As we start a new year, let's think about how we can draw up a plan to exercise our cyber fitness and make it a culture that sticks. It's a critical time to get this done as we work toward a new era where we're breaking down silos, understanding the new ecosystem movement going forward and the edge computing phenomenon.

Communication, creativity, and empathy are crucial in shifting from what we call a “have-to” security mindset (i.e., “I have to take this precaution because IT said so”) to a “want-to” mindset, which suggests employee buy-in to a company's security policy beyond simply ticking off a to-do box or watching a training video.

Key considerations include:

  • Do we have top-down buy-in?
  • Are expectations communicated effectively?
  • Are we driving accountability?
  • Have we formed a good CRUST (Credibility & Trust)?

When we say, “security culture” and “we have a positive security culture,” what we perceive as security culture and what you think in your mind as security culture might be two very different things. The reason is our companies prioritize the accomplishment of security goals differently. Some basics involve patching and reducing the chances of being hit by phishing attacks, but the underlying reason why that happens differs among organizations. This article is intended to examine each of these questions and provide helpful tips for creating a culture of cybersecurity awareness. 

Top-down approach

Isn't security something we should all be thinking about, not just the CISOs? It's interesting how people don't want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen. But the reality is, within any organization, doing the right thing — whether that be security, keeping track of the money, or making sure that things are going the way you're expecting — is a responsibility shared across the entire organization.

That's something that we are now becoming more accustomed to. The security space realizes it's not just about the security folks doing a good job. It's about enabling the entire organization to understand what's important to be more secure and making that as easy as possible.

There's an element of culture change and of improving the entire organization. What's causing these softer approaches — behavior, culture, management, and attitude more important now? Is there something about security technology that has changed that makes us need to look at how people think? We're beginning to realize that technology is not going to solve all our problems.

So how do we create a top-down culture? The best recommendation would be to align business goals with good representation from multiple stakeholders, including the CEO, COO, IT Marketing, Finance, or business owner, depending on the size and structure of the firm.  

Appointing a “fall person” for security would make it challenging to foster a cybersecurity-aware culture.  Instead, identifying a lead such as a CISO, CIO, or security director and inspiring an organization-wide, strategically aligned program would promote the most significant outcome. At a minimum, form a small security committee represented by key stakeholders and empower the security leader to fully understand the business objectives and recommend the best protection methods.

kick start security culture

Kick Start your Security Culture

Communicate expectations

Once we have buy-in, it's time to communicate. What good is a cybersecurity policy if the people expected to follow it do not understand who, what, why, and how? The idea of sticking with “the policy states” only goes so far. Policies should be developed with the audience in mind, covering:

  • Purpose – why is the policy needed?
  • Objective – state the goal/what we want to accomplish.
  • Scope – what/who does the policy cover?
  • Roles & responsibilities – who is responsible, and what are their duties?
  • Penalties for non-compliance – why must the policy be followed?

To summarize – how will the effectiveness be measured? Understand baseline and encourage good behavior for reporting incidents

Everyone is accountable

Our primary goal in exercising cyber fitness is to raise awareness and understanding, measured by an increase in reported incidents and a decrease in actual events that are alleviated before they become incidents. It's essential to communicate the effectiveness and examples of accountability.

Some organizations utilize cybersecurity newsletters, while others make it a point to highlight via human resources or top-down communications. The key is to make it known that this is not another “mandatory training.” It's the standard, and we all have a stake in it.

Don't burn the CRUST

CRUST = Credibility and Trust. If we take a step back and ask, why do we even care about the security conversation? Security is one of the foundations of trust. No matter what companies we work for, we have some customers, someone that we serve, and customers need trust to make this transaction functional. Hence, an effective and successful company has a trust established with its customers and, in essence, its employees.

At the end of the day, when we're talking about building security in our companies, we're talking about building trust with our customers. Even if we look at ourselves and our spending habits, how many of us would choose to give our credit-card data to a company that's regularly getting hacked or has poor architectural choices where we don't trust our personal information? We don't. Or most of the time, we don't.

This is the foundation of why we're even having this conversation. When we think about building security in our organizations, that may mean different things to each of you. That could mean better architectural choices, products, threat modeling, processes, and reporting. It's the cultural foundation of how we make security decisions in our organization.

We must have accountability at all levels, and consistency is key to maintaining credibility and trust. If you attempt to bake a pizza without setting a timer or constantly monitoring it, your chances of burning the crust will drastically increase. It's great to take a similar approach with your organization. Look for ways to get feedback from employees and keep an open door for communication. Share feedback with your security committee and adjust accordingly. Remember to celebrate good behavior, communicate, and demonstrate examples of accountability.

We are the firewall

What began with a question ends with a statement, “WE are the firewall.” A culture built with top-down buy-in, accountability, and a good crust can be the foundation for employees to feel like they are part of something bigger and take pride in being the firewall. Though cybersecurity culture can sound intimidating, we can make headway as leaders now understand that the alternative threatens their bottom line.

As security becomes more integrated into businesses' day-to-day operations, we will continue to see a positive culture shift to reflect the common CISO phrase, “security is everyone's job.” The ultimate protection against cyber threats is that of instilling an organizational culture that is 'cybersecurity ready,' and that is knowledgeable and prepared to mitigate the risks at all levels of its strategy and operations.

The post Are WE the firewall? appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

With the explosive growth of technology, businesses are more vulnerable than ever to malicious cyber attacks. And as cybercriminals become more sophisticated, new methods of attack are popping up left and right.

To add fuel to the fire, the average cost of a data breach increased from $3.86 million to $4.24 million in 2021. That's costly enough to put most SMBs into the red. Not to mention the reputational damage it can cause for your brand.

Avoid this dreaded fate by protecting yourself against the latest cybersecurity developments — like Malware-as-a-Service (MaaS) — to protect your networks, data, systems, and business reputation.

If you've never heard of Malware-as-a-Service (MaaS) before, don't fret. This article is for you.

We'll teach you everything you need to know about Malware-as-a-Service and wrap it up by sharing some best practices for protecting your proprietary company data from potential threats.

Let's dive in.

What is Malware-as-a-Service (Maas)?

Malware-as-a-Service (MaaS) is a type of cyber attack in which criminals offer malware and deployment services to other hackers or malicious actors on the internet.

These services typically are available on the dark web. When purchased, a bad actor can carry out various malicious activities, such as stealing sensitive information, disrupting computer systems, or encrypting data and demanding a ransom to unlock it.

Some of the most common types of malware include the following:

  • Viruses: Programs that can replicate themselves and spread to other computers. They can cause various problems, such as disrupting computer operations, stealing information, or damaging files.
  • Trojan horses: These programs masquerade themselves as legitimate software but can carry out malicious activities, such as stealing data or giving attackers unauthorized access to a computer.
  • Worms: A self-replicating program that can spread across networks, disrupting computer operations and consuming network resources.
  • Adware: Software that displays unwanted advertisements on a computer. It can be intrusive and annoying and sometimes track a user's online activities.
  • Ransomware: Encryption of a victim's data with the demand for a ransom payment to unlock it. It can devastate businesses, resulting in losing important data and files.
  • Spyware: Software designed to collect information about a user's online activities without their knowledge or consent to steal sensitive information (like financial statements and passwords).
  • Bots: Often used in conjunction with other types of malware, such as viruses or worms. For example, a virus could infect a computer and then download and install a bot, which could carry out malicious activities on that computer or other computers on the network.

