Here’s a frustrating reality about securing an enterprise network: the more closely you inspect network traffic, the more it deteriorates the user experience.

Related: Taking a risk-assessment approach to vulnerabilities

Slow down application performance a little, and you’ve got frustrated users. Slow it down a lot, and most likely, whichever knob you just turned gets quickly turned back again—potentially leaving your business exposed.

It’s a delicate balance. But there’s something you can do to get better at striking it: build that balance into your network testing and policy management.

Navigating threats

Why do so many businesses struggle to balance network security and user experience? Because recent trends create new challenges on both sides of the equation. Trends like:

•More distributed users and applications. Even before COVID, enterprises saw huge increases in people working outside the traditional corporate firewall. Today, users could be working anywhere, accessing applications and data from any number of potentially vulnerable public and private clouds. It adds up to a much larger potential attack surface.

•More dynamic environments. Security has always been a moving target, with new threat vectors emerging all the time. Today though, the enterprise network itself changes just as frequently. With software-defined networks, shifting cloud infrastructures, and continuous integration/continuous delivery (CI/CD) pipelines, the network you have today might look very different tomorrow.

•Pervasive encryption. Most application and Internet traffic is now encrypted by default, making it much harder to secure the network from malicious traffic. Inspecting encrypted traffic adds significant latency—sometimes cutting application performance literally in half. If you don’t have much higher-performing security controls than you’ve used in the past, your latency-sensitive applications can become effectively unusable.

These are big challenges, and most organizations are still searching for answers. For example, half of enterprise firewalls capable of inspecting encrypted traffic don’t have that feature turned on due to performance concerns. You might preserve user Quality of Experience (QoE) that way, but you’re leaving your business vulnerable.

A smarter approach


The constant push and pull between security and performance isn’t an anomaly. It’s baked into network threat defense, and no miracle tool is coming that will make the problem go away. But that doesn’t mean you can’t do something about it. In fact, the smartest thing you can do is acknowledge that it will always be a problem—and adapt your change management processes to reflect that. You do that via synthetic testing.

Using modern emulation assessment tools, you can deploy test agents at strategic points in your environment (within the on-premises network, in public and private clouds, at branch offices, and more) to simulate the network topology. You can then inject emulated traffic to test the performance limits of your network devices, web applications, and media services with all security controls engaged.

With this approach, you can establish a baseline for application performance on the network and ensure that user QoE remains good, even with network threat controls fully engaged. You can identify the right mix and size of security solutions to deploy and validate that you’re getting what you paid for. Then—and this is the key—you can proactively verify performance and security against the established baseline every time something changes in the network.

Balancing security and QoE

This approach is already widely used by organizations that can’t tolerate performance problems, such as service providers and financial enterprises in areas like high-speed trading. Given the steady growth of cyberthreats, encryption, and distributed users and applications, enterprises in every industry should be following their lead.

If you’re ready to implement continuous testing, here are four principles to keep in mind:

•Look beyond vendor data sheets. Enterprises often devote significant effort to evaluating network security solutions prior to implementation, but surprisingly little to validating their performance once deployed. That’s a good way to get surprised. In too many cases, network and security organizations don’t even realize they have a performance problem until users start complaining.

•Emulate your unique environment. Even when a security vendor’s reported specs reflect reality, they’re based on ideal conditions—not your network. As you design your test scenarios, make sure you’re emulating the real-world production environment, with all applications and security controls configured as they will be for real users. You can then drill down into exactly what throughput looks like, what latencies different network applications are experiencing, and verify that you’re supporting your business practice.

•Think like an attacker. Along those lines, to validate security efficacy, make sure you’re testing against a realistic set of threat vectors that you’re looking to protect against. Keep in mind, attackers won’t just send basic threats; they’ll use evasions and obfuscations to try to hide what they’re doing. Your network security simulations should do the same.

•Test and test again. The most important step you can take to balance network security and performance is to adopt a posture of continuous assessment. Start by identifying your baseline—what the environment looks like when everything is working as it should, when the security controls that matter to your business are active, and your users have a good quality of experience (QoE). Then, test against that baseline every time something changes.

Whether it’s a new network security solution, a software upgrade, a policy or configuration update, or any other change, you should immediately measure the effects of that change on user experience. You can now identify problems right away—before your users. And, since you’re measuring performance from multiple points across your environment, you can quickly zero in on their cause.
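The baseline-and-retest loop described above, as an added example that is not part of the essay or of Spirent’s products: a Python check that compares synthetic-agent latency measurements taken before and after a change (here, enabling TLS inspection) against the baseline, flags regressions per vantage point, and groups them to narrow down the cause. Agent names, application names, the tolerance and every measurement are constructed.

```python
"""Baseline-versus-change comparison for synthetic test agents.

Added illustration of the "test and test again" step; not Spirent's tooling.
Several emulation agents (vantage points) replay the same transactions against
each application before a change and again after it (here: enabling TLS
inspection on the perimeter firewall) and report per-request latency in ms.
The check flags agent/application pairs whose p95 latency grew beyond a
tolerance, reports agents that stopped reporting, and groups regressions to
help localise the cause.  All measurements are constructed sample data.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (agent, application)

# Baseline: security controls at their previous settings (constructed).
BASELINE: Dict[Key, List[float]] = {
    ("hq-lan", "crm-web"):     [40, 42, 41, 45, 43, 44, 40, 41, 46, 42],
    ("branch-sfo", "crm-web"): [60, 62, 61, 65, 63, 64, 60, 61, 66, 62],
    ("aws-vpc", "crm-web"):    [30, 32, 31, 35, 33, 34, 30, 31, 36, 32],
    ("hq-lan", "voip"):        [20, 21, 20, 22, 21, 23, 20, 21, 22, 24],
    ("branch-sfo", "voip"):    [35, 36, 35, 37, 36, 38, 35, 36, 37, 39],
}

# Same transactions after enabling TLS inspection at HQ (constructed).  The HQ
# and branch agents reach crm-web through the inspecting firewall; the AWS
# agent reaches it directly.  The branch VoIP agent stopped reporting.
AFTER_CHANGE: Dict[Key, List[float]] = {
    ("hq-lan", "crm-web"):     [80, 85, 82, 90, 88, 84, 81, 83, 92, 86],
    ("branch-sfo", "crm-web"): [120, 125, 122, 130, 128, 124, 121, 123, 133, 126],
    ("aws-vpc", "crm-web"):    [33, 35, 34, 38, 36, 37, 33, 34, 39, 35],
    ("hq-lan", "voip"):        [21, 22, 21, 23, 22, 24, 21, 22, 23, 25],
}


def p95(samples: List[float]) -> float:
    """95th percentile by the nearest-rank method."""
    ordered = sorted(samples)
    rank = max(math.ceil(0.95 * len(ordered)) - 1, 0)
    return ordered[rank]


@dataclass
class Finding:
    agent: str
    app: str
    baseline_p95: float
    current_p95: Optional[float]   # None when the agent reported nothing
    change_pct: Optional[float]
    status: str                    # "ok", "regressed" or "missing"


def compare(baseline: Dict[Key, List[float]], current: Dict[Key, List[float]],
            max_increase_pct: float = 20.0) -> List[Finding]:
    """Flag every agent/app pair whose p95 latency rose more than the tolerance.

    A pair present in the baseline but absent after the change is reported as
    "missing": a silent agent is a finding, not a pass."""
    findings = []
    for (agent, app), base_samples in baseline.items():
        base = p95(base_samples)
        cur_samples = current.get((agent, app))
        if not cur_samples:
            findings.append(Finding(agent, app, base, None, None, "missing"))
            continue
        cur = p95(cur_samples)
        pct = round((cur - base) / base * 100.0, 1)
        status = "regressed" if pct > max_increase_pct else "ok"
        findings.append(Finding(agent, app, base, cur, pct, status))
    return findings


def localize(findings: List[Finding]) -> Dict[str, Tuple[str, List[str]]]:
    """Per application: ("all", agents) when every reporting agent regressed
    (suspect a shared element such as the inspection firewall), ("some",
    agents) when only part of them did (suspect those sites' paths), or
    ("none", []) when nothing regressed."""
    regressed: Dict[str, List[str]] = {}
    fine: Dict[str, List[str]] = {}
    for f in findings:
        if f.status == "missing":
            continue
        bucket = regressed if f.status == "regressed" else fine
        bucket.setdefault(f.app, []).append(f.agent)
    verdicts = {}
    for app in sorted(set(regressed) | set(fine)):
        bad = sorted(regressed.get(app, []))
        if bad and app not in fine:
            verdicts[app] = ("all", bad)
        elif bad:
            verdicts[app] = ("some", bad)
        else:
            verdicts[app] = ("none", [])
    return verdicts


if __name__ == "__main__":
    results = compare(BASELINE, AFTER_CHANGE)
    for f in results:
        cur = "---" if f.current_p95 is None else f"{f.current_p95:.1f}"
        pct = "n/a" if f.change_pct is None else f"{f.change_pct}%"
        print(f"{f.agent:11} {f.app:8} p95 {f.baseline_p95:.1f} -> {cur} ({pct}) {f.status}")
    for app, (kind, agents) in localize(results).items():
        print(f"{app}: regression at {kind} agents {agents}")
```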

By taking these steps, you may not permanently solve the problem of balancing network security and performance. But you’ve solved it for today—and you’ve put the tools and procedures in place to keep solving it in the future.

About the essayist: Sashi Jeyaretnam is Senior Director of Product Management for Security Solutions at Spirent, a British multinational telecommunications testing company headquartered in Crawley, West Sussex, in the United Kingdom.

Employee security awareness is the most important defense against data breaches.

Related: Leveraging security standards to protect your company

Such a defense also involves regularly changing passwords and inventorying sensitive data. Cybercriminals view employees as the path of least resistance. As such, you should limit the amount of information that employees have access to.

There are several ways you can protect your business from data breaches.

•Create security awareness for employees. One of the most important ways to protect against data breaches is to increase employee security awareness. Employees are the first line of defense against cybercrime and should understand how to recognize phishing emails and what to do if they suspect them. With proper training, employees can prevent these attacks before they happen.

While the protection of the company’s assets can never be completely guaranteed, security awareness training should be a top priority for business owners. Without it, a business is vulnerable to a variety of risks, including financial loss, damage to intellectual property, and brand reputation. In addition, educating employees about cybersecurity issues can help to reinforce the security-minded culture of the organization and change employee behaviour.

•Provide frequent training about the risks of cyberattacks. One of the best ways to increase employee security awareness is to provide frequent training and communication about the risks of phishing and other cyberattacks. This training should be short and concise and provide guidance on identifying security risks.

Additionally, employees should receive guidance on how to report suspicious activity and confront strangers in secure areas. After a few months, organizations should evaluate the security awareness training to make sure that it is still relevant and effective.


Cybercriminals are constantly searching for ways to gain access to an organization. As a result, they seek to exploit the weakest link. This can include phishing emails that contain malicious links that infect an organization’s network or steal its database login credentials. Training employees is a crucial part of fighting back against this kind of attack and can complement other technological security solutions.

•Change passwords regularly. One of the most overlooked ways to protect your business from data breaches is changing passwords on a regular basis. Many people have their original passwords from college, and they never update them. This can be risky. It can also leave your company vulnerable to disgruntled employees. That’s why it’s essential to change passwords regularly and change them after every staff change.

Passwords are easy to steal, and hackers can use them in just a few seconds. If you’re not changing passwords regularly, you’re inviting hackers and cybercriminals to steal your company’s sensitive data. Changing passwords regularly makes the lives of cybercriminals much harder. It also limits how long a stolen credential remains usable. The best practice is to change passwords every 90 days. You can even use password managers to automatically create strong passwords for you.

In addition to changing passwords on a schedule, you should also change a password after entering it, or other sensitive information, on a public computer.

The best passwords are those that are difficult to guess. A common problem is that people tend to use the same password for too long. If you want to be as safe as possible, use passwords that are hard to guess and don’t reuse them.

•Inventory your sensitive data. Inventorying sensitive data is a crucial process in protecting your business from data breaches. It helps you determine gaps in security and prioritize your efforts. Data discovery technologies can scan data stores and label sensitive and regulated data by purpose and type. By doing so, you can better protect sensitive data and improve security. This process also helps you determine the amount of data you have in your possession.

Sensitive data may be stored on different media, including discs, tapes, mobile devices, or websites. Every potential source should be considered when creating an inventory. Make sure to involve each department in the process. This includes accounting, sales, and other teams. You should also include third-party service providers, like call centres and contractors.

Data inventory also makes your data searchable. Often, it is the first time a company has a common definition of data. If teams have different naming conventions, data inventory can be a confusing process. Make sure to use common, understandable labels and data value tags for your data.

•Use a corporate VPN. Encrypting data on corporate devices can prevent hackers from accessing sensitive information. The best way to protect data in this way is to set up a corporate VPN (a virtual private network). VPNs allow employees to connect to the internet securely while hiding the company’s IP address. This method is particularly important for employees working remotely and in public places.

Identifying sensitive data is an essential part of effective information security. You must understand how sensitive data moves and who has access to it. The Federal Trade Commission recommends that organizations inventory the storage devices that hold sensitive data, including the devices of employees who work from home. By identifying these locations, you can more easily determine where security vulnerabilities lie.
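An added illustration of the discovery-and-labelling step described above (not the essay’s own material or any product’s code): a small Python scanner that walks constructed sample records from several departments and a third-party export, labels values by data type and regulated category, uses the Luhn check so that an order number is not mistaken for a card number, and summarises what sensitive data each store holds and in which fields. Store names, owners, category labels and all records are constructed.

```python
"""Sensitive-data discovery over sample records, as an added illustration of
the inventory step.  This is not a real data-discovery product.  Each store
below stands for one data source and the department (or third party) that
owns it; the scanner labels values by data type and regulated category,
validates card-like numbers with the Luhn check to cut false positives, and
summarises what lives where.  All records are constructed sample data.
"""
import re
from typing import Dict, List

# Detectors: name -> (regex, regulated category, purpose).  Labels are assumed.
DETECTORS = {
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "PII", "contact"),
    "ssn":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "PII", "identity"),
    # 13-19 digits with optional spaces/dashes; confirmed by the Luhn check below
    "card":  (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "PCI", "payment"),
}

# Constructed data sources.  Note the card number hiding in a free-text field
# and the order id that merely looks like a card number.
STORES = {
    "crm-db": {"owner": "sales", "records": [
        {"name": "A. Example", "email": "a.example@example.com", "notes": "called about renewal"},
        {"name": "B. Sample", "email": "b@example.org", "notes": "card on file 4111 1111 1111 1111"},
    ]},
    "orders-csv": {"owner": "accounting", "records": [
        {"order_id": "1234567890123456", "email": "c@example.net"},
    ]},
    "callcenter-export": {"owner": "third-party:call-centre", "records": [
        {"caller": "D. Demo", "ssn": "123-45-6789", "transcript": "identity verified"},
    ]},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(value: str) -> List[str]:
    """Return the detector names whose pattern (and validation) match the value."""
    kinds = []
    for kind, (pattern, _category, _purpose) in DETECTORS.items():
        for match in pattern.findall(value):
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", match)):
                continue  # digits without a valid checksum: order id, not a card
            kinds.append(kind)
    return kinds


def build_inventory(stores) -> Dict[str, dict]:
    """Per store: owner, number of findings per data type, regulated categories
    present, and the fields in which sensitive values were found (a card
    number inside a free-text 'notes' field is a finding in its own right)."""
    inventory = {}
    for store, meta in stores.items():
        counts: Dict[str, int] = {}
        categories, fields = set(), set()
        for record in meta["records"]:
            for field, value in record.items():
                for kind in classify(str(value)):
                    counts[kind] = counts.get(kind, 0) + 1
                    categories.add(DETECTORS[kind][1])
                    fields.add(field)
        inventory[store] = {"owner": meta["owner"], "counts": counts,
                            "categories": sorted(categories), "fields": sorted(fields)}
    return inventory


if __name__ == "__main__":
    for store, entry in build_inventory(STORES).items():
        print(f"{store} (owner: {entry['owner']}): {entry['counts']} "
              f"categories={entry['categories']} fields={entry['fields']}")
```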

About the essayist: Idrees Shafiq is a Research Analyst at AstrillVPN with diverse experience in the fields of data protection and cyber security, particularly internet security.


More and more consumers are using apps every year. In fact, Google Play users downloaded 111.3 billion apps in 2021 alone, up more than 47 percent since 2018.

Related: Microsoft CEO calls for regulating facial recognition.

This increased demand for apps also raises the need for improved data protection measures, which Google took steps to address with the new data safety section they launched in July 2022.

This data safety section aims to help users understand how apps handle their data (especially when it comes to collection and sharing) and make more informed decisions about which apps to download.

To provide even further insight into the data safety and privacy practices of app developers, researchers at Incogni conducted a study of the top 500 paid and top 500 free Google Play Store apps. The results shed light on how much data apps really share, which apps pose the biggest risks to data privacy, and how transparent developers are about their practices.

Rampant ‘sharing’

The study revealed that more than half (55.2 percent) of the apps share user data with third parties.

•13.4 percent share approximate location history

•6.77 percent share email addresses

•4.77 percent share names

•3.85 percent share home addresses

•3.85 percent share precise location

•3.23 percent share photos

•1.85 percent share in-app messages

•1.69 percent share videos

•0.62 percent share sexual orientation

•1.54 percent share files and docs

•0.46 percent share SMS or MMS

•0.15 percent share race and ethnicity

•0.15 percent share religious and political beliefs


It turns out that free apps share the most user information, a staggering 7 times more data points than paid apps. Data is extremely valuable in the digital world, with some even calling it the “new oil.” In fact, the data trade industry is worth over $257 billion and growing yearly. It makes sense that free apps share the most data: users effectively pay with their personal information.

Following closely behind on the worst-offenders list are popular apps (with more than 500,000 downloads). These apps share 6.15 times more data than less popular apps. The reason behind this remains unclear and could be dependent on multiple variables. One possible explanation that Incogni researchers offered is that free apps have, on average, 400 times more downloads than paid apps.

Among the app categories, shopping, business, and food & drink were found to be sharing the most user data. So it’s best to think twice before downloading an app from one of these categories, especially if it’s free and/or popular.

Greediest data harvesters

While sharing is usually what consumers find most alarming when it comes to how apps handle their data, collection can be just as important to online privacy and security.

According to Incogni’s study, social media and business apps collect the most data. Many of these apps know almost everything about their users – from who their best friends are to what secrets they share with them in private messages.

The apps that do the most snooping, unsurprisingly, are:

•Facebook

•Facebook Lite

•Messenger

•Messenger Lite

•Instagram

Yet, despite harvesting the most personal data, these apps declare sharing very few data points.

Aside from the obvious invasion of privacy concerns, having personal information stored by apps can pose other risks. Cash App, a popular mobile payment service, experienced a data breach in December 2021 that resulted in 8.2 million users’ personal information being leaked. Cash App isn’t the first and, unfortunately, isn’t likely to be the last app to experience such security issues.

Sharing vs. transferring

Even without breaches, more information on users may actually be proliferated online than what app developers declare sharing.

Google uses the term sharing only in relation to the transfer of user data to third parties. This does not include the transfer of anonymized data or the transfer of any data made to a service provider or for legal reasons.

This de facto means that your personal information may not be “shared,” according to the Google Play data safety section, but it may still be “transferred” without your knowledge.

While the transfer of data to service providers may be necessary, and transfers for legal reasons justified, the transfer of anonymous data is still worrying. The term itself implies a level of privacy and security that may be misleading. In fact, research has shown that anonymous data can easily be re-identified 99.98 percent of the time using as few as 15 data points.

Bottom line

Google Play Store apps collect a lot of personal data. They share a lot of data. And they “transfer” a lot of data. Depending on their location, consumers are protected by data privacy laws like the GDPR or the CCPA but, ultimately, online privacy and security are still left mostly up to the individual.

This means that Google Play users should be very discerning when downloading apps. They should consider which types of apps they install, how much data these apps share, and how much data they collect (and “transfer”).

About the essayist: Federico Morelli is a Content Manager at Incogni, a data removal company dedicated to helping consumers take back control of their personal information. Federico uses data analysis to tell stories about online privacy – which he believes to be a fundamental human right and a vastly underestimated issue of the digital world.

As digital technologies become more immersive and tightly integrated with our daily lives, so too do the corresponding intrusive attacks on user privacy.

Related: The case for regulating facial recognition

Virtual reality (VR) is well positioned to become a natural continuation of this trend. While VR devices have been around in some form since well before the internet, the true ambition of major corporations to turn these devices into massively-connected social “metaverse” platforms has only recently come to light.

These platforms, by their very nature, turn every single gaze, movement, and utterance of a user into a stream of data, instantaneously broadcast to other users around the world in the name of facilitating real-time interaction. But until recently, the VR privacy threat has remained entirely theoretical.

Berkeley RDI is a preeminent source of open-access metaverse privacy research. To test the true extent of data collection in VR, we designed a simple 30-person user study called MetaData. Users were asked to play an innocent-looking “escape room” game in VR, while in the background, machine learning scripts were secretly observing their activity and trying to extract as much information about them as possible.

The game was explicitly designed to reveal more information about users than they would otherwise have revealed, a unique threat of XR environments. In fact, most of the Montreal Cognitive Assessment (MoCA) test was hidden within the escape room.


In the end, the adversarial program had accurately inferred over 25 personal data attributes, from environmental data like room size and geolocation, to anthropometrics like height, wingspan, and reaction time, within just a few minutes of gameplay.

Why, one may wonder, should I care if my use of VR reveals my height or reaction time? In short, we should care not just which attributes can be directly observed, but also what that data can in turn be used to infer.

For example, by combining height, wingspan, and voice frequency, a user’s gender is revealed with a high degree of accuracy. On the other hand, the combination of vision, reaction time, and memory can reveal a user’s age to within a year. The sheer scale of data attributes available in VR makes such inferences more accurate and abundant than on any conventional platform, such as web or mobile applications.


And instead of having to combine numerous data sources (like a smartphone, laptop, and wearable device) to build a user profile, VR constitutes a one-stop shop for all of the biometric, environmental, behavioral, and demographic data an application could ever hope to harvest.

The story is not entirely pessimistic, however. In a follow-up work, called “MetaGuard,” we present a promising solution to our VR data privacy woes. Using a statistical technique called local differential privacy, we allow users to “go incognito” in the metaverse to obscure their identity and hinder tracking between sessions, just as they might on the web.

In fact, MetaGuard goes far beyond “incognito mode” on the web, protecting not just metadata but the telemetry data itself. It does so by literally warping the coordinate system of the virtual world to hinder the accuracy of adversarial measurements, while achieving a provably optimal balance between privacy and impact on usability. The result: a 94.6 percent reduction in the ability to deanonymize VR users, even at the lowest supported privacy setting.
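The local-differential-privacy idea, as an added example that is not MetaGuard’s code or the essay’s: the textbook bounded Laplace mechanism applied on the client to one attribute (height), once per session, as a vertical scale on the avatar’s coordinates, so that a naive server-side measurement sees a different height in each session. The height range, the epsilon values, the tracking frames and the linking rule are assumptions.

```python
"""Local differential privacy for one VR telemetry attribute (height), as an
added illustration of the 'go incognito' idea.  This is not MetaGuard's code:
it applies the textbook bounded Laplace mechanism on the client, once per
session, as a vertical scale factor on the avatar's coordinates.  Within a
session the world stays self-consistent (one factor for every frame); across
sessions a server-side script measuring height sees different values, so the
sessions are harder to link.  Frames, bounds and epsilons are constructed.
"""
import math
import random

HEIGHT_LO, HEIGHT_HI = 1.40, 2.00   # assumed plausible adult range in metres

# Constructed head-tracking samples (x, y, z) in metres; true height is max y.
FRAMES = [(0.00, 1.70, 0.00), (0.10, 1.72, 0.05), (0.20, 1.75, 0.10), (0.30, 1.74, 0.08)]


def laplace_noise(scale: float, rng) -> float:
    """Sample Lap(0, scale) by inverse CDF; rng needs only a random() method."""
    u = rng.random() - 0.5
    u = max(-0.4999999, min(0.4999999, u))          # keep log() finite
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_height(true_height: float, epsilon: float, rng) -> float:
    """Bounded Laplace mechanism: sensitivity is the width of the plausible
    range; the noisy value is clamped back into it.  Smaller epsilon = more noise."""
    sensitivity = HEIGHT_HI - HEIGHT_LO
    noisy = true_height + laplace_noise(sensitivity / epsilon, rng)
    return min(max(noisy, HEIGHT_LO), HEIGHT_HI)


def session_warp_factor(true_height: float, epsilon: float, rng) -> float:
    """Vertical scale applied to every frame of a session, so the avatar's head
    sits at the privatised height instead of the real one."""
    return private_height(true_height, epsilon, rng) / true_height


def warp_frames(frames, factor: float):
    """Client-side warp: stretch or compress the y axis by the session factor."""
    return [(x, y * factor, z) for (x, y, z) in frames]


def adversary_height_estimate(frames) -> float:
    """What a server-side script can read off raw telemetry: the head's max y."""
    return max(y for (_x, y, _z) in frames)


def simulate_session(frames, epsilon: float, rng) -> float:
    """One session: the client warps its telemetry, the adversary measures height."""
    true_height = adversary_height_estimate(frames)
    factor = session_warp_factor(true_height, epsilon, rng)
    return adversary_height_estimate(warp_frames(frames, factor))


def same_user(height_a: float, height_b: float, tolerance: float = 0.02) -> bool:
    """Naive cross-session linking rule an adversary might apply to height."""
    return abs(height_a - height_b) <= tolerance


if __name__ == "__main__":
    for eps in (1e9, 5.0, 1.0):     # 1e9 is effectively no protection
        a = simulate_session(FRAMES, eps, random.Random(1))
        b = simulate_session(FRAMES, eps, random.Random(2))
        print(f"epsilon={eps:<8g} session A {a:.3f} m, session B {b:.3f} m, "
              f"linked={same_user(a, b)}")
```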

MetaGuard is by no means a complete solution to privacy concerns in VR. Instead, it is a first step towards solving a dangerous technological disparity: despite posing an unprecedented degree of privacy risk, VR currently lacks even the most basic privacy tools.

We hope our work begins to shed light on the risks that lie ahead, and encourage practitioners to advance research at the intersection of data privacy and VR.

About the essayist: Vivek Nair is an NSF CyberCorps Scholar, NPSC Fellow, Hertz Foundation Fellow, IC3 Researcher, and an EECS Ph.D. student researching applied cryptography at UC Berkeley. Gonzalo Munilla Garrido is a researcher at the BMW Group and CS Ph.D. student researching differential privacy at TU Munich. Nair and Garrido are members of the UC Berkeley Center for Responsible, Decentralized Intelligence, a preeminent source of open-access metaverse security and privacy research.

(Editor’s note: This work was supported by Berkeley RDI, the NSF, the NPSC, and the Hertz Foundation. Opinions expressed in this material are exclusively those of the authors and not the supporting entities.)

How did America and Americans regress to being much less secure than before the Internet?

Everyone knows the many amazing conveniences, benefits, and advances the Internet has enabled. What everyone doesn’t know is how irrational the Internet’s utopian founding premises have proven to be concerning America’s and Americans’ security over the last quarter century.

The first irrational security-related premise is that U.S. Government policymakers decided in the 1990s to promote inherently insecure, nascent Internet technology to be the world’s primary global information infrastructure for all the world’s communications, content, and commerce.

Unfortunately, the Internet was never designed to operate at that scale, or with the necessary authentication, security, and privacy capabilities essential for such an infrastructure.  Utopia meet reality.

The Internet’s co-designer, Vint Cerf, in a 2008 Guardian interview, explained how the Internet’s essential enabling protocol, dating from 1974, had a design flaw: it did not enable packet authentication, security, or privacy at scale.

“The idea of a virtual private network was not part of the original design,” says Cerf, with a grin. “It was actually an oversight. It didn’t occur to me that it would be useful until afterwards.” “In the end, it seems every machine has to defend itself. The internet was designed that way.”

For twenty-five years, an ever-behind cybersecurity industry has struggled to secure an un-securable “fragile infrastructure” that was “built vulnerable,” and where “the scale of cyberattacks grow steadily.”

The second irrational security-related premise was the de facto, bipartisan, U.S. foreign policy decision, without a Senate-approved treaty, that promoted virtual global surrender of “Westphalian sovereignty” that for 350 years facilitated international law and order, peaceful diplomacy to deter wars, and reciprocally-beneficial travel, trade, commerce, and law enforcement.


America’s de facto virtual sovereign suicide irrationally surrendered its virtual sovereignty over all things America, to a non-sovereign, autonomous Internet technology, with “no controlling authority,” organization, leader, accountable governance, rule-of-law, dispute resolution, recourse, or legal tender.

As a result, America has de facto aided and abetted our leading adversaries—China, Russia, and cybercriminals—with impunity. China has specialized in cyberattacking, hacking, and stealing much of America’s valuable government and corporate secrets, intelligence, security clearances, and data. Russia has specialized in out-of-control facilitation of rampant ransomware, serial cybercrime, and political disruption.

A recent Council on Foreign Relations report confronts this irrational Internet utopianism. “The utopian vision of an open, reliable, and secure global network has not been achieved and is unlikely ever to be realized. Today, the internet is less free, more fragmented, and less secure.” The authors are right that “it’s time for a new foreign policy for cyberspace.”

The third irrational security-related premise is that U.S. Government policymakers decided in the 1990s to de facto nationally abdicate governing online.  Specifically, how is U.S. Internet unaccountability policy a root cause of Internet insecurity?

It has subverted most of America’s foundational security essentials, i.e., surrendering sovereignty; banning borders; denying defenses; prohibiting police and public safety; abdicating authority; cancelling the Constitution; rejecting rule-of-law and rights; and denying a duty-of-care.

At the time, there was bipartisan policy consensus to encourage, not impede, rapid adoption and buildout of the Internet and its enabling infrastructure.  It succeeded at that goal.

America’s 1990s ‘Wild West’ Internet policies were: Internet and Internet services be “unfettered by Federal and State regulation;” ecommerce should be “global,” “self-regulated,” and “minimalist” government; and de facto all Internet speech has been presumed free speech,  never illegal conduct.

Apparently, few have considered or cared about the predictable negative repercussions of permanently granting Internet technology and its corporate leaders’ impunity via Internet unaccountability policy.

Now it is easier to see how America and Americans have regressed to being much less secure than before the Internet.  It doesn’t have to remain that way.

America’s existential problem here is the U.S. Government de facto imposing Americans’ dependence on inherently insecure Internet technology and irrational foreign and U.S. policy.  All three irrational premises endanger and do not protect Americans.

This self-defeating Internet Insecurity is mindless madness and also a form of tyranny, in government irrationally dictating Americans’ dependence on undependability.

If you fear this irrational Internet insecurity is not the only unchecked technological tyranny, you are correct. Nineteen additional tyrannies are found in Restore Us Institute’s petition of grievances to the U.S. Government in the form of A Declaration of Independence from Unchecked Technological Tyranny.

About the essayist: Scott Cleland is Executive Director of the Restore Us Institute, a non-partisan, non-profit that educates the public about Internet accountability problems and solutions. Cleland was Deputy U.S. Coordinator for International Communication and Information Policy in the H.W. Bush Administration. To learn more, visit www.RestoreUsInstitute.org.

Phishing attacks are nothing new, but scammers are getting savvier with their tactics.

Related: The threat of ‘business logic’ hacks

The Iranian hacker group TA453 has recently been using a technique that creates multiple personas to trick victims, deploying “social proof” to scam people into engaging in a thread. One example comes from Proofpoint, where a researcher began corresponding with an attacker posing as another researcher.

Other Iranian-based cyberattacks have included hackers targeting Albanian government systems and spear phishing scams. According to a new study, phishing attacks rose 61 percent in 2022, with cryptocurrency fraud increasing 257 percent year-over-year.

Companies and consumers must be more cautious than ever when using their devices. Here are four new phishing trends keeping businesses on their toes.

Spear phishing

Spear phishing attacks have taken the dangers of traditional phishing to another level, mainly because they are highly targeted and precise.

Nowadays, small businesses are more susceptible to spear phishing since they lack the IT security infrastructure found in larger organizations. As more people work remotely, companies must be vigilant when sending and filling out online forms, such as login pages — a newly preferred way of enticing potential victims.

These attacks involve employees visiting a harmless-looking site and then being redirected to a malicious one. There, they enter their credentials and unknowingly hand them to hackers.

Compromised email

Ransomware is one of the fastest-growing cyberattack threats companies face. However, hackers are getting smarter as they develop new money-making methods to exploit businesses.


Compromised email accounts are now the norm, as attackers have found ways to break into these systems and send phishing emails to employees, vendors and consumers. Because the sender address appears to belong to an internal team member, people trust the messages, ultimately exposing themselves to cybercrime.

Business email compromise also increased during the COVID-19 pandemic — it’s a common entry point for cybercriminals. As such, staff must avoid sending personal and sensitive information via email, where hackers can steal it.

Wire fraud

Imagine someone is about to buy a house and receives email instructions for wiring the closing costs — with just one click, they’ll be a new homeowner. Now imagine how they’d feel finding out they were the victim of wire fraud, as the $20,000 payment suddenly disappears.

Business impersonation is increasing exponentially with hackers gaining access to company email accounts. After monitoring conversations for some time, they look for the start of the transaction and insert themselves into the chain. The hackers then send a legitimate-looking, well-crafted, error-free email with a link that wires the money to a separate bank account.

The real estate industry is currently battling an influx of these cyberattacks. A recent survey showed that one-third of all real estate transactions had a wire fraud attempt in 2020. Additionally, 76% of real estate agents reported increased fraud attempts from the previous year.

Phishing via texting

If it seems more spam texts are coming in, that’s because they are — the FCC reported a 146% uptick throughout the pandemic.

Text message phishing — also known as “smishing” — is when scammers send texts to entice people to transmit personal information, such as passwords or credit card numbers. Because people tend to open messages within 15 minutes of receiving them, scammers have found it a lucrative way to trick people.

Smishing might impersonate the government, banks or other agencies to seem more legitimate. Although most people can tell when they’ve received spam texts, 6% report losing money through text fraud.

Steps to effective security

Developing a secured network strategy is essential to avoid cyberattacks, as these new phishing tactics could negatively impact a business. To prevent malicious scams, companies should do the following:

•Install high-quality antivirus software and spam filters.

•Implement a policy to update passwords every 90 days.

•Require strong passwords and two-step or multi-factor authentication.

•Encrypt all sensitive information and documentation.

•Secure web browsers and only use those providing adequate security.

•Train workers on how to identify phishing attempts.

Human error often drives phishing success, so deploying the right security tools and ensuring employees understand their place in avoiding cybercrime is the best way to protect company data.

Companies must implement several security measures to prevent the repercussions of cyberattacks. Otherwise, they risk dire consequences.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

Cybersecurity is a top concern for individuals and businesses in the increasingly digital world. Billion-dollar corporations, small mom-and-pop shops and average consumers could fall victim to a cyberattack.

Related: Utilizing humans as security sensors

Phishing is one of the most common social engineering tactics cybercriminals use to target their victims. Cybersecurity experts are discussing a new trend in the cybercrime community called phishing-as-a-service.

Why should companies be aware of this trend, and what can they do to protect themselves?

Phishing-as-a-Service (PhaaS)

Countless organizations have adopted the “as-a-service (-aaS)” business model. It describes companies that present customers with an offering, as its name suggests, to purchase and use “as a service.” Popular examples include artificial intelligence-as-a-service (AIaaS), software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS).

Phishing-as-a-service, also called PhaaS, is the same as the SaaS business model, except the product for sale is designed to help users launch a phishing attack. In a PhaaS transaction, cybercriminals or cybercrime gangs are called vendors, and they sell access to various attack tools and technical knowledge to help customers carry out their crimes.

Ready-to-use phishing kits with all necessary attack items are available on the web. Some vendors offer more specialized products, such as back-end code to build fraudulent websites for harvesting credentials. They might also provide access to collated open-source intelligence (OSINT) to create highly sophisticated phishing attacks.

Rising popularity

PhaaS services are growing in popularity for a few reasons. These products lower the barrier to entry for malicious actors and are relatively affordable.


Traditionally, people faced high barriers to entry to become successful hackers. With PhaaS, this is no longer the case. Anyone with enough funds and access to the dark web can purchase PhaaS tools to help them launch a phishing attack.

Aside from a low barrier to entry and affordability, PhaaS is a win-win situation for vendors and their customers. Vendors benefit from PhaaS because they earn a profit from selling their skills while avoiding the risks associated with committing a cybercrime. On the customer side, it requires minimal effort to pay for a phishing kit and launch a professional-level attack on a victim.

PhaaS has grown so popular that it’s now a commercialized industry on the dark web. As a result, the number of phishing attacks worldwide will increase, allowing lucrative cybercrime to flourish in the digital age.

Mitigating PhaaS

The PhaaS industry is rapidly expanding and presenting more risks to businesses of all types and sizes. An individual company is likely unable to take down the entire PhaaS community, but it can certainly take proactive cybersecurity measures to reduce the chances of facing a phishing attack.

Many modern organizations know the basics of online safety and follow the best cybersecurity practices. However, this new trend could change the landscape, forcing businesses to adapt, use new technologies and implement different defense strategies.

Businesses can respond to the rise of PhaaS services in three ways:

•Heed cybersecurity standards and compliance rules

Many industries implement cybersecurity standards and compliance requirements to protect businesses and their clients or customers. For example, government defense contractors must pass the Cybersecurity Maturity Model Certification (CMMC) assessment to conduct business with the Department of Defense (DoD).

By requiring contractors to pass the CMMC, the DoD ensures that they maintain a strong cybersecurity posture so any sensitive data remains secure. Organizations should determine which industry standards and compliance requirements they must follow to improve their security measures.

•Leverage security software

Several new technologies, including artificial intelligence (AI) and machine learning (ML), are included in today’s cybersecurity software solutions. Those with a zero-trust approach or powered by AI and ML tech can help companies defend themselves against cyberattacks.

•Prioritize training

Human error is the main factor contributing to a successful phishing attack. Employees who receive exceptional cybersecurity training are less likely to put an organization at risk of attacks. Businesses must prioritize education for employees so they can act as the company’s first defense.

PhaaS is not going anywhere. Organizations must take various preventive measures to bolster their cybersecurity as this black-market industry grows. Company leaders must be aware of PhaaS and take phishing attacks seriously to keep their business running.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

The pace and extent of digital transformation that global enterprise organizations have undergone cannot be overstated.

Related: The criticality of ‘attack surface management’

Massive global macro-economic shifts have fundamentally changed the way companies operate. Remote work already had an impact on IT strategy and the shift to cloud, including hybrid cloud, well before the onset of COVID-19.

Over the past two years, this trend has greatly accelerated, and working practices have been transformed for many workers and organizations.

Yet, with all these changes, the specter of security breaches remains high. This explains the rise and popularity of Zero Trust as a framework for securing networks in these new realities, and as an effective tool for driving cybersecurity initiatives across the entire enterprise.

Fundamentally, Zero Trust is based on not trusting anyone or anything on your network by default and using least required privilege concepts. Every access attempt by any entity must be validated throughout the network to ensure no unauthorized entity is moving vertically into or laterally within the network undetected.

At the same time, digital resilience has arisen as a top priority for enterprises across all sectors, especially as cyber threats continue to accelerate. Ensuring the maximum uptime and network and application availability is critical to digital business.

Now is an ideal time to explore enterprise perceptions about the future. To gain these insights, A10 Networks surveyed 2,425 senior application and network professionals from across ten regions around the globe. Not surprisingly, there were high levels of concern about digital resiliency, with a strong focus on business continuity.

Four top resiliency trends surfaced in the findings, including: digital resilience is a top priority; cyberthreats are accelerating; private cloud is the preferred environment; and Zero Trust strategies are being implemented to shore up defenses.

Most importantly, all these forces are foundational to more remote and hybrid work as we enter a new phase of living with COVID-19. Additional key features of the enterprise IT landscape that we uncovered included the following:

Private clouds preferred

Some 23 percent of respondents have retained an on-premises environment, and this is unlikely to change for some organizations in the future. Private clouds were the preferred environment for 30 percent of respondents, while just under one quarter said their environment was in a public cloud with a similar percent in SaaS environments.


Looking forward, organizations expect to retain a similar split, with private clouds being the most popular in all regions apart from the U.S. and Eastern Europe, which favor public cloud. This is likely because private clouds give organizations more control over data. Organizations, such as financial services or government, deal with sensitive information and prefer a private cloud model with greater control over the security of applications, users, and data.

Strategy reassessment needed

Resilience has become a board-level discussion as senior leaders look to ensure that the business can cope with future disruption. Enterprise respondents said that digital transformation solutions, business continuity (both technically and organizationally), and stronger security requirements have all become paramount. This puts tremendous pressure on IT professionals to rethink their architectures and IT strategies to meet the challenge.

Asked to rate their concern about 11 different aspects of business resilience, nine out of 10 respondents expressed some level of concern about every issue. The top concerns were around the challenge of optimizing security tools to ensure competitive advantage, using IT resources in the cloud, and enabling remote access and hybrid working while ensuring that staff feel supported in whatever work style they wish to adopt.

Cyber threats impact

High among a broad array of issues is the loss of sensitive assets and data, followed by the disruptive impact of downtime or network lockdown. In response, AI and machine learning have entered mainstream adoption as proven technologies for automation, human error reduction, and increased efficacy.

Meanwhile, there has also been a shift to a Zero Trust security approach. Some 30 percent of enterprise organizations surveyed said that they had already adopted a Zero Trust model.

Looking to the future, the adoption of cybersecurity initiatives will remain high and continue to grow. The increased threat surface that developed under pandemic conditions will require a more pervasive adoption of the Zero Trust model.

Although the urgent demands of the pandemic have lessened, there is unlikely to be any less pressure for IT practitioners, whether in infrastructure or security. Enterprises will be dealing with the impact of these pandemic-related changes for years to come, along with the continued integration of newer technologies, strategies, and evolving standards.

Organizations must meet their multifaceted digital resiliency needs by continuing to invest in modern technologies that will support ongoing digital transformation initiatives while striking the balance between strong Zero Trust defense and operational agility.

About the essayist: Paul Nicholson is senior director, product marketing, at A10 Networks, a San Jose, Calif.-based supplier of security, cloud and application services. He has held technical and management positions at Intel, Pandesic and Secure Computing. 

The internet has drawn comparisons to the Wild West, making ransomware the digital incarnation of a hold-up.

Related: It’s all about ‘attack surface management’

However, today’s perpetrator isn’t standing in front of you brandishing a weapon. They could be on the other side of the globe, part of a cybercrime regime that will never be discovered, much less brought to justice.

But the situation isn’t hopeless. The technology industry has met the dramatic rise in ransomware and other cyber attacks with an impressive set of tools to help companies mitigate the risks. From sharing emerging threat intelligence to developing new solutions and best practices to prevent and overcome attacks, it’s possible to reduce the impact of ransomware when it happens.

Prevalence

The FBI’s Internet Crime Complaint Center (IC3) received 3,729 ransomware complaints in 2021, representing $49.2 million in adjusted losses. Healthcare and public health, financial services, and IT organizations are frequent targets, although businesses of all sizes can fall victim to these schemes.

The increase in remote workforces and difficulty enforcing security controls with expanding perimeters has played a role in the rise of ransomware. Likewise, lookalike and spoofed web domains and well-crafted phishing emails now easily trick employees into thinking they’re dealing with trustworthy sources.

A typical attack

Ransomware usually starts with a phishing email. An unsuspecting employee will open a legitimate-looking message and click a link or download a file that releases embedded malware onto their machine or the broader company network.

This gives the perpetrator the access needed to launch the ransomware and lock the company out of its own infrastructure or encrypt files until the ransom is paid in cryptocurrency.

Victims have two equally unattractive choices to resolve the situation. They can refuse to pay the ransom and have criminals release sensitive data. Or they can pay it—and often see the information released anyway. Not surprisingly, cyber criminals don’t always stick to their word.

High-stakes threat actors

Who are these masterminds? These threat actors aren’t playful hackers just testing their abilities. They’re often state-sponsored entities, foreign governments, or actual businesses. In fact, ransomware-as-a-service is alive and well, educating would-be offenders on how to undertake an attack and even offering customer support.

You may remember ransomware incidents that made the news in recent years, such as the Colonial Pipeline attack in 2021 that crippled national infrastructure or WannaCry in 2017 that exploited a Windows vulnerability. Sometimes ransom payments are recovered, but not always.

The impact of ransomware

The price tag of the ransom is just one of the many costs of these attacks, and remediation can often exceed this fee many times over. The inability to run the business effectively or access crucial data for days, weeks, or even months can result in lost revenue, customers, and opportunity.

Data, even when returned, can be damaged or useless, delaying ongoing projects. Altogether, the situation can cause the business reputational harm and losses spanning long periods.

Preventing ransomware

Like all cyberthreats, ransomware is constantly evolving as attackers become more sophisticated and bolder in their attempts. Building security with a layered approach is the most effective strategy as you work to move from passive to active defense.

These are just a few of the tactics you can take:

•Understand where sensitive data resides, how it’s protected, and why it’s valuable to outsiders

•Keep up on the latest cyber threats and monitor for lookalike/spoofed domains and registrations

•Educate employees on how to spot and respond to suspicious emails that bypass filters

•Bolster your monitoring and email authentication capabilities
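The second tactic above, monitoring for lookalike and spoofed domains, can be partly automated. The following added example (not from the essay or from PhishLabs) folds common confusable characters, then scores newly observed domains against a constructed watch-list by edit distance and brand embedding:

```python
import unicodedata

# Constructed watch-list of an organisation's own domains (an assumption for this example).
PROTECTED_DOMAINS = ["example-bank.com", "examplebank.com"]

# Character sequences that commonly stand in for others in lookalike registrations.
# Folding is deliberately aggressive: a few false positives are cheaper than a missed domain.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "|": "l"}


def normalize(domain: str) -> str:
    """Lowercase, fold accented/fullwidth Latin forms to ASCII (NFKD), then fold confusables.

    Limitation: non-Latin homoglyphs (e.g. Cyrillic letters) are not mapped here; a full
    Unicode confusables table would be needed for that.
    """
    folded = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """Naive registrable label: the label before the final dot (single-label TLDs only)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, matched protected domain); verdict is exact, lookalike or unrelated."""
    cand_label = second_level_label(normalize(candidate))
    verdict = ("unrelated", None)
    for p in protected:
        p_label = second_level_label(normalize(p))
        if cand_label == p_label:
            # Same name once confusables are folded: either the real domain or a near-perfect fake
            if candidate.lower().rstrip(".") == p.lower():
                return ("exact", p)
            return ("lookalike", p)
        # One typo away, or the brand embedded in a longer label (brand-login.com style)
        if levenshtein(cand_label, p_label) <= max_distance or p_label in cand_label:
            verdict = ("lookalike", p)
    return verdict


def flag_lookalikes(observed):
    """Reduce a batch of newly seen domains (registrations, CT logs) to the ones worth triage."""
    return [d for d in observed if classify(d)[0] == "lookalike"]


# Constructed sample feed for the example; these are not real registrations.
OBSERVED = ["examp1ebank.com", "google.com", "examplebank-login.com",
            "example-bank.com", "exarnplebank.net"]

if __name__ == "__main__":
    for d in OBSERVED:
        print(d, classify(d))
```

Feed it the output of a registration or certificate-transparency feed and review only the flagged entries; exact matches are your own domains and need no action.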

Incident response

Early detection is critical, and ransomware attacks evolve. This means the response you’re likely to take can shift as you learn more along the way. Have a response plan that details the steps you can take across all departments.

Even after you’ve determined whether to pay the ransom, you’ll need ongoing monitoring for stolen data and compromised domains on the dark web and social media sites. Your experience will also inform employee education practices and the types of safeguards you put in place going forward.

Go in depth on ransomware and learn how to protect your business in this report from PhishLabs by HelpSystems: Ransomware Playbook: Defense in Depth Strategies to Minimize Impact.

About the essayist: Eric George is the Director of Solution Engineering at PhishLabs by HelpSystems. He has held over 10 industry certifications including CISSP and serves as a Technical Malware Co-Chair for the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).

Web application attacks directed at organizations’ web and mail servers continue to take the lead in cybersecurity incidents.

Related: Damage caused by ‘business logic’ hacking

This is according to Verizon’s latest 2022 Data Breach Investigations Report (DBIR).

In the report’s findings, stolen credentials and exploited vulnerabilities were the top reasons for web breaches this year:

•A whopping 80 percent were due to stolen credentials (nearly a 30 percent increase since 2017!)

•Exploited vulnerabilities were the second leader at almost 20 percent

•Brute forcing passwords (10 percent) came in third

•Backdoors or C2 (10 percent) came in fourth

Poor password practices are responsible for most incidents involving web applications and data breaches since 2009. Password security may seem like a simple solution for a huge problem, but it may be difficult to successfully implement in practice. Ignoring it, on the other hand, can lead to complications such as an unwarranted data breach.

Without strong, secure passwords or two-factor authentication (2FA) enabled in an organization or startup, it becomes easy for attackers to use stolen credentials to access its web and email servers.

Consequently, sensitive data can become compromised, ending up in the wrong hands. In 2022, 69 percent of personal data and 67 percent of credentials became compromised in a web breach. This data strongly indicates that password management and 2FA are crucial for any organization or startup to become more secure from web attacks.

We’ve shared some helpful guidance on password security at Zigrin Security blog.

Shifting exposures

The landscape of the cyber domain is in flux. Money-motivated cybercriminals are no longer the only significant attackers on the web: nation-state attackers motivated by espionage are on the rise and now come in a close second in web breaches.


Moreover, 65 percent of web breaches are motivated by financial gain, and 31 percent are due to espionage motives. Both types of attackers target organizations, often those with weak credentials.

Strong password security for any organization or startup can avoid and reduce the number of attacks via default, shared, or stolen credentials on the web.

“From the chart, it is evident that many intrusions exploit the basic (mis)management of identity. Unauthorized access via default, shared, or stolen credentials constituted more than a third of the entire Hacking category and over half of all compromised records. It is particularly disconcerting that so many large breaches stem from the use of default and/or shared credentials, given the relative ease with which these attacks could be prevented.” (2009 DBIR page 17)

It’s not just a web thing. It’s an e-mail thing too. Although web servers constitute nearly 100 percent of web breaches, 20 percent of mail servers have been compromised in web breaches recently.

Interestingly, 80 percent of mail servers became compromised due to stolen credentials too, and 30 percent were due to an exploit – a 27 percent jump from last year in 2021 when it was only 3 percent. Among those exploits, the most popular seem to target SQL injection vulnerabilities. Other reasons mail servers became breached are:

•Improperly constrained or misconfigured access control lists (ACLs)

•Authentication bypass

•Privilege escalation

•Brute forcing passwords

The need to guard identities

In conclusion, stolen credentials are the main threat and concern for an organization’s or startup’s infrastructure – primarily web servers and mail servers – that attackers frequently leverage for financial gain and espionage: stolen credentials were responsible for 80 percent of web and mail server breaches, a 30 percent increase since 2017.

Brute force remained near the top of the list, as well. That indicates that password management and 2FA are critical for organizations and startups to mitigate these threats, reducing web breaches to a great extent. Securing web and mail servers from exploitable vulnerabilities that attackers can leverage is just as important when the rise of web breaches increasingly makes organizations and startups more vulnerable.

For more details on how to secure your organization or startup from web attacks go to https://zigrin.com/services

About the essayist: Dawid Czarnecki is CEO of Zigrin Security. He has served as a senior penetration tester at NATO Cyber Security Centre and holds numerous cybersecurity certifications, including OSCP, GIAC Certified Incident Handler, and GIAC Certified Web Application Defender (GWEB). He is also a member of the GIAC Advisory Board.