The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Preventing data loss is a concern for almost every organization, regardless of size, especially organizations with sensitive data.  Organizations, now more than ever before, rely on voluminous amounts of data to conduct business. When data leakage or a breach occurs, the organization is forced to deal with the negative consequences, such as the high cost associated with data breach fines and remediation and reputational harm to their company and brand. 

Data loss prevention (DLP) solutions help mitigate the risk of data loss. Losses can occur as a result of insider-related incidents (e.g., employee theft of proprietary information), or due to physical damage to computers, or as a result of human error (e.g., unintentional file deletion or sharing sensitive data in an email). In addition to the various ways an organization might experience data loss, mitigating the risk of loss requires the right people, processes, and technology.

Meeting the technology requirement can be a challenge when it comes to selecting the right DLP solution. During the vendor exploration and evaluation phases, there may be questions about whether it makes sense to invest in a solution that protects the network, endpoints, or the cloud or whether it’s better to select a solution that protects the enterprise and takes into account the hybrid nature of many organizations.

Data classification and labeling

The decision to invest in a DLP solution should be informed by sufficient research and planning with key stakeholders. This blog will discuss three additional things you should consider before making such an investment. Let’s begin with the types of data an organization collects, stores, and analyzes to conduct business. 

To have a successful data loss prevention program, it’s important to identify all types of data (e.g., financial data, health data, or personally identifiable information) and to classify the data according to its value and the risk to the organization if it is leaked or exfiltrated. Data classification is the process of categorizing data to easily retrieve and store it for business use. It also protects it from loss and theft and enables regulatory compliance activities. Today, systems are more dispersed, and organizations have hybrid and remote workforce models, so it is critical to protect data regardless of where it resides or with whom it is shared. This kind of protection requires properly classified and labeled data.

Automated data classification is foundational to preventing data loss. It is the best way for organizations to fully understand what types of data they have, as well as the characteristics of the data and what privacy and security requirements are necessary to protect the data. Properly classifying data also enables the organization to set policies for each data type.

Techniques to identify sensitive data

DLP solutions detect instances of either intentional or unintentional exfiltration of data. DLP policies describe what happens when a user uses sensitive data in a way the policy does not allow. For example, when a user attempts to print a document containing sensitive data to a home printer, the DLP policy might display a message stating that printing the document to a home printer violates the policy and is not permissible. How does the DLP tool know that the document includes sensitive data? Content inspection techniques and contextual analysis help identify sensitive data. 

The inspection capability of the DLP solution is very important. It’s important to note that traditional DLP solutions focus on data-specific content inspection methods. These inspection methods are no longer effective for organizations that have migrated to the cloud because the techniques were developed for on-premises environments. Gartner recommends investing in a DLP solution that not only provides content inspection capabilities but also offers extra features such as data lineage for visibility and classification, user, and entity behavior analytics (UEBA), and rich context for incident response. UEBA is useful for insider-related incidents (e.g., UEBA might help identify data exfiltration by a dissatisfied employee). 

What actions will the DLP solution perform

After it’s clear that the tool can classify sensitive data, a logical next question is what actions the tool will perform to prevent loss of that data. A DLP solution performs actions such as sending out alerts for DLP policy violations, warnings using pop-up messages, and blocking data entirely to prevent leakage or exfiltration. Another feature might include quarantining data. Organizations should be able to define their policies based on their policy, standards, controls, and procedures. 

Traditional DLP relies heavily on content analysis and does not always accurately identify sensitive data. Sometimes traditional tools block normal activity. In contrast, a modern DLP solution minimizes false positives by combining content analysis and data lineage capabilities to more accurately understand whether the data is sensitive.    

Conclusion   

There are many DLP tools on the market. A DLP solution might also be a capability in another security tool such as an email security solution. Selecting the right tool requires knowledge of market trends, the gap between traditional and modern DLP tools, data loss prevention best practices, and the purchasing organization’s security initiatives and goals. Given the many options and variables to consider, it can be challenging to understand the nuances and distinctions among solutions on the market.    

The post What your peers want to know before buying a DLP tool appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Today’s companies operate in a complex security environment. On the one hand, the threat landscape is growing. Bad actors are becoming more and more refined as they get access to new tools (like AI) and offerings (like hacking-as-a-service). On the other hand, companies are dealing with more sensitive data than ever before. This has prompted consumers and regulators alike to demand for better security practices.

To top it all off, companies are operating in an increasingly decentralized digital model. Gone are the days of firewalls. Employees want to be able to access work from anywhere, and on their own networks and devices. This has heightened the prevalence of insider threats, making it much easier for employees to inadvertently (or intentionally) share corporate data with others.

One way that insider threats have become particularly problematic is through social media. In this article, we’re taking a closer look at how social media can compromise data security for organizations — and what they can do to address this concern.

The challenge with social media

Depending on the platform, social media encourages users to share information about their life and experiences in varying degrees. When it comes to employees, social media can easily be a channel to discuss work-related topics, whether that’s sharing excitement about an upcoming product feature, posting a photo of a company event, or even sharing sensitive information with a colleague via private chat features. This degree of sharing — both of personal and corporate information — can pose a number of challenges for businesses.

For starters, there’s a risk of accidentally sharing information. An employee could post a picture of their desk on Instagram to show off their lunch for the day or the view from their office and forget to blur the sensitive information on their computer screen. Alternatively, a software developer might seek out peers on a Reddit forum to try and solve a particular issue with their code, and inadvertently share proprietary code when asking for help.

Some social media channels also allow for a certain degree of anonymity. A disgruntled employee could take to Twitter or Reddit and make corporate secrets widely available to competitors or regulators.

On the other side of the equation, cybercriminals use social media platforms as resources for their attacks. These bad actors understand that people are prone to sharing information, so they access public profiles to try and glean useful information that can then be used for sophisticated social engineering attacks. In addition, they can use the likes of LinkedIn to map out an organizational structure, get access to corporate email addresses, and even identify when core individuals are on vacation. They can also review an individual’s follower or contact list, create a fake account for someone at the company that’s not on the list, and encourage the employee to share sensitive information.

