Category: AlienVault

I. Introduction

AI’s transformative power is reshaping business operations across numerous industries. Through Robotic Process Automation (RPA), AI is liberating human resources from the shackles of repetitive, rule-based tasks and directing their focus towards strategic, complex operations. Furthermore, AI and machine learning algorithms can decipher the huge sets of data at an unprecedented speed and accuracy, giving businesses insights that were once out of reach. For customer relations, AI serves as a personal touchpoint, enhancing engagement through personalized interactions.

As advantageous as AI is to businesses, it also creates very unique security challenges. For example, adversarial attacks that subtly manipulate the input data of an AI model to make it behave abnormally, all while circumventing detection. Equally concerning is the phenomenon of data poisoning where attackers taint an AI model during its training phase by injecting misleading data, thereby corrupting its eventual outcomes.

It is in this landscape that the Zero Trust security model of ‘Trust Nothing, Verify Everything’, stakes its claim as a potent counter to AI-based threats. Zero Trust moves away from the traditional notion of a secure perimeter. Instead, it assumes that any device or user, regardless of their location within or outside the network, should be considered a threat.

This shift in thinking demands strict access controls, comprehensive visibility, and continuous monitoring across the IT ecosystem. As AI technologies increase operational efficiency and decision-making, they can also become conduits for attacks if not properly secured. Cybercriminals are already trying to exploit AI systems via data poisoning and adversarial attacks making Zero Trust model’s role in securing these systems is becomes even more important.

II. Understanding AI threats

Mitigating AI threats risks requires a comprehensive approach to AI security, including careful design and testing of AI models, robust data protection measures, continuous monitoring for suspicious activity, and the use of secure, reliable infrastructure. Businesses need to consider the following risks when implementing AI.

Adversarial attacks: These attacks involve manipulating an AI model’s input data to make the model behave in a way that the attacker desires, without triggering an alarm. For example, an attacker could manipulate a facial recognition system to misidentify an individual, allowing unauthorized access.

Data poisoning: This type of attack involves introducing false or misleading data into an AI model during its training phase, with the aim of corrupting the model’s outcomes. Since AI systems depend heavily on their training data, poisoned data can significantly impact their performance and reliability.

Model theft and inversion attacks: Attackers might attempt to steal proprietary AI models or recreate them based on their outputs, a risk that’s particularly high for models provided as a service. Additionally, attackers can try to infer sensitive information from the outputs of an AI model, like learning about the individuals in a training dataset.

AI-enhanced cyberattacks: AI can be used by malicious actors to automate and enhance their cyberattacks. This includes using AI to perform more sophisticated phishing attacks, automate the discovery of vulnerabilities, or conduct faster, more effective brute-force attacks.

Lack of transparency (black box problem): It’s often hard to understand how complex AI models make decisions. This lack of transparency can create a security risk as it might allow biased or malicious behavior to go undetected.

Dependence on AI systems: As businesses increasingly rely on AI systems, any disruption to these systems can have serious consequences. This could occur due to technical issues, attacks on the AI system itself, or attacks on the underlying infrastructure.

III. The Zero Trust model for AI

Zero Trust offers an effective strategy to neutralize AI-based threats. At its core, Zero Trust is a simple concept: Trust Nothing, Verify Everything. It rebuffs the traditional notion of a secure perimeter and assumes that any device or user, whether inside or outside the network, could be a potential threat. Consequently, it mandates strict access controls, comprehensive visibility, and continual monitoring across the IT environment. Zero Trust is an effective strategy for dealing with AI threats for the following reasons:

• Zero Trust architecture: Design granular access controls based on least privilege principles. Each AI model, data source, and user is considered individually, with stringent permissions that limit access only to what is necessary. This approach significantly reduces the threat surface that an attacker can exploit.
• Zero Trust visibility: Emphasizes deep visibility across all digital assets, including AI algorithms and data sets. This transparency enables organizations to monitor and detect abnormal activities swiftly, aiding in promptly mitigating AI-specific threats such as model drift or data manipulation.
• Zero Trust persistent security monitoring and assessment: In the rapidly evolving AI landscape, a static security stance is inadequate. Zero Trust promotes continuous evaluation and real-time adaptation of security controls, helping organizations stay a step ahead of AI threats.

IV. Applying Zero Trust to AI

Zero Trust principles can be applied to protect a business’s sensitive data from being inadvertently sent to AI services like ChatGPT or any other external system. Here are some capabilities within Zero Trust that can help mitigate risks:

Identity and Access Management (IAM): IAM requires the implementation of robust authentication mechanisms, such as multi-factor authentication, alongside adaptive authentication techniques for user behavior and risk level assessment. It is vital to deploy granular access controls that follow the principle of least privilege to ensure users have only the necessary access privileges to perform their tasks.

Network segmentation: This involves dividing your network into smaller, isolated zones based on trust levels and data sensitivity, and deploying stringent network access controls and firewalls to restrict inter-segment communication. It also requires using secure connections, like VPNs, for remote access to sensitive data or systems.

Data encryption: It is crucial to encrypt sensitive data both at rest and in transit using robust encryption algorithms and secure key management practices. Applying end-to-end encryption for communication channels is also necessary to safeguard data exchanged with external systems.

Data Loss Prevention (DLP): This involves deploying DLP solutions to monitor and prevent potential data leaks, employing content inspection and contextual analysis to identify and block unauthorized data transfers, and defining DLP policies to detect and prevent the transmission of sensitive information to external systems, including AI models.

User and Entity Behavior Analytics (UEBA): The implementation of UEBA solutions helps monitor user behavior and identify anomalous activities. Analyzing patterns and deviations from normal behavior can detect potential data exfiltration attempts. Real-time alerts or triggers should also be set up to notify security teams of any suspicious activities.

Continuous monitoring and auditing: Deploying robust monitoring and logging mechanisms is essential to track and audit data access and usage. Utilizing Security Information and Event Management (SIEM) systems can help aggregate and correlate security events. Regular reviews of logs and proactive analysis are necessary to identify unauthorized data transfers or potential security breaches.

Incident response and remediation: Having a dedicated incident response plan for data leaks or unauthorized data transfers is crucial. Clear roles and responsibilities for the incident response team members should be defined, and regular drills and exercises conducted to test the plan’s effectiveness.

Security analytics and threat intelligence: Leveraging security analytics and threat intelligence platforms is key to identifying and mitigating potential risks. Staying updated on emerging threats and vulnerabilities related to AI systems and adjusting security measures accordingly is also essential.

Zero Trust principles provide a strong foundation for securing sensitive data. However, it’s also important to continuously assess and adapt your security measures to address evolving threats and industry best practices as AI becomes more integrated into the business.

V. Case studies

A large financial institution leverages AI to augment customer support and streamline business processes. However, concerns have arisen regarding the possible exposure of sensitive customer or proprietary financial data, primarily due to insider threats or misuse. To address this, the institution commits to implementing a Zero Trust Architecture, integrating various security measures to ensure data privacy and confidentiality within its operations.

This Zero Trust Architecture encompasses several strategies. The first is an Identity and Access Management (IAM) system that enforces access controls and authentication mechanisms. The plan also prioritizes data anonymization and strong encryption measures for all interactions with AI. Data Loss Prevention (DLP) solutions and User and Entity Behavior Analytics (UEBA) tools are deployed to monitor conversations, detect potential data leaks, and spot abnormal behavior. Further, Role-Based Access Controls (RBAC) confine users to accessing only data relevant to their roles, and a regimen of continuous monitoring and auditing of activities is implemented.

