If your organization is having trouble creating policies, I hope that this blog post will help you set a clear path. We’ll discuss setting your organization up for success by ensuring that you do not treat your policies as a “do once and forget” project. Many organizations I have worked with have done that, but later realized that a good policy lifecycle is required and is a pillar of good governance.

Organizations often feel that developing and enforcing policies is bureaucratic and tedious, but the importance of policies is felt most keenly when your organization does not have them. Not only are they a cost of doing business, but they also establish the foundation and norms for acquiring, operating, and securing technology and information assets.

The lifecycle, as it implies, should be iterative and continuous, and policies should be revisited at a regular cadence to ensure they remain relevant and deliver value to your business.

IT policy process

Assess

The first step is to find out where your organization stands; this step should shine a light on where gaps exist and what they are.

First, determine how you will assess your policies. Whether you are building new ones or bringing current ones up to date, here is a checklist:

  • Is it current and up to date
  • Does it have a clear purpose or goal
  • Does it have a clear scope (inclusions /exclusions)
  • Does it have a clear ownership
  • Does it have a clear list of affected people
  • Does it have language that is easy to understand
  • Is it detailed enough to avoid misinterpretations
  • Does it follow the laws/regulations/ethical standards
  • Does it reflect the organizational goals/values and culture
  • Are key terms and acronyms defined
  • Have related policies and procedures been identified
  • Are there clear consequences for non-compliance
  • Is it approved and supported by management
  • Is it enforceable

Next, inventory your organization’s policies by listing them and then assessing the quality using the previous list. Based on the quality, identify if your organization needs new policies or if the existing ones need improvement, then determine the amount of work that will be required.

Best practices suggest that you may want to prioritize your efforts on the most significant improvements, those that focus on the most serious business vulnerabilities.

Understand that policy improvement does not end with a new policy document. You will need to plan for communications, training, process changes, and any technology improvements needed to make the policy fair and enforceable.

Develop

After the assessment is done, plan on developing new policies or revamping the old ones. Although there is no consensus on what makes a good policy, the referenced material [1] [2] [3] [4] suggests the following best practices: policies should have a clear purpose and a precise presentation that drives compliance by eliminating misinterpretation.

All policies should include and describe the following:

  • Purpose
  • Expectations
  • Consequences
  • Glossary of terms

For maximum effect, policies should be written:

  • With everyday language
  • With direct and active voice
  • Precisely to avoid misinterpretation
  • Realistically
  • Consistently in keeping with standards

Consider that policies need to be actively sold to the people who are supposed to follow them. You can achieve that by using a communication plan that includes:

  • Goals and objectives
  • Key messages
  • Potential barriers
  • Suggested actions
  • Budget considerations
  • Timelines

Enforcement

A lack of enforcement will create ethical, financial, and legal risks to any organization. Among the risks are loss of productivity due to abuse of privileges, potential wasted resources, and loss of reputation if an employee engages in illegal activities due to poor policy enforcement, which can lead to potential litigation. Make sure that you have clear rules of engagement.

Your organization should establish the proper support framework around Leadership, Process, and Monitoring, and measure policies against defined standards. Policies don't always fail due to bad behavior; they fail because:

  • They are poorly written
  • There is no enforcement
  • They are illegal or unethical
  • They are poorly communicated
  • They go against company culture

If your company feels overwhelmed thinking about all the moving pieces that make up an IT Policy Management Lifecycle, let AT&T Cybersecurity Consulting help, whether you need to amend existing policies, implement one or more brand new policies, or need a complete overhaul of the entire policy portfolio.

References

1) F. H. Alqahtani, “Developing an Information Security Policy: A Case Study Approach,” Science Direct, vol. 124, pp. 691-697, 2017.

2) S. Diver, “SANS White Papers,” SANS, 02 03 2004. [Online]. Available: https://www.sans.org/white-papers/1331/. [Accessed 15

3) S. V. Flowerday and T. Tuyikeze, “Information security policy development and implementation: The what, how, and who,” Science Direct, vol. 61, pp. 169-183, 2016.

4) K. J. Knapp, R. F. Morris, T. E. Marshall and T. A. Byrd, “Information security policy: An Organizational level process model,” Science Direct, vol. 28, no. 7, pp. 493-508, 2007.

The post How to create a continuous lifecycle for your IT Policy Management appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Cyberthreats don't affect only large enterprises and governments – they can also affect small businesses. According to research, nearly half of small businesses have experienced a cyberattack, and 69% are concerned about future attacks. Small businesses should be aware of cyber security statistics and take tangible steps to protect their businesses against cyberattacks.

Employee records, customer information, loyalty schemes, transactions, and data collection are critical pieces of information that businesses need to protect. This is to prevent third parties from using the information for fraudulent purposes, such as phishing scams and identity theft.

It's crucial to safeguard your company from cyberattacks, but some business owners are unsure how to do it.

This article is intended to help small business owners navigate the realm of cyber threats and fortify their data security. The benefits of data security for small businesses are also discussed.

Data security

Data security is the practice of keeping data safe from unauthorized access or corruption.

Data protection entails safeguarding not only your company's data but also that of your customers and vendors.

Data encryption, hashing, tokenization, and key management are data security strategies that safeguard data across all applications and platforms.

Small firms, unfortunately, appear to be a much easier target for hackers, as their security systems are typically less advanced than those of a medium or large company. Despite this fact, most small business owners believe they are not vulnerable to a data breach.

Why data security?

To secure their essential assets, organizations all over the world are investing extensively in information technology (IT) cyber security capabilities. Every business has to protect its brand, intellectual capital, and customer information. It also needs to provide controls for essential infrastructure. Incident detection and response, in turn, rest on three fundamental elements: people, processes, and technology.

Cyber security problems and their effect on small businesses

Security risks faced by small businesses

Small businesses may not have the operational know-how or employees to protect their IT systems and networks appropriately.

Small firms confront a variety of cyber security challenges, including:

  • Attacks by phishers: Phishing refers to a type of social engineering attack that is frequently used to obtain personal data from users; such data includes login credentials and credit card details.
  • Malware attack: Malware attacks are common cyberattacks in which malware (malicious software) performs unauthorized actions on the victim's system.
  • Ransomware: Ransomware is a type of cryptovirological malware that threatens to expose or permanently limit access to the victim's personal information unless a ransom is paid.
  • Internal threats: Internal threats are often the result of poor access controls or a lack of proper staff training. Hostile employees or ex-employees might perpetrate cyber attacks in the company, posing internal threats.
  • Weak passwords: Passwords that aren't strong enough can expose a company to unauthorized access and security risks.

Use a password of at least eight characters that mixes letters, numbers, and symbols to make it strong. A password that is longer and contains more character types (including upper- and lowercase letters) is more difficult to guess. For instance, M0l#eb7Qs? employs a unique mix of capital and lowercase letters, numbers, and symbols. It is also recommended to change passwords every 90 days or less.

Organizations should carefully review password security policies and password management since stolen or weak passwords are still the most common cause of data breaches.

What effect does an attack have?

A successful cyber attack on your business can be devastating. It can have a negative impact on your bottom line, as well as your company's reputation and consumer trust. A security breach has three major consequences: financial, reputational, and legal.

Financial cost of a cyberattack

Cyber breaches frequently cause a significant financial loss due to:

  • Unauthorized access to corporate data
  • Theft of corporate data
  • Financial information theft (e.g., bank details or payment card details)
  • Theft of funds
  • Trading disruption (e.g., inability to carry out transactions online)
  • Loss of contract or business

In addition, businesses typically incur costs to repair the systems, networks, and devices affected as part of their response to the breach.

Damage to the company’s reputation

A good customer relationship must be based on trust. Cyberattacks can harm your company's reputation and reduce client trust in you. This might ultimately result in:

  • Loss of clients
  • Sales decline
  • Decrease in profits

Reputational damage may also have a negative impact on your relationships with partners, investors, suppliers, and other interested parties.

Legal consequences of a cyberattack

You are required by data protection and privacy laws to manage the security of all personal data you hold, whether it relates to your customers or your personnel. You may be subject to penalties and regulatory sanctions if this data is compromised unintentionally or on purpose, and you fail to implement the necessary data security measures.

Essential tips for data security

1. Manage mobile devices, apps, and computer operations

To ensure the user's experience is as smooth as possible, manage important applications rather than the device itself. Also, make sure everything you're doing is transparent, particularly when it comes to your employees' devices.

2. Enable secure collaboration

To guarantee that your staff has access to the information they require, set up secure tools for data sharing.

If you're sending sensitive information via email, ensure you've set up a digital rights management system (or another secure email solution).

3. Reduce malware exposure

Create a training plan that ensures your employees get adequate awareness training on a regular basis.

You should also consider using an email protection solution that includes time-of-click protection to guard against inevitable human error.

Implement rules and procedures that limit specific actions, such as checking personal email at work or installing apps that do not come from a trusted source.

4. Prevent data loss via email

Data Loss Prevention (DLP) capabilities can help secure your company's data. Identify how DLP can be implemented in your workflow.

Also, limit the circulation of specific emails or files, or impose a digital rights management condition that limits who has access to the information.

5. Set up other key security measures

Securing your company's data is crucial, especially in today's world of remote work. Antivirus software, network analytics, firewalls, virtual private networks (VPNs), AI-enabled behavioral monitoring, data encryption, and other security measures may be used.

6. Focus on sensitive data

The sensitive data you store and process can be an asset, but it is also a liability in terms of security and compliance. Always know where sensitive data (such as personally identifiable information) is stored, and apply measures like dynamic data masking to protect its anonymity while keeping it useful.

Benefits of data security for small businesses

Small businesses that take data security seriously and take strategic actions to improve it are less prone to attack.

These businesses will also be able to meet their compliance obligations more efficiently and prevent reputational damage. All of these factors make business more convenient and profitable.

Because the cybersecurity world is constantly changing, you'll need to commit to monitoring and updating your network security on a regular basis to reap these benefits. This will help you stay current and safe.

Here are some proven strategies to help your business reap these benefits while avoiding cyber threats.

• Protect your business from external threats

Outsiders were responsible for over 70% of data breaches this year.

Minimizing external risks necessitates the use of thorough device security measures and the appropriate cybersecurity software.

• Protect your business from internal threats

While internal threats aren't as widespread as externally perpetrated attacks, they still warrant special attention.

Many of these attacks are absolutely avoidable. While hostile employees or ex-employees can always cause problems, many internal attacks result from poor access controls or a lack of staff training.

• Ensure your business is compliant

Ensuring that your company is compliant with data protection regulations is very important.

When it comes to data protection, a number of businesses are already living up to expectations by intensifying their cybersecurity.

Many regulatory agencies now require you to make the necessary efforts to secure your company and its data from hackers. You could risk substantial fines or trading restrictions if you don't comply.

• Ensure customer data security

It's not just the regulators that are concerned about data security. Consumers have been more interested in how firms protect their data; their awareness of the risks of organizations having large amounts of personal data has grown.

Furthermore, if you can establish an active dedication to data protection, you may gain loyal, long-term clients and increase your revenue.

Summary

Cyberattacks are becoming increasingly common among small businesses, but you don't have to be affected. You can avoid falling victim to preventable cyberattacks by implementing the necessary security measures, from employee training to suitable cybersecurity software. This will not only save you time and effort, but it will also save you money by preventing revenue losses, regulatory fines, and other costs.

The post All you need to know about data security and its benefits for small businesses appeared first on Cybersecurity Insiders.

AT&T Business’ most recent #BizTalks Twitter Chat—What’s New in Cybersecurity—Insights, Threat Trends, & RSA Learnings—explored many emerging concepts in the cybersecurity industry. Our very own Tawnya Lancaster, AT&T Cybersecurity’s threat intelligence and trends research lead, did a takeover of the @ATTBusiness Twitter handle to provide her point of view. Head to the @ATTBusiness Twitter page—go.att.com/twchat—to see the full chat and learn more.

It was an interesting conversation with diverse opinions. Here are some of the highlights.

Adversary tactics

The top question in terms of engagement was this one, and it drew lots of interesting perspectives:

Edge computing was a hot question

Organized cybercrime is clearly top of mind as well

Don’t forget to follow @ATTBusiness on Twitter and stay tuned for our monthly #BizTalks Twitter Chats which cover a range of topics, including cybersecurity, 5G, manufacturing and supply chain, and healthcare.

The post New in Cybersecurity – Insights, threat trends, & RSA learnings appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

USM Anywhere is the ideal solution for small and mid-sized businesses that need multiple high-quality security tools in a single, unified package.

There’s no reason large, global enterprises should have a monopoly on top cybersecurity technology. Solutions like USM Anywhere give smaller organizations access to security tools that are both effective and affordable.

USM Anywhere offers a centralized solution for monitoring networks and devices for security threats. It secures devices operating on-premises, remotely, and in the cloud. By combining multiple security tools into a single, streamlined interface, USM Anywhere gives smaller organizations a competitive solution for obtaining best-in-class security outcomes.

Castra's extensive experience working with USM Anywhere has given us unique insight into the value it represents. There is a clear difference in security returns and outcomes between USM Anywhere users and those that put their faith in proprietary solutions developed by managed security service providers. This is especially true for organizations with fewer than 1,000 employees, where management is under considerable pressure to justify security expenditures.

Three ways USM Anywhere outperforms

USM Anywhere furnishes organizations with essential security capabilities right out of the box. It is a full-featured security information and event management platform that enables analysts to discover assets, assess vulnerabilities, detect threats, and respond to security incidents. It features built-in and customizable compliance reporting capabilities, as well as behavioral monitoring capabilities.

These features, along with the platform’s uniquely integrated architecture, provide valuable benefits to security-conscious organizations:

1. Automated log management

USM Anywhere enables analysts to automate the collection of logs and event data from sources throughout the IT environment. With the right configuration, analysts receive normalized logs enriched with appropriate context and retain them in a compliant storage solution.

This eliminates the need for costly and time-consuming manual log aggregation, significantly improving the productivity of every employee-hour spent on security tasks. Improved logging efficiency gives security teams more time to spend on strategic, high-value initiatives that generate significant returns.

2. Cloud platform API integration

USM Anywhere integrates with the most popular cloud and productivity platforms, including Office 365 and Amazon AWS.

With the Office 365 Management API, analysts can monitor user and administrator activities throughout the entire Microsoft environment. This makes it easy for analysts to detect anomalies like users logging in from unfamiliar territories, changing mailbox privileges, or sending sensitive data outside the organization.

The CloudWatch and CloudTrail APIs allow analysts to monitor AWS environments and review log activity within the cloud. Analysts gain real-time visibility into asset creation, security group configurations, and S3 access control changes directly through an intuitive, unified SIEM interface.
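As an added illustration of the kind of detection the CloudTrail integration described above makes possible (example code written for this page, not USM Anywhere's own logic), the Python below runs three rules over constructed CloudTrail-style records: an S3 ACL grant to everyone, a security-group rule that opens an admin port to 0.0.0.0/0, and a console login from outside an assumed corporate range, with instance launches logged as informational. The record layout follows CloudTrail's JSON field names but is trimmed to the fields the rules read, and the corporate range 198.51.100.0/24 is an assumption.

```python
import ipaddress

# Rule inputs. KNOWN_NETWORKS is an assumed corporate egress range; console
# logins from anywhere else are treated as "unfamiliar".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ADMIN_PORTS = {22, 3389}
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

def _acl_grants(params):
    """Pull the grant list out of a PutBucketAcl/PutObjectAcl request."""
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    grants = acl.get("Grant", [])
    return grants if isinstance(grants, list) else [grants]

def check_event(event):
    """Return (severity, message) for a risky CloudTrail record, else None."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}   # null for ConsoleLogin
    actor = event.get("userIdentity", {}).get("userName", "unknown")
    src = event.get("sourceIPAddress", "")
    # S3 access control change that opens a bucket or object to everyone
    if name in ("PutBucketAcl", "PutObjectAcl"):
        for grant in _acl_grants(params):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GRANTEES:
                return ("high", f"{actor} granted {grant.get('Permission')} on "
                                f"{params.get('bucketName')} to {uri.rsplit('/', 1)[-1]}")
    # Security group rule exposing an admin port to the whole internet
    if name == "AuthorizeSecurityGroupIngress":
        for perm in params.get("ipPermissions", {}).get("items", []):
            lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0" and any(lo <= p <= hi for p in ADMIN_PORTS):
                    return ("high", f"{actor} opened tcp {lo}-{hi} on "
                                    f"{params.get('groupId')} to 0.0.0.0/0")
    # Console login from outside the known corporate ranges
    if name == "ConsoleLogin":
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return ("medium", f"console login for {actor} from unparseable address {src!r}")
        if not any(ip in net for net in KNOWN_NETWORKS):
            return ("medium", f"console login for {actor} from unfamiliar address {src}")
    # Asset creation is tracked even when nothing about it is suspicious
    if name == "RunInstances":
        return ("info", f"{actor} launched EC2 instance(s) from {src}")
    return None

def scan(events):
    """Apply every rule to a list of records; return (time, severity, message) tuples."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append((ev.get("eventTime"), *hit))
    return findings

# Constructed sample records (not real logs), trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventTime": "2022-06-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-reports", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Permission": "READ", "Grantee": {
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}}}},
    {"eventTime": "2022-06-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2022-06-01T10:10:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-06-01T10:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2022-06-01T10:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "erin"},
     "requestParameters": {"instanceType": "t3.micro"}},
]

if __name__ == "__main__":
    for when, severity, message in scan(SAMPLE_EVENTS):
        print(f"{when} [{severity}] {message}")
```

The known login from dave produces no finding, which is the point of the allow-list: only the four risky or noteworthy records surface.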

3. Orchestrated response capabilities

Analysts need accurate, real-time data on suspicious activities so they can categorize attacks and orchestrate a coherent response. USM Anywhere gives analysts access to full details about attack methods, strategies, and response guidance.

AlienApps™ users can extend USM Anywhere capabilities to third-party security and management platforms, allowing analysts to initiate and orchestrate comprehensive event response from within the USM Anywhere user interface. This allows Castra analysts to automate the integration of Palo Alto Cortex XDR capabilities and Anomali Threat Intelligence data from directly within USM Anywhere.

Make Castra your USM Anywhere partner

Castra has been an AlienVault partner since 2013, successfully deploying the company’s security technologies thousands of times. Our remarkable customer renewal rate of almost 100% stands as a testament to the effectiveness of our approach. Working with Castra gives you visibility and control over your security posture, while supporting it with qualified expertise on demand.

We have worked closely with AT&T’s USM Anywhere development team for years, providing critical feedback even before AlienVault was publicly released. Our security analysts have deep knowledge of this platform and can personalize its performance to meet your security objectives and compliance needs to the letter. Speak to a Castra expert about optimizing your SIEM deployment to find out more.

The post The three core strengths of USM Anywhere appeared first on Cybersecurity Insiders.

The partnership between these two market-leading vendors enables MSSPs around the world to fast-track cutting-edge MXDR services.

AT&T, the leader in network and managed security services, and SentinelOne, the leader in next generation, autonomous endpoint protection, today announced a strategic alliance to help prevent cybercrime. The partnership focuses on providing managed security service providers (MSSPs) around the world with a clear path to providing top-tier managed extended detection and response (MXDR) capabilities for customers.

“Managed XDR is a lot different than the conventional detection and response systems in the sense that it enables members of our partner program to build solutions on the platforms their customers already use in order to make the best out of their investments,” says Rakesh Shah, Vice President of Product at AT&T Cybersecurity. “The new alliance combines AT&T USM Anywhere network threat detection capabilities with SentinelOne endpoint protection. Together, these two security platforms provide industry-leading network and endpoint threat detection and response solutions that will enable MSSPs to be successful at providing their end customers with world-class security.”

“AT&T and SentinelOne help MSSPs enter the era of XDR, protecting more surfaces at speeds and scales previously not possible with humans alone. SentinelOne’s autonomous technology coupled with AT&T’s integrated network technologies and services enables MSSPs to reduce risk and boost protection for their customers,” says Mike Petronaci, VP Product at SentinelOne.

The alliance streamlines XDR attainment for partner program members that provide managed security services for a range of organizations. An ideal customer for this MXDR solution would be an MSSP managing small-to-midsized enterprises. Those enterprises may be interested in outsourcing managed cybersecurity services because they do not have the in-house resources to deliver the security results they need. Larger enterprises that do not want to outsource their security completely but are looking for some help could also use this MXDR solution managed by one of our partners.

The tight integration this alliance brings provides MSSP partners with ready access to the award-winning USM Anywhere and SentinelOne platforms. In addition, for MSSPs that acquire SentinelOne endpoint protection through the partner program, AT&T will manage hundreds of additional indicators of compromise through a unique integration within USM Anywhere that streams uniquely tailored security telemetry from the SentinelOne Deep Visibility platform.

SentinelOne partnership

The post AT&T Cybersecurity’s Partner Program and SentinelOne enter managed XDR market with robust alliance appeared first on Cybersecurity Insiders.

Perspective:

While there is an alphabet soup of compliance requirements and security standards frameworks, this post will focus on the two prevalent certifications frequently discussed for SaaS and B2B businesses. Security and compliance qualifications, like SOC 2 and ISO 27001, demonstrate that you apply good practices in your business. They are often classified as “security” and thought of as the technical security of your systems. However, they are broader, focusing on organizational practices supporting your security and other objectives. That includes availability (system resilience), the confidentiality of data, privacy for your users, integrity of the system processing objectives, scalable process design, and operational readiness to support significant business customers.

So, before we get into which one you would pick, how, and why, let's quickly get aligned on the key benefits of these certifications and attestations from a business standpoint.

Background and benefits:

It helps establish brand trust and enable sales: Your customers, when looking to use your software, consider both your product and your capabilities as an organization. These qualifications play an essential role in demonstrating that your business is “enterprise-ready,” providing a reliable service and keeping their data secure.

It helps demonstrate compliance and establish a baseline for risk management: These certifications often become mandates from procurement teams to demonstrate supply chain security. Or they can be used to demonstrate compliance with regulations and satisfy regulatory requirements.

It helps reduce overhead and time responding to due diligence questionnaires: A significant pain point for software companies is the relentless due diligence in serving enterprise customers. Hundreds, even thousands of “security questions” and vendor audits are common. Standards like SOC 2 and ISO 27001 are designed to have a single independent audit process that satisfies broad end-user requirements.

It helps streamline and improve business operations: You adopt “good” or “best” industry practices by going through these certifications. Investors, regulators, partners, the board, the management team, and even employees benefit from implementing and validating your alignment to standards. It provides peace of mind that you are improving your security posture, helps address compliance requirements, and strengthens your essential operational practices.

Which standard is best for these goals?

Each standard has different requirements, nuances in how they are applied, and perceptions in the market. This impacts which may be best for your business and how they help you achieve the goals above.

Below, we'll compare the two most common standards, SOC and ISO.

Often, we see that SOC 2 reports are widely adopted and acknowledged. Many procurement and security departments may require a SOC 2 report before approving a SaaS vendor for use. If your business handles any customer data, getting a SOC 2 report will help show your customers and users that you take data security and protection seriously. Healthcare, retail, financial services, SaaS, cloud storage, and computing companies are just some of the businesses that will benefit from SOC 2 compliance certification.

What is a SOC 2 certification?

SOC 2 is based on five Trust Service Criteria (TSC) principles.

Security – making sure that sensitive information and systems are protected from security risks and that all predefined security procedures are being followed

Availability – ensuring that all systems are available and minimizing downtime to protect sensitive data

Processing integrity – verifying data integrity during processing and before authorization

Confidentiality – allowing information access only to those approved and authorized to receive

Privacy – managing personal and private information with integrity and care

SOC 2 examinations were designed by the American Institute of Certified Public Accountants (AICPA) to help organizations protect their data and the privacy of their clients' information. A SOC 2 assessment focuses on an organization's security controls related to overall services, operations, and cybersecurity compliance. SOC 2 examinations can be completed for organizations of various sizes and across different sectors.

Businesses that handle customer data proactively perform SOC 2 audits to ensure they meet all the criteria. If the business passes a SOC 2 audit performed by an outside auditor, the auditor will issue a SOC 2 certificate showing that the business complies with all the requirements. There are two types of SOC 2 audits: Type 1 and Type 2. The difference between them is simple: a Type 1 audit looks at the design of a specific security process or procedure at one point in time, while a Type 2 audit assesses how effectively that security process operates.

What Is ISO/IEC 27001:2013?

The ISO/IEC 27001 is an international information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is part of the ISO/IEC 27000 family of standards. It offers a framework to help organizations establish, implement, operate, monitor, review, maintain, and continually improve their information security management systems.

ISO 27001 details the specification for an Information Security Management System (ISMS) to help organizations address the people, processes, and technology involved in data security, in order to protect the confidentiality, integrity, and availability of their information assets. The ISO 27001 framework is based on risk assessment and risk management, and compliance involves identifying information security risks and implementing appropriate security controls to mitigate them. The family also includes ISO 27017 and ISO 27018, which demonstrate cloud security and privacy protections, and ISO 27701 (a privacy information management system), which can be adopted as an extension to ISO 27001.

The intent of information protection – a common thread between both SOC and ISO 27001.

Both SOC 2 and ISO 27001 are similar in that they are designed to instill trust with clients that you are protecting their data. If you look at their principles, they each cover essential dimensions of securing information, such as confidentiality, integrity, and availability.

The good news from this comparison is that both frameworks are broadly recognized certifications that prove to clients that you take security seriously. The great news is that if you complete one certification, you are well along the path to achieving the other. These attestations and certifications are reputable and typically accepted by clients as proof that you have proper security. Suppose you sell to organizations in the United States. In that case, they will likely accept either SOC 2 or ISO 27001 as a third-party attestation to your InfoSec program. Both are equally “horizontal” in that most industries accept them.

There are several key differences between ISO 27001 and SOC 2, but the main difference is scope. ISO 27001 provides a framework for how organizations should manage their data and requires them to prove they have an entire working ISMS in place. In contrast, SOC 2 demonstrates that an organization has implemented essential data security controls.

Which one should you go with?

Whatever certification you decide to do first, the odds are as your business grows, you will eventually have to complete both certifications to meet the requirements of your global clientele. The encouraging news is that there are more accessible, faster, and more cost-effective methods to leverage your work in one certification to reduce the amount of work you need to do in subsequent certifications. We are suggesting that you explore compliance with a proactive mindset, as it will save you time and money in the long run.

The post Security frameworks / attestations and certifications: Which one is the right fit for your organization? appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

If you don't think API security is that important, think again. Last year, 91% of organizations had an API security incident. The proliferation of SOAP and REST APIs makes it easy for organizations to tailor their application ecosystems, but APIs also hold the keys to all of a company's data. As data-centric projects become more common, the likelihood of a targeted API attack campaign increases.

Experts agree that organizations that keep their API ecosystem open should also take steps to prevent ransomware attacks and protect data from unauthorized users. Here is a list of 12 tips to help protect your API ecosystem and avoid unnecessary security risks. 

Encryption

The best place to start with any security program is encryption. Encryption converts protected information into ciphertext that can only be read by a party holding the appropriate key; without the key, unauthorized users cannot make sense of the data, which keeps sensitive information away from prying eyes.

In today's digital business environment, API traffic should be encrypted end to end. Customer-facing endpoints, vendor and third-party integrations, and internal service-to-service calls should all be protected with TLS 1.2 or later. Reject plaintext HTTP on API endpoints rather than redirecting it, since a redirected request has already sent its credentials or token in the clear. Encrypting the connection at every hop helps prevent interception and tampering along the way.

Authentication

Authentication means validating that a user or a machine is being truthful about their identity. Identifying each user that accesses your APIs is crucial so that only authorized users can see your company’s most sensitive information. 

There are several common ways to authenticate API callers:

  • HTTP basic authentication (only ever over TLS, since the credentials travel base64-encoded, not encrypted)
  • API keys, which identify a client application rather than a person
  • Tokens issued by an identity provider (IdP), such as OAuth 2.0 access tokens

OAuth & OpenID Connect

A well-designed API delegates authentication rather than implementing its own. Delegating authentication and authorization to an IdP makes better use of resources and keeps the API more secure, because the hard parts (credential storage, MFA, account recovery) are handled once, by a component built for them.

OAuth 2.0 is the authorization framework that lets a user grant an application limited access to resources held by another service without sharing a password. OpenID Connect, built on top of it, is what lets users sign in with an existing identity (as when you use Facebook, Apple, or Google to log in or create an account) instead of remembering thousands of passwords for accounts across the internet.

The same concept applies to API security with IdP-issued tokens. Instead of sending credentials with each call, the client presents an access token issued by the authorization server, and the API validates the token's signature, issuer, audience, and expiry before trusting the claims in it. Adding OpenID Connect on top of OAuth 2.0 supplies the identity layer: an ID token that tells the application who authenticated.
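As an added illustration (not code from the original post or from any particular IdP), here is the validation a resource server should perform on a bearer token before trusting its claims. To run stand-alone it mints the token locally with an HS256 shared secret; a real IdP would sign with an asymmetric algorithm such as RS256 and publish its keys via JWKS, but the verifier's checks are the same: pin the algorithm, verify the signature in constant time, then check issuer, audience, and expiry. The issuer URL, audience name, secret, and claim values are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the IdP: produce an HS256 JWT over `claims` (demo use only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Resource-server side: return the claims only if every check passes."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:  # wrong number of parts, bad base64, bad JSON
        raise TokenError("malformed token") from exc

    # Pin the algorithm we expect. Honouring the token's own "alg" is what
    # enables "alg: none" and RS256->HS256 key-confusion attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")

    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenError("malformed signature") from exc
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        raise TokenError("bad signature")

    try:
        claims = json.loads(b64url_decode(body_b64))
    except ValueError as exc:
        raise TokenError("malformed claims") from exc
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    return claims


def authorize(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Wrapper for request handlers: (True, claims) or (False, reason)."""
    try:
        return True, verify_token(token, secret, issuer, audience, now)
    except TokenError as err:
        return False, str(err)


if __name__ == "__main__":
    # Constructed demo values (assumptions, not from the post).
    SECRET = b"shared-secret-for-demo-only"
    ISSUER, AUDIENCE = "https://idp.example", "orders-api"
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "bob", "exp": 1_700_000_000}, SECRET)
    print(authorize(tok, SECRET, ISSUER, AUDIENCE, now=1_699_999_000))  # accepted
    print(authorize(tok, SECRET, ISSUER, AUDIENCE, now=1_700_000_001))  # expired
```

The order of checks matters: the algorithm is pinned before anything is compared, the signature is verified before any claim is read, and only then are issuer, audience, and expiry checked, so an attacker-controlled body is never acted on before its authenticity is established.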

Audit, log, and version

Without adequate API monitoring, organizations cannot detect or stop insidious attacks. Teams should continuously monitor the API and have an organized, repeatable troubleshooting process. Audit and log requests on the server side (who called what, when, from where, and with what result) and retain those logs so they are available as evidence during an incident.

A monitoring dashboard helps track API consumption and improves monitoring practices. Also version every API and deprecate old versions when appropriate, so that insecure legacy endpoints do not linger.

Stay private

Organizations should be cautious about what they expose, since data is one of the most valuable and sought-after business commodities. Ensure error messages reveal as little as possible (no stack traces, internal hostnames, or database details), keep internal IP addresses and infrastructure out of responses, and use a secure email gateway for all internal and external messaging. Give developers only the access their work requires, and use IP allowlists and denylists to restrict access to resources.

Consider your infrastructure

Without sound infrastructure and network security, it is impossible to keep an API secure. Keep servers and software up to date, perform regular maintenance, and retire unused resources. Also make sure third-party service providers run current software versions and encryption protocols.

Throttling and quotas

Denial-of-service (DoS and DDoS) attacks can block legitimate users from their dedicated resources, including APIs. Throttling limits and quotas per client (per API key, user, or source address) ensure that no single caller can abuse the API, blunt attacks that arrive from many sources at once, and keep your own systems from being overloaded by unnecessary requests. Return a clear rejection (HTTP 429) when a limit is hit so that legitimate clients can back off.
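The following is an added example (not from the original post or from any gateway product) of the per-client throttling and quota logic a gateway applies: a sliding window caps the burst rate and a fixed window enforces a longer-term quota, each keyed by the client identifier. The limits and client keys are assumptions; `simulate` stands in for a stream of requests so the behaviour can be checked offline.

```python
import time
from collections import deque


class RateLimiter:
    """Allow at most `burst` requests per `window_seconds` (sliding window) and
    at most `quota` requests per `quota_seconds` (fixed window) per client key."""

    def __init__(self, burst=10, window_seconds=1.0, quota=1000, quota_seconds=86400):
        self.burst = burst
        self.window = window_seconds
        self.quota = quota
        self.quota_window = quota_seconds
        self._recent = {}   # key -> deque of request timestamps inside the burst window
        self._usage = {}    # key -> (quota window start, count)

    def allow(self, key, now=None):
        """Return (allowed, reason). `now` is injectable so runs are deterministic."""
        now = time.monotonic() if now is None else now

        # Burst control: discard timestamps that have slid out of the window.
        recent = self._recent.setdefault(key, deque())
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.burst:
            return False, "rate limit exceeded"   # would map to HTTP 429

        # Quota control: reset the counter once the quota window has rolled over.
        start, count = self._usage.get(key, (now, 0))
        if now - start >= self.quota_window:
            start, count = now, 0
        if count >= self.quota:
            return False, "quota exhausted"       # would also map to HTTP 429

        # Only a request that is actually served consumes budget.
        recent.append(now)
        self._usage[key] = (start, count + 1)
        return True, "ok"


def simulate(limiter, key, n, spacing, start=0.0):
    """Send `n` requests `spacing` seconds apart from `start`; return how many were allowed."""
    return sum(1 for i in range(n) if limiter.allow(key, now=start + i * spacing)[0])


if __name__ == "__main__":
    # Constructed scenario: one client hammers the API, another behaves.
    limiter = RateLimiter(burst=5, window_seconds=1.0, quota=20, quota_seconds=60)
    print("flood of 50 in one second, allowed:", simulate(limiter, "attacker-key", 50, 0.0))
    print("steady client, allowed:", simulate(limiter, "good-key", 10, 0.5))
```

Keying on the authenticated client (API key or subject) rather than only on source IP is what keeps a distributed attack from sharing one large budget and what keeps one abusive tenant from starving the others.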

Data validation

All input must be validated against a defined contract before it reaches business logic, to prevent malicious content from being injected through the API. Check every piece of data that comes through your servers and reject anything unexpected: unknown fields, wrong types, values out of range, and payloads significantly larger than the endpoint needs. JSON and XML schema validation help check parameters and block a whole class of attacks before the data is processed any further.
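As an added example (not the post's code), here is a schema-style validator in plain Python for a hypothetical order-creation endpoint. It enforces a size cap before parsing, a closed set of fields, types, lengths, and ranges, and returns a cleaned copy rather than the raw input. The field names, limits, and sample bodies are constructed; a production service would typically express the same rules as a JSON Schema and use a library to apply them.

```python
import json

MAX_BODY_BYTES = 4096  # assumed cap for this endpoint; checked before parsing

# Assumed contract for POST /orders. Anything not listed here is rejected.
ORDER_SCHEMA = {
    "sku":      {"type": str, "max_len": 32,  "required": True},
    "quantity": {"type": int, "min": 1, "max": 1000, "required": True},
    "note":     {"type": str, "max_len": 200, "required": False},
}


class ValidationError(ValueError):
    pass


def validate_order(raw_body: bytes) -> dict:
    """Return a cleaned dict containing only schema fields, or raise ValidationError."""
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("payload too large")
    try:
        data = json.loads(raw_body)
    except ValueError as exc:  # covers bad UTF-8 and bad JSON
        raise ValidationError("malformed JSON") from exc
    if not isinstance(data, dict):
        raise ValidationError("expected a JSON object")

    # Closed schema: unknown fields are a classic mass-assignment vector.
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected field(s): {sorted(unknown)}")

    clean = {}
    for name, rule in ORDER_SCHEMA.items():
        if name not in data:
            if rule["required"]:
                raise ValidationError(f"missing field: {name}")
            continue
        value = data[name]
        # bool is a subclass of int in Python, so "quantity": true would pass
        # a naive isinstance(value, int) check; reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            raise ValidationError(f"wrong type for {name}")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name} too long")
        if "min" in rule and value < rule["min"]:
            raise ValidationError(f"{name} below minimum")
        if "max" in rule and value > rule["max"]:
            raise ValidationError(f"{name} above maximum")
        clean[name] = value
    return clean


def check_order(raw_body: bytes):
    """Handler-friendly wrapper: ('ok', cleaned) or ('rejected', reason)."""
    try:
        return "ok", validate_order(raw_body)
    except ValidationError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    # Constructed request bodies.
    print(check_order(b'{"sku": "ABC-1", "quantity": 2}'))
    print(check_order(b'{"sku": "ABC-1", "quantity": 2, "is_admin": true}'))
    print(check_order(b'{"sku": "ABC-1", "quantity": "2"}'))
```

The size check runs before `json.loads` on purpose: parsing is where a deeply nested or multi-megabyte body does its damage, so the cheapest rejection comes first.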

OWASP Top 10

Staying current with the OWASP (Open Web Application Security Project) Top 10 helps teams implement proactive measures against well-known classes of vulnerability. The Top 10 ranks the most critical web application security risks by prevalence, exploitability, and impact; OWASP also publishes a separate API Security Top 10 that covers API-specific problems such as broken object level authorization. Organizations should regularly review their systems against both lists.

API firewalling

An API firewall makes it harder for attackers to exploit API vulnerabilities. A common design uses two layers: a first layer in the DMZ handles basic checks such as SQL injection patterns, message size, and other HTTP-level protections, and then forwards the message to a second layer on the internal network that applies more advanced, application-aware checks.

API gateway management

Using an API gateway or API management solution can help save organizations a lot of time and effort when successfully implementing an API security plan. An API gateway helps keep data secure with tools to help monitor and control your API access. 

In addition to streamlining the security implementation, an API management solution can help you make sense of API data to inform business decisions, and most gateways and management solutions offer a simple UI with easy navigation.

Call security experts

Although cybersecurity positions are popping up worldwide, many organizations are having difficulty finding talented experts with the right security credentials to fill in the security gaps. There are ways to attract cybersecurity professionals to your company, but cybersecurity can’t wait for the right candidate. 

Call the security experts at AT&T cybersecurity to help you manage your network and API security. Plus, you can use ICAP (Internet Content Adaptation Protocol) servers to scan the payload of your APIs. 

Final thoughts

As digital tools and technologies continue to evolve, so will hackers’ attempts to exploit crucial business data. Putting some basic API security best practices in place will help prevent attacks in the future and contribute to a healthy IT policy management lifecycle. 

The best way to keep APIs safe is to build a company-wide mindset of cyber hygiene through continuous training and DevSecOps collaboration. Beyond that, following these tips will let organizations secure their digital experiences and important data.

The post API security: 12 essential best practices to keep your data & APIs safe appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

“Ransomware has become the enemy of the day; the threat that was first feared on Pennsylvania Avenue and subsequently detested on Wall Street is now the topic of conversation on Main Street.”

Frank Dickson, Program Vice President, Cybersecurity Products at IDC

In the first installment of this blog series (Endpoint Security and Remote Work), we highlighted the need to provide comprehensive data protections to both traditional and mobile endpoints as an enabler of remote work.  In this second chapter, we’ll expand on the importance of endpoint security as one of many key elements for defining an organization’s security posture as it relates to arguably the most relevant cybersecurity issue of the day.  

Cue the ominous music and shadowy lighting; that is likely the mood of most cybersecurity professionals when the topic is ransomware. To the dismay of corporate executives, government and education leaders, and small business owners, ransomware is pervasive and evolving quickly. As evidence, a recent report indicated that roughly half of all state and local governments worldwide were victims of a ransomware attack in 2021.

However, there are steps that can be taken along the path to digital transformation to minimize the risk associated with these attacks. As companies evolve their strategy for combating ransomware, five key strategies help reduce the risk inherent in an attack:

1. Prevent phishing attacks and access to malicious websites

Companies must be able to inspect all Internet-bound traffic from every endpoint, especially mobile, and block malicious connections. This is significantly more complex than inspecting corporate email: because bad actors are tuned to user behavior, most threat campaigns include both a traditional and a mobile phishing component.

SMS and messaging apps yield considerably higher response rates than email, which is why attackers have pivoted to mobile to initiate ransomware attacks. To quantify, SMS has a 98% open rate and an average response time of just 90 seconds, while email has a 20% open rate and a 1.5-hour response time.

As a result, Secure Web Gateways (SWG) and Mobile Endpoint Security (MES, also called Mobile Threat Defense, MTD) solutions need to work in concert to secure every connection to the Internet from any device. SWG and MES perform similar web-traffic inspection functions but for different form factors and operating systems: SWG protections are primarily available on traditional endpoints (Windows, macOS, etc.), whereas MES/MTD covers the mobile ecosystem with protections for iOS and Android. Because ransomware can be initiated in many ways, including email, SMS, QR codes, and social media, every organization must employ tools that detect and mitigate threats targeting all endpoints.

2. Prevent privilege escalation and application misconfigurations

Another tell-tale sign of a possible ransomware attack is the escalation of privileges by a user within the organization. Attackers use compromised user credentials to access systems and disable the security functions that stand in the way of their attack, which also buys them more dwell time to identify critical systems and data to include in it. User and Entity Behavior Analytics (UEBA) is what lets the IT organization recognize when a user's privileges have been altered. Abnormal behavior such as privilege escalation or "impossible travel" is an early indicator of a ransomware attack and a key capability of any UEBA solution. For example, if a user logs into a SaaS app from Dallas and an hour later from Moscow, the security team needs to know, and tooling should automate the response, starting with blocking the user's access.
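The Dallas/Moscow case above, as an added detection example written for this page (not the post's or any vendor's code): compute the great-circle distance between a user's consecutive logins and alert when the implied speed exceeds what a traveller could manage. The login events, coordinates, the 50 km jitter floor, and the 900 km/h threshold are constructed assumptions; a real deployment reads events from the IdP or SaaS audit log and geolocates the source IPs.

```python
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore GeoIP jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive logins by the same user whose
    implied speed exceeds max_kmh. Each event: dict(user, ts, lat, lon, city)."""
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Two distant logins at the same instant are impossible too; guard the division.
            speed = float("inf") if hours <= 0 else dist / hours
            if dist >= MIN_DISTANCE_KM and speed > max_kmh:
                alerts.append({
                    "user": ev["user"],
                    "from": prev["city"], "to": ev["city"],
                    "distance_km": round(dist), "elapsed_h": round(hours, 2),
                    "speed_kmh": round(speed) if hours > 0 else None,
                    "action": "block access and require re-authentication",
                })
        last_seen[ev["user"]] = ev
    return alerts


def sample_events():
    """Constructed login events (not real audit data)."""
    t0 = datetime(2022, 9, 1, 9, 0, 0)
    return [
        {"user": "jsmith", "ts": t0, "lat": 32.78, "lon": -96.80, "city": "Dallas"},
        {"user": "jsmith", "ts": t0 + timedelta(hours=1), "lat": 55.76, "lon": 37.62, "city": "Moscow"},
        {"user": "ajones", "ts": t0, "lat": 32.78, "lon": -96.80, "city": "Dallas"},
        {"user": "ajones", "ts": t0 + timedelta(hours=3), "lat": 30.27, "lon": -97.74, "city": "Austin"},
    ]


if __name__ == "__main__":
    for alert in impossible_travel(sample_events()):
        print(alert)
```

In practice the rule needs an exception list for known VPN and cloud egress ranges, whose geolocation jumps legitimately; without it the detector is noisy enough that analysts stop reading it.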

3. Prevent lateral movement across applications

Once the ransomware attack is under way, the next step is to gain access to other systems holding high-value data that can be used to increase the ransom. Businesses should therefore enable segmentation at the application level to prevent lateral movement. With traditional VPNs this is hard: if an attacker compromises a credential and connects via the VPN, every system reachable over the VPN is now available to expand the scope of the attack.

Zero Trust Network Access (ZTNA) tools prevent that lateral movement by authenticating the user and authorizing their privileges on an app-by-app basis. That can be extended with context to manage permissions based on many factors, such as which device is used for the request (managed vs. unmanaged), the device's health status, time of day and location, file type, data classification (confidential, classified), user activity (upload, download), and more. A real-world policy might allow view-only access to non-sensitive corporate content from a personal tablet, but require a managed device for any action such as sharing or downloading that content.

4. Minimize the risk of unauthorized access to private applications

It is essential for companies to ensure that corporate/proprietary apps and servers aren’t discoverable on the Internet.  Authorized users should only get access to corporate information using adaptive access policies that are based on users’ and devices’ context.  Whether these applications reside in private data centers or IaaS environments (AWS, Azure, GCP, etc.), the same policies for accessing data should be consistent. Ideally, they are managed by the same policy engine to simplify administration of an organization’s data protections.  One of the most difficult challenges for security teams in deploying Zero Trust is the process of creating policy.  It can take months or even years to tune false positives and negatives out of a DLP policy, so a unified platform that simplifies the management of those policies across private apps, SaaS, and the Internet is absolutely critical. 

5. Detect data exfiltration and alterations

A recent trend in ransomware attacks is the exfiltration of data in addition to encryption of the critical data. In these cases the stolen data is used as leverage against the victim to encourage payment of the ransom. LockBit 2.0 and Conti are two ransomware gangs notorious for stealing data both to monetize it and to damage the reputation of their targets.

Hence, companies must be able to use context- and content-aware signals about their data to mitigate malicious downloads or modifications. Just as important, these signals should travel with the files throughout their lifecycle, so that the data stays encrypted when an unauthorized user accesses it and they cannot view the content. Enterprise Data Rights Management (EDRM) and DLP together provide this functionality, an important toolset against ransomware because it minimizes the value of whatever is exfiltrated.

It should also be noted that this functionality is just as important when considering the impact to compliance and collaboration.  Historically, collaboration has been thought to increase security risk, but the ability to provide data protections based on data classification can dramatically improve a company’s ability to collaborate securely while maximizing productivity.

As stated above, there is considerably more to preventing ransomware attacks than good endpoint security hygiene. With remote work and cloud adoption the task is significantly harder, but not impossible. Adopting Zero Trust together with a data protection platform that includes UEBA, EDRM, DLP, and similar capabilities gives companies contextually aware protections and visibility into who is accessing data and what actions are being taken, the key indicators that identify and stop ransomware attacks before they do damage.

For more information regarding how to protect your business from the perils of ransomware, please reach out to your assigned AT&T account manager or click here to learn more about how Lookout’s platform helps safeguard your data.

This is part two of a three-part series, written by an independent guest blogger. Please keep an eye out for the last blog in this series which will focus on the need to extend Endpoint Detection and Response capabilities to mobile.

The post 5 ways to prevent Ransomware attacks appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Stop, look, listen; lock, stock, and barrel; “Friends, Romans, Countrymen…” The 3 Little Pigs; Art has 3 primary colors; photography has the rule of thirds; the bands Rush and The Police; the movie The 3 Amigos. On and on it goes – “Omne trium perfectum” – “Everything that comes in threes is perfect.”

While this article does not provide perfection, it focuses on the top three API vulnerabilities according to OWASP. The OWASP API Security Top 10 is worth reading because it is not only developed by professionals worldwide but also read by the threat actors who will take advantage of those vulnerabilities.

OWASP ranks API risks by the vulnerability's exploitability, weakness prevalence, weakness detectability, and technical impact, so the API Top 10 is ordered by OWASP's own risk methodology. That method does not consider how likely a given weakness is to materialize in your environment, or its business impact; that is left to each business. Still, these three are great places to start because they have affected large companies such as Peloton in 2021.

1. API1:2019 Broken Object Level Authorization (BOLA)

In this vulnerability, APIs expose endpoints that handle object identifiers, and a caller who can change the identifier gains access to objects that are not theirs. The attack is like Insecure Direct Object Reference (IDOR), where an application uses user-supplied identifiers to fetch objects without checking ownership. In the API sphere, BOLA is the more accurate name: the problem is broken authorization across a sequence of API calls rather than a single bad reference. Every call to a data source that uses user-provided input should include an object-level authorization check.

Here’s a simple example of how this works.

An API call has the following path: /customers/user/bob/profile. An attacker logged in as bob will substitute other names to see what can be accessed, such as:

/customers/user/alice/profile

/customers/user/john/profile

Even if the name is replaced with a long string of mixed characters, the problem remains if those values are sequential or otherwise guessable. Unguessable IDs are only defense in depth: identifiers leak through other endpoints, shared links, and logs, so the object-level authorization check is what actually closes the hole.

Mitigation

  • Implement an authorization mechanism that relies on user policies and hierarchy.
  • In every function that uses client input to access a record, use that mechanism to check that the logged-in user is authorized to perform the requested action on that record.
  • Use random, non-guessable values for record IDs.
  • Write tests that exercise the authorization checks, and do not deploy changes that break them.
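The /customers/user/&lt;name&gt;/profile path above, as an added example written for this page (not the post's code): a handler that authenticates but never authorizes, beside the same handler with the object-level check from the mitigation list, and the enumeration loop an attacker would run against each. The profile store, the session user, and the `support` role are constructed stand-ins for a database, an authenticated request, and a real policy lookup.

```python
# Constructed sample data standing in for the customer database.
PROFILES = {
    "bob":   {"email": "bob@example.com",   "ssn_last4": "1234"},
    "alice": {"email": "alice@example.com", "ssn_last4": "9876"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_profile_vulnerable(session_user, requested_user):
    """BOLA: confirms the caller is logged in (authentication) but never asks
    whether session_user may read requested_user's record (authorization)."""
    if session_user is None:
        raise Forbidden("login required")
    if requested_user not in PROFILES:
        raise NotFound(requested_user)
    return PROFILES[requested_user]


def is_authorized(session_user, requested_user, roles):
    """Policy stand-in: owners read their own profile; the assumed 'support'
    role may read any profile. A real system would consult its policy engine."""
    return session_user == requested_user or "support" in roles


def get_profile_fixed(session_user, requested_user, roles=()):
    if session_user is None:
        raise Forbidden("login required")
    # Object-level check on every record access driven by client input.
    # It runs before the existence check so that the error does not reveal
    # which usernames exist.
    if not is_authorized(session_user, requested_user, roles):
        raise Forbidden("not your profile")
    if requested_user not in PROFILES:
        raise NotFound(requested_user)
    return PROFILES[requested_user]


def enumerate_profiles(handler, session_user, candidates):
    """What an attacker logged in as session_user gets back by guessing names."""
    leaked = {}
    for name in candidates:
        try:
            leaked[name] = handler(session_user, name)
        except (Forbidden, NotFound):
            pass
    return leaked


if __name__ == "__main__":
    guesses = ["alice", "john", "bob"]
    print("vulnerable:", sorted(enumerate_profiles(get_profile_vulnerable, "bob", guesses)))
    print("fixed:     ", sorted(enumerate_profiles(get_profile_fixed, "bob", guesses)))
```

The check lives inside the data-access function rather than in the router so that every path to the record, including any future endpoint that reuses the function, gets it for free.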

2. API2:2019 Broken User Authentication

When authentication mechanisms are implemented improperly, attackers can compromise authentication tokens or exploit implementation flaws by assuming other users’ identities.

A prominent example is the 2021 Parler breach. Other factors came into play, but at least one endpoint did not require authentication, giving anyone who found it (and someone did) unhindered access to images.

Mitigation

  • Use industry-standard authentication and token generation mechanisms (and read the accompanying documentation).
  • Be aware of all the possible API authentication flows in the product or service (mobile/ web/deep links that implement one-click authentication/etc.).
  • Treat "forgot password" endpoints as login endpoints in terms of brute force, rate limiting, and lockout protection.
  • Use the OWASP Authentication Cheat Sheet.
  • Implement multi-factor authentication wherever and whenever possible.
  • Check for weak passwords.
  • API keys should be used for client app authentication, but not user authentication.

3. API3:2019 Excessive Data Exposure

Developers, designers, and engineers may not take data sensitivity into consideration. They may favor client-side filtering, which means the server returns the whole object and the data is not filtered before it leaves the server, so anything the UI hides is still in the response for anyone to read.

When testing, ask “What should the user know?” and display the minimum amount of data necessary.

Mitigation

  • Test or capture the API calls (using, e.g., Postman or OWASP ZAP) and search the responses for "token", "key", "password", and similar to see what they reveal.
  • Threat model the data to review the flow and where filtering happens.
  • Never depend on client-side filtering of sensitive data.
  • Review the API responses. Do they contain more data than the client needs for that screen?
  • Determine what data is crossing the wire. Is it sensitive, confidential, PII, etc.? If so, it poses both security and privacy threats.
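As an added example (not the post's code), here is the difference between returning the stored record and leaving filtering to the client versus serializing an explicit, per-audience allowlist of fields, together with a small review helper that walks a JSON response looking for suspicious key names as the first mitigation bullet suggests. The record, its field names, and the audience rules are constructed.

```python
# Constructed user row as an ORM or database layer might return it.
USER_ROW = {
    "id": 42,
    "username": "bob",
    "email": "bob@example.com",
    "password_hash": "$2b$12$constructedhashvalue",
    "mfa_secret": "JBSWY3DPEHPK3PXP",
    "ip_last_login": "203.0.113.7",
    "is_admin": False,
}


def profile_exposed(row):
    """Excessive data exposure: the whole row goes over the wire and the
    front end is trusted to hide the sensitive parts."""
    return dict(row)


# Explicit allowlists per audience (assumed policy). Anything not named here
# never leaves the server, whatever the storage layer grows to contain later.
PUBLIC_FIELDS = ("id", "username")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "is_admin")


def serialize_user(row, viewer_id=None):
    """Server-side filtering: owners see their own contact details, everyone
    else sees only the public subset."""
    fields = OWNER_FIELDS if viewer_id == row["id"] else PUBLIC_FIELDS
    return {k: row[k] for k in fields}


SENSITIVE_KEY_HINTS = ("password", "secret", "token", "key", "ssn")


def find_sensitive_keys(obj, path=""):
    """Review helper: walk a decoded JSON response and report key paths whose
    names suggest credentials or identifiers that should not be in a response."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if any(h in k.lower() for h in SENSITIVE_KEY_HINTS):
                hits.append(p)
            hits.extend(find_sensitive_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits


if __name__ == "__main__":
    print("exposed :", find_sensitive_keys(profile_exposed(USER_ROW)))
    print("owner   :", serialize_user(USER_ROW, viewer_id=42))
    print("stranger:", serialize_user(USER_ROW, viewer_id=7))
```

Note the direction of the allowlist: fields are opted in, not opted out, so a column added to the table next year (a recovery code, a partial card number) is invisible to the API until someone decides it should be shown.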

An important aspect of security and risk management is acknowledging that nothing is 100% secure or risk-free. There's always a risk. One concept in self-defense is appearing hard to get. Someone who walks tall and confidently, has no visible jewelry or purse, and is not distracted is considered a much harder target for being accosted than someone who slumps, lazes along, has visible necklaces and bracelets, and is on the phone (distracted). The former doesn't eliminate risk but presents a greatly reduced risk.

Securing APIs needs to move toward a confident posture and a reduced-risk model. Attackers look at the OWASP API Top 10 and other lists of common attack mechanisms and apply them to their targets. An organization that has missed any of these is at much greater risk than one that has addressed them, even if other security issues remain (and there are always security issues). If attackers have a hard time making headway, they are more likely to move on. A major challenge is that one never knows when or what attackers are doing, so staying on top of security maintenance is an ongoing task (think of it as job security). One way to become better acquainted with API security is to examine its fundamentals.

Focusing efforts on a few high-risk items won’t solve all the vulnerabilities, but that focus provides immediate guidance for engineering, developers, security, and privacy teams. In turn, this provides a roadmap for projects and tasks and prevents any appearance of negligence. These active and engaged responses to known vulnerabilities increase service security and customer trust.

The post API attack types and mitigations appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

It’s well known that there’s a pervasive cybersecurity skills shortage. The problem has multiple ramifications. Current cybersecurity teams often deal with consistently heavy workloads and don’t have time to deal with all issues appropriately. The skills shortage also means people who need cybersecurity talent may find it takes much longer than expected to find qualified candidates.

Most people agree there’s no single way to address the issue and no fast fix. However, some individuals wonder if global recruitment could be an option, particularly after human resources managers establish that there aren’t enough suitable candidates locally.

Current cybersecurity professionals planning career changes

A June 2022 study from Trellix revealed that 30% of current cybersecurity professionals are thinking about changing their careers. Gathering from a wider candidate pool by recruiting people on a global level could increase the number of overall options a company has when trying to fill open positions.

However, it’s essential to learn what’s causing cybersecurity professionals to want to leave the field. Otherwise, newly hired candidates may not stick around for as long as their employers hope. It’s also important to note that the Trellix poll surveyed people from numerous countries, including the United States, Canada, India, France, and Japan.

Another takeaway from the study was that 91% of people believed there should be more efforts to increase diversity in the cybersecurity sector. The study showed that most employees in the industry now are straight, white, and male. If more people from minority groups feel welcomed and accepted while working in cybersecurity roles, they’ll be more likely to enter the field and stay in it for the long term.

Appealing perks help attract workers

Some companies have already invested in global recruitment efforts to help close cybersecurity skills gaps.

For example, Microsoft recently expanded its cybersecurity skills campaign to an additional 23 countries – including Ireland, Israel, Norway, Poland, and South Africa. All the places were identified as under high threat of cybersecurity attacks. Microsoft representatives have numerous plans to get people the knowledge they need to enter the workforce confidently and fill cybersecurity roles.

The hiring initiative also includes some Asia-Pacific (APAC) countries. That is significant since statistics suggest the region will face a labor shortage of 47 million people across all job types by 2030.

Something human resources leaders must keep in mind before hiring cybersecurity professionals is that the open positions should include attractive benefits packages that are better than or on par with what other companies in the sector provide.

Since cybersecurity experts are in such high demand, they enjoy the luxury of being picky about which jobs they consider and how long they stay in them. Even though cultural differences exist, there are some similarities in what most people look for in their job prospects. Competitive salaries and generous paid time off are among the many examples.

Shortfalls persist despite 700,000 workforce entrants

Global research published in 2021 by (ISC)² found that 700,000 new people had joined the cybersecurity workforce since 2020. However, the study also showed that the worldwide pool of professionals must grow by 65% to keep pace with demand.

The study’s results also suggested that one possibility is to recruit people who don’t have cybersecurity backgrounds. The data indicated that 17% of respondents came into the field from unrelated sectors.

Some experts suggest tapping into specific population groups as a practical way to address the shortage. For example, people with autism and ADHD often have skills that make them well suited for the cybersecurity industry.

Global recruitment is not an all-encompassing solution

Hiring people from around the world could close skill gaps in situations where it’s evident there’s a lack of talent wherever a company primarily operates. However, as the details above highlight, the skills shortage is a widespread issue.

Accepting applications from a global talent pool could also increase administrative tasks when a company is ready to hire. That’s partially due to the higher number of applications to evaluate. Additionally, there are other necessities associated with aspects like visa applications or time zone specifics if an international new hire will work remotely.

People in the IT sector should ideally see global recruitment as one of many possibilities for reducing the cybersecurity skills gap severity. It’s worth consideration, but not at the expense of ignoring other strategies.

The post Can global recruitment solve the cybersecurity hiring problem? appeared first on Cybersecurity Insiders.