All of these challenges can put a business at risk of sophisticated threats including phishing and other forms of social engineering, brand impersonation aimed at tricking customers, data theft, and even large-scale data breaches. Despite the potential impact of a social media leak, it’s notoriously difficult for companies to control the egress of data through these platforms. That said, below are some of the things companies can proactively do to mitigate these threats.

Staying ahead of social media threats

Businesses can’t dictate what their employees say on their personal social media accounts — that’s a given. That said, they can educate their users on the dangers of disclosing too much information and the best ways to protect their data, credentials, and corporate details. This can be done through onboarding training, gamified security weeks where employees are given challenges to identify and act out security best practices, as well as lunch and learns dedicated to security.

For companies that provide their employees with mobile devices, there’s also an opportunity to set clear expectations around what can be posted from a corporate device or not. They can also encourage individuals to change their phone passwords often, and to use a password manager for their social accounts.

There are also services and technologies that can help here. For example, companies can hire social media scanning services to identify fraudulent accounts and flag them to employees. In addition, a comprehensive data loss prevention tool can also be instrumental in identifying when sensitive data has been exposed and kickstarting an immediate response.

Evolving with the times

When it comes to maintaining robust security measures, companies have a responsibility to keep up with cultural shifts and the adoption of new platforms. Security practitioners need to be continually aware of any new threat vectors, incorporating new measures and policies as needed and keeping up with best practices. This is why having a robust, comprehensive, and iterative cybersecurity strategy — one that accounts for both insider and external threats — is more important than ever. 

The post How social media compromises information security appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the realm of data security, there exists a captivating technique known as whitespace steganography. Unlike traditional methods of encryption, whitespace steganography allows for the hiding of sensitive information within whitespace characters, such as spaces, tabs, and line breaks.

This inconspicuous approach to data concealment has gained significant attention in recent years as a means of secure communication. In this blog, we will delve into the world of whitespace steganography, exploring its techniques, applications, tools, and ethical considerations for educational purposes.

Whitespace steganography is a method of concealing data within whitespace characters that are often overlooked or deemed insignificant. By strategically modifying the frequency or arrangement of whitespace characters, hidden messages can be embedded within a text document. To the naked eye, the document appears normal, but those aware of the encoding technique can retrieve the concealed information.

In whitespace steganography, several techniques are employed to conceal information effectively. These techniques include altering the frequency of whitespace characters, such as adding or removing spaces, tabs, or line breaks. Another approach involves manipulating the arrangement of whitespace characters to represent encoded data. Various algorithms, such as the Least Significant Bit (LSB) technique, can be utilized to embed and extract hidden messages from whitespace.

Whitespace steganography finds applications in a range of scenarios where secure communication and data protection are paramount. Some common use cases include:

• Covert communication: Whitespace steganography allows individuals to exchange sensitive information discreetly, evading detection and interception.
• Document protection: Concealing critical information within whitespace characters can help protect sensitive documents from unauthorized access or tampering.
• Digital watermarking: Hidden within whitespace, digital watermarks can be embedded in images or documents to protect intellectual property or verify authenticity.

Numerous open-source tools are available that facilitate whitespace steganography. These tools provide features and functionalities for encoding and decoding hidden messages within whitespace characters. Notable examples include Snow, Steghide, OpenStego, and Whitespace. There are also closed source or commercial whitespace steganography tools that offer advanced capabilities and additional security features. These tools often provide user-friendly interfaces, encryption algorithms, and integration with other security technologies. Some popular closed-source tools include SilentEye, OutGuess, and Masker.

In this blog, we will use Snow (Steganographic Nature of Whitespace) to see a working example of whitespace steganography -the tool can be downloaded from here.

As per the documentation, The Snow program runs in two modes – message concealment, and message extraction. During concealment, the following steps are taken.

Message -> optional compression -> optional encryption -> concealment in text

Extraction reverses the process.

Extract data from text -> optional decryption -> optional uncompression -> message

Now, let’s look on a working example.

We have downloaded the 32-bit version of Snow, and we’ve ensured that Java runtime environment (JRE) is installed on our system. Once everything is in place extract Snow to the desired directory. To run Snow, you will need to run command prompt as administrator and move to the directory where you have extracted Snow.

Once you are in the directory, you will need an input file (we are using a text file for demonstration)

Now, let us try to conceal a message “Hello There.” using Snow.
 

In the above example we concealed a message in the input file and created an output file using Snow (to avoid any contradiction we kept the input file in same directory as Snow)

In the above example we used -C for compression, -p for password and -m for message.

Now let us take a look at the output file.

Now let’s see if there are any differences in size of input and output files.

We can observe that there is a difference in size – however, when we open the output file it looks the same as the input file.

Now, let’s try to read the hidden message. Let’s run the command prompt as administrator and move to the directory of Snow where the output file is located.

So, I tried with wrong password once and then with the correct password as you can see below:

This was a demonstration of whitespace steganography using Snow and is purely for educational and research purposes to understand how it works in real life scenarios.

Steganalysis: Detecting steganography

Steganalysis refers to the detection and analysis of hidden messages within digital content. While whitespace steganography can be difficult to detect, specialized techniques and tools are available to identify potential instances of concealment. Steganalysis plays a vital role in identifying potential misuse and ensuring responsible use of steganography. We’ll dive deep into steganalysis in coming blogs.

Ethical usage and disclosure are crucial when it comes to steganography. It is important to adhere to legal regulations and privacy laws governing data security and communication. Whitespace steganography should be used responsibly for educational purposes only, emphasizing the importance of obtaining proper consent and ensuring ethical practices.

Whitespace steganography offers a remarkable approach to secure communication and data protection. By harnessing the power of seemingly innocuous whitespace characters, sensitive information can be concealed within plain sight. Understanding the techniques, applications, and tools associated with whitespace steganography enables individuals to navigate the field responsibly. As technology continues to advance, the future of whitespace steganography holds the potential for further innovations in secure communication and data privacy.

The post Unveiling the secrets: Exploring whitespace steganography for secure communication appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Social engineering has long been a popular tactic among cybercriminals. Relying exclusively on information security tools does not guarantee the safety of an IT infrastructure these days. It is critically important to enhance the knowledge of employees regarding information security threats. Specifically, there is often a pressing need to educate employees about phishing. But how could phishing awareness training go wrong, and what can be done about it? Let’s delve deeper and unravel the potential issues and solutions.