Additionally, user awareness and training are emphasized, with employees receiving education about data privacy, the risks of insider threats and misuse, and guidelines for handling sensitive data. With the institution’s Zero Trust Architecture continuously verifying and authenticating trust throughout interactions with AI, the risk of breaches leading to loss of data privacy and confidentiality is significantly mitigated, safeguarding sensitive data and maintaining the integrity of the institution’s business operations.

VI. The future of AI and Zero Trust

The evolution of AI threats is driven by the ever-increasing complexity and pervasiveness of AI systems and the sophistication of cybercriminals who are continually finding new ways to exploit them. Here are some ongoing evolutions in AI threats and how the Zero Trust model can adapt to counter these challenges:

Advanced adversarial attacks: As AI models become more complex, so do the adversarial attacks against them. We are moving beyond simple data manipulation towards highly sophisticated techniques designed to trick AI systems in ways that are hard to detect and defend against. To counter this, Zero Trust architectures must implement more advanced detection and prevention systems, incorporating AI themselves to recognize and respond to adversarial inputs in real-time.

AI-powered cyberattacks: As cybercriminals begin to use AI to automate and enhance their attacks, businesses face threats that are faster, more frequent, and more sophisticated. In response, Zero Trust models should incorporate AI-driven threat detection and response tools, enabling them to identify and react to AI-powered attacks with greater speed and accuracy.

Exploitation of AI’s ‘`black box’ problem: The inherent complexity of some AI systems makes it hard to understand how they make decisions. This lack of transparency can be exploited by attackers. Zero Trust can adapt by requiring more transparency in AI systems and implementing monitoring tools that can detect anomalies in AI behavior, even when the underlying decision-making process is opaque.

Data privacy risks: As AI systems require vast amounts of data, there are increasing risks related to data privacy and protection. Zero Trust addresses this by ensuring that all data is encrypted, access is strictly controlled, and any unusual data access patterns are immediately detected and investigated.

AI in IoT devices: With AI being embedded in IoT devices, the attack surface is expanding. Zero Trust can help by extending the “never trust, always verify” principle to every IoT device in the network, regardless of its nature or location.

The Zero Trust model’s adaptability and robustness make it particularly suitable for countering the evolving threats in the AI landscape. By continuously updating its strategies and tools based on the latest threat intelligence, Zero Trust can keep pace with the rapidly evolving field of AI threats.

VII. Conclusion

As AI continues to evolve, so too will the threats that target these technologies. The Zero Trust model presents an effective approach to neutralizing these threats by assuming no implicit trust and verifying everything across your IT environment. It applies granular access controls, provides comprehensive visibility, and promotes continuous security monitoring, making it an essential tool in the fight against AI-based threats.

As IT professionals, we must be proactive and innovative in securing our organizations. AI is reshaping our operations and enabling us to streamline our work, make better decisions, and deliver better customer experiences. However, these benefits come with unique security challenges that demand a comprehensive and forward-thinking approach to cybersecurity.

With this in mind, it is time to take the next step. Assess your organization’s readiness to adopt a Zero Trust architecture to mitigate potential AI threats. Start by conducting a Zero Trust readiness assessment with AT&T Cybersecurity to evaluate your current security environment and identify any gaps. By understanding where your vulnerabilities lie, you can begin crafting a strategic plan towards implementing a robust Zero Trust framework, ultimately safeguarding your AI initiatives, and ensuring the integrity of your systems and data.

The post Understanding AI risks and how to secure using Zero Trust appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Numerous risks are inherent in the technologies that all organizations use. These risks have especially become apparent with recent ransomware attacks, which have crippled major infrastructure such as the Colonial Pipeline in the Eastern United States¹. This discussion will focus on how GRC, or governance, risk, and compliance can help organizations face and manage the risks that they face.

As GRC is broken down into three components, a discussion of each will illuminate why each is critical for risk management. The first part of GRC is governance. Governance involves ensuring that the IT organization is managed in a way that is consistent with the overall business goals.². The overall business goals are the strategy that an organization puts in place to ensure that they enjoy a competitive advantage. It is necessary to ensure that proper controls are in place that manages risks, and that starts at the governance level, with high-level business strategies³.

From an IT perspective, risk involves IT management ensuring that any organizational activities that they conduct are consistent with the organizational business goals as just stated. This means that the IT departments’ risk management process should be a part of the corporate risk management functionality. When IT departments limit their activities to economic and technical aspects, they fail to be engaged in the organization’s strategy, which fails to fully leverage the strength and potential of the company⁴.

The IT department’s risk strategies, when aligned with the corporate risk management policies, work in concert to make certain that the risks identified by upper management are reflected in risk management and prevention that occurs within the IT department. One way that organizations using GRC ensure that IT remains aligned with the corporate leadership’s risk management policies and objectives is by setting specific measurable objectives that demonstrate the effectiveness of how GRC is applied in the IT context.

The final area of GRC is compliance. While often considered adherence to laws and regulations, compliance can have a true impact on risk as well. As the complexity of compliance with myriads of regulatory requirements increases, the IT department is often involved with aiding the company to meet compliance demands. The complexity of compliance demands (that come with significant penalties for failures) can often only be accomplished with the support of IT, as the IT department establishes systems and processes which can help the organization to remain in compliance. If surveillance systems are not set up and used properly and the organization is found to be out of compliance, this could cause an enormous risk of financial penalties which could be crippling for the organization⁵.

As this brief discussion has outlined, using GRC to manage IT departments is essential for multiple reasons. Firstly, it ensures that the IT department is aligned with the rest of the organization and its’ strategies. Second, IT organizations run using GRC ensure that their risk management activities are aligned with the corporate risk management activities so that risks identified by the leadership are addressed in IT. Finally, using GRC ensures that the IT department does its part to ensure the organization stays in compliance with regulatory demands. This will protect against the risk of costly penalties for compliance failures.

References

1. Ransomware attack forces shutdown of largest fuel pipeline in the U.S. (https://www.cnbc.com/2021/05/08/colonial-pipeline-shuts-pipeline-operations-after-cyberattack.html)
2. What is GRC and why do you need it? (https://www.cio.com/article/230326/what-is-grc-and-why-do-you-need-it.html)
3. Corporate Governance and Risk Management: Lessons (Not) Learnt from the Financial Crisis (https://www.mdpi.com/1911-8074/14/9/419)
4. The impact of enterprise risk management on competitive advantage by moderating role of information technology (https://www.sciencedirect.com/science/article/abs/pii/S0920548918301454)
5. Dialectic Tensions in the Financial Markets: A Longitudinal Study of pre- and Post-Crisis Regulatory Technology (https://journals.sagepub.com/doi/10.1057/s41265-017-0047-5)

The post Managing technology risk appeared first on Cybersecurity Insiders.

Introduction

Today you look at the Global/Multi-site Enterprise Security Architecture of an organization and see a myriad of concerns. Increased levels of complexity, difficulties managing multiple third parties, difficulties implementing consistent levels of security, and so on. This makes it imperative for organizations to identify opportunities to simplify, streamline, and generally improve their infrastructure wherever possible.

Managing the level of complexity is becoming increasingly difficult. Security may be partially implemented, which is an ongoing challenging issue.

Terminology

• AWS Region – a physical location around the world where we cluster data centers.
• AWS Availability Zone (AZ) – is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
• AWS Services – AWS offers a broad set of global cloud-based products, including computing, storage, database, analytics, networking, machine learning and AI, mobile, developer tools, IoT, security, enterprise applications, and more.
• AWS Transit Gateway (TGW) – A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure.