MaaS makes it easier for cybercriminals to launch attacks, as they can purchase and use pre-made malware without developing it themselves. This distinction can make it harder for law enforcement, cybersecurity experts, and IT teams to track down the people responsible for the attacks.

And sadly, cyber-attacks are industry agnostic. For example, in the transportation industry, cybercriminals exploit vulnerabilities of electronic logging devices and steal valuable information from cloud-connected trucks.

MaaS is also a significant threat to online job boards like Salarship, Indeed, UpWork, or any other platform where job applications are stored. Attackers can easily access the personal data of thousands or millions of people by targeting these sites.

The bottom line: As a business with priority company data, it's essential to be aware of the different types of malware and take the necessary precautionary steps to protect against these heinous services.

Ransomware-as-a-Service (RaaS) vs. Malware-as-a-Service (MaaS)

Ransomware falls under the umbrella of malware. But what's the difference between Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS)?

The main difference between MaaS and RaaS is the specific type of malware offered as a service. MaaS involves the development and deployment of any malware, while RaaS specifically consists of the development and deployment of ransomware.

Ransomware is a type of malware that restricts access to the infected computer system or its data and demands a ransom payment to regain access. It typically spreads through phishing emails, malicious websites, and targeted exploits.

MaaS and RaaS are online services on the dark web that make it easy for anyone with no experience or knowledge to launch an attack.

In some RaaS cases, the attackers may steal the victim's data and hold it for ransom, demanding payment to return it to the victim. Or the attackers may encrypt the victim's data and demand payment to unlock it without stealing it.

Regardless, the goal of ransomware is to make money by extorting the victim.

How to protect your business against MaaS

As malware becomes more sophisticated and accessible, it's imperative to have some defense programs in place that can offer your extra business protection against bad actors.

According to a recent study, 64% of Americans would blame the company, not the hacker, for losing personal data.

Thankfully, there are ways to lessen the impact. ​​A report from Cisco states that adhering to General Data Protection Regulations (GDPR) has been shown to minimize the effects of a data breach.

Why? Because if a company complies with the GDPR, attackers might not find any data to exploit. And with the help of a privacy policy generator, your business can be GDPR-compliant with the click of a button.

Here are a few additional steps that your business can take to protect itself from MaaS:

  • Implement strong network security measures, such as a web application firewall, intrusion detection, and secure passwords.
  • Regularly update and patch all software and operating systems to fix known vulnerabilities.
  • Educate employees about Malware-as-a-Service risks and how to avoid them, such as not opening suspicious email attachments or visiting untrusted websites.
  • Use reputable anti-virus and anti-malware software and regularly scan the network for signs of infection.
  • Back up any necessary data regularly so your business can quickly restore its operations if anything goes south.

One of your company's most significant assets is its data privacy and reputation, which directly affects how much your business is worth. So it's critical to protect it against MaaS with a strong and well-implemented cybersecurity plan.

Wrapping up

Cybercriminals no longer need a strong technical background to pull off a malicious hack. The MaaS model has made it possible for anyone to become a cybercriminal.

But that doesn't mean you have to avoid the internet forever — which is pretty challenging to do in today's day and age.

With preventative measures and a robust cybersecurity strategy, you can sleep soundly at night, knowing your company data is safe from a MaaS attack.

For more advice on staying secure online, check out the AT&T Cybersecurity blog for additional insight.

The post Understanding Malware-as-a-Service (MaaS): The future Of cyber attack accessibility appeared first on Cybersecurity Insiders.

In the first two blogs in this series, we discussed properly setting up IAM and avoiding direct internet access to AWS resources. In this blog, we’ll tackle encrypting AWS in transit and at rest.

Sometimes, despite all efforts to the contrary, data can be compromised.  This can occur due to data leakage through faulty apps or systems, by laptops or portable storage devices being lost, by malicious actors breaking through security defenses, by social engineering attacks, or by data being intercepted in man-in-the-middle attacks.  Fortunately, with adequate encryption measures in place, data exposures such as these can be nullified.  Simply put, when data is properly encrypted with industry approved algorithms, it can’t be deciphered.  The only way to make sense of encrypted data is by decrypting it with an encryption key that only trusted parties possess.  Let’s discuss how AWS makes it easy to encrypt data wherever it may be.

Encrypting data in transit

When you visit a website and see the small lock icon in the browser toolbar, it means that data being sent between your computer and the website host is secure.  If your data was intercepted by a malicious actor, they would not be able to decipher it since it is encrypted. 

Through an encryption process that is beyond the scope of this blog series, computers and website hosts negotiate the encryption algorithm and keys that are used during sessions.  Thus, since only the communicating computers and website hosts know the encryption keys in use, data is protected from prying eyes.  (Note: an exception to this statement is if the generation of encryption keys occurs over a publicly available Internet connection (e.g., coffee shop WiFi).  Cybercriminals could intercept this exchange of information and eavesdrop on your communication. That is why it is recommended to initiate a virtual private network (VPN) connection to a trusted provider before visiting websites when using a public Internet connection). 

AWS provides a convenient service to encrypt data in transit called Amazon Certificate Manager (ACM).  Per AWS, ACM “handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.”  What Is AWS Certificate Manager? – AWS Certificate Manager (amazon.com).  These X.509 certificates can be used with AWS ELBs, CloudFront, and Amazon API Gateway.  Consequently, all Internet bound traffic to and from these resources will be secure.

Furthermore, AWS can encrypt data in transit using X.509 certificates to AWS managed resources like S3 buckets.  However, to enable this feature policies may need to be updated to restrict HTTP and only permit HTTPS connectivity.  To see an example of how AWS S3 can enforce HTTPS connections, click here: Enforce TLS 1.2 or higher for Amazon S3 buckets

Now that we know how to encrypt data in transit, let’s move on to our final topic of discussion – encrypting data at rest. 

Encrypting data at rest

One of the easiest and most impactful security measures AWS has to offer is encrypting data at rest.  Literally, with a few clicks of the mouse, every major AWS service that stores data can be encrypted with default encryption keys that are owned and maintained by AWS.  The service used to perform these actions is called AWS Key Management Service (AWS KMS). 

Thus, if for some reason your data was exposed to the world, it would be illegible without the encryption key that only AWS can access on your behalf.  A quick Google search on the Internet will reveal that the amount of time used to crack a common AES-256 encryption key would take modern computers trillions of years – even with the world’s fastest supercomputers. 

If laws, regulations, or corporate policy require you to manage your own encryption keys, AWS has other options.  Through KMS, AWS customers can import their own key material for AWS to use for encryption on their behalf.  If customers do not want AWS to have any access to their encryption keys, AWS also offers hardware security modules (HSMs).  These can be provisioned and used like a utility with an hourly cost. 