In recent years, we have seen an uptick in the delivery of malware via phishing attacks. Compounding the problem is the rising volume of email fatigue, which can lead to less vigilance and increased vulnerability. Regrettably, email protection software does not fully safeguard against phishing due to the inevitable human factor involved. Indeed, there is a reason why social engineering continues to be a preferred strategy for cybercriminals – its effectiveness is exceptional.

Many organizations are already conducting training sessions and rolling out specialized programs to enhance employee awareness about phishing. These programs are not just theoretical but also offer hands-on experience, allowing employees to interact with possible threats in real-world scenarios. For this, companies often use simulated phishing attacks, which are a vital part of their awareness programs. Some businesses manage these cyber exercises internally through their information security teams, while others enlist the help of service providers.

However, these training sessions and mock phishing exercises are not without their flaws. At times, technical issues can disrupt the process. In other instances, the problem lies with the employees who may exhibit apathy, failing to fully engage in the process. There are indeed numerous ways in which problems can arise during the implementation of these programs.

Email messages caught by technical means of protection

It is standard practice for most companies to operate various email security systems, like Secure Email Gateway, DMARC, SPF, DKIM tools, sandboxes, and various antivirus software. However, the goal of simulated phishing within security awareness training is to test people, not the effectiveness of technical protective tools. Consequently, when initiating any project, it is crucial to adjust the protection settings so your simulated phishing emails can get through. Do not forget to tweak all tools of email protection at all levels. It is important to establish appropriate rules across all areas.

By tweaking the settings, I am certainly not suggesting a total shutdown of the information security system – that would be unnecessary. When sending out simulated phishing emails, it is important to create exceptions for the IP addresses and domains that these messages come from, adding them to an allowlist.

After making these adjustments, conduct a test run to ensure the emails are not delayed in a sandbox, diverted to junk folders, or flagged as spam in the Inbox. For the training sessions to be effective and yield accurate statistics, there should be no issues with receiving these training emails, such as blocking, delays, or labeling them as spam.

Reporting phishing

Untrained employees often become victims of phishing, but those who are prepared, do more than just skip and delete suspicious messages; they report them to their company’s information security service.

Tools like the “Report Phishing” plugin for Outlook can be extremely useful. This plugin lets employees quickly and easily notify the information security team about potential phishing attempts. If an attack is indeed taking place, vigilant employees can help detect it faster and prevent severe consequences by forwarding the phishing email to the information security team, who can then respond to the incident.

This plugin is also beneficial for simulated phishing campaigns for several reasons:

• It helps to evaluate the vigilance of users and the effectiveness of the company’s awareness training program.
• It alleviates the burden on the information security service from having to process reports of simulated phishing. The fact is that all real phishing alerts are sent to a dedicated mailbox of the information security service. During a training campaign, this mailbox can quickly fill up. Simulated phishing messages will not end up in this mailbox if the plugin is used. Instead, the platform will simply count the employees who reported the attack, thus preventing cybersecurity specialists from being overwhelmed by unnecessary reports.

Apart from email client plugins, there are other ways to assist employees in taking the right actions when confronted with phishing attacks:

• Set up a short and easy-to-remember email address specifically for phishing reports and make sure all employees are aware of it.
• Regularly motivate employees to report any suspected attacks. For instance, you could circulate internal newsletters with statistics on reported incidents, discuss how such reporting aids in thwarting attacks, and give recognition to those who have successfully identified a cyber threat.

Sad test results

Companies can run special phishing tests using both clean emails and ones labeled “external sender” or “spam.” These red flags are intended to caution employees to exercise more care when handling such emails, as they are more likely to contain malicious attachments or phishing links. Interestingly, research shows that presenting suspicious details in email headers does not improve phishing detection. Even when emails bear labels like “external sender” or “spam” in the subject line or body of the message, employees click on them nearly as frequently as they do on unlabeled ones.

Why does this happen, and what can be done about it? There could be a level of mistrust towards technology and software algorithms at play here. We often hear the advice, “If you did not receive an email from us, check your spam folder.” And, of course, simple inattention on the part of employees is common.

Curiosity, interest, or fear triggered by the content of the email can lead employees to fall for the hackers’ bait. Certain expertly designed templates, such as those warning of potential account breaches and prompting password changes, generate high click rates. Often the “sender” field in an email might show an address that perfectly matches the legitimate domain of the client. However, the “from” field only displays text, which can be altered by the sender’s email server. To truly ascertain the domain from which the email originated, examining the headers in the email’s properties is necessary. Therefore, again, relying entirely on software and hardware for email information security is unwise. The human factor is a crucial element to consider.

Even following training, phishing emails continue to be opened

Let’s say right away that there are no magic pills against phishing for employees. Training courses are an important part of the process, but they will not work without regular practice. Upon contact with a new variant of phishing, an employee may become confused and eventually fall for the trick of scammers.

Cultivating robust phishing detection skills and enhancing awareness of threats should be continuous processes that involve direct exposure to these threats. Every training phishing email sent, irrespective of the unsafe action statistics, enhances an employee’s awareness: they learn about a new threat, encounter it firsthand, experience the potential impact, and consequently, become less vulnerable. As the proverb says: “Fool me once, shame on you. Fool me twice, shame on me.”

Practical experience affirms the need for ongoing engagement with employees. Mere theoretical training sessions will not protect you from phishing, and a single training session is not sufficient either. Interestingly, reports suggest that after one round of simulated phishing emails, there might be an increase in unsafe actions with mock phishing, even after employees have completed training courses.

Does this suggest that the training courses were entirely ineffective? Not necessarily. It simply indicates that the practical skills needed to recognize phishing are not yet fully developed, reinforcing the notion that understanding the information security theory without practical application is insufficient. It is through regular phishing training emails that employees become more adept at identifying phishing attempts and reporting them to the information security service.

Cycle-based phishing awareness program implementation

A phishing awareness program typically starts with an initial round of simulated phishing emails to evaluate employees’ susceptibility to such attacks. Next, the employees undergo training to learn about phishing and how to spot it. Following the training, another round of simulated phishing is conducted to provide practical reinforcement of the training and to assess its impact on employees. This constitutes the initial cycle of the program. Depending on your resources and the size of your organization, this part may take anywhere from several weeks to a few months to complete.

