Category: Detect

There is a possibility that artificial intelligence (AI) will have a significant influence, in either a good or bad direction, on cybersecurity. On the plus side, artificial intelligence (AI) can be used to automate and improve many parts of cybersecurity. AI can find and stop threats, find strange behavior, and look at network traffic, among other things. This might be a game-changer for the industry. On the other hand, artificial intelligence also creates new security holes and problems that must be fixed.

Processing massive volumes of data and seeing patterns that people would overlook are two of the primary advantages that artificial intelligence brings to the field of cybersecurity. This could be especially helpful for finding attacks like zero-day vulnerabilities and advanced persistent threats that are hard to see with standard security systems. Traditional security systems have a hard time spotting these kinds of threats. AI-driven systems can monitor network traffic in real-time and spot any strange behavior. This enables enterprises to take prompt action to thwart assaults.

AI could also be used to automate a lot of the day-to-day tasks that have to do with cybersecurity. This frees human analysts to work on more challenging and complex jobs. Because of this, businesses can make their security activities more effective and efficient. AI may be used, for instance, to monitor social media and other online sources for signs of possible danger. Some signs point to a new vulnerability or use dangerous hashtags on social media.

Still, bad things could happen when AI is used in cybersecurity. One cause for worry is the possibility that adversaries would use AI systems to carry out assaults that are both more complex and more precisely targeted. AI can, for example, make phishing emails that look real, find security holes automatically, and use them.

Another worry is that people with malicious intent might be able to take over or control AI-driven systems in some other way. If an AI system is hacked, it could use the security hole to get around security measures and get private information. This could have terrible consequences, such as confidential information theft or critical system failure.

Another worry is that AI-driven systems might come to the wrong conclusions or make mistakes when making decisions. For example, an AI system might mistakenly label a harmless file as malware, which could cause false positives and stop a business from running. On the other hand, an AI system can miss a real danger, resulting in a security breach.

To deal with these problems effectively, businesses must consider the risks and benefits of using AI in their cybersecurity efforts. This could mean putting in place extra security measures to protect AI systems and data and testing and updating these systems regularly to ensure they work as they should and are up to date.

Using AI raises several critical ethical questions and technological factors that need to be addressed regarding cybersecurity. For example, if artificial intelligence (AI) systems are trained on data that isn't representative of the whole population, they may have biases built in. This may result in some groups being unfairly treated. Organizations need to be aware of these problems and take steps to reduce the chances that they will have harmful effects.

It is expected that the use of artificial intelligence (AI) in cybersecurity will have a large and varied effect. AI has the potential to make security much better, but it also brings up new problems and risks that need to be handled with great care. By taking a comprehensive and proactive approach to AI and cybersecurity, organizations can ensure they are ready to control the changing threat environment and protect themselves from a wide range of threats. This strategy can protect against a wide range of attacks.

The post AI and Cybersecurity: Some observational implications of the intersection between the two appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In today's digital age, a business website is essential for success. Not only does it provide potential customers with information about your products or services, but it also allows you to connect and engage with them directly.

However, simply having a website is not enough. To ensure that your site is effective and safe, you need to make sure that it has all the necessary security features. In this article, we will discuss twelve security features that every business website must have.

1. Enable auto-update for plugins and software

One of the simplest but most effective security measures you can take, especially if you’re looking to protect your WordPress site, is to ensure that all your plugins and software are up-to-date. Outdated software is one of the most common ways that attackers gain access to websites. By keeping everything up to date, you can help to prevent vulnerabilities from being exploited.

You can usually enable auto-updates for most plugins and software from within their settings menu. For WordPress sites, there is also a plugin called Easy Updates Manager that can help you to keep everything up to date with ease.

2.  Have a strong password policy

A strong password policy is the first step to protecting your website from malicious actors. By requiring strong and unique passwords, you can make it significantly more difficult for attackers to gain access to your site. You need to ensure that your website's backend is well protected and that only authorized users have access. To do this, you should consider using a password manager to generate and store strong passwords for your site. You should not be using the same password for multiple sites.

3. Use two-factor authentication

Two-factor authentication (2FA) is an important security measure that you should consider implementing for your website. 2FA adds an extra layer of security by requiring users to provide two pieces of information before they can access your site. This could include a password and a one-time code that is generated by an app on your phone. 2FA can help to prevent attackers from gaining access to your site, even if they have your password.

4. Use a secure socket layer (SSL) certificate

An SSL certificate is a must-have for any website that wants to protect their users' information. SSL encrypts the communications between your website and your users' web browsers. This means that even if an attacker was able to intercept the communication, they would not be able to read it. SSL also provides authentication, which means you can be sure that your users are communicating with the intended website and not a fake site set up by an attacker.

Increasingly, having things like HTTPS and an SSL certificate are part of Google's ranking metrics and will help your website's SEO. If you aren't trying to protect your visitors and users (the people who give you their sensitive credit card information), they may take their business elsewhere.

5. Use a web application firewall (WAF)

A web application firewall (WAF) is a piece of software that sits between your website and the internet. It filters traffic to your site and blocks any requests that it considers to be malicious. WAFs can be very effective at stopping attacks such as SQL injection (SQLi) and cross-site scripting (XSS).

6. Use intrusion detection and prevention systems (IDPS)

Intrusion detection and prevention systems (IDPS) are designed to detect and prevent attacks on your website. IDPS systems can be either host-based or network-based. Host-based IDPSs are installed on the servers that host your website. They monitor traffic to and from the server and can detect and block attacks. Network-based IDPSs are installed on your network and monitor traffic to and from your website. Both types of IDPS can be effective at stopping attacks, but they have different strengths and weaknesses.

