What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
AlienVault.webp 2020-06-01 11:00:00 Top Cybersecurity threats For seniors (direct link) There are around 39.5 million people in the U.S. aged over 65, and a high percentage of them, particularly women (nearly 40%), live alone. Living alone makes seniors more reliant on technology, which can be a savior (think Zoom, Skype and other communication-centered technology) as well as a threat (from phishing to fake antivirus software and bitcoin scams). Are seniors more vulnerable to cybersecurity threats, and if so, what can be done to reduce their risks? Are Seniors More Vulnerable To Online Scams? You may be surprised to learn that millennials are actually more vulnerable to online threats than seniors. A Federal Trade Commission report shows that “40 percent of adults age 20-29 who have reported fraud ended up losing money in a fraud case” (only 18% of adults aged 70+ are affected). However, the median loss for seniors is significantly higher: $1,092 compared to $400 in the 20-29 age group. Common Cybersecurity Threats For Seniors Cyber criminals often use psychological strategies to attack the elderly. Many retirees have nest eggs that are targeted by fraudsters in ways that prey on specific vulnerabilities. Research published in the journal PLOS One showed that older internet users had almost twice the chance of being victimized by phishing attacks as younger users (53.46% compared to 26.37%). Criminals can also prey on a senior’s loneliness, using dating and romance scams, selling ‘medications’ and inviting users to donate to false charities. Fake websites abound with hidden charges or non-existent products. Finally, overly simple or reused passwords or PINs can be cracked in a matter of minutes. Helping Seniors Stay Safe Trust in scammers sometimes ensues because seniors feel unsafe in their homes. Family members can help by creating a safe environment in which smart home systems boost accessibility and security. 
Seniors who are able to communicate needs and concerns to family members, make requests regarding their needs, and learn to use technology such as voice assistants can be more empowered against scammers trying to abuse their disabilities or vulnerabilities. Family members living far from senior loved ones can also ensure that seniors have access to video call software, especially if they are deaf or mute and use sign language to communicate. The more secure a senior feels in terms of mobility, communication and security, the more likely they are to discuss proposed purchases of software, devices and other items with family members. This sense of safety can help seniors avoid the impulsive purchases or email responses that arise when people are in a state of panic or fear. Cybersecurity Awareness In addition to helping seniors install antivirus software and firewalls, it is important to help family members or clients raise awareness about common types of scams and red flags. For instance, pop-up windows, warnings of a virus and computer issues, and typical phishing email scams should be pointed out to seniors. Equally vital is informing seniors of the dangers of logging into bank and other private accounts through a link. The safe way, of course, is for seniors to directly enter into their financ
AlienVault.webp 2020-05-31 11:00:00 Explain how VPN works (direct link) Global health events in 2020 have accelerated a trend. Office workers are working from home more frequently. This is great for many reasons. Companies can save money on office space. People are often more productive in the environment they’re most comfortable in, their homes. Rush hour can be mitigated with fewer cars on the road. When people connect to their company networks from home, cybersecurity is just as important as when they’re working on their employer’s premises. A lot of sensitive data is on those networks. And a man-in-the-middle attack on their remote connections from home can grant an attacker a dangerous amount of access. The most effective way to secure the communication channels between their workplaces and home is by routing through a VPN. Why VPNs are top of mind right now Consumers are also becoming more aware of cyber risks. It’s now understood that all network data should be encrypted, even for everyday internet use. Commercial VPN services have become a popular way to secure internet traffic through both encrypted and unencrypted internet ports. VPN use is on the rise for industries and consumers alike. It’s important to understand how a VPN works to optimize both security and functionality. What is a VPN and how does it work? A VPN is a series of virtual connections routed over the internet that encrypt your data as it travels back and forth between your client machine and the internet resources you're using, such as web servers. Many internet protocols have built-in encryption, such as HTTPS, SSH, NNTPS, and LDAPS. So assuming that everything involved is working properly, if you use those ports over a VPN connection, your data is encrypted at least twice! PCs, smartphones, tablets, dedicated servers, and even some IoT devices can be endpoints for a VPN connection. Most of the time your client will need to use a VPN connection application. 
Some routers also have built-in VPN clients. Unlike proxy networks such as Tor, VPNs shouldn't noticeably slow down your internet traffic under usual circumstances. But some VPNs are faster than others, and one of the most important factors is how many VPN clients are using a VPN server at any given time. A VPN connection usually works like this. Data is transmitted from your client machine to a point in your VPN network. The VPN point encrypts your data and sends it through the internet. Another point in your VPN network decrypts your data and sends it to the appropriate internet resource, such as a web server, an email server, or your company's intranet. Then the internet resource sends data back to a point in your VPN network, where it gets encrypted. That encrypted data is sent through the internet to another point in your VPN network, which decrypts the data and sends it back to your client machine. Easy peasy! Types of VPN technologies Different VPNs can use different encryption standards and technologies. Here's a quick list of some of the technologies that a VPN may use: Point-to-Point Tunneling Protocol: PPTP has been around since the mid-1990s, and it's still frequently used. PPTP in and of itself doesn't do encryption. It tunnels data packets and then uses the GRE protocol for encapsulation. If you're considering a VPN service which uses PPTP, you should keep in mind that security experts such as Bruce Schneier have found the protocol, especially Microsoft's implem
AlienVault.webp 2020-05-27 11:00:00 How malware mimics the spread of COVID-19 (direct link) It’s a weird time to be alive. Millions of people globally are living under government lockdowns, as we collectively endure the COVID-19 pandemic. COVID-19 has brought to light some fundamental truths about humanity, including our deep-seated need for social interactions. It has also highlighted how reliant we are on critical infrastructure like our healthcare systems and internet connections, both of which are currently strained. One of the most fascinating by-products of the COVID-19 pandemic for me personally, however, is how it has suddenly brought science and public health back to the fore of conversation. We are all washing our hands more, practicing social distancing, and acutely aware of how our choices may impact other people. Those of us in white-collar professions, including the technology field, are also now working from home in order to practice safe social distancing, which has created a host of significant cybersecurity vulnerabilities. I graduated with my Master's in Public Health from UC-Berkeley in 2011, and I love understanding the spread of disease and the impact of interventions like vaccines (and more mundane things like trash cans!). In 2014 I entered the field of cybersecurity via IBM, which then led me to complete a Master's in Cybersecurity from Brown University in 2018. These two degrees seem very different from one another, but the two fields have clear parallels. Much of our language in cybersecurity is borrowed from healthcare. A computer gets “infected” with a “virus” that spreads across endpoints. Sound familiar? You just replace computer with “human” and endpoints with “population,” and you essentially have a pandemic. As the world has adjusted to living under the threat of COVID-19, I began thinking about how similar a pandemic is to malware. Can understanding COVID-19 help us understand malware or vice versa? 
Let’s explore this together and see if the analogy holds. To do this, we will break down how the COVID-19 pandemic works first, along with the mitigation efforts, and then explore the parallels to malware and cybersecurity. What is a pandemic? According to the CDC, “A pandemic is a global outbreak of disease. Pandemics happen when a new virus emerges to infect people and can spread between people sustainably. Because there is little to no pre-existing immunity against the new virus, it spreads worldwide.” Enter COVID-19 COVID-19 is the name of the disease caused by the novel coronavirus, SARS-CoV-2. SARS-CoV-2 spreads from person to person, through droplets or aerosols, by entering the nose, mouth, or eyes. Aerosol spread is particularly infectious, because it means that an asymptomatic person can spread the disease just by talking, and the virus particles can live in the air up to three hours. When you become infected by SARS-CoV-2, you have COVID-19 (the disease state), even if you are asymptomatic. Stopping the spread As COVID-19 spread around the world, “hotspots” developed in China, then Italy and other parts of Europe, followed by New York City. Social distancing became a primary means of mitigating the spread. Countries like South Korea and New Zealand implemented vast testing protocols early and began contact tracing, so that huge parts of society did not have to shut down for long periods of time. Time to contrast the COVID-19 pandemic with malware. What is malware? Malware is an abbreviation of “malicious code.” NIST defines malware as “hardware, firmware, or software that is intentionally includ Malware Vulnerability Threat
AlienVault.webp 2020-05-26 11:00:00 (Déjà vu) Stories from the SOC - System compromise with lateral movement (direct link) Executive Summary Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. Malicious network traffic from foreign IPs was observed trying to establish communication with a compromised internal system. The internal system was then observed trying to execute lateral movement to other internal systems by undertaking nefarious actions that were essentially blocked by the on-premises Host Intrusion Detection System (HIDS). Investigation Initial Alarm Review Indicators of Compromise (IOC) Image 1 - Initial Alarm Observing the initial alarm, the first event captured was an internal IP out-calling to a known malicious C2 IP (208[.]100[.]26[.]245). This simple event is an initial clue that the internal system is potentially compromised. A hasty review could suggest that the alarm could be closed out as auto-mitigated, given that we’re observing that the session had been denied. But a good analyst should dig a little deeper in order to confirm that no persistent threat remains within the internal system that tried to out-call the malicious C2 IP. Expanded Investigation Events Search Image 2 - Pivot on IP/Events In order to further investigate the alarm, we dropped down to the child server/customer deployment to pivot on events logged by the internal IP (asset 1), in order to correlate and identify any suspicious activity observed within the internal system. The analyst should take full advantage of the visibility into the different data sources compatible with USM Anywhere in order to build a more complete profile of the traffic being generated by the asset in question. In the alarm/event, we observed firewall and endpoint events associated with the internal IP. 
This obviously indicates that the internal IP/asset was undertaking activities that are being blocked/denied by these two security tools. Further investigation should be undertaken. IOC - Malicious C2 server: Reviewing the different endpoint and firewall logs, we confirmed that the internal system was in fact compromised and observed an attacker attempting malicious lateral movement. Specifically, they were trying to access port 445 SMB and attempt a brute force authentication against another internal asset. As seen in the screenshot below, event ID 6045 was generated and indicates an "SMB Brute Force Attack" with threat severity "Critical". Image 3 - Lateral Movement Reviewing for Additional Indicators The agent installed on the compromised endpoint was able to give deeper insights into the actual system, such as services running, open ports, and installed software. By analyzing the enriched data reported back from the agent and previous scans, we found that the compromised system had SMB port 445 open and was running an EOL version of Windows XP. This indicates that no Microsoft security updates have been installed and that some of the most exploitable vulnerabilities, such as Bluekeep, affecting SMB over IP were surely present on the compromised system. This evidence further confirmed the asset as a probable entry point for the compromise and built the beginnings of our remediation and containment recommendations. Referencing the Malware Threat
AlienVault.webp 2020-05-19 12:00:00 TrickBot BazarLoader In-Depth (direct link) Ofer Caspi, a fellow Alien Labs researcher, co-authored this blog. Executive Summary AT&T Alien Labs actively tracks the TrickBot group through an automated malware analysis system, hunting, and in-depth technical research. On April 20th, 2020, independent security researchers “pancak3lullz” (@pancak3lullz) and Vitali Kremez (@VK_Intel) posted a tweet regarding two new TrickBot modules aptly named “BazarLoader” and “BazarBackdoor” after attempted Command and Control (C2) communications with the Emercoin DNS (EmerDNS) .bazar domains. EmerDNS is desirable for attackers because it is a distributed blockchain that is decentralized, cannot be censored, and cannot be altered, revoked or suspended by any authority. Alien Labs’ automated malware analysis engine had picked up these samples a few days earlier (e.g. 7c93d9175a38c23d44d76d9a883f7f3da1e244c2ab6c3ac9f29a9c9e20d20a5f). BleepingComputer posted a blog with input from Vitali Kremez regarding a phishing campaign distributed through the Sendgrid email marketing platform delivering COVID-19 lures that ultimately led to the TrickBot BazarBackdoor. The purpose of this blog is to provide additional technical details and an in-depth study of the signed TrickBot BazarLoader. Background Since TrickBot was discovered in 2016, it has been involved in information stealing, credential theft, ransomware, bitcoin mining, and loading other common crimeware malware as a first or second stage loader. For initial access as a first stage loader it typically accomplishes its objective through spear phishing links (T1192) or spear phishing attachments (T1193) using macro-enabled Microsoft Office files. As a second stage payload and Dynamic Link Library (DLL) it is frequently loaded by Emotet. To a lesser extent TrickBot has been loaded by the Ostap JavaScript Downloader and Buer Loader. 
In higher-priority, higher-profile TrickBot Anchor campaigns that target enterprises, PowerTrick and more_eggs/TerraLoader have been used to load other frameworks. TrickBot has recently added a Remote Desktop Protocol (RDP) brute force scanner module, an Active Directory (AD) harvesting module, and the mexec executor module. There are some indications that TrickBot may be moving away from their mshare, mworm, and tabDll modules for retrieving payloads from URLs in favor of the “nworm Malware Threat Guideline
AlienVault.webp 2020-05-18 12:00:00 Disruption on the horizon (direct link) Innovations in technology have been a prime agent for disruption throughout much of human history. Advancements in materials science gave English archers, with their superior longbows, the advantage over the French in many conflicts during the Hundred Years' War, such as the Battle of Agincourt. In the late 2000s, the music industry was forced to reinvent itself in the face of changing consumer consumption models as a result of technological advancements, or become irrelevant. As cyber security professionals we are often caught in the wake of disruptive changes as a result of technology adoption (e.g. cloud), changes in operational paradigms (e.g. DevOps), or regulatory/compliance developments (e.g. GDPR, CCPA, etc.). Recognizing this, how can we proactively identify such changes before they start to impact our operations? While practically any technology or process can potentially upend your security paradigm, currently cited examples of disruptive technologies typically include some, or all, of the following: edge computing; the disappearing perimeter; distributed ledger solutions; machine learning / AI; quantum computing; infrastructure as code / software-defined everything; 5G; cloud / microservices / serverless functions; IoT; digital transformation. In reviewing these technologies, we can see common themes begin to emerge. 
Regardless of the benefits or new business opportunities they may bring to the organization, these solutions, either individually or in combination, are also likely to: increase the attack surface of the organization; create a skills gap in current IT and security staff; become a double-edged sword by increasing the effectiveness of threat actors as well as organizational security staff; bypass or undermine the effectiveness of existing physical or logical controls; enable data proliferation prior to the availability of platform-specific, proven security controls or architectures; and expose gaps in security policies or business continuity plans for which no precedent has been established. For example, Quantum Computing will dramatically improve the efficiency of computation for certain kinds of workloads. This leap forward in computing capabilities could lead to new discoveries in a number of fields. However, Quantum Computing will also undermine the effectiveness of many of the current encryption solutions that have provided security for our communications and data transactions to date (https://www.businessinsider.com/7-emerging-technologies-that-cybersecurity-experts-are-worried-about-2019-10#quantum-computing-could-easily-crack-encryption-2). State sponsored threat actors will have access to such platforms very early on (and likely already do). However, since broader access to such computing platforms will likely be made available in the cloud, other threat actor groups will be able to utilize these platforms sooner than you might think. Given an organization’s compliance concerns, the risk posed to legacy encryption solutions for data at rest and in transit will likely require updates to security policies and requirements for how data is encrypted and potentially where encrypted data resides. Even at a high level, this thought exercise illustrates how innovations can impact the technical and operational environments, but in this, not all businesses are created equal. 
The degree of disruption caused by a technology innovation, or combination of innovations, is both industry dependent and business specific.  Revisiting the music industry example, the rise of compressed digital music formats when c Threat Guideline
AlienVault.webp 2020-05-14 12:00:00 The importance and security concerns of staying connected during the COVID-19 pandemic (direct link) The COVID-19 pandemic sweeping the globe has effectively put a stop to the bulk of face-to-face interactions. With social distancing and shelter-in-place orders in effect, people are stuck at home and relying on the Internet not only as a tool for communication and entertainment but as their only way to earn money during this hectic and uncertain time. With this new and unexpected reliance on connectivity, both companies and consumers should take extra precautions to ensure that their data is protected. Cybercriminals are using this chaotic situation to try to obtain sensitive materials. Online Access Is More Important Than Ever The COVID-19 pandemic has left millions unemployed or working exclusively from home without warning or time for preparation. Fortunately, many Internet providers are offering low-cost options and waiving late payment fees to ease the financial burden on those who are stuck at home without gainful employment. Regardless of whether people are working from home or not, they still rely on the Internet for socialization and entertainment since both of those “in-person” options have been taken away unceremoniously. As more and more people find themselves using their Internet connections for work and leisure during their time indoors, solid and reliable service has become vital for many. Outages could have potentially disastrous results, not only for individuals but for entire companies and their workforce. Everyone has now been moved exclusively online. This situation has put tremendous pressure on the Internet infrastructure throughout the world and has heightened the need for cybersecurity measures across the board. 
Whether working from home or simply using the Internet for entertainment purposes, the increased number of people who are online means that there are more opportunities to fall prey to cyber-attacks. It is important for those who find themselves spending significantly more time online to exercise increased caution in the coming weeks and months to protect themselves and their workplaces from criminals who seek to do serious harm. How Cybercriminals Are Taking Advantage Working from home, while being a great opportunity for many to continue making money, has also introduced many workers to online work-related software for the first time. This inherently increases the risk of cyber-attacks and phishing schemes due to increased online traffic from people who may not be well-versed in cybersecurity practices. Phishing schemes can prey on anyone who uses the internet. They work by getting users to click on malicious links or documents. The risk of this has increased during the COVID-19 pandemic due to the sheer number of e-mails being sent to and from employers and employees, providing the opportunity for cybercriminals to prey on those who aren’t used to practicing basic cybersecurity as part of their daily work. With so many workers turning to their smart devices to work, mobile application security is paramount to the cybersecurity of both personal files and sensitive data that they might have access to through work. While many people ar Tool Threat Guideline
AlienVault.webp 2020-05-13 12:00:00 Why cybersecurity In the healthcare sector needs improvement (direct link) This blog was written by an independent guest blogger. A recent attack on a hospital in Brno, Czech Republic (a COVID-19 testing center) showed the extent to which weaknesses in a health center’s cybersecurity system can endanger the lives of patients. During this attack, patients had to be redirected to other hospitals and vital surgeries were postponed, all during a time in which vital testing needed to be carried out and releases needed to be sped up. A study published in the journal Technological Health Care by CS Kruse et al. has found that “The healthcare industry is a prime target for medical information theft as it lags behind other leading industries in securing vital data.” It is vital, warn the researchers, to invest time and funding in protecting healthcare technology and in ensuring the confidentiality of patient information. Time is of the essence in healthcare Cybersecurity attacks interfere with vital work undertaken in the health sector, for instance when ransomware makes crucial data inaccessible. Cyber attacks also lengthen already excessive waiting times, clogging systems during health crises such as the current COVID-19 pandemic. A recent Guardian article revealed that in many American hospitals, health insurance authorization can take days, leaving patients stuck in the hospital at a time when beds are needed. Some groups in particular, including military veterans, have coverage for which authorization can take time to receive. This is because not all vets are covered by TRICARE or the Veterans Health Care Program. If they have a high enough disability factor, they may be enrolled in different benefits plans than those without disabilities. Bureaucratic requirements can also vary depending on the institution and its verification requirements. 
What are the most common attacks on the healthcare sector? Attacks on hospitals and other centers that obtain and record data include ransomware attacks and (currently) COVID-19-themed phishing attacks. Healthcare professionals such as nurses and doctors, who have access to a wide array of data, are often the target of phishing scams. The new importance of remote work has also led to big weaknesses in security systems, with individual home systems often lacking the safety features that in-hospital systems rely on daily. Threats also include cloud threats owing to the lack of proper encryption, misleading websites that are similar to trustworthy sites, employee errors (weak passwords and failure to comply with security protocols), and blind spots in encryption systems. Crucial steps for health organizations To combat these attacks, healthcare organizations need to adopt optimal centralized security with enhanced detection and response. They also need to review current security systems to spot potential weaknesses and take into account all aspects of current operations, including employees’ wearable devices, smartphones, cloud sharing systems, and the like. Health Ransomware Guideline
AlienVault.webp 2020-05-12 12:00:00 The relationship between security maturity and business enablement (direct link) A seminal report exploring the correlation between cybersecurity and positive business and security outcomes. Now more than ever, organizations globally want to better understand, manage, and minimize security risks. To achieve this, security leaders should be regularly assessing their processes and programs to gain a sense of their organization’s security maturity, where gaps exist, and what can be done to improve security posture. In March 2020, AT&T Cybersecurity and Enterprise Strategy Group (ESG) completed a benchmark survey aimed at helping organizations understand what a mature cybersecurity program looks like and how that maturity influences security and business outcomes. Results from the 500 security professionals surveyed on their processes, policies, and controls were mapped into the NIST Cybersecurity Framework’s (CSF) five foundational cybersecurity functions: identify, protect, detect, respond, and recover. The goal of this unique research was to validate if, and to what degree, organizations in better alignment with best practices prescribed by the NIST CSF can operate more secure environments and better enable their businesses. This was accomplished through the creation of a data-driven model that segments respondents into three levels of cybersecurity maturity: emerging organizations, following organizations, and leading organizations. By comparing survey results across these levels, the model allows us to use data to quantify the differences in security and business outcomes that exist as maturity level improves. One of the more interesting findings that came out of the research (and quite a hopeful one) is that cybersecurity maturity is not directly dependent on company size. 
One might assume only the largest organizations, with the most resources, would be able to implement a cybersecurity program sophisticated enough to achieve “leader” status. However, the research shows that the median company size is identical across all three maturity levels – “leading”, “following”, and “emerging.” The fact that there is no correlation between company size and maturity level indicates to us that doing cybersecurity well is less a function of resources and more a function of thoughtful consideration, planning, and organizational culture. While technology and staff investments matter, the research indicates that organizations of any size can achieve a highly mature cybersecurity program. To read these research findings, download the full report. There's also a nice infographic.  In addition to our research, AT&T Cybersecurity and ESG have developed a free self-assessment tool that enables organizations to measure their security maturity based on the survey’s benchmark data and the NIST cybersecurity framework. Take the free maturity assessment.   Tool Guideline
AlienVault.webp 2020-05-11 12:00:00 Stories from the SOC - Office365 Credential Abuse (lien direct) Executive Summary Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. The most critical element in combating malicious attempts on technology today is visibility. When considering the sheer amount of various cloud, firewall, IDS/IPS, anti-virus, etc. offerings, integrations are a necessity to enable effective security. Unified management is unachievable unless you can effectively consume and correlate a variety of log feeds that can be analyzed through the proverbial “single pane of glass.” By leveraging the AlienApp for Office365, we presented a compromised Office365 account to the customer who then confirmed our suspicion, reset the account, and implemented multi-factor authentication for that user. Though the AlienApp provides an incredibly insightful view of an Office365 environment, the ability to correlate events across multiple data sources enables an analyst to understand and determine the baseline activity of our clients, enhancing our detection and response capabilities. Investigation Initial Alarm Review Indicators of Compromise (IOCs) The initial alarm surfaced as the correlated result of two UserLoggedIn events that were within 10 minutes of each other but originated from 2 distinct countries. The abnormalities in login behavior indicate that a user’s credentials were most likely compromised. Initial credential problem identified Figure 1 - Initial Alarm Expanded investigation Alarm Detail Also included in the alarm details is the associated MITRE ATT&CK® rule attack ID, which afforded the ability to efficiently and expeditiously gather relevant information about this potential attempt to compromise the customer’s Office 365 account. 
The synopsis for this attack technique is defined as the attempt to “… steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process…”   Correlation Rule Logic correlation rule logic Figure 2 - Correlation Logic Correlated Events correlated events Figure 3 - U.S. Login Event Simultaneous logins were detected from both the United States and a foreign country, generating two events, like the one pictured above, with different source countries. These successful logins occurred within two minutes of one another; thus, triggering the Credential Abuse alarm. Response Building the investigation The successful login attempts’ origin and volume deriving from the United States fall within the baseline activity for this user. However, there was a sudden surge in attempts from a foreign country that aligned with the timeline of when this account had appeared to have been successfully compromised. Customer interaction In order to effectively articulate the login irregularities to the customer, our team did a retrospective query to analyze successful authentication attempts for this particular Office365 user. Utilizing advanced query capabilities within USM Anywhere Threat
AlienVault.webp 2020-05-07 12:00:00 Remote workers making mobile management and security first priority (lien direct) Your employees are remote, are your endpoints protected? In recent years, many businesses had already begun planning for a gradual shift towards an increasingly remote workforce, yet fewer had implemented a mobile-first strategy, and some were still formulating strategies. At a gradual pace, IT administrators could handle a small percentage of remote workers and saw the management features of device enrollment programs and network security measures as enough to manage a few remote devices and cyber risks. Enter the new reality of 2020 and a sudden, unplanned thrust towards an almost entirely remote workforce: many businesses have been scrambling to mobilize; employees are using personal devices to stay connected to work; and IT administrators are straining to keep up with the huge influx of managing and protecting devices. Whereas at the start of 2020, manual device management processes and little, if any, mobile security may have been good enough, the almost-instant change in circumstances makes manual device management cumbersome and a lack of robust mobile security controls leaves businesses exposed to cyber risk. Now more than ever, businesses must move quickly to assess and adapt for resiliency across their entire ecosystem, especially their remote and mobile workforces. Unified endpoint security should be one of the top priorities. Hearing the term “endpoint,” one primarily thinks of a laptop or desktop. However, endpoints are really anything connected to the company network or the internet. This includes mobile phones, smartphones, tablets, servers, and even specialized hardware such as Point of Sale (POS) systems and other Internet of Things devices. And in this current environment, it also means corporate-owned and bring your own devices (BYOD) as well as various operating systems. 
Ultimately, this suggests that “endpoint security” encompasses many unique variables that need to be managed. Implementing an industry-leading Unified Endpoint Management (UEM) solution is paramount given these circumstances. UEMs onboard, deploy, configure, and enroll devices so that the workforce can get up and running quickly. They help devices stay compliant with industry- and company-mandated regulations. UEMs today are also able to do advanced IT management actions like view or remote in on a device as if they had the device in their hand to help troubleshoot issues. All key capabilities when the IT manager can’t be in the same room as the device. UEM describes only the management aspects of unified endpoint security. Businesses must also consider the security elements needed to protect endpoints from advanced cyber threats. Endpoints have a huge target on them for cyber criminals with 70% of breaches originating on the endpoint. Cyber criminals recognize that endpoints are an effective way to launch an attack. Recent mobile device testing revealed up to 25% of employees are fooled into clicking phishing links.  Although businesses recognized Malware Threat Guideline
AlienVault.webp 2020-05-06 18:00:00 Recalling the ILOVEYOU worm from 20 years ago (lien direct) Twenty years ago, the ILOVEYOU worm utilized the most basic human emotion, the desire to be loved. It replicated itself at unprecedented rates that spurred the imagination of hackers and the cynicism of the general public. The on-line world was never the same. As with all worms, the ILOVEYOU worm operated as a standalone program.  It is a Visual Basic script that was circulated as a file named LOVE-LETTER-FOR-YOU.TXT.vbs.  It came attached to an e-mail with a three-word subject line, and a body that consisted of one sentence.  And that’s it.  There was no urgent push to “Read now!  Now! Now!”  No promise of good fortune if you open the attachment.  No threat of your bank account being closed if you don’t open it.  It was just a handful of words asking you to please open the attached love letter.  And when you did, (in the original strain) it made copies of itself, hid itself, became persistent on bootup, manipulated your media files, and of course propagated to more computers by sending the same email to everyone in your address book.  So, on May 5, 2000 the whole world was getting love letters via email.  It appeared to the reader as if it were from a familiar source and had none of the spammy language users were accustomed to watch for by then.  And every single hopeful or curious double click to see the contents of the letter resulted in another batch of the worms being sent out.  It is estimated that in less than 24 hours, the virus spread to 45 million computers around the world and ultimately (after inspiring over 26 strains) caused $15 billion in damage reaching 10% of the world’s computers.  This may not sound significant compared to the cost of ransomware and damages from other cybersecurity incidents we have seen since 2000 but, at the time, this rate of spread was unheard of.  
The year 2000 was a different time when anti-virus wasn’t seen as a necessity for every computer. Many companies mitigated the risk by simply disconnecting their mail servers.  Can you imagine any company shutting down their mail server today for risk mitigation?  The world, having earlier survived the theorized Jan 1, 2000 Y2K meltdown and feeling optimistic about the role of computers in our lives, went to bed a less trusting on-line community twenty years ago. We live in a much different world than the one upon which the ILOVEYOU worm was released, but the underlying human exploit is still there.  The desire to feel loved, among other basic human emotions, is a button waiting to be pushed by malicious actors. In these days of uncertainty caused by the COVID-19 biological virus, fear is a button begging to be pushed.  These fears make it more likely for someone to click on an attachment or link claiming to provide updates and warnings about the situation.  So please stay alert for those COVID-19, Zoom™, Teams, and other work-from-home themed phishing attempts and let’s avoid creating any new anniversaries for worldwide malicious events.     Ransomware Threat
AlienVault.webp 2020-05-06 12:00:00 Balancing security and flexibility with a remote workforce (lien direct) This blog was written by an independent guest blogger. According to the Pew Research Center, last year, roughly seven percent of U.S. workers regularly enjoyed the option of working from home. Well accustomed to the nature of remote work, these individuals were equipped with stable internet connections, collaboration and communication tools, and security technologies that helped them excel from their home offices. As concerns regarding the spread of COVID-19 grew, nations around the world opted to enforce social distancing guidelines to prevent the infectious disease from spreading. In response, companies of all sizes have been forced to embrace remote work without much time to plan ahead. Some businesses have shifted to as much as one hundred percent of their employees working from home. As all parties involved adjust to this new way of working, critical concerns regarding the security of data and systems have surfaced and must be addressed to prevent cyber breaches. Here are five tips every enterprise should consider for better security of remote workers: Ensure your information security policy covers remote work use cases In companies unaccustomed to remote work, information security policies tend to be written under the assumption that employees are on site. This has led to gaps in guidance on how workers should maintain the security of data and applications while working remotely. The sudden shift to home office setups requires that policies and procedures be established or updated to account for this new reality. Examples of relevant remote security policy components include, but are not limited to, mobile device management, access control, and acceptable use. For example, a Mobile Device Management (MDM) policy should describe the controls required to secure, monitor, and manage mobile devices used by employees. 
An access control policy is another common policy that already exists in most companies; however, it may not have been written with remote work in mind. This policy should include guidance on granting, monitoring, and terminating remote access for employees and third parties. VPN at home Photo by Dan Nelson on Unsplash Address security risks associated with employees working on personal devices Some employees are now required to use personal devices to access sensitive information for work-related tasks. This increases the risk of potential data loss or leakage, and also makes it challenging to maintain visibility into employee actions. Defining a Bring Your Own Device (BYOD) strategy is an essential step in enhancing company security when employees may begin using their personal devices for business purposes. The policy should include guidelines on the minimum required device security controls, acceptable use cases, prohibited actions, and information on any company-sanctioned security tools that can be used to conduct business securely. It’s also important to discuss any employee rights or privacy implications when managing personal user devices that are connected to the corporate network. Lastly, the strategy should include plans for addressing lost or stolen personal devices that may have included sensitive company information. Get a handle on growing third party risks A Malware Guideline
AlienVault.webp 2020-05-04 12:00:00 5 defensive COVID-19 actions IT managers can take now (lien direct) As if there wasn’t enough to worry about these days, cyber attacks have taken a sharp uptick since the COVID-19 pandemic began this year. From January to March, AT&T Alien Labs Open Threat Exchange (OTX) saw ​419,643 indicators of compromise (IOC) related to COVID-19, including a​ 2,000% month-over-month increase from February to March. Cybercriminals are taking advantage of the shift to remote working, increasing their volume of attacks by nearly 40% in the last month. Home routers have been hijacked. COVID-19-themed phishing attacks have jumped 500%. And most of 4,000 new COVID-19 domains are suspected of criminal intent. Companies large and small are in a bad spot on this one. Asking staff to come to the office could worsen the health crisis. Having them work at home creates a vastly increased attack surface that cybercriminals can easily exploit. And in the meantime, trying to highly secure every employee’s home is about every IT Manager’s worst nightmare. I have the advantage of working for a large company, where there is not much difference between working at the office or at home. But for most, the new remote work environment ushers in an entirely new security landscape overnight. Long term, this means acceleration of cloud security and zero trust models. But for the short term, here are a few suggestions that I’d like to offer. These may be basic concepts, but in security, the basics matter most, and they are often easy to implement. 1. Teach staff how to “socially distance” their home networks. When you think about who is using a home WiFi network in an average American family, it is unlikely that many of them are particularly cyber-savvy. 
If one or more adult members of a typical family are connecting to the office by remote these days, that leaves gaps for children, visitors and non-working adults who may also be accessing the internet via that home network. The first and easiest “fix” that staff should do is to partition their home internet access. They should try to avoid children, their schoolmates, and even adult friends playing video games, checking email, and downloading movies on the same network connection that is used to log into the office. This opens the door to a tidal wave of unknown vulnerabilities. Staff should also avoid logging in on the same connection utilized by home IoT devices such as smart thermostats, wireless doorbell cameras, and virtual personal assistants. If you need any convincing of the vulnerability of those sorts of endpoints, read this article. Isolating a home network connection no longer requires particularly deep IT skills. There are many home and small office routers at around the $100 price point which offer VLAN support of one type or another.  Most WiFi kits offer the ability to set up a “guest” network. IT departments can provide easy, step-by-step instructions to employees working remotely on how to set this up on common routers and impress upon all managers the import Malware Vulnerability Threat Guideline
AlienVault.webp 2020-04-30 12:00:00 AT&T Cybersecurity receives Frost & Sullivan award in Managed Security Services (lien direct) Recently, we learned the good news from industry analyst firm, Frost & Sullivan, that we received the 2019 Frost Radar Award for Growth, Innovation & Leadership (GIL) in the Global Managed Security Services (MSS) Market. Frost & Sullivan’s global team of analysts and consultants recognized our achievements in innovating and creating new products and solutions that serve ever-evolving customer needs. The criteria analyzed by Frost & Sullivan to determine the award were innovation, scalability, research and development, product portfolio, mega trends leverage, customer alignment as well as business factors including market share, revenue growth, growth pipeline, vision and strategy, sales and marketing. In particular, the analysts noted AT&T Cybersecurity as one of the most significant contributors to the rapid growth of the security market, as well as the overall pace of technological innovation. This recognition is noteworthy. It validates our years of experience in helping to protect network assets and our deep industry expertise; it supports our approach to helping enterprises fight the complexity and cost of cybercrime that is integrated, automated, and orchestrated with the right people, process, and technology. With our portfolio of managed security services, including AT&T Managed Threat Detection and AT&T Global Security Gateway, organizations can help to  reduce business risk and achieve cybersecurity efficiency within budget. And, the Frost Radar Award demonstrates we are at the forefront of the changing cybersecurity landscape and the increasing adoption of MSS. There are several reasons for this MSS growth. More organizations are realizing fighting cybercrime is not their core competency, and they don’t have the resources to tackle it; especially during the current global health crisis. 
It is difficult to evaluate, adopt, implement, and actively manage up to 75 or more different cybersecurity solutions needed to meet today’s security needs. Also, transitioning to next-generation services such as 5G, IoT and Edge Computing, as well as cloud-based business models, adds to the complexities of managing cybersecurity as IT environments become more complicated. Ultimately, we understand cybersecurity is a journey, not a destination. Our mission is to be the trusted advisor for enterprises on the road to cybersecurity resiliency, making it safer for them to innovate. For more information on our Frost Radar award, visit our resource center.        Threat Guideline
AlienVault.webp 2020-04-29 12:00:00 Have you started working from home? Secure your endpoints! (lien direct) This blog was written by an independent guest blogger. Due to recent international events, there are likely millions of people in the United States and around the world who have just started working from home. There are a lot of office jobs that could move from the company’s workplace to employees’ homes-- accountants, web designers, application developers, network administrators, lawyers, clerical jobs, stock traders, data entry people, call center agents, tech support agents, and probably many other white collar roles. I write web content about cybersecurity for a living, and I’ve always worked from home. Welcome to my world, millions of people! Try to save watching a TV show or playing a video game for after you’ve done your tasks for the day. But if your work has frustrated you by lunchtime, a nice long relaxing shower often helps. Maybe you have young children or pets at home who want your attention. You will need to shift your attention between playing Paw Patrol for your kids and walking the dog, and getting back to your task at hand. But there’s an upside. If you make yourself a yummy lunch and put your leftovers in the fridge, your coworkers won’t be able to steal them! Maybe your kid or spouse will, but you won’t resent them enjoying your pasta casserole. Now your home PC may be your office. And when you connect it to your company’s network, it will become one of its endpoints. Chances are your company’s network administrators and various security practitioners have taken some care to secure the endpoint (PC) that the company owns. Your user account probably has access to some files and folders on your employer’s servers, but no access to others. There’s likely some sort of information security policy that’s being enforced. 
If there’s some anomalous activity on your work PC, your IT department or security operations center should be investigating whether it’s an indication of a cyber attack. But you’re not in your company’s office anymore. You’re at home. And your own home PC is just as attractive a target to cyber attackers as the PC your company provides you in your workplace. Especially if your home PC is connected to your company’s network. So even though you can eat fish at your desk without your coworkers complaining, cybersecurity should be taken just as seriously. And because you own this endpoint, you have the responsibility to security harden it. So here are my tips for you. Only you should access your home endpoint As I said, when your home PC connects to your company’s network, it becomes one of the network’s various endpoints. Chances are you’re authorized to access some data resources on the network that a cyber attacker would love to have. Financial data, internal documents and memos, internal applications, logs, and likely other sorts of sensitive data as well. And even if you’re not an administrator, an attacker may want to access your user account and perform privilege escalation attacks until they’ve acquired admin access. But they can’t escalate privileges if they don’t have access to your user account in the first place. Put a strong password on your user account in your operating system, whether it’s Windows 10, macOS, or even if you’re a desktop Linux-using weirdo like me. It should have more than ten characters, with upper and lowercase letters, numbers, and special characters. Don’t make your password “Tabby” because that’s your cat’s name and only you and your family have physical access to your PC. Assume that an attacker could acquire remote access to your PC through the internet. But a cyber attacker is unlikely to physically enter your home. 
So if you have to write your operating system password on a Post-it Note in order to make it really complex and still be able to use it, so be it. If your spou Malware Patching
AlienVault.webp 2020-04-28 12:00:00 Working from home? Use the spare time for professional development (lien direct) This blog was written by an independent guest blogger. It’s 2020 and our world is rapidly evolving.  Many conferences and training programs have been cancelled, most of us are working from home, and it may seem like learning opportunities are scarce.  If you are locked in your house due to COVID-19, what could you be doing to improve your cybersecurity & information security skills?  Let me share a few ideas. Let’s start with the most straightforward suggestion I give every person who wants to jump into infosec.  In my opinion, it is the fundamental skillset that will lift you above any and all of your peers and most seasoned professionals. Many in the industry consider it beneath them and so boring that it is often overlooked, but it is so essential to almost all organizations that people who have this skillset become critical to infosec operations and can easily flip between blue team and red team operations.  So what is my first recommendation? Learn Microsoft Active Directory. Microsoft Active Directory (AD) is the heart and brains of most organizations today.  AD controls who and what is part of the corporate network, access and permissions rights, visibility, logging and reporting, and more.  When malicious actors want to “stop by for a visit”, their initial goal is to gain access to AD so that they can accomplish their larger objectives.  Think about this for a second: your wifi Access Point is nice, your endpoint is nice… but Admin privileges on the Domain Controller?!?  With those, they can go anywhere and take anything on the network. Here’s a bigger secret: Most AD environments are a mess.  Total disasters that are being held together by hopes and prayers… and it is only getting worse.  Organizations buy products to enhance their security because they don’t know how to use Active Directory!  
If you learn how to build trust relationships, user permissions and shares, roles, a GPO set that actually works the way it is supposed to, PKI management, proper logging and reporting and apply that knowledge to your environment, you will have  a very clear understanding of how malicious actors will attack you and how to identify and stop them. My second recommendation, if you are able to, is to learn how to use the security tools your organization owns. In my experience, many organizations purchase tools for a specific purpose rarely implementing all of the tools features.  People that have a deep understanding of each of the tools become invaluable when something goes wrong.  My secret? Start with the tools that the team takes for granted, the tools others don’t find interesting.  Some examples I’ve seen throughout my career include Antivirus, endpoint encryption, multi-factor authentication, but sometimes it can be firewalls, EDR or other tools.  Often it is the tools that team members have the least experience with or know the least about.  Regardless, all of these provide an opportunity to learn more, enhance your skills, and become more valuable to the security organization. My third recommendation is to build your professional network.  Now is a perfect time to join LinkedIn and Twitter.  Now is a perfect time to join virtual meetups, free training sessions, and chat groups.  It doesn’t matter how much you know, if this is day 1 or day 10,000 in cybersec, engaging (professionally and politely) with others is a great way to widen your perspective, learn new things, and develop professional skills.  Added Bonus: developing and maintaining professional relationships now will help your career trajectory over time significantly. My fourth and final recommendation is to focus on learning more about your industry
AlienVault.webp 2020-04-27 12:00:00 Stories from the SOC - Web Server Attack (lien direct) Executive Summary Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers. During the investigation of a Web Server Attack alarm for a large multinational enterprise customer, we conducted an investigation that ultimately led to the customer isolating the system entirely. The sophistication of the correlation rules developed by the AT&T Alien Labs™ team recognized patterns that indicated an attack on the web server. Armed with the information presented by the alarm itself, we then expounded on those details, which led to the customer being informed that a public-facing server was actively vulnerable. While personally interfacing with the customer, they conveyed they were unaware of this system being open and hastily took corrective measures; thus, resulting in the isolation of the vulnerable system. Investigation Initial Alarm Review Web Server Attack – Multiple Web Attacks Alarm The initial alarm surfaced as the correlated result of multiple Apache Struts Dynamic Method Invocation Remote Code Execution events. As detailed within the image below, this attack intent is associated with the Delivery & Attack phase of the Cyber Kill Chain®. Figure 1 - Initial Alarm   Alarm Detail Also included in the alarm details is the associated MITRE ATT&CK® rule attack ID, which afforded the ability to efficiently and expeditiously gather relevant information about this particular attempt on the customer’s system. The synopsis for this attack technique is defined as the “… use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability.” 
To better understand the vulnerability profile of the asset in question, I executed an authenticated vulnerability scan within USM Anywhere. The results indicated several Apache HTTP server vulnerabilities. Following the completion of my reconnaissance efforts, I presented the actionable information to the customer. Response analyst comments on web server attack Figure 2 – Analyst Comments Customer Response(s) Two members of our Customer’s staff reviewed the analysis that I provided, confirmed my trepidations pertaining to the active vulnerabilities, and shared the subsequent steps to be taken to remediate this activity. The NAT was removed, and the Public IP was discontinued. The customer’s staff provided supplementary detail about the exposed and vulnerable system and the means by which he resolved continuing activity. The analyst indicated the targeted device was a digital video recorder (DVR) system that physically resided within one of the Customer’s warehouses and then outlined the actions taken to mitigate the risk: The publication rule of the Watchguard in the warehouse was eliminated The secondary public IP from the Watchguard configuration was removed The public IP of origin of the attack on the Watchguard was blocked Geolocation blocking from the foreign country to our entire network in the region was enabled The DVR was isolated unti Vulnerability Threat Guideline
AlienVault.webp 2020-04-23 12:00:00 Why cybersecurity needs a seat at the table (lien direct) Introduction A shift has occurred in the bastion of corporate hierarchy in the last few decades that has fundamentally changed how organizations operate. This shift started about sixteen years ago in 1994 with Citibank/Citigroup. After suffering a cybersecurity incident, they created the role of Chief Information Security Officer (CISO); a role which has only grown in prominence since. It’s common today to see even small, privately owned, organizations feature a CISO or similar role on their executive team. Along with the growing presence of both executive and non-executive cybersecurity professionals, there has been an interesting dynamic introduced to the corporate environment. Instead of just dealing with the complexities of maintaining a technical environment, organizations are realizing they also need to contend with securing that environment as well. Unfortunately, many organizations have not taken the requisite steps to properly integrate cybersecurity into their general operations. Why it matters Most professionals understand the importance of centralizing the mission of the corporation throughout all departments and initiatives. It’s a common component of most, if not all, business programs and is driven home time and time again. This message does not always translate to the Security or Information Technology (IT) teams, however. Even in the face of an ever-shifting technological landscape plagued with breaches and attacks, organizations regularly fail to appropriately consider the role cybersecurity plays in their business. Security is the most effective when it has multiple layers and is included from the beginning. Much like any form of design or construction, it is significantly easier to add features at the beginning than after the project is completed.  
Trying to shoehorn security components into existing systems or processes is both difficult and often costly, requiring significant buy-in from the organization to accomplish effectively. Failing to include security at the beginning of projects can also lead to acquiring or building systems that have fundamental security issues. This includes things like contracting with a vendor that does not practice due diligence or purchasing software with technical issues that may be exploitable by malicious third parties. What you can do Not all companies can afford, or even support a new executive-level security member or advanced security program. That does not mean that they can afford to leave cybersecurity out of the conversation. Instead of trying to rework your entire company or hire new leadership, organizations can instead utilize alternative solutions to accomplish similar effects. These solutions can be used either independently, or in concert, with each other to help facilitate meaningful collaboration between leadership, delivery teams, and security. The solutions below aim to be relatively inexpensive and as simple as possible. Change Advisory Boards Having a Change Advisory Board (CAB) is highly recommended for any organization. The CAB provides an additional layer of protection regarding changes to critical infrastructure, software, or overall business operations. Including cybersecurity here is an easy way to give them broad access to core projects without creating significant process changes. This group should include leaders from other departments to provide a robust knowledge base. The CAB should have insight into core projects and changes that may impact operations or security. Regular announcements Along with, or in some cases in-place of, CAB meetings it is strongly encouraged to produce regular announcements about major changes, upgrades, et cetera. 
This provides staff exposure to new ideas, process changes and technology while providing a forum to get input from those who will be affected by these changes. These announcements can also be paired with more informal meetings or town halls to fu Guideline
AlienVault.webp 2020-04-22 12:00:00 Donating while you sleep (direct link) This blog was written by an independent guest blogger. By now, you have probably come to the stark realization that we are indeed living in the most interesting times. Even the most hard-core introverts have noticed the value of human interaction. It is how our species has survived. One of the biggest challenges of our new, isolated existence is our sense of Locus of Control. One common sentiment during times of uncertainty is the desire to help. Most people want to help, but not all have the means to do so. Fortunately, there is a way to help that costs no money at all. Have you heard of distributed computing power? This is where a group of computers are given a task that is too great for a single computer to solve. The computer is used for the distributed computing task while the CPU is idle. Many folks never turn off their computers, so there are plenty of hours when the processor is doing nothing; just sitting, and awaiting some instruction. There is an effort underway to combat the COVID-19 virus using distributed computing. It is known as Folding@Home. I first became aware of crowdsourced distributed computing back when it was being used in the Search for Extraterrestrial Intelligence, known as the SETI experiment. I chuckled that anyone would waste any computing cycles for such a trivial pursuit. Recently, however, in a Twitter post by Lesley Carhart, I learned of the existence of the Folding@Home project. The distributed computing game has changed dramatically, finding uses in many disease research endeavors. Of course, I was skeptical about the entire thing at first. As I researched it a bit, it appears to be legitimate. The involvement of many other folks in the InfoSec community added credibility to the project. Currently, the aim of the Folding@Home initiative is to explore protein behaviors to seek therapies for the COVID-19 virus.
You can read about protein chains, and how their behaviors affect all aspects of life, on the FoldingAtHome.org website. However, if you do not want to read all about it, I can assure you that you have seen protein folding behavior throughout your life. For example, just drop an egg into a hot frying pan, and you are seeing proteins change their shape in real time. The understanding of protein behaviors could hold the cure that science is seeking. You do not need a supercomputer to participate. The idea is that you become part of a larger computer’s processing power by donating your unused computing time. You can grab the software here. There are versions for all operating systems, and the installation is fast and easy. I have mine running on an old laptop on which I installed a copy of Linux Mint. As reported on April 8th, the Folding@Home effort had achieved more than an exaFLOP of computing power. This is incredible, and if you are part of the collective that helped to reach that milestone, I sincerely thank and a
AlienVault.webp 2020-04-21 12:00:00 How Blockchain could transform smart-home privacy tech (direct link) About the time that Bitcoin was becoming a household name in the cryptocurrency business, an associated up-and-coming technology called blockchain was making waves and being hailed as the next big thing. Then it all but disappeared from the pages of the tech journals and websites. In other words, the big splash never materialized. Looking back, the problem was that it was so new and revolutionary that nobody knew what to do with it yet. Fast forward to 2020 and it looks like we might be getting closer to finally putting blockchain to work protecting all those smart doodads (like the refrigerator that warns you when your milk is out of date) and mobile devices in the face of increasing cyberattacks. Blockchain: Supercharged Data Protection Here’s the funny thing. Though blockchain’s revolutionary technology is changing the way our financial system is structured, it’s not actually a good solution (yet; more on that later) to IoT privacy issues. At this point in time, blockchain is good for IoT security but bad for privacy. To the layman, this statement might seem contradictory, and that’s because the tech media does a rather poor job of explaining the difference between privacy and protection. Protection for the Internet of Things For anyone even remotely familiar with technology, the term Internet of Things (IoT) is a recognizable commodity. This describes the millions and soon-to-be billions of smart devices, in addition to your mobile phone or laptop, that are connected to the internet. We’re talking about the aforementioned refrigerator, security systems, smart doorbells, remote access climate control, and many more. The problem that has arisen is that no one really planned for the IoT. It just happened. The trend in the past few years has been to move IoT network data flow to the cloud and benefit from that environment’s greatly increased security.
But at the same time, there remains the inherent limitation of so many internet-capable devices built with a hodge-podge of operating systems and security capabilities. Device manufacturers eschewed any standards and did their own thing. It wasn’t long before hackers realized that these devices offered a backdoor path (thanks to laughably easy-to-defeat security protocols) to attack any company or individual who installed a smart device on their network. Home networks, in particular, have been very easy targets for the bad guys. A Blockchain-powered, multiple-VPN solution To date, security experts typically recommend consumers install a virtual private network (VPN) on their router as protection against basic cybersecurity threats. While the encryption and IP address rerouting offered by a VPN make it exponentially harder to crack your home network, there’s a trust problem with the average VPN. While the majority of service providers are committed to the idea of absolute privacy of your personal data, the reality remains that your connection passes through their server
AlienVault.webp 2020-04-20 12:00:00 Working from home - new reality for even small businesses (direct link) I’m very fortunate in the COVID-19 situation. My job as editor of the AT&T Cybersecurity blog lends itself well to working from home. In fact, even before the virus I had the privilege to work from home some of the time – of course with a VPN and other security measures, on company equipment. The biggest impact has been personal for me. I miss my colleagues at work. I miss the in-person laughs and socializing. This has been replaced with many online meetings where we take the time to chat and relax a bit before getting down to business. It’s not as good as in-person interaction for an extrovert like me, but it’s wonderful all the same. Many others are finding it more challenging to work from home. I had the chance to speak to the sister of a friend who works for a small law firm (6 people) that previously didn’t allow employees to work remotely. With new work-from-home requirements, they had to adapt very quickly. The Federal Consumer Credit Protection Act is a big concern to this small law firm. It provides valuable safety rights for consumers. On the flip side, it puts the onus on businesses to provide that these rights are protected. Definitely something to consider in erring on the conservative side and requiring employees to work in the office for the sake of security. The main driver for requiring people to work in the office was data security. Fear of the cloud was holding them back. Larger companies have been using cloud-based applications and allowing remote work for years – but this is not the reality for many small companies. Although this company already had great policies, including not storing information such as social security numbers of clients in their records, cloud-based applications and remote work were a bridge too far for the firm. Until COVID-19, which forced them to cross that bridge.
Photo by Bjorn Snelders on Unsplash. COVID-19 forced innovation and protecting client security to the forefront. It forced them to cross an uncomfortable bridge. They had to make the transition in literally a week. Schools were closing down and since most employees in this firm had kids, there was no option. They were fortunate to have a technical office manager who required very little third-party support from an IT contractor to make it happen. She was able to get the Office 365® suite in the cloud for everyone and set up OneDrive® in a few days. While this was a tough change, there are upsides. Avoiding a 45-minute commute each way was a bonus. Working at home with small kids – wow, a challenge. But manageable. I believe COVID-19 will impact us going forward in unexpected ways. For this small law firm, once it’s proven that it works to allow employees to work from home securely, how many will change their policies even after the virus is defeated? It will be interesting to see. Helpful ideas for small companies Many small companies are in this position now. Remote endpoints are a tempting target for hackers. Here are some helpful ideas: Require employees to use a VPN and have them use only company equipment for work. Company equipment shouldn’t be used by non-employees. Require multi-factor authentication for critical application access. Provide that any video conferencing tools and applications are password-protected. Pre-install strong endpoint protection on company-owned devi Ransomware
AlienVault.webp 2020-04-17 12:00:00 5 most common mobile phishing tactics (direct link) Phishing is one of the things that keeps CISOs up at night. Phishing attacks are effective and simple to launch, and are used by financially motivated attackers as well as in more targeted attacks. In the case of a targeted attack, it may harvest login credentials to gain access to corporate or personal resources. In fact, sometimes corporate access can be used to steal personal data, and vice versa. Once inside the corporate network, attackers can launch full-scale cyber-espionage campaigns - silently stealing sensitive data and selling it on the dark web, or obtaining admin server credentials to launch a full-scale network attack - which could cripple a company’s supply chain. Yet as concerning as phishing may be, an emerging risk is not even realized by CISOs or their end users: phishing is increasingly targeting users on their mobile devices. Attackers are getting a higher return on investment by phishing mobile users. Everyone has a mobile device these days and employees are using them far more for both work and personal life. Smaller screens display both work and personal messaging, making it even more difficult to spot malicious phishing attacks. In fact, Lookout data shows that 1 in 50 enterprise users are phished on mobile devices daily. Mobile phishing rates have doubled for Lookout users of Office 365 and G Suite. This is a serious problem. Lookout data suggests that enterprise users are three times more likely to fall for a phishing link when it is presented on the small screen of a mobile device than when it is presented on the screen of a desktop operating system, like Windows or macOS. Phishing has moved to mobile Most think “email” when they hear the word “phishing”, but it is different on mobile. Mobile phishing extends beyond email to SMS, MMS, messaging platforms, and social media apps. Attacks are technically simple but novel in their approach.
They seek to exploit human trust along social networks using personal context. For example, a parent would click without hesitation on a message saying their daughter has been in an accident at school. Employees also find it easier to perform tasks on a mobile device than on a desktop. Depositing checks via a mobile banking app, for example, is simple, fast, and convenient, and there are many other examples like this. So, organizations must remain vigilant to keep pace with phishing threats that are increasingly targeting mobile users. An Akamai study highlights the dynamic nature of phishing sites: of over 2 billion domains analyzed, nearly 89% of the domains commonly associated with malicious sites had a life span of less than 24 hours. This emphasizes the need for advanced detection capabilities. Historically, organizations have invested heavily in security solutions such as secure email gateways, inbox scans, and end user training. Yet these techniques remain too narrowly focused on email and do not protect modern messaging, such as SMS, Slack, and Microsoft Instant Messaging. Combating sophisticated phishing attacks on mobile is the new battleground as attackers continue to employ sophisticated mobile phishing strategies. Most common mobile phishing tactics There are several techniques that cybercriminals use to make their phishing attacks more effective on mobile. Below are some of the more commonly used tactics that Lookout has observed in the wild: URL padding is a technique that includes a real, legitimate domain within a larger URL but pads it with hyphens to obscure the real destination. For example, hxxp://m.facebook.com----------------validate----step1.rickytaylk[dot]com/sign_in.html con Threat
AlienVault.webp 2020-04-16 12:00:00 7 key steps to Zero Trust (direct link) This is part 3 of a 3-part blog series. My last two blog entries provided some key elements of a Zero Trust Network (ZTN), which focused on the tenets of zero trust and how confidence is gained for untrusted traffic and authorized on a continual basis. The comprehensive nature of Zero Trust can be a little overwhelming in a world of limited resources, time and budgets. As security breaches persist, organizations understand that something must be done, and Zero Trust is most certainly worth looking into. As an organization begins its journey to Zero Trust – first acknowledging that it is, in fact, a journey involving lengthy cycles of assessing, planning, architecting and designing, piloting and implementing – it is important to understand how far you want to take this journey and then follow an overall roadmap to get you there. At a high level, this plan or roadmap should cover the following: Develop a strategy – Understand first why you want to take the organization to Zero Trust. What are the overall goals of the business? Do you only want to target a specific portion of your network, or the entire enterprise? Will you only be implementing a software-defined perimeter, washing your hands and saying “Done!”? Mapping the business’ goals to the cyber threats putting those goals at risk will help formulate the Zero Trust strategy to mitigate that risk. This will help you build your case and get executive buy-in, because without that, you will not have the support you need to see this journey to the end. The length of your journey will be determined by the strategy. Given the broad nature of Zero Trust, many key departments of the business, such as development, finance, legal and HR, should also be involved and/or consulted in the overall composition of the strategy.
Involving the right people early on in the process not only fosters better communication, but also helps to provide for a successful deployment overall. Define your Element of Protection – As your strategy is being developed, you need to understand what you are trying to protect. Most likely your defined element or elements of protection are your business data. You need to determine what part of your business assets will be protected. Will it be only sensitive data? Customer data? All data? What are the varying levels of data you need to protect? PCI and ePHI data, for example, may have different classifications than financial records or product designs. You need to classify all data to understand how it is to be protected. Enumerate your data & traffic flows – The next step is to see where that data is stored, where it is going, and who or what is handling that data. This is a critical step since it will drive the bulk of the policy decisions in your architecture. You also don’t want to complete your Zero Trust journey only to discover a breach still occurred because of some neglected area. Mapping these transaction flows will also utilize asset and application inventories, and an overall taxonomy of these will be used for other development areas. For example, a data transaction that is discovered running from an application server to a database will involve cataloging the access requirements of the application, the users that access that application, how they access the data, the application owners, system owners, supporting developers, database owners and administrators, and the communication requirements on the network. Obtaining as much information as possible for each component of every step along the flow will gain you enormous ground in developing policy and the components of automation that dynamically change that policy. Assess Your Zero Trust Maturity – Many organizations already have various elemen Vulnerability Threat
AlienVault.webp 2020-04-14 16:30:00 Slack phishing attacks using webhooks (direct link) Background Slack is a cloud-based messaging platform that is commonly used in workplace communications. It is feature-rich, offering additional functionality such as video calling and screen sharing in addition to a marketplace containing thousands of third-party applications and add-ons. Slack Incoming Webhooks allow you to post messages from your applications to Slack. By specifying a unique URL, your message body, and a destination channel, you can send a message to any webhook that you know the URL for in any workspace, regardless of membership. Webhooks take the format of https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX. Generally, Slack webhooks are considered a low-risk integration due to the following assumptions: Webhook configuration requires selection of a target channel, reducing the scope of abuse to a single channel. The unique webhook URL is secret. The webhook only accepts data, and thus alone cannot expose sensitive data to third parties. A deeper dive into webhooks shows that this is not entirely accurate. First, a channel override allows you to override the previously specified webhook target channel by adding the “channel” key to your JSON payload. If you gain access to a webhook for one channel, you can use it in others. Consider sending to #general, #engineering, and other default or common channels to target a wider audience. In some cases, this can also override channel posting permissions (such as admin-only posting).
Slack documentation suggests that allowed target channels are based on the original creator of the webhook: “posting_to_general_channel_denied is thrown when an incoming webhook attempts to post to the "#general" channel for a workspace where posting to that channel is 1) restricted and 2) the creator of the same incoming webhook is not authorized to post there. You'll receive this error with a HTTP 403.” So if you can find a webhook created by an admin - congrats, you can post to admin channels! A quick search on GitHub shows 130,989 public code results containing Slack webhook URLs, with a majority containing the full unique webhook value. The last assumption is true - webhooks can only accept data. That’s where we get creative. Slack webhook phishing with Slack apps The process itself is fairly simple: discover leaked webhooks; create a Slack app and allow public installation of the app; send malicious messages to discovered hooks; track workspaces that install the malicious app; use the app to exfiltrate data from workspaces that install it. Discovery As mentioned earlier, GitHub is a good start for scraping publicly committed webhook data. App creation First, create an app. You will also need a web server to handle the OAuth flow. Slack apps don’t require OAuth, but in this case we will be using the Slack API to access data in workspaces where the malicious app is installed. When the user attempts to install the application, they must approve the requested OAuth scopes. Their approval is sent Guideline
AlienVault.webp 2020-04-14 12:00:00 Can incident response be fun? (direct link) Cyber attacks are unfortunately inevitable. It’s important to security harden your networks as much as possible. But your organization must also be prepared for incident response. Effective incident response involves an awareness of various cyber risks and threats, having a plan to respond to the various ways they manifest, and having a team that can think quickly on their feet when they actually occur. Sadly, many of the people in the cybersecurity industry who I speak with regularly tell me that many organizations aren’t ready for cyber incidents. Sometimes it takes a lot of caffeine and willpower for me to do my work. But I never need an excuse to play games. I’ll impulsively play a game on my phone while I’m on the subway. I unwind on my couch at home to play video games to relax. And when friends come to visit, I can’t wait to set up a good old fashioned board game. Games have a natural appeal to human nature. If you’ve heard of the word gamification before, you know that games don’t have to be only for entertainment. New York University’s Adam Penenberg studies gamification (turning learning or doing work into a game). He writes: “Turns out, gamification works great on students. And apparently employees like it just as much. Companies that train large volumes of staff are rushing to use games, in a variety of forms. The goal is the same: turn a boring, repetitive and difficult series of tasks into an enjoyable, interesting activity that gets better results. Games provide intrinsic motivation—that is, people play them because they want to—as opposed to bribing someone with a raise (an extrinsic motivation).” So what if gamification can prepare IT professionals to improve their incident response? Well, cybersecurity people are a bunch of nerds. And everyone knows nerds love tabletop roleplaying games like Dungeons and Dragons. CISO Michael Ball had an epiphany.
He decided to turn incident response into a tabletop roleplaying game. His game is called Breach the Keep. I asked him what inspired him to invent the game. “I've done tons of executive training, both as the executive being trained, and as the trainer. Boring scripts, little engagement. No real team building. The CSIRT (computer security incident response team) has to be a team. Not just a group you pull together in an emergency! They have to know one another's roles, and how to communicate with each other and the corporate stakeholders before the chaos of a breach. None of the training I've seen to date engages the executives to develop the camaraderie of a team.” Roleplaying games are all about using your imagination, and they’re often set in a high fantasy setting. Breach the Keep is no exception. As the datasheet describes: “We will take you back in time into the realms of medieval and have a little fun with our version of Dungeons and Dragons. Through multiple scenarios we can help enhance your company’s team building abilities, identify gaps within the team and improve real world incident response time. Although the game is designed to imply information security type scenarios, we are going to use our imaginations and move the entire group back 400 years into the past. Instead of datacenters, we're protecting the castle’s keep.” Ball describes the roles in the game. “The CEO is the King or Queen. The CIO is Commander in Arms. CISO is the Mage or Vizier. HR (human resources department) is Chancellor. Corp Comms is the Town Crier. Network Admins are Cavalry, and Security Analysts are Knights.” The datasheet explains some of the basics of the game. “Players will be giv Studies
AlienVault.webp 2020-04-09 15:30:00 Assess and adapt for resiliency (direct link) Admittedly, we are in uncharted territory – what seemed routine a few short weeks ago – commuting to work, going to the gym, or gathering with friends – is now either a daunting task or a non-existent option. This shift has impacted our technology, our workforce, and our business environments almost overnight and with minimal warning. Given the rapid move for many to work from home, organizations have either been scrambling to quickly roll out solutions to keep employees connected or relying upon the contingency plan they had in place. As they work to make this happen, cyber risk must be addressed in parallel. Changing business needs, combined with the traditional methods used to connect to corporate networks and data, can introduce new security risks. Protecting your organization and its suddenly remote workforce is essential. Consider these immediate security needs and whether your solutions and services are resilient. Unified endpoint security – Consider whether your team has the resources or automation tools to onboard, deploy, configure and enroll their entire workforce on corporate-owned laptops, mobile phones and BYOD devices. Protect remote access – With more employees accessing the internet from home, consider whether IT administrators have the ability to grant access to specific applications hosted in the cloud or in the data center so remote workers can stay productive and protected against network-based threats. Internet browsing – When working from home, employees need to be able to connect to the internet in a highly secure manner, even when they are off the corporate network. Consider whether your IT administrators have what they need to enforce acceptable use policies and provide that websites employees visit are safe and appropriate for the business.
Protect against email-based attacks – With email phishing attempts that take advantage of global public health fears on the rise, consider whether IT administrators have the means to inspect inbound and outbound email for a wide range of threats including malware, imposter emails, and phishing attacks. Protect the increasing use of digital and cloud applications – As many businesses are no longer able to gather together in the same conference room with their employees or customers, they are accelerating their transformation to using digital and cloud applications for collaboration. With this change, the risk of security events is heightened. Security controls built for on-premises environments may not readily provide continuous or centralized security across heterogeneous environments. Consider whether security controls, processes, and expertise for cloud applications can protect against threats as well as vulnerabilities related to configuration errors. And consider whether there is sufficient ability to continuously monitor activity from public-facing web applications to identify and diagnose issues. New business realities – New business applications become more viable and important. For example, telemedicine is suddenly needed, and to meet demand, regulations are being relaxed. In a telemedicine world, doctors are practicing outside of the traditional confines of the hospital or medical office. The applications they use to collect data, the tools they use for collaboration, and the laptops they use for video must all be highly secure. Data, specifically medical data, is a valuable asset to bad actors. Consider whether your organization is prepared for the necessity of protecting data, devices, networks, and applications outside of “headquarters” to facilitate the movement to new business needs and realities. After we emerge from this new reality, business models may look different. For now, think about how your organization needs to assess and adapt for resiliency.
A remote workforce brings
AlienVault.webp 2020-04-08 12:00:00 The Zero Trust Authorization Core (direct link) This is part 2 of a 3-part blog series. The Foundation of a Zero Trust Architecture (ZTA) talked about the guiding principles, or tenets, of Zero Trust. One of the tenets mentions how all network flows are to be authenticated before being processed and access is determined by dynamic policy. A network that is intended to never trust, and to always verify all connections, requires technology that can determine confidence, authorize connections and provide that future transactions remain valid. The heart of any ZTA is an authorization core involving equipment within the control plane of the network that determines this confidence and continually evaluates confidence for every request. Given that this authorization core is part of a control plane, it needs to be logically separated from the portion of the network used for application data traffic (the data plane). Based on the designed ZTA and the overall approach, components of the authorization core may be combined into one solution or stand completely on their own through individual hardware and/or software-based solutions. Communication Agent – the source of the access should provide enough information for confidence to be calculated. Enhanced identity attributes such as user and asset status, location, authentication method and trust scoring should be included in every communication so that it can be properly evaluated. Enforcement Engine – also known as an Enforcement Point. This should be placed as close to the element of protection (the data) as possible. You might think of this as the data’s bodyguard. The Enforcement Engine will authorize the requested communication based on policy and continually monitor the traffic to stop it, if necessary, as requested by the Policy Engine. An Enforcement Engine may prevent a system holding the element of protection from being discoverable, for example.
Policy Engine – makes the ultimate decision to grant access to the asset and informs the Enforcement Engine. The policy rules will depend on the implemented technology but will typically involve the who, what, when, where, why and how for access involving network services, endpoints and data classes. Trust/Risk Engine – analyzes the risk of a request or action. The Trust/Risk Engine informs the Policy Engine of deviations in an implemented trust algorithm, evaluates the communication agent’s data against data stores and can utilize static rules and machine learning to continually update agent scores as well as component scores within the agent. A trust algorithm that is implemented to compute a score-based confidence level based on criteria, values and weights set by the enterprise, along with a contextual view of an agent’s history and other data, provides the best and most comprehensive approach to eliminating threats. A score- and context-based trust algorithm will identify an attack that may stay within a user’s role, versus an algorithm that does not take historical and other user data into account. For example, a score- and context-based trust algorithm may pick up on a user account or role that is accessing data outside normal business hours in an unusual way or from an unrecognizable location. An alternative algorithm that relies solely on a specific set of qualified attributes may evaluate faster but will not have the historical context to understand that the access request seems odd and advise the Policy Engine to require better authentication before proceeding. Data Stores – As stated, a preferred approach is to implement a score and c
AlienVault.webp 2020-04-07 12:00:00 (Déjà vu) AT&T Cybersecurity announces 'Partners of the Year Awards' Winners (direct link) After weeks of deliberation, we are delighted to announce the winners of the AT&T Cybersecurity 2019 Partners of the Year Awards. Binary Defense has been crowned Global Partner of the Year for their phenomenal growth and commitment in 2019. They are amongst seven other category winners who have achieved outstanding growth in 2019, demonstrating strong collaboration and dedication to the AT&T Cybersecurity Partner Program.* The AT&T Cybersecurity Partner Program enables leading managed security service providers (MSSPs), VARs, system integrators, managed detection & response providers (MDRs) and corporate resellers to sell and support AT&T Cybersecurity solutions and deliver compelling services powered by USM Anywhere in the global marketplace. With a strong focus on partner enablement, the program is designed to help partners create new opportunities for business growth, expansion and profitability. Below is the full list of winners for the 2019 Partner of the Year Awards, along with their comments: Global Awards: Global Partner of the Year: Binary Defense To receive this award for three out of the past four years is quite an honor. As a managed security service provider, our mission is to help our customers improve their cybersecurity posture. Our partnership with AT&T continues to thrive because of their world-class SIEM platform and our 24/7/365 Security Operations Center that can tune, manage and monitor our customers’ SIEM instances.
- Mike Hofherr, Chief Operating Officer Growth Partner of the Year: RoundTower Technologies The partnership with AT&T Cybersecurity enables us to provide our clients with deeper and more advanced Managed Security Solutions; delivering comprehensive visibility into their organization’s overall security posture and allowing our 24x7 Managed Security Solutions team to take proactive approaches to emerging threats. - Michael Swiencki, VP, Managed Services New Partner of the Year: Stefanini Rafael Seguranca E Defensa S.A. The AT&T Cybersecurity team aligns closely with our team and our strategy for the cybersecurity market. USM is flexible and, importantly, offers a point of differentiation. Our focus is on intelligence as well as USM’s SIEM functionality. We believe that the sales, implementation, and tech support offered by the AT&T Cybersecurity team has assisted our business immeasurably during the last year. Let’s move and win more deals in 2020. - Natal Da Silva, CEO Distributor of the Year: Ingram Micro INC. “With the explosion of ransomware, and the sophisticated cyber threats facing businesses of all sizes, we must help our customers to identify and respond to attacks faster than ever,” says Eric Kohl, vice president, Security Business Unit at Ingram Micro. “In working hand in hand with market leading cyber companies like AT&T Cybersecurity, we are able to offer comprehensive solutions to our MSP’s and solution providers. We’re thrilled to be recognized by AT&T Cybersecurity with this award.” - James Payne, Operations Manager Regional Awards: These awards recognize partners that had the highest sales bookings in each of the Guideline
AlienVault.webp 2020-04-07 12:00:00 AT&T Cybersecurity announces 'Partner of the Year Awards' Winners (lien direct) After weeks of deliberation, we are delighted to announce the winners of the AT&T Cybersecurity 2019 Partners of the Year Awards. Binary Defense has been crowned Global Partner of the Year for their phenomenal growth and commitment in 2019. They are amongst seven other category winners who have achieved outstanding growth in 2019, demonstrating strong collaboration and dedication to the AT&T Cybersecurity Partner Program.* The AT&T Cybersecurity Partner Program enables leading managed security service providers (MSSPs), VARs, system integrators, managed detection & response providers (MDRs) and corporate resellers to sell and support AT&T Cybersecurity solutions and deliver compelling services powered by USM Anywhere and USM Appliance in the global marketplace. With a strong focus on partner enablement, the program is designed to help partners create new opportunities for business growth, expansion and profitability. Below is the full list of winners for the 2019 Partner of the Year Awards, along with their comments: Global Awards: Global Partner of the Year: Binary Defense To receive this award for three out of the past four years is quite an honor. As a managed security service provider, our mission is to help our customers improve their cybersecurity posture. Our partnership with AT&T continues to thrive because of their world-class SIEM platform and our 24/7/365 Security Operations Center that can tune, manage and monitor our customers’ SIEM instances.
- Mike Hofherr, Chief Operating Officer Growth Partner of the Year: RoundTower Technologies The partnership with AT&T Cybersecurity enables us to provide our clients with deeper and more advanced Managed Security Solutions; delivering comprehensive visibility into their organization’s overall security posture and allowing our 24x7 Managed Security Solutions team to take proactive approaches to emerging threats. - Michael Swiencki, VP, Managed Services New Partner of the Year: Stefanini Rafael Seguranca E Defensa S.A. The AT&T Cybersecurity team aligns closely with our team and our strategy for the cybersecurity market. USM is flexible and, importantly, offers a point of differentiation. Our focus is on intelligence as well as USM’s SIEM functionality. We believe that the sales, implementation, and tech support offered by the AT&T Cybersecurity team has assisted our business immeasurably during the last year. Let’s move and win more deals in 2020. - Natal Da Silva, CEO Distributor of the Year: Ingram Micro INC. “With the explosion of ransomware, and the sophisticated cyber threats facing businesses of all sizes, we must help our customers to identify and respond to attacks faster than ever,” says Eric Kohl, vice president, Security Business Unit at Ingram Micro. “In working hand in hand with market leading cyber companies like AT&T Cybersecurity, we are able to offer comprehensive solutions to our MSP’s and solution providers. We’re thrilled to be recognized by AT&T Cybersecurity with this award.” - James Payne, Operations Manager Regional Awards: These awards recognize partners that had the highest sales booki Guideline
AlienVault.webp 2020-04-06 12:00:00 Common focal points of DoS attacks (lien direct) This blog was written by an independent guest blogger. Is your company at risk of a Denial of Service (DoS) attack? If so, which areas are particularly vulnerable? Think it’s a crazy question? Think again. In 2020, 16 DDoS attacks take place every minute. DoS attacks require fewer resources, and so pose an even greater threat. In this post, we’ll discuss what a DoS attack is and how it differs from a Distributed Denial of Service (DDoS) attack. We’ll then look at one of the latest techniques bad actors use to maximize the impact of their actions. What is a DoS Attack? A DoS attack is pretty much what it sounds like. The bad actors render a device or computer unavailable to authorized users. This is accomplished by interrupting the normal functioning of the item. DoS attacks will flood the target device with requests so that the device becomes overwhelmed. The device’s resources are all used to service these invalid requests. As a result, when a valid request comes along, there are no resources left. What’s the point of these attacks? There could be several reasons to launch a DoS attack. Some reasons include: Business rivalry A dispute against the company To earn a ransom to stop the attack To damage the business. What’s the difference between a DoS and DDoS Attack? Both use the technique of overwhelming the target device. The primary difference is in the number of computers used during the attack. With a DoS attack, just one computer is needed. With a Distributed Denial of Service attack, several machines or bots are used instead. Which form of attack is more effective? You might feel that the DDoS attack is more effective. It’s indeed easier to overwhelm a device or server with requests from more bots rather than fewer. It’s also true that the attack is more likely to be detected and blocked. 
One computer attacking the system might not have the same brute force, but you don’t always need brute force. Say, for example, that a cashier clones your debit card while you’re paying for your items. She notices that you get a message from your bank whenever you swipe your card. She’d like to shop for as long as possible without you noticing, so she gets a friend to launch a DoS attack on your phone. Her friend might use a buffer overflow attack technique on your phone. This attack uses up all the memory and processing power of your phone. You won’t receive messages or phone calls as a result. This is a simplified example, but it just goes to show that you don’t always need an army for these kinds of attacks. More advanced attacks According to Wired, we’re liable to see more DoS attacks with the Web Services Dynamic Discovery Exploit. This admittedly is a clever exploit and one that becomes more relevant with the Internet of Things expanding. With this attack form, the hacker ignores the primary system. Instead, they target vulnerable devices connected to the same network. These could be devices like printers, CCTV cameras, thermostats, etc. The point is that those devices usually don’t have the same level of protection that a company’s servers have. The hacker spoofs the target IP address and pings the device. The device responds to the legitimate target server and ties up resources. This attack is more difficult to detect than a direct attack because the requests are coming from devices authorized to use the network. Common focal points of DoS attacks DoS attacks fall into one of two basic categories: Flood attacks B
AlienVault.webp 2020-04-02 12:00:00 Here is why your healthcare provider cannot accept Venmo payments (lien direct) This blog was written by an independent guest blogger. Are you using Venmo to send and receive payments? People use Venmo for everything, and in these times when no one wants to handle actual money for fear of spreading infection, Venmo is a brilliant idea. Of course, the difference between Venmo and other mobile payment applications is that Venmo adds a social networking component to its process. While this makes things very easy for transacting payments, it creates some serious privacy concerns. Privacy and confidentiality are cornerstones of many business interactions. Whether you are in treatment for a medical condition, or if you are seeing a psychotherapist to work through an anxiety problem, not only do you want your information protected, but you also do not want anyone knowing the identity of your healthcare provider. Unfortunately, Venmo has a flaw that does not allow for such confidentiality. Please note that I am not bashing Venmo. As stated earlier, it is a fine application that is perfect during these tense, Covid-19 times. Most of my friends who use Venmo had no idea of the problem, so here is a short demonstration to show what I am describing: First, the way to keep your transactions private is by changing a setting in the application: [image: Venmo privacy settings] If you are just now discovering this setting, you can also hide all your past transactions so that all of your activity is hidden. Of course, if you want to have some fun, you can just name your transactions to whatever you want, as one of my wise-guy friends did when sending some money to me: [image: sex trafficking example of privacy invasion] Apparently, some folks are not joking, and are broadcasting all kinds of illicit activity through the platform. Please beware that illegal transactions could result in you getting kicked off the application, so it is not recommended.
The real problem is this: even if you set your Venmo to “private” mode, it is still leaking too much inferential information about all of your associations. If you go to a person’s profile page, there is a heading named “Friends” that allows you to see everyone in a person’s Venmo world: [image: friends setting in Venmo can be abused] This is a social engineer’s dream! The entire family of a total stranger can be accurately mapped just by scrolling through their “friends” list. This is exactly how the “grandparent scam” is so effective. To take this to the next level, if a person happens to pay a medical provider with Venmo, a social engineer could use all the publicly available information to easily impersonate that person, leading to a full medical records breach. This is why your healthcare provider will not accept payments through the application. When will Venmo lock down the Friends page? Why was that not built into the application from the start? Venmo is part of PayPal, and it is a safe way to move money between you and your friends and family. However, it just needs a bit of a privacy nudge. Guideline
AlienVault.webp 2020-04-01 12:00:00 The foundation of a Zero Trust architecture (lien direct) Part 1 of a 3-part blog series Organizations have placed a lot of time, effort and capital spend on security initiatives in an effort to prevent security breaches and data loss. Even the most advanced “next generation” application layer firewalls filtering malicious traffic at the network perimeter have only revealed equal if not greater threats within. To help counter this internal threat, organizations have invested heavily in internal monitoring and other advanced security controls that inspect traffic at all layers of the OSI stack to identify malicious activity and stop it before it reaches the destination, or to alert on the activity alone. While these initiatives have been helpful, they rely on a connection first being malicious, or on a trigger from a pre-established set of criteria, before any bells and whistles sound or prevention techniques are applied. By throwing more technology and controls at the problem, networks have become a chaotic mess of watchers, gatekeepers and agents, with legitimate business traffic trying to navigate its way through it all. Yet breaches are still occurring at an alarming rate, leaving organizations looking for a different approach. Zero Trust is gaining momentum as a different lens on data and network security. It casts aside complete reliance on a decades-old and easily neglected least privilege / whitelisting model by eliminating trust from every communication packet on the network, whether it originated from inside the organization or outside, and looks to gain confidence that the packet is legitimate. In short, rather than the traditional “trust but verify” approach, it never trusts and always verifies all traffic.
Zero Trust is built on a set of foundational principles or tenets: All network flows are authenticated before being processed, and access is determined by dynamic policy. In a Zero Trust Network (ZTN), confidence must be gained in a requestor of access before access can be granted, and that confidence does not traverse the network. Authentication may involve an evaluation of attributes in identity or other artifacts, asset state, requestor state, behavioral attributes, and others. The transaction requiring authentication is evaluated against an ever-changing policy based on that transaction’s behavior over time. All transaction flows are cataloged in order to enforce access. Understanding what you’re trying to protect is just as important as knowing where it is going. Assets (basically, anything with an IP address, as well as data sources) must have value. Classification of data as well as its location must be known if it is to be protected. Mapping and cataloging network flows to assets will help build access policies and understand expected and unexpected traffic patterns. Security (authentication and encryption) is applied to all communications independent of location and must be performed at the application layer closest to the asset in the network. Communications must be secured, and access requests from systems located within the enterprise network must meet the same requirements as external systems. Application layer security applied as close to the asset as possible eliminates upstream threats. Comprehensive vulnerability and patch management procedures must be followed. Device security issues will persist and, as such, a comprehensive vulnerability and patch management program will keep enterprise-owned devices in their most protected and functioning state. Continuous monitoring of device and application state is required to identify and address security vulnerabilities as needed, or to act on their access privileges accordingly.
Technology is utilized for automation in support Vulnerability
AlienVault.webp 2020-03-31 12:00:00 9 Reasons to hire an InfoSec candidate without experience: Focus on skillset vs. experience (lien direct) This blog was written by an independent guest blogger. $37-$145k jobs for InfoSec specialists without experience. Hiring immediately. This is what a simple internet search has to offer for people looking to get entry-level jobs in Information security (InfoSec), or cybersecurity. It seems like a good deal, considering that the requirements for candidates are much lower compared to many other jobs. But hold on a second, why are employers willing to pay so much money to someone who has little or no experience? There are at least nine legit answers to this question. Below, I’m going to describe these reasons to help employers understand why hiring InfoSec candidates without experience is a good idea. 9 Reasons to hire an InfoSec candidate without experience 1. Talent shortage There’s a shortage of skilled InfoSec professionals in all industries, which leaves valuable data more vulnerable to cyberattacks (and keeps companies looking for talent). Surveys and studies suggest significant shortages already. According to the iSC Cybersecurity Workforce Study 2019, for example, the global cybersecurity workforce gap is about 4.07 million. [image: iSC cybersecurity workforce study] The report suggests that the current cybersecurity workforce needs to increase by 62 percent to meet the needs of businesses. That’s why organizations and businesses are taking the initiative by reducing the barriers to enter the field for young specialists. 2. Cyberattacks are becoming more frequent and successful The global cost of cybercrime in 2018 alone was estimated to be over $45 billion, and this amount rises every year. Three kinds of attacks - ransomware, spoofing/BEC, and spear-phishing - have seen the largest increase, says an AT&T Cybersecurity report.
[image: increase in attacks] Besides, the attacks are becoming more sophisticated and successful (according to AT&T): The average cost of one successful cybersecurity incident involving data loss increased from $4.9 million to $7.5 million 88 percent of cybersecurity professionals have reported an increase in threats in the past year Cybercrime is becoming commercialized, meaning that criminals sell attack components on the dark web A person without coding knowledge can now launch and relaunch a sophisticated cyber-attack thanks to tools and code sold online. 3. The requirement to have a degree isn’t regulated by anyone Unlike fields like medicine where one must have a degree to practice the profession, InfoSec entry-level specialists can freely begin their careers without one. The risk of being outcompeted by those with an academic degree in cybersecurity is lower compared to other fields. For one, a lack of a degree in cybersecurity doesn’t affect the salary. According to the 2020 Cybersecurity Salary Survey, 55 percent of individuals working as a cyber “security analyst/threat intelligence expert” without a degree earn between $51K and $90K. [image: salaries with no academic degree] Credit: 2020 Cybersecurity Salary Survey This finding was similar across many other professions, including penetration tester, network security engineer, security/cloud architect, and security directo Studies
AlienVault.webp 2020-03-30 12:00:00 Stories from the SOC- RIG Exploit Kit (lien direct) Executive summary AT&T Alien Labs® Open Threat Exchange® (OTX) recently created a pulse for a new threat entitled the RIG Exploit Kit which had been observed distributing ransomware to victim companies across a variety of industry verticals. This exploit was discovered by BroadAnalysis who outlined the exploit’s intricacies in a whitepaper that was released December 2, 2019. BroadAnalysis provided a step-by-step explanation of this exploit’s lifecycle, including all indicators of compromise (IOCs). Using the pulses created in OTX and threat intelligence from Alien Labs, AT&T’s Security Operations Center (SOC) was able to identify the initial behaviors of this threat and work in concert with the customer’s staff to mitigate the ongoing activity. Investigation Initial alarm review Indicators of Compromise (IOCs) [image: RIG IoCs] The initial alarm surfaced as the result of a Domain Name System (DNS) request to the OTX IOC usa.lucretius-ada[.]com, an IOC associated with the first stage of the cyber kill chain. Upon further review, we realized this alarm triggered on the basis of a DNS request. After preliminary analysis, we determined the traffic did not directly correlate to an infection occurring on the endpoint, so we made the conscious decision to expand the Investigation. Expanded investigation Events search Given the fact that we had a positive hit on the domain as an IOC, we then conducted a query for all events that matched this domain. Subsequently, we discovered twelve firewall events egressing to this domain from varying points of origin, other than the initial source found in the alarm. After aggregating the related events, we determined there were six unique sources that had established connections to this domain.
Reviewing these source devices, two appeared to be cell phones based on their hostnames, and the other devices appeared to be either user endpoints or possibly servers. These assets are not registered assets in USM Anywhere; thus, we were unable to derive additional information. Given the limited knowledge of the unregistered assets, at this point we had to rely on interfacing with the customer to verify whether these devices were vulnerable and how best to plan our avenue for thwarting this threat. Event deep dive Now that we had observed successful network traffic to the malicious domain, we turned back to the white paper from BroadAnalysis. The indicator we are matching is a specific URL on this domain. Reviewing the white paper, the indicator is: usa.lucretius-ada.com GET /zcvisitor/ We observed this URL in every firewall log from these six sources. At this time, we can confidently say that there are six devices that have successfully reached out to the malicious URL and that they are likely infected with this RIG exploit kit. Reviewing for additional indicators After discovering these infected endpoints, we began building our notes for the Investigation. Simultaneously, we reviewed the BroadAnalysis white paper to look for additional steps of the cyber kill chain being executed by these devices. Thankfully, we did not discover any additional indicators, and it appeared that we were still in the first stages of the exploit. Response Building the investigation Given the urgency of the situation, we created a high severity Investigation for the customer. Utilizing the capabilities of USM Anywhere, we generated a CSV report with the full event activity we were able to observe so they could have visibility on the events and situation. After attaching our report, we developed our notes to Ransomware Threat
AlienVault.webp 2020-03-25 12:00:00 The future of cybersecurity for connected cars (lien direct) [image: connected cars - pic of a dashboard] Connected cars have slowly become mainstream, with more than 700 million of them expected to be operating on roads by 2030. Most new vehicles are leaving production lines with a host of features that require a connection to the online world, including GPS, lane assistance, collision avoidance, and modern infotainment systems. However, while connected vehicles offer abundant opportunities for the consumer, automakers need to seriously consider what they mean for consumer privacy and security. Any software vulnerabilities could undermine the safety of connected car systems and features, putting the user's sensitive information at risk as well as their physical safety. As such, automakers need to adopt a cybersecurity culture that not only addresses the obvious exposures in their vehicle's software, but other hidden vulnerabilities that could arise from third-party components in their vehicles. The current state of cybersecurity in connected vehicles Cybersecurity is still an unstandardized anomaly in the automotive industry. According to a report by the Ponemon Institute, software security is moving at a much slower pace than technology in the industry, with only 10 percent of automakers having an established cybersecurity team. The economies of cybersecurity in cars are inherently unfair; with the right tools, attacks are affordable, low-effort affairs. On the other hand, mounting a coherent defense against such attacks requires higher effort and investment. So far, the playing field is in favor of the attackers, and there have been a few incidents that have put this into perspective. For example, security researchers demonstrated that a Jeep Cherokee could be hacked when they took control of the wipers, air conditioning, brakes, and accelerator from 10 miles away.
Some Tesla vehicles also had a vulnerability that could potentially allow hackers to start the vehicle or cut the motor remotely.  The role of automakers in improving cybersecurity  Automakers must start viewing security testing as an investment that will result in better quality vehicles, not as an expense with no direct payback. Since technical vulnerabilities can arise at any time, automotive players need to consider cybersecurity throughout the product life cycle, starting from the design stage.  Vulnerability
AlienVault.webp 2020-03-24 12:00:00 10 tips for working remotely (lien direct) [image: young man working from home] We’re all working together to help slow the spread of COVID-19 through new policies and guidelines such as working remotely and socially distancing ourselves from others. Working remotely can be challenging. I can offer some advice about working remotely, as I have worked both remotely and in a travel capacity for over 10 years, and I really love working that way. Here are a few things I regularly do to ensure success while still managing a work-life balance. Working from home can make it difficult to maintain a work-life balance because, well, you’re at home. So, you have to prepare your work daily and complete what you have prepared for yourself. I plan every day, at the end of the day, how to start the next morning. (I usually do it at night because I like to put in a few hours in the evening after I’ve spent some time with the family.) Document everything you do. I document what I do through a series of notes in OneNote and with my Outlook calendar and tasks. If you do something ad-hoc throughout the day, allocate time on your calendar to account for it. Make time to call some of your co-workers every day, not just for business, but for "chatting and having a few laughs" as well. You would do it in the office, why not do it from home too? It helps to keep your sanity and keeps those relationships active and current. Take breaks, get a stand-up desk, sprinkle in little things to do for yourself. Do a home chore if you need to. Make your working environment yours. Working on the coffee table is a no-no. It's not a good work environment and it doesn't do anything for productivity. Don’t be afraid to break up your workday.
Do your most productive customer-facing activities during regular working hours, and do the work that requires a higher level of concentration after-hours at your leisure. Sometimes you will find that it's much easier than switching back and forth between phone calls and computer work. Take good notes, and set aside time to think, study and grow your knowledge. This is important to stay on top of your industry. On a slow day, don't be afraid to walk outside to break up the scenery so that your work area doesn't become stagnant. Take working from home as an opportunity to be there for your co-workers and family. We’re all working together to do our part in keeping each other safe. Please take care of yourself. Thanks for taking a minute to read my post and I hope it helps make you more successful during your time spent working from home.
AlienVault.webp 2020-03-23 12:00:00 Windows Server 2019 OS hardening (lien direct) This blog was written by an independent guest blogger. Windows Server 2019 ships and installs with an existing level of hardening that is significantly more secure compared to previous Windows Server operating systems. Gone are the bloat of Xbox integration and services and the need for third-party security solutions to fill security gaps. Operating System (OS) hardening provides additional layers of security and preventative measures against both unauthorized changes and access. Hardening is critical in securing an operating system and reducing its attack surface. Be careful! If you harden an operating system too much, you risk breaking key functionality. Hardening approach Harden your Windows Server 2019 servers or server templates incrementally. Implement one hardening aspect at a time and then test all server and application functionality. Your cadence should be to harden, test, harden, test, etc. Mistakes to avoid Reducing the surface area of vulnerability is the goal of operating system hardening. Keeping the area as small as possible means avoiding common bad practices. Do not turn off User Account Control (UAC). You should move the UAC slider to the top: Always notify. The few extra clicks to make while trying to install a new application or change system settings might prevent system compromise in the future. Do not install Google Chrome, Firefox, Java, Adobe Flash, PDF viewers, email clients, etc. on your Windows Server 2019 operating systems unless you have an application dependency for these applications. Do not install unnecessary roles and features on your Windows Server 2019 servers. If you need to install a role such as IIS, only enable the minimum features you require and do not enable all role features.
Do not forget to fully patch your Windows Server 2019 operating system and establish a monthly patch window allowing you to patch and reboot your servers monthly. Hardening Windows 2019 Server Core As the foundation, the Core version of Windows Server 2019 (Windows 2019 Server Core) should be installed. Server Core removes the traditional GUI interface to the operating system and provides the following security benefits. • Server Core has a smaller attack surface than Server with a GUI • Requires fewer software updates and reboots • Can be managed using the new Windows Admin Center • Improved Application Compatibility features in Windows Server 2019 Traditional Windows administrators may be apprehensive about running Server Core due to a lack of PowerShell familiarity. The new Windows Admin Center provides a free, locally deployed, browser-based app for managing servers, clusters, hyper-converged infrastructure, and Windows 10 PCs. Windows Admin Center comes at no additional cost beyond Windows and is ready to use in production. You can install Windows Admin Center on Windows Server 2019 as well as Windows 10 and earlier versions of Windows and Windows Server, and use it to manage servers and clusters running Windows Server 2008 R2 and later. Secure the Local Administrator Account Local Administrator Password Solution (LAPS) If a Windows Server does get compromised, the attacker will quickly try to move laterally across your network to find highly valuable systems and information. Credenti Ransomware Malware Tool Vulnerability Patching
AlienVault.webp 2020-03-17 12:00:00 Exploits, vulnerabilities and threat adaptation (lien direct) Security, whether focused on physical, cyber, operational, or other domains, is an interesting topic that lends itself to considerable debate among practitioners. There are, however, basic concepts and underpinnings that pervade general security theory. One of the most important, yet often misunderstood, concepts is the inextricably entwined pair of vulnerabilities and exploits. These basic underpinnings are critical in all security domains. What are exploits and vulnerabilities, and why are they important to the study of security? First, security cannot be considered a binary concept such as “secure” or “not secure”. The appropriateness of any security strategy is relative to the controls implemented to address the identified risks. One cannot say: “my house is secure”. The measure of security is predicated upon the identified risks and the associated controls implemented to address those risks. One can say: “My house has been secured in a manner that is commensurate with the identified risks”. Second, security should be viewed as a function of time and resources. Finally, security, in any domain, can never be ‘assured’, nor can there be a ‘guarantee’ of security. The reason is simple. Technologies change and human threats are adaptive. According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as: “…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” The concept of threat adaptation is directly linked to the defense cycle. In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls.
As the threat actor improves their capabilities, the defenders necessarily have to change their own protections. This cycle continues ad infinitum until there is a disruption. The US Department of Homeland Security (DHS) lexicon defines a vulnerability as a “…characteristic of design, location, security posture, operation, or any combination thereof, that renders an asset, system, network, or entity susceptible to disruption, destruction, or exploitation”. Expanding upon this, a vulnerability can be described as a susceptibility that would allow a technique, tactic, or technology, or a combination of them (the exploit), to circumvent, bypass, or defeat the protection offered by the technique, tactic, or technology in place as protection (the control) against the anticipated exploit(s). Succinctly, a vulnerability is a susceptibility to a given, identified exploit. A vulnerability may exist in a system even though it has not yet been identified. Given enough time, effort, and the right tools, any security control can be circumvented. As stated previously, security can be expressed as a function of time and resources (S=f(TR)). It is also important to note that the concepts of exploits and vulnerabilities are inextricably entwined and mutually dependent. The common security noun “exploit” is adapted from the English verb “to exploit”, which means to “use something to one’s advantage”, and has been turned into a noun. An exploit is defined as something that…” Vulnerability Threat ★★★★★
AlienVault.webp 2020-03-16 12:00:00 Do you have the GRIT to be a cybersecurity consultant? (lien direct) As I read Angela Duckworth's GRIT, where she explains that the secret to outstanding achievement is not talent but a unique blend of passion and persistence she calls "grit," I was able to relate this need for the power of passion and perseverance to being a successful cybersecurity professional and, more importantly, a trusted cybersecurity consultant. It takes a combination of skills, education, and years of work experience. With the right leadership and the right organization, your security career is onward and upward from that point. Here are some things that I have learned along the way and want to share. Understanding of cybersecurity beyond technology and compliance As a cybersecurity consultant, you act as a trusted advisor, and this provides you the opportunity to work with customers to accelerate business security goals. You offer security recommendations that are designed to fit overall business objectives while providing compliance with the organization's regulations and policies. It is vital to home in on practical communication skills. Effective communication is required to deal with security teams, and you have to communicate regularly and effectively with executives, department heads, and sometimes even the end user. Without strong communication skills, it's nearly impossible to be a successful cybersecurity consultant. Beyond cyber speak, a cybersecurity consultant must be able to understand and explain the risks to business operations when a security control fails. Ability to thrive under pressure Through all the years of delivering as a cyber consultant, one of the key attributes that I found to be common across all successful consultants is the ability to thrive in times of disruption. The consultant should have a passion for turning challenges and opportunities into long-term competitive advantages.
An ability to prioritize your workload, work well under pressure, and concurrently manage customers' expectations is a vital part of being a good cybersecurity consultant. We often hear folks who want to be cyber consultants ask which tools to learn, which technologies to focus on, and so on. While all of those are valid and relevant, having practical business awareness and an understanding of the cybersecurity challenges faced by organizations is vital to being able to apply the right level of security controls. Team Player and Problem Solver As a cybersecurity consultant, you'll work as part of a team of problem solvers, helping to solve complex business issues from strategy to execution. It is necessary to understand how the consulting business operates and adds value to clients. One of the critical attributes required of a cyber consultant is to think broadly and ask questions about data, facts, and other information. You should be able to embrace diverse perspectives and welcome opposing and conflicting ideas. Knowledge and skill builder Develop your knowledge of national and international security standards, including NIST, PCI, CJIS, CMS, ISO, SOX, HIPAA, HITECH, and other regulatory requirements. Gain knowledge of network design, security protocols, and cloud integration security, along with excellent analytical and problem-solving skills. Understand the life cycle of network threats, attacks, attack vectors, and methods of exploitation, with an understanding of intrusion-set tactics, techniques, and procedures. Build in-depth knowledge of the architecture, engineering, and operation of at least one enterprise SIEM platform. Gain an advanced understanding of TCP/IP, standard networking ports and protocols, traffic flow, system administration, the OSI model, defense in depth, and common security elements. Understand malware analysis concepts and methods. Become familiar with the Cyber Kill Chain methodology. Knowledge of v Malware Guideline
AlienVault.webp 2020-03-12 12:00:00 Malicious Actors and Medical Data: Where Are We Heading? (lien direct) malicious actor a bit over-done Data is the hottest commodity in town, particularly on the dark web. But there’s one type of file that hackers are most interested in: your medical data. Whereas a credit card number or Social Security number can net a criminal $1-$15 depending on the data type, medical records can sell for the equivalent of $60 each (in Bitcoin). What’s more, the theft of these files isn’t uncommon. Despite U.S. healthcare organizations’ mandatory compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare topped the charts for the number of data breaches in 2018. And hackers don’t need to break in to get the data: over half of the incidents reported were the product of internal threats, either errors or bad actors. As the medical community becomes more and more reliant on internet-connected technology and generates record amounts of personal data, it is going to need to learn how to scale its cybersecurity efforts to the same extent. Patients’ privacy and even their lives depend on it. The Medical Community Needs to Get Better at Security Stories of hacked machines, demands for payment, and blackmail are appearing in the media with greater frequency than ever. That’s no surprise: ransomware attacks are a growing threat for healthcare organizations. Why? Because in a life-or-death situation, a hospital must decide whether to pay the attacker or lose the patient. The medical community faces threats at a greater rate than many other industries. Unfortunately, its security training practices match neither the growing occurrence nor the obligation healthcare providers have under the law: a study by Kaspersky Lab in 2019 noted that only 29% of respondents knew and understood the HIPAA Security Rule, a fundamental part of their job.
What’s more, 40% of workers weren’t aware of their organization’s cybersecurity rules and measures. It’s easy to believe that nurses, doctors, and administrative staff don’t need comprehensive cybersecurity training, and that it should be the IT department’s role. Unfortunately, cybersecurity doesn’t work that way: hackers aren’t scaling walls to get into healthcare systems; they look for open doors first. And when a doctor or nurse doesn’t know how to encrypt their email, uses weak passwords, or opens a malicious attachment or link in an email, the hacker can walk right in. Hackers Get in Through the Most Unlikely Doors The problem goes beyond what happens within the confines of a doctor’s office or hospital setting. As healthcare organizations connect with patients through their personal devices, they’ll have to secure not only their own devices and programs but also compensate for side doors created through other unsecured apps and platforms. In 2020, researchers reported that hackers were using the Google Play platform to distribute apps that screenshot sensitive user information. To do so, the Ransomware Vulnerability Threat Guideline
AlienVault.webp 2020-03-09 12:00:00 The rising threat of drones to cybersecurity: What you need to know (lien direct) This blog was written by an independent guest blogger. picture of a drone The Federal Aviation Administration (FAA) reports that there are nearly 1.5 million registered drones in the United States, which makes them ubiquitous across the country, and there are plenty that are still unregistered, too. From military use to consumers who buy them to start a new hobby, drones are now used in many aspects of today’s society. Even Amazon plans on making drones part of its shipping process at some point in the future. However, the rising risk of cyber attacks that involve drones shows they may be a threat to many. How it’s possible While it may seem impossible for a drone to affect cybersecurity, several factors make it entirely possible for drones to be used in malicious cybercrime. For instance, drones equipped with cameras have been associated with spying, and there have been many arrests for drone spying. That’s not all a drone can do: in addition to taking bird’s-eye pictures and video, drones can be used to spy on networks, capture data and block communications, making them a threat to cybersecurity as a whole. Drones pose this type of threat because of their vast capabilities. In addition to cameras, many drones come equipped with GPS, USB ports, and other interfaces that can allow them to be hijacked. Attackers can use tools to tap into drones if the owner doesn’t apply certain security measures. This leaves many commercial drones at risk of exploitation, because they communicate with their operators over WiFi links that are often unencrypted and rely on civilian GPS signals that are unencrypted and unauthenticated. An increasing risk to cybersecurity With all that a drone can do, it comes as no surprise that they pose such a risk to cybersecurity.
In addition to the privacy issue and the fact that drones are vulnerable to hackers, previous incidents prove how risky the small aircraft can be. For instance, drones have created new risks for the security of the travel industry. It's important that drones are powered off for safety reasons during travel, and there are regulations in place for traveling with them, which reduces the risks posed in airports. For example, in December 2018, Gatwick Airport in England experienced an incident in which drones were reported in its airspace. This was a threat to both the airport's aircraft and travelers, and it created delays, cancellations, and disrupted travel plans for many. Even more recently, the FAA had to temporarily restrict the airspace above the site of the helicopter crash that involved former professional basketball player Kobe Bryant, because of the number of drones and other aircraft that swarmed the area following the incident. Security measures such as geofencing software attempt to stop drones from being flown near airports and other restricted areas, and radar detection also helps locate nearby threats. However, the evolution of drone technology means that in the future they may come equipped with even more advanced features, which can potentia Threat
AlienVault.webp 2020-03-05 13:00:00 How to spot a fake app? (lien direct) This blog was written by an independent guest blogger. There are billions of mobile phone users in the world, and every day the number increases as people find convenience in using smartphones. As the number of smartphone users increases, technologies, apps, and software are continually created for these devices. However, as people shift their use to mobile devices, so do cybercriminals. Hackers are now finding ways to target mobile phone users, and have already deployed many of them. One of the most common attacks they use is creating fake apps. Fake apps are apps that mimic an original, legitimate app: they copy the look and function of the app to attract users to download it. Once a user downloads the fake app, several things can happen to the device. Sometimes it contains malicious content that makes the mobile device act strangely. Some fake apps aggressively display ads on a device, while others steal information from users. There are thousands of fake apps present in the different app stores. In its 2019 Mobile Threat Report, McAfee reported detecting 65,000 fake apps. Even Apple's App Store, which is known to be the safest, had 17 apps found to be infected with malware last year, all of them from a single developer. The problem is that many people cannot distinguish a fake app from a real one, which is why many fall victim to this attack. If you have been a victim, or if you want to be sure not to download a fake app, you must know its characteristics. Fake apps look similar to real apps, but there are some key points that make them different. Here are the ways you can spot a fake app on an app store. CHECK THE NAME Before downloading an app, check its name. See whether there are misspelled words, or whether the logo looks different from the real app's.
Popular apps often have fake alternatives, which is why when you search for one you are given a lot of choices that look almost the same. But you can check the name to know whether it's real or not. CHECK THE DEVELOPER'S NAME If you want to download an app for your mobile device, research the app first. Get to know who the developers are and what company the app comes from. If you know the app's background, you can more easily spot an app that is not real. To be certain, search for other apps the developer has built: click on the developer's name and see the other apps they have published. CHECK THE REVIEWS Reviews tell you what other users have experienced with the app. Be cautious if you notice negative comments or people complaining about problems with their devices since installing the app; it could indicate that the app contains malware. CHECK THE DATE If an app was published recently, you'll be able to see this. A recently published app that is suddenly in demand can indicate that the app is fake, because most popular apps have been on the market for a while. That's why the store listing should show an "updated on" date rather than a first-published date close to today. BEWARE OF DISCOUNTS Some apps offer discounts that are too good to be true. If you see apps promising you excellent features for a small price, this is an indicator that the app is counterfeit; it is a technique fake-app developers use to persuade people into downloading their apps. LOOK AT THE SCREENSHOTS If everything seems to look good, you can t Malware Threat
AlienVault.webp 2020-03-04 13:00:00 (Dis) Advantages of having your domain, email and website on separate providers (lien direct) This blog was written by an independent guest blogger. Thinking about launching a new website? You’ll want a domain to go with that, as well as a brand spanking new email address. But here’s the thing: before all the fun and excitement of creating a new website can begin, you first have to decide whether you want to host your domain, email, and website together with the same provider, or whether you want to keep them all separate. It’s a tough choice because, once you’ve made a decision, it’s pretty damn difficult to renege on it. But it’s totally cool; we’re here to help. In this article, we’re going to take a look at the (dis)advantages of having your domain, email, and website on separate providers, so that you’re clearer about what you need to do. Advantages of having your domain, email and website on separate providers For some, having their domain, email, and website on separate providers looks appealing. Here are a few reasons why: Moving doesn’t have to be that tricky One of the common worries people have about keeping their domain, email, and website on separate providers is that moving everything will be tricky. After all, you’ll need to move your domain, email, and website separately, and that sounds like a major effort. However, there are ways around this. One is to move your website to a CloudWays server. This means you can take advantage of their migrator plugin, which smooths over the transition process because their engineers take care of everything for you. The result is a clean website that’s been moved from one place to another, and is bug-free. Another smart idea is to register your domains with NameCheap. Whenever it’s time to move your host, your domains won’t need to change, because NameCheap lets you repoint a domain from one host to another.
All you have to do is register your domain with NameCheap and then use the ‘Change Ownership’ option when it’s time to move hosts while keeping the same domain. It’s the same with email: if you choose the right host, you won’t need to worry about things like downtime or changing settings, and your email addresses will stay the same. You’ll feel more secure Online systems are not foolproof, and cybersecurity continues to be a big issue in 2020. Every online system is susceptible to attack. Isn’t that a little scary when your domain, email, and website are all with the same provider? Everything you’ve worked hard on could be destroyed because all an attacker has to do is compromise one login. Moreover, data loss doesn’t just affect you; it affects your clients, and their confidence and trust in you goes down. The stats show that 67% of all data loss is caused by system failures, while hackers are also frequently behind data loss. And no one is safe from an attack: just last year, in 2019, Microsoft Office 365 accounts were attacked by hackers. On the other hand, if your email, website and domain are all on separate providers, an attacker needs to compromise three or four logins, which is far less likely, provided each account has its own strong, unique password and multi-factor authentication. Genesis web developer Andrea Whitmer has separated her email, domain and website and points out how much time it takes to recover everything if just one attack wipes you clean out. “A few years ago, my dad’s website got hacked. Not only
AlienVault.webp 2020-03-02 13:00:00 How a small business can achieve Zero Trust security (lien direct) Contrary to popular belief, small businesses don’t need to be restricted by their budgets and productive capacity, especially when it comes to security. By using the right Zero Trust approach, businesses can prevent data breaches while continuing to grow. New technologies such as databases, the cloud, the Internet of Things, and countless network devices help a business save money and time while making operations more efficient. Companies are now capable of taking brainstorming discussions about new apps and turning them into prototypes in a day. While this new efficiency is yielding incredible results, correct security must be implemented to keep these businesses prospering in the long term. Successful small businesses of any kind share a common trait: they move and grow rapidly. Broken down, this means they’re bringing on new contractors and employees, experimenting with new technologies and ideas, and expanding to new locations, all in a matter of days. pirate flag on computer screen Image Source - https://unsplash.com/photos/JJPqavJBy_k Experts in cutting-edge technologies like app development, AI, and machine learning are brought on to modernize the business, while new sales and marketing experts are sourced to give the company its competitive edge. Throughout this growth, new employees and contractors are given access to the company’s cloud to get involved with the work, but in doing so the security vulnerabilities begin. Small businesses don’t have to make sacrifices for security The speed that successful startups and small businesses experience can be addictive, but with it comes the belief that putting more work into security will slow them down. The American economy is growing, with the latest US Federal Reserve Board’s SCF survey finding that GDP has grown at an average rate of 2.2% since 2013.
As a result of this growth, small businesses are financially better off than they were before, but their sensitive information will find itself in hackers’ crosshairs more and more frequently. Luckily, with Zero Trust, businesses don’t have to sacrifice much of their speed to get their security in shape. By following the correct Zero Trust approach, businesses can protect their systems, time, and intellectual property by reducing the risk of falling prey to a massive data breach. Here are the key security steps businesses can build into their Zero Trust approach to ensure that costly, time-consuming data breaches aren’t stealing their data and hurting their momentum and reputation: 1) Track, monitor and audit all privileged account access in real time, including metadata, to ensure you have a full picture of each user’s intentions and actions within accounts. You need to know who is using your company’s network. Having a full chronology of a user’s actions within accounts is invaluable when it comes to cybersecurity. It gives you a much stronger chance of preventing malicious use as it happens and also helps you discover how these incidents hap
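Step 1 above asks for a full chronology of every privileged session. The function below is an added example, not part of the original post or any vendor product, showing how to build that chronology from Windows Security events: it joins logon (4624), special-privilege assignment (4672) and process-creation (4688) records on their LogonId and flags privileged sessions that did not originate from an expected source network. The sample events, the allow-list prefix and the function name are constructed for illustration; on a real host the same fields come from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4672,4688}, and 4688 only appears when process-creation auditing is enabled.

```powershell
# Added example (editor's code, not from the original post): correlate
# privileged sessions from Windows Security events. Function name, allow-list
# and sample data are hypothetical.

# Constructed sample: objects mirroring the fields of events 4624 (logon),
# 4672 (special privileges assigned) and 4688 (process creation).
# LogonId is the join key across all three.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated=[datetime]'2020-03-02T08:00:01'; Id=4624; TargetUserName='alice';      LogonId='0x3e7a1'; IpAddress='10.0.0.15';   LogonType=10 },
    [pscustomobject]@{ TimeCreated=[datetime]'2020-03-02T08:00:02'; Id=4672; SubjectUserName='alice';     LogonId='0x3e7a1' },
    [pscustomobject]@{ TimeCreated=[datetime]'2020-03-02T08:01:10'; Id=4688; SubjectUserName='alice';     LogonId='0x3e7a1'; NewProcessName='C:\Windows\System32\net.exe' },
    [pscustomobject]@{ TimeCreated=[datetime]'2020-03-02T23:14:00'; Id=4624; TargetUserName='svc-backup'; LogonId='0x41b22'; IpAddress='203.0.113.9'; LogonType=3 },
    [pscustomobject]@{ TimeCreated=[datetime]'2020-03-02T23:14:01'; Id=4672; SubjectUserName='svc-backup'; LogonId='0x41b22' },
    [pscustomobject]@{ TimeCreated=[datetime]'2020-03-02T23:15:30'; Id=4688; SubjectUserName='svc-backup'; LogonId='0x41b22'; NewProcessName='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
)

function Get-PrivilegedSessionReport {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        # Source networks from which privileged logons are expected (assumed admin VLAN).
        [string[]]$AllowedSourcePrefixes = @('10.0.0.')
    )

    # A session becomes "privileged" once a 4672 names its LogonId.
    $privEvents = $Events | Where-Object { $_.Id -eq 4672 }

    foreach ($priv in ($privEvents | Sort-Object LogonId -Unique)) {
        $id    = $priv.LogonId
        $logon = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonId -eq $id } | Select-Object -First 1
        $procs = $Events | Where-Object { $_.Id -eq 4688 -and $_.LogonId -eq $id } | Sort-Object TimeCreated

        # The 4624 may have rolled out of the log before the 4672 was collected.
        $sourceIp = if ($logon) { $logon.IpAddress } else { 'unknown (no 4624 in range)' }
        $fromAllowed = $false
        foreach ($prefix in $AllowedSourcePrefixes) {
            if ($sourceIp -like "$prefix*") { $fromAllowed = $true }
        }

        [pscustomobject]@{
            User           = $priv.SubjectUserName
            LogonId        = $id
            PrivilegedAt   = $priv.TimeCreated
            LogonTime      = if ($logon) { $logon.TimeCreated } else { $null }
            LogonType      = if ($logon) { $logon.LogonType } else { $null }
            SourceIp       = $sourceIp
            FromAllowedNet = $fromAllowed
            # Ordered list of processes started under this session.
            Chronology     = @($procs | ForEach-Object { '{0:HH:mm:ss} {1}' -f $_.TimeCreated, $_.NewProcessName })
        }
    }
}

$report = Get-PrivilegedSessionReport -Events $SampleEvents
$report | Format-List

# Sessions to escalate: privileged, but not from an expected network.
$report | Where-Object { -not $_.FromAllowedNet }
```

With the constructed data, alice’s interactive session from 10.0.0.15 passes and the svc-backup network logon from 203.0.113.9 at 23:14, followed by a PowerShell launch, is returned for escalation; the per-session Chronology field is the record the post calls invaluable when reconstructing how an incident happened.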
AlienVault.webp 2020-02-27 13:00:00 Online payment security: 8 Steps to ensure safe transactions (lien direct) This blog was written by an independent guest blogger. Online shopping has become an increasingly popular trend in the past few years as people find it more convenient to buy from the comfort of their homes. You can get pretty much anything and everything from online stores: groceries, clothing, jewelry, electronics and other household items. Yet we need to consider for a moment whether all these online financial transactions are safe, and how we can ensure our protection from online fraud such as identity theft and phishing attacks. It would be an exaggeration to say that online transactions are highly insecure; most online payment systems are relatively secure. Still, online crime is a reality, and bad actors are always lurking around looking for vulnerabilities to exploit. Unless necessary precautions are taken by both merchants and customers, payment information can be leaked and subsequently compromised. Hence, it is important for both customers and merchants to understand the basic steps to keep online transactions safe. Let us look at 8 fundamental steps to ensure safe transactions with online payments Be compliant with PCI DSS Before anything else, the first step to ensure safety is to make sure that your payment system is compliant with the Payment Card Industry Data Security Standard, an internationally accepted standard for secure card payments with 12 security requirements. The PCI Security Standards Council was established in 2006 by the major payment brands to maintain the standard and help merchants secure their customers’ financial data. Regardless of the size of your business, compliance with the standard is important to ensure that you meet fundamental security requirements to process customer transactions.
PCI SSC also provides online security education for merchants and assists them in taking important steps to improve their website’s safety. Assessment itself is carried out by PCI SSC-approved Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), who test your transaction system for vulnerabilities, which you must then fix; the resulting Report on Compliance or Self-Assessment Questionnaire is shared with your acquiring bank and the card brands associated with your business. Compliance with PCI DSS means that your company has implemented the requirements for card payment security. Ensure data encryption The second step towards enhancing online payment security is to use encryption to keep customers’ financial information private. With open WiFi networks everywhere, identity theft is prevalent and relatively easy for attackers if data travels unencrypted, so every payment page should be served over HTTPS (TLS), and any stored card data should be encrypted at rest. Websites that your business deals with for online transactions should be valid and run by legitimate operators. Encryption ensures that sensitive information is seen only by authorized parties and does not fall into the wrong hands; it also greatly reduces the likelihood that credentials are captured in transit. All of these combined provide an additional layer of protection for customers during the transaction. Keep your network updated Attackers regularly come up with new ways to break into systems, and while your network may be safe from them today, it may not be tomorrow. For this reason, it is really important that your business’s computer networks have security updates installed regularly. The best way is to sign up for automatic system updates to stay a step ahead of new threats. Automatic updates will ensure that all important safeguards are installed, the absence of w Hack Vulnerability
AlienVault.webp 2020-02-25 13:00:00 How to harden your employees from the massive social engineering threat (lien direct) This blog was written by an independent guest blogger. Social engineering is the art of human deception. In the world of cybersecurity, it’s how to fool human beings in order to conduct cyber attacks. Some of these cyber attacks can be very expensive for your business! In fact, many of the worst cyber attacks on your organization’s network start with fooling you or one of your employees. Penetrating a network without human interaction is really tough, but the people who work for your company have privileged access that can be easily exploited. I was at a Leading Cyber Ladies meetup in Toronto recently, where threat research expert Sherrod DeGrippo visited all the way from Atlanta to talk about how cyber threats often work these days and what their attack chains are like. I had the idea to write about social engineering before I attended the meeting, but I wasn’t expecting to do research for this post by attending it. It was just a very fortunate coincidence that DeGrippo said some things about social engineering that really captured my attention. After the meeting, we had a quick chat and followed each other on Twitter. During her talk at the meeting, DeGrippo mentioned that she sees a lot of cyber attackers, from APTs to script kiddies, target human beings as an initial attack vector a lot more often than they used to. She said doing reconnaissance on a corporate network is very difficult, whereas doing reconnaissance on a person is a lot easier. We post about ourselves on social media all the time. We talk about the places we’ve visited and the things we like on Twitter. We talk about who our family and friends are on Facebook. And we tell LinkedIn our job titles, who we work for, and what we do there. An individual who works for a targeted company has privileged access to its networks and to its physical buildings.
Socially engineer them, and you can get malware on their systems to send sensitive data to a command and control server, or you could possibly walk into an employees-only area of an office. The other thing she discussed that intrigued me is that she sees information security professionals targeted for social engineering attacks more often than ever before, and how lucrative we can be for social engineering exploitation. Contrary to our thinking that we know better, it often works! I asked DeGrippo about it. She said: "Yes, targeting infosec professionals is my big concern lately. The more sophisticated actors are doing really specific targeting. This includes people in security roles and lots of people in software development roles. There is so much info out there. A job offer, a security report, a discussion of a new technology and a code snippet-- all potential social engineering lures to send to technical people with privileged access.” I said, “Maybe some of us are way too confident. That confidence can be dangerous.” "… totally. I worry about that. I worry that as an industry we are so focused on protecting others that we let our own opsec (operational security) slip, or we just don’t have time to focus on it as much. It’s not really hubris in most cases, it’s just forgetting to do a threat model on ourselves.” She also spoke to me about how cyber attackers often choose their social engineering targets. “The thing I like to do is get into the psychology of a threat actor. If I could be anyone I wanted to be, but only online, who would I choose? A software dev at a fancy car company? I could hack some luxury car software to unlock for me anytime, anywhere!  A junior HR admin at a large company? Steal a ton of identity and payroll data! Maybe I would be a fancy CFO’s assistant and make changes to deposit instructions for invoices to my own mule account Malware Hack Threat Guideline
AlienVault.webp 2020-02-24 13:00:00 Dawn of a new decade: Leaping from GRC to IRM - A building block approach (lien direct) This blog was co-authored by Carisa Brockman, GRC Practice Lead. First things first: it is crucial to understand the difference between Governance, Risk and Compliance (GRC) and Integrated Risk Management (IRM), because this sets the stage for long-term strategic risk management and breaks down the siloed approach to risk that exists in many organizations today. The silos arise because GRC is sometimes implemented as a compliance-driven strategy rather than a risk-driven initiative. Instead of delving into the name itself, let’s define the approach and get started with the key items to consider while making the transition from GRC to IRM, so that it feels less like a leap. GRC can be defined as a set of tools for managing compliance, and it remains valuable for that specific challenge, but it aligns less precisely with today’s evolving definitions of risk and risk management. The answer is not to abandon GRC completely, but to evolve into an approach that is better suited to today’s multifaceted challenges, which is IRM. What does it mean to adopt an integrated approach? It involves managing risk at an enterprise level with risk-aware people, integrated processes working across business entities, and a centralized and enabling technology platform. As organizations embark on this journey of implementing IRM, some of the everyday wish-list items we hear about from our customers include: Unifying all of your risks across the organization Adding automation to improve accuracy and consistency Linking incidents, claims, risks, and controls to action plans Providing the right metrics to assist with actionable enterprise decision making Removing silos and building the link among ERM, Internal Audit, Legal, IT, Cybersecurity and the overall business Connecting the dots: It is our business to help protect your business.
Many organizations across industries are adopting an integrated approach to risk management across their business units and extended vendor network. This cohesive approach enables stakeholders to effectively coordinate and unify risk management activities across all business functions, simultaneously aligning their assurance programs and gaining comprehensive visibility into both risk exposure and relationships. Here are some building blocks to consider as you embark on this journey of identifying the IRM platform that will best fit your organization. the steps to go from GRC to IRM What is in a name? Moving beyond acronyms: As you put together the building blocks of IRM and move beyond GRC, some of the key considerations should be around the outcomes of the IRM initiative. Is this going to help build a risk-aware culture within your organization? A cyber strategy is closely linked to business strategy, and a risk-aware culture gets your cybersecurity initiatives a step closer to the business objective. That brings about the need for a formalized risk strategy within your organization. It is not about listing all of the potential risks, but about being able to tie them to business outcomes and, more importantly, to see them through to risk mitigation. Today, we see many point solutions within organizations, and the data generated from many sources never makes it into the overall risk posture or feeds into the actionable decision-making process. With increased attention being paid to risk management as a critical driver of business success, more companies are thinking about the potential of an integrated risk management approach, and we hope this triggers an initial action plan that can be applied in that process. Guideline
AlienVault.webp 2020-02-20 13:00:00 Is the cybersecurity skills gap real? (direct link) An independent guest blogger wrote this blog. If you do a web search for “cybersecurity skills gap,” you’ll get many, many pages of results. It’s certainly a hot topic in our industry. And it’s a matter that security practitioners and human resources people often disagree on. But before I get further into the matter, it would help to know what it is we’re talking about when we use the phrase “cybersecurity skills gap.” From the perspective of employers, it means that potential job applicants don’t have the specific cybersecurity skills they’re looking for, and possibly that the people they already employ don’t have the skills to be promoted into new cybersecurity-related positions. This can be a really tricky area, because computer technology evolves very quickly, and universities, colleges, and vocational schools often cannot change their curricula at the same speed. The cyber threat landscape can change just as quickly, too. From the perspective of many job seekers and security people, including myself and many of my colleagues I’ve spoken with, the phrase “cybersecurity skills gap” can sound like a taunt. Some of us have spent years in computer science programs, and many more years in IT courses and acquiring industry-specific certifications. So what if we don’t have a particular niche certification or ten years’ experience with Windows Server 2016? We have loads of related know-how, and we match many of the other job requirements, so why won’t employers give us a chance and let us learn the rest? A few others have had a knack for computing since childhood, but the expense of college tuition and certification exams can seem insurmountable when you’re just starting out and have little money. How do we get our foot in the door in the first place when you need experience for a job, but you can’t get experience until you get a job? 
The cybersecurity skills gap phenomenon can hurt people in the industry who want good jobs, but it hurts companies and the security of their networks even more. According to the 2018 (ISC)² Cybersecurity Workforce Study, more than 2.9 million cybersecurity-related job positions worldwide were unfilled. In the time that’s passed, that number has likely grown. These are positions spanning a wide range of roles, from SOC analysts to DFIR, from penetration testers to application security specialists. Leaving unfilled the positions that organizations have themselves recognized as needs inevitably weakens cybersecurity everywhere, and companies lose huge amounts of money in cyber attacks and data breaches. I have my own personal views on the matter. But cybersecurity people on Twitter also talk a lot about unrealistic job posting expectations and their impact on the skills gap. Shawn Thomas is a SOC manager. He tweeted about his exasperation with job posting requirements: “If your entry level job in infosec requires: A masters At least 3 certs Prefers two years of experience. YOU ARE NOT ALLOWED TO COMPLAIN THAT IT'S HARD TO FIND CANDIDATES Additionally the discouragement students have when they hear that should make you feel bad about yourselves.” I also have an industry friend who has done a lot of her own research into the skills gap matter. Plus, she has experience hiring for cybersecurity roles, experience that I lack. Alyssa Miller is a security evangelist and hacker, and she shares her knowledge at so many security conferences that it’d overwhelm me to do the same. She has written many posts on her blog about the skills gap, so I wanted to learn a bit from he Threat
Last update at: 2024-04-16 06:07:43