The process does not stop there. You should conduct new rounds of simulated phishing emails approximately once a month, gradually making them more complex. Employees who consistently fall for phishing attempts should be given additional training.

Yes, this is a slow process. Building sustainable skills takes time, typically at least 12 months. And even after this period, regular phishing simulation exercises are still necessary to ensure employees maintain their alertness. By running regular phishing simulations, employees become more knowledgeable and vigilant, boosting the attack resilience of both the individual and the entire organization.

Conclusion

As you can see, relying solely on technological measures for protection against phishing is not enough. The human factor should not be underestimated. Engaging with employees and motivating them in matters of information security is essential. That is why simulated phishing exercises are so valuable. If you are in charge of cybersecurity for your organization and do not yet have a dedicated process for reporting phishing and other cyber threats, it is time to establish one. This is a straightforward and effective initial step to shield against cyber threats and kickstart a security awareness program. It is important to properly structure the learning process and run multiple cycles of theoretical and practical sessions on an ongoing basis.

The post How to improve employee phishing awareness appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the current geopolitical climate, the energy sector, which powers our modern society – from homes and businesses to critical infrastructure and national defense systems, finds itself under the growing threat of cyberattacks.

With the energy sector’s growing dependence on digital technologies and interconnectivity, the attack surface for cybercriminals has expanded. This situation is further complicated by incidents such as the SolarWinds and Colonial Pipeline attacks years ago, which compromised numerous value chains, along with recent escalations in cyber threats. These circumstances highlight the urgent need for a robust and proactive cybersecurity strategy in the energy sector.

Why the energy sector is vulnerable

According to McKinsey, the energy sector is particularly vulnerable to cyber threats due to several characteristics that amplify the risk and impact of attacks against utilities:

1. The threat landscape has expanded, with nation-state actors, sophisticated players, cybercriminals, and hacktivists targeting infrastructure providers. This diverse range of threat actors poses varying levels of sophistication and potential disruptions to electric power and gas operations.
2. The geographically distributed nature of organizations’ infrastructure further complicates cybersecurity efforts. Maintaining visibility across both information technology (IT) and operational technology (OT) systems becomes challenging, not only within utility-controlled sites but also in consumer-facing devices that may contain cyber vulnerabilities, thereby compromising revenue or the overall security of the grid.
3. The organizational complexity of the energy sector exposes vulnerabilities to cyberattacks. Utilities often rely on multiple business units responsible for different aspects of energy generation, transmission, and distribution. This diversity introduces separate IT and OT policy regimes, making it difficult to ensure the network’s overall security.

To illustrate the potential impact across the entire value chain, it’s worth noting that electric organizations, in particular, could face cyber threats capable of disrupting various stages, including generation, transmission, distribution, and network segments.

• Generation stage: Potential disruptions in this stage could stem from service interruptions and ransomware attacks targeting power plants and clean-energy generators. The primary vulnerabilities lie in legacy generation systems and clean-energy infrastructure that were not originally designed with cybersecurity in mind.
• Transmission stage: The large-scale disruption of power to consumers could occur through remote disconnection of services. This is possible due to physical security weaknesses that allow unauthorized access to grid control systems, leading to potential disruptions.
• Distribution stage: Disruptions at substations could result in regional service loss and customer disruptions. The root cause of such disruptions can be traced back to distributed power systems and the limited security built into Supervisory Control and Data Acquisition (SCADA) systems.
• Network stage: Cyber threats at this stage could lead to the theft of customer information, fraudulent activities, and service disruptions. These threats are driven by the extensive attack surface presented by Internet of Things (IoT) devices, including smart meters and electric vehicles.

Recommendations for enhancing cybersecurity in the energy Sector

To further strengthen cybersecurity practices in the energy sector, the following key recommendations should be considered:

1. Develop strategic threat intelligence: Establish dedicated teams to monitor and analyze threats, providing a proactive view of potential risks. Integrate intelligence reporting into strategic planning and exercise incident response plans regularly.
2. Integrate security across regions and organizations: Create a unified approach to cybersecurity by establishing common security standards across all regions and business units. Foster a culture of security awareness and streamline processes for information sharing and decision-making.
3. Design clear and safe network architectures: Implement clear network segmentation and micro-segmentation strategies to limit the spread of cyberattacks within the network. Define security zones and establish secure demilitarized zones (DMZs) between IT and OT networks.
4. Promote industry collaboration: Engage in partnerships and industry-wide collaborations to develop common standards and best practices for cybersecurity. Participate in regional corporations to share knowledge and discuss security concerns specific to shared power grids. Advocate for security by design in IT and OT technologies, especially in smart-grid devices that may lie outside the utilities’ direct control. Additionally, organizing future-facing industry-wide exercises can help predict and preemptively address emerging threats to broader grid security.
5. Strengthen employee training and awareness: Build a culture of cybersecurity awareness within energy companies by conducting regular training sessions for employees. Educate them on identifying and responding to potential threats, emphasizing the importance of following established security protocols and reporting any suspicious activities.
6. Implement robust email security measures: Recognizing that phishing attacks often serve as entry points for cybercriminals, energy companies should prioritize comprehensive email security measures. These measures can include advanced spam filters, email authentication protocols (such as DMARC, SPF, and DKIM), and user awareness campaigns to identify and avoid phishing attempts.
7. Ensure secure remote access solutions: With remote work becoming increasingly prevalent, energy companies must ensure the security of remote access solutions. This involves implementing strong authentication methods, such as multi-factor authentication (MFA), virtual private networks (VPNs) with robust encryption, and strict access controls to minimize the risk of unauthorized access.
8. Regular software updates and patch management: Keeping all software systems and applications up-to-date is crucial in protecting against known vulnerabilities that cybercriminals often exploit. Energy companies should establish robust patch management processes to ensure timely updates and apply security patches promptly.
9. Backup and recovery planning: Developing comprehensive backup and recovery plans is essential for mitigating the impact of cyberattacks. Regularly backing up critical data and systems and maintaining off-site or offline backups can help organizations quickly recover in the event of a breach or system compromise. Testing the effectiveness of backup and recovery plans through regular drills and simulations is also recommended.