7. Do security logging and monitoring

Security logging and monitoring are a critical security measures for any website. By logging all activity on your site, you can track down any malicious activity and take appropriate action. You should also monitor your logs regularly to look for any unusual activity.

8. Use a secure hosting environment

A secure hosting environment is essential for any website. Your host should provide a secure server with up-to-date security patches. They should also have experience in hosting websites and be able to provide you with expert support if you need it. Things like DDoS protection and backups are also important considerations. Denial of service attacks are on the rise, and website owners need to be prepared. Your hosting provider and the measures they take to protect you make a difference.

9. Perform regular security scans

Regular security scans are a vital part of website security. Scans can help you to identify vulnerabilities on your site so that you can fix them before they are exploited by attackers. There are many different types of security scans, such as web application scans, network scans, and malware scans.

10. Perform malware scanning and remove malware

Malware is a serious threat to any website. Malicious code can be used to steal sensitive information, deface your site, or even take it offline. It's important to regularly scan your website for malware and remove any that is found.

11. Protect against spam

Spam is a major problem for many websites. It can clog up your comment sections, contact forms, and even your website's database. There are several ways to combat spam, such as using CAPTCHA codes and requiring registration for comments. Akismet is a popular WordPress plugin that does an excellent job of stopping spam.

12. Train your employees

One of the most important security measures you can take is to educate your employees about website security. They should know how to spot a phishing email, what to do if they suspect their computer has been infected with malware, and how to keep their passwords secure. You should also have a clear policy in place for what to do in the event of a security breach.

Conclusion

There are many security measures that every website should take. By implementing these measures, you can help to protect your site from attack and keep your data safe. Additionally, it's important to educate your employees about website security and have a clear policy in place for dealing with security breaches.

The post 12 ways to improve your website security appeared first on Cybersecurity Insiders.

Telephony fraud is a significant challenge. Companies of all sizes and industries are subjected to the malicious usage of voice and SMS with the intent of committing financial fraud, identity theft, denial-of-service, and a variety of other attacks. Businesses that fall victim to fraud can incur significant financial losses, irreparable damage to their reputation, and legal implications. Detection of and preventing fraud can be a complex and time-consuming process, requiring businesses to devote significant resources to protect themselves. Some common challenges that companies face when it comes to fraud include the following:

• Swiftly adapting to constantly evolving fraud tactics: Fraudsters are always searching for innovative ways to carry out their schemes. Therefore, businesses must be hyper-aware in identifying and addressing potential threats.
• Balancing the need for security with customer convenience: Businesses must balance protecting themselves against fraud and providing a seamless customer experience. This can be particularly challenging in the digital age, as customers expect fast, convenient service.
• Investing in fraud prevention solutions and skilling up human resources: To stay ahead of fraudsters, organizations may need to invest in technology solutions, such as fraud detection software or security protocols, to help identify and prevent fraudulent activity. Such solutions are often expensive and may require hiring dedicated employees to manage and maintain these toolsets.
• Mitigating the aftermath of a fraud incident: If a business or its customers fall victim to a fraud campaign, this organization must be prepared to not only address the immediate financial losses but also work to repair any damage to its reputation and restore customer trust. Such an endeavor is often a time-consuming and costly process.

Vishing

As mentioned above, telephony fraud can consist of voice fraud and SMS fraud sub-categories. Voice fraud, also known as vishing or voice phishing, involves criminals leveraging voice calls or voice messaging to social engineer potential victims into divulging sensitive information or making payments. In this type of attack vector, the malicious actor often attempts to mask their identity through spoofing, which involves alternating caller-ID information to make the communication appear legitimate.

The attacker may also utilize voice manipulation software or even voice impersonation to mask their identity and solicit a target into taking a specific action, such as revealing sensitive data or even transferring bank funds over to the attacker. In such unfortunate scenarios, Vishers may pretend to be an individual from a legitimate organization, such as a trusted individual, a company/business, or a government agency, and request personal information or login credentials.

Some of the voice fraud challenges that companies may face include the following:

• Spoofed caller IDs: Criminals can use spoofed caller IDs to make it appear as if the call is coming from a legitimate source, such as a bank or government agency. This can make it difficult for companies to identify fraudulent calls and protect their customers from these scams.
• Automated voice messages: Criminals can also use automated voice messages to deliver phishing scams. These messages may ask the recipient to call a specific number to update their account information or resolve an issue. Still, the call leads to a scammer trying to steal sensitive information.
• Social engineering tactics: Criminals may use social engineering tactics, such as creating a sense of urgency or playing on the recipient's emotions, to convince them to divulge sensitive information or make a payment.

Smishing

Smishing is a phishing scam involving using text messages to perform various social engineering attempts to convince victims to reveal sensitive information or persuade them to make fraudulent transactions. Smishing scams often involve fake websites or phone numbers, and they may be disguised as legitimate texts from banks, government agencies, or other trusted organizations.

Smishing attacks can be challenging to detect because they often use familiar logos, language, and tone to make the message appear legitimate. Some common tactics used in smishing attacks include:

• Asking for personal information: Smishers may ask for personal information, such as passwords or credit card numbers, under the pretense of verifying account information or completing a transaction.
• Offering fake deals or prizes: Smishers may send texts offering fake deals or prizes to lure people into revealing sensitive information or making fraudulent transactions.
• Scare tactics: Smishers may send texts threatening to cancel accounts or take legal action unless sensitive information is provided.

