Category: Detect

In today’s fast-paced digital landscape, businesses proactively seek innovative ways to optimize their networks, enhance operational efficiency, and reduce costs. Network Functions Virtualization (NFV) emerges as a transformative technology that leads the charge.

NFV revolutionizes traditional, hardware-based network functions by converting them into flexible, software-based solutions. Virtual Network Functions (VNFs) can be deployed on commodity servers, cloud infrastructure, or even in data centers, freeing businesses from the constraints of specialized, proprietary hardware.

NFV simplifies network operations and significantly reduces hardware costs by allowing network functions, such as firewalls, load balancers, and routers, to run on general-purpose servers. This leads to substantial savings in both capital expenditure (CAPEX) and operational expenditure (OPEX).

Furthermore, NFV equips businesses with the agility and flexibility necessary to adapt quickly to changing network demands. Unlike traditional hardware-based network functions, which are static and require manual configuration, VNFs can be rapidly deployed, scaled, or modified to accommodate fluctuating network requirements. This provides a level of scalability and agility that was previously unattainable.

NFV also streamlines network management and automation. With NFV Management and Orchestration (MANO) systems, businesses can centrally manage and orchestrate VNFs, reducing the complexity and manual effort associated with network administration. This simplifies the deployment and management of network services, improves efficiency, and minimizes the risk of errors.

Moreover, NFV contributes to more sustainable and environmentally friendly operations by reducing energy consumption. By consolidating multiple network functions onto shared infrastructure, NFV lowers energy usage and cooling requirements.

The NFV architecture, standardized by the European Telecommunications Standards Institute (ETSI), provides a blueprint for implementing and deploying NFV solutions. It comprises three main components:

• Virtual Network Functions (VNFs): Software implementations of network functions deployable on Network Function Virtualization Infrastructure (NFVI). Each VNF runs on generic server hardware and interconnects with other VNFs to create extensive networking communication services.
• NFV Infrastructure (NFVI): The environment hosting the VNFs. It includes the hardware resources and the software layers that abstract, pool, and manage the physical resources.
• NFV Management and Orchestration (MANO): The framework orchestrating and managing physical and/or virtual resources that support the VNFs. The MANO layer consists of the NFV Orchestrator, VNF Manager, and Virtualized Infrastructure Manager (VIM).

This architecture decouples network functions from proprietary hardware appliance which is how NFV enhances network flexibility, scalability, and service deployment speed, while cutting costs and energy consumption.

NFV not only brings cost savings and efficiency but also fosters innovation. The ability to quickly and easily deploy new network functions enables businesses to experiment with new services and features, accelerating innovation and enhancing competitiveness.

NFV represents a paradigm shift in networking. By transforming rigid, hardware-based network functions into flexible, software-based solutions, NFV equips businesses with the agility, cost-efficiency, and innovation potential necessary to thrive in the digital age. Embracing NFV is a strategic move for businesses looking to future-proof their networks and maintain a competitive edge in the digital era. Don’t let your current network setup hold you back; explore the possibilities NFV offers with AT&T Cybersecurity and transform your network infrastructure today.

The post What is NFV appeared first on Cybersecurity Insiders.

This blog was jointly written with Alejandro Prada and Ofer Caspi.

Executive summary

SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it accessible.

Key takeaways:

• SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
• The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the command line NirCmd.
• Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.

Analysis

Quasar RAT is a legitimate open-source remote administration tool. It is offered on github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017).

It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day.

In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.

Figure 1. SeroXen features announced on its website.

This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.

In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.

After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.

The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th, 2023, after seroxen[.]com was decommissioned. The threat actor used GoDaddy for registration and Cloudflare for hosting the website. These domains are only used for selling and marketing purposes, and not for Command and Control (C&C) communications.

Figure 2: SeroXen website

Based on the packed versions uploaded to VT, it appears that the RAT is being used for targeting video game users. Several lure injector cheat files have been observed with names invoking popular videogames such as Fortnite, Valorant, Roblox or Warzone2. The threat actor used Discord for the distribution of some of the samples.

Figure 3. SeroXen timeline.

One of the most relevant announced features is that it is a fully undetectable version. This is currently true from a static analysis point of view, since the RAT is packaged into an obfuscated PowerShell batch file. The file’s size typically ranges between 12-14 megabytes, as we can see in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus may choose not to analyze it, potentially bypassing detection. This sample currently has 0 detections on VT, but some of the crowdsourced Sigma Rules do detect the activity as suspicious.

As the malware is fileless and executed only in memory after going through several decryptions and decompression routines, it is more difficult to detect by antiviruses. In addition, its rootkit loads a fresh copy of ntdll.dll, which makes it harder to detect by Endpoint Detection & Response (EDR) solutions that hook into it to detect process injections.

Regarding the dynamic analysis, it is worth noting that some sandbox environments might fail to detect the RAT due to its utilization of several techniques to evade virtualization and sandbox detection mechanisms and string encryption subsequent payloads.

The RAT employs anti-debugging techniques by leveraging Windows Management Instrumentation (WMI) to identify the system’s manufacturer. This enables it to identify virtualization environments such as VMware and abort the execution to delay and make the analysis harder. The RAT also checks for the presence of debuggers and uses pings make the threads sleep.

Currently, most child processes and files dropped during the execution of the RAT have a low detection rate.

Execution analysis

When the malicious payload is delivered to the victim, commonly through a phishing mail or a Discord channel – the victim often receives a ZIP file containing a benign file in plain sight, and the heavily obfuscated batch file is hidden and automatically executed when launched. The bat file format is always very similar and looks like the contents of Figure 4, followed by base64 encoded text later in the file.

Figure 4. Obfuscated bat script.

During the bat execution, the script extracts two separate binaries from the base64 encoded text, AES decrypts, and GZIP decompresses it to produce two separate byte arrays. These byte arrays are then used with .NET reflection to perform an in-memory load of the assembly from its bytes, locate the binary’s entry point, and perform an Invoke on both.

Throughout the decryption process, the attackers had the need to create a legitimate looking folder to drop an illicit version of the System Configuration Utility msconfig.exe that is required later. For this purpose, the script creates the folder “C:Windows System32”, with a space after Windows and deletes it as soon as the utility is running. If it wasn’t for this file temporarily dropped into disk, the RAT would be fully fileless.

The execution of one of the above-mentioned binaries leads to another obfuscated binary carrying an embedded resource. This resource is hidden behind anti-sandboxing and debugger techniques, only to lead to more obfuscation and encryption techniques that lead to the final payload. This payload has been built using the Github project Costura, which allows SeroXen to pack the code’s dependencies into the .NET assembly so it can run self-contained.

Figure 5. Payload embedded resources.

The extraction of the resources leads to the final payloads. This is in the form of two .NET assemblies: CSStub2.InstallStager.exe, and CSStub2.UninstallStager.exe. And a Win32 binary called CSStub2.$sxr-nircmd.exe, which corresponds to the unmodified command-line utility NirCmd.

The payload InstallStager.exe is a compilation of the open-source rootkit named r77-rootkit – a fileless ring 3 rootkit written in .NET. This rootkit supports both x32 and x64 Windows processes and has the following features:

• Fileless persistence: The rootkit is stored as obfuscated data in the registry and is spawned with PowerShell via Task Scheduler to be injected into the winlogon.exe process.
• Child process hooking.
• Option to embed additional malware to be executed with the rootkit – in this case NirCmd and/or Quasar. The added malware will be decompressed and decrypted before it is injected into other processes.
• In memory process injection: the rootkit injects itself and additional malware(s) into all processes. Injection is done from memory: no files are needed to be stored on disk.
• Hooking: Hooks several functions from ntdll.dll to hide its presence.
• Communicating via NamedPipe: The rootkit can receive a command from any running process.
• Antivirus / EDR evasion: The rootkit uses several evasion techniques:
  • AMSI bypass: PowerShell inline script patches “amsi.dll!AmsiScanBuffer” to always return “AMSI_RESULT_CLEAN”.
  • DLL unhooking: Removes EDR hooks by loading a fresh copy of “ntdll.dll” from disk to avoid process hollowing detection
• Hiding entities: Hiding all entities starts with a configurable prefix, which in SeroXen’s case its “$sxr”. This prefix hardens the visualization of the attack on the system, but eases attribution of the malware family during the analysis. The prefix is used to hide files, directories, NamedPipes, scheduled tasks, processes, registry keys/values, and services.