Securing energy infrastructure is an ongoing task

Given the increasing integration of IT and OT environments, it’s important to highlight that 94% of IT security incidents have also impacted the OT environment. This underscores the ongoing and comprehensive task of securing energy infrastructure from cyber threats.

In this evolving landscape, effective cybersecurity is not a standalone effort but hinges on several key elements:

• Cross-regional and cross-departmental integration
• Secure network architectures and demilitarized zones
• Recognition of the sector’s unique vulnerabilities
• Implementation of layered defense strategies to significantly mitigate risks
• Strategic threat intelligence that enables proactive responses to threats
• Prioritization of staff training, robust email security, and secure remote access solutions
• Regular software updates and industry-wide collaboration

By adhering to these recommendations and fostering a proactive cybersecurity mindset, we can safeguard our critical infrastructure and ensure a resilient energy future.

The post Protecting energy infrastructure from cyberattacks appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The threat of ransomware attacks continues to strike organizations, government institutions, individuals, and businesses across the globe. These attacks have skyrocketed in frequency and sophistication, leaving a trail of disrupted operations, financial loss, and compromised data. Statistics reveal that there will be a new ransomware attack after every two seconds by 2031 while the companies lose between $1 and $10 million because of these attacks.

As the security landscape evolves, cybercriminals change their tactics and attack vectors to maximize their profit potential. Previously, ransomware attackers employed tactics like email phishing, remote desktop protocol vulnerabilities, supply chain issues, and exploit kits to breach the system and implant the ransomware payloads. But now attackers have significantly changed their business model.

Organizations need to adopt a proactive stance as more ransomware gangs emerge and new tactics are introduced. They must aim to lower their attack surface and increase their ability to respond to and recover from the aftermath of a ransomware attack.

How is ransomware blooming as a business model?

Ransomware has emerged as a thriving business model for cybercriminals. It is a highly lucrative and sophisticated method in which the attackers encrypt the data and release it only when the ransom is paid. Data backup was one way for businesses to escape this situation, but those lacking this had no option except to pay the ransom. If organizations delay or stop paying the ransom, attackers threaten to exfiltrate or leak valuable data. This adds more pressure on organizations to pay the ransom, especially if they hold sensitive customer information and intellectual property. As a result, over half of ransomware victims agree to pay the ransom.

With opportunities everywhere, ransomware attacks have evolved as the threat actors continue looking for new ways to expand their operations’ attack vectors and scope. For instance, the emergence of the Ransomware-as-a-service (RaaS) model encourages non-technical threat actors to participate in these attacks. It allows cybercriminals to rent or buy ransomware toolkits to launch successful attacks and earn a portion of the profits instead of performing the attacks themselves.

Moreover, a new breed of ransomware gangs is also blooming in the ransomware business. Previously, Conti, REvil, LockBit, Black Basta, and Vice Society were among the most prolific groups that launched the attacks. But now, the Clop, Cuban, and Play ransomware groups are gaining popularity as they exploit the zero-day vulnerability and impact various organizations.

Ransomware has also become a professionalized industry in which attackers demand payments in Bitcoins only. Cryptocurrency provides anonymity and a more convenient way for cybercriminals to collect ransom payments, making it more difficult for law enforcement agencies to trace the money. Though the FBI discourages ransom payments, many businesses still facilitate the attackers by paying ransom in bitcoins.

 What’s the worst that can happen after a ransomware attack?

A ransomware attack can have consequences for businesses, individuals, and society. Since these attacks are prevalent there are privacy risks in almost every activity online. These attacks are not only a hazard to organisations but they also carve pathways that disrupts every associated client, customer and partner’s online anonymity. Here’s a brief insight into the worst outcomes that can occur following a ransomware attack:

No data recovery and repeated attacks

Ransomware attacks can result in significant data and financial loss. Despite promises, paying a ransom ensures no guarantee that the cybercriminals will return or delete the data they already have compromised. A study finds that nearly 200,000 companies fail to retrieve data after paying the ransom. Besides this, businesses willing to pay the ransom make them a more attractive target. The same study also finds that a ransomware attack hit 80% of companies for a second time, with 68% saying that the second attack happened in less than a month – and the attackers demanded a higher amount.

Financial instability

The most significant impact of ransomware attacks is the devastating financial losses. These attacks will cost victims around $265 billion annually by 2031. The victims are usually organizations that will likely incur the costs associated with customers’ data, investigating the attack, restoring the systems, and deploying robust security measures to avoid such attacks. In addition, if an organization fails to recover the data, it may experience long-term financial instability due to operational disruptions, reduced productivity, revenue loss, and legal liabilities.

Lawsuits and regulatory fines

Cybercriminals exfiltrate valuable data in ransomware attacks. This can result in lawsuits being filed by the affected parties whose data was compromised. Equip Systems, US Fertility, TransLink, and Canon, are some companies that faced lawsuits due to ransomware attacks. Additionally, most businesses are subject to industry regulations like HIPAA, GDPR, and CCPA to maintain data privacy. Suppose the attackers exfiltrate data that includes personally identifiable information and financial or medical records. In that case, the organizations face regulatory fines, losing customers’ trust and causing significant reputational damage.

Operational downtime

Ransomware attacks paralyze the organization’s everyday operations, resulting in significant downtime and productivity losses. Stats reveal that, on average, organizations experience almost three weeks of downtime in the aftermath of a ransomware attack. When a critical infrastructure, network, or system is compromised, businesses fail to provide services, and this downtime significantly impacts their profits and earnings.

