The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Mobile device management (MDM) refers to a type of software that allows businesses to manage, configure and secure mobile devices used by their employees. Companies use MDM solutions to maintain a secure environment across all the mobile devices they own or have access to, as well as provide features such as remote wipe, password policies, application management and data protection. This helps them ensure security while providing their employees with access to the applications and data they need.

An increasing number of businesses are either accepting that they need MDM or realising that what they have in place is not sufficient. With that in mind, below are ten reasons why MDM is an integral part of doing business in the 21st century.

1. Enhanced security

MDM technology provides an extra layer of security for businesses, protecting them from breaches and data loss. MDM solutions enable secure authentication, access control and encryption for devices, applications and data, which in turn helps to keep sensitive corporate information safe. eSIMs, or embedded SIM cards, can enhance the security of mobile devices even further by allowing businesses to remotely manage and secure their devices.

Improved security is one of the most important reasons why businesses need MDM solutions. With an ever-increasing number of cyber threats, it is essential for companies to take steps to keep their data and systems secure. MDM can help with this.

2. Increased productivity

MDM makes it easier for employees to access the applications and data they need, increasing their productivity and efficiency. By providing them with secure access to the resources they need, MDM solutions help remove the frustration of not being able to do their job due to technical issues or security policies.

The ability to securely access corporate resources from anywhere, at any time, helps boost employee productivity and gives them the freedom they need to work more flexibly.

3. Reduced costs

MDM solutions can help reduce costs in several ways. They enable companies to better manage their mobile devices and applications, which helps ensure that they are up to date with the latest security patches and features. This reduces the maintenance costs associated with managing outdated equipment.

MDM solutions also make it easier for businesses to deploy new applications, as they don’t have to worry about manually configuring each device. This reduces expensive install times and makes it easier for employees to get started quickly.

4. Improved compliance

MDM solutions help businesses comply with industry standards and regulations. They enable companies to configure devices to meet specific security requirements, as well as monitor and manage mobile devices so that they adhere to corporate policies.

By ensuring that all company devices are configured securely, MDM solutions reduce the risk of data breaches and fines associated with non-compliance. What's more, they can help identify areas where businesses need to improve their compliance processes.

5. Easier troubleshooting

MDM solutions can make it easier for IT administrators to troubleshoot issues on mobile devices. As they give IT teams a centralized view of all connected devices, it’s simple for them to identify any problems quickly and take appropriate action.

This ability to easily monitor employee mobile devices also makes it easier for IT teams to provide support and help employees get back to work faster. Not only does this help reduce the time IT teams need to spend troubleshooting, but it also improves employee satisfaction.

6. Improved user experience

MDM solutions can improve the user experience by providing users with fast, secure access to the applications and data they need. This helps reduce frustration and makes it easier for employees to do their job, which in turn boosts productivity.

MDM solutions also make it easy for companies to deploy new apps and updates remotely, meaning that users always have access to the latest software versions. This ensures that all mobile devices are running optimally and delivers a better overall user experience.

7. Device optimization

MDM solutions enable businesses to optimize individual mobile devices for specific tasks. For example, corporate-owned devices can be configured with the exact set of features needed for each employee’s role, improving their efficiency and reducing costs associated with managing unnecessary features.

Furthermore, MDM solutions can also be used to remotely configure devices for different network settings or regions. This allows businesses to easily manage a fleet of mobile devices in different locations, ensuring that each device is optimized for its specific use case.

8. Improved customer service

MDM solutions can help improve customer service by providing employees with secure access to the applications and data they need when interacting with customers. This helps ensure that customer queries are dealt with promptly and accurately, improving overall customer satisfaction.

The ability to remotely monitor mobile devices also makes it easier for IT teams to proactively identify any issues before they become major problems, further enhancing customer service.

9. Increased visibility and control

MDM solutions enable businesses to gain greater visibility over their mobile devices, allowing them to quickly identify which devices are connected, what applications they’re running, and how they’re being used.

This, in turn, gives IT teams greater control over their deployments, ensuring that all company-owned devices are used for appropriate purposes and helping to reduce the risk of data breaches.

10. Reduced costs associated with lost or stolen devices

By using MDM solutions, businesses can remotely lock down or wipe any device that is lost or stolen. This prevents unauthorized access to sensitive business data, reducing the cost of potential data breaches or fines associated with non-compliance.

What's more, MDM solutions can also help businesses save money by allowing them to manage and monitor their mobile devices remotely, reducing the need for costly onsite visits. This helps make sure that all devices are kept up-to-date with the latest software versions, helping to reduce repair costs in the long run.

Conclusion

In summary, MDM solutions provide a range of benefits to businesses. From improved compliance and customer service to increased visibility and reduced costs associated with lost or stolen devices, they are an invaluable tool for any business looking to improve its mobile device strategy.

The post 10 Reasons why businesses need mobile device management (MDM) appeared first on Cybersecurity Insiders.


The cloud has revolutionized the way we do business. It has made it possible for us to store and access data from anywhere in the world, and it has also made it possible for us to scale our businesses up or down as needed.

However, the cloud also brings with it new challenges. One of the biggest challenges is just keeping track of all of the data that is stored in the cloud. This can make it difficult to identify and respond to security incidents.

Another challenge is that the cloud is a complex environment. There are many different services and components that can be used in the cloud, and each of these services and components has different types of data stored in different ways. This can make it difficult to identify and respond to security incidents.

Finally, since cloud systems scale up and down far more dynamically than anything we have seen in the past, the data needed to understand the root cause and scope of an incident can disappear in the blink of an eye.

In this blog post, we will discuss the challenges of cloud forensics and incident response, and we will also provide some tips on how to address these challenges.

How to investigate a compromise of a cloud environment

When you are investigating a compromise of a cloud environment, there are a few key steps that you should follow:

  1. Identify the scope of the incident: The first step is to identify the scope of the incident. This means determining which resources were affected and how the data was accessed.
  2. Collect evidence: The next step is to collect evidence. This includes collecting log files, network traffic, metadata, and configuration files.
  3. Analyze the evidence: The next step is to analyze the evidence. This means looking for signs of malicious activity and determining how the data was compromised.
  4. Respond to the incident and contain it: The next step is to respond to the incident. This means taking steps to mitigate the damage and prevent future incidents. For example, with a compromise of an EC2 system in AWS, that may include turning off the system or updating the firewall to block all network traffic, as well as isolating any associated IAM roles by adding a DenyAll policy. Once the incident is contained, you have more time to investigate safely and in detail.
  5. Document the incident: The final step is to document the incident. This includes creating a report that describes the incident, the steps that were taken to respond to the incident, and the lessons that were learned.
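Steps 1 to 3 applied to a suspected EC2 compromise, as an added example that is not code from the original post: credentials taken from an EC2 instance profile appear in CloudTrail as an AssumedRole identity whose session name is the instance ID, so the trail can be filtered to every call made with them and summarised into scope, off-instance credential use and mutating calls. The account ID, role name, IP addresses and records below are all constructed.

```python
"""CloudTrail triage for a suspected EC2 compromise (added example, not from the post).

Credentials taken from an EC2 instance profile show up in CloudTrail as an
AssumedRole identity whose session name is the instance ID, so every call made
with them, on or off the box, can be pulled out of the trail by that ID.
All records, the account ID, role name and IPs below are constructed sample data.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebRole/"  # constructed account and role


def _rec(time, source, name, read_only, ip, session, params=None):
    """Build one constructed CloudTrail record with the fields the triage uses."""
    record = {"eventTime": time, "eventSource": source, "eventName": name,
              "readOnly": read_only, "sourceIPAddress": ip,
              "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN + session}}
    if params:
        record["requestParameters"] = params
    return record


# Constructed trail: instance i-0abc12345def67890 (private IP 10.0.1.23) behaves
# normally, then its credentials are used from 198.51.100.7; plus unrelated noise.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _rec("2023-03-01T10:00:05Z", "s3.amazonaws.com", "GetObject", True, "10.0.1.23",
         "i-0abc12345def67890", {"bucketName": "app-assets-example", "key": "site/index.html"}),
    _rec("2023-03-01T10:02:11Z", "ec2.amazonaws.com", "DescribeInstances", True, "10.0.1.23",
         "i-0abc12345def67890"),
    _rec("2023-03-01T10:41:37Z", "s3.amazonaws.com", "ListBuckets", True, "198.51.100.7",
         "i-0abc12345def67890"),
    _rec("2023-03-01T10:42:02Z", "s3.amazonaws.com", "GetObject", True, "198.51.100.7",
         "i-0abc12345def67890", {"bucketName": "customer-exports-example", "key": "2023/all.csv"}),
    _rec("2023-03-01T10:45:19Z", "iam.amazonaws.com", "CreateUser", False, "198.51.100.7",
         "i-0abc12345def67890", {"userName": "backup-svc"}),
    _rec("2023-03-01T10:50:00Z", "s3.amazonaws.com", "GetObject", True, "10.0.2.44",
         "i-0fff99999aaa00001", {"bucketName": "app-assets-example", "key": "site/app.js"}),
    {"eventTime": "2023-03-01T11:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "readOnly": True, "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def session_instance_id(record: dict) -> Optional[str]:
    """Instance ID carried in an AssumedRole session ARN, or None for other identities."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def is_mutating(record: dict) -> bool:
    """CloudTrail marks reads with readOnly; fall back to the API verb when it is absent."""
    if "readOnly" in record:
        return record["readOnly"] is False
    return not record["eventName"].startswith(("Describe", "List", "Get", "Head"))


def scope_instance(trail_json: str, instance_id: str, instance_ips: List[str]) -> Dict:
    """Summarise every API call made with the instance's role credentials."""
    records = json.loads(trail_json)["Records"]
    mine = sorted((r for r in records if session_instance_id(r) == instance_id),
                  key=lambda r: r["eventTime"])
    # Calls from an IP the instance does not own mean the credentials left the box.
    foreign_ips = sorted({r["sourceIPAddress"] for r in mine
                          if r["sourceIPAddress"] not in instance_ips})
    buckets = sorted({r["requestParameters"]["bucketName"] for r in mine
                      if "bucketName" in r.get("requestParameters", {})})
    return {
        "instance_id": instance_id,
        "event_count": len(mine),
        "first_seen": mine[0]["eventTime"] if mine else None,
        "last_seen": mine[-1]["eventTime"] if mine else None,
        "by_service": dict(Counter(r["eventSource"] for r in mine)),
        "foreign_ips": foreign_ips,
        "credentials_used_off_instance": bool(foreign_ips),
        "mutating_calls": [(r["eventTime"], r["eventName"]) for r in mine if is_mutating(r)],
        "buckets_accessed": buckets,
    }


if __name__ == "__main__":
    print(json.dumps(scope_instance(SAMPLE_CLOUDTRAIL, "i-0abc12345def67890", ["10.0.1.23"]),
                     indent=2))
```

The same filter works on a real trail exported from S3 or queried through Athena, as long as the instance's private and public IPs are passed in so that NAT egress is not misread as credential theft.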

What data can you get access to in the cloud?

Getting access to the data required to perform an investigation and find the root cause is often harder in the cloud than on-prem, because you often find yourself at the mercy of the data the cloud providers have decided to let you access. That said, there are a number of different resources that can be used for cloud forensics, including:

  • AWS EC2: Data you can get includes snapshots of the volumes and memory dumps of the live systems. You can also get the CloudTrail logs associated with the instance.
  • AWS EKS: Data you can get includes audit logs and control plane logs in S3. You can also get the Docker file system, which is normally a layered filesystem using the overlay2 storage driver, and the Docker logs from containers that have been started and stopped.
  • AWS ECS: You can use ECS Exec (aws ecs execute-command) or kubectl exec to grab files from the filesystem and memory.
  • AWS Lambda: You can get CloudTrail logs and previous versions of the Lambda function.
  • Azure Virtual Machines: You can download snapshots of the disks in VHD format.
  • Azure Kubernetes Service: You can use “az aks command invoke” to get live data from the system.
  • Azure Functions: A number of different logs, such as “FunctionAppLogs”.
  • Google Compute Engine: You can access snapshots of the disks, downloading them in VMDK format.
  • Google Kubernetes Engine: You can use kubectl exec to get data from the system.
  • Google Cloud Run: A number of different logs, such as the application logs.

Figure 1: The various data sources in AWS

Tips for cloud forensics and incident response

Here are a few tips for cloud forensics and incident response:

  • Have a plan: The first step is to have an explicit cloud incident response plan. This means having a process in place for identifying and responding to security incidents in each cloud provider, understanding how your team will get access to the data and take the actions they need.
  • Automate ruthlessly: The speed and scale of the cloud means that you don’t have the time to perform steps manually, since the data you need could easily disappear by the time you get round to responding. Use the automation capabilities of the cloud to set up rules ahead of time to execute as many as possible of the steps of your plan without human intervention.
  • Train your staff: The next step is to train your staff on how to identify and respond to security incidents, especially around those issues that are highly cloud centric, like understanding how accesses and logging work.
  • Use cloud-specific tools: The next step is to use the tools that are purpose built to help you to identify, collect, and analyze evidence produced by cloud providers. Simply repurposing what you use in an on-prem world is likely to fail.

If you are interested in learning more about my company, Cado Response, please visit our website or contact us for a free trial.

The post Cloud forensics – An introduction to investigating security incidents in AWS, Azure and GCP appeared first on Cybersecurity Insiders.

AT&T Alien Labs researchers have discovered a new variant of the BlackGuard stealer in the wild, infecting victims through spear-phishing attacks. The malware has evolved since its previous variant and now arrives with new capabilities.

Key takeaways:

  • BlackGuard steals user sensitive information from a wide range of applications and browsers.
  • The malware can hijack crypto wallets copied to clipboard.
  • The new variant is trying to propagate through removable media and shared devices.

Background

BlackGuard stealer is malware-as-a-service sold in underground forums and on Telegram since 2021, when a Russian user posted information about a new malware called BlackGuard. It was offered for $700 for a lifetime licence or $200 monthly, claiming it could collect information from a wide range of applications and browsers.

In November 2022, an update for BlackGuard was announced on Telegram by its developer. Along with the new features, the malware author offers free help with installing the command & control panel. (Figure 1)

Figure 1. Announcement of new malware version in its Telegram channel.

Analysis

When executed, BlackGuard first checks if another instance is running by creating a Mutex.

Then, to ensure it survives a system reboot, the malware adds itself to the “Run” registry key. It also checks whether it is running under a debugger, by measuring TickCount, and whether the current user name belongs to a hardcoded list, to determine whether it is running in a malware sandbox environment. (Figure 2)

Figure 2. Malware will avoid execution if running under specific user names.

Now all is ready for stealing the user’s sensitive data. It collects the stolen information in a main folder, with each type of data stored in its own subfolder, such as Browsers, Files, Telegram, etc. (Figure 3)

Figure 3. BlackGuard main folder with stolen data divided into folders.

When it finishes collecting sensitive data, the malware will zip the main folder using the password “xNET3301LIVE” and send it to its command & control. (Figure 4)

Figure 4. Zipping exfiltrated data with password and uploading to command & control.

Browser data stealing

Along with collecting cookies, history and downloads from different browsers, BlackGuard also looks for the existence of specific files and folders of different browsers, including “Login Data”, AutoFill, History and Downloads. (Figure 5)

Figure 5. Collecting browser information.

Below is the list of browsers BlackGuard is looking for:

Chromium, Chrome, ChromePlus, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Sleipnir5, Citrio, Coowon, liebao, QIP Surf, Orbitum, Comodo Dragon, Amigo, Torch, Comodo, 360Browser, Maxthon3, K-Melon, Sputnik, Nichrome, CocCoc, Uran, Chromodo, Opera, Brave-Browser, Edge, Edge Beta, OperaGX, CryptoTab browser.

In addition, the malware steals the data of cryptocurrency add-ons for the Chrome, Edge, and Edge Beta browsers. It supports the add-ons listed below by looking for their hardcoded installation folder path under “Microsoft\Edge\User Data\Default\Local Extension Settings”. For example, the specific folder for “Terra Station” is “ajkhoeiiokighlmdnlakpjfoobnjinie”. BlackGuard looks for the following Edge/Edge Beta add-ons:

Auvitas, Math, Metamask, MTV, Rabet, Ronin, Yoroi, Zilpay, Exodus, Terra Station, Jaxx.

For Chrome it looks for these add-ons:

Binance, Bitapp, Coin98, Equal, Guild, Iconex, Math, Mobox, Phantom, Tron, XinPay, Ton, Metamask, Sollet, Slope, Starcoin, Swash, Finnie, Keplr, Crocobit, Oxygen, Nifty, Keplr, Forbole X, Slope Wallet, Nabox Wallet, ONTO Wallet, Goby, FINX, Ale, Sender Wallet, Leap Wallet, Infinity Wallet, Zecrey, Maiar Wallet, Flint Wallet, Liquality.

Cryptocurrency

The malware also steals cryptocurrency wallets. It copies the wallet directory of each of the following wallets and sends it to its command & control:

Zcash, Armory, Jaxx Liberty, Exodus, Ethereum, Electrum, Atomic, Guarda, Zap, Binance, Atomic, Frame, Solar wallet, Token Pocket, Infinity.

It will also query the registry for the installation path of “Dash” and “Litecoin” keys and do the same.

Messaging and gaming applications

BlackGuard supports stealing from a wide range of messaging applications. For some of them, such as Telegram, Discord and Pidgin, the malware has a specific handler. For Discord, for example, it copies all data from the following folders under the Application Data folder, which store the Discord tokens: “Discord\Local Storage\leveldb”, “Discord PTB\Local Storage\leveldb”, “Discord Canary\leveldb”. In addition, it copies all strings from files with the extensions “.txt” and “.ldb” that match Discord’s token regular expression. (Figure 6)

Figure 6. Stealing Discord’s tokens and data.

Below is the list of messaging and gaming applications the malware looks to steal sensitive information from:

Discord, Telegram, Tox, Element, Miranda NG, Signal, Adamant-IM, Wire, WhatsApp, Vipole, Proxifier, Steam, Pidgin, Battle.net.

Outlook, FTP, VPN, and other applications

BlackGuard steals login data and other sensitive information from additional communication programs. For email applications, the malware queries specific Outlook registry keys under the HKEY_CURRENT_USER hive to extract user, password and server information. (Figure 7)

Figure 7. Exfiltration of Outlook stored information.

The malware also handles different FTP and VPN applications to extract stored users and passwords. For example, for NordVPN, the malware searches for the application’s folder and, if found, parses all user.config files to extract the users and passwords. (Figure 8)

Figure 8. Exfiltrating NordVPN information.

In addition to Outlook and NordVPN, BlackGuard also steals information from WinSCP, FileZilla, OpenVPN, ProtonVPN and Total Commander.

Other data collected

The malware also collects information about the machine, such as the anti-virus software installed, external IP address, localization, file system information, OS and more.

New BlackGuard features

Crypto wallet hijacking

In addition to stealing crypto wallets saved or installed on the infected machine, BlackGuard hijacks cryptocurrency addresses copied to the clipboard (for example with CTRL+C) and replaces them with the threat actor’s address. This can cause a victim to send crypto assets to the attacker without noticing when trying to transfer or pay to another wallet. It is done by tracking any content copied to the clipboard and matching it against regular expressions for the address formats of different cryptocurrencies. (Figure 9)

Figure 9. Specific regex to search in clipboard for listed coins.

Once there is a match, the malware will query its command and control for the alternative wallet and replace it in the clipboard instead of the one that was copied by the user. The malware supports hijacking the popular crypto assets below:

BTC (Bitcoin), ETH (Ethereum), XMR (Monero), XLM (Stellar), XRP (Ripple), LTC (Litecoin), NEC (Nectar), BCH (Bitcoin Cash), DASH.

Propagate through shared / removable devices

Although Windows has restricted this feature to CD-ROM drives since Windows 7, the malware copies itself to each available drive together with an “autorun.inf” file that points to the malware so that it executes automatically. This includes removable and shared drives. For example, if an infected USB device is connected to an old version of Windows, the malware will be executed automatically and infect the machine. (Figure 10)

Figure 10. Propagate to all available drives.
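A triage check for this propagation behaviour, added here as an example and not code from the Alien Labs report: it parses the autorun.inf found at a drive root, resolves the program the open/shellexecute directive would launch, hashes it and compares the hash against known-bad values. The KNOWN_BAD_SHA256 set holds the hash from the report's indicator table; the drive layout, file names and placeholder payload built in run_demo() are constructed.

```python
"""Triage of autorun.inf propagation (added example, not from the Alien Labs report).

BlackGuard drops a copy of itself on every drive together with an autorun.inf
that points at the copy. This parses the autorun.inf at a drive root, resolves
the program it would launch, hashes it and compares the hash with known-bad
values. KNOWN_BAD_SHA256 holds the report's IOC; the drive built in run_demo()
is constructed and its "payload" is a harmless placeholder.
"""
import configparser
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# SHA-256 of the BlackGuard sample from the report's indicator table.
KNOWN_BAD_SHA256 = {
    "88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3",
}
LAUNCH_KEYS = ("open", "shellexecute")  # directives that start a program
DEMO_PAYLOAD = b"MZ constructed placeholder, not an executable"


def parse_autorun(inf_path: Path) -> Dict[str, str]:
    """Return {directive: program} for the launch directives in an autorun.inf.

    The file is INI-style. Windows treats the section name case-insensitively,
    so every section is compared in lower case rather than requiring "[autorun]".
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(inf_path.read_text(encoding="utf-8", errors="replace"))
    except configparser.Error:
        return {}
    targets: Dict[str, str] = {}
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key in LAUNCH_KEYS:
            tokens = parser.get(section, key, fallback="").split()
            if tokens:
                targets[key] = tokens[0]  # the program; anything after it is arguments
    return targets


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_autorun(root: Path) -> Optional[Path]:
    """Locate autorun.inf regardless of case (FAT volumes are case-insensitive)."""
    if not root.is_dir():
        return None
    return next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)


def scan_drive_root(root: Path, known_bad=KNOWN_BAD_SHA256) -> List[Dict]:
    """One finding per launch directive in the drive root's autorun.inf."""
    findings: List[Dict] = []
    inf = find_autorun(root)
    if inf is None:
        return findings
    for directive, program in parse_autorun(inf).items():
        # autorun.inf paths are relative to the drive root and use backslashes.
        parts = program.replace("\\", "/").strip("/").split("/")
        target = root.joinpath(*parts)
        digest = sha256_of(target) if target.is_file() else None
        findings.append({
            "autorun": str(inf),
            "directive": directive,
            "program": program,
            "target_exists": digest is not None,
            "sha256": digest,
            "known_bad": digest in known_bad,
        })
    return findings


def demo_expected_sha256() -> str:
    return hashlib.sha256(DEMO_PAYLOAD).hexdigest()


def run_demo() -> Dict[str, List[Dict]]:
    """Build a constructed removable-drive layout and scan it, plus a clean control."""
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp) / "usb"
        usb.mkdir()
        (usb / "AUTORUN.INF").write_text(
            "[AutoRun]\nopen=kz9q2.exe /s\nicon=kz9q2.exe\naction=Open folder to view files\n")
        (usb / "kz9q2.exe").write_bytes(DEMO_PAYLOAD)
        clean = Path(tmp) / "clean"
        clean.mkdir()
        return {"usb": scan_drive_root(usb), "clean": scan_drive_root(clean)}


if __name__ == "__main__":
    for finding in run_demo()["usb"]:
        print(finding)
```

On a live host, pass each mounted drive root to scan_drive_root; any autorun.inf that launches a program on a non-optical drive is worth a look even when the hash is not on the known-bad list, since only the single sample from the report is listed.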

Download and execute additional malware with process injection

The new variant of BlackGuard downloads and executes additional malware from its command & control. The newly downloaded malware is injected and executed using the “Process Hollowing” method. With that, the malware runs under a legitimate/whitelisted process, which can make detection more difficult. (Figure 11)

Figure 11. Download and execute additional malware using process injection.

The targeted process is RegAsm.exe from the .NET runtime directory (C:\Windows\Microsoft.NET\Framework64\<runtime_version>\RegAsm.exe).

Massive malware duplication

The malware copies itself recursively into every folder on the C: drive, generating a random file name for each copy. This behaviour is not common for malware and is mostly a nuisance, as the malware gains no advantage from it.

Persistence

The malware achieves persistence across system reboots by adding itself under the “Run” registry key. (Figure 12)

Figure 12. Setting registry persistence.

Documents – stealing activity

The malware searches for, and sends to its command and control, all documents ending with the extensions “.txt”, “.config”, “.docx”, “.doc” and “.rdp” in the user folders (including subdirectories): “Desktop”, “My Documents” and the UserProfile folder.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035716: ET TROJAN BlackGuard_v2 Data Exfiltration Observed

2035398: ET TROJAN MSIL/BlackGuard Stealer Exfil Activity

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE | INDICATOR | DESCRIPTION
IP ADDRESS | http://23[.]83.114.131 | Malware command & control
SHA256 | 88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3 | Malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0001: Initial Access
    • T1091: Replication Through Removable Media
  • TA0002: Execution
    • T1106: Native API
    • T1047: Windows Management Instrumentation
  • TA0003: Persistence
    • T1547.001: Registry Run Keys / Startup Folder
  • TA0005: Defense Evasion
    • T1027: Obfuscated Files or Information
  • TA0006: Credential Access
    • T1003: OS Credential Dumping
    • T1539: Steal Web Session Cookie
    • T1528: Steal Application Access Token
    • T1552: Unsecured Credentials
      • .001: Credentials In Files
      • .002: Credentials In Registry
  • TA0007: Discovery
    • T1010: Application Window Discovery
    • T1622: Debugger Evasion
    • T1083: File and Directory Discovery
    • T1057: Process Discovery
    • T1012: Query Registry
    • T1082: System Information Discovery
    • T1497: Virtualization/Sandbox Evasion
  • TA0008: Lateral Movement
    • T1091: Replication Through Removable Media
  • TA0009: Collection
    • T1115: Clipboard Data
    • T1213: Data from Information Repositories
    • T1005: Data from Local System
  • TA0011: Command and Control
    • T1071: Application Layer Protocol
    • T1105: Ingress Tool Transfer
  • TA0010: Exfiltration
    • T1020: Automated Exfiltration

The post BlackGuard stealer extends its capabilities in new variant appeared first on Cybersecurity Insiders.


What is an e-mail?

E-mail, also referred to as electronic mail, is an internet service which allows people and digital services to transmit messages (letters) in electronic form across the Internet. To send and receive an e-mail message, an individual or service needs an e-mail address, which is generally in the format emailaddress@domain.com. E-mail is a more reliable, fast and inexpensive form of messaging in both personal and professional environments.

What are e-mail headers?

E-mail headers are metadata attached to every email sent or received across the internet; they contain important information required for the delivery of emails, such as:

  • Sender’s IP address
  • Server the email came through
  • Domain the email originated from
  • SPF (Sender Policy Framework)
  • DKIM
  • DMARC
  • Time the email message was sent and received
  • Other important information required to validate the authenticity of the email received

Using E-mail header analysis, users can identify if an e-mail is legitimate or a scam. To view email headers in most clients, you can right click on the message and choose “show original” or “view-source.”

Metadata

Now, let us understand the terms related to metadata: what it is and why the metadata associated with email communications is so important.

Metadata: Metadata is kind of data which provides information about the other data. For example: Email headers provide information about email communication.

SPF: Sender Policy Framework is a DNS record used as an authentication mechanism for email. SPF is a TXT record configured in the domain’s DNS records, containing the IP addresses and domain names that are authorised to send emails for that domain. The recipient can check the SPF result in the email headers to verify that the email originated from one of those IP addresses or domain names.

DKIM: DomainKeys Identified Mail is a cryptographic method that uses a digital signature to sign and verify emails. This allows the receiver’s mail server to verify that the email was sent by an authenticated user or owner of the domain. When an email is sent from a DKIM-configured domain, a hash of the email is generated and signed with a private key held by the sender. The recipient recomputes the hash of the received content and checks it against the signature, verifying that the email was not manipulated or tampered with.

DMARC: Domain-based Message Authentication, Reporting and Conformance is an email standard used to protect email senders and recipients from spam and spoofing. DMARC indicates that an email is protected by SPF and DKIM as well. If SPF or DKIM fails to match the records, DMARC provides options such as quarantining or rejecting the message. To configure DMARC in DNS, SPF and DKIM configuration is mandatory.

Message ID: Message ID is a unique mail identifier for each email received; every email will have a unique Message ID.
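The header analysis described above, carried out in code as an added example that is not part of the original post: the Received chain is walked back to the originating server and IP, the Message-ID is pulled out, the SPF/DKIM/DMARC verdicts are read from the Authentication-Results header that the receiving server adds, and the From domain is compared with the Return-Path and DKIM signing domains. The raw message is constructed; every host, domain, address and IP in it is made up.

```python
"""Header analysis of a raw e-mail (added example, not part of the original post).

Extracts the Received chain (originating server and IP), Message-ID, the
SPF/DKIM/DMARC verdicts the receiving server recorded in Authentication-Results,
and whether the From domain is aligned with the Return-Path (SPF) and DKIM
signing domains. The message below is constructed; all names in it are made up.
"""
import re
from email import message_from_string, policy
from typing import Dict, List, Optional

SAMPLE_RAW_EMAIL = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mail.example.com with ESMTPS id x1 for <victim@example.com>;
    Tue, 07 Mar 2023 09:15:02 +0000
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.23])
    by mx1.example.com with ESMTP id y2;
    Tue, 07 Mar 2023 09:15:01 +0000
Authentication-Results: mx1.example.com;
    spf=pass smtp.mailfrom=bulk-sender.example;
    dkim=pass header.d=bulk-sender.example;
    dmarc=fail header.from=bank-example.com
Return-Path: <bounce@bulk-sender.example>
From: "Bank Example Security" <alerts@bank-example.com>
Subject: Your account needs verification
Message-ID: <20230307091500.ab12cd@bulk-sender.example>
Date: Tue, 07 Mar 2023 09:14:58 +0000

Constructed body text.
"""

_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
_DKIM_DOMAIN = re.compile(r"header\.d=([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(address: str) -> Optional[str]:
    match = re.search(r"@([A-Za-z0-9.-]+)", address or "")
    return match.group(1).lower() if match else None


def received_hops(msg) -> List[Dict[str, Optional[str]]]:
    """Received headers oldest first, so hops[0] is the server that handed the mail in."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ip = _IPV4.search(text)
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None})
    return hops


def analyze(raw: str) -> Dict:
    msg = message_from_string(raw, policy=policy.default)
    auth_text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    auth = {m.lower(): v.lower() for m, v in _VERDICT.findall(auth_text)}
    dkim_match = _DKIM_DOMAIN.search(auth_text)
    dkim_domain = dkim_match.group(1).lower() if dkim_match else None
    hops = received_hops(msg)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))

    warnings = []
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method)
        if verdict is None:
            warnings.append(f"no {method} result recorded by the receiving server")
        elif verdict != "pass":
            warnings.append(f"{method} result is {verdict}")
    # SPF and DKIM can pass for the real sending domain while the visible From is
    # spoofed; alignment with the From domain is what DMARC actually checks.
    if return_path_domain and from_domain and return_path_domain != from_domain:
        warnings.append("Return-Path domain differs from From domain (SPF not aligned)")
    if dkim_domain and from_domain and dkim_domain != from_domain:
        warnings.append("DKIM d= domain differs from From domain (DKIM not aligned)")

    return {
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "date": str(msg.get("Date", "")).strip(),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "dkim_domain": dkim_domain,
        "hops": hops,
        "origin_server": hops[0]["from"] if hops else None,
        "origin_ip": hops[0]["ip"] if hops else None,
        "auth": auth,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RAW_EMAIL).items():
        print(f"{key}: {value}")
```

Only Received and Authentication-Results lines added by your own mail servers can be trusted; anything below them in the chain was written by the sender and can be forged.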

E-mail header analysis has been used in criminal investigations to track down suspects and in civil litigation to prove the authenticity of emails. It is also used by businesses to combat modern-day email attacks such as email spoofing.

There are various tools available for email header analysis, however, free tools may have limited capabilities.

The post E-mail header analysis appeared first on Cybersecurity Insiders.


“While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.” This quote by Dr. Chase Cunningham from his book, “Cyber Warfare – Truth, Tactics, and Strategies,” seems a fitting way to begin the topic of cybersecurity battlegrounds.

Regardless of the techniques used, going big, expensive, and glossy – while potentially useful – doesn’t replace the need for a well-reasoned approach to securing assets founded on traditional activities and principles. Innumerable assets are housed behind APIs, and the widespread use of APIs means they are high-profile targets. Securing them is of the utmost importance.

Two historical books came to mind for this topic:

  • Art of War, by Sun Tzu
  • Book of Five Rings, by Miyamoto Musashi

I chose these two due to their applicability to the topic (oddly enough because they are less specific to modern security – something about their antiquity allows for a broader application).

After revisiting the books, I decided to take Musashi’s five (5) principles (scrolls; Earth, Water, Fire, Wind, and Void) and match them as best as possible with 5 of the numerous teachings from Sun Tzu. I then applied them to securing APIs in the growing cybersecurity arena where there are an increasing number of threat actors.

Earth

Musashi’s focus in the Earth Scroll is seeing the bigger picture. Practitioners need to know the landscape or the 30,000 ft view. Sun Tzu said, “The supreme art of war is to subdue the enemy without fighting.”

How to Apply

One needs to understand the nature of API attacks and attackers in securing APIs. One example of a common exploit category is Security Misconfiguration.

Some fundamental API security activities that can prevent attacks before they even get started include following an SDLC, implementing access control, deploying some form of edge protection, using continuous monitoring and alerting, and using appropriate architecture and design patterns.

API attackers are ruthless and relentless. Most criminals want an easy win and using good defense will fend off a high percentage of attacks.

Encryption is a must, both in transit and at rest. The enemy can be thwarted by not being able to use what was stolen.

WATER

It’s important to be experienced and flexible – or fluid – on an individual level, and that includes one’s role in the company. Sun Tzu said, “Be flexible.”

How to Apply

Gathering cyber threat intelligence (CTI) makes it possible to adapt to changing threats in real time. Intelligence gathering, even using Contextual Machine Learning (CML), means that one doesn’t depend on past information, hearsay, rumors, or peer information. Rely on as much clear, relevant, and current information as possible about threats and risks for one’s own company.

In addition to CTI, focus on a well-designed and tested incident response plan.

Intelligence and responding to incidents go a long way toward making company security agile and adaptable.

FIRE

The Fire aspect is about the actual use of the weapons (tools) on the battlefield. Sun Tzu said, “The enlightened ruler lays his plans well ahead; the good general cultivates his resources.”

Now that the proper foundations have been built, it’s time to use the API tools that have been implemented.

How to Apply

Manage and maintain the API resources and identify the strengths and weaknesses of the API system, ensuring secure authentication and authorization methods for API access.

Also, set fire to vulnerabilities through regular security testing. This should include vulnerability scanning and pentesting, if not red/blue/purple teaming, or even something like Chaos Monkey to test uptime (an oft-overlooked aspect of API security).

Wind

This is also interpreted as “Style.” Here, the goal is to study (not just passively observe) opponents. Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

How to Apply

For the modern day, we’ll expand this to studying how other companies have dealt with cybercrime and cyberattacks. One will improve by studying others based on facets such as industry, regulations, and org size.

It's easy for a company to a) think it's alone or b) believe it does better than anyone. This can lead to isolation. Org leaders have every reason to set their org apart – distinction is a major component in having a chance at creating a profitable, if not lasting, business. But there aren't all that many ways to uniquely secure a business – phishing is phishing whether against an international enterprise or a local coffee shop; an API for a fintech org is much the same as an API for an ice cream shop (the architectures available come in only a few flavors) – many people can use it and abuse it.

Intelligence sharing with other companies can be helpful in creating a secure community.

VOID

The idea here – also called Emptiness – is understood as “no mind.” This doesn’t mean that no brain activity is involved, but points more to intuition, awareness, and acting on instinct. Action doesn’t always require thinking things through, getting input from others, and planning something. Some things – whether by natural inclination or by training – are just second nature.

Sun Tzu said, “Utilize your strengths.”

How to Apply

Play to your strengths: individual, departmental, corporate. There’s no one else like you or your company.

Leverage the strengths of your API resources to enhance security. Make sure you know your tools in and out. Often, they’re expensive and very likely, they’re not used to full capacity.

Focus on continuous learning and improvement. This requires a team of individuals who work well together and are independently passionate about defending data.

This intuitiveness is not based on industry, spreadsheets, or data analysis but depends on relevant stakeholders' individual and collective expertise. Often, it will be addressing many fronts at once, such as improved IR, developer training, choosing a platform that provides numerous API protections (while also avoiding a single point of failure), getting legal and compliance teams to determine next steps in the privacy regulation landscape, and performing regular incident response and disaster recovery exercises.

Epilogue

To paraphrase the classic ending of many of Musashi’s teachings, these ideas should be given careful and thorough reflection.

The post API security: the new security battleground appeared first on Cybersecurity Insiders.

This is the first of a series of consultant-written blogs around PCI DSS.

Many organizations have multiple IAM schemes that they forget about when it comes to a robust compliance framework such as PCI DSS.

There are, at minimum, two schemes that need to be reviewed, but consider if you have more from this potential, and probably incomplete, list:

  • Cloud service master account management: AWS (Amazon Web Services), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Architecture (OCA)
  • Name Service Registrars (e.g., GoDaddy, Network Solutions)
  • DNS service (e.g., Akamai, CloudFront)
  • Certificate providers (e.g., Entrust, DigiCert)
  • IaaS (Infrastructure as a Service) and SaaS (Software as a Service) accounts (e.g., Digital Realty, Equinix, Splunk, USM Anywhere (USMA), Rapid7)
  • Servers and networking gear administrative account management (firewalls, routers, VPN, WAF, load balancer, DDoS prevention, SIEM, database, Wi-Fi)
  • Internal user account management (Active Directory, LDAP or equivalent, third parties who may act as staff augmentation or maintenance and repair services, and API accesses)
  • Consumer account management (often self-managed in a separate database using a different set of encryption, tools, and privileges or capabilities from staff logins)
  • PCI DSS v4.0 expands the requirement to all system, automated access, credentialed testing, and API interfaces, so those need to be considered too.

Bottom line: in whatever fashion someone or something validates their authorization to use the device, service, or application, that authorization must be mapped to the role and privileges afforded to that actor. The goal is to ensure that each is provisioned with the least privilege needed to complete its or their intended function(s) and can be held accountable for their actions.

As many of the devices as possible should be integrated into a common schema, since having multiple devices with local only admin accounts is a recipe for disaster.

If privilege escalation is possible from within an already-authenticated account, the mechanism by which that occurs must be thoroughly documented and monitored (logged) too.

PCI DSS Requirement 7 asks the assessor to review the roles and access privileges and groupings that individuals could be assigned to, and that those individuals are specifically authorized to have those access rights and roles. This covers both physical and logical access.

Requirement 9 asks specifically about business-based need and authorization for visitors gaining physical access to any sensitive areas. Frequent visitors such as janitors and HVAC maintenance must be remembered when writing policy and procedures and when conferring access rights for physical access.

Requirement 8 then asks the assessor to put together the roles, privileges, and assignments with actual current staff members, and to validate that the privileges those staff currently have, were authorized, and match the authorized privileges. This is one of the few for-ever requirements of PCI DSS, so if paperwork conferring and authorizing access for any individuals or automation has been lost, it must be re-created to show authorization of the current access rights and privileges.

PCI DSS v4.0 requires much more scrutiny of APIs – which are a growing aspect of application programming. The design engineers need to ensure that APIs and automated processes are given, or acquire, their own specific, unique, authorization credentials, and the interface has session control characteristics that are well-planned, documented, and managed using the same schema created for Requirement 7. Cross-session data pollution and/or capture must be prevented. If the API is distributed as a commercial off-the-shelf (COTS) product, it cannot have default credentials programmed in, but the installation process must ask for, or create and store appropriately, strong credentials for management and use.

Requirements 1 and 6 both impact role and privilege assignments also, where separation of duties between development and production in both networking and code deployment is becoming blurred in today’s DevSecOps and agile world. However, PCI’s standard remains strict and requires such separations, challenging very small operations. The intent is that no one person (or login ID) should have end-to-end control of anything, and no one should be reviewing or QA’ing and authorizing their own work. This might mean a small organization needs to contract one or more reviewers¹ if there's one person doing development and the other doing deployment.

Even in larger organizations where developers sometimes need access to live production environments to diagnose specific failures, they must not be using the same login ID as they use for development. Organizations could choose asmith as the developer role and andys as the administrative login ID for the same person, to ensure privilege escalations are deliberately bounded and easily trackable (per requirement 10). Also, no-one should ever be using elevated privileges to perform their day-to-day job; elevations should always be used for point tasks and dropped as soon as they are no longer needed.

Next, third parties allowed into your cardholder data environment (CDE) – for maintenance purposes for instance – must always be specifically authorized to be there (physically or logically) and monitored while they are there. Most SIEM tools these days monitor everything indiscriminately, but PCI also says their access must be cut off as soon as it is no longer needed.

That might mean time-bounding their logical access, and it does mean escorting them while they are present. Staff must also be empowered and encouraged to challenge people with no badge, or no escort, and to escort them out of any sensitive area until their escort can be reunited with them. If your staff has access to customer premises where PCI-sensitive data is present (either physically or logically), they must conduct themselves in like manner.

PCI DSS v4.0 also adds a requirement that any normally automated process that can be used interactively (e.g. for debugging) must log any of the interactive usage that occurs, with the appropriate individual’s attribution.

Lastly, PCI DSS 4.0 adds credentialed testing using high access privileges for requirement 11 (although not necessarily administrative privilege), which requires those credentials to be designed into the overall requirement 7 schema and subjected to the requirement 8 restrictions and constraints.
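The reconciliation the post describes for Requirements 7 and 8 (live privileges checked against the authorized role, lost paperwork treated as no authorization, time-bounded third-party access, one login ID never spanning development and production, and interactive use of automation attributed in logs) can be scripted once the account export and the authorization register are in machine-readable form. The following is an added example written for this page, not code from the post or from the PCI SSC; the role names, privilege strings, login IDs and the authorization register are constructed sample data, and the field names on the account export are an assumption about how such an export might look.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Requirement 7 schema: the privileges each approved role may hold.
# Constructed sample data for this example, not taken from the post.
ROLE_PRIVILEGES = {
    "developer":    {"git:push", "ci:run"},
    "prod-admin":   {"ssh:prod", "deploy:prod"},
    "api-service":  {"api:read", "api:write"},
    "vendor-maint": {"ssh:prod"},
}


@dataclass
class Authorization:
    """The paperwork that confers a role on a login ID (Requirement 8 evidence)."""
    role: str
    approved_by: str
    expires: Optional[date] = None      # third-party access is time-bounded


@dataclass
class Account:
    """One login ID as exported from a directory or device (constructed field set)."""
    login: str
    owner: str                          # the person or system behind the ID
    privileges: set
    interactive: bool = False           # usable at a console or shell?
    interactive_logged: bool = False    # is that interactive use attributed in logs?
    enabled: bool = True


def reconcile(accounts, authorizations, today):
    """Compare live privileges with authorized ones; return 'login: finding' strings."""
    dev, prod = ROLE_PRIVILEGES["developer"], ROLE_PRIVILEGES["prod-admin"]
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        auth = authorizations.get(acct.login)
        if auth is None:
            # Lost paperwork must be re-created; until then nothing is authorized.
            findings.append(f"{acct.login}: no authorization record on file")
            approved = set()
        else:
            approved = ROLE_PRIVILEGES.get(auth.role, set())
            if auth.expires is not None and auth.expires < today:
                findings.append(f"{acct.login}: {auth.role} access expired {auth.expires}, still enabled")
        extra = acct.privileges - approved
        if extra:
            findings.append(f"{acct.login}: privileges outside authorized role: {sorted(extra)}")
        # Separation of duties: one login ID must not span development and production.
        if acct.privileges & dev and acct.privileges & prod:
            findings.append(f"{acct.login}: single login ID spans development and production")
        # Automation that can be used interactively must attribute that use in the logs.
        if acct.interactive and not acct.interactive_logged:
            findings.append(f"{acct.login}: interactive use possible but not logged with attribution")
    return findings


def flagged_logins(accounts, authorizations, today):
    """Set of login IDs with at least one finding."""
    return {f.split(":", 1)[0] for f in reconcile(accounts, authorizations, today)}


# Constructed export and register. 'asmith'/'andys' mirror the post's split-ID pattern.
TODAY = date(2023, 6, 1)
ACCOUNTS = [
    Account("asmith", "Andy Smith", {"git:push", "ci:run"}),
    Account("andys", "Andy Smith", {"ssh:prod", "deploy:prod"}, interactive=True, interactive_logged=True),
    Account("jdoe", "Jane Doe", {"git:push", "deploy:prod"}),
    Account("svc-orders-api", "orders service", {"api:read", "api:write"}, interactive=True),
    Account("hvac-vendor", "Acme HVAC", {"ssh:prod"}),
    Account("old-contractor", "unknown", {"ssh:prod"}),
]
AUTHORIZATIONS = {
    "asmith": Authorization("developer", "cto"),
    "andys": Authorization("prod-admin", "cto"),
    "jdoe": Authorization("developer", "eng-manager"),
    "svc-orders-api": Authorization("api-service", "platform-lead"),
    "hvac-vendor": Authorization("vendor-maint", "facilities", expires=date(2023, 3, 31)),
}

if __name__ == "__main__":
    for line in reconcile(ACCOUNTS, AUTHORIZATIONS, TODAY):
        print(line)
```

Run as-is, the two correctly separated IDs for Andy Smith produce no findings; the contractor with no paperwork, the expired HVAC vendor, the service account with an unlogged debug shell, and the developer holding a production deploy privilege under the same ID each do. The output is the list an assessor would expect the organization to have already worked through.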

¹ Reviewers are secure-code reviewers and security-trained functional QA staff.

The post Identity and Access Management (IAM) in Payment Card Industry (PCI) Data Security Standard (DSS) environments. appeared first on Cybersecurity Insiders.

If cyber threats feel like faceless intruders, you’re only considering a fraction of the risk. Insider threats pose a challenge for organizations, often catching them by surprise as they focus on securing the perimeter.

There is a bright side, however. Understanding the threat landscape and developing a security plan will help you to mitigate risk and prevent cyber incidents. When designing your strategy, be sure to account for insider threats.

What is an insider threat?

Perhaps unsurprisingly, insider threats are threats that come from within your organization. Rather than bad actors from the outside infiltrating your network or systems, these risks refer to those initiated by someone within your organization – purposefully or as a result of human error.

There are three classifications of insider threats:

  • Malicious insider threats are those perpetrated purposefully by someone with access to your systems. This may include a disgruntled employee, a scorned former employee, or a third-party partner or contractor who has been granted permissions on your network.
  • Negligent insider threats are often a matter of human error. Employees who click on malware links in an email or download a compromised file are responsible for these threats.
  • Unsuspecting insider threats technically come from the outside. Yet, they rely on insiders’ naivety to succeed. For example, an employee whose login credentials are stolen or who leaves their computer unguarded may be a victim of this type of threat.

Keys to identifying insider threats

Once you know what types of threats exist, you must know how to detect them to mitigate the risk or address compromises as quickly as possible. Here are four key ways to identify insider threats:

Monitor

Third parties are the risk outliers that, unfortunately, lead to data compromise all too often. Monitoring and controlling third-party access is crucial to identifying insider threats, as contractors and partners with access to your networks can quickly become doorways to your data.

Consider monitoring employee access as well. Security cameras and keystroke logging are methods some companies may choose to monitor movement and usage, though they may not suit every organization.

Audit

Pivotal to risk mitigation – for insider threats or those outside your network – is an ongoing auditing process. Regular audits will help understand typical behavior patterns and identify anomalies should they arise. Automated audits can run based on your parameters and schedule without much intervention from SecOps. Manual audits are also valuable for ad hoc reviews of multiple or disparate systems.

Report

A risk-aware culture is based on ongoing communication about threats, risks, and what to do should issues arise. It also means establishing a straightforward process for whistleblowing. SecOps, try as they might, cannot always be everywhere. Get the support of your employees by making it clear what to look out for and where to report any questionable activity they notice. Employees can also conduct self-audits with SecOps’ guidance to assess their risk level.

Best practices for prevention

Prevention of insider threats relies on a few key aspects. Here are some best practices to prevent threats:

Use MFA

The low-hanging fruit in security is establishing strong authentication methods and defining clear password practices. Enforce strong, unique passwords, and ensure users must change them regularly. Multifactor authentication (MFA) will protect your network and systems if a user ID or password is stolen or compromised.

Screen candidates and new hires

Granted, bad actors have to start somewhere, so screening and background checks do not eliminate every threat. Still, it’s helpful to have processes in place to screen new hires, so you know to whom you’re granting access to your systems. Depending on the nature of the relationship, this best practice may also apply to third-party partners, contractors, and vendors.

Define roles and access

This may seem obvious to some, yet it’s often overlooked. Each user or user group in your organization should have clearly defined roles and access privileges relevant to their needs. For example, your valuable data is left on the table if entry-level employees have carte blanche across your network. Ensure roles and access levels are well-defined and upheld.

Have a straightforward onboarding and offboarding process

Most organizations have a clear and structured onboarding process for registering and bringing users online. Your onboarding process should include clear guidelines for network usage, an understanding of what will happen in the case of a data compromise (deliberate or accidental), where to report issues, and other security measures.

Just as important – if not more – as onboarding is the offboarding process. Languishing user accounts pose a major security risk as they lay theoretically dormant and unmonitored, and no user in the organization will notice if their account is being used. Ensure swift decommissioning of user accounts when employees leave the organization.
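The failure mode in the paragraph above (an account that outlives its owner, sits dormant and is watched by nobody) is one that a periodic join between the directory and the HR roster catches cheaply. The following is an added example for this page, not code from the post or from any product; the directory rows, the HR roster, the 90-day dormancy threshold and the field names are constructed for illustration.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # policy threshold; an assumption for this example

# Constructed directory export: one row per account, as a directory dump might provide.
DIRECTORY = [
    {"login": "mlee",       "enabled": True,  "last_logon": date(2023, 5, 30)},
    {"login": "rpatel",     "enabled": True,  "last_logon": date(2023, 1, 15)},
    {"login": "tnguyen",    "enabled": True,  "last_logon": date(2022, 11, 2)},
    {"login": "svc-backup", "enabled": True,  "last_logon": None},
    {"login": "ckim",       "enabled": False, "last_logon": date(2023, 2, 1)},
]

# Constructed HR roster: login -> termination date, None while still employed.
HR_ROSTER = {
    "mlee": None,
    "rpatel": date(2023, 2, 28),
    "tnguyen": None,
    "ckim": date(2023, 2, 1),
}


def review_accounts(directory, roster, today):
    """Return {login: [reasons]} for every enabled account that offboarding or
    dormancy rules say should be looked at."""
    findings = {}
    for row in directory:
        if not row["enabled"]:
            continue                  # a disabled account is what offboarding should leave behind
        login, reasons = row["login"], []
        if login not in roster:
            reasons.append("no HR owner on record (service or third-party account?)")
        else:
            left = roster[login]
            if left is not None and left <= today:
                reasons.append(f"owner left on {left} but account is still enabled")
        last = row["last_logon"]
        if last is None:
            reasons.append("never logged on")
        elif today - last > DORMANT_AFTER:
            reasons.append(f"dormant for {(today - last).days} days")
        if reasons:
            findings[login] = reasons
    return findings


if __name__ == "__main__":
    for login, reasons in review_accounts(DIRECTORY, HR_ROSTER, date(2023, 6, 1)).items():
        print(login, "->", "; ".join(reasons))
```

On the constructed data, the departed employee whose account was never disabled, the current employee who has not logged on in months, and the ownerless service account all surface; the properly disabled account does not. Feeding the same join into a ticketing queue turns the "ensure swift decommissioning" advice into a recurring, auditable check.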

Secure infrastructure

Apply strict access controls to all physical and digital access points across your organization. Use least-privilege access to limit accessibility, as recommended above. Opt for stronger verification measures, including PKI cards or biometrics, particularly in more sensitive business areas. Secure desktops and install gateways to protect your environment from nodes to the perimeter.

Establish governance procedures

Security requires everyone’s participation, yet organizations need buy-in from key leadership team members and nominated people or a team to hold the reins. Establishing a governance team and well-defined procedures will ensure attention to security risks at all times and save valuable time should a breach occur.

The tools of the trade

“Organizations must be able to address the risks from malicious insiders who intentionally steal sensitive data for personal reasons as well as users who can accidentally expose information due to negligence or simple mistakes.”

Thankfully, you don’t have to do it all alone. With a data-aware insider threat protection solution, you can rest with the peace of mind that you – and your network – are safe.

The post How Can You Identify and Prevent Insider Threats? appeared first on Cybersecurity Insiders.

Introduction:

Dridex, also known as Cridex or Bugat, is a banking Trojan that has been active since 2011. The malware is primarily used to steal sensitive information, such as login credentials and financial information, from victims. Dridex is known for its ability to evade detection by using dynamic configuration files and hiding its servers behind proxy layers.

The Dridex malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim's computer. The malware then uses web injections to steal financial information from the victim.

One of the interesting features of Dridex is its use of a peer-to-peer (P2P) network for command and control (C&C) communication. This allows the attackers to evade detection by security researchers and law enforcement, as the C&C servers can be quickly changed if one is discovered.

In terms of atomic techniques, Dridex uses a variety of methods to evade detection and maintain persistence on an infected system. Some of these techniques include:

  • Fileless infection: Dridex can infect a system without leaving any trace of a malicious file on the hard drive.
  • Process hollowing: Dridex can inject its code into a legitimate process in order to evade detection by security software.
  • Anti-debugging and anti-virtualization: Dridex can detect if it is running in a virtualized environment or if it is being debugged, and will terminate itself if it is.

Dridex is a well-known and sophisticated banking trojan that has been active for more than a decade; the malware has been known to target financial institutions, businesses, and individuals. Despite the arrest of one of its administrators in 2015, the malware continues to be active and evolve.

Recent infection on Macs:

The recent variant of Dridex malware that targets MacOS systems delivers malicious macros via documents in a new way. The malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim's computer. The variant overwrites document files to carry Dridex's malicious macros, but currently, the payload it delivers is a Microsoft exe file, which won't run on a MacOS environment. This suggests that the variant may still be in the testing stages and not yet fully converted to work on MacOS machines. However, it's possible that the attackers will make further modifications to make it compatible with MacOS in the future.

Once the malware is installed on the system, it searches for files with .doc extensions and overwrites them with the malicious code. The overwritten code has a D0CF file format signature, implying it is a Microsoft document file. This means that the malicious macros are delivered via document files, which makes it harder for the user to determine if the file is malicious or not.

The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file. This method of delivery is different from the traditional method of delivery, which is through email attachments. This shows that the attackers behind Dridex are trying to find new targets and more efficient methods of entry.
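The detail above, that overwritten .doc files carry the D0CF compound-file signature and deliver macros, suggests a defensive sweep: for every file named .doc, confirm it is actually an OLE container and check whether it carries the stream names that macro-bearing documents have. This is an added example for this page, not code from the post or from any Dridex analysis; the sample files are constructed byte strings standing in for a directory listing, and the marker list is a triage heuristic, not a verdict. A proper analysis would parse the compound file structure (for example with the open-source oletools/olevba) rather than search raw bytes.

```python
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound file header (legacy .doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx) is a ZIP container

# Stream names seen in macro-bearing OLE documents. The compound file format
# stores directory entry names as UTF-16LE, so the markers are encoded that way.
MACRO_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT", "VBA")]


def triage_document(data: bytes) -> str:
    """Classify a file by container type and by the presence of macro stream names."""
    if data.startswith(OLE_MAGIC):
        if any(marker in data for marker in MACRO_MARKERS):
            return "ole-with-macro-streams"
        return "ole-no-macro-streams"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-container"
    return "not-a-document-container"


def suspicious_doc_files(files: dict) -> list:
    """Names of .doc files that either carry macro streams or are not OLE documents at all.
    Both are worth a look when a campaign is known to overwrite existing documents."""
    flagged = []
    for name, data in files.items():
        if not name.lower().endswith(".doc"):
            continue
        verdict = triage_document(data)
        if verdict in ("ole-with-macro-streams", "not-a-document-container"):
            flagged.append(name)
    return sorted(flagged)


def _fake_ole(*stream_names):
    """Constructed stand-in for an OLE file: real header magic, zero-filled header,
    then the given stream names as a CFB directory would store them."""
    body = b"".join(name.encode("utf-16-le") + b"\x00" * 8 for name in stream_names)
    return OLE_MAGIC + b"\x00" * 504 + body


# Constructed sample "directory". None of this is real malware.
SAMPLE_FILES = {
    "report.doc":  _fake_ole("Root Entry", "WordDocument", "1Table"),
    "invoice.doc": _fake_ole("Root Entry", "WordDocument", "Macros", "VBA"),
    "notes.docx":  ZIP_MAGIC + b"\x14\x00" + b"\x00" * 64,
    "budget.doc":  b"MZ" + b"\x90\x00" * 30,     # a .doc whose bytes are not a document
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12s} {triage_document(data)}")
    print("flag for review:", suspicious_doc_files(SAMPLE_FILES))
```

Because the check is pure byte inspection, it runs safely over a quarantined share or a backup snapshot without opening the documents, and a sudden jump in the count of macro-bearing .doc files in a folder that never had any is exactly the kind of anomaly a campaign that overwrites documents would produce.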

How it works:

Dridex is a banking Trojan that is typically distributed through phishing email campaigns. The malware is delivered as an attachment, often in the form of a Word or Excel document, that contains a malicious macro. Once the macro is enabled, it will download and execute the Dridex payload on the victim's system.

Once installed, Dridex can perform a variety of malicious actions, including keylogging, capturing screenshots, and stealing login credentials. The malware can also be used to create a botnet, allowing the attackers to remotely control the infected systems.

Dridex uses web injects, which are modules that can inject HTML or JavaScript code into a web page before it is rendered. This allows the malware to manipulate the appearance of web pages and trick the user into entering sensitive information, such as login credentials or credit card numbers. The malware can then send this information to its command and control (C2) server.

Dridex uses a variety of techniques to evade detection and maintain persistence on an infected system. These include using code injection to infect other processes, using named pipes to communicate with other processes, and using anti-debugging and anti-virtualization techniques to evade analysis.

In addition, Dridex uses a technique called “Heaven's Gate” to bypass Windows' WoW64 (Windows 32-bit on Windows 64-bit) layer, allowing it to execute 64-bit code on a 32-bit system. This technique involves using a feature in Windows that allows 32-bit applications to call 64-bit functions. By running malware code in a 64-bit environment, Dridex evades detection and anti-analysis by security tools that are not designed to detect 64-bit malware on 32-bit systems.

Remediation:

1. Isolate and remove the malware: Identify and isolate any infected systems and remove the malware using reputable anti-virus software.

2. Change all passwords: Dridex malware is known to steal login credentials, so it is important to change all passwords on the affected systems.

3. Patch the system: Ensure that all systems are fully patched and updated with the latest security fixes.

4. Use endpoint protection: Implement endpoint protection software to detect and block Dridex malware and other malicious software.

5. Monitor network traffic: Monitor network traffic for suspicious activity and use intrusion detection systems (IDS) to detect and block malicious traffic.

6. Employee education: Educate employees on how to identify and avoid phishing scams, and to be cautious when opening email attachments or clicking on links.

7. Regular backups: Regularly backup important data and keep backups in a secure location.

8. Use a firewall: Use a firewall to block incoming and outgoing connections from known malicious IP addresses.

Conclusion:

In conclusion, Dridex is a well-known banking trojan that has been active since 2012, targeting financial institutions and their customers. The malware is typically distributed through phishing email campaigns, using attachments or links that lead to the downloading of the malware. Once on a system, Dridex can use various techniques to steal sensitive information and uses a technique called web injection to manipulate web pages and steal credentials. Remediation efforts should include monitoring for suspicious activity, blocking known malicious IPs and domains, keeping software updated, and educating users on how to identify and avoid phishing attempts. Additionally, monitoring for known indicators of compromise and inspecting processes and dll files that are known to be targeted by Dridex can help detect and prevent Dridex infections.

This author is from www.perimeterwatch.com

The post Dridex malware, the banking trojan appeared first on Cybersecurity Insiders.

Customers’ willingness to give you their personal data begins with the experience they receive. Convincing them requires the right tone, an outlook of what they’ll get in return, and most importantly, a high level of trust. But while companies depend on customer data to unlock growth, user-centric data collection can be tricky.

43% of U.S. consumers say they would not allow companies to collect personal data, even to accommodate more personalized, customized experiences, while 88% will give you their data if they trust your brand.

With this in mind, how do you meet customer expectations and proactively build consumer trust throughout the entire customer lifecycle? Effective user journey orchestration, supported by a robust Customer Identity & Access Management (CIAM) solution, can help you balance security, privacy, and convenience, resulting in a trust-worthy digital experience.

5 ways CIAM safely orchestrates your customers’ journey

CIAM is an effective solution for hassle-free and secure logins that enables you to retain more customers with seamless access across various digital channels. This is how CIAM safely orchestrates your customers’ journey.

1. Capture and manage customer identities to remove friction at registration and login

Businesses spend a lot to acquire new customers but tend to invest less in the experience once acquired. Meanwhile, providing a seamless and convenient experience is what eventually brings loyalty – and thus, the base to harness true ROI.

With CIAM, you no longer need to push every customer through the same rigid authentication processes when they visit your site. Put simply, CIAM ensures customers are always met at the digital front door, conveniently and without friction.  

For example, if customers are registering for the first time, you don't need to ask them to enter all their personal data immediately. Ask your customer for only needed information, at the right point in their journey. This will allow them to focus on their shopping experience or the task at hand rather than filling in forms.

When an existing customer wants to log into your site, you can make smarter decisions about how many authentication hoops you should make them jump through. For example, suppose the risk environment remains unchanged, and their behavioral context is the same as before. You might decide they don't need to enter their password again or authenticate using MFA.

CIAM allows you to adjust your authentication experience's friction level to make your customers' experience seamless.

2. Build robust customer profiles based on first-party, consent-based data

CIAM captures the personal data that the customer has released to your brand. This first-party data, which is based on consumer consent, enables your business to compile comprehensive client profiles by collecting and combining data from multiple channels. The data produced can assist your company in achieving a unified customer experience as your consumer engages with various business divisions.

First-party data is essential as third-party cookies are being blocked by browsers, and businesses need to invest in privacy-friendly ways to gather data for profiling their prospective customers. Besides harnessing the value of data, consent-based data collection demonstrates respect for your customer’s privacy – a building block to achieving customers’ trust.

3. Orchestrate customer profiles in near real-time to other engagement solutions to deliver personalized experiences

Storing your customers' profile data in a single platform allows you to make timely, data-informed decisions and to further engagement with your customers through other solutions.

Take, for example, the way Spotify works. When you search for your favorite artist, the platform suggests other artists with the same style. These suggestions allow you to listen to more of your favorite music and offer an impeccable personalized experience. Wouldn’t you like your brand to treat your customers the same way?

If you get to know your customers better by building rich user profiles, you can use these profiles to tailor experiences across every digital property. And your customer will keep coming back to you for more.

4. Drive the adaptive authentication experience to limit burden and enhance security

Requiring your customers to provide an additional authentication factor by implementing MFA is one of the simplest ways to increase the security of the login flow. Email is an option that is often easier to implement, but it can increase customers’ effort at the authentication flow, and building frustration might cause them to opt for a competitor.

With CIAM, you can choose the authentication options, such as biometrics, that will be easiest or most secure for your customers without any additional worry about how difficult they might be to integrate and maintain within your application.

A customer identity platform only asks for the authentication you need and always asks for it when you need it, providing two sides of the same coin. If you can prove to customers that the friction added to the experience is always proportionate to the situation, you'll find it much easier to win their trust.
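The adaptive behaviour described in point 1 (no re-prompt when the risk environment and behavioural context are unchanged) and in point 4 (friction proportionate to the situation) comes down to a policy that scores the login context and maps the score to the steps the customer must complete. The following is an added example for this page, not code from the post or from any CIAM vendor; the signal names, weights and thresholds are illustrative policy values chosen for this example, and a real deployment would tune them against its own fraud and abandonment data.

```python
from dataclasses import dataclass


@dataclass
class LoginContext:
    """Signals available at login time (constructed field set for this example)."""
    user: str
    device_known: bool              # device fingerprint seen before for this user
    country: str                    # geolocation of the request
    usual_country: str              # where this user normally logs in from
    recent_failures: int            # failed attempts in the recent window
    ip_flagged: bool                # request IP appears on an abuse list
    sensitive_action: bool = False  # e.g. changing payment or contact details


def risk_score(ctx: LoginContext) -> int:
    """Additive score; weights are illustrative policy values, not vendor defaults."""
    score = 0
    if not ctx.device_known:
        score += 30
    if ctx.country != ctx.usual_country:
        score += 25
    score += min(ctx.recent_failures, 5) * 10   # cap so brute force alone saturates
    if ctx.ip_flagged:
        score += 50
    if ctx.sensitive_action:
        score += 20
    return score


def required_steps(ctx: LoginContext) -> list:
    """Map the score to the authentication hoops presented for this request."""
    score = risk_score(ctx)
    if score < 20:
        return []                       # unchanged context: keep the session, no re-prompt
    if score < 50:
        return ["password"]
    return ["password", "mfa"]


# Constructed scenarios showing how friction scales with context.
SCENARIOS = {
    "returning, same device": LoginContext("c1", True, "US", "US", 0, False),
    "new device":             LoginContext("c1", False, "US", "US", 0, False),
    "new device abroad":      LoginContext("c1", False, "FR", "US", 0, False),
    "flagged ip":             LoginContext("c1", True, "US", "US", 0, True),
    "changing payment data":  LoginContext("c1", True, "US", "US", 0, False, sensitive_action=True),
}

if __name__ == "__main__":
    for label, ctx in SCENARIOS.items():
        print(f"{label:24s} score={risk_score(ctx):3d} steps={required_steps(ctx) or ['none']}")
```

The point of separating `risk_score` from `required_steps` is that the second function is the part product and security teams negotiate over: the thresholds encode how much friction the business is willing to impose at each risk level, and they can be changed without touching the signal collection. Every decision should also be logged with its score so that a later review can show the customer (or a regulator) that the extra step was proportionate.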

5. Adopt progressive profiling

A customer's introduction to your application is often a registration process, and you need to ensure that the process is efficient, seamless, and secure so that you don't lose the customer's attention along the way. This might mean primarily collecting only the minimum amount of information you require from your users. A 'just in time' and 'just enough' approach to data collection is the best strategy for building a frictionless and secure prospect-to-customer journey that leads to better conversion rates.

A CIAM solution can be configured to require as many or as few pieces of information about your customers as you wish to gather. This information can be stored centrally so that you can utilize the CIAM solution as the source of truth regarding customer personal information and be assured that this data is always secured. 

The main advantage of effective user journey orchestration

A significant benefit of deploying a cloud identity platform, and thereby adopting a user journey orchestration process, is that it helps establish the trust needed to build long-lasting relationships with your customers.

Businesses can acquire more customers by using CIAM and progressive profiling to streamline the registration process and asking for information over time rather than forcing new customers to fill out a long sign-up form at the very beginning. Also, reducing friction during login when existing customers return to any digital property can help your business retain customers.

By enforcing appropriate security measures in every situation, CIAM shows your customers that you are a trustworthy steward of their accounts and personal data. This increases the likelihood of repeat business, reduces the risk of account abandonment, and acts as a disincentive for churn.

The post How CIAM safely orchestrates your customers’ journey and its benefits  appeared first on Cybersecurity Insiders.

In today’s digital world, it’s no surprise that cyberattacks are becoming more frequent and intense. Enterprises worldwide are trying to defend themselves against attacks such as ransomware, phishing, distributed denial of service and more.

In this challenging cybersecurity landscape, now is the time for companies to prioritize security audits. What are cybersecurity audits, and how often should they be performed to remain safe in the threatening IT world?

Cybersecurity audits and their importance

A cybersecurity audit establishes a set of criteria organizations can use to check the preventive cybersecurity measures they have in place to ensure they’re defending themselves against ongoing threats.

Because cybersecurity risks and threats are growing more sophisticated and frequent in nature, organizations must plan and conduct cybersecurity audits regularly. In doing so, they will have continuous protection from external and internal threats.

How often companies should perform security audits

There’s no official schedule companies must follow for their cybersecurity audits, but in general, it’s recommended that they perform audits at least once a year. However, the IT landscape is changing so quickly that more audits often amount to better protection for an organization.

Businesses working with sensitive information — such as personally identifiable information — should consider conducting cybersecurity audits twice a year, if not more frequently. However, keep in mind that your company may need more time or resources to perform quarterly or monthly audits. The goal is to balance the number of audits you perform and the amount you spend on the audits themselves.

There are many types of audits out there. For example, a blended audit that combines remote and in-person auditing tasks can be helpful for global organizations with remote workers. But two types of audits — routine and event-based — are important to know.

You should certainly conduct routine audits annually or semi-annually, and event-based audits should be done when any major events happen within your IT infrastructure. For example, suppose you add servers to your network or transition to a new project management software. In that case, these “events” require you to perform another audit, as the changes could impact your cybersecurity posture.

4 Benefits of performing audits

The primary purpose of a security audit is to find weaknesses in your cybersecurity program so you can fix them before cybercriminals exploit them. It can also help companies maintain compliance with changing regulatory requirements. Here are some of the primary benefits you can reap by performing regular security audits.

1. Limits downtime

Extended downtime can cost your business a lot of money. According to Information Technology Intelligence Consulting, 40% of organizations surveyed say hourly downtime can cost them between one and five million dollars, excluding legal fees, penalties or fines.

Downtime can occur due to poor IT management or something more serious like a cybersecurity incident. Auditing is the first step companies must take to identify weaknesses that could eventually lead to downtime.

2. Reduces the chance of a cyberattack

As stated above, the main goal of a security audit is to identify vulnerabilities in your cybersecurity program. However, this is only helpful if you and your IT team develop solutions to patch these vulnerabilities and weaknesses. In doing so, you’re improving your overall cybersecurity posture and increasing your level of protection against potential cyber risks, such as malware or phishing attacks, ransomware, and business email compromise — to name a few.

3. Helps maintain client trust

Customers and clients want to know that the companies they do business with prioritize both physical security and cybersecurity. This gives them peace of mind that their sensitive data is not at risk of being exposed, stolen or even sold on the dark web.

Maintaining client trust should be an important objective for any company offering products or services. It can help build your customer base, enhance customer loyalty, and even improve brand recognition.

4. Supports compliance efforts

Security audits are beneficial for businesses looking to take their compliance efforts up a notch. Various data privacy and protection laws are emerging to try and protect consumers and their sensitive information.

For example, the EU’s General Data Protection Regulation can impact your company, especially if it has customers or does business with other organizations in the EU. It can be challenging to keep up with changing regulatory requirements. However, conducting a security audit can help IT teams ensure they’re helping their companies comply with all these rules to avoid fees or penalties.

Protect your business with regular security audits

The cybersecurity landscape is evolving rapidly, with more threats emerging and attacks becoming more sophisticated than ever before. It’s come to the point where hackers leverage advanced technologies such as artificial intelligence to launch automated attacks on enterprises. It’s critical for your business to perform regular security audits to ensure you’re protecting your assets and data. Consider performing audits on a semi-annual basis to offer the best defense against ongoing cybersecurity threats.

The post How often should security audits be? appeared first on Cybersecurity Insiders.