The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization.

The initial actions to take in the event of a ransomware attack

  • Disconnect the affected devices from the network as soon as possible. This can help to prevent the ransomware from spreading to other computers or devices.
  • Determine what data has been affected and assess the extent of the damage.
  • Determine the specific type of ransomware virus that has infected your devices to understand how this malware operates and what steps you need to take to remove it.
  • It is important to notify all employees about the ransomware attack and instruct them not to click on any suspicious links or open any suspicious attachments.
  • Consider reporting the attack. This can help to increase awareness of the attack and may also help to prevent future attacks. Please note that in some regions, business owners are required by law to report an attack.

Do not rush into a decision. Take the time to carefully evaluate your options and the potential consequences of each of them before deciding whether to pay the ransom or explore other solutions.

Paying the ransom is not the only option. Consider exploring other solutions, such as restoring your data from backups. If you do not have backups, cybersecurity experts may still be able to help you recover your data, since many ransomware strains have been cracked and their decryption keys are publicly available.

Strategies cybercrooks employ to obtain funds from victims swiftly

Cyber extortionists use various tactics beyond just encrypting data. They also use post-exploitation blackmail methods to coerce victims into paying them. Very often, cybercriminals use several extortion tactics simultaneously. Some examples of these tactics include:

  • Steal and disclose

Cyber extortionists not only encrypt victims' data but also often steal it. If the ransom is not paid, the stolen files may be made publicly available on special leak websites, which can cause severe damage to the victim's reputation and make them more likely to give in to the attackers' demands.

  • Destroy keys if a negotiation company intervenes

Some ransomware authors have threatened to delete the private keys necessary for decrypting victims' data if they seek the help of a professional third party to negotiate on their behalf.

  • Launch a DDoS attack

Ransomware attackers often threaten to flood the victim's website with a large volume of traffic in an effort to take it down and intimidate the targeted company into paying the ransom faster.

  • Cause printers to behave abnormally

Some hackers have taken control of printers and printed ransom notes directly in front of partners and customers. This gives the attack a high level of visibility, as it is difficult for people to ignore ransom notes being printed around them.

  • Use Facebook ads for malicious purposes

Criminals have been known to use advertising to gain attention for their attacks. In one instance, ransomware developers used Facebook ads to shame their victim by highlighting the organization's weak defenses.

  • Stir up anxiety among customers

Ransomware authors may send intimidating emails to the customers of major companies whose data was compromised. The emails threaten to leak the recipients' data unless the affected organization pays the ransom. The attackers encourage the recipients to pressure the affected companies to make the payment quickly.

Do not try to handle the situation on your own

Although ransomware is a trend in the world of cyber-attacks, hackers are not always successful in obtaining the ransom. They constantly have to develop new methods to replenish their arsenal of extortion techniques.

To make life as difficult as possible for hackers, the main thing to do is not to try to act alone. There are well-established mechanisms to counter extortionists.

Do seek professional assistance from others, even if it means losing some or all of your data. There are plenty of organizations and resources that can provide professional assistance and guidance. Some potential options include:

  • Cybersecurity experts: These professionals can provide specialized expertise and assistance with recovering your data, as well as advice on how to prevent future attacks.
  • Computer emergency response teams: Many countries and regions have organizations known as CERTs that assist with responding to and recovering from cyber incidents, including ransomware attacks.
  • Ransomware recovery services: Some companies specialize in helping organizations recover from ransomware attacks and can provide a range of services, including data recovery, threat assessment, and ransomware negotiation.
  • Law enforcement: In many cases, it may be appropriate to involve law enforcement agencies. They can help with investigations and data recovery, and they can identify and prosecute the attackers.

It is essential to carefully research and evaluate any resources or services you consider using. Seek advice from multiple sources to find the best way out.

Before negotiations

It is generally not recommended to negotiate with ransomware attackers or pay the ransom. Doing so can encourage further ransomware attacks. Paying the ransom not only supports the attackers' criminal activity but also puts your organization at risk of being targeted again.

Keep in mind that there is no guarantee that the attackers will actually provide the decryption key – even if you do pay the ransom. Therefore, it is important to weigh the risks and potential consequences carefully before deciding to pay.

Ransomware attacks and payments are often carried out anonymously, using encrypted communication channels and cryptocurrency. Hackers usually provide an encrypted chat or email service for communication. Try to negotiate additional channels and means of communication with the adversary, and try to establish a line of communication with the attackers that involves mutual trust (as much as is possible in this situation).

If you decide to negotiate with the attackers and pay the ransom, it is important to keep a record of all communications, including any instructions for paying the ransom. This information may be helpful for law enforcement and cybersecurity experts who are investigating the attack.

Ask the attackers to demonstrate the decryption key and show that it actually works by decrypting several random files. This can help you ensure that you are dealing with the actual attackers and not a third party.

Research the attackers and their past behavior. If the attackers have been known to negotiate or provide the decryption key after receiving payment in the past, this may help to increase your confidence in the negotiation and may also give you leverage to negotiate a lower amount.

Tips for negotiating with the attackers

If you have exhausted all other options and have determined that paying the ransom is the only way to recover your data, here are a few tips for negotiating with the hackers:

  1. The attackers may try to pressure you by threatening to destroy or leak data, but it is important not to let this influence your decision. Do not show any signs of desperation or urgency. Remain calm and composed all the time.
  2. Do not reveal whether or not you have cyber insurance.
  3. Do not offer to pay the entire ransom upfront. Instead, consider offering to pay a small portion of the ransom upfront, with the remainder to be paid after the decryption key has been provided and you have successfully decrypted all data.
  4. Consider offering to pay the ransom in a cryptocurrency that you already hold and that is less commonly used or less easily traced. This can make it more difficult for the attackers to convert the ransom into actual money and may make them more willing to negotiate a lower amount.
  5. Consider offering to publicize the attack and the ransom negotiation in order to put pressure on the attackers. This can make it more difficult for the attackers to extort other victims in the future and may make them more willing to negotiate a lower ransom amount.
  6. If the attackers have already agreed to negotiate the ransom amount and have lowered the price, you may try to push for a further reduction by continuing to negotiate and offering a lower amount. However, keep in mind that the attackers are likely to have a minimum amount that they are willing to accept, and it may not be possible to push them to lower the price further.

Be prepared to walk away from the negotiation if the attackers are unwilling to compromise or if the terms they offer are unacceptable, even if it entails losing your data.

How to prevent ransomware attacks

It is always good to focus on preventative measures to avoid falling victim to ransomware in the first place. Here are some tips in this regard:

  1. Implement a robust cybersecurity policy that includes regular software updates and the use of security software.
  2. Educate your employees about the risks of ransomware and how to protect against it, such as not opening attachments or clicking on links from unfamiliar sources.
  3. Maintain regular backups and implement a disaster recovery plan to ensure that you can restore your data if it becomes encrypted.
  4. Use strong, unique passwords and employ MFA where possible.
  5. Consider purchasing cybersecurity insurance to protect your company against financial losses resulting from a ransomware attack.

The post The dos and don’ts of ransomware negotiations appeared first on Cybersecurity Insiders.


Identity and access management has emerged as an essential security element for organizations. A study reveals that 80% of global IT decision-makers have already adopted or are planning to adopt an IAM solution in the upcoming years.

IAM refers to the business policies, processes, and technologies that control access to data and digital systems and prevent unauthorized access. Two IAM approaches are widely known, one for the cloud and the other for on-premises environments. Cloud-based IAM practices are growing fast because the demand for cloud adoption has increased over time.

With the right IAM solutions and techniques, IT managers and businesses control users' access to sensitive business data within their networks. These solutions also help protect organizations from cyber-attacks, make them more efficient, reduce IT operational costs, and improve the user experience.

Six best IAM practices that organizations must not neglect

An IAM framework means using the right solution to implement user authentication and privilege policies. With IAM, companies can also demonstrate that data is not misused and that they comply with government regulations.

Because of these characteristics, businesses are increasingly adopting IAM solutions, and demand for them will undoubtedly remain high in the coming years. It is also estimated that the IAM market will grow to $15.3 billion by 2025.

An organization needs to use the right IAM tools and practices to reap the most benefits from its IAM solution. The six best IAM practices that every business should incorporate into its security strategy are as follows:

Adopt passwordless authentication

Many data breaches occur because of weak or stolen credentials. Threat actors can use advanced tools and tactics to steal and break passwords.

Organizations need a secure identity management system to prevent bad actors from breaking in and stealing credentials, which can result in breaches such as the Lapsus$ attack or the Colonial Pipeline ransomware attack. Organizations can eliminate password issues by choosing passwordless authentication to protect vital business data and ensure that only legitimate users access it.

Passwordless authentication enables users to authenticate their identity without entering a password. Going passwordless has various benefits for organizations: it enhances overall efficiency, saves time, improves productivity, and provides greater ease of access. Most importantly, passwordless authentication allows IAM leaders and users to access the cloud environment safely and securely.

Implement a Zero-Trust approach

The zero-trust approach is not new, but it has gained popularity as the threat landscape has evolved. Organizations cannot have a robust IAM policy without a functioning zero-trust architecture. The average cost of a data breach is $4.24 million, but the zero-trust model helps reduce the cost of a data breach by $1.76 million. Moreover, Gartner predicts that the ZTNA solutions market will grow to $1.674 billion in 2025.

Zero trust means continuously verifying authorized users as they move through the network and granting them the least privilege needed when they access crucial documents and files. Zero trust within the cloud creates access controls that protect sensitive data and applications from unwarranted access.

The zero-trust architecture ensures that IAM policies are followed whenever a user accesses the organization's network, and it protects the cloud data. Successful zero-trust implementation for the cloud must begin with passive application observation: companies must first monitor and determine the relationships between the apps and only then enforce rules. In addition, enterprises should consider using other technologies such as MFA, endpoint protection, micro-segmentation, and visibility and analytics to implement zero-trust systems.

Ensure compliance

IAM is designed to control users and protect their data, which can be achieved by meeting standard compliance requirements. Businesses often have regulatory requirements connected to the data they store, whether in an on-premises data warehouse or a cloud data warehouse. They must report on their data access and usage processes while complying with specific laws and regulations.

If they fail, they face hefty fines, lawsuits, and penalties. For example, Twitter agreed to pay $150 million to settle allegations about its data privacy practices after the US alleged that Twitter had collected users' contact information to show them targeted ads.

Organizations that have not yet done so must strictly follow compliance regulations, including GDPR, SOX, HIPAA, and PCI-DSS, to ensure that data is not misused. Businesses must also audit each user role and assign it to the appropriate data owner to keep checks and balances on compliance. In this way, companies can ensure regulatory compliance and oversight of data access.

Use appropriate DevOps tools

Data breaches occur because of human error or application flaws. Businesses also forget to keep a record of unstructured or "dark" data, including files and documents downloaded and used for different purposes, credit card numbers, and social security numbers. Cybercriminals take full advantage of such vulnerabilities and data, which can eventually result in a data breach.

Such events not only cause significant financial loss to the business but also result in the loss of customers and brand reputation. DevOps teams and tools greatly help enterprises prevent data breaches and ensure that sensitive data is not accessed without authorization. By using various DevOps tools, businesses keep track of unstructured data from the initial stage and raise the overall security level.

Deploy artificial intelligence

Cybercriminals have become more advanced and sophisticated than before. They use new approaches and tactics to access organizational networks, and because of their evolving nature, even security teams sometimes fail to recognize them. Hence, organizations have adopted Artificial Intelligence and Machine Learning technologies to implement IAM and reduce threats effectively.

AI improves security and helps maintain business integrity. AI technologies such as Robotic Process Automation (RPA) closely monitor user behavior and reveal abnormalities in it. Although an organization produces trillions of mostly unstructured data points, an ML system can scan all of that data efficiently and prevent data leaks and breaches. Moreover, the AI system constantly monitors all behavior and continuously verifies workers' access to network resources.

If threat actors do gain access to the network through a backdoor, the AI system sends a quick alert to the IT department so that it can take appropriate measures. The system also denies the access request and helps keep the business data safe.

Centralize the organization's systems

Another best practice businesses can adopt to improve IAM is centralizing all network systems. This is an effective approach that provides more visibility and allows security teams to detect and respond to cyber threats: all users sign in to a single authentication provider, which then propagates identity and access across the apps and resources within the organization.

Moreover, with the centralized management system, it is easier to enforce policies like using secure passwords or multi-factor authentication to access the resources.

Additional best practices

Apart from the practices mentioned above, listed below are some common IAM practices businesses should not ignore. These include:

  • Ensure new applications from all sources are securely developed and onboarded. For this purpose, deploy API access control (authentication and authorization of APIs) as it is a crucial part of API security.
  • Authentication is vital for IAM; hence, use multi-factor authentication tools to authenticate the identity.
  • Remove unnecessary users from the network to reduce the risks of unauthorized access.
  • Regularly review and audit the IAM policies to ensure that users are granted only the least privilege they need.
  • When an IAM account is no longer used, de-provision it immediately. This prevents hackers from stealing and misusing those credentials.
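The last two items above (least-privilege review and prompt de-provisioning) are easy to state and easy to let slip. The following is an added example, not code from the original post or from any vendor, that runs a small audit over a constructed IAM inventory: it flags dormant accounts for de-provisioning, accounts without MFA, and policies that grant wildcard actions or resources. The inventory format, the 90-day dormancy threshold, and the helper names are assumptions for illustration.

```python
"""Added example: audit a constructed IAM inventory for dormant accounts,
missing MFA and over-broad (non-least-privilege) policies.
The inventory schema and thresholds below are assumptions, not any
product's real API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold


@dataclass
class Policy:
    name: str
    actions: List[str]    # e.g. "s3:GetObject", "iam:*", "*"
    resources: List[str]  # e.g. "reports/*", "*"


@dataclass
class Account:
    user: str
    last_login: Optional[datetime]  # None = never logged in
    mfa_enabled: bool
    policies: List[Policy] = field(default_factory=list)


def is_dormant(acct: Account, now: datetime) -> bool:
    """An account that never logged in, or not within DORMANT_AFTER, is dormant."""
    if acct.last_login is None:
        return True
    return now - acct.last_login > DORMANT_AFTER


def overbroad_policies(acct: Account) -> List[str]:
    """Names of attached policies that grant a wildcard action ("*" or
    "service:*") or a wildcard resource; both violate least privilege."""
    flagged = []
    for p in acct.policies:
        wild_action = any(a == "*" or a.endswith(":*") for a in p.actions)
        wild_resource = "*" in p.resources
        if wild_action or wild_resource:
            flagged.append(p.name)
    return flagged


def audit(accounts: List[Account], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, finding, recommended action) tuples, in inventory order."""
    findings = []
    for a in accounts:
        if is_dormant(a, now):
            findings.append((a.user, "dormant", "de-provision"))
        if not a.mfa_enabled:
            findings.append((a.user, "no-mfa", "enforce MFA"))
        for name in overbroad_policies(a):
            findings.append((a.user, f"overbroad:{name}", "scope down"))
    return findings


# Constructed sample inventory (not real accounts or policies).
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", NOW - timedelta(days=5), True,
            [Policy("reports-read", ["s3:GetObject"], ["reports/*"])]),
    Account("bob", NOW - timedelta(days=120), True, []),          # dormant
    Account("carol", None, False,                                  # never used, no MFA
            [Policy("admin", ["*"], ["*"])]),                      # full wildcard
    Account("dave", NOW - timedelta(days=1), True,
            [Policy("iam-all", ["iam:*"], ["users/dave"])]),       # service wildcard
]

if __name__ == "__main__":
    for user, finding, action in audit(SAMPLE, NOW):
        print(f"{user:6} {finding:18} -> {action}")
```

Run against a real inventory export, the same three checks give a de-provisioning queue and a least-privilege backlog that can be reviewed on a schedule rather than ad hoc.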

Final thoughts

Making a business compliant with identity and access management requires an in-depth understanding of who can access the sensitive data and which data is necessary for the workers. Staying informed and updated about the latest technological trends and IAM practices will further help improve the IAM infrastructure.

The post Key to success while implementing IAM- Best practices that every company should implement appeared first on Cybersecurity Insiders.

As we start a new year, let's think about how we can draw up a plan to exercise our cyber fitness and make it a culture that sticks. It's a critical time to get this done as we work toward a new era where we're breaking down silos, understanding the new ecosystem movement going forward and the edge computing phenomenon.

Communication, creativity, and empathy are crucial in shifting from what we call a “have-to” security mindset (i.e., “I have to take this precaution because IT said so”) to a “want-to” mindset, which suggests employee buy-in to a company's security policy beyond simply ticking off a to-do box or watching a training video.

Key considerations include:

  • Do we have top-down buy-in?
  • Are expectations communicated effectively?
  • Are we driving accountability?
  • Have we formed a good CRUST (Credibility & Trust)?

When we say, “security culture” and “we have a positive security culture,” what we perceive as security culture and what you think in your mind as security culture might be two very different things. The reason is our companies prioritize the accomplishment of security goals differently. Some basics involve patching and reducing the chances of being hit by phishing attacks, but the underlying reason why that happens differs among organizations. This article is intended to examine each of these questions and provide helpful tips for creating a culture of cybersecurity awareness. 

Top-down approach

Isn't security something we should all be thinking about, not just the CISOs? It's interesting how people don't want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen. But the reality is, within any organization, doing the right thing — whether that be security, keeping track of the money, or making sure that things are going the way you're expecting — is a responsibility shared across the entire organization.

That's something that we are now becoming more accustomed to. The security space realizes it's not just about the security folks doing a good job. It's about enabling the entire organization to understand what's important to be more secure and making that as easy as possible.

There's an element of culture change and of improving the entire organization. What is making these softer approaches (behavior, culture, management, and attitude) more important now? Has something about security technology changed that makes us need to look at how people think? We're beginning to realize that technology is not going to solve all our problems.

So how do we create a top-down culture? The best recommendation would be to align business goals with good representation from multiple stakeholders, including the CEO, COO, IT, Marketing, Finance, or business owner, depending on the size and structure of the firm.

Appointing a “fall person” for security would make it challenging to foster a cybersecurity-aware culture. Instead, identifying a lead such as a CISO, CIO, or security director and inspiring an organization-wide, strategically aligned program would promote the most significant outcome. At a minimum, form a small security committee represented by key stakeholders and empower the security leader to fully understand the business objectives and recommend the best protection methods.

Figure: Kick Start your Security Culture

Communicate expectations

Once we have buy-in, it's time to communicate. What good is a cybersecurity policy if the people expected to follow it do not understand who, what, why, and how? The idea of sticking with “the policy states” only goes so far. Policies should be developed with the audience in mind, covering:

  • Purpose – why is the policy needed?
  • Objective – state the goal/what we want to accomplish.
  • Scope – what/who does the policy cover?
  • Roles & responsibilities – who is responsible, and what are their duties?
  • Penalties for non-compliance – why must the policy be followed?

Finally, how will the policy's effectiveness be measured? Establish a baseline and encourage good behavior in reporting incidents.

Everyone is accountable

Our primary goal in exercising cyber fitness is to raise awareness and understanding, measured by an increase in reported incidents and a decrease in actual events that are alleviated before they become incidents. It's essential to communicate the effectiveness and examples of accountability.

Some organizations utilize cybersecurity newsletters, while others make it a point to highlight via human resources or top-down communications. The key is to make it known that this is not another “mandatory training.” It's the standard, and we all have a stake in it.

Don't burn the CRUST

CRUST = Credibility and Trust. If we take a step back and ask, why do we even care about the security conversation? Security is one of the foundations of trust. No matter what companies we work for, we have some customers, someone that we serve, and customers need trust to make this transaction functional. Hence, an effective and successful company has a trust established with its customers and, in essence, its employees.

At the end of the day, when we're talking about building security in our companies, we're talking about building trust with our customers. Even if we look at ourselves and our spending habits, how many of us would choose to give our credit-card data to a company that's regularly getting hacked or has poor architectural choices where we don't trust our personal information? We don't. Or most of the time, we don't.

This is the foundation of why we're even having this conversation. When we think about building security in our organizations, that may mean different things to each of you. That could mean better architectural choices, products, threat modeling, processes, and reporting. It's the cultural foundation of how we make security decisions in our organization.

We must have accountability at all levels, and consistency is key to maintaining credibility and trust. If you attempt to bake a pizza without setting a timer or constantly monitoring it, your chances of burning the crust will drastically increase. It's great to take a similar approach with your organization. Look for ways to get feedback from employees and keep an open door for communication. Share feedback with your security committee and adjust accordingly. Remember to celebrate good behavior, communicate, and demonstrate examples of accountability.

We are the firewall

What began with a question ends with a statement, “WE are the firewall.” A culture built with top-down buy-in, accountability, and a good crust can be the foundation for employees to feel like they are part of something bigger and take pride in being the firewall. Though cybersecurity culture can sound intimidating, we can make headway as leaders now understand that the alternative threatens their bottom line.

As security becomes more integrated into businesses' day-to-day operations, we will continue to see a positive culture shift to reflect the common CISO phrase, “security is everyone's job.” The ultimate protection against cyber threats is that of instilling an organizational culture that is 'cybersecurity ready,' and that is knowledgeable and prepared to mitigate the risks at all levels of its strategy and operations.

The post Are WE the firewall? appeared first on Cybersecurity Insiders.

As we start a new year, let's think about how we can draw up a plan to exercise our cyber fitness and make it a culture that sticks. It's a critical time to get this done as we work toward a new era where we're breaking down silos, understanding the new ecosystem movement going forward and the edge computing phenomenon.

Communication, creativity, and empathy are crucial in shifting from what we call a “have-to” security mindset (i.e., “I have to take this precaution because IT said so”) to a “want-to” mindset, which suggests employee buy-in to a company's security policy beyond simply ticking off a to-do box or watching a training video.

Key considerations include:

  • Do we have top-down buy-in?
  • Are expectations communicated effectively?
  • Are we driving accountability?
  • Have we formed a good CRUST (Credibility & Trust)?

When we say, “security culture” and “we have a positive security culture,” what we perceive as security culture and what you think in your mind as security culture might be two very different things. The reason is our companies prioritize the accomplishment of security goals differently. Some basics involve patching and reducing the chances of being hit by phishing attacks, but the underlying reason why that happens differs among organizations. This article is intended to examine each of these questions and provide helpful tips for creating a culture of cybersecurity awareness. 

Top-down approach

Isn't security something we should all be thinking about, not just the CISOs? It's interesting how people don't want to think about it. They appoint somebody, give them a title, and then say that person is now responsible for making security happen. But the reality is, within any organization, doing the right thing — whether that be security, keeping track of the money, or making sure that things are going the way you're expecting — is a responsibility shared across the entire organization.

That's something that we are now becoming more accustomed to. The security space realizes it's not just about the security folks doing a good job. It's about enabling the entire organization to understand what's important to be more secure and making that as easy as possible.

There's an element of culture change and of improving the entire organization. What's causing these softer approaches — behavior, culture, management, and attitude more important now? Is there something about security technology that has changed that makes us need to look at how people think? We're beginning to realize that technology is not going to solve all our problems.

So how do we create a top-down culture? The best recommendation is to align security goals with business goals, with good representation from multiple stakeholders: the CEO, COO, IT, Marketing, Finance, or the business owner, depending on the size and structure of the firm.

Appointing a single “fall person” for security makes it hard to foster a cybersecurity-aware culture. Instead, identify a lead such as a CISO, CIO, or security director and build an organization-wide, strategically aligned program around them. At a minimum, form a small security committee of key stakeholders and empower the security leader to fully understand the business objectives and recommend the best protection methods.

Kick Start your Security Culture

Communicate expectations

Once we have buy-in, it's time to communicate. What good is a cybersecurity policy if the people expected to follow it do not understand who, what, why, and how? The idea of sticking with “the policy states” only goes so far. Policies should be developed with the audience in mind, covering:

  • Purpose – why is the policy needed?
  • Objective – state the goal/what we want to accomplish.
  • Scope – what/who does the policy cover?
  • Roles & responsibilities – who is responsible, and what are their duties?
  • Penalties for non-compliance – why must the policy be followed?

  • Measurement – how will effectiveness be assessed? Establish a baseline and encourage good behavior, such as reporting incidents.

Everyone is accountable

Our primary goal in exercising cyber fitness is to raise awareness and understanding. Success shows up as an increase in reported incidents alongside a decrease in actual incidents, because more events are caught and resolved before they can do damage. It's essential to communicate the effectiveness of the program and examples of accountability.

Some organizations utilize cybersecurity newsletters, while others make it a point to highlight via human resources or top-down communications. The key is to make it known that this is not another “mandatory training.” It's the standard, and we all have a stake in it.

Don't burn the CRUST

CRUST = Credibility and Trust. If we take a step back and ask why we even care about the security conversation, the answer is that security is one of the foundations of trust. No matter what company we work for, we have customers, someone we serve, and those customers need trust for the relationship to function. Hence, an effective and successful company has established trust with its customers and, in essence, with its employees.

At the end of the day, when we're talking about building security in our companies, we're talking about building trust with our customers. Look at your own spending habits: how many of us would hand our credit-card data to a company that is regularly getting hacked, or whose architecture we don't trust with our personal information? We don't. Or most of the time, we don't.

This is the foundation of why we're even having this conversation. When we think about building security in our organizations, that may mean different things to each of you. That could mean better architectural choices, products, threat modeling, processes, and reporting. It's the cultural foundation of how we make security decisions in our organization.

We must have accountability at all levels, and consistency is key to maintaining credibility and trust. If you bake a pizza without setting a timer or checking on it, your chances of burning the crust rise dramatically. Take a similar approach with your organization: look for ways to get feedback from employees and keep an open door for communication. Share that feedback with your security committee and adjust accordingly. Remember to celebrate good behavior, communicate, and demonstrate examples of accountability.

We are the firewall

What began with a question ends with a statement, “WE are the firewall.” A culture built with top-down buy-in, accountability, and a good crust can be the foundation for employees to feel like they are part of something bigger and take pride in being the firewall. Though cybersecurity culture can sound intimidating, we can make headway as leaders now understand that the alternative threatens their bottom line.

As security becomes more integrated into businesses' day-to-day operations, we will continue to see a positive culture shift to reflect the common CISO phrase, “security is everyone's job.” The ultimate protection against cyber threats is an organizational culture that is 'cybersecurity ready': knowledgeable and prepared to mitigate risk at every level of its strategy and operations.

The post Are WE the firewall? appeared first on Cybersecurity Insiders.

The digital world is ever-expanding in scope and influence, both in personal and professional matters. In the last few years, business operations have become increasingly dependent on technology, and on employees to use that technology safely. While remote and mobile work have been necessary and useful, they also open the door for cybercriminals to take advantage of lax security measures and employees’ ignorance of best practices. 

So long as companies are carrying out some or all of their affairs in the digital realm, cybersecurity is easily as important as physical security. As one cybersecurity awareness training guide puts it: “if businesses are to thrive in the Fourth Industrial Revolution, security needs to be not only top of mind, but a fluent language.” Some of the most pressing reasons for cybersecurity training are detailed below. 

1. Compliance with regulations

Many areas of business operations are governed by legal or regulatory oversight designed to address the risks inherent in digital activities. Examples include HIPAA, which sets rules for handling private health information in the US; PCI DSS, the payment card industry's standard for protecting cardholder data; and GDPR, which regulates personal data privacy in the EU. Complying with these regimes is necessary for several reasons, although the dominant motivator is that regulators and card brands can and will impose fines on businesses that fail to meet the standards.

It has often been said that a business is only as strong as its weakest link, and nowhere is this truer than in the world of data security. Any one employee can be a liability when it comes to the practices that an enterprise puts in place to protect consumer data as well as their own. When compliance is mandated and the threat of fines is looming, companies must ensure that all of their employees are properly trained and informed on the regulations in place.

2. Protecting enterprise assets

Aside from wanting to avoid fines, however, businesses should still attempt to meet these regulatory standards for their own good. While meeting the bare minimum of compliance standards will keep a company out of hot water with regulatory boards, it will not necessarily protect the company itself. According to one report from IBM, the average cost of a data breach is 4.35 million USD. Ensuring that employees are trained in cybersecurity awareness greatly decreases the risk of a data breach occurring, as well as ensuring that employees know how to respond in the event that there is an attack targeting the company’s data. 

3. Protecting consumer data

Ostensibly protected by the aforementioned regulatory standards, consumer data is still at a huge risk of being obtained, stolen, or leveraged by cybercriminals. An attack that only targets a company’s internal data is dangerous to the company, but an attack that targets consumer data can have far-reaching consequences that affect thousands or millions of people.

The responsibility for password complexity and variation, device and website privacy settings, and the amount of data shared can be at least partially placed upon the consumer’s shoulders. But the company must have its own measures in place as well to protect against attacks on customer data. 

Thorough and effective cybersecurity awareness training will reduce the chances of employee error leading to customer data being breached. When customer data is safe and protected, it establishes trust between the consumer and the business, and protects both from the liabilities that enterprises with weak security practices are subject to.

4. Establishing skill sets

In addition to protecting both the consumers and the business at large, cybersecurity awareness training can instill knowledge in employees that they will carry with them outside of work hours and use to their benefit, possibly even spreading it to their friends and family. Employees who learn how to detect and mitigate threats such as phishing, ransomware, spoofing, and deepfakes will be able to prevent those types of attacks not only on the company or its customers, but on their own personal data. They may even be more computer-literate in general and more receptive to technological advances that bring about change within the company, rather than being resistant and hesitant to learn. 

5. Constantly changing landscape

Even a company with a highly trained workforce must still make cybersecurity awareness training a priority going forward. The world of computers and data security is constantly shifting and growing, and threats adapt along with it. It is vital to refresh employees’ training and update it to account for significant changes that come about on a frequent basis. No cybersecurity training is effective if it is treated as a “one-and-done” affair, because no training can predict and guard against future advances on both the company’s end and the attackers’ end. 

Conclusion

At the end of the day, a company must be responsible for protecting its own data as well as any data that consumers choose to share with it. All employees have the potential to put this data in danger, so all employees need to undergo cybersecurity awareness training to mitigate that risk. A training program combined with other effective security measures will make sure that employees are prepared to recognize risks, guard against threats, and recognize and react to attacks if and when they do occur. Cybersecurity awareness training programs come in many flavors to meet the varying needs of businesses everywhere, and it is not only advisable but crucial to establish some kind of training for employees.

The post Five reasons why Cybersecurity training is important in 2023 appeared first on Cybersecurity Insiders.

Gift for cyber well being

During the holiday season, it is essential to take extra precautions with cybersecurity. Cybercriminals are often more active than usual, looking for ways to exploit unsuspecting users. Protect yourself and your loved ones: make sure your devices and theirs are up to date with the latest security software, and be mindful of potential scams.

Furthermore, only visit trusted websites and know the risks before making technological purchases. Cyber security can seem complicated, but anyone can protect themselves from common cyber threats with the correct information. Additionally, be aware of the various scams aimed at senior citizens during the holidays, such as fake holiday deals, phishing emails, fake charities, sweepstakes, or even threats to disconnect a senior's utilities. Taking these extra precautions can help ensure a safe and secure holiday season.

The pandemic has highlighted the need for an intergenerational cyber awareness program to help seniors and their grandchildren stay safe online. Using a grandchild's name for a password may be cute, but it's not always the safest option. Educating seniors and their grandchildren about the risks and best practices of using technology is essential to promote cyber well-being for seniors. A conversation between generations can be a powerful tool for increasing cyber security and safety. By providing age-appropriate lessons, we can create a strong bond across generations and make sure that everyone can stay safe online.

No matter your age, staying informed about cyber security is essential today. Elder fraud is becoming increasingly common, with scams taking different forms, such as fraudulent phone calls, phishing attempts through email and social media, or shopping scams. It is essential for everyone to be aware of the risks associated with the online world and to be responsible digital citizens.

To make this easier, it takes a “cyber village” to help raise savvy cyber citizens. For example, I have been able to explain the importance of cyber to my grandparents. They enjoy using an iPad and social media to stay connected and are a great example of how anyone can become a responsible digital citizen.

Be aware of the potential dangers of oversharing online, particularly on social media. Personal details such as your name, family member's name, home address, telephone numbers, and even answers to your secret question when you set passwords should be kept private. Be wary if you're ever contacted online by someone who requests this information. It is best to ignore unsolicited requests for personal information, including Social Security numbers, bank account numbers, and passwords.

Be on the lookout for any suspicious deals, discounts, or coupons that may be sent to you via email. It is essential to be aware of phishing scams, which often involve requests for you to act urgently to take advantage of a deal or prize. Also, be mindful of attachments containing malicious content, as they can infect your computer with a virus. Be vigilant and know how to spot any malicious baits confidently.

A password manager can be your friend. Change the default password on any device that connects to the Internet; that means not just your phone or laptop but your Internet router, TVs, home thermostat and other Wi-Fi gadgets. What does a strong password look like? Use a phrase instead of a word. “Passphrases” are easy to remember but difficult to guess. If the field allows it, use spaces between the words: they count as special characters for added strength and make the phrase easier to type.

Longer is stronger for passwords. The best passwords are at least ten characters and include some capitalization and punctuation. Typing the passphrase becomes a habit (usually within a few days). Some additional strategies include misspelling, a nursery rhyme, a movie quote, or song lyrics with a twist.
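The checks above, as an added example that is not part of the original post: a small Python checker that applies the advice (ten or more characters, mixed case, punctuation or spaces, nothing obvious) and estimates how much harder a passphrase is to brute-force than a short password built from a grandchild's name and a year. The personal details, the common-password list and the sample passwords are constructed for illustration, and the bit estimate assumes an attacker who knows only which character classes were used.

```python
"""Added example, not from the original post: check a candidate password
against the advice above (ten or more characters, mixed case, punctuation,
nothing obvious) and estimate how much harder a passphrase is to brute-force.
The personal details and the common-password list are constructed."""
import math
import string

MIN_LENGTH = 10
# Assumption: facts about this user a scammer could scrape from social media.
PERSONAL_TOKENS = ("emma", "liam", "fluffy", "1954")
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty", "123456", "welcome"}


def password_problems(pw: str) -> list:
    """Everything the advice above says to avoid; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for token in PERSONAL_TOKENS:
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("no mix of upper- and lower-case letters")
    if not any(c.isdigit() or c.isspace() or c in string.punctuation for c in pw):
        problems.append("no digit, punctuation or space")
    return problems


def brute_force_bits(pw: str) -> float:
    """Work factor for an attacker who knows only the character classes used:
    log2(alphabet_size ** length). Optimistic for dictionary words and names,
    which is exactly why password_problems() also looks for those."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)   # 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        alphabet += 1
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample passwords: a grandchild's name plus a year, then two passphrases.
    for candidate in ("Emma1954!", "Grandmas Cookies are Secret 7", "correct horse battery staple"):
        print(f"{candidate!r}: {brute_force_bits(candidate):.0f} bits, "
              f"problems={password_problems(candidate)}")
```

The short password fails on length and on two personal details even though it "looks" complex, while the 29-character passphrase passes every check and carries roughly three times the brute-force work factor. The all-lower-case passphrase is flagged only for the missing capital letter, which is the one piece of the advice a long phrase does not satisfy automatically.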

Don't fall for free Wi-Fi: Be smart about where and how you connect to the Internet for banking or other communications involving sensitive personal information. Public Wi-Fi networks are untrusted by nature, and shared computers at places such as libraries or hotel business centers may be out of date or already compromised. The process starts now, with teaching our family, especially older generations, how to interact with new technologies safely.

When in doubt, reach out! Beware of scammers, especially during the holidays. A stranger may call claiming an urgent emergency involving a child or grandchild (an arrest, an accident, even a kidnapping with a ransom demand) and ask for thousands of dollars right away. Hang up and call the family member directly on a number you already have.

Also, no legitimate tech support company will call you out of the blue. If anyone pressures you to buy a computer security product or says a subscription fee is associated with the call, hang up. If you're concerned about your computer, call your security software company yourself and ask for help. Watch out for copycat websites too.

During the holidays, you'll see an increase in store sales emails. Be sure to verify the sender's address, hover over links before clicking to see where they really lead, and only enter information into websites whose address starts with “https://”. Keep in mind that HTTPS only means the connection is encrypted; scam sites use it too, so also check that the domain is the retailer's own. Beware of fake delivery notifications as well. Once you place an online order that requires shipping, you'll usually receive notifications telling you when it has shipped and when to expect delivery. Some of these notifications are phishing messages hiding behind legitimate business names to harvest your private information. To avoid falling victim, take the tracking number from the retailer's own order confirmation and enter it on the carrier's website yourself rather than following a link in an unexpected message.
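The link checks described above, as an added example that is not part of the original post: a Python function that audits one e-mail link the way a careful reader would when hovering (scheme, real destination versus the text shown, brand names squatted inside another domain, digit-for-letter lookalikes, a trick `user@host` URL). The trusted domain list and the sample links are constructed for illustration.

```python
"""Added example, not from the original post: audit the links in a holiday
sale or delivery e-mail the way the advice above describes (hover, compare
the visible address with the real target, check the scheme). The trusted
domain list and the sample links are constructed for illustration."""
from urllib.parse import urlparse

# Assumption: the handful of retailers and carriers this reader actually uses.
TRUSTED_DOMAINS = {"ups.com", "fedex.com", "amazon.com"}

# Digit-for-letter swaps that lookalike domains rely on (amaz0n, paypa1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com; production code
    should consult the Public Suffix List so that e.g. .co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_link(display_text: str, href: str) -> list:
    """Return the red flags for one link; an empty list means nothing obvious."""
    flags = []
    url = urlparse(href)
    host = url.hostname or ""

    if url.scheme != "https":
        flags.append("not-https")
    if url.username is not None:
        # https://amazon.com@evil.example/ is served by evil.example, not amazon.com
        flags.append("userinfo-in-url")
    if host.replace(".", "").isdigit():
        flags.append("raw-ip-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")

    target = registrable_domain(host)
    if target not in TRUSTED_DOMAINS:
        # Naive substring check: catches "fedex-delivery.example", may over-match.
        brand_squat = any(t.split(".")[0] in host for t in TRUSTED_DOMAINS)
        if target.translate(HOMOGLYPHS) in TRUSTED_DOMAINS or brand_squat:
            flags.append(f"lookalike-of-trusted-domain:{target}")
        else:
            flags.append(f"untrusted-domain:{target}")

    # Visible text that looks like an address must point where it claims to.
    shown = display_text.strip()
    if "." in shown and " " not in shown:
        shown_url = shown if "://" in shown else "https://" + shown
        shown_host = urlparse(shown_url).hostname or ""
        if registrable_domain(shown_host) != target:
            flags.append("display-target-mismatch")
    return flags


if __name__ == "__main__":
    # Constructed sample e-mail links: (text the reader sees, real href).
    SAMPLE_LINKS = [
        ("https://www.ups.com/track", "https://www.ups.com/track?id=1Z999"),
        ("www.fedex.com", "http://fedex-delivery-update.example/login"),
        ("https://amazon.com", "https://amazon.com@evil.example/"),
        ("Track your package", "https://www.amaz0n.com/track"),
    ]
    for text, href in SAMPLE_LINKS:
        print(f"{href}\n    -> {audit_link(text, href) or 'no red flags'}")
```

Only the first link passes. The HTTPS check is deliberately just one flag among several: the `amaz0n.com` and `amazon.com@evil.example` links are both served over HTTPS and would both show a padlock, which is why the domain checks matter more than the scheme. The two-label `registrable_domain()` is a simplification; anything beyond a demo should use the Public Suffix List.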

Have you done your cyber exercises? It's important to remember that passwords should be kept secret, just like your special cookie recipe. Even though these tips may not be new for the holidays, reviewing and applying them to your normal activities is still essential. During the holiday season, when the cousins come to visit or when you make your famous cookie recipe, things can get a little bit busier. So, to ensure that your festive season isn't ruined, here are the top 10 tips to help you stay cyber-secure:

  1. I avoid using free Wi-Fi and use a VPN or my mobile phone as a hotspot when going online.
  2. I disable auto-connect on my devices and keep track of my laptop, smartphone, tablet, and accessories such as USB drives, especially while on the go.
  3. I don't leave my devices unattended in public places and avoid using the same password for different accounts.
  4. I change my passwords regularly and ensure they are at least ten characters long, involve a mix of upper- and lower-case letters plus symbols and numbers, and avoid the obvious. I also change the default passwords on my connected devices, such as Wi-Fi routers and printers.
  5. I never write my passwords down or share them with others, and I avoid clicking on suspicious links or links I'm unsure of.
  6. I don't open suspicious emails or attachments and never click on ads that promise free money, prizes, or discounts.
  7. I am wary of strange or unexpected messages, even from people I know, and I don't answer personal questions in text or voice chat during online gaming sessions.
  8. When using social media, I limit the personal information I post and only add people I know.
  9. Before I act, I search for information about a proposed offer and never send money or personally identifiable information to unverified people or businesses.
  10. I use reputable antivirus software and keep it updated, and I never share financial account information or allow anyone access to my accounts.


The post Cybersecurity for seniors this holiday season: all generations are a target appeared first on Cybersecurity Insiders.

With the explosive growth of technology, businesses are more vulnerable than ever to malicious cyber attacks. And as cybercriminals become more sophisticated, new methods of attack are popping up left and right.

To add fuel to the fire, the average cost of a data breach increased from $3.86 million to $4.24 million in 2021. That's costly enough to put most SMBs into the red. Not to mention the reputational damage it can cause for your brand.

Avoid this fate by understanding the latest developments in the criminal ecosystem, such as Malware-as-a-Service (MaaS), and protecting your networks, data, systems, and business reputation accordingly.

If you've never heard of Malware-as-a-Service (MaaS) before, don't fret. This article is for you.

We'll teach you everything you need to know about Malware-as-a-Service and wrap it up by sharing some best practices for protecting your proprietary company data from potential threats.

Let's dive in.

What is Malware-as-a-Service (MaaS)?

Malware-as-a-Service (MaaS) is a criminal business model in which malware authors sell or rent ready-made malware, and often the infrastructure to deploy and manage it, to other attackers who carry out the actual intrusions.

These services typically are available on the dark web. When purchased, a bad actor can carry out various malicious activities, such as stealing sensitive information, disrupting computer systems, or encrypting data and demanding a ransom to unlock it.

Some of the most common types of malware include the following:

  • Viruses: Programs that can replicate themselves and spread to other computers. They can cause various problems, such as disrupting computer operations, stealing information, or damaging files.
  • Trojan horses: Programs that masquerade as legitimate software but carry out malicious activities, such as stealing data or giving attackers unauthorized access to a computer.
  • Worms: Self-replicating programs that spread across networks on their own, disrupting computer operations and consuming network resources.
  • Adware: Software that displays unwanted advertisements on a computer. It can be intrusive and annoying and sometimes tracks a user's online activities.
  • Ransomware: Malware that encrypts a victim's data and demands a ransom payment for the decryption key. It can devastate businesses, resulting in the loss of important data and files.
  • Spyware: Software designed to collect information about a user's activities without their knowledge or consent in order to steal sensitive information (like financial statements and passwords).
  • Bots: Programs that turn an infected machine into a remotely controlled node of a botnet. They are often delivered by other malware; for example, a virus could infect a computer and then download and install a bot, which then carries out the operator's commands on that computer or against other computers on the network.

MaaS makes it easier for cybercriminals to launch attacks, as they can buy and use pre-built malware without developing it themselves. This division of labor between authors and operators can also make it harder for law enforcement, cybersecurity experts, and IT teams to track down the people responsible for a given attack.

And sadly, cyber-attacks are industry agnostic. For example, in the transportation industry, cybercriminals exploit vulnerabilities of electronic logging devices and steal valuable information from cloud-connected trucks.

MaaS is also a significant threat to online job boards like Salarship, Indeed, UpWork, or any other platform where job applications are stored. Attackers can easily access the personal data of thousands or millions of people by targeting these sites.

The bottom line: As a business holding proprietary company data, it's essential to be aware of the different types of malware and take the necessary precautionary steps to protect against these services.

Ransomware-as-a-Service (RaaS) vs. Malware-as-a-Service (MaaS)

Ransomware falls under the umbrella of malware. But what's the difference between Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS)?

The main difference between MaaS and RaaS is the specific type of malware offered as a service. MaaS involves the development and deployment of any malware, while RaaS specifically consists of the development and deployment of ransomware.

Ransomware is a type of malware that restricts access to the infected computer system or its data and demands a ransom payment to regain access. It typically spreads through phishing emails, malicious websites, and targeted exploits.

MaaS and RaaS are sold on dark web marketplaces and make it easy for anyone with little technical experience to launch an attack.

In some RaaS cases, the attackers first steal a copy of the victim's data and then encrypt it, threatening to leak or sell the stolen copy unless the ransom is paid (so-called double extortion). In others they simply encrypt the data and demand payment for the decryption key without exfiltrating anything.

Regardless, the goal of ransomware is to make money by extorting the victim.

How to protect your business against MaaS

As malware becomes more sophisticated and accessible, it's imperative to have defenses in place that give your business extra protection against bad actors.

According to a recent study, 64% of Americans would blame the company, not the hacker, for losing personal data.

Thankfully, there are ways to lessen the impact. A report from Cisco states that adhering to the General Data Protection Regulation (GDPR) has been shown to minimize the effects of a data breach.

Why? Because GDPR's data minimization and retention rules mean a compliant company holds less personal data, so there is less for attackers to take. Note that publishing a privacy policy, for example one produced by a privacy policy generator, is only one small part of compliance; it does not by itself make your business GDPR-compliant.

Here are a few additional steps that your business can take to protect itself from MaaS:

  • Implement strong network security measures, such as a web application firewall, intrusion detection, and secure passwords.
  • Regularly update and patch all software and operating systems to fix known vulnerabilities.
  • Educate employees about Malware-as-a-Service risks and how to avoid them, such as not opening suspicious email attachments or visiting untrusted websites.
  • Use reputable anti-virus and anti-malware software and regularly scan the network for signs of infection.
  • Back up essential data regularly, keep at least one copy offline or otherwise unreachable from the production network so ransomware cannot encrypt it too, and test restores so your business can quickly resume operations if anything goes south.

One of your company's most significant assets is its data privacy and reputation, which directly affects how much your business is worth. So it's critical to protect it against MaaS with a strong and well-implemented cybersecurity plan.

Wrapping up

Cybercriminals no longer need a strong technical background to pull off a malicious hack. The MaaS model has made it possible for anyone to become a cybercriminal.

But that doesn't mean you have to avoid the internet forever — which is pretty challenging to do in today's day and age.

With preventative measures and a robust cybersecurity strategy, you can sleep soundly at night, knowing your company data is safe from a MaaS attack.

For more advice on staying secure online, check out the AT&T Cybersecurity blog for additional insight.

The post Understanding Malware-as-a-Service (MaaS): The future Of cyber attack accessibility appeared first on Cybersecurity Insiders.


What is a bug bounty platform?

As Wikipedia puts it: “A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities”.

For instance, if Company ‘A’ wants to audit or test its applications (web and mobile) for security vulnerabilities and bugs, it has two options:

1. Self-host a bug bounty / responsible disclosure program

2. List the bounty program on a bug bounty platform such as HackerOne, Bugcrowd, etc.

How does a bug bounty program work?

Bug bounties connect ethical hackers with a firm’s remediation team. A single bug bounty platform allows both parties to meet, communicate, and patch bugs quickly. Bug bounty program managers track the program’s progress by recording bounty payouts, the number of vulnerabilities discovered, and the average resolution time.

Before launching a bug bounty program, the firm sets the program scope and decides whether the program is private or public. Scope defines which systems are available for testing, how tests may be carried out, and how long the program will be open. Private programs are invite-only and are not visible to anyone online.

Most programs start as private, with the option to go public once the firm decides it is ready. Private programs help firms pace their remediation efforts and avoid overwhelming their security teams with large numbers of duplicate bug reports.

Public programs accept submissions from the entire hacker community, allowing any hacker to test the firm's assets. Because public programs are open, they frequently produce a high number of bug reports, many of them duplicates.

The payout for each bounty is set according to the vulnerability’s criticality. Bounties can range from several hundred dollars to thousands of dollars and, in some cases, millions.

Bounty programs add a social and professional element that attracts top-tier hackers looking for community and a challenge. When a hacker discovers a bug, they submit a vulnerability report. The report shows which systems the bug affects, how the developers doing triage can reproduce it, and its security risk level. Reports go directly to the remediation team, which validates the bug. Once the bug is validated, the ethical hacker is paid for the finding.

Why launch a bug bounty program?

Some may ask why firms resort to bounty programs rather than hiring security professionals. The answer is straightforward: many firms do have their own security teams, but big firms like Facebook, Google, etc. launch and develop huge numbers of applications, domains, and other products continuously. With such a long list of assets, it becomes nearly impossible for an in-house security team to pen test every target.

Therefore, bounty programs can be an economical way for firms to check large numbers of assets regularly. Plus, bug bounty programs encourage security researchers to contribute ethically to these firms and receive acknowledgment and bounties in return. That’s why bug bounty programs make a lot of sense for big firms.

However, for firms with small budgets, a bug bounty program may not be the best choice, as they could receive more valid vulnerability reports than their limited resources allow them to pay for.

Top bug bounty platforms

HackerOne

In 2012, hackers and security leaders formed HackerOne because of their passion for making the internet safer. As the leader in Attack Resistance Management (ARM), HackerOne closes the security gap between what organizations own and what they can protect. ARM blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats.

HackerOne is used by big multinational companies such as Google, Yahoo, Twitter, PayPal, Starbucks, GitHub, etc., which have huge revenues and are willing to pay large amounts to hackers.

Bugcrowd

Bugcrowd is another huge name in the bug bounty industry. Founded in 2011, it is one of the first and one of the largest platforms.

Many companies trust Bugcrowd to host their vulnerability disclosure programs, and Bugcrowd also offers penetration testing services and attack surface management.

Currently, Bugcrowd hosts over 1,400 bug bounty programs. It offers a SaaS solution that blends easily into your existing software lifecycle, making it quite easy to run a successful bug bounty program.

Synack

Synack is an American technology company based in Redwood City, California. Synack's business includes a vulnerability intelligence platform that automates the discovery of exploitable vulnerabilities for reconnaissance and turns them over to the company's freelance hackers to create vulnerability reports for clients.

So, if you’re looking for not just a bug bounty service but also security guidance and training at the top level, Synack may be your way to go.

Intigriti

Intigriti helps companies protect themselves from cybercrime. It is a community of ethical hackers that provides continuous, realistic security testing to protect customers’ assets and brand.

This interactive platform features real-time reports of current vulnerabilities and commonly identifies crucial vulnerabilities within 48 hours.

Founded in 2016, Intigriti set out to conquer the limitations of traditional security testing. Today, the company is widely recognized for its innovative approach to security testing, impacting both customers’ security awareness and security researchers’ lives.

Immunefi (focused on Web3)

Immunefi provides bug bounty hosting, consultation, and program management services to blockchain and smart contract projects.

Since its founding, Immunefi has become the leading bug bounty platform for Web3 with the world's largest bounties and payouts.

The post Top bug bounty platforms for organizations to improve security appeared first on Cybersecurity Insiders.

In the first blog in this series, we discussed setting up IAM properly. Now we’re moving on to the second step, avoiding direct internet access to AWS resources.

When AWS resources like EC2 instances or S3 buckets are directly accessible via the Internet, they are vulnerable to attack.  Examples include brute-force attacks on SSH logins, denial of service (DoS) attacks on server resources via Layer 3, 4, or 7 flooding, and the inadvertent disclosure of data in an S3 bucket.  Thankfully, AWS offers tools that can virtually eliminate each of these threats.  Let’s discuss how to protect resources that have traditionally been placed in the demilitarized zone (DMZ) of a public subnet.

Put all EC2 instances in private subnets

Despite the advent of network address translation (NAT) (i.e., the mapping of a public IP address to a private IP address), many businesses put publicly accessible resources in the DMZ.  This enables direct connectivity to resources by assigning public IP addresses to them.  In turn, through domain name system (DNS) resolution, website names are translated to these IP addresses, which enables connectivity.  Ordinarily, resources placed in a DMZ are webservers.  Some companies, out of convenience or a lack of security awareness, will also place database, application, and file servers in the DMZ.  If adequate access control lists (ACLs) and security groups are not in place to restrict access by IP source, IP destination, protocol, and port number, these resources are vulnerable to attack.

Fortunately, there is no longer a need to place EC2 instances in a public subnet.  This includes bastion hosts that are used to access EC2 instances in private subnets.  Rather than associate a public IP address with EC2 instances, an elastic load balancer (ELB) can be used instead. 

The ELB is a virtual appliance that terminates webserver-bound traffic via a public IP address and passes that traffic to EC2 instances, or corresponding containers if applicable, that reside in a private subnet.  Neither the AWS customer using the load balancer nor any external party can directly access the load balancer itself, so it is not vulnerable to attack.  Furthermore, depending on whether the traffic being terminated on the ELB is Layer 4 (the OSI transport layer) or HTTP (Layer 7), AWS offers two separate ELBs to accommodate the applicable traffic.  These ELB options are the Network Load Balancer (Layer 4) and the Application Load Balancer (Layer 7).  As the diagram and step-by-step description from AWS below reveal, virtualized server resources that reside in private subnets cannot be directly accessed by the outside world.

Complete traffic flow diagram

The following diagram combines the inbound and return traffic flows to provide a complete illustration of load balancer routing.

[Diagram: AWS flow]

  1. Traffic from the internet flows in to the Elastic IP address, which is dynamically created when you deploy an internet-facing Application Load Balancer.
  2. The Application Load Balancer is associated with two public subnets in the scenario that’s illustrated. The Application Load Balancer uses its internal logic to determine which target group and instance to route the traffic to.
  3. The Application Load Balancer routes the request to the EC2 instance through a node that’s associated with the public subnet in the same Availability Zone.
  4. The route table routes the traffic locally within the VPC, between the public subnet and the private subnet, and to the EC2 instance.
  5. The EC2 instance in the private subnet routes the outbound traffic through the route table.
  6. The route table has a local route to the public subnet. It reaches the Application Load Balancer on the node in the corresponding public subnet, by following the path back the way the traffic entered.
  7. The Application Load Balancer routes traffic out through its public Elastic IP address.
  8. The public subnet's route table has a default route pointing to an internet gateway, which routes the traffic back out to the internet.

Importantly, even with an ELB in place, it is imperative to configure appropriate ACLs and security groups.  Only legitimate traffic should be allowed in and out of the virtual private cloud (VPC).  If the load balancer improperly allows all traffic in and out of the private subnet where the EC2 instances reside, much of the benefit of restricting direct Internet access to them can be lost. 

Moreover, EC2 instances behind an ELB can still be vulnerable to Layer 3, Layer 4, or Layer 7 DoS attacks.  An ELB merely eliminates the ability for people from the Internet to directly access your instances.  To stop Layer 3 and Layer 4 Distributed Denial of Service (DDoS) attacks, AWS offers AWS Shield.  This service is offered at two levels – basic and advanced.  Basic service is free, and it monitors and restricts Layer 3 and Layer 4 traffic. Hence, before traffic ever hits your ELB, it is being monitored and filtered with AWS’ DDoS mitigation technology.  For advanced coverage and features, AWS offers AWS Shield Advanced for an additional cost.  With Shield Advanced, you have access to a 24/7 AWS Shield Response Team, advanced reporting, and cost protection associated with the increase of AWS resources used during an attack.  You can learn more about AWS Shield here: Managed DDoS protection – AWS Shield Features – Amazon Web Services

For Layer 7 DoS mitigation, AWS offers a Web Application Firewall (WAF).  Per AWS, this service “lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs…  In addition, AWS WAF makes it easy to create rules that block common web exploits like SQL injection and cross site scripting.”  If your business utilizes AWS Shield Advanced, AWS WAF is included in the monthly cost.  You can learn more about AWS WAF here: Features – AWS WAF – Amazon Web Services (AWS).

Notably, some DoS events are not malicious but are rather the result of a company’s web services going viral.  If too much traffic hits all at once, content can be inaccessible.  For both static and dynamic content, AWS offers a content delivery network (CDN) called CloudFront.  Thus, rather than scale your EC2 instances behind an ELB vertically or horizontally for increased demand, content can be offloaded to CloudFront where it is cached and, if need be, made globally available.  This protects your virtualized server resources and your wallet, too.  You can learn more about AWS CloudFront here: Low-Latency Content Delivery Network (CDN) – Amazon CloudFront – Amazon Web Services

How to securely access EC2 instances in private subnets

Up to this point, we have discussed how you can protect your EC2 instances from being accessed from the outside world.  Rightfully so, you may be wondering how systems administrators can access instances to manage them if there is no public IP address for SSH or RDP connectivity.  Normally, a bastion host would be provisioned in a public subnet for access to resources in a private subnet.  However, a bastion host in a public subnet, no matter how hardened the instance is, creates an unnecessary exposure.

The simple remedy for accessing EC2 instances in private subnets is AWS Systems Manager.  There is no need to open SSH or RDP ports in the private subnet either.  Through the AWS console, Systems Manager establishes SSH or RDP sessions to EC2 instances on your behalf.  With no SSH or RDP ports open, even if an internal EC2 instance were compromised, a malicious actor could not use stolen key pairs to access another instance or brute force the root account.  Accordingly, the only users permitted to access an EC2 instance are those with the appropriate IAM user, group, or role permissions.  To learn more about AWS Systems Manager, click here: Centralized Operations Hub – AWS Systems Manager – Amazon Web Services
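
One way to verify both points above, that security groups do not admit the whole Internet and that no instance keeps a public IP or an SSH/RDP port open to the world, is an audit over the EC2 API's own data. This is an added example, not from the original post; the instance and security-group records are constructed to mirror the shape of boto3's describe-instances and describe-security-groups responses, and sg-alb is a hypothetical load-balancer security group.

```python
"""Audit EC2 exposure: public IPs and SSH/RDP open to the world.

Added example, not from the original post; runs offline on constructed
sample data shaped like boto3's describe-instances and
describe-security-groups output.
"""
from typing import Dict, List

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: a bastion-style host with a public IP and SSH open
# to everyone, and an app host reachable on 443 only from the load
# balancer's security group (sg-alb, hypothetical).
INSTANCES = [
    {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-bastion"}]},
    {"InstanceId": "i-0bbb", "SecurityGroups": [{"GroupId": "sg-app"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
]

def _covers(rule: Dict, port: int) -> bool:
    """True if an ingress rule includes this TCP port ("-1" = all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def _world_reachable(rule: Dict) -> bool:
    """True if the rule's source is any IPv4 or any IPv6 address."""
    return (any(r.get("CidrIp") == ANY_V4 for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_V6 for r in rule.get("Ipv6Ranges", [])))

def open_admin_ports(group: Dict) -> List[str]:
    """Admin services (SSH/RDP) this group exposes to any source, sorted."""
    return sorted({name for port, name in ADMIN_PORTS.items()
                   for rule in group.get("IpPermissions", [])
                   if _world_reachable(rule) and _covers(rule, port)})

def audit(instances: List[Dict], groups: List[Dict]) -> Dict[str, List[str]]:
    """Map each instance id to its findings; an empty list means clean."""
    by_id = {g["GroupId"]: g for g in groups}
    report = {}
    for inst in instances:
        findings = []
        if inst.get("PublicIpAddress"):
            findings.append("public IP " + inst["PublicIpAddress"])
        for sg in inst.get("SecurityGroups", []):
            for svc in open_admin_ports(by_id.get(sg["GroupId"], {})):
                findings.append(svc + " open to world via " + sg["GroupId"])
        report[inst["InstanceId"]] = findings
    return report
```

With a real boto3 client, feed it the `Instances` lists from `describe_instances` reservations and the `SecurityGroups` list from `describe_security_groups`; any non-empty findings list is an instance the post says should not exist.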

Finally, you may also be wondering how EC2 instances in a private subnet can access the Internet for software downloads, patches, and maintenance if they do not have a public IP address.  Previously, for instances in private subnets to access the Internet, an EC2 NAT instance in a public subnet would need to be provisioned.  Internet-bound traffic from instances in the private subnet would be routed through the NAT instance.

However, like bastion hosts, EC2 NAT instances pose an unnecessary security risk.  The solution for routing Internet-bound traffic to and from instances in private subnets is to use AWS NAT Gateways.  Like ELBs, NAT Gateways are virtualized appliances that are not accessible to AWS customers or external parties.  Unlike NAT instances, they are not provisioned with predefined CPU, RAM, and throughput either.  Rather, they scale dynamically to handle whatever workload is thrown at them.  Consequently, EC2 instances in private subnets can securely access the Internet without the threat associated with a NAT instance in a public subnet. To learn more about AWS NAT Gateways, click here: NAT gateways – Amazon Virtual Private Cloud

Now that we have learned how to protect EC2 instances, and by extension the services that run on them like containers, applications, and databases, let’s discuss how to secure S3 buckets.

Keep S3 buckets private or restrict public access using CloudFront

Over the years, many news stories have revealed the blunders of companies that publicly expose their customers’ data by publishing it in public S3 buckets.  As anyone who has recently provisioned an S3 bucket will know, AWS has made it exceedingly difficult to repeat this error.  With warning prompts and conspicuous red, “danger, Will Robinson!” icons, AWS lets you know when an S3 Bucket is public. 

For obvious reasons, data that companies do not want the whole world to know should never be placed in a public S3 bucket.  This includes personally identifiable information (PII), health information, credit card account details, trade secrets, and any other proprietary data.  Even with encryption in place, which we will discuss in Step 3, there is no reason to ever make this type of data publicly available. 

For S3 data that is publicly available, direct access to the objects should be restricted.  There are a few reasons why.  First, entities may not want their customers to access objects with the AWS S3 URL.  Instead, they may want their customers to access objects using their custom domain.  Second, entities may not want their customers to have unlimited access to S3 objects.  Instead, they may prefer to use pre-signed URLs to limit how long end users can access objects.  Finally, entities may not want to pay unnecessary costs for end users reading or downloading S3 objects directly from a bucket.  The remedy to these problems is to make public S3 buckets accessible only via CloudFront. 

This is achieved by configuring S3 to accept GET or POST requests only from CloudFront.  Hence, objects in the bucket are reachable only through CloudFront, not directly from the outside world.  To learn more about AWS CloudFront and S3 bucket integration, click here: Restricting access to an Amazon S3 origin – Amazon CloudFront
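
As an added example that is not from the original post, here is the world-readable bucket policy the post warns against beside the CloudFront-only policy that should replace it, plus a small check that flags the weak form. The restrictive policy follows the documented CloudFront origin access control pattern (service principal plus a source-ARN condition); the bucket name, account id and distribution id are placeholders.

```python
"""S3 bucket policy: world-readable versus CloudFront-only (added example).

Not from the original post.  The restrictive policy follows the documented
CloudFront origin access control (OAC) pattern: the CloudFront service
principal may read objects only on behalf of one named distribution.
Bucket name, account id and distribution id are placeholders.
"""
from typing import Dict, List

BUCKET = "example-static-assets"  # placeholder
DIST_ARN = "arn:aws:cloudfront::111111111111:distribution/EDFDVBD6EXAMPLE"

# The mistake the post warns about: anyone can GET objects from the bucket URL.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

def cloudfront_only_policy(bucket: str, distribution_arn: str) -> Dict:
    """Bucket policy that lets only one CloudFront distribution read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }

# With direct access closed off, every Block Public Access setting can be on;
# CloudFront is still admitted by the policy above, not by public access.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

def world_readable_statements(policy: Dict) -> List[str]:
    """Sids of Allow statements granted to any principal with no condition."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or principal == {"AWS": "*"}
        if st.get("Effect") == "Allow" and anyone and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits
```

Run `world_readable_statements` over the policy returned by `get_bucket_policy` for each bucket; any Sid it returns is a bucket whose objects are fetchable straight from the S3 URL.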

Now that we know how to properly secure EC2 instances and S3 buckets by restricting direct access via the Internet, the next, and last blog in this series will discuss our final step – encryption. 

The post Improve your AWS security posture, Step 2: Avoid direct internet access to AWS resources appeared first on Cybersecurity Insiders.