Overall, fraud attacks can have serious consequences. If your organization falls victim to a fraud campaign, there may be severe financial loss, damage to brand reputation, data breaches, and disruption to your everyday operations. The event in which a data breach occurs can lead to identity theft of your employees and customers and the leak of proprietary information owned by your company, which can cause long-term financial and legal implications. Therefore, we recommend that organizations take the following steps to protect themselves against telephony fraud:

• Educate employees: Train employees to recognize the signs of voice and SMS fraud and to be cautious when giving out sensitive information or making financial transactions over the phone.
• Implement two-factor authentication: Leverage two-factor authentication to verify the identity of employees and customers when they access sensitive information or make financial transactions.
• Use anti-phishing software: Use anti-phishing software to protect against phishing scams, including smishing attacks.
• Monitor your phone bills: Regularly review phone bills for unusual charges or suspicious activity, which may result from a malicious actor spoofing your telephone number.
• Secure communication platforms: Use secure communication platforms, such as encrypted messaging apps, to protect against voice and SMS fraud.
• Invest in fraud detection solutions to identify and act upon fraudulent calls
• Monitor for suspicious activity: Organizations can use tools to monitor suspicious activity, such as unexpected changes in calling patterns or unusual requests for information.

By following these best practices, businesses can reduce the likelihood of a telephony fraud disaster.

If you are an individual who is looking to safeguard yourself from such attacks:

• Be vigilant of the types of commonly used scams and how to recognize them.
• Never give out personal information or make financial transactions over the phone unless you are sure you are dealing with a legitimate entity.
• Use strong passwords and enable two-factor authentication whenever possible to protect against unauthorized access to your accounts.
• If you receive a suspicious phone call, hang up and verify the call's legitimacy before providing any information. You can do this by looking up the phone number online or contacting the organization directly using a phone number you know is legitimate.
• Be cautious of unsolicited phone calls, especially if the caller requests personal information or tries to rush you into making a decision.
• Report any voice fraud to the authorities and relevant organizations, such as your bank or credit card company. This can help to prevent others from falling victim to similar scams.

Overall, it is imperative to have a multi-layered approach to combat telephony fraud. This should include an effective monitoring solution to identify anomalies in voice and SMS traffic patterns and the ability to detect and act upon suspicious activity quickly.

AT&T Cybersecurity Consulting offers a telephony fraud management program that will equip your organization with unique visibility into your voice and SMS traffic, allowing you to observe daily traffic flow across your network. As a result, your organization will be able to understand established baselines of “normal” traffic originating from your network.

AT&T Cybersecurity Consulting will actively monitor your network traffic to pinpoint deviations from your baseline traffic patterns to quickly identify malicious activity or robocall campaigns spoofing your organization's telephone numbers. If such an anomaly is detected, the AT&T Cybersecurity Consulting team will notify your team with a report containing the observed activity and then present your team with options for responding to the anomaly. Options for response will include but are not limited to blocking traffic from transiting over the AT&T network, as well as requesting a traceback to determine the originating source of the spoofed traffic.

For more information about our telephony fraud management service, please forward any inquiries to caas-voicefraud@list.att.com.

The post Telephony fraud and risk mitigation: Understanding this ever-changing threat appeared first on Cybersecurity Insiders.

Website defacement

Websites are central to business operations but are also the target of various cyber-attacks. Malicious hackers have found several ways to compromise websites, with the most common attack vector being SQL injection: the act of injecting malicious SQL code to gain unauthorized access to the server hosting the website. Once on the server, the hacker can compromise the target organization's website, and vandalize it by replacing the original content with content of their own choosing. This criminal act is referred to as website defacement. See Figure 1 for examples of past website defacements.

Figure 1. Examples of past website defacements.

While the act of vandalizing a website may seem trivial, it can be devastating for the victimized entities. If an e-commerce site is publicly compromised, for example, they suffer direct and indirect financial loss. The direct losses can be measured by the amount of revenue that would have been generated had the website not been compromised, and by the time and money spent to repair the damaged site. Indirect losses occur because of reputational damage. Potential customers may be deterred from providing their banking information to an organization portrayed and perceived as incapable of protecting their assets.

Threat actors

Unlike most forms of hacking, website defacement has a public facing component. Assailants are eager to get credit for their success in compromising websites and are notorious for bragging about their exploits across various platforms, including general social media (e.g., Facebook, Twitter, Youtube, etc.) and hacking specific sites. The most popular platform on which hackers report successful defacements is Zone-H. Users of the platform upload evidence of their attack, and once the attack is verified by the site’s administrators, it is permanently housed in the archive and viewable on Zone-H’s webpage. Zone-H is the largest hacking archive in the world: over 15 million attacks have been verified by Zone-H thus far, with over 160,000 unique active users. The archive, as depicted in Figure 2, includes the hackers’ moniker, the attacked website's domain name, and an image of the defacement content (resembling the images depicted in Figure 1).

Figure 2. Zone-H: The largest hacking archive in the world.