AWS HSMs are certified as FIPS 140-2 compliant.  For those unfamiliar with this designation, it refers to rigorous testing to meet government approved security standards.  To learn more about AWS KMS click here: Key Usage — AWS Key Management Service — Amazon Web Services.  To learn more about AWS HSM, click here: Security HSM | AWS CloudHSM | Amazon Web Services

As such, considering the multitude of options and ease of use to encrypt data at rest, there simply is not an excuse to not encrypt data wherever it is stored. 

Tying everything together

In this article, we have discussed three easy steps every business or governmental entity can pursue to dramatically improve their AWS security posture.  As a recap, these steps are to 1) set up and use IAM properly, 2) avoid direct Internet access to vulnerable AWS resources, and 3) encrypt data in transit or at rest.  It goes without saying that these steps are not exhaustive.  They are merely the steps that this author believes to be the most impactful. 

Many other security mechanisms exist that AWS customers can pursue.  For more advanced AWS security help, you are encouraged to engage AT&T’s cybersecurity consulting division for support.  We are ready, willing, and able to help you with your AWS cybersecurity needs.  To get more information about AT&T cybersecurity consulting, please click here: Cybersecurity Consulting Services | AT&T Business (att.com)

Thank you for taking the time to read this blog series.  I sincerely hope you found it informative and useful. 

References:

AWS – https://aws.amazon.com

A Cloud Guru – https://acloudguru.com

The post Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest appeared first on Cybersecurity Insiders.

There is a possibility that artificial intelligence (AI) will have a significant influence, in either a good or bad direction, on cybersecurity. On the plus side, artificial intelligence (AI) can be used to automate and improve many parts of cybersecurity. AI can find and stop threats, find strange behavior, and look at network traffic, among other things. This might be a game-changer for the industry. On the other hand, artificial intelligence also creates new security holes and problems that must be fixed.

Processing massive volumes of data and seeing patterns that people would overlook are two of the primary advantages that artificial intelligence brings to the field of cybersecurity. This could be especially helpful for finding attacks like zero-day vulnerabilities and advanced persistent threats that are hard to see with standard security systems. Traditional security systems have a hard time spotting these kinds of threats. AI-driven systems can monitor network traffic in real-time and spot any strange behavior. This enables enterprises to take prompt action to thwart assaults.

AI could also be used to automate a lot of the day-to-day tasks that have to do with cybersecurity. This frees human analysts to work on more challenging and complex jobs. Because of this, businesses can make their security activities more effective and efficient. AI may be used, for instance, to monitor social media and other online sources for signs of possible danger. Some signs point to a new vulnerability or use dangerous hashtags on social media.

Still, bad things could happen when AI is used in cybersecurity. One cause for worry is the possibility that adversaries would use AI systems to carry out assaults that are both more complex and more precisely targeted. AI can, for example, make phishing emails that look real, find security holes automatically, and use them.

Another worry is that people with malicious intent might be able to take over or control AI-driven systems in some other way. If an AI system is hacked, it could use the security hole to get around security measures and get private information. This could have terrible consequences, such as confidential information theft or critical system failure.

Another worry is that AI-driven systems might come to the wrong conclusions or make mistakes when making decisions. For example, an AI system might mistakenly label a harmless file as malware, which could cause false positives and stop a business from running. On the other hand, an AI system can miss a real danger, resulting in a security breach.

To deal with these problems effectively, businesses must consider the risks and benefits of using AI in their cybersecurity efforts. This could mean putting in place extra security measures to protect AI systems and data and testing and updating these systems regularly to ensure they work as they should and are up to date.

Using AI raises several critical ethical questions and technological factors that need to be addressed regarding cybersecurity. For example, if artificial intelligence (AI) systems are trained on data that isn't representative of the whole population, they may have biases built in. This may result in some groups being unfairly treated. Organizations need to be aware of these problems and take steps to reduce the chances that they will have harmful effects.

It is expected that the use of artificial intelligence (AI) in cybersecurity will have a large and varied effect. AI has the potential to make security much better, but it also brings up new problems and risks that need to be handled with great care. By taking a comprehensive and proactive approach to AI and cybersecurity, organizations can ensure they are ready to control the changing threat environment and protect themselves from a wide range of threats. This strategy can protect against a wide range of attacks.

The post AI and Cybersecurity: Some observational implications of the intersection between the two appeared first on Cybersecurity Insiders.

In the first blog in this series, we discussed setting up IAM properly. Now we’re moving on to the second step, avoiding direct internet access to AWS resources.

When AWS resources like EC2 instances or S3 buckets are directly accessible via the Internet, they are vulnerable to attack.  For example, brute force attacks on SSH login, denial of service (DOS) attacks on server resources via Layer 3, 4, or 7 flooding, or the inadvertent disclosure of data on an S3 bucket.  Thankfully, AWS offers tools that can virtually eliminate each of these threats.  Let’s discuss how to protect resources that have traditionally been placed in the demilitarized zone (DMZ) of a public subnet.

Put all EC2 instances in private subnets

Despite the advent of network address translation (NAT) (i.e., the mapping of a public IP address to a private IP address), many businesses put publicly accessible resources in the DMZ.  This enables direct connectivity to resources by assigning public IP addresses to them.  In turn, through domain name system (DNS) resolution, website names are translated to these IP addresses which enables connectivity.  Ordinarily, resources placed in a DMZ are webservers.  Although some companies out of convenience, or lack of security awareness, will also place database, application, and file servers in the DMZ.  If adequate access control lists (ACLs) and security groups are not in place to restrict access by IP source, IP destination, protocol, and port number, these resources are vulnerable to attack. 

Fortunately, there is no longer a need to place EC2 instances in a public subnet.  This includes bastion hosts that are used to access EC2 instances in private subnets.  Rather than associate a public IP address with EC2 instances, an elastic load balancer (ELB) can be used instead. 

The ELB is a virtual appliance that terminates webserver bound traffic via a public IP address and passes that traffic to EC2 instances or corresponding containers, if applicable, that reside in a public subnet.  Neither the AWS customer using the load balancer, nor any external party can directly access the load balancer, so it is not vulnerable to attack.  Furthermore, depending on whether the traffic being terminated on the ELB is Layer 4 (Transport layer of the OSI) or HTTP (Layer 7), AWS offers two separate ELBs to accommodate the applicable traffic.  These ELB options are Network Load Balancer (Layer 4) and Application Load Balancer (Layer 7).  As the diagram and step-by-step description from AWS below reveals, virtualized server resources that reside in private subnets cannot be directly accessed by the outside world.    

Complete traffic flow diagram

The following diagram combines the inbound and return traffic flows to provide a complete illustration of load balancer routing.

AWS flow

  1. Traffic from the internet flows in to the Elastic IP address, which is dynamically created when you deploy an internet-facing Application Load Balancer.
  2. The Application Load Balancer is associated with two public subnets in the scenario that’s illustrated. The Application Load Balancer uses its internal logic to determine which target group and instance to route the traffic to.
  3. The Application Load Balancer routes the request to the EC2 instance through a node that’s associated with the public subnet in the same Availability Zone.
  4. The route table routes the traffic locally within the VPC, between the public subnet and the private subnet, and to the EC2 instance.
  5. The EC2 instance in the private subnet routes the outbound traffic through the route table.
  6. The route table has a local route to the public subnet. It reaches the Application Load Balancer on the node in the corresponding public subnet, by following the path back the way the traffic entered.
  7. The Application Load Balancer routes traffic out through its public Elastic IP address.
  8. The public subnet's route table has a default route pointing to an internet gateway, which routes the traffic back out to the internet.

