Category: How To
By Jayakumar (Jay) Kurup, Global Sales Engineering Director at Morphisec
Securing operational technology (OT) creates unique challenges.
Zero tolerance of downtime in factories, ports, banks, treatment plants, and other OT environments means that standard security practices like patch management or deploying protective solutions onto endpoints can be almost impossible to uphold.
Sometimes this is due to cultural reasons (management’s fear of even the slightest chance of disruption); other times, it is technological. OT systems often come as closed systems with firmware and software installed by a supplier.
Despite these challenges, securing OT environments is still something that needs to happen. So, what do you do with an inherently vulnerable system that you don’t want to touch? You try to air-gap it. Great in theory. In practice, however, air-gapping an OT system or firewalling its protected network is only the beginning of hardening its overall security.
OT Attacks Are on the Rise
Whether for geopolitical purposes or to collect a ransom, disrupting or threatening the performance of OT systems can be a huge win for threat actors. This has always been the case, but with OT cyberattacks rising by 87% last year, the threat level to OT is higher than ever.
Since the kinetic conflict between Russia and Ukraine began, a cyber war has been fought in parallel. The result has been a global wave of OT attacks compromising companies like Rosneft, Nordex, the UK postal service, and more.
Threat actors are also finding more ways to compromise OT environments.
Only a minority of infrastructural attack chains are the kind of “pure” OT compromises we famously saw in 2010 with Stuxnet, the 2018 Shamoon attacks on Saudi Aramco and more recently with 2020 EKANS ransomware attacks against Honda and Enel. Instead, attacks can come from various vectors, including insiders, the business networks that connect to protected networks and OT assets, and downstream supply chain compromise, i.e., “Chinese Spy Cranes.”
These different vectors are all a threat to OT systems because fully air-gapping an OT system is impossible. Industrial control systems (ICS) need to connect to corporate TCP/IP networks periodically, and when they do, they can end up plugged into the wider network, exposing the system to potential vulnerabilities and risks.
Ransomware or malware that disrupts the flow of data into a system, threatens connections between endpoints (as we saw in the Nordex attack), or exfiltrates proprietary information can shut down operations too.
The rise of remote access capabilities and business connectivity also means that OT networks are plugging into IT environments more than ever. Even in the most secure networks, blind spots and security gaps will emerge. OT users need point solutions to plug these gaps in a way that complements their legacy systems and security technology.
What OT Security Controls Need to Do
No single layer of security can be relied on to protect OT systems, and layering security (aka “defense in depth”) is critical. However, defense in depth isn’t possible without effective security controls. This is where many OT security programs struggle. Security solutions must overcome three serious challenges to stop threats in and around unconventional, resource-constrained, and reliability-focused OT systems.
First, anything deployed on an OT or OT adjacent system needs to avoid the problem of false positive alerts. In OT environments, processes cannot be shut down due to false positives.
Second, protection must happen efficiently when deployed on resource-constrained devices and within low bandwidth with complex network topologies. In OT environments, solutions reliant on downloading updates (which can inadvertently expose assets) create risks.
Third, and most importantly, any OT security solution needs to stop advanced threats from propagating from the IT (business) network to the IT/OT DMZ and into the OT (operational) network. This is critical because these environments are targets for some of the world’s most well-resourced APTs, who can and will use zero days, fileless worms, trojans, and customized ransomware and malware to attack valuable targets.
Outside of OT environments, scanning-based solutions such as endpoint detection and response (EDR) platforms are used to protect IT endpoints. In OT environments, however, they are not suitable and will often heavily underperform, since EPPs and EDRs rely on continual telemetry for signature and behavioral pattern updates and threat feeds. As a result, EDRs cannot operate properly in an air-gapped situation.
As these solutions scan for malware hooks, they use up scarce computing resources. Most EDRs are also incompatible with the diverse range of legacy OS, hardware, and applications that exist in a typical OT environment and create many false positives. None of which bodes well for their longevity in any sensitive site.
Most importantly, the biggest issue with using EDRs to protect OT adjacent systems and networks is that they fail to detect fileless and evasive attacks reliably. Many threats don’t create the recognizable signatures EDR looks for. Advanced threats (such as Cobalt Strike) also operate in unscannable environments like device memory during run time.
The same applies to solutions that use similar technology in other parts of the IT environment, such as NDRs deployed to analyze network traffic.
Protecting OT Environments with AMTD
Automated Moving Target Defense (AMTD) is a super lightweight, preventative solution that can be deployed in and around OT systems to shut down attack pathways.
AMTD is fundamentally suitable for OT environments because it stops threats without needing to detect them. It also does not require an internet connection, up-to-date telemetry, or modern OS versions.
Able to stop zero days, fileless, and evasive attacks, AMTD randomly morphs the runtime memory environment to create an unpredictable attack surface and leaves decoy traps where the targets were.
OT threats don’t follow standard playbooks. They are often unknown and dynamic, and, with OT system firewalls dissolving, they come from more places than ever. This is what a changing threat landscape looks like. As always, the best response is to double down on prevention. AMTD is a proven solution for preventing the worst threats OT security teams will ever experience.
The post How to Protect Operational Technology (OT) from Cyber Threats appeared first on Cybersecurity Insiders.
Ransomware attacks have become a growing concern in recent years, with cybercriminals targeting individuals, businesses, and even government organizations. The ability to track these attacks is crucial for mitigating their impact and ensuring appropriate response measures are taken. In this article, we will explore various strategies and techniques to effectively track ransomware attacks, enabling organizations to enhance their cybersecurity defenses and minimize the potential damage caused by such malicious activities.
Establish a Robust Monitoring System: Implementing a robust monitoring system is fundamental to detecting and tracking ransomware attacks. By utilizing advanced security tools and technologies, organizations can continuously monitor their networks, endpoints, and servers for any suspicious activities or indicators of compromise. Intrusion detection and prevention systems, network traffic analysis tools, and security information and event management (SIEM) solutions are among the key components to consider.
Stay Informed with Threat Intelligence: Leveraging threat intelligence sources is vital for tracking ransomware attacks. Organizations should subscribe to reputable threat intelligence feeds and information-sharing platforms, such as industry-specific forums and government agencies’ cybersecurity bulletins. These sources provide up-to-date insights on emerging ransomware variants, attack techniques, and indicators of compromise, allowing organizations to stay one step ahead of potential threats.
Analyze Malware Samples: When a ransomware attack occurs, analyzing the malware samples involved can provide valuable information for tracking and responding to the incident. Security teams should utilize specialized malware analysis tools and sandboxes to dissect the ransomware, identify its unique characteristics, and determine its behavior patterns. This analysis can assist in understanding the attack vector, identifying possible origins, and developing countermeasures.
Monitor Dark Web and Underground Forums: The dark web and underground forums are known hotspots where cybercriminals trade ransomware, discuss attack strategies, and negotiate ransom payments. Tracking these platforms can yield vital information regarding ongoing ransomware campaigns and potentially lead to identifying the attackers. However, engaging with these forums should only be done by trained professionals, as it involves significant risks and potential legal implications.
Collaborate with Law Enforcement Agencies: Reporting ransomware attacks to law enforcement agencies is crucial for tracking and investigating cybercriminals. Organizations should establish relationships with local and international law enforcement entities, such as national cybercrime units or specialized agencies. Sharing relevant information and indicators of compromise with these authorities can aid in identifying the attackers, disrupting their operations, and potentially retrieving encrypted data.
Engage with Cybersecurity Communities: Active participation in cybersecurity communities and information-sharing platforms is an effective way to track ransomware attacks. By collaborating with other security professionals and researchers, organizations can benefit from collective knowledge and expertise. These communities often share insights, threat intelligence, and best practices, allowing for a better understanding of the evolving ransomware landscape and potential tracking techniques.
Implement Robust Incident Response Procedures: Having well-defined incident response procedures in place is essential for efficiently tracking and mitigating ransomware attacks. Organizations should establish an incident response team, including individuals from various departments, such as IT, legal, and communications. The team should be well-versed in handling ransomware incidents, conducting forensic investigations, and coordinating remediation efforts to minimize the impact and prevent further spread.
Conclusion:
Tracking ransomware attacks requires a multi-faceted approach that combines proactive monitoring, collaboration with law enforcement agencies, leveraging threat intelligence, and engaging with cybersecurity communities. By implementing these strategies and techniques, organizations can enhance their ability to detect, track, and respond effectively to ransomware incidents. Staying informed, investing in robust security systems, and fostering strong partnerships within the cybersecurity ecosystem are key to mitigating the risks posed by ransomware attacks and protecting critical data and systems.
The post How to Track Ransomware Attacks: A Comprehensive Guide appeared first on Cybersecurity Insiders.
By Aaron Sandeen, CEO and co-founder at Securin
In 2023, you can divide organizations into two categories: those who have been hit by a ransomware attack and those who will be soon.
Ransomware is ubiquitous, inescapable, and—despite widespread efforts to combat it—ever-escalating. It has caused the death of patients in critical condition, disrupted the Colonial Pipeline supply on the East Coast, affected daily operations of entities as diverse as the San Francisco 49ers, the Costa Rican Government and the Los Angeles Unified School District. It doesn’t matter where your organization is or what it does. Ransomware doesn’t discriminate. If you have data to exfiltrate, if you have money that can be extorted, a ransomware attack will be coming for you, and soon—if it hasn’t already.
The current situation in cybersecurity is akin to an ongoing cyber-arms race between ransomware groups and cybersecurity experts. As ransomware groups become more sophisticated, cybersecurity experts work to develop new tools and strategies to combat them. This cat-and-mouse game is a never-ending war of attrition with no clear winners. However, despite the challenge, there is no reason for hopelessness. While some aspects of the situation may be beyond the control of IT teams, there are still countless precautions that can be taken to minimize the risk of a ransomware attack or the harm a successful attack might cause.
IT teams know this—and yet, per research from Securin, there are still many hundreds of vulnerabilities that have been left exposed by organizations. Until these vulnerabilities are addressed, the problem of ransomware will only get worse. Here is a quick run-through of the four most common types of vulnerabilities that organizations should watch out for.
1) Vulnerabilities Allowing Intruders into Networks
According to Securin’s research, services such as external remote services, VPN, and public-facing applications contain 133 vulnerabilities associated with ransomware that could be exploited for initial access.
External remote services refer to services like Windows Server Message Block (SMB) or Microsoft’s Remote Desktop Protocol. These services have become more widespread since the onset of the pandemic and the rise of work from home (WFH). They can be highly vulnerable to attack, as some are rife with misconfigurations or exploits well-known to cyber-criminals. For example, the 2017 WannaCry ransomware attack—one of the biggest in history—exploited an SMB vulnerability. There are many other vulnerabilities out there that have continued to go unaddressed: the Log4Shell vulnerability, for instance, which affects 176 products from 21 vendors and was exploited by six ransomware groups, including Conti and AvosLocker.
2) Vulnerabilities Requiring User Action
It’s important to note that ‘vulnerabilities’ don’t simply refer to problems with software or hardware—they also refer to human error. In fact, a large percentage of ransomware attacks can be chalked up to precisely that.
Ransomware threat actors are highly skilled at social engineering to achieve their goals: say, by posing as their target’s friend, colleague, or boss. This can lead users to inadvertently execute malicious code by opening harmful email attachments, links, or adversary-placed files. Unfortunately, as everyday users grow more sophisticated on noticing social engineering, the bad guys refine their tools in turn.
As this is a human problem, it requires a human response to combat it: namely, intensive and thoughtful in-person training where IT team members explain to people in other departments how to identify a potential threat (and what to do if they’ve unknowingly allowed someone into the system). It’s imperative that IT departments stay on top of current social engineering trends and regularly update their organizations on what to look out for.
3) Vulnerabilities Providing Elevated Access
The vulnerabilities we’ve discussed so far have addressed techniques used by hackers to try to get into your network. Unfortunately, that is usually only step one. Once hackers have exploited vulnerabilities to enter your system, they can then take advantage of additional vulnerabilities—ones that allow privilege escalation to penetrate deeper into the network and execute malware.
Put otherwise: if your attacker has a sophisticated-enough understanding of the vulnerabilities at play in your system, they can break into an account with limited permissions and use that understanding to turn themselves into an administrator and gain access to even more sensitive information.
According to the aforementioned Securin research, there are 75 vulnerabilities with ransomware associations that could enable ransomware actors to elevate privileges and easily facilitate lateral movement across organizational domains, including the Windows CLFS Privilege Escalation vulnerability and the Microsoft Exchange Server Elevation of Privilege vulnerability.
4) Vulnerabilities Allowing Stealthy Movement
Increasingly, we’re seeing malicious actors use tactics like disabling security software or blocking script execution to invade and move laterally across vulnerable networks without being identified. One well-known example of this is the Mark-of-the-web bypass (T1553.005), which ransomware groups use to abuse specific file formats and override controls.
Or take the example of BlackByte, a significant new ransomware gang that the FBI issued a warning about last year. BlackByte has become known for a technique that, according to ZDNet, “allows attacks to bypass detection by security products by exploiting a vulnerability in more than 1,000 drivers used in antivirus software.” This problem—which researchers describe as “Bring Your Own Driver”—suggests a significant and troubling new front in the war against ransomware attacks.
Ransomware attacks are on the rise, and it’s becoming increasingly apparent that every organization, regardless of industry or size, is at risk. No one can hope to protect themselves from ransomware attacks fully. What organizations can do is avoid easy mistakes—properly training staff, getting a clearer sense of their system’s vulnerabilities, and taking serious steps to fix them. The war against ransomware might not be ending anytime soon, but we can take steps to limit the casualties along the way.
The post The Top 4 Ransomware Vulnerabilities Putting your Company in Danger appeared first on Cybersecurity Insiders.
by John Spiegel, Director of Strategy, Axis Security
Gartner just released the 2023 version of their “Magic Quadrant” for Secure Service Edge or SSE. Cheers are being heard from the companies who scored upper right-hand and jeers are being shouted by those companies who did not enjoy where they landed on Gartner’s matrix. Over the next few months, there will be a lot of noise coming from all the vendors. Some of it is useful, and some just distracting. Overall, SSE now has a place in the industry. This is good. As you read the news, cyber-attacks are still on the rise and now we’ve drifted into national security concerns with the leaks about the war in Ukraine by a junior-level, 21-year-old Massachusetts National Guard airman. SSE provides a framework to finally bring together networking and security in a modern manner to secure our future in a truly least-privileged way.
While the Gartner MQ provides a plethora of helpful information to the network and security leader, one area I found needing improvement was how these solutions are architected. As Winston Churchill famously said, “We shape our buildings: thereafter they shape us.” Or said another way, “architecture matters”. More importantly, you need to understand how a particular solution deploys its network “points of presence” or PoPs. To paraphrase a well-known movie from 2002, “SSE, it’s all about the PoPs.”
The fundamental concept of both SSE and its bigger brother Secure Access Service Edge (SASE) is to place network and security functions close to the employee and endpoint device. This is critical in overcoming the dilemma of selecting either network performance or security scanning. The PoPs are where the action happens. Through centralized policy, security treatments like malware scanning, web filtering, and data leakage protection, occur close to the employee, 3rd party, or device. These PoPs can be placed in the SSE providers owned regional data centers, and telecom hotels, as well as in several of the “Cloud Giants” (AWS, Azure, Google Cloud). The closer you place the PoPs to the employee and their device, the better the performance and security of a given application. How these PoPs are created, deployed, and managed also needs to be understood as they impact a given solution’s resiliency.
Before we dive into this critical topic, let’s take a step back and level set. Why should you care, and why are all PoPs not created equal? In the past, the WAN network, which both SASE and SSE are replacements for, was constructed on a private network owned by a large telecom vendor who would provide service level agreements. Performance was consistent and when there was an outage, the service vendor was on the hook for resolution. That was when applications lived in the private data center. Cloud changed the game in the 2010s and led the enterprise to move to an “internet as the WAN” for connectivity. Why? Gartner provides several statistics to help us understand the reason:
· Gartner surveys in 2020 showed 80% of enterprises using IaaS are multi-cloud
· In 2024, 60% of IT spending on application software will be directed at Cloud technologies.
· By 2026, SaaS workloads will dominate the enterprise software market.
As the internet is now the onramp for Cloud and SaaS-based applications/services, SSE and SASE will be the means to access them. Therefore, it brings up the question of resiliency and how you should build out your SSE/SASE platform as downtime is, in this day and age, not acceptable.
In another recent research paper, Gartner analysts Evan Zeng and Jonathan Forest called this out. The paper was titled “Leverage Cloud Connect Infrastructure to Improve Connectivity Experience for Cloud Workloads for SASE Solutions”. If you have access to a Gartner license, give it a read. If not, the Cliff’s Notes version is this: as applications become Cloud dominant, Secure Access Service Edge (SASE) product leaders must consider how to architect their WANs. Meaning, is it enough to purchase the service from either a vendor or a telecom and call it good? Application performance and security must be accounted for. As an example, if my company leverages Azure for PaaS services, is it good enough that my SSE/SASE vendor only runs on Google Cloud? Is it OK if my SASE vendor built out their PoPs in their own data centers? If so, I need to account for this, and the result may be that I need to add my own interconnects into Azure or similar services. This costs money, adds complexity, and also increases the “keep the lights on” (KTLO) burden. Most importantly, it also pushes the network/security engineer back into the performance vs. security dilemma. Not ideal.
To address this, a few vendors in the space have taken a different path, one which puts the network/security engineer back in the driver’s seat. Instead of a “take it or leave it” approach to the PoP that harkens back to the big telco days for WAN services, the engineer can select the best placement of a PoP to realize the value of SSE/SASE: application performance with security. As an example, consider this option. Start with the Cloud Giants as a massive network underlay. Use all of them: AWS, Google Cloud, Azure, and Oracle Cloud. The result is this. You don’t need to transit from Google Cloud to access services in Azure. The SSE/SASE platform does the work for you. It also provides resiliency. If AWS suffers an unfortunate outage, PoP services can be handled by Azure, Google Cloud, or Oracle Cloud. Additionally, vendors are also offering a local edge option that can be installed in an on-prem data center. This is a smaller-scale version of the standard PoP running in the traditional data center, providing the full suite of services: Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP) and Zero Trust Network Access (ZTNA). Then take it a step further. What if you are in an area where there is no option for a local edge and the closest Cloud Giant data center is 800 miles away? Are you in what is called a “PoP desert” and you have a latency-sensitive application? Can the SSE/SASE provider spin up a PoP in a colocation facility to extend their services closer to you?
Choice in how you construct, create resiliency, and provide performance with security must be at the core of how you evaluate the various SSE/SASE solutions on the market. While the Gartner MQ is a good first pass, it is critical to dive into the architecture of each of the solutions listed in the MQ, and of those not included. Ask the critical questions. Ask about the location of a vendor’s PoPs. How quickly can they build a PoP? How can they increase capacity rapidly to meet your demands? How resilient is their network of PoPs? Are all services provided in each PoP? If their answer is one size fits all, think really hard before continuing the conversation. If their answer is fully redundant, ask how. Dive deep. Much like you would architect your data center network and power systems or your WAN, these answers matter. Ask them. You are the enterprise engineer on the front lines. Don’t be pigeonholed into a solution that is flawed or results in compromises and puts you right back into complexity with limited resiliency. Downtime and its cousin, the slow, insecure application, are no longer acceptable.
The post Architecture Matters When it Comes to SSE appeared first on Cybersecurity Insiders.
On May 14th, 2023, most of the world will be celebrating Mother’s Day. Many daughters and sons will be shopping for gifts for their loved ones, and this is where scammers will be preying on innocent victims by exploiting their sentiments on the special occasion.
Fake online retailers, fake holiday-themed ads, fake coupons and gift cards, Facebook Marketplace scams, AI-based voice scams, impersonation threats, investment scams, delivery scams and phishing are some of the threats you ought to be aware of if you want to stay out of trouble.
So, how do you avoid falling prey to Mother’s Day scams?
It’s simple: do not fall for advertisements that are too good to be true, like links pointing at web portals that promise an iPhone for just $80.
Never click on links passed on through emails and messages, as they can be information-gathering platforms.
Always use trustworthy portals to purchase gift cards and never fall for pop-ups that promise big for a very low cost.
Shop on websites that have been known for years, like Amazon and Target, as they have a proven record of presence in the marketplace.
Avoid sharing personal information on messaging apps and on the phone, as it can reach a receiver with nasty intentions.
Keep an eye on donations paid to charities and investigate whether they are truly spending the amount according to the intended objective of their establishment.
And last but not least, a VERY HAPPY MOTHER’S DAY to all you mothers out there!
The post How to avoid mothers day scams appeared first on Cybersecurity Insiders.
By Sameer Hajarnis, CPO, OneSpan
With the digital economy flourishing, both organizations and consumers are becoming more comfortable making high-value transactions online. To keep up with Web3, organizations have had to offer flexible, digital alternatives to their business processes. Among these processes is the electronic signature, or “e-signature,” the digital alternative to signing documents in person. Although e-signatures ease the consumer process, many organizations neglect security practices throughout the transaction lifecycle. In parallel, remote online notarization is also becoming more commonplace, with high-value transactions including contractual agreements, mortgages, and powers of attorney becoming digitized. As the threat landscape continues to progress, there is a growing concern that hackers will increasingly manipulate the integrity of digital agreements, especially as more transactions of higher and higher value take place online.
According to MSB Docs, 65% of companies using pen and paper report that collecting physical signatures adds an entire day to their work process. In addition to accelerating workflow, e-signatures improve customer experience, eliminate errors, track processes, and so on. The commoditization of e-signatures happened so quickly, and was so convenient, that many organizations neglected security measures when implementing these digitized processes.
Along with this, cyberattacks are becoming increasingly sophisticated; recently, The Neustar International Security Council found that only about half of companies have the necessary budgets to meet their current cybersecurity requirements. This is especially alarming for industries that conduct high-value transactions online, such as banking, healthcare, government, etc., because a person’s most critical information could potentially be exposed. According to the Insurance Information Institute, there was a 45-percent increase in identity theft in 2020, and the rapid digital transformation that took place during 2020 would not have helped improve this figure.
The main reason why companies continue to neglect cybersecurity is because they believe it will disrupt the customer journey. Abandonment and customer drop-off are through the roof and today, the slightest inconvenience will turn consumers away. While customers are looking for digital trust, many organizations believe security processes can disrupt the customer experience, but Digicert’s 2022 State of Digital Trust Survey found that 47 percent of consumers have stopped doing business with a company after losing trust in that company’s digital security. Another 84% of customers would consider switching providers.
With those consequences in mind, organizations should consider the following cyber initiatives to secure digital interactions.
Compliance
Organizations must comply with e-signature security requirements. Electronic signature solutions are regulated by the ESIGN and UETA. These acts were passed to (1) solidify the legitimacy of e-signatures in the business world, (2) ensure all parties have consented to conduct business electronically, and (3) authenticate the signer’s identity. Depending on a company’s location and/or industry, these regulations may differ.
In the past year, nine in ten Americans encountered a fraud attempt. To safeguard users’ identities and critical information, the government stepped in to enforce strict security measures. It is of the utmost importance that e-signature solutions act in accordance with these laws, as they ensure the highest level of security and reduce the probability of identity fraud.
When it comes to remote online notarization, the compliance requirements become even more complex. Where a traditional notarization calls for an in-person screening to help protect the personal rights and property from threat actors, a remote online notarization requires organizations to authenticate the applicants’ identities virtually. Applicants must virtually verify their identity through ID Verification and Knowledge-based Authentication (KBA) and then execute the e-signature before being affixed by the notary. Failure to meet these compliance requirements may result in notaries facing civil liability or the loss of their license.
Certificates of Completion
Vendors must provide immediate proof of completion upon the execution of an electronic agreement. That certificate of completion must include the associated IP address, email address, date, timestamp, names, and all other aspects of a transaction. The certificate will act as a legal record of the transaction and should be stored on a secure site to avoid any tampering. By doing so, organizations can be confident that all e-signatures are lawful and will hold up in court. When notarizing a document online, consumers must obtain a digital certificate that provides evidence of the notarization.
Authentication
To ensure the highest level of security, e-signature providers must also provide a two-key encryption system, such as public key infrastructure (PKI), and/or two-step verification. This helps avoid attacks such as man in the middle (MITM), a common attack where an attacker positions themselves between two parties and attempts to intercept the information passed between them. Authentication also reduces the overall likelihood of compromising information.
For online notarizations, organizations can mitigate security risks with identity verification, KBA, and built-in security controls preventing participants from signing on behalf of others.
Digital processes and customer interactions must be secured at every touchpoint throughout a transaction. Most providers require only one-time verification, which may seem secure to consumers carrying out a transaction. But in order to secure e-signatures and notarizations, continuous authentication is essential: organizations must secure every interaction throughout the customer journey.
The digitization of high-value transactions brings many benefits to an organization, but it also poses quite a few risks if the associated cyber threats are ignored. In the world of Web3, organizations must be fully aware of the cyberattacks, insider threats, and compliance failures that threaten the validity of online transactions. Online notarizations in particular must occur in a secure environment, as they operate across industries where valuable information is transferred (automotive, banking, real estate, legal, and insurance).
With that awareness, security needs to be woven into every choice application providers make. Solution providers must adopt an increased level of security that is integrated into the fabric of all transactions and agreements. Organizations, especially those that handle high-value transactions, should invest in alternative e-signature and notarization solutions that utilize multi-factor authentication, identity verification, encryption, and other secure processes. These processes safeguard important information and ensure those completing the transaction are who they say they are.
The post Signed, Secured, Delivered: Authenticating Digital Agreements in the Time of Web3 appeared first on Cybersecurity Insiders.
By Ratan Tipirneni, President and CEO, Tigera
While cloud-native technologies are relatively new to many businesses, Global 2000 companies have run containers and distributed applications at scale for over a decade. Although these household-name companies are high-profile targets for hackers, they have avoided devastating security incidents. This is evidence of their holistic security strategies and advanced tactics.
Based on our work with them, here are a few lessons other businesses can apply to cloud-native application security.
Take a zero-trust approach
First and foremost, these companies have adopted a zero-trust approach. Choosing zero trust as the foundational pillar is one way Fortune 100 companies keep their environments secure. In a zero-trust model, everything is denied access by default except the things that need to be able to communicate. Zero trust is crucial in securing distributed applications and containers, as it prevents threats from sneaking in as they are deployed and maintained. It is nearly impossible to secure these environments without a zero-trust foundation.
The concept of zero trust has existed for many years, long before it was named or widely adopted. Zero trust exemplifies the importance of returning to the basics and learning from successful companies rather than chasing after new solutions that often overpromise and underdeliver.
Address infrastructure and security holistically
In addition to a zero-trust approach, companies that have secured their cloud-native environments take a holistic approach to security. Hackers and bad actors do not always target the most obvious entry points and can find, and exploit, vulnerabilities in any open door or window. Therefore, it is crucial to secure all potential attack vectors. This requires a comprehensive approach to security rather than focusing on just a few key areas.
Treat security as code
Another key lesson from these leading companies is the importance of treating security as code. When security and IT leaders do not treat security as code, they initially configure controls to secure every door and window, but once day-to-day operations take over, it is only a matter of time before one of those entry points flips open again.
With a security-as-code approach, security is programmed in along with the software so that the security controls move wherever the software goes. Incorporating security into the development process and treating it as an integral part of the software makes it much easier to ensure that security controls are consistently applied. This is particularly important in cloud-native environments, where applications and infrastructure constantly evolve and change.
Strip down infrastructure and rebuild it
We work with a customer who completely strips down their entire infrastructure and rebuilds it regularly. They clean their entire stack every three weeks and reinstall through automated scripts. Stripping down their infrastructure flushes out potential threats that may have infiltrated the application or infrastructure. However, doing this on a large scale requires a high degree of automation and underscores the need to treat everything as code. Without treating security as code, the highly advantageous ability to rebuild that stack on an ongoing basis would be infeasible.
Democratizing this level of security
Fortune 100 companies have been running cloud-native apps at scale for years; they started long before the current array of cloud-native security solutions was available. These companies had the monetary resources and talent pool to build their own solutions and processes. Now, cloud-native technology adoption has exploded, and smaller teams and companies are using cloud-native solutions for daily operations.
The same level of security the Fortune 100 has achieved should be available to companies across the globe. The next step in cloud-native security solution development should be taking what these leading companies have done, codifying it, packaging it into a repeatable solution, and rolling it out as a service so that smaller organizations can use it to secure their environments.
Security is an ongoing process
As the threat landscape changes and evolves, businesses must constantly re-evaluate and adapt their security measures to stay ahead of potential threats. Security is not a one-time effort; it’s an ongoing process that organizations of all sizes must prioritize. By learning from the successes of Fortune 100 companies, businesses can adopt best practices and build a secure foundation for their cloud-native environments.
Author Bio
Ratan Tipirneni is President & CEO at Tigera, where he is responsible for defining strategy, leading execution, and scaling revenues. Ratan is an entrepreneurial executive with extensive experience incubating, building, and scaling software businesses from early stage to hundreds of millions of dollars in revenue. He is a proven leader with a track record of building world-class teams.
The post Lessons From the Fortune 100 About Cloud-Native Application Security appeared first on Cybersecurity Insiders.
Omer Carmi, VP of Threat Intelligence, Cybersixgill
When I was in elementary school, we had a routine fire drill. The alarm bells would ring, and we were expected to drop everything and run outside as quickly as possible. As a young child, this was frightening, even upsetting, and we initially took it very seriously. The drills continued through our school years, yet we responded in a much different way by the time we reached high school: The alarm bells would ring, we’d shrug, pick up our stuff and shuffle outside for what we knew was just another break from class. We’d become numb to the alarm bell ringing because we knew there was no fire.
When the cybersecurity community deals with every patch day like we dealt with school fire drills, it runs the risk of becoming numb to the severity of some of the vulnerabilities and blind to which vulnerabilities should be prioritized.
Statistics show that threat actors never exploit 94 percent of disclosed vulnerabilities. That means IT staff are spending valuable time on CVEs that:
- Will never be exploited.
- Don’t apply to your organization or industry.
- Are completely misjudged at the beginning of their life cycles.
- Take away attention from the 6 percent of vulnerabilities that will be exploited.
CISOs should expand the scope of vulnerability management programs so they are better able to decide in real-time if a CVE is indeed one of the 6 percent that demands immediate attention.
Taking into account multiple criteria, including the potential impact of a vulnerability and the likelihood of its exploitation, can create a more balanced order of urgency for an organization.
Take, for instance, the recent hype about OpenSSL vulnerabilities earlier this month. Early indicators pointed to a complete apocalypse: some likened the scenario to Heartbleed 2.0. The media picked up on the sense of urgency, and reports of the expected severity traveled worldwide at record speed. All the alarm bells were ringing, but then the severity was downgraded from “critical” to “high.” That’s a perfect example of the fire drill mentality I’m talking about: it’s inefficient, and it depletes our valuable resources if we continue to listen to “the boy who cries critical.” This doesn’t mean we shouldn’t treat every vulnerability with extra care; it means that we should change the lens we use to examine vulnerabilities.
How can we move away from severity-driven patching cycles and change the fire drill approach to patching?
Constant patching creates the same feeling as Whack-a-Mole, where a new vulnerability pops up when you’re done patching an old one. Patch, watch for updates, patch, repeat. It never ends.
Let’s say a prominent software company sends out a release rating a CVE as critical, saying it should be immediately patched. Industry media will pick up on that and start ringing the alarm bells, probably reasoning that it’s better to be safe than sorry.
The problem with following the media’s lead is that most software companies base their patch announcements on the potential severity of the CVE (best characterized by CVSS), without considering the probability that this CVE will be successfully exploited. Remember, only 6 percent of vulnerabilities are actually exploited. If you base your patching on a severity-driven approach, you fail to distinguish between a fire drill and the real thing.
Software companies should get better at providing context for the CVEs they are warning us about and highlighting key risk parameters. It’s no longer enough to just offer a severity score. At a minimum, we should also know:
- Whether a CVE has already been exploited in the wild.
- How much chatter there is about this CVE in cybercrime forums.
- Whether exploit code for this CVE is shared on the dark web.
- Whether there are other risk factors beyond severity that can help cybersecurity teams make a patching decision.
- How critical the assets vulnerable to this CVE are.
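To make the difference between a severity-driven and a risk-driven ordering concrete, here is an added Python example; it is not the author's or Cybersixgill's scoring model. The CVE records, the weights, and the use of the 6 percent figure as a default likelihood are all constructed for illustration.

```python
"""Risk-based CVE prioritization (constructed illustration, not a vendor model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CveContext:
    cve_id: str               # placeholder identifiers, not real CVEs
    cvss: float               # vendor-published severity, 0.0-10.0
    exploited_in_wild: bool   # confirmed exploitation observed
    exploit_public: bool      # working exploit code shared on the dark web
    forum_chatter: int        # recent cybercrime-forum mentions (constructed count)
    asset_criticality: int    # 0 = not in our estate, 1 = low ... 3 = business-critical


def severity_only(c: CveContext) -> float:
    """The fire-drill ordering: patch by CVSS alone."""
    return c.cvss


def risk_score(c: CveContext) -> float:
    """Impact x likelihood. Impact is CVSS scaled by how critical the exposed
    asset is; likelihood rises with evidence of real-world exploitation.
    The thresholds and weights are assumptions chosen for this example."""
    if c.asset_criticality == 0:
        return 0.0                      # we don't run the product: nothing to patch
    impact = c.cvss / 10.0 * c.asset_criticality
    likelihood = 0.06                   # base rate: ~6% of CVEs are ever exploited
    if c.exploited_in_wild:
        likelihood = 1.0
    elif c.exploit_public:
        likelihood = 0.6
    elif c.forum_chatter >= 50:
        likelihood = 0.3
    elif c.forum_chatter >= 10:
        likelihood = 0.15
    return round(impact * likelihood * 10, 2)


def prioritize(cves, scorer=risk_score):
    """Return CVE ids ordered from most to least urgent under the given scorer."""
    return [c.cve_id for c in sorted(cves, key=scorer, reverse=True)]


# Constructed sample: four CVEs as a vulnerability-management team might see them.
SAMPLE = [
    CveContext("CVE-EXAMPLE-0001", 9.8, False, False, 2, 1),    # "critical" but quiet, low-value asset
    CveContext("CVE-EXAMPLE-0002", 7.5, True, True, 120, 3),    # exploited in the wild on a critical asset
    CveContext("CVE-EXAMPLE-0003", 9.1, False, False, 0, 0),    # critical, but the product is not deployed
    CveContext("CVE-EXAMPLE-0004", 6.5, False, True, 40, 2),    # medium severity, exploit already shared
]

if __name__ == "__main__":
    print("severity-driven:", prioritize(SAMPLE, severity_only))
    print("risk-driven:    ", prioritize(SAMPLE))
```

Under the severity-only ordering the two 9.x CVEs come first, including one the organization does not even run; under the risk-based ordering the actively exploited CVE on a critical asset moves to the top.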
And media outlets should examine their role in creating a fire-drill mentality by encouraging more attention to risk-based parameters, not just severity.
Vulnerability disclosures will still dominate headlines and attention in 2023, because that is the only way to create awareness of new vulnerabilities across the cybersecurity community and the public. This process has a lot of merit.
But the culture shift away from what I call a fire drill mentality has to come from inside cybersecurity departments. It has to come from strong CISOs who understand that a high severity score without any context is not enough to set the alarm bells ringing, and who understand the negative consequences of doing so.
The post Firing the Vulnerability Disclosure Fire-Drill Mentality appeared first on Cybersecurity Insiders.
By: Daron Hartvigsen, Managing Director, StoneTurn and Luke Tenery, Partner, StoneTurn
When insider threat or insider risk is discussed in a corporate context, often the relevant topics include misconduct, fraud, misuse, or even the idea that insiders can be unwitting accomplices to social engineering exploitation. The recent slowing of the US economy and volatility in the digital asset market have surfaced some less talked about aspects of insider risk that companies should consider.
Security: Often a Single Point of Failure
Whether it’s cryptocurrency, social media, or software engineering, it commonly occurs in startups and new innovations that a very small cadre of individuals propel the entire endeavor forward. Unfortunately, it often happens that these early leaders retain critical information about the project (design, developments, infrastructure, technology) in one location: their own brains. If this information is not properly documented and accessible, it can prove catastrophic if a key individual departs or is unavailable when something fails. Cue the chaos that can ensue.
As an example, StoneTurn has worked with very successful companies who operate IT systems supporting the storage, exchange, and/or trading of digital assets. Unfortunately, we often find these companies rely on infrastructure built by early innovators who fielded systems without the knowledge, funding, or motivation to build a more secure and redundant platform. When the Crypto “winter” hit in late 2022 and prices plunged, it was not surprising to see allegations of unauthorized and untraceable theft of digital assets from companies who laid off some of the very employees responsible for the IT systems that experienced the theft.
In some cases, the employees understood critical logging gaps or had oversight of the security measures intended to thwart unauthorized internal activity, and thus were able to exploit them. Initial build strategies for some players in the digital asset ecosystem focused solely on investing in protections from unauthorized external access, client fraud, or defenses from other external threats. Internal access control, auditing, and logging are often seen as addressing secondary risks and receive less investment. As a result, policies and protocols insufficient to prevent or detect insider risk are implemented and only become a priority when there is a loss or impactful security event.
Intellectual Property/Institutional Knowledge: Can Disappear Overnight
Companies that build a new product from the ground up and rely on infrastructure built by a small team of innovators often do not plan for the eventual departure of that talent.
We have worked on more than one case where an entity worth more than $100 million USD relied on ONE person’s institutional knowledge to keep things going. When that situation goes bad, investigators like StoneTurn are called to understand what happened. What are the impacts to the core production environment when the person who built it and maintains it is laid off or quits? The short answer: it could be significant if redundancy in knowledge was not planned for. But it can go much deeper.
During the latter stages of 2022 we worked with clients who did lay off staff and downsize teams, and as a result created environments where the company’s ability to support key technologies just disappeared, essentially overnight. As headlines have indicated, this trend has carried over into 2023, with entities large and small across sectors continuing to make cuts in staffing. While a large company may be able to fill in the gaps, for a smaller digital asset exchange, the departure of foundational technical staff could cause a much more significant disruption. Getting ahead of these disruptions is critical, and companies can do many things to defend themselves from disappearing institutional knowledge. Those defenses need to be implemented early and built into engineering, security, and growth plans.
Bottom Line: Plan to Protect
Building a business off a great idea, maturing that idea into a product, and serving the market successfully are key goals many innovators reach for and something that is celebrated in the business ecosystem. Today, however, building a successful technology-enabled business must include a much broader set of goals to avoid common pitfalls.
- Plan to protect intellectual property and institutional knowledge from the beginning.
- While building out IT infrastructure, it is wise to secure what is valuable from day one and to do so with an eye to both external and internal risk.
- Test controls and protocols frequently to ensure they are not circumvented, whether maliciously or for the sake of perceived “efficiency.”
For today’s leaders, the end goal must change: Build a secure business off a great idea and plan to secure the IP associated with that idea right away. Mature the idea into a secure product with redundancies that defend against a single point of failure. By doing so, organizations can better serve the market successfully by securing fundamental business and client information in the long-term.
###
About Daron Hartvigsen
Daron Hartvigsen, Managing Director with StoneTurn, is a cyber threat response and pursuit expert having served both commercial and U.S. government information security domains. He brings a combined nearly 30 years of experience in commercial, U.S. intelligence, counter-intelligence, and law enforcement, and has conducted incident response, cyber threat pursuit, law enforcement investigations, counterintelligence operations, intelligence analysis, and cyber threat degradation activities.
About Luke Tenery
Luke Tenery brings over 20 years of experience helping leading organizations mitigate complex cybersecurity, data privacy, and digital risks. He applies expertise in cyber investigations, threat intelligence, incident response, and information risk management to assist clients—from prevention to detection, mitigation through to remediation and transformation.
Luke specializes in situational cyber risks, including assisting public companies and their Boards in addressing digital risks and remediation of complex cyber incidents. Luke has also advised on cyber issues at the intersection of risk and compliance, as well as those related to financial fraud and data integrity.
The post Insider Risk: Unconventional Thoughts and Lessons Learned appeared first on Cybersecurity Insiders.