Hackers tend to use the same moniker across platforms to bolster the reputation and status of their online identity, which allows for the gathering of digital artifacts and threat intelligence pertinent to the attack and attacker, respectively. Indeed, we have been systematically gathering data on active malicious hackers who report their successful defacements to Zone-H since 2017 and, in doing so, have uncovered several interesting findings that shed light on this underground community. For example, and in direct contrast to Hollywood’s stereotype of the lone actor, we observed an interconnected community of hackers who form teams and develop their skills through collaboration and camaraderie. We also found variation in hackers’ attack frequency: some hackers are extremely prolific and can be classified as persistent threats, while others only engage in a few attacks before disappearing. These findings served as motivation for this study.

Criminal trajectories           

Recently, we built an analytic model capable of predicting which new hackers will become persistent threats at the onset of their criminal career. The study began by identifying 241 new hackers on the Zone-H archive. We then tracked each of these hackers for one year (52 weeks) following their first disclosed website defacement. We recorded their total number of attacks, extracted and analyzed content from their defacements, and gathered open-source intelligence from a litany of social media and hacking sites. In total, the 241 hackers in our study defaced 39,428 websites within the first year of their hacking career. We identified 73% of our sample on a social media site and found that 50% also report their defacements to other hacking archives. Finally, we extracted and analyzed the content of each new hacker's first defacement and found that 39% of hackers indicated involvement with a hacking team, 12% posted political content, and 34% left their contact information directly on the compromised site. 

To plot trajectories, we had to first disaggregate the dataset to determine whether each of the hackers in our sample defaced at least one website each week for the 52 weeks following their first defacement. Upon completion, we employed latent group-based trajectory modeling to determine if, and how many, unique criminal trajectories exist. Results are presented in Figure 3. We found that new hackers follow one of four patterns: low threat (28.8%), naturally desisting (23.9%), increasingly prolific (25.8%), and persistent threat (21.5%). Hackers classified as low threat (blue line) engage in very few defacements and do not increase their attack frequency within one year of their first attack. Those labeled as naturally desisting (red line) begin their careers with velocity, but this is short-lived. Conversely, those classified as increasingly prolific (green line) engage in more attacks as they advance in their criminal careers. Finally, those deemed as persistent threats (yellow line) begin their careers with velocity and remain prolific. To our knowledge, we are the first to plot the trajectories of new malicious hackers.

Figure 3. The one-year trajectory of new malicious hackers.

After plotting the trajectories, we employed a series of regression models to determine if open-source intelligence and digital artifacts can be used to predict the evolution of a new hacker's criminal career. Contrary to our expectation, we found politically driven hackers are at an increased odds of naturally desisting. While these hackers may engage in a high number of attacks at the onset of their career, this is short-lived. We suspect eager new hacktivists simply lose sight, or get bored, of their cause. Conversely, new hackers who post their contact information directly to the compromised site are at a decreased odds of naturally desisting. Tagging a virtual crime scene with contact information is a bold move. We suspect these hackers are rewarded for their boldness and initiated into the hacking community, where they continue defacing websites alongside their peers.

Different patterns emerged when predicting who will become a persistent threat. We found that social media engagement and reporting defacement activity to other platforms increase the odds of being a persistent threat. This may boil down to commitment: hackers committed to building their brand by posting on multiple platforms are also committed to building their brand through continual and frequent defacement activity. The most interesting, yet also intuitive, patterns emerge when predicting who will become increasingly prolific. We found that hackers who report to other platforms and indicate team involvement engage in more attacks as they progress in their career. Joining a hacking team is a valuable educational experience for a new hacker. As a novice hacker learns new skills, it is no surprise they demonstrate their capabilities by defacing more websites.

Taken together, these findings offer insight into the development of proactive cybersecurity solutions. We demonstrate that open-source intelligence can be used to predict which hackers will become persistent threats. Upon identifying high-risk hackers, we believe the next logical step is to launch early intervention programs aimed at redirecting their talent toward something more constructive. Recruiting young hackers for cybersecurity positions could create a safer cyberspace by filling the nation’s skills shortage while simultaneously removing persistent threat actors from the equation.

Acknowledgements

This work was conducted alongside several members of the Evidence-Based Cybersecurity Research Laboratory. We thank Cameron Hoffman and Robert Perkins for their continual involvement on the hacking project. For more information about our team of researchers and this project visit https://ebcs.gsu.edu/. Follow @Dr_Cybercrime on Twitter for more cutting-edge cybersecurity research.

The post Predicting which hackers will become persistent threats appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Most of the time, the advantages of technology overshadow the recognition of challenges. IT/OT convergence has given a boost to the industry, there are many cybersecurity considerations. Due to a lack of legislation, best practices are filling the void. This article will give an overview of industrial cybersecurity best practices.

According to a survey presented by Veracode in 2022, more than 75% of all software applications have security flaws that can serve as a gateway to larger environments. With the spread of industrial IT (Information Technology) / OT (Operational Technology) integration, it means that almost every infrastructure is in possible danger of cyberattacks. 

The two sides of the IT/OT convergence coin

Industrial IT/OT convergence has been accelerated by the advantages it offers to the sector. These advantages have made production faster, cheaper, and more automated. The convergence has been advancing at such a pace that the flipside of its use has never been given serious thought until recently. With the obvious advantages, challenges have surfaced as well. The need for a comprehensive solution has already appeared in recent years, but until this day, best practices are routine.

Best practices for IT/OT converged environment

During the years of broad-scale IT/OT implementation, operational and cybersecurity experience has been gathered. This serves as the basis for industrial best practices and their practical implementation, which ranges from recommendations to practical steps.

Regulations. Industrial regulations and legislation should set standards. Though there are some governmental initiatives – like Executive Order 14028 – for building an overall framework, the bottom-to-top need has already surfaced.