Importantly, even with an ELB in place, it is imperative to configure appropriate ACLs and security groups.  Only legitimate traffic should be allowed in and out of the virtual private cloud (VPC).  If the load balancer improperly allows all traffic in and out of the private subnet where the EC2 instances reside, much of the benefit of restricting direct Internet access to them can be lost. 

Moreover, EC2 instances behind an ELB can still be vulnerable to Layer 3, Layer 4, or Layer 7 DoS attacks.  An ELB merely eliminates the ability for people from the Internet to directly access your instances.  To stop Layer 3 and Layer 4 Distributed Denial of Service (DDoS) attacks, AWS offers AWS Shield.  This service is offered at two levels – basic and advanced.  Basic service is free, and it monitors and restricts Layer 3 and Layer 4 traffic. Hence, before traffic ever hits your ELB, it is being monitored and filtered with AWS’ DDoS mitigation technology.  For advanced coverage and features, AWS offers AWS Shield Advanced for an additional cost.  With Shield Advanced, you have access to a 24/7 AWS Shield Response Team, advanced reporting, and cost protection associated with the increase of AWS resources used during an attack.  You can learn more about AWS Shield here: Managed DDoS protection – AWS Shield Features – Amazon Web Services

For Layer 7 DoS mitigation, AWS offers a Web Application Firewall (WAF).  Per AWS, this service “lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs…  In addition, AWS WAF makes it easy to create rules that block common web exploits like SQL injection and cross site scripting.”  If your business utilizes AWS Shield Advanced, AWS WAF is included in the monthly cost.  You can learn more about AWS WAF here: Features – AWS WAF – Amazon Web Services (AWS).

Notably, some DoS events are not malicious but are rather the result of a company’s web services going viral.  If too much traffic hits all at once, content can be inaccessible.  For both static and dynamic content, AWS offers a content delivery network (CDN) called CloudFront.  Thus, rather than scale your EC2 instances behind an ELB vertically or horizontally for increased demand, content can be offloaded to CloudFront where it is cached and, if need be, made globally available.  This protects your virtualized server resources and your wallet, too.  You can learn more about AWS CloudFront here: Low-Latency Content Delivery Network (CDN) – Amazon CloudFront – Amazon Web Services

How to securely access EC2 instances in private subnets

Up to this point, we have discussed how you can protect your EC2 instances from being accessed from the outside world.  Rightfully so, you may be wondering how systems administrators can access instances to manage them if there is no public IP address for SSH or RDP connectivity?  Normally, a bastion host would be provisioned in a public subnet for access to resources in a private subnet.  However, by provisioning an EC2 instance in a public subnet as a bastion host, no matter how hardened the instance is, it is creating an unnecessary vulnerability. 

The simple remedy to getting access to EC2 instances in private subnets is AWS Systems Manager.  There is no need to open SSH or RDP ports in the private subnet either.  Through the AWS console, AWS can programmatically establish SSH or RDP access to EC2 instances.  Without SSH or RDP ports open, even if an internal EC2 instance was compromised, it would not be possible for a malicious actor to capitalize on stolen key pairs to access an instance or perform a brute force attack on the root account either.  Accordingly, the only users permitted to access the EC2 instance, would be those users with the appropriate IAM user, group, or role permissions.  To learn more about AWS Systems Manager, click here: Centralized Operations Hub – AWS Systems Manager – Amazon Web Services

Finally, you may also be wondering how EC2 instances in a private subnet can access the Internet for software downloads, patches, and maintenance if they do not have a public IP address?  Previously, for instances in private subnets to access the Internet, an EC2 NAT instance in a public subnet would need to be provisioned.  Internet bound traffic from instances in the private subnet would be routed through the NAT instance. 

However, like bastion hosts, EC2 NAT instances pose unnecessary security risk.  The solution to routing Internet based traffic to and from instances in private subnets is by using AWS NAT Gateways.  Like ELBs, NAT Gateways are virtualized appliances that are not accessible to AWS customers, or external parties.  Unlike NAT instances, they are not provisioned with predefined CPU, RAM, and throughput either.  Rather, they scale dynamically to handle whatever workload is thrown at them.  Consequently, EC2 instances in private subnets can securely access the Internet without the threat associated with a NAT instance in a public subnet. To learn more about AWS NAT Gateways, click here: NAT gateways – Amazon Virtual Private Cloud

Now that we have learned how to protect EC2 instances and vicariously the services that leverage them like containers, applications, and databases, let’s discuss how to secure S3 Buckets.

Keep S3 buckets private or restrict public access using CloudFront.

Over the years, many news stories have revealed the blunders of companies that publicly expose their customers’ data by publishing it in public S3 buckets.  As anyone who has recently provisioned an S3 bucket will know, AWS has made it exceedingly difficult to repeat this error.  With warning prompts and conspicuous red, “danger, Will Robinson!” icons, AWS lets you know when an S3 Bucket is public. 

For obvious reasons, data that companies do not want the whole world to know should never be placed in a public S3 bucket.  This includes personally identifiable information (PII), health information, credit card account details, trade secrets, and any other proprietary data.  Even with encryption in place, which we will discuss in Step 3, there is no reason to ever make this type of data publicly available. 

For S3 data that is publicly available, direct access to the objects should be restricted.  There are a few reasons why.  First, entities may not want their customers to access objects with the AWS S3 URL.  Instead, they may want their customers to access objects using their custom domain.  Second, entities may not want their customers to have unlimited access to S3 objects.  Instead, they may prefer to use pre-signed URLs to limit how long end users can access objects.  Finally, entities may not want to pay unnecessary costs for end users reading or downloading S3 objects directly from a bucket.  The remedy to these problems is to make public S3 buckets accessible only via CloudFront. 

This is achieved by configuring S3 to only accept GET or POST requests from CloudFront.  Hence, objects in a public S3 bucket are inaccessible to the outside world.  To learn more about AWS CloudFront and S3 Bucket integration, click here: Restricting access to an Amazon S3 origin – Amazon CloudFront

Now that we know how to properly secure EC2 instances and S3 buckets by restricting direct access via the Internet, the next, and last blog in this series will discuss our final step – encryption. 

The post Improve your AWS security posture, Step 2: Avoid direct internet access to AWS resources appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Apple is typically known for its minimal design, user-friendly UI, and hardware. But, the success of their products, especially iPhones, has long relied upon timely cybersecurity updates and their effectiveness. The prolonged support that they promise to their devices, in addition to hardware, also revolves around the OS and security updates.

That’s why you may still see security updates for older devices that aren’t upgradable to iOS 16 still being released. We’ll talk about a few latest security updates that have recently surfaced because of known and unknown vulnerabilities.

However, as a user, you may like to know how these updates are prioritized and why you should update your devices regularly.

Every vulnerability that has been detected gets ranked by a Common Vulnerability Scoring System (CVSS) and is denoted by a CVE serial number (CVE-Year-XXXXXX) that is used to track its status. For example, the log4j vulnerability, which impacted millions of systems worldwide, was ranked 10 out of 10. The updates are prioritized and released depending on that score. 

iOS 15.7.2 security update

The major security updates of iOS 15.7.2 are discussed below.

