Businesses today have many tools in their security stack and security teams find themselves spending too much time managing the tools and not enough time tackling business-critical projects. Security tool overload creates internal challenges and distracts from the primary business mission. How can companies better protect themselves while staying on track to achieve goals?

Let’s take a look at how working with a managed security service provider (MSSP) to manage your extended detection and response (XDR) solution can improve security coverage in busy and complex environments.

Much like secure access service edge (SASE) combines several network security protections, XDR combines network and endpoint detection and response capabilities with endpoint protection and security orchestration, automation, and response (SOAR). As with SASE, the devil is in the details.

XDR as a service helps you scale

One material way to simplify security is to enlist the aid of an MSSP. These experts have a deep understanding of how the tools work, and they have broad experience installing and running a variety of products and platforms in different customer environments.

XDR provides protection, detection, and response across the security ecosystem

While AT&T’s USM-based XDR is vendor-agnostic, it features a unique integration with SentinelOne, one of the leading vendors in the endpoint detection and response space. SentinelOne consolidates multiple endpoint security functions, including next-generation antivirus, pre-execution protection, and AI-based detection and response, into a single agent. The USM Anywhere integration with SentinelOne, powered by the SentinelOne Advanced AlienApp, lets the SOC analyst terminate malicious processes, quarantine infected devices, and roll back the changes an attack made so that endpoints return to a known-clean state. All of this is done from a single pane of glass in the USM Anywhere platform.

Services based on AT&T’s USM Anywhere and SentinelOne bring broad visibility into your environment through their ability to interoperate with many security tools utilizing AT&T’s AlienApp integrations. These connections across your environment pull events and security intelligence into one centralized hub for further correlation and add context to help you respond faster to investigations and threats. With an extensive and evolving library of AlienApps, you will not need to rip and replace your current infrastructure; as you grow or change, your security can too.

Intelligence is key

Threat intelligence is critical for accurate detections and reducing false positives. This is one of the strengths of the USM Anywhere-based solutions—they include access to AT&T’s unique perspective as a service provider and operator of one of the largest networks in the world.

It starts with the world’s largest open threat intelligence community, AT&T Alien Labs Open Threat Exchange (OTX), feeding in data from researchers around the globe. Additional machine learning and security analytics help correlate the data and provide context so threats can be identified faster and more accurately. However, the biggest advantage is the AT&T Alien Labs researchers who, in combination with the OTX platform, can discover infrastructure and tools used by threat actors to host their operations and launch ransomware and other sophisticated cyberattacks. By concentrating on threat actor tactics, techniques, and procedures (TTPs), this approach provides early-stage, more predictive identification of threats, which means higher-fidelity detection of evolving threats.

Highly contextualized and correlated data is automatically maintained and fed into the award-winning USM platform, along with AlienApp intelligence for data analysis across your growing business.

Vendor lock-in, or multi-vendor integration?

One approach to addressing security tool complexity is to “go all in” with one vendor. The argument here is that standardizing on one vendor’s approach is better because the tools were designed to work together. However, the truth is that often each vendor’s products are more a collection of acquired technology than an integrated solution, and roadmaps for consolidation frequently stretch to the horizon. Not to mention that vendors tend to be leaders in one type of tech but followers in most other areas.

Another approach to consider is an open XDR solution. This approach brings together two important existing solutions: advanced security information and event management (SIEM) platforms with correlation engines, and endpoint detection and response agents. They also have deep integrations with third-party tools such as firewalls, SaaS/IaaS clouds, SASE solutions, and more. These integrations make responding to incidents, and automating responses, quick and easy. With this approach, you are free to choose the best security vendors with the confidence that they can be used together without the need for you to replace your entire stack.

Conclusion

There are no quick fixes for most of our modern security challenges, but one clear way to simplify things is to select products and services that are well integrated and offer the flexibility to mix and match critical components. By relying on MSSPs, organizations can reduce the need for both staff and subject matter expertise. Since detection and response has a significant learning curve, businesses can also realize significant savings and rest assured that their network is guarded by professionals. AT&T’s USM-based XDR brings together our strongest resources to help you improve your time to detect, respond, and recover from threats. Leverage our advanced security analytics, leading endpoint security, deep integrations with industry-leading vendors, and world-class 24×7 support to drive efficiencies in your security operations and help you find and quickly act on true threats to your business.

To learn more, visit AT&T Cybersecurity MSSP Partner Program (att.com)

The post Working with MSSPs to optimize XDR appeared first on Cybersecurity Insiders.

On February 15th, 2022, the International Organization for Standardization (ISO) published the latest update to “ISO/IEC 27002 Information security, cybersecurity and privacy protection — Information security controls”. The standard is available for personal use from ISO.org for CHF 198 (Swiss francs) or, if you prefer US dollars, for $200 at the ANSI.org webstore. I’ll simply refer to it as ISO 27002, as most people do.

I’ve been working with ISO 27002 controls since the 2005 version. It’s always interesting to see what changed and what I need to adjust to keep adhering to the framework. Unfortunately, it also means that many organizations’ policies and procedures have to be updated. ISO 27002:2013 was mostly the same as the 2005 version, except that it removed the controls around risk assessment and treatment. This time the changes are much more drastic. In short:

  • ISO 27002:2013 had 114 controls over 14 control domains
  • ISO 27002:2022 reorganized this into 93 controls with a taxonomy of 4 primary categories (referred to as clauses):
  1. Organizational Controls – 37 controls
    • The catchall clause
  2. People Controls – 8 controls
    • These deal with individual people, such as background checks
  3. Physical Controls – 14 controls
    • These refer to physical objects, such as data centers and backup media
  4. Technological Controls – 34 controls
    • These are concerned with information security technology, such as access rights and authentication

When I first looked at this, I liked that it resembles the way HIPAA breaks its safeguards into Administrative, Physical, and Technical. This simplification makes talking to non-security folks much easier, though of course the very detailed controls are still in place.

Another big change is the inclusion of an attribute table for each control. The attributes are defined in Annex A and tell you, for each control, whether it is preventive, detective, or corrective; whether it deals with Confidentiality, Integrity, or Availability; and which cybersecurity concept it covers: Identify, Protect, Detect, Respond, or Recover. Oh hey, those are the NIST CSF functions! (Two further attributes, operational capability and security domain, are tagged as well.)

Many of the controls were merged going from 2013 to 2022 where it made sense. When reviewing the changes, it became clear that controls that were previously “near” each other have been moved all over the place. I decided to use Annex B (included in the standard) to map out where each ISO 27002:2013 control ended up in the latest version.

Additionally, I found that although no controls were dropped altogether, 11 new controls were added, showing that ISO 27002 continues to evolve to include current technologies and security concepts. These new controls are listed in Table 1 below, and it is clear they cover more recent security technologies.

For the most part, the mapping is “many to 1”: each 2013 control maps into a single 2022 control, and sometimes several 2013 controls map into one 2022 control because similar concepts were combined. This is the merging I referenced earlier. The map shows, for each 2013 control, where to find it in 2022 and, for each 2022 control, which 2013 controls are included in it. I like to keep my policies very obviously aligned with the framework so that they are trivially auditable, and this map will help me re-use my 2013 documents.
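
As an added illustration (not part of the original post or the linked spreadsheet), the following Python reads a mapping in the shape of Annex B, builds both directions of the many-to-one map, flags the 2022 controls that have no 2013 predecessor, and re-tags the control references in a 2013-era policy document. The rows embedded here are a constructed excerpt for illustration only; check every pair against Annex B of the standard before relying on it. The function names and the `UNMAPPED:` marker are my own choices.

```python
import csv
import io
from collections import defaultdict

# Constructed excerpt in the shape of Annex B: one row per (2022 control, 2013 control)
# pair, with an empty 2013 column for a control that is new in 2022. Illustrative only;
# verify each pair against the standard's Annex B before relying on it.
ANNEX_B_EXCERPT = """\
control_2022,name_2022,control_2013
5.1,Policies for information security,A.5.1.1
5.1,Policies for information security,A.5.1.2
5.2,Information security roles and responsibilities,A.6.1.1
5.7,Threat intelligence,
5.9,Inventory of information and other associated assets,A.8.1.1
5.9,Inventory of information and other associated assets,A.8.1.2
5.17,Authentication information,A.9.2.4
5.17,Authentication information,A.9.3.1
5.17,Authentication information,A.9.4.3
8.9,Configuration management,
8.24,Use of cryptography,A.10.1.1
8.24,Use of cryptography,A.10.1.2
"""


def load_mapping(text):
    """Return (forward, reverse, names): forward is 2013 -> 2022, reverse is 2022 -> [2013...]."""
    forward = {}
    reverse = defaultdict(list)
    names = {}
    for row in csv.DictReader(io.StringIO(text)):
        new, old = row["control_2022"].strip(), row["control_2013"].strip()
        names[new] = row["name_2022"]
        reverse.setdefault(new, [])          # keep new-in-2022 controls with an empty source list
        if not old:
            continue
        # "Many to 1": a 2013 control has exactly one 2022 destination. Two different
        # destinations would mean a transcription error in the mapping file.
        if forward.get(old, new) != new:
            raise ValueError(f"{old} is mapped to both {forward[old]} and {new}")
        forward[old] = new
        reverse[new].append(old)
    return forward, dict(reverse), names


def new_controls(reverse):
    """2022 controls with no 2013 predecessor (the 11 of Table 1 when run over the full Annex B)."""
    return sorted(ctrl for ctrl, sources in reverse.items() if not sources)


def merged_controls(reverse):
    """2022 controls formed by merging several 2013 controls."""
    return {ctrl: sources for ctrl, sources in reverse.items() if len(sources) > 1}


def retag(policy_refs, forward):
    """Rewrite a policy's 2013 traceability references to 2022 numbers; unknown refs are flagged, not dropped."""
    return [forward.get(ref, f"UNMAPPED:{ref}") for ref in policy_refs]


if __name__ == "__main__":
    fwd, rev, names = load_mapping(ANNEX_B_EXCERPT)
    print("new in 2022:", new_controls(rev))
    for ctrl, sources in merged_controls(rev).items():
        print(f"{ctrl} {names[ctrl]} <- {', '.join(sources)}")
    print(retag(["A.9.4.3", "A.5.1.1", "A.99.9.9"], fwd))
```

The duplicate-destination check is the one worth keeping when you load the real spreadsheet: if a 2013 control shows up under two 2022 controls, the file has been mis-copied, and a policy re-tagged from it would cite the wrong control.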

This mapping is provided in the linked “ISO 27002 2013-2022 MAP (Annex B).xlsx” file. As we all move our tools and documentation from ISO 27002:2013 to ISO 27002:2022, hopefully the mapping will be useful to help guide you in this process and maybe shorten the time it takes you to migrate to the latest and greatest.

Table 1. The 11 controls that are new in ISO 27002:2022

 #   Control ID   Control Name
 1   5.7          Threat intelligence
 2   5.23         Information security for use of cloud services
 3   5.30         ICT readiness for business continuity
 4   7.4          Physical security monitoring
 5   8.9          Configuration management
 6   8.10         Information deletion
 7   8.11         Data masking
 8   8.12         Data leakage prevention
 9   8.16         Monitoring activities
10   8.23         Web filtering
11   8.28         Secure coding

The post ISO 27002 2013 to 2022 mapping appeared first on Cybersecurity Insiders.

With budgets tightening across the board and competition for a limited pool of IT and security talent growing fiercer, cyber-as-a-service providers have become an optimal solution for many companies. Knowing they can count on their partners to cover specific areas, internal security teams can concentrate on their core missions, whether those are high-priority or critical items within security or something entirely outside of it. The flexibility of Cyber Security as a Service (CSaaS) allows the services used to change over time and be periodically realigned to ensure the customer’s business needs are being met.

The future is here and now, with digital transformation driving organizations forward rapidly. The role of the Chief Information Security Officer (CISO) has become transformational: the CISO leads cross-functional teams to match the speed and boldness of digital transformation with agile, forward-thinking security and privacy strategies, investments, and plans. Today’s CISOs are operational leaders and tacticians who are both tech-savvy and business-savvy, and who can deliver consistent system performance, with security and privacy, throughout the organization and its ecosystem amid constantly changing threats.

Skills gap and the burnout of security teams

The cybersecurity talent shortage affects a growing number of organizations, bringing an increasing workload for the existing security team, unfilled open job requisitions, and high burnout among staff. Only pandemic-related issues outrank talent shortages as the most significant worry companies face. With the never-ending surge of cyber-attacks and potential threats in this digital era, enterprises have started to recognize the importance of a robust cybersecurity plan to protect themselves.

While many companies enjoy the privilege of a dedicated in-house cybersecurity lead, namely a CISO, the position is expensive for small and medium-sized enterprises (SMEs). At the same time, the pandemic has caused a total shift in working patterns and in the way data is shared.

That change has forced enterprises to understand the importance of complete cybersecurity protection against incoming threats. Where a full-time CISO is not affordable for an SME, virtual CISO (vCISO) services offer a more flexible and affordable model.

CISO and security strategy: an essential must-have

It’s a critical juncture for cybersecurity and CISOs. A business-driven cyber strategy is the essential first step for business and security leaders amid sweeping, rapid business digitization. This reset defines the expanding role of the CISO. It affects how the organization sets cyber budgets, invests in security solutions, plans for resilience, and enhances its security. It determines whether CISOs may grow to become stewards of digital trust and securely lead their organizations into the new era with strategies to protect and create business value.

Time for a flexible delivery model

CISOaaS is a flexible CISO service that gives you the ability to flex your resourcing with your security needs without employing more staff: form a strategy, embed best practices, and validate the architectural designs of IT projects.

Contrary to a traditional CISO role, CISOaaS is based on a multidisciplinary team of experienced cybersecurity professionals. The required experience spans regulatory compliance and consulting on identity and access management, security testing, network and physical security, risk management, data protection, and disaster recovery/business continuity, delivered as customized services based on your needs and at a significant cost reduction. The caliber of security professionals required to mitigate the myriad of potential cyber threats and the ever-growing legislative compliance requirements is often beyond the reach of many businesses.

CISO as a service

CISO as a Service brings affordability and flexibility to this critically strategic role.

Where to get started in 2022 with a vCISOaaS

  • Start by analyzing and building inventories of your organization’s systems, and by understanding your business objectives.
  • Develop a comprehensive and practical security program that fits the needs of the business and strengthens the company’s information security posture, focusing not on acquiring more tools but on an integrated view of risk.
  • A vCISO team can function as an extension of your team and deliver expert security strategy, leadership, and support.
  • Putting an effective cybersecurity strategy in place can seem overwhelming because of tight budgets and the difficulty of prioritizing efforts when investing in cyber risk management.

Milestones to achieve

1. Establish your security program

Learn the environment and understand the business goals so that the security program is aligned with the business.

2. Prioritize and categorize the security needs

The unique design of the security program provides strategic direction to help you achieve your business goals. Determine and prioritize security initiatives that reduce risk quickly, economically, and efficiently.

3. Security improvements for risk mitigation

Learn and understand the business’s risk posture, then create a complete risk treatment plan to reach the accepted level of risk.

A lasting trend

The ongoing pandemic has brought many twists and turns to our working style, model, and pattern. Change is inevitable, but at the same time organizations need to ensure continued compliance with, and protection by, their security standards and policies.

The vCISO service can provide an expert solution with an affordable and reliable model for enterprises, ensuring security. Large enterprises benefit from expert advisory, strategic guidance, and much-needed continuity. On the other hand, small-scale companies could use vCISO as a service that helps to manage security standards, compliances, management of staff, and the deployment of a security roadmap. The flexibility and cost-effectiveness of the vCISOaaS is a stand-out feature that makes it the right choice for many.

The post A lasting trend: As a Service appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Over 250,000 people in the US live off the grid, meaning they do not rely on public utilities such as electricity and water. Their aim is generally to live more independently and self-sufficiently, rely on solar or other eco-friendly technologies, and build a stronger connection with nature. However, most people who choose this lifestyle are very much reliant on the Internet. Over 4.7 million people work remotely at least part-time in the US, and most need to keep in touch with clients and colleagues via the Internet. Online connections are also key for security systems and communication. If you are living off-grid, what cybersecurity risks could you be exposed to and how can you avoid them?

Off-grid and on the move

Those who live off-grid in RVs usually rely on one of two ways to connect to the Internet. One is their cell phone, used as a wireless hotspot. The other is satellite, which is generally more costly but which provides Internet access almost anywhere (underground or without a clear view of the sky excepted). Whichever they choose, users should follow a set of basic measures: use strong, unique passwords, rely on fingerprint or other biometric unlock, install only authorized or well-reputed apps, disable location services when they are unnecessary, enable remote wipe, back up the phone often, and keep its software updated.

Cyber vulnerabilities in security systems

Because RV users change the place they call ‘home’ often, many install mobile home security cameras. These can have handy features like panic buttons, night vision, and motion detection with alerts. Quality systems usually include cloud storage, which allows live view and playback. However, security systems have their own cyber vulnerabilities, including human error, outdated firmware, and poor maintenance. If you live in an RV, manage the lifecycle of your devices and be proactive about maintenance: install updates when the manufacturer releases them, change any default credentials, secure the entire network (including every device) your security system runs on, and keep strict access policies in place.

Risks faced by homes with solar energy

If you rely on solar energy for your online needs, you can be attacked in much the same way as if you relied on grid or fuel-based power. In the past this risk was smaller for solar, since few systems were deployed and most solar inverters (which convert direct current to alternating current) had no network connection for monitoring. As more solar is installed and inverters gain remote monitoring and control interfaces, an inverter’s data and settings can be tampered with over the network. It is therefore vital to keep the inverter’s firmware and its monitoring software updated and its management interface protected.

Different layers of protection

Security software can alert you to abnormal behaviour, but in reality keeping your system safe from attackers involves several ‘layers’ of protection. Keep the firmware of components such as inverters and monitoring gateways current, run endpoint protection on the computers and servers that connect your solar installation to the wider monitoring or grid-operation system, put a firewall between the inverter’s management interface and the Internet rather than exposing it directly, and control who has access to the system, whether physical or online.

Conclusion

A quarter of a million people in the US live off the grid, some using renewable energy to power their homes and others relying on their cell phone or satellite for connectivity. Those living on solar energy can face attacks on their inverters and other systems. Those in RVs, meanwhile, can be exposed through equipment such as security cameras. Updating software, maintaining systems proactively, and using several layers of protection all help off-grid residents enjoy the benefits of the Internet while keeping their devices and data safe against attacks.

The post Staying safe online when you live off-grid appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Privileged users are the key to the information system. The operation of information systems and the availability of enterprise resources depend on privileged users’ actions. If admins make a mistake or their credentials are leaked to attackers or competitors, it could put your business at serious risk.

When business processes depend not on one information system but on a set of complex solutions controlled by several administrators with different powers and competencies, it becomes very difficult and costly to control their actions. This is especially true if proper authentication is not implemented and administrators use shared or default passwords.

Of course, if all admins are honest and competent, such a situation may suit top management for some time, but if an incident occurs it will not be easy to identify who is responsible.

If you hire a new administrator who does not understand all the interconnections of the system and destroys something by mistake, they may try to assure that others are to blame. Therefore, all privileged users must be authenticated separately and efficiently. Their actions should be controlled with the greatest possible granularity – down to specific commands, operations, and clicked buttons.

There are many ways to break into a system. Attackers can, for example, exploit vulnerabilities that were never patched because there is no update and patch management process, use zero-day vulnerabilities, or turn to malicious insiders. For external attackers, though, the ability to impersonate an administrator account is the best way to breach an information system quickly and stealthily. The reliability of the authentication mechanism for administrators and other privileged users is therefore key to the security of the company.

Best practices for authenticating privileged users

First, you need to know the requirements for authenticating privileged users. There are plenty of infosec standards and regulations in this field. Most of them have the following criteria:

  • One person – one account. This requirement is understandable and straightforward. If there is a shared or role-based account, and the password is known to several people, then it is hard to establish exactly who used it and performed specific actions. It is good if there are videos from office cameras, but, for example, the ability to connect remotely neutralizes this method of identification. One person can physically sit at the computer, and several other users can remotely connect to this account simultaneously. In this regard, the security system must know the person who is using the corresponding login name.
  • Legal requirements. In some countries, a legally significant authentication procedure is required for privileged users where each recorded action must be signed with an electronic signature. If illegal acts were committed using the company's computer, then the manager must provide information about who exactly did it. Otherwise, they may be responsible for these actions.
  • Timely removal. Security standards require control over user access to information. Control means not only granting permission to access resources but also removing access rights in a timely manner. This is not a trivial task, especially if there are many applications accessible from the external network. Typically, a role model is used for timely removal of rights: a directory of users with all their roles and a single sign-on (SSO) system allow you to remove a user’s rights from all applications at once.
  • Non-repudiation. Many standards require the ability to conduct an investigation. Non-repudiation is associated with legal matters. All actions of privileged users must be signed with an electronic signature generated using the private key. According to the rules, this can only be done by a specific user who has access to the private key. It is highly desirable that this key is stored on a removable storage medium strongly associated with the user, for example, on a plastic card.
  • BYOD. In the era of digitalization, companies are forced to keep part of information systems constantly working. This implies that administrators have the ability to fix problems using any device at any time. Therefore, you have to allow remote administration, including the use of personal devices. This saves resources and money. However, when adopting BYOD, the authentication system should be based on standard technologies not tied to a specific device, platform, or program. To simplify BYOD, you need to use standard authentication protocols that are used by the most popular remote administration tools.
  • Clouds. Not all systems are now located within the perimeter. When the cloud is used corporately, authentication must be linked to the corporate verification mechanisms. For this, cloud service providers support federated authentication protocols such as OpenID Connect and SAML, so that cloud services are accessed with the same authenticators as the corporate systems.

All of the above requirements should be carefully considered when building a corporate authentication system. Privileged users should be provided with enhanced authentication mechanisms. Although they are somewhat more expensive, security, in this case, is more important than the cost of an additional identifier.

To fully comply with all of these requirements, the best variant is to use an SSO platform, an enterprise IDM with a role-based access rights management model and support for federated authentication protocols, as well as special devices for reliable authentication of privileged users.

What to use instead of a password?

Privileged users cannot use simple passwords. Malware on the administrator’s workstation, such as a keylogging Trojan, captures a password before it ever reaches an encrypted channel such as a VPN or TLS connection, so the transport protocol does not protect it. The low cost of this authentication method is offset by the elevated risk of compromise, which is unacceptable for privileged users. Therefore, the standards strongly recommend (and sometimes even enforce with fines) that at least IT and information security administrators avoid relying on simple passwords. The alternatives are as follows:

  • Graphical passwords. Recently, various graphical authentication methods have begun to be used. Graphical password schemes allow using specially formed pictures to authenticate users based on specific rules. This method is relatively cheap and does not require complex protocols. At the same time, it provides ways to protect against automated interception. However, recording the authentication session and knowing the rules allow an attacker to guess the password. In addition, it is difficult to make this method legally significant.
  • One-time passwords. The cheapest alternative to a simple password is a one-time password (OTP). The code can be delivered in different ways: by SMS, by a dedicated hardware token, or by an app. The way it is generated also varies: from a counter (HOTP), from the current time (TOTP), as the response to a challenge, or from a pre-printed list of random codes. SMS delivery is the weakest of these, since codes can be intercepted or redirected by a SIM swap, so prefer a token or an app for privileged users.
  • Biometric authentication. Biometric parameters of a person, such as fingerprints, retina, hand veins, or face, can serve as identifiers. With the cameras now built into mobile phones, these technologies achieve reasonably good results at an affordable cost. Fingerprint scanners are built into most smartphones, and face recognition is available in Windows (Windows Hello). These technologies bind the device to the person who works with it. Keep in mind that a biometric is an identifier rather than a secret: it cannot be changed if it leaks, so it should be one factor among several rather than the only one.
  • Behavior analysis. It is possible to assess whether the specific person is working at the computer by analyzing additional information about his actions. For example, the working style on the keyboard is unique for each person. In addition, it can vary depending on the device they use – the virtual keyboard, tablet keyboard, standard keyboard, etc. However, this method cannot be the main one for authentication. It can be used as an additional factor for the most important operations. When administering information systems, most user actions are routine operations, and therefore user behavior can be checked for “commonness.”
  • Additional devices. Separate devices can be used to generate one-time passwords, store secret keys, and even sign documents. A smartphone with a hardware-backed keystore (a secure element, the phone’s counterpart to a PC’s TPM) can play this role, as can a dedicated hardware security key such as a FIDO2/U2F token. For mobile devices, external modules that hold the identification data and talk to the device over Bluetooth or NFC can also be used.

It should be noted that the listed alternatives are not mutually exclusive. They are complementary. It is quite possible to imagine multi-level authentication where a graphical password is used to access a database of face recognition images stored in the protected memory of a device with one-time passwords. At the same time, the system can take into account the characteristic features of the set of commands sent by the administrator (behavior analysis) and timely suppress attacks from the outside. All authentication methods can be used in one system, which makes this procedure highly secure.

Identity management tools for administrators

For administrators, some tools automate authentication management for both regular and privileged users. These tools include:

  • Password vault. This is usually a local application that encrypts all passwords for all user services. It can be accessed using a local password, and then this application automatically sends passwords to all services to which users connect. This eliminates the need to enter the password by hand and it will be difficult to intercept it using a keylogger or during an unsafe connection. Passwords stored in such an application will also be difficult to guess – they are generated randomly.
  • SSO. In essence, this is a development of the idea of ​​secure password storage, but in a network version. The storage is located at the entrance to the corporate network, and users, especially privileged ones, having passed the authentication procedure in it, get access to all other corporate resources. At the same time, users do not know passwords from all systems – they are hidden from them. Therefore, the privileged user cannot connect to a specific resource directly and bypass the SSO. In addition, enterprise SSO can also support federated authentication protocols for verifying the identity of users connecting to enterprise cloud services — sometimes referred to as Web SSO. SSO obtains information about which corporate resources should be accessible by users either from the user directory or a separate IDM system.
  • IDM. It is highly advisable to use IDM solutions in a large information system for managing access rights. For privileged users, special roles are created that describe the minimum permissions they need. To provide access for a specific user to an administered resource, it is enough to bind the corresponding role to it. Moreover, modern IDMs allow you to issue temporary rights, provide access to resources using a schedule, quickly block access to users suspected of compromise, and much more.
  • PUM – Privileged User Management (more often called privileged access management, PAM). Some systems for controlling privileged users include built-in SSO mechanisms. In particular, they combine the authentication and authorization requirements, and they allow shared privileged accounts to be used while correlating each session with the personal account of the individual using it. This makes PUM an essential element: privileged users cannot connect directly to the resources of the corporate network, and their actions are fully logged. Modern authentication protocols make it possible to connect PUM to external SSO and IDM systems, thereby integrating privileged users into a common access control system.

For large information systems with many administrators, outsourcers, department heads, and other privileged users, it is best to use all of these tools. Still, in specific cases, you can get by with a minimum of specialized solutions, for example, PUM with built-in SSO.

Managing privileged user passwords with PUM

The privileged user password management system allows you to separate administrators from the systems they control. The problem is that administrators can always create an additional administrative account in a system and use it to perform unauthorized actions. To exclude this possibility, it is necessary to ensure that administrators interact not directly with systems, but through an intermediary that interacts with the target system on their behalf and records all of their actions. Attempts to create additional privileged accounts are then recorded in the PUM and can be used during the investigation of incidents.

It is vital that the authorship of all recorded commands is accurately determined without the possibility of repudiation. To do this, it is necessary to entrust PUM with the task of reliable authentication. Of course, PUM can be connected to an already deployed SSO system using federated or corporate authentication protocols; however, you need to have the corresponding system deployed to do this. It is always better for privileged users to use stronger authentication methods than those used for regular users. Thus, the presence of its own separate authentication system in PUM makes it more reliable and secure.

It is crucial for PUM to guarantee that users do not try to connect to target systems directly, bypassing control, and the authentication system provides just such a guarantee. Administrators simply do not know the passwords of the administrative accounts in target systems – this information is stored in PUM. As a result, PUM has the opportunity not only to record actions but also to block access for administrators if they try to perform dangerous actions. Thus, for PUM, having an embedded and integrated SSO system is an additional feature, a convenience and, ultimately, a competitive advantage.
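
The intermediary role described above, as an added illustration that is not code from the article or from any PUM product: the transcript format, the sample session lines and the command patterns are constructed assumptions. It shows how a PUM-style proxy can attribute every command to an authenticated user and target, flag attempts to create or elevate additional privileged accounts for later investigation, and refuse to forward a small set of destructive commands.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of a PUM session transcript (not a real product format).
# Assumed line layout: "<timestamp> <user>@<target> $ <command>"
SESSION_LOG = """\
2022-02-01T09:00:01Z alice@db01 $ systemctl status postgresql
2022-02-01T09:01:12Z alice@db01 $ useradd -m -G sudo backupsvc
2022-02-01T09:02:40Z bob@web02 $ net user helpdesk2 P@ss /add
2022-02-01T09:03:05Z bob@web02 $ net localgroup administrators helpdesk2 /add
2022-02-01T09:04:30Z carol@app03 $ tail -n 50 /var/log/app.log
2022-02-01T09:05:00Z carol@app03 $ rm -rf / --no-preserve-root
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>[^@\s]+)@(?P<target>\S+) \$ (?P<cmd>.+)$")

# Commands that create or elevate accounts on the target system. The PUM
# records these so that they can be attributed during an investigation.
ACCOUNT_CREATION = [
    re.compile(r"^\s*useradd\b"),
    re.compile(r"^\s*adduser\b"),
    re.compile(r"^\s*net\s+user\s+\S+.*\s/add\b", re.I),
    re.compile(r"^\s*net\s+localgroup\s+administrators\b.*\s/add\b", re.I),
    re.compile(r"^\s*usermod\b.*-aG\s+(sudo|wheel)\b"),
]
# Commands the intermediary refuses to forward to the target at all.
BLOCKED = [
    re.compile(r"^\s*rm\s+-rf\s+/(\s|$)"),
    re.compile(r"^\s*mkfs\b"),
]

@dataclass(frozen=True)
class Verdict:
    user: str
    target: str
    cmd: str
    action: str  # "allow", "flag" or "block"

def classify(cmd: str) -> str:
    """Decide what the proxy does with one command before forwarding it."""
    if any(p.search(cmd) for p in BLOCKED):
        return "block"
    if any(p.search(cmd) for p in ACCOUNT_CREATION):
        return "flag"
    return "allow"

def audit(log: str) -> List[Verdict]:
    """Attribute every recorded command to its user and target and classify it."""
    verdicts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: never silently forwarded
        verdicts.append(Verdict(m["user"], m["target"], m["cmd"], classify(m["cmd"])))
    return verdicts

if __name__ == "__main__":
    for v in audit(SESSION_LOG):
        if v.action != "allow":
            print(f"{v.action.upper():5} {v.user}@{v.target}: {v.cmd}")
```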

Conclusion

Today, correct authentication procedures and rules cannot be ignored. For privileged users, this is crucial. Fortunately, there are not many privileged users in most organizations. More complex and expensive authentication methods can be used for them, up to special devices with built-in cryptographic functions, complex authentication protocols, and abnormal behavior recognition. For companies that care about protecting against insider threats, there are all the necessary components to authenticate almost any number of privileged users. At the same time, it would be nice not only to authenticate privileged users but also to record actions. Hence, it is logical to implement not just an SSO system with support for strong authentication for administrators but a full-fledged PUM with integrated SSO.

The post How to manage privileged users in IT appeared first on Cybersecurity Insiders.

10 Ways organizations make attacks easy

What do cybercriminals love? (Mostly themselves, but that is beside the point.) They love organizations that have unmitigated risks in their web applications and application programming interfaces (APIs). With the entire world connected via the internet, the easiest and quickest way for threat actors to infiltrate your systems or steal customer data is through web applications. Basically, everything from the code used to build the application, to the API used to connect things, to configurations and authentication is fair game.

The top 10 web application security risks cybercriminals love

The areas most often targeted for attack can vary and may change frequently as cybercriminals invent newer and stealthier ways to worm their way into systems. According to OWASP, the 2021 Top 10 Web Application Security Risks are:

  1. Broken Access Control
  2. Cryptographic Failures (Sensitive Data Exposure)
  3. Injections (including Cross-site Scripting)
  4. Insecure Design
  5. Security Misconfigurations
  6. Vulnerabilities and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-side Request Forgeries

Most common attack types

Based on the risks listed above, criminals are most likely to employ the following attack types in their bid to infiltrate systems or steal sensitive customer credentials:

Client-side attacks (data breaches and credential compromise)

Client-side attacks include formjacking, credit card skimming, and Magecart attacks. Cybercriminals use client-side attacks to steal information directly from customers or other website users as they input information into websites. Stolen data includes credit card information and personally identifiable information (PII).

Supply chain attacks (JavaScript and software)

According to recent research, supply chain attacks surged by more than 650% over the last year. Threat actors are leveraging existing vulnerabilities in open-source and third-party code or injecting their own malicious scripts into software and JavaScript code to conduct hostile attacks against organizations and industries connected via the supply chain.

Vulnerable application attacks (Unpatched bugs/vulnerabilities and legacy applications)

New bugs and vulnerabilities are discovered on a daily basis, and cybercriminals love to exploit them. Equally, criminals are attracted to legacy applications that may contain unpatchable vulnerabilities. Sometimes attackers discover the vulnerabilities before security researchers, and these ‘zero days’ enable application and system compromise, often without the organization even knowing it has been attacked. Common attack types that target vulnerabilities include cross-site scripting and injection (JavaScript, SQL, CSS, and HTML).

Automated attacks (Bots and DDoS)

Threat actors use automated techniques, such as botnets and distributed denial of service (DDoS), for attacks that include credential stuffing, content scraping, ticket/product scalping, gift card abuse, and business interruption.

Protect your organization from the risks and attacks that cybercriminals love

There are purpose-built solutions that safeguard organizations, consumers, and internet users from the very things that criminals love to use to their advantage. Two tools from Feroot that are part of the AT&T Managed Vulnerability Program provide client-side application security. These tools are:

Feroot Security PageGuard—Based on the Zero Trust model, PageGuard runs continuously in the background to automatically detect the types of unauthorized scripts and anomalous code behavior found in client-side, application, supply chain and automated attack types. If threats are detected, PageGuard blocks all unauthorized and unwanted behavior in real-time across the organization. PageGuard also automatically applies security configurations and permissions for continuous monitoring of and protection from malicious client-side activities and third-party scripts.

Feroot Security Inspector—In just seconds, Inspector automatically discovers all web assets a company utilizes and reports on their data access. Inspector finds all security vulnerabilities on the client-side and provides specific client-side threat remediation advice to application developers and security teams in real-time.

Next steps

Modern web applications are useful, but they can carry potentially dangerous vulnerabilities and bugs. Protect your customers and your websites and applications from client-side security threats, like Magecart and script attacks, with security tools like Feroot’s Inspector and PageGuard. These services, offered by AT&T’s Managed Vulnerability Program (MVP), allow the MVP team to inspect and monitor customer web applications for malicious JavaScript code that could jeopardize customer and organization security.

The post 10 Things cybercriminals love about you appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

The US Office of Management and Budget (OMB) has released a strategy to help the federal government embrace a zero-trust approach to cybersecurity.

Overview of OMB’s Zero Trust strategy

Released on January 26, 2022, the strategy identifies “specific security goals” that heads of Federal Civilian Executive Branch (FCEB) agencies must achieve by the end of the Fiscal Year (FY) 2024. Provided below are some of these objectives.

  • In its Executive Order (EO) 14028, the White House states that FCEB agencies must develop their own plans for implementing a zero-trust architecture (ZTA). OMB’s strategy goes beyond this mandate by requiring FCEB agencies to incorporate additional requirements and submit their plans to OMB and the US Cybersecurity & Infrastructure Security Agency (CISA) within 60 days of the memorandum taking effect. FCEB agencies also need to submit a budget estimate for FY 2024 within that period. In the shorter term, OMB explains that in-scope entities can use internal funding or seek money from alternative sources to achieve primary goals in FY 2022 and FY 2023.
  • OMB’s strategy notes that FCEB agencies must designate and identify a lead for implementing zero trust at their organization within 30 days of the strategy entering into force. Ultimately, OMB will use those leads to coordinate the implementation of zero trust across the federal government. It’ll also refer to them to orchestrate planning and implementation efforts within each agency. 

Identity and MFA as key tenets

The security goals identified above align with several pillars of zero trust set forth by CISA. “Identity” is one of the most important of those elements. The purpose of “Identity” for zero trust is to have agency staff use enterprise-managed identities to access the applications they need to perform their job duties. The best way to do that is to invest in centralized identity management systems and integrate them into both applications and common platforms, noted OMB in its federal strategy. Specifically, agencies can implement phishing-resistant multi-factor authentication (MFA) at the application layer and require staff, contractors, and partners to enroll in this scheme. (Phishing-resistant MFA must also be available as an option for public users.) Finally, agencies must design their password policies in such a way that they do not require the use of special characters or regular password rotation.

A driving factor behind the importance of identity and MFA to zero trust is the growth in cloud adoption. In December 2021, 90% of O’Reilly subscribers revealed their organizations were using the cloud at that time—up from 88% a year earlier. The study went on to reveal that at least 75% of respondents in organizations across every sector were using the cloud, with retail & commerce, finance & banking, and software registering as some of the most active industries. Looking ahead, nearly half (48%) of survey participants said that their organizations were planning to migrate at least half of their applications to the cloud in the coming year. One-fifth of personnel said they intended to migrate all their applications within that period.

This growing focus on the cloud means that literally everyone is an outsider, as I told TechSpective last August. In response, organizations need to implement a scheme by which they can validate the authenticity of approved identities and their attributes for users, services, and devices.

Giving authentication and identity the emphasis they deserve

FCEB agencies and other organizations can emphasize authentication and identity protection for zero trust by laying the groundwork for an Identity and Access Management (IAM) strategy. In formulating this plan, organizations should follow CISA’s MFA guidelines. They then need to clarify which authentication methods they’ll require of their users and plan how to roll out authentication for those users. Finally, entities can develop access rules and policies to shape who can access certain types of data and applications, along with the conditions under which they can do so.

Regarding MFA in particular, agencies and other organizations can consider combining MFA with other best practices such as Single Sign-On to improve account security while reducing user friction. To this end, they can use an integrated service or solution that offers multi-factor authentication, SSO and policy-based access.

The post Unpacking OMB’s federal strategy for implementing Zero Trust appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

Cybersecurity is more important today than ever before, with virtual threats surging to historic highs. Organizations in every industry need to take steps to protect themselves from cybercrime. A few sectors, in particular, should be especially concerned about safety. These industries are at the highest risk of being targeted by cyberattacks, with damages that can cost billions of dollars.

1. E-commerce

Online shopping was steadily becoming more popular throughout the 2000s and 2010s, but the COVID-19 pandemic has sparked an incredible boom in the 2020s. This is great news for businesses since e-commerce can pull in revenue from a larger audience than brick-and-mortar stores.

However, these companies must have top-notch cybersecurity. When online shopping rose in popularity in 2020, cybercrimes also skyrocketed, amounting to $1 trillion in damages. E-commerce businesses can protect their customers from these threats using online checkout security, multifactor authentication, secure data storage and other practices that put client information first.

2. Finance

A shocking 74% of financial institutions reported experiencing a surge in cyber threats connected to the COVID-19 pandemic in 2021. It should come as no surprise that financial institutions are at the top of cybercriminals’ lists. The trend will only continue as more customers turn to online banking.

Organizations in the finance industry have to take extra steps to protect themselves and their customers from digital threats. For example, mobile banking apps should have an option for biometric authentication, which is more difficult to hack than a conventional alphanumeric password. Internally, cybersecurity must be impenetrable, which requires a culture of security among employees and leaders.

3. Healthcare

Hackers noticed when the COVID-19 pandemic channeled massive amounts of attention and money into the health care industry. Providers, institutions, and businesses of all types have become targets for cybercrime. Patients’ sensitive data can be especially valuable on the dark web and in cybercrime networks, since it allows for impersonation and identity theft.

Health care organizations must be extremely careful and focused to protect their patients and customers. Studies have found that misdelivery alone is responsible for 36% of breaches in the medical industry. Telemedicine only increases the danger of individual mistakes and inconsistencies. Every password, device, file and user must be extremely well-fortified. AI cybersecurity software is on the rise for this exact purpose, helping autonomously detect threats and vulnerabilities.

4. Manufacturing

The manufacturing industry may not be a traditional target for cybercrime, but the supply chain crisis has changed that. Cybercriminals know that manufacturers are working against the clock already, making it much easier for certain attacks, like ransomware, to gain leverage. As a result, manufacturers’ security gaps have put the entire supply chain at risk.

More manufacturers are using automation, IoT and other connected technologies to stay ahead of the curve during the supply chain crisis. Protecting these devices is crucial. Additionally, manufacturing facilities’ networks must have strong firewalls and login protections to keep out intruders. Any computers employees use to access business information need to be secured and backed up regularly, as well.

5. Government

Government institutions and the private sector businesses they work with have always been prime targets for cybercrime. Their cybersecurity methods will need to evolve in the years ahead, though. In fact, government organizations and their private sector partners will need to lead the way at the cutting edge of safety practices to stay ahead of the rising tide of cybercrime.

Specific types of attacks are increasing faster than others, and governmental bodies must be aware of this. For example, they need to start requiring anti-phishing training to teach federal employees how to recognize and deal with suspicious emails and domains. INTERPOL found that phishing attacks have increased more than any other type of cyberattack in response to the COVID-19 pandemic. They are especially dangerous for governments, since governments handle sensitive and even classified information regularly.

Cybersecurity in the next digital era

Cybersecurity is a continuous process that must be constantly monitored and improved to stay ahead of criminals. Innovation has exploded in recent years in response to evolving threats. For example, artificial intelligence is becoming a popular tool for outsmarting cybercriminals and preventing attacks altogether. Friendly hacking is also becoming commonplace as organizations seek to test their defenses safely.

Education and training are crucial for digital safety. This is especially important with the rising popularity of remote work, where employees are solely responsible for the security of their devices and connections. A security-first mindset allows organizations in every industry to protect themselves and their customers from the advancing threats of the digital landscape.

The post 5 Industries that need advanced Cybersecurity measures appeared first on Cybersecurity Insiders.