R77 technical documentation provides a guideline of where can the prefix be found:

Config parameter	Details	Example
HIDE_PREFIX	The prefix for name-based hiding (e.g. processes, files, etc…).	L”$sxr”
R77_SERVICE_NAME32	Name for the scheduled task that starts the r77 service for 32-bit processes.	HIDE_PREFIX L”svc32″
R77_SERVICE_NAME64	Name for the scheduled task that starts the r77 service for 64-bit processes.	HIDE_PREFIX L”svc64″
CHILD_PROCESS_PIPE_NAME32	Name for the named pipe that notifies the 32-bit r77 service about new child processes.	L”.pipe” HIDE_PREFIX L”childproc32″
CHILD_PROCESS_PIPE_NAME64	Name for the named pipe that notifies the 64-bit r77 service about new child processes.	L”.pipe” HIDE_PREFIX L”childproc64″
CONTROL_PIPE_NAME	Name for the named pipe that receives commands from external processes.	L”.pipe” HIDE_PREFIX L”control”

 

The two main components in this project are the InstallStager service and the Rootkit. The InstallStager service is responsible for:

• Creating a registry key to store the malware code and writes it as encrypted data.
• Creating a scheduled task to execute the malware using PowerShell. PowerShell will decompress and decrypt the final payload (Service) that will be injected into the winlogon.exe process and executed via dllhost.exe using process hollowing techniques.

Figure 6. Starting payload after decryption using process hollowing.

Now the second and main stage of the Rootkit is ready to start. The service kicks off the load of the rootkit’s DLL that is embedded as a resource and saves its configuration as a registry key. (In SeroXen case it’s [HKEY_LOCAL_MACHINESOFTWARE$sxrconfig]).

The service creates 3 listener threads:

• NewProcessListener: Enumerates all running processes and injects the rootkit when new processes are created.
• ChildProcessListener: Injects the rootkit to a newly created process by another process and updates the callee via NamedPipe.

Figure 7. Child process injection.

• ControlPipeListener: Creates a NamedPipe to receive commands from any process. Supported commands are listed below:

Command	Details
CONTROL_R77_UNINSTALL	The control code that uninstalls r77.
CONTROL_R77_PAUSE_INJECTION	The control code that temporarily pauses injection of new processes.
CONTROL_R77_RESUME_INJECTION	The control code that resumes injection of new processes.
CONTROL_PROCESSES_INJECT	The control code that injects r77 into a specific process, if it is not yet injected.
CONTROL_PROCESSES_INJECT_ALL	The control code that injects r77 into all processes that are not yet injected.
CONTROL_PROCESSES_DETACH	The control code detaches r77 from a specific process.
CONTROL_PROCESSES_DETACH_ALL	The control code detaches r77 from all processes.
CONTROL_USER_SHELLEXEC	The control code that executes a file using ShellExecute.
CONTROL_USER_RUNPE	The control code that executes an executable using process hollowing.
CONTROL_SYSTEM_BSOD	The control code that triggers a BSOD.
CONTROL_R77_TERMINATE_SERVICE	The control code that terminates the r77 service.

 

The DLL rootkit carries out process injections, executes commands received by other processes, and keeps out of sight any sign of SeroXen being executed within the system.

Figure 8. System function hooking.

As a summary of the execution process:

Figure 9. SeroXen decryption flow.

Since Seroxen is based on QuasarRAT, the C&C server utilizes the same Common Name in their TLS certificate. The functionalities offered by the threat actor for the C&C server closely mirror those found in the Quasar Github repository, including support for TCP network streams (both IPv4 and IPv6), efficient network serialization, compression using QuickLZ, and secure communication through TLS encryption.

Figure 10. Quasar Server Certificate.

 

Conclusion

The SeroXen developer has found a formidable combination of free resources to develop a hard to detect in static and dynamic analysis RAT. The use of an elaborated open-source RAT like Quasar, with almost a decade since its first appearance, makes an advantageous foundation for the RAT. While the combination of NirCMD and r77-rootkit are logical additions to the mix, since they make the tool more elusive and harder to detect.

The Alien Labs team will continue to monitor the threat landscape for SeroXen samples and infrastructure.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035595: ET TROJAN Generic AsyncRAT Style SSL Cert

2027619: ET TROJAN Observed Malicious SSL Cert (Quasar CnC)

 

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

 

TYPE	INDICATOR	DESCRIPTION
SHA256	8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87	Example malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• TA0002 : Execution 
• T1053: Scheduled Task/Job 
• T1053.005: Scheduled Task 
• T1059: Command and Scripting Interpreter 
• T1059.003: Windows Command Shell 
• TA0003: Persistence 
• T1547: Boot or Logon Autostart Execution 
• T1547.001 Registry Run Keys / Startup Folder 
• TA0004: Privilege Escalation 
• T1548: Abuse Elevation Control Mechanism 
• T1548.002: Bypass User Account Control 
• TA0005: Defense Evasion 
• T1112: Modify Registry 
• T1553: Subvert Trust Controls 
• T1553.002: Code Signing 
• T1564: Hide Artifacts 
• T1564.001: Hidden Files and Directories 
• T1564.003: Hidden Window 
• TA0006: Credential Access 
• T1552: Unsecured Credentials 
• T1552.001: Credentials In Files 
• T1555: Credentials from Password Stores 
• T1555.003: Credentials from Web Browsers 
• TA0007: Discovery 
• T1016: System Network Configuration Discovery 
• T1033: System Owner/User Discovery 
• T1082: System Information Discovery 
• T1614: System Location Discovery 
• TA0008: Lateral Movement 
• T1021: Remote Services 
• T1021.001: Remote Desktop Protocol 
• TA009: Collection 
• T1005: Data from Local System 
• T1056: Input Capture 
• T1056.001: Keylogging 
• T1125: Video Capture 
• TA0011: Command and Control 
• T1090: Proxy 
• T1095: Non-Application Layer Protocol  
• T1105: Ingress Tool Transfer 
• T1571: Non-Standard Port 
• T1573: Encrypted Channel: 
• T1573.001: Symmetric Cryptography 

References:

• Seroxen webpage
• Seroxen features
• Quasar RAT
• NirCmd – Windows command line tool (nirsoft.net)
• R77-rootkit

The post SeroXen RAT for sale appeared first on Cybersecurity Insiders.

I. Introduction

AI’s transformative power is reshaping business operations across numerous industries. Through Robotic Process Automation (RPA), AI is liberating human resources from the shackles of repetitive, rule-based tasks and directing their focus towards strategic, complex operations. Furthermore, AI and machine learning algorithms can decipher the huge sets of data at an unprecedented speed and accuracy, giving businesses insights that were once out of reach. For customer relations, AI serves as a personal touchpoint, enhancing engagement through personalized interactions.

As advantageous as AI is to businesses, it also creates very unique security challenges. For example, adversarial attacks that subtly manipulate the input data of an AI model to make it behave abnormally, all while circumventing detection. Equally concerning is the phenomenon of data poisoning where attackers taint an AI model during its training phase by injecting misleading data, thereby corrupting its eventual outcomes.

It is in this landscape that the Zero Trust security model of ‘Trust Nothing, Verify Everything’, stakes its claim as a potent counter to AI-based threats. Zero Trust moves away from the traditional notion of a secure perimeter. Instead, it assumes that any device or user, regardless of their location within or outside the network, should be considered a threat.

