By Kathy Quashie, Chief Growth Officer at Capita 

It’s well known that cracks are beginning to show in the workforce of today. Demand for digital skills, permeating each and every industry, is not being met with supply. This digital skills gap is harming UK productivity – and will continue to do so until it is addressed by employers up and down the country.

Increased demand for digital capabilities is putting pressure on organisations to find people with the right skills to fulfil current and future business objectives. The cybersecurity industry is chief among them. The threat landscape is growing at such speed that skills and techniques are sometimes left outdated and made redundant within the span of a few years.

There is a clear need for organisations to identify and hire the best talent to fill the roles they need to enhance cyber resilience. There are countless opportunities waiting for candidates to step into modern, exciting and critical cyber roles.

But how can we bridge the gap?

Breaking down the barriers

Encouraging people to explore careers in cybersecurity requires employers to position career options in a way that excites those who previously disregarded it as a valid option.

Potential highly skilled candidates are often put off exploring a career in cyber by the technical language used in job descriptions and the lack of clarity that comes with it. Whilst technical in nature, many cyber roles can be learnt quickly by those who demonstrate an aptitude for digital skills.

Contrary to most perceptions, cybersecurity is an industry that allows people to think outside of the box, inciting creative thinking and encouraging new perspectives to disrupt the legacy approaches that are failing to keep pace with changing threats. Often those hiring for cyber roles turn to the same talent sources rather than broadening their horizons.

An untapped pool of talent

There are a number of untapped pools of talent that are often overlooked when it comes to identifying and hiring for digital roles in cybersecurity.

Looking at current demographics in the industry, cyber roles are largely male dominated. In addition, statistics show that 1 in 7 people are neurodivergent. Many hiring processes are misaligned with how neurodivergent individuals process information and can therefore deter them from exploring roles in the sector.

There is also a third group of skilled resource in the form of military veterans, who are overlooked in traditional recruitment due to the large gaps in their CVs or their lack of prior industry experience. The use of CVs to assess a person’s suitability for a role dates back to 1482 and Leonardo da Vinci, yet it’s a method we continue to use today.

An effective approach to cybersecurity requires a diverse team that brings a combination of both soft and hard skills to reflect the diverse challenges that are being faced. Promoting and making roles more accessible for diverse applicants can be instrumental in helping to close the cyber skills gap.

In recognition of this issue, the end-to-end talent management platform WithYouWithMe uses aptitude testing as a more effective way of identifying the candidates best suited to each role, by assessing real-life skills and aptitude. This allows candidates to showcase skills from their careers that are hard to describe on a CV, and helps employers identify the very best candidates more effectively.

By solely hiring individuals with similar backgrounds and skillsets, organisations are more likely to build a team with a greater depth of knowledge, but only in one particular area. To gain the breadth of skills and experience, organisations need to branch out to these untapped talent pools.

Technology and cyberthreats are advancing. Methods for identifying and hiring talent for cyber roles must advance with them.

Working together to deliver the solution

Coming together as an industry in an effort to support businesses that need greater technical resource is the next step to overcoming the cyber skills gap.

By partnering with innovative companies like WithYouWithMe, Capita seeks to reduce the shortage by matching highly capable individuals with suitable roles left vacant by the technical skills gap. Looking at a candidate’s potential and aptitude for cyber skills rather than their past experience opens up employment opportunities for those who are often overlooked by current hiring processes.

With an adaptive recruitment strategy that reflects the changing nature of the cyber threat landscape to improve talent acquisition, organisations will be better able to retain and grow talent over time to build a future-proof workforce.

The post Addressing the cyber skills gap through strategic partnerships appeared first on Cybersecurity Insiders.

We’re all aware that cybercrime is everywhere. FUD to the max. When things become commonplace, we start to become numb to the news. We are no longer surprised or shocked that these things happen, or who they happen to.

There is no instruction manual for perfect security. All businesses run differently and no product is impenetrable. Plus, humans work at our companies. As much as humans are needed, they are also our greatest weakness. According to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches involved a human element.

We spend billions on cyber protection, continuing to layer on solutions for each attack vector. Security teams are drowning. But can anyone say, with certainty, they are 100% protected from something no one has seen before? Probably not. And probably not ever. In security, there are no guarantees.

So if we can’t control the actions of our fellow humans and we can’t rely on knowing which attack is going to happen – what is something we can control?

The first step in becoming more secure

One thing is true of all cyber attacks: they require a connection to happen. Multiple stages in the cyber kill chain need a connection to move on to the next, or to complete the attack. A “call-home” for instructions. An execution command.

So the first step in becoming more secure is to have complete visibility of every connection traversing the network – both in and out. Zero Trust tells us our network is compromised, so all connections leaving your network need to be checked too. Every single email click. Every website download. Every single URL a malvertisement script takes you to without your knowing. Every. Single. Connection.

Four things you should know about every connection

After you have total visibility of connections in and out, now the question is: what am I looking for?

There are four things your solution should be able to tell you about a connection in real time for it to be effective.

1) A connection’s origins

Simply pulling up who owns an IP or domain doesn’t tell you the whole story. Yes, company B is legitimate and owns this domain, but it had been used by X for numerous exploits 10 years ago. So I’m not going to trust it.

2) The connection’s reputation

So legitimate company A owns that IP right now, but it has been affiliated in the past with company B based in country Y, who has a history of doing bad things. Therefore, I see no reason to let this in until I am convinced otherwise. If there’s no legitimate business reason to access this, I most likely never will.

3) The connection’s behavior

I’m not seeing a problem with the owner or the reputation, but I am seeing behavior indicative of something malicious. Therefore, I don’t trust it.

4) Has it been seen before?

Everything unknown is not to be trusted. If something has never been seen before, it should never be allowed to enter your network.

These four components need to be assessed in real-time as connections are coming in and out of the network. There aren’t many companies that have the vast history to know the origins or reputations of connections, but they do exist.
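The four checks above, run as a default-deny policy over constructed connection events. This is an added example, not Intrusion's code; the intelligence store, entity names, hosts and timestamps are all constructed for illustration, and the behaviour check uses one indicator only (a near-constant repeat interval, the "call-home" pattern the post mentions).

```python
"""Four-factor connection vetting as described above. Added example, not
Intrusion's code; intelligence records and events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Ownership history per destination, oldest first: (owner, year acquired).
OWNERSHIP_HISTORY: Dict[str, List[Tuple[str, int]]] = {
    "203.0.113.10": [("X Hosting", 2010), ("Company B", 2014)],
    "198.51.100.7": [("Company A", 2018)],
    "updates.example.net": [("Example Software", 2012)],
}
KNOWN_BAD_ENTITIES = {"X Hosting", "Y Holdings"}   # documented abuse history
AFFILIATIONS = {"Company A": ["Y Holdings"]}       # past affiliations of owners
BUSINESS_JUSTIFIED = {"updates.example.net"}       # documented business need
FIRST_SEEN = {                                     # first observation in our history
    "203.0.113.10": datetime(2010, 3, 1),
    "198.51.100.7": datetime(2018, 6, 1),
    "updates.example.net": datetime(2012, 1, 1),
}
T0 = datetime(2022, 9, 1, 12, 0, 0)  # base time for constructed events

@dataclass
class Connection:
    src_host: str
    dst: str                      # destination IP or domain
    direction: str                # "in" or "out": both are vetted
    timestamps: List[datetime] = field(default_factory=list)

@dataclass
class Verdict:
    allow: bool
    reasons: List[str] = field(default_factory=list)

def at(*seconds: int) -> List[datetime]:
    """Timestamps at the given second offsets from T0 (constructed)."""
    return [T0 + timedelta(seconds=s) for s in seconds]

def check_origins(dst: str) -> List[str]:
    """1) Origins: a past owner with an abuse history taints the destination."""
    past_owners = [o for o, _ in OWNERSHIP_HISTORY.get(dst, [])[:-1]]
    return [o for o in past_owners if o in KNOWN_BAD_ENTITIES]

def check_reputation(dst: str) -> List[str]:
    """2) Reputation: current owner affiliated with a known-bad entity."""
    history = OWNERSHIP_HISTORY.get(dst)
    if not history:
        return []
    owner = history[-1][0]
    return [a for a in AFFILIATIONS.get(owner, []) if a in KNOWN_BAD_ENTITIES]

def check_behavior(timestamps: List[datetime], min_events: int = 4,
                   max_jitter: timedelta = timedelta(seconds=2)) -> Optional[str]:
    """3) Behaviour: repeats at a near-constant interval look like a call-home."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if max(gaps) - min(gaps) <= max_jitter:
        return f"periodic call-home every ~{gaps[0].total_seconds():.0f}s"
    return None

def check_seen_before(dst: str) -> bool:
    """4) Seen before: anything absent from our history is unknown."""
    return dst in FIRST_SEEN

def vet(conn: Connection) -> Verdict:
    """Default-deny: any failed factor blocks the connection, with reasons."""
    reasons = []
    if not check_seen_before(conn.dst):
        reasons.append("never seen before")
    bad_origins = check_origins(conn.dst)
    if bad_origins:
        reasons.append("past owner with abuse history: " + ", ".join(bad_origins))
    bad_affiliates = check_reputation(conn.dst)
    # Reputation alone can be overridden by a documented business reason.
    if bad_affiliates and conn.dst not in BUSINESS_JUSTIFIED:
        reasons.append("owner affiliated with: " + ", ".join(bad_affiliates))
    beacon = check_behavior(conn.timestamps)
    if beacon:
        reasons.append(beacon)
    return Verdict(allow=not reasons, reasons=reasons)

SAMPLE_CONNECTIONS = [  # constructed outbound events from our workstations
    Connection("ws-17", "203.0.113.10", "out", at(0, 300)),
    Connection("ws-17", "198.51.100.7", "out", at(0)),
    Connection("ws-04", "updates.example.net", "out", at(0, 40, 500, 505)),
    Connection("ws-09", "updates.example.net", "out", at(0, 60, 121, 180, 241)),
    Connection("ws-09", "unknown.example.org", "out", at(0)),
]

def vet_samples() -> List[Verdict]:
    return [vet(c) for c in SAMPLE_CONNECTIONS]

if __name__ == "__main__":
    for conn, verdict in zip(SAMPLE_CONNECTIONS, vet_samples()):
        state = "ALLOW" if verdict.allow else "DENY "
        why = "; ".join(verdict.reasons) or "all four checks passed"
        print(f"{state} {conn.src_host} -> {conn.dst}: {why}")
```

Only the third event passes: the same destination is denied once its timing turns into a steady beacon, which is the "behaviour" factor overriding a clean owner and reputation.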

Knowing the unknown

To safeguard from the unknown, you must know what is unknown. And to do that, you need a lot of history, a lot of intelligence, and some serious tech.

At Intrusion, we focus on one thing: connections. We pair threat intelligence with automated detection and response giving you visibility of every connection entering and exiting your network. With nearly 30 years of history on billions of IPs and domains, we help you see the unseen, and know the unknown.

The post All Cyberattacks Have This in Common appeared first on Cybersecurity Insiders.

By Moinul Khan, Vice President & General Manager, Data Protection, at Zscaler

In 2022, Gartner established its first ever Magic Quadrant for Security Service Edge (SSE), a new security industry category. SSE acknowledges that protecting a distributed digital business from malicious actors requires three integrated technologies: secure web gateways (SWG) to control internet access, zero trust network access (ZTNA) to control private application access and cloud access security broker (CASB) to fix misconfigurations and oversharing from cloud apps. The message is clear: data protection is not a stand-alone endeavour but should be part of a broader security strategy in which organisations should attempt to disrupt attacks at every stage. The ideal outcome is to block malicious actors outright. The next best thing is to mitigate attacks by limiting access and the ability to exfiltrate.

Protecting against malicious and accidental data exfiltration requires complete visibility into all encrypted data, both in motion and at rest, along with a sophisticated DLP solution that can accurately identify that data and protect it from exfiltration.

Consider the following best practices to help you build a solid foundation when it comes to protecting your data, users and business from malicious or accidental data loss.

1) Know your data: Before you can protect your data, you need visibility and insight into what you’re protecting. Scope, understand and prioritise sensitive data based on how valuable it is to your business and what the potential risk is if it is compromised. Zscaler data protection leverages AI-based, ML-powered, state-of-the-art algorithms to simplify data classification with unmatched accuracy and help you build a solid foundation for your data protection programme. Zscaler data protection can classify and tag sensitive data that contains:

  • Financial statements (accounts payable, stock, liabilities and others)
  • Credit card information
  • Intellectual property (source code and more)
  • Personal identification numbers (SSN, NIN, tax IDs and others)
  • Health records (medical information, IDs, insurance)
  • Contact lists
  • Business property (i.e., CRM data in Salesforce)
  • Other regulated data types for your industry

2) Identify your data loss channels: Identify and flag which channels are utilised and require scrutiny. Traditional approaches to data protection are typically limited to corporate devices and sanctioned apps. However, as we make an unprecedented shift to working from anywhere, on any device, a data protection programme requires unconventional thinking and a broader approach in line with your risk tolerance. Zscaler offers exceptional protection across all your data loss channels, including physical storage devices. With its ground-up design, Zscaler can dramatically reduce ramp-up time compared to traditional approaches as new devices, apps and users are rapidly added.

3) Define your risk profile: Security and convenience require a fine balance. Tipping the scale in either direction can negatively impact productivity and/or security. Developing risk-based policies can help strike the balance your business requires. But first, it is important to identify what data is critical for your business; second, which applications or storage mediums that data resides in; and third, the channels through which that data can be compromised. Your risk profile is not limited to DLP policies: proactively implementing a zero trust strategy gives you an all-encompassing data protection strategy for greater security.

Learn more about how Zscaler can help you with your data protection program by protecting your attack surface, inspecting encrypted traffic, implementing granular micro-segmentation and by deploying identity-based multi-factor access control.

4) Invest in an integrated data protection technology: Just as too many chefs in the kitchen can spoil the broth, too many products can make your data protection journey cumbersome when it comes to implementing, configuring and fine-tuning DLP policies. Likewise, you should invest in a DLP solution that is tightly integrated with major vendors across all channels, such as Google, Microsoft and Salesforce.

A tightly integrated solution can greatly reduce complexity when it comes to remediating risks: identifying and correcting misconfigurations and policy violations, and assessing permissions and entitlements based on user identity.

Learn how Zscaler with its extensive integrated partner ecosystem can give you watertight security and prevent your data from leaking.

5) Build your response workflows: Start by defining security groups and team distribution lists. Document your response workflows and develop detailed playbooks that leverage automation using a security orchestration, automation and response (SOAR) solution, if available. When these tools are integrated into the platform, you get a streamlined way to assign, triage and manage incidents and policy in one single location.

6) Don’t operate in a bubble: Data protection is more than technology; it needs to be part of the company culture. From executives to all employees, contractors and partners, DLP should be consolidated under a larger data management protection program with continuous C-suite support. Leverage end user notifications and deliver timely security awareness training to educate your employees and the third parties you do business with about data protection. The more they understand goals, expectations and best practices, the more successful your data protection program will be.

7) Be accountable to metrics and the board: Establish meaningful metrics around your data protection program to track and improve upon. Use these to communicate value and improvement to the C-suite. Many companies track metrics such as IT incidents, data breaches and hours to investigate. Commit to continuously monitoring and improving your metrics.

8) Anticipate supply chain attacks: Mitigate the impacts that a third-party supply chain attack has on your organisation by assuming that any vendor in your network of suppliers can be breached and expose your business to downstream risk. Conduct data security evaluations of potential vendors and include requirements in your contracts. Address critical supplier dependencies in your business continuity and incident response plans and apply strict zero trust access policies and controls to third-party users.

9) Implement zero trust architecture: Transform your hub-and-spoke network infrastructure by upgrading to a secure access service edge (SASE) platform that helps stop data loss, eliminates the attack surface and prevents lateral movement by enforcing the zero trust principle of least-privileged access using context-based identity and policy enforcement.

10) Review your DLP strategy regularly: DLP policies should be updated on a continual basis. As a leader, you should conduct an annual review of your DLP program (policies, practices and products) to identify gaps and roll out any major updates needed to keep up with your changing business needs.

To learn more about how Zscaler can help secure your sensitive data, download our ebook.

The post 10 Best Practices for Data Protection appeared first on Cybersecurity Insiders.

By Hermann Hesse, vice president of solutions, strongDM 

As organizations continue the fight to keep outside adversaries from penetrating networks, it’s also become critical for security teams to make sure employees, partners and contractors are also not threatening the enterprise.

An insider data breach costs companies an average of $15.38 million and takes 85 days to contain. That combined with reputational damage and loss of trust has catapulted the topic of the insider threat to the top of many CISOs’ minds.

In this piece, I’ll take a look at insider threats in cybersecurity and the dangers they pose. By the end, you’ll have a clearer understanding of the entire insider threat ecosystem and the best practices you can use to protect your organization, data, and systems.

What is an Insider Threat?

An insider threat occurs when a person with authorized access—such as an employee, contractor, or business partner—compromises an organization’s data security.

A History of Insider Threats

Insider threats have existed throughout history—in religions, ideological groups, government and financial institutions and more. Those with special knowledge or access to ideas, information, money and even other people often used their advantageous positions to block opposition or to gain power, money and influence for themselves. Espionage is a classic example of an insider threat.

Over time, the nature of insider threats has evolved and expanded. In today’s digital age, insider threats frequently involve a cyberattack or IT incident. These security incidents occur across industries and institutions of all sizes and are growing more prevalent as organizations shift to a remote work approach. In fact, 75% of insider threat criminal prosecutions in 2021 were the result of remote workers.

The Three Types of Insider Threats

There are three categories of insider threats: intentional, accidental and compromised.

An intentional threat is caused by a malicious insider—someone who aims to cause harm to or negatively impact the organization. Typically, malicious insiders are motivated by financial, emotional or political gain. Examples include a recently terminated employee who is aiming to get revenge for being fired or someone who is being financially persuaded by a competitor.

An unintentional insider threat occurs when someone accidentally causes harm to an organization or exposes it to future risk. Common examples are employees or contractors who haven’t been given adequate security training, don’t know how to use a piece of technology correctly or simply make an honest mistake by sending an email to the wrong person.

A compromised insider threat incident is when a legitimate user’s credentials have been harvested by a threat actor. In this circumstance, the adversary is able to gain unrestricted access while remaining under the guise of an employee or partner. One example of this is when an employee falls victim to a phishing attack in which an attacker is able to lure out the login credentials and then use them to exfiltrate sensitive documents.

The Danger and Risks

Today’s businesses are so reliant on IT and systems to operate that any threat—whether malicious or not—opens up your organization to major financial, compliance and legal fallout.

Data breaches can expose a trove of sensitive and confidential information about your company and customers, seriously hurting your organization’s trust and credibility. Once trust is lost, customers take their business elsewhere, leading to lost revenue. If a law or regulation was violated during the data breach or its containment, your organization could face fines, penalties and lawsuits.

Who Is at Risk?

Any organization can fall prey to insider threats, especially if it deals with sensitive data. But while small and large organizations alike can both experience threats, the nature of the insider threat risk is different for each.

Small organizations tend to have fewer IT resources and smaller budgets, which limits how much they can devote to insider threat user activity monitoring and securing networks, infrastructure, and personnel. On the other hand, large organizations have a larger attack surface—with hundreds if not thousands of employees spread out across multiple locations.

Protecting Against Insider Threats

Now that you have a better understanding of what insider threats are, it’s important to also know how to protect against them.

One of the easiest ways to protect against insider threats is never putting credentials in the hands of an insider in the first place. Security teams can do this by using a centralized access management platform so that users can only sign onto a single workspace to access all the applications or tools they need. Centralized access management platforms enable authentication, authorization, networking and observability to help protect organizations against insider threats. Security teams get centralized access to user accounts while automated access workflows eliminate time-consuming manual tasks. Role- and attribute-based access control restricts network access to authorized users, and the system’s auditing capabilities provide a clear audit trail of privileged session activities.

The Bottom Line

Insider threats can come from anywhere, no matter the size or makeup of your organization. By having a clear understanding of the history of insider threats, how they might appear and using a centralized access management platform, security teams can stay one step ahead.

The post Insider Threat 101: Understanding The Insider Threat Ecosystem And Best Practices appeared first on Cybersecurity Insiders.

By Rajesh Ram, Chief Strategy Officer at Egnyte

The impact of ransomware attacks on businesses is twofold. Not only do businesses have to grapple with the impact of actual attacks, but they also must continue to prepare for the possibility of additional attacks. While many equate ransomware with encrypted files and potential ransom payments, the consequences go even further in terms of the costs and requirements of an organization.

The Dangers of Ransomware Attacks

An immediate consequence of a ransomware attack is extended downtime. This can severely affect an organization’s operations, with a typical attack resulting in about three weeks of downtime. In particular, businesses that are schedule driven, such as construction, can be extremely impacted.

Ransomware attacks can also damage brand reputation — nowadays, even unsubstantiated claims of an attack will make headlines. What’s more, ransomware is considered a gateway for cyberattacks. Once one attack occurs, bad actors tend to further exploit a company’s vulnerabilities and continue to target the company.

From a budgetary standpoint, ransom payments and cyber insurance premiums have continued to rise over time. Recent research found that 47% of mid-sized organizations experienced premium increases of 76% or more in the past year. Even though this can damage companies of any size, smaller organizations and startups in particular can feel the financial impact.

Best Practices for Prevention

While the easiest way to prevent ransomware is to avoid being a victim in the first place, that’s not a position anyone can guarantee. Still, there are several best practices companies can follow to better protect themselves. Let’s take a look at a couple of ways that organizations can stay one step ahead of an attack.

Organizations should develop a comprehensive incident response plan. A fully developed, flexible incident response plan is one of the best ways for companies to ensure security preparedness. The plan should carefully document security controls and include proactive steps to manage supply chain partner risk. Any incident response plan must be flexible and able to adapt to rapidly-changing circumstances, so it’s important to routinely update processes and incorporate real-time, always-on monitoring of critical data. Cyber attacks are evolving so rapidly that present defense methodologies may be obsolete as soon as 2023, which is why routine updating is so important.

Along with a well-designed plan, organizations need internal safeguards in place. While it may seem overly cautious to some, organizations must assume that everyone is a potential insider threat. In 2021, an average of 3.98+ million people voluntarily left their jobs per month in the U.S. Before resigning, employees have access to their company’s sensitive data, which, if in the wrong hands, could easily be taken to a business competitor or provided to users who don’t have legitimate access to the data in the first place. Additionally, new employees might not know all of the organization’s procedures and policies and will take time to fully get up to speed. Therefore, they are more likely to create an unintentional risk for the organization.

Organizations can protect themselves against insider threats by leveraging technology that analyzes unusual behavior around sensitive data (e.g., customer lists, product release plans, and financial records), especially when users download a higher volume of files than normal. This way, IT teams can be alerted about potentially malicious activity and take action as soon as possible.

Furthermore, cybersecurity training must be an ongoing initiative for all companies, instead of annual refresher courses. Organizations should ideally train employees right after hiring, followed by shorter, targeted training modules every quarter. All employees should also be encouraged to “say something if they see something” when it comes to unexpected password or network access alerts, apparent phishing emails, and other suspicious activity. In order to combat outside attacks, an organization needs its internal workforce engaged, trained, and on alert to defend against the many directions from which an attack may strike.

If safeguards are developed properly and employees are thoroughly trained, this will help engender a culture of vigilance, where everyone does their part to keep the company’s data secure. Even the most advanced program will fail if the community isn’t engaged and involved. In light of more frequent, impactful ransomware attacks, defense strategies that include preparedness and widespread company cybersecurity training can go a long way.

The post How to Protect Against the Costly Impacts of Ransomware appeared first on Cybersecurity Insiders.

The education sector is increasingly vulnerable to simple and sophisticated cyber threats, and higher learning is especially vulnerable. No matter how airtight a university’s cybersecurity system is when operating in a vacuum, the best-laid plans begin to crumble as soon as third parties less concerned with maintaining that security get involved.

And, increasingly, students are either less concerned or less caring about their school’s security infrastructure and compliance and are direct causes of these breaches, according to a mid-year 2022 report from Check Point: “Students are not employees; they use their own devices, work from shared flats, and connect to free WiFi without necessarily thinking about the security risks. This combination of a lack of understanding and ignorance has contributed to the perfect storm, giving hackers a free run,” he said.

These attacks also tend to be more successful in access and payout in the event of ransom demands, with 74% of attacks ending successfully for hackers. Here are a few prime examples of cyber-attacks in the education sector.

Albuquerque, New Mexico hit with a one-two punch

From December 2021 through January the following year, Bernalillo County was slammed by a ransomware attack that targeted government services. Freshly on the heels of this cyber security nightmare, the Albuquerque school system was breached.

Specifically, the school attack targeted critical systems and “compromised the student information system used to take attendance, contact families in emergencies, and assure that students are picked up from school by authorized adults.” This type of personally identifiable information and verification processes are vital to student safety, and the school was closed as officials dealt with the issue.

Amongst other things, the Albuquerque attack illustrates the importance of dispersing critical services amongst multiple systems, providers, or software, even if doing so disparately is inconvenient. From banking to personal data collection, schools must ensure that their systems come with security features and that their employees comply with those security features.

Whitworth University compromised

In July, poor password hygiene led to another ransomware attack. In this, nearly a terabyte of student data was stolen, and systems were taken offline for over a month as frustrated staff and faculty were kept in the dark by the administration. Many found out what was happening from a third-party cybersecurity firm via Twitter.

The group known as LockBit is notorious for sending email attachments to trick gullible workers into providing access or passwords to access systems before capturing data and holding it hostage. 

From Microsoft’s report: “LockBit is typically deployed during human-operated ransomware campaigns. Attackers distribute this ransomware as an email attachment or try to exploit vulnerabilities in web browsers and other services exposed to the internet. Once in the network, attackers steal credentials, move laterally to other devices, and obtain privileged credentials before installing this ransomware on multiple target devices.”

This type of increasingly common attack shows that, no matter how secure a system, human error and lack of security protocol knowledge can still bring a firm or school to its knees.

The University of California at San Francisco pays over $1M to hackers

While researching COVID-19, hackers shut down UCSF’s epidemiology and biostatistics department demanding $3 million to get the system and data back. The cause, again, was poor protocol implementation by people as “the researchers hadn’t taken the time to duly back up their data.” 

This breach was of physically present servers rather than of third-party cloud infrastructure, and it also shows how typical security protocol is sometimes less effective than, say, blockchain-based systems.

Publishing portions of the data on the dark web as proof, the hackers’ representative, known as Operator, negotiated with university administrators through secure digital chat and demanded the payout: “You need to understand, for you as a big university, our price is shit. […] You can collect that money in a couple of hours. You need to take us seriously. If we’ll release on our blog student records/data, I’m 100% sure you will lose more than our price what we ask.”

After back-and-forth negotiations, the university managed to agree a payout of 116 Bitcoin, worth $1.14M at the time, to get its data back. Again, this incident demonstrates the importance of maintaining backups of data (especially sensitive and critical data) and managing human behavior as people access the systems. It also shows how inexpensive even pricey up-front costs can be compared to the aftermath of not spending the money, as paying at least $60 an hour is still less expensive than a multi-million dollar payoff to hackers.

Lessons Learned

While these are just a few high-profile examples, these types of attacks and demands happen to schools often and sometimes stay under the radar as officials try to avoid embarrassment. One report from Sophos shows the full spectrum of what’s happening in the education sector’s cybersecurity systems. The report is comprehensive, drawing on IT professionals from 320 lower-education and 410 higher-education organisations across 31 countries, so it is particularly applicable to interested professionals:

Attacked by ransomware

  • 56% of lower education respondents were hit by ransomware in 2022
  • 64% of higher education respondents were hit by ransomware in 2022

This is a sizable increase from a 2021 average of just 44% across education. And, compared to global norms, these statistics are higher than average, indicating that education is a ripe target: “the education sector is poorly prepared to defend against a ransomware attack, and likely lacks the layered defenses needed to prevent encryption if an adversary does succeed in penetrating the organization.” That layered approach to security is critical, as creating additional barriers can frustrate and repel lower-level hacking groups looking for easy money.

Cyber insurance

Often, educational institutions see cyber insurance as a needless expense. Until they need it. Unlike professional organizations and companies, education has a much lower cyber insurance policy protection rate. This predominantly appears to be a cost-based issue and is driven by a lack of understanding on the administrations’ parts:

  • 39% in lower education and 44% in higher education say fewer providers are offering cyber insurance
  • 50% in lower education and 49% in higher education say the level of cybersecurity they need to qualify for cyber insurance is now higher
  • 46% in lower education and 40% in higher education say policies are now more complex
  • 35% in lower education and 41% in higher education say the process takes longer
  • 34% in lower education and 31% in higher education say it is more expensive

All of this shows that, of course, schools need to take these policies seriously. But it is also a failure of cyber insurance providers to adequately communicate the threat level and the importance of having a policy.

Conclusion

Overall, smaller and less well-known schools are more vulnerable. These schools often have less sophisticated security systems and are more likely to pay out. But no matter the size, a common trend is that employees and students not following simple cybersecurity protocols is a primary driver of hacker access to school data systems. This isn’t the final stop for security, though, and Sophos offers some additional tips based on their research trends:

  • Ensure high-quality defenses at all points in your environment. Review your security controls and make sure they continue to meet your needs.
  • Proactively hunt for threats so you can stop adversaries before they can execute their attack – if you don’t have the time or skills in-house, work with a specialist MDR (managed detection and response) cybersecurity service.
  • Harden your environment by searching for and closing down security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Extended Detection and Response (XDR) is ideal for this purpose.
  • Prepare for the worst. Know what to do if a cyber incident occurs and who you need to contact.
  • Make backups, and practice restoring from them. Your goal is to get back up and running quickly, with minimal disruption.

The post Education Sector has Seen a 44% Rise in Cyber Attacks Since 2021 appeared first on Cybersecurity Insiders.

Email has a lot going for it. It’s quick, easy, and incredibly widely used. However, just like every other remote form of communication, it faces a glaring challenge. How can an email recipient be absolutely sure that the email is from who it says it’s from?

Welcome to the world of email spoofing. Thankfully, there are some simple techniques you can adopt to fight it. Let’s dive in. 

What is email spoofing?

Email spoofing is what happens when, in a phishing attack, an email appears to be from somebody it actually isn’t from. What has happened is that a fraudster has forged the email’s headers so that the message is displayed as coming from a sender it did not come from. 

The receiver then gets the email and thinks that they know the sender. As a result, they are more likely to treat the message content with a degree of trust than they would otherwise. Where this ends can mean data breaches or even corporate funds being appropriated. 

So, it’s serious. The phishing that’s often associated with email spoofing is rising at a phenomenal rate. 

Why is email so vulnerable to spoofing? The main reason lies in the limitations of the actual process used to send emails. SMTP (Simple Mail Transfer Protocol) doesn’t have the facility to check that the sender’s identity is actually genuine. 

So, if somebody wants to send a spoof email, all they have to do is to find one of the many free SMTP services that are available online. Then, they can create the message, and input the desired address in the From box. That’s it. No, email spoofing is not the exclusive realm of criminal masterminds, using hi-tech banks of computers and hardware like an IBM AS 400 mainframe.

There are even dedicated email spoofer programs available. So a would-be email spoofer’s work is basically done for them. 

You may be thinking to yourself ‘Ah – but if the hacker inputs a fraudulent email address in the From box, then surely any replies will go to that address rather than the hacker’s. What’s the point in that?’

This is the reason why the message itself will have links within it that the recipient is strongly urged to click on. Enticements might be positive (‘Click to win!’) or negative (‘Follow this link to stop your car insurance from going through the roof’). Whatever they are, they tend to work. 60% of security professionals report that their organizations have lost data thanks to a phishing attack. 

So, it’s clearly a major problem with enormously damaging potential consequences. What can be done about it? An increasingly important source of help is the government. For instance, in the UK, the National Cyber Security Centre has launched an Email Security Check service to combat the problem of email spoofing. 

This aside, there are plenty of ways you can help yourself. 

1. Check the address

Although the displayed identity may be fraudulent, the actual address shown in the From field is what to check. In other words, look beyond the stated identity to see the blahblah@blahblah.com address. Be alert for real addresses that ape respectable ones, such as g00glehelp@gmail.com.  

Check things like domain extensions. For instance, if you’re dealing with Australian companies, they’re likely to have Aussie domain names. If not, a closer inspection might be warranted. 

Gmail users have a powerful weapon here. You can open the email, then click on the drop-down under the sender’s name. This will reveal information about the sender’s address as well as a signed-by field. Other email clients make this information available in their own ways. 

If this all looks consistent, the chances are you’ve received a legitimate email. This is because it’s passed SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) verification protocols. These are security techniques put in place by the server. 

See below for further details on these and other software means of verification. 

2. Does it seem out of place?

This might be more of an obvious one, but sometimes the obvious needs to be pointed out. Does the email clash a little with what you would normally expect to receive? 

Say you’re a VoIP engineer, ordinarily engaged in matters related to call routing in Dialpad. If you receive an email concerning how much money there is waiting for you on the other end of just one little click, then you might be somewhat taken aback, and more than a little skeptical. 

3. Try asking

If you receive an email you’re not sure about, there’s nothing wrong with asking for more information. But let’s have a caveat here – make sure to only use the sent-from address. Don’t click on anything in the message itself. 

A further caveat. Let’s say the email looks like it comes from a family member, in which they ask for an emergency loan. You can email them back, asking to see if it’s legitimate. If they reply from their own address saying ‘yeah, cash please!’ then that should be fine, shouldn’t it? Actually, not necessarily. Your family member’s email account may have been hacked. 

In short, by all means ask for more information, but still don’t commit to doing anything fast and drastic. Best bet? Give them a call. 

4. Google it

If you’ve received an email that seems suspicious, put its details into Google. You can just copy and paste the whole message if you like. If it’s a phishing gambit that’s doing the rounds, the chances are it’ll pop up in your search results. 

If it’s as dodgy as you thought it might be, go back to your email and delete it. And report to your line manager if it happens at work. 

5. Distrust urgency

When you get an email emphatically prompting you to click in order to avoid some dreadful impending misfortune, the chances are it’s a spoofed email. By conveying urgency, the sender is hoping to bypass the recipient’s natural skepticism, encouraging them to stand down their usual checks in the interest of averting disaster. 

There are certain words in the subject line to beware of that are often associated with spoofed emails. These include request, follow-up, business proposal, are you available, invoice due, and, simply, hello.

If the email warns of something like irregular bank account activity, go directly to your account via your usual means. Don’t click on any link in the email. 

It should go without saying that if you’re feeling in any way coerced or manipulated, then you should apply the brakes and report the email to your line manager. 

After all, if it really is an emergency, there’s always the phone. 

6. Look at grammar

If the message claims to be from an authoritative source but they struggle to string a sentence together without glaring typos and grammar issues, it’s time to get suspicious. Typically if senior management are getting paid the big bucks, they should at least be able to spell, so it’s worth double checking.

7. Don’t use the same email account for everything

If you’re just using an address in order to sign up for something but you’re not bothered about subsequent interactions with that business, then use throwaway addresses. This way your primary email address won’t get included on so many mass mailout databases, which means it won’t get so spammed up or spoofed up. 

8. Software solutions

There’s a wide range of verification protocols that you can implement in order to single out spoofed emails. We’ve already mentioned SPF and DKIM, but on top of these there are also DMARC (Domain-based Message Authentication, Reporting and Conformance) and S/MIME (Secure/Multipurpose Internet Mail Extensions). 

Whatever system you use, the idea is that they work automatically, intercepting spoofed emails without you even being aware of the process. 
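As an added example that is not part of the original post (and not Dialpad’s or any mail provider’s code), the script below does by hand what the Gmail drop-down in section 1 and the server-side SPF/DKIM/DMARC checks in section 8 do: it pulls the real address out from behind the display name, reads the SPF and DKIM verdicts a receiving server records in the Authentication-Results header, and applies DMARC-style alignment between the authenticated domain and the visible From domain. The three sample messages, their domains and the `org_domain` shortcut (last two labels instead of the public suffix list) are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr


def org_domain(domain):
    """Organizational domain used for relaxed alignment. Real DMARC checkers
    consult the public suffix list; taking the last two labels is a
    simplification that is adequate for the constructed samples below."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_from(msg):
    """Return (display_name, address, domain) from the visible From header."""
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name, addr, domain


def parse_auth_results(msg):
    """Read the SPF/DKIM verdicts the receiving server recorded in its
    Authentication-Results header (RFC 8601), e.g.
    {"spf": ("pass", "bounce.example.com"), "dkim": ("pass", "example.com")}."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        # The first ';'-separated element is the authserv-id; skip it.
        for clause in header.split(";")[1:]:
            clause = clause.strip()
            m = re.match(r"(spf|dkim)=(\w+)", clause)
            if not m:
                continue
            d = re.search(r"(?:smtp\.mailfrom|header\.d)=([^\s;]+)", clause)
            authd = d.group(1).lower().rsplit("@", 1)[-1] if d else ""
            found.setdefault(m.group(1), (m.group(2), authd))
    return found


def aligned_pass(results, method, from_domain):
    """DMARC-style test: the method passed AND the domain it authenticated
    belongs to the same organization as the visible From domain."""
    result, authd = results.get(method, ("none", ""))
    return result == "pass" and authd != "" and org_domain(authd) == org_domain(from_domain)


def assess(raw):
    """Return the real From address, whether SPF or DKIM passed in alignment
    with it, and a list of human-readable findings."""
    msg = email.message_from_string(raw)
    name, addr, domain = parse_from(msg)
    results = parse_auth_results(msg)
    findings = []
    # Trick 1: a display name that itself looks like an address at another org.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if embedded and org_domain(embedded.group(1)) != org_domain(domain):
        findings.append("display name shows %s but the real address is %s"
                        % (embedded.group(0), addr))
    # Trick 2: a From domain that no authorized server vouched for.
    aligned = aligned_pass(results, "spf", domain) or aligned_pass(results, "dkim", domain)
    if not aligned:
        findings.append("no SPF or DKIM pass aligned with %s" % domain)
    return {"address": addr, "aligned": aligned, "findings": findings}


# Constructed sample messages (domains and hosts are placeholders, not real).
LEGIT_MSG = """From: Example Support <support@example.com>
To: alice@recipient.test
Subject: Your invoice
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com

Hello Alice, your invoice is attached.
"""

LOOKALIKE_MSG = """From: "Alice Manager <alice@example.com>" <g00glehelp@gmail.com>
To: bob@recipient.test
Subject: Urgent: invoice due
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com

Bob, please pay the attached invoice today.
"""

FORGED_MSG = """From: payroll@example.com
To: bob@recipient.test
Subject: Payroll update
Authentication-Results: mx.recipient.test; spf=fail smtp.mailfrom=attacker.test; dkim=none

Please confirm your bank details via the link below.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("lookalike", LOOKALIKE_MSG), ("forged", FORGED_MSG)):
        print(label, assess(raw))
```

Run stand-alone, it prints a verdict per sample. The lookalike sample is the one section 1 warns about: the message genuinely came through gmail.com, so SPF and DKIM pass and align, and only the display name lies; the forged sample is the one the server-side protocols of section 8 catch, because no authorized server for example.com vouched for it.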

9. Training

There needs to be an extensive rollout of best practices for detecting email spoofing, just like with all other aspects of cybersecurity. Every user represents a vulnerability that a hacker can exploit, so make sure all your users are as savvy as possible. 

Give them easy-to-remember techniques for spotting spoof emails, and make sure they know what to do if they find something that looks suspicious.

Remember to update them on the latest threats, and carry out tests to see where the vulnerabilities appear to be concentrated. It might be an individual who needs a little more support, or it could be that a high volume of email leaves a number of employees feeling overwhelmed and hence unable to stay properly vigilant.

Staff need to be told that there’s no embarrassment in falling for an attack. After all, studies suggest that CEOs are the worst offenders. The most important thing is to let others know if there has been an incident. 

10. Stopping outgoing spoofing

Obviously, you’re not just going to want to spot spoofed emails coming in. You also want to stop hackers using your business as a means by which they can spoof emails to your customers and partners. If a client expects to receive a consulting report from you, but gets phished after clicking on a spoofed email’s links, they might leave with a negative impression of your company even though you had nothing to do with it. 

Apart from the above software protocols, you can also implement practices such as having clear branding and bold design in use on every official email that a spoofer might find difficult to copy. Branding is, after all, all about authenticity. 

The email newsletter below from the New York Times includes its distinct font and logo which both can help make a potential recipient feel more confident in clicking on the contents of the message. 

Put your business phone number from Dialpad on there too. This way, people can call to check if it’s really you. 

Conclusion

So, unfortunately spoofing is a lot less funny than it sounds. It can create havoc both with businesses and individuals and is incredibly widespread. 

Thankfully, there are a great many ways we can seek to combat it. Using these techniques, we can be reasonably confident. But we must stay vigilant. Often, the hacker only has to get lucky once to bring catastrophe to your business. Don’t have nightmares though. Just keep your eyes peeled. 

Bio:

Gerard D’Onofrio – Country Manager, Australia, Dialpad

Gerard D’Onofrio is the Country Manager for Dialpad Australia, an AI-equipped business communications solutions platform for better communications at work through features like Dialpad’s enterprise VoIP. Gerard is experienced in discovering world-class developments and turning them into effective business advancements, wherever he goes. He has also written for other domains such as Spa Industry Association and Agility PR Solutions. Here is his LinkedIn.

The post The Case of Email Spoofing: How to Identify And Avoid Email Attacks appeared first on Cybersecurity Insiders.

By Jason Dover, VP of Product Strategy at Progress

With the growing complexity and sophistication of modern security threats, organizations must make suitable investments and develop comprehensive strategies to keep their digital assets secure. This is not a new challenge, but the frequency of attacks is certainly on the rise.

The 2022 IBM Cost of a Data Breach Report showed that 83% of the groups studied have had more than one data breach. The report also estimates the average cost of data breaches to have risen to $4.35M. Interestingly, compromised credentials still are the most common factor, making up about 19% of all breaches based on the study.

With an increased remote workforce, BYOD has become the norm, and the ever-growing use of cloud-based services has increased the attack surface that SecOps must guard. The aforementioned report also noted that remote work-sourced breaches cost more than $600K, with an average of around $5MM per occurrence.

Considering this, most businesses do have a level of investment allocated to security mechanisms for their ecosystem. This may range from VPNs and firewalls to endpoint protection and other similar technologies. However, an often-underused tool is the network itself.

Anatomy of an Attack

For threat actors to successfully pull off a breach, they must carry out reconnaissance to identify exploitable vectors. They must gain persistent access to the environment where target assets and data exist, followed by some sort of privilege escalation to enable malicious behavior to be executed along with lateral movement from the initial entry point.

Sophisticated attacks may also have a level of defense evasion built in that allows true intent to be obfuscated. If all goes well (from the attackers’ perspective), the payload or program that they’ve brought into the environment can be executed to destroy information, achieve command and control of systems or hold critical data hostage.

For security operations teams responsible for protecting their organization’s environments, staying ahead of threat actors comes down to early detection. Successful breaches are built upon a series of small wins over days, weeks or sometimes months. While investment is required to instrument a framework that can identify these leading indicators, organizations that automate preemptive protective action can save millions in losses in the long run.

A Multi-Layered Security Approach

One specific technology that is gaining traction in the fight against cyber-attacks is network detection and response (NDR). NDR solutions extract data, metadata and insights from the network using methods such as flow analysis and packet capture. The solution then analyzes the network traffic using a number of mechanisms, including machine learning, baseline comparison, signatures and a variety of other methods, to detect suspicious activity.

While in the past, these solutions were predominantly deployed by the most mature security operations teams, several vendors in the industry have made NDR more accessible for organizations of all sizes. They’ve done this by focusing on ease of use and using innovative methods to drive down total cost of ownership.

The concept behind NDR is that it closes off the last battleground of threat detection for operations teams. Security solutions such as firewalls and IPS are powerful tools in addressing threats that can be detected in vertical traffic (i.e., north-south) that traverses the perimeter. Endpoint protection provides another layer of protection by protecting devices in the environment, identifying compromise and automating quarantine. NDR completes the security stack by adding in analysis of network communications.

The reason why this approach is such an important part of a well-architected security model is that the network is the ultimate source of truth. NDR can detect the anomalous behavior that takes place when attackers carry out reconnaissance and scan a network to find and identify its weak points. Additionally, even if methods are used to hide the intent of an attack, such as scrubbing logs on a compromised endpoint before they can be shipped to a log analysis system, there is no way to hide actual communications over the network.
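As an added illustration of the flow-analysis and baseline-comparison methods this section describes (example code written for this page, not the product of Progress or any NDR vendor), the script below runs three simple detectors over constructed flow records: a port-scan detector (one source touching many ports on one host), a host-sweep detector (one source touching one port on many hosts), and a check for deviation from each source’s historical baseline. The sample flows, the per-source baseline and the thresholds are assumptions.

```python
from collections import defaultdict


def make_flows():
    """Constructed sample flow records (src, dst, dst_port), standing in for
    what a flow collector or packet sensor would export. Not real traffic."""
    flows = []
    # Normal: one workstation talking to a file server and a web proxy.
    for _ in range(30):
        flows.append(("10.0.1.15", "10.0.2.5", 445))
        flows.append(("10.0.1.15", "10.0.2.8", 3128))
    # Reconnaissance: 10.0.1.77 probes 40 ports on the file server ...
    for port in range(1, 41):
        flows.append(("10.0.1.77", "10.0.2.5", port))
    # ... and then probes port 3389 on 25 different hosts.
    for host in range(10, 35):
        flows.append(("10.0.1.77", "10.0.2.%d" % host, 3389))
    return flows


# Constructed baseline: typical number of distinct (host, port) pairs each
# source contacts per window, as learned from earlier, clean traffic.
BASELINE_PAIRS = {"10.0.1.15": 4, "10.0.1.77": 3}


def summarize(flows):
    """Per source: distinct (host, port) pairs, ports seen per destination
    host, and destination hosts seen per port."""
    by_src = defaultdict(lambda: {
        "pairs": set(),
        "ports_by_host": defaultdict(set),
        "hosts_by_port": defaultdict(set),
    })
    for src, dst, port in flows:
        s = by_src[src]
        s["pairs"].add((dst, port))
        s["ports_by_host"][dst].add(port)
        s["hosts_by_port"][port].add(dst)
    return by_src


def detect_recon(flows, baseline, port_fanout=15, host_fanout=10, deviation=5.0):
    """Return (source, kind, detail, count) tuples for sources whose traffic
    looks like reconnaissance. Thresholds are assumptions for the sample."""
    findings = []
    for src, s in summarize(flows).items():
        # Many distinct ports on a single host: a port scan.
        for dst, ports in s["ports_by_host"].items():
            if len(ports) >= port_fanout:
                findings.append((src, "port-scan", dst, len(ports)))
        # One port across many hosts: a sweep for a specific service.
        for port, hosts in s["hosts_by_port"].items():
            if len(hosts) >= host_fanout:
                findings.append((src, "host-sweep", port, len(hosts)))
        # Far more distinct conversations than this source's history shows.
        expected = baseline.get(src, 1)
        if len(s["pairs"]) > deviation * expected:
            findings.append((src, "baseline-deviation", len(s["pairs"]), expected))
    return findings


if __name__ == "__main__":
    for f in detect_recon(make_flows(), BASELINE_PAIRS):
        print("%s %-18s %-10s count=%d" % f)
```

The point the section makes about the network being the source of truth shows up here: none of these detections depend on logs from the probing host, so wiping its logs changes nothing about what the flow records reveal.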

Key Security Principles

In addition to the right tools and technologies, organizations should establish a consistent set of principles that guide the architecture and security posture. Broadly speaking, these can be summarized in four key areas:

  1. Focus on what matters – Data

Threat actors are typically trying to gain access to information that exists in the environment in order to cause damage. While this requires compromising systems, stealing credentials and many other mechanisms, these are often a means to an end, as opposed to the prize. When architecting a security model, security teams should do this from the vantage point of the data that these vehicles can eventually compromise. Since every operations budget has limitations, security posture improvement initiatives should start with areas of the environment that can be a springboard to the organization’s most critical data.

  2. Ensure resilience

There is no single security technology or solution that is infallible. Because of this, organizations should adopt a multi-layer security model that allows for failure of one component without compromising the entire environment. As an example, the use of a VPN doesn’t negate the need for additional pre-authentication methods for key applications, just as having a next-gen firewall at the network perimeter doesn’t make it any less important to also apply firewalls within the data center to prevent unauthorized lateral movement.

  3. Assume Threat Actor Access

Approaching network security from the perspective that threat actors WILL gain access gives security operators an edge by focusing them on ensuring that any mechanism used can be detected, contained and remediated. The number of external entities that employees engage with and external services that are logically co-located with internal infrastructure means that there is a very high likelihood that at some point, an exploit (even if minor) will occur. Incorporating this thinking into the operations of the security team puts them on the offensive against adversaries as opposed to strictly playing defense.

  4. Prevent, Detect, Respond

Most organizations get a passing grade for having standard security threat prevention mechanisms in place in their environment. Both detection and response capabilities often show room for improvement. By going beyond capturing and analyzing logs from network devices to analyzing the network traffic itself, enriched with metadata, organizations can surface anomalies and identify many security threats earlier in their lifecycle. Investing in integration across the security stack – so that detection is directly linked to automated remediation – will further enable organizations to shorten their average time to resolution for security incidents and reduce their risk profile.

Early Detection – The Key to Winning Against Threat Actors

Early detection is critical in the battle against threat actors, and the network should not be underestimated in its ability to provide early indicators that can help security operators stay one step ahead. To do this, organizations need the right tools, and NDR should be considered by anyone looking to improve their approach to security.

Remember that, as a cyber threat progresses through its journey and takes the various steps it needs to successfully carry out an exploit, it only takes a win at one of those steps to set attackers back to zero. Security teams equipped with the right tools will go a long way toward ensuring their success in the ongoing efforts required to protect critical data and assets.

The post Early detection is the key to tackling security breaches appeared first on Cybersecurity Insiders.

Amit Shaked, CEO and co-founder, Laminar

One of the best pieces of business advice for any entrepreneur is this: “Look for a problem to solve. Not a product to sell.”

My co-founder Oran Avraham and I met at university at the age of 14 and after becoming best friends, we vowed to one day launch a security company together. Obviously, cybersecurity is a large industry so narrowing down our focus became key to being successful in all of the noise of the market.

In order to pinpoint our direction, we first asked ourselves: what is holding back valuable data innovations? What is the biggest problem in the data security space today?

The answer became clear fairly quickly: data breaches. We immediately knew that if we could create a solution that would disrupt data breach culture it would make a major impact on CISOs and data protection teams – and ultimately companies’ success overall.

Diving into Data Breach Culture

There are a lot of products on the market that claim to prevent data breaches, so Oran and I knew we had to dig a little bit deeper. We began to ask ourselves questions like, “How do data breaches occur today?” We compiled a list of dozens of recent, major breaches such as Marriott’s initial breach in 2018, Facebook’s breach in 2019, and LinkedIn’s data scraping incident back in mid-2021. A pattern emerged — nearly all originated from public cloud infrastructure.

This made a lot of sense. Experts estimate that by 2025, 200+ zettabytes of data will be in cloud storage. To put this into perspective, it’s important to understand how much a zettabyte actually is. A zettabyte is one billion terabytes and a terabyte is 1,000 gigabytes. A standard movie is only one to two gigabytes to download. All of this data is just as valuable to cyber adversaries as it is to businesses. As a result, hackers will do anything they can to get their hands on it.

The cloud has paved the way for data democratization, which in itself is a benefit to all organizations and consumers. Allowing greater access to data for those who need it creates more opportunities and ultimately is more effective. However, the cloud has also allowed data to be spread around to various places that data security professionals may not even be tracking. Known as “shadow data,” this unknown data is not copied, backed up, or housed in a data store that is governed, under the same security structure, or kept up-to-date – which makes it easier for hackers to get their hands on it.

Solving the Problem, Not Just Selling a Product

Now that we had an understanding of the issue at hand, we then began to form the genesis of what would become Laminar.

First, we set ourselves on a path to being cloud-native. By “we,” I mean the company and its overall culture, not only the solution we would provide. We knew if we wanted to solve problems that are cloud-native, we must be cloud-native ourselves.

Next, we looked at how cloud infrastructure was run and modeled our internal team after it. We knew that the cloud was the driving force that was powering today’s businesses and that we simply could not slow it down or disrupt it. We began looking for individuals who had the experience and knowledge to move at the speed of the cloud and the heart to solve the data breach issue at hand. The team is now made up of Capture the Flag (CTF) players, kernel hackers, vulnerability researchers, and engineers who all believe that anything is possible.

Once our product was built, we turned to the very group of people we were trying to help: CISOs and data security professionals. Through Insight IGNITE, we were able to get product validation from hundreds of CISOs which confirmed that we were truly solving a problem and not just selling a product.

Finally, we took a no-nonsense approach. We both despise FUD – fear, uncertainty, and doubt, usually evoked intentionally in order to put a competitor at a disadvantage. Everything that we do with the company ties back to real-life scenarios and to real, important actions that data security teams could take in order to better protect their employees, partners, and customers.

Conclusion

Although it is cliché, there is weight to the saying, “Be the change that you want to see in the world.”

When an all-consuming problem is left unsolved, there are two options: build your own solution or wait around for someone else to make one for you. Oran and I tried to create an off-the-shelf solution to protect sensitive public cloud data because none existed. By taking the time to dig in, ask questions, and consult with other experts in our field, we were able to identify a gap in the market and fill in the blanks.

The post Filling in the Blanks: Identifying a Gap in the Crowded Security Market appeared first on Cybersecurity Insiders.

By Simon Eyre, CISO at Drawbridge

Cyber attackers search for any vulnerability they can target and once they find one, they move fast. In under four hours, a ransomware infection can infiltrate a system, making it critical for businesses to act quickly and efficiently. Cyberattacks pose a significant risk to businesses through data breaches – but ransomware magnifies the threat. Ransomware attacks can demand high ransoms with no guarantee of recovering the stolen information.

As cyber criminals become more sophisticated and their attacks become increasingly successful, businesses must employ more robust strategies to protect themselves. By assessing their current cybersecurity framework, adequately training staff, and implementing the right vulnerability management and risk assessment policies, organizations can bolster their security and reduce the chance of paying a hefty ransom payment.

Employee Cybersecurity Awareness Training  

Ransomware attackers are not picky. They hunt for vulnerabilities and exploit them in any way they can. According to IDC, 37% of organizations globally reported falling victim to some form of ransomware attack in 2021. Attackers predominantly use email phishing scams to lure targets, but will also use other channels, such as fraudulent phone calls and scam SMS, in the hope of fooling their victims into clicking on malicious links.

Businesses are major targets for cybercriminals. What may appear as a friendly email can be a click away from encrypting the company network – and the ways to retrieve data are limited and often very expensive. In 2021, 83% of businesses reported being fooled by phishing attacks and being tricked into clicking on a link or downloading malware, a dangerous move that could give attackers control over the organization’s infrastructure and give an incentive to demand ransom. It is critical for businesses to ensure that their staff is more than prepared for potential ransomware attacks and well-versed in response plans in case the breach is successful. Rigorous cyber security training can help employees prepare for these encounters and identify suspicious activity through ongoing monitoring practices, ensuring companies always remain one step ahead of attackers.

Cyber awareness training and a prepared incident response plan can also help firms achieve regulatory compliance requirements. Under the U.S. Ransomware Disclosure Act (H.R. 5501), for example, businesses that have fallen victim to ransomware attacks are required to disclose ransom payments to the Department of Homeland Security within 48 hours. In the U.K., NIS Regulations require digital service providers to report cybersecurity incidents to U.K.’s Information Commissioner’s Office (ICO). Failure to comply with requirements can lead to fines and penalties causing monetary damage to the business.

Vulnerability Management  

A firm’s cybersecurity strategy is highly reliant on its vulnerability management policy; a policy that involves continuous monitoring of the environment can help businesses pick up on any vulnerabilities that can be exploited, including any risks associated with having remote workers.

Although I.T. teams may feel their patching procedures are sufficient, sometimes patching procedures that are not up to date can omit software, hardware, and IoT devices that can fall vulnerable to attackers. It’s also important to remember that ransomware attackers don’t work to a schedule – they can strike at any time – so it’s crucial that firms continue to monitor vulnerabilities in real-time, so they can pick up on new vulnerabilities before an attack takes place.

Risk assessments 

Risk assessments complement the preventative controls of vulnerability management by identifying threats from a system, policy, and procedural approach. A comprehensive chart of the gathered data makes it easier to identify high-probability risks that threat actors can exploit. Firms can use these insights to proactively secure systems with the proper defenses they need to mitigate these potential risks. If your firm does not have the infrastructure to perform these assessments in house, risk assessment providers offer services that form a comprehensive analysis of a business’s data and continuously monitor for potential threat actors that may target vulnerable data.

In much the same way, building resiliency requires an understanding of how data flows through the business and who is processing it (which may be internal staff or third parties). It’s important to perform this flow chart exercise before you begin looking at controls to mitigate outages. The mitigations may be technical in nature, like redundant systems, or organizational, like signing up alternative vendors for processing activities.

Investing in the Right Back Up Measures 

Since grade school, we have always been told to back up anything we do not want to lose. What was once a USB stick or hard drive is now being redefined by the cloud. Cloud platforms such as Microsoft 365, Google Workspace, and Amazon AWS offer backup services for businesses to ensure their data remains in a safe place. The all-in-one nature of these platforms allows for a cost-effective and secure backup of data.

In case a breach does happen, insurance is there as a backup. Cybersecurity insurance can lead firms in the right direction when handling security breaches. Through an insurance firm, businesses have access to skilled forensic and recovery teams that have the in-house technical skills necessary to address an attack and, more importantly, recover from one. Insurance firms offer the proper expertise to guide businesses in the right direction and identify the proper approach to a ransomware attack, such as whether they should pay the ransom or not. Businesses can ensure they are choosing the right insurance by looking at their guidelines and Due Diligence Questionnaires before applying. Insurance companies may recommend the use of specific cyber frameworks such as Cyber Essentials and NIST CSF to strengthen the security posture of a business.

Avoid Paying the Ransom 

The sad reality is that even after paying the ransom, you aren’t guaranteed your data back. Implementing the proper crisis management and response plans ensures your business endures as little damage as possible if this does occur.

Avoiding paying the ransom goes beyond a strong cyber resilience program. Understanding the laws and restrictions in place in different jurisdictions can help businesses determine how to approach cyberattacks. Some jurisdictions have rules in place banning ransom payments, and companies that pay can face legal action. In October 2020, the United States Office of Foreign Assets Control (OFAC) made it illegal to pay ransom in certain cases. Even if paying the ransom is found to be acceptable by legal standards, businesses must ensure it is the only and best option before handing over such large amounts of money.

Looking Forward 

As the cybersecurity landscape evolves, so do the complexities of the strategies that threat actors use to breach sensitive data. As long as sensitive data exists, so will threat actors looking to collect a ransom, making it even more important for businesses to ensure their cyber resilience strategy is adequate.

The cyber risk, regulatory and threat landscapes continue to evolve, making it even more vital for organizations to strengthen their cybersecurity posture. With the proper proactive measures in place including employee training, vulnerability management, and risk assessments – firms are better positioned to avoid facing a decision on if they should pay the ransom.

The post How Businesses Can Prevent and Mitigate Ransomware Threats appeared first on Cybersecurity Insiders.