Global/Multi-Site Enterprise Architecture

Many organizations are using Global/Multi-site with dated technology spread throughout data centers and networks mixed in with some newer technologies. This can include uncounted third parties as well. These sites often include multiple environments (like Dev, QA, Pre-Prod, and Prod) supported by numerous technologies spread across both physical and virtual servers, including databases, web, and application servers, and more.

Modifications can be challenging when integrating legacy with new technologies. Sometimes can require a static approach when completely redesigning existing infrastructure. Understandably, most organizations tend to shy away from exploring anything that seems like a significant upgrade or change. Thankfully there are some solutions available that can substantially improve operations and infrastructure without the typical complexities and implementation challenges.

One such example is outlined below.

Example AWS Transit Gateway (TGW) Global Diagram

AWS Transit Gateway diagram

AWS Transit Gateway is a cloud-based tool that permits a simplified, secure networking approach for companies requiring a hybrid solution that can scale according to their global/multi-site enterprise business needs. The AWS Transit Gateway integrates with Palo Alto Security Devices, which helps to reduce the organization’s risk footprint.

AWS Transit Gateway architecture is used to consolidate site-to-site VPN connections from your on-premises network to your AWS environment and support connectivity between your team development and workload hosting VPCs and your infrastructure shared services VPC. This information will help you make a more informed decision as you consider the recommended approach of using AWS Transit Gateway.

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

As you expand globally, inter-region peering connects AWS Transit Gateways together using the AWS global network. Your data is secured automatically and encrypted; it never travels over the public internet, only on the AWS Global Network. Because of its central position, AWS Transit Gateway Network Manager has a unique view over your entire network, even connecting to Software-Defined Wide Area Network (SD-WAN) devices.

General tips

Data transfer charges apply based on the source, destination, and amount of traffic. Here are some general tips for when you start planning your architecture:

• Avoid routing traffic over the internet when connecting to AWS services from within AWS by using VPC endpoints:
• VPC gateway endpoints allow communication to Amazon S3 and Amazon DynamoDB without incurring data transfer charges within the same Region.
• VPC interface endpoints are available for some AWS services. This type of endpoint incurs hourly service charges and data transfer charges.
• Use Direct Connect instead of the Internet for sending data to on-premises networks.
• Traffic that crosses an Availability Zone boundary typically incurs a data transfer charge. Use resources from the local Availability Zone whenever possible.
• Traffic that crosses a regional boundary will typically incur a data transfer charge. Avoid cross-Region data transfer unless your business case requires it.
• Use the AWS Free Tier. Under certain circumstances, you may be able to test your workload free of charge.
• Use the AWS Pricing Calculator to help estimate the data transfer costs for your solution.

Use a dashboard to visualize better data transfer charges – this workshop will show how.

Cybersecurity

A Cybersecurity approach includes how to address a global enterprise architecture.

A collaborative approach permits meetings to review the global enterprise architecture/workflow.

Hold an introductory overview session to gather the preliminary information for each of the sections listed above and in relation to a phased/planned approach for introducing the AWS Transit Gateway. The phases can include compliance with standards such as NIST.

This extensive security approach would cover all the items listed in the prior sections and the required daily business workflows from end to end.

Global/multi-site security certificates, data at rest, data in transit, networks, firewalls/security devices, circuits, and communications. Topics include Strategies, Securing the Edge, Risk-based Cyber assessment, MTDR (Managed Threat Detection and Response), and Endpoint/Network Security

In the future, we will review other Cybersecurity offerings with AWS Services and the reasons why a company would want to invest in AWS Transit Gateway.

Conclusion

AWS provides the ability to deploy across multiple Availability Zones and Regions. This allows organizations to reduce the complexity of their architecture, improve overall performance, and increase dynamic scalability. By streamlining networks and removing unnecessary middlemen, organizations can also improve overall security by reducing risks associated with having multiple vendors while also increasing operational oversight across their infrastructure.

This blog post provided information to help you make an informed decision and explore different architectural patterns to save on data transfer costs. AT&T Cybersecurity offers services to assist you in your journey. You can review the references listed below to gain additional perspective.

References & Resources

• • AWS Transit Gateway
  • AWS Overview of Data Transfer Costs for Common Architectures
  • AWS Solutions Library
  • Cisco CSR1000V-Transit VPC with Transit Gateway
  • AWS Pricing Calculator
  • Cost and Usage Analysis Well-Architected Lab
  • Data Transfer Cost Analysis Well-Architected Lab
  • AWS Cost Optimization
• Clearscale Blog

The post Introduction to the purpose of AWS Transit Gateway appeared first on Cybersecurity Insiders.

Executive Summary

Killnet is an advanced persistent threat (APT) group based in Russia that has been active since at least 2015. The group is notorious for its highly sophisticated and persistent attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.

Killnet has been linked to several high-profile attacks, including the 2016 hack of the Democratic National Committee (DNC) during the U.S. presidential election. The group has also been implicated in distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk’s Starlink satellite broadband service.

The motivations behind these attacks vary, but recently, they have primarily targeted those who are the most vocal supporters of Ukraine and its political agenda.

The aim of this threat hunt is to create a virtual attack environment that simulates Killnet’s tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.

The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The outcomes will also contain the pseudo and translated query logic in a format that can be utilized by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be employed to confirm the initial hypothesis generated.

Network Artifacts

To emulate the attack, cc.py was utilized to generate continuous HEAD requests against an Apache server, refer to Appendix A for further details. Once the attack was launched, the captured log traffic was examined, as shown in Figure 1 and Figure 2. Upon reviewing the HEAD HTTP traffic, it was discovered that the digits between the ranges of 11-12 appeared after “HEAD /?” consistently. This pattern will serve as the basis for our first hypothesis, as outlined in the next section.

Figure 3 also contains the Apache logs that were generated on the server as the attack script kept trying to access different files in the ‘/var/www/html/’ directory. The script reiterates in a brute force type style, until CPU resources are rendered exhausted by sheer traffic volume.

Figure 1 –Wireshark – Dynamically Generated 11-12 Digits

Figure 2 –Wireshark – Forged Referrer & Anonymized IPs

Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts

Detection Guidance

Perl compatible regular expressions can be used to leverage the context derived from the packet capture during threat analysis, as shown in Figure 1. This allows us to write Suricata/Snort rules that will match observed patterns in headers. Detections tend to scale more than hunt queries and can be applied strategically on a per sensor basis. Specifically, the following rule will match any instance when an HTTP HEAD request containing 11-12 digits has been captured by a network sensor on a forward looking basis. This serves as our first hypothesis to identify the usage of DDoS HEAD floods:

alert tcp any any -> any any (msg:”Killnet cc.py DDoS HTTP HEAD Flood”; content:”HEAD”; depth:4; content:” /?”; distance:0; content:” HTTP/1.1|0d0a|Host: “; distance:0; fast_pattern; content:”.”; distance:1; within:3; content:”.”; distance:1; within:3; content:”.”; distance:1; within:3; content:”|0d0a|Referer: https://”; distance:0; content:”|0d0a|Accept-Language: “; distance:0; content:”|0d0a|Accept-Charset: “; distance:0; content:”|0d0a|Connection: Keep-Alive|0d0a0d0a|”; distance:0; pcre:”/^HEADx20/?[0-9]{11,12}x20HTTP/”; sid:10000001;)

Hypothesis #1

Hunting Process

The following is a Splunk hunt query that utilizes the Zeek/Bro dataset to identify “High connections from common source over a short amount of time”. The query breaks the time column (shown in Figure 2) into 1-second chunks. Once an appropriate threshold has been established, the “where count > 10” statement can be adjusted accordingly to search retroactively within the last 7 days from when the activity was first observed. This query serves as our second hypothesis to identify the usage of DDoS HEAD floods:

index=zeek sourcetype=zeek_conn | eval datetime=strftime(ts,”%Y-%m-%d %H:%M:%S”) | bucket span=1s datetime | stats count by datetime, id.orig_h | where count > 10 | rename datetime as “Date & Time” id.orig_h as “Attacker IP”

Hypothesis #2

Appendix A – Adversary Emulation

Cc.py is a Python tool publicly available on the internet that can be used for Layer 7 DDoS attacks. The tool, created by a student in 2020, uses various dynamic characteristics to launch DDoS attacks against web assets. The script automates the process of using open proxy servers to relay attacks while maintaining anonymity, which can render traditional IP-based blocking techniques ineffective.

