This blog was written by an independent guest blogger.

The banking and financial sector is known for its dependence on third-party vendors that help provide customers with quality financial products and services. It is one of the most interconnected sectors, making it one of the most vulnerable to cyberattacks. And because third parties operate through the banks they are contracted with, any losses are the bank's responsibility. 

The interconnectivity and shared data of embedded finance enable banks to provide more effective solutions and better financial products. But because numerous systems and processes are intertwined across networks and organizations, there are many avenues for attackers to wreak havoc on banks and their customers. 

There are several third-party services that are necessary for banks to operate efficiently, but there are many risks that come with the territory. What are the risks? And how can banks reduce the impact of vulnerabilities from third-party vendors? Let’s discuss some of the top risks associated with outsourced banking services and how banks can protect themselves. 

Common third-party vendors

Relationships with third-party vendors are highly valuable for banks and financial institutions. Using third parties enables banks to offer their customers a wide variety of services to increase revenues, reduce overhead costs, and expand the institution’s ability to reach new customers. When third-party relationships are managed effectively, they can be an essential piece of a larger business strategy. 

Here are some examples of services provided by third parties:

  • Mortgage lending
  • Credit cards
  • Overdraft protection
  • Auditors
  • Brokerage services
  • Auto dealer relationships
  • Flood insurance 

But services are not the only place that banks use third parties. Companies often use software and other technologies like CRM, invoice generators, communications tools, and more. 

And with new services being added all the time, banks also use third parties to educate workers and customers about new products and services. Third-party service providers allow banks to innovate and stay ahead of the curve, giving them an edge over the competition and improving customer experiences. 

You might never have thought to deploy a crypto 101 module, but cryptocurrency banking is an up-and-coming service. One day we may all require a crypto account. Third-party vendors make shifting to new technologies and rolling out new service offerings simple for everyone involved. So what’s the problem with third-party vendors?

Risks of outsourcing to third-party vendors

Despite the benefits of working with third-party vendors, banks are up against numerous risks when they choose to outsource a service:

Regulatory risks

Privacy is a key issue involved with third-party vendors. Banks are required to maintain regulatory compliance to protect consumer data, or else they could face steep fines and penalties. If a bank experiences a data breach, it is highly likely that it was not in compliance with data privacy regulations. Not only does this affect consumers, but it could have serious impacts on national security as well.

Reputation risks

Working with third-party vendors can sometimes mean putting a bank’s reputation on the line. Aligning with the wrong vendors can lead to inconsistencies that have a domino effect on an organization. If there is a negative public image of a third-party service provider due to a security breach, regulatory violations, or bad press, the bank could experience some pushback as well. When banks use poor judgment in choosing service partners, they run the risk of dissatisfied customers, unexpected financial losses, and even public backlash.

Operational risks

Insecure or immature third-party vendors can also expose banks to operational risks. Many banks use third-party services that integrate with their own processes. Some implement third-party services to run a certain program or financial offering. Even the systems that control daily operations are built on third-party platforms. But if internal systems are affected by a third-party failure, operations could come to a halt.

Financial risks

There are also several financial risks associated with working with third-party vendors. Banks and vendors typically enter into legally binding contracts that detail performance expectations and financial obligations. But the financial condition of all vendors can immediately affect banking institutions. If the third party doesn’t adhere to the contract agreement, originates loans outside of approved limits, or lacks the ability to mitigate financial losses, the bank could end up paying. 

How to reduce third-party risks in banking

Outsourcing financial programs and services can help banks improve customer experiences, reach new customers, and increase revenues. Still, the risks can leave organizations open to data breaches, financial losses, and operational failures. When banks enter relationships with third-party vendors, they absorb the consequences of failures, data breaches, and costs. 

According to the Federal Deposit Insurance Corporation (FDIC), there are 5 steps that banks can take to reduce the risks of working with third-party vendors:

Conduct thorough risk assessments

Before entering an agreement with a third-party vendor, banks should conduct a thorough risk assessment of the potential relationship. A vendor risk assessment should include oversight of fourth-party applications and services, a risk-versus-reward analysis, and confirmation that the relationship aligns with the bank's strategic business goals.

Perform adequate due diligence

In addition to a thorough risk assessment of potential third-party vendors, banks should also perform adequate due diligence. Gathering the correct information can help management address more specific details about vendors' capabilities. Surprises about operational factors, business limitations, and financial obligations can create serious legal and regulatory problems. 

Review contracts carefully 

Once a decision has been made to move forward with a particular vendor, the bank must ensure that all documentation is carefully examined. Specific expectations should be laid out from the beginning for both parties before any services operate through a third party. Management, executives, and the board must all approve contracts before they are offered to vendors. Legal counsel is important at this stage to reduce any legal risks associated with the third party.

Ensure proper oversight

Banks can ensure proper oversight of third-party activities through specific workflows dedicated to the flow of approvals and reviews. The board should initiate the approval of the third parties’ activities and conduct regular reviews of these arrangements, especially when there is a change to the program. Banks can implement continuous monitoring activities through the company’s compliance systems to ensure that vendors are operating according to federal and state laws. 

Implement robust cyber security processes

Finally, banks, third-party vendors, and fourth-party vendors should all perform regular reviews of network security processes. Companies must have end-to-end transparency across all vendor activities while at the same time protecting their perimeter from data loss. The key is that organizations have a plan to implement changes, patch management protocols, and vulnerability mitigation in addition to detection and response processes. 

Final thoughts

Third-party service providers enable banks to offer various services to meet customer needs. But vendor management is complex and comes with several risks that can damage a bank's reputation, credit, and ability to perform.

A reactive approach to changes in regulations, technology requirements, and vendor abilities leaves banks vulnerable to risks. But standardized methodology, vendor requirements, and ongoing oversight can help maintain positive vendor relationships. Plus, a proactive approach to third-party management can help reduce security risks and keep attackers at bay.

The post Risks that third-party vendors pose to outsourcing banks appeared first on Cybersecurity Insiders.

As energy and utilities companies strive to use the edge to innovate new solutions for delivering more efficient and resilient services, cybersecurity risks to carrying out those business missions loom large. Ransomware attackers and other cybercriminals have increasingly found energy and utilities organizations a profitable target, lobbing high-profile attacks in the last few years that have threatened safety and uptime in the process.

Operational and security experts at these companies are well aware of the balancing act they must achieve under these conditions, according to a new industry breakout of the AT&T Cybersecurity Insights Report. Released this week, the AT&T Cybersecurity Insights Report: Focus on Energy and Utilities shows that technologists in these organizations are called upon by the business to roll out edge use cases such as remote-control operations, self-healing assets, and intelligent grid management. At the same time, they must ensure these deployments are done with cybersecurity as a central component, as the impact of attacks against this vertical's edge-connected assets could have drastic consequences for companies tasked with delivering the most vital resources for modern living.

Rapid rate of energy and utility innovation

One of the key areas examined by the AT&T Cybersecurity Insights Report is the rate of adoption of edge computing, the use cases in play, and their stage of maturity. This was tracked across six major sectors. This latest industry report dives into the trends for companies that provide services and resources such as electricity, oil and gas, water, and sewer. The study shows that some 77% of energy and utilities respondents worldwide are planning to implement, have partially implemented, or have fully implemented an edge use case. The study dug into nine industry-specific use cases and examined their stage of adoption across the energy and utilities sector.

Combining the mid-stage and mature-stage adoption rates reveals that the use of edge computing in infrastructure leak detection has the highest combined adoption maturity (82%) among survey respondents. One example of how this looks in action is using sensors to gauge the flow of water in a municipal water system and using the low latency of edge connections to monitor that data in real time for drops or spikes in pressure that could indicate the need for preventive maintenance or immediate servicing of equipment. This is of course a single example in a broad range of use cases currently under exploration in this sector.

Edge computing has opened up tremendous opportunities for energy and utilities companies to solve tough problems across the entire value chain, including the safe acquisition of energy supplies on the front end of the supply chain, the proper monitoring of consumption of energy and resources on the back end, and the efficient use of facilities and equipment to run the functions between the two phases. Some additional examples most commonly cited were:

  • Remote control operations
  • Geographic infrastructure exploration, discovery, and management
  • Connected field services
  • Intelligent grid management

Interestingly, despite many energy companies being engaged in proof-of-concept and insulated projects, the sector's overall rate of mature adoption was the lowest of all sectors, sitting at about 40%. Survey analysis indicates this does not stem from a lack of interest but from the justifiably cautious nature of this industry, which keeps safety and availability top of mind. The fact that this market segment had the highest level of mid-stage adoption compared to other industries suggests that these companies are all-in on edge deployments but are taking their time to consider and account for the risks, including those on the cybersecurity front.

Compromise worries grow

The study shows that 79% of energy and utilities respondents believe there is a high or very high likelihood of a compromise in one of the use cases intended for production within the next three years. When respondents were asked about the impact that a successful compromise would have, energy and utilities industry respondents were the most concerned of all industry respondents. This is hardly shocking given the grave real-world, physical consequences that can stem from a loss of control or safety over operational technology (OT) assets that run the power plants and pipelines within this industry.

Given the media attention surrounding very public ransomware attacks in this sector recently, it's no surprise that ransomware is one of the top cybersecurity concerns for technology leaders in this space. However, it is nevertheless not the number one cybersecurity concern for technology leaders in the energy and utilities space, sitting instead as number two behind the more pressing issue of potential sniffing attacks against radio access networks (RAN). Also tied for second alongside ransomware were attacks against 5G core networks, and attacks against user/endpoint devices.


An interesting point to note about this industry is its heightened level of concern over physical attacks against technical components such as IoT devices. The industry rated this concern much higher than the average respondent. This is likely a function of the industry's growing reliance on remote sensors, devices, and endpoints in low-latency (and often far-flung) environments.

The unique cyber considerations in energy OT environs

Protecting the ability of an organization to safely provide reliable electricity, accurate bills, and safe pipelines will increasingly require cyber controls be applied to the external assets that deliver the benefits of edge computing use cases.  Fortunately, energy and utilities leaders are investing accordingly in cybersecurity controls around the edge.

The study shows that the energy and utilities sector has the second-highest commitment to major security investments baked into edge use cases compared to the others, lagging only slightly behind the US public sector. Approximately 65% of energy and utilities firms are allocating 11% or more of their edge funding directly for security.

One of the challenges in applying that funding is the so-called IT-OT security gap that faces industrial sectors like this one. Energy and utilities firms cannot rely on many classic cybersecurity controls the way other industries can, due to technological limitations and operational factors not found elsewhere. For example, many OT systems cannot be patched in a timely fashion because of the operational risk posed by a failed update and because many OT devices run for months or even years between scheduled maintenance windows. Operators in this sector have an extremely low tolerance for security actions that risk bringing down an entire oil refinery or wastewater treatment facility. This is why, when the report examined the effectiveness rating of security controls in this industry, patching ranked dead last, compared to a relatively high rating in all other industries.

Further, it may be challenging to collect and normalize data for monitoring purposes given the increase in data across merged IT/OT networks. OT networks cannot be monitored in the same way that IT networks are, both because of their unique protocols and because of the same risk that the security 'cure' may be worse than the disease. For example, active scanning techniques can often disrupt or take down OT networks. This is likely why intrusion detection solutions were rated as having the highest total cost of ownership (TCO) within this particular sector.

As energy and utilities companies strive for the right balance of innovation and security at the edge, we recommend a careful approach that accounts for the fact that traditional endpoint-centric controls like patching can't always be the go-to solution. Proactive controls such as microsegmentation, passive vulnerability scans, and threat hunting should be considered for these more difficult use cases. These organizations should consider getting professional guidance from service providers on the front end to evaluate road maps for current and proposed use cases. The experts at these providers have already trodden this ground and can best advise on the potential hazards an organization may face along the way.

The post AT&T Cybersecurity Insights Report: Focus Energy and Utilities appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

It is easy to think of cybercrime as a phenomenon only impacting the digital space. However, as trends are showing, digital attacks have a very real and very physical impact. According to the FBI, there has been a surge in rental and real estate property scams conducted via digital means, whether that’s the insertion of rogue actors into the property purchase chain, or hijacking of legitimate websites to promote false, money scamming listings. With the real estate market in such a state of volatility, with house prices seemingly rising or falling in lurches from week to week, it’s an especially prosperous time for criminals. Protection is key.

Staying safe online

The most common real estate scams involve the scammer impersonating the real estate agent. This can be done by exploiting inadequate security protections on the agent's website itself, or by the scammer inserting themselves into the purchasing process through, for instance, SQL injection. Older styles of scam, such as someone impersonating the homeowner to sell a home, are becoming increasingly digitized too.

The key here is in cyber security and awareness from anyone involving themselves in the real estate business. Firstly, choose a realtor with a professional reputation, and ensure they have a distinct and established local profile. Google NAM data will help to further establish their legitimacy. Secondly, by using a high-quality browser – such as Edge, Firefox or Chrome – you’ll quickly be able to see just how well protected a website is. This is crucial; according to CISA, a huge number of websites simply do not have the requisite level of protection to be secure. Ensure anything you work with does.

Practicing enhanced due diligence

Every house sale or real estate exchange is subject to a significant level of due diligence. Both the seller and the buyer need to ensure they are meeting various levels of control; this prevents fraud, smooths the transfer of funds, and ensures that every party within the transaction has the peace of mind and financial information to be satisfied that they are getting what they’ve paid for; or that the buyer is legitimate. For this reason, with digital attacks in the offing, it’s important to be diligent. This can admittedly be difficult, due to the sense of expedience that’s currently being felt in the real estate world. Staying slow is key from a security perspective.

Understanding the risk

When it comes to the realty industry, there is, according to Deloitte, an overriding sense that real estate agents don't need to worry about cybercrime. This is because they hold, relatively speaking, lower volumes of protected customer data. Most cybercrime seeks to obtain data, given its inherent value; this is something that real estate businesses generally don't have in great amounts.

However, even small attacks, where successful, can yield big returns for cyber criminals. The amount of money being exchanged in real estate, in addition to the sheer variety of payment types, means there are plenty of points at which a single attack can result in a big financial win. With long-term, concerted attacks, which aren’t unheard of, serious damage can be caused. Accordingly, the real estate firms themselves need to undertake sufficient protection.

Just like every other industry with significant levels of digitization, real estate is at risk of cybercrime. The attacks seek to create financial harm by deceiving either party. Staying safe is chiefly about educating all parties in the real estate chain, but technical know-how has a part to play too, chiefly on the part of realtors.

The post Amid real estate volatility, cybercriminals are profiting appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The majority of today's web applications contain dangerous vulnerabilities. To analyze their security, one cannot do without a dynamic scanner. DAST (Dynamic Application Security Testing) tools allow you to detect and evaluate security problems quickly. Let me tell you what to look for when choosing such a tool.

According to various studies, 70% of vulnerabilities have to do with errors in the code. Using vulnerabilities in your web application code, hackers can distribute malware, launch cryptojacking attacks, employ phishing and redirect users to malicious sites, hack a phone remotely, or steal personal data using social engineering techniques. 

Yes, sure, it is impossible to create perfectly secure software, but it is quite possible to reduce the number of vulnerabilities and increase the level of product security. To do this, you can rely on DevSecOps – a process that links development and security and where software is checked and tested for vulnerabilities at every stage of its creation.

The DevSecOps process is very broad; it may include numerous information security tools. In this article, I want to talk about DAST and how to choose the right scanner for dynamic application analysis. Together we will figure out which tool characteristics and parameters you need to pay attention to and what product types are currently available on the market.

What is DAST, and how does it work?

Dynamic application security testing is one of the secure development practices in which an automated analysis of a deployed, running application is carried out. The dynamic scanner checks all access points over HTTP, simulates external attacks that use common vulnerabilities, and simulates various user actions. The tool determines which APIs the service exposes, sends verification requests and, where possible, uses malformed data (quotes, delimiters, special characters, and more).

The dynamic scanner sends and analyzes a large number of requests. The analysis of the sent request and the received response, as well as their comparison with a regular request, allows you to find different security problems.

Most scanners have similar functions and modus operandi. Their main components are a crawler and an analyzer.

The crawler traverses every link on every page it can reach, examining the contents of files, pressing buttons, and going through a dictionary of possible page names. This process allows you to estimate the size of the attack surface and possible attack vectors taking into account the existing ways of interacting with the application.

The analyzer checks the application directly. It can work in passive or active mode. In the first case, the analyzer studies only information that the crawler sends to it. In the second, the analyzer sends requests with incorrect data to the points found by the crawler and to other places that are not currently present on the pages but can be used in the application. It then infers the presence of a vulnerability based on the server's responses.
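To make the crawler/analyzer split concrete, here is a small passive-mode analyzer, added as an illustration and not code from the article or from any scanner it names. The crawler stage is stood in for by a few constructed HTTP responses; the analyzer inspects only what it is handed (headers, cookies, forms) and sends nothing itself. All names (`CrawledResponse`, `Finding`, the rule functions) are assumptions for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class CrawledResponse:
    """One page or endpoint as handed over by the crawler stage (constructed)."""
    url: str
    status: int
    headers: dict                                   # lower-case header name -> value
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie header values
    body: str = ""


@dataclass(frozen=True)
class Finding:
    url: str
    rule: str
    detail: str


SESSION_COOKIE_HINT = re.compile(r"sess|auth|token|sid", re.I)
VERSION_RE = re.compile(r"\d+\.\d+")                # e.g. "nginx/1.18.0" leaks a version
FORM_RE = re.compile(r"<form\b[^>]*>.*?</form>", re.I | re.S)
POST_RE = re.compile(r"method\s*=\s*[\"']?post", re.I)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)


def _is_csrf_token(tag):
    """A hidden input whose name contains 'csrf' or 'token' counts as an anti-CSRF field."""
    hidden = re.search(r"type\s*=\s*[\"']?hidden", tag, re.I)
    named = re.search(r"name\s*=\s*[\"']?[^\"'\s>]*(csrf|token)", tag, re.I)
    return bool(hidden and named)


def check_transport_headers(r):
    out, h = [], r.headers
    if urlparse(r.url).scheme == "https" and "strict-transport-security" not in h:
        out.append(Finding(r.url, "missing-hsts", "no Strict-Transport-Security header"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        out.append(Finding(r.url, "missing-nosniff", "X-Content-Type-Options: nosniff not set"))
    if "text/html" in h.get("content-type", "") and "content-security-policy" not in h:
        out.append(Finding(r.url, "missing-csp", "HTML response without Content-Security-Policy"))
    server = h.get("server", "")
    if VERSION_RE.search(server):
        out.append(Finding(r.url, "server-version-disclosure", f"Server: {server}"))
    return out


def check_cookies(r):
    out = []
    for raw in r.set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if not SESSION_COOKIE_HINT.search(name):
            continue                                # only session-like cookies matter here
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            out.append(Finding(r.url, "weak-cookie-flags", f"{name} lacks {', '.join(missing)}"))
    return out


def check_forms(r):
    out = []
    for form in FORM_RE.findall(r.body):
        if POST_RE.search(form) and not any(_is_csrf_token(t) for t in INPUT_RE.findall(form)):
            out.append(Finding(r.url, "post-form-without-csrf-token",
                               "POST form has no hidden CSRF token field"))
    return out


RULES = (check_transport_headers, check_cookies, check_forms)


def analyze(responses):
    """Passive mode: evaluate every rule against what the crawler collected; send nothing."""
    return [f for r in responses for rule in RULES for f in rule(r)]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed crawler output for a fictional host; values are illustrative only.
CRAWLED = [
    CrawledResponse("https://app.example.test/login", 200,
                    {"content-type": "text/html; charset=utf-8", "server": "nginx/1.18.0"},
                    ["sessionid=abc123; Path=/"],
                    '<html><form method="post" action="/login"><input name="user">'
                    '<input type="password" name="pw"></form></html>'),
    CrawledResponse("https://app.example.test/account", 200,
                    {"content-type": "text/html", "strict-transport-security": "max-age=31536000",
                     "content-security-policy": "default-src 'self'",
                     "x-content-type-options": "nosniff", "server": "nginx"},
                    ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", "theme=dark; Path=/"],
                    '<form method="POST" action="/account"><input type="hidden" name="csrf_token" '
                    'value="t1"><input name="email"></form>'),
    CrawledResponse("https://app.example.test/api/items", 200,
                    {"content-type": "application/json", "strict-transport-security": "max-age=31536000",
                     "x-content-type-options": "nosniff"}, [], '[{"id": 1}]'),
]

if __name__ == "__main__":
    for f in analyze(CRAWLED):
        print(f"{f.rule:30} {f.url}  {f.detail}")
```

Only the `/login` page trips rules here; the hardened `/account` page and the JSON endpoint produce no findings, which is the kind of contrast you want when estimating false positives later.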

What should you pay attention to when choosing a DAST tool?

  • Scan quality

This is the ratio of found to missed vulnerabilities. It is impossible to understand immediately how well the scanner analyzes. To do so, you should at least approximately understand what vulnerabilities could be present and compare your estimates with the scan results. There are several ways to evaluate a tool:

  1. If you have an application and have already checked it for vulnerabilities through a bug bounty program or penetration testing, you can compare those results with the results of the scanner.
  2. If there is no application yet, you can use deliberately vulnerable software, which is created, as a rule, for training. You need to find an application that is close to your development environment in terms of technology stack.

The number of false positives plays a decisive role when assessing the scan quality. Too many false positives clog the results. Besides, real errors can be missed. To determine how well the tool scans, you should analyze the report, parse the responses, and calculate the number and proportion of false positives.

  • Crawling

If there is no information about the application and you need to analyze it from scratch, it is important to understand how many paths and transitions you can collect, that is, how accurate the crawling will be. To do this, you can look at the DAST product settings. You need to find out if it can monitor requests from the front-end to the back-end, parse, for example, Swagger or WSDL definitions, and find links in HTML or JS. It is also worth studying the process of obtaining information about the application.

Before scanning, you can, for example, find out which APIs are used. This will help you understand what the tool needs to perform a full program scan. When choosing a scanner, it is helpful to make a list of what each tool can import and see if it can be built into the development process.

  • Scan speed

This parameter is also important, especially if checks are integrated into the development process. Scanning can slow down the process and, as a result, lead to a waste of time and money. Scan speed largely depends on how quickly the application responds to requests, how many simultaneous connections it can handle, and several other factors. Therefore, in order to compare the speed of different DAST tools, you need to run them with the same software under approximately the same conditions.

  • Advanced settings

Automatic analysis tools must have detailed settings. They will allow you to remove unnecessary requests and limit the scan area. This will increase the quality of the process and the speed of analysis. To set tasks for the tool appropriately, you must have all available options and settings.

There are “smart” scanners that adapt themselves to applications. But such tools still have to be manually configured since the goals of the checks are different. For example, sometimes you need to scan an application in several ways, starting with a full scan and ending with a superficial analysis; in this case, the manual mode will definitely come in handy.

When choosing a tool, you need to pay attention to the total number of possible parameters, as well as how easy it is to configure them. To compare the work of different tools, you can create several scan profiles in each of them: fast and shallow for initial analysis, full and maximum for a full-fledged one.

  • Integration

To make the dynamic analysis as effective as possible, it is worth integrating this practice into the development process and periodically running the scanner during the build. It is necessary to form a list of what is used in the CI/CD process in advance and draw up an approximate plan for launching the tool.

This will help you understand how easy it will be to integrate it into the development process and whether it is convenient to use its API.

  • Technology

When choosing a scanner, you should consider the technologies your company uses in development. To do this, you can analyze applications and create a list of the technologies, languages, and frameworks that are used. The list can get quite extensive, especially if the company is big. Therefore, it is appropriate to choose only a few critical parameters as criteria for evaluating scanners:

  1. The number of technologies and frameworks that the tool covers.
  2. The ability to support key technologies the company uses in its critical services.

  • Login sequence recording

Recording the login sequence is extremely important for dynamic scanners since authentication is required to enter the application. There are many pitfalls in this process, such as hashing the password before sending it or encrypting it with a shared key on the front-end, etc. Therefore, you must check in advance whether the tool will cope with all such nuances. To do this, you need to select as many different applications as possible and see if the scanner can go through the login stage in each of them.

It is also good to check how the tool behaves when logged out. The scanner sends a lot of requests during the analysis process. In response to some of them, the server can “throw the user out” of the system. The tool should notice this and re-enter the application.
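The login-sequence and forced-logout behaviour described above, as an added example that is not code from the article or from any scanner it names. A constructed in-memory application (`DemoApp`, assumed name) expects the password to be hashed client-side before it is sent, one of the pitfalls mentioned, and expires a session after a fixed number of requests; the scanner side (`LoginSequence`, `ScannerSession`, also assumed) replays the recorded login step and re-enters the application whenever a request comes back as logged out.

```python
import hashlib
import itertools
from dataclasses import dataclass


class DemoApp:
    """Constructed stand-in for the application under test.
    Login expects sha256(password) computed on the front-end; every session is
    forcibly expired after `requests_per_session` requests (the 'thrown out' case)."""

    def __init__(self, username, password, requests_per_session=3):
        self._user = username
        self._pw_hash = hashlib.sha256(password.encode()).hexdigest()
        self._limit = requests_per_session
        self._sessions = {}                 # session id -> request count
        self._ids = itertools.count(1)
        self.login_count = 0                # how often the scanner had to log in

    def login(self, username, client_hash):
        self.login_count += 1
        if username != self._user or client_hash != self._pw_hash:
            return {"status": 401, "set_cookie": None, "body": "bad credentials"}
        sid = f"s{next(self._ids)}"
        self._sessions[sid] = 0
        return {"status": 200, "set_cookie": f"session={sid}", "body": "ok"}

    def get(self, path, cookie):
        sid = cookie.split("=", 1)[1] if cookie else None
        if sid in self._sessions:
            self._sessions[sid] += 1
            if self._sessions[sid] <= self._limit:
                return {"status": 200, "body": f"content of {path}"}
            del self._sessions[sid]         # server throws the user out
        return {"status": 302, "location": "/login", "body": ""}


@dataclass
class LoginSequence:
    """Recorded login step, including the front-end's client-side hashing."""
    username: str
    password: str

    def replay(self, app):
        client_hash = hashlib.sha256(self.password.encode()).hexdigest()
        resp = app.login(self.username, client_hash)
        if resp["status"] != 200:
            raise RuntimeError("login sequence failed")
        return resp["set_cookie"]


def looks_logged_out(resp):
    """Signals that the session is gone: auth errors or a redirect to the login page."""
    if resp["status"] in (401, 403):
        return True
    return resp["status"] in (301, 302, 303, 307) and resp.get("location", "").startswith("/login")


class ScannerSession:
    def __init__(self, app, login, max_relogins=1):
        self.app, self.login, self.max_relogins = app, login, max_relogins
        self.cookie = login.replay(app)
        self.relogins = 0

    def get(self, path):
        resp = self.app.get(path, self.cookie)
        attempts = 0
        while looks_logged_out(resp) and attempts < self.max_relogins:
            self.cookie = self.login.replay(self.app)   # re-enter the application
            self.relogins += 1
            attempts += 1
            resp = self.app.get(path, self.cookie)
        if looks_logged_out(resp):
            raise RuntimeError(f"still logged out after re-login at {path}")
        return resp


def crawl(session, paths):
    """Request every path and report its status, so a logged-out scan cannot go unnoticed."""
    return {p: session.get(p)["status"] for p in paths}


def demo():
    app = DemoApp("scanner", "correct horse", requests_per_session=3)
    session = ScannerSession(app, LoginSequence("scanner", "correct horse"))
    statuses = crawl(session, [f"/page{i}" for i in range(10)])
    return statuses, session.relogins, app.login_count


if __name__ == "__main__":
    statuses, relogins, logins = demo()
    print(f"{len(statuses)} paths scanned, {relogins} re-logins, {logins} logins in total")
```

With the session expiring every three requests, ten paths need three re-logins; a scanner that lacked this check would have recorded the redirect to `/login` as the content of seven of those paths.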

  • Tool updates

Technology is constantly evolving, so when choosing a tool, it is vital to consider how often its updates or new versions of signatures/patterns or analysis rules are released. It is worth studying this information on the product website or requesting it from the vendor. This will show whether the developer is following trends and how up-to-date your database of checks will be.

It is desirable to find out if you can influence the development of the product and how the developer handles requests for new features. This will show how quickly the functionality you need will appear in the product and how communication with the vendor is arranged as part of the options update.

Which tool to choose?

There are plenty of tools on the market offered by such companies as Netsparker, Acunetix, Nessus, Rapid7, AppScan, and others. Let me briefly describe two instruments that I use.

  • BurpSuite Enterprise

This tool was developed by PortSwigger. The product has a full-fledged REST API for interacting and managing scans, sending reports, and much more. The scanning agent is the classic BurpSuite. It is launched in “headless mode” but has limitations. For example, you can interact with it only through control commands from the head portal, and you will not be able to load your plugins. Generally, if the tool is configured correctly, it can provide excellent results.

  • OWASP ZAP (Zed Attack Proxy)

This popular tool was created by the OWASP community, so it is completely free. It has different SDKs and APIs for different programming languages. You can use OWASP options or your own plugins.

The product has extensions for various CI/CD tools. It can be run in different modes and controlled programmatically. You can easily insert the tool into your development process. At the same time, the scanner has its drawbacks. Since it is an open-source solution, the quality of scans is lower than that of enterprise solutions. Also, the tool's functionality is not very extensive and deep, but it can be extended and improved.

Conclusion

When choosing a dynamic analyzer, you can use the criteria noted above in this article, but they must be applied correctly. Each company is unique and has its own nuances and features, and all of this must be taken into account in conjunction with the selection criteria. It is also good to define your needs in advance and understand what results you want to receive from the tool. To avoid mistakes, it is advisable to conduct full-fledged testing of various options, compare them with each other, and choose the best solution.

The post Choosing a DAST solution: What to pay attention to? appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

The impact of ransomware attacks on healthcare is as alarming as it is under-addressed.  The United States healthcare system alone faces an annual burden of nearly $21 billion due to these attacks. It pays well over $100 million in ransoms, and is beginning to acknowledge the tragic realities of impacted patient care, including higher patient mortality rates. For every headline related to cyberattacks, there are likely hundreds more that go unreported.

In a study released in 2021, IoT/IoMT devices were revealed to be the attack vector for 21% of ransomware attacks. In May 2022, CISA Senior Advisor Joshua Corman further documented the rising risks during a Senate HELP Committee hearing.

And in August 2022, the Ponemon Institute dove even deeper into the impact of insecure medical devices on hospitals and patients in their Insecurity of Connected Devices in Healthcare 2022 report. Statistics from the report show:

  • 43% of respondents experienced at least one ransomware attack.
  • 88% of cyberattacks involve an IoMT device.
  • The average data breach cost is well over $1 million.
  • Tragically, 24% of attacks result in increased mortality rates.

Seven out of ten respondents (71%) believe that very high security risks are created by these otherwise overwhelmingly beneficial marvels of modern medicine. Recognition of risk is a step in the right direction, although it is unfortunately more of a talking point than one of action.

Over half (54%) of respondents did not report that senior management requires assurances that IoT/IoMT device risk has been properly addressed. Even more concerning, two thirds (67%) don’t believe their devices are being patched in a timely manner, which is the most basic, widely accepted and often required action for nearly any healthcare environment.

The current landscape of most hospitals – battling an epidemic with exhausted staff, strained resources, limited cybersecurity expertise and massive bullseyes – makes them easy targets. A consolidated effort to improve hospital security is needed; AT&T, in partnership with Ivanti Neurons for Healthcare, offers specific solutions to support risk reduction through actionable guidance.

Reports demonstrate before-and-after security status, reflecting the improvements gained by taking action. Network segmentation recommendations integrate with existing NAC solutions, adding intelligence and visibility to the process. Dashboards quantify risks by device, manufacturer, hardware type, and OS, providing a strategy to fight cybercriminals who leave morbid results in their ceaseless drive for ransoms.

In as little as five days, a proof of value engagement will demonstrate a reduction in risk for your healthcare organization. For more information about Ivanti Neurons for Healthcare, and how it can be part of a unified security approach with AT&T Cybersecurity, visit us. There's also a nice e-book available to learn more.

The post Alarming attacks on Internet of Medical Things (IoMT) appeared first on Cybersecurity Insiders.

Wayne Bridgeman II, a Senior Manager on AT&T’s Network Cybersecurity team, offers a 5-point checklist for businesses in 2022 alongside tidbits of often overlooked tactics that can strengthen security.

Wayne Bridgeman II is no stranger to the fighting ring. He fought professionally in the martial arts community for 5 years and has since transitioned to helping businesses combat the growing risk of cybercrime. Although the specifics differ, Wayne approaches his fights with the same strategic mindset. In both the ring and in cyberspace, success begins with knowing your own vulnerabilities. For the past 10 years, Wayne has specialized in Network Technology and Cybersecurity, identifying the needs of businesses and customizing solutions to secure their networks. When asked about common misconceptions regarding cybersecurity, Wayne identified one pitfall many small business owners fall into: underestimating their potential to be victims.

“Put yourself in the shoes of a criminal and pretend you’re breaking into a car with a limited amount of time. Which is more appealing: the expensive car with the newest locks, or the late model car with rolled-down windows and a purse in the seat? Criminals often choose the option with less deterrence,” Wayne said. “One of the biggest traps small businesses fall into is thinking that they aren’t as appealing to cybercriminals because they’re smaller and have less to offer. Cybercriminals are opportunists with a keyboard, looking for low-hanging fruit. It’s not necessarily what the businesses have that’s appealing, but what they have exposed. By not keeping up to date on security and practicing ‘cyber hygiene’, businesses are making themselves easy targets.”

Wayne offered a few immediately applicable tasks for businesses of any size to get started. “Ultimately, the goal is to take your business from being an easy target to a hard target. But you don’t have to throw a bunch of money to form the basics. First, practice password hygiene. Update regularly and enable multifactor authentication. Second, utilize the principle of least privilege. Only give people access to things that they absolutely need to perform their job. Third, regularly back up data onto your network so that in the event of an outage, you are secure. All of these are steps you can take now to make yourself a harder target.”

While these steps will give business owners a head start, proper cyber hygiene may require an even deeper cleaning. Wayne continued, “Nowadays, there are many cybersecurity options out there. But not all dollars you invest in cybersecurity are created equal. There are strategies that will mitigate risk more than others, and you can waste funds by investing in the wrong places. It’s important to ask the right questions first.”

According to Wayne, here are five of the most critical questions business owners can ask themselves in 2022:

1. Are the people trained?

Oftentimes, people are the number one targets for hackers. “Human beings are inherently fallible. Finding ways to masquerade and attack through an email or phone call is the primary vehicle a hacker will utilize because it is scarily effective,” Wayne said. Hackers need an entry point into a network, and far too often it’s the untrained workers who accidentally give them the keys. “We must educate our employees and help them be aware that these things are coming to them. You can do this by investing in security awareness training. When employees are aware of potential attack strategies, it’ll be a lot harder for hackers to get in.”

2. Are the endpoints secure?

Endpoints are the physical devices that connect to networks, and the first step to securing them is to protect the entry points. “Every home has a door, and every network has a front door as well. We know them as firewalls. Firewalls allow us to securely detect threats that attempt to come into the network and lock them at that edge.” Wayne continued, “Firewalls have evolved over the years, and nowadays it’s best to utilize multiple layers of protection. One type of layer to consider is web traffic filtering. These filters protect employees that use the internet and defend them from accidentally getting phished on bad websites. You can also consider adding layers that inspect encrypted traffic. Most traffic on the internet today is encrypted and hackers use that to bypass traditional firewalls, get into the network, and cause damage.”

As technology evolves, firewalls need to stay up to date, and this takes time and expertise. One solution is to utilize managed firewalls that can automatically detect and respond to activity on endpoints.

3. Have we addressed the vulnerabilities?

“All networks have vulnerabilities,” Wayne said. “The question is how critical these vulnerabilities are and if the business has taken action to mitigate them or put in controls to prevent them from being used in an attack.” The two-part step to assess vulnerabilities is as follows:

  1. Know what’s on your network (known as asset identification) and know what you must protect.
  2. Know what vulnerabilities are present on those assets.

“This is a process known as vulnerability management, and businesses would be best served to practice it in a quarterly (or more) rhythm. They must understand what’s on their network, the vulnerabilities that exist, and how to patch them up. This helps minimize opportunities for hackers to exploit vulnerabilities on the network.”

4. Have we factored in edge security?

As hybrid workforces become the standard for many businesses, employees are increasingly working outside of the network. Wayne talked about the dangers this can pose. “While it can be nice to work from a coffee shop or from home, mobile employees don’t get the benefit of being behind a firewall. Mobile employees need to be protected, and the firewall needs to ‘follow’ them somehow. Layering firewalls with solutions such as secure web gateways that protect users while they’re outside of the network is one solution. This is where layering endpoint security can really come into play.”

5. What is our incident response plan?

“When it comes to cyberattacks, it’s no longer a matter of ‘if’ but ‘when’. It may sound cliché, but it’s a reality today,” Wayne warned. “The difference between recovery and failure in the event of an attack is having a plan. Businesses of all sizes must have an incident response plan that should be tested from time to time. Preparation may include partnering with a third party or incident response services if they don’t have the resources themselves so that experts can engage on their behalf in the event of a critical business-impacting cyber-attack.”

“Oftentimes, small businesses take the hardest hit. Small businesses that get attacked often go out of business because they haven’t built a plan of how they’ll respond to those events. Having a written incident response plan where owners of the business know who does what in the event of an attack, paired with access to third party experts, can be critical for recovery. Your ability to respond to an attack will be dictated by how well you plan to respond.”

When asked about the trending shift from Copper to Fiber and Fiber’s effect on security, Wayne offered some insight. “Cybersecurity is often measured by the acronym CIA: Confidentiality, Integrity, and Availability. The Fiber network moves at the speed of light and has higher availability, meaning that its uptime is better. When you can’t get to your data, your network is less secure. By having a Fiber connection with higher availability, you’re hitting one part of the triad. Notice the contrast with Copper, which has lower availability due to issues with degradation and the frequent need for repair. But note that copper and fiber are just the physical layers of connectivity, and what you layer with your network is just as crucial.”

Ultimately, knowing the state of your network and preparing adequately is the key to protection. When it comes to successful defense, Wayne found many parallels between martial arts and cybersecurity. “In the event of an attack, I’ve learned in both the martial arts community and cybersecurity world that people revert to their training. In martial arts, we say that ‘everyone thinks they have a plan until they get punched in the face’ and it’s just as true when protecting your network. The key is to train and prepare well before the attack occurs.”

The post Attention business owners: Top 5 Cybersecurity questions to ask in 2022 appeared first on Cybersecurity Insiders.

Multiple reports in the media, including in Bloomberg US Edition, allege that Russian-associated cybercrime group Killnet is responsible for a series of distributed-denial-of-service (DDoS) attacks during the week of October 6 that took several state government and other websites offline. While most of the websites were restored within 48 hours, these volumetric attacks can leave even the most secure sites paralyzed and susceptible to further damage.

AT&T Alien Labs, the threat intelligence arm of AT&T Cybersecurity, suggests politically motivated cyber strikes such as the ones that hit websites in October are nothing new. Killnet has a long history of successfully attacking both public and private organizations and businesses.

Research Killnet on the Alien Labs Open Threat Exchange (OTX), among the largest open threat intelligence sharing communities in the world.

Figure 1: OTX pulse on Killnet.

“We have been following Killnet for years and have seen a marked increase in activity in the last few weeks. Their attacks, however, appear to be opportunistic DDoS campaigns aimed at attracting media coverage,” says Research Director Santiago Cortes Diaz. “Their efforts seem to be coordinated with the Russian government as part of their FUD (fear, uncertainty and doubt) campaign around the geopolitical conflict.”

Aside from a temporary takedown that can disrupt operations, there is also a reputational cost to DDoS attacks. Moves against government websites potentially aim to destroy faith among voters that U.S. elections are a secure and insulated process. And, though the election process is mostly separated from the Internet, consecutive attacks of this nature could also negatively impact confidence in the United States’ digital defenses.

DDoS attacks, though typically short-lived, succeed in getting the public’s attention by causing a digital flood of information on websites with an otherwise regular flow of traffic. A botnet, a group of machines infected with malware and controlled as a malicious group, generates bogus requests and junk directed at the target while hiding within a site’s usual traffic patterns. DDoS attacks are not to be underestimated. They will likely continue to proliferate as hackers acquire access to more botnets and resources allowing them to commit larger attacks — and the resources will come with the next era of computing.

As organizations continue to deploy edge applications and take advantage of 5G, the threat of DDoS attacks is potentially compounded. To this point, in a survey of 1,500 global respondents for the AT&T Cybersecurity Insights Report: 5G and the Journey to the Edge, 83% believe attacks on web-based applications will present a big security challenge.

Why? Because along with the improvements in speed, capacity, and latency of 5G and edge computing, there is also going to be an explosion in connected devices. For example, in the same Insights Report, the top three use cases expected to be in production within three years for edge computing include: industrial IoT or OT, enterprise IoT, and industry-oriented consumer IoT functions — all of which are driven by applications that can be connected to the internet. This increase in devices and network quality, as well as the explosion in applications, serves as fertile ground for targeted attacks from bad actors.

Though these recent attacks appear to have political motivation, businesses should be considering proactive DDoS protection if they do not already have it in place. The relatively cheap and frequent nature of DDoS attacks is what makes them so dangerous and costly to business continuity.

To learn more about AT&T’s DDoS service solutions, click here.

The post Do the recent DDoS attacks signal future web application risks? appeared first on Cybersecurity Insiders.

This blog was written by an independent guest blogger.

The average cost of a data breach will continue to rise, which means companies need to start planning accordingly. To protect your business, you need to invest in cybersecurity. Here are 11 areas you should focus on.

Cyber insurance

Cyber insurance is designed to protect businesses from the financial repercussions of a cyber-attack. It can cover costs such as business interruption, data recovery, legal expenses, and reputational damage. It is increasingly common across industries and at companies of all sizes, even small businesses, which have become a growing target of cybercriminals.

Cyber insurance has also become a new compliance requirement in many industries, including healthcare, finance, and retail. In the event of a data breach, companies are often required to notify their customers and partners, which can be costly. Cyber insurance can help cover these expenses.

Employee training

Employees are often the weakest link in a company's cybersecurity defenses. They may not be aware of the latest cyber threats or how to protect themselves from them. That's why it's important to provide employees with regular training on cybersecurity risks and best practices.

There are many different types of employee training programs available, ranging from in-person seminars to online courses. Some companies even offer financial incentives for employees who complete training programs.

In the remote work era, employee education also increasingly means arming remote workers with knowledge that will keep company data safe while they are working on networks that might not be well secured. This is especially the case if you know people are connecting via public networks at cafes, co-working spaces, and airports.

Endpoint security

Endpoints are the devices that connect to a network, such as laptops, smartphones, and tablets. They are also a common entry point for cyber-attacks. That's why it's important to invest in endpoint security, which includes solutions such as antivirus software, firewalls, and encryption.

You can invest in endpoint security by purchasing it from a vendor or by implementing it yourself. There are also many free and open-source solutions available. Make sure you test any endpoint security solution before deploying it in your environment.

Identity and access management

Identity and access management (IAM) is a process for managing user identities and permissions. It can be used to control who has access to what data and resources, and how they can use them. IAM solutions often include features such as Single Sign-On (SSO), which allows users to access multiple applications with one set of credentials, and two-factor authentication (2FA), which adds an extra layer of security.

IAM solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as firewalls and intrusion detection systems.

Intrusion detection and prevention

Intrusion detection and prevention systems (IDPS) are designed to detect and prevent cyber-attacks. They work by monitoring network traffic for suspicious activity and blocking or flagging it as needed. IDPS solutions can be deployed on-premises or in the cloud.

There are many different types of IDPS solutions available, ranging from simple network-based solutions to more sophisticated host-based ones. Make sure you choose a solution that is right for your environment and needs.

Security information and event management

Security information and event management (SIEM) solutions are designed to collect and analyze data from a variety of security sources, such as firewalls, intrusion detection systems and web filters. This data is then used to generate reports that can help identify security risks and trends.

SIEM solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as incident response and vulnerability management. Think of SIEM as a centralized platform that allows you to see all the different security events happening across your environment in one place.

Email security

Email is a common target for cyber-attacks, as it is often used to deliver malware or phishing messages. That's why it's important to invest in email security, which includes solutions such as spam filters and email encryption.

You can invest in email security by purchasing it from a vendor or by implementing it yourself. There are also many free and open-source solutions available.

Vulnerability management

Vulnerability management is the process of identifying, assessing, and mitigating vulnerabilities in systems and networks. It includes both automated and manual processes, such as scanning for vulnerabilities and patching them.

There are many different types of vulnerability management solutions available, from simple scanners to more comprehensive suites. Make sure you choose a solution that is right for your environment and needs.

Web security

Web security refers to the process of securing websites and web applications from cyber-attacks. It includes both server-side and client-side security measures, such as firewalls, intrusion detection systems and web filters.

You can invest in web security by purchasing it from a vendor or by implementing it yourself. There are also many free and open-source solutions available. Make sure you test any web security solution before deploying it in your environment.

Data loss prevention

Data loss prevention (DLP) is a process for preventing sensitive data from being leaked or lost. It includes both technical and organizational measures, such as data encryption and access control.

DLP solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as firewalls and intrusion detection systems.

Business continuity and disaster recovery

Business continuity and disaster recovery (BC/DR) are processes for ensuring that businesses can continue to operate in the event of an outage or disaster. BC/DR solutions often include features such as data backup and replication, which can help minimize downtime and data loss.

BC/DR solutions can be deployed on-premises or in the cloud. They can also be integrated with other security solutions, such as firewalls and intrusion detection systems. Don't forget to test your BC/DR solution regularly to make sure it is working as expected.

Conclusion

These are just a few of the many cybersecurity investments you can make right now. By implementing even just a few of these solutions, you can help improve your organization's overall security posture and reduce the risk of cyber-attacks.

The post 11 Cybersecurity investments you can make right now appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Retirement plans are an easily overlooked but often critical cybersecurity concern. Employee stock ownership plans (ESOPs), while less common than others, may face particular risks.

ESOPs can provide a valuable way to foster employee engagement and reward loyal workers, but businesses must consider their cybersecurity risks. Without proper security, these plans and those who depend on them may be in danger.

ESOP security risks

Employee Retirement Income Security Act (ERISA)-regulated plans covered an estimated $9.3 trillion as of 2018. Individual ones can hold millions of dollars, making them tempting targets for cybercriminals.

ESOPs pose unique risks, as participating employees have an ownership stake in the company. Consequently, cyberattacks that damage the business’s reputation will affect ESOP participants. Lower stock values will reduce workers’ payouts when they retire.

This ownership stake means an attack doesn’t have to target the retirement plan directly to impact its participants. Any cybersecurity incident against the business poses a significant risk, and ESOP security means safeguarding the entire company’s attack surface.

How to minimize ESOP security concerns

ESOP cybersecurity concerns are significant, but you can take several steps to address them. Here’s how you can mitigate these security risks.

Assess company-specific risks

The first step in ESOP cybersecurity is to assess your specific risk landscape. Every organization and plan within one has unique considerations determining the most effective mitigation measures, so these assessments are a crucial starting point.

Every risk contains two key components: an event that could happen and the consequences if it does. Teams must compile a formal list of threats facing their ESOP plans, making sure to cover both components for each threat. This will reveal the most important vulnerabilities to address, helping guide further security steps.

Verify vendors

Like many retirement plans, ESOPs typically rely on third-party vendors to manage funds. Consequently, breaches in these partners could impact the business itself. About 51% of all organizations have experienced a data breach from a third party, so verifying their security before going into business with them is crucial.

Ask for third-party audits and similar proofs of security to ensure any vendors meet strict cybersecurity standards. Contracts should include detailed descriptions of their security responsibilities and the consequences for noncompliance. Ensuring all vendors have sufficient cybersecurity insurance is also a good idea.

Minimize access

You should minimize access privileges across the organization and its partners even after verification. Well-meaning employees can still make critical errors, but if each account can only use a few resources, a breach in one won’t jeopardize the entire system.

Operate by the principle of least privilege: Every user, program and endpoint should only be able to access what it needs to work correctly. That applies to third parties as well as company insiders. This will minimize lateral movement risks, helping keep ESOPs safe from attacks elsewhere in the organization.

Create a culture of cybersecurity

ESOP participants slowly gain increasing ownership stakes in the company, so their cybersecurity responsibilities should follow. Employees should understand how their actions impact the wider organization’s security and use best practices out of habit.

You can foster a cybersecurity culture by offering regular training, tying security goals to their impact on employees’ personal lives, and encouraging feedback and questions. When cybersecurity comes as second nature, the company will become inherently more secure, protecting ESOPs.

Develop a business continuity plan

It’s important to realize that no defenses are 100% effective. There were at least 1,862 data breaches in 2021 alone, and that figure has consistently risen over the years. Given this trend, it’s too risky to assume you’ll never suffer a successful attack, so business continuity plans are critical.

These plans should cover encrypted backups of all sensitive data, emergency communications protocols and steps to contain a breach. Ideally, they should also include cybersecurity insurance to cover any losses. These backup plans and resources will ensure ESOP participants can still protect their resources when a breach occurs.

ESOPs need strong cybersecurity

Attacks on ESOPs and the organizations sponsoring them can cause substantial damage. In light of that risk, any company offering such a plan should also implement strong cybersecurity measures.

These steps will help any ESOP organization minimize its risk landscape. They can then ensure that cybersecurity incidents won’t jeopardize plan participants’ hard-earned retirement income.

The post Minimizing security concerns of ESOPs appeared first on Cybersecurity Insiders.

This guest blog was written by an independent guest blogger. He is a high school freshman with some fresh perspective.

October and Halloween are both fun and scary, just like cyberspace. Cyber Security Awareness Month is an excellent time for grown-ups to discuss cyber safety with us. It takes an informed cyber village to help raise savvy cyber kids, and I believe introducing cyber literacy to kids of all ages is increasingly critical. Today, every household is filled with connected devices, and I hope this information will help with better digital decision-making by kids.

After eighteen months of virtual schooling, using various digital devices has become second nature. In addition, our virtual collaboration with others via these devices has also increased. Games are not the only way we interact with digital devices anymore.

I crave my digital privacy just as much as every other high schooler. However, I have learned it is vital to know how to stay private online. I recently learned that things like having a clean credit history make me an easy target for identity theft (identity theft occurs when someone uses another person's personal identifying information, like their name, identifying number, or credit card number, without their permission), and this knowledge made my Halloween trickier without any treats.

It's never too soon to establish cybersecurity ground rules. Kids can soak up basic cybersecurity skills as rapidly as they pick up new technologies; grown-ups owe it to them to make that possible.

Below are some easy ground rules for grown-ups to share about cyber “stranger danger” with their kids.

  • An exception to the rule of Sharing is Caring:

It is easy to succumb to oversharing on the Internet, especially on social media. Be careful about divulging personal information such as your school names, team names, home addresses, and telephone numbers. Are these also answers to your secret question when you set passwords? Read more about that below.

  • Be on guard for Phishing:

No, this is not what you do with your parents on a nice day by the lake. “Phishing” is a popular way tricksters get information about you by baiting you. Someone might send you an email offering you a free toy or game, and when you click on the link, they take you to a webpage that infects your computer with something nasty. Or it asks for information that lets them pretend to be you on the Internet.

Maybe they know you like dogs or kittens, so they send you a picture of a dog or kitten as an attachment, and they hide the nasty thing in the picture file, so when you open it, your computer gets infected. How confidently can you spot bait? Ever click on an unfamiliar link and instantly regret it? You're not alone, and it happens every day. Tricksters go “phishing” and bait us into revealing our personal information to steal our data, money, or identity.

  • Don't be click happy:

When you unknowingly click on a link or visit a shady website, you open your door to let the trickster in, where they can either plant harmful code that automatically steals your information or lock you out of your games unless you pay a million V bucks. Whether it is a link in a text message, a pop-up that lures you into clicking it, or a social media link that asks you for information to enter a raffle or appeals to you as a sports fan, take a breath. Do you trust this link? Think about the 5 Ws: who, what, when, where, and why.

Be cautious. When something is too good to be true, it is usually not good! Trust your source.

  • Don't default to the default:

Change the default password if you have a device you will connect to the Internet. A device is not just your phone or laptop; everything from your Internet router, gaming devices, TVs, and home thermostats, to Wi-Fi, is included.

What does a strong password look like? Use a phrase instead of a word. “Passphrases” are easy to remember but difficult to guess. If the field allows, use spaces as special characters for added strength, making the phrase easier to type. Longer is stronger. The best passwords are at least ten characters in length and include some capitalization and punctuation. Typing the passphrase becomes a habit (usually within a few days).

Some examples of a strong passphrase include a strategy of misspelling, a nursery rhyme, a movie quote, or song lyrics with a twist.

Merging of the real and digital world:

As teachers incorporate more online educational tools into their curricula and parents permit children to play with online apps, they should simultaneously teach students of all ages basic cybersecurity skills and encourage them to become cyber aware. Just as Drivers Education and Financial Literacy are essential elements taught at high school to help equip us as adults, being cyber intelligent, savvy, and safe is also a skill that should be part of the curriculum. Kids should be prepared to protect themselves from cyber threats, just like they look both ways before crossing the street or refuse candy from strangers.

Here are some excellent resources for you to try:

NJCCIC E-Learning For Kids

CyberSprinters – NCSC.GOV.UK

We the Digital Citizens | Common Sense Education

My favorite “Cheat codes”

☐ I avoid using the same password for different accounts

☐ I change my passwords regularly

☐ My passwords are at least ten characters long (and ideally longer)

☐ My passwords involve a mix of upper- and lower-case letters plus symbols and numbers

☐ My passwords avoid the obvious – such as using sequential numbers (“1234”) or personal information that someone who knows me might guess, such as my date of birth or a pet's name

☐ I change the default passwords on my connected devices, including Wi-Fi routers and gaming consoles

☐ I avoid writing my passwords down or sharing them with others

☐ I avoid clicking on suspicious links or links I am not sure of

☐ I avoid opening emails that look suspicious, as well as any attachments

☐ I don't respond to or click on pop-up windows on my phone or computer.

☐ I avoid downloading suspicious attachments from emails or text messages I am not expecting

☐ I don't click on ads that promise free money, prizes, or discounts

☐ I am wary of strange or unexpected messages, even from people I know

☐ I don't use personal usernames (gamertags), and I avoid usernames and gamertags that can reveal my identity

☐ I don't answer personal questions when using a text or voice chat during a gaming session online

I hope this handy list of cheat codes helps strengthen your cyber defense. And remember, a click is all it takes to turn a cyber threat into a cyber-attack. And Happy Halloween! More treats, less threats!

The post Halloween feature: Cheat codes for Cybersecurity and preventing kids from being “tricked” appeared first on Cybersecurity Insiders.