Today, all organizations are required or encouraged to meet certain standards and regulations to protect their data against cybersecurity threats. The regulations vary across countries and industries, but they are designed to protect customers from the threat posed by data breaches.

Related: The value of sharing third-party risk assessments

With estimates suggesting there are currently over 15 billion user credentials scattered across the dark web, the importance of compliance is clear to see. In spite of this, many organizations today still see compliance as a nuisance, rather than a business enabler.

All too often, organizations will analyze compliance requirements and harden their systems and practices to meet them, without really thinking about their importance to the business. Instead, they will tick the mandatory checkboxes, even if security measures haven’t been enacted, and file the record away as quickly as possible.

Job done! Compliance has been met — or may appear to have been met; now let’s make some money… That is until they learn they have been breached. When the CEO tries to defend the business by pulling out a dusty copy of its two-year-old compliance record, they then face the harsh reality that single “point in time” compliance doesn’t cut it in today’s threat landscape.

Strategizing compliance

Compliance is no longer a “set and forget” security framework. To keep up to speed in today’s evolving threat landscape, compliance is a process that must be maintained continuously.

Here are a few ways for organizations to implement an effective cybersecurity compliance strategy, so that it remains current, providing protection against new and emerging threats:

•Keep up to date with the evolving and growing attack surface

Today, organizations’ digital environments evolve continuously: new devices are added to networks daily, staff are onboarded and offboarded, new suppliers are taken on, and as more organizations adopt hybrid working, staff access corporate networks from locations worldwide. The threat landscape is also continuously changing, with new attacker trends coming to light and new software vulnerabilities being discovered that put organizations at risk if they are not patched.

This means threats to corporate data are constantly changing. What might be secure today could be an organization’s greatest weakness tomorrow.

As a result, compliance needs to keep up with new threats and network changes; otherwise, organizations could inherit serious gaps in their architecture that will be easy for cybercriminals to exploit.

•Take a risk-based approach

One of the biggest mistakes organizations make when meeting compliance regulations is the belief that all requirements can be met through products. They don’t think about the impact security risks would have on their organization.

Today breaches cost organizations millions of dollars, both in losses and in fines. When they suffer attacks, reputations are damaged, customers and investors are lost and sometimes the very survival of the business is at stake. This means cybersecurity should never be viewed as just a technical issue; it is a businesswide problem.

Business leaders need to understand the risks to prioritize security spending effectively. With an organization’s data its most valuable asset today, understanding where it is held, who has access to it, and what is being done to protect it from intruders is critical.

Business leaders should also think about risks posed by specific attacks and take time to understand what the organization would stand to lose if attackers were to breach their network. Is data backed up regularly? Would the business recover if it was hit with ransomware?

Once they have these answers, what can be done to reduce the risk? Security threats are here to stay and perfect software doesn’t exist, so hardening and resilience must be the priority for any business leaders.

•Remember cybersecurity is a culture, not a product

Cybersecurity is a companywide challenge, and all departments need to be involved to get it right. Business leaders therefore need to prioritize security and promote its importance from the top down, training employees and encouraging them to mirror the attitude.

This means when attacks do target an organization, employees can stand as the first line of defense, armored with the correct knowledge to know not to click on links and attachments that seem suspicious.

Compliance is an important driver for security, and organizations should never view it as a mere technical nuisance. Cybersecurity is a critical business enabler today, and those that get it right will excel. Those that get it wrong, and do not prioritize their defenses, could stand to lose everything.

About the essayist: David Jemmett is CEO of Cerberus Sentinel, a Managed Compliance and Cybersecurity Provider (MCCP) with its exclusive MCCP+ managed compliance and cybersecurity services plus culture program.

While global commerce is an important aspect of the world economy, individuals who hold national security clearances need to be aware that some of the activities they engage in could pose a security risk and may negatively impact their security clearances.

Related: Russia takes steps to radicalize U.S. youth

Individuals who possess security clearances are not prohibited from traveling to foreign countries; however, there are certain acts and behaviors that may raise foreign influence and/or foreign preference concerns.

Under Guideline B of the security clearance adjudicative guidelines, the United States government is concerned with any potential for foreign influence. This includes contact with foreign nationals or obtaining financial or property interests in a foreign country, that could create a heightened risk for foreign exploitation.

First, there are reporting requirements which indicate that any foreign travel, aid, logistics, obtaining property in a foreign country, or other such activity must be reported to one’s security officer.

It is common for people to want to expand their financial portfolios, sometimes including investments overseas; however, this poses a security concern, as foreign assets may be used to exert pressure or influence over individuals who possess a security clearance in order to persuade them to divulge U.S. national security secrets.

The conflict in Ukraine is a prime example of how engaging in global commerce and providing aid to foreign countries or foreign nationals may pose a security risk. Anybody who wants to provide aid to Ukraine could be put in a position of potentially exposing themselves to exploitation, inducement, manipulation, or pressure, which may conflict with the interests of the United States.

Guideline C of the security clearance adjudicative guidelines provides potentially disqualifying conditions in relation to participation in foreign activities, which includes serving the interests of a foreign person, group, organization, or government in any way that conflicts with the U.S. national interests.

Additionally, providing any aid, including military aid such as logistics, equipment, or fighting for Ukraine in general, while possessing a security clearance poses major security concerns under Guideline C.

This poses a risk because providing aid to a foreign government or individual could be perceived as exhibiting a foreign preference for another country. It also opens individuals up to exploitation and may put them in a position of heightened risk, especially if they are providing this aid and are captured by foreign enemies or intelligence personnel.

The events in Ukraine have the potential to change things for security clearance holders in the United States. There is always an element of concern about foreign influence from countries like Russia and China, as these countries are typically known to target U.S. citizens to obtain classified or sensitive material.

The conflict in Ukraine has the potential to further alienate Russia and place Russia in a category much like North Korea. Any security clearance holder that has ties to Russia in the future may be met with heavier scrutiny and may find it more difficult to obtain and maintain a security clearance in the future.

About the essayist: Ryan C. Nerney, Esq. is a partner in the Ladera Ranch, California office of Tully Rinckey PLLC, where he has represented numerous clients in security clearance revocation proceedings. He has a proven record of saving clients’ jobs, as well as anticipating and resolving potential future issues with their security clearances. He can be reached at info@tullylegal.com or at (619)-357-7600.

It’s no secret that cyberattacks can happen to any business, and we should all be suspicious of messages from unfamiliar senders appearing in our email inboxes.

Related: Deploying human sensors

But surely, we can feel confident in email communications and requests from our organization’s executives and fellow coworkers, right? The short answer: Not always.

The reason is the rise in business email compromise (BEC) schemes. This type of targeted phishing or whaling (executive-level) attack tricks email recipients into believing someone they know and trust is asking them to carry out a specific financial task. Here are a few examples of how these insidious campaigns use the power of human relationships to defraud businesses via email:

Scenario 1. A CFO receives an urgent email request from the CEO asking her to pay a supplier invoice immediately. The CFO commonly carries out such tasks and arranges a wire transfer using the account information provided on the invoice. In actuality, the request is coming from a BEC fraud ring, and the payment details direct the funds to an account controlled by the attackers.

Scenario 2. An HR benefits manager receives an email from the department VP asking him to purchase gift cards for a new employee rewards program. The email specifies that the HR manager should include the codes associated with each card, which the scammer behind the scenes then sells online for cash or cryptocurrency.

Scenario 3. An accounts receivable rep receives an email from a C-Suite executive asking for the company’s most recent Aging Report. If the rep complies, the attacker now has a list of customers who owe the company money.

It tells him how much the customers owe, when the payments are due, and the terms. The attacker also has the rep’s email signature. The attacker then creates a look-alike domain and contacts each customer on the report explaining that all future payments should be sent to a new bank account.

Planned attacks

BEC is a growing concern, and attackers have taken full advantage of the upheaval the COVID-19 pandemic has caused to ramp up their efforts. These campaigns are hard to spot because the perpetrators have done their homework to make emails appear completely legitimate, from the formatting to the language, to the type of request being made.

Today’s BEC attempts aren’t the easy-to-spot, typo-laden phishing campaigns of the past. For starters, attackers leverage social engineering tactics and information gleaned from websites and social media profiles to determine employees’ working relationships and connections.

They can also include personal details in messages, so the recipient doesn’t think twice about the message or request. On top of this, internal employee-to-employee email is rarely scanned, meaning BEC-driven access can go undetected.

Fraudsters prey on the target using the killer combination of trust, authority, and urgency. Businesses large and small can be the target of a BEC campaign because at the end of the day, most of us are trusting souls ready to help others. We would never expect someone we know and work with to scam us, much less defraud our organization.

BEC attacks don’t get the media attention of ransomware incidents and records theft, but they are far more prevalent and costly overall. In its most recent BEC report, the FBI estimated such attacks cost enterprises more than $1.8 billion in annual losses during 2020, resulting from 19,369 incidents. Although it’s possible for funds to be recovered, the cost of business disruption can be significant.

Prevention is the cure

We need to put a stop to this all-too-common attack vector.

As with any type of cyberattack, prevention is the best strategy. Employee awareness training is an important first step as most people aren’t familiar with BEC attacks. Training can include simulation so employees can learn to spot phishing or whaling exploits before blindly completing requests or clicking on links.

DMARC email authentication is also helpful to prove the sender is legitimate, and two-factor authentication (or multi-factor authentication) can reduce the risk an email account is compromised. Likewise, as these scams typically seek a transfer of funds, tighter accounting controls to verify legitimacy are crucial, as are identity-based phishing defenses that can recognize BEC in its varied forms.
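DMARC, mentioned above, does its work by checking that whichever of SPF or DKIM passed is aligned with the domain in the From header the recipient sees, then applying the domain owner's published policy. The following evaluator is an added example (not from the essay or Agari) that runs that step over the BEC scenarios described earlier; it assumes SPF and DKIM have already been verified, uses a constructed record for the fictional domain example.com, and simplifies the organizational-domain rule to the last two labels.

```python
"""Added example (not from the essay): evaluate a message against a DMARC record.

SPF and DKIM are assumed to have been checked already; this code performs the
DMARC step the essay refers to: identifier alignment plus policy lookup.
"""
from dataclasses import dataclass

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, filling in the RFC 7489 defaults."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if part.strip():
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Real evaluators consult the Public Suffix List so that e.g. co.uk is handled.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the recipient sees
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate_dmarc(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition).

    Disposition is 'deliver' on pass, otherwise the record's p= policy
    (or sp= when the From domain is a subdomain and sp= is present).
    """
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    is_subdomain = r.from_domain.lower() != org_domain(r.from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return "fail", policy


# Constructed record for the fictional company domain example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

# Scenario 1 from the essay: a forged CEO message. The sending relay passes SPF
# for its own bounce domain, but that domain is not aligned with the From header.
SPOOFED_CEO = AuthResults("example.com", "pass", "bulk-relay.example.net", "none", "")

# A genuine internal message signed by the company's own mail system.
GENUINE = AuthResults("example.com", "pass", "example.com", "pass", "example.com")

# Scenario 3's look-alike domain: its owner publishes SPF for it and so passes
# DMARC for *that* domain. DMARC only protects the exact domain it is published
# for, which is why the essay's accounting controls still matter.
LOOKALIKE_RECORD = "v=DMARC1; p=none"
LOOKALIKE = AuthResults("examp1e.com", "pass", "examp1e.com", "none", "")

if __name__ == "__main__":
    print("spoofed CEO:", evaluate_dmarc(RECORD, SPOOFED_CEO))            # ('fail', 'reject')
    print("genuine    :", evaluate_dmarc(RECORD, GENUINE))                # ('pass', 'deliver')
    print("look-alike :", evaluate_dmarc(LOOKALIKE_RECORD, LOOKALIKE))    # ('pass', 'deliver')
```

The look-alike case is the practical caveat: DMARC stops exact-domain spoofing, not a registered near-twin domain, so it complements rather than replaces payment verification controls.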

About the essayist: John Wilson is senior fellow, threat research, at Agari by HelpSystems. He works with businesses of all sizes to prevent financial loss from BEC campaigns and help them achieve peace of mind in a fast-changing cybersecurity landscape. 

Cyberattacks preceded Russia’s invasion of Ukraine, and these attacks continue today as the war unfolds. As the United States and other nations condemn Russia’s actions, the odds of Russian cyber actors targeting the U.S., allied countries, and businesses steadily increase.

Related: Cyber espionage is in a Golden Age

These Russian cyber actors are government organizations and include other parties who take their orders from the Russian military or intelligence organizations – while not technically under government control. Additionally, there are also Russian cybercrime organizations that are not state-sponsored but are allowed to operate.

Each of these organizations performs cyber operations for various reasons. The Russian government, military, and intelligence service may wish to achieve some operational effect, for example, disrupting the power grid or interfering with telecommunications infrastructure, which may be part of a larger war plan. Some Russian cyber actors may gather intelligence while others are financially motivated.

Cybercrime is big business as global losses to ransomware are projected to reach $42 billion within the next two years. The economic sanctions that many nations have put in place to influence Russia will most likely trigger an increase in the illicit business of cybercrime to help offset losses to what was legitimate trade.

Cyber attack targets

Russia isn’t the only cyber actor increasing its pace of cyber operations during this time. While the world focuses on Ukraine, other state actors have increased actions to penetrate government and private sector organizations. While you might think that these actors are interested in government and defense information, their operations prove they are interested in much more – including software development and information technology, data analytics, and logistics.

Your company’s intellectual property may be a target – and don’t think you are not just because you aren’t associated with defense contracting. Cyber actors are commonly after intellectual property or revenue.

Although there’s no one magic solution to eliminating cyberattacks and cybercrime risks, there are steps you can take to reduce the chances of becoming a victim. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has started a campaign to increase awareness of these risks to U.S. businesses called #ShieldsUp.

The efficacy of hygiene

Many of their recommendations are basic cybersecurity hygiene that require minimal effort to implement but can dramatically reduce your risk:

•Ensure all software (operating system and applications) are updated and patched. Enable auto-update features if available.

•Educate your employees on threats and risks such as phishing and malware.

•Enforce strong passwords and implement multi-factor authentication (MFA) — by educating users about using a unique password for each account and enforcing higher security for privileged accounts (administrators, root).

•Segment or isolate portions of your network that are critical to your business, or that process or store sensitive information.

•Configure all IT systems with hardened profiles that only allow network services essential to your business function; harden or eliminate the use of protocols such as RDP and SMB.

Accounting for humans

While all these technical steps to reduce the risks of cyberattacks are valuable, the step that’s often overlooked or underfunded is the one that can be the most impactful – employee awareness. Implementing a culture of security and empowering employees to report suspicion of abnormal activity on information systems is key to stopping these threats early.

Not all cyberattacks take advantage of a user and result in penetration of your system. Still, the most common infection vectors are through a user – clicking a link, browsing to a page, sharing their password, or choosing a weak password. Therefore, educating your employees about the importance of security to your network is critical. Enabling employees to be your first line of defense can boost security and reduce risks.

In addition to the best practices above, it’s prudent to also have plans and procedures in place if a cyberattack is successful. These procedures will not only help get your business back up and running more quickly, but are critical to staying compliant with state or federal regulations requiring the reporting of cyber incidents. Just as businesses focus on resiliency and disaster recovery, they must also consider a cyberattack or incident that can cripple their product and/or revenue.

As the world watches the events in Ukraine, cyber incursions by hostile actors will continue across the globe. These threats will continue to plague businesses and our personal lives for the foreseeable future. Instead of falling into the trap of thinking you won’t be a target or have nothing of value for cyber attackers, take these steps to address and prepare to defend against these risks.

For more details on how to harden your IT infrastructure to ransomware attacks, consult the CISA and Multi-State Information Sharing and Analysis Center’s Ransomware Guide.

About the essayist: Don Boian is the Chief Information Security Officer at Hound Labs, Inc., which supplies ultra-sensitive, portable marijuana breathalyzer technology. He worked at the National Security Agency for 30 years on defensive and offensive cyber operations, and most recently served as CISO for a large regional bank.

From financial institutions to meat producers, it seems every industry has been impacted by ransomware in the past year — maybe even the past week. The world’s largest enterprises to the smallest mom-and-pop shops have been devastated by cybercriminals who are looking to hold assets hostage for a big pay day.

Related: Tech solutions alone can’t stop ransomware

Why the stark increase? Put simply, ransomware attacks are on the rise because of profits. This return on investment is bringing in new players, and the ransomware monster continues to grow…and we’re not ready to fight it off. Why? We’re not prepared to defend against persistent threats.

With ransomware-as-a-service (RaaS) as popular as it is, the attribution conversation becomes more difficult. Most of the ransomware attacks that use RaaS are done by affiliates who bounce from service to service, often using two to four different services at the same time. Shutting down a service doesn’t stop the attacks – the affiliates move to another RaaS provider, the RaaS owners just rename, retool, and go again.

While it’s nice to see law enforcement and governments go after the gangs, that won’t stop the monster that has grown out of control, that we, as an industry, continue to feed. While attribution and following the money can get a few wins, we need a multi-pronged strategy to slay the ransomware beast.

Low cost attacks

Understanding the root cause of these attacks is crucial so we can adjust defenses to protect against them. Actionable forensics on how these attacks were carried out goes a long way toward understanding the attack methodology and inner workings of these affiliates and criminal gangs.

The living off the land/fileless attack methodology has not changed in years, despite the uptick in attack severity and frequency. Behaviors change and tools change, but the methodology remains the same. Yet, at the macro level, we don’t stop known malware, known malicious behaviors, remedy commodity tools that are used maliciously, or patch known actively exploited vulnerabilities immediately.

We’re failing as an industry to make it difficult for attackers to reach their goals. We spend millions to defend while attackers spend as little as $100 to conduct an attack with a potentially huge return on that investment.

Small-to-medium-sized businesses make up 99 percent of all businesses in the United States, and are a big ransomware target. Roughly 60 percent of successful ransomware attacks are against SMBs.

Enterprises have higher payouts, but ransomware gangs know they’re likely to face higher scrutiny after major attacks, especially when the impact of those attacks extends past the company (think the Colonial Pipeline attack).

Because of this, ransomware gangs are starting to focus more on SMBs. They’re easier to attack and provide moderate consistent payouts with little retribution from law enforcement or governments. Most SMBs don’t have the resources to defend against persistent threats and are more vulnerable than large enterprises that have more resources.

Bricks in the wall

There is no silver bullet in an industry that’s evolving (both in good and bad ways) as fast as cybersecurity. However, starting with a strong security foundation goes a long way. A security program built on a strong foundation will be strong, a security program built on a shaky foundation will be shaky.

A few things that are involved in most attacks include social engineering, passwords, and vulnerabilities. At the macro level, password hygiene is abysmal. Avoiding password reuse and using strong, hard-to-guess passwords goes a long way. The use of multi-factor authentication (MFA) that is not easily socially engineered is critical.

Vulnerability management with proper prioritization is also a must. The US CERT has a database of actively exploited vulnerabilities that is consistently updated. If you patch nothing else, patch vulnerabilities you’re affected by that are or have been actively exploited.
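The database the paragraph refers to is CISA's Known Exploited Vulnerabilities (KEV) catalog, and the "patch exploited first" rule is easy to make mechanical. The script below is an added example (not from the essay or SafeBreach): it ranks scanner findings so KEV-listed CVEs outrank higher CVSS scores that nobody is exploiting; the feed excerpt, CVE IDs, hosts and vendors are constructed placeholders in the shape of the public KEV JSON.

```python
"""Added example (not from the essay or SafeBreach): rank scanner findings so that
vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog
are patched first, as the essay recommends.

The feed excerpt is constructed in the shape of the public KEV JSON; the CVE IDs,
vendors and hosts are placeholders, not real entries.
"""
import json
from datetime import date

KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2022-02-10", "dueDate": "2022-02-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2022-03-01", "dueDate": "2022-03-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "OtherCMS",
     "dateAdded": "2022-03-05", "dueDate": "2022-03-19", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner output: one row per (host, CVE) finding with the scanner's CVSS score.
FINDINGS = [
    {"host": "vpn-gw-01", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"host": "mail-01",   "cve": "CVE-0000-0002", "cvss": 6.1},
    {"host": "web-03",    "cve": "CVE-0000-0009", "cvss": 9.8},  # severe, but not in KEV
    {"host": "web-03",    "cve": "CVE-0000-0003", "cvss": 5.4},
    {"host": "file-02",   "cve": "CVE-0000-0010", "cvss": 4.3},
]


def load_kev(feed: str) -> dict:
    """Index the KEV feed by CVE id; due dates become date objects for comparison."""
    catalog = {}
    for entry in json.loads(feed)["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            "due": date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "product": f'{entry["vendorProject"]} {entry["product"]}',
        }
    return catalog


def prioritize(findings: list, catalog: dict, today: date) -> list:
    """Return findings ordered by patch priority.

    Tier 0: in KEV and past CISA's due date, or tied to ransomware campaigns
    Tier 1: in KEV, due date still ahead
    Tier 2: not in KEV; ordered by CVSS as a fallback
    KEV membership outranks CVSS: a 9.8 nobody exploits waits behind a 5.4 that is exploited.
    """
    ranked = []
    for f in findings:
        kev = catalog.get(f["cve"])
        if kev is None:
            key = (2, -f["cvss"])
        elif kev["due"] < today or kev["ransomware"]:
            key = (0, kev["due"])
        else:
            key = (1, kev["due"])
        ranked.append({**f, "tier": key[0], "due": kev["due"].isoformat() if kev else None,
                       "_key": key})
    ranked.sort(key=lambda r: r["_key"])  # tiers differ before the mixed second elements compare
    for r in ranked:
        del r["_key"]
    return ranked


def patch_order(today_iso: str = "2022-03-10") -> list:
    """Prioritized list for the constructed data as of a given day (ISO date string)."""
    return prioritize(FINDINGS, load_kev(KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in patch_order():
        print(f'tier {row["tier"]}  {row["host"]:10} {row["cve"]}  cvss={row["cvss"]}  due={row["due"]}')
```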

BAS technology allows you to test and tune your security controls, exercise your people and processes, and provide visibility not previously available into how your security program is working. Having a security tool such as endpoint protection isn’t enough. You must understand if it’s configured correctly and if you’re getting what you’re paying for.

While there is no one tool that can slay the ransomware beast for good, focusing on areas that are highly exploitable can help prevent the bad guys from reaching their goals. The more expensive it is to attack before a profit, the closer to eliminating the ransomware monster we are. Until the profits diminish to a point that running the criminal organizations is no longer viable, we’ll be stuck in the fight.

About the essayist: Derek Krein is Security Services Director at SafeBreach, supplier of a patented platform that enables security teams to conduct offensive security maneuvers.

Purple teaming is a way to use red teaming to understand and improve your defensive posture. Militaries improve operations through wargames. In the 1820s, the Prussian military labeled the two teams for this as “red” and “blue,” with red traditionally associated with the attackers, while blue represented the defender.

Related: Deploying human sensors

With increased dependence on computers, the military applied this war-gaming concept and color scheme to cyber. It became clear that the blue team could benefit from a more collaborative relationship with red, leading to the creation of “purple teaming.”

This collaboration is the key ingredient to successful purple teaming. The blue team decides on specific threats they want to test themselves against and the red team emulates those threats. The red team helps the blue team understand what’s working – and what they’re missing – by sharing information about their actions. By seeing blue team’s defenses, the red team can modify their attack to help highlight defensive gaps relative to real threats.

Marshaling defenses

While traditional red teaming often aims to motivate a network owner to take the threat seriously and identify vulnerabilities, purple teaming focuses on illuminating exactly what actions defenders must take to effectively mitigate or respond to the Tactics, Techniques, and Procedures (TTPs) of real adversaries. This allows cyber defenders to gain valuable insight about what realistic malicious TTPs will look like in their network and how they are impacted by existing defenses.

The entire process is a much more collaborative effort to truly understand how the current defenses are working and where improvements can be made. With increased communication, defenders can confidently and rapidly design, test, and tune new defenses to keep pace with the constantly evolving threat landscape.

Although it’s still somewhat of a niche practice, there’s a great opportunity to provide defenders more resources to effectively defend their organizations through purple teaming. Also, implementing it on a regular cadence – weekly, monthly, or quarterly – can be beneficial. This way, it’s a regular part of security operations and the industry will see more cases where the first targeted organization detects and stops an attack.

One of the biggest benefits provided by purple teaming is that it leads to meaningful and actionable insight for the defenders. It clearly shows them their current posture, both strengths and weaknesses, against real-world TTPs to see what is and isn’t working to make the appropriate modifications.

The red team can now emulate a known threat that the defenders are very likely to encounter and the blue team will now have known malicious activity in their data to validate that their mitigations and detections will work.

It’s like a scientific experiment, where teams can repeatedly control and update each variable until the desired outcome is achieved.

Flexibility is essential

However, there are a couple of challenges associated with implementing purple teaming. For example, there is often a psychological challenge: it’s human nature to always want to “win,” but in the case of purple teaming, the red team can’t be preoccupied with getting the best of defenders. Both sides need to ensure they’re using a repeatable and intelligible process that can mitigate this challenge.

Teams also must be flexible enough with their plan to achieve what the blue team is trying to accomplish, and clearly communicate what TTPs were used in the event. This means that organizations need a red team that understands real adversary TTPs.

Often, the events detected by the blue team are consequences of the red team actions, but not the actions themselves. The red team and blue team must work together to bridge this gap to check if the blue team detections are connected to the red team actions.
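Closing the gap described in the last paragraph becomes a bookkeeping exercise once both sides log what they did: every alert is either tied to a red-team action or has to be explained some other way. The script below is an added example (not from the essay or MITRE) that reconciles a constructed red-team action log with constructed SIEM alerts, classing each detection as direct, indirect (a consequence of the action on another host, with no technique tag), missed, or unattributed; the hosts, rule names and timing window are assumptions, while the technique IDs use the ATT&CK ID format.

```python
"""Added example (not from the essay or MITRE): reconcile red-team actions with
blue-team detections so that each alert is tied to the action that caused it.

Both logs are constructed. Rule names, hosts and the 5-minute window are assumptions.
"""
from datetime import datetime, timedelta

# Red team's own record of what it did, written during the exercise.
RED_ACTIONS = [
    {"time": "2022-03-10T09:00:00", "host": "ws-17",  "technique": "T1059.001", "what": "PowerShell execution"},
    {"time": "2022-03-10T09:05:00", "host": "ws-17",  "technique": "T1003.001", "what": "credential access via LSASS"},
    {"time": "2022-03-10T09:20:00", "host": "ws-17",  "technique": "T1021.002", "what": "lateral movement over SMB",
     "target": "srv-02"},
    {"time": "2022-03-10T09:40:00", "host": "srv-02", "technique": "T1053.005", "what": "scheduled task persistence"},
]

# Blue team's alerts from the same window, exported from the SIEM.
BLUE_DETECTIONS = [
    {"time": "2022-03-10T09:00:40", "host": "ws-17",  "rule": "Suspicious PowerShell cmdline", "technique": "T1059.001"},
    {"time": "2022-03-10T09:21:10", "host": "srv-02", "rule": "Admin share logon from workstation", "technique": None},
    {"time": "2022-03-10T11:15:00", "host": "ws-04",  "rule": "Suspicious PowerShell cmdline", "technique": "T1059.001"},
]

WINDOW = timedelta(minutes=5)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def reconcile(actions: list, detections: list, window: timedelta = WINDOW) -> dict:
    """Map each red action to the detections it plausibly caused.

    A detection counts for an action when it fires within `window` after the action
    on the action's host or its stated target. It is 'direct' when the rule carries
    the same technique ID, 'indirect' when only time and host tie it back: the
    essay's case of seeing a consequence of the action rather than the action itself.
    Detections matching no action are 'unattributed' and need separate triage.
    """
    used = set()
    report = {"direct": [], "indirect": [], "missed": [], "unattributed": []}
    for a in actions:
        start = _ts(a["time"])
        hosts = {a["host"], a.get("target")} - {None}
        hits = [i for i, d in enumerate(detections)
                if i not in used and d["host"] in hosts
                and start <= _ts(d["time"]) <= start + window]
        if not hits:
            report["missed"].append(a["technique"])
            continue
        for i in hits:
            used.add(i)
            kind = "direct" if detections[i]["technique"] == a["technique"] else "indirect"
            report[kind].append((a["technique"], detections[i]["rule"]))
    report["unattributed"] = [d["rule"] for i, d in enumerate(detections) if i not in used]
    # Coverage counts an action as seen if anything, direct or indirect, fired for it.
    report["coverage"] = (len(report["direct"]) + len(report["indirect"])) / len(actions)
    return report


if __name__ == "__main__":
    for key, value in reconcile(RED_ACTIONS, BLUE_DETECTIONS).items():
        print(f"{key:13}: {value}")
```

The "indirect" bucket is where the blue team tunes rules to name the technique, and the "missed" list is the next exercise's agenda.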

Since cyber operations can often be the most appealing approach for criminals to achieve their goals, one of the best ways to fight back is to hit them where it really counts: their wallets. With a threat-informed approach to defense that includes the benefits of purple teaming, defenders have the potential to make cyber intrusions cost more than they’re worth to adversaries.

About the essayist: Steve Luke is Director of Training and Certification, MITRE ATT&CK Defender.

As the dust settles following the recently disclosed hack of NewsCorp, important lessons are emerging for the cybersecurity and journalism communities.

Related: How China challenged Google in Operation Aurora

The Chinese government is well known for its censorship, and for frequent harassment and intimidation of foreign journalists. These are the foremost reasons China is ranked fourth worst globally regarding press freedoms.

China has enclosed its national internet servers within what is colloquially called ‘the Great Firewall.’ This firewall even goes as far as to block the latest version of the TLS encryption protocol (1.3) because it puts mechanisms in place to prevent third parties from decrypting traffic.

Internationally, there is no doubt that this predominantly serves to facilitate the detection and blocking of topics sensitive to the Chinese Communist Party, such as the events of June 4, 1989, in Tiananmen Square. The recent Western reporting on the Uyghur internment camps in Xinjiang triggered further sensitivity around how the international community views the Chinese Communist Party’s domestic policies.

In a recent statement, the Foreign Correspondents Club of China (FCCC) commented, “Covering China is increasingly becoming an exercise in remote reporting, as China cuts off new visas and expels journalists.” Only 4 percent of respondents to an FCCC poll said their organization received a new J-1 visa in 2021, and 46 percent said their bureaus were understaffed because of a lack of visas.

Even those physically in China increasingly face obstruction as they investigate their stories. This ‘remote journalism’ largely relies on access to in-country sources, typically Chinese nationals willing to share their day-to-day experiences with foreign reporters.

If the Chinese government cannot prevent a story from being published outside of the country, it can act against sources. Identifying sources has become a tool in countering the anti-China narrative in the foreign press, and it acts as a powerful disincentive to anyone inside China who might consider speaking to a foreign journalist.

Like many organizations and industries, NewsCorp migrated its digital estate to make greater use of the cloud, including leveraging SaaS providers like Google Workspaces to host email infrastructure.

Migrating from on-premises infrastructure to the cloud has substantial benefits, including increased efficiency, capabilities, and cost-savings. But it also has a considerable downside. If your staff can log on to the internet to access their emails, so can an attacker. These bad actors are no longer constrained by the need to access a physical device in an office location.

For organizations that have made that jump, sticking with a simple username and password to protect a globally accessible email server is far from good enough. Password leaks are commonplace. Employees often reuse passwords between other services and accounts. Credential harvesting attacks via phishing emails are now a daily occurrence. With these factors compounded, it’s only a matter of time before an attacker acquires an email address and password and can simply log in—no need to hack; no need to exploit a zero-day vulnerability.

Multi-factor authentication (MFA) is a powerful defense from these sorts of attacks, limiting the use of a username and password to the individual who possesses the physical key. MFA is a must for organizations using SaaS for email.

MFA can be challenging to implement for some organizations from a technology or cost perspective or due to user pushback. In some cases, there have been attacks against MFA systems targeting the companies that make them or exploiting the underlying technology. MFA, however useful, is no silver bullet.

From a detection and monitoring perspective, determining what is and is not a legitimate user log-on event can be difficult. Detection often relies on attackers mounting their heists from known bad infrastructure on the internet, infrastructure that is known only because systems caught attackers using it before. This leaves security teams powerless to stop novel threats and zero-days.

Some mitigation techniques rely on simply blocking vast swathes of the internet, based on the country from which the IP address allegedly exists – but even geolocation of an IP address is more art than science, and this heavy-handed security can disadvantage an international business. In the case of NewsCorp, blocking access to any IP address believed to be in China would make reporting remotely even more challenging.
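The alternative to reputation lists and blanket country blocks is a per-user baseline: score each sign-in on how far it departs from what that account normally looks like, and treat a reputation hit or a geolocated country as one weighted signal rather than the whole verdict. The following is an added illustration in Python, not code from the essay or from Darktrace; the GeoIP table, the reputation list, the baseline and the sign-in events are all constructed sample data, and the score thresholds are assumptions for the demo.

```python
"""Baseline-driven sign-in review for a cloud mailbox (added example).

Flags sign-ins that break a per-user baseline instead of relying only on
known-bad IP lists or country blocks: new country, new user agent, missing
MFA, impossible travel, with IP reputation as one signal among several.
All data below is constructed; it references no real service or user.
"""
import ipaddress
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed "GeoIP" table: prefix -> (country, lat, lon). Real geolocation
# is approximate, which is why country is only ever one weighted signal.
GEO = {
    "203.0.113.0/24": ("GB", 51.5, -0.12),
    "198.51.100.0/24": ("US", 40.7, -74.0),
    "192.0.2.0/24": ("HK", 22.3, 114.2),
}
KNOWN_BAD = {"198.51.100.77"}  # constructed reputation list


def geolocate(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, info in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return ("??", None, None)


def km_between(a, b):
    """Great-circle distance (haversine); good enough for travel-speed checks."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def score_signin(event, baseline):
    """Return (score, reasons) for one sign-in against the user's baseline.

    baseline: {"countries": set, "agents": set, "last": (aware datetime, (lat, lon))}
    event:    {"ts": ISO-8601 string, "ip": str, "agent": str, "mfa": bool}
    Weights are assumptions chosen for the demo, not a vendor's model.
    """
    score, reasons = 0, []
    country, lat, lon = geolocate(event["ip"])
    if country not in baseline["countries"]:
        score += 2
        reasons.append(f"new country {country}")
    if event["agent"] not in baseline["agents"]:
        score += 1
        reasons.append("new user agent")
    if not event["mfa"]:
        score += 2
        reasons.append("MFA not completed")
    if event["ip"] in KNOWN_BAD:
        score += 3
        reasons.append("IP on reputation list")
    last = baseline.get("last")
    if last and lat is not None:
        hours = (datetime.fromisoformat(event["ts"]) - last[0]).total_seconds() / 3600
        dist = km_between(last[1], (lat, lon))
        if hours > 0 and dist / hours > 900:  # faster than a commercial flight
            score += 3
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")
    return score, reasons


def verdict(score):
    """Map a score to an action; thresholds are constructed for the demo."""
    if score >= 6:
        return "block-and-alert"
    if score >= 3:
        return "require-step-up"
    return "allow"


def demo():
    """Three constructed sign-ins for one user whose baseline is London/Outlook."""
    baseline = {
        "countries": {"GB"},
        "agents": {"Outlook/16"},
        "last": (datetime(2022, 2, 1, 8, 0, tzinfo=timezone.utc), (51.5, -0.12)),
    }
    events = {
        "routine": {"ts": "2022-02-01T09:00:00+00:00", "ip": "203.0.113.5",
                    "agent": "Outlook/16", "mfa": True},
        "suspicious": {"ts": "2022-02-01T09:00:00+00:00", "ip": "192.0.2.10",
                       "agent": "curl/7.79", "mfa": False},
        "flagged_ip": {"ts": "2022-02-02T09:00:00+00:00", "ip": "198.51.100.77",
                       "agent": "Outlook/16", "mfa": True},
    }
    out = {}
    for label, ev in events.items():
        score, reasons = score_signin(ev, baseline)
        out[label] = {"score": score, "reasons": reasons, "verdict": verdict(score)}
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "flagged_ip" case is the point of the design: a reputation hit alone lands in the step-up band rather than an outright block, so a reporter connecting from an unfamiliar network is challenged, not locked out, while the sign-in with no MFA from a location the account could not have reached is blocked outright.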

We have entered a new era of cyber threats. If measured as a country, cybercrime would possess the third-largest economy in the world, behind the U.S. and China. Cyber tools now undoubtedly play a role in international espionage, and last month, NewsCorp bore the brunt of cyber-attackers using the most sophisticated tools in their arsenal to breach its digital estate. 

About the essayist: Toby Lewis is Global Head of Threat Analysis at Darktrace, which supplies technology that applies Self-Learning AI to enable machines to understand the business in order to autonomously defend it.

APIs have become a security nightmare for SMBs and enterprises alike.

Hackers don’t discriminate based on the number of employees or the size of the IT budget. The same types of security risks impact businesses, whatever their size.

Related: Using employees as human sensors

Day in and day out, small-to-medium businesses are targeted by cyberattacks. They are often unaware of the risks they take on, which can include hacking, fraud, phishing, and more. A primary culprit of these attacks is the lack of understanding of application programming interfaces, or APIs.

SMBs and enterprises alike have been struggling with APIs as a mechanism for information security. According to Forbes, “the first half of 2018 was marked by an increase in API-related data breaches, with the 10 largest companies reporting the loss of 63 million personal records.”

These types of attacks can allow hackers to steal massive amounts of sensitive data, disrupt operations, and even take down websites. To protect against these attacks, businesses need to implement a wide range of strong API security measures such as authentication, authorization, encryption, and vulnerability scanning. The sheer number of options has a direct impact on the budget.

The fact that there are so many different APIs is the main challenge for enterprises when it comes to API security. Storing authentication credentials for the API is a significant issue. This can be compounded by certain enterprises using the Internet of Things (IoT) that don’t have good security.


Companies are realizing that they have to keep putting out fires on personal devices, leaving them vulnerable to attacks. The other issue with APIs is that once one is compromised, it’s likely that all of your accounts are affected because whoever does gain access will just use your username and password to log in to other sites, apps, etc.
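The two problems named above, where the API's credentials are stored and what a stolen credential can be reused for, are both addressed at the point where keys are issued. The following is an added example in Python, not code from the essay or from BLST Security: keys are random, shown to the caller once, stored only as hashes, and bound to an explicit scope, so a copied database yields nothing replayable and one integration's key cannot be used against another. The store, scopes and key format are constructed for the demo.

```python
"""API key issuance and checking with hashed storage and scopes (added example).

A key is high-entropy and random, so a fast hash (SHA-256) is enough to store
it; slow password hashes are for low-entropy secrets people choose. The
plaintext exists only in the value returned from issue(). Everything here
is constructed; no real service, key or scope name is referenced.
"""
import hashlib
import hmac
import secrets


class ApiKeyStore:
    def __init__(self):
        # key_id -> {"digest": bytes, "scopes": set[str], "active": bool}
        self._records = {}

    def issue(self, scopes):
        """Create a key for the given scopes; returns '<key_id>.<secret>' once."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = {
            "digest": hashlib.sha256(secret.encode()).digest(),
            "scopes": set(scopes),
            "active": True,
        }
        return f"{key_id}.{secret}"

    def revoke(self, key_id):
        """Disable a key without deleting its audit record."""
        if key_id in self._records:
            self._records[key_id]["active"] = False

    def authorize(self, presented, needed_scope):
        """True only if the key parses, is active, matches, and carries the scope."""
        key_id, _, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None or not rec["active"]:
            return False
        digest = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(digest, rec["digest"]):  # constant-time compare
            return False
        return needed_scope in rec["scopes"]


def demo():
    """Issue one read-only key and exercise the checks a gateway would make."""
    store = ApiKeyStore()
    key = store.issue(["orders:read"])
    results = {
        "right_scope": store.authorize(key, "orders:read"),
        "wrong_scope": store.authorize(key, "orders:write"),
        "tampered_key": store.authorize(key[:-2] + "!!", "orders:read"),
        "garbage": store.authorize("not-a-key", "orders:read"),
    }
    store.revoke(key.split(".")[0])
    results["after_revoke"] = store.authorize(key, "orders:read")
    return results


if __name__ == "__main__":
    print(demo())
```

Splitting the key into a public `key_id` and a hashed secret is what makes revocation and logging possible without ever writing the secret to disk; the `key_id` can appear in access logs, the secret never should.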

The threat that API security breaches pose to enterprises should not be taken lightly. A breach should always trigger a comprehensive crisis communication plan involving the board, C-suite, and other stakeholders. This communication plan should specify how governing bodies will stay informed should there be a data breach as well as.

As you can see, handling API security is a tedious operation, not to mention an expensive one, even for enterprises. Big-budget enterprises can mitigate such breaches, while SMBs can barely spare a budget for them, which makes SMBs an easy target for the same attacks.

For the most part, SMBs believe that they’re small targets and are unlikely to be attacked, but that’s really not true. We see high numbers of attacks against SMBs. Hackers aren’t looking for buckets of cash.

SMBs tend to be the target of common criminals. In some cases, attackers start with a specific target in mind and work their way up to attempting to breach it, but in other cases it’s very opportunistic. It’s really about finding the easiest target to penetrate, the low-hanging fruit.

However, in recent years, we can see that SMBs are increasingly using cloud-based services to manage many areas of their information technology. These services used to be enterprise-only solutions.

The same goes for cybersecurity: SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and penetration testers, which help organizations identify and resolve security vulnerabilities, are now readily available to SMBs as well as enterprises, although they used to be solutions aimed only at larger businesses.

At the same time, solutions such as BLST (Business Logic Security Testing), which provide automatic penetration testing at a budget price, are increasingly used. These tools can continuously scan APIs, so security vulnerabilities can be accurately identified and located, allowing development and security testing teams to detect and remediate vulnerabilities more quickly.

In conclusion, SMBs are at a disadvantage when it comes to API security because they often don’t have the same level of security resources as enterprise-size businesses. Hackers know this and often target SMBs because they’re an easy target. However, solutions that were once used only by enterprises are now commonly used by SMBs, and the price is reasonable.

About the essayist: Nathan Sitbon is a penetration tester at BLST Security, which supplies technology that finds broken logic in your API and maps it, with an easy-to-use, integrated platform.

Cybersecurity has never felt more porous. You are no doubt aware of the grim statistics:

•The average cost of a data breach rose year-over-year from $3.86 million to $4.24 million in 2021, according to IBM.

•The majority of cyberattacks result in damages of $500,000 or more, Cisco says.

•A sobering analysis by Cybersecurity Ventures forecasts that the global cost of ransomware attacks will reach $265 billion in 2031.

•The FBI reports that 3,000-4,000 cyberattacks are counted each day.

That’s just a sample of what is obvious to anyone in the industry: we’re in a war with cybercriminals, and we can hardly say we’re winning.

The vulnerabilities of internet security, once mostly a nuisance, have become dangerous and costly. Data privacy breaches expose sensitive details about customers, staff, and company financials. Security software may have been a satisfactory product at the turn of the century, but despite massive levels of investment, many experts now realize that it is not adequate for dealing with contemporary threats.

We reached this point of friction because of the compound effect of two shortcomings. First, security was too often treated as an afterthought by the industry, taking a backseat to a device’s speed, functionality, and design. Security remains an added expense that isn’t easy to market, especially when third-party software solutions have been so widely adopted.

But those software choices have proven to be lacking in dependability and often require patches or upgrades that are costly to the end user. Second, the design of security solutions struggled to scale up properly or to adapt to the technological changes in the industry, especially in disaggregated compute networks.


Meanwhile the attack surface keeps broadening with the increasing interconnectivity of services, product chains, and user interfaces. Seeing the flaws continue year after year, the industry began linking authentication of valid software components to the underlying hardware, or the “root of trust”.

This approach allows for compromised software to be identified during the authentication process. However, hackers have attacked unsecured hardware and compromised this root. Thus, secure implementations are critical.
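The mechanism behind "linking authentication of valid software components to the underlying hardware" is a measurement chain: an immutable root measures the next stage before handing over, every stage extends a register that can only move forward, and an attestation service compares the final register value to a golden value taken from a known-good system. The following is an added simulation in Python, not Axiado's design or code: the allowlist stands in for signature verification of each stage, the images and golden values are constructed, and the register is modelled with standard-library hashing.

```python
"""Measured and verified boot against a hardware root of trust (added example).

Two separate properties are modelled:
  * verified boot: the root refuses to hand control to a stage whose
    measurement it cannot vouch for (allowlist stands in for a signature check);
  * measured boot: every stage is folded into a register, PCR-style
    (new = H(old || H(image))), so a remote attester can detect a changed
    or reordered stage from the final value alone.
Images, allowlists and golden values are constructed for the demo.
"""
import hashlib

REGISTER_SIZE = 32  # SHA-256 digest length


def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def extend(register: bytes, image: bytes) -> bytes:
    """PCR-style extend: the register can only be advanced, never set or reset."""
    return hashlib.sha256(register + measure(image)).digest()


def boot(stages, allowlist):
    """Walk the chain of (name, image) stages from an all-zero register.

    Returns (register, log). The register is extended before the stage is
    checked, so a rejected stage still leaves its mark for the attester.
    Halts at the first stage not on that stage's allowlist.
    """
    register = bytes(REGISTER_SIZE)  # reset only at power-on, by hardware
    log = []
    for name, image in stages:
        digest = measure(image)
        register = extend(register, image)
        log.append((name, digest.hex()))
        if digest not in allowlist.get(name, set()):
            log.append((name, "HALT: unexpected measurement"))
            return register, log
    return register, log


def attest(register: bytes, golden: bytes) -> bool:
    """What a remote attestation service does with the reported register."""
    return register == golden


def demo():
    """Known-good chain, then the same chain with one byte changed in the kernel."""
    bootloader = b"bootloader image v1 (constructed)"
    kernel = b"kernel image v1 (constructed)"
    allow = {"bootloader": {measure(bootloader)}, "kernel": {measure(kernel)}}
    chain = [("bootloader", bootloader), ("kernel", kernel)]
    golden, _ = boot(chain, allow)            # recorded once from a trusted build
    clean, _ = boot(chain, allow)
    tampered, log = boot([("bootloader", bootloader), ("kernel", kernel + b"\x00")], allow)
    reordered, _ = boot([("kernel", kernel), ("bootloader", bootloader)],
                        {"kernel": {measure(kernel)}, "bootloader": {measure(bootloader)}})
    return {
        "clean_attests": attest(clean, golden),
        "tampered_attests": attest(tampered, golden),
        "tampered_halted": log[-1][1].startswith("HALT"),
        "stages_run_before_halt": sum(1 for _, d in log if not d.startswith("HALT")),
        "reordered_attests": attest(reordered, golden),
    }


if __name__ == "__main__":
    print(demo())
```

The reordered case is why extend is a chained hash rather than a set of independent digests: the same two images booted in the other order produce a different register, so an attacker cannot hide a stage swap even when every individual image is genuine.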

Compounding issues is the nature of threat response: it’s reactive, searching for known threats, while cybercriminals regularly devise new, surreptitious methods to avoid detection. Too frequently, security upgrades occur only after successful attacks have taken place, and most fixes are not sufficient to stand up to a new type of attack.

The good news is, artificial intelligence is here and is showing great promise to deliver what the market needs, that is, pre-emptive and proactive threat detection. In fact, AI is on the verge of providing a remedy for problems that have seemed insurmountable. New AI-based applications are poised to be game-changers for cybersecurity.

Implementing security solutions, such as secure hardware root-of-trust and proactive AI in a piecemeal approach and through multiple compute processor vendors, creates complexity and increases the attack surface for cybercriminals. That can cause deficiencies because of varying implementation quality.

Ideally, these security measures can be offloaded to a dedicated security co-processor that would reside in the control and management plane, separated from the data plane of the main processors. Such a co-processor would be positioned to act as a security watchguard for the entire system and provide a pre-emptive measure to fight cybercrime.

At Axiado, we believe an AI-driven trusted control/compute unit, or TCU, provides the level of protection the data-communications industry is demanding. The TCU is designed as a stand-alone processor that will reside on a motherboard next to a CPU, GPU or other compute engine.

This security-by-design solution for the control and management plane is based on proprietary Axiado technology, including Secure Vault™ (a secure hardware root-of-trust, cryptography engine and secure key/certificate storage), Secure AI™ (a pre-emptive threat-detection hardware engine), and firewall advancements.

Hardware with a TCU included will allow companies to pre-emptively detect threats and minimize the endless and often inadequate number of security patches they have been forced to choose for years.

Cybercriminals are nimble, use updated software, and are often determined. With an unprecedented number of attacks inundating global databases, it is the time to end threats with an AI-assisted hardware solution that denies cybercriminals entry into networks and the precious data they store.

About the essayist. Gopi Sirineni is the CEO of Axiado, which supplies advanced technologies to secure the hardware root of trust.

Log4j is the latest, greatest vulnerability to demonstrate just how tenuous the security of modern networks has become.

Log4j, aka Log4Shell, blasted a surgical light on the multiplying tiers of attack vectors arising from enterprises’ deepening reliance on open-source software.

Related: The exposures created by API proliferation

This is all part of corporations plunging into the near future: migration to cloud-based IT infrastructure is in high gear, complexity is mushrooming and fear of falling behind is keeping the competitive heat on. In this heady environment, open-source networking components like Log4j spell opportunity for threat actors. It’s notable that open-source software vulnerabilities comprise just one of several paths ripe for malicious manipulation.

By no means has the cybersecurity community been blind to the complex security challenges spinning out of digital transformation. A methodical drive has been underway for at least the past decade to effect a transition to a new network security paradigm – one less rooted in the past and better suited for what’s coming next.

Log4j bathes light on a couple of solidifying developments. It reinforces the notion that a new portfolio of cloud-centric security frameworks must take hold, the sooner the better. What’s more, it will likely take a blend of legacy security technologies – in advanced iterations – combined with a new class of smart security tools to cut through the complexities of defending contemporary business networks.

I’ve recently had several deep-dive discussions with cybersecurity experts at Juniper Networks, about this. The Sunnyvale, Calif.-based networking systems supplier, like any number of other established tech giants, as well as innumerable cybersecurity startups, is deeply vested in seeing this transition through to the end. Here are key takeaways:

Messy co-dependencies

It’s ironic that open-source software is steeped in altruism. In the early days of the Internet, coders created new programs for the sake of writing good code, then made it available for anyone to use and extend, license free. However, once the commercial Internet took hold, developers began leveraging open-source components far and wide in proprietary systems.

Open-source vulnerabilities in enterprise networks have since become a massive security blind spot. Log4j was preceded by JBoss, Poodle, Shellshock and Heartbleed. These were all obscure open-source components that, over time, became deeply embedded in enterprise systems across the breadth of the Internet, only to have a gaping vulnerability discovered in them late in the game.

Log4j, for instance, is a ubiquitous logging library. Its rather mundane function is to record events in a log for a system administrator to review and act upon later. Log4Shell now refers to the family of vulnerabilities — and related exploits — unearthed last December by a white hat researcher at Alibaba, the Chinese equivalent of Google. Left unpatched, Log4Shell vulnerabilities present easy paths for a threat actor to take full control of the underlying system.

The bigger picture, says Mike Spanbauer, security evangelist at Juniper Networks, is that enterprises to this day continue to deploy open-source components without consistent rigor, lacking any formal infusion of security quality assurance into their coding practices. Gaping security holes regularly get discovered by hackers – both white hat and black hat – engaged in probing randomly for soft spots.

Expediency and cost savings drove commercial adoption of open-source components in the early days of the commercial Internet. And the very same mindset persists today, perhaps even more so, as companies increasingly rely on open-source software to keep pace, observes Kate Adam, Juniper Network’s senior director of security product marketing.


“This is an established practice that’s now influencing in a new way due to how the business environment has shifted,” Adam says. The intensely competitive cybersecurity talent market is partly to blame here. Companies increasingly reach for off-the-shelf open-source components, Adam says, to some degree because of the scarcity of skilled coders, especially those steeped in security.

“Some enterprises never use anything open-source and always do everything themselves, but that’s a massive undertaking, and they’re in a tiny minority,” she says. Indeed, according to the Linux Foundation, as much as 80 percent of the code in current applications is open source, often buried deep.

Log4Shell illuminated the security snarls and tangles created by software co-dependencies that, in many organizations, have congealed into a chaotic, indecipherable mess. Here’s how Spanbauer describes what this looks like — from the perspective of an enterprise’s IT and security teams.

“How a given open-source library works in a specific app can be a mystery because arbitrary parties contributed pieces of coding that may or may not have been documented,” he says. “This makes for very flexible, very agile code, but there is also an absence of the data that you need for your security models — to determine how to best protect the assets you’re responsible for . . . This is the current state of affairs for practically every organization, almost without exception. And these types of co-dependencies are here to stay. They’re now the norm and security teams must assess and manage the risk of these stacks.”
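The "indecipherable mess" Spanbauer describes is, concretely, a resolved dependency graph in which a flagged library sits several hops below anything the application declared. The first step in managing that risk is being able to answer "do we ship it, at what version, and which direct dependency pulled it in?" The following is an added example in Python, not Juniper's tooling or code from the article: it walks a constructed graph of the kind a build tool resolves and lists every path from the application to a component named in an advisory. The component names, versions and the advisory's version bound are all constructed placeholders; the logging library here merely stands in for one such as Log4j, and the bound is not a figure from any real advisory.

```python
"""Locate an advisory-flagged component in transitive dependencies (added example).

Input is a resolved graph (artifact -> (version, direct dependencies)), as a
build tool would produce after version resolution. Output is one finding per
path from the application to each affected component, naming the direct
dependency that dragged it in. Graph, versions and advisory are constructed.
"""

# Constructed resolved graph. "logging-core" stands in for a library such as
# log4j-core; the version numbers are placeholders, not real releases.
GRAPH = {
    "app": ("1.0", ["web-framework", "report-engine"]),
    "web-framework": ("5.3", ["logging-facade"]),
    "report-engine": ("2.1", ["pdf-lib", "logging-core"]),
    "logging-facade": ("1.7", ["logging-core"]),
    "pdf-lib": ("3.0", []),
    "logging-core": ("1.4", []),
}

# Constructed advisory: component -> version constraint. Placeholder bound.
ADVISORY = {"logging-core": "<1.5"}


def version_tuple(v):
    """Dotted numeric version -> comparable tuple, e.g. '1.10' > '1.9'."""
    return tuple(int(part) for part in v.split("."))


def affected(version, constraint):
    """Evaluate the single constraint form this demo supports: '<X.Y[.Z]'."""
    op, bound = constraint[:1], constraint[1:]
    if op != "<":
        raise ValueError(f"unsupported constraint: {constraint}")
    return version_tuple(version) < version_tuple(bound)


def paths_to(graph, root, target):
    """Every dependency path root -> ... -> target; the graph is assumed acyclic."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for dep in graph[node][1]:
            walk(dep, path + [dep])

    walk(root, [root])
    return found


def audit(graph, root, advisory):
    """One finding per path to each component whose resolved version is affected."""
    findings = []
    for component, constraint in advisory.items():
        if component not in graph:
            continue  # not shipped at all
        version = graph[component][0]
        if not affected(version, constraint):
            continue  # shipped, but already at a version outside the bound
        for path in paths_to(graph, root, component):
            findings.append({
                "component": component,
                "version": version,
                "via": path[1],               # the direct dependency to chase
                "depth": len(path) - 1,
                "path": " -> ".join(path),
            })
    return findings


if __name__ == "__main__":
    for f in audit(GRAPH, "app", ADVISORY):
        print(f"{f['component']} {f['version']} (depth {f['depth']}) via {f['via']}: {f['path']}")
```

Reporting every path rather than the first one matters in practice: upgrading `web-framework` alone would leave the copy reached through `report-engine` in place, which is exactly how a fix gets declared done while the flagged library still ships.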

Legacy tech’s role

Log4Shell actually contributes to progress in this sense: it heightens awareness, which should help accelerate the transition to a much-needed new security paradigm. There are many more Gordian-knot issues that need to be dealt with, to be sure. Complex and evolving cyber risks need to be resolved, for instance, when it comes to securing human and machine identities, tightening supply chains, mitigating third-party risks, protecting critical infrastructure and preserving individuals’ privacy.

Emerging frameworks, like Zero Trust Network Access (ZTNA), Cloud Workload Protection Platform (CWPP), Cloud Security Posture Management (CSPM) and Secure Access Service Edge (SASE), aim to help mitigate this spectrum of intensifying risks. Frameworks like these serve as guideposts. The task at hand is to steer the center of gravity for securing networks to the Internet edge, where cloud-centric resources and services increasingly reside.

This trend is well underway, and the handwriting is on the wall for many costly cybersecurity tools and services that were first installed 20 years ago to protect on-premises datacenters: obsolescence is on the near horizon. That said, a couple of prominent legacy technologies seem sure to endure as security cornerstones, moving forward. I’m referring to Security Information and Event Management (SIEM) systems and to firewalls.

SIEMs failed to live up to their hype in the decade after they were first introduced in 2005. Then about five years ago SIEMs got recast as the ideal mechanism for ingesting event log data arriving from Internet traffic, corporate hardware, mobile and IoT devices and cloud-hosted resources — the stuff of digital transformation.

This rejuvenation of SIEMs coincided with the emergence of advanced data analytics tools that could make more effective use of SIEM event logs; system orchestration became streamlined, human behavior got factored in and incident response became automated.

As cloud-hosted processing power and data storage have gained more traction, the role of on-premises data centers has declined. Yet legacy protections for on-premises data centers continue to predominate. The unhappy result: cyber exposures — and successful network breaches – have continued to scale up.

Log4Shell is just the latest reminder that gaping security holes lie dormant everywhere, just waiting to be discovered and exploited, in both cloud and on-premises environments. Consider how ransomware has thrived in the transitional environment we’re now in, and how cyber espionage and cyber warfare have come to factor into geopolitical power struggles.

“Having the requisite technology to protect the data center and the edge actually is not enough, in and of itself,” Adam observes. “It’s now vital to be able to see the entire environment and respond to anomalies in near real time. SIEMs have become so popular because they pull everything together through logs.”

Visibility is vital

Where is this all taking us? New security frameworks, like ZTNA, CWPP, CSPM, and SASE, are the blueprints for networks where the event logs ingested by SIEMs get put to higher uses: detecting and responding to legitimate threats. This will come to fruition on smarter platforms using automated tools, including advanced firewalls.

Firewalls predate SIEMs. Firewalls arrived on day one of companies connecting their networks to the Internet. While a SIEM unit ingests incoming traffic for analysis, a firewall filters traffic flowing in and out of a network.

The earliest firewalls filtered the tiny packets of data exchanged between applications, allowing only the packets that met certain criteria to pass through. This became the basis for blacklisting traffic originating from known bad IP addresses and for restricting employees from connecting to malicious webpages.

Next Generation Firewalls (NGFW) came along in approximately the same time frame as the earliest SIEM systems. NGFWs could conduct deeper, much more detailed packet filtering and soon began taking on more advanced functionalities. NGFWs today can enforce security policies at the application, port, and protocol levels – often detecting and blocking the stealthiest malware from slipping into a network.

The evolution of firewalls, in fact, has never really slowed down and is continuing apace. Firewalls today come in an array of form factors; they’re available as an on-premises appliance, they can be set up to run virtually, or they can even be delivered as a subscription service.
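The difference between the two firewall generations described above is visible in a few lines of policy. A classic filter keys on addresses, protocol and port; an NGFW rule can additionally require that the traffic on a port actually be the application the gateway identified, so an SSH tunnel on 443 no longer inherits the "web" allowance. The following is an added example in Python, not code from Juniper or the article: a first-match rule evaluator with default deny, run over constructed flows against the two policy styles side by side. Addresses, rule names and the "known bad" prefix are all constructed.

```python
"""First-match packet-filter policy, port-based vs application-aware (added example).

A Flow is what the gateway sees for one connection; `app` is the protocol the
gateway identified from the traffic itself (None for a plain packet filter,
which never looks that deep). Rules are evaluated top to bottom; the first
match wins; nothing matching is denied. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    app: Optional[str] = None  # e.g. "tls", "ssh", as identified by an NGFW


@dataclass
class Rule:
    name: str
    action: str                # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    app: Optional[str] = None  # None = the rule does not care about the application

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.app is not None and self.app != f.app:
            return False
        return True


def evaluate(policy, flow):
    """Return (action, rule name) for the first matching rule, else default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "default-deny"


KNOWN_BAD = "198.51.100.0/24"  # constructed blocklist prefix

# Classic filter: anything to the web front end on tcp/443 is "web".
PORT_POLICY = [
    Rule("blocklist", "deny", src=KNOWN_BAD),
    Rule("web-in", "allow", dst="10.0.0.10/32", proto="tcp", dport=443),
]

# NGFW style: the same port is allowed only when the traffic really is TLS.
APP_POLICY = [
    Rule("blocklist", "deny", src=KNOWN_BAD),
    Rule("web-in", "allow", dst="10.0.0.10/32", proto="tcp", dport=443, app="tls"),
]


def demo():
    """Constructed flows evaluated against both policies."""
    flows = {
        "bad_source": Flow("198.51.100.9", "10.0.0.10", "tcp", 443, "tls"),
        "https": Flow("203.0.113.4", "10.0.0.10", "tcp", 443, "tls"),
        "ssh_on_443": Flow("203.0.113.4", "10.0.0.10", "tcp", 443, "ssh"),
        "wrong_port": Flow("203.0.113.4", "10.0.0.10", "tcp", 8443, "tls"),
    }
    return {name: {"port_filter": evaluate(PORT_POLICY, f),
                   "ngfw": evaluate(APP_POLICY, f)} for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Ordering carries the policy's meaning: the blocklist sits above the allow rule so a known-bad source never reaches the "web-in" exception, and the absence of a trailing catch-all is deliberate, because the evaluator's default is deny.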


“You can’t protect what you can’t see,” Spanbauer says. “Visibility is the key. Companies today, at a minimum, need a way to accurately detect potentially malicious events in a highly complex environment, one that’s only getting more complex. When it comes to visibility, a SIEM helps me see as much data as possible, and a firewall helps me to enforce policy and ensure the accuracy of my verdicts. It’s vital to eliminate any false positives, otherwise I’d just be adding to the chaos and creating more work for teams to investigate.”

SIEMs and firewalls clearly will remain at the core of bringing machine learning and leading-edge analytics to bear in the data-rich environment we’re in. “These legacy technologies are going to have a place for a very long time to come — helping companies to more effectively manage this transition and to limit the chaos as much as possible,” Adam says.

It’s logical for SIEMs and firewalls to play ever larger roles in automating detection and response tasks as part of helping enterprises cut through the complexity and calm the chaos — and materially raise the bar for network security. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)