AppleAVD (Malicious Video File)

With a CVSS score of 7.8 and regarded as a high risk, AppleAVD vulnerability (CVE-2022-46694) increases the potential risk of a malicious video file writing out-of-bound and executing kernel code. Although user interaction is required for the vulnerability to be efficacious, risky downloaded videos may present issues with privacy and cybersecurity with this. The vulnerability was patched with improved input validation.  

AVEVideoEncoder (Kernel Privileges)

Like AppleAVD, AVEVideoEncoder vulnerability (CVE-2022-42848) also has a 7.8 CVSS score. However, the difference between these two is the AVEVideoEncoder vulnerability is related to an app that can access kernel privileges through user interaction and execute arbitrary code to jeopardize user security. The issue was fixed with improved checks.  

File System (Sandbox Issue)

In cybersecurity, sandbox defines a virtually isolated environment to run, observe, and analyze code. Typically, sandboxing is facilitated to imitate user interaction without involving active users. However, in complex operating systems like iOS, each app is caged in its own sandbox to limit its activity. The File System Vulnerability (CVE-2022-426861) revolves around malicious apps breaking out of the sandbox and executing kernel code. As it doesn’t require user interaction to act maliciously, it has a very high CVSS rating of 8.8. The issue was patched with improved checks. This vulnerability is one of the most critical reasons why you should stay updated with the latest iPhone releases.

Graphics Driver (Malicious Video File, System Termination)

With a medium CVSS rating of 5.5, the CVE-2022-42846 Graphics Driver vulnerability is capable of terminating systems through buffer overflow with malicious video files crafted for that particular purpose. Although user interaction is required, the impact of such attacks has severe implications on user experience and integrity. The issue was patched in the security update 15.7.2 with improved memory handling.

libxml2

libXML2 is generally used for parsing XML documents that transport text files containing structured data. This particular vulnerability with libxml2 (CVE-2022-40304) is assigned a CVSS base score of 7.8 and is capable of corrupting a hash table key—ultimately leading to logic errors—making the programs behave arbitrarily. This issue had occurred due to an integer overflow and was mitigated through improved input validation. 

WebKit (Processing Malicious Web Content)

Websites without security certifications and compliances often contain malicious codes that may lead to cybersecurity issues. As these malicious actors do their best to hide the fact, this particular WebKit issue (CVE-2022-46691) comes with a CVSS score of 8.8 and is considered a direct threat to the security of iPhones and iPads. This was patched in the latest update through improved memory handling.

iOS 16.2 security update

Most of the updates mentioned in the 15.7.2 update are also present in the 16.2 security patch released on 13th December 2022 for devices like the Apple iPhone 14 Plus. We won’t be discussing them again unless there is a major difference present in how the vulnerability was patched.

Accounts (Unauthorized User Access)

The CVE-2022-42843 vulnerability, AKA Accounts, is a 5.5-grade low-level issue that has been patched in the 16.2 security update. The issue mainly revolves around users viewing sensitive information of other users. While it has a high confidentiality impact, it doesn’t particularly affect the integrity of the apps or the database. The issue was fixed through improved data protection measures.

AppleMobileFileIntegrity (Bypass Privacy Preferences)

Privacy is considered paramount for iPhones. Although still a medium risk (5.5) vulnerability, the AppleMobileFileIntegrity issue (CVE-2022-42865) was prioritized in the recent updates due to apps using this to bypass privacy preferences and breach user confidentiality. This issue was fixed by enabling hardened runtime that prevents code injection, process memory tampering, and DLL hijacking.

CoreServices (Removal of Vulnerable Code)

Owing to the close nature of Apple, the CoreServices update (CVE-2022-42859) doesn’t specify any major changes that were made to the codes, but it promises to have removed a piece of vulnerable code that could enable an app to bypass privacy preferences to jeopardize confidentiality. The CVSS score is a medium 5.5 for this update.

GPU Drivers (Disclose Kernel Memory)

An issue with the GPU drivers in the CVE-2022-46702 vulnerability was detected for a malicious app to be able to disclose kernel memory. Kernel memory is strictly local memory loaded in the physical device's RAM. As user interaction is required for the app to act maliciously, a medium 5.5 CVSS score was given. The issue was fixed to better memory handling.

ImageIO (Arbitrary Code Execution)

Mostly related to iCloud, but also seen in iOS itself, ImageIO issue with CVE-2022-46693 was detected to empower malicious files to execute arbitrary code. It was given a high CVSS score of 7.8 due to the arbitrary nature of the vulnerability. However, it requires user interaction, like locating and downloading that file(s). This out-of-bound issue was mitigated through improved input validation.

The bottom line

As you may already have understood, these updates are critical for your device to function securely and keep you safe from identity thefts and literal monetary risks. As these vulnerabilities are often made public for development purposes, malicious criminals often try to target devices that are yet to be updated. Therefore, you shouldn’t wait even a single day to install them.

The post How do the latest iPhone updates address Cybersecurity issues? appeared first on Cybersecurity Insiders.

Telephony fraud is a significant challenge. Companies of all sizes and industries are subjected to the malicious usage of voice and SMS with the intent of committing financial fraud, identity theft, denial-of-service, and a variety of other attacks. Businesses that fall victim to fraud can incur significant financial losses, irreparable damage to their reputation, and legal implications. Detection of and preventing fraud can be a complex and time-consuming process, requiring businesses to devote significant resources to protect themselves. Some common challenges that companies face when it comes to fraud include the following:

  • Swiftly adapting to constantly evolving fraud tactics: Fraudsters are always searching for innovative ways to carry out their schemes. Therefore, businesses must be hyper-aware in identifying and addressing potential threats.
  • Balancing the need for security with customer convenience: Businesses must balance protecting themselves against fraud and providing a seamless customer experience. This can be particularly challenging in the digital age, as customers expect fast, convenient service.
  • Investing in fraud prevention solutions and skilling up human resources: To stay ahead of fraudsters, organizations may need to invest in technology solutions, such as fraud detection software or security protocols, to help identify and prevent fraudulent activity. Such solutions are often expensive and may require hiring dedicated employees to manage and maintain these toolsets.
  • Mitigating the aftermath of a fraud incident: If a business or its customers fall victim to a fraud campaign, this organization must be prepared to not only address the immediate financial losses but also work to repair any damage to its reputation and restore customer trust. Such an endeavor is often a time-consuming and costly process.

Vishing

As mentioned above, telephony fraud can consist of voice fraud and SMS fraud sub-categories. Voice fraud, also known as vishing or voice phishing, involves criminals leveraging voice calls or voice messaging to social engineer potential victims into divulging sensitive information or making payments. In this type of attack vector, the malicious actor often attempts to mask their identity through spoofing, which involves alternating caller-ID information to make the communication appear legitimate.