This shift in thinking demands strict access controls, comprehensive visibility, and continuous monitoring across the IT ecosystem. As AI technologies increase operational efficiency and decision-making, they can also become conduits for attacks if not properly secured. Cybercriminals are already trying to exploit AI systems via data poisoning and adversarial attacks making Zero Trust model’s role in securing these systems is becomes even more important.

II. Understanding AI threats

Mitigating AI threats risks requires a comprehensive approach to AI security, including careful design and testing of AI models, robust data protection measures, continuous monitoring for suspicious activity, and the use of secure, reliable infrastructure. Businesses need to consider the following risks when implementing AI.

Adversarial attacks: These attacks involve manipulating an AI model’s input data to make the model behave in a way that the attacker desires, without triggering an alarm. For example, an attacker could manipulate a facial recognition system to misidentify an individual, allowing unauthorized access.

Data poisoning: This type of attack involves introducing false or misleading data into an AI model during its training phase, with the aim of corrupting the model’s outcomes. Since AI systems depend heavily on their training data, poisoned data can significantly impact their performance and reliability.

Model theft and inversion attacks: Attackers might attempt to steal proprietary AI models or recreate them based on their outputs, a risk that’s particularly high for models provided as a service. Additionally, attackers can try to infer sensitive information from the outputs of an AI model, like learning about the individuals in a training dataset.

AI-enhanced cyberattacks: AI can be used by malicious actors to automate and enhance their cyberattacks. This includes using AI to perform more sophisticated phishing attacks, automate the discovery of vulnerabilities, or conduct faster, more effective brute-force attacks.

Lack of transparency (black box problem): It’s often hard to understand how complex AI models make decisions. This lack of transparency can create a security risk as it might allow biased or malicious behavior to go undetected.

Dependence on AI systems: As businesses increasingly rely on AI systems, any disruption to these systems can have serious consequences. This could occur due to technical issues, attacks on the AI system itself, or attacks on the underlying infrastructure.

III. The Zero Trust model for AI

Zero Trust offers an effective strategy to neutralize AI-based threats. At its core, Zero Trust is a simple concept: Trust Nothing, Verify Everything. It rebuffs the traditional notion of a secure perimeter and assumes that any device or user, whether inside or outside the network, could be a potential threat. Consequently, it mandates strict access controls, comprehensive visibility, and continual monitoring across the IT environment. Zero Trust is an effective strategy for dealing with AI threats for the following reasons:

• Zero Trust architecture: Design granular access controls based on least privilege principles. Each AI model, data source, and user is considered individually, with stringent permissions that limit access only to what is necessary. This approach significantly reduces the threat surface that an attacker can exploit.
• Zero Trust visibility: Emphasizes deep visibility across all digital assets, including AI algorithms and data sets. This transparency enables organizations to monitor and detect abnormal activities swiftly, aiding in promptly mitigating AI-specific threats such as model drift or data manipulation.
• Zero Trust persistent security monitoring and assessment: In the rapidly evolving AI landscape, a static security stance is inadequate. Zero Trust promotes continuous evaluation and real-time adaptation of security controls, helping organizations stay a step ahead of AI threats.

IV. Applying Zero Trust to AI

Zero Trust principles can be applied to protect a business’s sensitive data from being inadvertently sent to AI services like ChatGPT or any other external system. Here are some capabilities within Zero Trust that can help mitigate risks:

Identity and Access Management (IAM): IAM requires the implementation of robust authentication mechanisms, such as multi-factor authentication, alongside adaptive authentication techniques for user behavior and risk level assessment. It is vital to deploy granular access controls that follow the principle of least privilege to ensure users have only the necessary access privileges to perform their tasks.

Network segmentation: This involves dividing your network into smaller, isolated zones based on trust levels and data sensitivity, and deploying stringent network access controls and firewalls to restrict inter-segment communication. It also requires using secure connections, like VPNs, for remote access to sensitive data or systems.

Data encryption: It is crucial to encrypt sensitive data both at rest and in transit using robust encryption algorithms and secure key management practices. Applying end-to-end encryption for communication channels is also necessary to safeguard data exchanged with external systems.

Data Loss Prevention (DLP): This involves deploying DLP solutions to monitor and prevent potential data leaks, employing content inspection and contextual analysis to identify and block unauthorized data transfers, and defining DLP policies to detect and prevent the transmission of sensitive information to external systems, including AI models.

User and Entity Behavior Analytics (UEBA): The implementation of UEBA solutions helps monitor user behavior and identify anomalous activities. Analyzing patterns and deviations from normal behavior can detect potential data exfiltration attempts. Real-time alerts or triggers should also be set up to notify security teams of any suspicious activities.

Continuous monitoring and auditing: Deploying robust monitoring and logging mechanisms is essential to track and audit data access and usage. Utilizing Security Information and Event Management (SIEM) systems can help aggregate and correlate security events. Regular reviews of logs and proactive analysis are necessary to identify unauthorized data transfers or potential security breaches.

Incident response and remediation: Having a dedicated incident response plan for data leaks or unauthorized data transfers is crucial. Clear roles and responsibilities for the incident response team members should be defined, and regular drills and exercises conducted to test the plan’s effectiveness.

Security analytics and threat intelligence: Leveraging security analytics and threat intelligence platforms is key to identifying and mitigating potential risks. Staying updated on emerging threats and vulnerabilities related to AI systems and adjusting security measures accordingly is also essential.

Zero Trust principles provide a strong foundation for securing sensitive data. However, it’s also important to continuously assess and adapt your security measures to address evolving threats and industry best practices as AI becomes more integrated into the business.

V. Case studies

A large financial institution leverages AI to augment customer support and streamline business processes. However, concerns have arisen regarding the possible exposure of sensitive customer or proprietary financial data, primarily due to insider threats or misuse. To address this, the institution commits to implementing a Zero Trust Architecture, integrating various security measures to ensure data privacy and confidentiality within its operations.

This Zero Trust Architecture encompasses several strategies. The first is an Identity and Access Management (IAM) system that enforces access controls and authentication mechanisms. The plan also prioritizes data anonymization and strong encryption measures for all interactions with AI. Data Loss Prevention (DLP) solutions and User and Entity Behavior Analytics (UEBA) tools are deployed to monitor conversations, detect potential data leaks, and spot abnormal behavior. Further, Role-Based Access Controls (RBAC) confine users to accessing only data relevant to their roles, and a regimen of continuous monitoring and auditing of activities is implemented.

Additionally, user awareness and training are emphasized, with employees receiving education about data privacy, the risks of insider threats and misuse, and guidelines for handling sensitive data. With the institution’s Zero Trust Architecture continuously verifying and authenticating trust throughout interactions with AI, the risk of breaches leading to loss of data privacy and confidentiality is significantly mitigated, safeguarding sensitive data and maintaining the integrity of the institution’s business operations.

VI. The future of AI and Zero Trust

The evolution of AI threats is driven by the ever-increasing complexity and pervasiveness of AI systems and the sophistication of cybercriminals who are continually finding new ways to exploit them. Here are some ongoing evolutions in AI threats and how the Zero Trust model can adapt to counter these challenges:

Advanced adversarial attacks: As AI models become more complex, so do the adversarial attacks against them. We are moving beyond simple data manipulation towards highly sophisticated techniques designed to trick AI systems in ways that are hard to detect and defend against. To counter this, Zero Trust architectures must implement more advanced detection and prevention systems, incorporating AI themselves to recognize and respond to adversarial inputs in real-time.

AI-powered cyberattacks: As cybercriminals begin to use AI to automate and enhance their attacks, businesses face threats that are faster, more frequent, and more sophisticated. In response, Zero Trust models should incorporate AI-driven threat detection and response tools, enabling them to identify and react to AI-powered attacks with greater speed and accuracy.

