Executive summary:

Fortinet’s newest vulnerability, CVE-2022-40684, allows an authentication bypass that can be used to manipulate admin SSH keys, download configuration files without authorization, and create super admin accounts. It puts a big target on the backs of unpatched and exposed Fortinet devices.

An AT&T Managed Extended Detection and Response (MXDR) customer was involved in a true positive compromise that was discovered through a threat hunt initiated off an Intrusion Protection System (IPS) alert from Fortinet. With coordination between the MXDR team and the customer’s network and security teams, the threat was remediated and contained, and the vulnerable devices were patched.

Investigation

The initial investigation began during a tactical check-in with the customer, who mentioned an investigation regarding an IPS detection for two IP addresses that were attempting the authentication bypass exploit.

(Screenshot: the IPS detection)

If we pivot to the event, we can see Fortinet created detections for potentially unauthorized API requests to the cmdb filepath.

(Screenshot: the detection event details)

Through Fortinet’s advisory on the vulnerability, we learned that potential malicious activity would originate from a user Local_Process_Access and would utilize the Node.js or Report Runner interface. Reports indicate that some of the handlers for API connections check certain conditions, including the IP address being a loopback address and the User-Agent being either Report Runner or Node.js. With that information, we’re able to turn our attention to potential true positives that weren’t picked up by the IPS. Doing a quick filter on the Local_Process_Access user produced some interesting events:

(Screenshot: events filtered on the Local_Process_Access user)

This doesn’t look good. In the first event we can see the attacker managed to successfully download the local certificate:

(Screenshot: local certificate download event)

This allows the attacker to see certificate information such as the email address of the certificate owner, the IP address of the Fortigate, the company name, the location where the Fortigate was installed, and other sensitive details. These local certificates are generated and provided to the Certificate Authority (CA) for environment trust.

Shortly after, the attacker managed to download the system config of the Fortigate:

(Screenshot: system config download event)

Finally, a few hours later they managed to upload a script and run it to create a super_admin user:

(Screenshots: script upload and super_admin user creation events)

This is where the observable activity from Local_Process_Access and the newly created admin account ended. Remediation began at this point.

Response

After discovery of the administrator account, a network administrator was urgently contacted and was able to remove the account. During the remediation process, the network administrator observed that the management port’s external interface had HTTPS open, which is likely how the attacker gained the initial foothold. It’s believed the super_admin account that was created was to be used as a backdoor in case the device was patched, as no activity was seen from the account after creation. The script used by the attacker was not recovered, but following its upload and execution it was likely just used to create the admin account.

Importance of patching:

Fortinet did release a patch the day this vulnerability was announced, as well as mitigation steps if patching was not immediately feasible. One of the mitigation steps was to disable HTTPS/HTTP on the external facing management interface if not needed. The Fortinet Fortigate in question was the only device that had the management interface open, and thus allowed the attacker an easy path to exploit the vulnerability.

As a result of the detection of this activity through threat hunting in customer logs, additional correlation logic was created for the USM Anywhere platform to detect future compromises.
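The indicators the post pulls from Fortinet’s advisory (the internal-only Local_Process_Access user, a User-Agent or interface of Node.js or Report Runner, and the config, certificate and admin objects the attacker touched) can be turned into a small hunt over device logs. The following is an added example, not the USM Anywhere correlation logic or any Fortinet code: the sample events are constructed in a simplified key=value syslog style, and the field names (user, ui, srcip, action, cfgpath, cfgobj) are assumptions for the example rather than a statement of the real FortiGate log schema.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a simplified key=value syslog style.
# They are NOT real FortiGate logs and not from the incident described above;
# the field names are assumptions for this example.
SAMPLE_EVENTS = [
    'date=2022-10-11 time=09:14:02 user="Local_Process_Access" ui="Node.js" srcip=127.0.0.1 '
    'action="download" cfgpath="system.certificate.local" msg="Local certificate downloaded"',
    'date=2022-10-11 time=09:20:45 user="Local_Process_Access" ui="Report Runner" srcip=127.0.0.1 '
    'action="download" cfgpath="system.config" msg="System configuration downloaded"',
    'date=2022-10-11 time=13:02:17 user="Local_Process_Access" ui="Node.js" srcip=127.0.0.1 '
    'action="Add" cfgpath="system.admin" cfgobj="backup_admin" msg="Add system.admin backup_admin"',
    'date=2022-10-11 time=13:05:00 user="admin" ui="https(203.0.113.10)" srcip=203.0.113.10 '
    'action="login" msg="Administrator admin logged in successfully"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Indicators from Fortinet's advisory as summarised in the post: requests that
# arrive as the internal Local_Process_Access user and claim the Node.js or
# Report Runner interface, which a remote client should never legitimately do.
INTERNAL_USER = "Local_Process_Access"
INTERNAL_UIS = {"Node.js", "Report Runner"}
# Objects whose download or modification is most damaging (config, certs, admins).
HIGH_VALUE_PATHS = ("system.config", "system.certificate", "system.admin")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like CVE-2022-40684 abuse; [] if benign."""
    reasons = []
    if event.get("user") == INTERNAL_USER:
        reasons.append("user is the internal-only " + INTERNAL_USER)
    if event.get("ui") in INTERNAL_UIS:
        reasons.append("request claims the internal %s interface" % event["ui"])
    if not reasons:
        return []  # neither bypass indicator present: ordinary administration
    path = event.get("cfgpath", "")
    if path.startswith(HIGH_VALUE_PATHS):
        reasons.append("touches high-value object " + path)
    if event.get("action", "").lower() == "add" and path == "system.admin":
        reasons.append("creates an administrator account: likely persistence")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Run classify() over raw log lines; returns (index, summary, reasons) per hit."""
    hits = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            summary = "%s %s" % (event.get("action", "?"), event.get("cfgpath", "?"))
            hits.append((index, summary, reasons))
    return hits


if __name__ == "__main__":
    for index, summary, reasons in hunt(SAMPLE_EVENTS):
        print("event %d: %s" % (index, summary))
        for reason in reasons:
            print("    - " + reason)
```

The ordinary administrator login in the last sample line is deliberately left unflagged: the hunt keys on the internal user and interface names, not on the config objects alone, so routine configuration backups by real administrators do not drown the results.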

The post Stories from the SOC: Fortinet authentication bypass observed in the wild appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The majority of today's web applications contain dangerous vulnerabilities. To analyze their security, one cannot do without a dynamic scanner. DAST (Dynamic Application Security Testing) tools allow you to detect and evaluate security problems quickly. Let me tell you what to look for when choosing such a tool.

According to various studies, 70% of vulnerabilities have to do with errors in the code. Using vulnerabilities in your web application code, hackers can distribute malware, launch cryptojacking attacks, employ phishing and redirect users to malicious sites, hack a phone remotely, or steal personal data using social engineering techniques. 

Yes, sure, it is impossible to create perfectly secure software, but it is quite possible to reduce the number of vulnerabilities and increase the level of product security. To do this, you can rely on DevSecOps – a process that links development and security and where software is checked and tested for vulnerabilities at every stage of its creation.

The DevSecOps process is very broad; it may include numerous information security tools. In this article, I want to talk about DAST and how to choose the right scanner for dynamic application analysis. Together we will figure out what tool characteristics and parameters you need to pay attention to and what product types are currently available on the market.

What is DAST, and how does it work?

Dynamic application security testing is one of the secure development practices where an automated analysis of a deployed and functioning application is carried out. The dynamic scanner checks all access points via HTTP, simulates external attacks using common vulnerabilities, and simulates various user actions. The tool determines which APIs the service has, sends test requests and, where possible, uses malformed data (quotes, delimiters, special characters, and more).

The dynamic scanner sends and analyzes a large number of requests. The analysis of the sent request and the received response, as well as their comparison with a regular request, allows you to find different security problems.

Most scanners have similar functions and modus operandi. Their main components are a crawler and an analyzer.

The crawler traverses every link on every page it can reach, examining the contents of files, pressing buttons, and going through a dictionary of possible page names. This process allows you to estimate the size of the attack surface and possible attack vectors taking into account the existing ways of interacting with the application.

The analyzer checks the application directly. It can work in passive or active mode. In the first case, the analyzer studies only information that the crawler sends to it. In the second, the analyzer sends requests with incorrect data to the points found by the crawler and to other places that are not currently present on the pages but can be used in the application. It then infers the presence of a vulnerability based on the server's responses.
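The crawler/analyzer split described above, as an added example that is not part of the original article and not the code of any product named later: a miniature DAST in Python run against a constructed in-memory application (fake_app, a stand-in for a deployed site; nothing is sent over a network). The crawler follows href, src and fetch() references found in HTML and JavaScript bodies, the passive analyzer judges only the responses the crawler already received (here a missing security header), and the active analyzer re-requests each discovered parameter with a single quote and compares the response against the baseline. The application, the regular expressions and the finding formats are all assumptions for illustration.

```python
import re
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

Response = Tuple[int, Dict[str, str], str]  # status, headers, body


# Constructed in-memory "deployed application" that the scanner is pointed at.
# It is not a real site; /products deliberately leaks a database error so the
# active analyzer has something to find.
def fake_app(url: str) -> Response:
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    html = {"Content-Type": "text/html"}
    if parts.path == "/":
        return 200, html, ('<a href="/products?id=1">Products</a> <a href="/about">About</a>'
                           '<script src="/app.js"></script>')
    if parts.path == "/about":
        return 200, dict(html, **{"X-Content-Type-Options": "nosniff"}), '<p>About</p><a href="/">Home</a>'
    if parts.path == "/app.js":
        return 200, {"Content-Type": "text/javascript"}, 'fetch("/api/items?q=widget");'
    if parts.path == "/products":
        item = params.get("id", [""])[0]
        if "'" in item:
            return 500, html, "SQL syntax error near '%s'" % item
        return 200, html, "<p>Product %s</p>" % item
    if parts.path == "/api/items":
        return 200, {"Content-Type": "application/json"}, '{"items": []}'
    return 404, html, "not found"


LINK_RE = re.compile(r'(?:href|src)="([^"]+)"|fetch\("([^"]+)"\)')
ERROR_RE = re.compile(r"SQL syntax|ORA-\d+|mysql_fetch", re.IGNORECASE)


def crawl(fetch: Callable[[str], Response], start: str = "/", limit: int = 50) -> Set[str]:
    """Breadth-first crawl over same-site links found in HTML and JS bodies."""
    seen: Set[str] = set()
    queue = [start]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        _status, _headers, body = fetch(url)
        for match in LINK_RE.finditer(body):
            link = match.group(1) or match.group(2)
            if link.startswith("/") and link not in seen:
                queue.append(link)
    return seen


def passive_check(url: str, headers: Dict[str, str]) -> List[str]:
    """Passive mode: judge only the response the crawler already received."""
    if headers.get("Content-Type", "").startswith("text/html") and "X-Content-Type-Options" not in headers:
        return ["%s: HTML response without X-Content-Type-Options" % url]
    return []


def active_check(fetch: Callable[[str], Response], url: str) -> List[str]:
    """Active mode: resend each discovered parameter with a quote and compare
    the response with the baseline to spot leaked database errors."""
    findings = []
    parts = urlsplit(url)
    _s, _h, baseline = fetch(url)
    for name in parse_qs(parts.query):
        _s, _h, probed = fetch("%s?%s=1'" % (parts.path, name))
        if ERROR_RE.search(probed) and not ERROR_RE.search(baseline):
            findings.append("%s parameter %s: database error on quote input" % (parts.path, name))
    return findings


def scan(fetch: Callable[[str], Response], start: str = "/") -> Tuple[Set[str], List[str]]:
    """Crawl, then run the passive and active analyzers over every discovered URL."""
    urls = crawl(fetch, start)
    findings: List[str] = []
    for url in sorted(urls):
        _status, headers, _body = fetch(url)
        findings += passive_check(url, headers)
        findings += active_check(fetch, url)
    return urls, findings


if __name__ == "__main__":
    found_urls, found_issues = scan(fake_app)
    print("crawled:", sorted(found_urls))
    for issue in found_issues:
        print("finding:", issue)
```

The baseline comparison in active_check is the point the paragraph makes about inferring a vulnerability from the server's responses: a page that already contains the words "SQL syntax" in normal operation must not be reported just because the probe response contains them too.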

What should you pay attention to when choosing a DAST tool?

  • Scan quality

This is the ratio of found and missed vulnerabilities. It is impossible to immediately understand how well the scanner analyzes. To do this, you should at least approximately understand what vulnerabilities can be there and compare your estimates with the scan results. There are several ways to evaluate a tool:

  1. If you have an application and have already checked it for vulnerabilities through a bug bounty program or penetration testing, you can compare those results with the results of the scanner.
  2. If there is no application yet, you can use other pre-vulnerable software, which is created, as a rule, for training. You need to find an application that is close to your development environment in terms of the technology stack.

The number of false positives plays a decisive role when assessing the scan quality. Too many false positives clog the results. Besides, real errors can be missed. To determine how well the tool scans, you should analyze the report, parse the responses, and calculate the number and proportion of false positives.
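The comparison the two evaluation routes above boil down to (a list of vulnerabilities you trust, from a pentest, bug bounty or a deliberately vulnerable training app, against what the scanner reported) can be scored mechanically. The following is an added example, not part of the original article: the pentest results and the two scanner reports are constructed, and the normalisation step is an assumption about the most common mismatch in practice (case and trailing-slash differences in paths, which otherwise make a true positive look like a false positive and a miss at the same time).

```python
from typing import Dict, Iterable, Tuple

Finding = Tuple[str, str, str]  # (vulnerability class, URL path, parameter)


def normalise(finding: Finding) -> Finding:
    """Canonicalise so that 'SQLi' at '/Search/' matches 'sqli' at '/search'."""
    vuln, path, param = finding
    path = path.strip().lower().rstrip("/") or "/"
    return vuln.strip().lower(), path, (param or "").strip().lower()


def evaluate(scanner: Iterable[Finding], ground_truth: Iterable[Finding]) -> Dict[str, object]:
    """Score one scanner report against the trusted list of vulnerabilities."""
    reported = {normalise(f) for f in scanner}
    known = {normalise(f) for f in ground_truth}
    tp, fp, fn = reported & known, reported - known, known - reported
    precision = len(tp) / len(reported) if reported else 0.0  # how much of the report is real
    recall = len(tp) / len(known) if known else 0.0            # how much of the truth was found
    return {
        "precision": round(precision, 3),
        "recall": round(recall, 3),
        "false_positive_share": round(len(fp) / len(reported), 3) if reported else 0.0,
        "missed": sorted(fn),
        "false_positives": sorted(fp),
    }


# Constructed data: findings from a prior penetration test and two scanner reports.
PENTEST = [("SQLi", "/search", "q"), ("XSS", "/comments", "body"),
           ("IDOR", "/orders", "id"), ("Open redirect", "/login", "next")]
SCANNER_A = [("sqli", "/Search/", "q"), ("xss", "/comments", "body"), ("xss", "/about", "")]
SCANNER_B = [("sqli", "/search", "q"), ("xss", "/comments", "body"), ("open redirect", "/login", "next"),
             ("xss", "/about", ""), ("xss", "/contact", "name"), ("csrf", "/profile", ""),
             ("sqli", "/products", "id"), ("xss", "/faq", ""), ("clickjacking", "/", "")]


def compare(reports: Dict[str, Iterable[Finding]]) -> Dict[str, Dict[str, object]]:
    """Score several scanner reports against the same ground truth."""
    return {name: evaluate(findings, PENTEST) for name, findings in reports.items()}


if __name__ == "__main__":
    for name, score in compare({"A": SCANNER_A, "B": SCANNER_B}).items():
        print(name, score)
```

In the constructed data scanner B finds more of the real vulnerabilities (recall 0.75 against 0.5) but two thirds of its report is noise, which is exactly the "clogged results" problem; and neither scanner finds the IDOR, a reminder that authorisation flaws are the class a DAST tool is least likely to report.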

  • Crawling

If there is no information about the application and you need to analyze it from scratch, it is important to understand how many paths and transitions you can collect, that is, how accurate the crawling will be. To do this, you can look at the DAST product settings. You need to find out if it can monitor requests from the front-end to the back-end, parse, for example, Swagger or WSDL definitions, and find links in HTML or JS. It is also worth studying the process of obtaining information about the application.

Before scanning, you can, for example, find out which APIs are used. This will help you understand what the tool needs to perform a full program scan. When choosing a scanner, it is helpful to make a list of what each tool can import and see if it can be built into the development process.

  • Scan speed

This parameter is also important, especially if checks are integrated into the development process. Scanning can slow down the process and, as a result, lead to a waste of time and money. Scan speed largely depends on how quickly the application responds to requests, how many simultaneous connections it can handle, and several other factors. Therefore, in order to compare the speed of different DAST tools, you need to run them with the same software under approximately the same conditions.

  • Advanced settings

Automatic analysis tools must have detailed settings. They will allow you to remove unnecessary requests and limit the scan area. This will increase the quality of the process and the speed of analysis. To set tasks for the tool appropriately, you must have all available options and settings.

There are “smart” scanners that adapt themselves to applications. But such tools still have to be manually configured since the goals of the checks are different. For example, sometimes you need to scan an application in several ways, starting with a full scan and ending with a superficial analysis; in this case, the manual mode will definitely come in handy.

When choosing a tool, you need to pay attention to the total number of possible parameters, as well as how easy it is to configure them. To compare the work of different tools, you can create several scan profiles in each of them: fast and shallow for initial analysis, full and maximum for a full-fledged one.

  • Integration

To make the dynamic analysis as effective as possible, it is worth integrating this practice into the development process and periodically running the scanner during the build. It is necessary to form a list of what is used in the CI/CD process in advance, draw up an approximate plan for launching the tool.

This will help you understand how easy it will be to integrate it into the development process and whether it is convenient to use its API.

  • Technology

When choosing a scanner, you should consider the technologies your company uses in development. To do this, you can analyze applications and create a list of technologies, languages, and frameworks that are used. The list can get quite extensive, especially if the company is big. Therefore, it is appropriate to choose only a few critical parameters as criteria for evaluating scanners:

  1. The number of technologies and frameworks that the tool covers.
  2. The ability to support key technologies the company uses in its critical services.

  • Login sequence recording

Recording the login sequence is extremely important for dynamic scanners since authentication is required to enter the application. There are many pitfalls in this process, such as hashing the password before sending it or encrypting it with a shared key on the front-end, etc. Therefore, you must check in advance whether the tool will cope with all such nuances. To do this, you need to select as many different applications as possible and see if the scanner can go through the login stage in each of them.

It is also good to check how the tool behaves when logged out. The scanner sends a lot of requests during the analysis process. In response to some of them, the server can “throw the user out” of the system. The tool should notice this and re-enter the application.
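Two of the pitfalls named in this section, a front-end that hashes the password before sending it and a server that "throws the user out" mid-scan, can be exercised without any real application. The following is an added example, not part of the original article and not the login handling of Burp Suite, ZAP or any other product: FakeServer is a constructed stand-in for the application under test, and ScannerSession is a request wrapper that replays a recorded login sequence whenever the server signals that the session is gone. The cookie name, the sha256-of-password convention and the "any path containing < ends the session" rule are assumptions of the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]  # status, headers, body


class FakeServer:
    """Constructed application: the front-end is expected to send sha256(password),
    and any request whose path looks hostile silently ends the session."""

    def __init__(self) -> None:
        self.valid_sessions: set = set()
        self.logins = 0

    def handle(self, method: str, path: str, cookies: Dict[str, str],
               form: Optional[Dict[str, str]] = None) -> Response:
        if method == "POST" and path == "/login":
            expected = hashlib.sha256(b"secret").hexdigest()
            if form and form.get("user") == "tester" and form.get("password_hash") == expected:
                self.logins += 1
                sid = "sid%d" % self.logins
                self.valid_sessions.add(sid)
                return 302, {"Set-Cookie": "session=" + sid, "Location": "/home"}, ""
            return 401, {}, "bad credentials"
        sid = cookies.get("session")
        if sid not in self.valid_sessions:
            return 302, {"Location": "/login"}, ""
        if "<" in path:  # "hostile" input: the server throws the user out
            self.valid_sessions.discard(sid)
            return 302, {"Location": "/login"}, ""
        return 200, {}, "page " + path


class ScannerSession:
    """Request wrapper that replays the recorded login sequence whenever the
    server signals that the session is gone."""

    def __init__(self, server: FakeServer, user: str, password: str) -> None:
        self.server, self.user, self.password = server, user, password
        self.cookies: Dict[str, str] = {}
        self.relogins = 0
        self.logout_triggers: List[str] = []  # requests that themselves ended the session

    def login(self) -> None:
        # Recorded login sequence: mimic the front-end, which sends sha256(password),
        # not the password itself. A scanner that replays the raw password fails here.
        form = {"user": self.user,
                "password_hash": hashlib.sha256(self.password.encode()).hexdigest()}
        status, headers, _ = self.server.handle("POST", "/login", {}, form)
        if status != 302:
            raise RuntimeError("login sequence failed with status %d" % status)
        name, value = headers["Set-Cookie"].split("=", 1)
        self.cookies[name] = value

    @staticmethod
    def looks_logged_out(status: int, headers: Dict[str, str]) -> bool:
        """Heuristic for 'the server dropped our session'."""
        return status in (401, 403) or (status == 302 and headers.get("Location", "").endswith("/login"))

    def request(self, method: str, path: str) -> Response:
        status, headers, body = self.server.handle(method, path, self.cookies)
        if self.looks_logged_out(status, headers):
            self.relogins += 1
            self.login()
            status, headers, body = self.server.handle(method, path, self.cookies)
            if self.looks_logged_out(status, headers):
                self.logout_triggers.append(path)  # retry once only, then record and move on
        return status, headers, body


def run_demo() -> Tuple[int, int, List[str], int]:
    """Scan three paths; returns (re-logins, server-side logins, logout triggers, last status)."""
    server = FakeServer()
    session = ScannerSession(server, "tester", "secret")
    session.login()
    statuses = [session.request("GET", p)[0] for p in ("/home", "/search?q=<b>", "/profile")]
    return session.relogins, server.logins, session.logout_triggers, statuses[-1]


if __name__ == "__main__":
    print(run_demo())
```

The single retry in request() matters: a request that is itself the reason for the logout would otherwise put the scanner into a login loop, so it is recorded as a trigger and the session is simply re-established on the next request, which is what the section asks of the tool.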

  • Tool updates

Technology is constantly evolving, so when choosing a tool, it is vital to consider how often its updates or new versions of signatures/patterns or analysis rules are released. It is worth studying this information on the product website or requesting it from the vendor. This will show whether the developer is following trends and how up-to-date your database of checks will be.

It is desirable to find out if you can influence the development of the product and how the developer handles requests for new features. This will show how quickly the functionality you need will appear in the product and how communication with the vendor is arranged as part of the options update.

Which tool to choose?

There are plenty of tools on the market offered by such companies as Netsparker, Acunetix, Nessus, Rapid7, AppScan, and others. Let me briefly describe two tools that I use.

  • BurpSuite Enterprise

This tool was developed by PortSwigger. The product has a full-fledged REST API for interacting and managing scans, sending reports, and much more. The scanning agent is the classic BurpSuite. It is launched in “headless mode” but has limitations. For example, you can interact with it only through control commands from the head portal, and you will not be able to load your plugins. Generally, if the tool is configured correctly, it can provide excellent results.

  • OWASP ZAP (Zed Attack Proxy)

This popular tool was created by the OWASP community, so it is completely free. It has different SDKs and APIs for different programming languages. You can use OWASP options or your own plugins.

The product has extensions for various CI/CD tools. It can be run in different modes and controlled programmatically. You can easily insert the tool into your development process. At the same time, the scanner has its drawbacks. Since it is an open-source solution, the quality of scans is lower than that of enterprise solutions. Also, the tool's functionality is not very extensive and deep, but it can be extended and improved.

Conclusion

When choosing a dynamic analyzer, you can use the criteria noted above in this article, but they must be applied correctly. Each company is unique and has its own nuances and features; all this must be taken into account in conjunction with all the selection criteria. It is also good to define your needs in advance and understand what results you want to receive from the tool. To avoid a costly mistake, it is advised to conduct full-fledged testing of various options, compare them with each other, and choose the best solution.

The post Choosing a DAST solution: What to pay attention to? appeared first on Cybersecurity Insiders.

The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread. Threat actors have been creating legitimate-looking phishing campaigns, which have been a big driver for this trend. Although some of the tools for MFA can be complex, proper authentication/authorization is an absolute fundamental that every enterprise should embrace.

Where should we start with fundamentals?

People, Process & Technology

Let’s have a little more strategic look at this, though. To provide a holistic approach to security, a higher-level perspective is necessary. Your Process must be sound. Yes, that means policy-level guidance. Yes, that means that standards need to be in place. Finally, it means that procedures to provide more detailed guidance must be available for employees.

Again, perspective is essential. Nobody wants to work on the process first. Indeed, I was guilty of having a negative view of process early in my career. Let’s take the first example and reveal how the process might assist. An enterprise policy statement might provide simple guidance that access to all company resources requires management approval (as a policy).

How does an enterprise define who needs access to specific resources? Glad you asked. Standards can be used to determine data classification and the controls for accessing and protecting the various categories of data. An access control standard would also be appropriate to complement the data categories. So far, we have policy-level guidance, data classification, and access control standards which guide the controls necessary to control access to company resources.

Where does the requirement for MFA live? That is a good question; my thoughts are likely in the standards area. However, requiring MFA could be a policy, standard, or process/procedure level requirement. The next reasonable question is: where do the requirements for implementing an MFA belong? In an authentic consultant manner, I would say: It depends. Take that with the lighthearted intention I meant it with. Implementing MFA may be a process/procedure used by IT. Why did I say, “maybe?”

The reality is that there may be automation that handles this. It is possible that HR defines each employee’s role, and based on that, an HR system provides that through API to the systems used to provide authentication/authorization. Doesn’t that sound pleasantly streamlined?

More likely, things are not that automated. If they are, then kudos to your enterprise. There are likely multiple processes and procedures required before even setting this up, but I think most of the folks reading this will understand where I’m trying to go with this.

HR will have processes and procedures around defining roles and requesting implementation. IT will have processes and procedures focused on implementing the solution. The information security team will have processes and procedures for monitoring authentication/authorization mechanisms. This is just to state that Process is as important as the tool or technology chosen to meet the need. None of these documents state which tool or Technology to use. That is the point. If you have policy guidance and standards that define the need and processes to guide implementing MFA, then the Technology should be interchangeable. So, the first fundamental which should be a foundation is sound process.

I spoke about various teams here (IT and HR). That is another fundamental: People. People need to understand the requirements. People need to understand their role, and people need to be part of the solution.

Finally, the last high-level fundamental is Technology. But I said Technology could be interchanged. Yes, in many cases it can, but it is one of the three primary fundamentals required to manage and secure an enterprise. Are there differences in the technical solutions used for MFA? Certainly there are, and which Technology is used very much depends on your environment and the resources that will be accessed using MFA.

OK, Cybersecurity 101 so far: People, Process & Technology. The title uses fundamentals in battling complex cybersecurity threats. Right you are! The introduction shows that People, Process and Technology are critical to managing and securing your environment (Technology and facilities). Now let’s look at another group of 3 fundamentals: Prepare, Respond & Recover.

3 more fundamentals: Prepare, Respond & Recover

Prepare – How do you prepare for cyber threats? Based on the intro, it would be evident that having the correct people, process and technologies in place would be good preparation. Gold star for you if you were already thinking that. Let’s take a closer look.

Ransomware as an example

How do you prepare for Ransomware? Let me answer that question with several other questions: Do you have an incident response plan (Process [Policy])? Do you have a playbook (Process [procedure]) that provides your IT or Security group guidance for identifying, containing, eradicating, responding, and recovering from a ransomware attack?

Do you have an endpoint detection and response (EDR) solution (Technology) that can help prevent or minimize the spread of malware? Do you have a standard for collecting inventory and vulnerability information on your network resources or a tool like a vulnerability scanning platform to collect that information? Does the standard guide the prioritization of remediation of those vulnerabilities?

Do you have a security information and event management (SIEM) solution that ingests this type of information and assists with identifying possible indicators of compromise? Do you have the People necessary to remediate the problems? So many questions. Preparing for complex attacks can be hard.

But aren’t we still talking about fundamentals? Yes, Preparing includes understanding the environment which means the inventory of assets and vulnerabilities. Preparing includes good cyber hygiene and remediation of problems when they are found. Training is an essential aspect of preparation. Support people need the correct knowledge and skills. End users must understand the importance of reporting anomalies and to whom to report them.

Respond – What happens when you have prepared, and Ransomware still impacts you? It is time to respond. Proper response requires an even more detailed understanding of the issue. It requires research using tools like a SIEM and containing the problem by isolating with EDR tools or network controls. The response includes communicating to leadership that a problem exists. Response may require that you inform employees on proper guidance for sharing information. Response can also mean that you reach out to a partner or third-party expert to assist with investigating the problem.

Depending on the severity of the issue, response may include your leadership notifying customers that there is an issue. How well we prepare can greatly impact how well we respond. Ransomware is often complex and frequently an attack by a sophisticated threat actor. Even if an organization doesn’t have the qualified People part of the three fundamentals, they can still successfully respond to these attacks by having the right Technology in place and processes that include engaging partners with the right skills.

Recover – What does recovery look like? First, let me ask: Do you have any disaster recovery (DR) or business continuity plan (BCP)? Have you tested it? Ransomware is a type of cyber incident and certainly a type of disaster. Does that mean you can use disaster recovery procedures to recover from a ransomware attack?

The procedures may be different, but your DR processes can be leveraged to recover from a ransomware attack. Of course, the exact processes may be a little different. Still, fundamentals like recovering systems from backup and using alternative processes for system outages may be necessary during a ransomware attack. Just like with any type of disaster, recovery should be the highest priority. How do you know if you can successfully recover from any type of disaster?

Closing / recommendations

It would be easy to write a book on this stuff, and I’m sure others have done exactly that. I have talked about fundamentals like People, Process and Technology as well as Preparing, Responding and Recovering. The question you may have is: what is the short list of things we need to ensure we have or are doing?

  1. Have a plan! (Prepare) – Have a formal DR Plan. Have a formal Incident Response Plan. Have supporting processes like playbooks that provide specific guidance to maintain calm rather than letting chaos rule.
  2. Test the plan! (Prepare) – Practice like you are under attack. Perform a tabletop exercise. Engage a partner to conduct a Red Team exercise. You want to test the Processes, People, and Technology to make sure they are all sound.
  3. Build or buy! Have processes, technologies, and people needed to respond! (Respond) – If you don’t have the expertise in-house, find a trusted firm that can step in and assist. Implement tools (SIEM, EDR & scanning) or outsource if necessary.
  4. Recover – Just having backups isn’t good enough anymore. Data needs to be backed up to prevent altering (immutable). Make sure that all of the identified problem areas have been remediated. The last thing an organization wants is to restore operations only to find that the problem is still resident. Use a scanning tool to verify that common vulnerabilities are fixed.

These are all basic fundamentals. Every organization needs to evaluate their environment to see where the gaps are. Using a framework like NIST, CIS or other industry standards to assess your environment is a great place to start. These assessments can reveal gaps in People, Process or Technology. Once you have the gaps identified, create a plan to address those areas.

The post Prepare, respond & recover: Battling complex Cybersecurity threats with fundamentals appeared first on Cybersecurity Insiders.

Wayne Bridgeman II, a Senior Manager on AT&T’s Network Cybersecurity team, offers a 5-point checklist for businesses in 2022 alongside tidbits of often overlooked tactics that can strengthen security.

Wayne Bridgeman II is no stranger to the fighting ring. He fought professionally in the martial arts community for 5 years and has since transitioned to helping businesses combat the growing risk of cybercrime. Although the specifics differ, Wayne approaches his fights with the same strategic mindset. In both the ring and in cyberspace, success begins with knowing your own vulnerabilities. For the past 10 years, Wayne specialized in Network Technology and Cybersecurity, where he identified the needs of businesses and customized solutions to secure their networks. When asked about common misconceptions regarding cybersecurity, Wayne identified one pitfall many small business owners fall into: underestimating their potential to be victims. 

“Put yourself in the shoes of a criminal and pretend you’re breaking into a car with a limited amount of time. Which is more appealing: the expensive car with the newest locks, or the late model car with rolled-down windows and a purse in the seat? Criminals often choose the option with less deterrence,” Wayne said. “One of the biggest traps small businesses fall into is thinking that they aren’t as appealing to cybercriminals because they’re smaller and have less to offer. Cybercriminals are opportunists with a keyboard, looking for low-hanging fruit. It’s not necessarily what the businesses have that’s appealing, but what they have exposed. By not keeping up to date on security and practicing ‘cyber hygiene’, businesses are making themselves easy targets.”

Wayne offered a few immediately applicable tasks for businesses of any size to get started: “Ultimately, the goal is to take your business from being an easy target to a hard target. But you don’t have to throw a bunch of money to form the basics. First, practice password hygiene. Update regularly and enable multifactor authentication. Second, utilize the principle of least privilege. Only give people access to things that they absolutely need to perform their job. Third, regularly back up data onto your network so that in the event of an outage, you are secure. All of these are steps you can take now to make yourself a harder target.”

While these steps will give business owners a head start, proper cyber hygiene may require an even deeper cleaning. Wayne continued, “Nowadays, there are many cybersecurity options out there. But not all dollars you invest in cybersecurity are created equal. There are strategies that will mitigate risk more than others, and you can waste funds by investing in the wrong places. It’s important to ask the right questions first.”

According to Wayne, here are five of the most critical questions business owners can ask themselves in 2022:

1. Are the people trained?

Oftentimes, people are the number one targets for hackers. “Human beings are inherently fallible. Finding ways to masquerade and attack through an email or phone call is the primary vehicle a hacker will utilize because it is scarily effective,” Wayne said. Hackers need an entry point into a network, and far too often it’s the untrained workers who accidentally give them the keys. “We must educate our employees and help them be aware that these things are coming to them. You can do this by investing in security awareness training. When employees are aware of potential attack strategies, it’ll be a lot harder for hackers to get in.”

2. Are the endpoints secure?

Endpoints are the physical devices that connect to networks, and the first step to securing them is to protect the entry points. “Every home has a door, and every network has a front door as well. We know them as firewalls. Firewalls allow us to securely detect threats that attempt to come into the network and lock them at that edge.” Wayne continued, “Firewalls have evolved over the years, and nowadays it’s best to utilize multiple layers of protection. One type of layer to consider is web traffic filtering. These filters protect employees that use the internet and defend them from accidentally getting phished on bad websites. You can also consider adding layers that inspect encrypted traffic. Most traffic on the internet today is encrypted and hackers use that to bypass traditional firewalls, get into the network, and cause damage.”

As technology evolves, firewalls need to stay up to date, and this takes time and expertise. One solution is to utilize managed firewalls that can automatically detect and respond to activity on endpoints.

3. Have we addressed the vulnerabilities?

“All networks have vulnerabilities,” Wayne said. “The question is how critical these vulnerabilities are and if the business has taken action to mitigate them or put in controls to prevent them from being used in an attack.” The two-part step to assess vulnerabilities is as follows:

  1. Know what’s on your network (known as asset identification) and know what you must protect.
  2. Know what vulnerabilities are present on those assets.

“This is a process known as vulnerability management, and businesses would be best served to practice it in a quarterly (or more) rhythm. They must understand what’s on their network, the vulnerabilities that exist, and how to patch them up. This helps minimize opportunities for hackers to exploit vulnerabilities on the network.”

4. Have we factored in edge security?

As hybrid workforces become the standard for many businesses, employees are increasingly working outside of the network. Wayne talked about the dangers this can pose. “While it can be nice to work from a coffee shop or from home, mobile employees don’t get the benefit from being behind a firewall. Mobile employees need to be protected, and the firewall needs to ‘follow’ them somehow. Layering firewalls with solutions such as secure web gateways that protect users while they’re outside of the network is one solution. This is where layering endpoint security can really come into play.” 

5. What is our incident response plan?

“When it comes to cyberattacks, it’s no longer a matter of ‘if’ but ‘when’. It may sound cliché, but it’s a reality today,” Wayne warned. “The difference between recovery and failure in the event of an attack is having a plan. Businesses of all sizes must have an incident response plan that should be tested from time to time. Preparation may include partnering with a third party or instant response services if they don’t have the resources themselves so that experts can engage on their behalf in the event of a critical business-impacting cyber-attack.”

“Oftentimes, small businesses take the hardest hit. Small businesses that get attacked often go out of business because they haven’t built a plan of how they’ll respond to those events. Having a written incident response plan where owners of the business know who does what in the event of an attack, paired with access to third party experts, can be critical for recovery. Your ability to respond to an attack will be dictated by how well you plan to respond.”

When asked about the trending shift from copper to fiber and fiber’s effect on security, Wayne offered some insight. “Cybersecurity is often measured by the acronym CIA: Confidentiality, Integrity, and Availability. The fiber network moves at the speed of light and has higher availability, meaning that its uptime is better. When you can’t get to your data, your network is less secure. By having a fiber connection with higher availability, you’re hitting one part of the triad. Notice the contrast with copper, which has lower availability due to issues with degradation and the frequent need for repair. But note that copper and fiber are just the physical layers of connectivity, and what you layer on top of your network is just as crucial.”

Ultimately, knowing the state of your network and preparing adequately is the key to protection. When it comes to successful defense, Wayne found many parallels between martial arts and cybersecurity. “In the event of an attack, I’ve learned in both the martial arts community and cybersecurity world that people revert to their training. In martial arts, we say that ‘everyone thinks they have a plan until they get punched in the face’ and it’s just as true when protecting your network. The key is to train and prepare well before the attack occurs.”

The post Attention business owners: Top 5 Cybersecurity questions to ask in 2022 appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

The average cost of a data breach will continue to rise, which means companies need to start planning accordingly. To protect your business, you need to invest in cybersecurity. Here are 11 areas you should focus on.

Cyber insurance

Cyber insurance is designed to protect businesses from the financial repercussions of a cyber-attack. It can cover costs such as business interruption, data recovery, legal expenses, and reputational damage. It is increasingly common across industries and at companies of all sizes, even small businesses, which have become a growing target of cybercriminals.

Cyber insurance is also increasingly expected by regulators, customers and business partners in industries such as healthcare, finance, and retail. In the event of a data breach, companies are often required to notify their customers and partners, which can be costly. Cyber insurance can help cover these expenses.

Employee training

Employees are often the weakest link in a company's cybersecurity defenses. They may not be aware of the latest cyber threats or how to protect themselves from them. That's why it's important to provide employees with regular training on cybersecurity risks and best practices.

There are many different types of employee training programs available, ranging from in-person seminars to online courses. Some companies even offer financial incentives for employees who complete training programs.

In the remote work era, employee education also increasingly means arming remote workers with knowledge that will keep company data safe while they are working on networks that might not be well secured. This is especially the case if you know people are connecting via public networks at cafes, co-working spaces, and airports.

Endpoint security

Endpoints are the devices that connect to a network, such as laptops, smartphones, and tablets. They are also a common entry point for cyber-attacks. That's why it's important to invest in endpoint security, which includes solutions such as antivirus and endpoint detection and response (EDR) software, host firewalls, and disk encryption.

You can invest in endpoint security by purchasing it from a vendor or by implementing it yourself. There are also many free and open-source solutions available. Make sure you test any endpoint security solution before deploying it in your environment.

Identity and access management

Identity and access management (IAM) is a process for managing user identities and permissions. It can be used to control who has access to what data and resources, and how they can use them. IAM solutions often include features such as Single Sign-On (SSO), which allows users to access multiple applications with one set of credentials, and two-factor authentication (2FA), which adds an extra layer of security.

IAM solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as firewalls and intrusion detection systems.

Intrusion detection and prevention

Intrusion detection and prevention systems (IDPS) are designed to detect and prevent cyber-attacks. They work by monitoring network traffic for suspicious activity and blocking or flagging it as needed. IDPS solutions can be deployed on-premises or in the cloud.

There are many different types of IDPS solutions available, from network-based systems that inspect traffic at a choke point to host-based agents that monitor activity on individual servers and workstations. Make sure you choose a solution that is right for your environment and needs.

Security information and event management

Security information and event management (SIEM) solutions are designed to collect and analyze data from a variety of security sources, such as firewalls, intrusion detection systems and web filters. This data is then used to generate reports that can help identify security risks and trends.

SIEM solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as incident response and vulnerability management. Think of SIEM as a centralized platform that allows you to see all the different security events happening across your environment in one place.

Email security

Email is a common target for cyber-attacks, as it is often used to deliver malware or phishing messages. That's why it's important to invest in email security, which includes solutions such as spam filters and email encryption.

You can invest in email security by purchasing it from a vendor or by implementing it yourself. There are also many free and open-source solutions available.

Vulnerability management

Vulnerability management is the process of identifying, assessing, and mitigating vulnerabilities in systems and networks. It includes both automated and manual processes, such as scanning for vulnerabilities and patching them.

There are many different types of vulnerability management solutions available, from simple scanners to more comprehensive suites. Make sure you choose a solution that is right for your environment and needs.

Web security

Web security refers to the process of securing websites and web applications from cyber-attacks. It includes both server-side and client-side measures, such as web application firewalls (WAFs), input validation, TLS, intrusion detection systems and web filters.

You can invest in web security by purchasing it from a vendor or by implementing it yourself. There are also many free and open-source solutions available. Make sure you test any web security solution before deploying it in your environment.

Data loss prevention

Data loss prevention (DLP) is a process for preventing sensitive data from being leaked or lost. It includes both technical and organizational measures, such as data encryption and access control.

DLP solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as firewalls and intrusion detection systems.

Business continuity and disaster recovery

Business continuity and disaster recovery (BC/DR) are processes for ensuring that businesses can continue to operate in the event of an outage or disaster. BC/DR solutions often include features such as data backup and replication, which can help minimize downtime and data loss.

BC/DR solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as firewalls and intrusion detection systems. Don't forget to test your BC/DR solution regularly to make sure it is working as expected.

Conclusion

These are just a few of the many cybersecurity investments you can make right now. By implementing even just a few of these solutions, you can help improve your organization's overall security posture and reduce the risk of cyber-attacks.

The post 11 Cybersecurity investments you can make right now appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Blockchain is a digital, decentralized ledger that records every transaction that takes place across a peer-to-peer network. It permits the secure transfer of assets without an intermediary, and it provides a record of transactions that is fully transparent and visible in real time to all participants.

GDPR is a law that protects personal data and gives individuals more control over their information on digital platforms. Blockchain, on the other hand, is a technology that produces immutable transaction ledgers.

The interaction between GDPR’s data privacy rights and the idea of blockchain as a decentralized, tamper-resistant ledger has led to several takes on a classic philosophical conflict.

What is GDPR?

GDPR is the General Data Protection Regulation, adopted as law in the EU. The purpose of the law is to protect the personal data of individuals.

The law grants individuals rights that include:

  • The right to be forgotten (erasure)
  • The right to data portability
  • The right to access the personal data held about you
  • The right to correct the personal data held about you

Legality of blockchain and privacy:

The governing parties of a blockchain can set conditions that determine whether a given transaction is recorded on the chain or not.

  • As blockchain technology evolves, it will become more powerful as more organizations choose to record their transactions on the chain. For a buyer, it is useful if suppliers also agree to record their transactions on the blockchain.
  • For a decentralized platform, it is difficult to apply any single jurisdiction's laws, because the data is distributed around the globe.
  • Although blockchain is considered highly secure, it runs into regulatory barriers around data privacy, such as the California Consumer Privacy Act of 2018 (CCPA) and the EU’s GDPR.
  • Both GDPR and CCPA give individuals the right to have their personal data deleted on request, subject to certain conditions.

CRUD vs. CRAB

To fully understand blockchain and data privacy (GDPR), one needs to understand the difference between CRUD and CRAB. CRUD is the model for traditional databases and stands for Create, Read, Update and Delete.

Many blockchain practitioners describe the blockchain equivalent as CRAB: Create, Retrieve, Append and Burn. There is no update and no delete. "Burn" means destroying the encryption keys, so that data which remains on the chain can no longer be read.

Keeping personal data “off the chain, instead of on the chain” is the one obvious solution. Once information is on the chain, deleting or redacting it is practically impossible.

Developing a closed blockchain is another approach. In a closed (permissioned) blockchain, data is stored on devices the participants control or on rented cloud storage, so it is comparatively easier to delete personal data on an individual's request, for example by having the participants agree to fork the chain without the offending records.

Because GDPR does not define “erasure of data” for blockchain specifically, you should probably assume that throwing away your encryption keys does not count as ‘erasure of data’ under GDPR.

Solution:

Storing personal data on a blockchain is therefore not an option under GDPR. A good way around this is a simple one: store the personal data off-chain, and store only a reference to it on the blockchain, along with a hash of the data and other metadata such as claims and permissions regarding it.

This workaround increases the complexity of fetching and storing information on a blockchain. Let's cover the pros and cons of this approach.
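As an added example (not code from the original post), the following Python sketch models the off-chain/on-chain split described above together with the CRAB idea from the previous section: the personal data lives in a conventional, deletable store; the chain holds only an opaque reference, a commitment hash and the claims; "burn" deletes the off-chain record and its key. It goes one step beyond the text in one respect: it uses an HMAC with a per-record key rather than a bare hash, because a bare SHA-256 of a name or e-mail address can be confirmed by anyone who can guess the value, which would itself leave personal data on an unerasable chain. The record, the claims and the ledger structure are constructed for illustration and are not any real blockchain's format.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple


def canonical(record: dict) -> bytes:
    """Stable serialisation so the same record always yields the same commitment."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commitment(key: bytes, record: dict) -> str:
    """Keyed hash (HMAC-SHA256) over the record.

    A bare SHA-256 of low-entropy PII can be confirmed by anyone who can guess
    the plaintext; with a per-record key, the on-chain value reveals nothing,
    and once the key is burned nobody can verify or brute-force it."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


class OffChainStore:
    """Ordinary deletable storage (a database, object store) for the personal data."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, dict]] = {}

    def create(self, record: dict) -> Tuple[str, bytes]:
        ref = secrets.token_hex(16)     # opaque reference, carries no PII
        key = secrets.token_bytes(32)   # per-record commitment key
        self._rows[ref] = (key, record)
        return ref, key

    def retrieve(self, ref: str) -> Optional[Tuple[bytes, dict]]:
        return self._rows.get(ref)

    def burn(self, ref: str) -> None:
        """Erasure on request: drop both the record and its key."""
        self._rows.pop(ref, None)


class Ledger:
    """Append-only chain: each block commits to the previous block's hash,
    so entries can be Created and Appended but never Updated or Deleted."""

    def __init__(self) -> None:
        self.blocks: List[dict] = []

    def append(self, entry: dict) -> str:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        digest = hashlib.sha256(prev.encode() + canonical(entry)).hexdigest()
        self.blocks.append({"prev": prev, "entry": entry, "hash": digest})
        return digest

    def verify_chain(self) -> bool:
        """Recompute every block hash; any edit to history breaks the chain."""
        prev = "0" * 64
        for block in self.blocks:
            expect = hashlib.sha256(prev.encode() + canonical(block["entry"])).hexdigest()
            if block["prev"] != prev or block["hash"] != expect:
                return False
            prev = block["hash"]
        return True


def register(store: OffChainStore, ledger: Ledger, record: dict, claims: dict) -> str:
    """Put the personal data off-chain; put only ref + commitment + claims on-chain."""
    ref, key = store.create(record)
    ledger.append({"ref": ref, "commit": commitment(key, record), "claims": claims})
    return ref


def verify_record(store: OffChainStore, ledger: Ledger, ref: str) -> bool:
    """True only while the off-chain data exists and matches its on-chain commitment."""
    row = store.retrieve(ref)
    if row is None:
        return False
    key, record = row
    expected = commitment(key, record)
    return any(b["entry"]["ref"] == ref and b["entry"]["commit"] == expected
               for b in ledger.blocks)


def demo() -> dict:
    """Register a constructed record, erase it, and report what the chain still tells us."""
    store, ledger = OffChainStore(), Ledger()
    alice = {"name": "Alice Example", "email": "alice@example.org"}  # constructed sample
    ref = register(store, ledger, alice, {"purpose": "payroll", "retention_days": 365})
    before = verify_record(store, ledger, ref)
    store.burn(ref)  # erasure request handled entirely off-chain
    return {
        "verified_before_burn": before,             # True
        "verified_after_burn": verify_record(store, ledger, ref),  # False
        "chain_intact": ledger.verify_chain(),      # True: nothing on-chain changed
        "pii_on_chain": "alice@example.org" in json.dumps(ledger.blocks),  # False
    }
```

The on-chain entry survives the erasure untouched, which is exactly the point: after the burn it is a reference to nothing plus a keyed digest that no longer has a key, so it carries no personal data for GDPR purposes. The claims field is where the "access control" use of the chain discussed under the pros below would live.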

The pros:

The approach described above can be made GDPR compliant, because the data in the off-chain storage can be completely erased. Once it is erased, the links and hashes left on the blockchain are useless to anyone.

In this set-up the blockchain is used primarily as an ‘access control’ medium in which claims are publicly verifiable. That gives someone the means to prove that a given node must no longer store the data once an opt-out has been chosen. This benefit would also apply if the personal data itself were kept on the blockchain.

The cons:

Transparency is reduced. By storing your information off-chain, you have no way of knowing who has accessed it and who has access to it. Once a company has the link to retrieve the data, nothing binds it with respect to what it does with that data.

Data ownership is also reduced. Once your information is kept off-chain, who owns it? The data owner should hold all the encryption keys needed to administer his or her data.

Point-to-point integration between all collaborating parties becomes necessary. After obtaining the link from the blockchain, Company A still has to share the data with Company B. For each new party added to the system, you have to add new point-to-point integrations with every existing member, along with a secure PKI to underpin them.

This means more attack vectors. Every company has its own infrastructure and application landscape. Spreading personal data across these different companies increases the risk of a breach in which the data is stolen.

Conflict:

But here is the conflict: the goal of GDPR is to “give users back control of their personal data, while imposing strict rules on those hosting and ‘processing’ this data, anywhere in the world.” GDPR also states that data “should be erasable”. Since throwing away your encryption keys is not the same as ‘erasure of data’, GDPR effectively rules out storing personal data on the blockchain itself.

This removes the ability to strengthen control over your personal data. I know that sounds harsh, and in defence of GDPR, you could refine the proposed solution above to counter some of its disadvantages, or choose an entirely different solution to tackle the near-immutability of transactions. Whatever solution you choose, however, added complexity remains a significant disadvantage.

Conclusion:

With blockchain technologies being used in many ways, we have new means to strengthen data ownership, transparency and trust between entities, to name a few. The way GDPR is written, we should not store personal data directly on the blockchain, since in GDPR terms ‘it isn't erasable’. This prevents the world from using the technology to its full potential, so we have to fall back on ‘older’ systems for storing data that simply do not guarantee the same advantages as most blockchain technologies: who owns the data in your off-chain storage? Is the off-chain data even encrypted? Who can access it? Where is it stored? Has it already been copied to other systems?

The post The blockchain & data privacy (GDPR) appeared first on Cybersecurity Insiders.


Retirement plans are an easily overlooked but often critical cybersecurity concern. Employee stock ownership plans (ESOPs), while less common than others, may face particular risks.

ESOPs can provide a valuable way to foster employee engagement and reward loyal workers, but businesses must consider their cybersecurity risks. Without proper security, these plans and those who depend on them may be in danger.

ESOP security risks

Employee Retirement Income Security Act (ERISA)-regulated plans covered an estimated $9.3 trillion as of 2018. Individual ones can hold millions of dollars, making them tempting targets for cybercriminals.

ESOPs pose unique risks, as participating employees have an ownership stake in the company. Consequently, cyberattacks that damage the business’s reputation will affect ESOP participants. Lower stock values will reduce workers’ payouts when they retire.

This ownership stake means an attack doesn’t have to target the retirement plan directly to impact its participants. Any cybersecurity incident against the business poses a significant risk, and ESOP security means safeguarding the entire company’s attack surface.

How to minimize ESOP security concerns

ESOP cybersecurity concerns are significant, but you can take several steps to address them. Here’s how you can mitigate these security risks.

Assess company-specific risks

The first step in ESOP cybersecurity is to assess your specific risk landscape. Every organization and plan within one has unique considerations determining the most effective mitigation measures, so these assessments are a crucial starting point.

Every risk contains two key components: an event that could happen and the consequences if it does. Teams must compile a formal list of the threats facing their ESOP plans, covering both components for each one. This will reveal the most important vulnerabilities to address and help guide further security steps.

Verify vendors

Like many retirement plans, ESOPs typically rely on third-party vendors to manage funds. Consequently, breaches in these partners could impact the business itself. About 51% of all organizations have experienced a data breach from a third party, so verifying their security before going into business with them is crucial.

Ask for third-party audits and similar proofs of security to ensure any vendors meet strict cybersecurity standards. Contracts should include detailed pictures of their security responsibilities and consequences for noncompliance. Ensuring all vendors have sufficient cybersecurity insurance is also a good idea.

Minimize access

You should minimize access privileges across the organization and its partners even after verification. Well-meaning employees can still make critical errors, but if each account can only use a few resources, a breach in one won’t jeopardize the entire system.

Operate by the principle of least privilege: Every user, program and endpoint should only be able to access what it needs to work correctly. That applies to third parties as well as company insiders. This will minimize lateral movement risks, helping keep ESOPs safe from attacks elsewhere in the organization.

Create a culture of cybersecurity

ESOP participants slowly gain increasing ownership stakes in the company, so their cybersecurity responsibilities should follow. Employees should understand how their actions impact the wider organization’s security and use best practices out of habit.

You can foster a cybersecurity culture by offering regular training, tying security goals to their impact on employees’ personal lives, and encouraging feedback and questions. When cybersecurity comes as second nature, the company will become inherently more secure, protecting ESOPs.

Develop a business continuity plan

It’s important to realize that no defenses are 100% effective. There were at least 1,862 data breaches in 2021 alone, and that figure has consistently risen over the years. Given this trend, it’s too risky to assume you’ll never suffer a successful attack, so business continuity plans are critical.

These plans should cover encrypted backups of all sensitive data, emergency communications protocols and steps to contain a breach. Ideally, they should also include cybersecurity insurance to cover any losses. These backup plans and resources will ensure ESOP participants can still protect their resources when a breach occurs.

ESOPs need strong cybersecurity

Attacks on ESOPs and the organizations sponsoring them can cause substantial damage. In light of that risk, any company offering such a plan should also implement strong cybersecurity measures.

These steps will help any ESOP organization minimize its risk landscape. They can then ensure that cybersecurity incidents won’t jeopardize plan participants’ hard-earned retirement income.

The post Minimizing security concerns of ESOPs appeared first on Cybersecurity Insiders.

As we head into 2023 and look back at the last year, the focus will continue to be on reducing risk exposure and building resilience. Organizations are strengthening their ransomware defenses, their security and privacy approach to product development, their cyberattack response, their supply chain risk management and their operational technology (OT) security. Based on working with customers across industry sectors, here is a compilation of some trends we predict for 2023.

1. Critical Infrastructure and Public Sector will continue to become attractive targets.

As cyberattacks become more sophisticated, building collaborative communities between the public and private sectors will be crucial to synchronize operations and take preventative measures as a unified front to critical infrastructure threats. The public sector has become a favored target for cybercriminals. Armed with automated botnets, hackers rummage through computer systems to locate “soft targets.” In recent years, US state and local government agencies have fallen prey to cyber-attacks.

Legacy security is proving ineffective against the growing legion of diverse, sophisticated, and confrontational cyber threats. Public agencies collect and store sensitive data. Like the private sector, government institutions have gone digital. The addition of cloud, mobile, and SaaS have expanded an organization's attack surface, and it further illuminates that your cyber security is only as strong as your weakest point.

2. OT attack patterns will become more prevalent.

IT and OT teams must find common ground to eliminate the substantial risk factors of planned and accidental IT/OT convergence. But the mission does not end there. OT security solutions that work in conjunction with IT security solutions can be the catalyst that not only provides the visibility, security, and control needed to thwart new cyber threats, but also brings these once-separate teams together for the common security that every manufacturing, critical infrastructure and industrial organization will need in order to fulfill its core mission efficiently and securely.

The rising demand for improved connectivity of systems, faster maintenance of equipment, and better insights into the utilization of resources has given rise to internet-enabled OT systems, which include industrial control systems (ICS) and others such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs). With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sectors (e.g., healthcare, pharma, chemicals, power generation, oil production, transportation, defense, mining, food, and agriculture) are becoming exposed to threats whose consequences may be more profound than data breaches. In the coming years, OT attacks will become more prevalent and will be used in cyber warfare.

3. Privacy will start getting more attention within the US.

We are going to see more states pass laws with a focus on privacy. Data privacy laws in the United States have been primarily sector-based, with different data privacy laws applying to different sectors of the economy: for example, HIPAA for health care, FERPA for education, GLBA for finance, etc. While this approach has allowed laws to be tailored to specific contexts, it has also resulted in many businesses being exempt from meaningful data privacy regulation.

Recognizing these gaps, state consumer data privacy laws seek to establish a comprehensive framework for controlling and processing personal data by the many businesses currently exempt from other regulatory schemes. While the state laws vary somewhat, they share a few common principles: establishing standards and responsibilities regarding a business's collection of personal data from consumers; granting consumers certain individual rights concerning their data, such as the rights to access, correct, delete, and obtain a copy of the personal data a business holds about them; and establishing an enforcement mechanism that allows state governments to hold businesses accountable for violations.

4. Culture of resilience and safety versus compliance and prevention of breaches.

Resilience means more than bouncing back from a fall at a moment of significantly increased threats. When addressing resilience, it's vital to focus on long-term goals instead of short-term benefits. Resilience in the cybersecurity context is the ability to resist, absorb, recover from, and adapt to business disruptions. Cyber resiliency can't be accomplished overnight. For the longest time, the conversation around getting the cybersecurity message across at the board level has revolved around the language of the business.

Businesses cannot afford to treat cybersecurity as anything but a systemic issue. While the board tends to strategize about managing business risks, cybersecurity professionals tend to concentrate their efforts at the technical, organizational, and operational levels. According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error.

Unfortunately, many businesses still mistakenly believe that cyber-resilience means investing in bleeding-edge technologies while paying scant heed to the human factor. Fixing human vulnerabilities starts with culture. Business leaders must reassure staff that it's okay to develop questioning attitudes and challenge high-risk requests, such as emailing sensitive information or processing payments.

5. Strengthening of fundamentals- Vulnerability and patch management, risk reduction, and Managed Extended Detection and Response (MXDR).

As digital transformation initiatives accelerate, CSOs require a deep and accurate understanding of their organization's cyber risk. Understanding the details of your risk, what should be prioritized, and how it can be effectively reduced is the best foundation for building a holistic plan for managing threats across the organization, and it remains the priority for cyber resilience now and into 2023.

This will be the year for MXDR, with a unified platform that automates incident investigation (enrichment, analysis, classification, and response) rather than relying on an overworked security team. Organizations will look for MXDR to include 24/7 monitoring, critical alerting, root cause analysis and around-the-clock “eyes on glass” support.

6. Growth of cybersecurity as a service – Security at scale and not a roadblock!

With budgets tightening across the board and competition for a limited pool of IT and security talent growing fiercer, cybersecurity-as-a-service providers will continue to become an optimal solution for many companies. Internal security teams can concentrate on their core missions because they can count on their partners to focus on specific vectors. Cyber Security as a Service (CSaaS) allows the services utilized to change over time and be periodically realigned to ensure the customer's business needs are met.

7. CISO –role change and mindset of the future, the impact of burnout and blame game.

The future is here and now, with digital transformation driving organizations rapidly. Today the role of a Chief Information Security Officer (CISO) within organizations has become transformational. The CISO leads cross-functional teams to match the speed and boldness of digital transformations with agile, forward-thinking security and privacy strategies, investments, and plans.

Tomorrow's CISOs are operational leaders and master tacticians who are both tech-savvy and business-savvy. They can deliver consistent system performance, with security and privacy throughout the organization and its ecosystem, amid constant and changing threats. It's time to stop repeating how things can't be done (on security grounds). Instead, we need to preach from the business transformation book and explain how they can be.

We must stop operating out of silos and build relationships with all business players, embedding 'scenario thinking' and responsiveness into organizational cyber functioning. But just as importantly, to address the first part, the board needs to plan and prepare for a cyber-crisis proactively; only by understanding the risks can the business be in the right strategic place to combat them successfully.

8. Security mesh, Zero Trust and SASE- Consolidation and optimization.

As 2023 planning kicks off, it would be interesting to look at how many Zero Trust initiatives have surfaced during budget discussions, how many product investments are tied to this initiative, and, more importantly, which are real Zero Trust or ones just seeking a budget home?  Organizations in the early strategy stages for Zero Trust need to think of this as a multi-year plan which is probably starting to take shape, but it's not the playbook you need to make today's priority calls.  Many teams will struggle to move an emerging Zero Trust strategy to practical implementation. The need will arise further for approaches that can help with practical implementation and accelerate Zero Trust data initiatives.

9. Board with more cyber knowledge and investment.

Business and cybersecurity success go hand in hand. As the board's role in cyber-risk oversight evolves, the importance of robust dialogue with the cyber influencers within an organization cannot be overestimated. Without close communication between boards and the cyber/risk team, the organization could be at even greater risk. If this sounds like grooming cybersecurity talent for the boardroom, that's because it is. Preparing cybersecurity practitioners with business acumen to act as the board's voice of educated reason isn't such a bad idea.

The best businesses thrive because they have people at the very top who can exert control based on informed decision-making when a crisis looms. Leaving cybersecurity out of this success equation in 2023 is a risky game. Cybersecurity teams should equip the board with the following as a starting point. 

  • A clear articulation of the current cyber risks facing all aspects of the business (not just IT)
  • A summary of recent cyber incidents, how they were handled, and lessons learned
  • Short- and long-term road maps outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress
  • Meaningful metrics that provide the essential performance and risk indicators showing that top-priority cyber risks are being managed successfully

10. Skills shortages and product silos exacerbate the situation.

There's no question that cybersecurity should be a number one focus for businesses that want to keep growing. But improving and scaling cybersecurity efforts in a constantly changing environment is challenging, with new threats and technologies continually being developed. To make things worse, the cybersecurity labor crisis is going to intensify.

A saturation of cybersecurity products with umpteen features is a desperate cry for consolidation, and the future is about cyber platforms and not siloed feature sets. The focus should not just be on finding issues but instead on remediation. There is going to be a need to demonstrate speed to value. We need technology that shows immediate value with simple implementation. Everyone talks about tech spending but forgets to include all the labor needed to roll out and maintain the technology platforms, which is the reason to consider cyber as a service.

Our current global landscape is testing resiliency. As organizations continue to digitally transform, they create new and heightened cyber-risk concerns. Protecting these digital connections needs to stay top of mind for leaders looking to help their organizations adapt to these changes while continuing to innovate.

The post 10 Cybersecurity predictions for 2023 appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Digital transformation in banking began following the creation of the internet in the 1990s as a way for banks to deliver services to their customers more conveniently. Today, it has completely changed how most people interact with their banks. From opening a new account to making transactions and applying for loans, you can access all banking services directly from your computer or smartphone.

According to an FDIC survey on banking behavior, over 80% of account holders engage in some form of digital banking. The popularity of digital banking stems from the convenience and level of personalization that it offers. But is digital banking good for you, or do the risks, such as cybersecurity issues, outweigh the benefits? 

Below, let’s explore some of the pros and cons of digital transformation in banking.

Pros of digital transformation in banking

Digital banking offers several advantages to the modern banking customer. Here are a few:

  • 24/7 access to your bank

One of the most significant benefits of digital banking is that it gives you round-the-clock access to your account. You don’t have to wait for working hours to deposit your funds, get an account statement, change your account details, or transact funds. You can do it at any time from wherever you are. 

Additionally, you don’t have to waste time in long queues in the banking hall. Digital banking is like having your personal bank right in your pocket.

  • Better rates, lower fees

Banks typically charge account maintenance and transaction fees to cover expenses like employees, bank premises, etc. Since digital banking allows customers to serve themselves directly over the internet, there’s less demand for bank employees and multiple brick-and-mortar branches. Therefore, banks embracing digital transformation have lower overheads and can offer their customers lower fees and higher interest rates. These benefits are especially pronounced for purely digital banks without physical premises.

  • Better customer experience

A 2021 survey by Deloitte Insights found that digital-first banks routinely outperform traditional banks in multiple areas that matter most to customers, including simplicity of transactions, transaction speed, and the overall quality of the banking experience.

Digital banks provide a smoother experience compared to traditional banks. For instance, transacting with a digital bank takes just a few minutes on your smartphone or laptop. In contrast, simply making a transaction at a traditional bank could take close to an hour, as you must get to the physical branch, wait in line, fill out transaction forms, and speak to a teller.

In addition, digital banks offer features like budgeting tools that make it easier to manage your money. They also update you on every aspect of your account with text and email alerts, such as when you make transactions, when you don’t have enough money for an upcoming bill, and so on. This makes the digital banking experience much better than what you get with a traditional bank.

  • Automated payments

With digital banks, it’s amazingly easy to automate your payments. You can set up payments that you want to make from your account every month, so you don’t have to worry about fees and penalties for late or delayed payments. Plus, if you use a net-30 account to pay for goods or services and manage your cash flow, you can automate these payments too. 

You can also set up automated savings where the bank automatically deducts a specific amount from your account every month and deposits it in your savings account. This level of automation gives you a hands-free solution for managing your money instead of manually making all these transactions every month.

Drawbacks of digital transformation in banking

Despite offering convenience and better banking experiences, digital transformation in banking has flaws too. Some of these include:

  • Security concerns

The convenience of digital banking also comes with security risks. The online capabilities that allow you to access your account and transact remotely introduce loopholes that people with malicious intent can exploit to steal your money.

Today, there are lots of cybersecurity challenges facing digital banking. For instance, hackers may break into the online banking platform and steal sensitive customer data. Other risks include malware and ransomware attacks, spoofing, credential harvesting, identity theft, fraud, etc. While banks have put many measures into place to avoid such situations, the risk is always there.

Digital banks also place some responsibility for the safety of your money on you. When you put your money in a traditional bank, the bank is solely responsible for keeping your money safe. With a digital bank, you’re involved in protecting your money. You have to use strong passwords and multi-factor authentication for your online banking accounts and avoid logging into your account on public Wi-Fi networks. 

You must also avoid clicking on dubious links, be aware of phishing attacks, and protect yourself from many other client-side security threats. If you’re not security conscious, there’s always the risk of losing your money.

  • Possible technical issues

The electronic systems on which digital banks run are not always reliable. For example, the servers of your digital bank could experience an outage and lock you out of your account. Similarly, your bank’s website could have a technical issue that could prevent you from accessing your account. Even a problem with your internet connection can leave you unable to access your funds.

While the possibility of such scenarios is quite low, such technical problems can easily leave you stranded, especially when you need to access your money urgently.

  • It’s easy to spend your money

The convenience of having fast and constant access to your money is a benefit, but sometimes, it can be a disadvantage. If your digital bank is linked to your online shopping accounts, you could easily find yourself spending your money on things you hadn’t budgeted for. 

Additionally, making such payments is so effortless that you can easily forget how much money you’re spending. With a traditional bank, you’d have to visit a physical branch to access your money, which is enough to deter you from most impulse purchases.

However, digital banks also make it easier to track where you’re spending your money. Linking your digital bank account with your budgeting tool can help you prevent spending your money on unplanned expenses.

Wrapping up

The digital transformation in banking has completely revolutionized how people interact with their money and banks. It offers many benefits: convenience, round-the-clock access to your money, payment automation, lower fees, higher interest rates, and a better banking experience.

Still, it’s important to be aware of its drawbacks, such as security concerns, the possibility of technical issues locking you out of your account, and the likelihood of spending your money on things you’ve not budgeted for.

Most people will find that the pros outweigh the cons, but if you decide to adopt digital banking, don’t forget to take the appropriate steps to keep your money safe. 

The post The pros and cons of the digital transformation in banking appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

The banking and financial sector is known for its dependence on third-party vendors that help provide customers with quality financial products and services. It is one of the most interconnected sectors, making it one of the most vulnerable to cyberattacks. And because third parties operate through the banks they are contracted with, any losses are the bank's responsibility. 

The interconnectivity and shared data of embedded finance enable banks to provide more effective solutions and better financial products. But because numerous systems and processes are intertwined across networks and organizations, there are many avenues for attackers to wreak havoc on banks and their customers. 

There are several third-party services that are necessary for banks to operate efficiently, but there are many risks that come with the territory. What are the risks? And how can banks reduce the impact of vulnerabilities from third-party vendors? Let’s discuss some of the top risks associated with outsourced banking services and how banks can protect themselves. 

Common third-party vendors

Relationships with third-party vendors are highly valuable for banks and financial institutions. Using third parties enables banks to offer their customers a wide variety of services to increase revenues, reduce overhead costs, and expand the institution’s ability to reach new customers. When third-party relationships are managed effectively, they can be an essential piece of a larger business strategy. 

Here are some examples of services provided by third parties:

  • Mortgage lending
  • Credit cards
  • Overdraft protection
  • Auditors
  • Brokerage services
  • Auto dealer relationships
  • Flood insurance 

But services are not the only place that banks use third parties. Companies often use software and other technologies like CRM, invoice generators, communications tools, and more. 

And with new services being added all the time, banks also use third parties to educate workers and customers about new products and services. Third-party service providers allow banks to innovate and stay ahead of the curve, giving them an edge over the competition and improving customer experiences. 

You might never have thought to deploy a crypto 101 module, but cryptocurrency banking is an up-and-coming service. One day we may all require a crypto account. Third-party vendors make shifting to new technologies and rolling out new service offerings simple for everyone involved. So what’s the problem with third-party vendors?

Risks of outsourcing to third-party vendors

Despite the benefits of working with third-party vendors, banks are up against numerous risks when they choose to outsource a service:

Regulatory risks

Privacy is a key issue involved with third-party vendors. Banks are required to maintain regulatory compliance to protect consumer data, or else they could face steep fines and penalties. If a bank experiences a data breach, it’s highly likely that they were not in compliance with data privacy regulations. Not only does this affect consumers, but it could have serious impacts for national security as well.  

Reputation risks

Working with third-party vendors can sometimes mean putting a bank’s reputation on the line. Aligning with the wrong vendors can lead to inconsistencies that have a domino effect on an organization. If there is a negative public image of a third-party service provider due to a security breach, regulatory violations, or bad press, the bank could experience some pushback as well. When banks use poor judgment in choosing service partners, they run the risk of dissatisfied customers, unexpected financial losses, and even public backlash.

Operational risks

Insecure or immature third-party vendors can also cause banks to suffer from operational risks. Many banks use third-party services that integrate with their own processes. Some implement third-party services to run a certain program or financial offering. Even the systems that control daily operations are built on third-party platforms. But if internal systems are affected by a third-party failure, operations could come to a halt.

Financial risks

There are also several financial risks associated with working with third-party vendors. Banks and vendors typically enter into legally binding contracts that detail performance expectations and financial obligations. But the financial condition of all vendors can immediately affect banking institutions. If the third party doesn’t adhere to the contract agreement, originates loans outside of approved limits, or lacks the ability to mitigate financial losses, the bank could end up paying. 

How to reduce third-party risks in banking

Outsourcing financial programs and services can help banks improve customer experiences, reach new customers, and increase revenues. Still, the risks can leave organizations open to data breaches, financial losses, and operational failures. When banks enter relationships with third-party vendors, they absorb the consequences of failures, data breaches, and costs. 

According to the Federal Deposit Insurance Corporation (FDIC), there are 5 steps that banks can take to reduce the risks of working with third-party vendors:

Conduct thorough risk assessments

Before entering an agreement with a third-party vendor, banks should conduct a thorough risk assessment to evaluate the potential relationship. A vendor risk assessment should include oversight for fourth-party applications and services, a risk vs. reward analysis, and confirmation that the relationship aligns with the bank’s strategic business goals.

Perform adequate due diligence

In addition to a thorough risk assessment of potential third-party vendors, banks should also perform adequate due diligence. Gathering the correct information can help management address more specific details about vendors' capabilities. Surprises about operational factors, business limitations, and financial obligations can create serious legal and regulatory problems. 

Review contracts carefully 

Once a decision has been made to move forward with a particular vendor, the bank must ensure that all documentation is carefully examined. Specific expectations should be laid out from the beginning for both parties before any services operate through a third party. Management, executives, and the board must all approve contracts before they are offered to vendors. Legal counsel is important at this stage to reduce any legal risks associated with the third party.

Ensure proper oversight

Banks can ensure proper oversight of third-party activities through specific workflows dedicated to the flow of approvals and reviews. The board should initiate the approval of the third parties’ activities and conduct regular reviews of these arrangements, especially when there is a change to the program. Banks can implement continuous monitoring activities through the company’s compliance systems to ensure that vendors are operating according to federal and state laws. 

Implement robust cyber security processes

Finally, banks, third-party vendors, and fourth-party vendors should all perform regular reviews of network security processes. Companies must have end-to-end transparency across all vendor activities while at the same time protecting their perimeter from data loss. The key is that organizations have a plan to implement changes, patch management protocols, and vulnerability mitigation in addition to detection and response processes. 

Final thoughts

Third-party service providers enable banks to offer various services to meet customer needs. But vendor management is complex and comes with several risks that can damage a bank’s reputation, credit, and ability to perform.

A reactive approach to changes in regulations, technology requirements, and vendor abilities leaves banks vulnerable to risks. But standardized methodology, vendor requirements, and ongoing oversight can help maintain positive vendor relationships. Plus, a proactive approach to third-party management can help reduce security risks and keep attackers at bay.

The post Risks that third-party vendors pose to outsourcing banks appeared first on Cybersecurity Insiders.