
Today, SC Media announced the winners of its annual cybersecurity awards for excellence and achievements.

At AT&T Cybersecurity we are thrilled that AT&T Alien Labs was awarded Best Threat Intelligence in this prestigious competition. The Alien Labs team works closely with the Open Threat Exchange (OTX), an open and free platform that lets security professionals easily share, research, and validate the latest threats, trends and techniques.

With more than 200,000 global security and IT professionals submitting data daily, OTX has become one of the world’s largest open threat intelligence communities. It offers context and details on threats, including threat actors, organizations and industries targeted, and related indicators of compromise.

The full list of winners is here.

The post AT&T Cybersecurity wins SC Media Award for Best Threat Intelligence appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Uncertainty looms large on the horizon as businesses deal with the difficulties of a downturn in the economy. Financial limitations, workforce reductions, and rising cyber threats exacerbate the complexity of such times. Organizations must prioritize their core competencies in this constantly changing environment while protecting their valuable assets from potential risks. By utilizing managed security services, organizations can achieve this delicate balance. This article explores why organizations should use managed security services during economic downturns to reduce uncertainty and potentially dangerous cybersecurity risks.

Cost-effectiveness in a time of hardship

Economic downturns frequently force businesses to review their spending and find cost-saving opportunities. Maintaining an internal security team can be expensive, mainly when there are financial limitations. Managed security services, however, offer a more affordable option. Organizations can access top-tier security expertise without the expense of full-time staffing by outsourcing their security operations to specialized providers.

Providers spread the cost of analysts, tooling and infrastructure across many clients, and those economies of scale lower the cost per organization, which makes the model attractive to businesses trying to stretch their budgets during challenging economic times.

Scalability to meet changing needs

During recessions, the economic environment is frequently erratic, which causes changes in business operations and staffing. Organizations require a security solution that can change with the needs of the environment. Managed security services can scale up or down with an organization's needs, so it receives the level of security it requires without spending more than necessary.

Managed security services providers can modify their services as necessary, whether by growing operations to take advantage of new opportunities or shrinking operations to save money. Thanks to this scalability, organizations can remain flexible and responsive to the demands of a volatile market.

Unwavering focus on core competencies

In tough economic times, organizations must put their core competencies first to survive and thrive. Building and maintaining an internal security team can take time and money away from crucial business operations. Managed security services allow companies to outsource security-related tasks to professionals, freeing internal staff to concentrate on their core competencies and increasing overall effectiveness and productivity.

In addition to ensuring security is a top priority, outsourcing security-related tasks frees up business executives’ time to focus on essential decision-making procedures, long-term planning, and promoting growth even during trying times.

24/7 Monitoring and rapid response

Cyber threats abound in the digital world, and the risk of attacks frequently increases during recessions. Hackers try to take advantage of weak defenses by finding vulnerabilities. Managed security services give businesses 24-hour monitoring and quick response options.

Managed security service providers can identify potential threats early on and take proactive measures to prevent or mitigate attacks by continuously monitoring the organization’s infrastructure and data. Even during economic uncertainty, quick response times are essential for minimizing the effects of security incidents and maintaining business continuity.

Access to cutting-edge technologies

Fortifying an organization’s defense against changing cyber threats requires cutting-edge cybersecurity technologies and tools. However, buying and keeping up with these technologies can be expensive, especially in tough times. Managed security service providers invest in modern security solutions, making them available to their clients without a sizable initial outlay.

Organizations can benefit from the most recent developments in cybersecurity, such as sophisticated threat detection systems, artificial intelligence-based analysis, and strong encryption technologies, by collaborating with managed security services. Thanks to access to cutting-edge tools, businesses can maintain an advantage in the never-ending struggle against cyber adversaries.

Risk reduction and compliance support

Data breaches are more likely to occur during economic downturns because bad actors expect to find weaknesses created by logistical and financial difficulties. Managed security service providers help identify and address those weaknesses, which significantly reduces an organization's exposure.

Furthermore, adherence to industry regulations and data protection laws is essential even in challenging economic times. Managed security service providers frequently have a great deal of experience dealing with compliance requirements, ensuring businesses comply with their legal obligations regardless of their financial situation.

Incident response and recovery expertise

Cyberattacks can affect any company in some capacity. An incident response plan that has been carefully thought out is essential in the unfortunate event of a security breach or cyber incident. Managed security service providers have the specialized knowledge to handle these circumstances skillfully.

These service providers can react to security incidents quickly, contain the breach, and start the recovery process thanks to their extensive knowledge and experience. A well-planned response can reduce the harm brought on by cyberattacks and hasten the return to regular operations.

Continuous improvement and threat intelligence

New threats are constantly emerging, changing the cybersecurity landscape. By regularly updating their skills and knowledge, managed security service providers stay on the cutting edge of this rapidly evolving industry.

They gain knowledge of the most recent attack vectors and vulnerabilities thanks to their access to threat intelligence and collaboration with numerous clients from various industries. With this knowledge, managed security service providers can promptly implement security improvements and proactively bolster their clients’ defenses.

Conclusion

Managed security services are an effective choice for businesses seeking to cross treacherous terrain during uncertain economic times. Companies that use these services gain access to scalable, cost-effective security expertise and a laser-like focus on their core competencies. Managed security services’ 24-hour monitoring and quick response capabilities offer critical resilience against cyber threats required to protect priceless assets. The benefits of managed security services are further supported by access to cutting-edge technologies, compliance support, incident response know-how, and continuous threat intelligence improvement.

Turning to managed security services is a strategic move that promises stability and resilience in a cybersecurity landscape that is constantly changing as organizations deal with the uncertainties of difficult economic times. By adopting this strategy, businesses can strengthen their defenses and concentrate on their primary goals, ready to face challenges and become stronger after the recession.

The post Navigating economic uncertainty with managed security services appeared first on Cybersecurity Insiders.


Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computer’s volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs.

Volatility Workbench, a powerful tool built on the Volatility Framework, is specifically designed to simplify and enhance the process of memory forensics. This article explores the capabilities of Volatility Workbench, highlighting its importance in uncovering critical evidence and facilitating comprehensive memory analysis.

Understanding Volatility Framework:

Volatility Framework is a robust tool used for memory analysis. It operates through a command-line interface and offers a wide range of commands and plugins. It enables investigators to extract essential data from memory dumps – including running processes, network connections, and passwords. However, it requires technical expertise to utilize effectively.

Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Volatility framework can be downloaded here. The Volatility Foundation provides these tools.

Introducing Volatility Workbench:

Volatility Workbench is a user-friendly graphical interface built on the Volatility Framework. It simplifies memory analysis by providing a visual interface that is more accessible, even for users with limited command-line experience. With Volatility Workbench, investigators can perform memory analysis tasks without the need for extensive command-line knowledge. Volatility Workbench can be downloaded here.

One of the key advantages of Volatility Workbench is its user-friendly interface, designed to simplify the complex process of memory forensics. Investigators pick the memory image, the operating system and the plugin from menus, and each plugin's output is shown alongside a description of what the plugin does, which makes the results easier to interpret than raw command-line output.

The initial interface when the Volatility Workbench is started looks like this:

Volatility Workbench main screen

The Volatility Workbench offers options to browse and select memory dump files in formats such as *.bin, *.raw, *.dmp, and *.mem. Once a memory dump file is chosen, the next step is to select the platform or operating system that the system being analyzed is using.

memdump screen of Volatility Workbench

Once the memory image file and platform are selected, click Get Process List in Volatility Workbench.

It scans the image to build the process list. When that finishes, choose a plugin from the Command drop-down; the plugin's description appears in the pane beside it.

When Get Process List is finished, the interface looks like this:

Volatility Workbench command descriptions

Now we can select the command we want to use – let’s try using the command drop down menu.

Drop-down commands in Volatility Workbench

Voila, we have commands available for analyzing the Windows memory dump.

Let's try malfind, the plugin that lists process memory ranges that potentially contain injected code.

Passmark popup in Volatility Workbench

The image above shows the selected command and its description. The drop-down beside it lets you restrict the plugin to specific process IDs, which narrows the output to the processes you are interested in.

Malfind command screen in Volatility Workbench

Run malfind to list those regions. It takes some time, since the plugin walks the address space of every process in the image.

process ranges identified by malfind command

Analyzing the malfind output requires technical skill, knowledge of malware behavior, and an understanding of memory forensics; keeping those skills current and using available reference material improves your ability to separate real injection from benign runtime memory.

Start with the process that owns each flagged region and decide whether it is expected on this host; cross-reference unfamiliar names against known-good process lists and research them further if necessary. Then look at the region itself: a private region with PAGE_EXECUTE_READWRITE protection that begins with an MZ header points to a manually mapped or reflectively loaded image, and a region that opens with a recognizable stager prologue points to injected shellcode. Bear in mind that JIT compilers, browsers and script hosts legitimately create executable private memory, so every hit needs this context before it is treated as malicious.
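The reasoning above can be turned into a repeatable scoring pass over the columns malfind reports. The following Python is an added example written for this article, not code from Volatility Workbench or the Volatility Framework; the region records are transcribed by hand from malfind-style columns, and the JIT-host allow-list and the stager byte prefixes are assumptions chosen for the demonstration and should be tuned to your own baseline.

```python
"""Triage helper for malfind findings. Added example for this article; it is
not part of Volatility Workbench or the Volatility Framework.

malfind reports VAD regions that are executable, private (not file-backed) and
committed at runtime, with a hexdump of their first bytes. A MalfindRegion
carries those columns; the sample regions are constructed for the demo."""

from dataclasses import dataclass, field

# Processes that legitimately create RWX private memory (JIT compilers and
# script hosts). Assumed baseline for this example; adjust to your estate.
KNOWN_JIT_HOSTS = {"chrome.exe", "msedge.exe", "firefox.exe", "w3wp.exe", "java.exe"}

# Byte prefixes that are strong shellcode signals at the start of a region
# (Metasploit-style stager prologues).
SHELLCODE_PREFIXES = {
    b"\xfc\x48\x83\xe4\xf0": "x64 stager prologue (cld; and rsp, -16)",
    b"\xfc\xe8": "x86 stager prologue (cld; call)",
}


@dataclass
class MalfindRegion:
    pid: int
    process: str
    start: int
    end: int
    protection: str   # e.g. PAGE_EXECUTE_READWRITE, as malfind prints it
    private: bool     # PrivateMemory column
    head: bytes       # first bytes of the region, from the hexdump


@dataclass
class Finding:
    region: MalfindRegion
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def assess(region: MalfindRegion) -> Finding:
    """Score one region; a higher score means more worth a manual look."""
    f = Finding(region)
    if region.protection == "PAGE_EXECUTE_READWRITE":
        f.add(2, "RWX protection")
    if region.private:
        f.add(1, "private memory with no backing file")
    if region.head[:2] == b"MZ":
        f.add(4, "PE header in private memory (reflective or manually mapped image)")
    for prefix, label in SHELLCODE_PREFIXES.items():
        if region.head.startswith(prefix):
            f.add(4, label)
    if region.process.lower() not in KNOWN_JIT_HOSTS:
        f.add(1, f"{region.process} is not a known JIT host")
    if all(b == 0 for b in region.head):
        f.add(-2, "region starts with zeros (unused reservation?)")
    return f


def triage(regions, threshold: int = 5):
    """Findings at or above the threshold, highest score first."""
    found = [assess(r) for r in regions]
    return sorted((f for f in found if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample regions in the shape malfind reports them.
SAMPLE_REGIONS = [
    MalfindRegion(1234, "svchost.exe", 0x1E0000, 0x1E0FFF, "PAGE_EXECUTE_READWRITE", True,
                  b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    MalfindRegion(2200, "chrome.exe", 0x2B10000, 0x2B1FFFF, "PAGE_EXECUTE_READWRITE", True,
                  b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20\x8b\xf9\x48\x8b\xda\xe8"),
    MalfindRegion(900, "explorer.exe", 0x3F0000, 0x3F0FFF, "PAGE_EXECUTE_READWRITE", True,
                  b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51"),
    MalfindRegion(1500, "notepad.exe", 0x7FF60000, 0x7FF60FFF, "PAGE_EXECUTE_READ", False,
                  b"\x00" * 16),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REGIONS):
        r = f.region
        print(f"[{f.score}] {r.process} (pid {r.pid}) {r.start:#x}-{r.end:#x}: "
              + "; ".join(f.reasons))
```

On the constructed sample the svchost.exe region (MZ header in private RWX memory) and the explorer.exe region (x64 stager prologue) surface for review, while the chrome.exe RWX region is scored below the threshold because Chrome is on the JIT allow-list and the bytes look like ordinary compiled code. The scores are a starting point for the manual review the article describes, not a verdict.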

Some of the features of Volatility Workbench:

  • It streamlines memory forensics workflow by automating tasks and providing pre-configured settings.
  • It offers comprehensive analysis capabilities, including examining processes, network connections, and recovering artifacts.
  • It seamlessly integrates with plugins for additional analysis options and features.
  • It lets you generate comprehensive reports for documentation and collaboration.

Conclusion

By leveraging the capabilities of the underlying Volatility Framework, Volatility Workbench provides a streamlined workflow, comprehensive analysis options, and flexibility through plugin integration. With its user-friendly interface, investigators can efficiently extract valuable evidence from memory dumps, uncover hidden activities, and contribute to successful digital investigations. Volatility Workbench is an indispensable tool in the field of memory forensics, enabling investigators to unravel the secrets stored within a computer’s volatile memory.

The post Volatility Workbench: Empowering memory forensics investigations appeared first on Cybersecurity Insiders.

Cybersecurity as a competitive advantage

The economy is on the minds of business leaders. C-suites recognize survival depends upon the ability to safeguard systems and information. They must redesign for resilience, mitigate risk, strategically deploy assets and investments, and assign accountability. Do more with Less is the ongoing mantra across industries in technology and cyberspace.

As senior leaders revisit their growth strategies, it’s an excellent time to assess where they are on the cyber-risk spectrum and how significant the complexity costs have become. Although these will vary across business units, industries, and geographies, now for cyber, there is a new delivery model with the pay-as-you-go and use what you need from a cyber talent pool availability with the tools and platform that enable simplification.

Enter the Cybersecurity as a Service consumption model

CSaaS, or Cybersecurity-as-a-service, is a subscription-based approach to cybersecurity that offers organizations cybersecurity protection on demand. It is a pay-as-you-go model with a third-party vendor, where services can vary and be tailored to the organization’s needs. These services can include threat monitoring, compliance with industry standards, employee training, and penetration testing, which simulates an attack on the network.

One of the main advantages of CSaaS is that it takes the burden off the business to maintain a cybersecurity team, which can be challenging to hire today. It also allows organizations to scale as their business grows without needing to keep recruiting and hiring cybersecurity professionals.

Not all CSaaS vendors are created equal

When choosing a CSaaS vendor, several factors must be considered to ensure that you select the right one for your business. These factors include:

  • Technical expertise and depth of services: Look for a vendor offering a comprehensive range of cybersecurity services beyond penetration testing.
  • The reputation of the CSaaS: Check if the vendor has experience in your industry and if they have customers like your business. Also, ensure that they are financially stable.
  • Size of the CSaaS: Make sure that the vendor can scale with your business needs as you grow.
  • Terms and conditions of the relationship: Read the small print to understand all the details in various scenarios. Understand their policies and procedures.
  • Cost and fee structure: Ensure that the vendor’s pricing model is transparent and that there are no hidden costs.
  • Tools and technology: Make sure the vendor’s technology is solid, and they use the latest tools to provide cybersecurity services.
  • Support: Check if the vendor can support your business 24×7, mainly if you operate in multiple time zones.
  • Regulatory compliance: Ensure the vendor can meet the regulatory compliance you need in your industry.

Considering these factors, you can choose a CSaaS vendor that meets your business needs and provides the protection required to keep your business safe from cyber threats.

Assess your unique cybersecurity needs

Different industries are at varying stages of maturity with digital transformation, and within each sector, some organizations have progressed much quicker than others. Therefore, it is vital to assess your organization’s specific cybersecurity requirements as it continues along the digital transformation path. That means it has never been more critical to work with a provider that suits your particular needs but can also cover a wide range of use cases.  

For more information on Cybersecurity-as-a-Service, check out the latest eBook written by an analyst from Enterprise Strategy Group, which shows the value of these subscription-based solutions and how working with a security provider like AT&T can help organizations achieve their security objectives and innovate faster.

The post Is Cybersecurity as a Service (CSaaS) the answer: Move faster | Do more appeared first on Cybersecurity Insiders.

The case for unified endpoint management and mobile threat defense

The evolution of endpoint management

Unified endpoint management (UEM) has played a significant role over the years in enabling companies to improve the productivity and security of their corporate mobile devices and applications. In the early days of endpoint management there were separate workflows and products for traditional endpoints, such as desktops and laptops, and for mobile devices. Over time, administrators grew frustrated with the number of tools they had to learn and manage, so vendors moved toward an integrated solution in which all endpoint devices, regardless of type, could be inventoried, managed, and given consistent policies through a single pane of glass.

Today, UEMs allow IT administrators to be more productive by enabling them to set and enforce policies as to the type of data and applications an employee can access, providing the administrators with granular control and more effective security. These UEM platforms boast security features including the ability to identify jailbroken or rooted devices, enforcing passcodes, and enabling companies to wipe the data from mobile devices in the event they become lost or stolen. In general, UEMs have and continue to play an integral part in improving the management and productivity of business-critical mobile endpoints. 

Possible avenues for attack

However, in today’s environment, companies are experiencing a significant rise in the number of sophisticated and targeted malware attacks whose goal is to capture their proprietary data.  Only a few years ago, losing a mobile device meant forfeiture of content such as text messages, photographs, contacts, and calling information. Today’s smartphones have become increasingly sophisticated not only in their transactional capabilities but also represent a valuable target, storing a trove of sensitive corporate and personal data, and in many cases include financial information. If the phone stores usernames and passwords, it may allow a malicious actor to access and manipulate a user’s account via banking or e-commerce websites and apps. 

To give you a sense of the magnitude of the mobile security issues:

Attack vectors come in various forms, with the most common categorized below:

Device-based threats – These threats are designed to exploit outdated operating systems, risky device configurations and jailbroken/rooted devices.

App threats – Malicious apps can install malware, spyware or rootkits, or share information with the developer or third parties unbeknownst to the user, including highly sensitive business and personal data.

Web and content threats – Threats may be transmitted via URLs opened from emails, SMS messages, QR codes, or social media, luring users to malicious websites.  These websites may be spoofed to appear like a legitimate site requesting payment details or login credentials. Other websites may include links that will download malware to your device.

Network threats – Data is at risk of attack via Wi-Fi or cellular network connections.  Attacks can come in the form of man-in-the-middle attacks or rogue access points enabling hackers to capture unencrypted data.     

Enter mobile threat defense

While UEM can inventory assets, offer employees a more consistent experience, and push updates, its threat detection capabilities are limited. As malware attacks grow more sophisticated, UEM platforms alone are insufficient to detect or prevent them.

To address these attacks, more companies are adopting mobile threat defense solutions that work in tandem with their UEM subscriptions. Mobile threat defense (MTD) enables companies to identify and block mobile threats across most, if not all, attack vectors. The following outlines how mobile threat defense protects against the four main categories of mobile device threats:

Device-based threats – Continuous evaluation of user and device risk posture, with the ability to keep jailbroken or rooted devices, devices running an outdated OS, and devices with risky configurations off the network.

App threats – Continuous scanning for malware, spyware, trojans and side-loaded apps, with real-time alerts and on-device remediation.

Network threats – Detection of man-in-the-middle attacks, rogue access points and other network-level attacks, with remediation guidance; many MTD agents also report missing OS security patches as part of the device's risk posture.

Web and content threats – Alerts users to phishing attempts arriving by email, SMS, or the browser and, depending on the MTD's features and capabilities, blocks malicious websites.

Use cases

Remote payment processing

Companies are beginning to increase flexibility and decrease time to revenue by offering mobile payments in the field. If mobile devices are part of the company's payment path, they require protection. Malicious actors may use man-in-the-middle attacks to intercept network transactions. Equally threatening are surveillanceware attacks that capture information during a transaction. Mobile threat defense will identify these attacks, alert the user, and, depending on the MTD solution's capabilities, block them.

Defend high-value targets against breach

Executives are commonly targeted because they have access to sensitive data (e.g., financial and strategic plans, customer data, and human resources information) and often use mobile devices while on the road. Attackers may deploy spear phishing and other targeted attack vectors against them. Such highly sensitive information warrants securing executives' devices. Mobile threat defense applications help the IT administrator identify these attacks and alert the user on their device.

Mobile threat defense vendors and solutions

There are a few mobile threat defense offerings to consider for their effectiveness against the threat vectors that target mobile devices.

IBM MaaS360 Mobile Threat Management: IBM recently introduced a new version of its mobile threat management application to complement its UEM offering. IBM MaaS360 Mobile Threat Management enables companies to detect, analyze and remediate enterprise malware on mobile devices. It provides SMS and email phishing detection, advanced jailbreak, root and hider detection with over-the-air updates for security definitions. Administrators can configure compliance policies based on these advanced threats and remediate vulnerabilities—improving the security of bring your own device (BYOD) and corporate-owned devices.

SentinelOne Mobile Threat Defense: This solution enables comprehensive, on-device, autonomous security for corporate-owned and personally owned BYOD devices that protects against modern day threats and exploits. The mobile agent detects application exploits in real-time, untrusted networks, man-in-the-middle attacks, system tampering, and delivers mobile phishing protection.

Lookout Mobile Endpoint Security: Lookout Mobile Endpoint Security (MES) positions itself as an advanced platform for mobile endpoint detection and response (EDR). It extends zero trust policies to any device with access to corporate data, evaluates the risk posture of every user and mobile device throughout their session, and automatically ends the session if the risk posture changes, informing both user and admin of the threat.

The post Mobile threat defense or bust appeared first on Cybersecurity Insiders.


Here’s how organizations can eliminate content-based malware in ICS/OT supply chains.

As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects.

A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack:

  • A backdoor known as “Sunburst” was inserted into a legitimately signed update of the SolarWinds Orion platform during the vendor's build process. (A second piece of malware found on some Orion servers, the “Supernova” web shell, was not delivered through the update and has been attributed to a different actor.)
  • As many as 18,000 customers installed the trojanized update, and the backdoor evaded the victims' security controls.
  • After a dormancy period, the malware contacted an Internet-based command and control (C2) server over what appeared to be a harmless HTTPS connection.
  • The C2 traffic was disguised to mimic legitimate Orion traffic, with commands hidden steganographically in otherwise benign-looking responses, making detection even more challenging.
  • The threat actors then used the backdoor to hand-pick a smaller set of victims, reported to number up to 200 organizations, for follow-on intrusion.

While this incident led to widespread IT infiltration, it did not directly affect OT systems.

In contrast, other attacks have had direct impacts on OT. In 2014, the Havex malware was distributed by trojanizing the software installers on several ICS vendors' download sites; once inside, it enumerated OPC servers and gathered intelligence about the OT network. This demonstrated how a compromised vendor product in the supply chain can reach OT.

Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems.

These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including:

  1. Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage.
  2. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points.
  3. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making.
  4. Access control challenges: Proper identity and access management within complex environments are crucial.
  5. Compliance with best practices: Adherence to guidelines such as NIST’s best practices is essential for resilience.
  6. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions.

Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems.

Supply chain defense: The power of content disarm and reconstruction

Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious.

What does CDR do?

In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety.

  • Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while maintaining full functionality.
  • Removes harmful elements: This process effectively removes any harmful elements, making it a robust defense against known and unknown threats, including zero-day attacks.

How does it work?

CDR’s effectiveness lies in its methodical approach to file handling, ensuring that no stone is left unturned in the pursuit of security.

  • Content firewall: CDR acts as a barrier, with files destined for OT systems relayed to external sanitization engines, creating a malware-free environment.
  • High availability: Whether on the cloud or on-premises in the DMZ (demilitarized zone), the external location ensures consistent sanitization across various locations.

Why choose CDR?

With cyber threats becoming more sophisticated, CDR offers a fresh perspective, focusing on prevention rather than mere detection.

  • Independence from detection: Unlike traditional methods, CDR can neutralize both known and unknown malware, giving it a significant advantage.
  • Essential for security: Its unique approach makes CDR an indispensable layer in critical network security.

CDR in action:

Beyond theory, CDR’s real-world applications demonstrate its ability to adapt and respond to various threat scenarios.

  • Extreme processes: CDR applies deconstruction and reconstruction to incoming files, disrupting any embedded malware.
  • Virtual content perimeter: Positioned outside the network, in the DMZ, it blocks malicious code entry through email and file exchange.
  • Preventative measures: By removing active content before a file reaches a user, CDR blocks the initial-access step of file-borne malware. Vendors report very high prevention rates against file-based attacks, but coverage depends on the file types the engine can parse and rebuild, so password-protected, encrypted or unrecognized files still need a separate handling policy.
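The deconstruct-and-rebuild step described above, shown on one concrete format. The following Python is an added example written for this article, not code from any CDR vendor, from NIST, or from the article's author: it treats a Word OOXML package as a zip of parts, copies only an allow-list of document parts into a freshly built archive, drops macros, embedded OLE objects and ActiveX controls along with the relationships that referenced them, and rewrites the macro content type so the result opens as a plain .docx. The allow-list and denied relationship types are an assumed policy, the sample document is constructed in memory, and a production engine would go further by parsing and re-serializing each XML part rather than copying it.

```python
"""Minimal content disarm and reconstruction (CDR) pass for Word OOXML packages.
Added example for this article, not code from any CDR vendor or from NIST.
Assumed policy: rebuild the container from an allow-list of document parts,
drop macros, embedded OLE objects and ActiveX controls, remove relationships
that pointed at them, and rewrite the macro content type to plain .docx."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Parts a plain Word document needs; macros, OLE, ActiveX and unknown parts are left behind.
ALLOWED_PARTS = [re.compile(p) for p in (
    r"^\[Content_Types\]\.xml$", r"^_rels/\.rels$", r"^docProps/(core|app)\.xml$",
    r"^word/(document|styles|settings|numbering|fontTable)\.xml$",
    r"^word/media/[^/]+\.(png|jpe?g|gif)$", r"^word/_rels/document\.xml\.rels$",
)]
# Relationship types that reference active or embedded content.
DENIED_REL_SUFFIXES = ("/vbaProject", "/oleObject", "/control", "/package")


def _allowed(name):
    return any(p.match(name) for p in ALLOWED_PARTS)


def _scrub_rels(xml_bytes):
    """Drop relationships to denied part types and to external targets other than hyperlinks."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(xml_bytes)
    for rel in list(root):
        rtype = rel.get("Type", "")
        external = rel.get("TargetMode") == "External" and not rtype.endswith("/hyperlink")
        if rtype.endswith(DENIED_REL_SUFFIXES) or external:
            root.remove(rel)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def _rewrite_content_types(xml_bytes, kept):
    """Keep overrides only for surviving parts; turn the macro main type into the plain one."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(xml_bytes)
    for el in list(root):
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "Override" and el.get("PartName", "").lstrip("/") not in kept:
            root.remove(el)
        elif tag == "Override" and el.get("ContentType") == MACRO_MAIN:
            el.set("ContentType", PLAIN_MAIN)
        elif tag == "Default" and el.get("Extension") == "bin":
            root.remove(el)  # no .bin part survives, so no default type for it
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def disarm_ooxml(data):
    """Return (rebuilt package bytes, names of the parts that were dropped)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = src.namelist()
    if "[Content_Types].xml" not in names or "word/document.xml" not in names:
        raise ValueError("not a Word OOXML package; refusing to pass it through")
    kept = [n for n in names if _allowed(n)]
    out = io.BytesIO()
    # A fresh archive rather than a patched copy of the input, so container-level
    # tricks (duplicate entries, trailing data) do not carry over.
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in kept:
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = _rewrite_content_types(body, set(kept))
            elif name.endswith(".rels"):
                body = _scrub_rels(body)
            dst.writestr(name, body)
    return out.getvalue(), [n for n in names if n not in kept]


def part_names(data):
    return sorted(zipfile.ZipFile(io.BytesIO(data)).namelist())


def part_text(data, name):
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


def build_sample_docm():
    """Constructed macro-enabled document for the demo; not a real file."""
    w = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": (
            f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/></Types>'),
        "_rels/.rels": (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        f'Type="{OD_REL}/officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": (f'<w:document xmlns:w="{w}"><w:body><w:p><w:r><w:t>Quarterly report'
                              '</w:t></w:r></w:p></w:body></w:document>'),
        "word/styles.xml": f'<w:styles xmlns:w="{w}"/>',
        "word/_rels/document.xml.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{OD_REL}/styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            f'<Relationship Id="rId3" Type="{OD_REL}/oleObject" Target="embeddings/oleObject1.bin"/></Relationships>'),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake VBA storage",
        "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0 fake OLE payload",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = disarm_ooxml(build_sample_docm())
    print("dropped:", dropped, "\nkept:", part_names(clean))
```

Two design points carry over to any real CDR deployment: the output is a new container built from parsed parts, never the original file with bad pieces removed, and anything the engine does not recognize (here, a package without the expected OOXML skeleton) is rejected rather than passed through, because a file the sanitizer cannot take apart is exactly the file that should not reach an OT network unexamined.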

Integration possibilities:

CDR technology can be seamlessly integrated into various network security modules.

  • Secure email gateways: Enhances email security by integrating with existing systems, providing an additional layer of protection.
  • USB import stations: Offers controlled access to USB devices, ensuring that only sanitized content is allowed.
  • Web-based secure managed file transfer systems: Enables comprehensive coverage of file transfers, ensuring sanitized content at every step.
  • Firmware and software updates: the aim is to cover every content gateway so that a ‘sterile area’ exists behind these modules, including the path by which updates arrive. Note that executables and firmware images cannot be rebuilt the way documents can; for those the gateway enforces policy (admit only vendor-signed packages whose signatures and hashes verify) rather than reconstructing the content.

NIST’s guidelines that call for the adoption of CDR

The National Institute of Standards and Technology (NIST) has outlined specific guidelines that highlight the importance of CDR. In the NIST SP 800-82 Revision 3 document, the emphasis on CDR’s role is evident:

1. Physical access control:

  • Portable devices security: Under the section ‘6.2.1.2 Physical Access Controls (PR.AC-2),’ the guidelines stress that organizations should apply a verification process to portable devices like laptops and USB storage. This includes scanning for malicious code before connecting to OT devices or networks, where CDR can play a vital role in ensuring safety.

2. Defense-in-depth strategy:

  • Multi-layered protection: Under section 5.1.2, the document defines defense-in-depth as a multifaceted strategy. It states: ‘a multifaceted strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.’ This approach is considered best practice in the cybersecurity field.
  • Widespread adoption: The quote continues, emphasizing that ‘Many cybersecurity architectures incorporate the principles of defense-in-depth, and the strategy has been integrated into numerous standards and regulatory frameworks.’ This highlights the broad acceptance and integration of this strategy in various cybersecurity measures.
  • OT environments: This strategy is particularly useful in OT environments, including ICS, SCADA, IoT, IIoT, and hybrid environments. It focuses on critical functions and offers flexible defensive mechanisms.
  • CDR’s role in defense: CDR is one such layer. It complements browser isolation, which keeps web content off the endpoint, by sanitizing the files that are downloaded or exchanged, so both the rendering path and the file-delivery path are covered. Its contribution across several layers of the organization makes it a valuable asset in the cybersecurity landscape.

Mitigating the risks

The SolarWinds breach was a frightening sign of what has already begun: a trojanized, validly signed software update was distributed to thousands of customers through a trusted supplier. With criminal groups capitalizing on the increasing cloud connectivity at ICS/OT sites, attacks that hit hundreds or even thousands of organizations simultaneously through one shared supplier are real risks we face today.

But amid these challenges, there is a solution for the file-borne part of that risk: CDR. This technology offers a robust defense against known and unknown malware carried in documents and other content, a shield against those who seek to exploit our interconnected world. In the ongoing battle against malware, CDR stands as a vigilant sentinel, ever ready to protect.

The post Battling malware in the industrial supply chain appeared first on Cybersecurity Insiders.

As cybersecurity becomes increasingly complex, having a centralized team of experts driving continuous innovation and improvement in the Zero Trust journey is invaluable. A Zero Trust Center of Excellence (CoE) can serve as the hub of expertise, driving the organization’s strategy in its focus area, standardizing best practices, fostering innovation, and providing training. It can also help organizations adapt to changes in the cybersecurity landscape, such as new regulations or technologies, ensuring they remain resilient and secure in the face of future challenges. The Zero Trust CoE also ensures that organizations stay up to date with the latest security trends, technologies, and threats, while constantly applying and implementing the most effective security measures.

Zero Trust is a security concept that continues to evolve but is centered on the belief that organizations should not automatically trust anything inside or outside of their perimeters. Instead, organizations must verify and grant access to anything and everything trying to connect to their systems and data. This can be achieved through a unified strategy and approach by centralizing the organization’s Zero Trust initiatives into a CoE. Below are some of the benefits realized through a Zero Trust CoE.

Zero Trust - advantages of using a center of excellence

A critical aspect of managing a Zero Trust CoE effectively is the use of Key Performance Indicators (KPIs). KPIs are quantifiable measurements that reflect the performance of an organization in achieving its objectives. In the context of a Zero Trust CoE, KPIs can help measure the effectiveness of the organization’s Zero Trust initiatives, providing valuable insights that can guide decision-making and strategy.

Creating a Zero Trust CoE involves identifying the key roles and responsibilities that will drive the organization’s Zero Trust initiatives. This typically includes a leadership team, a Zero Trust architecture team, an engineering team, a policy and compliance team, an education and training team, and a research and development team. These teams will need to be organized to support the cross-functional collaboration necessary for enhancing productivity.

A Zero Trust CoE should be organized in a way that aligns with the organization’s overall strategy and goals, while also ensuring effective collaboration and communication. AT&T Cybersecurity consultants can also provide valuable leadership and deep technical guidance for each of the teams. Below is an approach to structuring the different members of the CoE team:

teams within a zero trust COE

  • Leadership team: This team is responsible for setting the strategic direction of the CoE. It typically includes senior executives and leaders from various departments, such as IT, security, and business operations.
     
  • Zero Trust architects: This individual or team is responsible for designing and implementing the Zero Trust architecture within the organization. They work closely with the leadership team to ensure that the architecture aligns with the organization’s strategic goals.
     
  • Engineering team: This team is responsible for the technical implementation of the Zero Trust strategy. This includes network engineers, security analysts, and other IT professionals.
     
  • Policy and compliance team: This team is responsible for developing and enforcing policies related to Zero Trust. They also ensure that the organization complies with relevant regulations and standards.
     
  • Education and training team: This team is responsible for educating and training staff members about Zero Trust principles and practices. They develop training materials, conduct workshops, and provide ongoing support.
     
  • Research and lab team: This team stays abreast of the latest developments in Zero Trust and explores new technologies and approaches that could enhance the organization’s Zero Trust capabilities. AT&T Cybersecurity consultants, with their finger on the pulse of the latest trends and developments, can provide valuable insights to this team.

Each of these teams should have its own set of KPIs that align with the organization’s overall business goals. For example, the KPIs for the ‘Engineering Team’ could include the number of systems that have been migrated to the Zero Trust architecture, while the KPIs for the ‘Policy and Compliance Team’ could include the percentage of staff members who comply with the organization’s Zero Trust policies.

Monitoring and evaluating these KPIs regularly is crucial for ensuring the effectiveness of the CoE. This should be done at least quarterly but could be done more frequently depending on the specific KPI and the dynamics of the organization and the cybersecurity landscape. The results of this monitoring and evaluation should be used to adjust the CoE’s activities and strategies as needed.

There are challenges associated with monitoring and evaluating KPIs. It can be time-consuming and require specialized skills and tools. Additionally, it can be difficult to determine the cause of changes in KPIs, and there can be a lag between changes in activities and changes in KPIs. To overcome these challenges, it’s important to have clear processes and responsibilities for monitoring and evaluating KPIs, to use appropriate tools and techniques, and to be patient and persistent.

While the CoE offers many benefits, it can also present challenges. Without leadership and oversight, it can become resource-intensive, create silos, slow down decision-making, and be resistant to change. To overcome these challenges, it’s important to ensure that the CoE is aligned with the organization’s overall strategy and goals, promotes collaboration and communication, and remains flexible and adaptable. AT&T Cybersecurity consultants, with their deep expertise and broad perspective, can provide valuable leadership in each of these areas. They can help consolidate expertise, develop and enforce standards, drive innovation, and provide education and training.

The CoE should drive Zero Trust related projects, such as developing a Zero Trust Architecture that includes components such as Zero Trust Network Access (ZTNA), a capability of Secure Access Service Edge (SASE). The CoE can provide the expertise, resources, and guidance needed to successfully implement these types of projects. Implementing ZTNA requires a structured, multi-phased project that would have a plan similar to the following:

  • Project initiation: Develop a project plan with timelines, resources, and budget. Identify the scope, objectives, and deliverables as well as the key stakeholders and project team members.
     
  • Assessment and planning: Develop a detailed plan for implementing ZTNA. Conduct a thorough assessment of the current network infrastructure and security environment looking for vulnerabilities and areas of improvement.
     
  • Design and develop: Design the ZTNA architecture, taking into account the organization’s specific needs and constraints. Create test plans to be used in the lab, pilot sites, and during deployment.
     
  • Implementation: Deploy and monitor the ZTNA program in a phased manner, starting with less critical systems and gradually expanding to more critical ones.
     
  • Education and training: Develop and distribute user guides and other training materials. Conduct training sessions on how to use the new system.
     
  • Monitoring: Continuously monitor the performance of the platform, report on the assigned KPIs, and conduct regular audits to identify areas for improvement.
     
  • Maintenance and support: Regularly update and improve the solution based on feedback and technical innovations. Provide ongoing technical support for users of the ZTNA platform.

Throughout the ZTNA implementation, the Zero Trust CoE plays a central role in coordinating activities, providing expertise, and ensuring alignment with the organization’s overall Zero Trust strategy. The CoE is responsible for communicating with stakeholders, managing risk, and ensuring the project stays on track and achieves the stated objectives.

In conclusion, a Zero Trust Center of Excellence is a powerful tool that can help organizations enhance their cybersecurity posture, stay ahead of evolving threats, and drive continuous improvement in their Zero Trust initiatives. By centralizing expertise, standardizing practices, fostering innovation, and providing education and training, a Zero Trust CoE can provide a strategic, coordinated approach to managing Zero Trust initiatives.

As cyber threats continue to evolve, the importance and potential of a Zero Trust CoE, led by AT&T cybersecurity consultants, will only increase. Contact AT&T Cybersecurity for more information on the Zero Trust journey and how to establish a Center of Excellence.

The post Leveraging AT&T Cybersecurity Consulting for a robust Zero Trust Center of Excellence appeared first on Cybersecurity Insiders.


The Biden Administration has recently announced the implementation of a cybersecurity labeling program for smart devices. Overseen by the Federal Communication Commission (FCC), this new program seeks to address the security of Internet of Things (IoT) devices nationwide. This announcement is in response to an increasing number of smart devices that fall victim to hackers and malware (AP News).

As IoT devices increase in popularity in homes, offices, and other settings, these labels allow consumers to be aware of their digital safety. The cybersecurity labeling program will mandate manufacturers of smart devices to meet certain cybersecurity standards before releasing their products into the market. Each smart device will be required to have a standardized cybersecurity label. Labels will serve as an indicator of the device’s security level and inform consumers about the device’s compliance with security standards. Devices that meet the highest level of security will be awarded a “Cyber Trust Mark,” indicating their adherence to the most stringent security measures.

The program will be able to hold companies accountable for producing secure devices while also giving customers the information they need to make informed decisions while purchasing IoT devices. Examples of IoT devices include smart watches, home assistants, Ring cameras, thermostats, and smart appliances. New technologies such as these have grown increasingly more present in modern life.

However, hackers have continued to exploit vulnerabilities in these devices, which compromise user privacy. These devices also allow hackers to gain entry to consumers’ larger networks. In the last quarter of 2022, there was a 98% increase in malware targeting IoT devices. New malware variants also spiked, rising 22% on the year (Tech Monitor). Compared to 2018, 2022 had more than 3 times the amount of IoT malware attacks (Statista).

Economically motivated attacks have been on the rise, and a larger number of consumers’ personal devices are being breached through IoT devices on the same network. Hackers then hold users’ devices until they are paid a ransom in cryptocurrency to keep the transaction anonymous. This rise in cybersecurity attacks can be attributed to the fact that it has become easier than ever for hackers to target networks. With RaaS (Ransomware as a Service) offerings, hackers don’t need any previous cybersecurity expertise, as they can buy software written by ransomware operators. Because IoT devices are often left with default passwords and are easily compromised, they have become a larger target for hackers.

IoT devices have been breached multiple times in the past, resulting in leaks for big organizations such as NASA. In 2018, a NASA laboratory was breached through an unauthorized IoT device that had been connected to its network. Another example of an IoT attack was the Mirai botnet in 2016. Mirai scanned the internet for exposed IoT devices, logged in with a short list of factory-default usernames and passwords, and then used each newly infected device to scan for and infect more, building a botnet that was used for record-sized DDoS attacks.

IoT devices aren’t limited to small gadgets that play a role in the home. In 2015, security researchers Charlie Miller and Chris Valasek remotely took control of a Jeep Cherokee by exploiting its cellular-connected Uconnect infotainment system and rewriting the firmware of the chip that bridges it to the vehicle’s CAN bus, reaching the steering, brakes, and acceleration (IoT Solutions World Congress). As connected and electric cars grow in popularity, manufacturers need to treat these systems as attack surfaces whose compromise can cause physical harm to drivers.

After the implementation of the program, IoT devices will be vetted and consumers will be shown the result for each device. The rating of each device is determined by evaluations and testing procedures carried out under FCC oversight. These evaluations are meant to confirm that devices can withstand common cyber threats and protect users’ private data.

Some methods that hackers often use are brute force attacks, man-in-the-middle attacks, and malware attacks. Brute force attacks involve hackers using programs to repeatedly try to guess a device’s password, man-in-the-middle attacks involve hackers intercepting communications between a device and the internet, and malware attacks are when hackers use malware to take over IoT devices and eventually entire networks (Pass Camp). The cybersecurity labeling program has been highly praised by cybersecurity professionals across the industry. It is an important step towards building a more secure online network while also allowing consumers to make knowledgeable decisions on what they are buying.

However, some critics have voiced concerns about the program. The rapidly evolving nature of technology could lead to a lag in new security standards, which could leave devices outdated in security certifications. To address this, the program is expected to include provisions for periodic reviews to ensure that standards remain relevant and up to date.

In conclusion, the Biden administration’s announcement of the cybersecurity labeling program for smart devices marks a significant milestone in the ongoing efforts to enhance cybersecurity and safeguard consumer interests. Consumers can also make efforts to secure their own devices by using stronger passwords, keeping software up to date, and securing their networks. By incentivizing manufacturers to prioritize security in their product development and providing consumers with transparent information, the program aims to create a more secure and trustworthy environment for the increasingly connected world of smart devices. As the program takes effect, it is hoped that it will foster greater confidence in the IoT industry and encourage the adoption of robust cybersecurity programs across the board.

The author of this blog works at Perimeterwatch.

The post Biden’s IoT Cybersecurity initiative appeared first on Cybersecurity Insiders.


Smart cities are on the rise. What was once squarely placed in the realm of science fiction is now a reality, and the number of smart cities worldwide continues to grow. According to a study by Research and Markets, the market for smart cities is expected to reach over 1 trillion USD by 2027.

Cities that use technology to enhance sustainability and efficiency, streamline resources, and provide layers of interconnectivity gain recognition and remain competitive on a global scale, attracting new citizens while meeting the increased demands and pressures for resource control. 

However, as smart cities continue to develop, it will become even more imperative that official bodies ensure they are adequately protected against cyber threats. As you will learn, smart cities present an unusually broad attack surface and are attractive targets for bad actors. 

This article will delve into the specific challenges facing smart cities when it comes to cybersecurity. We will then explore concrete, actionable solutions for shoring up the security of smart cities, both those in development and those already up and running today. 

Recent developments in smart city technology

Smart city technology is still rapidly evolving. As we continue to see technological advancements and widespread adoption of relatively new technologies such as the IoT (Internet of Things), AI and automation, and 5G networks, we are primed for the growth of integrated technology within urban infrastructures and systems. 

One of the major trends in e-commerce in recent years has been the adoption of AI for everything from customer service chatbots to data collection and customer preference analysis. Smart cities utilize the same technology to provide enhanced living experiences for urban citizens. 

For example, robots will soon fill in for delivery vans and trucks, using automation to fulfill last-mile deliveries of food, groceries, and pharmacy supplies. App-based solutions, such as smart parking lots, will rely on technology to reduce space management issues in overcrowded urban areas.

E-bikes, e-scooters, self-driving cars, and smart traffic management systems will continue to transform how we get from place to place in a smart city. Property technology, such as remote property management, will allow tenants to adapt more easily to hybrid and work-from-home contexts. 

Other tech innovations, such as automated sensors, AI-enabled data collection points, and responsive data-driven tech gadgets, will be used to assess the sustainability of smart cities, measuring everything from the flow of traffic to the smog and noise pollution levels. Tech solutions are already being implemented in smart cities in development to improve the environmental impact and carbon footprint of the city as a whole. 

Cybersecurity challenges facing smart cities

Due to its multifaceted nature, the smart city faces several particular challenges. With so many different levels and layers to maintain, securing multiple entry points proves difficult, as does ensuring cohesive security and coordinating among various departments. 

Ensuring that there are sufficient and up-to-date cybersecurity measures in place is already a challenge when it comes to specific sectors, such as protecting energy infrastructures. When you add the compounding factors of securing not only distinct sectors of urban government and maintenance but also personal devices and network entry points, digital asset management becomes distinctly more complex. 

As cities adopt new technology networks and infrastructures, they are also automatically creating new opportunities for bad actors to infiltrate the city’s systems. Every time data is produced in a smart city, it must be protected. All too often, smart city technology is added on top of pre-existing cybersecurity infrastructures, meaning that there is insufficient support in place to protect the new technology. 

Take, for example, smart traffic control systems. In several deployed systems that researchers have examined, the communications between roadside traffic lights and the central control system carried no encryption and no message authentication. Without authentication, any bad actor who can reach the link can inject false data or commands, leading to accidents, signal outages, and panic in the city. 

Likewise, bad actors could feed false data into unsecured systems so that smart sensors inaccurately identify a disaster, such as an earthquake, flood, mass shooting, or terrorist incident. This can sow panic, confusion, and fear in the urban populace, leaving space for further physical or digital attacks. This type of attack can also have political implications and could be used in an attempt to destabilize the trustworthiness of a particular urban system. 

Other forms of cyberattack that can be expected in the context of the smart city include:

Effective solutions to secure smart cities

To meet the growing demands for smart technology, smart city developers will have to ensure that they are implementing sufficient protective policies, systems, structures, and training to cover all the most vulnerable potential attack sites.

With a multilayered, multifaceted approach that covers cybersecurity from a broad, general perspective as well as at the most detailed level, smart cities are much more likely to be protected from cyberattacks. Let’s look at some specific solutions to help secure smart cities. 

Protect IoT devices

One key facet of a multi-channel smart city cybersecurity system is to secure individual IoT devices. Since each IoT device provides a potential entry point for hackers, providing sufficient protection for individual IoT devices will create a stronger network of interconnected and highly protected devices. This means securing mobile devices and tablets as well as smart city gadgets such as smart meters, streetlights, traffic lights, and waste management systems. 

One key way to secure IoT devices is to provide secure verification options. Every administrative interface to a device that communicates with the Internet of Things should require MFA, or multi-factor authentication, and every message a device exchanges with its controller should be authenticated so that a forged or altered message is detected. Where citizens sign contracts, leases, or purchase agreements with city services, they should be asked for a valid digital signature: unlike a typed or drawn e-signature, a digital signature is cryptographic proof that the signer held the private key and that the document has not changed since it was signed. 
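The traffic-control scenario above and the device-verification point made here come down to message authentication. The following is an added example, not from the original article: a roadside controller reports to the central system with a keyed HMAC and a sequence number, and the receiver rejects anything forged, altered or replayed. The device ID, the shared key and the message layout are assumptions for the illustration.

```powershell
# Added example, not from the original article. A roadside controller (sender)
# and the central traffic-management system (receiver) share a per-device key.
# Every report carries an HMAC-SHA256 tag over the device ID, a sequence number
# and the payload, so a forged, tampered or replayed message is rejected.
# Device ID, key and message layout are assumptions made for this example.

function Get-MessageTag {
    param([byte[]] $Key, [string] $DeviceId, [long] $Sequence, [string] $Payload)
    # Joining with '|' is safe here because the fields never contain it; a real
    # protocol would use a fixed encoding (CBOR, protobuf) rather than joining.
    $hmac  = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes("$DeviceId|$Sequence|$Payload")
    $tag   = [System.BitConverter]::ToString($hmac.ComputeHash($bytes)).Replace('-', '').ToLowerInvariant()
    $hmac.Dispose()
    return $tag
}

function New-TelemetryMessage {
    param([byte[]] $Key, [string] $DeviceId, [long] $Sequence, [string] $Payload)
    [pscustomobject]@{
        DeviceId = $DeviceId; Sequence = $Sequence; Payload = $Payload
        Tag      = Get-MessageTag $Key $DeviceId $Sequence $Payload
    }
}

function Compare-FixedTime([string] $A, [string] $B) {
    # Constant-time comparison so the receiver does not leak how many tag
    # characters an attacker already has right.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ([int]$A[$i] -bxor [int]$B[$i]) }
    return ($diff -eq 0)
}

# Receiver state: highest sequence number accepted per device.
$script:LastSequence = @{}

function Test-TelemetryMessage {
    param([hashtable] $DeviceKeys, $Message)
    if (-not $DeviceKeys.ContainsKey($Message.DeviceId)) { return 'rejected: unknown device' }
    $expected = Get-MessageTag $DeviceKeys[$Message.DeviceId] $Message.DeviceId $Message.Sequence $Message.Payload
    # Check the tag before anything else, so unauthenticated input cannot move the
    # replay window.
    if (-not (Compare-FixedTime $expected $Message.Tag)) { return 'rejected: bad tag' }
    $last = -1
    if ($script:LastSequence.ContainsKey($Message.DeviceId)) { $last = $script:LastSequence[$Message.DeviceId] }
    if ($Message.Sequence -le $last) { return 'rejected: replay' }
    $script:LastSequence[$Message.DeviceId] = $Message.Sequence
    return 'accepted'
}

# --- demo with a constructed 32-byte key; real keys come from device provisioning ---
$keys = @{ 'TL-0417' = [byte[]](1..32) }
$genuine = New-TelemetryMessage $keys['TL-0417'] 'TL-0417' 1 'phase=NS_GREEN;queue=12'
Test-TelemetryMessage $keys $genuine                       # first delivery
Test-TelemetryMessage $keys $genuine                       # same message delivered again
$forged = New-TelemetryMessage ([byte[]](200..231)) 'TL-0417' 2 'phase=ALL_GREEN'
Test-TelemetryMessage $keys $forged                        # attacker without the device key
$tampered = New-TelemetryMessage $keys['TL-0417'] 'TL-0417' 3 'phase=NS_GREEN;queue=12'
$tampered.Payload = 'phase=ALL_GREEN;queue=12'             # payload altered in transit
Test-TelemetryMessage $keys $tampered
```

In the demo the first report is accepted and the other three calls are rejected: the repeated message as a replay, and both the message built with a different key and the payload altered after tagging as bad tags. A sequence number protects against replay only while the receiver keeps state per device; if the central system is restarted and forgets the counters, a timestamp with a bounded acceptance window is the usual fallback. Use a signature scheme instead of an HMAC if the central system must later prove to a third party which device sent a reading, because every holder of a shared HMAC key can produce a valid tag.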

Enact public awareness and education campaigns

Phishing remains one of the most common forms of cyberattacks across all industries. This type of attack targets unsuspecting victims, who are manipulated into providing information or log-in details or completing a task or action on behalf of the bad actor making the request. 

By nurturing a cyber-aware culture through public awareness training programs and education campaigns, urban citizens can become alert to the potential dangers of cybersecurity attacks. Through effective education and advertising, citizens will learn what signs to look out for to identify a potential cyber threat and will be able to determine what steps to take to report and block the attacker. 

For example, public cybersecurity awareness training can show individuals how to recognise a phishing message, how to verify an unexpected request through a second channel before acting on it, and where to report a suspected attack. Training can also cover basic protections for the personal devices that sync with smart city services, such as keeping software updated and turning on multi-factor authentication. Masking geolocation or routing traffic through a proxy server hides activity from onlookers but does nothing against a phishing lure, so it should not be presented as the main defense. 

Deploy AI-powered threat detection

Using the advanced computing and analysis abilities of AI will be essential to protecting smart cities. AI-powered threat detection systems can provide early recognition of possible threats and offer advanced suggestions for defusing the threat. 

Security powered by AI can also shorten the time between a compromise and its discovery, limiting the damage an attacker can do before the intrusion is contained. Smart city AI security can address both physical and digital threats, providing a comprehensive protection network that responds to real-time data. 

Final thoughts

As smart cities continue to evolve, there will need to be cooperation among many departments to ensure that the new technology is implemented with high levels of cybersecurity protection. Government bodies will need to work with urban planners, IT specialists, and other tech consultants to ensure that every layer of a smart city is secured. 

By utilizing secure authentication practices, securing devices as well as networks and systems, working with AI to analyze threats and mitigate damage, and providing public awareness training and education, smart cities can stay on top of any cybersecurity threats as they emerge. In this way, smart cities can continue to develop, safely providing enhanced services and experiences to urban citizens. 

The post Securing the smart cities of tomorrow: Cybersecurity challenges and solutions appeared first on Cybersecurity Insiders.


The installation of Active Directory (AD) on Windows Server 2019 calls for a thorough understanding of technical nuances and a steadfast dedication to security best practices. This guide will walk you through the process of securely implementing Active Directory, ensuring the highest level of protection for the information and resources within your company.

Planning and design

Start by carefully planning and designing. Analyze your organization’s requirements, network topology, and security requirements in great detail. Establish the necessary number of organizational units (OUs), domains, and user and group structures. Make a thorough design plan that complies with your organization’s compliance standards and security guidelines.

Installing Windows Server 2019

Install Windows Server 2019 on a dedicated system that meets the minimum requirements. Use the most recent Windows Server 2019 ISO, apply all current updates, and adhere to recommended procedures for a secure installation. Set a strong password for the Administrator account and enable Secure Boot in the UEFI firmware settings; Secure Boot is a UEFI feature and is not available when the firmware runs in legacy BIOS mode.

Choose the right deployment type

When the server is promoted, the deployment choice is whether it becomes the first domain controller (DC) of a new forest, the first DC of a new domain in an existing forest, or an additional DC in an existing domain. Whichever applies, the server should be a dedicated domain controller that runs no other workloads, overseeing your domain’s directory services, authentication, and security policies.

Install Active Directory Domain Services (AD DS) role

Add the Active Directory Domain Services (AD DS) role to Windows Server 2019. For the installation, use Server Manager or PowerShell. Select the appropriate forest and domain functional levels during the procedure and specify the server as a domain controller.

Choose an appropriate Forest Functional Level (FFL)

Select the highest Forest Functional Level (FFL) that every domain controller in the forest supports. This enables the most recent AD features and security upgrades (for example, the Protected Users group and authentication policies require a Windows Server 2012 R2 or later domain level). Note that Windows Server 2019 introduced no new functional level: the highest available is Windows Server 2016, and that is the level a new 2019 forest should use. Before raising the level of an existing forest, examine the FFL requirements and confirm that every domain controller currently in use can support the selected level, because the level cannot be lowered again once a feature that depends on it is in use.
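As an added example (not from the original guide), the PowerShell below carries out the three steps just described on a freshly installed server: add the role, run the prerequisite check, and promote the server to the first domain controller of a new forest at the Windows Server 2016 functional level. The domain name, NetBIOS name and data paths are assumptions for the illustration.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell on the
# server that will become the first domain controller. Domain name, NetBIOS name
# and paths are assumptions for this example.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Windows Server 2019 added no new functional level, so 'WinThreshold' (Windows
# Server 2016) is the highest value a 2019 forest can have.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
$forest = @{
    DomainName                    = 'corp.example.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'     # keep NTDS.dit and SYSVOL off the OS volume
    LogPath                       = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}
# The same prerequisite checks the promotion runs, without changing anything.
Test-ADDSForestInstallation @forest
Install-ADDSForest @forest -NoRebootOnCompletion -Force
Restart-Computer

# After the reboot (and on any existing forest before raising its level):
# confirm every domain controller runs an OS that supports the target level.
Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IsReadOnly
Get-ADForest | Select-Object Name, ForestMode
Get-ADDomain | Select-Object DNSRoot, DomainMode
# Raise an older forest only once no DC below Windows Server 2016 remains:
#   Set-ADForestMode -Identity corp.example.com -ForestMode Windows2016Forest
#   Set-ADDomainMode -Identity corp.example.com -DomainMode Windows2016Domain
```

Splatting the same hashtable into `Test-ADDSForestInstallation` and `Install-ADDSForest` guarantees the check and the promotion see identical parameters, which is the point of running the test first. Store the DSRM password in the organization's privileged-credential vault: it is the only way into the directory database when the domain cannot start.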

Secure DNS configuration

AD heavily relies on DNS for name resolution and service location. Ensure that DNS is configured securely by:

a. Using Active Directory Integrated Zones for DNS storage, which allows secure dynamic updates (only a client that authenticates as the record’s owner can change it) and replicates the zone through AD rather than through zone transfers.

b. Implementing DNSSEC to protect against DNS data tampering and for secure zone signing.

c. Restricting zone transfers to authorized servers only, preventing unauthorized access to DNS data.

d. Implementing DNS monitoring and logging for suspicious activities using tools like DNS auditing and query logging.
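The four items above, as an added PowerShell example that is not part of the original guide. The zone name and export path are assumptions; the cmdlets come from the DnsServer module that is installed with the DNS Server role.

```powershell
# Added example, not from the original guide: items a-d applied to the domain's
# zone on a 2019 domain controller. Zone name and export path are assumptions.
Import-Module DnsServer
$zone = 'corp.example.com'

# a. Store the zone in AD, replicated to every DNS server in the forest, and
#    accept only secure dynamic updates (the client must authenticate as its
#    computer account, so one host cannot overwrite another host's record).
if (-not (Get-DnsServerZone -Name $zone).IsDsIntegrated) {
    ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Forest -Force
}
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure

# c. Zone transfers are unnecessary between DCs (AD replication carries the zone),
#    so refuse them to everyone. If a non-AD secondary genuinely needs the zone,
#    use -SecureSecondaries TransferToSecureServers -SecondaryServers <ip> instead.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries NoTransfer

# b. DNSSEC: sign the zone online with the default key and rollover settings. The
#    exported DS record set must be published in the parent zone before resolvers
#    can validate; an AD-integrated signed zone keeps accepting secure updates.
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefaultSettings -Force
Get-DnsServerSigningKey -ZoneName $zone | Select-Object KeyType, CryptoAlgorithm, KeyLength
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'D:\DnsSec' -DigestType Sha256

# d. Logging. The audit channel (zone and record changes) is on by default; the
#    analytic channel records every query and response, so enable it only when a
#    SIEM or collector drains it, and ship both to the central log store.
wevtutil sl 'Microsoft-Windows-DNSServer/Analytical' /e:true /q:true
Get-WinEvent -LogName 'Microsoft-Windows-DNSServer/Audit' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message

# One-line posture check for the zone.
Get-DnsServerZone -Name $zone |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate, SecureSecondaries, IsSigned
```

The posture check is worth keeping as a scheduled compliance query: `DynamicUpdate` should read `Secure`, `SecureSecondaries` should read `NoTransfer`, and `IsSigned` should be `True` on every DNS-hosting domain controller, since a zone converted back to file storage or opened to nonsecure updates is a common regression after troubleshooting.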

Use strong authentication protocols

Configure Active Directory to use strong authentication protocols such as Kerberos, which is already the default for domain logons. To stop credential-based attacks, remove the weaker fallbacks: disable storage of LM hashes, set the LAN Manager authentication level so that LM and NTLMv1 are refused and only NTLMv2 is accepted where NTLM is still required, require NTLMv2 session security, and audit the remaining NTLM use before restricting it, because some legacy devices and appliances still depend on it. Ensure domain controllers are set up to favor robust authentication techniques over weak ones when performing authentication.
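These settings are normally delivered by a GPO linked to the Domain Controllers OU. As an added example (not from the original guide), here are the registry values that such a GPO writes, so the effect of each policy is explicit, plus a check that reads them back. The values are Microsoft's documented ones; the audit-first sequencing is the assumption made here.

```powershell
# Added example, not from the original guide. Registry values behind the Group
# Policy security options for NTLM/LM hardening on a domain controller. Apply via
# GPO in production; shown directly so the effect of each setting is visible.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# "Network security: LAN Manager authentication level" = 5:
# send NTLMv2 only, refuse LM and NTLMv1. Kerberos is unaffected.
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Type DWord -Value 5
# "Do not store LAN Manager hash value on next password change" = enabled.
Set-ItemProperty -Path $lsa -Name NoLMHash -Type DWord -Value 1
# "Minimum session security for NTLM SSP based clients/servers":
# require NTLMv2 session security and 128-bit encryption (0x20080000).
Set-ItemProperty -Path $msv -Name NtlmMinClientSec -Type DWord -Value 0x20080000
Set-ItemProperty -Path $msv -Name NtlmMinServerSec -Type DWord -Value 0x20080000
# "Restrict NTLM: Audit NTLM authentication in this domain" = enable all (7).
# Run in audit mode first; RestrictNTLMInDomain = 7 blocks NTLM outright and
# should only follow once the NTLM operational log shows no legitimate users.
Set-ItemProperty -Path $netlogon -Name AuditNTLMInDomain -Type DWord -Value 7

function Get-NtlmHardeningState {
    # Reads the effective values back so a compliance job can diff them.
    [pscustomobject]@{
        LmCompatibilityLevel = (Get-ItemProperty $lsa).LmCompatibilityLevel
        NoLMHash             = (Get-ItemProperty $lsa).NoLMHash
        NtlmMinClientSec     = '0x{0:X8}' -f (Get-ItemProperty $msv).NtlmMinClientSec
        NtlmMinServerSec     = '0x{0:X8}' -f (Get-ItemProperty $msv).NtlmMinServerSec
        AuditNTLMInDomain    = (Get-ItemProperty $netlogon -ErrorAction SilentlyContinue).AuditNTLMInDomain
        RestrictNTLMInDomain = (Get-ItemProperty $netlogon -ErrorAction SilentlyContinue).RestrictNTLMInDomain
    }
}
Get-NtlmHardeningState

# Who still authenticates with NTLM? Review this log for a few weeks before
# switching from AuditNTLMInDomain to RestrictNTLMInDomain.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```

Remember that `NoLMHash` only stops new LM hashes from being written: existing accounts keep their LM hash until the next password change, so a forced password reset for older accounts is part of the rollout.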

Securing administrative accounts

Safeguard administrative accounts by:

a. Creating complicated, one-of-a-kind passwords for each administrative account, following the password policy guidelines, and rotating passwords frequently.

b. Adding multi-factor authentication (MFA) to all administrative accounts to improve login security and reduce the risk of credential theft.

c. Enforcing the principle of least privilege, role-based access control (RBAC), and limiting the use of administrative accounts to authorized personnel only.

d. To reduce the attack surface and potential insider threats, administrative account privileges should be regularly reviewed, and extra access rights should be removed.
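As an added example (not from the original guide), the following PowerShell implements the Active Directory side of items a-d: a dedicated, non-delegatable admin account placed in Protected Users, a stricter fine-grained password policy for privileged accounts, and a membership review of the privileged groups. Account names, OU paths and policy values are assumptions for the illustration.

```powershell
# Added example, not from the original guide. Run from a management host with
# RSAT as a user who may create accounts in the admin OU. Names, OU paths and
# policy values are assumptions for this example.
Import-Module ActiveDirectory
$adminOu = 'OU=Tier0,OU=Admin,DC=corp,DC=example,DC=com'
$admin   = 'adm-jdoe'      # separate from the person's daily-use account

# a./b. Dedicated admin account. MFA for interactive admin logon is enforced by the
# smart card / Windows Hello for Business policy on the admin workstations; here the
# account is marked as requiring a smart card and as non-delegatable.
New-ADUser -Name $admin -SamAccountName $admin -UserPrincipalName "$admin@corp.example.com" `
    -Path $adminOu -AccountPassword (Read-Host -AsSecureString "Initial password for $admin") -Enabled $true
Set-ADUser -Identity $admin -AccountNotDelegated $true -SmartcardLogonRequired $true
# Protected Users: Kerberos only (no NTLM, no DES/RC4, no delegation, 4-hour TGT),
# so a stolen NTLM hash for this account is worthless. Keep the built-in
# Administrator (break-glass) account out of this group.
Add-ADGroupMember -Identity 'Protected Users' -Members $admin

# a. Longer minimum length and strict lockout for privileged accounts only, via a
#    fine-grained password policy bound to a group that holds the admin accounts.
New-ADGroup -Name 'Tier0-Admins' -GroupScope Global -Path $adminOu
Add-ADGroupMember -Identity 'Tier0-Admins' -Members $admin
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0' -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '180.00:00:00' -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0' -Subjects 'Tier0-Admins'

# c./d. Periodic review: every user in a privileged group, nested membership
#        included, and whether that user is covered by Protected Users.
function Get-PrivilegedMemberReport {
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'
    $protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).distinguishedName
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' | ForEach-Object {
            [pscustomobject]@{
                Group     = $g
                Account   = $_.SamAccountName
                Protected = ($protected -contains $_.distinguishedName)
            }
        }
    }
}
Get-PrivilegedMemberReport | Sort-Object Group, Account | Format-Table -AutoSize
```

The report is the artefact for the "regularly reviewed" step: any row with `Protected` equal to `False`, or any account that nobody can tie to a named administrator, is a finding. Group membership should be granted through a request workflow and removed when the task is done, which is what keeps the report short.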

Applying group policies

Leverage Group Policy Objects (GPOs) to enforce security settings and standards across your Active Directory domain. Implement password policies, account lockout policies, and other security-related configurations to improve the overall security posture.

Protecting domain controllers

Domain controllers are the backbone of Active Directory. Safeguard them by:

a. Isolating domain controllers in a separate network segment or VLAN to minimize the attack surface and prevent lateral movement.

b. Enabling BitLocker Drive Encryption on the operating system volume and on the volume holding the AD database and SYSVOL, using the TPM as the key protector so the domain controller can restart unattended, to safeguard critical data from physical theft or unauthorized access.

c. Setting up Windows Firewall rules to restrict inbound traffic to critical AD services and thwart potential dangers.

d. Performing regular domain controller backups and securely storing those backups to protect data integrity and speed up disaster recovery. Create system state backups using the Windows Server Backup feature, and for redundancy, think about using off-site storage.
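The host-level controls in items a-d, as an added PowerShell example that is not from the original guide. Subnets, drive letters and the backup target are assumptions; the firewall rule group names are the ones Windows creates when the roles are installed.

```powershell
# Added example, not from the original guide: items a-d on a single domain
# controller. Subnets, drive letters and the backup target are assumptions.
$clientNets = @('10.10.0.0/16', '10.20.0.0/16')   # workstations and member servers
$dcNet      = '10.0.1.0/24'                       # the other domain controllers
$adminNet   = '10.99.1.0/24'                      # privileged access workstations only

# a. Network exposure. Inbound is deny-by-default; AD, DNS, Kerberos and SMB are
#    accepted only from the networks that need them, and remote management only
#    from the admin network. (Placing the DC in its own VLAN happens on the switch.)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -LogBlocked True
foreach ($grp in 'Active Directory Domain Services', 'DNS Service',
                 'Kerberos Key Distribution Center', 'File and Printer Sharing') {
    Get-NetFirewallRule -DisplayGroup $grp -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress ($clientNets + $dcNet + $adminNet)
}
foreach ($grp in 'Remote Desktop', 'Windows Remote Management') {
    Get-NetFirewallRule -DisplayGroup $grp -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $adminNet -Enabled True
}

# b. BitLocker. TPM-only protector so the DC can reboot unattended; the recovery
#    password is escrowed to AD (needs the "Store BitLocker recovery information
#    in AD DS" policy). The data volume holding NTDS and SYSVOL is unlocked
#    automatically by the OS volume.
Install-WindowsFeature -Name BitLocker -IncludeManagementTools     # reboot before continuing
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# d. System state backup (NTDS.dit, SYSVOL, registry, boot files). Schedule this
#    daily and copy the target off-site; restore tests belong in the DR runbook.
Install-WindowsFeature -Name Windows-Server-Backup
wbadmin start systemstatebackup -backupTarget:E: -quiet
wbadmin get versions -backupTarget:E:
```

Two operational notes. BitLocker with a TPM-only protector protects against a stolen disk, not against an attacker who boots the intact server; pair it with physical access control and UEFI Secure Boot. And a system state backup is only as good as the last successful restore test, so schedule a restore into an isolated lab DC, not only the backup.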

Monitor and audit

Implement a robust monitoring and auditing system to detect potential security breaches and unauthorized access. Employ Security Information and Event Management (SIEM) solutions for thorough threat monitoring, set up real-time alerts for crucial security events, and use Windows Event Forwarding to centralize log data for analysis.
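As an added example (not from the original guide), this PowerShell sets the advanced audit subcategories a domain controller needs, points the DC at a Windows Event Forwarding collector, and queries for two event types that should page someone: a member added to a privileged group and an attempt to set the DSRM password. The collector name and the watched-group list are assumptions for the illustration.

```powershell
# Added example, not from the original guide. Audit policy, WEF source setup and
# a detection query for a domain controller. Collector name and watch list are
# assumptions made for this example.

# Advanced audit policy subcategories (the same settings exist as GPO entries under
# Advanced Audit Policy Configuration; auditpol shows the effective result).
$subcats = @(
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Logon', 'Special Logon', 'Account Lockout',
    'User Account Management', 'Security Group Management', 'Computer Account Management',
    'Directory Service Changes', 'Directory Service Access', 'Audit Policy Change'
)
foreach ($s in $subcats) { auditpol /set /subcategory:"$s" /success:enable /failure:enable }
auditpol /get /category:* | Select-String 'Success and Failure'

# Source-initiated Windows Event Forwarding: the DC pushes to the collector; the
# subscription itself is defined once on the collector with wecutil. On a DC the
# Security channel must also grant read access to NETWORK SERVICE (GPO
# "Configure log access"), otherwise nothing is forwarded.
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wefKey -Force | Out-Null
Set-ItemProperty -Path $wefKey -Name 1 -Value 'Server=http://wec01.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60'
winrm quickconfig -q

# Events worth an immediate alert: 4728/4732/4756 (member added to a global, local
# or universal security group; filtered to privileged groups) and 4794 (attempt
# to set the DSRM password). Point -LogName at ForwardedEvents on the collector.
function Get-PrivilegedGroupChange {
    param([int] $Hours = 24, [string] $LogName = 'Security')
    $watch  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
    $filter = @{ LogName = $LogName; Id = 4728, 4732, 4756, 4794; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($_.Id -eq 4794 -or $watch -contains $d['TargetUserName']) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Id       = $_.Id
                Group    = $d['TargetUserName']
                Member   = $d['MemberName']
                Actor    = $d['SubjectUserName']
                Computer = $_.MachineName
            }
        }
    }
}
Get-PrivilegedGroupChange -Hours 24 | Format-Table -AutoSize
```

Parsing the event XML rather than the rendered message keeps the query stable across languages and Windows versions. Run it from the collector's `ForwardedEvents` log so that an attacker who clears a single DC's Security log (event 1102, itself worth an alert) does not also erase the evidence.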

Perform regular backups

Create regular system state backups of Active Directory to ensure data integrity and quick recovery in case of data loss or disaster. Periodically test the restoration procedure to confirm its efficacy and guarantee that backups are safely kept off-site.

Conclusion

By following this technical guide, you can confidently and securely implement Active Directory on Windows Server 2019, ensuring your organization has a robust, dependable, highly secure Active Directory environment that safeguards valuable assets and sensitive data from the constantly changing threat landscape. Always remember that security is a continuous process, and maintaining a resilient AD infrastructure requires staying current with the latest security measures.

The post Securely implementing Active Directory on Windows Server 2019 appeared first on Cybersecurity Insiders.