud” in cloud firewall only means that the firewall is hosted in the cloud. A firewall’s form factor is not the relevant criterion here; what’s most important for any firewall is its functionality. Learn more about different firewall types here. Are cloud firewalls also next-generation firewalls (NGFW)? Cloud firewalls (or virtual firewalls, or Firewall-as-a-Service (FWaaS)) can undoubtedly be next-generation firewalls.
However, not all cloud firewalls are NGFWs. Typically, most cloud firewalls will boast some NGFW capabilities. Remember the key difference: NGFW is all about the firewall’s capabilities, whereas the “cloud” in cloud firewall indicates where the firewall resides. What are the benefits of a cloud firewall service? One of the key benefits of cloud firewalls is that they typically offer a lower upfront cost, since there are no appliances to purchase. In addition, overhead is reduced when the hardware doesn’t have to be hosted in your datacenter. FWaaS can be managed, configured, and updated by a third-party vendor to ease the management burden for your company. Ongoing maintenance, such as firmware updates, is usually included in these vendor-managed services and is often deployed much faster than when done in house. In addition to the cost and resource benefits, there are a handful of additional cloud firewall benefits that aren’t quite as tangible. Perhaps the most significant advantages are scalability and availability. With a more straightforward deployment, organizations can easily scale their security solution to support additional locations or higher bandwidth requirements without the complexity or cost of replacing appliances. When bandwidth is upgraded, cloud firewalls adjust automatically for consistency in cases such as mitigating a DDoS attack, for which bandwidth limits wouldn’t be a concern. When it comes to cybersecurity, availability is one of the three pillars (along with integrity and confidentiality). Cloud firewall providers, wi Threat
AlienVault 2020-10-21 11:00:00 Internet of Things toys are fun but raise privacy and socio-political concerns (direct link) This blog was written by an independent guest blogger. An estimated 38 billion devices are connected to the internet this year, highlighting the fact that the Internet of Things (IoT) is not a farfetched futuristic concept, but the reality for most of the modern world. Many of these connected devices are toys that children enjoy, but no matter how fun they may be, challenges have come to the surface due to privacy concerns and socio-political issues pertaining to gender-neutral toys. It turns out that toys are a complicated issue that revives many age-old worries that fuel one important societal concern: the protection of every child. IoT toys and perceived risks In a world where a whopping 90 percent of children under the age of two are already connected online through their toys or their smart devices, many parents are now keeping themselves abreast of the latest updates to ensure that they do not inadvertently purchase toys that are not good for their kids. While smart devices are still a cause for concern among parents, they have been around for a while, and households already know how to manage them. IoT toys, on the other hand, are new, and the very concept is a double-edged sword that can shape a generation while exposing them to the possibility of being listened to or watched. The public agenda in the United States and internationally revolves around the risks associated with kids and their internet-based toys. Risks such as stranger danger, pornographic and violent content, cyberbullying, and data misuse come to mind. But these risks can be mitigated as long as parents are armed with the right tools and knowledge. Gender-neutral toys and IoT Gender and gender conformity have impacts on children, making them a common point of contention for decades.
Adding IoT toys into the mix makes it a new phenomenon, though, as gender-neutrality is not yet applied in this new environment. There are several examples in the realm of IoT that differentiate games and toys by gender, and this can be seen in their marketing campaigns whenever they use overt markers such as colors and names. While this is done purely for commercial reasons, segmentation is no longer the norm, as 76 percent of parents now steer their daughters to boys’ toys and their sons to girls’ toys, according to Pew Research published in 2017. Doing the opposite may be a good idea, according to researchers, but it is still important for parents to understand the importance of gender-neutral toys and their role in IoT and in society in general. Every human being’s childhood needs to be a nurturing one, and one way to do this is for parents to assure their sons and daughters that they can follow their interests by encouraging the type of play that they want to engage in. Girls do not need to be boxed into a clearly defined role, and boys do not need to be in one either. Gender-neutral toys are all about giving children unlimited possibilities, an attitude that they will bring with them throughout their adulthood. It is predicted that IoT will blur the lines between genders soon enough, as the industry will likely focus on toys that parents demand. IoT toys are beneficial to children IoT toys are not only fun and interactive
AlienVault 2020-10-19 11:00:00 PSPs vs. OPA Gatekeeper: Breaking down your Kubernetes Pod security options (direct link) This blog was written by an independent guest blogger. Organizations are increasingly turning to Kubernetes, but they’re having trouble balancing security in the process. In its State of Container and Kubernetes Security Fall 2020 survey, for instance, StackRox found that 91% of respondents were using Kubernetes to orchestrate their containers and that three quarters of organizations were using the open-source container-orchestration system in production. Even so, nine in 10 respondents told StackRox in its poll that they had experienced a security event in their container and Kubernetes environment in the last 12 months. Two-thirds of organizations said those incidents had involved a misconfiguration. These findings highlight the need for organizations to enhance the security of their Kubernetes environments against misconfiguration incidents. In this blog post, we’ll narrow our focus and discuss how one type of misconfiguration in particular—embracing default pod communication—endangers organizations’ security. We’ll then discuss how organizations can use either Pod Security Policies (PSPs) or OPA Gatekeeper to ensure the security of their pods. Understanding the Security Challenges of Pod Communication To understand the security challenges inherent in default Kubernetes pod communication, it’s important that we first define what a pod is and does. Pods consist of one or more containers, shared storage/network resources and specifications for running those containers, according to the Kubernetes website. When framed in Docker terms, pods act as groups of Docker containers that share namespaces and filesystem volumes. These small computing units help organizations to group containers together and have these resources collaborate on specific projects or sets of work.
Where organizations run into challenges is the way in which pods communicate by default. As noted elsewhere on the Kubernetes website, the standard configuration for pods is non-isolated, in that they are capable of accepting traffic from any source. This is a problem, as this type of open communication potentially enables malicious actors to abuse the Kubernetes environment for nefarious purposes. Digital attackers could stage an attack in which they create a malicious container and use that to compromise its corresponding pod, for instance. That actor could then abuse unrestricted communication between pods to move laterally throughout the Kubernetes environment, deploying cryptominers and installing infostealing malware along the way. Using Security Context to Address These Challenges Fortunately, organizations can address these security challenges associated with pods using what are known as security contexts. Kubernetes notes on its site that security contexts function as configurations that help to define the security properties of a pod or a container. These configurations include access controls that govern who can access a pod or container and whether a Kubernetes resource is privileged. With the right security contexts, organizations can therefore prevent unauthorized actors from gaining access to a container, from elevating privileges on a compromised resource and from moving laterally on the network. Enforcing Security Context with Pod Security Policies When it comes time to enforce a security context, organizations may choose to use pod security policies (PSPs). These cluster-level resources manage the specifications under which a pod is allowed to run on a s Malware Uber
AlienVault 2020-10-15 17:08:00 CMMC compliance explained: what is the Cybersecurity Maturity Model Certification? (direct link) With an escalating cybersecurity threat risk that doesn’t appear to be slowing down, the Department of Defense (DoD) has taken proactive measures in creating the Cybersecurity Maturity Model Certification (CMMC). The CMMC will soon be a requirement for any defense contractors or other vendors that are, or wish to be, working with the DoD. What is CMMC compliance? The primary goal of the Cybersecurity Maturity Model Certification is to safeguard what is referred to as Controlled Unclassified Information (CUI) across the DoD supply chain. The DoD’s definition of CUI refers to any information or data created or possessed by the government or another entity on the government’s behalf. The interpretation of data is broad here — and can take into account financial, legal, intelligence, infrastructure, export controls, or other information and data. The CMMC framework incorporates the processes, practices, and approaches for the purpose of standardizing the assessment of a DoD vendor’s capabilities. The requirements for CMMC certification, broken into practices and processes, are dependent on the level of certification. Each certification level builds upon the requirements from the levels beneath it; for example, a level 3 certification would include the requirements for levels 1 and 2. Here is a brief description of each certification level: Level 1 demonstrates “Basic Cyber Hygiene” – DoD contractors who wish to pass an audit at this level must implement 17 controls of NIST 800-171 rev1. Level 2 demonstrates “Intermediate Cyber Hygiene” – Here, DoD contractors must implement another 48 controls of NIST 800-171 rev1 plus seven new “Other” controls.
Level 3 demonstrates “Good Cyber Hygiene” – To achieve level 3 certification, the final 45 controls of NIST 800-171 Rev1 plus 13 new “Other” controls must be implemented. Level 4 demonstrates “Proactive” cybersecurity – In addition to the controls in levels 1 through 3, 11 more controls of NIST 800-171 Rev2 plus 15 new “Other” controls must be implemented. Level 5 demonstrates “Advanced / Progressive” cybersecurity – To achieve this highest level, DoD contractors must implement the final four controls in NIST 800-171 Rev2 plus 11 new “Other” controls. To achieve each certification level, contractors and vendors must meet the requirements for practices and processes associated with that level across 43 different capabilities spanning 17 capability domains. The capability domains are as follows: Access Control (AC), Incident Response (IR), Risk Management (RM), Asset Management (AM), Maintenance (MA), Security Assessment (CA), Awareness and Training (AT), Media Protection (MP), Situational Awareness (SA), Audit and Accountability (AU), Personnel Security (PS), System and Communications Protection (SC), Configuration Management (CM), Physical Protection (PE), System and Information Integrity (SI), Identification and Authentication (IA), Recovery (RE). Who does CMMC directly affect? Any contractor or vendor doing business with the DoD is affected, and will eventually be required to obtain a CMMC certification. The definition of contractor or vendor includes all suppliers across every tier of the supply chain, small businesses, foreign suppliers and commercial item contractors. The certification process is handled by the CMMC Accreditation Body (CMMC-AB), which coordinates directly with the DoD Threat
AlienVault 2020-10-15 11:00:00 What is threat modeling? (direct link) This blog was written by an independent guest blogger. A lot of cybersecurity terminology can sound complex and esoteric. You may hear defensive security specialists, the people who work to secure computers and their networks, talk about threat models and threat modeling a lot. So what is threat modeling? It’s actually pretty simple, and it’s a concept that can be applied not only to computer security, but also to ordinary people in our everyday lives. Threat modeling in a nutshell If your organization has a particular amount of resources and a limited cybersecurity budget, prioritizing the allocation of your funds and resources according to how your network is most likely to be cyber attacked is common sense. From there, you can prioritize defending against the most expensive cyber attacks over the least expensive cyber attacks. You need to conduct thorough analysis to model threats effectively. You must understand that there are vulnerabilities in all software, hardware, and networks. Nothing will ever be 100% secure; your job as a cybersecurity professional is to keep your systems as secure as reasonably possible while understanding that there will always be limits, and no security hardening is ever perfect. So threat modeling is a way of thinking and planning. Usually your blue team will focus on threat modeling when they’re at the design phase of a computer system or application. Security is a constant, everyday process. But designing a system to be more secure starts with effective threat modeling at the beginning. What’s a threat model? Threat models can take many, many different forms. The evolving cyber threat landscape and your imagination are the only limits. But here are a few examples of threat models, to give you an idea of what they can be. Executable malware can be bound to email attachments, such as images or documents.
If your employee opens a malicious email attachment, malware could execute on their client machine! The malware could be ransomware, spyware, or conduct other malicious actions. This is a very common cyber threat in workplaces. We can mitigate this threat by doing the following: Configure antivirus scanning in our email server. Email attachments must pass a scan in order to open. Configure antivirus software that automatically updates and scans our network’s client machines within their operating systems. Train employees to only open emails from senders they recognize and trust. Limit user permissions to restrict what malware can do if it’s executed on a client machine. Whatever you do, don’t give users administrative privileges! Our web application runs on a SQL server and it contains forms which allow for user input. But those web forms can be exploited to conduct SQL injection attacks. We can mitigate this threat by doing the following: Avoid dynamic SQL as much as possible. Design our web application with prepared statements, parameterized queries, and stored procedures instead. Limit the privileges we assign to accounts that connect to our SQL database. Those accounts shouldn’t have administrative privileges. This will restrict what SQL injection attacks could possibly do. Connect our web application to a WAF, a web application firewall. Carefully configure rules that can prevent the common sorts of malicious actions that a SQL injection attack can do. Write error messages carefully so they don’t divulge useful information about your database. Malware Vulnerability Threat
AlienVault 2020-10-14 17:39:00 Penetration Testing Services: what to look for in a pen test provider (direct link) These days computers and the software that operates on them touch practically every part of our professional and personal lives. The information they store, process and transmit is the foundation upon which businesses are built, how customer experiences are delivered, and how we find the best takeout food in our immediate area. So why is it so hard to keep them highly secure? Computer security can be thought of as a never-ending sports season played between our “home team” of network and application administrators on one side and the various groups of cyber threat actors on the other. As in any such contest, it pays to know the other team’s playbook so that you can adjust your strategy accordingly. One of the best ways to do this is through Penetration Testing Services. AT&T Cybersecurity Services’ team of professional penetration testers conduct cyber-attack simulations that are reflective of current, real-world methods used by the threat actors your administrators face off against every day. How does a penetration testing service typically work? Penetration testing services are a cornerstone of any mature security program. Such exercises are used to validate that technical controls, applications and configurations are operating as expected, identify gaps in detective and preventative controls and supporting processes, and obtain a practical understanding of exposures arising from user-targeted attacks. As a result, it is important to understand, from an organizational perspective, what you want to achieve as a result of your penetration test. What is it you are hoping to learn from the results? What additional security assurance are you hoping to obtain? Ultimately these objectives will determine the scope, duration, and cost of the penetration test.
With objectives firmly in mind and translated into a technical scope, it is time to begin testing. How the testing will proceed will be determined by the rules of engagement that are agreed upon between the organization and the penetration testing provider. This agreement will cover things like testing timeframes, notification requirements, exploitation objectives or limitations, and known critical or sensitive systems or applications that require special care when testing to avoid outage. As the technical testing progresses, it is important to have regular check-ins with stakeholders as well as escalation procedures for any urgent matters that must be addressed during the assessment and cannot wait for the final deliverable. What should you expect a pen testing provider to accomplish? The penetration testing provider that your enterprise selects should be able to consult with you on how to get the most out of any assessment. It is your organization’s goals, objectives, security and compliance needs that drive the consumption of these services, and as such those requirements should be kept front and center. How mature is your security program? Would a more advanced approach to penetration testing bring more value to your organization? Does your scope meet your compliance requirements, or might there be a surprise down the line when the time comes to provide supporting evidence to your auditor? From a technical perspective, your assessment provider should have the capabilities necessary to get the job done and done right. By utilizing industry-recognized methodologies and tools, your provider should be able to offer consistent results across multiple engagements. The ability to apply creative thinking and problem solving to accomplish penetration testing objectives is arguably the core value of any penetration test team.