Breaking down the ransomware business model

The risk of ransomware attacks is bigger than many organizations might realize. However, the good news is that there are plenty of measures that businesses can take to mitigate these attacks:

• Use data backups: Regularly backing up the data helps recover data during a ransomware attack. Businesses must ensure that all critical business data is backed up and stored in a location inaccessible to attackers.
• Upgrade, update, and patch systems: The older an operating system gets, the more chances of malware and other threats targeting them. Therefore, retire legacy devices, hardware, or software the vendor no longer supports. It’s also crucial to update the network software with fixes as soon as they are released.
• Reduce the attack surface: Organizations with clearly defined rules have been able to mitigate the impact of attack during the initial stages. Hence, create attack surface reduction rules to prevent common tactics that attackers use to launch an attack.
• Network segmentation: Develop a logical network segmentation based on least privilege that reduces the attack surface threat and limits lateral movement. If by any means the malicious actor bypasses your perimeter, network segmentation can stop them from moving into other network zones and protects your endpoints.
• Have a handy incident response plan: A survey finds that 77% of people say their businesses lack a formal incident response plan. A well-informed incident response plan can help businesses manage ransomware attacks better, minimize impacts, and foster fast recovery.
• Deploy XDR and SIEM tools: These tools provide holistic insights about emerging threats and enhance the security professionals’ detection and response capabilities for ransomware attacks.
• Employee education: Humans are an organization’s weakest link, and ransomware groups use this loophole to launch attacks. To close this gap, businesses must educate their employees about the latest trends, hackers’ tactics, and ways to respond promptly.

Final words

Over time, the ransomware business model is becoming sophisticated and evolving through double extortion, the RaaS model, and the emergence of new ransomware gangs. As these attacks are unlikely to go away anytime soon, businesses must educate their staff about this lucrative attack and the consequences it presents to the company. Organizations must prioritize basic cybersecurity measures like regularly backing up the data, segmenting the network, and patching the systems. Additionally, they must invest in endpoint protection tools, have an incident response plan handy, and invest enough in security awareness programs to minimize the impact of ransomware attacks.

The post Ransomware business model-What is it and how to break it? appeared first on Cybersecurity Insiders.

This blog was co-written with Kristen Perreault – Professional Cybersecurity and James Rodriguez – Sr. Specialist Cybersecurity.

Executive summary

Since December 22nd, 2022, there has been an increase in malware sent via Phishing emails via a OneNote attachment. As with most phishing emails, the end user would open the OneNote attachment but unlike Microsoft Word or Microsoft Excel, OneNote does not support macros. This is how threat actors previously launched scripts to install malware.

Minimal documentation has been made towards the tactics, techniques, and procedures (TTP’s) observed in these attacks. Some of the TTP’s observed included executions of Powershell.exe usage and Curl.exe once a hidden process was ran. Once the hidden executable was clicked on, a connection was made to an external site to attempt to install and execute malware. Once executed the attacker will unload additional malicious files and gain internal information from within the organization. In this case, malicious files were detected and mitigated by SentinelOne.

Investigation

Initial Alarm Review

Indicators of Compromise (IOC)

The initial alarm came in for malware being detected by SentinelOne which was a .One file type. The file sourced from Outlook indicated this was likely a phishing email. Shortly after receiving the initial alarm, the MES SOC Threat Hunters (SECTOR Team) were alerted by a customer experiencing this activity and began their deep dive. Upon entering the file hash obtained from the SentinelOne event, no discernible information regarding the file’s purpose was uncovered. This prompted SECTOR to utilize Deep Visibility to gain further insight into the process and purpose of the detected file.

Deep Visibility is a feature within SentinelOne that provides comprehensive insight into the activities and behaviors of threats within a network environment. This feature allows security teams, such as SECTOR, to investigate and respond to threats by providing greater insight in processes, network connections, and file activities. It is an incredibly powerful tool in SentinelOne and is commonly used during the Incident Response process.

Expanded investigation

Events Search

A search string was created for Deep Visibility which included the file name and associated file hashes. An event in SentinelOne was found that included a Curl.exe process with the external domain minaato[.]com. When reviewing the domain further, it was determined that this was a file sharing website and additional malicious indicators were uncovered. Analyzing the DNS request to minaato[.]com, showed events with the source process mshta.exe with the target process curl.exe, and the parent process of onenote.exe. This chain of processes were the heuristic (behavioral) attributes that prompted SentinelOne to fire off an alert. Utilizing these TTP and previous source processes, a new query was generated to find any potential file populating the same activity. This led SECTOR to detect another file under Cancellation[.]one.

Event Deep Dive

SECTOR began their event deep dive with an initial IOC based search query that included the file name and the domain that generated outbound network connections.

Pivoting off of the results from the initial IOC based search query, SECTOR created a secondary search query that included multiple file names, domains, and hashes that were found. These IOCs had not been previously discovered in the wild but once they were found, SECTOR provided them to the AT&T AlienLabs team for additional detection engines, correlation rules, and OTX (AT&T Open Threat Exchange Platform) pulse updates.

After gathering all the IOCs, a third heuristic-based search query was created. This new query aimed to find any remaining events related to the malware that SentinelOne might not have alerted on, as it mainly focuses on execution-based activities rather than behavior-based ones. This demonstrates the importance of using threat hunting in conjunction with SentinelOne’s Deep Visibility feature for enhanced security.

In the final stage of the event search, SECTOR created a final heuristic search query that detected any outreach to a domain with the same behavioral attributes observed in this environment. Although the results contained false positives, they were able to sift through and find an event where the “ping.exe” command successfully communicated with the malicious domain, “minaato[.]com”. In this case, SentinelOne did not alert on this activity due to it being a common process execution.

Response

Building the Investigation

After gathering all necessary information and event findings, SECTOR was able to pull the malicious OneNote file and detonate it within their sandbox environment. They were then able to see that once the file was opened, the malicious link was hidden under an overlayed stock Microsoft image that asked the user to click open. This then brought the user to the malicious domain, minaato[.]com.

SECTOR provided all data gathered from this threat hunt to the affected customers and fellow CyberSecurity Teams within AT&T for situational awareness.

Customer interaction

The affected customers were given remediation steps based on the specific activity they experienced with this malware. Some of them were successfully compromised, while others were able to avoid any execution or downloads in association with the malware itself. These remediation steps included removing all files from the affected devices, resetting all user passwords for best practices, scanning assets to ensure no further unauthorized or malicious activity was occurring in the background, globally blocking all IOC’s, and implementing block rules on their firewalls.

