The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

What is an e-mail?

E-mail, also referred to as electronic mail, is an Internet service that allows people and digital services to transmit messages (letters) in electronic form across the Internet. To send and receive e-mail, an individual or service must have an e-mail address, which generally takes the form emailaddress@domain.com. E-mail is a more reliable, faster, and less expensive form of messaging, in both personal and professional environments.

What are e-mail headers?

E-mail headers are metadata attached to every email sent or received across the Internet; they carry the information required to deliver the message and to validate it. E-mail headers contain information such as:

  • Sender’s IP address
  • Server the email came through
  • Domain the email originated from
  • SPF (Sender Policy Framework)
  • DKIM
  • DMARC
  • Time the message was sent and received
  • Other important information required to validate the authenticity of the email received

Using e-mail header analysis, users can identify whether an e-mail is legitimate or a scam. To view email headers in most clients, right-click on the message and choose “show original” or “view source.”

Metadata

Now, let us look at the terms related to metadata: what it is, and why the metadata associated with an email is so important for email communications.

Metadata: Metadata is data that provides information about other data. For example, email headers provide information about an email communication.

SPF: Sender Policy Framework is a DNS-based authentication mechanism for email. SPF is a TXT record configured in a domain’s DNS that lists the IP addresses and domain names authorised to send email for that domain. The recipient can check the SPF result under the email headers to verify that the email originated from one of the specified IP addresses or domain names.

DKIM: DomainKeys Identified Mail is a cryptographic method that uses a digital signature to sign and verify emails, allowing the receiver’s mailbox to verify that the email was sent by an authenticated user or owner of the domain. When an email is sent from a DKIM-configured domain, the sending side generates hashes over the email and signs them with a private key held by the sender. The recipient recomputes the hashes over the received content and checks them against the signature, so it can verify that the email was not manipulated or tampered with in transit.

DMARC: Domain-based Message Authentication, Reporting and Conformance is an email standard that protects email senders and recipients from spam and spoofing. DMARC builds on SPF and DKIM: if the SPF or DKIM check fails to match the published records, the domain’s DMARC policy tells the recipient how to handle the message, with options such as quarantine or reject. SPF and DKIM must be configured before DMARC can be added to the DNS records.

Message ID: The Message ID is a unique identifier assigned to each email; every email will have a unique Message ID.

E-mail header analysis has been used in criminal investigations to track down suspects and in civil litigation to prove the authenticity of emails. It’s also used by businesses to combat modern-day email attacks such as email spoofing.

There are various tools available for email header analysis, however, free tools may have limited capabilities.
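As an added example (not code from the original post), the script below walks a raw message the way “show original” presents it: it rebuilds the Received chain to find the originating IP and the servers the mail passed through, reads the SPF/DKIM/DMARC verdicts the receiving server recorded in its Authentication-Results header, pulls the Message-ID, and lists anything worth a second look. The message, hosts and addresses are constructed samples; the Authentication-Results header is the standard way receiving servers record those verdicts.

```python
"""Header triage for a raw message, as displayed by a mail client's "show original"."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message); hosts and IPs use documentation ranges.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by mail.example.com with ESMTPS id abc123;
 Tue, 4 Jul 2023 10:15:02 +0000
Received: from sender-host (sender-host.example.net [203.0.113.45])
 by mx.example.net with ESMTP id xyz789;
 Tue, 4 Jul 2023 10:15:00 +0000
Authentication-Results: mail.example.com;
 spf=pass smtp.mailfrom=example.net;
 dkim=pass header.d=example.net;
 dmarc=pass header.from=example.net
From: Alice <alice@example.net>
To: Bob <bob@example.com>
Subject: Quarterly report
Date: Tue, 4 Jul 2023 10:14:58 +0000
Message-ID: <20230704101458.12345@example.net>

Hello Bob, the report is attached.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiving host>" as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def unfold(value):
    """Collapse a folded (multi-line) header value into one logical line."""
    return re.sub(r"\s+", " ", str(value)).strip()


def received_chain(msg):
    """Return hops oldest-first: handing-off host, its IP, receiving host, timestamp."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = unfold(value)
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        stamp = flat.rsplit(";", 1)[-1].strip()  # the timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp)
        except (TypeError, ValueError):
            when = None
        hops.append({"from": m.group("helo"), "ip": m.group("ip"),
                     "by": m.group("by"), "time": when})
    hops.reverse()  # each server prepends its Received line, so the top one is the latest hop
    return hops


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts the receiving server recorded."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(unfold(value).lower()):
            results.setdefault(method, verdict)
    return results


def analyze(raw):
    """Summarise the header evidence and flag points that deserve a closer look."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    auth = auth_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dkim", "dmarc")
             if auth.get(m) != "pass"]
    if not msg.get("Message-ID"):
        flags.append("no Message-ID")
    times = [h["time"] for h in hops if h["time"]]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        flags.append("Received timestamps run backwards")
    return {
        "message_id": msg.get("Message-ID"),
        "from_domain": from_domain,
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [h["by"] for h in hops],
        "auth": auth,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_RAW).items():
        print(f"{key:12} {val}")
```

A forged message typically shows up here as a failed or missing SPF/DKIM/DMARC verdict, an origin IP that does not belong to the From domain, or a hop chain whose timestamps do not add up.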

The post E-mail header analysis appeared first on Cybersecurity Insiders.


The global COVID-19 pandemic has left lasting effects on the workplace across all sectors. With so many people required to stay home, businesses in every field turned to remote work to open new possibilities for staying connected across distances. Now that the pandemic has largely subsided, many working environments have transitioned into a new hybrid workplace style. With this new approach to the office, employers and IT specialists have had to adapt to the increased risk of cybersecurity breaches within the company context. 

The first security measure businesses adopted during the pandemic was using VPNs that allowed employees to work remotely while still enjoying connectivity and security. Despite their popularity, however, VPN authentication can grant malicious third parties unrestricted network access and allow them to compromise an organization’s digital assets. 

To combat these vulnerabilities, organizations must consider establishing hybrid workplace network security. Investing in organizational cybersecurity means investing in the organization’s future; now, cybersecurity is as essential for the continuity and success of a business as the lock on its front door was once considered to be. 

This article will discuss types of network security breaches to watch out for. Then we will review practices you can adopt to establish hybrid workplace security and mitigate the risk of granting malicious third parties unrestricted network access.

Three types of hybrid network security breaches to watch out for

There are multiple potential gaps in every hybrid workplace network, including interpersonal communications, outdated software, and uninformed employees. Cybersecurity breaches at even a very small scale can grant hackers access to sensitive information, which could lead to the leakage of important data. 

This is a serious problem as, according to recent surveys, 45% of companies in the United States have been faced with data leakage in the past. With hybrid and remote workplaces becoming increasingly normal, workplace network security must become a priority. 

Here are three types of security breaches to watch out for. 

1. Phishing attacks

One type of cybersecurity attack is phishing. Phishing involves a hacker attempting to trick employees or co-workers into revealing sensitive information, granting access to protected files, or inadvertently downloading malicious software. 

Phishing is enacted by hackers who successfully adopt an employee’s personality, writing style, or company presence. According to recent statistics, 80% of breaches involve compromised identities, which can have a domino effect, leading to larger-scale company-wide cybersecurity breaches. 

2. Ransomware attacks

A second variety of cybersecurity breaches is ransomware. Ransomware is an attack where hackers encrypt files on a company’s network and demand payment to restore access. In other words, they gain private access to the workplace network and then essentially hold it hostage, demanding a “ransom” to prevent leaking any sensitive work data that might be stored there. 

Phishing can be used as an initial method of accessing a network so that hackers can then install ransomware. 

3. Man-in-the-Middle attacks

A third type of cybersecurity breach is a man-in-the-middle attack, where a hacker intercepts and alters communications between two parties to steal data or manipulate transactions. A man-in-the-middle attack can also be a type of phishing breach.  

Six practices to establish hybrid workplace security

The most effective overall approach to combating potential cyberattacks is establishing a comprehensive, multifaceted system of defenses. 

The combination of different approaches, such as widespread workplace cybersecurity education paired with awareness about making smart purchasing decisions, can shore up the defenses before an attack. Meanwhile, introducing specific preventive cybersecurity measures will guarantee a more robust cybersecurity structure across the workplace in case of a malicious incident.

Here are six specific practices to establish hybrid workplace security. 

1. Choose trustworthy vendors

Part of running a business is working within a broader network of vendors, contractors, and clients. One way to establish cybersecurity from the outset is to carefully and thoroughly vet every business partner and vendor before working with them. Before signing a company-wide phone contract, for example, look for business phone services that come with features such as enhanced cyber protection and cyberattack insurance. 

When your business or employees request or send money online, they should use specific transfer sources as instructed. Employers should look for bank transfers that come with digital security encryption and protection against chargebacks to prevent breaches during the transaction. 

2. Adopt alternative remote access methods

Since breaches of company networks protected by VPNs are becoming increasingly common, seeking out alternative remote access methods is a good way to ensure the ongoing security of the workplace network. 

Software-defined perimeter, or SDP, uses a cloud-based approach so that each device can be easily synced across geographic barriers. A software-defined perimeter relies on identity authentication before connecting users and, as such, acts as a virtual barrier around every level of access. 

3. Introduce zero-trust network access (ZTNA)

Zero-trust network access means that every single request to access the company network, including all employee requests, must pass several layers of authentication before being granted. This way, all employees, both in-person and remote, will have to engage with the same advanced-level security protocols.  

Zero-trust network access also means that every device is analyzed and confirmed so hackers or bad actors attempting to impersonate an employee can be tracked and identified. 

4. Enact company-wide cybersecurity training programs

Create training documents that are easily accessible to both in-person and remote employees. 

Regular training on the latest cybersecurity protocols and procedures is an important way to maintain constant awareness of cybersecurity threats among your entire staff and establish clear and direct actions employees can take if they suspect they have been targeted by a bad actor. 

Since phishing is one of the top methods of cyberattacks in the workplace, the better informed that employees at every level of the company are, the more secure the workplace will be. 

5. Conduct regular cybersecurity tests

For hybrid companies, identifying potential vulnerabilities and weak spots in the cybersecurity system is key to preventing effective attacks.

Instruct the in-house IT team to conduct regular cybersecurity tests by launching false phishing campaigns and attempting to simulate other hacking strategies. If your hybrid business does not have an entire IT team, hire outside cybersecurity consultants to analyze the state of your company’s current cybersecurity defenses. 

IT experts should also be consulted to determine the best cybersecurity software for your business. All software and hardware should be updated regularly on every workplace device, and employees should be encouraged to update the software on their smartphones and other personal devices that might be used for work purposes. 

Since software updates contain the latest cybersecurity measures, they are essential to cyber risk management in the hybrid workplace. 

6. Install security software on all workplace devices 

In addition to the protection provided by personnel and alternative access networks, every workplace device should be equipped with adequate cybersecurity protective software. Installing a firewall on every workplace computer and tablet can protect the core of each hard drive from malware that may have been accidentally installed. 

A strong firewall can protect against any suspicious activity attempts within the company network. By providing a powerful firewall coupled with secure remote access methods, the entire workplace network should be secured from attempts at illicit access by cybercriminals with malicious intent. 

Data diodes are another viable method of securing the network; similar to software firewalls, data diodes work less like an identity barrier and more like a physical separator. While firewalls analyze and vet each incoming action request, data diodes function by separating distinct aspects of each electronic transaction or interaction. So even in case of a system failure, the main result would be a total lack of connectivity between parts, ensuring that cybercriminals would still be prevented from accessing company information. 

Final thoughts

Since a hybrid workplace encompasses both in-person and remote employees at the same time, hybrid companies face a unique set of challenges. Each cybersecurity policy must incorporate both types of employees, which can be difficult to enact across the board. 

To instill preventive measures that can thwart attempts at phishing, ransomware, malware, identity theft, and other malicious attacks, hybrid companies can boost their workplace training programs and install higher-level security software. These measures will help to prevent attacks and minimize damage in the case of a cybersecurity breach so that sensitive personal and company data will be protected no matter what. 

The post How to establish network security for your hybrid workplace appeared first on Cybersecurity Insiders.

AT&T Cybersecurity is committed to providing thought leadership to help you strategically plan for an evolving cybersecurity landscape. Our 2023 AT&T Cybersecurity Insights™ Report: Edge Ecosystem is now available. It describes the common characteristics of an edge computing environment, the top use cases and security trends, and key recommendations for strategic planning.

Get your free copy now.

This is the 12th edition of our vendor-neutral and forward-looking report. During the last four years, the annual AT&T Cybersecurity Insights Report has focused on edge migration. Past reports have documented how we

This year’s report reveals how the edge ecosystem is maturing along with our guidance on adapting and managing this new era of computing.

Watch the webcast to hear more about our findings.

The robust quantitative field survey reached 1,418 professionals in security, IT, application development, and line of business from around the world. The qualitative research tapped subject matter experts across the cybersecurity industry.

At the onset of our research, we set out to find the following:

  1. Momentum of edge computing in the market.
  2. Collaboration approaches to connecting and securing the edge ecosystem.
  3. Perceived risk and benefit of the common use cases in each industry surveyed.

The results focus on common edge use cases in seven vertical industries – healthcare, retail, finance, manufacturing, energy and utilities, transportation, and U.S. SLED – and deliver actionable advice for securing and connecting an edge ecosystem, including external trusted advisors. Finally, the report examines cybersecurity and the broader edge ecosystem of networking, service providers, and top use cases.

As with any piece of primary research, we found some surprising and some not-so-surprising answers to these three broad questions.

Edge computing has expanded, creating a new ecosystem

Because our survey focused on leaders who are using edge to solve business problems, the research revealed a set of common characteristics that respondents agreed define edge computing.

  • A distributed model of management, intelligence, and networks.
  • Applications, workloads, and hosting closer to users and digital assets that are generating or consuming the data, which can be on-premises and/or in the cloud.
  • Software-defined (which can mean the dominant use of private, public, or hybrid cloud environments; however, this does not rule out on-premises environments).

Understanding these common characteristics is essential as we move to an even further democratized version of computing, with an abundance of connected IoT devices that will process and deliver data with velocity, volume, and variety unlike anything we’ve previously seen.

Business is embracing the value of edge deployments

The primary use case of industries we surveyed evolved from the previous year. This shows that businesses are seeing positive outcomes and continue to invest in new models enabled by edge computing.

Industry             | 2022 Primary Use Case          | 2023 Primary Use Case
---------------------|--------------------------------|--------------------------------
Healthcare           | Consumer Virtual Care          | Tele-emergency Medical Services
Manufacturing        | Video-based Quality Inspection | Smart Warehousing
Retail               | Loss Prevention                | Real-time Inventory Management
Energy and Utilities | Remote Control Operations      | Intelligent Grid Management
Finance              | Concierge Services             | Real-time Fraud Protection
Transportation       | n/a                            | Fleet Tracking
U.S. SLED            | Public Safety and Enforcement  | Building Management

A full 57% of survey respondents are in proof of concept, partial, or full implementation phases with their edge computing use cases.

One of the most pleasantly surprising findings is how organizations are investing in security for edge. We asked survey participants how they were allocating their budgets for the primary edge use cases across four areas – strategy and planning, network, security, and applications.

The results show that security is clearly an integral part of edge computing. This balanced investment strategy shows that the much-needed security for ephemeral edge applications is part of the broader plan.

Edge project budgets are notably nearly balanced across four key areas:

  • Network – 30%
  • Overall strategy and planning – 23%
  • Security – 22%
  • Applications – 22%

A robust partner ecosystem supports edge complexity

Across all industries, external trusted advisors are being called upon as critical extensions of the team. During the edge project planning phase, 64% are using an external partner. During the production phase, that same number increases to 71%. These findings demonstrate that organizations are seeking help because the complexity of edge demands more than a do-it-yourself approach.

A surprise finding comes in the form of the changing attack surface and changing attack sophistication. Our data shows that DDoS (Distributed Denial of Service) attacks are now the top concern (when examining the data in the aggregate vs. by industry). Surprisingly, ransomware dropped to eighth place out of eight in attack type.

The qualitative analysis points to an abundance of organizational spending on ransomware prevention over the past 24 months and enthusiasm for ransomware containment. However, ransomware criminals and their attacks are relentless. Additional qualitative analysis suggests cyber adversaries may be cycling different types of attacks. This is a worthwhile issue to discuss in your organization. What types of attacks concern your team the most?

Building resilience is critical for successful edge integration

Resilience is about adapting quickly to a changing situation. Together, resilience and security address risk, support business needs, and drive operational efficiency at each stage of the journey. As use cases evolve, resilience gains importance, and the competitive advantage that edge applications provide can be fine-tuned. Future evolution will involve more IoT devices, faster connectivity and networks, and holistic security tailored to hybrid environments.

Our research finds that organizations are fortifying and future-proofing their edge architectures and adding cyber resilience as a core pillar. Empirically, our research shows that as the number of edge use cases in production grows, there is a strong need and desire to increase protection for endpoints and data. For example, the use of endpoint detection and response grows by 12% as use cases go from ideation to full implementation.

Maturity in understanding edge use cases and what it takes to protect actively is a journey that every organization will undertake.

Key takeaways

You may not realize you’ve already encountered edge computing – whether it is through a tele-medicine experience, finding available parking places in a public structure, or working in a smart building. Edge is bringing us to a digital-first world, rich with new and exciting possibilities.

By embracing edge computing, you’ll help your organization gain important, and often competitive business advantages. This report is designed to help you start and further the conversation. Use it to develop a strategic plan that includes these key development areas.

  • Start developing your edge computing profile. Work with internal line-of-business teams to understand use cases. Include key business partners and vendors to identify initiatives that impact security.
  • Develop an investment strategy. Bundle security investments with use case development. Evaluate investment allocation. The increased business opportunity of edge use cases should include a security budget.
  • Align resources with emerging security priorities. Use collaboration to expand expertise and lower resource costs. Consider creating edge computing use case experts who help the security team stay on top of emerging use cases.
  • Prepare for ongoing, dynamic response. Edge use cases rapidly evolve once they show value. Use cases require high-speed, low-latency networks as network functions and cybersecurity controls converge.

A special thanks to our contributors for their continued guidance on this report

A report of this scope and magnitude comes together through a collaborative effort of leaders in the cybersecurity market.

Thank you to our 2023 AT&T Cybersecurity Insights Report contributors!

To help start or advance the conversation about edge computing in your organization, use the infographic below as a guide.

Cybersecurity Infographic Insights Report

The post Securing the Edge Ecosystem Global Research released – Complimentary report available appeared first on Cybersecurity Insiders.

This is the first of a series of consultant-written blogs around PCI DSS.

Many organizations have multiple IAM schemes that they forget about when it comes to a robust compliance framework such as PCI DSS.

There are, at minimum, two schemes that need to be reviewed, but consider if you have more from this potential, and probably incomplete, list:

  • Cloud service master account management: AWS (Amazon Web Services), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Architecture (OCA)
  • Name service registrars (e.g., GoDaddy, Network Solutions)
  • DNS service (e.g., Akamai, CloudFront)
  • Certificate providers (e.g., Entrust, DigiCert)
  • IaaS (Infrastructure as a Service) and SaaS (Software as a Service) accounts (e.g., Digital Realty, Equinix, Splunk, USM Anywhere (USMA), Rapid7)
  • Servers and networking gear administrative account management (firewalls, routers, VPN, WAF, load balancer, DDoS prevention, SIEM, database, Wi-Fi)
  • Internal user account management (Active Directory, LDAP or equivalent, third parties who may act as staff augmentation or maintenance and repair services, and API accesses)
  • Consumer account management (often self-managed in a separate database using a different set of encryption, tools, and privileges or capabilities from staff logins)
  • PCI DSS v4.0 expands the requirement to all system and automated access, credentialed testing, and API interfaces, so those need to be considered too.

Bottom line: in whatever fashion someone or something validates their authorization to use a device, service, or application, that authorization must be mapped to the role and privileges afforded to that actor. The goal is to ensure that each actor is provisioned with the least privilege needed to complete its intended function(s) and can be held accountable for its actions.

As many of the devices as possible should be integrated into a common schema, since having multiple devices with local only admin accounts is a recipe for disaster.

If privilege escalation is possible from within an already-authenticated account, the mechanism by which that occurs must be thoroughly documented and monitored (logged) too.

PCI DSS Requirement 7 asks the assessor to review the roles and access privileges and groupings that individuals could be assigned to, and that those individuals are specifically authorized to have those access rights and roles. This covers both physical and logical access.

Requirement 9 asks specifically about business-based need and authorization for visitors gaining physical access to any sensitive areas. Frequent visitors such as janitors and HVAC maintenance must be remembered when writing policy and procedures and when conferring access rights for physical access.

Requirement 8 then asks the assessor to put together the roles, privileges, and assignments with actual current staff members, and to validate that the privileges those staff currently have, were authorized, and match the authorized privileges. This is one of the few for-ever requirements of PCI DSS, so if paperwork conferring and authorizing access for any individuals or automation has been lost, it must be re-created to show authorization of the current access rights and privileges.

PCI DSS v4.0 requires much more scrutiny of APIs – which are a growing aspect of application programming. The design engineers need to ensure that APIs and automated processes are given, or acquire, their own specific, unique, authorization credentials, and the interface has session control characteristics that are well-planned, documented, and managed using the same schema created for Requirement 7. Cross-session data pollution and/or capture must be prevented. If the API is distributed as a commercial off-the-shelf (COTS) product, it cannot have default credentials programmed in, but the installation process must ask for, or create and store appropriately, strong credentials for management and use.

Requirements 1 and 6 both impact role and privilege assignments also, where separation of duties between development and production in both networking and code deployment is becoming blurred in today’s DevSecOps and agile world. However, PCI’s standard remains strict and requires such separations, challenging very small operations. The intent is that no one person (or login ID) should have end-to-end control of anything, and no-one should be reviewing or QA’ing and authorizing their own work. This might mean a small organization needs to contract one or more reviewers1 if there’s one person doing development, and the other doing deployment.

Even in larger organizations where developers sometimes need access to live production environments to diagnose specific failures, they must not be using the same login ID as they use for development. Organizations could choose asmith as the developer role and andys as the administrative login ID for the same person, to ensure privilege escalations are deliberately bounded and easily trackable (per requirement 10). Also, no-one should ever be using elevated privileges to perform their day-to-day job; elevations should always be used for point tasks and dropped as soon as they are no longer needed.
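As an added example (not part of the original post), the script below reconciles an access inventory against the authorization records that Requirement 8 asks for, and applies the separation checks from Requirements 1 and 6 described above: any live privilege without an approval, approvals that no longer match a live privilege, a single login ID spanning development and production, and one person holding both the developer and the deployer role. The inventory, ticket numbers and the asmith/andys pairing are constructed samples.

```python
"""Access-review reconciliation: compare what accounts have with what was authorized."""
from collections import defaultdict

# Constructed inventory: what the systems report today (login ID, person, environment, role).
CURRENT_ACCESS = [
    {"login": "asmith",  "person": "Andy Smith", "env": "dev",  "role": "developer"},
    {"login": "andys",   "person": "Andy Smith", "env": "prod", "role": "admin"},
    {"login": "bjones",  "person": "Beth Jones", "env": "dev",  "role": "developer"},
    {"login": "bjones",  "person": "Beth Jones", "env": "prod", "role": "deployer"},
    {"login": "svc-etl", "person": "ETL batch",  "env": "prod", "role": "admin"},
]

# Constructed authorization records (the Requirement 8 paperwork): approved tuple -> ticket.
AUTHORIZED = {
    ("asmith", "dev", "developer"): "ticket-101",
    ("andys", "prod", "admin"): "ticket-102",
    ("bjones", "dev", "developer"): "ticket-103",
    ("bjones", "prod", "deployer"): "ticket-104",
    ("svc-etl", "prod", "reader"): "ticket-105",   # the batch account was only approved as a reader
}


def key(entry):
    return (entry["login"], entry["env"], entry["role"])


def unauthorized_access(current, authorized):
    """Requirement 8: every privilege an account holds today must match an authorization record."""
    return sorted(key(a) for a in current if key(a) not in authorized)


def stale_authorizations(current, authorized):
    """Approvals that no longer match any live privilege: paperwork to retire or re-issue."""
    live = {key(a) for a in current}
    return sorted(k for k in authorized if k not in live)


def shared_login_across_envs(current):
    """Requirements 1 and 6: the same login ID must not be used in both development and production."""
    envs = defaultdict(set)
    for a in current:
        envs[a["login"]].add(a["env"])
    return sorted(login for login, e in envs.items() if {"dev", "prod"} <= e)


def end_to_end_control(current):
    """Separation of duties: no one person should both develop code and deploy it to production."""
    roles = defaultdict(set)
    for a in current:
        roles[a["person"]].add((a["env"], a["role"]))
    return sorted(p for p, r in roles.items()
                  if ("dev", "developer") in r and ("prod", "deployer") in r)


def review(current, authorized):
    """Run all checks and return the findings an assessor would want to see."""
    return {
        "unauthorized": unauthorized_access(current, authorized),
        "stale": stale_authorizations(current, authorized),
        "shared_logins": shared_login_across_envs(current),
        "end_to_end": end_to_end_control(current),
    }


if __name__ == "__main__":
    for finding, items in review(CURRENT_ACCESS, AUTHORIZED).items():
        print(f"{finding:14} {items}")
```

Andy Smith passes: two distinct login IDs, each with its own approval, which is the pattern the paragraph above recommends; Beth Jones and the batch account are the findings.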

Next, third parties allowed into your cardholder data environment (CDE) – for maintenance purposes for instance – must always be specifically authorized to be there (physically or logically) and monitored while they are there. Most SIEM tools these days monitor everything indiscriminately, but PCI also says their access must be cut off as soon as it is no longer needed.

That might mean time-bounding their logical access, and it does mean escorting them while they are present. Staff must also be empowered and encouraged to challenge people with no badge, or no escort, and to escort them out of any sensitive area until their escort can be reunited with them. If your staff has access to customer premises where PCI-sensitive data is present, (either physically or logically) they must conduct themselves in like manner.

PCI DSS v4.0 also adds a requirement that any normally automated process that can be used interactively (e.g. for debugging) must log any of the interactive usage that occurs, with the appropriate individual’s attribution.

Lastly, PCI DSS 4.0 adds credentialed testing using high access privileges for requirement 11 (although not necessarily administrative privilege), which requires those credentials to be designed into the overall requirement 7 schema and subjected to the requirement 8 restrictions and constraints.

1Reviewers are secure-code reviewers and security-trained functional QA staff.

The post Identity and Access Management (IAM) in Payment Card Industry (PCI) Data Security Standard (DSS) environments. appeared first on Cybersecurity Insiders.


If cyber threats feel like faceless intruders, you’re only considering a fraction of the risk. Insider threats pose a challenge for organizations, often catching them by surprise as they focus on securing the perimeter.

There is a bright side, however. Understanding the threat landscape and developing a security plan will help you to mitigate risk and prevent cyber incidents. When designing your strategy, be sure to account for insider threats.

What is an insider threat?

Perhaps unsurprisingly, insider threats are threats that come from within your organization. Rather than bad actors from the outside infiltrating your network or systems, these risks refer to those initiated by someone within your organization – purposefully or as a result of human error.

There are three classifications of insider threats:

  • Malicious insider threats are those perpetrated purposefully by someone with access to your systems. This may include a disgruntled employee, a scorned former employee, or a third-party partner or contractor who has been granted permissions on your network.
  • Negligent insider threats are often a matter of human error. Employees who click on malware links in an email or download a compromised file are responsible for these threats.
  • Unsuspecting insider threats technically come from the outside. Yet, they rely on insiders’ naivety to succeed. For example, an employee whose login credentials are stolen or who leaves their computer unguarded may be a victim of this type of threat.

Keys to identifying insider threats

Once you know what types of threats exist, you must know how to detect them to mitigate the risk or address compromises as quickly as possible. Here are four key ways to identify insider threats:

Monitor

Third parties are the risk outliers that, unfortunately, lead to data compromise all too often. Monitoring and controlling third-party access is crucial to identifying insider threats, as contractors and partners with access to your networks can quickly become doorways to your data.

Consider monitoring employee access as well. Security cameras and keystroke logging are methods some companies may choose to monitor movement and usage, though they may not suit every organization.

Audit

Pivotal to risk mitigation – for insider threats or those outside your network – is an ongoing auditing process. Regular audits will help understand typical behavior patterns and identify anomalies should they arise. Automated audits can run based on your parameters and schedule without much intervention from SecOps. Manual audits are also valuable for ad hoc reviews of multiple or disparate systems.

Report

A risk-aware culture is based on ongoing communication about threats, risks, and what to do should issues arise. It also means establishing a straightforward process for whistleblowing. SecOps, try as they might, cannot always be everywhere. Get the support of your employees by making it clear what to look out for and where to report any questionable activity they notice. Employees can also conduct self-audits with SecOps’ guidance to assess their risk level.

Best practices for prevention

Prevention of insider threats relies on a few key aspects. Here are some best practices to prevent threats:

Use MFA

The low-hanging fruit in security is establishing strong authentication methods and defining clear password practices. Enforce strong, unique passwords, and ensure users must change them regularly. Multifactor authentication (MFA) will protect your network and systems if a user ID or password is stolen or compromised.

Screen candidates and new hires

Granted, bad actors have to start somewhere, so screening and background checks do not eliminate every threat. Still, it’s helpful to have processes in place to screen new hires, so you know to whom you’re granting access to your systems. Depending on the nature of the relationship, this best practice may also apply to third-party partners, contractors, and vendors.

Define roles and access

This may seem obvious to some, yet it’s often overlooked. Each user or user group in your organization should have clearly defined roles and access privileges relevant to their needs. For example, your valuable data is left on the table if entry-level employees have carte blanche across your network. Ensure roles and access levels are well-defined and upheld.

Have a straightforward onboarding and offboarding process

Most organizations have a clear and structured onboarding process for registering and bringing users online. Your onboarding process should include clear guidelines for network usage, an understanding of what will happen in the case of a data compromise (deliberate or accidental), where to report issues, and other security measures.

Just as important as onboarding, if not more so, is the offboarding process. Languishing user accounts pose a major security risk: they lie dormant and unmonitored, and no one in the organization will notice if such an account is being used. Ensure swift decommissioning of user accounts when employees leave the organization.

Secure infrastructure

Apply strict access controls to all physical and digital access points across your organization. Use least-privilege access to limit accessibility, as recommended above. Opt for stronger verification measures, including PKI cards or biometrics, particularly in more sensitive business areas. Secure desktops and install gateways to protect your environment from the nodes to the perimeter.

Establish governance procedures

Security requires everyone’s participation, yet organizations need buy-in from key leadership team members and nominated people or a team to hold the reins. Establishing a governance team and well-defined procedures will ensure attention to security risks at all times and save valuable time should a breach occur.

The tools of the trade

“Organizations must be able to address the risks from malicious insiders who intentionally steal sensitive data for personal reasons as well as users who can accidentally expose information due to negligence or simple mistakes.”

Thankfully, you don’t have to do it all alone. With a data-aware insider threat protection solution, you can rest with the peace of mind that you – and your network – are safe.

The post How Can You Identify and Prevent Insider Threats? appeared first on Cybersecurity Insiders.

Going to RSA next week? If you don’t know, it’s a huge cybersecurity conference held at Moscone Center in San Francisco, CA. If you’re going, please stop by the AT&T Cybersecurity booth and check us out. It’s at #6245 in the North Hall. Remember to bring a picture ID for RSA check-in, otherwise you’ll have to go back to your hotel and get it.

The RSA theme this year is “Stronger Together” which sounds like a great plan to me!

The details

So, the details: AT&T Cybersecurity will be at RSA Conference 2023 (San Francisco, April 24-27), in booth 6245 in the North Hall. We’ll have a 10’ digital wall, four demo stations, and a mini theatre for presentations.

What can you expect to see in the AT&T Cybersecurity booth?

The AT&T Cybersecurity booth will be a hub of activity with demo stations, presentations, and other social networking activities. Our goal is to help you address macro challenges in your organization such as:

  • Pro-active and effective threat detection and response
  • Modernizing network security
  • Protecting web applications and APIs
  • Engaging expert guidance on cybersecurity challenges

Demo stations

Come check out our four demo stations, which will provide you with an opportunity to meet and talk with AT&T Cybersecurity pros. Our demos highlight:

  • Managed XDR
  • Network Modernization
  • Web Application and API Security (WAAP)
  • AT&T Cybersecurity Consulting

In-booth mini-theatre

The AT&T Cybersecurity booth includes a mini-theater where you can relax and enjoy presentations every 15 minutes, plus get one of our limited-edition AT&T Cybersecurity mini-backpacks for all of your RSA memorabilia.

Join us for presentations about:

  • 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem

Hot off the press for RSA, the 2023 AT&T Cybersecurity Insights Report is our annual thought leadership research. Learn how seven industries are using edge computing for competitive business advantages, what the perceived risks are, and how security is an integral part of the next generation of computing.

  • The Endpoint Revolution

Understand today’s “endpoint revolution” and the multi-layered preventative and detective controls that should be implemented to secure your organization.

  • Modernizing Network Security

Learn more about the modernization of enterprise security architectures and consolidation of multiple security controls, including those crucial to supporting hybrid work and the migration of apps and data to cloud services.

  • Alien Labs Threat Intelligence

Learn how the AT&T Alien Labs threat intelligence team curates intelligence based on global visibility of indicators of compromise into threats and tactics, techniques, and procedures of cybercriminals.

  • Next Generation Web Application and API Protection (WAAP) Security

Learn how WAAP is expanding to include additional features and how a service provider can help guide you to the right solution. The WAAP market is diverse and includes DDoS protection, bot management, web application protection and API security.

  • Empowering the SOC with Next Generation Tools

Learn how a new era of operations in security and networking is creating more efficiency in the SOC.

Events

Monday, April 24

2023 AT&T Cybersecurity Insights Report: Edge Ecosystem

Report launch – attend a mini-theater presentation for your copy 

Monday, April 24

Cloud Security Alliance Panel: 8:00 AM – 3:00 PM Pacific, Moscone South 301-304
Featuring AT&T Cybersecurity’s Scott Scheppers discussing cybersecurity employee recruitment and retention.

Cloud Security Alliance Mission Critical summit RSAC 2023
(Open to RSA registrants) – All Day

Wednesday, April 26

Happy Hour at the AT&T Booth N624: 4:30 – 6:00 PM Pacific


Join us for networking and refreshments after a long day at the conference.

Wednesday, April 26

Partner Perspectives Track Session: 2:25 – 3:15 PM Pacific, Moscone South 155
Cutting Through the Noise of XDR – Are Service Providers an Answer? Presented by AT&T Cybersecurity’s Rakesh Shah
As you can see, we have an exciting RSA week planned! We look forward to seeing and meeting everyone at the conference!

The post Get ready for RSA 2023: Stronger Together appeared first on Cybersecurity Insiders.

This is the second blog in the series focused on PCI DSS, written by an AT&T Cybersecurity consultant. See the first blog relating to IAM and PCI DSS here.

There are several issues implied in the PCI DSS Standard and its associated Report on Compliance which are rarely addressed in practice. I see this frequently in the penetration and vulnerability test reports that I have had to assess.

Methodology

First off is a methodology which matches the written policies and procedures of the entity seeking the assessment. I frequently see the methodology dictated by the provider, not by the client. As a client you should be asking (possibly different providers) at minimum for:

  • Internal and external network vulnerability testing
  • Internal and external penetration testing for both application and network layers
  • Segmentation testing
  • API penetration testing
  • Web application vulnerability testing

Application

Each of these types of tests then needs to be applied to all appropriate in-scope elements of the cardholder data environment (CDE). Generally, you will provide either a list of URLs or a list of IP addresses to the tester. PCI requires that all publicly reachable assets associated with payment pages be submitted for testing. Because dynamic IP assignment is very common, especially in cloud environments, ensure that you are providing a consistent set of addressing information across quarterly testing orders.

ASV scans

Make sure that the Approved Scanning Vendor (ASV) scans are attested scans, both by you and the ASV, and that the scan report shows enough detail to know what was scanned and the results. The first two summary pages are rarely enough for the assessor to work with, since they may give a quantity of assets scanned and a quantity found, but no specific information on what was scanned.

Report inclusions

You will need to specify to the testing provider that each of the reports must include:

  • The tester’s credentials and training record showing appropriate training within the prior 12 months
  • If it’s an internal resource performing the tests, explain in the report how they are independent of the organization managing the equipment being tested. (Admins report to CIO, testers report to CTO, for instance, although that could mean testers and developers were in the same organization and not necessarily independent).
  • The date of the previous test completion (to prove “at least quarterly” (or annual) execution).
  • The dates of the current test execution.
  • Dates of remediation testing and exactly what it covered, along with a summary of the new results (just rewriting the old results is very difficult for the Qualified Security Assessor (QSA) to recognize at assessment time).
  • All URLs and IP addresses covered, with an explanation of any accommodations made for dynamic DNS assignments such as in cloud platforms, and of any removals from or additions to the inventory since the previous test (deprecated platforms, in-maintenance and therefore undiscovered, cluster additions, etc.). Any assets that were under maintenance during the scheduled test must have a test performed on them as soon as they come back online, or they could languish without testing for substantial periods.
  • Explain any resources, for which results are included in the report, but are not in fact part of the scope of the CDE and therefore may not need the remediations that an in-scope device does need (e.g., printers on CDE-adjacent networks).
  • Explanations of why any issues found, and deemed failures, by the testing are not in fact germane to the overall security posture. (This may be internally generated, rather than part of the test report).
  • Suspected and confirmed security issues that arose during the previous year are listed by the tester in the report with a description as to how the testing confirmed that those issues remain adequately remediated. At a minimum, anything addressed by the Critical Response Team should be included here.
  • Any additional methodology to confirm the PCI requirements (especially for segmentation, and how the testing covered all segmentation methods in use).

PCI DSS 4.0 additions

In future PCI DSS 4.0 assessments, the testers must also prove that their test tools were up to date and capable of mimicking all current and emerging attacks. This does not mean another 100 pages of plugin revisions that a QSA cannot practically compare to anything. A new paradigm for test and system-under-test component revision level validation will have to be developed within the testing industry.

Credentialed internal vulnerability scans are also required by PCI DSS 4.0 requirement 11.3.1.2. This requires creation of the role(s) and privilege(s) to be assigned to the test userID, including a sufficient level of privilege to provide meaningful testing without giving the test account super-user capabilities, per requirement 7. Management must authorize enabling the accounts created for testing, and must validate the role and the credentials every six months. Requirement 8 controls also apply to the credentials created for testing. These include, but are not limited to, 12-character minimum passwords, unique passwords, monitoring of the activity of the associated userID(s), and disabling the account(s) when not in use.

The post PCI DSS reporting details to ensure when contracting quarterly CDE tests appeared first on Cybersecurity Insiders.


Cyber attacks are common occurrences that often make headlines, but the leakage of personal information, particularly credit card data, can have severe consequences for individuals. It is essential to understand the techniques employed by cyber criminals to steal this sensitive information.

Credit card fraud in the United States has been on the rise, with total losses reaching approximately $12.16 billion in 2021, according to Insider Intelligence. Card-Not-Present (CNP) fraud constituted 72% of these losses, with a substantial portion attributed to Chinese fraudsters.

This article discusses the tactics employed by Chinese cyber actors in committing CNP fraud and their value chain.

Chinese fraudsters primarily target the United States for two reasons: the large population makes phishing attacks more effective, and credit card limits in the country are higher compared to other nations. These factors make the US an attractive market for card fraudsters.

Common methods for acquiring card information include phishing, JavaScript injection through website tampering, and stealing data via Trojan horse infections. Phishing is the most prevalent method, and this analysis will focus on phishing tactics and the monetization value chain of stolen credit card information.


Chinese fraudsters have developed extensive ecosystems for their operations. In a card fraud community targeting Japan and the US, over 96,000 users have joined. For 3,000 Chinese yuan in Bitcoin, individuals can enroll in a bootcamp to learn phishing techniques through recorded videos and access resources for creating phishing sites and profiting from stolen credit cards.

According to the community leader, more than 500 students enrolled in the first half of 2022 alone. This leader has made significant profits, receiving 56 BTC over the past three years.

Chinese fraudster ecosystem: actor’s value chain

The value chain of card-not-present fraud is shown in the following picture.

[Image: actor’s value chain]

To carry out these activities, Chinese fraudsters establish a value chain for CNP fraud, starting with setting up a secure environment. They anonymize IDs, falsify IP addresses, change time zones and language settings, alter MAC addresses and device IDs, modify user agents, and clear cookies to evade detection by security researchers and bypass various security measures.


Fraudsters also use residential proxies, which are infected domestic devices, to access targeted websites indirectly and avoid tracking. These proxies can be purchased from online providers, with payments made via stolen credit cards or bitcoin. By selecting the desired IP address, users can access the target site with a fake IP address, making it difficult to trace their activities.

One residential proxy service popular among Chinese fraudsters is “911,” which is built using software distributed under the guise of a free VPN service. Once installed, users are unknowingly transformed into valuable residential proxies for fraudsters without their consent. The service offers locations at city granularity to match the target user’s geographic location.

[Image: 911 fraud tool]

Additionally, fraudsters can select ISP and device fingerprints, such as browser version, operating system, and screen size. This information is usually acquired through phishing, and fraudsters select the ones used by the victims to imitate each victim’s user behavior.

Researchers at Sherbrooke University in Canada recently published an analysis of the “911” service and found that about 120,000 PCs are rented through the service, with the largest number located in the United States. More information about the research can be found at https://gric.recherche.usherbrooke.ca/rpaas/.

Although the “911” service was shut down in July 2022, many new residential proxy providers have emerged, which are now used by Chinese fraudsters.


In-depth analysis: evasion techniques in anti-fraud systems to elude detection

To set up phishing sites, several elements must be in place, including an email database to disseminate phishing emails and a phishing kit to create the phishing site. These elements can be acquired online through various channels. There are two methods to create phishing sites: by tampering with an existing website or by using rented servers or virtual private servers (VPS). The former has the advantage of a high reputation but is often detected and removed quickly. The latter method involves using the server and templates included in the phishing kit to impersonate various companies and brands.

Phishing kit templates are also available on the dark web, covering card companies, payment services, and online banking. These phishing kits incorporate various measures to avoid detection, such as blocking bot access and preparing a blacklist to prevent access from security companies and researchers. Additionally, these phishing kits also attempt to obtain the actual IP addresses of individuals accessing them through proxies, check their geolocation information, and return errors for access from outside China and the US.

Chinese fraudsters use elaborate phishing infrastructures and kits to create phishing sites and deceive users who access them via emails. To avoid being blocked by spam filters or reputation-based blocks, they continuously improve their content and environment. They change their IP addresses while maintaining a clean state and use multiple domain names to spread their risk, ensuring that they can continue phishing even if one domain is blocked.

Moreover, these fraudsters use URL redirect tools to show high-reputation URLs and disguise their phishing URLs as normal ones. If a phishing URL is blocked by email filters, they can use a different URL to continue phishing.

In summary, Chinese fraudsters use sophisticated phishing kits to evade tracking and detection. These phishing kits include anti-fraud features to counteract security researchers and organizations. They continuously improve their content and environment to avoid being blocked by spam filters and reputation-based blocks. They use multiple domain names and change their IP addresses to spread their risk, and they use URL redirect tools to disguise their phishing URLs as normal ones.

Cashing out through popular platforms: TikTok and NFT exploitation

Chinese fraudsters have a value chain that extends from the setup and misuse of cards to the cashing out stage, where they obtain unjust gains.

[Image: monetization process]

There are various methods of cashing out. One method is to directly purchase cryptocurrency or gift cards through websites using stolen credit card information, which is popular for U.S. cards.

Another method is to purchase products on an eCommerce site using stolen credit card information and have a domestic collaborator receive the products. The domestic collaborator then sends the purchased goods to China and obtains money. This method is commonly used in Japan and other Asian countries that are geographically close to China.

In the monetization stage, fraudsters prefer products that can be easily resold, such as home appliances, brand bags, mobile phones, and gift cards.

[Image: monetization approaches]

In the past three years, new methods using TikTok and NFTs have emerged. One method involves purchasing TikTok coins with stolen card information and donating them to malicious influencers. In some cases, the fraudster and the influencer may be the same person, or another person may receive a commission fee. Additionally, NFTs and eBooks are also suitable for money laundering.

It is challenging to distinguish whether the credit card abuser is a fraudster or simply someone who wants to donate to a favorite influencer when donations are made on TikTok.

As a preliminary step to cashing out, fraudsters confirm the credit card limit. They may use methods such as pretending to be the rightful owner (social engineering) and calling the card company’s call center to confirm the limit, disabling the one-time password authentication required for card use, or using other social engineering tactics. However, due to the language barrier, Chinese fraudsters don’t often use this method.

Preventing fraud at the monetization stage: Enhancing security measures

[Image: preventing monetization]

In the value chain of fraud, actors’ roles are divided into three categories: phishers, credit card misusers who misuse credit card information, and monetization dealers who monetize the stolen information. By dividing the roles, they can concentrate on their area of expertise, and even if they are investigated by the police, they can avoid legal sanctions by stating that they merely received something from their friends and are unaware of what is happening.

Dealing with CNP fraud is difficult when focusing on the upstream stages. It is critical to prevent misuse at the monetization stage. Nowadays, man-in-the-middle phishing techniques have become mainstream, and one-time-password (OTP) authentication is no longer sufficient to defend against these attacks. More advanced authentication methods, such as FIDO or passkeys, and more sophisticated machine learning models, will be indispensable soon.

The post Chinese fraudsters: evading detection and monetizing stolen credit card information appeared first on Cybersecurity Insiders.

This is the third blog in the series focused on PCI DSS, written by an AT&T Cybersecurity consultant. See the first blog relating to IAM and PCI DSS here. See the second blog on PCI DSS reporting details to ensure when contracting quarterly CDE tests here.

PCI DSS requires that an “entity” have up to date cardholder data (CHD) flow and networking diagrams to show the networks that CHD travels over.

Googling “enterprise network diagram examples” and “enterprise data flow diagram examples” turns up several example diagrams that you can refine to fit the drawing tools you already use and to best resemble your current architecture.

The network diagrams are best when they include both a human recognizable network name and the IP address range that the network segment uses. This helps assessors to correlate the diagram to the firewall configuration rules or (AWS) security groups (or equivalent).

Each firewall or router within the environment and any management data paths also need to be shown (to the extent that you have control over them).

You must also show (because PCI requires it) the IDS/IPS tools and both transaction logging and overall system logging paths. Authentication, anti-virus, backup, and update mechanisms are other connections that need to be shown. Our customers often create multiple diagrams to reduce the complexity of having everything in one.

Both types of diagrams need to include each possible form of ingestion and propagation of credit card data, and the management or monitoring paths, to the extent that those paths could affect the security of that cardholder data.

Using red to signify unencrypted data, blue to signify data you control the seeding or key generation mechanism for and either decrypt or encrypt (prior to saving or propagation), brown to signify DUKPT (Derived Unique Key per Transaction) channels, and green to signify data you cannot decrypt (such as P2PE) also helps you and us understand the risk associated with various data flows. (The specific colors cited here are not mandatory, but recommendations borne of experience).

As examples:

In the network diagram:

In the web order case, there would be a blue data path from the consumer through your web application firewall and perimeter firewall, to your web servers using standard TLS1.2 encryption, since it is based on your web-site’s certificate.

There may be a red unencrypted path between the web server and order management server/application, then there would be a blue data path from your servers to the payment gateway using encryption negotiated by the gateway. This would start with TLS1.2, which might then use an iFrame to initiate a green data path directly from the payment provider to the consumer to receive the card data, bypassing all your networking and systems. Then there would be a blue return from the payment provider to your payment application with the authorization completion code.

In the data flow diagram:

An extremely useful addition to most data flow diagrams is a numbered sequence of events with the number adjacent to the arrow in the appropriate direction.

In the most basic form that sequence might look like:

  1. Consumer calls into ordering line over POTS line (red – unencrypted)
  2. POTS call is converted to VOIP (blue – encrypted by xxx server/application)
  3. Call manager routes to a free CSR (blue-encrypted)
  4. Order is placed (blue-encrypted)
  5. CSR navigates to payment page within the same web form as a web order would be placed (blue-encrypted, served by the payment gateway API)
  6. CSR takes credit card data and enters it directly into the web form. (blue-encrypted, served by the payment gateway API)
  7. Authorization occurs under the payment gateway’s control.
  8. Authorization success or denial is received from the payment gateway (blue-encrypted under the same session as step 5)
  9. CSR confirms the payment and completes the ordering process.

This same list could form the basis of a procedure for the CSRs for a successful order placement. You will have to add your own steps for how the CSRs must respond if the authorization fails, or the network or payment page goes down.
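As an added illustration (not part of the original post), the script below turns a numbered event sequence like the one above into a Graphviz DOT diagram, colouring each hop with the red/blue/brown/green convention described earlier and listing the unencrypted hops an assessor will ask about. The hop endpoints (POTS gateway, VoIP server, CSR workstation, order management server) and the grey "external" state used for step 7 are assumptions made here for the example.

```python
"""Render a PCI DSS cardholder-data (CHD) flow as a Graphviz DOT graph.

Each step of the numbered event sequence becomes a numbered, coloured edge:
  red   - unencrypted CHD
  blue  - encrypted under keys the entity controls (e.g. its own TLS cert)
  brown - DUKPT channel
  green - encrypted data the entity cannot decrypt (e.g. P2PE)
  gray  - (assumption added here) processing entirely under the payment
          provider's control, with no CHD crossing the entity's network
"""
from dataclasses import dataclass
from typing import List

COLOURS = {
    "unencrypted": "red",
    "controlled": "blue",
    "dukpt": "brown",
    "p2pe": "green",
    "external": "gray",
}


@dataclass(frozen=True)
class Step:
    number: int
    src: str
    dst: str
    state: str  # key into COLOURS
    note: str = ""


# Constructed sample: the phone-order sequence from the post. The endpoint
# names are assumed; the post only names the CSR and the payment gateway.
PHONE_ORDER_FLOW: List[Step] = [
    Step(1, "Consumer", "POTS gateway", "unencrypted", "call over POTS line"),
    Step(2, "POTS gateway", "VoIP server", "controlled", "converted to VoIP"),
    Step(3, "VoIP server", "CSR workstation", "controlled", "routed to free CSR"),
    Step(4, "CSR workstation", "Order management", "controlled", "order placed"),
    Step(5, "CSR workstation", "Payment gateway", "controlled", "payment page via gateway API"),
    Step(6, "CSR workstation", "Payment gateway", "controlled", "card data entered in gateway form"),
    Step(7, "Payment gateway", "Payment gateway", "external", "authorization under gateway control"),
    Step(8, "Payment gateway", "CSR workstation", "controlled", "auth result, same session as step 5"),
    Step(9, "CSR workstation", "Order management", "controlled", "payment confirmed, order completed"),
]


def validate_flow(steps: List[Step]) -> List[str]:
    """Return human-readable problems; an empty list means the flow is consistent."""
    problems = []
    if [s.number for s in steps] != list(range(1, len(steps) + 1)):
        problems.append("step numbers must run 1..N without gaps")
    for s in steps:
        if s.state not in COLOURS:
            problems.append(f"step {s.number}: unknown state {s.state!r}")
    return problems


def unencrypted_hops(steps: List[Step]) -> List[int]:
    """Step numbers where CHD travels in the clear; each needs a justification."""
    return [s.number for s in steps if s.state == "unencrypted"]


def _q(text: str) -> str:
    """Quote a string for use as a DOT identifier or attribute value."""
    return '"' + text.replace('"', r'\"') + '"'


def to_dot(steps: List[Step], title: str) -> str:
    """Build the DOT source for the flow, with a legend of the colour scheme."""
    problems = validate_flow(steps)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "digraph cardholder_data_flow {",
        f"  label={_q(title)};",
        "  rankdir=LR;",
        "  node [shape=box];",
    ]
    for s in steps:
        colour = _q(COLOURS[s.state])
        label = _q(f"{s.number}: {s.note}" if s.note else str(s.number))
        style = ' style="dashed"' if s.state == "external" else ""
        lines.append(
            f"  {_q(s.src)} -> {_q(s.dst)} [label={label} color={colour} fontcolor={colour}{style}];"
        )
    lines.append("  subgraph cluster_legend {")
    lines.append('    label="Legend";')
    for state, colour in COLOURS.items():
        lines.append(f"    {_q('legend_' + state)} [label={_q(state)} fontcolor={_q(colour)} shape=plaintext];")
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(PHONE_ORDER_FLOW, "Phone order: cardholder data flow"))
    print("unencrypted hops to justify to the QSA:", unencrypted_hops(PHONE_ORDER_FLOW))
```

Pipe the output into `dot -Tpng` to render it; the same step list can double as the CSR procedure the post mentions.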

Remember all documentation for PCI requires a date of last review, and notation of by whom it was approved as accurate. Even better is to add a list of changes, or change identifiers and their dates, so that all updates can be traced easily. Also remember that even updates which are subsequently reverted must be documented to ensure they don’t erroneously get re-implemented, or forgotten for some reason, thus becoming permanent.

The post Guidance on network and data flow diagrams for PCI DSS compliance appeared first on Cybersecurity Insiders.


Mobile device management (MDM) refers to a type of software that allows businesses to manage, configure and secure mobile devices used by their employees. Companies use MDM solutions to maintain a secure environment across all the mobile devices they own or have access to, as well as provide features such as remote wipe, password policies, application management and data protection. This helps them ensure security while providing their employees with access to the applications and data they need.

An increasing number of businesses are either accepting that they need MDM or realising that what they have in place is not sufficient. With that in mind, below are ten reasons why MDM is an integral part of doing business in the 21st century.

1. Enhanced security

MDM technology provides an extra layer of security for businesses, protecting them from breaches and data loss. MDM solutions enable secure authentication, access control and encryption for devices, applications and data, which in turn helps to keep sensitive corporate information safe. eSIMs, or embedded SIM cards, can enhance the security of mobile devices even further by allowing businesses to remotely manage and secure their devices.

Improved security is one of the most important reasons why businesses need MDM solutions. With an ever-increasing number of cyber threats, it is essential for companies to take steps to keep their data and systems secure. MDM can help with this.

2. Increased productivity

MDM makes it easier for employees to access the applications and data they need, increasing their productivity and efficiency. By providing them with secure access to the resources they need, MDM solutions help remove the frustration of not being able to do their job due to technical issues or security policies.

The ability to securely access corporate resources from anywhere, at any time, helps boost employee productivity and gives them the freedom they need to work more flexibly.

3. Reduced costs

MDM solutions can help reduce costs in several ways. They enable companies to better manage their mobile devices and applications, which ensures that they are up-to-date with the latest security patches and features. This helps reduce maintenance costs associated with managing outdated equipment.

MDM solutions also make it easier for businesses to deploy new applications, as they don’t have to worry about manually configuring each device. This reduces expensive install times and makes it easier for employees to get started quickly.

4. Improved compliance

MDM solutions help businesses comply with industry standards and regulations. They enable companies to configure devices to meet specific security requirements, as well as monitor and manage mobile devices so that they adhere to corporate policies.

By ensuring that all company devices are configured securely, MDM solutions reduce the risk of data breaches and fines associated with non-compliance. What's more, they can help identify areas where businesses need to improve their compliance processes.

5. Easier troubleshooting

MDM solutions can make it easier for IT administrators to troubleshoot issues on mobile devices. As they give IT teams a centralized view of all connected devices, it’s simple for them to identify any problems quickly and take appropriate action.

This ability to easily monitor employee mobile devices also makes it easier for IT teams to provide support and help employees get back to work faster. Not only does this help reduce the time IT teams need to spend troubleshooting, but it also improves employee satisfaction.

6. Improved user experience

MDM solutions can improve the user experience by providing users with fast, secure access to the applications and data they need. This helps reduce frustration and makes it easier for employees to do their job, which in turn boosts productivity.

MDM solutions also make it easy for companies to deploy new apps and updates remotely, meaning that users always have access to the latest software versions. This ensures that all mobile devices are running optimally and delivers a better overall user experience.

7. Device optimization

MDM solutions enable businesses to optimize individual mobile devices for specific tasks. For example, corporate-owned devices can be configured with the exact set of features needed for each employee’s role, improving their efficiency and reducing costs associated with managing unnecessary features.

Furthermore, MDM solutions can also be used to remotely configure devices for different network settings or regions. This allows businesses to easily manage a fleet of mobile devices in different locations, ensuring that each device is optimized for its specific use case.

8. Improved customer service

MDM solutions can help improve customer service by providing employees with secure access to the applications and data they need when interacting with customers. This helps ensure that customer queries are dealt with promptly and accurately, improving overall customer satisfaction.

The ability to remotely monitor mobile devices also makes it easier for IT teams to proactively identify any issues before they become major problems, further enhancing customer service.

9. Increased visibility and control

MDM solutions enable businesses to gain greater visibility over their mobile devices, allowing them to quickly identify which devices are enrolled, what applications they are running, whether they are encrypted, and when they last checked in.

This, in turn, gives IT teams greater control over their deployments: devices that fall out of compliance can be flagged, restricted, or remediated automatically, ensuring that company-owned devices are used for appropriate purposes and reducing the risk of data breaches.
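The compliance checks described under reasons 4 and 9 above come down to comparing each device's reported state with a policy and deciding what the MDM should do about any gap. The following is an added example, not code from the original post or from any MDM product: it evaluates a constructed device inventory against a baseline and maps each violation to an action. The `Device` and `Policy` fields, the inventory records, and the action names are assumptions chosen for illustration; real MDM APIs expose similar data under product-specific names.

```python
"""Evaluate a constructed MDM device inventory against a security baseline.

Added example; the record layout, policy fields and action names are
assumptions, not any vendor's API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: str          # dotted version string, e.g. "17.2.1"
    encrypted: bool          # storage encryption reported by the device
    passcode_set: bool
    compromised: bool        # jailbroken / rooted
    last_checkin_days: int   # days since the device last contacted the MDM


@dataclass
class Policy:
    min_os: Dict[str, str]   # platform -> minimum acceptable version
    max_checkin_days: int = 7
    require_encryption: bool = True
    require_passcode: bool = True


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically per component: "17.10" > "17.2".
    Non-numeric fragments such as "beta" are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the list of policy violations for one device; empty means compliant."""
    violations: List[str] = []
    if device.compromised:
        violations.append("compromised (jailbroken/rooted)")
    min_os = policy.min_os.get(device.platform)
    if min_os and parse_version(device.os_version) < parse_version(min_os):
        violations.append(f"os_version {device.os_version} < {min_os}")
    if policy.require_encryption and not device.encrypted:
        violations.append("storage not encrypted")
    if policy.require_passcode and not device.passcode_set:
        violations.append("no passcode")
    if device.last_checkin_days > policy.max_checkin_days:
        violations.append(f"stale: {device.last_checkin_days} days since check-in")
    return violations


def recommended_action(violations: List[str]) -> str:
    """Map violations to an MDM action. Action names are illustrative."""
    if not violations:
        return "none"
    if any(v.startswith("compromised") for v in violations):
        # A rooted device cannot be trusted to enforce any other control,
        # so cut its access rather than trying to remediate it.
        return "block-corporate-access+wipe"
    if any(v.startswith("stale") for v in violations):
        # A device that has not checked in may be lost; lock it and
        # notify the owner. A wipe command would only run once it reconnects.
        return "lock+notify"
    return "remediate"   # push the missing configuration or update, then re-check


def compliance_report(devices: List[Device], policy: Policy) -> Dict[str, Tuple[List[str], str]]:
    """device_id -> (violations, action) for the whole inventory."""
    report = {}
    for d in devices:
        violations = evaluate(d, policy)
        report[d.device_id] = (violations, recommended_action(violations))
    return report


# Constructed sample inventory (not real devices) and a sample baseline.
POLICY = Policy(min_os={"ios": "17.0", "android": "13"})
INVENTORY = [
    Device("A1", "ios", "17.2.1", True, True, False, 1),      # compliant
    Device("A2", "ios", "16.7", True, True, False, 2),        # outdated OS
    Device("A3", "android", "14", True, False, True, 2),      # rooted, no passcode
    Device("A4", "android", "13", True, True, False, 30),     # has not checked in
]

if __name__ == "__main__":
    for dev_id, (violations, action) in compliance_report(INVENTORY, POLICY).items():
        print(f"{dev_id}: action={action} violations={violations}")
```

The check-in age matters more than it looks: every MDM action, including a remote wipe, is a command the device fetches when it next connects, so a device that has gone quiet is both the most likely to be lost and the one least able to act on the command. Encryption at rest is what protects the data in the meantime, which is why the baseline requires it rather than relying on the wipe alone.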

10. Reduced costs associated with lost or stolen devices

By using MDM solutions, businesses can remotely lock or wipe any device that is lost or stolen. This prevents unauthorized access to sensitive business data, reducing the cost of potential data breaches or fines associated with non-compliance. Note that a lock or wipe command only takes effect once the device next contacts the MDM server, so the policy should also require storage encryption and a passcode, which protect the data while the device is offline.

What's more, MDM solutions can also help businesses save money by allowing them to manage and monitor their mobile devices remotely, reducing the need for costly onsite visits. Keeping every device on current software versions also reduces the support and incident costs that come from running unpatched devices.

Conclusion

In summary, MDM solutions provide a range of benefits to businesses. From improved compliance and customer service to increased visibility and reduced costs associated with lost or stolen devices, they are an invaluable tool for any business that needs to secure and manage a fleet of mobile devices.

The post 10 Reasons why businesses need mobile device management (MDM) appeared first on Cybersecurity Insiders.