Exploitation of AI’s ‘`black box’ problem: The inherent complexity of some AI systems makes it hard to understand how they make decisions. This lack of transparency can be exploited by attackers. Zero Trust can adapt by requiring more transparency in AI systems and implementing monitoring tools that can detect anomalies in AI behavior, even when the underlying decision-making process is opaque.

Data privacy risks: As AI systems require vast amounts of data, there are increasing risks related to data privacy and protection. Zero Trust addresses this by ensuring that all data is encrypted, access is strictly controlled, and any unusual data access patterns are immediately detected and investigated.

AI in IoT devices: With AI being embedded in IoT devices, the attack surface is expanding. Zero Trust can help by extending the “never trust, always verify” principle to every IoT device in the network, regardless of its nature or location.

The Zero Trust model’s adaptability and robustness make it particularly suitable for countering the evolving threats in the AI landscape. By continuously updating its strategies and tools based on the latest threat intelligence, Zero Trust can keep pace with the rapidly evolving field of AI threats.

VII. Conclusion

As AI continues to evolve, so too will the threats that target these technologies. The Zero Trust model presents an effective approach to neutralizing these threats by assuming no implicit trust and verifying everything across your IT environment. It applies granular access controls, provides comprehensive visibility, and promotes continuous security monitoring, making it an essential tool in the fight against AI-based threats.

As IT professionals, we must be proactive and innovative in securing our organizations. AI is reshaping our operations and enabling us to streamline our work, make better decisions, and deliver better customer experiences. However, these benefits come with unique security challenges that demand a comprehensive and forward-thinking approach to cybersecurity.

With this in mind, it is time to take the next step. Assess your organization’s readiness to adopt a Zero Trust architecture to mitigate potential AI threats. Start by conducting a Zero Trust readiness assessment with AT&T Cybersecurity to evaluate your current security environment and identify any gaps. By understanding where your vulnerabilities lie, you can begin crafting a strategic plan towards implementing a robust Zero Trust framework, ultimately safeguarding your AI initiatives, and ensuring the integrity of your systems and data.

The post Understanding AI risks and how to secure using Zero Trust appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Numerous risks are inherent in the technologies that all organizations use. These risks have especially become apparent with recent ransomware attacks, which have crippled major infrastructure such as the Colonial Pipeline in the Eastern United States¹. This discussion will focus on how GRC, or governance, risk, and compliance can help organizations face and manage the risks that they face.

As GRC is broken down into three components, a discussion of each will illuminate why each is critical for risk management. The first part of GRC is governance. Governance involves ensuring that the IT organization is managed in a way that is consistent with the overall business goals.². The overall business goals are the strategy that an organization puts in place to ensure that they enjoy a competitive advantage. It is necessary to ensure that proper controls are in place that manages risks, and that starts at the governance level, with high-level business strategies³.

From an IT perspective, risk involves IT management ensuring that any organizational activities that they conduct are consistent with the organizational business goals as just stated. This means that the IT departments’ risk management process should be a part of the corporate risk management functionality. When IT departments limit their activities to economic and technical aspects, they fail to be engaged in the organization’s strategy, which fails to fully leverage the strength and potential of the company⁴.

The IT department’s risk strategies, when aligned with the corporate risk management policies, work in concert to make certain that the risks identified by upper management are reflected in risk management and prevention that occurs within the IT department. One way that organizations using GRC ensure that IT remains aligned with the corporate leadership’s risk management policies and objectives is by setting specific measurable objectives that demonstrate the effectiveness of how GRC is applied in the IT context.

The final area of GRC is compliance. While often considered adherence to laws and regulations, compliance can have a true impact on risk as well. As the complexity of compliance with myriads of regulatory requirements increases, the IT department is often involved with aiding the company to meet compliance demands. The complexity of compliance demands (that come with significant penalties for failures) can often only be accomplished with the support of IT, as the IT department establishes systems and processes which can help the organization to remain in compliance. If surveillance systems are not set up and used properly and the organization is found to be out of compliance, this could cause an enormous risk of financial penalties which could be crippling for the organization⁵.

As this brief discussion has outlined, using GRC to manage IT departments is essential for multiple reasons. Firstly, it ensures that the IT department is aligned with the rest of the organization and its’ strategies. Second, IT organizations run using GRC ensure that their risk management activities are aligned with the corporate risk management activities so that risks identified by the leadership are addressed in IT. Finally, using GRC ensures that the IT department does its part to ensure the organization stays in compliance with regulatory demands. This will protect against the risk of costly penalties for compliance failures.

References

1. Ransomware attack forces shutdown of largest fuel pipeline in the U.S. (https://www.cnbc.com/2021/05/08/colonial-pipeline-shuts-pipeline-operations-after-cyberattack.html)
2. What is GRC and why do you need it? (https://www.cio.com/article/230326/what-is-grc-and-why-do-you-need-it.html)
3. Corporate Governance and Risk Management: Lessons (Not) Learnt from the Financial Crisis (https://www.mdpi.com/1911-8074/14/9/419)
4. The impact of enterprise risk management on competitive advantage by moderating role of information technology (https://www.sciencedirect.com/science/article/abs/pii/S0920548918301454)
5. Dialectic Tensions in the Financial Markets: A Longitudinal Study of pre- and Post-Crisis Regulatory Technology (https://journals.sagepub.com/doi/10.1057/s41265-017-0047-5)

The post Managing technology risk appeared first on Cybersecurity Insiders.

Introduction

Today you look at the Global/Multi-site Enterprise Security Architecture of an organization and see a myriad of concerns. Increased levels of complexity, difficulties managing multiple third parties, difficulties implementing consistent levels of security, and so on. This makes it imperative for organizations to identify opportunities to simplify, streamline, and generally improve their infrastructure wherever possible.

Managing the level of complexity is becoming increasingly difficult. Security may be partially implemented, which is an ongoing challenging issue.

Terminology

• AWS Region – a physical location around the world where we cluster data centers.
• AWS Availability Zone (AZ) – is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
• AWS Services – AWS offers a broad set of global cloud-based products, including computing, storage, database, analytics, networking, machine learning and AI, mobile, developer tools, IoT, security, enterprise applications, and more.
• AWS Transit Gateway (TGW) – A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure.

Global/Multi-Site Enterprise Architecture

Many organizations are using Global/Multi-site with dated technology spread throughout data centers and networks mixed in with some newer technologies. This can include uncounted third parties as well. These sites often include multiple environments (like Dev, QA, Pre-Prod, and Prod) supported by numerous technologies spread across both physical and virtual servers, including databases, web, and application servers, and more.

Modifications can be challenging when integrating legacy with new technologies. Sometimes can require a static approach when completely redesigning existing infrastructure. Understandably, most organizations tend to shy away from exploring anything that seems like a significant upgrade or change. Thankfully there are some solutions available that can substantially improve operations and infrastructure without the typical complexities and implementation challenges.

One such example is outlined below.

Example AWS Transit Gateway (TGW) Global Diagram

AWS Transit Gateway diagram

AWS Transit Gateway is a cloud-based tool that permits a simplified, secure networking approach for companies requiring a hybrid solution that can scale according to their global/multi-site enterprise business needs. The AWS Transit Gateway integrates with Palo Alto Security Devices, which helps to reduce the organization’s risk footprint.

AWS Transit Gateway architecture is used to consolidate site-to-site VPN connections from your on-premises network to your AWS environment and support connectivity between your team development and workload hosting VPCs and your infrastructure shared services VPC. This information will help you make a more informed decision as you consider the recommended approach of using AWS Transit Gateway.

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

As you expand globally, inter-region peering connects AWS Transit Gateways together using the AWS global network. Your data is secured automatically and encrypted; it never travels over the public internet, only on the AWS Global Network. Because of its central position, AWS Transit Gateway Network Manager has a unique view over your entire network, even connecting to Software-Defined Wide Area Network (SD-WAN) devices.