Having a broad team of deeply skilled security professionals is key to accomplishing this as individual assessors can draw upon the collective experience of the entire team to achie Threat
AlienVault.webp 2020-10-13 11:00:00 What is search engine clickbait and how do hackers trick Google\'s crawlers? (lien direct) This blog was written by an independent guest blogger. Search engine optimization (SEO) works with algorithms to ensure that the most relevant and most popular webpages show up first in an internet search. SEO makes sure that the best websites get the biggest boost. However, SEO has a lesser-known, evil twin called black hat SEO. This term refers to a common trick of cybercriminals. Black hat SEO is meant to circumvent algorithms, exploit weaknesses, and create fraudulent links. The goal of these actions is to push malware-laden websites and other nefarious web pages onto unsuspecting users. In this article, I will discuss the top ways cybercriminals hijack search engines and some examples of successful black hat SEO attempts. Understanding how cybercriminals operate and spotting their tricks can be an effective way to protect remote workforces and keep casual users safe. Stealing SEO Hackers want to catch users off guard when they are browsing the internet. They want you to click on their links and download their files so they can install malware, ransomware or other viruses on your computer. One way they can achieve this is by piggybacking off the popularity of well-established websites. This rudimentary technique can be used by even the most novice hacker. For example, some websites allow users to post comments or upload files on their webpage. Hackers can post a link to their malware or upload a file that contains a virus on a popular webpage. They know that the website has a large audience, so chances are someone will click on it. A hack like this recently happened on the UNESCO website and a Cuban government website, among a few others. A user under the moniker m1gh7yh4ck3r uploaded PDF files offering help in hacking into online accounts. 
When users clicked on the links, it led to a variety of scam websites that urged visitors to download files in exchange for the program. All the websites used an outdated Drupal CMS system tied to a Webform module that had vulnerabilities in the file share function. Modern websites can avoid having these glaring vulnerabilities by using SAST (Static Application Security Testing) to automatically scan written code for weaknesses. Coronavirus clickbait This particular hacking technique takes advantage of the coronavirus global health crisis. This technique exploits the fact that so many people around the world rely on the internet to provide them with information. This hack is very similar to the hack that was successfully used on the UNESCO website. It doesn’t take extensive Cybersecurity IQ training to understand. Researchers recently discovered fraudulent, online drugstores using credible health websites with coronavirus-related headlines to gain web traffic. The cybercriminals visited high-profile health websites with comments sections or forums and used bots to post a multitude of messages linking to their website. Of course, most of the messages enticed users by claiming to have cures for coronavirus, or by promising those who click easy access to illicit drugs. An additional benefit for the bad actors is that websites with many coronavirus-related keywords will rank higher on a Google search due to high public interest. The bad actors with the dangerous links gain SEO credibility by the increased traf Ransomware Malware Hack Vulnerability
AlienVault.webp 2020-10-07 11:00:00 Get smart and stay safe: Best practices to protect you from digital financial fraud (lien direct) This blog was written by an independent guest blogger. The past two years have seen a 391% rise in fraudulent attempts that target digital transactions around the world. The research carried out by TransUnion also saw a specific increase of 347% in relation to account takeover, so the average consumer needs to up their understanding of financial fraud risks. When data breaches and cyberattacks occur, it impacts society in various ways, like lowering consumer trust and damaging foreign politics. Ultimately, the most damaging consequence of cyberattacks to hit North Americans is digital financial fraud. So how can you best protect yourself from digital financial fraud?  Learn the different types of digital fraud There are several types of digital and e-commerce fraud that are perpetrated across the world. One of the more common types of digital fraud is identity theft. Around 71% of merchants and businesses are concerned about their clients being targeted for identity theft, according to Worldpay. The same study found that 66% worry about phishing and 63% worry about account theft. Each of these fraudulent schemes has specific targets, like your information or the sites you use. Learning more about these different types of digital fraud improves your ability to spot traps as you navigate through your digital transactions.   Regularly check your credit score A startling 56% of Canadians have never checked their credit score, according to Simple Rate. The same study also found that only 14% check their scores annually. Your credit score is calculated by going through your payment history, credit usage, credit history length, and several other factors. If you are unaware of what your credit score is, you may not realize that you have already been a victim of digital financial fraud. 
This can cause serious damage to your credit score and financial progress. As such, it is a smart practice to regularly check and monitor your credit score. Doing so gives you the chance to spot any sketchy transactions right away so that you can contest them swiftly. Build a strong relationship with your bank In an increasingly digital world, it is not odd for your bank to know your email, phone number, and other sensitive information. Scammers and fraudsters now try to spoof banks’ phone numbers and try to get consumers to share their PIN to access their accounts. To avoid this type of financial fraud, it’s important to build a strong relationship with your bank. Get to know what their practices are and have their official numbers saved to your phone. So, if you get a suspicious call, you can simply tell them you’ll call back and get in contact with your actual bank. It’s also a smart practice to only use your bank’s official apps and websites and keep abreast of any notices they send out about scam attempts so you can protect yourself accordingly. Practice Smart and Safe Internet Usage Over 41% of internet users aged 18-35 say they have posted personal information online, according to Webroot. This wealth of information is precisely what criminal elements use to carry out their digital financial frauds. To prevent this from occurring, you need to practice smart and safe internet usage. Installi
AlienVault.webp 2020-10-05 11:00:00 Insider threats: What are they and how to prevent them (lien direct) This blog was written by an independent guest blogger. Companies need to establish a secure system to avoid insider threats and other online issues that could destroy a business. There are different online threats that businesses face every day. The most common of these is phishing attacks, where the victim accidentally clicks on an unsafe link and logs in. Other commonly known threats to businesses are malware, ransomware, weak passwords, and insider threats. Most of these online attacks are due to what is known as insider threats. But what is an insider threat? What is an insider threat? Most think that the term insider threat means an employee or a former employee who intends to cause harm or steal data from the company. That might contribute to what is called an insider threat, but there are also other causes of it, such as careless users or employees and negligent data breaches. Here are the latest statistics that show what causes insider attacks. 71% are caused by unintentional or accidental data breaches. 65% are data breaches that happened due to ignoring policies. 60% of data breaches happened intentionally. How much will you lose from an insider attack? An insider attack costs a lot of money for an organization. It may even lead to bankruptcy, especially for small businesses. It often costs an average of $270,000, and up to $20 million. Sometimes, it depends on the data stolen and the size of the organization. Furthermore, businesses that experience cyberattacks will also need to pay for a forensic investigation to discover the cause of the incident. This is to know what happened and what can be done to prevent future attacks. Investigating and spending money on an attack that could have been prevented is a time-consuming task, and it’s an additional expense to the company. Types of insider threats We have mentioned earlier that insider attacks can take many forms. 
They include people who unintentionally forget, or have no knowledge, that their actions can harm the company. And some have motives behind the attack. Listed below are different types of insider attacks that are commonly known. It is crucial for companies to learn about these attacks so they can be aware of them and how to prevent them. PAWN These are employees who are manipulated into unintentionally disclosing the company’s data. The most popular form of this attack is known as spear phishing or social engineering. The employee unknowingly downloads a link sent to them via their email. The link contains malware that could steal the company’s data. Or, someone in person manipulates an employee into giving them the company’s credentials. COLLABORATOR A collaborator attack requires two parties working together to spy or gain access to potential data. Corporate or company espionage is one good example of a collaborator attack. A company or a government body will hire a former employee or another company to gather information regarding the target business. Collaborators often gain access to intellectual property and information of customers. This form of attack can disrupt the flow of business operations and could cause mistrust and loss of customers. THE LONE WOLF As the term implies, these are cybercriminals who work by themselves. They have no external access or anyone to manipulate. Often these criminals have access to the administrative department or even the executives. They can access more crucial data from the system. GOOF Malware Threat Guideline ★★★
AlienVault.webp 2020-10-02 18:12:00 Deep packet inspection explained (lien direct) What is deep packet inspection? Deep packet inspection (DPI) refers to the method of examining the full content of data packets as they traverse a monitored network checkpoint. Whereas conventional forms of stateful packet inspection only evaluate packet header information, such as source IP address, destination IP address, and port number, deep packet inspection looks at a fuller range of data and metadata associated with individual packets. Deep packet inspection will not only scrutinize the information in the packet header, but also the content contained within the payload of the packet. The rich data evaluated by deep packet inspection provides a more robust mechanism for enforcing network packet filtering, as DPI can be used to more accurately identify and block a range of complex threats hiding in network data streams, including: Malware Data exfiltration attempts Content policy violations Criminal command and control communications Deep packet inspection capabilities have evolved to overcome the limitations of traditional firewalls that rely upon stateful packet inspection. To understand the advancement offered by deep packet inspection, think of it in terms of airport security. Stateful packet filtering would be like validating the safety of baggage by checking luggage tags to make sure the origination and destination airports match up against the flight numbers on record. In contrast, filtering using deep packet inspection would be more like examining bags through an x-ray to ensure there's nothing dangerous inside before routing them to their proper flights. Use cases for deep packet inspection Analysis of traffic flows through deep packet inspection opens up a range of new and improved security use cases. 
Blocking malware When paired with threat detection algorithms, deep packet inspection can be used to block malware before it compromises endpoints and other network assets. This means it can help filter out activity from ransomware, viruses, spyware, and worms. More broadly, it also provides visibility across the network that can be analyzed through heuristics to identify abnormal traffic patterns and alert security teams to malicious behavior indicative of existing compromises. Stopping data leaks Deep packet inspection can be used not only for inbound traffic, but also for outbound network activity. This means organizations can use that analysis to set filters to stop data exfiltration attempts by external attackers or potential data leaks caused by both malicious and negligent insiders. Content policy enforcement The added application visibility afforded by deep packet inspection allows organizations to block or throttle access to risky or unauthorized applications, such as peer-to-peer downloaders. Similarly, the deeper analysis from DPI opens the path for organizations to block policy-violating usage patterns or prevent unauthorized data access within corporate-approved applications. Benefits and challenges of DPI The added visibility provided by DPI's probing analysis helps IT teams to enforce more comprehensive and detailed cybersecurity policies. This is why many firewall vendors have moved to add it to their feature lists over the years. However, many organizations have found that enabling DPI in firewall appliances often introduces unacceptable network bottlenecks and performance degradation. First of all, these on-premises appliances are tied to corporate networks and require organizations to backhaul traffic from remote users through this infrastructure for packets to run through DPI inspection checkpoints. 
This introduces tremendous latency for this growing body of users and is increasingly unworkable as so many companies have been forced to support completely distributed workforces. What's more, these performance issues are likely to s Malware Threat
AlienVault.webp 2020-09-30 05:01:00 Next generation firewall (NGFW) explained: What is a NGFW? (lien direct) What is a next generation firewall? Traditional firewalls have been around for decades. But NGFWs, uninhibited by the same technology limits, take advantage of significant advancements in storage space, memory, and processing speeds. The feature set for NGFWs builds upon traditional firewall features by including critical security functions like intrusion prevention, VPN, and anti-virus, and even encrypted web traffic inspection to help prevent packets containing malicious content from entering the network. Many NGFWs are also capable of integrating with modern networking topologies like software-defined wide area networks (SD-WAN). Look around at the different firewall solutions today, and you’ll discover that most vendors label their solution as NGFWs. However, without a consensus from the security industry about what a next-gen firewall is and what it is not, organizations must look at all the features and decide if the solution fits their business needs.  What are the benefits of a next generation firewall? Compared to traditional firewalls, there are myriad benefits to be aware of. At a high level, NGFWs provide comprehensive application visibility and control, can distinguish between dangerous and safe applications, and can help prevent malware from penetrating a network. Here are five of the most important aspects of how an NGFW helps organizations: Protects the network against viruses and trojans NGFW’s application awareness inspects the header information and the payload against pre-defined application signatures to verify that the application is exactly what it claims to be and one that has been approved for use. This could be a critical feature for any organization that allows network users to download applications from the internet. 
Blocks known productivity wasters With application control, the enterprise gains granular control over which applications can run, which features of an application can be used, and which applications should be given priority for bandwidth (such as VOIP). Applications such as Facebook, Twitter or YouTube, for example, can be blocked for users that don’t require them as part of their job function but allowed for departments that do need access (such as marketing). Another option is to enable posts to social media but disable the ability to chat. Identifies bandwidth hogs and mitigates risk NGFW’s identity awareness utilizes existing enterprise authentication systems such as Active Directory or LDAP. This feature allows for traffic monitoring by user or device as well as the ability to control the type of traffic a user may send or receive. As a result, organizations can identify users who gobble up bandwidth and help mitigate risk by allowing only legitimate business traffic to enter or leave the network. Simplifies administration, helping save money Integrated intrusion prevention systems (IPS) can detect attacks to the network by comparing traffic to a table of known threats or through anomaly-based or behavior-based detection methods. Before NGFWs, intrusion prevention systems had to be purchased separately alongside a traditional firewall, so this integration in one device is an ideal solution. Saving time and resources NGFWs allow organizations to tap into external security sources — including directory-based policies, allow lists, and block lists. No need to reinvent the wheel when there’s a whole world of information readily available. Why invest in a next-generation firewall? The primary function of any firewall is to help protect against unwanted or malicious traffic entering or exiting a network. However, as threats evolve and bec Malware Threat
AlienVault.webp 2020-09-29 05:01:00 Zero Trust Architecture explained (lien direct) This blog was written by a third party author. With the increase in frequency, sophistication, and cost of cyberattacks, the global focus on cybersecurity is at an all-time high. However, the goalposts for those tasked with protecting businesses have shifted. Hackers have a growing number of ways they can compromise a business and are frequently looking to move laterally within an organization, using credentialed (and often elevated) access. On top of this, insider threats are on the rise, where trusted users take advantage of their access for nefarious purposes.  This means that the tried-and-tested concept of perimeter-based security and defenses (where anything located on the corporate network is assumed to be trusted) is no longer enough. Security teams need to shift their thinking from the perimeter to the authentication and access of resources. This means looking at methods of both restricting access and monitoring access requests to ensure those utilizing the environment are doing so appropriately. This is where a Zero Trust Architecture comes in. What is Zero Trust Architecture? Zero Trust Architecture should be a core part of a company’s cybersecurity planning, combining identity, access policy, authentication, and more. The concept of Zero Trust is “never trust, always verify”, which effectively means assuming that all devices and users represent a potential threat and cannot be trusted until they can be properly authenticated. Once authenticated, users are allowed access only to the bare minimum they need to perform their job efficiently. Therefore, if a device (or user account) is compromised, Zero Trust aims to ensure that the damage is either mitigated (by not allowing access) or, at worst, is limited in scope. 
