By Larry Goldman, Senior Manager of Product Marketing, Progress

To this point, many businesses have failed to look at application experience (AX) management holistically, as its own challenge with its own set of distinct––and interlocking––solutions. This oversight has been to their detriment.

The fact is that every second of lag time on an online banking app risks alienating the consumer. Every glitch on an e-commerce app risks sending the consumer to a competitor. Multiplied out over thousands or millions of touchpoints and interactions, interruptions like these can lead to incalculable losses in both revenue and reputation. Skimping on any one aspect of AX management inevitably leaves businesses open to both financial and reputational harm.

Managing AX the right way means knowing precisely what’s happening in your infrastructure and network at all times. It means having a firm, real-time grasp of how your applications are performing. It means, crucially, being hyper-prepared for potential threats––ready to intervene at any sign of an anomaly.

These four quadrants––infrastructure monitoring and network visibility; security and app performance––intersect and overlap. Without careful attention to all four, no application can hope to compete in today’s marketplace.

Infrastructure monitoring and network visibility

Before you set off in a car, you’re going to want to make sure that the engine works and the brakes are intact. That’s infrastructure monitoring. Run an application on a faulty infrastructure and it’s likely to crash and burn. Proper infrastructure monitoring means knowing precisely how your hardware’s running at all times––your servers, your virtual machines, your routers, and your switches. How’s your memory looking? Is the performance of a certain server running slow? When questions like these are answered instantaneously––and anomalies are automatically flagged and reported––you greatly minimize the odds of disruption or disaster.

Of course, many application performance problems can’t be explained by infrastructure alone. On those occasions, you’re going to need to know what’s happening with your network traffic.

Network visibility is precisely what it sounds like: granular insight into precisely what’s happening on your network. When network visibility is inadequate or partial, routine application problems can quickly spiral. IT scrambles to find the source of the problem as customers get frustrated (best-case scenario) or bad actors worm deeper and deeper into your system (worst-case scenario). Addressing issues on a case-by-case basis is untenable in today’s digital environment: you need total network visibility, 24/7.

Network visibility accounts for the information of everyone who interacts with your servers––from their IP address and protocol to the amount of time they’ve spent on your network. When network visibility is comprehensive, there are no surprises: IT can be made aware of suspicious activity before it becomes a real problem. Your application experience, accordingly, stays fast, reliable, secure and seamless.

Why it all matters: security and application performance

It’s essential to drive home the two main reasons that infrastructure visibility and network monitoring are so important for seamless AX: security and application performance.

Let’s start with security. In the last few years, fueled partly by the pandemic, internet traffic has exploded, growing at an annual rate of 30% between 2018 and 2022. Meanwhile, bad actors are more prevalent than ever––global cyberattacks increased by 28% in the third quarter of this year alone.

Not every house needs a state-of-the-art surveillance system. But if your house is under continual attack by bad actors, you’re going to want to be prepared. And if you run any kind of business in 2022, it’s important to remember: you are always a target. As far as the application experience goes, comprehensive preparedness is the only answer: all it takes is one small breach to lose a non-negligible percentage of your user base.

And then there’s performance. In general, businesses have no room for error here. Just take a look at these stats: according to one survey, a negative mobile experience can make a customer 62% less likely to purchase from a brand in the future, while 90% of users have reported that they stopped using an app because of poor performance. The markets are simply too competitive to risk inconveniencing the consumer in any way.

Of course, when application experience management is done correctly, it is invisible to consumers: the experience on their end is seamless. But this kind of flawless AX is only possible with comprehensive infrastructure monitoring and network visibility, a proactive stance towards potential threats, and a true sense of how your app is performing. You can keep on plugging away in the dark, only half-aware of the trouble awaiting you––or you can make sure, through holistic AX management, that the trouble is turned away at the door.

About the Author

Larry Goldman is the Senior Manager of Product Marketing for Progress. He is an accomplished marketing leader with over 20 years of experience in enterprise software, SaaS, services, and technical B2B marketing.

The post The Four Keys to Achieving an Optimal Application Experience appeared first on Cybersecurity Insiders.

By Geert van der Linden, EVP & Head of Global Cybersecurity Practice at Capgemini

You might feel like we live in an age of permacrisis. The past year has brought about rising geopolitical tensions, mass digitalization, more hybrid working, and a skilled labor shortage. Adding to these challenges is the new era of almost limitless connectivity, which is changing the way we live and work, all the while causing havoc for cybersecurity teams. As a result, organizations must adapt quickly or risk significant costs.

More companies are recognizing the importance of investing in cybersecurity. According to Gartner, global spending on cybersecurity could reach $1.75 trillion by 2025, with current spending at around $172 billion. In certain areas, such as data analytics, this investment is paying off with improved security capabilities, making it easier for IT teams to proactively identify and address cyber threats with data and automation.

However, the scope of cyber breaches continues to grow. Malicious actors continue to evolve, and so do their targets. Today, businesses, such as car manufacturers, must be aware of potential malware infections not just in their own systems, but also in those of their suppliers and equipment. With IT teams often being small, it can be difficult to constantly monitor and analyze everything. That’s why it’s crucial for employees – who are often the most vulnerable targets – to be better educated on cybersecurity threats and more proactive in preventing attacks and unintended vulnerabilities.

Where does that leave us for the year ahead? Here are the five challenges that will alter the industry in 2023:

Zero trust will replace perimeter security

Hybrid working has become the norm for many businesses now; employees are just as likely to be working from another country as they are from the office. Organizational data is flowing outside of traditional closed networks and into the cloud, while the 5G-powered Internet of Things (IoT) is vastly multiplying endpoints at risk from attack.

These factors spell the end of perimeter security, and in response, we need a zero-trust approach. This means that every user is suspicious until verified and must be granted access every time they pick up tools – eliminating any room for doubt and allowing for better monitoring of unusual behavior. Zero trust is essential for enabling the growth of digitalization and the cloud. In fact, Gartner reports that zero-trust network access will remain the fastest-growing segment in network security, with growth of 36 percent in 2022 and 31 percent anticipated in 2023.

Implementing a zero-trust security model cannot be done overnight but is a multiyear journey. It will depend on the amount of legacy infrastructure and will need to cater to the specific requirements of certain industries. The zero-trust model involves going beyond traditional network zoning to create a more stable and secure framework, and it’s likely that we will see more organizations fully adopting zero-trust in the coming year.

5G security hots up

Whether it’s cars, washing machines, or factories, 5G is transformative. It’s the foundation for Intelligent Industry. Almost everything can be connected to the internet, expanding the potential points of vulnerability. As such, 5G security and its security architecture will come under the spotlight as businesses continue to migrate to the cloud – with data flowing freely between organizations and telcos.

As adoption of 5G technology grows, it is essential to prioritize cybersecurity at the board level in order to effectively manage the challenges of the digital age. Without this focus on security, organizations will struggle to address potential threats, educate employees and vendors, and facilitate effective communication between cybersecurity teams and decision makers.

Security by design

Cybercriminals are now targeting vulnerabilities further down the supply chain as more specialized connected devices are produced. Take a specialist manufacturer of a connected car part as an example. These attacks are likely to become more prevalent as geopolitical tensions around intellectual property and influence rise.

To address this, it’s crucial to incorporate security measures during the development stage through a process called DevSecOps. This involves bringing together development, security, and operations teams to automate security throughout the software development lifecycle, which can help reduce effort, cost, and improve compliance.

Neglecting to prioritize security early on in the development process could have serious consequences for critical industries like healthcare, automotive, energy, and agriculture.

Invest in data over AI

While there’s no doubt that AI and automation technology will continue to advance, their progress is not happening as quickly as some may hope. Instead, next year, data analytics and data mining will take greater prominence.

Both will be critical to relieving some of the pressure on IT teams. A study by IBM found that 67% of cybersecurity incident responders say they experience stress and/or anxiety in their daily lives, with an alarming 65% seeking mental health assistance as a result of responding to cybersecurity incidents. By better harnessing data, teams can deliver better insights and correlation on attack trends, while forecasting future attacks. In this way, organizations can help to reduce the pressure on cybersecurity professionals.

Growing concerns in hyperscalers

As more and more businesses migrate to the cloud, worldwide spending is expected to reach $1.3 trillion by 2025. At the same time, 79% of companies experienced at least one cloud data breach in the last 18 months.

The added values and integrations of platforms like Microsoft Azure and Amazon Web Services are significant. However, such hyperscalers put more pressure on smaller security providers, who will continue to lose market share in the year ahead – they have to prove that they’re capable of delivering secure cloud environments as part of the package. Businesses need to be able to move into the cloud with confidence, and for SMEs especially, affordability is crucial.

There’s still room for hope in 2023 despite the scale of these challenges. The security environment can feel overwhelming, but investments continue to rise even within the context of global inflation.

Advancements in data analytics and capabilities are improving and showing the benefits they bring to the table, but organizations will have to invest in talent to help teams alleviate forthcoming pressure. By leveraging this technology and promoting a culture of security at all levels, including among suppliers and employees, businesses can position themselves for success in the security industry in the coming years.

The post What’s Next in Cybersecurity: Insights for 2023 appeared first on Cybersecurity Insiders.

By Tyler Reguly, senior manager, security R&D at cybersecurity software and services provider Fortra

The pandemic ushered in an unprecedented wave of online purchasing, as people around the world became far more comfortable with virtual shopping. In fact, the U.S. Census Bureau’s latest Annual Retail Trade Survey reports e-commerce expenditures rose from $571.2 billion in 2019 to $815.4 billion in 2020, a 43% increase.

Cybercriminals everywhere matched the uptick with clever new schemes to filch payment card data and defraud victims of billions of dollars. The Nilson Report estimated $28.6 billion in payment card-related losses occurred in 2020 (over one-third of them in the U.S.). They also predict this number will reach $408 billion in losses by 2030.

Time for change

With the boom in digital commerce paired with the increased popularity of contactless payment and cloud-stored accountholder data, the Payment Card Industry (PCI) Security Standards Council decided to re-evaluate the existing standard. First launched in 2004 and updated most recently in 2018, the PCI Data Security Standard (PCI DSS) is continually updated to reflect the evolving challenges of the cyberthreat landscape.

The current version, PCI DSS v3.2.1, is clearly failing to protect cardholder account details effectively in today’s environment. The Council gathered input from 200+ organizations and announced the updated requirements in March 2022, which will become mandatory on March 31, 2024. Organizations also have until 2025 to implement a set of future-dated changes. The full timeline can be found on the PCI Security Council website.

The 12 controls

PCI DSS 4.0 spans 12 controls, several of which have received updates in the latest version. According to the PCI Council, the enhanced requirements promote security as a continuous process while adding flexibility for different methodologies.

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to cardholder data by business need-to-know
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security within organizational policies and programs

Changes in PCI DSS 4.0

In looking at the new standard more closely, there are several requirements with notable changes. Below is a high-level overview of the differences between PCI v3.2.1 and PCI v4.0:

Requirement 2: Broader scope defining the need for security configuration management (SCM) on more types of assets.

Requirement 3: “Account Data” instead of “Cardholder Data” indicates a potential increase of scope for PCI assets.

Requirement 4: Less specificity on the type of encryption used means your organization is freer to follow industry best practices. An important takeaway is to internally define what those technical standards are and be able to justify why they are now “Strong Cryptography” so that you can still pass your PCI audit (essentially, just document what standards you are following and why).

Requirement 5: It is no longer sufficient to just have standard antivirus software. This requirement now specifically calls for anti-malware to be in place, necessitating a strong antivirus solution with malware protection or EDR/MDR/XDR solution.

Requirements 7–9: These requirements are primarily the same as before, but the big takeaway is that instead of just enforcing access controls to systems, it’s now requesting this to be done more granularly to specific components such as software, databases, etc.

Your five-step PCI DSS 4.0 transition checklist

As you get up to speed on how the standard itself has evolved, you’ll begin to understand the potential impact to your own processes and operations. This isn’t a one-and-done type of effort. It will require a phased approach over time. Successful organizations will view the new requirements as an opportunity to strengthen the security mindset across many aspects of their business.

To help you get started, you’ll want to build the following components into your initiative:

  1. Plan a phased implementation according to the PCI timeline
  2. Review potential changes to scope
  3. Conduct a people and process evaluation
  4. Strengthen security configuration management (SCM) processes
  5. Onboard a tool that automates continuous compliance

Go in-depth on how to approach each of these items in this executive guide, the Five-Step PCI DSS v4.0 Transition Checklist. This essential resource helps you understand the requirements of PCI DSS 4.0 and how to ensure your organization is addressing the changes needed to avoid audit fines and data breaches.

Above all, securing payment card information helps protect your customers’ sensitive information and your company’s reputation by preventing costly business disruption in a fast-changing cyberattack environment.

Tyler Reguly is senior manager, security R&D at cybersecurity software and services provider Fortra, responsible for overseeing TACTIC, a team of security researchers that provide the security expertise that powers the company’s Tripwire product line.

In addition to security research, Tyler has worked closely with Fanshawe College, from which he graduated with a diploma in Computer Systems Technology, developing five courses including subjects like Advanced Hacker Techniques & Tactics, Hacking and Exploits, Malware Research, Evolving Technologies and Threats, and Python Programming.

Tyler has contributed to various standards over the years including CVSSv3 and has provided technical editing to a number of published books. In addition, he is a co-founder of the IoT Hack Lab that has been offered at SecTor (Security Education Conference Toronto) since 2015.

Follow Tyler Reguly on Twitter.

The post The Five-Step PCI DSS 4.0 Transition Checklist appeared first on Cybersecurity Insiders.

Smartphones have become a necessity for us these days: they assist us in commuting, entertain us when we are bored, help us communicate with our near and dear ones, let us read the news, and do much more. But as these gadgets have become crucial in our lives, many hackers are also interested in infiltrating them, to get a glimpse of our lives or where we are heading.

Therefore, it becomes imperative to protect these devices from cyber-attacks, and that can be achieved by following these simple tricks:

  • Always ensure that you are logged out of the website you are visiting while shopping or while connecting with the world, like Facebook. And if it is an app, please ensure that the account has 2-factor authentication enabled.
  • While connecting to public charging ports, be aware that such charging points can act as access points for cyber crooks engaged in “juice jacking”, where a fake charging station accesses private data or installs malware.
  • It is recommended to audit the apps installed on the smartphone once a month, and to check whether they are using data and the internet more than intended.
  • Keep the remote phone-wiping option active, as it helps to erase the information stored on the phone if it gets stolen or misplaced. This keeps data safe from prying eyes.
  • Always keep your apps, security software and operating system up to date.
  • Keep Bluetooth and Wi-Fi on only when required.
  • Avoid easily guessed passwords; use only passwords of at least 15 characters, made up of a mix of alphanumeric characters plus one or two special characters.

The post Follow these simple tricks to keep your smart phone secure in 2023 appeared first on Cybersecurity Insiders.

By Marcos Lira, Lead Sales Engineer at Halo Security

Nearly 10 years ago, Mark Zuckerberg pivoted away from a phrase he coined: “Move fast and break things.” Silicon Valley is largely still living by that mantra. Competitive pressures have pushed organizations to build and deliver products and services faster and closer to their customers.

But too often the risks associated with this rapid pace have left organizations exposed to too many connections gone forgotten, unmanaged, or misconfigured. These assets eventually drift to what is considered “out-of-scope” for testing and monitoring.

“Out-of-scope” assets are the assets that security teams neglect. These are generally considered non-critical, but the risk of chained attacks stemming from issues like subdomain takeovers makes it more essential than ever to monitor and secure the full attack surface. ESG Research says 69% of organizations have suffered a cyberattack that began with the exploitation of an unknown, unmanaged, or misconfigured internet-facing asset. Some common examples we see include:

  • Third-party marketing and support platforms (like HubSpot or Zendesk)
  • Subsidiary and legacy environments
  • Development and staging environments
  • Internal and partner tools
  • Vanity domains and forgotten projects

While these aren’t generally the most critical assets, if they are exposed to the internet, they are readily available for threat actors to attack.

Unfortunately, this means that an organization’s internet-facing attack surface has only grown in complexity and is ever-expanding. There are new assets, new libraries, new code, and the likelihood of new vulnerabilities increases. In reality, there’s no such thing as “in-scope” or “out-of-scope” for an attacker that might be licking their chops seeing just how vulnerable their target is.

These types of assets broaden an organization’s attack surface and can introduce critical vulnerabilities that slip through the cracks. Sometimes those awareness gaps stem from ongoing staff shortages, the sheer number of vulnerabilities to manage, or alert fatigue.

To understand what you need to protect, let’s look at the attacker’s playbook, identify your true attack surface, and what can be done to protect it.

How attackers think

The stock image of a nefarious actor sitting behind a laptop wearing a hooded sweatshirt as they aim to take down the largest organizations doesn’t properly paint the picture. Attackers don’t discriminate; they are equal opportunists that will find the easiest way to infiltrate a target and hop around until they find what’s most valuable.

Often, it’s the “out-of-scope” assets that are most vulnerable and attackers count on them for the easiest entrance into your organization. These attackers hack for fun, learn from their community, and leverage vulnerability disclosures from bug bounty programs to worm their way in.

Attackers are as agile as NFL running backs; they can cut, pivot, sidestep defenses, and even audible to pull off their breaches. A study by the University of Maryland found that malicious attackers have an increased skill in vulnerability detection because of the wide array of networks and software they target. Their playbook may start with a subdomain takeover and ultimately compromise a primary target.

What your attack surface truly looks like

In the JPMorgan Chase case, it was an exposed database from an acquired subsidiary that was compromised, ultimately resulting in 83 million accounts being exposed. This is a common pain point for organizations. In order to understand your attack surface, you need visibility and most organizations don’t have enough.

According to a report from Trend Micro, 62% of IT security decision-makers admit to having blind spots that weaken their security posture and 73% are concerned about the size of their digital attack surface. It can grow unwieldy as more assets that you didn’t build in-house get added. Most of these third-party connections come via domain name system (DNS) canonical name (CNAME) records or application programming interface (API) calls.
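The CNAME-based third-party dependencies mentioned above, as an added example that is not from Halo Security or the original post: it reads a constructed zone export, separates in-house CNAMEs from those that delegate a hostname to an outside provider, and flags providers missing from an approved-vendor list so they can be pulled into the monitored attack surface. The organization's zones, the vendor suffixes and every record are constructed for illustration.

```python
"""Surface third-party dependencies hidden in DNS CNAME records.

Added example (not the original post's code). Everything below is
constructed: the zones, the approved-vendor suffixes and the zone export.
"""
from dataclasses import dataclass

# Zones the organization controls (constructed).
OWN_ZONES = ("example.com", "example-legacy.net")

# Vendors the security team already knows about, keyed by the provider's
# CNAME suffix (constructed; .example is a reserved TLD).
APPROVED_VENDORS = {
    "helpdesk-vendor.example": "Helpdesk SaaS",
    "marketing-vendor.example": "Marketing platform",
}

# Constructed BIND-style zone export.
ZONE_EXPORT = """\
; constructed sample zone export
www.example.com.            300 IN A     203.0.113.10
support.example.com.        300 IN CNAME acme-corp.helpdesk-vendor.example.
go.example.com.             300 IN CNAME acme.marketing-vendor.example.
static.example.com.         300 IN CNAME cdn.example.com.
demo2019.example.com.       300 IN CNAME old-demo.staging-host.example.
shop.example-legacy.net.    300 IN CNAME storefront.ecom-vendor.example.
"""


@dataclass(frozen=True)
class CnameRecord:
    owner: str
    target: str


def parse_cnames(zone_text: str) -> list[CnameRecord]:
    """Extract CNAME records; comments and other record types are ignored."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()  # owner, ttl, class, type, rdata
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            records.append(CnameRecord(fields[0].rstrip(".").lower(),
                                       fields[4].rstrip(".").lower()))
    return records


def in_own_zone(name: str) -> bool:
    """True when the name lives inside one of the organization's own zones."""
    return any(name == z or name.endswith("." + z) for z in OWN_ZONES)


def provider_suffix(target: str) -> str:
    """Approximate the provider by the target's last two labels (assumption)."""
    return ".".join(target.split(".")[-2:])


def classify(records: list[CnameRecord]) -> dict[str, list]:
    """Split CNAMEs into internal, approved third-party and unknown third-party.

    Unknown entries are the "out-of-scope" candidates: hostnames that hand
    traffic to a provider nobody has inventoried.
    """
    report = {"internal": [], "approved": [], "unknown": []}
    for rec in records:
        if in_own_zone(rec.target):
            report["internal"].append(rec.owner)
        elif provider_suffix(rec.target) in APPROVED_VENDORS:
            vendor = APPROVED_VENDORS[provider_suffix(rec.target)]
            report["approved"].append((rec.owner, vendor))
        else:
            report["unknown"].append((rec.owner, rec.target))
    return report


if __name__ == "__main__":
    result = classify(parse_cnames(ZONE_EXPORT))
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
```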

Many security teams think that by using a third-party asset, like software as a service (SaaS) or infrastructure as a service (IaaS), they are transferring risk. They’re simply not. If you’re using it, you’re responsible for it. Consider the 2019 Capital One breach: the company tried to pass the responsibility to a weakness within the AWS infrastructure. Unfortunately for Capital One, the courts sided with AWS that it was the bank’s responsibility to ultimately protect its customer data. Public cloud providers have a similar policy with shared responsibility. While the cloud provider is responsible for the infrastructure of what it offers, any data you add or configurations you make are on you.

The common misconception about risk is often made obvious by bug bounty programs. Security teams may direct ethical hackers to only look for solutions in a certain area, ignoring others they believe to be “out of scope.” When attackers read about these bug bounties — which they commonly do — they know exactly where security teams aren’t looking and know just where to strike.

What can be done

Organizations should carefully consider the entirety of their internet-exposed infrastructure and regularly assess each asset for security gaps. The interconnectedness of “non-critical” and “critical” assets is difficult to avoid, so we can’t ignore “non-critical” or “out-of-scope” assets anymore.

This may mean a more comprehensive assessment of your attack surface, but it’s a worthwhile investment. Attackers are becoming more creative and finding new paths to your most valuable assets. Even if you consider certain data, applications, or repositories to be “out-of-scope,” it could be those forgotten resources that do far worse than break as you move quickly; they could be holding the door open for an attack.

The post Why Out-of-Scope Assets are Prime Targets for Attackers appeared first on Cybersecurity Insiders.

By Yaron Azerual, Senior Security Solution Lead, Radware

The shift to hybrid working and digital transformation has accelerated the use of APIs. According to Radware’s 2022 State of API Security Survey, conducted with Enterprise Management Associates, 97% of organizations use APIs for communications between workloads and systems; 92% have significantly or somewhat increased API usage within the last year; and 59% already run most of their applications in the cloud – all of which underscores the critical role APIs play in enterprise computing.

The challenge is that API protection is not only failing to keep up with the increase in API usage, but many companies are working under a false set of assumptions and overconfidence that they are adequately protected from cyberattacks – a risky combination. The reality is that security teams need to rethink their approach to securing their APIs.

THE STATE OF API SECURITY

In our recent survey, 203 companies from across Europe, Asia, and North America paint a real-world picture of the state of API security in today’s organization. The results of the survey reinforce the narrative that companies have a false sense of security in solutions that are inadequate and ineffective:

Undocumented APIs pose a substantial and underestimated threat.
While 92% of the organizations surveyed believe they have adequate API protection and 70% believe they have visibility into applications that process sensitive data, most (62%) admit that one-third or more of their APIs are undocumented.

Commentary: While the survey discovered that a fair portion of APIs are known and documented, there is a real (and underestimated) threat that comes from a large percentage of undocumented APIs. This is coupled with the fact that only some people believe that automatic API discovery and protection are necessities, and an even smaller portion is actually using a solution with auto-discovery capabilities. This is part of the false narrative that can lead to a major breach for many organizations: the belief that they have adequate security, but actually have significant gaps in their protection from APIs that are unknown and undocumented.

API attacks are largely undetected.
Half of companies surveyed viewed their existing tools as only somewhat or minimally effective at protecting their APIs, with 7% reporting that their solutions did not identify any attacks at all.

Commentary: The inability of the existing tools to adequately protect APIs from common threats further adds to the false security narrative. The fact that respondents reported that the solutions they had in place did not identify any attacks (7.4%) is even more troubling.

Bot attacks remain a threat.
Nearly one-third of companies report that automated bot attacks are among the most common threats to APIs. In detecting an API attack, 29% say they rely on alerts from an API gateway and 21% rely on web application firewalls (WAFs).

Commentary: Organizations continue to base API security on the false assumption that API gateways and traditional WAFs offer sufficient protection, leaving their APIs vulnerable and exposed to common threats, like bot attacks. A comprehensive API protection solution addresses these threats, but few respondents indicate they have deployed such solutions. Bot protection and automated-attack protection should be a priority when evaluating solutions to protect APIs.

BEWARE OF FALSE ASSUMPTIONS

There are many challenges involved in securing APIs – false assumptions are among them. Dispelling the myths and false beliefs while debunking the overconfidence that most organizations have around API security is a great place to start in improving security posture.

Here are a few prevailing misassumptions further hampering API security and leaving APIs vulnerable and exposed to threats.

  1. “A WAF will protect our applications and their APIs.”

While WAFs are a great solution for protecting against embedded attacks, they only cover a fraction of the attack vectors APIs are exposed to. APIs require specific capabilities, such as the ability to parse the content and compare it to the API’s specific schema – something standard WAFs usually don’t do.

Second, most WAF solutions (especially cloud WAF managed services) only deploy negative security models. This limits protection against zero-day attacks (unfamiliar attacks for which no signature yet exists). The OWASP API list of the top 10 threat vectors includes many types of attacks and malicious API calls that simply can’t be covered through a negative security model. They require a positive security model and behavioral analysis to determine whether the API call is malicious or not – a feature most WAFs don’t offer.

Finally, there are automated threats, including malicious bots, that can pose a major problem for APIs. How can an API distinguish between a bad bot and a legitimate machine-to-machine call? Companies need advanced bot management solutions that can also analyze API calls to protect against account takeovers (ATO), data scraping, and other types of application DoS attacks. Currently, no WAF offers this functionality.

  2. “An API gateway will manage and protect our APIs.”

API gateways are designed to manage the lifecycle of APIs, like translating protocols and routing API calls to correct destinations. On the security side, API gateways authenticate the entity that makes the API call and ensure the entity has proper authorization to execute a specific call.

With more companies expecting API gateways to offer increased levels of security, some API gateway vendors have started integrating basic API protection capabilities (beyond authentication and authorization enforcement). Unfortunately, there is no API gateway solution to date that safeguards APIs with a positive security model engine, bot protection capabilities, behavioral analysis, and application denial-of-service (DoS) protection. Most API gateways include connections to third-party API protection solutions — a clear indication that API vendors understand their products’ limitations in protecting the very APIs they manage.

  1. “The APIs we are using are well-documented, enabling effective protection.”

A well-protected API is a well-documented API. To effectively protect an API, you need to intimately know the API structure, parameters, the type and range of values, and expected content of the API body. Combined with a good API protection solution, a well-documented API dramatically improves your security posture. However, in many organizations, there are numerous undocumented and unmanaged APIs that go unaddressed. And even if they are documented, APIs change more frequently than applications. As a result, their documentation and security policies need to be updated regularly.

Effective API protection must include automatic discovery of APIs. A good discovery engine can also automatically generate and apply a tailored security policy to match the discovered APIs. This is the best way to effectively protect an API throughout its lifecycle.
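The difference between a negative and a positive security model, and the idea of a discovery engine generating a policy from observed traffic, is easier to see in working code. The following Python is an added example and is not code from the article or from any vendor’s product. The endpoint (a hypothetical POST /api/v1/transfer), its schema, the handful of attack signatures, and all sample requests are constructed for illustration; a real positive-model engine would be driven by the API’s OpenAPI definition or by far more observed traffic.

```python
"""Added example: negative (signature) vs. positive (schema) checks for a JSON API body,
plus a toy discovery step that derives a baseline policy from observed requests.
Endpoint, schema, signatures and samples are all constructed for this illustration."""
from __future__ import annotations
import json
import re

# Hypothetical schema for POST /api/v1/transfer, in the spirit of an OpenAPI body definition:
# per field, the expected type, format/range constraints, and whether it is required.
TRANSFER_SCHEMA = {
    "account_id": {"type": str, "pattern": r"^[A-Z]{2}\d{8}$"},
    "amount":     {"type": (int, float), "min": 0.01, "max": 10_000},
    "currency":   {"type": str, "enum": {"USD", "EUR", "GBP"}},
    "memo":       {"type": str, "maxlen": 64, "required": False},
}

# A tiny negative-model ruleset for contrast: patterns of known-bad input.
NEGATIVE_SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]

# Constructed sample requests (not real traffic).
GOOD_REQUEST = '{"account_id": "GB12345678", "amount": 250.0, "currency": "EUR", "memo": "rent"}'
# Contains no attack signature at all, yet breaks the API's business rules: a negative amount
# and an extra field the endpoint never declared (a mass-assignment style parameter).
SNEAKY_REQUEST = '{"account_id": "GB12345678", "amount": -5000, "currency": "USD", "is_admin": true}'
OBSERVED_SAMPLES = [  # known-good bodies a discovery engine would learn from
    {"account_id": "GB12345678", "amount": 250, "currency": "EUR", "memo": "rent"},
    {"account_id": "DE87654321", "amount": 40.5, "currency": "USD"},
]


def negative_check(raw_body: str) -> list[str]:
    """Signature matching: returns the patterns that matched; silent on anything unfamiliar."""
    return [sig.pattern for sig in NEGATIVE_SIGNATURES if sig.search(raw_body)]


def positive_check(raw_body: str, schema: dict = TRANSFER_SCHEMA) -> list[str]:
    """Schema enforcement: returns a list of violations; an empty list means the call conforms."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    violations = []
    # Anything the schema does not declare is rejected, so undeclared parameters never reach the app.
    for field in sorted(body.keys() - schema.keys()):
        violations.append(f"unexpected field '{field}'")
    for field, rule in schema.items():
        if field not in body:
            if rule.get("required", True):
                violations.append(f"missing field '{field}'")
            continue
        value = body[field]
        # bool is a subclass of int in Python, so exclude it explicitly from numeric fields.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            violations.append(f"'{field}' has wrong type {type(value).__name__}")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            violations.append(f"'{field}' does not match expected format")
        if "enum" in rule and value not in rule["enum"]:
            violations.append(f"'{field}' not in allowed values")
        if "min" in rule and value < rule["min"]:
            violations.append(f"'{field}' below minimum")
        if "max" in rule and value > rule["max"]:
            violations.append(f"'{field}' above maximum")
        if "maxlen" in rule and len(value) > rule["maxlen"]:
            violations.append(f"'{field}' exceeds maximum length")
    return violations


def infer_schema(sample_bodies: list[dict]) -> dict:
    """Toy discovery step: derive a baseline policy (type, required-ness, numeric and length
    bounds) from observed known-good bodies. A real engine learns from far more traffic and
    keeps tuning the result; a policy learned from two samples is deliberately tight."""
    schema: dict = {}
    for body in sample_bodies:
        for field, value in body.items():
            rule = schema.setdefault(field, {"type": type(value), "seen": 0})
            rule["seen"] += 1
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                rule["type"] = (int, float)
                rule["min"] = min(rule.get("min", value), value)
                rule["max"] = max(rule.get("max", value), value)
            elif isinstance(value, str):
                rule["maxlen"] = max(rule.get("maxlen", 0), len(value))
    for rule in schema.values():
        rule["required"] = rule.pop("seen") == len(sample_bodies)
    return schema


if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("sneaky", SNEAKY_REQUEST)):
        print(name, "negative:", negative_check(req), "positive:", positive_check(req))
    learned = infer_schema(OBSERVED_SAMPLES)
    print("learned policy:", learned)
    print("against learned policy:",
          positive_check('{"account_id": "GB12345678", "amount": 5000, "currency": "USD"}', learned))
```

The sneaky request is exactly the case the article describes: it carries no recognizable attack string, so the negative model passes it, while the positive model rejects both the undeclared field and the out-of-range value. The learned policy shows the other side of discovery: a bound derived from little traffic flags a legitimate-looking 5000 transfer, which is why generated policies need the continuous optimization and false-positive tuning the article calls for rather than being applied blindly.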

A Snapshot of Effective API Security

API security requires an in-depth understanding of a multitude of environments and platforms. An effective API security solution will:

  • Integrate with existing security and visibility tools.
  • Leverage advanced machine-learning algorithms to detect emerging threats and automatically create and optimize API security policies.
  • Enable accurate and automated API discovery, protection, and security policy generation without requiring application or security expertise.
  • Comprehensively protect all parts of the API across a broad range of threats, including access violations, data leakage, denial of service, automated threats (bots), and embedded attacks.
  • Protect against automated, bot-based threats.
  • Support positive and negative security models while enabling continuous and automatic security policy optimization and adjustments to correct and eliminate false positive events.

  1. “We’re covered by a dedicated API protection solution.”

Good API protection that takes into account the above recommendations is a great start. But it isn’t enough to fully protect your application. APIs don’t exist by themselves. They are part of an application deployed on an infrastructure. Hackers who can’t penetrate the API will look for application vulnerabilities unrelated to the API. They might launch a bot attack, or they might simply launch a distributed denial-of-service (DDoS) attack.

The threat landscape for organizations has changed significantly over the past several years. It is simply not possible to identify and mitigate all security risks using traditional methods and tools. Instead, it’s important to take a holistic approach to application protection that covers all bases, including a strong WAF, bot management, threat intelligence, and DDoS protection. If you can manage these solutions from a single pane of glass and synchronize them, your applications and APIs will be effectively protected.

API security may not be making news headlines like ransomware and DDoS attacks yet. However, for most organizations, it has quickly become the most significant vulnerability surface — a threat that will remain as long as proper protection lags behind the growing risks.

# # #

Yaron Azerual, Senior Security Solution Lead at Radware, has more than 25 years of engineering, product management and product marketing experience, which is grounded in a deep understanding of the development of communication and security products and the market challenges they solve.

The post Dispelling the Myths and False Beliefs of API Security appeared first on Cybersecurity Insiders.

By Ted Wolcott, PhD, Chief Strategy Officer, Quokka

Mobile devices may not have changed fundamentally in recent years, but the way they are used within businesses has. The massive shift toward work-from-anywhere policies means that employees are no longer just bringing their own devices to the workplace. They’re increasingly relying on personal devices to conduct work remotely – and creating new privacy and security challenges for mobile device managers in the process.

Here’s what the work-from-anywhere phenomenon means for mobile security and BYOD management, and how administrators can meet newfound challenges while also protecting the business and respecting employee privacy.

How Remote Work Has Changed BYOD

The practice of bringing personal devices to work is nothing new, of course. For decades, businesses have allowed employees to use personal phones, tablets, and other mobile devices while working on-site, and they’ve defined Bring Your Own Device (BYOD) policies to govern exactly how those devices can be used.

What has changed over the past few years, however, is that large numbers of employees – about 45 percent, according to Gallup – now work fully or partly from off-site. Before 2020, that number was as low as 6 percent.

For today’s remote employees, BYOD doesn’t mean simply bringing personal devices into the office and using them for personal reasons. It often involves using devices to work remotely. Remote employees are likely to use personal devices to join meetings, access enterprise SaaS software, manage two-factor authentication, and so on.

Practices like these make a huge difference from a mobile device management perspective because employees are now relying on personal mobile devices to conduct work. They’re no longer merely bringing them into the office and placing them on their desks while they use other, company-owned devices to perform their jobs.

It’s worth noting, too, that even if businesses give remote employees company devices to use when working out of the office, special security challenges still apply. Those devices are typically connecting using networks that the business doesn’t control, which exposes them to additional network-borne security risks. They are also more difficult to secure physically if employees are constantly using them off-site. And if the devices never connect to the local corporate network, administrators can’t perform the same types of security scans and monitoring that they could when employees bring mobile devices to the office.

All of the above means that businesses with work-from-anywhere policies face a host of new mobile security challenges that wouldn’t apply in settings where workers simply bring personal devices into the office. Conventional BYOD policies, which assume that personal devices are not routinely used for business purposes and that they can be managed through a network that the business controls, don’t suffice for meeting these challenges.

How to Manage BYOD for Remote Workforces

Now, the question for mobile device administrators has become: How can they enforce strong mobile security protections for devices that rarely or never come to the corporate campus and don’t always operate on a corporate network?

The answer starts with developing traditional BYOD governance guidelines that spell out what remote employees should and shouldn’t do with their devices.

But those guidelines don’t enforce themselves, which is why businesses also need a way of automatically scanning and monitoring remote mobile devices for security risks. To work well, mobile device security solutions for remote workforces should be capable of the following:

  • Enforcing security policies on remote devices that aren’t connected to a local corporate network.
  • Controlling which business applications, data, and other resources the mobile devices can access, even if the devices are off-site and connected via remote networks.
  • Managing mobile security risks at the application level rather than the device level. This is the only way to secure remote devices that employees use both for personal reasons and for work, and which therefore host business as well as personal apps.
  • Detecting and evaluating security risks without collecting large volumes of personal information from employee-owned devices. This is crucial because remote employees who rely on personal devices to conduct work are likely to resent having to expose personal data to their employers’ MDM software. Plus, collecting personal data could create compliance complications for the business.

Ultimately, the goal of modern BYOD strategies should be to detect and remediate mobile security risks in a granular way while simultaneously protecting users’ personal information.

Conclusion

The work-from-anywhere revolution has blurred the lines separating personal mobile devices from business devices like never before. Expecting employees to bring devices to work but use them only for personal purposes is no longer realistic. Nor is relying on the local corporate network to contain mobile security threats and enforce security rules as part of a BYOD policy. BYOD for remote workforces requires more extensibility, more granularity, and – last but not least – more attention to employee privacy.

The post How to Manage BYOD in the Work-from-Anywhere World of Mobile Security appeared first on Cybersecurity Insiders.

By Mike Wilkinson

Mike Tyson famously said, “Everyone has a plan until they get punched in the mouth.” That applies to the world of boxing—and to the world of cyberattacks. Many companies have an Incident Response (IR) plan in place. But those plans don’t always hold up when an actual cyberattack occurs.

At Avertium, we carry out hundreds of IR engagements a year, so I’m highly familiar with what makes IR plans useful—and what doesn’t. Strong IR plans can help eliminate headaches and wasted time and help your organization more effectively respond in what is typically a very stressful situation. Here are six things you need to do to craft an effective incident response plan.

  1. Establish your escalation points. One of the most useful parts of an IR plan is guidance on your escalation points. That is, “If we reach this point, these are the people we need to contact and these will be the next steps.” It provides the triggers that will cause the next level of action.
  2. Include contact information. It’s a common scenario: A company suffers a breach and needs outside help. Someone in IT places a phone call and gets asked whether the company has cyber insurance. They know it does … but the finance team purchased it, and the IT department knows nothing about it. That’s an avoidable situation. Your IR plan should contain the contact information for everyone who might be needed, from your service providers to key employees to outside counsel to, yes, the insurance provider.

    The list of contacts should appear in an appendix at the back of the plan, which makes it simple to consult in the heat of the moment, as well as easy to update. Elsewhere in the document, use generic titles rather than names so that you don’t have to refresh the entire document any time an employee or vendor changes.

  3. Define the communication parameters: One incident sticks in my mind. A client detected a ransomware outbreak on a Friday night and called us by Sunday afternoon. They had been working on the issue for 40 hours straight, or so I thought. It turned out that senior management’s understandable concern about the situation had caused them to hold hourly update calls, meaning the tech team was unable to focus and work on investigating and resolving the incident for more than about 30 minutes at a time.

    Define how information and updates will be shared, to whom, and how often. Set the cadence up front so that expectations can be managed: For instance, a daily update call unless something critical is uncovered that requires action on the part of a larger group.

  4. Word choice, and word count, matter: Avoid too much legalese or language that’s tough to parse. Keep it readable. Consider using bullet points. Look for the happy medium between an IR plan that’s overly brief and sparse and one that’s too lengthy, where you have to read through 10 pages of instructions before you can get anything done.

    Keep it as simple and precise as possible: for X type of incident, Y is the response group and their responsibilities, and Z are the steps they take. Consider having a one- to two-page high-level policy that sets out your organization’s principles—the things the business is most concerned with.

  5. Get broad input: When you’re writing the IR plan, get input from all the stakeholders. That sounds basic, but I’ve often seen plans where it’s obvious the legal or risk team put it together without consulting others. It needs to contain more than just the technical or legal response.
  6. Give it a test run: Practice makes perfect. Once you think you’ve got it, practice your plan. Pick some scenarios and work through them using the plan to figure out whether it works or not. You may run across systems that haven’t been identified or people whose contact details you didn’t include.

These exercises can also be valuable ways of unearthing issues unrelated to the IR plan. For instance, in working through a ransomware scenario your IT team may realize there is sensitive information being stored on a system where it shouldn’t be, or that the data retention time isn’t adequate considering the amount of time that can pass between compromise and detection. It may highlight an opportunity to make a fix or fixes that will actually make you less vulnerable.

Being hit with a cyberattack can be a scary and confusing time; coming up with an IR plan shouldn’t be. If you let the above tips shape your process of creating or updating one, you’ll be in good shape.

Mike Wilkinson leads Avertium’s Cyber Response Unit, which is dedicated to helping clients investigate and recover from IT security incidents on a daily basis. He has been conducting digital investigations since joining Australia’s NSW Police Force, State Electronic Evidence Branch in 2003, where he led a team of civilians in one of the world’s largest digital forensic labs, and has led Incident Response teams in Asia, Europe, and the Americas.

The post 6 Ways to Create an Incident Response Plan That’s Actually Effective appeared first on Cybersecurity Insiders.

Business success increases when organizations foster employee communication and collaboration. Simultaneously, they must maintain secure communication to protect their assets and valuable information.

Unfortunately, security is a common issue in corporate spaces. Many have experienced data breaches and they must continue to find ways to mitigate these risks. Here is how secure each communication method is and how companies can take steps to enhance security.

1. Video Conferencing

Video conferencing is an effective way to connect people from any remote location during a meeting. Since working from home has become the norm, various businesses have used video conferencing tools to communicate with staff members.

While video conference tools are considered relatively safe, one security vulnerability has recently made headlines. Uninvited attendees are gaining access by clicking on an invitation link. That way, they can interrupt important calls by sharing inappropriate images. This situation typically occurs when users share these links online and on social media sites.

To prevent unauthorized users from getting into a vital call, ensure the video conferencing tool has end-to-end encryption. This feature will protect video conferences and guarantee those conversations are secure.

2. Email

In most organizations, email is the preferred way to communicate with others. It allows users to send and receive complex information to an extensive list of recipients with the click of a button.

Unfortunately, email has a track record of breaches. From phishing to spam and breached email servers, it has been one of the most prominent security issues for companies. When using email, it’s best to look for a platform that verifies users’ identities and sends a warning if someone is outside of the network.

Businesses must train employees to use strong passwords and change them as often as possible. They should also use two-factor authentication to prevent hackers from gaining email access. In addition, they should avoid opening email attachments without scanning them with an anti-malware or antivirus tool.

3. Text Messaging

Close to 81% of people own a smartphone in the U.S. Chances are, people use their smartphones to conduct business and use text messaging to communicate. Direct messaging is typically a secure communication method.

However, texting others through another platform isn’t always secure. In particular, messaging apps are vulnerable to hackers.

The key is ensuring workers use a solution that provides enhanced security. For instance, WhatsApp is a text messaging platform that provides enhanced security for users. Always ensure these tools are using end-to-end encryption to protect individual text messages.

4. Voice Calls

While voice calls are an older technology, they remain one of the most common ways of communicating. Employees can quickly gather the necessary information with a quick phone call without setting up a video conference.

It is an important tool many companies use today. However, landlines and cellular calls have significant security risks. Unwanted third parties can intercept a private conversation by tapping into the call.

Voice calls are one of the least secure communication methods. However, they carry less risk when businesses hold the conversation on a secure communications platform. Various platforms use the same end-to-end encryption that video call technologies use. Ensure they have this feature for more peace of mind during an important business call.

5. File Sharing

Staff must have access to essential data, especially remote workers. This may require sharing files in real time. Whether it’s a video or a Word document, employees need to guarantee confidentiality and security when transferring and storing files.

The key is end-to-end encryption. This feature will protect files for each user sending and sharing documents. A straightforward way to share files securely is by using cloud services.

A cloud file-sharing service allows users to upload their data to a central location. Then, users can download these files to their devices. The third-party provider hosts all of the data and users can specify who has access to files and their permission level.

For example, many enterprises adopt Google Drive, allowing users to share, collaborate and download files. While this requires a Google account, it’s a great way to keep information secure.

Keep Your Business’s End-to-End Communication Secure

Communication is essential to conducting business effectively. However, different communication methods can be vulnerable and are easy for hackers to breach.

Ensure these methods are up-to-date in security by implementing these tips. Doing so helps the company to move forward without disruption. Therefore, everyone can keep communications running smoothly and retain productivity.

The post How Secure Are Your Business’s Communication Methods? appeared first on Cybersecurity Insiders.