General tips

Data transfer charges apply based on the source, destination, and amount of traffic. Here are some general tips for when you start planning your architecture:

• Avoid routing traffic over the internet when connecting to AWS services from within AWS by using VPC endpoints:
• VPC gateway endpoints allow communication to Amazon S3 and Amazon DynamoDB without incurring data transfer charges within the same Region.
• VPC interface endpoints are available for some AWS services. This type of endpoint incurs hourly service charges and data transfer charges.
• Use Direct Connect instead of the Internet for sending data to on-premises networks.
• Traffic that crosses an Availability Zone boundary typically incurs a data transfer charge. Use resources from the local Availability Zone whenever possible.
• Traffic that crosses a regional boundary will typically incur a data transfer charge. Avoid cross-Region data transfer unless your business case requires it.
• Use the AWS Free Tier. Under certain circumstances, you may be able to test your workload free of charge.
• Use the AWS Pricing Calculator to help estimate the data transfer costs for your solution.

Use a dashboard to visualize better data transfer charges – this workshop will show how.

Cybersecurity

A Cybersecurity approach includes how to address a global enterprise architecture.

A collaborative approach permits meetings to review the global enterprise architecture/workflow.

Hold an introductory overview session to gather the preliminary information for each of the sections listed above and in relation to a phased/planned approach for introducing the AWS Transit Gateway. The phases can include compliance with standards such as NIST.

This extensive security approach would cover all the items listed in the prior sections and the required daily business workflows from end to end.

Global/multi-site security certificates, data at rest, data in transit, networks, firewalls/security devices, circuits, and communications. Topics include Strategies, Securing the Edge, Risk-based Cyber assessment, MTDR (Managed Threat Detection and Response), and Endpoint/Network Security

In the future, we will review other Cybersecurity offerings with AWS Services and the reasons why a company would want to invest in AWS Transit Gateway.

Conclusion

AWS provides the ability to deploy across multiple Availability Zones and Regions. This allows organizations to reduce the complexity of their architecture, improve overall performance, and increase dynamic scalability. By streamlining networks and removing unnecessary middlemen, organizations can also improve overall security by reducing risks associated with having multiple vendors while also increasing operational oversight across their infrastructure.

This blog post provided information to help you make an informed decision and explore different architectural patterns to save on data transfer costs. AT&T Cybersecurity offers services to assist you in your journey. You can review the references listed below to gain additional perspective.

References & Resources

• • AWS Transit Gateway
  • AWS Overview of Data Transfer Costs for Common Architectures
  • AWS Solutions Library
  • Cisco CSR1000V-Transit VPC with Transit Gateway
  • AWS Pricing Calculator
  • Cost and Usage Analysis Well-Architected Lab
  • Data Transfer Cost Analysis Well-Architected Lab
  • AWS Cost Optimization
• Clearscale Blog

The post Introduction to the purpose of AWS Transit Gateway appeared first on Cybersecurity Insiders.

Executive Summary

Killnet is an advanced persistent threat (APT) group based in Russia that has been active since at least 2015. The group is notorious for its highly sophisticated and persistent attacks on a diverse range of industries, including state and local governments, telecommunications, and defense.

Killnet has been linked to several high-profile attacks, including the 2016 hack of the Democratic National Committee (DNC) during the U.S. presidential election. The group has also been implicated in distributed denial-of-service (DDoS) attacks against U.S. airports and Elon Musk’s Starlink satellite broadband service.

The motivations behind these attacks vary, but recently, they have primarily targeted those who are the most vocal supporters of Ukraine and its political agenda.

The aim of this threat hunt is to create a virtual attack environment that simulates Killnet’s tactics, techniques, and procedures (TTPs). Subsequently, detections and threat hunt queries will be written to proactively identify the emulated TTPs while compensating for the limitations of traditional IOC historical searches.

The results of the threat hunt will include high-level dashboards, code, and network artifacts generated from the attack range, which will be used to explain how a hypothesis was formed. The outcomes will also contain the pseudo and translated query logic in a format that can be utilized by tools such as Suricata, Snort, Splunk, and Zeek. The query output will then be employed to confirm the initial hypothesis generated.

Network Artifacts

To emulate the attack, cc.py was utilized to generate continuous HEAD requests against an Apache server, refer to Appendix A for further details. Once the attack was launched, the captured log traffic was examined, as shown in Figure 1 and Figure 2. Upon reviewing the HEAD HTTP traffic, it was discovered that the digits between the ranges of 11-12 appeared after “HEAD /?” consistently. This pattern will serve as the basis for our first hypothesis, as outlined in the next section.

Figure 3 also contains the Apache logs that were generated on the server as the attack script kept trying to access different files in the ‘/var/www/html/’ directory. The script reiterates in a brute force type style, until CPU resources are rendered exhausted by sheer traffic volume.

Figure 1 –Wireshark – Dynamically Generated 11-12 Digits

Figure 2 –Wireshark – Forged Referrer & Anonymized IPs

Figure 3 – Splunk – Apache Server Error Logs – Failed File Access Attempts

Detection Guidance

Perl compatible regular expressions can be used to leverage the context derived from the packet capture during threat analysis, as shown in Figure 1. This allows us to write Suricata/Snort rules that will match observed patterns in headers. Detections tend to scale more than hunt queries and can be applied strategically on a per sensor basis. Specifically, the following rule will match any instance when an HTTP HEAD request containing 11-12 digits has been captured by a network sensor on a forward looking basis. This serves as our first hypothesis to identify the usage of DDoS HEAD floods:

alert tcp any any -> any any (msg:”Killnet cc.py DDoS HTTP HEAD Flood”; content:”HEAD”; depth:4; content:” /?”; distance:0; content:” HTTP/1.1|0d0a|Host: “; distance:0; fast_pattern; content:”.”; distance:1; within:3; content:”.”; distance:1; within:3; content:”.”; distance:1; within:3; content:”|0d0a|Referer: https://”; distance:0; content:”|0d0a|Accept-Language: “; distance:0; content:”|0d0a|Accept-Charset: “; distance:0; content:”|0d0a|Connection: Keep-Alive|0d0a0d0a|”; distance:0; pcre:”/^HEADx20/?[0-9]{11,12}x20HTTP/”; sid:10000001;)

Hypothesis #1

Hunting Process

The following is a Splunk hunt query that utilizes the Zeek/Bro dataset to identify “High connections from common source over a short amount of time”. The query breaks the time column (shown in Figure 2) into 1-second chunks. Once an appropriate threshold has been established, the “where count > 10” statement can be adjusted accordingly to search retroactively within the last 7 days from when the activity was first observed. This query serves as our second hypothesis to identify the usage of DDoS HEAD floods:

index=zeek sourcetype=zeek_conn | eval datetime=strftime(ts,”%Y-%m-%d %H:%M:%S”) | bucket span=1s datetime | stats count by datetime, id.orig_h | where count > 10 | rename datetime as “Date & Time” id.orig_h as “Attacker IP”

Hypothesis #2

Appendix A – Adversary Emulation

Cc.py is a Python tool publicly available on the internet that can be used for Layer 7 DDoS attacks. The tool, created by a student in 2020, uses various dynamic characteristics to launch DDoS attacks against web assets. The script automates the process of using open proxy servers to relay attacks while maintaining anonymity, which can render traditional IP-based blocking techniques ineffective.

Figure 4 depicts a Python function called “head” that performs an HTTP HEAD request to a target server. The function takes two arguments: “event” and “proxy type”. These arguments control the flow of the request and specify the type of open proxy to leverage. Additionally, the code concatenates the variables where the forged/randomized headers will be used.