CIS Controls (Critical Security Controls) Version 8 is one of those comprehensive cybersecurity bottom-to-top frameworks that are the most often referred to by legal, regulatory, and policy bodies. CIS has been developed by the global IT community to set up practical cybersecurity measures. Each version is an evolution of the previous, so it is constantly evolving as practice, and technological advancement require it.

Zero Trust. In every critical infrastructure, the basic approach should be the “zero trust principle.” According to this notion, entering data, and exiting data, users, and context should be treated with the highest distrust.

Risk-based approach. It is a strategy that assesses hardware and software status to prevent cybersecurity risks and mitigate possible consequences of a breach. The process has several compliance points. These include device version and patching date checkup, finding security and safety issues, and revealing the exploitation history of applied devices.

The strategy is only effective if it is completed with constant threat monitoring. In this case, operators are aware of system vulnerabilities if there is no or a delayed system update.

Passive scanning. It is the “listen, but don’t touch” method. Scanners watch the data traffic of the entire system from its perimeters. These are usually installed at routers that collect information at strategic listening points without interacting directly with the system. Because of this lack of direct intervention, passive scanning is usually used for monitoring sensitive environments.

The upside of passive scanning is that it understands the entering and exiting dataflows, monitors the entire system and the operating software, and can find parts of the network. The downside is that the collectible information is limited, so there is little or no complete picture of the vulnerability status of the environment.

Active scanning. Scanners constantly monitor, evaluate, and assess the weak points of the environment. They can simulate attacks on the network to uncover hidden security gaps. Some active scanners are even able to resolve some discovered security issues.

On the flip side, these scanners only focus on certain points of the system and particular situations. They can easily overwhelm the monitored nodes, so it can affect the speed, performance, and uptime of the given part of the system.

Conclusion

The takeaway message is that best practice solutions are not replacements for each other. They complement one another in an ideal industrial environment to fence off different attack vectors. Though each has its advantages and disadvantages, used as complementing solutions, their strengths can be combined while weaknesses alleviated. This way the possible maximum protection can be achieved.

The post IT/OT convergence and Cybersecurity best practices appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Amazon Web Services (AWS) is home to almost a third of the world’s cloud clients and boasts huge cyber security features; yet, even Amazon is not immune to attack. The provider has been beset with outages this year, with industry authority Network World highlighting the recent Ohio outage, which lasted 75 minutes, as being of particular interest. While the reasons behind these outages will remain a closely guarded secret, they nevertheless raise the discussion of cyber-attacks. Could malicious actors have been responsible? What level of protection is available behind the scenes, and how far ahead of the game is Amazon? Finally, is AWS up to scratch for the next generation of web users?

Making the balance

AWS is an affordable option, but it nevertheless comes with overhead. With belts being tightened all over the USA and the rest of the world, businesses will necessarily be looking towards their web usage to try and generate new savings. For most businesses, optimizing your AWS expenses it’s an effective way to do this, but it’s crucial to find those efficiencies in the right areas.

One area not to cut back on is cybersecurity. AWS is famed for its built-in security, and, as the internet society W3 highlights, that security works at scale. Leaving that in place is crucial. Instead of looking to economize on security, businesses should seek to find efficiencies in changing their billing profile. For instance, by choosing between quota-based demand systems, and more flexible plans that can benefit those businesses. Focusing on demand, and business priorities, rather than security for cutbacks is really important.

Extra layers of protection

There is a strong track record of data protection within AWS, but not necessarily within the wider Amazon setup. Indeed, as one Wired investigation showed, consumer data that is held on the same data centers as AWS assets has been compromised. However, this was not through attacks but from unauthorized internal access.

As such, adding extra layers of protection onto the business side, and making use of enhanced security packages offered by AWS can ensure that data has multiple key levels of protection. This helps ensure that attacks are minimized and any successful breaches are managed immediately.

Ask for the best

Cyberattacks have been ramping up across the world, according to CNBC. As a result, Amazon and Microsoft have been hoovering up cybersecurity solutions and contractors in order to shore up their own defenses for AWS and Azure respectively.

This may result in new solutions being integrated into the AWS system and made available to customers – and you should be proactive in asking for these protections. It’s important that products are well tested and deployed, of course, to ensure their quality, but being at the forefront of the cybersecurity vanguard within AWS will give your business an extra layer of quality and also help to build your reputation as a forward-thinking and well protected enterprise. This can be absolutely crucial in the world of business, especially with cyberattacks becoming ever more frequent.

Data is the lifeblood of the business – when you protect it you protect the sustainability of the business and your future success. AWS does a lot to help with security, but no solution is without its flaws. As such, take a proactive approach to security measures within AWS, and constantly seek to apply new standards to gain advantage against cyber criminals and help to build your reputation as a forward-thinking business. These approaches are crucial in the ongoing fight against cyber-crime.

The post Working with AWS to secure your data against attack appeared first on Cybersecurity Insiders.

In the first two blogs in this series, we discussed properly setting up IAM and avoiding direct internet access to AWS resources. In this blog, we’ll tackle encrypting AWS in transit and at rest.

Sometimes, despite all efforts to the contrary, data can be compromised.  This can occur due to data leakage through faulty apps or systems, by laptops or portable storage devices being lost, by malicious actors breaking through security defenses, by social engineering attacks, or by data being intercepted in man-in-the-middle attacks.  Fortunately, with adequate encryption measures in place, data exposures such as these can be nullified.  Simply put, when data is properly encrypted with industry approved algorithms, it can’t be deciphered.  The only way to make sense of encrypted data is by decrypting it with an encryption key that only trusted parties possess.  Let’s discuss how AWS makes it easy to encrypt data wherever it may be.