The concept of Zero Trust has been growing over the past decade; however, the challenge has been implementing it without sacrificing user experience and productivity. Zero Trust Architecture relies heavily on some critical capabilities – namely identity management, asset management, application authentication, network segmentation, and threat intelligence. The technologies needed to achieve these were once only available to larger organizations but are now readily available in the mainstream. How can an organization implement Zero Trust Architecture? Successfully implementing a Zero Trust Architecture means going beyond rolling out a series of integrated tools and technologies, which are supported by a set of operational policies and authentication requirements. This has to be a strategic initiative that supports the formation of the Zero Trust architecture outside of a tool and technologies acquisition. That strategy should outline what Zero Trust will look like as it relates to authorization to specific resources both on-premises and in the cloud, as well as how Zero Trust technologies will interact with data, threat intelligence, public key infrastructure, identity management, and vulnerability management systems. Once this foundation has been established, companies can determine how to further define their Zero Trust Architecture; for example, using software-defined perimeters, micro-segmentation, identity, or a combination thereof. In terms of setting user policy, understanding accountability, authority, and capability is critical to establishing the level of trust of an individual user. The implementation of a trust algorithm can involve a score-based approach, a context-based approach, or an approach involving certain criteria that must first be met. When it comes to rolling out the technology to support your Zero Trust environment, it’s advisable to run a pilot program first. 
This will allow you to get the kinks out, adjust KPIs and teach you how to operate in a ZTA overall with limited impact to your business.  Pilot programs should focu Tool Vulnerability Threat
AlienVault.webp 2020-09-28 11:00:00 Stories from the SOC – Cloud and On-site Protection (lien direct) This blog was jointly authored by Josue Gomez. Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. Executive Summary One of the benefits of having your managed detection and response (MDR) service managed by AT&T Cybersecurity is the visibility into threats from a large number of customers of all sizes and across different industries.  This allows the team to take what they learn from one customer and apply it to another.  Our security operation center (SOC) analysts were able to use an OTX alarm and an AWS correlation rule to discover open ports on public facing servers for two different customers in 24 hours. Investigation Initial Alarm Review Indicators of Compromise (IOCs) In a 24-hour period the AT&T SOC analyst team identified open port vulnerabilities which malicious actors were attempting to exploit on two different customer instances. While the environments of these two customers are very different, the sensors that are deployed as part of the AT&T Unified Security Management (USM) platform provide flexibility and help customers to stay protected across multiple platforms. Customer 1’s initial alarm is below. In addition to the OTX indicator, the fact that the alarm was based on a public URL and the event outcome was “Accept” led our analyst team to speculate that the alarm was accurately indicating a successful system compromise. (image: suspicious behavior screen) The Customer 2 initial alarm came in when an IP located in a foreign country was observed attempting to brute force authenticate via SSH port 22 on one of Customer 2’s cloud-based security management servers. (image: brute force alarm) Unlike Customer 1, who has a primarily on-premises environment, Customer 2 has a largely cloud based infrastructure. 
The analyst team performed a deep dive into the targeted AWS cloud asset and observed logs showing multiple IPs located in the foreign country attempting to establish a connection over the open vulnerable port. (image: packet dropped) Expanded investigation Alarm Detail In the case of Customer 1, the analyst team determined the IP identified by OTX had been scanning multiple public facing assets in the hours before the alarm was triggered.  Logs indicated the malicious actor was focusing on scanning for a Telnet service until they found an open Port 23, at which point scanning ended.   A search for that malicious IP on the destination side showed an outbound connection from Customer 1’s web server with an “Allow” outcome, confirming a two-way connection had been established over Telnet.  The analyst team communicated the details of the investigation to Customer 1 and recommended they close all the server’s ports, aside from Port 80 and Port 443, as is the best practice for a public facing web server.  For Customer 2, the team prioritized the malicious activity on their AWS instance as High severity and quickly jumped on a call to inform the customer of the SSH brute-force attacks occurring against one of their internal cloud assets. The built-in Amazon GuardDuty plugin, paired with the cloud monitoring capabilities available in the USM platform, allowed the team to capture this malicious activity in real Threat
AlienVault.webp 2020-09-24 23:08:00 BYOD security explained: what is a BYOD policy? (lien direct) This blog was written by a third party author. What is bring your own device (BYOD)? Bring your own device (BYOD) describes the practice of using a personal device such as a smartphone or tablet to conduct business on an organization's network or with its data. Organizations constantly walk a tightrope with their BYOD policies to balance employee productivity and satisfaction against the effective management of cybersecurity risks. Early in the evolution of mobile devices, many enterprises were hesitant to officially sanction any personal device use on their networks due to numerous BYOD security concerns, including: Potential insecurity of devices and their threat as a malware vector on the network Amplification of insider threats from both malicious and negligent BYOD users Data breaches of personally identifiable information (PII) or intellectual property (IP) due to device loss or malware This led to many draconian BYOD policy bans against personal devices on the network that often created a disconnect between employers and their workers. Employees were frustrated with having to carry around a work phone and a personal device on the road, with the limitations of outdated corporate devices, and with the inflexibility of not being able to use the tools they felt they needed to get their work done effectively.    In reaction to restrictive BYOD policies, many employees, managers, and even executives chose to find policy end-arounds, pushing a wave of shadow IT assets onto the network. These unmanaged devices often created more BYOD security problems than if an organization had found a way to develop more lenient BYOD policies and invested in the means to track and enforce how those devices were used to interact with the network and applications. How should an organization approach BYOD security? 
Many organizations seeking to tackle shadow IT and enable digital transformation had already been working on transitioning to more flexible BYOD policies prior to 2020. With the world rocked by the radical shift to a suddenly remote workforce, business sustainability now mandates that nearly every organization accelerate the process of updating their BYOD security stance. Consider: COVID-19 closures pushed the incidence of U.S. full-time employees working from home from 33% to 61% From January to April 2020, access to the cloud by unmanaged, personal devices doubled 84% of organizations report they're likely to continue to support remote work flexibility long after stay-at-home orders are lifted 70% of large businesses believe remote work makes them more vulnerable to cyberattacks These statistics indicate that the genie is now fully out of the bottle with regard to BYOD. Highly distributed workforces will not only be more prevalent moving forward, but the variety of personal endpoints that employees use to connect to corporate assets will also likely grow. Security teams must contend with BYOD not just as a mobile phenomenon but also one that encompasses user-owned PCs, connected personal devices like smartwatches, and a full slate of other IoT devices. As a result, BYOD security programs must be equipped to provide highly secure remote access to corporate data from any device, and any location. Similarly, ef Malware Vulnerability Threat Guideline
AlienVault.webp 2020-09-23 09:39:00 (Déjà vu) IDC MarketScape Names AT&T a Leader in Worldwide Managed Security Services (lien direct) IDC recently published the IDC MarketScape: Worldwide Managed Security Services 2020 Vendor Assessment, in which primary author Martha Vazquez and team studied 17 organizations that offer MSS globally. The report provides a comprehensive look at MSSP vendors, including AT&T, and how managed security services are evolving to meet the needs of customers today. This is especially relevant as security teams are being challenged on many fronts – new risks in the wake of COVID, a quickly evolving technology and threat landscape, and lack of cybersecurity talent in the market. In addition, they are being asked to “do more with less", i.e. protect a more distributed network and remote workers, while facing stagnant security budgets heading into 2021. For many organizations, it makes sense to seek the help of a third party as they tackle these challenges. As such, the IDC MarketScape report provides timely research and guidance on what security professionals should be considering when thinking about an MSSP partner. Whether looking for additional support and monitoring to shore up threat detection and response (including help with incident response), desiring protection against potential DDoS attacks, or looking for guidance in developing a strategic road map on a journey to Zero Trust, MSSPs and their consulting/professional services partners can provide real value. However, not all MSSPs are created equal, nor are they all suitable for every organization. 
In the words of Vazquez, “Choosing the right provider is critical, and buyers of MSS should consider their organization's IT requirements, geographies, verticals, and overall strategic business goals when choosing a provider.” However, according to the report, the key considerations everyone should be thinking about include: Breadth of MSS portfolio across the security stack Digital consulting capabilities to ensure you are developing a comprehensive, holistic security approach Ability to deliver managed detection and response across hybrid environments Threat intelligence, threat hunting and other advanced capabilities Visibility across endpoint, network, and cloud Integration of orchestration and automation processes Global security operations center (SOC) presence Investment in R&D, especially in cloud security, IoT/OT infrastructures, IR playbooks, etc. Security expertise and support on the SOC MSSP teams Cloud security strategy, especially the ability to deliver across multi-cloud environments Portal reporting and capabilities AT&T was named as a worldwide “leader” in this year’s report, with the IDC MarketScape highlighting our breadth of services, including Cyber Strategy and Risk, Identity and Fraud, Unified Endpoint, Network Security, and Threat Detection and Response. The IDC MarketScape also pointed out the ability of AT&T MSS to scale to the needs of large, global enterprises, integrated threat intelligence, global channel support, and ease of deployment. As security leaders take stock of their current posture and plan for the future, AT&T offers resources on multiple fronts. Here are two you can start with: Benchmark your cybersecurity maturity. Use our free online assessment to measure your maturity as it relates to risk mitigation against survey results of 500 security professionals. Understand where gaps may exist (especially post-COVID) and where you have strengths. 
Talk to AT&T Cybersecurity Consulting for a more comprehensive risk assessment and gap analysis or to support your digital transformation, including deploying Zero Trust. Finally, get an excerpt of the IDC MarketScape report Threat Guideline
AlienVault.webp 2020-09-23 09:39:00 IDC assesses most significant Managed Security Services Providers, Highlights AT&T Cybersecurity (direct link) IDC recently published the IDC MarketScape: Worldwide Managed Security Services 2020 Vendor Assessment, in which primary author Martha Vazquez and team studied 17 organizations that offer MSS globally. The report provides a comprehensive look at the top MSSP vendors, including AT&T Cybersecurity, and how managed security services are evolving to meet the needs of customers today. This is especially relevant as security teams are being challenged on many fronts – new risks in the wake of COVID, a quickly evolving technology and threat landscape, and a lack of cybersecurity talent in the market. In addition, they are being asked to “do more,” i.e. protect a more distributed network and remote workers, while facing stagnant security budgets heading into 2021. For many organizations, it makes sense to seek the help of a third party as they tackle these challenges. As such, IDC’s report provides timely research and guidance on what security professionals should be considering when thinking about an MSSP partner. Whether looking for additional support and monitoring to shore up threat detection and response (including help with incident response), desiring protection against potential DDoS attacks, or looking for guidance in developing a strategic road map on a journey to Zero Trust, MSSPs and their consulting/professional services partners can provide real value. However, not all MSSPs are created equal, nor are they all suitable for every organization. 
In the words of Vazquez, “Choosing the right provider is critical, and buyers of MSS should consider their organization's IT requirements, geographies, verticals, and overall strategic business goals when choosing a provider.” However, according to the report, the key considerations everyone should be thinking about include: breadth of MSS portfolio across the security stack; digital consulting capabilities to help you develop a comprehensive, holistic security approach; ability to deliver managed detection and response across hybrid environments; threat intelligence, threat hunting and other advanced capabilities; visibility across endpoint, network, and cloud; integration of orchestration and automation processes; global security operations center (SOC) presence; investment in R&D, especially in cloud security, IoT/OT infrastructures, IR playbooks, etc.; security expertise and support on the SOC MSSP teams; cloud security strategy, especially the ability to deliver across multi-cloud environments; and portal reporting and capabilities. AT&T Cybersecurity ranked as a global “leader” in this year’s report, with IDC highlighting our breadth of services, including Cyber Strategy and Risk, Identity and Fraud, Unified Endpoint, Network Security, and Threat Detection and Response. IDC also pointed out the ability of AT&T MSS to scale to the needs of large, global enterprises, its integrated threat intelligence, global channel support, and ease of deployment. As security leaders look to take stock of their current posture and plan for the future, AT&T offers resources on multiple fronts. Here are two you can start with: Benchmark your cybersecurity maturity. Use our free online assessment to measure your maturity as it relates to risk mitigation against survey results of 500 security professionals. Understand where gaps may exist (especially post-COVID) and where you have strengths. 
Talk to AT&T Consulting for a more comprehensive risk assessment and gap analysis or to support your digital transformation, including deploying Zero Trust. Finally, get a copy of the IDC MarketScape report Threat Guideline
AlienVault.webp 2020-09-23 05:01:00 What is mobile device management? MDM explained (direct link) This blog was written by a third party author. Not too long ago, the desktop computer was the primary computing device for enterprise employees. With the rise of mobile endpoints like smartphones, laptops and tablets, employees are connecting to corporate networks from a wide variety of places and devices. Today, especially with the popularity of the WFH (work from home) model, managing the multitude of mobile devices is more complicated than ever before. The statistics tell a sobering tale. For example, 70% of breaches originate on the endpoint, making it the number one target for attacks. Even more concerning, according to a recent study, 60% of breaches were linked to a vulnerability where a patch was available but not applied. The moral of the story: mobile device management is critical for any corporate network. What is mobile device management? Mobile device management (MDM) is a software tool for IT departments and administrators that allows management of all mobile endpoints, including smartphones, laptops, tablets, and IoT devices. Endpoints can be owned by either the company or the employee, and the MDM solution can be hosted onsite or in the cloud. The goal of an MDM is to find the right balance between management, productivity and policy compliance. As personal devices proliferate onto enterprise networks, MDM plays a vital role in securing corporate networks while allowing employees to continue to work efficiently. Mobile device management software relies on the client/server model to function. Using a management console, the server component allows IT administrators to configure and assign policies. The client component resides on each mobile device and receives whatever directives have been assigned from the management console. MDM is now a mature platform that has seen significant advances. 
Client-initiated updates are a thing of the past, as modern MDM software can instantly discover any new endpoint making a connection to the network. Today’s MDM is much more streamlined. Managing BYOD with MDM The line between a mobile user and an on-premises employee has blurred as almost everyone brings some type of personal device into the workplace. The BYOD (bring your own device) movement in many organizations is no longer a movement but more of a norm. The need to monitor and manage these endpoints has never been greater. While the benefits of BYOD are clear — lower equipment costs and more time available for IT personnel come to mind — if endpoints are not actively managed and monitored, the security risks are significant. Mobile device management is a critical component of any BYOD policy, as it allows the business to maintain control of its company data and how it is accessed. Tablets and smartphones can be difficult enough to manage in the BYOD era. After all, they’re arguably less secure than laptops and desktops due to a lack of pre-installed malware protection. But when IoT is added to the mix, especially if employees aren’t aware of the security threat it poses, the importance of the MDM multiplies. According to a recent Infoblox report, a staggering 80% of IT professionals surveyed discovered shadow (unreported to the IT department) IoT devices connected to their network, and 29% of them discovered more than 20. These devices could be smart TVs, kitchen devices, cameras, or personal health monitors. We’ve discussed IoT security before; by default, devices are inherently in Malware Tool Vulnerability Threat
AlienVault.webp 2020-09-22 11:00:00 Data privacy and data governance fundamentals of the NIST Privacy Framework (direct link) As of January 16, the National Institute of Standards and Technology (NIST) published the first version of its privacy framework. For those of you familiar with NIST frameworks, you will already be accustomed to the way NIST presents control categories, controls, sub-controls, et cetera. This framework includes the following categories: Identify, Govern, Control, Communicate, and Protect. Some of these controls have corollaries in other frameworks, such as NIST’s Cybersecurity Framework (CSF), but Govern, Control, and Communicate are brand new. Many of the controls under the familiar categories have changed as well. These controls provide guidance for organizations to create a strong privacy program, and one that could be integrated into existing cybersecurity operations. Privacy is quickly becoming a top concern for organizations across the board, both due to a shift in consumer interests and because of increased legal requirements. This framework is one of the first of its kind to help businesses understand what constitutes a good privacy program. What’s in the framework? As noted above, this framework includes five new control families that are broken out into individual categories and sub-categories. NIST also sprinkles in areas from other frameworks, such as the detection requirements from the CSF. 