Figure 4 – cc python script

To generate a dynamic list of compromised open proxies that will be used to relay attacks on behalf of the attacker, the following command is utilized:

python3 cc.py –down –f proxy.txt –v 5

Once the list is generated, the following command is used to launch an attack against a server running Apache web server within the attack range. The command specifies the use of the “head” module and sets the duration of the attack to 30 seconds. The “head” module floods the target server with continuous HTTP HEAD requests until it is knocked offline.

python3 cc.py –url http:// -f proxy.txt –m head –v 4 –s 30

Appendix B – IOCs

At OTX pulse was created listing over the 12K+ indicators from this research.

https://otx.alienvault.com/pulse/642dd6df987a88229012d214

References

https://github.com/Leeon123/CC-attack

https://securityresearch.samadkhawaja.com/

The post Threat Hunt: KillNet’s DDoS HEAD Flood Attacks – cc.py appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In an era where digital technology increasingly underpins food production and distribution, the urgency of cybersecurity in agriculture has heightened. A surge of cyberattacks in recent years, disrupting operations, causing economic losses, and threatening food industry security- all underscore this escalating concern.

In April 2023, hackers targeted irrigation systems and wastewater treatment plants in Israel. The attack was part of an annual “hacktivist” campaign, and it temporarily disabled automated irrigation systems on about a dozen farms in the Jordan Valley. The attack also disrupted wastewater treatment processes at the Galil Sewage Corporation.

In addition, in June 2022, six grain cooperatives in the US were hit by a ransomware attack during the fall harvest, disrupting their seed and fertilizer supplies. Adding to this growing list, a leading US agriculture firm also fell victim to a cyberattack the same year, which affected operations at several of its production facilities.

These incidents highlight the pressing need for improved cybersecurity in the agricultural sector and underscore the challenges and risks this sector faces compared to others.

As outlined in a study, “Various technologies are integrated into one product to perform specific agricultural tasks.” An example provided is that of an irrigation system which “has smart sensors/actuators, communication protocols, software, traditional networking devices, and human interaction.”

The study further elaborates that these complex systems are often outsourced from diverse vendors for many kinds of environments and applications. This complexity “increases the attack surface, and cyber-criminals can exploit vulnerabilities to compromise one or other parts of the agricultural application.”

However, the situation is far from hopeless. By taking decisive action, we can significantly strengthen cybersecurity in the agricultural sector. Here are three strategies that pave the way toward a more secure future for the farming industry:

1. Strengthening password practices

Weak or default passwords are an easily avoidable security risk that can expose vital assets in the agricultural sector to cyber threats. Arguably, even now, people have poor habits when it comes to password security.

As per the findings of a survey conducted by GoodFirms:

• A significant percentage of people – 62.9%, to be exact – update their passwords only when prompted.
• 45.7% of people admitted to using the same password across multiple platforms or applications.
• More than half of the people had shared their passwords with others, such as colleagues, friends, or family members, raising the risk of unauthorized access.
• A surprising 35.7% of respondents reported keeping a physical record of their passwords on paper, sticky notes, or in planners.

These lax password practices have had tangible negative impacts, with 30% of users experiencing security breaches attributable to weak passwords.

Hackers can use various methods, such as brute force attacks or phishing attacks, to guess or obtain weak passwords and access sensitive information or control critical systems.

Therefore, agricultural organizations need to make passwords stronger. Here are some of the critical steps these organizations need to take:

• Encourage using strong, unique passwords (8+ characters, mixed letters, numbers, symbols).
• Implement regular password changes (every three months or upon a suspected breach).
• Enforce multi-factor authentication on all systems.
• Update network passwords regularly to invalidate stolen credentials.
• Use a password keeper/generator app for secure password storage.
• Discourage password sharing or reuse across platforms.
• Avoid using dictionary words, common phrases, or personal info in passwords.
• Deploy a password management tool for efficient password handling.

2. Maintaining updated systems

In the digitally transformed landscape of agriculture, known vulnerabilities linked to outdated software and hardware present significant cybersecurity risks. Cybercriminals often exploit these weaknesses in such systems, compounding the cybersecurity challenges faced by the industry.

The Ponemon Institute, in a comprehensive study, found that 60% of organizations that experienced a breach said it occurred due to a known vulnerability that was left unpatched, even though a patch was available. Further complicating matters, the study reported that 88% of IT teams had to coordinate with other departments when patching vulnerabilities. This coordination added an extra 12 days before a patch could be applied, leaving systems vulnerable for a more extended period.

As we’ve seen from the damaging agricultural infrastructure attacks, neglecting cybersecurity in the context of known vulnerabilities can lead to significant problems. Regular updates and patches are not just good practice—they’re a crucial first line of defense against cyberattacks. In the digitally transforming world of agriculture, this is not merely an option—it’s a necessity.

3. Securing operational technology traffic

Given the scale of the risks associated with known vulnerabilities, it’s clear that agribusinesses face a significant cybersecurity challenge. However, the threats are not confined to these known issues alone. The unknown vulnerabilities, particularly those associated with Operational Technology (OT) systems, present another layer of risk that has recently come into focus.

The growing prevalence of Internet of Things (IoT) devices in contemporary agriculture amplifies these concerns. If not adequately secured, these devices can expand the attack surface, offering potential attackers an open door to critical systems.

Highlighting the severity of such issues, Itay Glick, VP of Products at OPSWAT, brings up the cyberattack on irrigation systems in Israel. He pointed out that weak passwords and outdated OT devices were a significant part of the problem. He noted that “there was a critical vulnerability in a specific device dated back to 2015 (CVE-2015-7905), which could have been exploited by any average hacker.”

The vulnerability Glick referred to underscores the importance of regularly updating OT devices. “If this was the case, this underscores the importance of scanning and validating that OT devices are updated,” he emphasized.

This dual approach – segregating OT traffic and monitoring it – provides a solid defense strategy. Segregation makes it more challenging for attackers to access critical systems, while monitoring allows for early detection of any potential threats. Agribusinesses must heed this advice, as the digital landscape continues to evolve, and the stakes continue to rise.

Conclusion

Cyber threats pose grave risks, with the potential to disrupt operations and cause hefty financial losses. Plus, the enduring harm to brand image and customer trust post-attack can be tough to bounce back from. A thorough assessment of current cybersecurity protocols, identification of potential vulnerabilities, and application of the discussed solutions should be on top of the list. These steps encompass the use of robust and unique passwords, segregation and monitoring of OT traffic, and consistent updating of software and hardware.

In the final analysis, agribusinesses that can integrate these cybersecurity measures into their operations are better positioned to secure their future in the rapidly evolving agricultural landscape.

The post Three ways agribusinesses can protect vital assets from cyberattacks appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

When most people think about social media and cybersecurity, they typically think about hackers taking over Instagram accounts or Facebook Messenger scammers taking private information. It’s for good reason that this is top-of-mind. The Identity Theft Resource Center’s 2022 Consumer Impact Report revealed that social media account takeovers have grown by 1,000% in one year. 

Putting yourself out there on social media platforms opens up your personal information to cyber threats. However, social media can be used for good, rather than evil, when it comes to cybersecurity. Learn how to educate your social media following on everyday cybersecurity risks.

Create Cybersecurity content relevant to your audience

Not every company or content creator posting on social media is in the cybersecurity niche, not to mention any offshoots or umbrella niches like technology. Of course, if you do fall into a tech niche and have an audience that’s interested specifically in cybersecurity, you can certainly post on social media about the topic.

However, virtually any industry could benefit from creating cybersecurity content. When planning quality content for your social pages, identify your content niche and determine what aspects of cybersecurity would be most beneficial and interesting to your audience. You can also capitalize on current trends on social media or in the news when designing an informational content campaign around cybersecurity.

Let’s look at how cybersecurity topics can be approached from a variety of industry angles.

B2B

If you are a shared workspace company, for example, your followers are likely interested in ways to establish network security in a hybrid workplace. Followers of a hiring software company likely want to see how to hire more securely online. If your business caters to other businesses, you can create educational cybersecurity content to help them stay safe while using your services or otherwise doing things related to your product or services.