Encrypting data in transit

When you visit a website and see the small lock icon in the browser toolbar, it means that data being sent between your computer and the website host is secure.  If your data was intercepted by a malicious actor, they would not be able to decipher it since it is encrypted. 

Through an encryption process that is beyond the scope of this blog series, computers and website hosts negotiate the encryption algorithm and keys that are used during sessions.  Thus, since only the communicating computers and website hosts know the encryption keys in use, data is protected from prying eyes.  (Note: an exception to this statement is if the generation of encryption keys occurs over a publicly available Internet connection (e.g., coffee shop WiFi).  Cybercriminals could intercept this exchange of information and eavesdrop on your communication. That is why it is recommended to initiate a virtual private network (VPN) connection to a trusted provider before visiting websites when using a public Internet connection). 

AWS provides a convenient service to encrypt data in transit called Amazon Certificate Manager (ACM).  Per AWS, ACM “handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.”  What Is AWS Certificate Manager? – AWS Certificate Manager (amazon.com).  These X.509 certificates can be used with AWS ELBs, CloudFront, and Amazon API Gateway.  Consequently, all Internet bound traffic to and from these resources will be secure.

Furthermore, AWS can encrypt data in transit using X.509 certificates to AWS managed resources like S3 buckets.  However, to enable this feature policies may need to be updated to restrict HTTP and only permit HTTPS connectivity.  To see an example of how AWS S3 can enforce HTTPS connections, click here: Enforce TLS 1.2 or higher for Amazon S3 buckets. 

Now that we know how to encrypt data in transit, let’s move on to our final topic of discussion – encrypting data at rest. 

Encrypting data at rest

One of the easiest and most impactful security measures AWS has to offer is encrypting data at rest.  Literally, with a few clicks of the mouse, every major AWS service that stores data can be encrypted with default encryption keys that are owned and maintained by AWS.  The service used to perform these actions is called AWS Key Management Service (AWS KMS). 

Thus, if for some reason your data was exposed to the world, it would be illegible without the encryption key that only AWS can access on your behalf.  A quick Google search on the Internet will reveal that the amount of time used to crack a common AES-256 encryption key would take modern computers trillions of years – even with the world’s fastest supercomputers. 

If laws, regulations, or corporate policy require you to manage your own encryption keys, AWS has other options.  Through KMS, AWS customers can import their own key material for AWS to use for encryption on their behalf.  If customers do not want AWS to have any access to their encryption keys, AWS also offers hardware security modules (HSMs).  These can be provisioned and used like a utility with an hourly cost. 

AWS HSMs are certified as FIPS 140-2 compliant.  For those unfamiliar with this designation, it refers to rigorous testing to meet government approved security standards.  To learn more about AWS KMS click here: Key Usage — AWS Key Management Service — Amazon Web Services.  To learn more about AWS HSM, click here: Security HSM | AWS CloudHSM | Amazon Web Services. 

As such, considering the multitude of options and ease of use to encrypt data at rest, there simply is not an excuse to not encrypt data wherever it is stored. 

Tying everything together

In this article, we have discussed three easy steps every business or governmental entity can pursue to dramatically improve their AWS security posture.  As a recap, these steps are to 1) set up and use IAM properly, 2) avoid direct Internet access to vulnerable AWS resources, and 3) encrypt data in transit or at rest.  It goes without saying that these steps are not exhaustive.  They are merely the steps that this author believes to be the most impactful. 

Many other security mechanisms exist that AWS customers can pursue.  For more advanced AWS security help, you are encouraged to engage AT&T’s cybersecurity consulting division for support.  We are ready, willing, and able to help you with your AWS cybersecurity needs.  To get more information about AT&T cybersecurity consulting, please click here: Cybersecurity Consulting Services | AT&T Business (att.com). 

Thank you for taking the time to read this blog series.  I sincerely hope you found it informative and useful. 

References:

AWS – https://aws.amazon.com

A Cloud Guru – https://acloudguru.com

The post Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest appeared first on Cybersecurity Insiders.

As we start a new year, let's think about how we can draw up a plan to exercise our cyber fitness and make it a culture that sticks. It's a critical time to get this done as we work toward a new era where we're breaking down silos, understanding the new ecosystem movement going forward and the edge computing phenomenon.

Communication, creativity, and empathy are crucial in shifting from what we call a “have-to” security mindset (i.e., “I have to take this precaution because IT said so”) to a “want-to” mindset, which suggests employee buy-in to a company's security policy beyond simply ticking off a to-do box or watching a training video.

Key considerations include:

• Do we have top-down buy-in?
• Are expectations communicated effectively?
• Are we driving accountability?
• Have we formed a good CRUST (Credibility & Trust)?

When we say, “security culture” and “we have a positive security culture,” what we perceive as security culture and what you think in your mind as security culture might be two very different things. The reason is our companies prioritize the accomplishment of security goals differently. Some basics involve patching and reducing the chances of being hit by phishing attacks, but the underlying reason why that happens differs among organizations. This article is intended to examine each of these questions and provide helpful tips for creating a culture of cybersecurity awareness. 

Top-down approach

Isn't security something we should all be thinking about, not just the CISOs? It's interesting how people don't want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen. But the reality is, within any organization, doing the right thing — whether that be security, keeping track of the money, or making sure that things are going the way you're expecting — is a responsibility shared across the entire organization.