The five categories can be summarized as follows: develop the understanding to effectively manage privacy risks; create an internal culture and corporate structure to support risk management and data governance; develop policies, procedures, and practices to effectively control and protect data; ensure that communication channels are in place, and regularly communicated, so that employees can ask questions and raise issues related to privacy and data management; and implement technical, administrative, and physical controls to protect and maintain the integrity of data. These five categories share similar themes with the rest of NIST's security standards, emphasizing how security and privacy can work hand-in-hand to create safer and more efficient workflows. Organizations should be sure to work with a certified privacy attorney when developing their privacy program to ensure that it meets all legal requirements. How to use this framework Within the framework, NIST provides guidance on how to utilize it to either create a new privacy program or improve an existing one. They break down the process into three steps: Ready: The first step is to create an understanding of the organization, its mission, and the overall business environment. This environment includes things like risk tolerance, legal requirements, et cetera. This step is covered by the Identify and Govern functions. It is important that organizations focus on creating clear guidelines and values that are communicated to the staff. As with security, effective implementation of this framework requires the support and efforts of all employees. Set: Once the foundation has been laid, the next step is to outline which categories and subcategories are already implemented, partially implemented, or not implemented at all. Informed by the values and requirements established in the first step, organizations can better prioritize the remaining controls for implementation. 
The second step should result in a clear plan that outlines the status of all controls and a prioritized schedule for implementing the remainder. Go: The last step is the actual implementation of the action plan developed above. The categories can be implemented in any order, so the plan should be highly customized to meet the specific needs of the organization. As controls are implemented, the second step ‘Set’ can and should be rep
AlienVault.webp 2020-09-22 11:00:00 Why misconfigurations are such an issue in your containers and Kubernetes (direct link) This blog was written by an independent guest author. Organizations are increasingly incorporating containers and Kubernetes into their IT infrastructure. As reported by ZDNet, Flexera’s “2020 State of the Cloud Report” found that about two-thirds (65%) of organizations were using Docker and that another 14% intended to begin using it at some point. Slightly fewer organizations (58%) were using Kubernetes at the time of the survey, by comparison, with 22% of participants saying they planned to adopt it. Even so, misconfigurations with both containers and Kubernetes are posing a problem. StackRox’s “State of Kubernetes and Container Security Winter 2020” report found that nearly all (94%) of respondents had experienced a security incident in their container environments over the past 12 months, per Security magazine’s coverage. The majority (69%) of those security events amounted to a misconfiguration incident, followed by runtime issues and vulnerabilities at 27% and 24%, respectively. In keeping with those experiences, 61% of survey participants cited misconfigurations as their most worrisome security risk for their container and Kubernetes environments, followed by vulnerabilities (27%) and runtime attacks (12%). These findings raise the question: why are misconfigurations such an issue for organizations’ Kubernetes and container environments? This blog post will answer this question by first defining containers and Kubernetes and explaining the benefits of each technology. It will then explore how misconfigurations open the door for attacks from malicious actors. Finally, it will briefly provide a few recommendations on how organizations can reduce the probability of suffering a misconfiguration incident. Why use containers and Kubernetes? According to CIO, a container contains everything that’s needed to run a software program. 
It includes an application along with its dependencies, libraries and other components. Bundling these components together enables a container to run regardless of the system’s OS distribution or the underlying infrastructure. Those aren’t the only benefits of containers, either. Containers might be only tens of megabytes in size, for instance. A server can therefore host more containers than virtual machines, notes CIO, as a virtual machine consists of an entire OS that might be several gigabytes in size. Consequently, virtual machines usually take several minutes to boot up and begin running, while containers can run almost instantly. This quality makes containers more dynamic in that organizations can spin them up and wind them down at a moment’s notice. Finally, organizations can take advantage of containers’ smaller size and dynamism to split an application into several modules that extend across several containers. Under this approach, developers can make changes to a module and deploy them without needing to redesign the whole app. As the number of containers grows, organizations need some way of managing them all in an organized fashion. That’s where Kubernetes comes in as an orchestration platform. Per its website, Kubernetes enables organizations to manage their containerized workloads and services. It allows organizations to load balance and distribute network traffic in order to stabilize a deployment. It also enables organizations to restart containers that fail and kill those Malware Uber
AlienVault.webp 2020-09-22 05:01:00 Security awareness training explained (direct link) This blog was written by a third party author. Cyberattacks are an almost daily occurrence for many IT and security professionals, and there are a host of different security solutions in the marketplace today that look to help companies detect and prevent those attacks. However, despite all the technology organizations have in place, their users remain their weakest link. Phishing is still one of the top initial attack vectors. Why? Because, for a wide range of different reasons – from lack of knowledge to lack of responsibility – users are prone to fall for email and web-based scams. Organizations looking to create a more secure environment need to shore up every vulnerability that exists – and that includes their users. One effective way to help users become a part of the security solution and not a part of the problem is through security awareness training. What is security awareness training? Security awareness training aims to help your users understand the key role they play in helping to protect an organization’s data and other key assets. It also educates them on threat tactics, the use of social engineering, and the scam themes used, in order to improve their ability to spot malicious content before they become a victim. It’s crucial that this training includes everyone within your organization – from the CEO to the person in the mail room – as each one can be utilized as part of a cyberattack. It should also include temps, contractors and anyone else who performs authorized functions online within your business. All these people have a role to play in ensuring an organization’s data is as secure as possible. Which organizations should pursue security awareness training? Security awareness training isn’t just something for large enterprises; employees across all business sizes need to be aware of the security threat landscape. 
Small businesses are just as vulnerable to attack as large ones; in fact, often more so, as they lack the resources to put in place the technology to protect themselves. A recent study revealed that 67% of small businesses reported a cyber-attack in 2018, up from 61% in 2017. Plus, many small businesses can act as a gateway to the assets of a larger organization for whom they perform work. Indeed, for many organizations security awareness training is essential to meet compliance regulations, such as CCPA, PCI, HIPAA, GDPR, or Sarbanes-Oxley. Security awareness training can take many different forms, but most successful training starts with either traditional classroom-based training or online training and is then supported by regular reminders. These can include follow-up emails outlining new threats and reminding people of their role in defending against them, visual aids around the office to help reinforce the security messaging, and even simulated phishing campaigns where your security team sends out a spoof phishing email and sees who clicks on it. The latter is a very clear way of showing how successful your training has been. Importantly, though, in all this you need to remember that security awareness training is not a one-time thing; it is an ongoing process to ensure that security remains front of mind for everyone within your organization. Building a security awareness program At the core of a good security awareness program is ensuring that everyone within your organization has the appropriate level of understanding about the security threats your company faces, along with an understanding of the role and responsibility they play as part of your company’s cyber defenses. If you’re going to build out your own security awareness training program, there are a few key essentials you’re going to need: Security champion Vulnerability Threat
AlienVault.webp 2020-09-21 06:00:00 Cyber safety tips for virtual events (direct link) This blog was written by an independent guest blogger. Since the start of the Covid-19 pandemic, the use of video chat software like Zoom has increased to 300 million meetings held per day. Unfortunately, hackers have taken to crashing private meetings and flooding them with objectionable content — a phenomenon known as Zoombombing. If you’re planning a virtual event, it’s important to pay attention to potential security issues and follow safety tips to keep the experience as safe and secure as possible for everyone involved. Control event access In order to hold a secure online event, you must first know exactly who’ll be attending. You’ll then have an easier job of preventing, spotting, and ejecting unwanted attendees. A virtual event platform with integrated event registration provides an easy way to set up and host a virtual event while controlling approved participants and limiting the risk of hijacking. Establishing a registration page allows you to collect contact information while simultaneously generating awareness for your virtual event. Once an attendee registers, you can then share the event link with them. Never share event links publicly on social media or other advertisements, as you may attract unwanted guests. Set a password or similar authentication requirement to allow attendees to join the event. You can also prevent access to the event after a specific time to keep out unwanted users (however, be sure to let your attendees know about this time well in advance). Prioritize network security Network security ensures your corporate network is protected against unauthorized intrusions. While endpoint security protects individual devices, network security works alongside it to protect any interaction between those devices regardless of location. 
Good network security is therefore essential for virtual events, which typically include attendees from multiple locations all over the country and potentially the globe. In particular, a network-based firewall lets you protect your network with ultra-secure inbound and outbound internet access via security gateways. Useful features like security management reporting tools allow you to easily assess your bandwidth usage, configure firewall security services, and take care of security-related compliance issues. Security tips for participants Roughly 90% of data breaches are the result of human error, so it’s important to let your attendees know about cyber safety best practices. Before the event, send out an email to participants outlining important security steps they can take. Most importantly, they should use a private wifi network — not a public one, as these aren’t secure and are vulnerable to hackers. Attendees should also have updated antivirus software installed to prevent, detect, and remove viruses and other malicious software. During the virtual event, they should also be careful not to accept unexpected chat requests from users with fake or suspicious profiles — especial
AlienVault.webp 2020-09-17 05:01:00 What is DDoS mitigation and how does it work? (direct link) This blog was written by a third party author. Distributed denial of service (DDoS) attacks are a favorite method for attackers to disrupt or debilitate firewalls, online services, and websites by overwhelming systems with malicious traffic or transaction requests. DDoS attackers accomplish this by coordinating an army of compromised machines, or 'bots', into a network of devices they control from a remote location and that focus a stream of activity toward a single target. These botnets may be used to perpetrate DDoS with a range of malicious techniques, including: saturating bandwidth with massive volumes of traffic; filling up system resources with half-open connection requests; and crashing web application servers with voluminous requests for random information. What is DDoS mitigation? DDoS mitigation is the practice of blocking and absorbing malicious spikes in network traffic and application usage caused by DDoS attacks, while allowing legitimate traffic to flow unimpeded. DDoS mitigation strategies and technologies are meant to counteract the business risks posed by the full range of DDoS attack methods that may be employed against an organization. They are foremost designed to preserve the availability of resources that attackers seek to disrupt. But DDoS mitigation is also meant to shorten the time it takes to respond to DDoS, which is frequently used by the bad guys as a diversionary tactic to carry out other kinds of attacks, such as exfiltration, elsewhere on the network. Techniques and strategies for DDoS mitigation There are several crucial strategies and techniques that typically contribute to DDoS mitigation's ability to reduce the impact of these attacks. The foundation of DDoS mitigation certainly rests in building up robust infrastructure. 
Keeping resilience and redundancy top of mind through the following is a crucial first step for DDoS mitigation: strengthening bandwidth capabilities; securely segmenting networks and data centers; establishing mirroring and failover; configuring applications and protocols for resiliency; and bolstering availability and performance through resources like content delivery networks (CDNs). However, beefier architecture and CDN services alone are no match for modern DDoS attacks, which require more layers of protection for effective DDoS mitigation. Security researchers are increasingly running into massive DDoS attack volumes over 500 Gbps and even over 1 TBps, and intensely long attacks that can last over days and even weeks. What's more, attackers are increasing the cadence of attacks and the diversity of protocols and system types they target with their DDoS attempts. Without some means of detecting and blocking malicious DDoS traffic, the most resilient system resources—even those backed by CDN services—can still easily be exhausted by modern DDoS techniques, leaving nothing left to fulfil legitimate connections and activity requests. This is why effective DDoS mitigation requires some method for scrubbing out the bad traffic as quickly as possible without impeding legitimate traffic, connection requests, or application transactions. Additionally, most organizations bolster their DDoS mitigation strategies through effective incident response planning. This includes developing playbooks for numerous attack scenarios and regularly stress-testing capabilities to ensure that defenses can perform as expected. What people or technologies are needed to respond to an attack? Security teams running DDoS mitigation programs usually seek out technolog Threat
AlienVault.webp 2020-09-16 05:01:00 Dark Web monitoring and scanning explained (direct link) This blog was written by a third party author. Shady deals often occur in darkness – criminal activities require secrecy to cloak their illicit nature. Today, you can find those dark places on the fringes of the internet, known as the Dark Web. More often than not, this is the place where cybercriminals go to monetize the data they’ve acquired as the result of a breach. What is Dark Web scanning? As the name suggests, Dark Web scanning works by searching the Dark Web to locate any stolen personal data and then alerting you if personal information is found for yourself or members of your organization. This enables you to then take the appropriate steps to help mitigate any potential damage/incidents. It should be noted that not all data exposed in data breaches ends up on the Dark Web, so if your data isn’t found this doesn’t guarantee that you haven’t been breached. Why scan the Dark Web? The Dark Web is host to all kinds of stolen personal information, from credit card details and bank account numbers, through to people’s personal log-in details for any number of web-based services, social security numbers, and even medical records. You’ll also find a broad range of corporate data on there, such as customer lists, intellectual property, and employee usernames and passwords. Why is this corporate data so valuable? If your customer database is stolen, complete with email addresses, a would-be attacker could buy the list and then send out emails pretending to be from your company; this would potentially give them the credibility they need to execute a successful phishing attack and get their targets to share credit card information or online credentials. 
Alternatively, if your internal data is stolen, attackers can use employee log-on credentials to access corporate applications, systems, and networks to steal data, execute fraud, install ransomware, or use you as the go-between to target a larger partner or customer. So, while we wouldn’t recommend people visit this internet underworld any time soon, companies do need to keep an eye out for their data being traded on the Dark Web. Finding stolen user emails and passwords on the Dark Web can be a strong indicator that either your company, or a third-party application or website that your employees use, has been compromised. This puts your business at risk of further exploitation. A good Dark Web monitoring service can help you find this data online and stay one step ahead of your attackers. Dark Web monitoring vs scanning The terms “Dark Web monitoring” and “Dark Web scanning” are often used interchangeably. The key difference is that scanning invariably refers to the one-off activity of scouring the Dark Web, whereas if this is offered as an ongoing service it is referred to as Dark Web monitoring. Dark Web monitoring protects organizations in a number of important ways: Reduce potential damage: If someone steals credentials from your employees, especially those with access to sensitive data, you could face a major attack. Monitoring allows organizations to be alerted to any compromised credentials found, empowering your IT or security teams to change credential passwords and specifically look for attempts to breach your managed networks using the detected credentials. This can help you shut down attacks before they occur or contain the damage during an active attack. Investigate and strengthen defenses: Once alerted to a breach based on credential use, you can begin the process of discovering where your security measures failed. 