Healthcare

While creating content aimed at public services is different than B2B audiences, cybersecurity information is especially relevant. In a time when interest in virtual healthcare services is booming, patients and providers alike need to be aware of HIPAA laws. For instance, a social media post about the security risks and ethical concerns of doctors emailing and texting patients is an important and highly relevant topic.

Education

Like many healthcare practices have incorporated virtual visits, many schools have started providing virtual classes. If your business is in the education sphere at all, your followers would likely benefit from engaging content about keeping student information private in online classrooms.

Lifestyle

If your brand is in a lifestyle category, you may not think this has much to do with cybersecurity. However, think about the ways in which your followers engage with your brand. If you sell products on a website, make a social post about how to create a secure login for your site when purchasing to reduce the risk of data theft. Further, you can inform your consumers how you’re taking steps to securely process payments and handle customer information. This will instill trust in your brand.

If you don’t sell tangible products or services in this way, you can still find something to do with cybersecurity that will benefit your audience. People use online services all the time, and not everyone is up to date with the latest ways to catch phishing scams or create safe passwords. If your followers are interested in a certain fashion brand and you are aware of an email scam under that brand’s name, you can post about it on social media to help spread awareness.

Pick the right platform and format

Regardless of your industry, it’s clear that all audiences can benefit from some level of cybersecurity education. Similar to how your content will differ, each creator will also benefit from posting on varying social platforms. Some of the most popular social media sites for sharing informative posts include:

• Twitter: platform for text posts, accompanying images, and links;
• Reddit: site for more nuanced, forum-style discussions;
• Quora: site with question-and-answer-style discussions;
• Instagram: app with primarily image-based with short-form video and live streaming options;
• Facebook: platform affiliated with and similar to Instagram but with longer text posts and groups;
• LinkedIn: professional networking platform with longer text posts and videos;
• YouTube: leader in the long-form video space with the option for Shorts and live streaming;
• Twitch: live streaming platform primarily for gamers;
• Pinterest: image-based sharing platform;
• TikTok: short-form video content platform with live streaming options.

TikTok, in particular, is interested in promoting cybersecurity education, so you may have enhanced luck on the platform. Short-form TikTok videos are brief enough to keep viewers’ attention, but you also have enough options to successfully pack in cybersecurity knowledge. For example, you could make a video using a trending sound about how to spot insider threats, pointing to each tip. The platform shows users the content they will be most interested in, so you are more likely to reach the right audience and spread cybersecurity awareness.

If you already have a social media presence, you likely know which platforms garner you the most engagement currently. Start by testing the performance of cybersecurity education posts on your chosen platforms. Then, analyze the data and adjust accordingly.

Using social media for Cybersecurity awareness

Whatever industry you’re in, your social media following will be able to benefit from cybersecurity education. Data privacy is top-of-mind for most social media users, so cater to their unique needs with your content.

The post Using social media as a tool to share knowledge on day-to-day Cybersecurity risks appeared first on Cybersecurity Insiders.

With increased dangers lurking in digital spaces, the need for cybersecurity is now a commonly known fact for just about all business owners.

When it comes to protecting their network, most start with the basic firewall. While added layers are required, there is something even more fundamental that should not be overlooked: the physical connection itself.  It is like making sure you have secure and quality doors and windows prior to putting alarms on them.

So, what type of internet connection is the most secure?

To answer this question, I consulted with Robert Lozanski, a member of AT&T’s Solution Consultant team whose primary role is to design full networking solutions for businesses.  In the following paragraphs, let’s go through the different types of connections and assess the quality – as well as the security level – of each one.

Meet the contenders

First off, it is important to understand the different types of internet connections. The most common ones are copper, fiber, and wireless networks.

Copper: Copper cables are the original internet connections. They transmit data in the form of electrical signals. While this type of connection has been used for years, copper is difficult to maintain, has limited speed options, and degrades with time. As a result, many providers are making a shift away from it.

Cellular: A cellular network provides access to the Internet by transmitting data over the air. The network connects to cellular towers rather than cables in the ground.  While cellular internet has made huge technological advancements with the rollout of 5G, it still has its limitations. Cellular networks currently have lower speed tiers than many wired options – but this may change in the future.

Fiber: Fiber optic internet uses a network of bundled strands of glass called fiber optic cables to deliver internet service through pulses of light. Fiber optics are the newest and most reliable type of internet connections. They also offer the highest speed options.

Assessing the security of the connections

A common way to assess a network is by measuring it against the CIA triad: Confidentiality, Integrity, and Availability. Among the different internet transport types, some are more secure than others because of the way they fulfill the three CIA requirements.  In other words, a secure network will have high levels of confidentiality, integrity, and availability.

As of 2023, 5G wireless connections have security layer options and speeds that make them strong contenders in the networking market. However, wired connections are still the primary choice for businesses prioritizing their internet connections due to wired connection’s reliability and bandwidth availability.

According to Lozanski, “while a cellular network solution is utilitarian for its mobility and flexibility, wired connections still offer an added layer of security because they will provide faster speeds and performance. A cellular connection can perform like a broadband connection with fluctuations throughout the day, but it won’t offer the same speeds.”

Between the two wired connections mentioned, copper and fiber, there is not much competition. With speeds up to 1Tbps, fiber moves at the speed of light and offers availability and reliability that copper wired connections cannot provide. 

However, the search for the most secure connection does not stop there. Even though fiber optic connections are made of glass and move at the speed of light, the way the connection is delivered may vary, and in turn offer different levels of security. The simplest way to break down this difference is to differentiate between a shared and dedicated connection.

A shared connection is where multiple units share the same bandwidth with limited speeds available. This is the type of connection most people picture when they think of Fiber, and it’s becoming an increasingly cost-effective and popular option. Unfortunately, shared fiber is limited in its availability, as it is only available in qualified areas where providers build their infrastructure. Although fiber infrastructure has grown rapidly, there are still places that do not have shared fiber facilities at all. See if you qualify for AT&T shared Fiber here.

A Dedicated Connection, also known as a point-to-point connection, is where the provider builds out a single line of fiber to an individual customer. Unlike shared connections that segment out the bandwidth to neighboring units, a dedicated connection is reserved for a single unit. When using the CIA metric for security, a Dedicated Fiber Circuit comes out on top. Below is the breakdown: 

What makes a Dedicated Fiber Circuit secure?

1. Confidentiality

A secure network is one where the right people have access to needed information, while others are kept out. One highlight of a dedicated connection is that it travels on its own network and is aggregated directly to a wire center. This makes it much harder to hack into as the connection isn’t shared by multiple users. 

Lozanski brought in an example, “A dedicated fiber circuit is extremely private for businesses that host their infrastructure onsite, such as web-hosting servers and email servers. Dedicated internet is an ideal option because it is physically safer.

It is important to note, however, that while a dedicated circuit may provide some protection on a physical level, the connection will still lead to the public internet and additional layers of Cybersecurity are essential to ensure a truly confidential connection. In the event of an attack, a shared connection with the right layers of security would likely fare better than an unprotected dedicated fiber circuit. The physical connection is just the foundation, and utilizing a Dedicated circuit on its own does not ensure full privacy. 

2. Integrity

The integrity of a network is measured by the accuracy, completeness, and consistency of the data that travels on it. Through his many consultations, Lozanski sees a trend that highlights the importance of a connection with high integrity. He said, “Nowadays, many businesses utilize VoIP (Voice over Internet Protocol). This is data that you don’t want there to be any issue with.”

Instead of using traditional copper landlines to host their calls, businesses use VoIP to put voice data over the internet. While it is more cost effective and boasts numerous benefits, this solution creates a higher reliability on the internet connection.  If the internet is not stable, the data may be disrupted, and the voice quality will go down.

“With AT&T Dedicated Internet, you are able to prioritize mission critical data and you are guaranteed call quality when it comes to VoIP. Dedicated Internet can add a Class of Service component that you cannot get with another type of connection,” Lozanksi continued. 