That's something that we are now becoming more accustomed to. The security space realizes it's not just about the security folks doing a good job. It's about enabling the entire organization to understand what's important to be more secure and making that as easy as possible.

There's an element of culture change and of improving the entire organization. What's causing these softer approaches — behavior, culture, management, and attitude more important now? Is there something about security technology that has changed that makes us need to look at how people think? We're beginning to realize that technology is not going to solve all our problems.

So how do we create a top-down culture? The best recommendation would be to align business goals with good representation from multiple stakeholders, including the CEO, COO, IT Marketing, Finance, or business owner, depending on the size and structure of the firm.  

Appointing a “fall person” for security would make it challenging to foster a cybersecurity-aware culture.  Instead, identifying a lead such as a CISO, CIO, or security director and inspiring an organization-wide, strategically aligned program would promote the most significant outcome. At a minimum, form a small security committee represented by key stakeholders and empower the security leader to fully understand the business objectives and recommend the best protection methods.

Kick Start your Security Culture

Communicate expectations

Once we have buy-in, it's time to communicate. What good is a cybersecurity policy if the people expected to follow it do not understand who, what, why, and how? The idea of sticking with “the policy states” only goes so far. Policies should be developed with the audience in mind, covering:

• Purpose – why is the policy needed?
• Objective – state the goal/what we want to accomplish.
• Scope – what/who does the policy cover?
• Roles & responsibilities – who is responsible, and what are their duties?
• Penalties for non-compliance – why must the policy be followed?

To summarize – how will the effectiveness be measured? Understand baseline and encourage good behavior for reporting incidents

Everyone is accountable

Our primary goal in exercising cyber fitness is to raise awareness and understanding, measured by an increase in reported incidents and a decrease in actual events that are alleviated before they become incidents. It's essential to communicate the effectiveness and examples of accountability.

Some organizations utilize cybersecurity newsletters, while others make it a point to highlight via human resources or top-down communications. The key is to make it known that this is not another “mandatory training.” It's the standard, and we all have a stake in it.

Don't burn the CRUST

CRUST = Credibility and Trust. If we take a step back and ask, why do we even care about the security conversation? Security is one of the foundations of trust. No matter what companies we work for, we have some customers, someone that we serve, and customers need trust to make this transaction functional. Hence, an effective and successful company has a trust established with its customers and, in essence, its employees.

At the end of the day, when we're talking about building security in our companies, we're talking about building trust with our customers. Even if we look at ourselves and our spending habits, how many of us would choose to give our credit-card data to a company that's regularly getting hacked or has poor architectural choices where we don't trust our personal information? We don't. Or most of the time, we don't.

This is the foundation of why we're even having this conversation. When we think about building security in our organizations, that may mean different things to each of you. That could mean better architectural choices, products, threat modeling, processes, and reporting. It's the cultural foundation of how we make security decisions in our organization.

We must have accountability at all levels, and consistency is key to maintaining credibility and trust. If you attempt to bake a pizza without setting a timer or constantly monitoring it, your chances of burning the crust will drastically increase. It's great to take a similar approach with your organization. Look for ways to get feedback from employees and keep an open door for communication. Share feedback with your security committee and adjust accordingly. Remember to celebrate good behavior, communicate, and demonstrate examples of accountability.

We are the firewall

What began with a question ends with a statement, “WE are the firewall.” A culture built with top-down buy-in, accountability, and a good crust can be the foundation for employees to feel like they are part of something bigger and take pride in being the firewall. Though cybersecurity culture can sound intimidating, we can make headway as leaders now understand that the alternative threatens their bottom line.

As security becomes more integrated into businesses' day-to-day operations, we will continue to see a positive culture shift to reflect the common CISO phrase, “security is everyone's job.” The ultimate protection against cyber threats is that of instilling an organizational culture that is 'cybersecurity ready,' and that is knowledgeable and prepared to mitigate the risks at all levels of its strategy and operations.

The post Are WE the firewall? appeared first on Cybersecurity Insiders.

In the first two blogs in this series, we discussed properly setting up IAM and avoiding direct internet access to AWS resources. In this blog, we’ll tackle encrypting AWS in transit and at rest.

Sometimes, despite all efforts to the contrary, data can be compromised.  This can occur due to data leakage through faulty apps or systems, by laptops or portable storage devices being lost, by malicious actors breaking through security defenses, by social engineering attacks, or by data being intercepted in man-in-the-middle attacks.  Fortunately, with adequate encryption measures in place, data exposures such as these can be nullified.  Simply put, when data is properly encrypted with industry approved algorithms, it can’t be deciphered.  The only way to make sense of encrypted data is by decrypting it with an encryption key that only trusted parties possess.  Let’s discuss how AWS makes it easy to encrypt data wherever it may be.

Encrypting data in transit

When you visit a website and see the small lock icon in the browser toolbar, it means that data being sent between your computer and the website host is secure.  If your data was intercepted by a malicious actor, they would not be able to decipher it since it is encrypted. 

Through an encryption process that is beyond the scope of this blog series, computers and website hosts negotiate the encryption algorithm and keys that are used during sessions.  Thus, since only the communicating computers and website hosts know the encryption keys in use, data is protected from prying eyes.  (Note: an exception to this statement is if the generation of encryption keys occurs over a publicly available Internet connection (e.g., coffee shop WiFi).  Cybercriminals could intercept this exchange of information and eavesdrop on your communication. That is why it is recommended to initiate a virtual private network (VPN) connection to a trusted provider before visiting websites when using a public Internet connection). 