The attacker may also utilize voice manipulation software or even voice impersonation to mask their identity and solicit a target into taking a specific action, such as revealing sensitive data or even transferring bank funds over to the attacker. In such unfortunate scenarios, Vishers may pretend to be an individual from a legitimate organization, such as a trusted individual, a company/business, or a government agency, and request personal information or login credentials.

vishing flow

Some of the voice fraud challenges that companies may face include the following:

  • Spoofed caller IDs: Criminals can use spoofed caller IDs to make it appear as if the call is coming from a legitimate source, such as a bank or government agency. This can make it difficult for companies to identify fraudulent calls and protect their customers from these scams.
  • Automated voice messages: Criminals can also use automated voice messages to deliver phishing scams. These messages may ask the recipient to call a specific number to update their account information or resolve an issue. Still, the call leads to a scammer trying to steal sensitive information.
  • Social engineering tactics: Criminals may use social engineering tactics, such as creating a sense of urgency or playing on the recipient's emotions, to convince them to divulge sensitive information or make a payment.

Smishing

Smishing is a phishing scam involving using text messages to perform various social engineering attempts to convince victims to reveal sensitive information or persuade them to make fraudulent transactions. Smishing scams often involve fake websites or phone numbers, and they may be disguised as legitimate texts from banks, government agencies, or other trusted organizations.

Smishing attacks can be challenging to detect because they often use familiar logos, language, and tone to make the message appear legitimate. Some common tactics used in smishing attacks include:

  • Asking for personal information: Smishers may ask for personal information, such as passwords or credit card numbers, under the pretense of verifying account information or completing a transaction.
  • Offering fake deals or prizes: Smishers may send texts offering fake deals or prizes to lure people into revealing sensitive information or making fraudulent transactions.
  • Scare tactics: Smishers may send texts threatening to cancel accounts or take legal action unless sensitive information is provided.

Overall, fraud attacks can have serious consequences. If your organization falls victim to a fraud campaign, there may be severe financial loss, damage to brand reputation, data breaches, and disruption to your everyday operations. The event in which a data breach occurs can lead to identity theft of your employees and customers and the leak of proprietary information owned by your company, which can cause long-term financial and legal implications. Therefore, we recommend that organizations take the following steps to protect themselves against telephony fraud:

  • Educate employees: Train employees to recognize the signs of voice and SMS fraud and to be cautious when giving out sensitive information or making financial transactions over the phone.
  • Implement two-factor authentication: Leverage two-factor authentication to verify the identity of employees and customers when they access sensitive information or make financial transactions.
  • Use anti-phishing software: Use anti-phishing software to protect against phishing scams, including smishing attacks.
  • Monitor your phone bills: Regularly review phone bills for unusual charges or suspicious activity, which may result from a malicious actor spoofing your telephone number.
  • Secure communication platforms: Use secure communication platforms, such as encrypted messaging apps, to protect against voice and SMS fraud.
  • Invest in fraud detection solutions to identify and act upon fraudulent calls
  • Monitor for suspicious activity: Organizations can use tools to monitor suspicious activity, such as unexpected changes in calling patterns or unusual requests for information.

By following these best practices, businesses can reduce the likelihood of a telephony fraud disaster.

If you are an individual who is looking to safeguard yourself from such attacks:

  • Be vigilant of the types of commonly used scams and how to recognize them.
  • Never give out personal information or make financial transactions over the phone unless you are sure you are dealing with a legitimate entity.
  • Use strong passwords and enable two-factor authentication whenever possible to protect against unauthorized access to your accounts.
  • If you receive a suspicious phone call, hang up and verify the call's legitimacy before providing any information. You can do this by looking up the phone number online or contacting the organization directly using a phone number you know is legitimate.
  • Be cautious of unsolicited phone calls, especially if the caller requests personal information or tries to rush you into making a decision.
  • Report any voice fraud to the authorities and relevant organizations, such as your bank or credit card company. This can help to prevent others from falling victim to similar scams.

Overall, it is imperative to have a multi-layered approach to combat telephony fraud. This should include an effective monitoring solution to identify anomalies in voice and SMS traffic patterns and the ability to detect and act upon suspicious activity quickly.

AT&T Cybersecurity Consulting offers a telephony fraud management program that will equip your organization with unique visibility into your voice and SMS traffic, allowing you to observe daily traffic flow across your network. As a result, your organization will be able to understand established baselines of “normal” traffic originating from your network.

AT&T Cybersecurity Consulting will actively monitor your network traffic to pinpoint deviations from your baseline traffic patterns to quickly identify malicious activity or robocall campaigns spoofing your organization's telephone numbers. If such an anomaly is detected, the AT&T Cybersecurity Consulting team will notify your team with a report containing the observed activity and then present your team with options for responding to the anomaly. Options for response will include but are not limited to blocking traffic from transiting over the AT&T network, as well as requesting a traceback to determine the originating source of the spoofed traffic.

For more information about our telephony fraud management service, please forward any inquiries to caas-voicefraud@list.att.com.

The post Telephony fraud and risk mitigation: Understanding this ever-changing threat appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization.

The initial actions to take in the event of a ransomware attack

  • Disconnect the affected devices from the network as soon as possible. This can help to prevent the ransomware from spreading to other computers or devices.
  • Determine what data has been affected and assess the extent of the damage.
  • Determine the specific type of ransomware virus that has infected your devices to understand how this malware operates and what steps you need to take to remove it.
  • It is important to notify all employees about the ransomware attack and instruct them not to click on any suspicious links or open any suspicious attachments.
  • Consider reporting the attack. This can help to increase awareness of the attack and may also help to prevent future attacks. Please note that in some regions, business owners are required by law to report an attack.

Do not rush into a decision. Take the time to carefully evaluate your options and the potential consequences of each of them before deciding whether to pay the ransom or explore other solutions.

Paying the ransom is not the only option. Consider exploring other solutions, such as restoring your data from backups. If you do not have backups, cybersecurity experts may be able to help you recover your data since many ransomware strains were decrypted and keys are publicly available.

Strategies cybercrooks employ to obtain funds from victims swiftly

Cyber extortionists use various tactics beyond just encrypting data. They also use post-exploitation blackmail methods to coerce victims into paying them. Very often, cybercriminals use several extortion tactics simultaneously. Some examples of these tactics include:

  • Steal and disclose

Cyber extortionists not only encrypt victims' data but also often steal it. If the ransom is not paid, the stolen files may be made publicly available on special leak websites, which can cause severe damage to the victim's reputation and make them more likely to give in to the attackers' demands.

  • Destroy keys if a negotiation company intervenes

Some ransomware authors have threatened to delete the private keys necessary for decrypting victims' data if they seek the help of a professional third party to negotiate on their behalf.

  •  Launch a DDoS attack

Ransomware attackers often threaten to flood the victim's website with a large volume of traffic in an effort to put it down and intimidate the targeted company into paying the ransom faster.

  • Cause printers to behave abnormally

Some hackers were able to take control of the printers and print ransom notes directly in front of partners and customers. This provides a high level of visibility for the attack, as it is difficult for people to ignore the ransom notes being printed.

  • Use Facebook ads for malicious purposes

Criminals have been known to use advertising to gain attention for their attacks. In one instance, ransomware developers used Facebook ads to shame their victim by highlighting the organization's weak defenses.

  • Stir up anxiety among customers

Ransomware authors may send intimidating emails to the customers of major companies whose data was compromised. The emails threaten to leak the recipients' data unless the affected organization pays the ransom. The attackers encourage the recipients to pressure the affected companies to make the payment quickly.

