The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The world runs on data. That has always been true, but the power of data has perhaps never been greater than it is today. We live in the great age of information — where a seemingly infinite repository of knowledge lies at our fingertips.

But data is not, of course, only to be consumed for personal use. Indeed, the greatest impact of data is on the world of business. Data is the fuel that keeps the engines of enterprise humming.

The truth, though, is that businesses, on average, use less than half the data they accumulate. The rest is lost somewhere in the ether, where it becomes so-called “dark data” that puts your customers, your employees, and your company at risk.

What is dark data?

One of the most significant challenges in dealing with dark data is that many business managers, even at the highest level, don’t know what it is or how to manage it. That’s a problem because all companies generate tremendous amounts of dark data simply while doing business each day.

Dark data refers to information collected through ordinary business transactions that does not serve a specific business function outside of the immediate transaction. It is information that is generated through ordinary business processes and remains even after its immediate purposes have been served.

This information might include customer email or mailing addresses, phone numbers, or purchase logs.

Because the data has no real business utility, it is often left forgotten, unorganized, and insecurely stored. And this is the true threat that dark data poses, because, even when it serves no legitimate function for your business, it can readily be exploited by bad actors for various cybercrimes, from identity theft to financial fraud.

Finding and identifying dark data 

Understanding that dark data exists and is a problem is a necessary but not sufficient step in mitigating the risk. It’s also imperative that business leaders understand where to find it, how to identify it, and what to do about it.

When it comes to finding, identifying, and managing dark data, your best strategy is going to be data mapping. With data mapping, you’ll be able to determine what data is being generated, when, how, and where. Tracing the sources of your data is often the first step in determining where it goes after it has been generated.

This, in turn, enables you to locate all the once-hidden information that has been lurking around your network, particularly in the cloud. And that means you will be better able to identify which data points have eluded your cloud data management processes and related controls.

Organizing and securing dark data in the cloud

After you’ve found and accurately identified the immense repository of dark data that is likely clogging your system (and potentially costing your company millions of dollars in storage fees each year), it’s time to get organized.

As we’ve seen, dark data can pose a significant risk to your network security and undermine your data security compliance. There is a great likelihood that much of this data is sensitive or private and should be secured but isn’t.

Organizing once “dark” data means subjecting it to rigorous analysis to understand exactly where the data should fall within the scope of your company’s system governance processes. The key is to ensure, for example, that you’re protecting your once hidden data from insider threats, such as access or exploitation by employees who do not possess the appropriate permissions.

Properly organizing your hidden data is also critical for installing an added layer of protection around your company’s sensitive information. For instance, cloud data storage, though providing significant security, is by no means invulnerable.

Cloud systems are at risk of data breaches unless proper procedures are instituted to limit access and amplify security. This might include measures to optimize cloud security such as the use of multifactor authentication processes or the encryption of the most sensitive of your now-organized dark data.

The takeaway

Dark data is an omnipresent but relatively little recognized threat to businesses, workers, and consumers today. It is the inevitable result of ordinary processes of doing business, and yet many business leaders, including highly trained tech specialists, do not know what it is or how to manage it.

Dark data is information that is generated through ordinary business transactions but that has no practical business utility beyond that immediate transaction. The resulting data does not disappear, however. Rather, it lingers and is often forgotten until it is found and exploited for nefarious purposes by bad actors. Learning to find, identify, and organize dark data, especially when it is stored in the cloud, is critical to protecting companies and consumers against a range of threats, including financial fraud and identity theft.

The post Identifying and securing your business’s dark data assets in the cloud appeared first on Cybersecurity Insiders.

There is a possibility that artificial intelligence (AI) will have a significant influence, in either a good or bad direction, on cybersecurity. On the plus side, artificial intelligence (AI) can be used to automate and improve many parts of cybersecurity. AI can find and stop threats, find strange behavior, and look at network traffic, among other things. This might be a game-changer for the industry. On the other hand, artificial intelligence also creates new security holes and problems that must be fixed.

Processing massive volumes of data and seeing patterns that people would overlook are two of the primary advantages that artificial intelligence brings to the field of cybersecurity. This could be especially helpful for finding attacks such as zero-day exploits and advanced persistent threats, which traditional security systems have a hard time spotting. AI-driven systems can monitor network traffic in real time and flag unusual behavior, which enables enterprises to take prompt action to thwart attacks.

AI could also be used to automate many of the day-to-day tasks involved in cybersecurity. This frees human analysts to work on more challenging and complex jobs, and lets businesses make their security activities more effective and efficient. AI may be used, for instance, to monitor social media and other online sources for signs of possible danger, such as discussion of a newly disclosed vulnerability or the use of hashtags associated with threat activity.

Still, bad things could happen when AI is used in cybersecurity. One cause for worry is the possibility that adversaries would use AI systems to carry out assaults that are both more complex and more precisely targeted. AI can, for example, make phishing emails that look real, find security holes automatically, and use them.

Another worry is that people with malicious intent might be able to take over or otherwise control AI-driven systems. If an AI system is compromised, an attacker could use it to get around security measures and reach private information. This could have terrible consequences, such as theft of confidential information or failure of critical systems.

Another worry is that AI-driven systems might come to the wrong conclusions or make mistakes when making decisions. For example, an AI system might mistakenly label a harmless file as malware, which could cause false positives and stop a business from running. On the other hand, an AI system can miss a real danger, resulting in a security breach.

To deal with these problems effectively, businesses must consider the risks and benefits of using AI in their cybersecurity efforts. This could mean putting in place extra security measures to protect AI systems and data and testing and updating these systems regularly to ensure they work as they should and are up to date.

Using AI raises several critical ethical questions and technological factors that need to be addressed regarding cybersecurity. For example, if artificial intelligence (AI) systems are trained on data that isn't representative of the whole population, they may have biases built in. This may result in some groups being unfairly treated. Organizations need to be aware of these problems and take steps to reduce the chances that they will have harmful effects.

It is expected that the use of artificial intelligence (AI) in cybersecurity will have a large and varied effect. AI has the potential to make security much better, but it also brings up new problems and risks that need to be handled with great care. By taking a comprehensive and proactive approach to AI and cybersecurity, organizations can ensure they are ready to manage the changing threat environment and protect themselves from a wide range of threats.

The post AI and Cybersecurity: Some observational implications of the intersection between the two appeared first on Cybersecurity Insiders.


In today's digital age, a business website is essential for success. Not only does it provide potential customers with information about your products or services, but it also allows you to connect and engage with them directly.

However, simply having a website is not enough. To ensure that your site is effective and safe, you need to make sure that it has all the necessary security features. In this article, we will discuss twelve security features that every business website must have.

1. Enable auto-update for plugins and software

One of the simplest but most effective security measures you can take, especially if you’re looking to protect your WordPress site, is to ensure that all your plugins and software are up-to-date. Outdated software is one of the most common ways that attackers gain access to websites. By keeping everything up to date, you can help to prevent vulnerabilities from being exploited.

You can usually enable auto-updates for most plugins and software from within their settings menu. For WordPress sites, there is also a plugin called Easy Updates Manager that can help you to keep everything up to date with ease.

2. Have a strong password policy

A strong password policy is the first step to protecting your website from malicious actors. By requiring strong and unique passwords, you can make it significantly more difficult for attackers to gain access to your site. You need to ensure that your website's backend is well protected and that only authorized users have access. To do this, you should consider using a password manager to generate and store strong passwords for your site. You should not be using the same password for multiple sites.

3. Use two-factor authentication

Two-factor authentication (2FA) is an important security measure that you should consider implementing for your website. 2FA adds an extra layer of security by requiring users to provide two pieces of information before they can access your site. This could include a password and a one-time code that is generated by an app on your phone. 2FA can help to prevent attackers from gaining access to your site, even if they have your password.

4. Use a secure socket layer (SSL) certificate

An SSL certificate is a must-have for any website that wants to protect its users' information. SSL encrypts the communications between your website and your users' web browsers. This means that even if an attacker were able to intercept the communication, they would not be able to read it. SSL also provides authentication, which means you can be sure that your users are communicating with the intended website and not a fake site set up by an attacker.

Increasingly, having things like HTTPS and an SSL certificate are part of Google's ranking metrics and will help your website's SEO. If you aren't trying to protect your visitors and users (the people who give you their sensitive credit card information), they may take their business elsewhere.

5. Use a web application firewall (WAF)

A web application firewall (WAF) is a piece of software that sits between your website and the internet. It filters traffic to your site and blocks any requests that it considers to be malicious. WAFs can be very effective at stopping attacks such as SQL injection (SQLi) and cross-site scripting (XSS).

6. Use intrusion detection and prevention systems (IDPS)

Intrusion detection and prevention systems (IDPS) are designed to detect and prevent attacks on your website. IDPS systems can be either host-based or network-based. Host-based IDPSs are installed on the servers that host your website. They monitor traffic to and from the server and can detect and block attacks. Network-based IDPSs are installed on your network and monitor traffic to and from your website. Both types of IDPS can be effective at stopping attacks, but they have different strengths and weaknesses.

7. Do security logging and monitoring

Security logging and monitoring are critical security measures for any website. By logging all activity on your site, you can track down any malicious activity and take appropriate action. You should also review your logs regularly to look for any unusual activity.

8. Use a secure hosting environment

A secure hosting environment is essential for any website. Your host should provide a secure server with up-to-date security patches. They should also have experience in hosting websites and be able to provide you with expert support if you need it. Things like DDoS protection and backups are also important considerations. Denial of service attacks are on the rise, and website owners need to be prepared. Your hosting provider and the measures they take to protect you make a difference.

9. Perform regular security scans

Regular security scans are a vital part of website security. Scans can help you to identify vulnerabilities on your site so that you can fix them before they are exploited by attackers. There are many different types of security scans, such as web application scans, network scans, and malware scans.

10. Perform malware scanning and remove malware

Malware is a serious threat to any website. Malicious code can be used to steal sensitive information, deface your site, or even take it offline. It's important to regularly scan your website for malware and remove any that is found.

11. Protect against spam

Spam is a major problem for many websites. It can clog up your comment sections, contact forms, and even your website's database. There are several ways to combat spam, such as using CAPTCHA codes and requiring registration for comments. Akismet is a popular WordPress plugin that does an excellent job of stopping spam.

12. Train your employees

One of the most important security measures you can take is to educate your employees about website security. They should know how to spot a phishing email, what to do if they suspect their computer has been infected with malware, and how to keep their passwords secure. You should also have a clear policy in place for what to do in the event of a security breach.

Conclusion

There are many security measures that every website should take. By implementing these measures, you can help to protect your site from attack and keep your data safe. Additionally, it's important to educate your employees about website security and have a clear policy in place for dealing with security breaches.

The post 12 ways to improve your website security appeared first on Cybersecurity Insiders.

In the first blog in this series, we discussed setting up IAM properly. Now we’re moving on to the second step, avoiding direct internet access to AWS resources.

When AWS resources like EC2 instances or S3 buckets are directly accessible via the Internet, they are vulnerable to attack.  Examples include brute force attacks on SSH login, denial of service (DoS) attacks on server resources via Layer 3, 4, or 7 flooding, and the inadvertent disclosure of data in an S3 bucket.  Thankfully, AWS offers tools that can virtually eliminate each of these threats.  Let's discuss how to protect resources that have traditionally been placed in the demilitarized zone (DMZ) of a public subnet.

Put all EC2 instances in private subnets

Despite the advent of network address translation (NAT) (i.e., the mapping of a public IP address to a private IP address), many businesses put publicly accessible resources in the DMZ.  This enables direct connectivity to resources by assigning public IP addresses to them.  In turn, through domain name system (DNS) resolution, website names are translated to these IP addresses, which enables connectivity.  Ordinarily, resources placed in a DMZ are webservers, although some companies, out of convenience or lack of security awareness, will also place database, application, and file servers in the DMZ.  If adequate access control lists (ACLs) and security groups are not in place to restrict access by IP source, IP destination, protocol, and port number, these resources are vulnerable to attack.

Fortunately, there is no longer a need to place EC2 instances in a public subnet.  This includes bastion hosts that are used to access EC2 instances in private subnets.  Rather than associate a public IP address with EC2 instances, an elastic load balancer (ELB) can be used instead. 

The ELB is a virtual appliance that terminates webserver-bound traffic via a public IP address and passes that traffic to EC2 instances, or corresponding containers if applicable, that reside in a private subnet.  Neither the AWS customer using the load balancer nor any external party can directly access the load balancer, so it is not vulnerable to attack.  Furthermore, depending on whether the traffic being terminated on the ELB is Layer 4 (the Transport layer of the OSI model) or HTTP (Layer 7), AWS offers two separate ELBs to accommodate the applicable traffic.  These ELB options are the Network Load Balancer (Layer 4) and the Application Load Balancer (Layer 7).  As the diagram and step-by-step description from AWS below reveal, virtualized server resources that reside in private subnets cannot be directly accessed by the outside world.

Complete traffic flow diagram

The following diagram combines the inbound and return traffic flows to provide a complete illustration of load balancer routing.


  1. Traffic from the internet flows in to the Elastic IP address, which is dynamically created when you deploy an internet-facing Application Load Balancer.
  2. The Application Load Balancer is associated with two public subnets in the scenario that’s illustrated. The Application Load Balancer uses its internal logic to determine which target group and instance to route the traffic to.
  3. The Application Load Balancer routes the request to the EC2 instance through a node that’s associated with the public subnet in the same Availability Zone.
  4. The route table routes the traffic locally within the VPC, between the public subnet and the private subnet, and to the EC2 instance.
  5. The EC2 instance in the private subnet routes the outbound traffic through the route table.
  6. The route table has a local route to the public subnet. It reaches the Application Load Balancer on the node in the corresponding public subnet, by following the path back the way the traffic entered.
  7. The Application Load Balancer routes traffic out through its public Elastic IP address.
  8. The public subnet's route table has a default route pointing to an internet gateway, which routes the traffic back out to the internet.

Importantly, even with an ELB in place, it is imperative to configure appropriate ACLs and security groups.  Only legitimate traffic should be allowed in and out of the virtual private cloud (VPC).  If the load balancer improperly allows all traffic in and out of the private subnet where the EC2 instances reside, much of the benefit of restricting direct Internet access to them can be lost. 

Moreover, EC2 instances behind an ELB can still be vulnerable to Layer 3, Layer 4, or Layer 7 DoS attacks.  An ELB merely eliminates the ability for people from the Internet to directly access your instances.  To stop Layer 3 and Layer 4 Distributed Denial of Service (DDoS) attacks, AWS offers AWS Shield.  This service is offered at two levels – basic and advanced.  Basic service is free, and it monitors and restricts Layer 3 and Layer 4 traffic. Hence, before traffic ever hits your ELB, it is being monitored and filtered with AWS’ DDoS mitigation technology.  For advanced coverage and features, AWS offers AWS Shield Advanced for an additional cost.  With Shield Advanced, you have access to a 24/7 AWS Shield Response Team, advanced reporting, and cost protection associated with the increase of AWS resources used during an attack.  You can learn more about AWS Shield here: Managed DDoS protection – AWS Shield Features – Amazon Web Services

For Layer 7 DoS mitigation, AWS offers a Web Application Firewall (WAF).  Per AWS, this service “lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs…  In addition, AWS WAF makes it easy to create rules that block common web exploits like SQL injection and cross site scripting.”  If your business utilizes AWS Shield Advanced, AWS WAF is included in the monthly cost.  You can learn more about AWS WAF here: Features – AWS WAF – Amazon Web Services (AWS).

Notably, some DoS events are not malicious but are rather the result of a company’s web services going viral.  If too much traffic hits all at once, content can be inaccessible.  For both static and dynamic content, AWS offers a content delivery network (CDN) called CloudFront.  Thus, rather than scale your EC2 instances behind an ELB vertically or horizontally for increased demand, content can be offloaded to CloudFront where it is cached and, if need be, made globally available.  This protects your virtualized server resources and your wallet, too.  You can learn more about AWS CloudFront here: Low-Latency Content Delivery Network (CDN) – Amazon CloudFront – Amazon Web Services

How to securely access EC2 instances in private subnets

Up to this point, we have discussed how you can protect your EC2 instances from being accessed from the outside world.  Rightfully so, you may be wondering how systems administrators can access instances to manage them if there is no public IP address for SSH or RDP connectivity.  Normally, a bastion host would be provisioned in a public subnet for access to resources in a private subnet.  However, by provisioning an EC2 instance in a public subnet as a bastion host, no matter how hardened the instance is, you are creating an unnecessary vulnerability.

The simple remedy for getting access to EC2 instances in private subnets is AWS Systems Manager.  There is no need to open SSH or RDP ports in the private subnet either.  Through the AWS console, AWS can programmatically establish SSH or RDP access to EC2 instances.  Without SSH or RDP ports open, even if an internal EC2 instance were compromised, it would not be possible for a malicious actor to capitalize on stolen key pairs to access an instance or to perform a brute force attack on the root account.  Accordingly, the only users permitted to access the EC2 instance would be those users with the appropriate IAM user, group, or role permissions.  To learn more about AWS Systems Manager, click here: Centralized Operations Hub – AWS Systems Manager – Amazon Web Services
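As an added illustration (not part of the original post and not an AWS tool), the following Python audit applies the two rules from this section to security group data in the shape returned by boto3's ec2.describe_security_groups(): no SSH or RDP rule open to 0.0.0.0/0 or ::/0, and web-tier ingress allowed only from the load balancer's own security group. The sample groups and their ids are constructed, and no AWS calls are made.

```python
"""Audit EC2 security groups for direct Internet exposure.

The constructed SAMPLE_GROUPS below mimic the shape of boto3's
ec2.describe_security_groups()["SecurityGroups"]; no AWS calls are made.
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _rule_ports(rule):
    """Return the admin ports (22/3389) that one inbound permission covers."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return set(ADMIN_PORTS)  # "all traffic" includes the admin ports
    if proto not in ("tcp", "6"):
        return set()
    low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if low <= p <= high}


def _rule_cidrs(rule):
    """Yield every CIDR (IPv4 and IPv6) listed on one inbound permission."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_open_admin_ports(security_groups):
    """Flag inbound rules that expose SSH or RDP to the whole Internet.

    Returns a sorted list of (GroupId, service, cidr) tuples.
    """
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            ports = _rule_ports(rule)
            for cidr in _rule_cidrs(rule):
                if cidr in ANYWHERE:
                    for port in ports:
                        findings.add((sg["GroupId"], ADMIN_PORTS[port], cidr))
    return sorted(findings)


def allows_only_from_group(sg, source_group_id):
    """True if every inbound rule of sg references only source_group_id.

    This is the pattern for instances behind a load balancer: ingress is
    permitted from the ALB's security group, never from a CIDR block.
    """
    rules = sg.get("IpPermissions", [])
    if not rules:
        return False  # nothing allowed in at all; not the pattern being checked
    for rule in rules:
        if list(_rule_cidrs(rule)) or rule.get("PrefixListIds"):
            return False
        pairs = rule.get("UserIdGroupPairs", [])
        if not pairs or any(p.get("GroupId") != source_group_id for p in pairs):
            return False
    return True


# Constructed sample: the ALB's group (public HTTPS is expected there), a
# correctly scoped web-tier group, and a group that opens SSH and RDP.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-alb0001"}]}]},
    {"GroupId": "sg-bad0001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for finding in find_open_admin_ports(SAMPLE_GROUPS):
        print("OPEN TO INTERNET:", finding)
    print("web group scoped to ALB:",
          allows_only_from_group(SAMPLE_GROUPS[1], "sg-alb0001"))
```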

Finally, you may also be wondering how EC2 instances in a private subnet can access the Internet for software downloads, patches, and maintenance if they do not have a public IP address?  Previously, for instances in private subnets to access the Internet, an EC2 NAT instance in a public subnet would need to be provisioned.  Internet bound traffic from instances in the private subnet would be routed through the NAT instance. 

However, like bastion hosts, EC2 NAT instances pose an unnecessary security risk.  The solution for routing Internet-bound traffic to and from instances in private subnets is to use AWS NAT Gateways.  Like ELBs, NAT Gateways are virtualized appliances that are not accessible to AWS customers or external parties.  Unlike NAT instances, they are not provisioned with predefined CPU, RAM, and throughput either.  Rather, they scale dynamically to handle whatever workload is thrown at them.  Consequently, EC2 instances in private subnets can securely access the Internet without the threat associated with a NAT instance in a public subnet. To learn more about AWS NAT Gateways, click here: NAT gateways – Amazon Virtual Private Cloud

Now that we have learned how to protect EC2 instances, and by extension the services that leverage them such as containers, applications, and databases, let's discuss how to secure S3 buckets.

Keep S3 buckets private or restrict public access using CloudFront

Over the years, many news stories have revealed the blunders of companies that publicly expose their customers’ data by publishing it in public S3 buckets.  As anyone who has recently provisioned an S3 bucket will know, AWS has made it exceedingly difficult to repeat this error.  With warning prompts and conspicuous red, “danger, Will Robinson!” icons, AWS lets you know when an S3 Bucket is public. 

For obvious reasons, data that companies do not want the whole world to know should never be placed in a public S3 bucket.  This includes personally identifiable information (PII), health information, credit card account details, trade secrets, and any other proprietary data.  Even with encryption in place, which we will discuss in Step 3, there is no reason to ever make this type of data publicly available. 

For S3 data that is publicly available, direct access to the objects should be restricted.  There are a few reasons why.  First, entities may not want their customers to access objects with the AWS S3 URL.  Instead, they may want their customers to access objects using their custom domain.  Second, entities may not want their customers to have unlimited access to S3 objects.  Instead, they may prefer to use pre-signed URLs to limit how long end users can access objects.  Finally, entities may not want to pay unnecessary costs for end users reading or downloading S3 objects directly from a bucket.  The remedy to these problems is to make public S3 buckets accessible only via CloudFront. 

This is achieved by configuring S3 to only accept GET or POST requests from CloudFront.  Hence, objects in a public S3 bucket are inaccessible to the outside world.  To learn more about AWS CloudFront and S3 Bucket integration, click here: Restricting access to an Amazon S3 origin – Amazon CloudFront
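Added example, not code from the post or from AWS: a constructed bucket policy that grants anonymous read, placed beside the hardened policy AWS documents for CloudFront origin access control, which grants s3:GetObject only to the CloudFront service principal and only for one named distribution, together with two checks that tell the two apart. The bucket name, account id and distribution id are placeholders.

```python
"""Distinguish a public-read S3 bucket policy from one restricted to CloudFront.

Both policy documents are constructed samples. The hardened form follows the
pattern AWS documents for origin access control: the CloudFront service
principal may read objects only when the request comes from the listed
distribution. Bucket name, account id and distribution id are placeholders.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-public-assets"          # placeholder bucket
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"  # placeholder

# Weak: anyone on the Internet can fetch objects directly from the bucket URL.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
    }],
}

# Hardened: only CloudFront, and only this distribution, can read objects.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
    }],
}

READ_ACTIONS = {"s3:*", "s3:Get*", "s3:GetObject"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """'*' or {"AWS": "*"} means any caller, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_statements(policy):
    """Return the Sids of unconditional Allow statements granting anonymous reads."""
    sids = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action", []))
        if any(a in READ_ACTIONS for a in actions) and not st.get("Condition"):
            sids.append(st.get("Sid", "<no sid>"))
    return sids


def restricted_to_distribution(policy, distribution_arn):
    """True if every Allow statement is limited to CloudFront acting for distribution_arn."""
    allows = [st for st in policy.get("Statement", []) if st.get("Effect") == "Allow"]
    if not allows:
        return False
    for st in allows:
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services != ["cloudfront.amazonaws.com"]:
            return False
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        equals = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if equals.get("aws:sourcearn") != distribution_arn:
            return False
    return True


def load_policy(policy_json):
    """Parse a policy document as returned in the Policy field of get_bucket_policy."""
    return json.loads(policy_json)


if __name__ == "__main__":
    print("weak policy public statements:", public_read_statements(WEAK_POLICY))
    print("hardened policy CloudFront-only:",
          restricted_to_distribution(HARDENED_POLICY, DIST_ARN))
```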

Now that we know how to properly secure EC2 instances and S3 buckets by restricting direct access via the Internet, the next, and last blog in this series will discuss our final step – encryption. 

The post Improve your AWS security posture, Step 2: Avoid direct internet access to AWS resources appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the authors in this article. This blog was jointly written with David Maimon, Professor at Georgia State University.

Website defacement

Websites are central to business operations but are also the target of various cyber-attacks. Malicious hackers have found several ways to compromise websites, with the most common attack vector being SQL injection: the act of injecting malicious SQL code to gain unauthorized access to the server hosting the website. Once on the server, the hacker can compromise the target organization's website, and vandalize it by replacing the original content with content of their own choosing. This criminal act is referred to as website defacement. See Figure 1 for examples of past website defacements.

Figure 1. Examples of past website defacements.

While the act of vandalizing a website may seem trivial, it can be devastating for the victimized entities. If an e-commerce site is publicly compromised, for example, they suffer direct and indirect financial loss. The direct losses can be measured by the amount of revenue that would have been generated had the website not been compromised, and by the time and money spent to repair the damaged site. Indirect losses occur because of reputational damage. Potential customers may be deterred from providing their banking information to an organization portrayed and perceived as incapable of protecting their assets.

Threat actors

Unlike most forms of hacking, website defacement has a public-facing component. Assailants are eager to get credit for their success in compromising websites and are notorious for bragging about their exploits across various platforms, including general social media (e.g., Facebook, Twitter, YouTube, etc.) and hacking-specific sites. The most popular platform on which hackers report successful defacements is Zone-H. Users of the platform upload evidence of their attack, and once the attack is verified by the site's administrators, it is permanently housed in the archive and viewable on Zone-H's webpage. Zone-H is the largest hacking archive in the world: over 15 million attacks have been verified by Zone-H thus far, with over 160,000 unique active users. The archive, as depicted in Figure 2, includes the hacker's moniker, the attacked website's domain name, and an image of the defacement content (resembling the images depicted in Figure 1).


Figure 2. Zone-H: The largest hacking archive in the world.

Hackers tend to use the same moniker across platforms to bolster the reputation and status of their online identity, which allows for the gathering of digital artifacts and threat intelligence pertinent to the attack and attacker, respectively. Indeed, we have been systematically gathering data on active malicious hackers who report their successful defacements to Zone-H since 2017 and, in doing so, have uncovered several interesting findings that shed light on this underground community. For example, and in direct contrast to Hollywood’s stereotype of the lone actor, we observed an interconnected community of hackers who form teams and develop their skills through collaboration and camaraderie. We also found variation in hackers’ attack frequency: some hackers are extremely prolific and can be classified as persistent threats, while others only engage in a few attacks before disappearing. These findings served as motivation for this study.

Criminal trajectories

Recently, we built an analytic model capable of predicting which new hackers will become persistent threats at the onset of their criminal career. The study began by identifying 241 new hackers on the Zone-H archive. We then tracked each of these hackers for one year (52 weeks) following their first disclosed website defacement. We recorded their total number of attacks, extracted and analyzed content from their defacements, and gathered open-source intelligence from a litany of social media and hacking sites. In total, the 241 hackers in our study defaced 39,428 websites within the first year of their hacking career. We identified 73% of our sample on a social media site and found that 50% also report their defacements to other hacking archives. Finally, we extracted and analyzed the content of each new hacker's first defacement and found that 39% of hackers indicated involvement with a hacking team, 12% posted political content, and 34% left their contact information directly on the compromised site. 

To plot trajectories, we had to first disaggregate the dataset to determine whether each of the hackers in our sample defaced at least one website each week for the 52 weeks following their first defacement. Upon completion, we employed latent group-based trajectory modeling to determine if, and how many, unique criminal trajectories exist. Results are presented in Figure 3. We found that new hackers follow one of four patterns: low threat (28.8%), naturally desisting (23.9%), increasingly prolific (25.8%), and persistent threat (21.5%). Hackers classified as low threat (blue line) engage in very few defacements and do not increase their attack frequency within one year of their first attack. Those labeled as naturally desisting (red line) begin their careers with velocity, but this is short-lived. Conversely, those classified as increasingly prolific (green line) engage in more attacks as they advance in their criminal careers. Finally, those deemed as persistent threats (yellow line) begin their careers with velocity and remain prolific. To our knowledge, we are the first to plot the trajectories of new malicious hackers.
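The weekly disaggregation step described above, as an added example that is not part of the original study: it turns constructed defacement reports (moniker, timestamp, host) into a 52-week activity vector per hacker, counts attacks inside the one-year window, and tallies active weeks per quarter so the shape of a trajectory can be eyeballed. The latent group-based trajectory model itself is not reproduced here; the record layout and every sample value are assumptions.

```python
from collections import defaultdict
from datetime import datetime

WEEKS = 52  # follow-up window used in the study: one year after the first defacement

# Constructed defacement reports in the style of an archive listing:
# (moniker, timestamp, defaced host). Made-up data, not from any real archive.
SAMPLE_DEFACEMENTS = [
    ("alpha", "2021-01-03T10:00:00", "site-a.example"),
    ("alpha", "2021-01-05T11:30:00", "site-b.example"),
    ("alpha", "2021-01-19T09:00:00", "site-c.example"),
    ("alpha", "2022-02-01T09:00:00", "site-d.example"),  # after the 52-week window
    ("bravo", "2021-03-10T08:00:00", "site-e.example"),
    ("bravo", "2021-03-10T08:05:00", "site-f.example"),
    ("bravo", "2021-09-10T08:00:00", "site-g.example"),
    ("bravo", "2021-12-20T08:00:00", "site-h.example"),
]


def parse_records(records):
    """Group defacement timestamps by moniker, sorted chronologically."""
    by_hacker = defaultdict(list)
    for moniker, ts, _host in records:
        by_hacker[moniker].append(datetime.fromisoformat(ts))
    for times in by_hacker.values():
        times.sort()
    return by_hacker


def week_index(first, when):
    """0-based week of `when` relative to the hacker's first defacement."""
    return (when - first).days // 7


def weekly_activity(times, weeks=WEEKS):
    """Return (attacks inside the window, 0/1 vector with one entry per week).

    A week is 1 when the hacker defaced at least one site in it, which is the
    disaggregation the text describes; attacks past the window are ignored.
    """
    first = times[0]
    vector = [0] * weeks
    total = 0
    for t in times:  # sorted, so the first out-of-window hit ends the loop
        w = week_index(first, t)
        if w >= weeks:
            break
        vector[w] = 1
        total += 1
    return total, vector


def activity_by_quarter(vector):
    """Active weeks per 13-week quarter; a quick way to see the trajectory's shape."""
    quarters = [0, 0, 0, 0]
    for w, active in enumerate(vector):
        quarters[min(w // 13, 3)] += active
    return quarters


def summarize(records, weeks=WEEKS):
    """Per-hacker summary of the first year, ready for plotting or modeling."""
    summary = {}
    for moniker, times in parse_records(records).items():
        total, vector = weekly_activity(times, weeks)
        summary[moniker] = {
            "first_defacement": times[0].date().isoformat(),
            "attacks_in_window": total,
            "active_weeks": sum(vector),
            "by_quarter": activity_by_quarter(vector),
            "weekly": vector,
        }
    return summary


if __name__ == "__main__":
    for moniker, info in summarize(SAMPLE_DEFACEMENTS).items():
        print(moniker, info["attacks_in_window"], info["active_weeks"], info["by_quarter"])
```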

Figure 3. The one-year trajectory of new malicious hackers.

After plotting the trajectories, we employed a series of regression models to determine if open-source intelligence and digital artifacts can be used to predict the evolution of a new hacker's criminal career. Contrary to our expectations, we found that politically driven hackers are at increased odds of naturally desisting. While these hackers may engage in a high number of attacks at the onset of their career, this is short-lived. We suspect eager new hacktivists simply lose sight of, or get bored with, their cause. Conversely, new hackers who post their contact information directly to the compromised site are at decreased odds of naturally desisting. Tagging a virtual crime scene with contact information is a bold move. We suspect these hackers are rewarded for their boldness and initiated into the hacking community, where they continue defacing websites alongside their peers.

Different patterns emerged when predicting who will become a persistent threat. We found that social media engagement and reporting defacement activity to other platforms increase the odds of being a persistent threat. This may boil down to commitment: hackers committed to building their brand by posting on multiple platforms are also committed to building their brand through continual and frequent defacement activity. The most interesting, yet also intuitive, patterns emerge when predicting who will become increasingly prolific. We found that hackers who report to other platforms and indicate team involvement engage in more attacks as they progress in their career. Joining a hacking team is a valuable educational experience for a new hacker. As a novice hacker learns new skills, it is no surprise they demonstrate their capabilities by defacing more websites.

Taken together, these findings offer insight into the development of proactive cybersecurity solutions. We demonstrate that open-source intelligence can be used to predict which hackers will become persistent threats. Upon identifying high-risk hackers, we believe the next logical step is to launch early intervention programs aimed at redirecting their talent toward something more constructive. Recruiting young hackers for cybersecurity positions could create a safer cyberspace by filling the nation’s skills shortage while simultaneously removing persistent threat actors from the equation.

Acknowledgements

This work was conducted alongside several members of the Evidence-Based Cybersecurity Research Laboratory. We thank Cameron Hoffman and Robert Perkins for their continual involvement in the hacking project. For more information about our team of researchers and this project, visit https://ebcs.gsu.edu/. Follow @Dr_Cybercrime on Twitter for more cutting-edge cybersecurity research.

The post Predicting which hackers will become persistent threats appeared first on Cybersecurity Insiders.

Telephony fraud is a significant challenge. Companies of all sizes and industries are subjected to the malicious usage of voice and SMS with the intent of committing financial fraud, identity theft, denial-of-service, and a variety of other attacks. Businesses that fall victim to fraud can incur significant financial losses, irreparable damage to their reputation, and legal implications. Detecting and preventing fraud can be a complex and time-consuming process, requiring businesses to devote significant resources to protect themselves. Some common challenges that companies face when it comes to fraud include the following:

  • Swiftly adapting to constantly evolving fraud tactics: Fraudsters are always searching for innovative ways to carry out their schemes. Therefore, businesses must be hyper-aware in identifying and addressing potential threats.
  • Balancing the need for security with customer convenience: Businesses must balance protecting themselves against fraud and providing a seamless customer experience. This can be particularly challenging in the digital age, as customers expect fast, convenient service.
  • Investing in fraud prevention solutions and skilling up human resources: To stay ahead of fraudsters, organizations may need to invest in technology solutions, such as fraud detection software or security protocols, to help identify and prevent fraudulent activity. Such solutions are often expensive and may require hiring dedicated employees to manage and maintain these toolsets.
  • Mitigating the aftermath of a fraud incident: If a business or its customers fall victim to a fraud campaign, this organization must be prepared to not only address the immediate financial losses but also work to repair any damage to its reputation and restore customer trust. Such an endeavor is often a time-consuming and costly process.

Vishing

As mentioned above, telephony fraud can consist of voice fraud and SMS fraud sub-categories. Voice fraud, also known as vishing or voice phishing, involves criminals leveraging voice calls or voice messaging to social engineer potential victims into divulging sensitive information or making payments. In this type of attack vector, the malicious actor often attempts to mask their identity through spoofing, which involves altering caller-ID information to make the communication appear legitimate.

The attacker may also utilize voice manipulation software or even voice impersonation to mask their identity and solicit a target into taking a specific action, such as revealing sensitive data or even transferring bank funds over to the attacker. In such unfortunate scenarios, vishers may pretend to be an individual from a legitimate organization, such as a trusted individual, a company/business, or a government agency, and request personal information or login credentials.

Some of the voice fraud challenges that companies may face include the following:

  • Spoofed caller IDs: Criminals can use spoofed caller IDs to make it appear as if the call is coming from a legitimate source, such as a bank or government agency. This can make it difficult for companies to identify fraudulent calls and protect their customers from these scams.
  • Automated voice messages: Criminals can also use automated voice messages to deliver phishing scams. These messages may ask the recipient to call a specific number to update their account information or resolve an issue, but the call actually leads to a scammer trying to steal sensitive information.
  • Social engineering tactics: Criminals may use social engineering tactics, such as creating a sense of urgency or playing on the recipient's emotions, to convince them to divulge sensitive information or make a payment.

Smishing

Smishing is a phishing scam that uses text messages for social engineering attempts to convince victims to reveal sensitive information or persuade them to make fraudulent transactions. Smishing scams often involve fake websites or phone numbers, and they may be disguised as legitimate texts from banks, government agencies, or other trusted organizations.

Smishing attacks can be challenging to detect because they often use familiar logos, language, and tone to make the message appear legitimate. Some common tactics used in smishing attacks include:

  • Asking for personal information: Smishers may ask for personal information, such as passwords or credit card numbers, under the pretense of verifying account information or completing a transaction.
  • Offering fake deals or prizes: Smishers may send texts offering fake deals or prizes to lure people into revealing sensitive information or making fraudulent transactions.
  • Scare tactics: Smishers may send texts threatening to cancel accounts or take legal action unless sensitive information is provided.

Overall, fraud attacks can have serious consequences. If your organization falls victim to a fraud campaign, there may be severe financial loss, damage to brand reputation, data breaches, and disruption to your everyday operations. A data breach can lead to identity theft of your employees and customers and the leak of proprietary information owned by your company, which can cause long-term financial and legal implications. Therefore, we recommend that organizations take the following steps to protect themselves against telephony fraud:

  • Educate employees: Train employees to recognize the signs of voice and SMS fraud and to be cautious when giving out sensitive information or making financial transactions over the phone.
  • Implement two-factor authentication: Leverage two-factor authentication to verify the identity of employees and customers when they access sensitive information or make financial transactions.
  • Use anti-phishing software: Use anti-phishing software to protect against phishing scams, including smishing attacks.
  • Monitor your phone bills: Regularly review phone bills for unusual charges or suspicious activity, which may result from a malicious actor spoofing your telephone number.
  • Secure communication platforms: Use secure communication platforms, such as encrypted messaging apps, to protect against voice and SMS fraud.
  • Invest in fraud detection solutions: Deploy tooling that can identify and act upon fraudulent calls.
  • Monitor for suspicious activity: Organizations can use tools to monitor suspicious activity, such as unexpected changes in calling patterns or unusual requests for information.

By following these best practices, businesses can reduce the likelihood of a telephony fraud disaster.

If you are an individual who is looking to safeguard yourself from such attacks:

  • Be vigilant of the types of commonly used scams and how to recognize them.
  • Never give out personal information or make financial transactions over the phone unless you are sure you are dealing with a legitimate entity.
  • Use strong passwords and enable two-factor authentication whenever possible to protect against unauthorized access to your accounts.
  • If you receive a suspicious phone call, hang up and verify the call's legitimacy before providing any information. You can do this by looking up the phone number online or contacting the organization directly using a phone number you know is legitimate.
  • Be cautious of unsolicited phone calls, especially if the caller requests personal information or tries to rush you into making a decision.
  • Report any voice fraud to the authorities and relevant organizations, such as your bank or credit card company. This can help to prevent others from falling victim to similar scams.

Overall, it is imperative to have a multi-layered approach to combat telephony fraud. This should include an effective monitoring solution to identify anomalies in voice and SMS traffic patterns and the ability to detect and act upon suspicious activity quickly.

AT&T Cybersecurity Consulting offers a telephony fraud management program that will equip your organization with unique visibility into your voice and SMS traffic, allowing you to observe daily traffic flow across your network. As a result, your organization will be able to understand established baselines of “normal” traffic originating from your network.

AT&T Cybersecurity Consulting will actively monitor your network traffic to pinpoint deviations from your baseline traffic patterns to quickly identify malicious activity or robocall campaigns spoofing your organization's telephone numbers. If such an anomaly is detected, the AT&T Cybersecurity Consulting team will notify your team with a report containing the observed activity and then present your team with options for responding to the anomaly. Options for response will include but are not limited to blocking traffic from transiting over the AT&T network, as well as requesting a traceback to determine the originating source of the spoofed traffic.

For more information about our telephony fraud management service, please forward any inquiries to caas-voicefraud@list.att.com.

The post Telephony fraud and risk mitigation: Understanding this ever-changing threat appeared first on Cybersecurity Insiders.

Identity and access management has emerged as an essential security element for organizations. A study reveals that 80% of global IT decision-makers have already adopted or are planning to adopt an IAM solution in the upcoming years.

IAM refers to the business policies, processes, and technologies used to control access to data and digital systems and prevent unauthorized access. Two IAM approaches are widely known, one for the cloud and the other for on-premises. Cloud-based IAM practices are growing fast because the demand for cloud adoption has increased over time.

With the right IAM solutions and techniques, IT managers and businesses control users' access to sensitive business data within their networks. In addition, these solutions help protect organizations from cyber-attacks; they become more efficient, reduce IT operational costs, and improve user experience.

Six best IAM practices that organizations must not neglect

The IAM framework means using the right solution to implement user authentication and privilege policies. In addition, with IAM, companies demonstrate that data is not misused and that they comply with government regulations.

For all these characteristics, businesses are increasingly adopting IAM solutions, and their demand will undoubtedly be high in the coming years. It's also estimated that the IAM market will grow to $15.3 billion by 2025.

The organization needs to use the right IAM tools and practices to reap the most benefits from the IAM solution. The six best IAM practices that every business should incorporate into its security strategy are as follows:

Adopt passwordless authentication

Many data breaches occur because of weak or stolen credentials. Threat actors can use advanced tools and tactics to steal and break passwords.

Organizations need a secure identity management system to prevent bad actors from breaking in and stealing credentials that can result in breaches such as the Lapsus$ attack or the Colonial Pipeline ransomware attack. Organizations eliminate password issues by choosing passwordless authentication to protect vital business data and ensure that only authentic people access it.

Passwordless authentication enables users to authenticate their identity without entering a password. There are various benefits for organizations in becoming passwordless: it enhances overall efficiency, saves time, improves productivity, and provides greater ease of access. But, most importantly, passwordless authentication allows IAM leaders and users to access the cloud environment safely and securely.

Implement a Zero-Trust approach

The zero-trust approach is not new but has gained popularity as the threat landscape evolves. Organizations cannot have a robust IAM policy without a functional zero-trust architecture. The average cost of a data breach is $4.24 million, but the zero-trust model helps reduce the cost of a data breach by $1.76 million. Moreover, Gartner also predicts that ZTNA solutions will grow to $1.674 billion in 2025.

Zero-trust means continuously verifying authorized users as they move into the network and giving them the lowest privileges while accessing crucial documents and files. Zero trust within the cloud creates access measures to protect sensitive data and applications from unwarranted access.

The zero-trust architecture ensures that IAM policies are followed whenever the user accesses the organization's network and protects the cloud data. Successful zero-trust implementation for the cloud must begin with passive application observation. Companies must first monitor and determine the relationships between the apps and then enforce rules. In addition, enterprises should consider using other technologies like MFA, endpoint protection, micro-segmentation, and visibility and analytics to implement zero-trust systems.

Ensure compliance

IAM is designed to control users and protect their data, which can be achieved by meeting standard compliance requirements. Businesses often have regulatory requirements connected to the data they store either in the data warehouse or cloud data warehouse. They must report on their data access and use processes while complying with specific laws and regulations.

They face hefty fines, lawsuits, and penalties if they fail. For example, Twitter agreed to pay $150 million to settle allegations about its data privacy practices when the US alleged that Twitter collected users' contact information to show targeted ads.

Organizations that have not yet done so must strictly follow compliance regulations, including GDPR, SOX, HIPAA, and PCI-DSS, to ensure that data is not misused. Besides this, businesses must audit each user role and assign it to the appropriate data owner to keep checks and balances on compliance. In this way, companies can ensure compliance with regulations and oversight of data access.

Use appropriate DevOps tools

Data breaches occur because of human error or application flaws. Businesses also forget to maintain a record of unstructured or dark data, including files and documents downloaded and used for different purposes, credit card numbers, and social security numbers. Cyber-criminals take full advantage of such vulnerabilities and data, which can eventually result in a data breach.

Such events not only cause significant financial loss to the business but also result in loss of customers and brand reputation. DevOps teams and tools greatly help enterprises prevent data breaches and ensure no one can access sensitive data. By using various DevOps tools, businesses keep track of the unstructured data from the initial stage and boost the overall security level.

Deploy artificial intelligence

Cybercriminals have become more advanced and sophisticated than before. They are using new approaches and tactics to access the organizational network. Because of their progressive nature, even the security teams sometimes fail to recognize them. Hence, organizations have adopted Artificial Intelligence and Machine Learning technologies to implement IAM and reduce the threat vector effectively.

AI ensures improved security and maintains business integrity. Using AI technology like Robotic Process Automation (RPA) deeply monitors and reveals abnormalities in user behavior. Though an organization produces trillions of pieces of primarily unstructured data, the ML system scans all the data efficiently and prevents data leaks and breaches. Moreover, the AI system constantly monitors all behavior and ensures that verification of workers' access to network resources is continuous.

If, by any chance, threat actors gain access to the network by any backdoor, the AI system sends a quick alert to the IT department so they can take appropriate measures. Also, the system denies the access request and ensures the complete safety of the business data.

Centralize the organization's systems

Another best practice businesses can adopt to improve IAM is centralizing all network systems. It is an effective approach that provides more visibility and allows the security teams to detect and respond to cyber threats by letting all the users sign into a single authentication provider, which then propagates identity access across the apps and resources within the organization.

Moreover, with the centralized management system, it is easier to enforce policies like using secure passwords or multi-factor authentication to access the resources.

Additional best practices

Apart from the practices mentioned above, listed below are some common IAM practices businesses should not ignore. These include:

  • Ensure new applications from all sources are securely developed and onboarded. For this purpose, deploy API access control (authentication and authorization of APIs) as it is a crucial part of API security.
  • Authentication is vital for IAM; hence, use multi-factor authentication tools to authenticate the identity.
  • Remove unnecessary users from the network to reduce the risks of unauthorized access.
  • Regularly review and audit the IAM policies to ensure users are granted only the least privilege they need.
  • When an IAM account is no longer used, de-provision it immediately. This prevents hackers from stealing and misusing those credentials.

Final thoughts

Making a business compliant with identity and access management requires an in-depth understanding of who can access the sensitive data and which data is necessary for the workers. Staying informed and updated about the latest technological trends and IAM practices will further help improve the IAM infrastructure.

The post Key to success while implementing IAM- Best practices that every company should implement appeared first on Cybersecurity Insiders.

Most of the time, the advantages of technology overshadow the recognition of challenges. While IT/OT convergence has given a boost to industry, it brings many cybersecurity considerations. Due to a lack of legislation, best practices are filling the void. This article will give an overview of industrial cybersecurity best practices.

According to a survey presented by Veracode in 2022, more than 75% of all software applications have security flaws that can serve as a gateway to larger environments. With the spread of industrial IT (Information Technology) / OT (Operational Technology) integration, it means that almost every infrastructure is in possible danger of cyberattacks. 

The two sides of the IT/OT convergence coin

Industrial IT/OT convergence has been accelerated by the advantages it offers to the sector. These advantages have made production faster, cheaper, and more automated. The convergence has been advancing at such a pace that the flipside of its use was never given serious thought until recently. With the obvious advantages, challenges have surfaced as well. The need for a comprehensive solution has already appeared in recent years, but to this day, best practices remain the norm.

Best practices for IT/OT converged environment

During the years of broad-scale IT/OT implementation, operational and cybersecurity experience has been gathered. This serves as the basis for industrial best practices and their practical implementation, which ranges from recommendations to practical steps.

Regulations. Industrial regulations and legislation should set standards. Though there are some governmental initiatives – like Executive Order 14028 – for building an overall framework, the bottom-to-top need has already surfaced.

CIS Controls (Critical Security Controls) Version 8 is one of the comprehensive bottom-to-top cybersecurity frameworks most often referred to by legal, regulatory, and policy bodies. CIS Controls have been developed by the global IT community to set up practical cybersecurity measures. Each version is an evolution of the previous one, so the framework constantly evolves as practice and technological advancement require.

Zero Trust. In every critical infrastructure, the basic approach should be the “zero trust principle.” According to this notion, incoming data, outgoing data, users, and context should all be treated with the highest distrust.

Risk-based approach. It is a strategy that assesses hardware and software status to prevent cybersecurity risks and mitigate possible consequences of a breach. The process has several compliance points. These include device version and patching date checkup, finding security and safety issues, and revealing the exploitation history of applied devices.

The strategy is only effective if it is complemented by constant threat monitoring. That way, operators remain aware of system vulnerabilities when a system update is missing or delayed.

Passive scanning. It is the “listen, but don’t touch” method. Scanners watch the data traffic of the entire system from its perimeters. These are usually installed at routers that collect information at strategic listening points without interacting directly with the system. Because of this lack of direct intervention, passive scanning is usually used for monitoring sensitive environments.

The upside of passive scanning is that it understands the incoming and outgoing dataflows, monitors the entire system and the operating software, and can discover parts of the network. The downside is that the collectible information is limited, so there is little or no complete picture of the vulnerability status of the environment.
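The risk-based checks (device version and patch date) and the passive "listen, but don't touch" inventory from the two passages above, as an added example that is not from the original article: a constructed set of flow records from a listening point builds a host and service inventory without sending a single packet, a constructed asset register supplies firmware version and last patch date for the checks, and the downside of passive scanning shows up as a registered device that is never observed. IP addresses, the port-to-service mapping, device names, and dates are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed flow records as a passive sensor at a listening point might export
# them: (src_ip, dst_ip, dst_port, proto). Made-up addresses and traffic.
FLOWS = [
    ("10.1.0.5", "10.1.0.20", 502, "tcp"),   # HMI -> PLC, Modbus/TCP
    ("10.1.0.5", "10.1.0.21", 102, "tcp"),   # HMI -> PLC, S7comm
    ("10.1.0.5", "10.1.0.21", 102, "tcp"),
    ("10.1.0.30", "10.1.0.20", 502, "tcp"),  # host nobody registered, talking Modbus to a PLC
    ("10.1.0.5", "10.1.0.40", 443, "tcp"),   # HMI -> historian, HTTPS
]

# Well-known ports to service names; anything else is reported as proto/port.
PORT_SERVICE = {102: "s7comm", 443: "https", 502: "modbus", 20000: "dnp3"}

# Constructed asset register: ip -> (name, firmware version, last patch date).
ASSETS = {
    "10.1.0.5": ("hmi-01", "4.2.1", date(2022, 11, 15)),
    "10.1.0.20": ("plc-01", "2.8.0", date(2019, 6, 1)),
    "10.1.0.21": ("plc-02", "3.0.2", date(2022, 9, 30)),
    "10.1.0.22": ("plc-03", "3.0.2", date(2022, 9, 30)),  # silent during the capture
    "10.1.0.40": ("historian-01", "9.1", date(2022, 12, 1)),
}

TODAY = date(2023, 3, 1)  # assumed date of the assessment


def passive_inventory(flows):
    """Hosts and services seen on the wire; nothing is ever sent to the network."""
    connects_to = defaultdict(set)  # host -> {(peer, service)}
    serves = defaultdict(set)       # host -> {service} it was addressed on
    for src, dst, port, proto in flows:
        service = PORT_SERVICE.get(port, f"{proto}/{port}")
        connects_to[src].add((dst, service))
        serves[dst].add(service)
    hosts = set(connects_to) | set(serves)
    return {
        host: {
            "connects_to": sorted(connects_to.get(host, ())),
            "serves": sorted(serves.get(host, ())),
        }
        for host in sorted(hosts)
    }


def risk_findings(inventory, assets, today, max_patch_age_days=365):
    """Risk-based checks over what was observed: unknown hosts and stale patching."""
    findings = []
    for host, info in inventory.items():
        asset = assets.get(host)
        if asset is None:
            findings.append((host, "unregistered host observed", info["connects_to"]))
            continue
        name, firmware, patched = asset
        age = (today - patched).days
        if age > max_patch_age_days:
            findings.append(
                (host, f"{name} firmware {firmware} last patched {age} days ago", info["serves"])
            )
    return findings


def unseen_assets(inventory, assets):
    """Registered devices the passive view never saw: the blind spot of 'listen, but
    don't touch', which a longer capture or an active scan would have to cover."""
    return sorted(ip for ip in assets if ip not in inventory)


if __name__ == "__main__":
    inventory = passive_inventory(FLOWS)
    for finding in risk_findings(inventory, ASSETS, TODAY):
        print(finding)
    print("not observed:", unseen_assets(inventory, ASSETS))
```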

Active scanning. Scanners constantly monitor, evaluate, and assess the weak points of the environment. They can simulate attacks on the network to uncover hidden security gaps. Some active scanners are even able to resolve some discovered security issues.

On the flip side, these scanners only focus on certain points of the system and particular situations. They can easily overwhelm the monitored nodes, which can affect the speed, performance, and uptime of the given part of the system.

Conclusion

The takeaway message is that best practice solutions are not replacements for each other. They complement one another in an ideal industrial environment to fence off different attack vectors. Though each has its advantages and disadvantages, used as complementary solutions, their strengths can be combined while their weaknesses are alleviated. This way, the maximum possible protection can be achieved.

The post IT/OT convergence and Cybersecurity best practices appeared first on Cybersecurity Insiders.

Amazon Web Services (AWS) is home to almost a third of the world’s cloud clients and boasts extensive cybersecurity features; yet even Amazon is not immune to attack. The provider has been beset with outages this year, with industry authority Network World highlighting the recent Ohio outage, which lasted 75 minutes, as being of particular interest. While the reasons behind these outages will remain a closely guarded secret, they nevertheless raise the discussion of cyber-attacks. Could malicious actors have been responsible? What level of protection is available behind the scenes, and how far ahead of the game is Amazon? Finally, is AWS up to scratch for the next generation of web users?

Making the balance

AWS is an affordable option, but it nevertheless comes with overhead. With belts being tightened all over the USA and the rest of the world, businesses will necessarily be looking towards their web usage to try and generate new savings. For most businesses, optimizing AWS expenses is an effective way to do this, but it’s crucial to find those efficiencies in the right areas.

One area not to cut back on is cybersecurity. AWS is famed for its built-in security, and, as the internet society W3 highlights, that security works at scale. Leaving that in place is crucial. Instead of looking to economize on security, businesses should seek to find efficiencies by changing their billing profile, for instance by choosing between quota-based demand systems and more flexible plans that can benefit those businesses. Focusing cutbacks on demand and business priorities rather than on security is really important.

Extra layers of protection

There is a strong track record of data protection within AWS, but not necessarily within the wider Amazon setup. Indeed, as one Wired investigation showed, consumer data held in the same data centers as AWS assets has been compromised. However, this was not through external attacks but through unauthorized internal access.

As such, adding extra layers of protection onto the business side, and making use of enhanced security packages offered by AWS can ensure that data has multiple key levels of protection. This helps ensure that attacks are minimized and any successful breaches are managed immediately.

Ask for the best

Cyberattacks have been ramping up across the world, according to CNBC. As a result, Amazon and Microsoft have been hoovering up cybersecurity solutions and contractors in order to shore up their own defenses for AWS and Azure respectively.

This may result in new solutions being integrated into the AWS system and made available to customers, and you should be proactive in asking for these protections. It’s important that products are well tested and deployed, of course, to ensure their quality, but being in the cybersecurity vanguard within AWS will give your business an extra layer of quality and also help to build your reputation as a forward-thinking and well-protected enterprise. This can be absolutely crucial in the world of business, especially with cyberattacks becoming ever more frequent.

Data is the lifeblood of the business – when you protect it you protect the sustainability of the business and your future success. AWS does a lot to help with security, but no solution is without its flaws. As such, take a proactive approach to security measures within AWS, and constantly seek to apply new standards to gain advantage against cyber criminals and help to build your reputation as a forward-thinking business. These approaches are crucial in the ongoing fight against cyber-crime.

The post Working with AWS to secure your data against attack appeared first on Cybersecurity Insiders.

AT&T Cybersecurity received the Palo Alto Networks 2022 Partner of the Year Award for its managed security services at the annual Palo Alto Networks Ignite 2022 conference. The awards are presented to an elite group of Palo Alto Networks partners that have excelled in performance, enablement, and engagement over the past year.

In an era where security collaboration continues to grow in importance, AT&T Cybersecurity stressed the significance of its relationship with Palo Alto Networks. Danessa Lambdin, President of AT&T Cybersecurity explains:

As one of the largest MSSPs in the world, we are in a unique position to help secure innovation at scale and bring those lessons learned to our broader customer base. Our technology alliances are a fundamental part of evolving our cybersecurity services to meet our customer needs today and tomorrow. AT&T has long worked with Palo Alto Networks, building new services atop their technology platforms to meet tomorrow's security challenges, especially as customers move to the cloud and edge.

By maintaining a strong relationship with Palo Alto Networks, AT&T Cybersecurity is able to provide cutting-edge security products while leveraging its managed services to make security more accessible by offering training, consulting, and management. Don Jones, senior vice president of Ecosystems at Palo Alto Networks, states:

Palo Alto Networks partners share our vision of a world where each day is safer and more secure than the one before. Now more than ever, a trusted ecosystem of partners is essential to enabling organizations to easily, more confidently, and more securely transform. We’re proud to recognize AT&T Cybersecurity as Palo Alto Networks 2022 Partner of the Year and we look forward to our continued work together helping mutual customers achieve better security outcomes.

AT&T Cybersecurity combines cybersecurity with consulting services to help organizations meet their network transformation goals. With AT&T’s support, organizations can overcome resource obstacles and ease the burden on short-staffed in-house teams by working with AT&T’s cyber experts to identify and understand cybersecurity risks and exposures, making it safer for businesses to innovate through network resiliency.

For more information on AT&T Cybersecurity please visit this page. For more information on Palo Alto Networks, please visit this page.

The post AT&T Cybersecurity awarded the Palo Alto Networks 2022 Partner of the Year Award appeared first on Cybersecurity Insiders.