Figure 4 depicts a Python function called “head” that performs an HTTP HEAD request to a target server. The function takes two arguments: “event” and “proxy type”. These arguments control the flow of the request and specify the type of open proxy to leverage. Additionally, the code concatenates the variables where the forged/randomized headers will be used.

Figure 4 – cc python script

To generate a dynamic list of compromised open proxies that will be used to relay attacks on behalf of the attacker, the following command is utilized:

python3 cc.py –down –f proxy.txt –v 5

Once the list is generated, the following command is used to launch an attack against a server running Apache web server within the attack range. The command specifies the use of the “head” module and sets the duration of the attack to 30 seconds. The “head” module floods the target server with continuous HTTP HEAD requests until it is knocked offline.

python3 cc.py –url http:// -f proxy.txt –m head –v 4 –s 30

Appendix B – IOCs

At OTX pulse was created listing over the 12K+ indicators from this research.

https://otx.alienvault.com/pulse/642dd6df987a88229012d214

References

https://github.com/Leeon123/CC-attack

https://securityresearch.samadkhawaja.com/

The post Threat Hunt: KillNet’s DDoS HEAD Flood Attacks – cc.py appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In an era where digital technology increasingly underpins food production and distribution, the urgency of cybersecurity in agriculture has heightened. A surge of cyberattacks in recent years, disrupting operations, causing economic losses, and threatening food industry security- all underscore this escalating concern.

In April 2023, hackers targeted irrigation systems and wastewater treatment plants in Israel. The attack was part of an annual “hacktivist” campaign, and it temporarily disabled automated irrigation systems on about a dozen farms in the Jordan Valley. The attack also disrupted wastewater treatment processes at the Galil Sewage Corporation.

In addition, in June 2022, six grain cooperatives in the US were hit by a ransomware attack during the fall harvest, disrupting their seed and fertilizer supplies. Adding to this growing list, a leading US agriculture firm also fell victim to a cyberattack the same year, which affected operations at several of its production facilities.

These incidents highlight the pressing need for improved cybersecurity in the agricultural sector and underscore the challenges and risks this sector faces compared to others.

As outlined in a study, “Various technologies are integrated into one product to perform specific agricultural tasks.” An example provided is that of an irrigation system which “has smart sensors/actuators, communication protocols, software, traditional networking devices, and human interaction.”

The study further elaborates that these complex systems are often outsourced from diverse vendors for many kinds of environments and applications. This complexity “increases the attack surface, and cyber-criminals can exploit vulnerabilities to compromise one or other parts of the agricultural application.”

However, the situation is far from hopeless. By taking decisive action, we can significantly strengthen cybersecurity in the agricultural sector. Here are three strategies that pave the way toward a more secure future for the farming industry:

1. Strengthening password practices

Weak or default passwords are an easily avoidable security risk that can expose vital assets in the agricultural sector to cyber threats. Arguably, even now, people have poor habits when it comes to password security.

As per the findings of a survey conducted by GoodFirms:

• A significant percentage of people – 62.9%, to be exact – update their passwords only when prompted.
• 45.7% of people admitted to using the same password across multiple platforms or applications.
• More than half of the people had shared their passwords with others, such as colleagues, friends, or family members, raising the risk of unauthorized access.
• A surprising 35.7% of respondents reported keeping a physical record of their passwords on paper, sticky notes, or in planners.

These lax password practices have had tangible negative impacts, with 30% of users experiencing security breaches attributable to weak passwords.

Hackers can use various methods, such as brute force attacks or phishing attacks, to guess or obtain weak passwords and access sensitive information or control critical systems.

Therefore, agricultural organizations need to make passwords stronger. Here are some of the critical steps these organizations need to take:

• Encourage using strong, unique passwords (8+ characters, mixed letters, numbers, symbols).
• Implement regular password changes (every three months or upon a suspected breach).
• Enforce multi-factor authentication on all systems.
• Update network passwords regularly to invalidate stolen credentials.
• Use a password keeper/generator app for secure password storage.
• Discourage password sharing or reuse across platforms.
• Avoid using dictionary words, common phrases, or personal info in passwords.
• Deploy a password management tool for efficient password handling.

2. Maintaining updated systems

In the digitally transformed landscape of agriculture, known vulnerabilities linked to outdated software and hardware present significant cybersecurity risks. Cybercriminals often exploit these weaknesses in such systems, compounding the cybersecurity challenges faced by the industry.

The Ponemon Institute, in a comprehensive study, found that 60% of organizations that experienced a breach said it occurred due to a known vulnerability that was left unpatched, even though a patch was available. Further complicating matters, the study reported that 88% of IT teams had to coordinate with other departments when patching vulnerabilities. This coordination added an extra 12 days before a patch could be applied, leaving systems vulnerable for a more extended period.

As we’ve seen from the damaging agricultural infrastructure attacks, neglecting cybersecurity in the context of known vulnerabilities can lead to significant problems. Regular updates and patches are not just good practice—they’re a crucial first line of defense against cyberattacks. In the digitally transforming world of agriculture, this is not merely an option—it’s a necessity.

3. Securing operational technology traffic

Given the scale of the risks associated with known vulnerabilities, it’s clear that agribusinesses face a significant cybersecurity challenge. However, the threats are not confined to these known issues alone. The unknown vulnerabilities, particularly those associated with Operational Technology (OT) systems, present another layer of risk that has recently come into focus.

The growing prevalence of Internet of Things (IoT) devices in contemporary agriculture amplifies these concerns. If not adequately secured, these devices can expand the attack surface, offering potential attackers an open door to critical systems.

Highlighting the severity of such issues, Itay Glick, VP of Products at OPSWAT, brings up the cyberattack on irrigation systems in Israel. He pointed out that weak passwords and outdated OT devices were a significant part of the problem. He noted that “there was a critical vulnerability in a specific device dated back to 2015 (CVE-2015-7905), which could have been exploited by any average hacker.”

The vulnerability Glick referred to underscores the importance of regularly updating OT devices. “If this was the case, this underscores the importance of scanning and validating that OT devices are updated,” he emphasized.

This dual approach – segregating OT traffic and monitoring it – provides a solid defense strategy. Segregation makes it more challenging for attackers to access critical systems, while monitoring allows for early detection of any potential threats. Agribusinesses must heed this advice, as the digital landscape continues to evolve, and the stakes continue to rise.