Do not try to handle the situation on your own

Although ransomware is a trend in the world of cyber-attacks, hackers are not always successful in obtaining the ransom. They constantly have to develop new methods to replenish their arsenal of extortion techniques.

To make life as difficult as possible for hackers, the main thing to do is not to try to act alone. There are well-established mechanisms to counter extortionists.

Do seek professional assistance from others, even if it means losing some or all of your data. There are plenty of organizations and resources that can provide professional assistance and guidance. Some potential options include:

  • Cybersecurity experts: These professionals can provide specialized expertise and assistance with recovering your data, as well as advice on how to prevent future attacks.
  • Computer emergency response teams: Many countries and regions have organizations known as CERTs that assist with responding to and recovering from cyber incidents, including ransomware attacks.
  • Ransomware recovery services: Some companies specialize in helping organizations recover from ransomware attacks and can provide a range of services, including data recovery, threat assessment, and ransomware negotiation.
  • Law enforcement: In many cases, it may be appropriate to involve law enforcement agencies. They can help with investigations, help recover data, identify and prosecute the attackers.

It is essential to carefully research and evaluate any resources or services you consider using. Seek advice from multiple sources to find the best way out.

Before negotiations

It is generally not recommended to negotiate with ransomware attackers or pay the ransom. Doing so can encourage further ransomware attacks. Paying the ransom not only supports the attackers' criminal activity but also puts your organization at risk of being targeted again.

Keep in mind that there is no guarantee that the attackers will actually provide the decryption key – even if you do pay the ransom. Therefore, it is important to weigh the risks and potential consequences carefully before deciding to pay.

Ransomware attacks and payments are often carried out anonymously, using encrypted communication channels and cryptocurrency. Hackers usually provide an encrypted chat or email service for communication. Try to negotiate additional channels and means of communication with the adversary. Try to establish a line of communication with the attackers that involves mutual trust (as much as possible in this situation.)

If you decide to negotiate with the attackers and pay the ransom, it is important to keep a record of all communications, including any instructions for paying the ransom. This information may be helpful for law enforcement and cybersecurity experts who are investigating the attack.

Ask the attackers to demonstrate the decryption key and show that it actually works by decrypting several random files. This can help you ensure that you are dealing with the actual attackers and not a third party.

Research the attackers and their past behavior. If the attackers have been known to negotiate or provide the decryption key after receiving payment in the past, this may help to increase your confidence in the negotiation and may also give you leverage to negotiate a lower amount.

Tips for negotiating with the attackers

If you have exhausted all other options and have determined that paying the ransom is the only way to recover your data, here are a few tips for negotiating with the hackers:

  1. The attackers may try to pressure you by threatening to destroy or leak data, but it is important not to let this influence your decision. Do not show any signs of desperation or urgency. Remain calm and composed all the time.
  2. Do not reveal whether or not you have cyber insurance.
  3. Do not offer to pay the entire ransom upfront. Instead, consider offering to pay a small portion of the ransom upfront, with the remainder to be paid after the decryption key has been provided and you have successfully decrypted all data.
  4. Consider offering to pay the ransom in a cryptocurrency that you already have and is less commonly used or even less easily traced. This can make it more difficult for the attackers to convert the ransom into actual money and may make them more willing to negotiate a lower amount.
  5. Consider offering to publicize the attack and the ransom negotiation in order to put pressure on the attackers. This can make it more difficult for the attackers to extort other victims in the future and may make them more willing to negotiate a lower ransom amount.
  6. If the attackers have already agreed to negotiate the ransom amount and have lowered the price, you may try to push for a further reduction by continuing to negotiate and offering a lower amount. However, keep in mind that the attackers are likely to have a minimum amount that they are willing to accept, and it may not be possible to push them to lower the price further.

Be prepared to walk away from the negotiation if the attackers are unwilling to compromise or if the terms they offer are unacceptable, even if it entails losing your data.

How to prevent ransomware attacks

It is always good to focus on preventative measures to avoid falling victim to ransomware in the first place. Here are some tips in this regard:

  1. Implement a robust cybersecurity policy that includes regular software updates and the use of security software.
  2. Educate your employees about the risks of ransomware and how to protect against it, such as not opening attachments or clicking on links from unfamiliar sources.
  3. Take care of backups and implement a disaster recovery plan to ensure that you can restore your data if it becomes encrypted.
  4. Use strong, unique passwords and employ MFA where possible.
  5. Consider purchasing cybersecurity insurance to protect your company against financial losses resulting from a ransomware attack.

The post The dos and don’ts of ransomware negotiations appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Identity and access management has emerged as an essential security element for organizations. A study reveals that 80% of global IT decision-makers have already adopted or are planning to adopt an IAM solution in the upcoming years.

IAM refers to business policies, processes, and technologies to control unauthorized data and digital systems access. Two IAM approaches are widely known, one for the cloud and the other for on-premises. The cloud based IAM practices are fast-growing because the demand for cloud adoption has increased over time.

With the right IAM solutions and techniques, IT managers and businesses control users' access to sensitive business data within their networks. In addition, these solutions help protect organizations from cyber-attacks; they become more efficient, reduce IT operational costs, and improve user experience.

Six best IAM practices that organizations must not neglect

The IAM framework means using the right solution to implement user authentication and privileges policies. In addition, with IAM, companies demonstrate that any data is not misused, and they comply with government regulations.

For all these characteristics, businesses are increasingly adopting IAM solutions, and their demand will undoubtedly be high in the upcoming time. It's also estimated that the IAM market will grow to $15.3 billion by 2025.

The organization needs to use the right IAM tools and practices to reap the most benefits from the IAM solution. The six best IAM practices that every business should incorporate into its security strategy are as follows:

Adopt passwordless authentication

Many data breaches occur because of weak or stolen credentials. Threat actors can use advanced tools and tactics to steal and break passwords.

Organizations need a secure identity management system to prevent bad actors from breaking in and stealing credentials that can result in breaches such as the Lapsus$ attack or the Colonial Pipeline ransomware attack. Organizations eliminate password issues by choosing passwordless authentication to protect vital business data and ensure that only authentic people access it.

Passwordless authentication enables users to authenticate their identity without entering a password. There are various benefits for organizations to become passwordless- it enhances the overall efficiency, saves time and productivity, and provides greater ease of access. But, most importantly, passwordless authentication allows IAM leaders and users to access the cloud environment safely and securely.

Implement a Zero-Trust approach

The zero-trust approach is not new but has gained popularity as the threat landscape is evolving. Organizations cannot have a robust IAM policy without a function zero-trust architecture. The average cost of a data breach is $4.24 million, but the zero-trust model helps reduce the cost of a data breach by $1.76 million. Moreover, Gartner also predicts that the ZTNA solutions will grow to $1.674 billion in 2025.

Zero-trust means continuously verifying authorized users as they move into the network and giving them the lowest privileges while accessing crucial documents and files. Zero trust within the cloud creates access measures to protect sensitive data and applications from unwarranted access.

