With budgets tightening across the board and competition for a limited pool of IT and security talent growing fiercer, cyber as a service providers have become an optimal solution for many companies. Knowing they can count on their partners to focus on specific vectors, internal security teams can concentrate on their core missions. This could be high priority or critical items within security or something totally outside of security. The flexibility of Cyber Security as a Service (CSaaS) allows the services utilized to change over time and be periodically realigned to ensure the customer’s business needs are being met.

The future is here and now, with digital transformation driving organizations rapidly. Today the role of a Chief Information Security Officer (CISO) has become transformational: the CISO leads cross-functional teams to match the speed and boldness of digital transformations with agile, forward-thinking security and privacy strategies, investments, and plans. These operational leaders and master tacticians are tech-savvy and business-savvy CISOs who can deliver consistent system performance, with security and privacy throughout the organization and its ecosystem, amid constant and changing threats.

Skills gap and the burnout of security teams

The cyber security talent shortage impacts a growing number of organizations, including an increasing workload for the existing cyber security team, unfilled open job requisitions, and high burnout among staff. Only pandemic-related issues outrank talent shortages as the most significant worry companies face. With the never-ending surge of cyber-attacks and potential threats in this digital era, enterprises have started identifying the significance of a robust cybersecurity plan to protect themselves.

While many companies enjoy the privilege of a dedicated in-house cybersecurity lead, namely a CISO, the position is in most cases too expensive for small and medium-sized enterprises (SMEs). On the other hand, the ongoing pandemic has induced a total shift in working patterns and data-sharing mediums.

The change has forced enterprises to understand the importance of complete cybersecurity protection to tackle incoming threats. While a full-time CISO position might not be feasible for SMEs on affordability grounds, virtual CISO (vCISO) services offer a more flexible and affordable model.

CISO and security strategy: an essential must-have

It’s a critical juncture for cybersecurity and CISOs. A business-driven cyber strategy is the essential first step for business and security leaders amid sweeping, rapid business digitization. This reset defines the expanding role of the CISO. It affects how the organization sets cyber budgets, invests in security solutions, plans for resilience, and enhances its security. It determines whether CISOs may grow to become stewards of digital trust and securely lead their organizations into the new era with strategies to protect and create business value.

Time for a flexible delivery model

CISOaaS is a flexible CISO service that gives you the ability to flex your resourcing with your security needs without employing more staff. Form a strategy, embed best practices, and validate IT project architectural designs.

Contrary to a traditional CISO role, CISOaaS is based on a multidisciplinary team of experienced cybersecurity professionals. Required experience includes regulatory compliance and consulting on identity & access management, security testing, network & physical security, risk management, data protection, disaster recovery/business continuity, delivering customized services based on your needs, and achieving significant cost reduction. The caliber of security professionals required to mitigate the myriad of potential cyber threats and ever-growing legislative compliance requirements can often be beyond the reach of many businesses.

CISO as a service

CISO as a Service brings affordability and flexibility to this critically strategic role.

Where to get started in 2022 with a vCISOaaS

  • Start by analyzing and building inventories of the systems in your organization and understanding your business objectives.
  • Develop a comprehensive and practical security program that fits the needs of the business and strengthens the immune system of the company’s information security posture, focusing on an integrated risk view rather than on simply acquiring more tools.
  • A vCISO team can function as an extension of your team and deliver expert security strategy, leadership, and support.
  • Putting an effective cybersecurity strategy in place can seem overwhelming because of tight budgets and the question of how to prioritize efforts when investing in a cyber risk management solution.

Milestones to achieve

  1. Establish Your Security Program

Learn the environment and understand the business goals so that the security program is aligned to the business.

  2. Prioritize and categorize the security needs

The unique design of the security program will provide strategic direction to help you achieve your business goals. Determine and prioritize security initiatives to reduce risk quickly, economically, and efficiently.

  3. Security Improvements for Risk Mitigation

Learn and understand the risk posture of the business, then create a complete risk treatment plan to reach the accepted level of risk.

A lasting trend

The ongoing pandemic has brought many twists and turns to our working style, model, and pattern. Change is inevitable, and at the same time organizations need to ensure compliance with, and protection of, their security standards and policies.

The vCISO service can provide an expert solution with an affordable and reliable model for enterprises, ensuring security. Large enterprises benefit from expert advisory, strategic guidance, and much-needed continuity. On the other hand, small-scale companies could use vCISO as a service that helps to manage security standards, compliances, management of staff, and the deployment of a security roadmap. The flexibility and cost-effectiveness of the vCISOaaS is a stand-out feature that makes it the right choice for many.

The post A lasting trend: As a Service appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Credential stuffing attacks essentially doubled in number between 2020 and 2021. As reported by Help Net Security, researchers detected 2,831,028,247 credential stuffing attacks between October 2020 and September 2021—growth of 98% over the previous year. Of the sectors that did experience credential stuffing during that period, gaming, digital and social media, as well as financial services experienced the greatest volume of attacks. What’s more, the United Kingdom was one of the top three regions that launched the most credential stuffing attacks in the world, followed by Asia and North America.

Looking towards the rest of 2022, the security community expects the volume of credential stuffing attacks to grow even further. “Expect to see credential stuffing attacks double in number again in 2022,” noted Forbes.

Why is credential stuffing a concern for organizations?

First, the role of automation in credential stuffing makes it possible for anyone—even attackers with low levels of expertise—to perpetrate these attacks. A low barrier of entry helps to explain why credential stuffing is so pervasive and why it’s expected to continue in this way for 2022.

Let’s examine the flow of credential stuffing to illustrate this fact. According to the Open Web Application Security Project (OWASP), a credential stuffing attack begins when a malicious actor acquires compromised usernames and passwords from password dumps, data breaches, phishing campaigns, and other means. They then use automated tools to test those credentials across multiple websites including banks and social media platforms. If they succeed in authenticating themselves with a credential set, they can then conduct a password reuse attack, harvest the compromised account’s information/funds, and/or monetize it on the dark web.

Which brings us to our second reason why credential stuffing is so concerning: the impact of a successful attack can be far-reaching. The consequences of a successful credential stuffing attack are tantamount to a data breach, so organizations can bet that all data privacy regulations will be enforced.

Meaning? Organizations could incur fines totaling millions of dollars in the aftermath of credential stuffing, per Cybersecurity Dive. Those penalties don’t include the costs that organizations will need to pay to understand the impact of the attack, figure out which data the malicious actors might have compromised, and remediate the incident. They also don’t cover the brand damage and legal fees that organizations could face after notifying their customers.

Credential stuffing defense best practices

To avoid the costs discussed above, organizations need to take action to defend themselves against a credential stuffing attack. Here are seven ways that they can do this.

1. Make credential stuffing defense an ongoing collaborative discussion

Organizations can’t tackle credential stuffing if there’s not even a discussion about the threat. Acknowledging this reality, TechRepublic recommends that organizations bring their security, fraud, and digital teams together to discuss credential stuffing, among other fraud trends, along with ways that they can use digital metrics to coordinate their defense efforts.

2. Implement multi-factor authentication

Credential stuffing hinges on the fact that malicious actors can translate access to a credential set into access to an account. Multi-factor authentication (MFA) denies this pivot point, as it forces attackers to also provide another factor such as an SMS-based text code or a fingerprint for authentication. This raises the barrier of taking over an account by forcing malicious actors to compromise those additional authentication factors in addition to the original credential set.

3. Use security awareness to familiarize employees with password best practices

Organizations can go a long way towards blocking a credential stuffing attack by cultivating their employees’ levels of security awareness. For instance, they can educate their employees on how malicious actors can leverage password reuse as part of a credential stuffing campaign. Per How-To Geek, organizations can also provide employees with a password manager for storing credentials that they’ve created in accordance with company password policies.

4. Analyze and baseline traffic for signs of credential stuffing

Infosecurity Magazine recommends that organizations create a baseline for their traffic including account activity. They can then use that baseline to monitor for anomalies such as a spike in failed login attempts and unusual account access requests.
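The baseline-then-anomaly approach above, as an added example that is not code from the original post. It establishes a failed-login baseline from the first few windows of a constructed authentication log, then flags a window whose failure count is abnormal and, separately, a single source address that fails against many distinct accounts (the shape credential stuffing takes, since each stolen pair is tried roughly once). The log format, window size, thresholds and sample lines are all assumptions chosen for illustration.

```python
"""Baseline normal login-failure volume, then flag windows that look like
credential stuffing. Added example, not code from the original post. The log
format, the 15-minute window, the thresholds and the sample lines are all
constructed assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample auth log: "<ISO time> <OK|FAIL> user=<name> ip=<addr>".
# Four quiet quarter-hours, then one burst from a single IP against many
# accounts, then a quiet window again.
SAMPLE_LOG = """\
2022-03-01T09:00:05 FAIL user=alice ip=203.0.113.5
2022-03-01T09:00:40 OK user=alice ip=203.0.113.5
2022-03-01T09:16:12 FAIL user=bob ip=198.51.100.7
2022-03-01T09:31:00 OK user=carol ip=198.51.100.9
2022-03-01T09:33:00 FAIL user=carol ip=198.51.100.9
2022-03-01T09:46:00 FAIL user=dave ip=203.0.113.8
2022-03-01T10:00:01 FAIL user=alice ip=192.0.2.10
2022-03-01T10:00:02 FAIL user=bob ip=192.0.2.10
2022-03-01T10:00:02 FAIL user=carol ip=192.0.2.10
2022-03-01T10:00:03 FAIL user=dave ip=192.0.2.10
2022-03-01T10:00:03 FAIL user=erin ip=192.0.2.10
2022-03-01T10:00:04 FAIL user=frank ip=192.0.2.10
2022-03-01T10:00:05 OK user=erin ip=192.0.2.10
2022-03-01T10:20:00 FAIL user=grace ip=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) ip=(\S+)$")
EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Return (timestamp, failed, user, ip) tuples; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result == "FAIL", user, ip))
    return events


def window_start(ts, window):
    """Align a timestamp to the start of its fixed window (timezone-free arithmetic)."""
    return EPOCH + ((ts - EPOCH) // window) * window


def detect(events, window=timedelta(minutes=15), baseline_windows=4,
           min_failures=5, z=3.0, spray_accounts=3):
    by_win = defaultdict(list)
    for ev in events:
        by_win[window_start(ev[0], window)].append(ev)
    keys = sorted(by_win)
    failures = {k: sum(1 for ev in by_win[k] if ev[1]) for k in keys}

    # Baseline = the first few windows; the threshold is mean + z*stddev, but
    # never below a floor so a quiet baseline does not alert on ordinary typos.
    base = [failures[k] for k in keys[:baseline_windows]]
    if not base:
        return []
    threshold = max(float(min_failures), mean(base) + z * pstdev(base))

    findings = []
    for k in keys[baseline_windows:]:
        if failures[k] > threshold:
            findings.append({"type": "failed_login_spike", "window": k.isoformat(),
                             "failures": failures[k], "threshold": threshold})
        # Stuffing signature: one source IP, many distinct accounts, mostly failures.
        accounts, successes = defaultdict(set), defaultdict(int)
        for _, failed, user, ip in by_win[k]:
            if failed:
                accounts[ip].add(user)
            else:
                successes[ip] += 1
        for ip, users in accounts.items():
            if len(users) >= spray_accounts:
                findings.append({"type": "many_accounts_one_ip", "window": k.isoformat(),
                                 "ip": ip, "accounts": len(users),
                                 "successes": successes[ip]})
    return findings


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The `successes` count on the per-IP finding is the part worth acting on: a source that fails against many accounts and then succeeds against one has most likely found a reused credential, and that account is the one to lock and notify first.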

5. Prevent users from securing their accounts with exposed passwords

The last thing security teams want is for their employees to use a password that’s been exposed in a previous security incident. Malicious actors use data breaches, information dumps, and other leaks to power automated tools used in credential stuffing, after all. Acknowledging this point, infosec personnel need to monitor the web for data breaches, information dumps, and other leaks that malicious actors could use to engage in credential stuffing. They can actively monitor the news for these types of incidents. They can also rely on receiving alerts from data breach tracking services such as Have I Been Pwned (HIBP).
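One way to enforce this at password-creation time, as an added example that is not code from the original post: compare the new password against breach data using the k-anonymity range protocol that the Have I Been Pwned Pwned Passwords service exposes, so that only the first five characters of the SHA-1 hash ever leave the client. The breach corpus and its counts below are constructed, and `local_range_lookup` stands in for the network call so the example runs offline.

```python
"""Reject passwords that appear in breach data without sending the password
(or its full hash) anywhere: the k-anonymity range check used by Have I Been
Pwned's Pwned Passwords service. Added example, not code from the original
post. The leaked-password corpus and counts below are constructed; the
lookup function stands in for the network call."""
import hashlib
from collections import defaultdict

# Constructed stand-in for breach data: plaintext -> how often it was seen.
LEAKED_CORPUS = {
    "password": 3730471,
    "123456": 23597311,
    "qwerty": 3946737,
    "letmein": 181000,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side of the protocol: bucket hashes by their first five hex chars."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(LEAKED_CORPUS)


def local_range_lookup(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>: returns
    'SUFFIX:COUNT' lines for every known hash sharing the prefix. A real
    deployment swaps this for an HTTPS call; the client logic is unchanged."""
    rows = sorted(RANGE_INDEX.get(prefix.upper(), []))
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def exposure_count(password, lookup=local_range_lookup):
    """Only a 5-char hash prefix leaves the client; the match is done locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def check_new_password(password, min_length=12, lookup=local_range_lookup):
    """Policy gate for password creation or reset; returns reasons to reject."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    seen = exposure_count(password, lookup)
    if seen:
        problems.append(f"found {seen} times in breach data")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "correct-horse-battery-staple-2022"):
        print(candidate, "->", check_new_password(candidate) or "accepted")
```

Because the range response covers every hash sharing the prefix, the service learns nothing about which suffix the client was interested in; the same structure works against an internal copy of breach data if the organization prefers not to query an external service at all.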

6. Implement device fingerprinting

Infosec teams can use operating system, web browser version, language settings, and other attributes to fingerprint an employee’s device. They can then leverage that fingerprint to monitor for suspicious activity such as a user attempting to authenticate themselves with the device in a different country, noted Security Boulevard. If a circumstance like that arises, security teams can then prompt employees to submit additional authentication factors to confirm that someone hasn’t taken over their account.
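The fingerprint-and-step-up flow described above, as an added example that is not code from the original post. It hashes a fixed set of device attributes, keeps a per-user registry of enrolled fingerprints and the country each was last seen from, and returns a step-up decision for an unrecognised device or a country change. The attribute set, the country input (assumed to come from IP geolocation) and the in-memory registry are assumptions.

```python
"""Device fingerprinting with step-up authentication on an unknown device or
a country change. Added example, not code from the original post. The
attribute set, the country input (assumed to come from IP geolocation) and
the in-memory registry are constructed assumptions."""
import hashlib
import json
from collections import defaultdict

# Attributes collected at login; anything not listed is ignored so a stray
# header cannot change the fingerprint.
FINGERPRINT_FIELDS = ("os", "browser", "language", "screen")


def fingerprint(attrs):
    """Stable hash of the chosen attributes (canonical JSON, sorted keys)."""
    canon = json.dumps({f: attrs.get(f, "") for f in FINGERPRINT_FIELDS}, sort_keys=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class DeviceRegistry:
    """Per-user map of enrolled fingerprints to the country last seen for each."""

    def __init__(self):
        self.enrolled = defaultdict(dict)

    def evaluate(self, user, attrs, country):
        """Return ('allow' | 'step_up', reason, fingerprint) for a login attempt
        whose password has already been verified."""
        fp = fingerprint(attrs)
        known = self.enrolled[user]
        if fp not in known:
            return "step_up", "unrecognised device", fp
        if known[fp] != country:
            return "step_up", f"known device, new country {country}", fp
        return "allow", "known device and country", fp

    def enroll(self, user, fp, country):
        """Called only after the second factor succeeds."""
        self.enrolled[user][fp] = country


def demo():
    """Walk one user through enrolment, a normal login, a country change and a new device."""
    reg = DeviceRegistry()
    laptop = {"os": "Windows 10", "browser": "Firefox 97",
              "language": "en-GB", "screen": "1920x1080"}
    decisions = []
    decision, _, fp = reg.evaluate("alice", laptop, "GB")
    decisions.append(decision)               # first sighting: step up
    reg.enroll("alice", fp, "GB")            # second factor passed
    decisions.append(reg.evaluate("alice", laptop, "GB")[0])   # routine login
    decisions.append(reg.evaluate("alice", laptop, "US")[0])   # same device, new country
    other = dict(laptop, browser="Chrome 99")
    decisions.append(reg.evaluate("alice", other, "GB")[0])    # different device
    return decisions


if __name__ == "__main__":
    print(demo())
```

The registry is only updated after the second factor succeeds, so an attacker holding a valid password but no second factor cannot enroll a device of their own; a real deployment would also expire entries and let the user review and revoke enrolled devices.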

7. Avoid using email addresses as user IDs

Password reuse isn’t the only factor that increases the risk of a credential stuffing attack. So too does the reuse of usernames and/or account IDs. Salt Security agrees with this statement.

“Credential stuffing relies on users leveraging the same usernames or account IDs across services,” it noted in a blog post. “The risk runs higher when the ID is an email address since it is easily obtained or guessed by attackers.”

Subsequently, organizations should consider using unique usernames that malicious actors can’t use for their authentication attempts across multiple web services.

Beating credential stuffing with the basics

Credential stuffing is one of the most prevalent forms of attack today. This popularity is possible because of how simple it is for malicious actors to obtain exposed sets of credentials on the web. However, as discussed above, it’s also simple for organizations to defend themselves against credential stuffing. They can do so in large part by focusing on the basics such as implementing MFA, awareness training, and baselining their traffic.

The post 7 ways to defend against a credential stuffing attack appeared first on Cybersecurity Insiders.

10 Ways organizations make attacks easy

What do cybercriminals love? (Mostly themselves, but that is beside the point.) They love organizations that have unmitigated risks in their web applications and application program interfaces (APIs). With the entire world connected via the internet, the easiest and quickest way for threat actors to infiltrate your systems or steal customer data is through web applications. Basically, everything from the code used to build the application or the API used to connect things to configurations and authentications are fair game.

The top 10 web application security risks cybercriminals love

The areas most often targeted for attack can vary and may change frequently as cybercriminals invent newer and more stealthy ways to worm their way into systems. According to the OWASP, the 2021 Top 10 Web Application Security Risks are:

  1. Broken Access Control
  2. Cryptographic Failures (Sensitive Data Exposure)
  3. Injections (including Cross-site Scripting)
  4. Insecure Design
  5. Security Misconfigurations
  6. Vulnerabilities and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-side Request Forgeries

Most common attack types

Based on the risks listed above, criminals are most likely to employ the following attack types in their bid to infiltrate systems or steal sensitive customer credentials:

Client-side attacks (data breaches and credential compromise)

Client-side attacks include formjacking, credit card skimming, and Magecart attacks. Cybercriminals use client-side attacks to steal information directly from customers or other website users as they input information into websites. Stolen data includes credit card information and personally identifiable information (PII).

Supply chain attacks (JavaScript and software)

According to recent research, supply chain attacks surged by more than 650% over the last year. Threat actors are leveraging existing vulnerabilities in open-source and third-party code or injecting their own malicious scripts into software and JavaScript code to conduct hostile attacks against organizations and industries connected via the supply chain.

Vulnerable application attacks (Unpatched bugs/vulnerabilities and legacy applications)

New bugs and vulnerabilities are discovered on a daily basis and cybercriminals love to exploit them. Equally, criminals are attracted to legacy applications that may contain unpatchable vulnerabilities. Sometimes attackers discover the vulnerabilities before security researchers, and these ‘zero days’ enable application and system compromise often without the organization even knowing it had been attacked. Common attack types that target vulnerabilities include cross-site scripting, injections (JavaScript, SQL, CSS, and HTML).

Automated attacks (Bots and DDoS)

Threat actors use automated techniques, such as botnets and distributed denial of service (DDoS), for attacks that include credential stuffing, content scraping, ticket/product scalping, gift card abuse, and business interruption.

Protect your organization from the risks and attacks that cybercriminals love

There are purpose-built solutions that safeguard organizations, consumers, and internet users from the very things that criminals love to use to their advantage. Two tools that are a part of AT&T Managed Vulnerability Program from Feroot provide client-side application security solutions. These tools are:

Feroot Security PageGuard—Based on the Zero Trust model, PageGuard runs continuously in the background to automatically detect the types of unauthorized scripts and anomalous code behavior found in client-side, application, supply chain and automated attack types. If threats are detected, PageGuard blocks all unauthorized and unwanted behavior in real-time across the organization. PageGuard also automatically applies security configurations and permissions for continuous monitoring of and protection from malicious client-side activities and third-party scripts.

Feroot Security Inspector—In just seconds, Inspector automatically discovers all web assets a company utilizes and reports on their data access. Inspector finds all security vulnerabilities on the client-side and provides specific client-side threat remediation advice to application developers and security teams in real-time.

Next steps

Modern web applications are useful, but they can carry potentially dangerous vulnerabilities and bugs. Protect your customers and your websites and applications from client-side security threats, like Magecart and script attacks, with security tools like Feroot’s Inspector and PageGuard. These services, offered by AT&T’s Managed Vulnerability Program (MVP), allow the MVP team to inspect and monitor customer web applications for malicious JavaScript code that could jeopardize customer and organization security.

The post 10 Things cybercriminals love about you appeared first on Cybersecurity Insiders.

Will Eborall, Asst VP, AT&T Cybersecurity and Edge Solutions Product Management, co-authored this blog.

The AT&T Cybersecurity team’s unwavering focus on managing risk while maximizing customer experience earns high marks from security experts and customers alike. The team garnered some well-earned official recognition of the quality of flexible services they run with the announcement that AT&T won the highest distinction Gold Award in four different service categories of the 2022 Cybersecurity Excellence Awards.

The highly competitive Cybersecurity Excellence Awards is an annual competition run by Cybersecurity Insiders that honors individuals and companies that demonstrate excellence, innovation, and leadership in information security. AT&T Cybersecurity was recognized as the top solution in the following categories:

  • Managed Security Services
  • Managed Detection and Response (MDR)
  • Endpoint Detection and Response
  • Secure Access Service Edge (SASE)

With over 900 entries across the range of Cybersecurity Excellence Awards categories, the competition award selection consisted of a two-part process. Finalists for each category were selected from the broader pool of nominations based on popular votes and comments received from the cybersecurity community, as well as the strength of the written nomination. Once finalists were winnowed down, Cybersecurity Insiders’ award judges took a closer look at the finalist nominations’ demonstrated explanations and examples of the leadership, excellence and results in cybersecurity afforded by the service to determine winners.

Judges awarded each of the following four services the highest Gold Award for some of the reasons described below:

AT&T Managed Security Services picked up a gold award for Managed Security Services. Some of the considerations looked at by the judges included:

  • As one of the largest MSSPs in the world, AT&T Cybersecurity fosters strong relationships with leading security technology providers while incubating emerging innovators to provide best-in-class services 
  • AT&T Managed Security Services delivers services through eight global SOCs
  • AT&T Cybersecurity delivers accountability with thorough communication and comprehensive reporting to clients along with coordinated responses with defined service level agreements on change requests.
  • During the pandemic, AT&T Cybersecurity has helped customers persevere through the various disruptions caused by COVID-19 with its managed security services.
  • AT&T Cybersecurity supported customers of its AT&T DDoS Defense service as well as non-subscribing customers with emergency mitigation services.

AT&T Managed Threat Detection and Response won a gold award for Managed Detection and Response (MDR). The judges picked this service based on factors that included:

  • AT&T Managed Threat Detection and Response combines technology, intelligence, and 24×7 expertise in a service that can be deployed faster and has a starting price that’s less than the cost to hire a single security analyst.
  • AT&T’s MDR service is priced by the total number of events that are analyzed, so customers don’t have to worry about limitations by assets, environments, or number of employees in their organization.
  • AT&T Managed Threat Detection and Response is delivered through a unified platform that offers threat intelligence updates from AT&T Alien Labs, native cloud monitoring capabilities for IaaS and SaaS environments, service transparency into SOC operations, and built-in orchestration and automation through a single pane of glass.
  • NHS Management, a leader in providing consulting and administrative services to individual healthcare facilities and companies gained visibility into emerging threats it didn’t have before through AT&T’s MDR service.

AT&T Managed Endpoint Security earned a gold award for Endpoint Detection and Response. The following were a few of the points that swayed judges in this category:

  • AT&T Managed Endpoint Security offers users top-tier security features that include tamper protection and patented AI algorithms that live on devices, automatic mapping and tracking of all endpoint activity, and IoT discovery and control.
  • The service offers platform integrations with AT&T Alien Labs Threat Intelligence and AT&T Alien Labs Open Threat Exchange (OTX) for better context about the endpoint threat environment.
  • Through the AT&T Managed Endpoint Security alliance with SentinelOne, customers receive 24×7 threat monitoring and management by AT&T Security Operations Center (SOC) analysts for greater network visibility and faster endpoint threat detection.
  • AT&T Managed Endpoint Security provides comprehensive endpoint protection against ransomware and other cyberattacks through a unique rollback to safe state feature while also detecting highly advanced threats within an enterprise network or cloud environment.

AT&T SASE won a gold award for Secure Access Service Edge. The judges considered a number of factors, including:

  • AT&T was the first provider to offer a global managed SASE solution at scale, and most recently, AT&T expanded its SASE portfolio to include a new offering, AT&T SASE with Cisco.
  • With AT&T SASE’s combined networking and security technology and service expertise, the solutions offer a future-ready, unified solution through a single provider.
  • With AT&T SASE, businesses can control access for any device, connecting from any network. This enables the dynamic needs of today’s distributed workforce to deliver security-driven networking at every edge.

Winning even one cybersecurity solution award is a great distinction, but when a company is able to deliver four different award-winning offerings, we believe that’s a testament to its ability to put together an expert team that listens to the needs of its customers. AT&T Cybersecurity is proud of its results in the Cybersecurity Excellence Awards, as everyone here believes that they stand as a testament to the networking and security expertise that our customers have come to count on.  Our crack team of security analysts is constantly researching the threat environment to continually defend customer environments. To learn more about some of the trends in the past year that they’ve helped organizations contend with, check out the 2022 AT&T Cybersecurity Insights Report.

The post AT&T Cybersecurity earns four Cybersecurity Excellence Awards appeared first on Cybersecurity Insiders.

Data breaches are still on the rise in healthcare

There were 686 healthcare data breaches of 500 or more records in 2021, resulting in 45M exposed or stolen healthcare records. 2022 is off to a poor start with over 3.7M healthcare records compromised as of 3/2/2022.[1]

Healthcare organizations face a landscape that is increasingly riddled with complexities, threats, and a multitude of attack vectors. The pandemic took a toll on hospitals, and ransomware attacks increased significantly. Nevertheless, healthcare organizations must continue to provide patient care through various avenues that necessitate emerging and advanced digital solutions, like edge computing. With that comes cybersecurity risk. This can be challenging for even the most mature organizations, but there are many healthcare organizations that are still lagging behind and do not have the fundamentals of cybersecurity in place.

Cybersecurity frameworks for the healthcare industry

Frameworks are becoming increasingly more important to build that foundation, to measure improvements, and to drive results.  Frameworks allow for a defensible and rational approach to managing your cybersecurity risks and complying with regulatory requirements.    Many regulations purposely strike a balance between specificity and flexibility to allow organizations latitude in applying the requirements based upon their size, complexity, and risk assessment. 

Established frameworks are adopted across industries, some are industry-specific, but all continue to evolve as cybersecurity risks evolve.  Most recently we have seen the newly updated ISO 27002 standard published last month, the DoD has come out with CMMC 2.0 (NIST 800-171r2), and the National Institute of Standards and Technology (NIST) regularly publishes new and updated standards. 

The need for a vertical-specific framework

Adoption of a particular framework can vary from industry to industry.  One such framework is the HITRUST CSF that has been heavily adopted in the healthcare industry.  The HITRUST CSF was established to provide prescription and consistency in the application of security and privacy controls for healthcare organizations. It provides for the protection of health data by creating a single framework that harmonizes various, related compliance requirements and industry standards.  While HITRUST is no longer focused on only the healthcare industry, the adoption of the HITRUST CSF can help organizations in healthcare lay the foundation and continuously improve their cybersecurity posture and address existing and emerging threats. 

The HITRUST CSF is valuable to healthcare organizations for the reasons mentioned above: it provides a defensible approach to compliance with HIPAA, it is prescriptive in control implementation, and it is continually updated based upon the threats and risks the healthcare industry faces. The healthcare industry has to demonstrate cybersecurity risk management not only to regulators but to business partners and clients as well. HITRUST offers certification for this purpose.

HITRUST has added two new assessments to provide organizations options. The assessment formerly known as the HITRUST CSF Validated Assessment could be daunting for some organizations to take on.  Given this, HITRUST published in early 2022 what is called the Implemented, 1-Year (i1) Assessment.   This assessment allows organizations to take a streamlined and a crawl, walk, run approach to assurance and certification. 

The i1 Assessment is based upon a static set of 219 controls with substantial coverage for NIST SP 171 revision 2, The HIPAA Security Rule, and the AICPA Availability Trust Services Principle, evaluating the maturity of control implementation.  This is an attractive assessment for organizations that need to demonstrate a moderate level of assurance and are willing to go through the assessment and certification process on an annual basis.  It is also a good stepping stone to higher levels of assurance.   

This does not replace the former HITRUST CSF Validated Assessment, which is now called the Risk-Based, 2 Year (r2) Assessment.  The r2 Assessment’s requirements are risk-based, where the number of controls are dependent on scoping factors and will vary from organization to organization.  The evaluation of the controls is very rigorous, analyzes policy, process, implemented, measured, and managed maturity, and demonstrates high assurance. 

Also new in 2022 is the Basic, Current-state (“bC”) Assessment, which is a self-assessment focused on  good security hygiene controls and is suitable for quick and low assurance requirements.  There is coverage for NISTIR 7621: Small Business Information Security Fundamentals. 

The bC, i1, and r2 provide various assurance options to meet organizational, partner, and client needs, and continue to reduce the effort of responding to third-party requests to demonstrate a sound security posture.

Balancing risk against the transformation of patient-care delivery necessitates adopting a framework that is sustainable and continually updated, especially as healthcare organizations invest in cybersecurity strategies like securing the edge.

[1] U.S Department of Health and Human Services Office of Civil Rights Breach Portal:  Notice to the Secretary of HHS Breach of Unsecured Protected Health Information

The post Healthcare focus:  Need for resilience appeared first on Cybersecurity Insiders.

In the previous article about the coding process, we covered developers using secure coding practices and how to secure the central code repository that represents the single source of truth. After coding is complete, developers move to the build and test processes of the Continuous Integration (CI) phase. These processes use automation to compile code and test it for errors, vulnerabilities, license conformity, unexpected behavior, and of course bugs in the application.

The focus of DevSecOps is to help developers follow secure-coding best practices and open-source licensing policy that were identified in the planning process. In addition, DevSecOps helps testers by providing automated scanning and testing capabilities within the build pipeline.

What is in a build pipeline?

Build pipelines run on highly customizable platforms like Microsoft Azure DevOps, Jenkins, and Gitlab. The build pipeline pulls source code from a repository and packages the software into an artifact. The artifact is then stored in a different repository (called a registry) where it can be retrieved by the release pipeline. Jobs in the build pipeline perform the step-by-step tasks to create an application build. The jobs can be grouped into stages and run sequentially every time the build process is run. Jobs need a build server, or pools of build servers to run the pipeline and return a built application for testing.

Pipeline DevSecOps

DevSecOps partners with developers by inserting additional source code scanning tools as jobs into the build pipeline. The tools used depend on what is being built and is usually determined through DevSecOps collaboration with the development team to understand the architecture and design of the code. For most projects, DevSecOps should implement at a minimum, the scanning tools that look for vulnerabilities, poor coding practices and license violations.

Source code scanners

Pipelines allow automated application security (AppSec) scans to be run every time a new build is created. This capability allows DevSecOps to integrate static analysis (lint) tools like source code scanners that can run early in the software development lifecycle. Security scanners come in two forms: static application security testing (SAST) and dynamic application security testing (DAST).

SAST is run early in the development lifecycle because it scans source code before it is compiled. DAST runs after the development cycle and is focused on finding the same types of vulnerabilities hackers look for while the application is running.

SAST can look for supply chain attacks, source code errors, vulnerabilities, poor coding practices, and free open-source software (FOSS) license violations. SAST speeds up code reviews and delivers valuable information early in the project so developers can incorporate better secure coding practices. Picking the right SAST tool is important because different tools support different programming languages. By automating scanning and providing feedback early in the development process, DevSecOps empowers developers to be proactive in making security-related code changes before the code becomes an application.

Container image scanners

Application builds that create containers for microservices (for example, Docker containers) are stored in a registry as an image artifact. These images contain the application code along with the additional software packages and dependencies needed to run the application. Sometimes the images are built by the developers, and other times they are pulled from a public repository like GitHub.

Where source code scanners review the source code, image scanners review the built application together with its packages and dependencies. Image scanners look for container vulnerabilities and for signs of exploitation such as supply chain attacks and cryptojacking software.

Image scanners should be run during the build process so that vulnerabilities are identified and remediated by the development team quickly. Keeping an image small (fewest needed packages and dependencies) is a great (and easy) way for developers to reduce the attack surface of the image and speed up security scanning and remediating vulnerabilities.

In addition to image scanning, DevSecOps recommends the following criteria to protect the application. Images should be configured so that the container does not run on the host system as the administrative (root) account. This protects the host from privilege escalation if the application is compromised.

Images should be signed by a trusted certificate authority so that they carry a trusted signature that can be verified when the image is deployed to an environment. Images should be stored in a dedicated image repository so that all internal microservices platforms (Docker and Kubernetes) pull only “approved” images.
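As an added example (not code from the original post or from any particular product), here is a Python build-pipeline gate that applies the minimum criteria above: it fails the build on SAST findings at or above a severity threshold, on dependencies whose license is outside an allow list, and on a Dockerfile whose base image is not from an approved registry or whose final stage still runs as root. The report format, policy values, registry name and sample inputs are all constructed assumptions.

```python
"""Pipeline security gate (added example; not code from the original post).
Stands in for the scanning jobs described above: from SAST findings, the
dependency license list and the Dockerfile of the image being built it decides
whether the build may continue. Formats and policy values are hypothetical;
the inputs at the bottom are constructed samples."""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
POLICY = {  # hypothetical policy from the planning phase (placeholder values)
    "fail_at_severity": "high",
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "approved_registries": {"registry.example.internal"},
}

@dataclass
class GateResult:
    passed: bool
    reasons: list = field(default_factory=list)

def check_sast(findings, policy):
    """One reason per finding at or above the policy's severity threshold."""
    threshold = SEVERITY_RANK[policy["fail_at_severity"]]
    return [f"SAST {f['severity']}: {f['rule']} at {f['file']}:{f['line']}"
            for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]

def check_licenses(deps, policy):
    """One reason per dependency whose license is not on the allow list."""
    return [f"license violation: {d['name']} is {d['license']}"
            for d in deps if d["license"] not in policy["allowed_licenses"]]

def registry_of(image):
    """Docker's rule: the first path component is a registry only if it looks
    like a host ('.' or ':' in it, or 'localhost'); otherwise it is Docker Hub."""
    first = image.split("/")[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def check_dockerfile(dockerfile, policy):
    """Every FROM must use an approved registry and the final stage must end with
    a non-root USER. Simplification: a base image that already switches to a
    non-root user is not detected, so an explicit USER is required."""
    reasons, last_user = [], None
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        if instr.upper() == "FROM":
            image = arg.split()[0]            # drop any "AS <stage>" suffix
            if registry_of(image) not in policy["approved_registries"]:
                reasons.append(f"base image {image} is not from an approved registry")
            last_user = None                  # each stage starts over as root
        elif instr.upper() == "USER":
            last_user = arg.strip().split(":")[0]
    if last_user in (None, "root", "0"):
        reasons.append("container runs as root: add a non-root USER instruction")
    return reasons

def evaluate_build(findings, deps, dockerfile, policy=POLICY):
    """Run all checks; an empty reason list means the build may continue."""
    reasons = (check_sast(findings, policy) + check_licenses(deps, policy)
               + check_dockerfile(dockerfile, policy))
    return GateResult(passed=not reasons, reasons=reasons)

# Constructed sample inputs (not real scanner output).
SAST_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
    {"rule": "unused-import", "severity": "low", "file": "app/util.py", "line": 3},
]
DEPENDENCIES = [
    {"name": "http-client-lib", "license": "Apache-2.0"},
    {"name": "chart-widget", "license": "GPL-3.0-only"},   # not on the allow list
]
BAD_DOCKERFILE = 'FROM python:3.11-slim\nCOPY . /app\nCMD ["python", "/app/main.py"]\n'
GOOD_DOCKERFILE = (
    "FROM registry.example.internal/base/python:3.11 AS build\n"
    "COPY . /app\n"
    "FROM registry.example.internal/base/python:3.11\n"
    "COPY --from=build /app /app\n"
    "RUN useradd -r app\nUSER app\n"
    'CMD ["python", "/app/main.py"]\n'
)

if __name__ == "__main__":
    bad = evaluate_build(SAST_FINDINGS, DEPENDENCIES, BAD_DOCKERFILE)
    good = evaluate_build(SAST_FINDINGS[1:], DEPENDENCIES[:1], GOOD_DOCKERFILE)
    for name, r in (("bad build", bad), ("good build", good)):
        print(name, "PASS" if r.passed else "FAIL", *r.reasons, sep="\n  ")
```

In a real pipeline the same gate would read the scanners' JSON reports from the job workspace and exit non-zero when `passed` is false, which is what stops the build.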

Test process

Testing is one of the first environments that an application build is deployed into. Testing teams use tools like Selenium and Cucumber to automate as much of the testing as possible. Automated test plans can benefit from iterative improvements that increase the test plan quality every time a build is created. DevSecOps has open-source tools like ZAP that support proxying and can sit between the testing tools and the application to perform security scanning while the tests exercise the application. Bringing DevSecOps and the testing teams together helps build trust and collaboration while speeding up testing and reducing the number of scripts and tools necessary to complete the testing process.

Bending the rules

Outages, quality issues, and common mistakes can happen when there is pressure to deliver in a compressed timeframe. Building and testing is where bending the rules may be accepted, or even the current norm, within the teams. Security scanners are designed to stop the build process if audit and compliance checks fail. If the development and testing teams are unaware of this, it will simply appear to them as builds and tests breaking. They will complain to their leaders, who will come to the DevSecOps team and demand that the tools get out of the way of DevOps success.

DevSecOps overcomes these concerns by being an integral part of the team with developers and testers. Coordination between DevSecOps and developers is also promoted by adding the findings from these tools into the same bug tracking tools used by testers. DevSecOps integrates by talking through the changes, listening so that feedback is incorporated, creating inclusiveness, and collaborating to help everyone understand what the tools are doing, how they work, and why they are important.

Next steps

Security scanners help developers follow secure-coding and license compliance practices. Scanners and feedback work best when performed as early as possible in the build pipeline so adjustments can be made quickly and with minimal development impact. Using automation encourages developers and testers not to bend the rules. With the application built and tests complete, the software is ready to be packaged as a release.

The post DevSecOps build and test process appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

The US Office of Management and Budget (OMB) has released a strategy to help the federal government embrace a zero-trust approach to cybersecurity.

Overview of OMB’s Zero Trust strategy

Released on January 26, 2022, the strategy identifies “specific security goals” that heads of Federal Civilian Executive Branch (FCEB) agencies must achieve by the end of Fiscal Year (FY) 2024. Provided below are some of these objectives.

  • In its Executive Order (EO) 14028, The White House states that FCEB agencies must develop their own plans for implementing a zero-trust architecture (ZTA). OMB’s strategy goes beyond this mandate by requiring FCEB agencies to incorporate additional requirements and submitting them to OMB and the US Cybersecurity & Infrastructure Security Agency (CISA) within 60 days of the memorandum taking effect. FCEB agencies also need to submit a budget estimate for FY 2024 within that period. In the shorter term, OMB explains that in-scope entities can use internal funding or seek money from alternative sources to achieve primary goals in FY 2022 and FY 2023.
  • OMB’s strategy notes that FCEB agencies must designate and identify a lead for implementing zero trust at their organization within 30 days of the strategy entering into force. Ultimately, OMB will use those leads to coordinate the implementation of zero trust across the federal government. It’ll also refer to them to orchestrate planning and implementation efforts within each agency. 

Identity and MFA as key tenets

The security goals identified above align with several pillars of zero trust set forth by CISA. “Identity” is one of the most important of those elements. The purpose of “Identity” for zero trust is to have agency staff use enterprise-managed identities to access the applications they need to perform their job duties. The best way to do that, OMB noted in its federal strategy, is to invest in centralized identity management systems and integrate them into both applications and common platforms. Specifically, agencies can implement phishing-resistant multi-factor authentication (MFA) at the application layer and require staff, contractors, and partners to enroll in this scheme. (MFA must also be offered as an option to public users.) Finally, agencies must design their password policies so that they do not require the use of special characters or regular password rotation.

A driving factor behind the importance of identity and MFA to zero trust is the growth in cloud adoption. In December 2021, 90% of O’Reilly subscribers revealed their organizations were using the cloud at that time—up from 88% a year earlier. The study went on to reveal that at least 75% of respondents in organizations across every sector were using the cloud, with retail & commerce, finance & banking, and software registering as some of the most active industries. Looking ahead, nearly half (48%) of survey participants said that their organizations were planning to migrate at least half of their applications to the cloud in the coming year. One-fifth of personnel said they intended to migrate all their applications within that period.

This growing focus on the cloud means that literally everyone is an outsider, as I told TechSpective last August. In response, organizations need to implement a scheme by which they can validate the authenticity of approved identities and their attributes for users, services, and devices.

Giving authentication and identity the emphasis they deserve

FCEB agencies and other organizations can emphasize authentication and identity protection for zero trust by laying the groundwork for an Identity and Access Management (IAM) strategy. In formulating this plan, organizations should follow CISA’s MFA guidelines. They then need to clarify which authentication methods they’ll require of their users and plan how to roll out authentication for their users. Finally, entities can develop access rules and policies to shape who can access certain types of data and applications along with the conditions under which they can do so.

Regarding MFA in particular, agencies and other organizations can consider combining MFA with other best practices such as Single Sign-On to improve account security while reducing user friction. To this end, they can use an integrated service or solution that offers multi-factor authentication, SSO and policy-based access.

The post Unpacking OMB’s federal strategy for implementing Zero Trust appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Cybersecurity is more important today than ever before, with virtual threats surging to historic highs. Organizations in every industry need to take steps to protect themselves from cybercrime. A few sectors, in particular, should be especially concerned about safety. These industries are at the highest risk of being targeted by cyberattacks, with damages that can cost billions of dollars.

1. E-commerce

Online shopping was steadily becoming more popular throughout the 2000s and 2010s, but the COVID-19 pandemic has sparked an incredible boom in the 2020s. This is great news for businesses since e-commerce can pull in revenue from a larger audience than brick-and-mortar stores.

However, these companies must have top-notch cybersecurity. When online shopping rose in popularity in 2020, cybercrimes also skyrocketed, amounting to $1 trillion in damages. E-commerce businesses can protect their customers from these threats using online checkout security, multifactor authentication, secure data storage and other practices that put client information first.

2. Finance

A shocking 74% of financial institutions reported experiencing a surge in cyber threats connected to the COVID-19 pandemic in 2021. It should come as no surprise that financial institutions are at the top of cybercriminals’ lists. The trend will only continue as more customers turn to online banking.

Organizations in the finance industry have to take extra steps to protect themselves and their customers from digital threats. For example, mobile banking apps should have an option for biometric authentication, which is more difficult to hack than a conventional alphanumeric password. Internally, cybersecurity must be impenetrable, which requires a culture of security among employees and leaders.

3. Healthcare

Hackers noticed when the COVID-19 pandemic channeled massive amounts of attention and money into the health care industry. Providers, institutions, and businesses of all types have become targets for cybercrime. Patients’ sensitive data can be especially valuable on the dark web and in cybercrime networks since it allows for impersonation and identity theft.

Health care organizations must be extremely careful and focused to protect their patients and customers. Studies have found that misdelivery alone is responsible for 36% of breaches in the medical industry. Telemedicine only increases the danger of individual mistakes and inconsistencies. Every password, device, file and user must be extremely well-fortified. AI cybersecurity software is on the rise for this exact purpose, helping autonomously detect threats and vulnerabilities.

4. Manufacturing

The manufacturing industry may not be a traditional target for cybercrime, but the supply chain crisis has changed that. Cybercriminals know that manufacturers are working against the clock already, making it much easier for certain attacks, like ransomware, to gain leverage. As a result, manufacturers’ security gaps have put the entire supply chain at risk.

More manufacturers are using automation, IoT and other connected technologies to stay ahead of the curve during the supply chain crisis. Protecting these devices is crucial. Additionally, manufacturing facilities’ networks must have strong firewalls and login protections to keep out intruders. Any computers employees use to access business information need to be secured and backed up regularly, as well.

5. Government

Government institutions and the private sector businesses they work with have always been prime targets for cybercrime. Their cybersecurity methods will need to evolve in the years ahead, though. In fact, government organizations and their private sector partners will need to lead the way at the cutting edge of safety practices to stay ahead of the rising tide of cybercrime.

Specific types of attacks are increasing faster than others, and governmental bodies must be aware of them. For example, they need to start requiring anti-phishing training to teach federal employees how to recognize and deal with suspicious emails and domains. INTERPOL found that phishing attacks have increased more than any other type of cyberattack in response to the COVID-19 pandemic. They are especially dangerous for governments since they handle sensitive and even classified information regularly.

Cybersecurity in the next digital era

Cybersecurity is a continuous process that must be constantly monitored and improved to stay ahead of criminals. Innovation has exploded in recent years in response to evolving threats. For example, artificial intelligence is becoming a popular tool for outsmarting cybercriminals and preventing attacks altogether. Friendly hacking is also becoming commonplace as organizations seek to test their defenses safely.

Education and training are crucial for digital safety. This is especially important with the rising popularity of remote work, where employees are solely responsible for the security of their devices and connections. A security-first mindset allows organizations in every industry to protect themselves and their customers from the advancing threats of the digital landscape.

The post 5 Industries that need advanced Cybersecurity measures appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

As Morgan Stanley Bank now knows, ignoring certified data destruction policies can be disastrous. The bank made news in 2020 when it was fined over $60 million for not using proper oversight when decommissioning two of its data centers. Regulators found that the organization had not addressed the risks associated with decommissioning hardware effectively. 

An ever-increasing number of IoT and business-connected devices gives hackers numerous electronic entry points, but companies should also take care when they decommission their hardware. Unfortunately, studies show that many companies lack the necessary precautions for data destruction.

What is data destruction?

Data destruction is a process that involves destroying information and records such as paper documents and digital information stored on hard drives, SSDs, optical disks, memory chips, and the like. The goal of digital data destruction is to eliminate any information that was previously held on the server or hardware so that it can’t ever be recovered by a third party or someone from within the organization. 

The increased cybersecurity events of 2020 and 2021 have highlighted the need for proper data destruction protocols across industries. Additionally, emphasizing the circular economy, sustainability, and eco-friendly practices means that more refurbished devices will be recycled and resold to new owners. If data is not completely destroyed, then that information is at risk. 

What happened at Morgan Stanley?

A lack of secure data destruction protocols can have profound implications. 

In 2016, Morgan Stanley hired a vendor to wipe all data from the servers. But they didn’t monitor their vendor or keep adequate documentation. As a result, the vendor failed to completely erase all the data from the hardware before selling it to recyclers. 

In 2019, a few of Morgan Stanley’s decommissioned servers went missing, and the disks were left with unencrypted customer data. This incident was attributed to a software flaw but still reflects a lack of oversight over one of the most critical business data practices.

These data flubs could have had a significant impact on the online privacy of their clients, but the bank maintains that none of their customers’ data was breached in either instance. Still, the data left on these devices could have easily been accessed by anyone in possession of the servers and other hardware. 

A person with sensitive customer information such as account and social security numbers, birthdates, contact information, and other crucial data could wreak havoc on customers and the organization as a whole. 

Benefits of secure data destruction

Improper data destruction protocols can leave customer and business data wide open to be stolen and used for malicious intentions. 

Businesses of all sizes need to ensure that their financial statements and documents such as profit and loss statement templates, invoices, third-party data, and everything in between are all safely secured using the correct data destruction activities. 

Here are just a few of the benefits of secure and certified data destruction policies and practices:

  • Complete removal of data — certified data destruction helps remove data from hardware without leaving a single trace of its existence. A simple delete is not enough to completely remove data from a device. Data destruction protects the data and the device owner.
  • DARP — Even encryption and firewall security are not enough to ensure that your data at rest is protected. Data at Rest Protection (DARP) through data destruction is the most secure way to protect data that is no longer in use and isn’t serving any real purpose.
  • Prevent cybersecurity incidents — Devices that are no longer needed, both business and personal, have to be permanently wiped with a certified data destruction tool that meets data erasure standards. Without it, they could be vulnerable to a breach resulting in financial and reputational losses, including fines and penalties.
  • Meet compliance and regulation guidelines — Data protection laws worldwide such as GDPR, SOX, and HIPAA state clear rules for consumers’ right to erasure and to be forgotten. Data destruction policies ensure that these guidelines are met. 
  • Sustainable hardware refurbishing — Reducing e-waste has become a top priority as the circular economy comes into focus. Old devices like smartphones and laptops are not the only ones businesses can recycle. A new emphasis on recycling servers and other hardware means an increased need for complete data destruction. 

Methods for data destruction

Organizations use many methods to destroy data at rest permanently. Media wiping tools are essential for companies that use refurbished IT assets or recycle their hardware. These electronic devices must all be adequately wiped before they are safely passed on to their next owner:

  • Computers
  • Smartphones
  • Tablets
  • Digital cameras
  • Media players
  • Printers
  • Monitors
  • Hard drives
  • Gaming consoles
  • External hardware
  • Peripheral devices

Secure and dispose of electronic devices, servers, and hardware by using these data destruction methods:

Delete or reformat

The two most common ways to attempt to rid a device of its data are by deleting or reformatting files. 

Deleting a file from a device will remove it from view, but it doesn’t destroy the data. The information within the deleted file will remain on the device’s hard drive or memory chip.

Reformatting the disk produces similar results. Reformatting will not wipe the data from the device; it just replaces an existing file system with a brand new one.

Using these methods to destroy data is ineffective and does not represent proper data destruction, but they are worth mentioning since they are often the first response.

Wipe

Data wiping involves overwriting data on a device so that no one can read it. It is usually accomplished by connecting the affected media to a wiping device, but it can also be done internally. 

However, data wiping is time-consuming, especially for a business with lots of information across numerous devices. It’s a more practical approach for individuals. 

Overwriting data

Overwriting data and wiping data are very similar approaches to data destruction. Overwriting data refers to writing a pattern of ones and zeroes over the current data so that it can no longer be read.

However, if the data in question is a high security risk, it may be worth taking a few extra passes at overwriting it. This ensures that the data is completely destroyed and that no shadow or remnant of the pre-existing information can be detected.

Overwriting data is by far the most common data destruction method used by organizations, but it is also very time-consuming. Additionally, you can only overwrite data on an undamaged device that still allows data to be written to it.

Erasure

Another term for overwriting, complete erasure destroys all data stored on a hard drive and delivers a certificate of destruction. This certificate proves that data has been successfully erased from an electronic device. 

Erasure is a suitable method for businesses that purchase equipment such as desktops, enterprise data centers, and laptops off-lease.
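As an added example (not from the original post), the following Python routine covers the overwriting and erasure methods described above: multiple passes of fixed patterns followed by random data, read-back verification of each fixed pass, and a certificate-style record of what was done. The record format is hypothetical, and the target is a constructed scratch file standing in for a decommissioned disk.

```python
"""Multi-pass overwrite with read-back verification and a destruction record.
Added example, not code from the original post. The target is handled as a plain
byte stream, so the same routine applies to a regular file (used below) or to an
unmounted block device path. Caveat: overwriting a file on an SSD or a journaling
file system does not reliably reach every physical copy of the data; for whole
drives prefer the device path or the drive's built-in secure erase. The record
format is hypothetical."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20
# Three passes: fixed zeros, fixed ones, then random (None means os.urandom).
DEFAULT_PASSES = (b"\x00", b"\xff", None)

def _target_size(f):
    """Size via seek-to-end, which works for block devices as well as files."""
    size = f.seek(0, os.SEEK_END)
    f.seek(0)
    return size

def overwrite_pass(path, pattern):
    """Write one full pass of `pattern` (random bytes if None) over the target
    and force it to stable storage before returning."""
    with open(path, "r+b") as f:
        remaining = _target_size(f)
        while remaining:
            n = min(CHUNK, remaining)
            f.write(pattern * n if pattern is not None else os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())

def verify_pass(path, pattern):
    """Read the whole target back; True only if every byte equals `pattern`."""
    with open(path, "rb") as f:
        remaining = _target_size(f)
        while remaining:
            n = min(CHUNK, remaining)
            if f.read(n) != pattern * n:
                return False
            remaining -= n
    return True

def secure_overwrite(path, passes=DEFAULT_PASSES):
    """Run every pass; each fixed-pattern pass is verified by read-back."""
    for pattern in passes:
        overwrite_pass(path, pattern)
        if pattern is not None and not verify_pass(path, pattern):
            raise RuntimeError(f"read-back verification failed for {pattern!r}")
    with open(path, "rb") as f:
        return _target_size(f)

def destruction_record(path, passes=DEFAULT_PASSES):
    """Overwrite the target and return a certificate-style record (hypothetical
    format) for the asset's disposal file."""
    size = secure_overwrite(path, passes)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)          # digest of post-wipe contents, as evidence
    return {
        "target": os.path.abspath(path),
        "bytes_overwritten": size,
        "passes": ["random" if p is None else p.hex() for p in passes],
        "final_sha256": digest.hexdigest(),
        "completed_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }

def contains_marker(path, marker):
    """True if a known plaintext marker can still be found on the target."""
    with open(path, "rb") as f:
        return marker in f.read()

def make_scratch_target(content):
    """Constructed sample: a scratch file standing in for a decommissioned disk."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
    return tmp.name

if __name__ == "__main__":
    marker = b"ACCOUNT-0001 DOB 1970-01-01 SSN 000-00-0000"   # constructed data
    path = make_scratch_target(marker * 4096)
    print("marker present before wipe:", contains_marker(path, marker))
    record = destruction_record(path)
    print("marker present after wipe:", contains_marker(path, marker))
    print(json.dumps(record, indent=2))
    os.unlink(path)
```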

Degaussing

Degaussing uses a high-powered magnet to destroy data. It is a quick and effective method to destroy sensitive data, but it has some disadvantages. 

Once a device has been degaussed, its hard drive is no longer operable. Besides that, there is no way to know whether all the data has been destroyed without an electron microscope. 

Physical destruction

It turns out that taking a hammer to a hard drive is a very effective data destruction method for businesses of all sizes. However, not all companies can afford to spend money on replacing hard drives that have been pummeled in the name of data privacy, so this is not always an ideal solution. 

Shredding 

Another method similar to physical destruction, shredding is the most secure and cost-effective data destruction strategy. Shredding involves reducing electronic devices to tiny pieces, no larger than a couple of millimeters. 

This method is ideal for high-security environments and is most commonly used when an organization has a stockpile of old media to destroy. 

Final thoughts

Many businesses will outsource their data destruction needs to a dedicated data destruction company. But beware, just like in Morgan Stanley’s case, you could still be held responsible for any data that remains. 

You may think that your organization isn’t susceptible to a major data breach from decommissioned data centers and other equipment. However, small businesses are the number one target for cybersecurity breaches. 

That’s why businesses of all sizes must take the correct steps to destroy data and ensure their customers’ information stays secure.

The post Formulating proper data destruction policies to reduce data breach risks appeared first on Cybersecurity Insiders.

Metaverse abstraction (photo by Adi Goldstein on Unsplash)

This blog was written by an independent guest blogger.

The technical infrastructure of video games requires a significant level of access to private data, whether through client-server interactions or financial data. This has led to what Computer Weekly describes as a ‘relentless’ attack on the video game industry, with attacks against game hosts and customer credentials rising 224% in 2021. There are several techniques for managing a personal online presence in a way that deters cyber attacks, but the ever-broadening range of games and communication tools used to support gaming communities means these threats are only increasing, and they are starting to affect single-player games too.

Gaming exploits

Gaming hacks and exploits are nothing new. There has long been an industry around compromising game code integrity and releasing games for free, and distributing within those games malicious software that breaches private user details and uses them for the hacker’s gain. These have become less common in recent years due to awareness of online data hygiene, but the risks do remain.

In July, NintendoLife highlighted one particularly notorious hack of the Legend of Zelda series that was sold, unlawfully, and earned the creator over $87,000 in revenue. This exploit showed a common route towards tricking customers – deception. Zelda has a notably strong community where fans help each other out, both in learning the game and defending against common exploits; this is why the malicious actor in question was discovered, and why no further harm was done, but it remains a risk. Awareness is often key in avoiding attempted cyber attacks.

Web services to apps

Video games have become increasingly merged with web services and this, too, is raising the risk of attack. According to CISO mag, a majority of the attacks targeting video game services were conducted via SQL injection, a popular form of web service attack that attempts to breach databases. This, in turn, can result in the extraction of private customer details and financial information.

Games have previously sought to use their own platforms for registration and payments. However, in recent years, and especially with the growth of gaming platforms – such as Battle.net, Steam and EA Origin – user account details are made more vulnerable through their hosting via web services. This is a worrying development when considering the ultimate interface of video gaming, web services, and virtual reality – the up-and-coming Metaverse.

The Metaverse

The Metaverse is a descriptor for an interlinked series of digital worlds that will come together into one VR-powered reality. Pioneered most recently by Mark Zuckerberg and his Meta company, it is considered the future of communication and casual video gaming. According to Hacker Noon, the Metaverse is at unique risk of being subjected to serious cyber attacks.

The Metaverse is unique in that it will require digital currencies to operate. It is envisioned as a world within a world – not simply a service you pay for and then access, but an area where you will actively live and play. That means persistent financial data and constant access to privileged private information. Furthermore, individuals play themselves in the Metaverse, not a created character. One successful attack could claim a significant amount of data from any single user of the Metaverse, making it the ideal target for a new generation of cyber attacks.

In short, the protections that will come up for the Metaverse need to be absolutely world-class. Collaboration is required, and a strong culture of individual diligence and digital hygiene, too. Putting these principles in place today will help to protect the Metaverse before it really gets big, and protect video gamers too.

The post Cyber threats increasingly target video games – The metaverse is next appeared first on Cybersecurity Insiders.