IOCS

IOC Type	IOC
File Name	cancelation.one
File Name	cancelation.one
File Hash (MD5)	670604eeef968b98a179c38495371209
File Hash (SHA1)	8f4fc0dbf3114200e18b7ef23f2ecb0b31a96cd7
File Hash (SHA1)	776181d69149f893e9b52d80908311c0f42ec5eb
File Hash (SHA1)	202b7c6c05c1425c8c7da29a97c386ede09f1b9f
File Hash (SHA256)	83f0f1b491fa83d72a819e3de69455a0b20c6cb48480bcd8cc9c64dbbbc1b581
Domain Name	minaato[.]com
Domain Name	simonoo[.]com
Domain Name	olimobile[.]com
Domain Name	sellscentre[.]com

The post Stories from the SOC: OneNote MalSpam – Detection & response appeared first on Cybersecurity Insiders.

For anyone who follows industry trends and related news I am certain you have been absolutely inundated by the torrent of articles and headlines about ChatGPT, Google’s Bard, and AI in general. Let me apologize up front for adding yet another article to the pile. I promise this one is worth a read, especially for anyone looking for ways to safely, securely, and ethically begin introducing AI to their business. On June 20th the International Association of Privacy Professionals (IAPP) released a new body of knowledge (BOK) for their soon-to-be-released Artificial Intelligence Governance Professional Certification (AIGP). This first-of-its-kind certification covers a series of knowledge areas, which I’ll explore later in this post. It’s of great value to any professional interested in implementing or managing AI, or simply curious about the field.

The field is booming with new tools, ideas, and use-cases being developed by the hour (at least that’s how it seems sometimes). Several companies, IBM being the most prolific, have also released several technical certifications aimed at the creation and refinement of AI. There are not, however, any certifications aimed at business leaders or non-technical professionals, the people who will approve and use AI in their day-to-day tasks. At least there weren’t until the IAPP announced their new AIGP certification, that is.

Introduction to the IAPP, and the AIGP knowledge areas

While the IAPP is the de facto leader in the industry when it comes to privacy certifications, I recognize not everyone may be familiar with them or their offerings. The IAPP was founded in 2000 and currently offers a suite of certifications aimed at professionals, including lawyers, who work with data privacy or governance. Their key offerings include the Certified Information Privacy Professional series (including individual certifications on European, Canadian, and American privacy laws), the Certified Information Privacy Manager, Certified Information Privacy Technologist, as well as a few others. The AIGP is a brand-new offering that hasn’t been fully released yet beyond the newly posted BOK.

The AIGP covers seven different domains that range from fundamental components of AI, all the way to development lifecycles and risk management. The topics on the exam will allow professionals to showcase their knowledge of both AI as a field of study and a technology, but also how to effectively manage it within an organization. Learning what you need to know to pass the test will create an excellent foundation and equip you to identify and leverage opportunities when they appear, and manage risks when they invariably crop up. I’ve listed the seven domains below:

1. Understanding the Foundations of Artificial Intelligence
2. Understanding AI Impacts and Responsible AI Principles
3. Understanding How Current Laws Apply to AI Systems
4. Understanding the Existing and Merging AI Laws and Standards
5. Understanding the AI Development Life Cycle
6. Implementing Responsible AI Governance and Risk Management
7. Contemplating Ongoing Issues and Concerns

Conclusion

While the certification itself isn’t out quite yet, I highly recommend you visit the IAPP’s website and take a look at the AIGP’s BOK. This will give you a good idea of what you can expect to see on the exam and let you begin preparing while we wait for the official training material to be released. I reached out to the IAPP for more information and was informed that additional training material to support this certification is planned for a Q4 release later this year.

This certification promises to become a milestone in the realm of AI governance, effectively bridging the gap between those with deep technical knowledge and non-technical business leaders. As the presence and use of AI becomes more pervasive, being able to understand its governance, risks, and ethical implications is no longer a luxury, but a necessity. This certification is going to be a vital first step towards achieving that understanding. I’ll continue to follow the development of the AIGP and provide more insights as new information becomes available.

The post Artificial Intelligence Governance Professional Certification – AIGP appeared first on Cybersecurity Insiders.

As everyone looks about, sirens begin to sound, creating a sense of urgency; they only have a split second to determine what to do next. The announcer repeats himself over the loudspeaker in short bursts… This is not a drill; report to your individual formations and proceed to the allocated zone by following the numbers on your squad leader’s red cap. I take a breather and contemplate whether this is an evacuation. What underlying danger is entering our daily activities? 1…2….3…. Let’s get this party started!

When I come to… I find that the blue and red lights only exist in the security operations center. Intruders are attempting to infiltrate our defenses in real time; therefore, we are on high alert. The time has come to rely on incident response plans, disaster recovery procedures, and business continuity plans. We serve as security posture guardians and incident response strategy executors as organizational security leaders. It is vital to respond to and mitigate cyber incidents, as well as to reduce security, financial, legal, and organizational risks in an efficient and effective manner.

Stakeholder community

CISOs, as security leaders, must develop incident response teams to combat cybercrime, data theft, and service failures, which jeopardize daily operations and prevent consumers from receiving world-class service. To maintain operations pace, alert the on-the-ground, first-line-of-defense engagement teams, and stimulate real-time decision-making, Incident Response Plan (IRP) protocols must include end-to-end, diverse communication channels.

Stakeholder Types

 

What does an incident response plan (IRP) do?

That’s an excellent question. The incident response plan gives a structure or guideline to follow to reduce, mitigate, and recover from a data breach or attack. Such attacks have the potential to cause chaos by impacting customers, stealing sensitive data or intellectual property, and damaging brand value. The important steps of the incident response process, according to the National Institute of Standards and Technology (NIST), are preparation, detection and analysis, containment, eradication, and recovery, and post-incident activity that focuses on a continual learning and improvement cycle.

Lifecycle of Incident Response

Many company leaders confront a bottleneck when it comes to assigning a severity rating that determines the impact of the incident and establishes the framework for resolution strategies and external messaging. For some firms, being able to inspect the damage and appropriately assign a priority level and impact rating can be stressful and terrifying.

Rating events can help prioritize limited resources. The incident’s business impact is calculated by combining the functional effect on the organization’s systems and the impact on the organization’s information. The recoverability of the situation dictates the possible answers that the team may take while dealing with the issue. A high functional impact occurrence with a low recovery effort is suited for fast team action.