The zero-trust architecture ensures that IAM policies are followed whenever the user accesses the organization's network and protects the cloud data. Successful zero-trust implementation for the cloud must begin with passive application observation. Companies must first monitor and determine the relationship between the apps and then enforce rules. In addition, enterprises consider using other technologies like MFA, endpoint protection, micro-segmentation, and visibility and analytics to execute zero-trust systems.

Ensure compliance

IAM is designed to control users and protect their data, which can be achieved by meeting standard compliance requirements. Businesses often have regulatory requirements connected to the data they store either in the data warehouse or cloud data warehouse. They must report on their data access and use processes while complying with specific laws and regulations.

They must face hefty fines, lawsuits, and penalties if they fail. For example, Twitter agreed to pay $150 million to settle allegations of its data privacy practices when the US alleged Twitter for collecting users' contact information to show targeted ads.

Organizations that haven't yet must strictly follow compliance regulations, including GDPR, SOX, HIPAA, and PCI-DSS, to ensure that data is not misused. Besides this, businesses must audit each user role and assign them to the appropriate data owner, to keep a check and balance on the following compliance. In this way, companies can ensure compliance regulations and surveillance of data access.

Use appropriate DevOps tools

A data breach occurs because of human error or when application flaws occur. Businesses also forget to maintain a record of unstructured or dark data, including files and documents downloaded and used for different purposes, credit cards, and social security numbers. Cyber-criminals take complete advantage of such vulnerabilities and data that can eventually result in a data breach.

Such events not only cause significant financial loss to the business but also result in loss of customers and brand reputation. DevOps teams and tools greatly help enterprises prevent data breaches and ensure no one can access sensitive data. By using various DevOps tools, businesses keep track of the unstructured data from the initial stage and boost the overall security level.

Deploy artificial intelligence

Cybercriminals have become more advanced and sophisticated than before. They are using new approaches and tactics to access the organizational network. Because of their progressive nature, even the security teams sometimes fail to recognize them. Hence, organizations have adopted Artificial Intelligence and Machine Learning technologies to implement IAM and reduce the threat vector effectively.

AI ensures improved security and maintains business integrity. Using AI technology like Robotic Process Automation (RPA) deeply monitors and reveals the abnormalities in user behavior. Though an organization produces trillions of primarily unstructured data, the ML system scans all the data efficiently and prevents data leaks and breaches. Moreover, the AI system constantly monitors all behavior and ensures that verifying workers' access to network resources is continuous.

If, by any chance, threat actors gain access to the network by any backdoor, the AI system sends a quick alert to the IT department so they can take appropriate measures. Also, the system denies the access request and ensures the complete safety of the business data.

Centralize the organization's systems

Another best practice businesses can adopt to improve IAM is centralizing all network systems. It is an effective approach that provides more visibility and allows the security teams to detect and respond to cyber threats by letting all the users sign into a single authentication provider, which then propagates identity access across the apps and resources within the organization.

Moreover, with the centralized management system, it is easier to enforce policies like using secure passwords or multi-factor authentication to access the resources.

Additional best practices

Apart from the practices mentioned above, listed below are some common IAM practices businesses should not ignore. These includes:

  • Ensure new applications from all sources are securely developed and onboarded. For this purpose, deploy API access control (authentication and authorization of APIs) as it is a crucial part of API security.
  • Authentication is vital for IAM; hence, use multi-factor authentication tools to authenticate the identity.
  • Remove unnecessary users from the network to reduce the risks of unauthorized access.
  • Regularly review and audit the IAM policies to ensure they are granted the least privilege.
  • When an IAM account is not used, immediately de-provisioned it. This prevents any hackers from stealing and misusing those credentials.

Final thoughts

Making a business compliant with identity and access management requires an in-depth understanding of who can access the sensitive data and which data is necessary for the workers. Staying informed and updated about the latest technological trends and IAM practices will further help improve the IAM infrastructure.

The post Key to success while implementing IAM- Best practices that every company should implement appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Most of the time, the advantages of technology overshadow the recognition of challenges. IT/OT convergence has given a boost to the industry, there are many cybersecurity considerations. Due to a lack of legislation, best practices are filling the void. This article will give an overview of industrial cybersecurity best practices.

According to a survey presented by Veracode in 2022, more than 75% of all software applications have security flaws that can serve as a gateway to larger environments. With the spread of industrial IT (Information Technology) / OT (Operational Technology) integration, it means that almost every infrastructure is in possible danger of cyberattacks. 

The two sides of the IT/OT convergence coin

Industrial IT/OT convergence has been accelerated by the advantages it offers to the sector. These advantages have made production faster, cheaper, and more automated. The convergence has been advancing at such a pace that the flipside of its use has never been given serious thought until recently. With the obvious advantages, challenges have surfaced as well. The need for a comprehensive solution has already appeared in recent years, but until this day, best practices are routine.

Best practices for IT/OT converged environment

During the years of broad-scale IT/OT implementation, operational and cybersecurity experience has been gathered. This serves as the basis for industrial best practices and their practical implementation, which ranges from recommendations to practical steps.

Regulations. Industrial regulations and legislation should set standards. Though there are some governmental initiatives – like Executive Order 14028 – for building an overall framework, the bottom-to-top need has already surfaced.

CIS Controls (Critical Security Controls) Version 8 is one of those comprehensive cybersecurity bottom-to-top frameworks that are the most often referred to by legal, regulatory, and policy bodies. CIS has been developed by the global IT community to set up practical cybersecurity measures. Each version is an evolution of the previous, so it is constantly evolving as practice, and technological advancement require it.

Zero Trust. In every critical infrastructure, the basic approach should be the “zero trust principle.” According to this notion, entering data, and exiting data, users, and context should be treated with the highest distrust.

Risk-based approach. It is a strategy that assesses hardware and software status to prevent cybersecurity risks and mitigate possible consequences of a breach. The process has several compliance points. These include device version and patching date checkup, finding security and safety issues, and revealing the exploitation history of applied devices.

The strategy is only effective if it is completed with constant threat monitoring. In this case, operators are aware of system vulnerabilities if there is no or a delayed system update.

Passive scanning. It is the “listen, but don’t touch” method. Scanners watch the data traffic of the entire system from its perimeters. These are usually installed at routers that collect information at strategic listening points without interacting directly with the system. Because of this lack of direct intervention, passive scanning is usually used for monitoring sensitive environments.

The upside of passive scanning is that it understands the entering and exiting dataflows, monitors the entire system and the operating software, and can find parts of the network. The downside is that the collectible information is limited, so there is little or no complete picture of the vulnerability status of the environment.

Active scanning. Scanners constantly monitor, evaluate, and assess the weak points of the environment. They can simulate attacks on the network to uncover hidden security gaps. Some active scanners are even able to resolve some discovered security issues.

On the flip side, these scanners only focus on certain points of the system and particular situations. They can easily overwhelm the monitored nodes, so it can affect the speed, performance, and uptime of the given part of the system.

Conclusion

The takeaway message is that best practice solutions are not replacements for each other. They complement one another in an ideal industrial environment to fence off different attack vectors. Though each has its advantages and disadvantages, used as complementing solutions, their strengths can be combined while weaknesses alleviated. This way the possible maximum protection can be achieved.

The post IT/OT convergence and Cybersecurity best practices appeared first on Cybersecurity Insiders.