AWS provides a convenient service to encrypt data in transit called Amazon Certificate Manager (ACM).  Per AWS, ACM “handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.”  What Is AWS Certificate Manager? – AWS Certificate Manager (amazon.com).  These X.509 certificates can be used with AWS ELBs, CloudFront, and Amazon API Gateway.  Consequently, all Internet bound traffic to and from these resources will be secure.

Furthermore, AWS can encrypt data in transit using X.509 certificates to AWS managed resources like S3 buckets.  However, to enable this feature policies may need to be updated to restrict HTTP and only permit HTTPS connectivity.  To see an example of how AWS S3 can enforce HTTPS connections, click here: Enforce TLS 1.2 or higher for Amazon S3 buckets. 

Now that we know how to encrypt data in transit, let’s move on to our final topic of discussion – encrypting data at rest. 

Encrypting data at rest

One of the easiest and most impactful security measures AWS has to offer is encrypting data at rest.  Literally, with a few clicks of the mouse, every major AWS service that stores data can be encrypted with default encryption keys that are owned and maintained by AWS.  The service used to perform these actions is called AWS Key Management Service (AWS KMS). 

Thus, if for some reason your data was exposed to the world, it would be illegible without the encryption key that only AWS can access on your behalf.  A quick Google search on the Internet will reveal that the amount of time used to crack a common AES-256 encryption key would take modern computers trillions of years – even with the world’s fastest supercomputers. 

If laws, regulations, or corporate policy require you to manage your own encryption keys, AWS has other options.  Through KMS, AWS customers can import their own key material for AWS to use for encryption on their behalf.  If customers do not want AWS to have any access to their encryption keys, AWS also offers hardware security modules (HSMs).  These can be provisioned and used like a utility with an hourly cost. 

AWS HSMs are certified as FIPS 140-2 compliant.  For those unfamiliar with this designation, it refers to rigorous testing to meet government approved security standards.  To learn more about AWS KMS click here: Key Usage — AWS Key Management Service — Amazon Web Services.  To learn more about AWS HSM, click here: Security HSM | AWS CloudHSM | Amazon Web Services. 

As such, considering the multitude of options and ease of use to encrypt data at rest, there simply is not an excuse to not encrypt data wherever it is stored. 

Tying everything together

In this article, we have discussed three easy steps every business or governmental entity can pursue to dramatically improve their AWS security posture.  As a recap, these steps are to 1) set up and use IAM properly, 2) avoid direct Internet access to vulnerable AWS resources, and 3) encrypt data in transit or at rest.  It goes without saying that these steps are not exhaustive.  They are merely the steps that this author believes to be the most impactful. 

Many other security mechanisms exist that AWS customers can pursue.  For more advanced AWS security help, you are encouraged to engage AT&T’s cybersecurity consulting division for support.  We are ready, willing, and able to help you with your AWS cybersecurity needs.  To get more information about AT&T cybersecurity consulting, please click here: Cybersecurity Consulting Services | AT&T Business (att.com). 

Thank you for taking the time to read this blog series.  I sincerely hope you found it informative and useful. 

References:

AWS – https://aws.amazon.com

A Cloud Guru – https://acloudguru.com

The post Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest appeared first on Cybersecurity Insiders.

AT&T Cybersecurity received the Palo Alto Networks 2022 Partner of the Year Award for its managed security services at the annual Palo Alto Networks Ignite 2022 conference. The awards are presented to an elite group of Palo Alto Networks partners that have excelled in performance, enablement, and engagement over the past year.

In an era where security collaboration continues to grow in importance, AT&T Cybersecurity stressed the significance of its relationship with Palo Alto Networks. Danessa Lambdin, President of AT&T Cybersecurity explains:

 As one of the largest MSSPs in the world, we are in a unique position to help secure innovation at scale and bring those lessons learned to our broader customer base. Our technology alliances are a fundamental part of evolving our cybersecurity services to meet our customer needs today and tomorrow.  AT&T has long worked with Palo Alto Networks, building new services atop their technology platforms to meet tomorrow's security challenges, especially as customers move to the cloud and edge.

By maintaining a strong relationship with Palo Alto Networks, AT&T Cybersecurity is able to provide cutting-edge security products while leveraging its managed services to make security more accessible by offering trainings, consulting, and management. Don Jones, senior vice present of Ecosystems at Palo Alto Networks states:

Palo Alto Networks partners share our vision of a world where each day is safer and more secure than the one before. Now more than ever, a trusted ecosystem of partners is essential to enabling organizations to easily, more confidently, and more securely transform. We’re proud to recognize AT&T Cybersecurity as Palo Alto Networks 2022 Partner of the Year and we look forward to our continued work together helping mutual customers achieve better security outcomes.

AT&T Cybersecurity combines cybersecurity with consulting services to help organizations meet their network transformation goals. With AT&T’s support, overcome resource obstacles and ease the burden on short-staffed, in-house teams by working with AT&T’s cyber experts to identify and understand cybersecurity risks and exposures, thereby making it safer for businesses to innovate through network resiliency.

For more information on AT&T Cybersecurity please visit this page. For more information on Palo Alto Networks, please visit this page.

The post AT&T Cybersecurity awarded the Palo Alto Networks 2022 Partner of the Year Award appeared first on Cybersecurity Insiders.