If, for example, you find that attackers exploited an unpatched vulnerability and then used compromised credentials to access internal resources, you can patch and prevent a second attack wave. Mitigate brand damage: If a breach occurs, you have t Vulnerability Guideline ★★★
AlienVault.webp 2020-09-14 11:00:00 Preparing for Zero Trust and planning your strategy (direct link) I listened in on a neat webcast recently, which was jointly produced by AT&T Cybersecurity and Palo Alto Networks: “Preparing for Zero Trust and Planning your Strategy.” Panelists were John Kindervag, Field CTO, Palo Alto Networks; Steve Sekiguchi, Director, AT&T Chief Security Office; Bindu Sundaresan, Director, AT&T Cybersecurity; and Tawnya Lancaster, Lead Product Marketing, AT&T Cybersecurity. You can catch the hour-long webcast recording here. The webcast focuses on five key areas, and it’s currently available on demand: who to put on your Zero Trust team to help work toward success; what essential factors must be considered ahead of time; where to start when assessing your organization’s readiness for Zero Trust; why Zero Trust strategy and planning must happen from the inside out; and how to avoid common pitfalls when starting (or continuing) your progression to ZT targets. Here are some of the key nuggets I enjoyed from the webcast. John Kindervag gave a great overview of Zero Trust from his experience over the past 12 years, making the point that Zero Trust is NOT a product, but rather a strategic framework. He also pointed out that Zero Trust is meant to be a straightforward framework that can be broken down into four key design concepts: focus on business outcomes; design from the inside out; determine who/what needs access (we give too much access to employees who don’t need it); and inspect and log all traffic. We in cybersecurity are familiar with the idea of the “attack surface,” and for years cybersecurity professionals have been focused on the macro vision of protecting that attack surface. Zero Trust turns this concept on its head, advocating for security being brought closer to the workload. 
John suggests organizations should be breaking down the macro attack surface into what he calls the “protect surface,” which is made up of at least one of the following elements: data, applications, assets, or services (DAAS). Organizations should be designing their security architecture to highly secure individual protect surfaces. This accomplishes many things, including limiting the ability of threat actors to move laterally within your network and limiting the blast zone should a breach happen. Zero Trust protections are essentially layer 7 policy, with a single policy for each DAAS element: Data – credit card info, personal info, intellectual property, etc.; Apps – CRM, HR, ERP, etc.; Assets – IT, IoT, etc.; Services – DNS, DHCP, AD, NTP. AT&T CSO Director Steve Sekiguchi agrees with the importance of establishing highly secure zones through the use of microsegmentation technologies, which include microperimeters or software-defined perimeters (SDPs) that can isolate devices and applications closer to the workload/service being protected. He also suggests there are many other tools for microsegmentation, including next-generation firewalls (NGFWs), network overlays, software-defined network (SDN) integration, host-based agents, virtual appliances, containers, security groups, and more. As with any approach to security, Zero Trust is a journey, and Bindu Sundaresan suggests organizations should consider deploying Zero Trust in phases. Phase 1 begins with identifying the business criticality for Zero Trust and understanding your current security posture. This is especially true for organizations who are considering Zero Trust in the wake of COVID, which most likely drove extensive c Threat Guideline
AlienVault.webp 2020-09-11 05:01:00 Inside the Infographic: “Cybersecurity by the Numbers” (lien direct) The ongoing cybercrime epidemic has triggered a cybersecurity call to arms, as organizations around the world are looking for some 3.5 million skilled workers to help fight a $6 trillion problem. One of the cool features of the University of San Diego’s comprehensive new Cybersecurity Jobs Report is a shareable graphic that spotlights the cybercrime epidemic, the ongoing shortage of skilled cybersecurity professionals and the need for talent at the top companies across all industries. The “Cybersecurity by the Numbers” infographic is an excellent at-a-glance information resource that is ideal for accompanying published reports on cybersecurity trends and issues. It includes current statistics and data from a number of reputable cybersecurity resources, such as Cybersecurity Ventures, (ISC)2 Cybersecurity Workforce Study and Cyberseek.org. The infographic also features insight from cybersecurity experts and breaks down what job seekers need to know, including how to gain a competitive edge, career outlook, and average salaries and earning potential.
AlienVault.webp 2020-09-10 05:01:00 Firewalls explained: the different firewall types and technologies (lien direct) This blog was written by a third party author. Finding the right network security tools to secure your sensitive data can be a significant challenge for any organization. Choosing a firewall may seem like a simple task, but companies can get overwhelmed by the different firewall types and options. Making the distinction between a firewall and other security solutions can also pose challenges. Here are the answers to some of the most common firewall questions. What is a firewall? And what isn’t a firewall? A firewall is a network security perimeter device that inspects traffic entering and leaving the network. Depending on the security rules assigned specifically to it, the firewall either permits safe traffic or denies traffic it deems as dangerous. A firewall’s main objective is to establish a barrier (or “wall”) that separates an internal network from incoming external traffic (such as the internet) for the purpose of blocking malicious network packets like malware and hacking. When discussing firewalls, it is critical to clear up any confusion regarding what constitutes a firewall and what does not. For instance, intrusion detection systems, routers, proxy servers, VPNs and antivirus solutions are not firewalls. Many firewall architectures are built into other security solutions, and many security solutions are built into firewalls. How does firewall technology work? Firewalls carefully analyze incoming traffic arriving on a computer’s entry point, called a port, which determines how external devices communicate with each other and exchange information. Firewalls operate using specific firewall rules. A firewall rule will typically include a source address, a protocol, a port number and a destination address. Here’s an analogy to explain the components of a firewall rule. Instead of protecting a network, think of a giant castle. 
The source address represents a person wishing to enter the castle. The port represents a room in the castle. The protocol represents a mode of transportation, and the destination address represents the castle. Only trusted people (source addresses) may enter the castle (destination address) at all. Or perhaps only people that arrive on foot (protocol). Once inside, only people within the house are permitted to enter certain rooms (destination ports), depending on who they are. The king may be allowed in any room (any port), while guests and servants may only access a certain number of rooms (specific ports). In this analogy, the firewall would act like an elaborate alarm system. Types of firewalls and deployment options Adding to the confusion of what constitutes a firewall, there are numerous firewall types to be aware of. First, firewalls are classified by what they are and where they reside. For example, firewalls can either be hardware or software, cloud-based or on-premises. A software firewall resides on an endpoint (like a computer or mobile device) and regulates traffic directly from that device. Hardware firewalls are physical pieces of equipment that reside between your gateway and network. Cloud-based firewalls, also known as Firewall-as-a-service (FaaS), act like any other internet-based SaaS solutions, performing their work in the cloud. Next, and this is the most common distinction between types, firewalls are classified by functionality. The most common firewall types based on methods of operation are: Packet-filtering firewalls Proxy firewalls NAT firewalls Web application firewalls Next-gen firewalls (NGFW) Packet-filtering firewalls Packet-filtering firewalls, the most basic firewall type, examine packets and prevent them from moving on if the specific security rule is not met. This firewall's function is to perform a simple check of all data packets a Malware Threat
AlienVault.webp 2020-09-09 11:00:00 What you need to know about securing your APAC business and the recent data law changes (lien direct) Data breaches are growing in frequency and intensity amidst the recent Coronavirus pandemic, having increased by nearly 273% in the first quarter compared to the same time frame last year. In fact, 2020 may very well be remembered as the year when cybersecurity became a business problem rather than a technology issue. The driving factor here is the recent shift in workforce culture. More and more organizations are now setting up remote working teams. In addition to this, the introduction of the latest cybersecurity laws across the Asia Pacific (APAC), along with changes to data protection rules, has created a need for business owners to actively review their cybersecurity and data handling strategies. Why do companies need to rethink their cybersecurity approach? APAC businesses have to transform their cybersecurity strategy, especially since the existing landscape is becoming increasingly complex. There is also greater exposure to major data breaches, and the bad news here is it's only escalating. Today, 74% of executives belong to organizations that are actively involved in digital transformation activities. While this digitization can certainly work wonders for boosting efficiency and staying at the top of things, it shouldn’t be at the cost of safety, which is a potential problem as businesses start operating online. Existing tools and security approaches may not be as effective (or completely redundant in some cases) since hackers are adopting more insidious tactics and focus. Luckily, a few browsers have upped their game to make the internet safe and private, but additional measures are still required. We all have to keep in mind, however, that not all browsers are made equal. 
If you prioritize your privacy, you’ll definitely like to know which browsers will keep your activity private without compromising your internet experience. An April study found that 56% of the participants had encountered hacking attempts, which is a 5% increase over the previous quarter. Hackers are leaving no stone unturned to stay undetected, and in case they get exposed, they also have ways to fight back. So it’s crucial for businesses to do a better job in identifying underlying problems before manifestation. And the only way to do this is through regular threat hunting that spans across the entire information supply chain. Critical cybersecurity tips for APAC businesses to enhance network security The following are a few cybersecurity tips for APAC businesses to continue functioning without any disruptions amidst the ongoing pandemic: Accepting and Adapting to a Remote Workforce Culture Despite the ongoing debate about the suitability of remote work, the current pandemic has created circumstances forcing businesses to make an instant transformation to accommodate the same. Plus, owners have to understand that work from home arrangements are only going to move forward from this point. This change has brought them face-to-face with the requirement of having efficient IT support in terms of both infrastructure and people. APAC businesses are now more exposed to various security vulnerabilities. Data Breach Threat
AlienVault.webp 2020-09-09 05:01:00 What is Incident Response? (lien direct) This blog was written by a third party author. As new types of security incidents are discovered, it is absolutely critical for an organization to respond quickly and effectively when an attack occurs. When both personal and business data are at risk of being compromised, the ability to detect and respond to advanced threats before they impact your business is of the utmost importance. As the threat landscape broadens, having to defend yourself is no longer an “if” but a “when.” Data breaches and cyberattacks can wreak havoc on your organization, affecting a wide range of business assets — including customer trust, company time and resources, intellectual property, and brand reputation. According to Ponemon’s Cost of a Data Breach Report, organizations boasting robust security Incident Response (IR) capabilities have reduced breach-related costs by an average of about $2 million USD. The savings here differentiate organizations with a dedicated Incident Response team that tests their plans and those with no IR team or testing. As the average cost of a data breach hovers around $3.86 million, or $150 per lost record, the “time is money” proverb is validated. Incident Response defined An Incident Response Plan (IRP) is a set of procedures used to respond to and manage a cyberattack, with the goal of reducing costs and damages by recovering swiftly. A critical component of Incident Response is the investigation process, which allows companies to learn from the attack and be more prepared for potential attacks. Because numerous companies experience breaches at some point in time, one of the best ways to protect your organization is a well-developed and repeatable Incident Response plan. The goal of incident management is to identify and respond to any unanticipated, disruptive event and limit its impact on your business. 
These events can be technical — network attacks such as denial of service (DoS), malware or system intrusion, for example — or they may result from an accident, a mistake, or perhaps a system or process failure. Today, a robust Incident Response Plan is more important than ever. The difference between a mere inconvenience and a total catastrophe for your organization may come down to your ability to detect and assess the event, identify its source and causes, and have solutions readily available. Incident response best practices Tyler Cohen Wood, former Senior Intelligence Officer with the Defense Intelligence Agency, explains that some of the most successful IR practices include response steps for various realistic scenarios. “An IR program should outline steps to take in the case of ransomware attacks, integrity attacks (manipulation of sensitive data), and exfiltration of sensitive data,” she advised. “Another best practice is performing periodic simulated cyberattack exercises to test your IR program and ensure that everyone involved understands exactly what to do and who oversees the response.” Wood, who has helped the White House, DoD, federal law enforcement, and the intel community thwart national cyber threats, also recommends that best practices consist of knowing exactly where, what, and how your most sensitive data is stored. This information, she said, should be included in the IR process. Equally important for any sized organization is to recognize and plan for cyberattacks that seek to alter or manipulate data rather than steal it outright. “This type of breach can be more difficult to ascertain,” she explained. “For this reason, it's critical to have data manipulation attacks on your radar and incorporated into your threat detection as well as your Incident Response plan.” Building an Incident Response Plan An Incident Response Plan serves Ransomware Data Breach Malware Threat ★★★★
AlienVault.webp 2020-09-08 11:00:00 6 Crucial password security tips for everyone (lien direct) This blog was written by an independent guest blogger. These days, everyone has passwords. Lots and lots of passwords! When I think of how many user accounts with passwords that I have, I probably have dozens. A few for social media platforms like Twitter and LinkedIn, a few for my favorite media streaming services, one for Nintendo Switch and another for the PlayStation Network, a few for my utilities including electricity and my ISP, a few with Amazon and other online retailers, one with the government to file my personal income taxes, my home WiFi password, a Gmail account for all of my Google and YouTube stuff, accounts to authenticate into a couple of different web browsers, an account for my bank’s website, and there are probably at least a dozen more. And I’m a pretty typical technology user. So chances are, you have many similar online accounts as well. Our 21st century reality where we each need lots of user accounts in order to fully participate in society makes us all susceptible to being harmed in data breaches. And the scary thing is, data breaches happen constantly. All the time. For every data breach you read about in the news, there are lots more that people don’t know about. Passwords are an imperfect method of authentication. Many people in the cybersecurity industry would love to see passwords be completely replaced. We do have other means of authentication, such as the biometrics you may sometimes use to unlock your phone with your face. But we haven’t been able to completely get rid of passwords yet. So in the meantime, it’s up to all of us to be conscientious about how we use them. Here are some things you need to know about passwords so you can improve the security of your digital life.  The most important factor in creating passwords that are difficult to crack is to use as many characters as possible. 
The days of eight-character passwords are hopefully over. There are mathematics involved in password cracking, so each additional character in your password multiplies the time it would take a cyber attacker’s software to crack it. When you create a password, use as many characters as the application will allow. If an online service allows passwords of up to 20 characters, make a 20-character password. If you’re allowed to make a 50-character password, do it! If you have to remember a really long password, try making a sentence with multiple words you can remember. Maybe try a line in a favorite poem or song lyric. Be sure to throw some numbers and special characters in there, and “YouCanCreateAVeryStrongPasswordLikeThisOne_2BSure!” Use a password manager, both in your desktop web browser and on your phone. Password managers have two very useful features. The first is obvious, being able to store the usernames and passwords you use with dozens or even hundreds of different online services and applications. The second really useful feature that pretty much all password managers have is the ability to create very secure randomly generated passwords for you. They can create really long passwords with random combinations of upper case and lower case letters, numbers, and special characters, the kind that are very difficult for human beings to remember. When you use a password manager, difficult to remember passwords are fine because you don’t have to remember them! The password manager will remember them for you. Most major web browsers have password managers built in, but many people prefer third party password managers and find that they’re well worth the monthly or annual fee that they pay for the service. They can be installed as both web browser plug-ins and as an app on your phone. Research online and see which password managers people recommend.