Conclusion

Cyber threats pose grave risks, with the potential to disrupt operations and cause hefty financial losses. Plus, the enduring harm to brand image and customer trust post-attack can be tough to bounce back from. A thorough assessment of current cybersecurity protocols, identification of potential vulnerabilities, and application of the discussed solutions should be on top of the list. These steps encompass the use of robust and unique passwords, segregation and monitoring of OT traffic, and consistent updating of software and hardware.

In the final analysis, agribusinesses that can integrate these cybersecurity measures into their operations are better positioned to secure their future in the rapidly evolving agricultural landscape.

The post Three ways agribusinesses can protect vital assets from cyberattacks appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

When most people think about social media and cybersecurity, they typically think about hackers taking over Instagram accounts or Facebook Messenger scammers taking private information. It’s for good reason that this is top-of-mind. The Identity Theft Resource Center’s 2022 Consumer Impact Report revealed that social media account takeovers have grown by 1,000% in one year. 

Putting yourself out there on social media platforms opens up your personal information to cyber threats. However, social media can be used for good, rather than evil, when it comes to cybersecurity. Learn how to educate your social media following on everyday cybersecurity risks.

Create Cybersecurity content relevant to your audience

Not every company or content creator posting on social media is in the cybersecurity niche, not to mention any offshoots or umbrella niches like technology. Of course, if you do fall into a tech niche and have an audience that’s interested specifically in cybersecurity, you can certainly post on social media about the topic.

However, virtually any industry could benefit from creating cybersecurity content. When planning quality content for your social pages, identify your content niche and determine what aspects of cybersecurity would be most beneficial and interesting to your audience. You can also capitalize on current trends on social media or in the news when designing an informational content campaign around cybersecurity.

Let’s look at how cybersecurity topics can be approached from a variety of industry angles.

B2B

If you are a shared workspace company, for example, your followers are likely interested in ways to establish network security in a hybrid workplace. Followers of a hiring software company likely want to see how to hire more securely online. If your business caters to other businesses, you can create educational cybersecurity content to help them stay safe while using your services or otherwise doing things related to your product or services.

Healthcare

While creating content aimed at public services is different than B2B audiences, cybersecurity information is especially relevant. In a time when interest in virtual healthcare services is booming, patients and providers alike need to be aware of HIPAA laws. For instance, a social media post about the security risks and ethical concerns of doctors emailing and texting patients is an important and highly relevant topic.

Education

Like many healthcare practices have incorporated virtual visits, many schools have started providing virtual classes. If your business is in the education sphere at all, your followers would likely benefit from engaging content about keeping student information private in online classrooms.

Lifestyle

If your brand is in a lifestyle category, you may not think this has much to do with cybersecurity. However, think about the ways in which your followers engage with your brand. If you sell products on a website, make a social post about how to create a secure login for your site when purchasing to reduce the risk of data theft. Further, you can inform your consumers how you’re taking steps to securely process payments and handle customer information. This will instill trust in your brand.

If you don’t sell tangible products or services in this way, you can still find something to do with cybersecurity that will benefit your audience. People use online services all the time, and not everyone is up to date with the latest ways to catch phishing scams or create safe passwords. If your followers are interested in a certain fashion brand and you are aware of an email scam under that brand’s name, you can post about it on social media to help spread awareness.

Pick the right platform and format

Regardless of your industry, it’s clear that all audiences can benefit from some level of cybersecurity education. Similar to how your content will differ, each creator will also benefit from posting on varying social platforms. Some of the most popular social media sites for sharing informative posts include:

• Twitter: platform for text posts, accompanying images, and links;
• Reddit: site for more nuanced, forum-style discussions;
• Quora: site with question-and-answer-style discussions;
• Instagram: app with primarily image-based with short-form video and live streaming options;
• Facebook: platform affiliated with and similar to Instagram but with longer text posts and groups;
• LinkedIn: professional networking platform with longer text posts and videos;
• YouTube: leader in the long-form video space with the option for Shorts and live streaming;
• Twitch: live streaming platform primarily for gamers;
• Pinterest: image-based sharing platform;
• TikTok: short-form video content platform with live streaming options.

TikTok, in particular, is interested in promoting cybersecurity education, so you may have enhanced luck on the platform. Short-form TikTok videos are brief enough to keep viewers’ attention, but you also have enough options to successfully pack in cybersecurity knowledge. For example, you could make a video using a trending sound about how to spot insider threats, pointing to each tip. The platform shows users the content they will be most interested in, so you are more likely to reach the right audience and spread cybersecurity awareness.

If you already have a social media presence, you likely know which platforms garner you the most engagement currently. Start by testing the performance of cybersecurity education posts on your chosen platforms. Then, analyze the data and adjust accordingly.

Using social media for Cybersecurity awareness

Whatever industry you’re in, your social media following will be able to benefit from cybersecurity education. Data privacy is top-of-mind for most social media users, so cater to their unique needs with your content.

The post Using social media as a tool to share knowledge on day-to-day Cybersecurity risks appeared first on Cybersecurity Insiders.

With increased dangers lurking in digital spaces, the need for cybersecurity is now a commonly known fact for just about all business owners.

When it comes to protecting their network, most start with the basic firewall. While added layers are required, there is something even more fundamental that should not be overlooked: the physical connection itself.  It is like making sure you have secure and quality doors and windows prior to putting alarms on them.

So, what type of internet connection is the most secure?

To answer this question, I consulted with Robert Lozanski, a member of AT&T’s Solution Consultant team whose primary role is to design full networking solutions for businesses.  In the following paragraphs, let’s go through the different types of connections and assess the quality – as well as the security level – of each one.

Meet the contenders

First off, it is important to understand the different types of internet connections. The most common ones are copper, fiber, and wireless networks.

Copper: Copper cables are the original internet connections. They transmit data in the form of electrical signals. While this type of connection has been used for years, copper is difficult to maintain, has limited speed options, and degrades with time. As a result, many providers are making a shift away from it.

Cellular: A cellular network provides access to the Internet by transmitting data over the air. The network connects to cellular towers rather than cables in the ground.  While cellular internet has made huge technological advancements with the rollout of 5G, it still has its limitations. Cellular networks currently have lower speed tiers than many wired options – but this may change in the future.

Fiber: Fiber optic internet uses a network of bundled strands of glass called fiber optic cables to deliver internet service through pulses of light. Fiber optics are the newest and most reliable type of internet connections. They also offer the highest speed options.

Assessing the security of the connections

A common way to assess a network is by measuring it against the CIA triad: Confidentiality, Integrity, and Availability. Among the different internet transport types, some are more secure than others because of the way they fulfill the three CIA requirements.  In other words, a secure network will have high levels of confidentiality, integrity, and availability.

As of 2023, 5G wireless connections have security layer options and speeds that make them strong contenders in the networking market. However, wired connections are still the primary choice for businesses prioritizing their internet connections due to wired connection’s reliability and bandwidth availability.

According to Lozanski, “while a cellular network solution is utilitarian for its mobility and flexibility, wired connections still offer an added layer of security because they will provide faster speeds and performance. A cellular connection can perform like a broadband connection with fluctuations throughout the day, but it won’t offer the same speeds.”

Between the two wired connections mentioned, copper and fiber, there is not much competition. With speeds up to 1Tbps, fiber moves at the speed of light and offers availability and reliability that copper wired connections cannot provide. 

However, the search for the most secure connection does not stop there. Even though fiber optic connections are made of glass and move at the speed of light, the way the connection is delivered may vary, and in turn offer different levels of security. The simplest way to break down this difference is to differentiate between a shared and dedicated connection.

