The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

War, economic instability, external threats, and global politics affect the energy sector of a country or region. In addition, cyberattacks on critical infrastructure can cripple the strained energy market.

Europe is facing a severe energy crisis, and European governments are getting prepared for this winter by managing the demands and keeping energy reserves. The EU (European Union) also accelerated the work to improve critical infrastructure defence and resilience. This energy crisis is the outcome of Russia’s war in Ukraine (attacks on pipelines to disrupt the supply chain) and strict Russian policies towards European countries.

Cyberattacks on the energy sector

In addition to the physical challenges, the growing cyberattacks on the energy sector could worsen the energy crisis. According to Energy Security Sentinel, thirteen cyberattacks targeted energy infrastructure this year, making it the highest number of annual attacks over the last six years. Oil and electricity were the most vulnerable infrastructure, followed by gas and shipping.

The cyberattacks don’t only target critical European infrastructure. In 2021, the Colonial Pipeline in the United States was affected by the ransomware attack, which caused authorities to declare a regional emergency in 17 states and Washington, D.C.

The same year, Saudi Aramco – Saudi Arabia’s state oil giant, came under cyberattack. In that case, the hackers asked for $50m extortion money.

Why is the energy sector a target for cyberattacks?

The energy sector is a lucrative target for financially motivated cybercriminals; they know the companies tend to be financially sound and can pay the heavy ransom to keep their operations running.

The economic activities of a country also rely on the energy sector; thus, a disruption can cause substantial damage. For example, a six-hour winter black-out in France could result in damages totalling over €1.5 billion ($1.7 billion). This motivates state-sponsored hackers to target an opponent’s critical infrastructure to achieve political outcomes.

Despite the critical nature of the industry, the energy infrastructure is particularly vulnerable for three primary reasons:

  • Large attack surface
  • Lack of skilled professionals
  • Digitalization and integration

Large attack surface

Attack surface refers to all the possible entry points into a system. The energy sector has a broad attack surface that includes distribution networks, supply chains, partners, power lines, smart meters and so on. Generally, organizations lack the capability to monitor or inventory their assets, which increases the risk and can leave entry points unprotected.

Lack of skilled professionals

People working in critical infrastructure are typically not equipped with the skills required to protect the infrastructure from cyberattacks. Even organizations investing in security products and solutions face the human resource problem, which makes them vulnerable.

Interestingly, the public and private sectors are joining forces to overcome the skilled professional supply problem. ENCS in Europe shares information and knowledge and is owned by grid operators. Similarly, the US House of Representatives passed a bill named “Industrial Control Systems Cybersecurity Training Act”, intending to give free ICS training to IT professionals.

Digitalization and integration

Though digitalization and IT integration facilitate critical infrastructure management and operations, they introduce several security risks. IT/OT convergence arguably raises security risks: unauthorized changes to systems or control logic could put human life in danger. The security risk can be minimized by actively monitoring the systems, managing patching carefully and having skilled people protecting the network.

What to do?

The inevitable nature of digitalization could introduce more risks, and cyberattacks could become more frequent and organized. This in turn could worsen the energy crisis. Thus, leaders in the energy sector must build their systems to be cyber resilient and implement a business continuity plan.

Energy organizations must also consider a security by design approach while initiating any energy project, and they must also include cybersecurity leaders and experts on the project.

To achieve economic stability, protecting the energy sector from cyberattacks is vital. This requires organizations and governments to work closely in protecting the energy sector.

The post Cyberattacks could worsen the global energy crisis appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

Humans are considered the weakest link in cybersecurity. No matter how much a company invests in firewalls, antivirus, and other security software to detect, deter, and prevent attacks, humans will always be the main vector for compromise. If no adequate user-security training is provided within the organization, it will always be at risk. Phishing is one of the oldest cyber-attacks, yet one of the most used by attackers due to its effectiveness and low cost.

The Managed Extended Detection and Response (MXDR) team received an alarm indicating a user had successfully logged in from a country outside of the United States (US). Upon further review, this was the first time the user had logged in from outside of the US. The analyst team created an investigation, to which the customer responded and took the necessary steps to recover the account from the attacker.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered as a result of the account being accessed from outside of the United States. Due to the recent shift of remote working, it is common to see users accessing their accounts from different countries that could be caused by Virtual Private Network (VPN) or because of travel activity.

[Image: External access]

Expanded investigation

Events search

When investigating potentially malicious behavior, it is important to understand what the baseline of a user's activity looks like. While looking at the historic data for their activity, logs showed this was the first instance the account has been accessed from outside of the United States.

[Image: External access investigation]

The logs did not show any failed login attempts from another country, which is usually seen whenever an attacker attempts to compromise an account.
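The two checks the analysts describe above, a per-user baseline of countries seen in earlier successful logins and a look for failed attempts preceding the success, can be scripted. This is an added example, not code from the AT&T SOC post; the log line format, field names and sample events are constructed assumptions.

```python
# Added example (not from the SOC post): triage for a "successful login from
# outside the home country" alarm. For each successful non-home login it
# checks whether the user has any earlier successful login from that country
# (travel or VPN egress make repeats less interesting) and counts failed
# attempts from the same country in the preceding 24 hours.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    country: str  # ISO 3166 alpha-2 code as an identity provider might geolocate it
    success: bool
    ip: str


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed line: '<iso-ts> user=<u> country=<cc> result=<ok|fail> ip=<addr>'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(
        ts=datetime.fromisoformat(ts_str),
        user=kv["user"],
        country=kv["country"],
        success=kv["result"] == "ok",
        ip=kv["ip"],
    )


def baseline_countries(events: List[LoginEvent], user: str, before: datetime) -> Set[str]:
    """Countries from which this user successfully logged in strictly before `before`."""
    return {e.country for e in events if e.user == user and e.success and e.ts < before}


def preceding_failures(events: List[LoginEvent], user: str, country: str,
                       at: datetime, window: timedelta = timedelta(hours=24)) -> int:
    """Failed logins for the user from the same country within `window` before `at`."""
    return sum(1 for e in events
               if e.user == user and not e.success and e.country == country
               and at - window <= e.ts < at)


def triage(lines: List[str], home: str = "US") -> List[dict]:
    """Return one finding per successful login from a country not in the user's baseline."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)
    findings = []
    for e in events:
        if not e.success or e.country == home:
            continue
        seen = baseline_countries(events, e.user, e.ts)
        if e.country in seen:
            continue  # repeat from a known country: not a first-time event
        findings.append({
            "user": e.user,
            "country": e.country,
            "ip": e.ip,
            "ts": e.ts.isoformat(),
            # True when the user has never before logged in from anywhere outside home
            "first_non_home_login": not any(c != home for c in seen),
            "failed_attempts_before": preceding_failures(events, e.user, e.country, e.ts),
        })
    return findings


# Constructed sample log (documentation IP ranges, fictitious users).
SAMPLE_LOG = [
    "2022-11-01T09:00:00 user=alice country=US result=ok ip=198.51.100.10",
    "2022-11-02T09:05:00 user=alice country=US result=ok ip=198.51.100.10",
    "2022-11-03T14:20:00 user=alice country=NL result=ok ip=203.0.113.7",
    "2022-11-01T08:00:00 user=bob country=US result=ok ip=198.51.100.22",
    "2022-11-02T08:00:00 user=bob country=CA result=ok ip=192.0.2.44",
    "2022-11-04T08:00:00 user=bob country=CA result=ok ip=192.0.2.44",
    "2022-11-04T22:10:00 user=bob country=BR result=fail ip=203.0.113.99",
    "2022-11-04T22:11:00 user=bob country=BR result=fail ip=203.0.113.99",
    "2022-11-04T22:12:00 user=bob country=BR result=fail ip=203.0.113.99",
    "2022-11-04T22:13:00 user=bob country=BR result=ok ip=203.0.113.99",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Alice's Dutch login mirrors the case in the post: a first-ever foreign success with no preceding failures, which is exactly the pattern a phished credential produces and why the analysts escalated to the customer rather than closing on the absence of brute-force noise.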

Response

Building the investigation

After gathering enough information, an investigation was created for the customer to confirm if this should be expected from this user.

[Image: Response]

Customer interaction

Within minutes of the investigation being created, the customer confirmed the user had clicked a phishing email and entered their credentials, which the attacker then used to successfully log in to their account.

[Image: Customer interaction]

The phishing email contained a URL to the following site:

[Image: Phishing email]

Once clicked, this site would send the user to a page that impersonated a login for an email account that was used to harvest credentials.

Limitations and opportunities

Limitations

For this investigation, the MXDR team did not have full visibility into the Microsoft Office 365 Exchange environment, hindering visibility into the initial attack. We were unable to see the phishing email being sent to this account. The only events observed by the SOC were the successful logins from outside of the United States.

The post Stories from the SOC – Phishing for credentials appeared first on Cybersecurity Insiders.


Data continues to be a valuable asset for an organization and plays a crucial role in making operational and strategic business decisions. With the growth of hybrid, private, and multi-cloud models, much of the data is stored on these platforms and becomes vulnerable to malicious activities and potential data leaks.

Amid the vast volume of data, some of it remains unknown, untapped, and unused within an organization's architecture. This dark data is generated by users' daily online interactions across several devices and systems.

Dark data might seem like a scary term, but it isn't, though it does pose some risks. Since the share of dark data is growing more quickly than the rest of organizational data, businesses are becoming concerned about it. Hence, to grasp what dark data is and what issues it signifies, it's essential to understand it from a broader perspective.

What Is dark data?

Dark data is the type of organizational data whose value is not identified; hence, it can be crucial business data or useless data. A research report published by BigID reveals that 84% of organizations are seriously concerned about dark data. This data consists of the additional information collected and stored during daily business activities. But perhaps to your surprise, the organization may be unaware of the dark data and typically doesn't use it.

Dark data tends to be unstructured data that contains sensitive and unclassified information. The research report further reveals that eight out of ten organizations consider unstructured data the most critical to handle and secure. Dark data can be classified as follows:

  • Emails, images, audio, video, and social media posts.
  • Application trails, including API caches and encryption keys used for VPN or SSH.
  • Data stored in overlooked virtual images activated or installed in local or cloud infrastructure.
  • Forgotten unstructured data created on various database engines a long time ago.
  • Data owned by customers and the company's employees on desktop and mobile devices.
  • Hidden data files in a file system, in the form of old pictures, scanned documents, PDF forms, notes in MS Word documents, and signed files.

Dark data might seem benign, but it holds most of the organization's information. Thus, it can pose significant security risks if it falls into the wrong hands, like leaking a company's sensitive data and damaging its industry reputation. This is particularly alarming for organisations that do not use a reliable VPN or any other security tools to ensure data privacy and safety.

How can you utilize dark data to help your business?

Dark data seems challenging to handle and involves lengthy manual processes, but companies need to automate these processes. Technological advancements such as the use of AI have made it easier for companies to explore and process unstructured data.

Another important use of dark data is its role in boosting AI-powered solutions. As more data accumulates, AI has more information to analyse and can produce deeper insights. Alongside Artificial Intelligence, you can also use Machine Learning technology to discover untapped and unused data and insights. These insights might help organizations make more informed decisions regarding incoming data. Also, it guides them toward taking practical steps in response to their data.

Implementing AI and ML systems needs internal structural changes for businesses, costing organizations a great deal of time and money. However, the benefits will be a high return on investment, so do invest in it.

Besides this, organizations can use dark data to create management strategies around IoT technology to provide long- and short-term trend analyses to show possible results to managers and senior leadership.

Another way dark data can prove helpful is in developing new and productive business strategies. It helps enterprises analyse which department owns what type of data and what different employees and managers hold. Moreover, it can help improve the quality assurance processes that detect and correct errors. It also surfaces potential privacy loopholes, vulnerabilities, and compliance violations.

Dark data can improve business by creating revenue, streamlining processes, and reducing costs. Analysing it can reveal relationships between seemingly unrelated pieces of information.

Thus, analysing information like server log files can give insight into user behaviour, customer call records, geolocation data, and preferences that can reveal traffic patterns and help in further improving and expanding their business.

Hidden dark data cybersecurity risks

Dark data isn't going away anytime soon; hence, organizations should consider it a big challenge, and one that poses significant cybersecurity risks. Here are some of the issues that dark data brings with it:

Compliance violations

There are greater chances that the organization's dark data might violate the data privacy compliance mandates and regulations like the GDPR, PCI DSS, or HIPAA. The organization itself has no idea about this violation unless a breach occurs. In such a situation, the regulators and the clients become extremely angry for not protecting the data. Also, the organization might face lawsuits, sanctions, and hefty fines.

Unused business security intelligence

Another drawback of dark data stored within your organization is that enterprises fail to utilize all of their security intelligence. For instance, dark data assets also include system log files that can be used to create more accurate threat and anomaly detection or cyber risk assessment models. But when these go overlooked, enterprises might experience a hacking or data breach incident and regret it later, because they had a way to secure themselves but ignored it.

Increased risk of cyber-attacks

As you store more and more business data on local servers and within the cloud environment, it becomes more challenging to discover, reuse, or retrieve user data – which may increase the risk of a data breach.

When people within an organization don't know what information each data set contains, it can result in confusion about who can access it and who is unauthorized. Moreover, poorly categorized data leads to significant permission challenges. If the wrong individuals are accessing sensitive information, you're putting your business at risk of a data breach or a leak of critical business data.

Besides this, dark data also causes opportunity costs to an organization. If a company decides not to invest in the evaluation and processing of dark data, but its competitors do so, they likely fall behind. Hence, the organization pays the cost of lost opportunities.

How to handle dark data?

Besides using dark data constructively, there are other ways you can adopt to handle dark data more efficiently and in a well-organized manner. Here are some of these ways:

  • Use strong encryption standards for your business data to prevent data security issues and add an extra security layer to your online data. Organizations need to apply this practice to in-house servers and to data moving to the cloud environment. Using a reliable VPN provider can provide a top-notch level of encryption and online security.
  • Organizations must implement data retention policies and remain compliant with data protection regulation. This allows them to store users' data for a limited time and helps prevent lawsuits or fines. Also, good data retention policies retain valuable data for later use.
  • You need to perform regular audits of the database. This includes classifying and structuring data and gives an idea of what kind of data is stored where. Later, if you need the data, you can find it easily in an organized database instead of in an unorganized form.
  • Organizations need to take control of dark data with an appropriate data governance plan. Companies can improve compliance and overall productivity with a robust plan in place.

Final thoughts

An organization produces lots of data every day. In an era where cyberattacks are increasing at an unprecedented rate, protecting and governing different data types is an uphill task. Dark data is one of the data types that's tough to handle and secure. It brings multiple cybersecurity risks like legal and regulatory issues, intelligence risks, and increased attack surface.

However, if you know the appropriate strategies, you can make good use of the dark data as discussed above. If used constructively, dark data can bring increased success to your business; if not, it can cause havoc, so now the choice is yours.

The post Dark Data: What is it? How can you best utilize it? appeared first on Cybersecurity Insiders.


The tech professional labor market is an extremely competitive and difficult place right now. The stakes are so high that CNBC has highlighted certain companies that are offering paid vacations before new hires even begin the job.

This is a great environment for workers, and is something pushing employer standards higher and higher. This includes the onboarding process, in which employees are brought into the fold and then provided with all of the setup they need to get a running start in the business. As companies seek to move through the onboarding process quickly, cyber risks are presented – as with any expedited business process.

Sensitive data exchange

As part of the onboarding process, employees will need to exchange sensitive personal data. Indeed, having a well-structured “day 1” plan in which pay schedules, security codes, personal information and HR data are exchanged is absolutely crucial to maintaining good employee service and ensuring engagement. Dealing with these requests in a quick fashion achieves that, but it’s also important to note that this is where security risks can occur.

Indeed, US News highlights the fact that 2022 has been a bumper year for data breaches; Microsoft, Uber, Ronin and News Corp have all experienced huge attacks. In order to ensure that sensitive data can be exchanged safely, a holistic review of corporate and third-party security systems is essential. Secure portals, to allow the transfer of data into the business from the employee onboarding, will protect both parties.

Protecting corporate data

With employees in the corporate system, it’s important that they have immediate access to local resources and knowledge to start their development and to support their work as they get going. It’s important that these knowledge bases have significant and accurate resources, but they also need to be protected. Corporate cyber espionage is a serious risk; according to Security Magazine, hundreds of millions of dollars of damage was inflicted in 2020-21 through corporate information theft. Accordingly, operating a stringent data management policy and ensuring files are maintained securely is key.

Generating social connections

A key benefit that companies can offer employees is networking. Being a conduit for new industry connections and all the benefits that come from that is a key part of onboarding – but, as with other aspects, it brings risks. Bringing a new employee into the fold and putting them in touch with established networks carries its own risk: without the familiarity that existing employees have with corporate networks, there is a definite chance of exposing those networks to additional cyber threats.

As with all corporate cybersecurity solutions, the key to securing social networking and promoting assurance comes in the form of systems checks. That’s staying up to date with high quality security technology, keeping check of what valuable data and assets are being shared, and ensuring that employees are aware of their security responsibilities.

The post Employee onboarding needs to be engaging – But how can security be preserved? appeared first on Cybersecurity Insiders.

Cybersecurity is a relatively new discipline in the realm of computing. Once computing became more democratized with PCs connected via local area networks (LAN) and client/server environments, adversaries quickly saw opportunities. The more democratized computing – the more risk and the potential for cyber adversaries.

Dealing with cyber risk and adversaries is now part of a normal business plan. Gone are the days of instilling fear, uncertainty, and doubt (FUD) about the potential of a bad actor. The days of nefarious hackers in hoodies lurking in the shadows are gone.

Businesses of all types and sizes now know that cybersecurity is part of a solid business plan. Security is no longer relegated to a team of really smart experts; security is a business enabler and builder of digital trust.

As we move to 2023, we will continue to see computing more democratized. With the advent of more edge computing (according to the 2022 AT&T Cybersecurity Insights Report, 75% of organizations are on a journey to the edge), the way we interact with technology is rapidly shifting. We are moving from input/output types of functions to more seamless interactions that deliver outcomes.

With more of a focus on outcomes, security becomes the center of focus in the new democratized era of computing. We are just getting started with ideas for edge computing. And, by association, we are just getting started with what security means.

Here are my predictions for some of the trends and highlights we will see in cybersecurity landscape in the year ahead.

Move to the edge

A new paradigm of computing is upon us. This new era is underpinned by 5G and edge.

Edge is a word we have heard for quite some time, but in general conversation lacks a consistent definition. Vendors and business users alike tend to define edge in accordance with the technology stack being sold or used.

When thinking about edge, consider these three characteristics as a starting point:

  • A distributed model of management, intelligence, and networks
  • Applications, workloads, and hosting closer to users and assets that are generating or consuming the data – may be on-premise or in the cloud
  • Software defined

Edge use cases are largely driven by the world of the internet of things (IoT) that collect and transmit data to make logical and rational decisions to derive an outcome.

In 2023, we should expect to see an accelerated full-scale rollout of edge use cases in areas such as:

  • Real-time fraud detection for financial services
  • Automated warehousing with near real-time inventory management
  • Near real-time visual inspections for uses as varied as manufacturing assembly lines, passport control at border crossing, and available parking spaces

These use cases require connected systems from the network layer through to application monitoring/management, and require each component to be secure in order to derive the desired outcome.

2023 Cybersecurity predictions

With more democratized computing, security is no longer isolated, it is central to delivering strong business outcomes.

In 2023, expect to see more edge use cases and applications. For successful implementation with security at the core, expect decades-old silos such as networking, IT, app development, and security to erode, enabling more cross-functional work and roles.

Read more about the edge ecosystem in the upcoming 2023 AT&T Cybersecurity Insights Report due out January 24, 2023. Check out our previous reports available here for: 2022 and 2021.

Disaggregation of the network

Networks are becoming more intelligent. The idea of disaggregation, the separation into component parts, means that some security tools may be able to become part of the network.

Following the theme of software-defined, disaggregated networks can bring in the security components needed at a specific time. Think about a network infected with malware. In the scenario of a disaggregated network, a new instantiation may be easily and quickly spun up and the propagation of malware across the network avoided.

Admittedly, widespread implementation and adoption of disaggregation will take more than the next 12 months. However, expect to see the start of this game-changing technology in 2023.

Data lifecycle

Edge computing is all about data – collecting, using, and enriching.

From a security perspective, expect to see solutions that focus on the data lifecycle to help organizations make sure that data governance policies are automated and enforced.

As more edge applications are deployed the sheer amount of data will multiply at a rapid scale. Data, at the heart of the edge app, needs to be protected, intact/trusted, and usable.  It is critical to make sure the data lifecycle is managed with the proper data governance policies.

In 2023, expect to have more emphasis and focus placed on data – the collection, management, use, and governance.

Application security

Security is central to a successful business, and in a software-defined world, applications or apps are the connecting point.

Application security is seemingly the last frontier of an ecosystem built with security in mind. In 2001 the Open Web Application Security Project (OWASP) was formed with the goal of identifying the most common web application security vulnerabilities. In the 21 intervening years since the founding of OWASP and their noble work in the field of application security, little has changed. The OWASP Top 10 has not seen radical shifts.

The scant change in the OWASP Top 10 over two decades is indicative of gaps in security strategies and siloed application developers. Moving to an edge compute paradigm, graphical user interface (GUI) based apps give way to headless or non-GUI applets and application programming interfaces (APIs). In fact, in 2019 OWASP issued an OWASP Top 10 for APIs.

APIs and applets are about computer program to computer program communication. It is critical that the software development lifecycle (SDLC) embrace security as a non-functional requirement. This need may require developers to re-assess software engineering practices and work in more systematic ways.

In 2023, expect application security to be a top priority as organizations move to the edge and understand the importance of security as a central priority for the business – including at the application level.

Threat intelligence

Threat intelligence, the gathering of information about attacks on an organization from a variety of sources, will continue to be an essential component of security.

With edge computing and the expansion of IoT devices, threat intelligence will relay more granular and refined information about the attack surface. Threat intelligence will continue to be delivered as tactical, strategic, and operational. As more machine learning enrichment is available, consumers of threat intelligence will demand more pertinent and personalized reporting.

In 2023, expect to see the need for more relevant and curated threat intelligence feeds designed to combat specific industries or use cases.

Biometric security

Using biometrics to authenticate identity is nothing new; we have been doing this with fingerprints for over 50 years and more recently with facial recognition. In fact, multi-factor authentication (MFA) is frequently framed as something you know – a passcode, something you have – a device, and something you are – a biometric indicator.

We are now seeing celebrities selling their images or digital twins. This means that your favorite actor will continue to be in new movies, at varying ages, indefinitely.

What does this mean for security? Increasingly, we are being asked to authenticate via some sort of biometric. Advancements in digital twins and deepfakes mean there is a need to secure our own physical identities. The abundance of images available of any individual via a quick internet search can yield a treasure trove for an adversary seeking to hack an identity.

In 2023, expect to see more serious discussions regarding digital twins and how to make biometrics more secure.

Cyber/physical

Cybersecurity professionals have secured our cyber world – the electronic bits and bytes that create our computing systems. Increasingly, connected computers are entering a space that was reserved for physical only devices – think internet connected medical devices, internet connected construction devices, and internet connected transportation such as cars, planes, and ships. These previously physical only devices connected to the internet now constitute convergence.

Anything connected to the internet has to be secured and this includes newly converged physical devices that are now considered endpoints.

Making sure that this new style of endpoint is protected from cyber-attacks as well as physical attacks is key.

In 2023, expect to see more solutions focused on protecting the cyber and the physical and expect to see new roles emerge in organizations focused on this new element of security.

Companies born on the edge

Disruption is essential for innovation. As new “born on the edge” companies begin to emerge, the baggage of previous iterations of computing is jettisoned. Just as “born on the web” companies did not have to deal with legacy computing systems and infrastructure, “born on the edge” companies will have data and application security embedded from the beginning.

“Born on the edge” companies will take advantage of networks, infrastructure, development practices, and organizational benefits available in 2023. These new types of companies, across industries of all types, will spur on innovation and increase competition. As a result, more businesses will advance edge ecosystems and edge applications to deliver business outcomes.

Expect 2023 to be a year of anticipated disruption as “born on the edge” companies boldly emerge.

Looking forward

Out of necessity, we have seen digital transformation initiatives flourish over the past two years. And, in the last year, digital transformation has given way to operationalizing what was transformed.

In 2022, we have once again been able to convene in person to discuss, debate, and dream of what is next.

Expect 2023 to be a year where we are reminded of the seemingly endless possibilities of the power of ideas translated to computing.

Here’s to an innovative and exciting 2023!

The post 2023 Cybersecurity predictions appeared first on Cybersecurity Insiders.


In times of economic volatility, precious metals are a safe harbor for investors of all sizes. This has been reflected in choppy pricing for metals such as gold, which, according to CNBC, has only just settled down after weeks of gradual rise against a weakening dollar.

While there is a sense of solidity in trading precious metals, given their tangible, physical form, they are, like every other digitally traded item, subject to the same cyber threats and risks that hit the digital markets every day. Staying safe in the face of these threats is key and starts with protecting spot trades.

Understanding stock market attacks

Precious metals are traded, just like other stocks, shares and commodities, at spot price. This means the buyer will pay a determined price from the seller, in addition to a variable degree of commission to the broker or other middleman. The high-profile nature of stock markets means that they are often well protected against cyber-attack, but this protection is faltering as stock trades become more diversified.

As more and more brokers and agents get involved in trading, the number of weak points in the networks increases. This is especially the case in precious metals; the sensitive pricing of precious metals means that the trades need to be completed quickly, or at high frequency. According to Investopedia, this extreme need for expediency offers an ‘in’ for attackers in two main forms.

Seizing the algorithm

Cryptocurrency has helped to shed light on one of the most important threats to counter – algorithm hacking. This is a process whereby the malicious actor attempts to seize control of a trading algorithm, whether one used on a wider scale by the market or by individual brokers. Through this, they can crash prices, causing instant damage that is difficult to rectify with later corrections.

As Yahoo highlights, cryptocurrency deals with such attacks on a minute-by-minute basis; through proper online hygiene and well-practised multi-factor (2+ factor) authentication, trading houses can stop third parties from accessing this data.

Distributed outages

A very common form of cyber-attack in the modern day is the DDoS. This takes networks offline, denying users access to data, and can sow confusion. While proprietary vendors such as Cloudflare have helped to provide coverage, there have still been high-profile attacks on stock markets.

Consider, for instance, the multi-day outage of the New Zealand stock exchange, highlighted by GARP. While not a primary player in the world markets, these smaller hubs feed into the larger regional markets in London, New York and Tokyo. When smaller hubs are taken down, there are huge risks in terms of inaccurate costing, hijacked sales, and more. Ensuring that markets are protected as much as possible by DDoS protection is essential and, for individual traders, keeping full logs and using a high-quality broker will help further.

Criminals will continue to exploit the increased amount of business being seen in the precious metals market. Protection must come first, or profits could be at risk.

The post As volumes continue to rise, precious metal traders must be cyber vigilant appeared first on Cybersecurity Insiders.

What is CRQC?

Widespread interest in quantum computing continues to expand as computer innovators, scientists, and technology industry leaders vie to position themselves at the top of the pack for quantum computing prowess. As the buzz continues, I’d like to discuss Cryptographically Relevant Quantum Computers (CRQC) in simple terms.

A CRQC uses quantum mechanical phenomena to quickly solve difficult mathematical problems that a classical computer cannot solve at all or would take years to complete. If or when a CRQC is achieved, it will have the computational capability to break today’s public-key cryptography, leaving web-based digital communications compromised.

One of the first lessons I learned from a cybersecurity architect is to never keep doing the same thing when it comes to cybersecurity. Cybersecurity practices should continually change according to evolving threats and vulnerabilities. Nonetheless, for the last 30 plus years the US has relied on public-key cryptography to secure digital data globally. With the date looming for CRQC to hit the market, the US is now in a race to replace a decades-old standard of encryption to protect vital data.

What is Y2Q?

Years to Quantum (Y2Q) refers to the unknown number of years before there is a CRQC. Quantum systems are now being used, and select organizations are providing cloud-based access to these systems for testing and research purposes; however, the quantum computers currently in use are not CRQC. From this point forward we will refer to quantum systems that emerge post Y2Q as CRQC.

As quantum computing evolves and the technology for CRQC becomes reality, no single entity can pinpoint a precise date when CRQC will make an impact on the world’s IT infrastructure. Speculation ranges from five to 25 years, and various organizations have developed Y2Q countdown clocks, arbitrarily specifying date ranges up to 2034 as the deadline by which the world must upgrade its IT infrastructure to meet the Y2Q threat.

Conclusion

As the world awaits Y2Q, government entities and cybersecurity managers, along with the medical, telecom and banking industries, are generating playbooks, plans and contingencies to defend against CRQC. While CRQC will pose a considerable threat to enterprises in the future, a wide variety of efforts are emerging to develop advanced solutions that alleviate the CRQC threat.

While the full range of quantum computer applications steadily grows, it is nevertheless clear that America’s continued technological and scientific leadership will depend on its ability to sustain a competitive advantage in quantum information and computing systems. Critical infrastructure, security protocols and internet banking, in addition to military and civilian communications, could be threatened.

Is the United States postured to solidify its role as a world leader in its approach to Y2Q?

The post What is YTQ? appeared first on Cybersecurity Insiders.

Today, an important measure for success in the tech sector is time to market. The speed at which you can launch your product and any new features can make a huge difference in meeting growing customer expectations, breaking new ground in an existing market, and standing out against your competitors.

For many organizations, this speed to market is accelerated by employing APIs that rapidly share critical data between systems, enable business operations and reduce the need to reinvent the wheel. As such, APIs have become a strategic technology for businesses that want to keep moving forward, and quickly. In fact, according to research from Salt Security, “26% of businesses use at least twice as many APIs now as a year ago.”

However, APIs can quickly lose their strategic value if they’re not protected properly. This is because today’s APIs expose more sensitive data than ever before, making them a highly valuable target for attack. Businesses that want to leverage the speed that comes from using APIs need to also invest the time and effort required to minimize the security risk they pose. Here’s a look into how.

What makes API security different?

So, what is API security? The Open Web Application Security Project (OWASP) defines it as strategies and solutions focused on mitigating the unique vulnerabilities and security risks of APIs. Sounds easy enough, right?

The thing to remember is that API security differs from other security initiatives. With so many different APIs emerging on the scene every day, each with its own set of logic paths, it’s almost impossible to have a ubiquitous approach to securing every one. Plus, most of the security tools that companies tend to have in place — from web application firewalls and API gateways to identity and access management (IAM) tools — weren’t designed to prevent attacks on APIs.

This is because APIs offer unique security challenges:

  • The landscape is always changing and staying up to date with new and changing APIs is an insurmountable task.
  • APIs are often subject to low-and-slow attacks that differ from traditional one-and-done mechanisms in that attackers spend time to evaluate the API and identify business logic gaps they can take advantage of.
  • Common DevOps security tactics like “shifting left” don’t really apply to API security as they can’t uncover all the vulnerabilities rooted in API business logic gaps.

In addition to that, APIs can be exploited through a number of threat vectors (10, according to OWASP) that could expose sensitive information. These include potential issues around authorization, authentication, data management, misconfigurations, monitoring, and more.

What does this mean for businesses focused on growth?

For organizations prioritizing rapid growth, there are ways to incorporate API security without severely compromising on speed and efficiency.

Be proactive

For starters, businesses should avoid leaving security as an afterthought. Force-fitting security functions into your API strategy after the fact can all but guarantee that you’ll slow down your launch and leave more vulnerabilities exposed than you address.

That said, take your time to determine what proactive API security looks like for you. We referenced shift-left tactics above. This approach is one that has been at the center of many DevSecOps discussions, encouraging developers to build security into every part of the product development cycle. And while that’s a sound strategy, it’s important to note that a) it takes time to build out a robust DevOps model and b) API security can’t just happen at the development stage. As such, it might be worth investing in an API security platform that can help cover as much of your bases as possible.

Choose the right leaders

Whether you’re a small and agile team launching its first product, or a large organization releasing features every quarter, you need to have someone (or multiple someones) responsible for API security.

Yes, everyone on your team should contribute to making API security a priority but having someone who’s directly accountable can help the functionality feel like less of a burden and more of a key component for any project. Find the people that are knowledgeable in this area (they won’t just be in your dev team), choose one or more API leaders that can drive cross-functional collaboration across all groups, and give them the time and space to stay up to date on best practices.

Implement best practices

For any business prioritizing growth, speed is important — and enabling that speed comes down to establishing a strong foundation of best practices.

At a high level, the constant change of APIs requires a continuous feedback loop between engineering and security to keep teams in sync and enable continuous security improvement. Security teams need to have an accurate understanding of the attack surface, and developers must be able to eliminate gaps identified at runtime to ensure that attackers cannot exploit these potential vulnerabilities in the future. Meanwhile, runtime insights should also provide valuable feedback to developers to aid in the remediation of these vulnerabilities.

This continuous improvement doesn’t require a full DevSecOps program, but it does require strong collaboration between security and engineering teams, as well as leveraging security tools that can easily integrate with existing workflows.

Here are some of the best practices that can help improve an API security posture and facilitate rapid (and secure) growth.

On the development and testing side:

  • Promote secure API design and development, and encourage secure coding and configuration practices for building and integrating APIs
  • Reduce exposure of sensitive data
  • Conduct design reviews that include business logic
  • Document your APIs to facilitate design reviews, security testing, and protection
  • Maintain an accurate API inventory so that security teams can get a realistic view of the attack surface
  • Do security testing on a regular basis

And for production:

  • Turn on logging and monitoring, and use telemetry data as a baseline for normal behavior to identify outlier events
  • Mediate your APIs with tools like API gateways to improve visibility and security
  • Create a plan for identifying changes to an API — automated platforms can compare documentation against runtime behavior to identify these gaps
  • Choose the right network security tools
  • Continuously authenticate and authorize access
  • Deploy runtime protection
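As an added example (not code from the original post) of the telemetry-baseline bullet above and of the low-and-slow attack pattern described earlier: a Python sketch that builds a per-endpoint baseline of how many distinct objects a normal client touches, then flags a client that slowly walks object ids at a rate a gateway rate limit would never catch. The JSON-lines telemetry shape, the client names and the 60-request-per-hour gateway limit are assumptions.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev


def make_events(client, endpoint, object_ids, status, start_ts, step_s):
    """Constructed JSON-lines telemetry: one request per object id, step_s seconds apart."""
    return [json.dumps({"ts": start_ts + i * step_s, "client": client,
                        "endpoint": endpoint, "object_id": oid, "status": status})
            for i, oid in enumerate(object_ids)]


# Baseline window (constructed): five ordinary clients, each reading four of its own orders.
ENDPOINT = "GET /orders/{id}"
BASELINE = []
for n in range(5):
    BASELINE += make_events(f"app-{n}", ENDPOINT, [1000 + 10 * n + k for k in range(4)], 200, 0, 600)

# Observation window (constructed): the same clients, plus one key that walks order ids
# 1..120 one request every five minutes, mostly receiving 403. That rate is well under a
# typical gateway rate limit (assumed 60/h below), so only a behavioural baseline notices it.
OBSERVED = []
for n in range(5):
    OBSERVED += make_events(f"app-{n}", ENDPOINT, [1000 + 10 * n + k for k in range(4)], 200, 36000, 600)
OBSERVED += make_events("app-x", ENDPOINT, list(range(1, 121)), 403, 36000, 300)


def features(lines):
    """Per (client, endpoint): distinct object ids touched, requests per hour, share of 4xx."""
    buckets = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        buckets[(ev["client"], ev["endpoint"])].append(ev)
    out = {}
    for key, evs in buckets.items():
        span_h = max(1, max(e["ts"] for e in evs) - min(e["ts"] for e in evs)) / 3600
        out[key] = {
            "distinct": len({e["object_id"] for e in evs}),
            "rate_per_h": len(evs) / span_h,
            "err_ratio": sum(400 <= e["status"] < 500 for e in evs) / len(evs),
        }
    return out


def detect(baseline_lines, observed_lines, gateway_rate_limit_per_h=60):
    """Flag clients whose distinct-object count on an endpoint is an outlier against baseline."""
    per_endpoint = defaultdict(list)
    for (_, endpoint), f in features(baseline_lines).items():
        per_endpoint[endpoint].append(f["distinct"])
    # Threshold: mean + 3 sigma, but never less than double the baseline mean,
    # so a perfectly uniform baseline (sigma = 0) does not flag ordinary clients.
    thresholds = {ep: mean(v) + max(3 * pstdev(v), mean(v)) for ep, v in per_endpoint.items()}
    findings = []
    for (client, endpoint), f in features(observed_lines).items():
        thr = thresholds.get(endpoint)
        if thr is None or f["distinct"] <= thr:
            continue
        slow = f["rate_per_h"] < gateway_rate_limit_per_h   # would not trip a rate limit
        findings.append({
            "client": client, "endpoint": endpoint,
            "kind": "low_and_slow_enumeration" if slow else "bulk_enumeration",
            "distinct": f["distinct"], "rate_per_h": round(f["rate_per_h"], 1),
            "err_ratio": round(f["err_ratio"], 2),   # high share of 4xx = probing others' objects
        })
    return findings


if __name__ == "__main__":
    for finding in detect(BASELINE, OBSERVED):
        print(finding)
```

The baseline clients never exceed their own threshold, while app-x is reported as low-and-slow enumeration with an error ratio of 1.0, the signature of someone probing other tenants' objects.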

API security and growth, no longer at odds

Moving quickly as a business should never mean having to compromise on your security posture. By incorporating API security into your overarching strategy, you can set a strong foundation that allows your business to stand out in the market with a product that’s equal parts effective and secure.

The post API Security in the fast lane appeared first on Cybersecurity Insiders.

Executive summary:

Fortinet’s newest vulnerability, CVE-2022-40684, allows an authentication bypass that can be used to manipulate admin SSH keys, download configuration files without authorization, and create super admin accounts. It has put a big target on the backs of unpatched and exposed Fortinet devices.

An AT&T Managed Extended Detection and Response (MXDR) customer was involved in a true positive compromise that was discovered through a threat hunt initiated off an Intrusion Prevention System (IPS) alert from Fortinet. With coordination between MXDR and the customer’s network and security teams, the threat was remediated and contained, and the vulnerable devices were patched.

Investigation

The initial investigation began during a tactical check-in with the customer, who mentioned an investigation regarding an IPS detection for two IP addresses that were attempting the authentication bypass exploit.

Fortinet problem found

Pivoting to the event, we can see that Fortinet created detections for potentially unauthorized API requests to the cmdb path.

[Screenshot: investigating event]

Through Fortinet’s advisory on the vulnerability, we learned that potentially malicious activity would originate from the user Local_Process_Access and would use the Node.js or Report Runner interface. Reports indicate that some of the handlers for API connections check certain conditions, including the IP address being a loopback address and the User-Agent being either Report Runner or Node.js. With that information, we were able to turn our attention to potential true positives that weren’t picked up by the IPS. A quick filter on the Local_Process_Access user produced some interesting events:


This doesn’t look good. In the first event we can see the attacker successfully download the local certificate:

[Screenshot: local certificate]

This gives the attacker certificate information such as the email address of the certificate owner, the IP address of the FortiGate, the company name, the location where the FortiGate was installed, and other sensitive details. These local certificates are generated and provided to the Certificate Authority (CA) for environment trust.

Shortly after, the attacker managed to download the system config of the FortiGate:

[Screenshot: system config]

Finally, a few hours later, they managed to upload a script and run it to create a super_admin user:

[Screenshots: super user creation]

This is where the observable activity from Local_Process_Access and the newly created admin account ended. Remediation began at this point.

Response

After discovery of the administrator account, a network administrator was urgently contacted and was able to remove the account. During the remediation process, the network administrator observed that the management port’s external interface had HTTPS open, which is likely how the attacker gained the initial foothold. It’s believed the super_admin account was created to be used as a backdoor in case the device was patched, as no activity was seen from the account after creation. The script used by the attacker was not recovered, but given that the admin account appeared right after its upload and execution, it was likely used just to create that account.

Importance of patching:

Fortinet did release a patch the day this vulnerability was announced, as well as mitigation steps if patching was not immediately feasible. One of the mitigation steps was to disable HTTPS/HTTP on the external-facing management interface if not needed. The FortiGate in question was the only device that had the management interface open, which gave the attacker an easy path to exploit the vulnerability.

As a result of detecting this activity through threat hunting in customer logs, additional correlation logic was created for the USM Anywhere platform to detect future compromises.
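An added example, not AT&T’s USM Anywhere correlation rule or any Fortinet code, of what such a hunt over FortiGate-style event logs could look like in Python: it lists every event attributed to Local_Process_Access, maps each onto the stages seen above (certificate download, config download, script upload, admin creation) and, going one step beyond what was observed here, checks whether any admin account created that way was later used. The log lines are constructed, and the field names, API paths, account name and IP addresses are assumptions.

```python
import re

# Constructed FortiGate-style key="value" event lines. Field names (user, ui, action,
# path, cfgpath, cfgobj, msg), API paths, the account name and the IPs are illustrative
# assumptions, not the device's exact schema or real indicators.
SAMPLE_LOGS = """\
date=2022-10-12 time=09:14:02 user="admin" ui="https(10.0.0.5)" action="login" msg="Administrator admin logged in successfully"
date=2022-10-12 time=09:20:31 user="Local_Process_Access" ui="Node.js" action="download" path="/api/v2/cmdb/vpn.certificate/local" msg="Local certificate downloaded"
date=2022-10-12 time=09:21:10 user="Local_Process_Access" ui="Report Runner" action="download" path="/api/v2/monitor/system/config/backup" msg="System config downloaded"
date=2022-10-12 time=13:02:44 user="Local_Process_Access" ui="Node.js" action="upload" msg="Script uploaded"
date=2022-10-12 time=13:02:45 user="Local_Process_Access" ui="Node.js" action="Add" cfgpath="system.admin" cfgobj="support_acct" msg="Add system.admin support_acct accprofile super_admin"
date=2022-10-12 time=14:00:00 user="support_acct" ui="https(203.0.113.7)" action="login" msg="Administrator support_acct logged in successfully"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SUSPECT_USER = "Local_Process_Access"   # user the Fortinet advisory ties to the bypass path


def parse_line(line):
    """Turn one key="value" line into a dict, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def classify(ev):
    """Map an event from the suspect user onto the stages observed in the post."""
    action = ev.get("action", "").lower()
    path = ev.get("path", "").lower()
    if action == "download" and "certificate" in path:
        return "certificate_download"
    if action == "download" and "config" in path:
        return "config_download"
    if action == "upload":
        return "script_upload"
    if action == "add" and ev.get("cfgpath") == "system.admin":
        return "admin_created"
    return "other_api_activity"


def hunt(log_text):
    """Build the attack timeline and watch for later use of any admin the bypass created."""
    timeline, created, backdoor_logins = [], [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("user") == SUSPECT_USER:
            stage = classify(ev)
            # ui records the interface claimed (Node.js / Report Runner in the advisory)
            timeline.append((ev.get("time", "?"), stage, ev.get("ui")))
            if stage == "admin_created" and ev.get("cfgobj"):
                created.append(ev["cfgobj"])
        elif ev.get("user") in created and ev.get("action", "").lower() == "login":
            # The post saw no such use; still the first thing to check for a backdoor account
            backdoor_logins.append((ev.get("time", "?"), ev.get("ui")))
    severity = "critical" if created else ("high" if timeline else "none")
    return {"timeline": timeline, "created_admins": created,
            "backdoor_logins": backdoor_logins, "severity": severity}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOGS)
    for when, stage, ui in result["timeline"]:
        print(f"{when}  {stage:<22} via {ui}")
    print("created admins:", result["created_admins"])
    print("later logins by created admins:", result["backdoor_logins"])
    print("severity:", result["severity"])
```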

The post Stories from the SOC: Fortinet authentication bypass observed in the wild appeared first on Cybersecurity Insiders.

As more connected vehicles hit the road, cyberattacks are increasing. Deloitte estimates that there will be over 470 million connected cars in use by 2025 if their popularity continues to grow at the current rate. And because each connected car produces about 25 GB of data every hour, they are a tempting challenge for cybercriminals and bad actors with malicious intent. 

Connected vehicles come with enhanced features that give drivers more to love about their favorite car brands, but cybersecurity in automobiles has a long way to go. If you drive a connected car or are considering buying one, you need to know how to protect your new car against a potential cyberattack. 

In this article, we’ll talk about how hackers can infiltrate your vehicle and what you can do to protect yourself and your car from a serious attack. 

Can your car get hacked?

Cars today are built using hundreds of sensors connected to computers that help monitor how your car operates, add internet capabilities, and enable connected apps. While these technologies are helpful and convenient for drivers, they can also lead to data theft and even threaten your safety while driving. For example, remote manipulation, identity theft, and vehicle theft are all ways that bad actors can exploit the security vulnerabilities of your connected car. 

The push toward electric vehicles also poses a unique threat to connected car owners. A recent survey revealed that 79% of two-car households are considering an electric car for their next purchase, but ethical hacking exercises have shown that electric vehicles can easily be drained by remote hackers. This can potentially put drivers in a dangerous situation if they are stranded without a means of charging their vehicle. 

There are many ways that bad actors can hack into your car. They can manipulate the signal from a key fob to unlock your doors, change the code in the apps to create a backdoor to steal your data, learn about your driving habits, control your vehicle’s security response systems, and much more. Cars today are essentially human-assisted computers, which means they can be hacked just as easily as any other IoT device. 

How to protect your connected vehicle from a cyberattack

Connected vehicles provide users convenience and peace of mind while traveling across the country or making their daily commute. But they also pose a significant threat when bad actors execute attacks for data theft, taking over vehicle controls, and even tracking your location. If you’re going to take advantage of connected vehicle features, you need to know how to protect yourself from becoming the victim of an automotive cyberattack. 

Here are five tips to protect your connected vehicle from an attack:

Remove dongles

Dongles are small devices that plug into the diagnostic port and allow companies to monitor your driving habits for various reasons. They can be used to monitor vehicle performance, improve gas mileage, and set more accurate insurance rates based on driving activity.

Many people choose to use dongles to save money and ensure their car is running at top performance, but these devices can be an easy entry point for hackers. If you want to use a dongle in your connected vehicle, it’s best to take it out when you’re not driving so that hackers can’t take advantage of this attack vector while you’re unaware. 

Lock key fobs away

Key fobs are now standard over traditional keys for unlocking vehicle doors. Many cars come with security features that won’t allow doors to be opened unless the fob is near the vehicle, or that require proximity for the vehicle to start. But hackers can amplify the key fob’s signal to trick the car into thinking the fob is closer than it really is. To protect against this type of attack, store your key fob in a metal drawer or the refrigerator to reduce the fob’s signal when you’re not planning to drive.

Disable in-car wireless services

Wireless systems are also pretty standard in newer vehicles for things like in-car Wi-Fi, satellite radio, telematics, and Bluetooth. These wireless services allow users to have connected experiences while driving to make their trips safer and hands-free, but they are also perfect entry points for hackers to take advantage of. 

If you’re unsure what features your vehicle has, look at the owner’s manual and see if there are any features you don’t use that can be disabled. This will help reduce the attack surface and limit the ways that hackers can interfere with your vehicle.

Be cautious about installing unauthorized software and systems 

Many connected cars come with options to download additional apps, and those that don’t can still be jailbroken so that users can install aftermarket software and systems. While a fully custom vehicle is a nice thought, installing unauthorized software and systems can seriously threaten your physical and digital safety. 

Be sure to only download official software from trusted brands using a secure network, and learn the potential vulnerabilities of jailbreaking and installing new systems to your vehicle. 

Visit your service department if you suspect you’ve been hacked

If you think your car has been hacked, it’s time to get it to the service department so that the professionals can determine whether it was breached or is suffering another malfunction. 

There is no way to say for sure that your connected vehicle has been hacked without a comprehensive checkup from your car’s servicer. If your systems start to act funny or you notice your car behaving unusually, it’s crucial to get your car checked out, even if it is just a bug or configuration issue.     

Final thoughts

Connected cars make our daily drives safer, easier, and more convenient, but they can also pose a serious threat to our digital and physical safety. If you plan to buy a connected vehicle or you already drive one, it’s important to know the cyber risks so that you can proactively prevent an in-car attack. 

In addition to these five tips for protecting your connected vehicle from hackers, it’s recommended that you update your vehicle’s software and patch security bugs when new releases become available. Usually, this is something that the dealership or car company will do themselves, but if you attempt to do it on your own, make sure the update comes from the official source and is applied completely and correctly.

Pay attention to the news about this emerging technology, and stay informed about how to keep your connected vehicle secure while you’re on and off the road.

The post 5 Tips for protecting your connected vehicle against Cyberattacks appeared first on Cybersecurity Insiders.