Your password for your main email account is probably one of the most important passwords that you have, other than perhaps the master password for your password manager or the password for your hom Data Breach
AlienVault.webp 2020-09-02 11:00:00 How Covid-19 has increased vulnerabilities in Industrial Control Systems (lien direct) This blog was written by an independent guest blogger. By now, most are aware that the Covid-19 pandemic has led to a spike in cyberattacks. This sharp increase in malicious activity related to COVID has taken the typical form of adversaries seeking to benefit financially, gain unauthorized access to networks for immediate and long-term strategic benefit, and spread misinformation with political agendas. Much of this is a direct result of the work from home (WFH) phenomenon. With organizations and businesses rapidly deploying systems and networks to support remote staff, criminals can’t help themselves. Increased security vulnerabilities have offered the opportunity to steal data, generate profits, and generally cause havoc. In one four-month period (January to April) some 907,000 spam messages, 737 incidents related to malware, and 48,000 malicious URLs – all related to COVID-19 – were detected by one of INTERPOL’s private sector partners. There are a number of other threats, though, that have also been caused by the pandemic but that are less visible. One of these is the increased vulnerability of industrial control systems. The threat The most up to date data on the vulnerability of industrial control systems, and how this has been affected by the pandemic, comes courtesy of the ICS Risk & Vulnerability Report, released this week by Claroty. This research contains an assessment of 365 ICS vulnerabilities published by the National Vulnerability Database (NVD) and 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) during the first half of 2020, affecting 53 vendors. The findings are striking, and particularly so given how many systems engineers now work from home. 
Fully 70% of the vulnerabilities published by the NVD can be exploited remotely, while the most common potential impact is remote code execution, which is possible with 49% of the vulnerabilities. When combined with the fact that recent research has found that 83% of firms are simultaneously struggling to ensure the security of remote working systems, this is highly concerning. In practice, this means that if an organization’s remote working systems are insecure – which seems likely, given the difficulties that many have reported in recent months – then hackers may be granted an increased capability to remotely execute malicious code on industrial systems. The Impact The increased likelihood of this kind of attack should concern all organizations working with industrial control systems, but especially those companies employing centralized systems such as DCS, SCADA, or PLS. In recent years, these solutions have been used for networking previously discrete industrial systems together. While this has allowed organizations to dramatically increase their efficiency and productivity, it potentially leaves these systems open to laterally-deployed cyberattacks. This risk is compounded by a similarly worrying trend in international cyber warfare. Tho Spam Hack Vulnerability Guideline
AlienVault.webp 2020-09-02 05:01:00 Red Team testing explained: what is Red Teaming? (lien direct) This blog was written by a third party author. In the world of cybersecurity preparedness, there are a variety of strategies organizations large and small can take to help protect their networks and data from cyber-attacks. One such strategy involves an organization testing its own environment for security vulnerabilities. But because security weaknesses come in different forms, it’s necessary to have a focused security team that comprehensively searches for vulnerabilities that go beyond simple risk assessments. Part of this dedicated security team can include a Red Team. What is a Red Team? Whether internal or external, Red Teams are responsible for running simulated cyberattacks on either their own organization (in the case of an internal Red Team) or other organizations (in the case of Red Team services as part of contracted external security services) to establish the effectiveness of the organization’s security programs.  While Red Teams use many of the same tools and techniques used in penetration tests or “ethical hacking”, the objective of a Red Team is different.  Attacks employed by Red Teams are multi-layered simulations designed to gauge how well a company’s people, networks, applications, and physical security controls can detect, alert and respond to a genuine attack. What is Red Team testing? Red Team testing is also known as an Adversary Simulation or simply Red Teaming. During Red Team testing, highly experienced security professionals take on the guise of a real attacker and attempt to breach the organization’s cyber defenses. The attack scenarios they enact are designed to exercise various attack surfaces presented by the organization and identify gaps in preventative, detective, and response related security controls. 
These attacks leverage a full range of tools available to the most persistent attackers, including social engineering and physical attack vectors, from carefully crafted phishing emails to genuine attempts to breach onsite security and gain access to server rooms. Prior to the assessment, rules of engagement are established between the Red Team members and the smallest possible set of participants within the organization to be tested. This number will vary but is typically no more than 5 people in key positions to view the organization’s detection and response activities. Based on the rules of engagement, a Red Team may target any or all of the following areas during the exercise: Technology defenses – In order to reveal potential vulnerabilities and risks within hardware and software-based systems like networks, applications, routers, switches, and appliances. Human defenses – Often the weakest link in any organization’s cyber defenses, Red Teaming will target staff, independent contractors, departments, and business partners to ensure they’re all as secure as possible. Physical defenses – Physical security around offices, warehouses, substations, data centers, and buildings is just as important as technology defenses, and as such should be stress tested against a genuine attack. Something as seemingly innocuous as holding a secure door open for someone without having them tap in can provide the gap an attacker needs to gain access to unauthorized systems. Through this process, Red Team testing helps security teams identify any loopholes or weak points that could provide opportunities for attackers (either internal or external) to gain access to a company’s systems, which could then result in a serious data breach. Most importantly, this highlights gaps in the detective and response capabilities of the organization meant to identify and counter such malicious activities on a day to day basis. Who is Red Team testing suitable for?
The harsh reality of today’s Tool Threat
AlienVault.webp 2020-09-01 11:00:00 PCI DSS logging requirements explained (lien direct) This blog was written by an independent guest blogger. As a consumer, I feel more confident about using my credit card online and in brick-and-mortar stores when I know retailers are being careful about PCI DSS compliance. Breached financial credentials can wreak havoc not only on the lives of consumers, but also on the well-being of merchant businesses. I think the PCI DSS is an excellent example of how security standards can be improved when organizations cooperate and collaborate. Prior to the first version of PCI DSS in December 2004, Visa, MasterCard, American Express, Discover, and JCB each had their own separate card processing security standards. Imagine being a retailer taking those multiple methods of payment and having different compliance standards for each one! So the invention of PCI DSS made payment security simpler for business. Still, there’s a lot retailers and restaurants should know about PCI DSS’s logging requirements. Fortunately, you’ve found a quick guide which should make the logging requirements easier to understand. While you’re here, I also recommend finding answers to any questions you may have on the PCI Security Standards website. So, let’s get started! Here’s what you need to know to help make PCI DSS compliance easy as far as logging requirements are concerned. 8 tips for PCI DSS requirements Always keep PCI DSS Requirement 10 in mind: track and monitor all access to network resources and cardholder data! This is the Golden Rule of PCI DSS logging compliance. Let it be your motto, and let it guide all of the other details that follow. If you ever wonder whether or not a network vector or any component of your point of sale (POS) system should be logged, it’s better to log everything than not log enough.
There are log analysis tools and SIEM systems you can route all of your network logs through to help make thorough logging manageable, whether your networks are on premises, in the cloud, or a hybrid. Absolutely all actions in your network should be recorded and attributable to a specific user or process. Protect access to your logs. Only administrators should be able to view or make any changes to your logs and audit trails. And everything an administrator does in your POS systems and other networks should also be logged and attributable to them. If any user who isn’t an administrator can view or modify your logs, the integrity of your POS data will be at risk unnecessarily. Each user in your networks must have a unique username. Do not let more than one human being have a user account or specific username in your network. If any action a person conducts in your networks can’t be attributed to a specific individual, PCI DSS compliance audits will likely fail. Examine your logs on a regular basis. Otherwise, you cannot be sure of the integrity and reliability of your logging. You could fulfill this requirement by having a specifically trained person look at your logs manually. But it’d likely be more effective to utilize automated tools for log analysis and event monitoring. Plus, your organization will be better able to prevent cyber incidents before they can do harm to your POS systems and your retail organization as a whole. Timing is everything. Therefore, you must make sure that the time clocks which guide your systems and applications are set accurately. The timestamps in your logs will be made based on the time set in your applications and devices. Proper system configuration can automatically make adjustments for events like when daylight saving time starts and ends. Whether a customer makes a purchase, or an unauthorized user tries to access your sensitive POS data, you must know exactly when it happened in order to have logs which me
AlienVault.webp 2020-09-01 05:01:00 Cloud-based SIEM explained (lien direct) This blog was written by a third party author. Security information and event management (SIEM) solutions offer businesses the ability to collect, store, and analyze security information from across their organization and alert IT admins/security teams to potential attacks. In today’s complex digital environments, SIEMs allow IT teams to more effectively detect and respond to a wide range of threats across broad networks. However, with businesses moving more and more workloads and workflows to the cloud, their security defenses need to move with them. What is a cloud-based SIEM? Cloud-based SIEM (also referred to as SIEM-as-a-Service), takes SIEM to the next level, providing IT teams with greater convenience, flexibility, and power when managing threats across multiple environments – both on-premises and in the cloud. This is particularly important at a time when both the workforce and critical workloads are no longer within the four walls of the organization. Cloud-based SIEM provides an effective and efficient way to constantly monitor all devices, servers, applications, users, and infrastructure components on your network. And all from one central cloud-based dashboard. From the “single pane of glass” of a cloud-based SIEM platform, you can… Monitor systems, applications, and workloads, whether physical or virtual, anywhere in your network, whether in your data center, in a private cloud, or across one or more public clouds Get real-time alerts on security incidents Serve as the basis for risk analysis and audits Consolidate and manage security and event log data Automate compliance reporting How has cloud infrastructure redefined threat detection?  The ultimate goal of any SIEM platform is to improve an organization’s security posture. 
However, with businesses moving to the cloud, the threat landscape has changed and with it the way we need to perform threat detection and response has also changed. The new infrastructure and deployment models that come with cloud deployment have brought not only new security models, but also new attack surfaces. One key area of change is responsibility. In on-premises deployments, companies are responsible for the entire security stack, from the physical hardware infrastructure to the data stored on it. However, with cloud infrastructures there is a split. The shared responsibility models of AWS, Microsoft, Google and the like, set out that while the cloud service provider (CSP) takes responsibility for the security and maintenance of any supporting hardware, it is the individual organization’s responsibility to secure and maintain the data on those systems. If not managed correctly, this creates a potential visibility gap in the business’ attack surface. The highly dynamic nature of cloud workloads means that systems can come and go in seconds, and confidential information can be exposed to other users or to the CSP because no control is provided over the existing hardware. On top of this, the introduction of multiple access and management capabilities makes it hard to manage, track, and audit administrative actions when users can access cloud resources from both inside and outside the corporate environment. All this renders traditional approaches to monitoring traffic flow ineffective. So new controls need to be applied. Looking at things from an attacker’s perspective, cloud-based systems offer variability in administrative access models which gives the attacker two different angles of attack. Firstly, via traditional means of accessing systems inside the enterprise network perimeter and escalating to an administrative account that has cloud resources. 
Secondly, the attacker can bypass all the above by compromising credentials from an administrator account that has remote administrative capabilities or CSP administrative access. Cloud-based Threat
AlienVault.webp 2020-08-31 11:00:00 Aviation cybersecurity: Hurdles of staying secure on the ground and at 36,000 feet (lien direct) This blog was written by an independent guest blogger. Digitization has made its way into every industry. With this shift comes many benefits as well as the risk of a cyber attack. This is especially true in aviation. No matter how securely companies can build networks to ward off cyber attacks, the risk is never absent. With planes operating thousands of feet off the ground — often full of commercial passengers — a digital attack can potentially cost lives as well as millions in damages. To mitigate these risks, aviation companies operate strict cybersecurity processes. Even still, there are hurdles to cybersecurity both on the ground and in the air that airlines are working to address as the future slips into increasingly digital territory. Here, we’ll explore these threats and the means with which progress is being made in aviation cybersecurity. Cybersecurity Hurdles on the Ground The safety of any flight starts on the ground. While an airplane sits on the tarmac of an airport, data and digital processes are at risk within the terminal. One of the primary methods that cybercriminals may go about an attack on an airline is through the use of ransomware. Ransomware works by holding a computer system hostage until a ransom is paid to the criminal. It is a frequent method of attack on large organizations, comprising the biggest threat to security in the modern world. In the case of Albany County Airport in New York, a cybercriminal seized airport information through encrypting files on the maintenance server until a ransom was paid. While this particular instance reportedly did not result in stolen traveler data, it demonstrated how at risk airport information is.
With travelers utilizing wireless devices all the time — along with the connected tech on the plane — ransomware and other malware attacks are more than just a financial concern. Cybersecurity Hurdles in the Air In the air, planes are at risk of cyberattacks through a variety of channels. Connected devices and smart tools utilizing the Internet of Things (IoT) give access points for potential criminals. Drone use and hacking impact safety. Additionally, the means with which airplanes are managed and tracked leave them open to interference. Wireless Devices and IoT The Internet of Things is what allows for smart devices to communicate with a broader network for data tracking and digital access. Everything from in-flight entertainment systems to devices that track needed repairs and fuel efficiency operates within an IoT network. At every access point, data and operations are at risk for hacker interference and attack, potentially creating safety issues on-flight in addition to the financial damages that can occur from stolen data. Drone Use Drones present a risk to aviation cybersecurity in a variety of ways. With the ability of a drone to spy on procedures and systems through the same IoT in-flight systems as well as with cameras, the use of drones presents a rising threat to aviation cybersecurity. Since their remote-controlled, network-based structures leave them open to attack, aircraft have to take the risk of drones exc Ransomware Malware Threat
AlienVault.webp 2020-08-26 11:00:00 Amazon scammers are becoming oddly specific (lien direct) This blog was written by an independent guest blogger. A friend contacted me the other day about a scam call purporting to come from Amazon’s customer support department. She wasn’t home at the time, so the scammer left a message stating that a charge of $749 appeared on her account. Of course, she didn’t actually order anything for that price, and, although she suspected it was a scam, something about it caught her attention, so she called the phone number displayed on her caller I.D. In the old scam days, calling the number on the caller I.D. would have connected her to the scammers; however, when she called, it connected her to the real Amazon customer service center. The Amazon representative explained that the call she received was definitely a scam; however, he too was mystified that the caller I.D. was for the real Amazon customer service line, rather than for the scammers. He also told her that Amazon does not call customers; they communicate via the registered E-Mail address on the account. When she called me to ask about it, she wanted to know what may have been the reason for all this. My guess is that the scammers want to remain untraceable, so rather than leave a number to connect back to them, they mask their number, hoping that they get a live person on the line, and the true customer service number is just a crafty way of adding legitimacy to the scam in case the scammers call back later. The original message was the standard lingua-scamma, asking a person to “press 1 to be connected to a (fake) customer service representative”. If she had been home at the time and had pressed 1 on her phone, the scam would have launched into the usual social engineering attack. I asked her what had compelled her to call, failing to immediately recognize that it was a scam. She said that it was the “oddly specific $749 amount on their call. 