3. Availability

If a network is not available to its users, it is simply not secure. The owners of the network need to be able to seamlessly access their resources. Lozanski said, “The piece of the puzzle that differentiates a Dedicated Fiber circuit is that it is the only connection backed up by Service Level Agreements for availability, latency, jitter, and packet loss. While the SLA’s may vary per carrier, at AT&T we guarantee 100% availability service level agreements on our Dedicated Fiber Circuits. We will have your internet connection up 24/7, 365 days of the year”.

On a shared connection, multiple users share the same bandwidth. Like traffic on a highway that becomes congested when many cars travel on it at the same time, a shared connection may slow down during peak busy hours. No matter the provider, shared connections run on ‘best effort’ speeds without the same kind of service level agreements. This can result in slower repair time and for many businesses, a loss of revenue and security.

Who are Dedicated Fiber circuits for?

Dedicated Fiber used to be utilized mainly by enterprise-level customers due to the large-scale networking needs of these types of businesses and a higher monthly cost. However, as more businesses move online and increase their digital presence, many find Dedicated Fiber an increasingly enticing option.

Lozanski added, “Generally, any business that needs to prioritize mission-critical data may be interested in a Dedicated Circuit. While the monthly cost may be higher, it is important to also analyze the impact and financial loss the business may incur if their internet is down”. Oftentimes, the additional cost of Dedicated Fiber may be offset by bundling multiple services together.

At the end of the day, no matter the connection you choose, note that the physical connection is only the first layer. While a Dedicated Circuit will provide a solid foundation, it is equally important to consider what is being layered on top of the network to protect it. Cyber threats are only increasing and to be prepared, the first step is to be informed.

Click here to learn more about AT&T Dedicated Fiber and request a free consultation to see if it’s a good fit for your business this year.

The post When internet security is a requirement, look to dedicated fiber appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Small businesses are more vulnerable to cyber-attacks since hackers view them as easy victims to target. While this may seem unlikely, statistics reveal that more than half of these businesses experienced some form of cyber-attack in 2022. It’s also reported that state-sponsored threat actors are diversifying their tactics and shifting their focus toward smaller enterprises.

Cyber-attacks against small-sized businesses do not always make headlines, but they have potentially catastrophic impacts. These attacks can result in significant financial and data loss, sometimes shutting down the business. Therefore, it’s crucial that small businesses make cybersecurity a top priority.

What drives more cybersecurity attacks on small businesses?

Small businesses are on the target list of hackers mainly because they focus less on security. On average, SMBs and small businesses allocate 5%-20% of their total budget to security. Additionally, human mistakes are the root cause of 82% of cyber breaches in organizations. Cybercriminals take advantage of their weak security infrastructure and exploit the behavior of careless employees to launch insider threats and other cyber-attacks successfully.

A report reveals various cyber-attacks that often target small businesses, such as malware, phishing, data breaches, and ransomware attacks. Also, small businesses are vulnerable to malware, brute-force attacks, ransomware, and social attacks and may not survive one incident.

The influx of remote working culture has added new challenges and cybersecurity risks for small businesses. This culture has given rise to a large number of personal devices like mobile phones, laptops, and tablets that can easily access sensitive information. Many employees don’t undergo regular scans of their phones and laptops for potential vulnerabilities.

In addition, few companies can provide access to password management software or VPNs to protect their internet connection and credentials and maintain security on rogue Wi-Fi networks. Statistics also reveal that only 17% of small businesses encrypt their data, which is alarming.

Moreover, small businesses are at a higher risk of being attacked because they have limited resources to respond to cyber-attacks. Unlike large organizations, they don’t have a dedicated IT team with exceptional skills and experience to deal with complex cyber-attacks. They also have a limited budget to spend on effective cyber security measures. Hence they don’t invest in advanced cybersecurity solutions or hire professionals to manage their cybersecurity.

Impacts of a Cybersecurity attack on small businesses

Cyber-attacks on small businesses can result in severe consequences – like financial loss, reputational damage, legal ramifications, and disruptions in operations. Below is a better insight into the effects of a potential cyber-attack on small businesses:

Loss of money

A cyber-attack may cause small businesses to lose billions of dollars. A report predicted that the attacks on small businesses will cost the global economy $10.5 trillion by 2025. Also, the average data breach cost to small businesses increased to $2.98 million in 2021, and these figures will likely increase with time. Sometimes small businesses will need to pay to compensate customers, investigate the attack, or implement additional security measures – all of which add up to more financial costs.

Reputational damage

A possible cyber-attack can also damage the business’s reputation and erodes customers’ trust. Suppose a customer’s, partner’s, or supplier’s sensitive data gets exposed to attackers. In that case, it negatively affects the company’s reputation. This might cause them to lose valuable clients, which can also lead to the unexpected closure of the business. According to the National Cybersecurity Alliance, 60% of small and mid-size companies get shut down within six months of falling victim to a cyber-attack. It might take a lot of time and effort to restore the client trust and restore the organization’s reputation.

Disruptions in operations

Small businesses often face operational disruption after a cyber-attack. They may experience downtime or lose access to critical business data – which leads to lost opportunities and delays in operations. This negatively impacts your business as you fail to meet customer demands.

Legal ramifications

Small organizations are also subject to various industry legal and regulatory regulations like GDPR, HIPAA, and CCPA to maintain data privacy. A cyber-attack resulting in valuable data loss ultimately triggers regulatory penalties. As a result, small businesses may face lawsuits and hefty fines for non-compliance, further adding financial strains. A Small Business Association Office of Advocacy report finds that the cost of lawsuits for small firms ranges from $3,000 to $150,000. Therefore, protecting the clients’ data is better than facing compliance issues.

Actionable Cybersecurity tips for small businesses

With  51% of small businesses having limited cybersecurity measures, adopting preventive measures to protect networks and employees from malicious threat actors is crucial. Some of the best practices that you, as an owner of a small business, can exercise to reduce the attack vector includes:

• Educate employees by providing regular training sessions and conducting awareness programs about cyber-attacks like phishing, malware, or social engineering techniques. Ensure that the employees at all levels understand the risks and learn how to detect and respond to these attacks.
• Create a comprehensive cybersecurity policy outlining the employees’ guidelines, best practices, and responsibilities regarding data protection, password management, incident reporting, and acceptable use of technology.
• With the rise of remote and hybrid working culture, it’s crucial to ensure that all remote workers use online security tools like a virtual private network (VPN). It maintains data safety and privacy and enables the workers to access the company’s resources safely.
• Deploy a regular data backup strategy to prevent data loss due to phishing or ransomware attacks. Store the backups offline or within secure cloud storage to ensure they are not easily accessible by attackers.
• Regularly monitor and assess systems using inexpensive security tools to detect and respond to threats in real-time. Conduct regular security assessments, vulnerability scans, or penetration testing to identify potential vulnerabilities within the system and address them promptly.
• Creating an incident response plan (IRP) helps small businesses prevent cyber-attacks by providing a structured approach to detect, respond, and mitigate security incidents. It outlines roles, procedures, and protocols – enabling effective action to minimize damage, protect data, and restore operations, ultimately strengthening the business’s cybersecurity defenses.

These are some of the effective steps that small businesses and start-ups can take to reduce the likelihood of a data breach or decrease the negative impact when an attack occurs.

Final thoughts

Small businesses face many cybersecurity threats and challenges that can affect their reputation and making it difficult to run their business successfully. The best way to ensure a healthy cybersecurity culture is to deploy a successful security awareness and training program. This assures employees are well aware of the threats and how to respond at the right time. To sum up, by prioritizing cybersecurity and adopting proactive measures, small businesses can safeguard their digital assets and mitigate potential threats in today’s increasingly interconnected world.

The post How can small businesses ensure Cybersecurity? appeared first on Cybersecurity Insiders.