In a concerning development for financial security, American Express has announced that its customers’ credit card information has been compromised in a data breach. The breach occurred through a third-party service provider, marking another significant event in a series of financial data security breaches affecting major companies.

The Breach: A Closer Look

The Amex breach was disclosed in a notification filed with the state of Massachusetts, revealing that American Express’s own systems were not directly compromised. Instead, the vulnerability stemmed from a service provider used by the company’s travel services division, American Express Travel Related Services Company. Information at risk includes American Express card account numbers, names, and expiration dates. Customers with more than one American Express credit card exposed in the breach (and wondering “Did my credit card data get leaked?”) have been advised to expect follow-up contact from the company.

Response and Recommendations

American Express has urged affected customers to vigilantly monitor their accounts for fraudulent activity over the next 12 to 24 months and to enable notifications in the American Express Mobile app for real-time account activity updates. The company assured its customers that they would not be held liable for any fraudulent charges detected on their accounts.

Industry-Wide Concerns About Leaks

This data breach comes on the heels of a similar incident at Bank of America, where a ransomware attack on third-party provider Infosys McCamish Systems affected at least 57,028 customers. These breaches underscore the growing concerns around third-party vendor security within the financial sector.

The Underlying Issues

The lack of details regarding the Amex breach’s detection and the scale of compromise has been a point of criticism. Industry professionals highlight the need for better logging and monitoring capabilities among third-party providers to identify and respond to data compromises effectively. This incident highlights the broader issue of “nth party” risk, where the security vulnerabilities of one vendor can affect multiple parties down the supply chain.

Moving Forward

Experts argue for a multi-faceted approach to mitigate third-party risk, including rigorous vetting during onboarding, specifying breach response responsibilities in contracts, and adopting best practices like data masking. The aim is to minimize access risk and ensure that third-party partners adhere to high standards of data security.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented: “The problem of service providers, who get successfully hacked, that then end up causing a much larger data breach compromise is quite common. Really anyone who has access to a system becomes an ingress point for hackers. That’s why all services must routinely take inventory of who has what type of access and ensure that they are following recommended security guidelines. It also can’t hurt to have data monitoring so that when a large amount of data begins to move in an unusual way it can be reviewed, and if unauthorized, stopped as soon as possible.”

Conclusion

The American Express data breach is a stark reminder of the vulnerabilities present in the complex supply chains of financial institutions. As cyber threats continue to evolve, it becomes increasingly important for organizations to invest in advanced data security capabilities, enforce robust access controls, and proactively reduce their data risk. The financial industry must prioritize these efforts to safeguard sensitive customer information against unauthorized access and ensure the integrity of their operations in the digital age.

The post American Express Customer Data Compromised in Third-Party Service Provider Breach appeared first on Cybersecurity Insiders.

[By Yoav Kalati, Head of Threat Intelligence at Wing Security]

Today, we’re seeing the growing dependence on and adoption of Software as a Service (SaaS) tools by businesses and organizations. However, this increased reliance also has posed challenges on the security front, as threat actors try to take advantage of vulnerabilities inherent within SaaS usage – capitalizing on its seamless connectivity and convenience. Wing Security recently released an extensive analysis of 493 companies and found alarming trends regarding the usage of SaaS and its security. For example, Wing discovered that 97% of organizations are facing threats from compromised SaaS supply chain apps, shadow IT increased the risks of data leakage and one-fifth of organizations exhibited incomplete offboarding practices – leading to a growing concern about insider risks.

From managing the risks of third-party applications to implementing Multi-Factor Authentication (MFA) and optimizing anomaly detection, the strategies below are crucial for safeguarding sensitive data and mitigating potential security threats. Despite some of the concerning statistics above, experiences point to the fact that SaaS is safer than ever before – due to the availability of technologies that allow Chief Information Security Officers (CISO) and security teams to navigate the complex landscape of SaaS security.

Here are eight practical tips to bolster your organization’s SaaS security.

1. Discover and Manage Third-Party Application Risks

To mitigate the risks of third-party breaches, it’s crucial to identify and get ahead of the risks of potential weaknesses in your interconnected SaaS supply chain. By knowing about all the third-party SaaS applications connected to your organization, you can be better prepared to take action should a breach occur somewhere in the SaaS supply chain. In addition, making sure that you onboard only trusted applications with secure third-party security controls, policies and procedures is critical.

A supply chain attack occurs when an attacker singles out a vendor, aiming to exploit it as a means to infiltrate a larger network of companies. Entrusting sensitive data to external SaaS vendors exposes organizations to supply chain risks, beyond immediate security considerations. This approach opens the possibility of data breaches, compliance issues and more extensive security challenges.

2. Regain Control of Your AI-SaaS Landscape

Your SaaS security toolkit should encompass essential capabilities such as uncovering Shadow Artificial Intelligence (AI), controlling AI usage, identifying impersonator AI applications and automating remediation workflows. Additionally, security teams must take decisive actions by granting or restricting access to AI models and implementing necessary AI security measures.

Efficiently discovering and monitoring all AI-using SaaS applications training on your data is crucial, along with constant monitoring of your broader SaaS environment for updates in their terms and conditions regarding AI usage. Embrace methods that promote cross-organizational collaboration through automated remediation workflows, empowering end users to proactively mitigate risks.

3. Establish Effective Offboarding Procedures

Weak offboarding practices introduce significant security risks to organizations, such as unauthorized access, data breaches and compromised system integrity. This can result in severe consequences, including legal penalties, financial losses and damage to reputation and customer trust. Shockingly, Wing detected that 1 out of 5 organizations have experienced incomplete offboarding processes for some former employees.

To address this issue, it’s critical to implement effective offboarding procedures, especially for managing insider threats. Leveraging centralized methods like SaaS security posture management (SSPM) can facilitate the manual process of de-provisioning users from core business SaaS and shadow IT applications, minimizing the risk of data leaks and unauthorized access.

4. Leverage Threat Intelligence for Data Breach Tracking

Access to near-real-time threat intelligence alerts is crucial for staying informed about security incidents, enabling quick reactions to mitigate potential damages. In 2024, CISOs and their teams will continue to face various SaaS security threats, both known and new. To effectively manage these risks, prioritizing threat monitoring and leveraging an SSPM solution is essential.

5. Gain Control Over Data Sharing Practices

Ensuring effective access control and managing file sharing are crucial steps for organizations wanting to mitigate data-related risks and prevent sensitive data exposure. However, implementing these security measures while adapting to the evolving demands of a rapidly changing business landscape can be challenging.

To address this challenge, implement stringent automated access control measures for your data and regularly review sharing settings and permissions. Additionally, consider adding password protection to sensitive files and actively promote general cybersecurity awareness to prevent data leaks and unauthorized exposure.

6. Prioritize SaaS Misconfiguration Remediation

Misconfigurations of SaaS applications create vulnerabilities that can lead to data breaches. Mistakes during the setup and onboarding of SaaS applications can lead to accessing sensitive data stored in the cloud. That’s why it is critical to align with best practices in SaaS security to prevent unauthorized access. This can be done by swiftly correcting misconfigurations in your SaaS environment. With a proactive strategy to identify and resolve errors on time, you can boost your defenses against potential breaches.

7. Optimize Anomaly Detection for Threat Identification

Nowadays, threat actors exploit vulnerabilities more easily, with a growing trend of abusing unsecured credentials found by scanning public code. Over the past year, this trend has surged across multiple platforms, particularly software development platforms where developers commonly use hard-coded credentials. By remaining vigilant and addressing these vulnerabilities, organizations can effectively mitigate the risk posed by unauthorized access and potential breaches.

Strengthening threat detection capabilities and maintaining vigilance through anomaly detection guards, tracking user behavior, and detecting unusual or suspicious actions are crucial for preserving a resilient cybersecurity posture and safeguarding sensitive data.

8. Enforce MFA for User Protection

Wing’s findings reveal crucial insights into MFA implementation from within numerous customer environments. We found that a surprising number of organizations did not implement MFA on any of their users, leaving them vulnerable to potential security breaches and compromises. Unauthorized individuals may exploit this lack of authentication protection to gain access to sensitive data, systems or resources.

Implementing MFA is highly effective in strengthening defenses against unauthorized access and SaaS attacks. It stands as the optimal solution to thwart credential-stuffing attacks. It is recommended to implement multiple forms of identification and multi-step login processes, such as numerous passwords and additional verification steps.

As the world becomes increasingly interconnected through cloud-based services, the attack surface for organizations continues to grow. From supply chain risks to misconfigurations and the introduction of new risks through AI, the SaaS threat landscape is continuously expanding. However, companies can get ahead of SaaS attacks by taking a proactive and vigilant approach by leveraging the right technology.

Yoav Kalati is the Head of Threat Intelligence at Wing Security, with extensive experience in the security field since 2008. Beginning their career as an Intelligence Analyst with the Israel Defense Forces, they transitioned to a cybersecurity analyst role, eventually leading a team as a cyber threat analyst. In 2018, Kalati assumed the role of Head of Cyber Threat Intelligence Analysis Section at J6 & Cyber Defense Directorate, IDF, subsequently serving as Acting Head of Cyber Research Branch. Currently, Kalati serves as the Head of Threat Intelligence at Wing Security. They attended The Hebrew University of Jerusalem from 2015 to 2018, earning a Bachelor of Arts in Economics and International Relations.

The post 8 Tips To Protect Your Organization in the Evolving SaaS Landscape appeared first on Cybersecurity Insiders.

Digital healthcare has been developing rapidly during the last decade: the enactment of the American Reinvestment and Recovery Act (ARRA) in 2009 drove the majority of healthcare organizations in the US to adopt the EHR system, the COVID-19 pandemic boosted telehealth apps’ popularity, and the rapid adoption of sophisticated generative AI during the past couple of years helped virtual health assistance to become a new trend.

While such progress is undoubtedly beneficial for patients and providers, there are also downsides associated with healthcare data circulating in cyberspace. The cost of data breaches in healthcare was twice as high as in any other industry between 2022 and 2023, according to Statista. Therefore, healthcare software development still has challenges to overcome in 2024, mainly in terms of regulatory compliance and strengthening security.

Healthcare software development regulations to consider

The healthcare software regulatory landscape is full of nuances. Therefore, healthcare organizations should always consult an expert before implementing a new solution, modernizing legacy systems, or integrating their software with third-party apps.

In general, a combination of laws and standards that a healthcare app should adhere to depends on the intended purpose of the software use, the type of data it will collect, process, and store, and the geographical location of the healthcare services provider and its patients.

Global security regulations relevant to healthcare software implementation

ISO 13485 and IEC 62304. These standards focus on quality management of the medical device software development process, providing software developers and healthcare device manufacturers with a set of requirements for handling the entire software lifecycle. These rules about how software for medical devices should be designed, implemented, and maintained help strengthen the cybersecurity for software that qualifies as a medical device (SaMD) and software that will be embedded into medical devices.

HL7 (Health Level Seven). This collection of industry-wide standards regulates how clinical and administrative data gets transferred between applications. It lays the foundation of healthcare software interoperability and secure data transfer.

NIST Cybersecurity Framework. This framework provides guidance for managing cybersecurity risks. It is not mandatory, but is used by experienced healthcare app developers, because it outlines the essential practices to keep software secure.

Location-specific standards

In addition to general rules for securely developing and implementing the applications that process patients’ personal information, most countries have their regulations on such software’s development and usage:

HIPAA. The Health Insurance Portability and Accountability Act is a comprehensive set of standards for protecting the privacy and security of patients’ information. Any software used by patients or clinicians in the US that handles patients’ personal health information must be designed and implemented according to HIPAA.

CCPA. The state of California has an additional privacy protection standard – the California Consumer Privacy Act – that requires companies to disclose how they acquire, store, and share their customers’ data. Healthcare providers operating within the state have to abide by this law.

GDPR. The General Data Protection Regulation sets strict rules for protecting the personal data of European Union citizens. Healthcare software that handles patient data and is used in the EU falls under this regulation.

EU MDR (Medical Device Regulation). This regulation outlines essential safety and performance requirements for medical devices sold in the European Union. Naturally, it includes cybersecurity requirements for software as a medical device that will be used inside the EU.

PDPA. In Saudi Arabia, all operations with personal data, including those performed by healthcare organizations, are regulated by the Personal Data Protection Act. It is a broad framework that lays the foundation for data security in Saudi Arabia.

SEHR. Another Saudi Arabia regulation essential for data protection in the healthcare sector is Saudi Electronic Health Record Framework. It sets security standards specifically for the implementation and use of the EHRs.

Challenges of implementing secure healthcare software

Due to multiple standards determining the rules for safe and secure healthcare application implementation, healthcare providers often struggle to adopt sufficiently secure solutions. Software providers and consultants can help them overcome challenges that depend on the following factors:

  • Number and complexity of regulations. Companies operating in multiple countries or states must navigate across and meet different international, national, and regional standards. Healthcare software consultants can assess the particular company’s type of practice, location, patient base, and other parameters to help choose the solution that fits the relevant regulatory landscape.
  • Regulations’ constant evolution. While the fact that healthcare regulations are constantly transforming to adapt to the modern state of the industry is undoubtedly a positive one, it creates additional difficulties for healthcare service providers and software developers. They must constantly stay updated on the changes and adapt their software and practices accordingly. To manage this effectively, employing tools like task timers can significantly aid in efficiently allocating time to monitor and integrate these regulatory changes. It is not an easy task, and it is costly too, especially for large corporations with complex IT ecosystems in place. It’s best to partner with a software provider that offers comprehensive support services and can help with ongoing software improvements and upgrades.
  • Tug between security and usability. Robust security measures put in place to meet stringent security regulations can be overwhelming for healthcare personnel and patients using the software. Healthcare software must be designed to strike a balance between supplying users with intuitive interfaces, enabling smooth workflows, and ensuring the safety and security of sensitive information and operations.
  • Integration with existing systems. Many healthcare organizations have complex legacy systems. Integrating new apps securely with these systems can be challenging, requiring careful data mapping, access control measures, and adherence to interoperability standards. Healthcare organizations can navigate this process better with the help of seasoned integration consultants.
  • Limited resources. Smaller healthcare providers often have limited budgets and IT staff, making investing in top-notch security solutions and expertise challenging. They have to determine the possible security breach points in their organization to address the most pressing problems first, and consider cheaper alternatives that don’t compromise security, for example, open-source secure solutions. Implementation service providers help healthcare organizations to find the cheapest solution without cutting off too much of the systems’ capabilities in the name of security.

In conclusion

Keeping sensitive healthcare data safe while providing medical personnel and patients with the convenience and comfort of digital healthcare requires a joint effort. On the one hand, software providers must consider industry specifics during the software development to deliver applications that are secure by design. At the same time, healthcare organizations must implement special measures to secure their entire ecosystem. They must adopt proper data governance strategies, enhance personnel and patients’ cyber literacy, and enforce security procedures in everyday operations.

The post Healthcare Software Security: Standards and Challenges appeared first on Cybersecurity Insiders.

Stellar Cyber, the innovator of Open XDR, today announced that RSM US – the leading provider of professional services to the middle market – is leveraging the Stellar Cyber Open XDR platform to unify, expand and control the cybersecurity defenses across its Global MSSP Client Network.

RSM US operates a global managed security operations service, known as RSM Defense, which offers around-the-clock threat detection, response and intelligence services to its clients. As an MSSP, RSM Defense Director and Threat Operations leader Todd Willoughby’s team amassed a collection of discrete client data sources that focus on individual aspects of security, each with a separate console. RSM Defense integrated Stellar Cyber’s Open XDR platform into the MSSP model’s workflow because it unifies those tools and provides SIEM, NDR, UEBA and TPA tools in one comprehensive platform.

“Stellar Cyber is taking a different approach to what’s been offered in the market over the last 15 years,” said Willoughby. “Instead of just putting out just one tool, they are addressing the challenge of delivering a complete view of security events across our clients’ infrastructure under one pane of glass; and because it’s an open platform, integrating clients’ new or existing EDR and other security tools and data sources is a non-issue.”

Other advantages Willoughby found are the platform’s machine learning capabilities and robust, out-of-the-box detection rulesets, which enable him to level the playing field between newer and more skilled security analysts, making them all fully productive. “Great senior cybersecurity analysts are tough to find – even if you can find one, they can cost the business upwards of $150,000 a year, and most clients can’t afford that,” he said.

“Enterprises and MSSPs providing cybersecurity protection for multiple sites or customers need solutions that put them in control with a single pane of visibility, automatic data correlation and analysis, and rapid, bi-directional integrations to client security stack tools,” said Steve Garrison, SVP Marketing at Stellar Cyber. “Our platform delivers on those promises like no other solution in the market.”

About Stellar Cyber

Stellar Cyber’s Open XDR platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill to secure their environments successfully. With Stellar Cyber, organizations reduce risk with early and precise identification and remediation of threats while slashing costs, retaining investments in existing tools, and improving analyst productivity. The company is based in Silicon Valley. For more information, contact https://stellarcyber.ai.

About RSM

RSM is the leading provider of professional services to the middle market. The clients RSM serves are the engine of global commerce and economic growth, and RSM is focused on developing leading professionals and services to meet their evolving needs in today’s ever-changing business landscape. RSM’s purpose is to instill confidence in a world of change, empowering clients and people to realize their full potential. RSM US LLP is the U.S. member of RSM International, a global network of independent assurance, tax and consulting firms with 57,000 people in 120 countries. For more information, visit Security monitoring and response | Services | RSM US.

The post RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients appeared first on Cybersecurity Insiders.

[By Demetris Booth, Product Manager, Cato Networks]

The cybersecurity market is brimming with point solutions. Each solution is designed to address a specific risk, a specific security use case and a specific attack vector. This approach is no longer sustainable because it unnecessarily complicates the overall security architecture. Security gaps are the result. Already overburdened and understaffed security teams are having to learn, configure, manage, maintain and monitor scores of different tools, and because of this, they are ignoring important alerts, delaying patching and overlooking other critical issues. Moreover, critical security signals simply get lost or buried across multiple and disparate systems, and these security gaps are being weaponized by cybercriminals.

XDR Addresses Security Complexity To A Degree

Extended detection and response (XDR) is being hailed as the “Swiss-army knife” solution to security complexity issues. For those not familiar with XDR, it is an advanced security technology that extends beyond endpoint detection and response (EDR) tools. XDR platforms analyze threats and anomalies across networks, endpoints, clouds, and more.

XDR technology sounds great on paper. There’s been considerable hype and confusion through clever marketing, as some XDR platforms only work on specific vendor toolsets (closed XDR or native XDR), while others promise integrations with third-party vendors (a.k.a. Open XDR). The issue is that the effectiveness of these integrations remains questionable. While Open XDR offers integration with existing networking and security tools, making sense of all this data can be challenging. This is because for XDR to process and analyze all threat data, it needs to be standardized into a format that the XDR tool understands.

Given this potential data inconsistency, it seems unlikely that XDR can live up to the hype and perform at a high degree of speed, effectiveness, and accuracy.

SASE-based XDR Can Overcome The Data Normalization Problem

Before we discuss SASE-based XDR, it is important to understand the basics behind Secure Access Service Edge. SASE converges networking and network security functions into a single, cloud-delivered architecture. SASE provides end-to-end visibility to ensure consistent global policy enforcement for all authorized users, devices and applications regardless of location.

What Is SASE-based XDR And How Does It Work?

SASE-based XDR is a new native approach to detection and response that improves operations for security teams. Unlike standard XDR technology that relies on capturing threat data from multiple security tools, SASE-based XDR captures threat data from native sensors that are built into the SASE platform, as well as data from third-party sensors. Data from these sensors is populated into a single data lake and requires no integration or normalization. Advanced AI/ML algorithms train on this data to produce more accurate and related threat incidents for security analysts to act on.

SASE-based XDR becomes a game changer over standard XDR because of the quality of data it produces. As mentioned earlier, standard XDR has data quality limitations, which can impact detection and response effectiveness. Because XDR requires security data to be normalized and understood, it risks losing critical threat information during the process. The quality of the data and the accuracy of security incidents that security analysts handle are directly affected by this.

With SASE in the picture, XDR is more effective because it ingests cleaner data to produce more accurate security incidents. Furthermore, training AI/ML on higher-quality data ensures enhanced threat correlation, detection, and incident response capabilities.

Studies show that most organizations are gravitating to technologies like XDR and SASE in a bid to consolidate security and reduce overhead and complexity. Given the challenges and limitations of standard XDR, it makes reasonable sense to evaluate SASE based XDR, which leverages the best of both worlds to deliver superior visibility and control.

About the Author

Demetris Booth is Product Director for Cato Networks in Asia Pacific, where he leads the strategic engagements around Cato’s cloud-native approach to Secure Access Service Edge (SASE). He is a strong advocate and champion of network and security convergence, promoting SASE as the pathway to better business and technical outcomes. Prior to Cato, he held various leadership roles with Sophos, Cisco, Juniper Networks and Citrix Systems. As a 20+ year technology industry veteran, he brings a diverse, global perspective, having lived and worked in North America, Europe, and Asia.

The post How SASE-based XDR Delivers Better Threat Detection Performance appeared first on Cybersecurity Insiders.

[By Darren James, Senior Product Manager, Outpost24]

Humans have made unbelievable advancements in science and technology that have stretched the imagination and changed society forever. But one seemingly mundane, albeit crucial, piece of wisdom continues to elude mankind – proper password management.

We’ve all seen the headlines about the next big breach, the majority of which can be attributed to a root cause of human interaction, including the use of compromised or stolen access credentials, such as usernames and passwords. This is clearly a chronic issue for businesses and consumers alike.

Unfortunately, this conclusion is no “revelation.” The individual remains the weakest link in the security chain. Despite countless resources for end user training and security hygiene, IT teams are still battling against the use of weak or compromised passwords creeping into their company’s network.

The reason there is such a huge focus on passwords and getting password security right is the fact that 88% of organizations still use passwords as their primary method of authentication to protect their systems.

This naturally attracts a lot of attention from cybercriminals who are focusing thoroughly on exploiting weak passwords, stealing credentials, selling them, and using them as an initial access point for breaching organizations.

There is certainly more than meets the eye when it comes to passwords. Understanding this as well as the patterns and trends of breached passwords, how they become compromised, and the most common password mistakes users make that might surprise you, will lead us along a path towards stronger password security.

Weak Passwords – How they’re exploited

Within any organization, you’d be hard pressed to find an employee who hasn’t had training in creating strong passwords. If you can find one, that is a serious problem. The many years of security industry advice and best practices should have hammered this home. Yet, even with these recommendations, research has revealed that the most common base terms used in breached passwords were “password,” “admin,” and “welcome” – terms one may think would be obviously off-limits to any security-savvy end user.

Weak passwords remain the gifts that hackers keep on getting. As the easy entry routes into organizations, they are the low-hanging fruit that can be snatched and exploited to reveal the jewels of the kingdom: sensitive data.

There are three common methods by which hackers exploit weak passwords, including:

Dictionary attacks:

Hackers use predefined ‘dictionary lists’ of likely possibilities to guess passwords or decryption keys. These could range from frequently used passwords and phrases to common terms in specific industries, exploiting the human tendency to opt for simplicity and familiarity when creating passwords. Hackers will often leverage social media platforms to gather information about specific users and their organizations, gaining insights into the potential usernames and passwords they may choose. Of course, many end users will add at least a small amount of variation to these terms, which is where brute force techniques come in.

Brute force attacks:

Brute force attacks use software to attempt all possible character combinations until the correct password or decryption key is found. While this might seem time-consuming, it can be a highly effective method against shorter or less complex passwords – especially when given a head start by using common base terms found in dictionary lists. Combining techniques in this way is known as a hybrid attack. For example, “password” could be the base term from a dictionary list. A brute force attack will try all subsequent variations such as “password, Password, P@$$w0rd, P455w0rD, Password1, Password!” and so on. This takes advantage of common variations people make to weak base terms to meet their organization’s complexity requirements.

Mask attacks:

A mask attack is a form of brute forcing where attackers know elements of common password constructions and can therefore reduce the number of guesses they’ll need to get it right. For example, an attacker might know many passwords are eight characters, start with a capital letter, and end with a few punctuation characters, like “Welcome1!”. So, they might only try combinations that match this pattern, reducing the total number of passwords to attempt. Alternatively, they might know a specific company has a poor policy such as adding the current month and year to the end of passwords when rotating them. Having any sort of definitive information about the makeup of a password can greatly speed up a brute force attack.

Keyboard walks:

Another common base term for passwords can be found by looking at a traditional keyboard. The terms “Qwerty”, “asdfghjkl”, or “zxcvbnm” may seem like random combinations, but they are simply letters that sit next to each other on the keyboard. Known as “keyboard walks” or “finger walks”, these are seen as quick and memorable passwords by employees. Unfortunately, they are incredibly easy to compromise. The most-used keyboard walk pattern was “Qwerty,” which appeared over 1 million times in a list of 800 million compromised passwords. Even “123456” was found to be the most common compromised password in a new list of breached cloud application credentials.

The notion that the password issue lies solely with the general workforce is not true. In fact, IT administrators are often equally careless when it comes to password choices. Research has revealed that out of 1.8 million administrator credentials scanned, over 40,000 admin portal accounts were using the weak password “admin” to protect some of the most sensitive accounts with the highest levels of access within an organization.

It goes without saying that protecting access to sensitive information must be a priority for every employee within an organization. Above all, this starts with creating stronger passwords.

But what exactly makes a strong password?

Strength, length and security

At present, the default password length requirement in Active Directory is 8 characters, which is also the most common length required by many websites. However, given the sophistication of modern cracking technology, 8-character passwords can be cracked in under 3 hours. Moreover, if an individual uses a known compromised password, it will be cracked instantly. It is strongly recommended that organizations force end users to create passwords that are at least 15 characters long.

While this may be a challenge for some employees to remember, a method to overcome this would be to encourage the use of passphrases consisting of three random words. Embedding special characters and using a combination of letters and numbers would only strengthen the password.

Across the board, stronger password policies are needed to prevent breached, common, and easily guessable passwords from entering the system. To achieve this, a multi-pronged approach is required whereby the organization has the necessary processes in place to detect compromised passwords – even those that were breached outside of the workplace. Implementing a company-wide password policy is beneficial in achieving this outcome, as there are solutions available that can be integrated with the organization’s Active Directory to prevent the use of keyboard walks, passwords that don’t meet set criteria for length and/or complexity, or passwords that have been detected in compromised lists.

Scanning Active Directory passwords against breached-password lists should be conducted continuously, and if a compromised password is in use within the organization, the IT team should be alerted instantly so they can require the end user to change it at their next logon.
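As an added example (not part of the original post), here is a small Python policy check that implements the controls described above: a 15-character minimum, rejection of common base terms even in leet-speak variants such as “P@$$w0rd”, keyboard-walk detection, and a lookup against a breached-password list. The base-term list and the breached hashes are constructed stand-ins for the breach corpora a real deployment would load.

```python
"""Password policy check: length, base terms, keyboard walks, breach list."""
import hashlib

MIN_LENGTH = 15  # the article's recommended minimum

# Constructed list of common base terms seen in breached passwords.
COMMON_BASE_TERMS = ("password", "admin", "welcome", "letmein", "qwerty")

# Simplified leet-speak map so "P@$$w0rd" and "P455w0rD" normalise to "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})

# Keyboard rows used to detect "finger walks"; each is checked in both directions.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, stored as SHA-1 hashes
# (the usual distribution format; a production check compares against the full
# list or a k-anonymity range lookup rather than this inline set).
BREACHED_SHA1 = {_sha1_hex(p) for p in ("123456", "Welcome1!", "Summer2024!")}


def contains_base_term(password: str) -> bool:
    """True if a common base term survives case and leet normalisation."""
    normalised = password.lower().translate(LEET_MAP)
    return any(term in normalised for term in COMMON_BASE_TERMS)


def has_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if any run of min_run adjacent keys (forwards or backwards) appears."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in lowered:
                    return True
    return False


def is_breached(password: str) -> bool:
    """Hash the candidate and look it up in the breached-hash set."""
    return _sha1_hex(password) in BREACHED_SHA1


def evaluate(password: str) -> list[str]:
    """Return the sorted list of policy violations; an empty list means acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if contains_base_term(password):
        violations.append("base_term")
    if has_keyboard_walk(password):
        violations.append("keyboard_walk")
    if is_breached(password):
        violations.append("breached")
    return sorted(violations)


if __name__ == "__main__":
    # A three-word passphrase passes; the hybrid-attack variants do not.
    for candidate in ("P@$$w0rd", "Welcome1!", "asdfghjkl2024!!",
                      "tangerine-velvet-lighthouse"):
        print(f"{candidate!r:32} -> {evaluate(candidate) or 'OK'}")
```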

Yes, the password continues to be a significant issue for IT teams and a massive weak link in the defenses of many businesses. With that said, by following security best practices and deploying the right controls, IT teams can make drastic improvements toward password peace of mind for the entire organization. While it’s hard to imagine 2024 being the year total password security is achieved, it can certainly be something IT teams strive for going forward.

The post 2024 is Here: Will This Be the Year We Get Passwords Right? appeared first on Cybersecurity Insiders.

[By Chris Debigh-White, Chief Security Officer at Next DLP]

The majority of security experts adhere to the “assume breach” paradigm, which recognizes the possibility, if not the inevitability, of an attacker gaining access to an organization. This breach could occur through various means, such as unpatched vulnerabilities, phishing attacks, insider threats, or the exploitation of the billions of stolen credentials harvested from previous breaches.

With the “assume breach” mindset, a defender’s primary objective is to detect and mitigate these breaches as quickly as possible. According to the 2023 IBM Cost of a Data Breach Report, the global average cost of a data breach was $4.45 million ($4.9 million if the attack was by a malicious insider). Breaches identified and contained within 200 days of the initial breach cost organizations over $1 million less than those that required more than 200 days. The time taken to address a breach is directly proportional to the extent of damage and financial impact on an organization.

The same IBM report found that organizations that have a formal and regularly rehearsed incident response plan (IR plan) could detect breaches 54 days sooner than those without any plan. Moreover, organizations with robust IR planning and testing procedures were able to reduce the costs associated with a breach by over 34%.

Defining an Incident Response Plan

An IR plan is a documented approach to address and manage cybersecurity incidents or attacks. A well-defined IR plan outlines the roles, responsibilities, and procedures to be followed during an incident, enabling a coordinated and efficient response. It includes identifying, investigating, mitigating, and recovering from data breaches, cyberattacks, or any unauthorized activity that threatens data and systems.

Cybersecurity Incident Response

One well-recognized process for incident response and management is ISO/IEC 27035, which provides five steps focused on preparation, detection and reporting, assessment and decision-making, response, and lessons learned. It’s important that organizations take it a step further and dive into each recommended step more deeply:

  1. Preparation

The cornerstone of a strong IR plan lies in thorough preparation. This phase includes the formation of a dedicated, clearly-defined IR team, along with the allocation of all necessary resources. Regular drills and training sessions are vital in maintaining the team’s preparedness, with activities like simulated phishing attacks to uncover potential weaknesses and enhance the team’s capability to respond effectively.


Adopting best practices in preparation involves comprehensive documentation of the organization’s network infrastructure and compiling a detailed inventory of vital assets. Setting up communication pathways with pertinent stakeholders, including legal departments, public relations teams, and law enforcement agencies, is also imperative. Furthermore, building relationships with external incident response specialists who can provide additional expertise when confronting complex cyber security challenges is advised.

  2. The Detection and Identification Phase

The primary goal of detection and identification is to swiftly pinpoint potential security incidents, supported by tools like intrusion detection systems (IDS) and security information and event management (SIEM) tools. Additionally, data loss prevention (DLP) and insider threat management tools observe and analyze all actions taken with data to identify and confirm activity that could put sensitive data at risk.


Once these tools generate alerts based on predefined rules or anomalous behavior, security teams can gather relevant information, such as log files, network traffic data, and system snapshots, and analyze the situation to determine the scope and severity of the incident.

  3. The Containment Phase

In the containment phase, isolating affected systems is vital to mitigate further damage. This requires an in-depth understanding of the network architecture, system interdependencies, and established protocols for swift isolation, like network disconnection or account deactivation. Utilizing data protection tools enhances this process, enabling organizations to disconnect devices, terminate user sessions, capture evidence, block uploads, and halt harmful processes, thereby effectively safeguarding against the escalation of the incident.

  4. The Eradication Phase

It’s imperative to remove all forms of malware, backdoors, and unauthorized access. This often requires system restoration from clean backups or the application of security patches. Documenting each action for future analysis is crucial. Given the persistence of sophisticated attackers, this stage includes identifying the root cause of the breach.

  5. The Recovery Phase

In the post-incident recovery phase, the focus is on restoring affected systems and resuming normal operations, which includes validating system integrity, ensuring data availability, and thorough testing before reintegration. Effective recovery entails prioritizing critical systems, setting clear recovery time objectives (RTOs), and regular data backups to minimize downtime. Comprehensive testing and monitoring are crucial to address residual issues and reduce future risks. Concurrently, transparent communication with stakeholders about recovery progress and timelines is essential for maintaining trust and clarity.

  6. The Reflection/Learning Phase

The final step of an incident response plan is to conduct a detailed post-incident analysis and document the lessons learned to identify ways in which the IR process and overall security of a company can be improved. This does not mean pointing fingers and assigning blame. Reflection involves the response team thoroughly investigating the breach, assessing the affected data or assets, and evaluating the extent of the damage. Such analysis is crucial for identifying gaps in the response process and determining improvement areas, necessitating the involvement of all relevant stakeholders, including the response team, IT personnel, and management. Additionally, the psychological safety of all participants is paramount in order to ensure that this phase is not just a tick box exercise.


Thorough incident response documentation, encompassing all actions and timelines, is vital for future reference, compliance, and plan enhancement. Regular updates and reviews of the incident response plan, integrating these insights, are essential to ensure ongoing effectiveness. Organizations must respond promptly to incidents, with a well-crafted playbook of policies and processes and regular practice drills to ensure teams are well-versed in the required actions, including incident categorization and reporting protocols.


Incident Response Goes Beyond the Security Team

Effective cybersecurity incident response is not solely the responsibility of information security teams. Incident response teams require a coordinated effort across multiple disciplines in an organization, depending on the type of attack. Those outside of the organization, like customers, law enforcement, and service providers will play a big part too. While security teams will confirm the attack and recommend remediation activities, legal will guide data breach notification requirements, compliance with data protection laws, and potential liabilities. HR will work with legal and management to plan internal responses when considering insider threats. Per your IR Plan, each participant and their teams will have specific responsibilities that are essential to have practiced prior to an incident.


Must-Haves for Effective Incident Response

Incident response plans will vary depending on the affected assets, organizational resources, and regulatory requirements, but a few core pieces will always be necessary. Training will always be the most effective first line of defense and practice makes perfect in incident response. Additionally, teams must never forget to consider insider threats while constantly testing containment capabilities.


In the event of a breach, always collect data for investigations. Adequate logging and monitoring are paramount to the availability of this data; if they are not in place, there will be nothing to collect. This should be addressed in the preparation phase and reflected upon in the lessons learned phase by conducting post-mortem reviews and assessments to identify areas of improvement.


For security teams and the entire organization, having an IR plan in place, and regularly testing and improving upon that plan, is what every organization should do regardless of the potential costs of a breach. By combining an organization-wide incident response team with a well-coordinated IR plan, companies can actively reduce the impacts of data breaches.

The post How to Properly Handle Cyber Security Incident Management appeared first on Cybersecurity Insiders.

The digital era: what a time to be alive! It’s easier to stay in contact from a distance, make financial transactions, shop for necessities (or luxuries), and conduct business. Lucky us, right?

The answer is undoubtedly yes, with an and… thrown in for good measure. We’re indeed in a period of life where things are easier and more accessible than ever. Of course, consumers and businesses aren’t the only ones benefiting from the digitization of modern life. Cybercrime is growing exponentially, and businesses in particular are at significant risk.

The Era of Cyber (In)security

It’s been said that if cybercrime were a country, it would be the third-largest economy in the world. That’s a pretty sobering statistic, mainly owing to the value of attacks against organizations and enterprises.

Cybercriminals are attacking from all directions, and businesses must stay on their toes to avoid becoming a statistic. Digitized data is particularly vulnerable, and it’s more than an inconvenience if it falls into the wrong hands. Compromised data can be financially and reputationally costly and only takes a single exploited weakness to trigger a wave of fines, regulatory issues and brand damage.

Top Risks to Businesses

Vigilance is vital to staying safe, but where and how do you begin implementing robust security measures to protect your data, end users, and customers? To start, it’s crucial to understand the top risks your business faces today.

Insider Threats

Cybercriminals are not only opportunistic strangers. In the modern era, threats can come from inside your network.

Insider threats are those posed by people who don’t need to breach security to reach your network, as they’ve already been granted access. That means employees, contractors, partners, vendors, suppliers, and anyone else you trust with your network or data can pose a threat.

Of course, not all insider threats are purposeful. Human error can be just as costly, as any employee or third-party partner can click the wrong link, use an insecure network connection, or leave a device unattended, leading to a security breach.

That doesn’t mean deliberate insider threats are not a problem, however. Employees with privileged access may be tempted to sell trade secrets, bring information to a new company as a bargaining chip for career advancement, or sabotage your information as retaliation for discipline or firing. Insider threats can exist in any department or team, whether accidental or deliberate.

Social Engineering

Covering a wide range of attacks, social engineering refers to any cybercrime that starts with gaining the trust of an end user. That can mean masquerading as a trustworthy colleague or simply sending a believable message (including an SMS or phone call) with a request for information.

Social engineering attacks are particularly threatening because they prey on the trust or naivety of an end user to wreak havoc. With remote and hybrid workforces, social engineering attacks are even more prominent – end users have grown accustomed to receiving requests for information or performing actions via digital means.

Traditional security controls, like encryption, policies, and security software, are less effective against these attacks. Organizations must also communicate well and often with their end users to encourage a healthy sense of skepticism about messages and requests.

Ransomware

A form of malware, ransomware is a nefarious attack that can be catastrophic for businesses. All it takes is one exploited system weakness or false move by a user, and malware is installed on your network. From there, your valuable data or systems are locked until you pay a hefty price to regain access.

Ransomware attacks are very effective as businesses are held at the mercy of their attackers. Without access to their data or systems, business comes to a standstill. That means the value of these attacks is not only the price tag set by the attackers but the losses incurred when a company cannot conduct business.

While the dream for cybercriminals is a successful ransomware attack on a large company with deep pockets, no one is off their radar. Small businesses are often targeted because bad actors know they likely lack the resources to back up data or otherwise recover from downtime, and are therefore most likely to find a way to pay the ransom so they can get back to business.

Artificial Intelligence

Threats exploiting artificial intelligence (AI) vulnerabilities are evolving faster than any other category, particularly as interest in AI tools grows. Emergent technologies are alluring for cybercriminals, as organizations are less likely to have policies and protections.

At the time of writing, AI is a non-standard attack vector. The most considerable related risk to businesses today concerning AI is data leakage. AI tools such as large language models (LLMs) and GPT do not consider confidentiality. As such, several organizations worldwide have banned GPT tools to prevent confidential and privileged information – such as code and trade secrets – from falling into the wrong hands.

Cloud Vulnerabilities

Along with digitizing processes across the organization, our modern world is predominantly cloud-based. This has been a tremendous help, particularly for the remote and hybrid workforce, as cloud-based tools can be accessed from anywhere, as long as an internet connection is available.

Cloud security vulnerabilities can present a cyber threat to organizations. It’s imperative to ensure the third-party platforms you enlist to help run your business take security seriously. Data transmission must be encrypted and stored securely, and multi-factor authentication is recommended to keep end-user accounts protected. Apply the same stringent security assessment to APIs, as API security is a common attack vector.


The post Top 5 Cybersecurity Risks Facing Businesses Today appeared first on Cybersecurity Insiders.

[By Doug Dooley, COO, Data Theorem]

The rise of OpenAI and new changes with ChatGPT-4 Turbo will help to revolutionize the way financial services organizations take advantage of their data, enabling them to scale their analysis rapidly and stay agile in a fast-paced digital environment. However, the number of enterprise Application Programming Interfaces (APIs) that connect and share data with GenAI systems like OpenAI’s has also brought new risks and vulnerabilities to the forefront. With every new API integration that OpenAI gets access to, the attack surface of a financial organization grows, creating new opportunities for attackers to exploit vulnerabilities and gain access to sensitive customer and financial data.

APIs have become the backbone of modern digital ecosystems, allowing financial organizations to streamline operations, automate processes, and provide seamless user experiences. They are the data transporters for all cloud-based applications and services. APIs act as intermediaries between applications, enabling them to communicate with each other and exchange data. They also provide access to critical services and functionality in your cloud-based applications. If an attacker gains access to your APIs, they can easily bypass security measures and gain access to your cloud-based applications, which can result in data breaches, financial losses, compliance violations, and reputational damage. For hackers looking to have the best return on investment (ROI) of their time and energy for exploiting and exfiltrating data, APIs are one of the best targets available today.

It’s clear these same APIs that enable innovation, revenue, and profits also create new avenues for attackers to achieve successful data breaches for their own gains. As the number of APIs in use grows, so does the attack surface of a financial organization. According to an industry study by Enterprise Strategy Group (ESG) titled “Securing the API Attack Surface”, the majority (75%) of organizations typically change or update their APIs on a daily or weekly basis, creating a significant challenge for protecting the dynamic nature of API attack surfaces.

API security is critical because APIs are often the critical link in the security chain of modern applications. Developers often prioritize speed, features, functionality, and ease of use over security, which can leave APIs vulnerable to attacks. Additionally, cloud-native APIs are often exposed directly to the internet, making them accessible to anyone. This can make it easier for hackers to exploit vulnerabilities in your APIs and gain access to your cloud-based applications. As evidence, the same ESG study also revealed that almost all (92%) organizations have experienced at least one security incident related to insecure APIs in the past 12 months, while the majority of organizations (57%) have experienced multiple security incidents related to insecure APIs during the past year.

One of the biggest challenges for banks and other financial service organizations is protecting their APIs and proprietary data from OpenAI and other generative AI tools. With ChatGPT 4-Turbo, the technical and cost barriers for experimentation on APIs and data have substantially lowered. Further, the new support for API keys, OAuth 2.0 workflow, and Microsoft Azure Active Directory opens up enterprise data like never before. As a result, the popularity and growth of Enterprise AI assistants enabled by tools such as OpenAI’s Playground and the new “My ChatGPT” creator will invite an onslaught of new users attempting to gain greater insights on proprietary banking data. The intention for nearly all these new Enterprise AI experiments will be to help customers get better financial services and insights, but as the popularity and usage of Enterprise AI continue to surge, financial institutions will find themselves facing a unique dilemma. On one hand, the potential benefits of harnessing AI-powered tools like OpenAI’s Playground for automating tasks, enhancing customer experiences, and increasing their clients’ wealth are enticing. However, this newfound capability also opens the door to unforeseen vulnerabilities, as these AI agents access and interact with sensitive financial APIs and private data sources.

The advent of Enterprise AI assistants introduces a host of security concerns for the financial sector. One immediate concern is the potential for unintended data exposure or leakage as AI systems learn and adapt to their environment. While AI-driven tools aim to streamline processes and improve decision-making, they also have the capacity to inadvertently access or expose critical financial data, likely violating many privacy laws such as the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and California Consumer Privacy Act (CCPA) to name a few. Financial institutions must carefully monitor and regulate these interactions to prevent unauthorized access or misuse of sensitive information.

Furthermore, financial service companies must grapple with the challenge of securing their APIs against malicious actors who may exploit AI-powered systems for nefarious purposes. The integration of AI agents into financial processes creates an additional attack surface that can be targeted by cybercriminals seeking to breach systems, steal valuable data, or disrupt operations. Robust security measures and continuous monitoring are essential to mitigate these risks and safeguard against potential breaches.

As Enterprise AI assistants become increasingly prevalent within the financial services sector, institutions must strike a delicate balance between harnessing the potential of AI for innovation and ensuring the highest standards of data protection and cybersecurity. A proactive and comprehensive approach to API security, data governance, and AI-assisted decision-making is paramount to navigating these new challenges successfully while maintaining the trust of customers and regulatory bodies.

When it comes to securing APIs and reducing attack surfaces to help protect against ChatGPT-related threats, Cloud Native Application Protection Platform (CNAPP) is a newer security framework that provides security specifically for cloud-native applications by protecting them against various API attack threats. CNAPPs do three primary jobs: (1) artifact scanning in pre-production; (2) cloud configuration and posture management scanning; (3) run-time observability and dynamic analysis of applications and APIs, especially in production environments. With CNAPP scanning pre-production and production environments, an inventory list of all APIs and software assets is generated. If the dynamically generated inventory of cloud assets has APIs connected to them, ChatGPT, OpenAI, and other AI and ML libraries can be discovered. As a result, CNAPPs help to identify these potentially dangerous libraries connected to enterprise APIs and help to add layers of protection that prevent them from causing unauthorized exposure through API attack surfaces, protecting your organization’s reputation and clients’ private data and building trust with your customers.

Ultimately, the key to managing the risks posed by expanding API attack surfaces with ChatGPT is to take a proactive approach to API management and security. When it comes to cloud security, CNAPP is well suited for financial organizations with cloud-native applications, microservices, and APIs that require application-level security. API security is a must-have when building out cloud-native applications, and CNAPP offers an effective approach for protecting expanding API attack surfaces, including those caused by ChatGPT.

The post Beware of OpenAI and ChatGPT-4 Turbo in Financial Services Organizations’ Growing API Attack Surface appeared first on Cybersecurity Insiders.

[By Paul Fuegner – QuSecure]

The rapid advances we are seeing in emerging technologies like AI, ML and quantum computing will have a devastating impact on organizations that are not prepared and have not considered updating existing modes of asymmetric data encryption. As nation-states and threat actors continue to work hard to gain the upper hand and find new ways to infiltrate and steal data, it is very possible that our adversaries will gain the ability to decrypt virtually every secret possessed by the United States government and private industry that relies on asymmetric encryption. Everything from your bank accounts to the nuclear codes, and all data in between, is at risk now in this scenario known as steal now, decrypt later (SNDL), otherwise known as screwed now, destroyed later.

Many cyberattacks are already automated, yet if we add in AI’s learning potential, these attacks could be dramatically increased in size, scale and disruption. With quantum, early planning is necessary because cyber threat actors are targeting data today that will still require protection in the future – the “steal now, decrypt later” plan.

Quantum is coming at a faster pace than anyone previously contemplated. In addition, the unprecedented power of quantum computers might enable nation-states and threat actors to crack the digital encryption system upon which the modern information and communication infrastructure depends. By breaking that encryption, quantum computing could jeopardize military communications, financial transactions, the support system for the global economy and even the foundations of liberty from which our society operates.

Adding in the potential for AI to increase cyber threats exponentially, CISA, NSA, and NIST urge organizations to begin preparing now by creating quantum-readiness roadmaps, applying risk assessments and analysis, and engaging vendors to test solutions that involve crypto agility and quantum resilience leading to a zero-trust architecture.

Changes That Can Happen Right Now – Crypto Agility is a Must-Have

Crypto agility allows organizations to apply any of the NIST Post-Quantum Cryptography (PQC) candidates or their own custom-developed algorithms. Quantum-resilience providers then create a heavily encrypted trusted channel resilient to the threat of decryption by quantum computers. Any adversary will be unable to identify that PQC has been employed and will waste valuable time and compute power collecting data that they will never be able to decrypt.

Much of the cryptography that we use today was first invented in the late ’70s. Most of our society fundamentally runs on the same cryptographic schemes, albeit with increased key sizes. And while these cryptographic methods might be effective against classical computers, they simply do not stand a chance against the combined force of AI and quantum computing.

Here are some steps that you can take to bolster defenses for an AI / Quantum future:

1. Begin with a cryptographic assessment:

This will help determine which cryptographic schemes you are using, where they are located, and which ones are most vulnerable to AI and quantum attacks. It can also help in identifying any weaknesses or vulnerabilities in these algorithms or deployments, leading to the development of more secure cryptographic techniques.

2. Implement an orchestrated, cryptographic agility approach:

This means you have an effortless way to change cryptography if it is breached, or for any other reason. Orchestrated cryptographic agility, powered by AI, could have the potential to stay one step ahead of attackers by shifting algorithms and keys so hackers see no consistent patterns. Given that multiple post-quantum algorithms are being proposed and developed, AI can assist in determining which of these algorithms is best suited for a particular use case, based on factors such as security, performance and available resources.

3. Consider quantum-resilient technologies:

There are several innovative technologies to consider when aiming to ensure cyber resilience within your organization. Post-quantum cryptography (PQC), for example, uses new cryptographic algorithms that are resistant to quantum computers and may also help with AI-based attacks. You can learn more about new, approved cybersecurity standards by going to the National Institute of Standards and Technology (NIST) website.

4. Address the entire network, including servers, cloud and edge:

Think of phones, laptops, servers behind the firewall, cloud-based servers and even satellites. For rapid, scalable, advanced cryptographic deployment, look for PQC that can be deployed without installing anything on edge devices. This will make it much easier and quicker to secure your organization, as there is no change to the endpoint or user experience.

5. Use AI and ML for security:

AI or machine learning (ML) can be used to manage and dynamically update security policies based on the threat landscape. Think of active defense, active attack mitigation and more to ensure that you are set for the future.

6. Use AI for cryptanalysis:

AI can be used for cryptanalysis of post-quantum cryptographic algorithms. This can help in identifying any weaknesses or vulnerabilities in these algorithms, leading to the development of more secure cryptographic techniques.
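As an added example (not the author’s or QuSecure’s code), here is a Python sketch of the cryptographic assessment in step 1 together with the migration mapping that the agility approach in step 2 depends on: it classifies a constructed inventory by quantum exposure (Shor-breakable public-key schemes, Grover-weakened symmetric keys) and proposes a target from the NIST PQC standards. The inventory entries are constructed; the classification rules follow the well-known Shor/Grover results, not anything specific to the page.

```python
"""Cryptographic inventory assessment: quantum exposure and migration targets."""
from dataclasses import dataclass

# Public-key schemes whose security rests on factoring or discrete logarithms;
# Shor's algorithm breaks these outright on a large enough quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Symmetric ciphers: Grover's search halves the effective key length.
SYMMETRIC = {"AES", "ChaCha20"}
# Hashes and MACs: preimage resistance likewise drops to half the output size.
HASH_OR_MAC = {"SHA-256", "SHA-384", "SHA3-256", "HMAC-SHA256"}
# NIST post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "review": 3, "ok": 4}


@dataclass
class Finding:
    asset: str
    algorithm: str
    severity: str
    reason: str
    recommendation: str


def assess(entry: dict) -> Finding:
    """Classify one inventory entry: {"asset", "use", "algorithm", optional "bits"}."""
    asset, alg, use = entry["asset"], entry["algorithm"], entry["use"]
    bits = entry.get("bits", 0)
    if alg in POST_QUANTUM:
        return Finding(asset, alg, "ok", "already post-quantum",
                       "keep; confirm the parameter set matches policy")
    if alg in SHOR_VULNERABLE:
        weak = " and below 2048 bits classically" if alg in {"RSA", "DSA", "DH"} and 0 < bits < 2048 else ""
        if use in ("key exchange", "encryption"):
            # Confidentiality is the steal-now-decrypt-later case: traffic captured
            # today can be decrypted once a capable quantum computer exists.
            return Finding(asset, alg, "critical",
                           "Shor-breakable, protects confidentiality (SNDL exposure)" + weak,
                           "migrate to ML-KEM (hybrid with ECDH during transition)")
        # Signatures cannot be forged retroactively, so the deadline is the
        # arrival of a cryptographically relevant quantum computer, not today.
        return Finding(asset, alg, "high",
                       "Shor-breakable, used for authentication or signatures" + weak,
                       "migrate to ML-DSA or SLH-DSA before a CRQC exists")
    if alg in SYMMETRIC:
        if bits >= 256:
            return Finding(asset, alg, "ok",
                           "256-bit key keeps ~128-bit security under Grover", "keep")
        return Finding(asset, alg, "medium",
                       f"{bits}-bit key gives only ~{bits // 2}-bit security under Grover",
                       "move to 256-bit keys")
    if alg in HASH_OR_MAC:
        return Finding(asset, alg, "ok", "output size sufficient against Grover", "keep")
    return Finding(asset, alg, "review", "algorithm not in catalogue",
                   "inventory manually and justify or replace")


def prioritize(inventory: list[dict]) -> list[Finding]:
    """Assess every entry and order the findings by severity, then asset name."""
    findings = [assess(entry) for entry in inventory]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.asset))


# Constructed inventory; a real one would come from config, certificate and
# code scanning across endpoints, servers, cloud and edge.
INVENTORY = [
    {"asset": "vpn-gw-01", "use": "key exchange", "algorithm": "RSA", "bits": 2048},
    {"asset": "api.example.internal", "use": "TLS signature", "algorithm": "ECDSA"},
    {"asset": "backup-vault", "use": "data at rest", "algorithm": "AES", "bits": 128},
    {"asset": "archive", "use": "data at rest", "algorithm": "AES", "bits": 256},
    {"asset": "sso", "use": "token signing", "algorithm": "HMAC-SHA256"},
    {"asset": "legacy-mq", "use": "key exchange", "algorithm": "DH", "bits": 1024},
    {"asset": "pqc-pilot", "use": "key exchange", "algorithm": "ML-KEM", "bits": 768},
    {"asset": "cms", "use": "document signing", "algorithm": "Custom-MAC"},
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{f.severity:8} {f.asset:22} {f.algorithm:12} {f.reason} -> {f.recommendation}")
```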

It is important to know that new quantum-safe encryption methods can be deployed now. The challenge is to make them work with existing encryption algorithms. Through crypto-agility, advanced quantum-secure encryption solutions can map the network and identify which encryption algorithms and protocols are being employed for security between endpoints and servers. These solutions can deploy a proxy that can “speak” each protocol used between clients and encapsulate the data being sent with post-quantum resilient encryption.

The days of relying on outdated encryption algorithms are gone. Don’t let the fear of quantum computing hold you back from achieving digital transformation and quantum safety today. The time is now to understand AI and quantum threats and work to ensure your data and networks are resilient against powerful unexpected adversarial threats. Too much is at stake to find yourself screwed now and destroyed later.

The post It’s time to bolster defenses for an AI / Quantum Future appeared first on Cybersecurity Insiders.