A shared connection is where multiple units share the same bandwidth with limited speeds available. This is the type of connection most people picture when they think of Fiber, and it’s becoming an increasingly cost-effective and popular option. Unfortunately, shared fiber is limited in its availability, as it is only available in qualified areas where providers build their infrastructure. Although fiber infrastructure has grown rapidly, there are still places that do not have shared fiber facilities at all. See if you qualify for AT&T shared Fiber here.

A Dedicated Connection, also known as a point-to-point connection, is where the provider builds out a single line of fiber to an individual customer. Unlike shared connections that segment out the bandwidth to neighboring units, a dedicated connection is reserved for a single unit. When using the CIA metric for security, a Dedicated Fiber Circuit comes out on top. Below is the breakdown: 

What makes a Dedicated Fiber Circuit secure?

1. Confidentiality

A secure network is one where the right people have access to needed information, while others are kept out. One highlight of a dedicated connection is that it travels on its own network and is aggregated directly to a wire center. This makes it much harder to hack into as the connection isn’t shared by multiple users. 

Lozanski brought in an example, “A dedicated fiber circuit is extremely private for businesses that host their infrastructure onsite, such as web-hosting servers and email servers. Dedicated internet is an ideal option because it is physically safer.

It is important to note, however, that while a dedicated circuit may provide some protection on a physical level, the connection will still lead to the public internet and additional layers of Cybersecurity are essential to ensure a truly confidential connection. In the event of an attack, a shared connection with the right layers of security would likely fare better than an unprotected dedicated fiber circuit. The physical connection is just the foundation, and utilizing a Dedicated circuit on its own does not ensure full privacy. 

2. Integrity

The integrity of a network is measured by the accuracy, completeness, and consistency of the data that travels on it. Through his many consultations, Lozanski sees a trend that highlights the importance of a connection with high integrity. He said, “Nowadays, many businesses utilize VoIP (Voice over Internet Protocol). This is data that you don’t want there to be any issue with.”

Instead of using traditional copper landlines to host their calls, businesses use VoIP to put voice data over the internet. While it is more cost effective and boasts numerous benefits, this solution creates a higher reliability on the internet connection.  If the internet is not stable, the data may be disrupted, and the voice quality will go down.

“With AT&T Dedicated Internet, you are able to prioritize mission critical data and you are guaranteed call quality when it comes to VoIP. Dedicated Internet can add a Class of Service component that you cannot get with another type of connection,” Lozanksi continued. 

3. Availability

If a network is not available to its users, it is simply not secure. The owners of the network need to be able to seamlessly access their resources. Lozanski said, “The piece of the puzzle that differentiates a Dedicated Fiber circuit is that it is the only connection backed up by Service Level Agreements for availability, latency, jitter, and packet loss. While the SLA’s may vary per carrier, at AT&T we guarantee 100% availability service level agreements on our Dedicated Fiber Circuits. We will have your internet connection up 24/7, 365 days of the year”.

On a shared connection, multiple users share the same bandwidth. Like traffic on a highway that becomes congested when many cars travel on it at the same time, a shared connection may slow down during peak busy hours. No matter the provider, shared connections run on ‘best effort’ speeds without the same kind of service level agreements. This can result in slower repair time and for many businesses, a loss of revenue and security.

Who are Dedicated Fiber circuits for?

Dedicated Fiber used to be utilized mainly by enterprise-level customers due to the large-scale networking needs of these types of businesses and a higher monthly cost. However, as more businesses move online and increase their digital presence, many find Dedicated Fiber an increasingly enticing option.

Lozanski added, “Generally, any business that needs to prioritize mission-critical data may be interested in a Dedicated Circuit. While the monthly cost may be higher, it is important to also analyze the impact and financial loss the business may incur if their internet is down”. Oftentimes, the additional cost of Dedicated Fiber may be offset by bundling multiple services together.

At the end of the day, no matter the connection you choose, note that the physical connection is only the first layer. While a Dedicated Circuit will provide a solid foundation, it is equally important to consider what is being layered on top of the network to protect it. Cyber threats are only increasing and to be prepared, the first step is to be informed.

Click here to learn more about AT&T Dedicated Fiber and request a free consultation to see if it’s a good fit for your business this year.

The post When internet security is a requirement, look to dedicated fiber appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Small businesses are more vulnerable to cyber-attacks since hackers view them as easy victims to target. While this may seem unlikely, statistics reveal that more than half of these businesses experienced some form of cyber-attack in 2022. It’s also reported that state-sponsored threat actors are diversifying their tactics and shifting their focus toward smaller enterprises.

Cyber-attacks against small-sized businesses do not always make headlines, but they have potentially catastrophic impacts. These attacks can result in significant financial and data loss, sometimes shutting down the business. Therefore, it’s crucial that small businesses make cybersecurity a top priority.

What drives more cybersecurity attacks on small businesses?

Small businesses are on the target list of hackers mainly because they focus less on security. On average, SMBs and small businesses allocate 5%-20% of their total budget to security. Additionally, human mistakes are the root cause of 82% of cyber breaches in organizations. Cybercriminals take advantage of their weak security infrastructure and exploit the behavior of careless employees to launch insider threats and other cyber-attacks successfully.

A report reveals various cyber-attacks that often target small businesses, such as malware, phishing, data breaches, and ransomware attacks. Also, small businesses are vulnerable to malware, brute-force attacks, ransomware, and social attacks and may not survive one incident.

The influx of remote working culture has added new challenges and cybersecurity risks for small businesses. This culture has given rise to a large number of personal devices like mobile phones, laptops, and tablets that can easily access sensitive information. Many employees don’t undergo regular scans of their phones and laptops for potential vulnerabilities.

In addition, few companies can provide access to password management software or VPNs to protect their internet connection and credentials and maintain security on rogue Wi-Fi networks. Statistics also reveal that only 17% of small businesses encrypt their data, which is alarming.

Moreover, small businesses are at a higher risk of being attacked because they have limited resources to respond to cyber-attacks. Unlike large organizations, they don’t have a dedicated IT team with exceptional skills and experience to deal with complex cyber-attacks. They also have a limited budget to spend on effective cyber security measures. Hence they don’t invest in advanced cybersecurity solutions or hire professionals to manage their cybersecurity.

Impacts of a Cybersecurity attack on small businesses

Cyber-attacks on small businesses can result in severe consequences – like financial loss, reputational damage, legal ramifications, and disruptions in operations. Below is a better insight into the effects of a potential cyber-attack on small businesses:

Loss of money

A cyber-attack may cause small businesses to lose billions of dollars. A report predicted that the attacks on small businesses will cost the global economy $10.5 trillion by 2025. Also, the average data breach cost to small businesses increased to $2.98 million in 2021, and these figures will likely increase with time. Sometimes small businesses will need to pay to compensate customers, investigate the attack, or implement additional security measures – all of which add up to more financial costs.

Reputational damage

A possible cyber-attack can also damage the business’s reputation and erodes customers’ trust. Suppose a customer’s, partner’s, or supplier’s sensitive data gets exposed to attackers. In that case, it negatively affects the company’s reputation. This might cause them to lose valuable clients, which can also lead to the unexpected closure of the business. According to the National Cybersecurity Alliance, 60% of small and mid-size companies get shut down within six months of falling victim to a cyber-attack. It might take a lot of time and effort to restore the client trust and restore the organization’s reputation.

Disruptions in operations

Small businesses often face operational disruption after a cyber-attack. They may experience downtime or lose access to critical business data – which leads to lost opportunities and delays in operations. This negatively impacts your business as you fail to meet customer demands.