The heart beat

Companies should follow industry standards that have been tried and tested by fire departments to improve overall incident response effectiveness. This includes:

• Current contact lists, on-call schedules/rotations for SMEs, and backups
• Conferencing tools (e.g., distribution lists, Slack channels, emails, phone numbers)
• Technical documentation, network diagrams, and accompanying plans/runbooks
• Escalation processes for inaccessible SMEs

Since enemies are moving their emphasis away from established pathways to avoid defenders, it is vital to enlist third-party threat landscape evaluations. These can halt the bleeding and cauterize the wound, much like a surgeon in a high-stress operation. Threat actors are always improving their abilities using the same emerging sizzling cyber technologies that defenders use.

Despite widespread recognition of the human aspect as the weakest link, threat actors study their prey’s network to seek alternative weak points such as straddle vulnerability exploitation and credential theft. Employ Managed Threat Detection Response (MTDR), Threat Model Workshop (TMW), and Cyber Risk Posture Assessment (CRPA) services to expertly manage your infrastructure and cloud environments in a one-size-fits-all way.

Takeaways

Take inventory of your assets

• Increase return on investment
• Provide comprehensive coverage
• Accelerate compliance needs
• Create a cybersecurity monitoring response strategy
• Emphasize essential resources, attack surface area, and threat vectors
• Deliver transparent, seamless security

Elevate security ecosystem

• Improve the efficiency and effectiveness of incident response systems.
• The Cyber Risk Posture Assessment (CRPA) encourages better decision-making in order to assess governance security posture.
• The Cyber Risk Posture Assessment (CRPA) & Threat Model Workshop (TMW) provide a method for evaluating the security attack surface and threat vectors.
• The Managed Threat Detection Response (MTDR) expands the security team’s capabilities and competencies.
• Use scenario-based tabletop exercises and incident response planning exercises.

In the future, businesses should implement an incident response strategy, a collection of well-known, verified best practices, and assess their actual versus realized assets and security attack surface portfolio. Is your organization crisis-ready? A strong incident management solution increases organizational resiliency and continuity of operations in the event of a crisis.

The post What is an incident response plan (IRP) and how effective is your incident response posture? appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

How can you effectively manage a security budget in a recession? An economic downturn will likely impact your team, so you must prepare to balance your cybersecurity needs with your spending limits.

How will a recession impact security teams?

Cyber attacks become more common during recessions because potential insider threats and fraud cases increase. On top of the risks, you likely must deal with reduced budgets and staff. Less flexible spending usually means you have to take on larger workloads.

In addition, you face increased risk from anyone who was let go due to the economic downturn. They know your organization’s security vulnerabilities and how to exploit them if they want to retaliate. Cybercrime also gives them an opportunity to utilize their skills for financial gain. You must effectively manage your budget to prepare for such effects.

Preparing security budgets for a recession

Your organization will likely cut or limit your security budget, so you must prepare to handle increased security threats with less flexible spending. The key to an adequate long-term solution is to consider the returns you’ll get for each investment.

•  Consider a loan

Getting a loan to boost your security budget may be a good approach if you need more flexibility with your expenses. However, you must be aware of transaction types to navigate the complexities of borrowing adequately. For example, hindering is the practice of keeping assets from creditors, which is fraud. Establish a relationship with a trustworthy lender before committing. In addition, you should ensure you fully understand your contract and repayment responsibilities.

•  Get cyber insurance

Cyber insurance is a great consideration. You can justify the expense because a recession puts you at greater risk for data breaches and network intrusions. Since it typically covers damages, information restoration and incident response, it can put you in a better place financially.

•  Prioritize spending

Prioritizing cybersecurity spending is the first step you should take to prepare your team for an economic downturn. Identify your compliance and essential security needs, and determine how to support them with a smaller budget. You can then take inventory of your technology and labor necessities and decide how to allocate funds properly.

•  Analyze technology needs

You can only effectively manage your security budget if you fully understand what you’re working with. Take inventory of the hardware and software you possess, and categorize it. Even if you don’t have to cut your existing equipment, doing so may give you future spending flexibility. Identify what is essential to your team and isn’t, then decide what you can efficiently operate without.

In addition to potentially saving you money in the long term, taking note of your equipment can inform your security decisions. For example, your cloud platform may be helpful for storage purposes but can also open you up to unique risks. Since everything is a potential attack surface, you may be better off operating with only the essentials.

Assessing your technology may help you optimize spending, as well. You can recognize security gaps more quickly when you have an accurate inventory. It also allows you to patch, update and manage devices, reducing the chance of experiencing an expensive breach.

Effectively budgeting during a recession

Preparation is crucial, but continuous budget management is essential. You’ll have to routinely reevaluate your security spending to align with the recession’s effects.

•  Leverage automation

Automating workflows with artificial intelligence (AI) is an excellent solution if you have large workloads or need more staff. It can complete tasks in seconds without your input or assistance, so you can let it run on its own while focusing on more essential duties. Despite its speed, its decisions are accurate because they’re data-driven. While AI may require a larger initial investment, it’s usually worth it.

On top of reducing labor expenses, it can save your team money when handling security issues. Organizations using automation and AI saved over $3 million during data breaches and controlled them 74 days earlier than those without the technology. It allows for more flexibility in your department’s budget because dealing with situations becomes more affordable. Since it can also scale with your needs, you can adjust its involvement as necessary.

•  Increase training

Training is essential since human error causes 95% of cybersecurity issues for organizations. You only need to spend on labor, which can be an effective strategy. Your department’s budget may be limited, but consider the benefits of allocating funds toward upskilling. It can inform your team of potential risks during the recession. Also, it can better prepare them to respond to security threats — a critical factor for those dealing with high workloads or understaffing.

•  Focus on employee retention

The cybersecurity skills shortage is a significant factor to consider because you’ll likely see its impact during the recession. The longer it goes on, the more you may feel its effects. Employee retention is essential to mitigate this challenge.

You could use a multi-layered security architecture to make your role manageable. It’s a cost-effective approach to reducing burnout and simplifying tech stacks — some of the main ways to keep your team productive.

Balancing security and spending

A recession may limit your budget, but you can continue to provide security to your organization if you manage it effectively. Ensure you understand your equipment needs, prioritize spending and stabilize your team’s workload.

The post Effectively managing security budgets in a recession appeared first on Cybersecurity Insiders.