Why not $700, or $750, or some other round number?” Again, I can only speculate, but it reminded me of a negotiating technique that I first learned about in Chris Voss’ compelling book “Never Split The Difference”. In the book, Mr. Voss explains that a person will respond better to an odd number than a nice, round number, as it gives the illusion that the number was carefully calculated. For example, we all know that when we purchase something at $1.99, or $4.99, it gives us a different sense of the price than if that number increases by a penny. Likewise, when selling a house, if you want $500,000, a realtor will advise you to price it at $499,000, as buyers will set their search range ending at $500,000, thus eliminating your house from consideration for that final $1,000 price point. These little tactics seem obvious when carefully thought through, but in the heat of the moment, such as the possibility that your Amazon account was charged $749, our calculating mind fails us. The oddly specific number grabs our attention, albeit in a negative way that has a greater potential of forcing us to engage with the scammer. Have the scammers become more adept at psychology to realize the effectiveness of this ploy, or was it just lucky? Have they studied the fast and slow thinking systems made famous by Daniel Kahneman? One can only wonder. How can you protect yourself from these scams? I advised my friend that, aside from using a good password with a password manager, she should set up multi-factor authentication on her Amazon account. By taking these simple steps, we can all be sure that our account is safe from any unwanted
AlienVault.webp 2020-08-26 07:01:00 IoT security explained (lien direct) This blog was written by a third party author. The Internet of Things (IoT) is a term used to describe a system of interconnected computing devices that use the internet to send and receive data without requiring human-to-computer or human-to-human coordination. The world of IoT encompasses a wide variety of technologies, vendors, and connectivity methods. While cameras, smart kitchen appliances and smart locks often come to mind, IoT devices are prevalent in all industries. IoT has broad applications across the enterprise and provides numerous benefits — including increased operational efficiencies, improved customer experiences, better business decisions, and keeping workers safe. For the organization looking to adopt IoT to any degree, security challenges must be overcome using more than typical network security solutions alone. Given the inherently insecure nature of the IoT space due to the lack of industry standards, new security complications arise. Any cyber risk related to an IoT deployment requires a proactive approach with security built in from the start. Not unlike any new technology that enables digital transformation, the goal for IoT should include strategies that align the technology with the company’s current cybersecurity systems and policies. What are the security vulnerabilities of IoT? The use of IoT is expanding astronomically. According to research published in May 2020 by Transforma Insights, by the end of 2019, 7.6 billion IoT devices were active. By 2030, the number is expected to balloon to 24.1 billion. The rush to meet the growing demand for IoT devices is giving rise to favoring functionality over security. Connected and unprotected devices are vulnerable to botnet and distributed denial-of-service (DDoS) type attacks. 
Despite plans to adopt these devices in greater numbers, a Trustwave report notes that only 28 percent of organizations consider IoT-specific security strategies as “very important.” Alan Mihalic, founder and president of the IoT Security Institute, says that despite the incredible number of IoT devices, most are unsecured. “IoT devices provide an easy and attractive entry point for criminals seeking to enter an organization's network,” he said. “Moreover, their omnipresent nature provides access to opportunities never before possible within the technology environments; a presumably innocuous twenty-dollar IoT device can become the catalyst for a major cyber breach.” The IoT attack surface One look at the sheer number of possible devices in the production environment gives us a window into the magnitude of threat possibilities. Because securing IoT devices requires real-time authentication and authorization, complexity is escalated — providing opportunities for bad actors to carry out many types of attacks. Whether it’s man-in-the-middle (MitM) attacks, leveraging stolen access credentials, spoofing or cloning, or encryption attacks targeting key algorithms, a hacker’s arsenal is well-stocked. But at its most basic level, IoT security is not built in from the ground up. Compromising a device is far simpler than most people think. Sadly, the most common userid/password combinations are support/support, admin/admin and default/default. For many devices, security is an afterthought. The mere act of changing a device’s default password goes a long way toward a robust IoT solution. How common are IoT attacks? IoT attacks are frequent, and they’re escalating. In the first half of 2019, honeypot Threat Patching
AlienVault.webp 2020-08-25 07:11:00 Security risk assessments explained (lien direct) This blog was written by a third party author. What is a security risk assessment? A security risk assessment is a formal method for evaluating an organization's cybersecurity risk posture. Comprehensive security risk assessments take stock of business objectives, existing security controls, and the risk environment in which the business operates. When done well, the assessment identifies security gaps in existing controls as compared with industry best practices. Assessments then prioritize opportunities to close the gaps based on the significance of the cyber risk to which they expose the business. Security risk assessments provide a foundational starting point and an ongoing yardstick for developing a risk-based cybersecurity program. Systematically documenting technical and process deficiencies and scoring them by the potential to materially impact ongoing business missions lays the groundwork for: Holding meaningful discussions with executives on the business implications of security risk Providing the waypoints for disciplined investment in new security measures Measuring reduction of risk as improvements are made Proving compliance and ensuring investments meet regulatory standards No matter where an organization is on its journey toward security maturity, a risk assessment can prove invaluable in deciding where and when it needs most improvement. For more mature organizations, the risk assessment process will focus less on discovering major control gaps and more on finding subtler opportunities for continuously improving the program. An assessment of a mature program is likely to find misalignments with business goals, inefficiencies in processes or architecture, and places where protections could be taken to another level of effectiveness. 
The risk assessment process The time it takes to conduct a full security risk assessment varies by the organization's size and complexity. Risk assessments for smaller or less complex organizations may be completed in less than a week, while those for larger, more complex, or highly regulated organizations can take significantly longer. The process is typically kicked off by a discovery phase that will include exercises such as: Interviewing key business stakeholders to gain understanding of the core business goals that security is meant to support Conducting technical inventories and documenting data flows and standards to map existing IT architecture Collecting documentation and performing technical testing to review the security tools and controls currently in place within the architecture Initial information gathered during this discovery phase is then married up with relevant regulatory requirements and a cyber risk management framework of choice to discover where control gaps exist. A framework informs a security risk assessor by cataloging security best practices, providing industry benchmarks, and offering established methodologies for analyzing and scoring risk incurred by control gaps. Among the most popular frameworks guiding security risk assessment today is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides an end-to-end map of the activities and outcomes involved in the five core functions of cybersecurity risk management: identify, protect, detect, respond, and recover. Using the CSF gives assessors a way to score maturity based on existing controls and in the context of progress made by industry peers, offering maturity profiles for different types of organizations, with implementation tiers broken down and shifted based on the industry. 
After performing a risk analysis, the assessment is then organized into a report that offers full documentation of the business priorities supported, assets at risk, controls in place, existing vulnerabilities and controls gaps found across the organization. The repo Vulnerability
AlienVault.webp 2020-08-24 11:00:00 2020: the year cybersecurity went from a technology problem to a business issue (lien direct) In March when businesses enforced a work-from-home policy because of the pandemic, many probably thought the move would last a few weeks or so. Well, here we are, in the heat of the summer or depth of winter, depending on your hemisphere, and some businesses are still working remotely, while others have made the return to the office. Regardless of where you are working from today, businesses are moving from a reaction to the pandemic to looking to the future and how to support a workforce that is forever changed. When the sudden shift to remote work took place, cybersecurity teams were in a reactive mode, laser-focused on dealing with tactical activities to keep businesses operational and safe. Tactically, cybersecurity teams were concerned with VPN licenses – did they have enough under the enterprise license agreement (ELA) or did they even have VPN licenses? Did employees have access to cloud storage or was local storage the norm and now that local storage was on an employee’s dining room table, if employees did not have a laptop to use for remote work would they be connected to the corporate network on the family tablet that was used for video streaming and pre-school lessons? These were problems most cybersecurity professionals probably never imagined. With the initial chaos of providing business continuity over, we wanted to check the pulse of cybersecurity professionals to see what they were most concerned with as we move to a time of return and recovery. Our suspicion was that cybersecurity professionals have moved through the crisis curve, from purely reacting to the crisis to understanding the business and technology impacts. 
We ran a LinkedIn poll from August 5 – 12, 2020, asking “What's the biggest security concern within your organization with employees working remotely?” Our answer choices: Phishing scams VPN connectivity at scale Ransomware Prioritization of security investments 293 cybersecurity professionals responded: Phishing scams – 24% VPN connectivity at scale – 37% Ransomware – 11% Prioritization of security investments – 28% The results are in line with how organizations move through the crisis curve from react and respond to understanding the business and technology impacts. Our poll shows that VPN connectivity at scale is still a concern, however, as ELAs are refined and hardware constraints are removed, VPN concerns should subside. The more interesting number is that 28% of our poll respondents identified “prioritization of security investments” as a top concern. This tells us that investment in cybersecurity is a top issue and concern for organizations. As we move through the crisis curve to understand business and technology impacts, understanding how cybersecurity is viewed in an organization and how investments in technology should be made are critical. This interest in prioritization of security investments shows that businesses understand the critical nature of cybersecurity to business continuity, adaptability, and resilience. Moving through the crisis curve typically puts some amount of scrutiny on spending, however, we are seeing that spending on security, while still being managed, is a priority. While 2020 will historically be remembered as the COVID pandemic year, it will also be remembered as the year cybersecurity went from being a technology problem to a business issue. From here forward, digital transformation initiatives will be led with a security-first mindset. After all,  helping to protect the business is our primary goal.  
AlienVault.webp 2020-08-20 18:09:00 Work from home cybersecurity explained: should your business have a WFH policy? (lien direct) Global organizations are sharpening their strategies that enable their employees to work from virtually any location at any time. But working in different types of remote settings brings with it the potential for significant cybersecurity threats that must be anticipated, defended against, and quickly remediated. Working outside the traditional office setting has accelerated during the past decade. Organizations have stepped up their network transformation efforts to align with such trends as telecommuting, working while traveling, and the rapid adoption of web-based applications. But now, these “work outside the office” trends have moved into hyperdrive. Businesses are under intensified pressure to develop new, efficient, flexible, and safer ways for employees to work from virtually anywhere. But with the growing trend toward remote work comes a looming challenge: Organizations are struggling to offer their employees, customers, and partners highly secure access to vital applications and essential data. Work from home security challenges Along with remote access challenges, another major problem is becoming increasingly clear. Although malware, phishing, social engineering, and ransomware are all well-known threats, new campaigns are becoming more targeted and are expanding to include attacks on many types of devices. To add to the complexity, most devices, whether corporate-issued or personally owned, are being used off network, which often means a loss of visibility and control, and subsequently an increased risk of breach. When corporate assets, networks, applications, and cloud services are being accessed by under-secured or unmanaged endpoints, the cybersecurity threat vector created by the work-from-home phenomenon broadens. 
The trend toward remote work that began in earnest during a time when ample network bandwidth, inexpensive endpoint computing devices, and highly functional remote access tools became commonplace is likely to accelerate. It is also probable that cybersecurity threats that target applications, devices, and networks will surge in remote access settings. Without new strategies and tools, organizations are likely to fall victim to a higher number of cybersecurity breaches, which could take longer to detect and be costlier and more complex to recover from. Understanding WFH cybersecurity risks for remote workers Over the years, IT organizations have put in place tools to help employees and other members of the virtual enterprise work remotely. The number of people working remotely has steadily increased, as has the total amount of work produced outside the traditional office setting. As a result, many virtual private networks (VPNs)—which were never designed to support so many simultaneous users—are straining under the surging demand. Another consideration is that the VPN was deployed with the expectation that employees and other remote users would likely be using corporate-issued devices and software, all with the proper and most recent security settings and privileges. Clearly, that no longer is the case, nor is it likely to be so in the future. At the same time, Security Operations Center (SOC) staff are overwhelmed, trying to triage substantially more alerts each day while overworked and on a tight budget. The pressure on SOC analysts and their cybersecurity tools is caused by the rapid expansion in the number and complexity of threats to remote users. These include everything from mobile malware and email-based phishing to ransomware, identity theft, and machine-learning-based hacking algorithms. 
Then, add in a stark reality: Many, many end users fail to practice good cybersecurity “hygiene” on everything from passwords to social engineering, particularly without the watchful gaze of on-site IT and security professionals to help and “encourage” those remote workers. Secure remote access challenges With far mor Ransomware Malware Threat
AlienVault.webp 2020-08-20 11:00:00 Security policies for your remote workforce (lien direct) This blog was written by an independent guest blogger. Current events are driving dramatic changes to many business industries around the planet. One of the most notable shifts is how the office-based framework for employees transformed into a remote workforce environment. Remote working has now become the norm for many enterprises and organizations worldwide. While the remote working environment is not new in the market, it has gained momentum because of the current pandemic. Many people are now turning their homes into their extended office. However, as this happens, many security challenges are also following suit. One of the many concerns businesses face is the lack of a security framework for the remote workforce scenario. Most organizations are designed to operate in a 9-to-5 office setting, which makes the sudden change more challenging. It is vital to ensure that your company will not be compromised as you continue to lean in on the new norm of the working landscape. It would be best to implement security policies that will ensure safety and will not make your hard-earned business susceptible to attacks. Security policies you need to implement for your remote workforce As you move your team into becoming a remote workforce, here are some security policies you can consider implementing to make your business attack-resistant. 1. Implement two-factor authentication This first policy may sound basic, but two-factor authentication (2FA) is a strong defense against attacks on your remote workforce. Having 2FA means adding another security layer that will make it harder for hackers and cybercriminals to compromise your remote workers. This security feature can help lower the chance of losing your data to hackers, experiencing fraud, or even identity theft. Failing to establish this security check can be catastrophic. 
2FA can be an excellent way to shield your business and its information, so make sure you require your remote team to implement it for their corporate email and other work they are doing from home, such as editing the company website and other applications they need to access to do their work. 2. Require strong passwords Passwords can be the first line of defense against any possible attacks. They can protect a website, essential data, and, eventually, the whole business in the long run. Strong passwords are an essential measure for ensuring that any system is always protected. Having 2FA should never be an excuse to use a birthday, a name, or even a pet's name for a password. No one should be lax enough to use a password that is easily guessed by anyone. Leaning on these weak and easy-to-guess passwords makes it easy for cybercriminals to infiltrate any system they target. Password re-use is especially problematic. To be sure your business is protected well, require your remote workforce to have robust passwords. Having complex passwords can help protect the system, the company website, or other related accounts. Make sure that their passwords consist of uppercase and lowercase letters, special characters, and numbers, and are at least 16 characters long. 3. Lean on VPN A Virtual Private Network, or VPN, is another way to protect your remote workforce team from attacks. It allows them to connect to networks with reduced risk of having hackers pry on their connection. A VPN works by providing a tunnel for your device as it connects to the internet. It can hide your essential data by encrypting it, thus making it unreadable for someone trying to intercept w Malware
AlienVault.webp 2020-08-19 17:03:00 User and Entity Behavior Analytics (UEBA) explained (lien direct) This blog was written by a third party author. What is UEBA? User and Entity Behavior Analytics (UEBA) is an area of cybersecurity that focuses on analyzing activity – specifically user behavior, device usage, and security events – within your network environment to help companies detect potential insider threats and compromised accounts. While the concept has been around for some time, it was first defined in detail by Gartner in 2015 in its Market Guide for User and Entity Analytics. How Does UEBA Work? In essence, UEBA solutions create a baseline of standard behavior for users and entities within a corporate network and look for deviations from the baseline, alerting network admins or security teams to anything that could indicate a potential security threat. To do this, UEBA solutions collect live data that includes user actions (such as applications used, interactions with data, keystrokes, mouse movement, and screenshots), activity on devices attached to the network (such as servers, routers, and data repositories), as well as security events from supported devices and platforms. Advanced analytical methods are then applied to this data to model the baseline of activity. Once this baseline of behavior has been established, the UEBA solution will continuously monitor behavior on the network and compare it to the established baseline, looking for behavior that extends beyond an established activity threshold to alert appropriate teams of the detected anomaly. UEBA vs UBA Initially this technology was referred to simply as User Behavior Analytics (UBA). As the name implies, this concept focused exclusively on activity at the user level in order to indicate potential threats. However, Gartner later added the “entity” to reflect the fact that “other entities besides users are often profiled in order to more accurately pinpoint threats”. 
