The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Phishing attacks are becoming more and more common, and they're only getting more sophisticated. While there are a variety of ways to defend yourself against phishing attacks, one of the best methods is simply to be able to spot them. With that in mind, here are 10 common signs that an email or other communication may be a phishing attempt.

Calls from an unknown number

If you get a call from an unknown number, and the caller claims to be from your bank or another organization, be very careful. This is a classic phishing tactic.

The caller will try to obtain personal information from you, such as your credit card number or Social Security number. They might also try to get you to click on a link that will install malware on your computer.

Don't give out any personal information to someone who calls you out of the blue. And if they try to get you to click on a link, don't do it. Hang up and call the organization they claimed to be from using a number you know to be legitimate (e.g., the number on the back of your credit card or from the organization's website).

What’s more, consider doing a reverse phone lookup on them to see where the number is actually originating from.

The message is not personalized

If you receive an email that doesn't address you by name or refers to you as “Dear User” or “Dear Valued Customer,” be wary. Phishing emails often use generic greetings in an attempt to seem more widespread – and less suspicious – than they actually are.

That's because they are usually sent out en masse as part of a massive automated campaign. Phishers usually just have a list of email addresses; the aim isn't to find out the name of the person each address belongs to or to do any kind of in-depth personalization, but to get as many people as possible to click on the links in their message.

The sender's email address doesn't match the organization they're claiming to represent

This is a pretty straightforward way to spot a phishing attempt. If you get an email purporting to be from your bank, but the email address it comes from is something like johnsmith12345@gmail.com, then it's pretty clear that something is not right.

Organizations won’t send out official communications from a Gmail or Hotmail address. They will always use their own domain name (e.g., WellsFargo.com, PayPal.com). So, if the email you receive is coming from anything other than an organization's official domain, it's a huge red flag.

There are grammatical errors or typos in the email

If you receive an email that is full of grammatical errors, typos, or just generally seems to be poorly written, it's a good indicator that it's a phishing email.

Phishers often send out their emails quickly and without much care or attention to detail. So if an email looks like it was dashed off in a hurry, with no regard for proper spelling or grammar, it's probably a phishing email.

Many phishing scams also originate overseas, and their architects often aren't native English speakers. So another giveaway that an email might be a phishing attempt is if it contains poor grammar or strange phrasing.

The message is urgent or includes a sense of urgency

Phishers often try to create a sense of urgency in their emails in order to get people to act quickly without thinking. They might say that your account is about to be closed, or that you need to take action immediately to prevent some kind of negative consequence.

Of course, none of this is true. Phishers just want to create a sense of urgency so that you'll click on their links without thinking. So, if an email includes language that tries to create a sense of urgency, be wary.

The email contains attachments that you weren't expecting

If you receive an email with an attachment that you weren't expecting, be very careful before opening it. This is another common phishing tactic.

The phisher will send you an email with an attachment that appears to be benign, such as a PDF document or an image. But when you open the attachment, it will install malware on your computer.

If you don't know the sender, or if the email looks suspicious in any way, don't open the attachment. Delete the email and move on.

The email contains threats or ultimatums

Phishers will sometimes try to intimidate their victims into taking action by including threats or ultimatums in their emails. They might say that your account will be closed if you don't take action, or that you'll be subject to legal action if you don't respond.

Of course, none of this is true. Phishers just want to scare you into taking action without thinking. So, if an email includes threats or ultimatums, it's a good indicator that it's a phishing attempt.

The email asks for personal information

Phishers will often try to obtain personal information from their victims, such as credit card numbers, Social Security numbers, or login credentials. They might do this by asking you to fill out a form with your personal information. Or they might include a link that takes you to a fake website where you're prompted to enter your personal information.

Never give out personal information in response to an email or click on a link that takes you to a website where you're prompted to enter your personal information. If you need to update your account information, log in to the website directly and update it yourself. Don't do it through an email or a link in an email.

The email is from a free email service

If an email is from a free email service like Gmail or Yahoo, that's a red flag. While there's nothing inherently wrong with free email services, phishers often use them to send their emails because they're easy to create and don't require any verification.

So if you receive an email from a free email service, be extra careful. It's not necessarily a phishing attempt, but it's worth taking a closer look before taking any action.
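The two sender checks above (the domain not matching the organization the message claims to come from, and the use of a free email service) can be applied mechanically to an email's From: header. The following is an added example, not code from the original post; the brand-to-domain table, the free-mail list and the sample headers are all constructed for the demonstration.

```python
from email.utils import parseaddr

# Assumption (constructed for this example): brands paired with the domains they
# legitimately send from. A real deployment would load this from a maintained list.
CLAIMED_ORG_DOMAINS = {
    "wells fargo": {"wellsfargo.com"},
    "paypal": {"paypal.com"},
}

# Assumption: a short list of free webmail providers; not exhaustive.
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header ('' if none).

    parseaddr handles the 'Display Name <user@domain>' form, so a spoofed
    display name such as 'Wells Fargo' does not hide the real domain.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def domain_belongs_to(domain: str, official: set) -> bool:
    """True if domain is an official domain or a subdomain of one (alerts.paypal.com)."""
    return any(domain == d or domain.endswith("." + d) for d in official)


def check_sender(from_header: str, claimed_org: str) -> list:
    """Return the red flags this sender raises for the organization it claims to be.

    Flags come back in a fixed order: free-mail provider first, then domain mismatch.
    """
    flags = []
    domain = sender_domain(from_header)
    if not domain:
        return ["sender address could not be parsed"]
    if domain in FREE_MAIL_DOMAINS:
        flags.append("sender uses a free email service")
    official = CLAIMED_ORG_DOMAINS.get(claimed_org.lower())
    if official is not None and not domain_belongs_to(domain, official):
        # A domain that merely contains the brand (paypal-verify.com,
        # paypal.com.evil.example) is still not the organization's domain.
        brand = claimed_org.lower().replace(" ", "")
        if brand in domain.replace("-", "").replace(".", ""):
            flags.append(f"sender domain {domain!r} imitates {claimed_org} but is not its official domain")
        else:
            flags.append(f"sender domain {domain!r} does not match {claimed_org}")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, including the gmail.com case from the text above.
    for header, org in [
        ("Wells Fargo <johnsmith12345@gmail.com>", "Wells Fargo"),
        ("PayPal <service@alerts.paypal.com>", "PayPal"),
        ("PayPal <security@paypal-verify.com>", "PayPal"),
    ]:
        print(header, "->", check_sender(header, org) or ["no red flags"])
```

The From: header is only the claimed sender; a mail gateway would combine this check with SPF/DKIM results rather than rely on it alone.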

Someone with no followers or friends adds you on social media

This one is more common on social media sites like Facebook and LinkedIn. If someone with no followers or friends adds you, that's a red flag. It's possible that they're just trying to build up their network, but it's also possible that they're a phisher.

If someone with no followers or friends adds you on social media, be careful before accepting their friend request. Take a look at their profile and see if anything looks suspicious. If you're not sure, err on the side of caution and don't accept their request.

Conclusion

Phishing is a serious problem, and it's only getting worse. By understanding how phishing works and knowing what to look for, you can protect yourself from these attacks.

If you're ever unsure about an email or a website, err on the side of caution and don't take any action. It's better to be safe than sorry. And if you think you might have been the victim of a phishing attack, change your passwords and run a virus scan on your computer just to be safe.

The post 10 Ways to spot a phishing attempt appeared first on Cybersecurity Insiders.


War, economic instability, external threats, and global politics affect the energy sector of a country or region. In addition, cyberattacks on critical infrastructure can cripple the strained energy market.

Europe is facing a severe energy crisis, and European governments are preparing for this winter by managing demand and building energy reserves. The EU (European Union) has also accelerated work to improve critical infrastructure defence and resilience. This energy crisis is the outcome of Russia’s war in Ukraine (attacks on pipelines to disrupt the supply chain) and strict Russian policies towards European countries.

Cyberattacks on the energy sector

In addition to the physical challenges, the growing cyberattacks on the energy sector could worsen the energy crisis. According to Energy Security Sentinel, thirteen cyberattacks targeted energy infrastructure this year, making it the highest number of annual attacks over the last six years. Oil and electricity were the most vulnerable infrastructure, followed by gas and shipping.

The cyberattacks don’t only target critical European infrastructure. In 2021, the Colonial Pipeline in the United States was hit by a ransomware attack, which caused authorities to declare a regional emergency in 17 states and Washington, D.C.

The same year, Saudi Aramco, Saudi Arabia’s state oil giant, came under cyberattack; in that case, the hackers demanded $50m in extortion money.

Why is the energy sector a target for cyberattacks?

The energy sector is a lucrative target for financially motivated cybercriminals; they know the companies tend to be financially sound and can pay the heavy ransom to keep their operations running.

The economic activities of a country also rely on the energy sector; thus, a disruption can cause substantial damage. For example, a six-hour winter black-out in France could result in damages totalling over €1.5 billion ($1.7 billion). This also motivates state-sponsored hackers to target an opponent’s critical infrastructure to achieve political outcomes.

Despite the critical nature of the industry, the energy infrastructure is particularly vulnerable for three primary reasons:

  • Large attack surface
  • Lack of skilled professionals
  • Digitalization and integration

Large attack surface

Attack surface refers to all the possible entry points into a system. The energy sector has a broad attack surface, which includes distribution networks, supply chains, partners, powerlines, smart meters and so on. Generally, organizations don’t have the capability to monitor or tag all of their assets, which increases the risk and can leave unprotected points of entry.

Lack of skilled professionals

People working in critical infrastructure are typically not equipped with the skills required to protect the infrastructure from cyberattacks. Even organizations investing in security products and solutions face the human resource problem, which makes them vulnerable.

Interestingly, the public and private sectors are joining forces to overcome the shortage of skilled professionals. ENCS (the European Network for Cyber Security), which is owned by grid operators, shares information and knowledge in Europe. Similarly, the US House of Representatives passed a bill named the “Industrial Control Systems Cybersecurity Training Act”, intended to give free ICS training to IT professionals.

Digitalization and integration

Though digitalization and IT integration facilitate critical infrastructure management and operations, they introduce several security risks. IT/OT convergence raises security risks such as unauthorized changes to systems and control logic that could put human life in danger. The security risk can be minimized by actively monitoring the systems, managing patching carefully and having skilled people protecting the network.

What to do?

The inevitable nature of digitalization could introduce more risks, and cyberattacks could become more frequent and organized. This in turn could worsen the energy crisis. Thus, leaders in the energy sector must build their systems to be cyber resilient and implement a business continuity plan.

Energy organizations must also adopt a security-by-design approach when initiating any energy project, and they must include cybersecurity leaders and experts on the project.

To achieve economic stability, protecting the energy sector from cyberattacks is vital. This requires organizations and governments to work closely in protecting the energy sector.

The post Cyberattacks could worsen the global energy crisis appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

Humans are considered the weakest link in cybersecurity. No matter how much a company invests in firewalls, antivirus, and other security software to detect, deter, and prevent attacks, humans will always be the main vectors for compromise. If no adequate user security training is provided within the organization, they will always be at risk. Phishing is one of the oldest cyber-attacks yet one of the most used by attackers due to its effectiveness and low cost.

The Managed Extended Detection and Response (MXDR) team received an alarm indicating a user had successfully logged in from a country outside of the United States (US). Upon further review, this was the first time the user had logged in from outside of the US. The analyst team created an investigation, to which the customer responded and took the necessary steps to recover the account from the attacker.

Investigation

Initial alarm review

Indicators of Compromise (IOC)

The initial alarm was triggered as a result of the account being accessed from outside of the United States. Due to the recent shift to remote working, it is common to see users accessing their accounts from different countries, which can be caused by Virtual Private Network (VPN) use or by travel.

[Screenshot: External access]

Expanded investigation

Events search

When investigating potentially malicious behavior, it is important to understand what the baseline of a user's activity looks like. Looking at the historic data for this user's activity, the logs showed this was the first instance the account had been accessed from outside of the United States.

[Screenshot: external access investigation]

The logs did not show any failed login attempts from another country, which is usually seen when an attacker attempts to compromise an account by guessing credentials.
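The baseline reasoning in the two paragraphs above can be turned into a detection: replay sign-in events in order, build each user's set of countries from earlier successful logins, and alert the first time a user succeeds from a country outside that baseline, recording whether failed attempts from that country preceded it. This is an added example, not the SOC's own tooling; the log lines, the CSV layout and the home-country assumption are constructed for the demonstration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sign-in log. Assumption: one row per attempt, already sorted by time.
CONSTRUCTED_LOG = """timestamp,user,country,result
2022-11-01T09:02:11Z,jdoe,US,success
2022-11-02T08:55:40Z,jdoe,US,success
2022-11-03T13:10:05Z,asmith,US,success
2022-11-03T13:12:48Z,asmith,DE,failure
2022-11-03T13:13:02Z,asmith,DE,failure
2022-11-03T13:13:30Z,asmith,DE,success
2022-11-04T02:41:17Z,jdoe,NG,success
2022-11-04T02:50:00Z,jdoe,NG,success
"""

HOME_COUNTRY = "US"  # assumption: where the organization expects its users to sign in from


def first_foreign_logins(log_text: str, home: str = HOME_COUNTRY) -> list:
    """Return one alert per (user, country) for the first successful login from a
    non-home country the user has never successfully logged in from before.

    Each alert records how many failed attempts from that country preceded the
    success: zero failures means the credentials were already known (consistent
    with phishing), while a run of failures points at guessing.
    """
    seen_ok = defaultdict(set)   # user -> countries with a prior successful login
    failures = defaultdict(int)  # (user, country) -> failed attempts seen so far
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        user, country = row["user"], row["country"]
        if row["result"] != "success":
            failures[(user, country)] += 1
            continue
        if country != home and country not in seen_ok[user]:
            n_fail = failures[(user, country)]
            alerts.append({
                "user": user,
                "country": country,
                "time": row["timestamp"],
                "prior_failures": n_fail,
                "note": ("no failed attempts from this country: credentials likely "
                         "obtained elsewhere (e.g. phished)" if n_fail == 0
                         else "preceded by failed attempts: possible credential guessing"),
            })
        # Later logins from the same country are part of the baseline, not new alerts.
        seen_ok[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in first_foreign_logins(CONSTRUCTED_LOG):
        print(alert)
```

In the constructed data, jdoe's second login from NG produces no alert because NG is now in that user's baseline; a real deployment would expire baseline entries and require an analyst to confirm the first one, as the customer did here.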

Response

Building the investigation

After gathering enough information, an investigation was created for the customer to confirm if this should be expected from this user.

[Screenshot: Response phishing]

Customer interaction

Within minutes of the investigation being created, the customer confirmed the user had clicked a phishing email and entered their credentials, which the attacker then used to log in to their account.

[Screenshot: customer interaction phishing]

The phishing email contained a URL to the following site:

[Screenshot: phishing email]

Once clicked, this link sent the user to a page that impersonated an email account login and was used to harvest credentials.

Limitations and opportunities

Limitations

For this investigation, the MXDR team did not have full visibility into the Microsoft Office 365 Exchange environment, hindering visibility into the initial attack. We were unable to see the phishing email being sent to this account. The only events observed by the SOC were the successful logins from outside of the United States.

The post Stories from the SOC – Phishing for credentials appeared first on Cybersecurity Insiders.


Blockchain has been described as a digital, decentralized ledger that keeps a record of all transactions occurring across a peer-to-peer network. It permits the secure transfer of assets without an intermediary. It also provides a record of transactions that is fully transparent and displayed in real time for the benefit of participants.

GDPR is a law that protects personal data and gives a person more control over their individual data and information on digital platforms. Blockchain, on the other hand, is a technology that builds immutable transaction ledgers.

The interaction between GDPR’s data privacy rights and the idea of blockchain serving as a decentralized, incorruptible digital ledger has led to various takes on a classic philosophical conflict.

What is GDPR?

GDPR, the General Data Protection Regulation, was adopted as law in the EU. The purpose of the law is to protect the information privacy of individuals.

The law grants users rights that include:

  • The right to be forgotten
  • The right to data/information portability
  • Right to access information associated with you
  • The right to edit/correct/change the data/information related to you

Legality of blockchain and privacy:

The governing parties can decide, under certain conditions, whether a specific transaction will occur on the blockchain or not.

  • As blockchain technology evolves, it will become much more powerful as organizations choose to put their transactions on the blockchain. For a buyer, it is useful if the suppliers also agree to include the blockchain transactions.
  • For a decentralized platform, it is difficult to apply laws to the blockchain because the data is distributed around the globe.
  • Although blockchain is considered highly secure, it runs into regulatory barriers on data privacy such as the California Consumer Privacy Act of 2018 (“CCPA”) and the EU’s GDPR.
  • Both GDPR and CCPA require that private data be erasable.

CRUD vs. CRAB

In order to fully understand blockchain and data privacy (GDPR), one needs to understand the difference between CRUD and CRAB. CRUD, for traditional databases, stands for Create, Read, Update and Delete; many tech professionals call the blockchain equivalent CRAB.

The term CRAB stands for Create, Retrieve, Append and Burn. Burn is the process of deleting the encryption keys.

Keeping private data “off the chain, instead of on the chain” is the one obvious solution. Once data is “on the chain”, deleting or redacting it is almost impossible.

Developing a closed blockchain is another solution. In a closed (permissioned) blockchain, information is stored on local devices or rented cloud storage, so it is relatively easier to delete personal data on an individual's request, using a process called forking.

Now, because GDPR does not define “erasure of data” for blockchain at this point, you probably need to interpret this as meaning that throwing away your encryption keys is not acceptable as ‘erasure of data’ under GDPR.

Solution:

Storing private data on a blockchain is not an option under GDPR. A good way around this issue is a really simple one: you store the private data off-chain and store a reference to this data (along with a hash of the data and other metadata such as claims and permissions regarding it) on the blockchain.

This workaround increases the complexity of fetching and storing information on a blockchain. Now, let's cover the pros and cons of this approach.

The pros:

The approach described above is a 100% GDPR-compliant solution, because it makes it possible to completely erase the data in the off-chain storage, which renders the links and hashes on the blockchain utterly useless.

In this situation, you use the blockchain primarily as an ‘access control’ medium, where claims are publicly verifiable. This gives somebody the means to prove that some node must not store the information once an opt-out is chosen. This benefit may also be present if private data were kept on a blockchain.
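A toy model of the off-chain pattern just described, added here as an example and not code from the original post: personal data lives in an erasable off-chain store, the append-only ledger holds only a reference, a hash of the data and a claim, and honoring an erasure request leaves the ledger entry intact but unresolvable. The ledger, store, subjects and data values are all constructed in memory for the demonstration; nothing here is a real blockchain.

```python
import hashlib
import json
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Append-only, hash-linked list of blocks: Create/Retrieve/Append only, no Update or Delete."""

    def __init__(self):
        self.blocks = []

    def append(self, payload: dict) -> int:
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        block = {"index": len(self.blocks), "prev": prev, "payload": payload,
                 "block_hash": sha256_hex((prev + body).encode())}
        self.blocks.append(block)
        return block["index"]

    def verify_chain(self) -> bool:
        """Recompute every link; any edited or removed block breaks the chain."""
        prev = "0" * 64
        for b in self.blocks:
            body = json.dumps(b["payload"], sort_keys=True)
            if b["prev"] != prev or b["block_hash"] != sha256_hex((prev + body).encode()):
                return False
            prev = b["block_hash"]
        return True


class OffChainStore:
    """Erasable store for personal data, addressed by an opaque reference."""

    def __init__(self):
        self.records = {}

    def put(self, data: bytes) -> str:
        ref = secrets.token_hex(8)  # the reference itself reveals nothing about the data
        self.records[ref] = data
        return ref

    def get(self, ref: str):
        return self.records.get(ref)

    def erase(self, ref: str) -> bool:
        return self.records.pop(ref, None) is not None


def register_personal_data(ledger: Ledger, store: OffChainStore,
                           subject: str, data: bytes, claim: str) -> int:
    """Put the data off-chain; put only reference, hash and claim on-chain."""
    ref = store.put(data)
    return ledger.append({"subject": subject, "ref": ref,
                          "data_hash": sha256_hex(data), "claim": claim})


def resolve(ledger: Ledger, store: OffChainStore, index: int) -> dict:
    """Follow a ledger entry to its off-chain data and check it against the on-chain hash."""
    payload = ledger.blocks[index]["payload"]
    data = store.get(payload["ref"])
    return {"present": data is not None,
            "hash_matches": data is not None and sha256_hex(data) == payload["data_hash"]}


def erase_subject(ledger: Ledger, store: OffChainStore, subject: str) -> int:
    """Honor a right-to-be-forgotten request by erasing every off-chain record about subject.

    The ledger is never touched: its entries remain, still verifiable, but point at nothing.
    """
    erased = 0
    for b in ledger.blocks:
        if b["payload"]["subject"] == subject and store.erase(b["payload"]["ref"]):
            erased += 1
    return erased


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    i = register_personal_data(ledger, store, "alice", b"alice@example.com", "consent:marketing")
    print("before erasure:", resolve(ledger, store, i))
    erase_subject(ledger, store, "alice")
    print("after erasure:", resolve(ledger, store, i), "chain intact:", ledger.verify_chain())
```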

The cons:

Transparency with blockchain is reduced. By storing your information off-chain, you have no way of knowing who has accessed your information and who has access to it. Once any company has the link to retrieve the data, nothing binds how they access it.

Data ownership with blockchain is also reduced. Once your information is kept off-chain, who owns it? The data owner holds all the encryption keys to administer their data.

It would be desirable to have point-to-point integration between all the collaborating parties. After obtaining the link from the blockchain, you need to share the data from Company A to Company B. For each new party added to the system, you will have to add new point-to-point integrations with every existing member, including provisioning a secure PKI.

This may mean more attack vectors. Every company has its own infrastructure and application landscape. By spreading private information over these different companies, the risk of a breach where information is stolen increases.

Conflict:

But here is the conflict: the goal of GDPR is to “give users back control of their personal data, while imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.” GDPR also states that data “should be erasable”. Since throwing away your encryption keys is not identical to ‘erasure of data’, GDPR prohibits the world from storing personal data at the blockchain level.

This removes the ability to strengthen control over your personal data. Now, I know that sounded harsh. In defence of GDPR, you could optimize the proposed solution above to counter some of the disadvantages, or select a completely different solution from the one described to tackle the issue of the near-immutability of transactions. However, whatever solution you go with, added complexity will still be a significant disadvantage.

Conclusion:

With blockchain technologies being used in many ways, we have new ways to strengthen data ownership, transparency and trust between entities (to name a few). The way GDPR is written, we tend not to store personal data directly on the blockchain, since in GDPR terms ‘it isn't erasable’. This prohibits the world from using this technology to its full potential, so we have to consider ‘older’ systems for storing data that simply cannot guarantee the same advantages as most blockchain technologies: who owns the data in your off-chain storage? Is the off-chain data even encrypted? Who can access this data? Where is it stored? Has it already been copied to other systems?

The post The blockchain & data privacy (GDPR) appeared first on Cybersecurity Insiders.


The tech professional labor market is an extremely competitive and difficult place right now. The stakes are so high that CNBC has highlighted certain companies that are offering paid vacations before new hires even begin the job.

This is a great environment for workers, and is something pushing employer standards higher and higher. This includes the onboarding process, in which employees are brought into the fold and then provided with all of the setup they need to get a running start in the business. As companies seek to move through the onboarding process quickly, cyber risks are presented – as with any expedited business process.

Sensitive data exchange

As part of the onboarding process, employees will need to exchange sensitive personal data. Indeed, having a well-structured “day 1” plan in which pay schedules, security codes, personal information and HR data is exchanged is absolutely crucial to maintaining good employee service and ensuring engagement. Dealing with these requests in a quick fashion achieves that, but it’s also important to note that this is where security risks can occur.

Indeed, US News highlights the fact that 2022 has been a bumper year for data breaches; Microsoft, Uber, Ronin and News Corp have all experienced huge attacks. In order to ensure that sensitive data can be exchanged safely, a holistic review of corporate and third-party security systems is essential. Secure portals, to allow the transfer of data into the business from the employee onboarding, will protect both parties.

Protecting corporate data

With employees in the corporate system, it’s important that they have immediate access to local resources and knowledge to start their development and to support their work as they get going. It’s important that these knowledge bases have significant and accurate resources, but they also need to be protected. Corporate cyber espionage is a serious risk; according to Security Magazine, hundreds of millions of dollars of damage was inflicted in 2020-21 through corporate information theft. Accordingly, operating a stringent data management policy and ensuring files are maintained securely is key.

Generating social connections

A key benefit that companies can offer employees is networking. Being a conduit for new industry connections and all the benefits that come from that is a key part of onboarding – but, as with other aspects, it brings risks. Bringing a new employee into the fold and putting them in touch with established networks carries its own risks; furthermore, without the familiarity that existing employees have with corporate networks, there is a definite risk of exposing those networks to additional cyber threats.

As with all corporate cybersecurity solutions, the key to securing social networking and promoting assurance comes in the form of systems checks. That means staying up to date with high-quality security technology, keeping track of what valuable data and assets are being shared, and ensuring that employees are aware of their security responsibilities.

The post Employee onboarding needs to be engaging – But how can security be preserved? appeared first on Cybersecurity Insiders.

As we head into 2023, we look back at the last year; the focus will continue to be on reducing risk exposure and on resilience. Organizations are strengthening their ransomware defenses, their security and privacy approach to product development, cyberattack response, supply chain risk management and operational technology (OT) security. Based on working with customers across industry sectors, here is a compilation of some trends we predict for 2023.

1. Critical Infrastructure and Public Sector will continue to become attractive targets.

As cyberattacks become more sophisticated, building collaborative communities between the public and private sectors will be crucial to synchronize operations and take preventative measures as a unified front to critical infrastructure threats. The public sector has become a favored target for cybercriminals. Armed with automated botnets, hackers rummage through computer systems to locate “soft targets.” In recent years, US state and local government agencies have fallen prey to cyber-attacks.

Legacy security is proving ineffective against the growing legion of diverse, sophisticated, and confrontational cyber threats. Public agencies collect and store sensitive data. Like the private sector, government institutions have gone digital. The addition of cloud, mobile, and SaaS have expanded an organization's attack surface, and it further illuminates that your cyber security is only as strong as your weakest point.

2. OT attack patterns will become more prevalent.

IT and OT teams must find common ground to eliminate the substantial risk factors of planned and accidental IT/OT convergence. But the mission does not end there. OT security solutions that work in conjunction with IT security solutions can be the catalyst that not only provides the visibility, security, and control needed to thwart new cyber threats but also brings these once separate teams together for the common security that every manufacturing, critical infrastructure and industrial organization will need in order to fulfill its core mission efficiently and securely.

The rising demand for improved connectivity of systems, faster maintenance of equipment, and better insights into the utilization of resources has given rise to internet-enabled OT systems, which include industrial control systems (ICS) and others such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs). With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sectors (i.e., healthcare, pharma, chemicals, power generation, oil production, transportation, defense, mining, food, and agriculture) are becoming exposed to threats that may be more profound than data breaches. In the coming years, OT attacks will become more prevalent and be used in cyber warfare.

3. Privacy will start getting more attention within the US.

We are going to see more states pass laws with a focus on privacy. Data privacy laws in the United States have been primarily sector-based, with different data privacy laws applying to other sectors of the economy. For example, HIPAA for health care, FERPA for education, GLBA for finance, etc. While this approach has allowed laws to be tailored to specific contexts, it has also resulted in many businesses being exempt from meaningful data privacy regulation.

Recognizing these gaps, the new state consumer data privacy laws seek to establish a comprehensive framework for the controlling and processing of personal data by the many businesses currently exempt from other regulatory schemes. While the state laws vary somewhat, they share a few common principles: establishing standards and responsibilities regarding a business's collection of personal data from consumers; granting consumers certain individual rights concerning their data, such as the rights to access, correct, delete, and obtain a copy of the personal data a business holds about them; and establishing an enforcement mechanism that allows state governments to hold businesses accountable for violations of the law.

4. Culture of resilience and safety versus compliance and prevention of breaches.

Resilience means more than bouncing back from a fall at a moment of significantly increased threats. When addressing resilience, it's vital to focus on long-term goals instead of short-term benefits. Resilience in the cybersecurity context should resist, absorb, recover, and adapt to business disruptions. Cyber resiliency can't be accomplished overnight. For the longest time, the conversation around getting the cybersecurity message across at the board level has revolved around the business language.

Businesses cannot afford to treat cybersecurity as anything but a systemic issue. While the board tends to strategize about managing business risks, cybersecurity professionals tend to concentrate their efforts at the technical, organizational, and operational levels. According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error.

Unfortunately, many businesses still mistakenly believe that cyber-resilience means investing in bleeding-edge technologies while paying scant heed to the human factor. Fixing human vulnerabilities starts with culture. Business leaders must reassure staff that it's okay to develop questioning attitudes and challenge high-risk requests, such as emailing sensitive information or processing payments.

5. Strengthening of fundamentals: vulnerability and patch management, risk reduction, and Managed Extended Detection and Response (MXDR).

As digital transformation initiatives accelerate, CSOs require a deep and accurate understanding of their organization's cyber risk. Understanding the details of your risk, what should be prioritized, and how it can be effectively reduced is the best foundation for building a holistic plan for managing threats across the organization—priorities for cyber resilience now and into 2023.

This will be the year for MXDR with a unified platform that automates incident investigation (enrichment, analysis, classification, and response) rather than relying on an overworked security team. Organizations will look for MXDR to include 24/7 monitoring, critical alerting, root cause analysis and around-the-clock “eyes on glass” support.

6. Growth of cybersecurity as a service – Security at scale and not a roadblock!

With budgets tightening across the board and competition for a limited pool of IT and security talent growing fiercer, cybersecurity-as-a-service providers will increasingly become the optimal solution for many companies. Internal security teams can concentrate on their core missions because they can count on their partners to focus on specific vectors. Cyber Security as a Service (CSaaS) allows the services utilized to change over time and be periodically realigned to ensure the customer's business needs are met.

7. CISO: role change and mindset of the future, and the impact of burnout and the blame game.

The future is here and now, with digital transformation driving organizations rapidly. Today the role of a Chief Information Security Officer (CISO) within organizations has become transformational. The CISO leads cross-functional teams to match the speed and boldness of digital transformations with agile, forward-thinking security and privacy strategies, investments, and plans.

Tech-savvy and business-savvy CISOs are both operational leaders and master tacticians. They can deliver consistent system performance, with security and privacy throughout the organization and its ecosystem, amid constant and changing threats. It's time to stop repeating how things can't be done (on security grounds). Instead, we need to preach from the business transformation book and explain how they can be.

We must stop operating out of silos and build relationships with all business players, embedding 'scenario thinking' and responsiveness into organizational cyber functioning. But just as importantly, to address the first part, the board needs to plan and prepare for a cyber-crisis proactively; only by understanding the risks can the business be in the right strategic place to combat them successfully.

8. Security mesh, Zero Trust and SASE: consolidation and optimization.

As 2023 planning kicks off, it would be interesting to look at how many Zero Trust initiatives have surfaced during budget discussions, how many product investments are tied to this initiative, and, more importantly, which are real Zero Trust initiatives and which are just seeking a budget home. Organizations in the early strategy stages for Zero Trust need to think of this as a multi-year plan; it is probably starting to take shape, but it's not the playbook you need to make today's priority calls. Many teams will struggle to move an emerging Zero Trust strategy to practical implementation. The need will grow for approaches that can help with practical implementation and accelerate Zero Trust data initiatives.

9. Board with more cyber knowledge and investment.

Business and cybersecurity success go hand in hand. As the board's role in cyber-risk oversight evolves, the importance of robust dialogue with the cyber influencers within an organization cannot be overestimated. Without close communication between boards and the cyber/risk team, the organization could be at even greater risk. If this sounds like a cybersecurity grooming exercise, that's because it is. Preparing cybersecurity practitioners with business acumen for the board to act as the voice of educated reason isn't such a bad idea.

The best businesses thrive because they have people at the very top who can exert control based on informed decision-making when a crisis looms. Leaving cybersecurity out of this success equation in 2023 is a risky game. Cybersecurity teams should equip the board with the following as a starting point. 

  • A clear articulation of the current cyber risks facing all aspects of the business (not just IT);
  • A summary of recent cyber incidents, how they were handled, and lessons learned;
  • Short- and long-term road maps outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
  • Meaningful metrics: the key performance and risk indicators that show top-priority cyber risks are being managed successfully.

10. Skills shortages and product silos exacerbate the situation.

There's no question that cybersecurity should be a number one focus for businesses that want to keep growing. But improving and scaling cybersecurity efforts in a constantly changing environment is challenging, with new threats and technologies continually being developed. To make things worse, the cybersecurity labor crisis is going to intensify.

A saturation of cybersecurity products with umpteen features is a desperate cry for consolidation, and the future is about cyber platforms and not siloed feature sets. The focus should not just be on finding issues but instead on remediation. There is going to be a need to demonstrate speed to value. We need technology that shows immediate value with simple implementation. Everyone talks about tech spending but forgets to include all the labor to roll out and maintain the technology platforms, which is another reason to consider cyber as a service.

Our current global landscape is testing resiliency. As organizations continue to transform digitally, they create new and heightened cyber risk concerns. Protecting these digital connections needs to stay top of mind for leaders looking to help their organizations adapt to these changes while continuing to innovate.

The post 10 Cybersecurity predictions for 2023 appeared first on Cybersecurity Insiders.


Digital transformation in banking began following the creation of the internet in the 1990s as a way for banks to deliver services to their customers more conveniently. Today, it has completely changed how most people interact with their banks. From opening a new account to making transactions and applying for loans, you can access all banking services directly from your computer or smartphone.

According to an FDIC survey on banking behavior, over 80% of account holders engage in some form of digital banking. The popularity of digital banking stems from the convenience and level of personalization that it offers. But is digital banking good for you, or do the risks, such as cybersecurity issues, outweigh the benefits? 

Below, let’s explore some of the pros and cons of digital transformation in banking.

Pros of digital transformation in banking

Digital banking offers several advantages to the modern banking customer. Here are a few:

  • 24/7 Access to your bank

One of the most significant benefits of digital banking is that it gives you round-the-clock access to your account. You don’t have to wait for working hours to deposit your funds, get an account statement, change your account details, or transact funds. You can do it at any time from wherever you are. 

Additionally, you don’t have to waste time in long queues in the banking hall. Digital banking is like having your personal bank right in your pocket.

  • Better rates, lower fees

Banks typically charge account maintenance and transaction fees to cover expenses like employees, bank premises, etc. Since digital banking allows customers to serve themselves directly over the internet, there’s less demand for bank employees and multiple brick-and-mortar branches. Therefore, banks embracing digital transformation have lower overheads and can offer their customers lower fees and higher interest rates. These benefits are especially pronounced for purely digital banks without physical premises.

  • Better customer experience

A 2021 survey by Deloitte Insights found that digital-first banks routinely outperform traditional banks in multiple areas that matter most to customers, including simplicity of transactions, transaction speed, and the overall quality of the banking experience.

Digital banks provide a smoother experience compared to traditional banks. For instance, transacting on a digital bank takes just a few minutes on your smartphone or laptop. In contrast, simply making a transaction in a traditional bank could take close to an hour as you must get to the physical bank, wait in line, fill out transaction forms, and speak to a teller.

In addition, digital banks offer features like budgeting tools that make it easier to manage your money. They also update you on every aspect of your account with text and email alerts, such as when you make transactions, when you don’t have enough money for an upcoming bill, and so on. This makes the digital banking experience much better than what you get with a traditional bank.

  • Automated payments

With digital banks, it’s amazingly easy to automate your payments. You can set up payments that you want to make from your account every month, so you don’t have to worry about fees and penalties for late or delayed payments. Plus, if you use a net-30 account to pay for goods or services and manage your cash flow, you can automate these payments too. 

You can also set up automated savings where the bank automatically deducts a specific amount from your account every month and deposits it in your savings account. This level of automation gives you a hands-free solution for managing your money instead of manually making all these transactions every month.

Drawbacks of digital transformation in banking

Despite offering convenience and better banking experiences, digital transformation in banking has flaws too. Some of these include:

  • Security concerns

The convenience of digital banking also comes with security risks. The online capabilities that allow you to access your account and transact remotely introduce loopholes that people with malicious intent can exploit to steal your money.

Today, there are lots of cybersecurity challenges facing digital banking. For instance, hackers may break into the online banking platform and steal sensitive customer data. Other risks include malware and ransomware attacks, spoofing, credential harvesting, identity theft, fraud, etc. While banks have put many measures into place to avoid such situations, the risk is always there.

Digital banks also place some responsibility for the safety of your money on you. When you put your money in a traditional bank, the bank is solely responsible for keeping your money safe. With a digital bank, you’re involved in protecting your money. You have to use strong passwords and multi-factor authentication for your online banking accounts and avoid logging into your account on public Wi-Fi networks. 

You must also avoid clicking on dubious links, be aware of phishing attacks, and protect yourself from many other client-side security threats. If you’re not security conscious, there’s always the risk of losing your money.

  • Possible technical issues

The electronic systems on which digital banks run are not always reliable. For example, the servers of your digital bank could experience an outage and lock you out of your account. Similarly, your bank’s website could have a technical issue that could prevent you from accessing your account. Even a problem with your internet connection can leave you unable to access your funds.

While the possibility of such scenarios is quite low, such technical problems can easily leave you stranded, especially when you need to access your money urgently.

  • It’s easy to spend your money

The convenience of having fast and constant access to your money is a benefit, but sometimes, it can be a disadvantage. If your digital bank is linked to your online shopping accounts, you could easily find yourself spending your money on things you hadn’t budgeted for. 

Additionally, making such payments is so effortless that you can easily forget how much money you’re spending. With a traditional bank, you’d have to visit a physical branch to access your money, which is enough to deter you from most impulse purchases.

However, digital banks also make it easier to track where you’re spending your money. Linking your digital bank account with your budgeting tool can help you prevent spending your money on unplanned expenses.

Wrapping up

The digital transformation in banking has completely revolutionized how people interact with their money and banks. It offers many benefits: convenience, round-the-clock access to your money, payment automation, lower fees, higher interest rates, and a better banking experience.

Still, it’s important to be aware of its drawbacks, such as security concerns, the possibility of technical issues locking you out of your account, and the likelihood of spending your money on things you’ve not budgeted for.

Most people will find that the pros outweigh the cons, but if you decide to adopt digital banking, don’t forget to take the appropriate steps to keep your money safe. 

The post The pros and cons of the digital transformation in banking appeared first on Cybersecurity Insiders.


In times of economic volatility, precious metals are a safe harbor for investors of all sizes. This has been reflected in choppy pricing for metals such as gold, which, according to CNBC, have only just settled down after weeks of gradual rise against a weakening dollar.

While there is a sense of solidity in trading precious metals, given their very real physical existence, they are, like every other digitally traded item, subject to the same cyber threats and risks that hit the digital markets every day. Staying safe in the face of these threats is key, and it starts with protecting spot trades.

Understanding stock market attacks

Precious metals are traded, just like other stocks, shares and commodities, at spot price. This means the buyer will pay a determined price from the seller, in addition to a variable degree of commission to the broker or other middleman. The high-profile nature of stock markets means that they are often well protected against cyber-attack, but this protection is faltering as stock trades become more diversified.

As more and more brokers and agents get involved in trading, the number of weak points in the networks increases. This is especially the case in precious metals; the sensitive pricing of precious metals means that the trades need to be completed quickly, or at high frequency. According to Investopedia, this extreme need for expediency offers an ‘in’ for attackers in two main forms.

Seizing the algorithm

Cryptocurrency has helped to shed light on one of the most important threats to counter: algorithm hacking. This is a process whereby the malicious actor attempts to seize control of a trading algorithm, whether one used on a wider scale by the market or by individual brokers. Through this, they can crash prices, causing instant damage that is difficult to rectify with corrections.

As Yahoo highlights, cryptocurrency deals with such attacks on a minute-by-minute basis; through proper online hygiene and well-established two-factor (or stronger) authentication, trading houses can stop third parties from accessing this data.

Distributed outages

A very common form of cyber-attack in the modern day is the DDoS. This takes networks offline, denying users access to data, and can sow confusion. While proprietary vendors such as Cloudflare have helped to provide coverage, there have still been high-profile attacks on stock markets.

Consider, for instance, the multi-day outage of the New Zealand stock exchange, highlighted by GARP. While not a primary player in the world markets, these smaller hubs feed into the larger, regional markets in London, New York and Tokyo. When smaller hubs are taken down, there are huge risks in terms of inaccurate costing, hijacked sales, and more. Ensuring that markets are protected as much as possible by DDoS protection is essential and, for individual traders, keeping full logs and using a high-quality broker will help further.

Criminals will continue to exploit the increased amount of business being seen in the precious metals market. Protection must come first, or profits could be at risk.

The post As volumes continue to rise, precious metal traders must be cyber vigilant appeared first on Cybersecurity Insiders.


Today, an important measure for success in the tech sector is time to market. The speed at which you can launch your product and any new features can make a huge difference in meeting growing customer expectations, breaking new ground in an existing market, and standing out against your competitors.

For many organizations, this speed to market is accelerated by employing APIs that rapidly share critical data between systems, enable business operations and reduce the need to reinvent the wheel. As such, APIs have become a strategic technology for businesses that want to keep moving forward, and quickly. In fact, according to research from Salt Security, “26% of businesses use at least twice as many APIs now as a year ago.”

However, APIs can quickly lose their strategic value if they’re not protected properly. This is because today’s APIs expose more sensitive data than ever before, making them a highly valuable target for attack. Businesses that want to leverage the speed that comes from using APIs need to also invest the time and effort required to minimize the security risk they pose. Here’s a look into how.

What makes API security different?

So, what is API security? The Open Web Application Security Project (OWASP) defines it as strategies and solutions focused on mitigating the unique vulnerabilities and security risks of APIs. Sounds easy enough, right?

The thing to remember is that API security differs from other security initiatives. With so many different APIs emerging on the scene every day, each with its own set of logic paths, it’s almost impossible to have a ubiquitous approach to securing every one. Plus, most of the security tools that companies tend to have in place — from web application firewalls and API gateways to identity and access management (IAM) tools — weren’t designed to prevent attacks on APIs.

This is because APIs offer unique security challenges:

  • The landscape is always changing and staying up to date with new and changing APIs is an insurmountable task.
  • APIs are often subject to low-and-slow attacks that differ from traditional one-and-done mechanisms in that attackers spend time to evaluate the API and identify business logic gaps they can take advantage of.
  • Common DevOps security tactics like “shifting left” don’t really apply to API security as they can’t uncover all the vulnerabilities rooted in API business logic gaps.

In addition to that, APIs can be exploited through a number of threat vectors (10, according to OWASP) that could expose sensitive information. These include potential issues around authorization, authentication, data management, misconfigurations, monitoring, and more.

What does this mean for businesses focused on growth?

For organizations prioritizing rapid growth, there are ways to incorporate API security without severely compromising on speed and efficiency.

Be proactive

For starters, businesses should avoid leaving security as an afterthought. Force-fitting security functions into your API strategy after the fact can all but guarantee that you’ll slow down your launch and leave more vulnerabilities exposed than you address.

That said, take your time to determine what proactive API security looks like for you. We referenced shift-left tactics above. This approach is one that has been at the center of many DevSecOps discussions, encouraging developers to build security into every part of the product development cycle. And while that’s a sound strategy, it’s important to note that a) it takes time to build out a robust DevOps model and b) API security can’t just happen at the development stage. As such, it might be worth investing in an API security platform that can help cover as much of your bases as possible.

Choose the right leaders

Whether you’re a small and agile team launching its first product, or a large organization releasing features every quarter, you need to have someone (or multiple someones) responsible for API security.

Yes, everyone on your team should contribute to making API security a priority but having someone who’s directly accountable can help the functionality feel like less of a burden and more of a key component for any project. Find the people that are knowledgeable in this area (they won’t just be in your dev team), choose one or more API leaders that can drive cross-functional collaboration across all groups, and give them the time and space to stay up to date on best practices.

Implement best practices

For any business prioritizing growth, speed is important — and enabling that speed comes down to establishing a strong foundation of best practices.

At a high level, the constant change of APIs requires a continuous feedback loop between engineering and security to keep teams in sync and enable continuous security improvement. Security teams need to have an accurate understanding of the attack surface, and developers must be able to eliminate gaps identified at runtime to ensure that attackers cannot exploit these potential vulnerabilities in the future. Meanwhile, runtime insights should also provide valuable feedback to developers to aid in the remediation of these vulnerabilities.

This continuous improvement doesn’t require a full DevSecOps program, but it does require strong collaboration between security and engineering teams, as well as leveraging security tools that can easily integrate with existing workflows.

Here are some of the best practices that can help improve an API security posture and facilitate rapid (and secure) growth.

On the development and testing side:

  • Promote secure API design and development, and encourage secure coding and configuration practices for building and integrating APIs
  • Reduce exposure of sensitive data
  • Conduct design reviews that include business logic
  • Document your APIs to facilitate design reviews, security testing, and protection
  • Maintain an accurate API inventory so that security teams can get a realistic view of the attack surface
  • Do security testing on a regular basis

And for production:

  • Turn on logging and monitoring, and use telemetry data as a baseline for normal behavior to identify outlier events
  • Mediate your APIs with tools like API gateways to improve visibility and security
  • Create a plan for identifying changes to an API — automated platforms can compare documentation against runtime behavior to identify these gaps
  • Choose the right network security tools
  • Continuously authenticate and authorize access
  • Deploy runtime protection
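
As an added illustration of the inventory and change-detection points above (comparing documentation against runtime behavior), here is example code, not from the original post or any vendor platform, that checks a constructed OpenAPI-style inventory against constructed access-log lines and reports undocumented endpoints, undocumented query parameters, and documented endpoints never seen at runtime. The service paths, parameters and log format are all hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, str]  # (HTTP method, documented path template)

# Constructed inventory for a hypothetical service: documented method + path
# template, mapped to the set of documented query parameters.
DOCUMENTED_API: Dict[Endpoint, Set[str]] = {
    ("GET", "/v1/users/{id}"): {"fields"},
    ("POST", "/v1/orders"): set(),
    ("GET", "/v1/orders/{id}"): set(),
    ("DELETE", "/v1/orders/{id}"): set(),
}

# Constructed access-log excerpt in a simple "METHOD PATH[?QUERY] STATUS" form.
ACCESS_LOG = """\
GET /v1/users/42?fields=name 200
GET /v1/users/42/export?format=csv 200
POST /v1/orders 201
GET /v1/orders/1001 200
GET /v1/orders/1001?include=card_number 200
GET /v1/admin/debug 200
GET /v1/users/7 200
"""


@dataclass
class DriftReport:
    # Runtime endpoints with no documentation ("shadow" APIs).
    undocumented_endpoints: Set[Endpoint] = field(default_factory=set)
    # Documented endpoints seen with query parameters the spec never mentions.
    undocumented_params: Dict[Endpoint, Set[str]] = field(default_factory=dict)
    # Documented endpoints never observed at runtime (candidates for removal).
    unused_endpoints: Set[Endpoint] = field(default_factory=set)


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn /v1/users/{id} into a regex where {id} matches exactly one path segment."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def match_documented(method: str, path: str, documented: Dict[Endpoint, Set[str]]) -> Optional[Endpoint]:
    """Return the documented (method, template) a concrete request maps to, or None."""
    for (doc_method, template) in documented:
        if doc_method == method and template_to_regex(template).match(path):
            return (doc_method, template)
    return None


def normalize_path(path: str) -> str:
    """Collapse purely numeric segments so undocumented endpoints group by shape."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def analyze(log_text: str, documented: Dict[Endpoint, Set[str]]) -> DriftReport:
    """Compare observed runtime traffic against the documented inventory."""
    report = DriftReport()
    seen: Set[Endpoint] = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        method, target, _status = line.split()
        path, _, query = target.partition("?")
        params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
        key = match_documented(method, path, documented)
        if key is None:
            report.undocumented_endpoints.add((method, normalize_path(path)))
            continue
        seen.add(key)
        extra = params - documented[key]
        if extra:
            report.undocumented_params.setdefault(key, set()).update(extra)
    report.unused_endpoints = set(documented) - seen
    return report


if __name__ == "__main__":
    result = analyze(ACCESS_LOG, DOCUMENTED_API)
    print("Undocumented endpoints:", sorted(result.undocumented_endpoints))
    print("Undocumented parameters:", result.undocumented_params)
    print("Documented but unused:", sorted(result.unused_endpoints))
```

Each finding maps to a review action: a shadow endpoint needs documentation and a security review, an undocumented parameter on a data-returning endpoint needs an authorization check, and an unused endpoint is attack surface that may simply be removed.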

API security and growth, no longer at odds

Moving quickly as a business should never mean having to compromise on your security posture. By incorporating API security into your overarching strategy, you can set a strong foundation that allows your business to stand out in the market with a product that’s equal parts effective and secure.

The post API Security in the fast lane appeared first on Cybersecurity Insiders.

Executive summary

Fortinet’s newest vulnerability, CVE-2022-40684, allows for an authentication bypass that can be used to manipulate admin SSH keys, download configuration files without authorization, and create super admin accounts. It has put a big target on the backs of unpatched and exposed Fortinet devices.

An AT&T Managed Extended Detection and Response (MXDR) customer was involved in a true positive compromise that was discovered through a threat hunt initiated off an Intrusion Protection System (IPS) alert from Fortinet. With coordination between MXDR and the customer’s network and security teams, the threat was remediated and contained, and the vulnerable devices were patched.

Investigation

The initial investigation began during a tactical check-in with the customer, who mentioned an investigation regarding an IPS detection for two IP addresses that were attempting the authentication bypass exploit.

Fortinet problem found

If we pivot to the event, we can see Fortinet created detections for potentially unauthorized API requests to the cmdb filepath.

[Screenshot: investigating event]

Through Fortinet’s advisory on the vulnerability, we learned that potential malicious activity would originate from the user Local_Process_Access and would utilize the Node.js or Report Runner interface. Reports indicate that some of the handlers for API connections check certain conditions, including the IP address being a loopback address and the User-Agent being either Report Runner or Node.js. From that information, we’re able to turn our attention to potential true positives that weren’t picked up by the IPS. Doing a quick filter on the Local_Process_Access user produced some interesting events:


This doesn’t look good. In the first event we can see the attacker successfully download the local certificate:

[Screenshot: local certificate]

This allows the attacker to see certificate information such as the email address of the certificate owner, the IP address of the Fortigate, the company name, the location where the Fortigate was installed, and other sensitive details. These local certificates are generated and provided to the Certificate Authority (CA) for environment trust.

Shortly after, the attacker managed to download the system config of the Fortigate:

[Screenshot: system config]

Finally, a few hours later they managed to upload a script and run it to create a super_admin user:

[Screenshot: super user]

This is where the observable activity ended from the Local_Process_Access user and the newly created admin account. Remediation began at this point.

Response

After discovery of the administrator account, a network administrator was urgently contacted and was able to remove the account. During the remediation process, the network administrator observed that the management port’s external interface had HTTPS open, which is likely how the attacker gained the initial foothold. It’s believed the super_admin account that was created was to be used as a backdoor in case the device was patched, as no activity was seen from the account after creation. The script used by the attacker was not recovered, but following its upload and execution it was likely just used to create the admin account.

Importance of patching

Fortinet did release a patch the day this vulnerability was announced, as well as mitigation steps if patching was not immediately feasible. One of the mitigation steps was to disable HTTPS/HTTP on the external facing management interface if not needed. The Fortinet Fortigate in question was the only device that had the management interface open, and thus allowed the attacker an easy path to exploit the vulnerability.

As a result of the detection of this activity by threat hunting through customer logs, additional correlation logic was created for the USM Anywhere platform to detect future compromises.
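
As an added example of the kind of hunt and correlation logic described above (not AT&T's USM Anywhere rules or Fortinet's own detections), here is Python that parses constructed FortiGate-style key=value event lines, pivots on the Local_Process_Access user, tags what each event did (certificate download, config download, script upload, admin creation), and escalates severity when a single source shows the download-then-admin-creation chain seen in this investigation. The log lines, field names such as ui and cfgpath, the 203.0.113.77 source and the created account name are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

PIVOT_USER = "Local_Process_Access"

# Constructed, FortiGate-style key=value events. Addresses come from the
# documentation ranges (192.0.2.0/24, 203.0.113.0/24); nothing here is real data.
SAMPLE_EVENTS = """\
date=2022-10-12 time=09:14:02 type="event" subtype="system" level="information" user="admin" ui="https(192.0.2.10)" action="login" status="success" msg="Administrator admin logged in successfully"
date=2022-10-12 time=10:03:17 type="event" subtype="system" level="information" user="Local_Process_Access" ui="https(203.0.113.77)" action="download" msg="Local certificate downloaded via REST API (cmdb)"
date=2022-10-12 time=10:05:41 type="event" subtype="system" level="information" user="Local_Process_Access" ui="https(203.0.113.77)" action="download" msg="System configuration backup downloaded via REST API"
date=2022-10-12 time=13:40:09 type="event" subtype="system" level="information" user="Local_Process_Access" ui="https(203.0.113.77)" action="upload" msg="Script uploaded via REST API (cmdb)"
date=2022-10-12 time=13:40:12 type="event" subtype="system" level="notice" user="Local_Process_Access" ui="https(203.0.113.77)" action="Add" cfgpath="system.admin" cfgobj="new_admin" msg="Add system.admin new_admin"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def source_ip(ev: Dict[str, str]) -> str:
    """Pull the address out of a ui field like https(203.0.113.77)."""
    m = re.search(r"\(([^)]+)\)", ev.get("ui", ""))
    return m.group(1) if m else "unknown"


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Tag events from the pivot user by what they accomplished; None for everything else."""
    if ev.get("user") != PIVOT_USER:
        return None
    action = ev.get("action", "").lower()
    msg = ev.get("msg", "").lower()
    if action == "add" and ev.get("cfgpath") == "system.admin":
        return "admin_created"
    if action == "download" and "certificate" in msg:
        return "cert_download"
    if action == "download" and "config" in msg:
        return "config_download"
    if action == "upload" and "script" in msg:
        return "script_upload"
    return "api_access"  # any other activity under this user still merits review


def severity(tags: Set[str]) -> str:
    """Escalate when sensitive downloads are followed by a persistence action."""
    exfil = {"cert_download", "config_download"} & tags
    if "admin_created" in tags and exfil:
        return "critical"
    if "admin_created" in tags or "config_download" in tags:
        return "high"
    return "medium"


def hunt(log_text: str) -> Dict[str, object]:
    """Return per-event findings and a per-source severity summary."""
    findings: List[Tuple[str, str, str]] = []
    per_source: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        tag = classify(ev)
        if tag is None:
            continue
        src = source_ip(ev)
        findings.append((f"{ev.get('date')} {ev.get('time')}", src, tag))
        per_source[src].add(tag)
    summary = {src: {"tags": tags, "severity": severity(tags)} for src, tags in per_source.items()}
    return {"findings": findings, "sources": summary}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for when, src, tag in result["findings"]:
        print(f"{when} {src:>15} {tag}")
    for src, info in result["sources"].items():
        print(f"{src}: {info['severity']} ({', '.join(sorted(info['tags']))})")
```

The benign administrator login from 192.0.2.10 produces no finding, while the four pivot-user events from 203.0.113.77 roll up to a critical source because certificate and config downloads were followed by creation of a system.admin object, which is also the point at which the patch and the management-interface exposure check described above should be verified.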

The post Stories from the SOC: Fortinet authentication bypass observed in the wild appeared first on Cybersecurity Insiders.