Legal ramifications

Small organizations are also subject to various industry legal and regulatory regulations like GDPR, HIPAA, and CCPA to maintain data privacy. A cyber-attack resulting in valuable data loss ultimately triggers regulatory penalties. As a result, small businesses may face lawsuits and hefty fines for non-compliance, further adding financial strains. A Small Business Association Office of Advocacy report finds that the cost of lawsuits for small firms ranges from $3,000 to $150,000. Therefore, protecting the clients’ data is better than facing compliance issues.

Actionable Cybersecurity tips for small businesses

With  51% of small businesses having limited cybersecurity measures, adopting preventive measures to protect networks and employees from malicious threat actors is crucial. Some of the best practices that you, as an owner of a small business, can exercise to reduce the attack vector includes:

• Educate employees by providing regular training sessions and conducting awareness programs about cyber-attacks like phishing, malware, or social engineering techniques. Ensure that the employees at all levels understand the risks and learn how to detect and respond to these attacks.
• Create a comprehensive cybersecurity policy outlining the employees’ guidelines, best practices, and responsibilities regarding data protection, password management, incident reporting, and acceptable use of technology.
• With the rise of remote and hybrid working culture, it’s crucial to ensure that all remote workers use online security tools like a virtual private network (VPN). It maintains data safety and privacy and enables the workers to access the company’s resources safely.
• Deploy a regular data backup strategy to prevent data loss due to phishing or ransomware attacks. Store the backups offline or within secure cloud storage to ensure they are not easily accessible by attackers.
• Regularly monitor and assess systems using inexpensive security tools to detect and respond to threats in real-time. Conduct regular security assessments, vulnerability scans, or penetration testing to identify potential vulnerabilities within the system and address them promptly.
• Creating an incident response plan (IRP) helps small businesses prevent cyber-attacks by providing a structured approach to detect, respond, and mitigate security incidents. It outlines roles, procedures, and protocols – enabling effective action to minimize damage, protect data, and restore operations, ultimately strengthening the business’s cybersecurity defenses.

These are some of the effective steps that small businesses and start-ups can take to reduce the likelihood of a data breach or decrease the negative impact when an attack occurs.

Final thoughts

Small businesses face many cybersecurity threats and challenges that can affect their reputation and making it difficult to run their business successfully. The best way to ensure a healthy cybersecurity culture is to deploy a successful security awareness and training program. This assures employees are well aware of the threats and how to respond at the right time. To sum up, by prioritizing cybersecurity and adopting proactive measures, small businesses can safeguard their digital assets and mitigate potential threats in today’s increasingly interconnected world.

The post How can small businesses ensure Cybersecurity? appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Cybersecurity is practice of protecting information technology (IT) infrastructure assets such as computers, networks, mobile devices, servers, hardware, software, and data (personal & financial) against attacks, breaches and unauthorised access. Due to bloom of technology, most of all businesses rely on IT services, making cybersecurity a critical part of IT infrastructure in any business.

The role of cybersecurity in financial institutions is very vital as the number and severity of cyber threats continues to rise by each day. With the widespread use of technology and the increasing amount of data being stored and shared electronically, financial institutions must ensure that they have robust cybersecurity measures in place to protect against evolving threats.

Financial institutions face a range of cybersecurity threats, including phishing attacks, malware, ransomware, and denial of service (DDoS) attacks. These threats can result in the theft of sensitive customer data (PII), financial fraud, and reputational damage. Sometimes theft of PII can lead to identity theft too.

Cybersecurity measures are designed to protect the confidentiality, integrity, and availability of data and systems. Confidentiality refers to protection of sensitive information from unauthorised disclosure using measures like encryption, access control etc., to protect sensitive data. Integrity refers to accuracy and completeness of data to ensure data is not manipulated or corrupted using cybersecurity measures like data backups, system monitoring. Availability refers to the ability of authorised users to access the systems and data when needed under any circumstances using measures like disaster recovery plans.

Before we go further and discuss about various threats faced by financial institutions, let’s look at the regulatory requirements and industry standards in financial institutions.

There are mainly two standards which financial institutions must comply with:

PCI-DSS: Payment Card Industry Data Security Standard is a set of security and compliance requirements designed to protect the cardholder data which defines how the financial data (card data) will be processed, stored and transmitted in a safe manner. This standard requires use of encryption, masking, hashing and other secure mechanisms to safeguard the customer data. PCI-DSS is widely accepted globally.

GLBA: Gramm-Leach-Bliley Act, also known as Financial Modernisation Act of 1999 is a federal law in the United states which requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data.

Apart from PCI-DSS, GLBA some countries have their own privacy laws which also requires compliance from financial institutions to operate. Non-adherence to regulatory compliance can sometimes attract penalties to financial institutions.

Top Cybersecurity threats faced by banks are:

• Malware- Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network or server. It is very important to secure customer devices such as computers and mobile devices that are used for digital transactions. Malware on these devices can pose a significant risk to a bank’s cybersecurity when they connect to the network. Confidential data passes through the network and if the user’s device has malware without proper security, it can create a serious danger to the bank’s network.

• Phishing- Phishing means to get confidential, classified data such as credit, debit card details etc. for malicious actions by hiding as a reliable person in electronic interaction. Online banking phishing scams have advanced constantly. They seem real and genuine, but they trick you into providing away your access data.

• Spoofing- Spoofing can be used to gain access to a target’s PII (Personally Identifiable Information), spread malware through infected links or attachments, bypass network access controls, or redistribute traffic to conduct a denial-of-service attack. Spoofing is often the way a bad actor gains access in order to execute a larger cyber-attack such as an advanced persistent threat or a man-in-the-middle attack.

• Unencrypted data- unencrypted data is a significant threat to financial institutions, as hackers can use it immediately if they seize it. Therefore, all data should be encrypted, even if stolen by potential thieves, they would face the challenge of decrypting it.

• Cloud-based cybersecurity theft- There is an increased risk of cloud-based attacks as more software systems and data are stored in the cloud. Attackers have taken advantage of this, leading to a rise in cloud-based attacks.

• Insider theft- An insider threat refers to when someone with authorized access to an organization’s information or systems misuses that access to harm the organization. This can be intentional or unintentional and can come from employees, third-party vendors, contractors, or partners. Insider threats can include data theft, corporate espionage, or data destruction. People are the root cause of insider threats, and it’s important to recognize that anyone with access to proprietary data can pose a threat. 25% of security incidents involve insiders. Many security tools only analyse computer, network, or system data, but it’s crucial to consider the human element in preventing insider threats.

Financial institutions can take several steps to improve their cybersecurity posture and protect against evolving threats. Some best practices for cybersecurity in financial institutions include:

• Regular risk assessments: Financial institutions should conduct regular risk assessments to identify potential vulnerabilities in their systems and networks. Risk assessments should include both technical and non-technical factors such as employee training and physical security.
• Implementing strong access controls: Financial institutions should implement strong access controls to protect against unauthorized access to systems and data. Access controls should include strong passwords, multi-factor authentication, and role-based access controls.
• Awareness programs: Financial institutions should educate employees on cybersecurity best practices and provide regular training to help them recognize and respond to potential threats. Employees should be trained on topics such as phishing, malware, and password security. They can also simulate phishing campaigns to make employees aware.
• Encrypting sensitive data: Financial institutions should encrypt sensitive data such as customer information and financial transactions to protect against unauthorized disclosure.

Financial institutions must manage third-party risks by conducting due diligence on third-party vendors and ensuring that they have robust cybersecurity measures in place. This includes regular monitoring and auditing of third-party vendors to ensure that they are complying with cybersecurity standards and regulations.