Gartner defined these other entities as including managed and unmanaged endpoints, servers, and applications (whether cloud-based, mobile-based, or on-premises). This expanded scope then includes looking for any “suspicious” or anomalous activity that may be based on network traffic or requests sent from a specific endpoint to unusual ports or external IP addresses, operating system process behavior, privileged account activity on specific devices, the volume of information being accessed or altered, or the type of systems being accessed. By broadening the scope of its focus to cover non-human processes and machine entities, Gartner’s UEBA definition means UEBA can analyze both sources of data to gain greater context and insight around activity to produce a more accurate profile of the baseline of activity within an IT network. This results in the solution being able to more accurately pinpoint anomalies and potential threats, including things that would often have gone unnoticed by “traditional” security monitoring processes such as SIEM or DLP. Does SIEM offer UEBA? With many corporate security teams having already implemented security information and event management (SIEM) solutions, a common question is whether UEBA and SIEM offer the same protection. After all, they both collect security-related information that can indicate a potential or active threat. UEBA solutions typically include the following benefits: The ability to use behavioral baselining to accurately detect compromised user accounts Automation to create improved security efficiency The use of advanced behavioral analytics helps to reduce the attack surface by frequently updating IT security staff and network admins about any potential weak points within the network The key difference is that SIEM solutions are traditionally more focused on log and event data, which wouldn’t allow you to create a standard baseline of overall user and network environment beh Threat Guideline
AlienVault.webp 2020-08-19 16:15:00 Zero Trust Network Access (ZTNA) explained (lien direct) This blog was written by a third party author. In today’s ever-changing cybersecurity landscape, Zero Trust is here to stay. Before the concept of Zero Trust was well known, organizations followed the belief that anything within the network is trusted, and anything outside of it is untrusted. Zero Trust is built on the idea that all traffic, whether incoming or outgoing, should be inspected, regardless of the source. Traditional remote connectivity solutions, like VPN, fall short of meeting this requirement because they connect users to an entire network segment, which in many cases provides access to a lot more than what is required to do their job. With many organizations having to support a suddenly remote workforce, major performance concerns have arisen with VPN since it was never designed to support thousands of employees working remotely and connecting simultaneously. Zero Trust Network Access can help address both of these concerns. Users and applications are already in the cloud, so it follows that secure access should be granted through the cloud. This cloud-based solution leverages software-defined perimeters (SDPs), created specifically for a cloud-based environment — putting organizations in a better position to embrace Zero Trust. What is Zero Trust Network Access? ZTNA solutions provide seamless and secure connectivity to applications without placing users on the network or exposing applications to the internet. Relying on legacy solutions to access network applications is no longer required with ZTNA. With ZTNA, granting access based on an IP address is replaced by locally enforced and cloud-managed secure policies. With this type of visibility, user-specific access to apps is granted solely to those users with authorization to view or use them. Instead of connections to internal networks, all access is contextual. 
By isolating access in this manner, risks to the network brought about by potentially infected devices are drastically reduced. ZTNA’s user-to-application methodology transforms the inherently insecure internet into today’s corporate network. ZTNA is achieved through a software-defined perimeter (SDP), a term created by the Cloud Security Alliance. For the enterprise, an SDP favors software over traditional network security appliances to seamlessly connect remote users with applications running in their data centers and cloud environments. It’s important to note that while replacing your VPNs may provide motivation for ZTNA adoption, ZTNA products should not be considered a VPN replacement. What are the benefits of ZTNA? The benefits of ZTNA deployment are diverse. Like a traditional VPN, any ZTNA connection offers encryption to provide confidentiality. But unlike VPN, ZTNA boasts significant upgrades in agility, policy management, user experience, and adaptability. ZTNA is a solution that contributes to digital transformation projects, driven by cloud-based applications and employees working remotely. Other notable benefits not already mentioned above include: Improved UX (user experience) Improved content access granularity More centralized policy management that leverages both network and application access control as well as user access control with MFA Visibility into what applications are being used, including previously undiscovered programs and the ability to provide access to specific applications by role or by user Reduced risk of distributed denial of service (DDoS) attacks by not exposing the applications to the public internet ZTNA use cases ZTNA opens the doors to a multitude of use cases previously unattainable with traditional access methods. With access dictated more by user, application, and service, the enterprise can adapt to the growing requirements for today’s new normal. With ZTNA, organizat
AlienVault.webp 2020-08-19 11:00:00 How to check the effectiveness of phishing (lien direct) This blog was written by an independent guest blogger. You can install the latest generation of security software to protect against evil hackers, but what is the use of it if your employees continue to follow phishing links? Several security companies conduct social and technical research into real-life phishing attacks aimed at different businesses and are impressed with the scale of the problem. The purpose of such studies is not only to understand how hackers deceive the staff and which hooks they use but also to draw the right conclusions about what type of security awareness training to use and how often it is needed. One of the security companies I work with sent more than 15 thousand “phishing” emails to corporate mailboxes in 2019. Let’s see their results. What is inside the phishing email? According to statistics, last year, phishing became the most popular tool for penetrating companies’ infrastructure. Attackers used this method in 70% of attacks. RDP hacking took second place. Globally, all phishing emails are trying to provoke a user into one of two actions: click on a phishing link or open a malicious attachment. During pentest projects, depending on the final task, researchers send employees several letters with a link to a web form for entering account credentials or Microsoft Office documents with malicious macros. Most messages use harmless files that allow researchers to track only the fact of following the links or opening attachments. But sometimes, researchers send documents that contain macros that allow them to get remote access to workstations. Using such messages, researchers can check not only the vigilance of employees but also the reliability of the means of protection. The main task of each such project is to make the “phishing” email look as realistic as possible. 
Researchers try to craft letters and build the overall logic of the attack in the way a real cybercriminal would do it, assuming, for example, that the goal of the attacker is to gain access to the correspondence of the company’s top management personnel. Usually, attackers start with harvesting information about the company using open sources. In one of the cases, our “attackers” discovered Outlook Web App, as well as news about the presence of a 0-day vulnerability in a browser used by this company. An attacker, preparing for an attack, considers all possible ways to achieve the desired goal and selects the most suitable and effective way. What was found? From our experience, users are more likely to open file attachments rather than provide their data via a web form. In each of the companies that were tested, several employees opened attachments without any delay. Among the email topics used, corporate bonus programs (employee discounts, corporate offers from partner companies) turned out to be the most effective. About 33% of addressees reacted to such letters. Second place went to letters that asked employees to read the new corporate rules or other important corporate documents. Especially successful are attacks that have to do with current events. For example, in December, it is highly effective to offer victims the chance to check the work schedule for the upcoming holidays or find out about discounts on holiday events. This spring, the hottest topic, of course, was COVID-19. 15% of the Malware Tool Studies
AlienVault.webp 2020-08-18 11:00:00 Security concerns and solutions regarding blockchain use in healthcare (lien direct) Image Source: Pexels The healthcare industry is transforming with the integration of ground-breaking technologies capable of storing patient records electronically. The shift to the digitization of systems makes a variety of healthcare solutions possible that never could have been imagined — but it also puts healthcare data at risk to hackers and cyber attacks. In answer to this problem, blockchain technologies are emerging as a viable option for the storage and updating of electronic health records (EHRs). Blockchain software offers potential solutions to security risks as well as many other issues in managing patient data in healthcare. So what’s holding the healthcare industry back from adopting blockchain tech? What security concerns does blockchain usage present? And how might blockchain solve these problems? Here, we’ll examine the state of blockchain usage in healthcare, its concerns, and the solutions made possible through blockchain technologies. Blockchain in healthcare Blockchain, simply defined, is a digital record composed of data in components called blocks. These blocks are stored within a decentralized ledger system that allows for an interactive ecosystem in an often-public market. Since block data is immutable and therefore unable to be tampered with, it allows for security and ease-of-access across networks and geography. In healthcare, decentralized storage of records in a blockchain system has been pushed as a solution to many problems the industry faces. Data breaches and medical fraud as well as often outdated systems of record storage and management are commonplace in the medical field, where Medicare fraud alone costs taxpayers as much as $30 billion a year. In fact, 1 in 4 data breaches occurs in the healthcare industry, according to Duquesne University. 
The massive scale of this illegal activity makes for a difficult problem to solve for healthcare and IT professionals as they attempt to navigate solutions to managing healthcare records with the kind of transferability and analysis necessary in the modern world. Security concerns proliferate in the healthcare industry. Without secure cloud services incapable of corruption at scale, everyone is at risk. Blockchain in healthcare has the potential to change that by offering secure, perpetual records accessible only with verified keys. But blockchain usage does not come without its own concerns. The concerns Though the potential of blockchain stands to resolve so many problems of the current state of medical data, the issues of interacting with an open, decentralized database or a private one through a specific vendor still present problems for patient data security and the care facilities in charge of protecting it. There are two forms of blockchain systems: public chains and private chains. Each comes with its own set of security concerns. Public chains These are the blockchain systems that are most common and prevalent, ecosystems like Bitcoin in which users across the world can participate. This is appealing in medical use because of the transferability and freedom patients would have with their data. However, a public chain would raise a few big concerns with the security a
AlienVault.webp 2020-08-17 11:00:00 Cloud security (lien direct) Introduction / Overview There’s no doubt that the adoption of public cloud deployments has accelerated for most organizations recently. In fact, according to metrics released by Oracle recently, nearly half (49%) of all respondents to the Oracle and KPMG Cloud Threat Report expect to store most of their data in a public cloud by the end of 2020. Effectively managing the security and compliance of public cloud deployments can be tricky for many organizations. The same study revealed that 38% of the respondents indicated that detecting and responding to cloud security incidents is their number one cybersecurity challenge. There are multiple factors that contribute to the issues associated with deploying and maintaining highly secure cloud environments. In this article we’ll explore three of the issues most often encountered: Shared responsibility model Lack of visibility Misconfiguration / Configuration Drift An exacerbating factor in all three common issues noted above is the lack of common terminology amongst components associated with the various public clouds as documented below:
                           Amazon                      Microsoft              Google
Cloud Name                 Amazon Web Services (AWS)   Azure                  Google Cloud Platform (GCP)
Machine                    Instance                    Virtual Machine (VM)   Compute Instance
Storage                    S3/EBS/Glacier              Blob Storage           Google Cloud Storage
Serverless Code Function   Lambda                      Azure Functions        Cloud Functions
In addition to the differing terminology for components between the various public cloud providers, also keep in mind that the individual components themselves often require broad capabilities to effectively monitor and provide the security to maintain the various components within a cloud deployment. For instance, the machines deployed within the cloud may be most effectively monitored using conventional solutions often used in traditional on-prem deployments. T Threat
AlienVault.webp 2020-08-14 11:00:00 The Forrester Wave™: Global Managed Security Services Providers, Q3 2020 (lien direct) AT&T Cybersecurity is ranked among the top managed security service providers in The Forrester WAVE™: Global Managed Security Services Providers, Q3 2020. Among the findings, Forrester recommends customers look for MSSPs that can offer remediation support across hybrid environments and help create efficiencies within your environment. AT&T Cybersecurity managed security services offers: Visibility and coverage across your on-prem, multi-cloud, and endpoint platforms The expertise and experience of managing security for global enterprises Expansive service offerings backed by best-of-breed security technologies Efficient customer collaboration through the AT&T Unified Security Management platform to speed investigations and response Fast access to support and guidance when needed with zero-dollar incident response retainers Continuously updated threat intelligence from AT&T Alien Labs™ The report notes key differentiators as: native cloud support, automation, and remediation. As legacy approaches to managed security services become outdated and less effective, improved action-oriented services will dictate which providers will lead the pack. Vendors that can provide native cloud support, automation, and remediation position themselves to successfully deliver action- and resolution-driven services on all types of infrastructure to their customers. Download your complimentary report today to see what Forrester had to say. Threat Guideline
AlienVault.webp 2020-08-13 11:00:00 AlienApps and plug-ins combined into one framework (lien direct) The heart of any detection and response solution is the ability to collect events from the environment, perform corrective response actions, and integrate with customer workflows. Today, we’re proud to announce the launch of a complete redesign of the user interface for these third party integrations.  We’ve updated our design to make it easier for customers to find the integrations they need, centralize the configuration of them, and identify any operational problems with the integrations. What exactly have we done? Previously, we’ve had two types of integrations with other security and IT products - plug-ins and AlienApps.  Plug-ins were basic data collection tools used to collect, normalize, and enhance event logs from your environment.  AlienApps performed a variety of functions including collection of event data via API polling, requesting third party response actions such as blocking dangerous internet destinations, and sending notifications to ticketing systems such as Jira or ServiceNow®. Now, we’ve streamlined the entire process by combining plug-ins and AlienApps into one framework.  We have also simplified finding the right tool by combining redundant or overlapping ones.  For example, some products previously had different plug-ins for handling different log formats.  We’ve collapsed all these into one for the sake of simplicity, without any functional changes in event handling. From a practical perspective, all AlienApps provide one or more of the following capabilities: Data Collection - capable of collecting events from your environment, including processing syslog messages, retrieving from log aggregation services (such as CloudWatch Logs, or an S3 bucket) and polling APIs. Response - will help your security team “do things” - or, as we say, orchestrate the response - by taking action to investigate or respond to threats.  
Examples include things like querying an agent for additional host telemetry, adding an IP or domain to a block list, or disabling a cloud service account. Notification - help the SOC team be more productive by sending data to third party services and applications such as Jira, ServiceNow, or Box Notes.  The most common use case here is opening a case in your existing workflow. Head over to “Data Sources>Alien Apps” for a look at the new GUI.  The apps currently in use will be shown on this page, along with some useful graphs about application use.  If any of the apps have configuration errors, you’ll see a red bar along with information about what needs to be fixed. See figure 1. To add new integrations to a USM deployment, click “available apps” and search for the vendor.  This will reveal all the apps available for that vendor.  Note that there can be more than one app per vendor - there is one for every product or product line, depending on how that vendor organizes their products.  See figure 2 for an example. Using Response and Notification Actions Nothing has changed about how AlienApp response actions work.  If you haven’t tried them before, manual response actions can be taken in the event or alarm view by clicking on an individual event or alarm, then clicking “Select Action”.  This will bring up a series of dialogs asking you to select the AlienApp you’d like to use, along with other relevant information such as the IP address or host, and any fields needed such as the case name if you are opening a ticket.  Once everything is configured, simply click “run” and the response action will be initiated. Tool Threat
Last update at: 2024-04-26 08:08:00