Cybersecurity is a critical issue for financial institutions, given the sensitive information and valuable assets they handle. Financial institutions must prioritize cybersecurity measures to protect themselves and their customers from cyber-attacks. The evolving cyber threat landscape and the challenges financial institutions face in implementing effective cybersecurity measures make it crucial for them to stay up-to-date with evolving threats, invest more resources in cybersecurity, prioritize employee training and education, and manage third-party risks.

The post The role of cybersecurity in financial institutions -protecting against evolving threats appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

OpenAI’s flagship product, ChatGPT, has dominated the news cycle since its unveiling in November 2022. In only a few months, ChatGPT became the fastest-growing consumer app in internet history, reaching 100 million users as 2023 began.

The generative AI application has revolutionized not only the world of artificial intelligence but is impacting almost every industry. In the world of cybersecurity, new tools and technologies are typically adopted quickly; unfortunately, in many cases, bad actors are the earliest to adopt and adapt.

This can be bad news for your business, as it escalates the degree of difficulty in managing threats. 

Using ChatGPT’s large language model, anyone can easily generate malicious code or craft convincing phishing emails, all without any technical expertise or coding knowledge. While cybersecurity teams can leverage ChatGPT defensively, the lower barrier to entry for launching a cyberattack has both complicated and escalated the threat landscape.

Understanding the role of ChatGPT in modern ransomware attacks

We’ve written about ransomware many times, but it’s crucial to reiterate that the cost to individuals, businesses, and institutions can be massive, both financially and in terms of data loss or reputational damage.

With AI, cybercriminals have a potent tool at their disposal, enabling more precise, adaptable, and stealthy attacks. They’re using machine learning algorithms to simulate trusted entities, create convincing phishing emails, and even evade detection.

The problem isn’t just the sophistication of the attacks, but their sheer volume. With AI, hackers can launch attacks on an unprecedented scale, exponentially expanding the breadth of potential victims. Today, hackers use AI to power their ransomware attacks, making them more precise, adaptable, and destructive.

Cybercriminals can leverage AI for ransomware in many ways, but perhaps the easiest is more in line with how many ChatGPT users are using it: writing and creating content. For hackers, especially foreign ransomware gangs, AI can be used to craft sophisticated phishing emails that are much more difficult to detect than the poorly-worded message that was once so common with bad actors (and their equally bad grammar). Even more concerning, ChatGPT-fueled ransomware can mimic the style and tone of a trusted individual or company, tricking the recipient into clicking a malicious link or downloading an infected attachment.

This is where the danger lies. Imagine your organization has the best cybersecurity awareness program, and all your employees have gained expertise in deciphering which emails are legitimate and which can be dangerous. Today, if the email can mimic tone and appear 100% genuine, how are the employees going to know? It’s almost down to a coin flip in terms of odds.

Furthermore, AI-driven ransomware can study the behavior of the security software on a system, identify patterns, and then either modify itself or choose the right moment to strike to avoid detection.

Trends and patterns in ChatGPT-themed cybercrimes

While the vast majority of people use ChatGPT for benign or beneficial purposes, the notable uptick in ChatGPT-themed suspicious activities is cause for concern. These threats include the creation of malicious code, phishing schemes, and of course ransomware — often exploiting the advanced capabilities of ChatGPT to enhance their effectiveness.

The majority of patterns and trends in these activities are not ransomware-related; however, they provide invaluable insights for security experts to proactively respond to these challenges.

Creation of malware using ChatGPT

A self-proclaimed novice reportedly created a powerful data-mining malware using just ChatGPT prompts within a few hours.

ChatGPT imposters

Malware operators and spammers read the news, too, and are following trends and high-engagement topics, leading to an increase in malicious ChatGPT imposters.

Malware campaigns using ChatGPT

ChatGPT is everywhere. Meta took steps to take down more than 1,000 malicious URLs that were found to leverage ChatGPT.

Cybercriminals using ChatGPT

ChatGPT cybercrime is popular with hackers. A thread named “ChatGPT – Benefits of Malware” appeared on a popular underground hacking forum, indicating that cybercriminals are starting to use ChatGPT.

ChatGPT-themed lures

Watch out: hackers are using ChatGPT-themed malware to take over online accounts.

ChatGPT phishing attacks

Finally, these phishing attacks are the most concerning for organizations defending against ransomware. The ChatGPT “Banker” phishing attack involves fake webpages and a trojan virus.

Copycat Chatbots and their threat to Cybersecurity

The success and visibility of OpenAI’s ChatGPT inevitably leads to another cybersecurity concern — the rise of copycat chatbots. These are AI models developed by other groups or individuals seeking to mimic the functionalities and capabilities of ChatGPT, often with less stringent ethical guidelines and fewer protective measures.

There are two key issues that arise from these imitation chatbots. First, they often lack the advanced protective guardrails that have been incorporated into ChatGPT, leaving them more open to misuse. These bots could easily become tools for generating malicious code, crafting phishing emails, or designing ransomware attacks.

Next, these copycat chatbots are frequently hosted on less secure platforms, which may be susceptible to cyber-attacks. Hackers could potentially compromise these platforms to gain control of the chatbots and manipulate their capabilities for nefarious purposes.

Copycat chatbots present the risk of amplifying misinformation and fostering cybercrime. As they lack the same level of scrutiny and oversight as ChatGPT, they could be used to disseminate deceptive content on a large scale.

Proactive measures you can take to combat AI-enhanced ransomware threats

Despite the escalating threat, the outlook is not hopeless.

As always, good security hygiene can go a long way in bolstering your defenses. The advice hasn’t changed, but it bears repeating.

Regular updates and patches: Ensure that all your software, including your operating system and applications, are up to date.

Avoid suspicious emails/links: Be wary of emails from unknown sources and don’t click on suspicious links. Remember, AI can be used to mimic trusted contacts.

Back up your data: Regularly backing up data is a simple yet effective way of mitigating the potential damage of a ransomware attack. The more data you have backed up, the easier it is to recover from a potential disaster.

Promote a culture of security awareness: Learn about the latest threats and techniques used by hackers. The better your company and all employees understand these tactics, the easier it will be to recognize and avoid potential threats.

If you do fall victim to a ransomware attack, don’t panic. Disconnect from the internet, report the incident to local authorities, and consider seeking professional help to mitigate the damage. In most cases, paying the ransomware is not recommended.

While AI can pose a threat when in the hands of hackers, it can also be a potent ally in your defense. AI-driven cybersecurity solutions are becoming more prevalent and can help you combat these advanced threats. These solutions use machine learning to recognize patterns, anticipate threats, and respond in real-time. By adopting AI-based security tools, you’re not just reacting to cyber threats, but proactively defending against them.

How AT&T Cybersecurity can help defend against ransomware

If your company lacks cybersecurity expertise, you may consider hiring trusted and experienced consultants to help you out. Take control by proactively making your company a place that cybercriminals do not want to visit.

With AT&T Cybersecurity incident response service, you’ll be well-positioned to:

• Prevent data breaches
• Quickly respond to attacks and mitigate impact
• Minimize impacts of a potential breach
• Quickly analyze and recover from the breach
• Mitigate security risk
• Improve incident response
• Leverage an “all hands on deck” approach, which includes in-depth digital forensic analysis, breach, support and compromise detection

The post Rise of AI in Cybercrime: How ChatGPT is revolutionizing ransomware attacks and what your business can do appeared first on Cybersecurity Insiders.