By Rafael Lourenco, EVP & Partner, ClearSale

Cyberattacks against businesses are unrelenting, and while retail and ecommerce typically focus on fraud prevention, they’re often targets of other digital attacks as well. For example, the 2022 Verizon Data Breach Investigations Report (DBIR) documented 241 confirmed retail data breaches in 2021, resulting in stolen credentials, personal information and payment data. At the same time, 56% of Merchant Risk Council members reported phishing attacks in 2022, which can lead to data theft, malware infections and fraud.

These cybercrimes have costly consequences for businesses. The average cost of a data breach worldwide in 2022 was $4.35 million, according to IBM’s Cost of a Data Breach Report, a figure that could easily put a smaller retailer out of business and create budgetary problems for a larger one. These numbers show why it’s so important for ecommerce businesses and retailers to maintain a culture of security that includes, but also goes beyond, fraud prevention.

A focus on security is important for retailers of all sizes, even small ones. It’s always been clear that fraudsters and criminals prefer to target businesses that they suspect have weak or outdated security, which usually means smaller businesses that lack the resources to have a large in-house security team. For example, the DBIR found that of 620 documented incidents against retailers, 157 targeted companies with fewer than 1,000 employees, compared to 68 incidents aimed at retailers with more than 1,000 employees (the size of the other 404 companies wasn’t known).

Among confirmed breaches at retailers whose size was known, 54 hit companies with fewer than 1,000 employees, compared to 35 larger companies. Smaller retailers, therefore, can’t assume that their size or lower profile compared to major retailers will protect them. There is no “security through obscurity” for B2C companies.

Common cybersecurity attacks on retailers

The DBIR lists system intrusion, social engineering, and web app attacks as the most common attack patterns involved in retail data breaches in 2021. Once attackers made it into their victims’ systems, their most common actions were hacking and launching malware — especially malware designed to scrape payment data from web apps. This kind of attack can lead to costly brand damage and loss of customer trust. 84% of online shoppers in 5 countries surveyed by ClearSale in March 2021 said they would never shop again with a website that allowed a fraudster to use their credit card information.

Payment-scraping malware is harder to plant and quicker to catch when the site is continuously scanned for unauthorized code changes and any malware is removed as soon as it’s detected. Because this kind of code usually runs in the shopper’s browser, it also helps to pin third-party scripts with Subresource Integrity hashes and to restrict where scripts may load from and send data to with a Content Security Policy. Malware prevention also relies on employees who are educated about email threats and how to avoid them.

Provide security awareness training for retail employees

Social engineering attacks can take many forms, including multiple varieties of phishing. One common mode of attack is to impersonate a professional service that many businesses rely on, like Microsoft, Gmail, or a shipping company. The attackers send emails that include the company logo, a display name that appears to come from the real company, and a request to log in for a policy update, password change, or some other “critical” task. Then they steal the credentials to commit fraud, spread malware, or steal protected information.

Encourage your employees to report any suspicious emails to your security team before they click on any links or open any attachments. When your security analysts find phishing emails, they can save them to use in training so that your employees can see exactly what to look out for and what types of attacks are trending now.

Review your access control management policies and practices

The pandemic pushed many retailers to a work-from-home model for some or all of their employees. The result is that people may be accessing company systems from a variety of devices, over many different networks. This approach can increase the risk that an attacker — perhaps someone who launched a successful phishing attack or who intercepted a communication over a public Wi-Fi network — can access those company systems and move between them causing damage and stealing data.

If your company has policies on what types of devices and networks employees can use to log in to work, it is worth reviewing them to see if they need updating. If your business has no such policy, it’s time to create one. Ideally, your employees would only use company-issued devices and log in over a company VPN protected by multi-factor authentication. At a minimum, they should avoid working over unsecured Wi-Fi networks and make sure their home router’s default password has been changed.

Your company’s IT person or team can also review who has access to each of your company’s systems and then set appropriate controls based on job role or department. For example, your warehouse team does not need access to your company’s financial database, and your entry-level employees don’t need access to your executive team’s files. Setting these controls, reviewing them whenever someone changes role, and removing employees’ access completely when they leave the company can prevent intrusions from spreading and avoid internal breaches.

It’s also wise to periodically review the settings on all your company’s software, operating systems, cloud storage, and hardware to ensure that access is private and limited to the employees who are authorized to use it. More than 10% of 2021 breaches were caused by errors including misconfigured cloud storage, per the DBIR.
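One concrete form the cloud-storage review above can take is an automated read of each bucket’s policy for grants to “everyone”. The script below is an added example for this page, not ClearSale’s, Verizon’s or any vendor’s tooling. It parses AWS S3 bucket policies in the standard IAM JSON policy format and reports Allow statements that give anonymous principals read access. The three policy documents, the account ID and the bucket names are constructed samples.

```python
"""Flag bucket policies that grant read access to anonymous principals.

Added example (not the original page's code). Policies are constructed
samples in the IAM JSON policy format; the account ID and bucket names are
made up.
"""
import json

# Actions that expose bucket contents or listings. Compared case-insensitively,
# because IAM action names are case-insensitive.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM accepts a single string or a list in Statement, Action and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element means everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_json):
    """Return the Sids of Allow statements granting unconditional anonymous reads.

    Statements with a Condition block are skipped rather than flagged: a
    condition such as aws:SourceIp may narrow the grant, so those need a
    human look instead of an automatic verdict.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


# Constructed sample policies (not real buckets).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-product-images/*",
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/storefront-app"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-order-exports",
                     "arn:aws:s3:::example-order-exports/*"],
    }],
})

CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-order-exports/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY),
                      ("conditional", CONDITIONAL_POLICY)):
        print(name, "->", public_read_statements(doc) or "no unconditional public reads")
```

Bucket ACLs and the account-level Block Public Access setting are separate controls that this check does not look at, so a clean result here is one input to the review, not the whole of it.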

Preventing attacks that can lead to data breaches, fraud, and brand damage requires an ongoing commitment to thinking about security and talking about it with your employees. While retailers are rightly concerned with preventing transaction fraud, it’s important to build and maintain a company culture focused on the full range of security awareness and best practices.

The post Cybersecurity Retail Risk Trends to Watch Now and in 2023 appeared first on Cybersecurity Insiders.

There are countless service accounts in any given organization. The number of these non-human accounts – and the number of applications that rely on them – is growing each day. These accounts can become high-risk assets that, if left unchecked, may enable threats to propagate throughout the network undetected.

In the new eBook ‘4 Steps to Comprehensive Service Account Security’, we’ll explore the challenges of protecting service accounts and offer guidance on how to combat these issues. Topics covered include:

+ 3 key problems created by service accounts
+ Why current methods of securing service accounts fall short
+ 4 steps to comprehensive service account security
+ And more

Download the eBook here

The post New eBook: 4 Steps to Comprehensive Service Account Security appeared first on Cybersecurity Insiders.

[ This article was originally published here by Indusface.com ]

Indusface AppTrana recorded more than 40,756 open vulnerabilities across the applications it monitored in August and September 2022.

90% of all vulnerabilities are exploitable, even by attackers with little technical knowledge or skills.

Given the circumstances, you need to build and maintain a sound security posture, and an ongoing vulnerability assessment process is a vital piece of it.

What Does an Ongoing Vulnerability Assessment Entail? 

The typical vulnerability assessment process includes these six steps:

  1. Vulnerability identification: build a comprehensive list of the vulnerabilities in the IT environment.
  2. Vulnerability analysis: identify and analyze each vulnerability’s root cause, source and impact.
  3. Risk assessment: rate the risk of each vulnerability from its severity score, taking exploitability and the exposure and criticality of the affected asset into account rather than the score alone.
  4. Remediation: close the gaps through patching, virtual patching, configuration changes or code fixes.
  5. Re-evaluation: re-scan to confirm the fixes worked and nothing has regressed.
  6. Reporting and documentation: record what was found, what was done and what remains open.

This risk-based vulnerability assessment process cannot be an isolated, one-off event as the threat landscape constantly evolves and new vulnerabilities are discovered every day.

To keep your risks limited to tolerance levels and protect your assets, you must regularly perform vulnerability assessments.

Further, regular penetration testing and security audits need to augment the VA process.

Ongoing Vulnerability Assessment Process: Why it’s the Key to Your Sound Security Posture? 

Offers Insights into the Risks 

To build a solid security posture, you need to know where you stand regarding risk. As a function of vulnerabilities and threats, risk fluctuates over time. Regular vulnerability assessments give you a current picture of your organization’s risk, so you can take the necessary action quickly.

Unearths Vulnerabilities, Misconfigurations, and Security Weaknesses

Using a mix of tools and techniques, the vulnerability assessment process surfaces security vulnerabilities, misconfigurations, weaknesses and gaps across the IT infrastructure.

Vulnerability assessment tools automate the scanning process, which gives it speed, repeatability and breadth. They can run deep scans across the infrastructure while discovering new hosts, applications and endpoints to add to the scope. The better tools are updated continuously so they test for newly disclosed vulnerabilities as well as known ones. Scanners only find what they have checks for, so their coverage should be reviewed against your asset inventory.

Automated scanning should be augmented with regular manual penetration testing by trusted security experts. This helps you identify business logic flaws, chained misconfigurations and previously unknown vulnerabilities that scanners miss.

Finds the Cracks in the Armor 

Through ongoing risk-based vulnerability assessments, you can continually evaluate the strength of your defenses and promptly detect cracks in the armor on the human, network, application and system fronts. You can then take steps to strengthen your defenses and keep your data, mission-critical assets and infrastructure protected. It also helps you get the most out of the security controls you already have.

Helps Understand the Potential Impact of Vulnerabilities 

The vulnerability assessment process does not stop with identification. It includes analysis and prioritization. When the process is ongoing, you gain insight into:

  • How exploitable each vulnerability is
  • The likely ways it could be exploited
  • The impact a successful attack would have

So, you can keep hardening your security posture.

Creates an Updated Inventory of Assets 

The attack surface is ever-expanding with several moving parts, shared services, third-party components, and software. You can create and keep updating your asset inventory with an ongoing vulnerability assessment process. The automated vulnerability assessment tools make this process quick, accurate, and efficient.

So, you can gain real-time visibility into your attack surface and identify the areas of exposure.

Enables Prioritization of Business-Critical Assets 

Ongoing vulnerability assessments also tell you about the position and condition of each asset/ system/ device connected to the network, its purpose, and related systems. Based on this, you can prioritize and put more effort toward business-critical assets.

Empowers Smarter Decision-Making and Strategy Formulation 

From real-time, actionable insights to thorough reporting and documentation, an ongoing vulnerability assessment equips you to:

  • Make the right decisions at the right time
  • Prepare solid incident response plans
  • Formulate robust strategies
  • Ensure strong security controls

You are not basing your strategy and decisions on dated information and reports but the latest insights. This helps strengthen your security posture.

In Conclusion

Vulnerability assessment processes enable you to know your risks and reduce them, which hardens your security posture.

The post Why Do You Need Ongoing Vulnerability Assessments? appeared first on Cybersecurity Insiders.

Whilst it’s easy to assume cybersecurity breaches are a technology issue, the main culprit is human error. Even with an increase in security investment over the past decade, companies still face an onslaught of cyberattacks.

No matter what anybody tells you, nobody is perfect (yes, even you George Clooney!). We all make mistakes, and we all have odd moments of error. But errors resulting in cybersecurity breaches can have disastrous consequences for all involved.

Verizon’s 2022 Data Breach Investigations Report concluded that 82% of breaches involved a human element. Whether through lack of awareness or negligence, employees and contractors at every level can make a mistake.

Most errors are made without realizing how dangerous they can be for cybersecurity. Whether it’s clicking on a link, downloading, or simple misconfiguration, these everyday mistakes can lead to system and operational disruption.

A simple wrong click can snowball into an escalating concern. And with over 65% of companies being targeted twice a year with cyberattacks, these mistakes need to be addressed to cut their impact. Organizations must take the relevant steps to educate their employees and mitigate these mistakes.

As businesses suffer severe cybersecurity breaches, sensitive data can be exposed to the digital sphere. Let’s take an in-depth look at six key human error behaviors and what they could mean for your business.

What is human error in cybersecurity?

It’s no secret that cyber-threats are a blotch on our digital landscape. Despite recent global efforts and AI-based security products, the number of breaches continues to grow. One unnerving statistic: cybercriminals are reported to be able to penetrate 93% of company networks.

This is why cybersecurity should be a top priority for every business. No matter the industry, cybercriminals go after private and sensitive data. Even with modern anti-malware and threat detection software in place, attackers know that the effectiveness of those tools depends on the people using the systems.

Human error can manifest in a myriad of ways. It plays such a significant role in breaches that addressing it head-on removes a large class of exposures. The trouble is that human error is not a simple problem to fix.

Hackers find and exploit even the simplest forms of human errors. Whilst it’s easy to pinpoint how an error was made, the hard part is understanding why it was made in the first place.

Cybercriminals are mostly financially motivated, and data is what they monetize. Data can be exposed at any stage of a system’s life cycle, from development through operation, which is why security testing has to be continuous rather than a one-off gate.

The constant threat of data infiltration looms over employees’ heads daily. Whilst this can have a positive effect on individual security measures, it can make it easier for cybercriminals to succeed. Their constant interference will take a toll on employee decision-making capabilities.

These instances of human error can be categorized into two different types:

Skill-based errors

If you’ve ever had a role that consisted of repetition, you would have been susceptible to skill-based human errors. By nature, repetitive tasks can lead to a lack of attention, which in turn can lead to small mistakes. These small mistakes are referred to as skill-based errors. 

Skill-based human errors consist of small mistakes that involve temporary lapses of judgment. These mistakes can occur due to tiredness, distraction, and repetition. Even though they are small, these occurrences can be disastrous.

The environment can lead to many skill-based errors too. Privacy, noise level, and even temperature can all be contributing factors. Employees know the correct course of action, but these factors can lead to an error.

Decision-based errors

Whilst skill-based errors are temporary oversights, decision-based errors are flawed employee decisions. These faulty decisions often involve users not having enough training on a specific scenario. Or, in many cases, using inaction as a response rather than making a decision.

This is what makes training an essential part of cybersecurity. Companies cannot expect employees to have the relevant information on security at their disposal. It’s up to the organization to keep employees informed and up-to-date. 

Imagine if you were working for a video chat app that hadn’t provided the necessary level of privacy knowledge. This lack of awareness would increase the chances of a breach, through no fault of your own.

6 examples of human errors 

Organizations pride themselves on machine learning and AI capabilities. However, their biggest asset is people. By providing effective training, the rate of human error will decline. 

Let’s take a look at some examples of human errors in our digital landscape.

Phishing scams

The goal of a phishing attack is to lure individuals into providing sensitive data: passwords, user information and banking details. Attackers tailor their lures with well-worn psychological levers such as urgency, authority and curiosity.

Bulk email phishing and targeted spear phishing are the two most common forms. Bulk phishing involves attackers sending emails that impersonate legitimate companies; subject lines include words like “urgent”, and the body carries a link for the user to click.

Spear phishing is more commonly found in the workplace. Attackers use email messages that are more personal and thus more likely to be opened. Hackers find ways to imitate trustworthy colleagues or even a boss to obtain specific pieces of valuable data. 

Due to the nature of the fast-paced office environment, employees sometimes engage with emails that shouldn’t be opened. But rather than risk falling behind, the need to respond is too great to ignore.

Phishing is the most common way that human error turns into a breach, which is why giving employees an easy way to report suspicious messages pays for itself.
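The impersonation tricks described in this section, and in the retail article earlier on this page (a brand’s logo and display name on an email sent from somewhere else), leave traces in the From header that a mail gateway or a triage script can check. The code below is an added example for this page, not Dialpad’s, Verizon’s or any product’s detection logic. It flags a display name that claims a known brand while the address belongs to another domain, and a sending domain that is a homoglyph lookalike of, or embeds, a brand’s own label. The brand table, the homoglyph map and the sample headers are constructed for illustration, and the domain handling is deliberately crude (last two labels), so a real deployment would use a public-suffix list.

```python
"""Spot display-name and lookalike-domain impersonation in From headers.

Added example (not the original page's code). The brand table, homoglyph
map and sample headers are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Brands the organization deals with, mapped to the domains they really send
# from. Constructed list; a deployment would load this from configuration.
TRUSTED_BRANDS = {
    "microsoft": {"microsoft.com"},
    "gmail": {"gmail.com", "google.com"},
    "ups": {"ups.com"},
}


def _normalize(label):
    """Undo common homoglyph swaps so 'rnicr0soft' compares equal to 'microsoft'."""
    label = label.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):
        label = label.replace(pair, single)
    return label.translate(str.maketrans("01357", "olest"))


def _registrable_domain(domain):
    """Crude eTLD+1 (last two labels). Assumption: fine for the samples; use a
    public-suffix list for real traffic so co.uk and similar are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_from_header(from_header):
    """Return the list of impersonation indicators found (empty if none)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable or missing address"]
    domain = _registrable_domain(addr.rsplit("@", 1)[1])
    sld = domain.split(".")[0]          # second-level label, e.g. 'micr0soft-login'
    normalized = _normalize(sld)
    reasons = []
    for brand, real_domains in TRUSTED_BRANDS.items():
        if domain in real_domains:
            continue                     # genuinely one of the brand's own domains
        # 1. Display name claims the brand, but the address does not belong to it.
        if re.search(rf"\b{re.escape(brand)}\b", display.lower()):
            reasons.append(f"display name claims {brand!r} but address domain is {domain!r}")
        # 2. The domain label is a lookalike of, or embeds, the brand's own label.
        for real in real_domains:
            real_sld = real.split(".")[0]
            if sld == real_sld:
                continue
            if normalized == real_sld:
                reasons.append(f"lookalike domain {domain!r} resembles {real!r}")
            elif real_sld in normalized.split("-"):
                reasons.append(f"domain {domain!r} embeds the brand label {real_sld!r}")
    return reasons


def is_suspicious(from_header):
    return bool(analyze_from_header(from_header))


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Microsoft Account Team <security@micr0soft-login.com>",  # name claim + embedded brand
    "Microsoft <login@rnicrosoft.com>",                       # name claim + homoglyph lookalike
    "UPS Delivery Notice <tracking@ups-delivery.net>",        # name claim + embedded brand
    "Gmail Team <no-reply@google.com>",                       # legitimate
    "Jane Doe <jane@example.org>",                            # unrelated, legitimate
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", analyze_from_header(header) or "ok")
```

The From header is only the attacker’s claim; pair a hit from this check with the Authentication-Results header (SPF, DKIM and DMARC outcomes) before acting on it, and expect the brand table to need curation as new services are adopted.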

Using weak passwords

You may be surprised to learn that the most popular password in the world is “123456”. This frightening statistic may explain why password management practices should become essential within the workplace.

Passwords are the front line of defense. Selecting a weak, easy-to-guess password gives attackers easy access to private information. Companies that introduce clear rules, a password manager and multi-factor authentication add the layers that a single password cannot provide.

Besides creating weak passwords, employees make the mistake of storing passwords unreliably. Many employees keep passwords out in the open or on paper. Whether leaving notes on their desks or storing them on their computer, passwords can be easily retrieved.

Credentials pasted into unencrypted chat or email between colleagues can be read by anyone who intercepts the traffic or later gains access to the mailbox; a password manager’s sharing feature is the safer route.

Email Misdelivery 

New digital features are being established every day. From auto-suggest to file sharing, easy-to-navigate applications simplify employee productivity. Unfortunately, this simplicity can lead to many cybersecurity breaches. 

Auto-suggest in particular makes it easy to send emails to the wrong recipient. If the misdirected email includes customer information, the organization will have to inform those involved in the breach. This can then affect customer confidence and relationships.

Depending on privacy laws, companies will have to report the data breach to regulators, and a fine may be issued. 

Imagine a call-recording feature like Dialpad’s accidentally sharing a customer interaction with the wrong person. The legal repercussions would be serious, and so would the damage to that customer relationship.

Patching

Cybercriminals constantly look for weaknesses in software. Once a weakness is spotted, a race between attackers and software developers ensues. The longer the weakness remains vulnerable, the longer hackers have to infiltrate.

When the vendor fixes the issue, it releases a patch that has to be deployed to every affected system. Until that happens the weakness is still there, and attackers can keep exploiting it.

While it is easy to blame the software, human error carries much of the blame. Many users postpone the update until the end of the day, or for days, to keep it from interrupting their work, and every hour of delay is an hour the company stays exposed. Centrally managed, enforced patch deployment takes that decision out of the individual’s hands.

Remote work

The COVID-19 pandemic sent employees home to work. Though the move improved work–life balance for some, it also widened the attack surface: remote desktop services exposed to the internet, home networks and personal devices.

Working from home complicates cybersecurity policies. Sending data over unsecured Wi-Fi leaves companies open to interception. Remote work also relies heavily on email and chat, which gives phishing more room to operate.

Employees may have the option to use their own devices during remote work. That means unmanaged devices whose patch level and security state are unknown. There is also the problem of ex-employees retaining confidential data on personal devices, where it can be lost or stolen with no company control.

Poor employee habits

As with repetition, employees can develop bad habits that are hard to shake. Becoming too comfortable can cause issues with even the simplest of tasks. As the famous quote says, familiarity breeds complacency, through no fault of the employee.

Common negligent habits include leaving a computer unlocked, sharing passwords, and leaving sensitive information on paper for all to see. Confidential printouts can be forgotten, and public Wi-Fi can be accessed without a VPN. 

Files can be shared by even less secure means, such as personal text messages and personal email, which puts the data outside the controls the organization actually manages.

Wrapping up

Even with the increase in security measures and operations, errors are still going to occur. These cybersecurity breaches cost organizations not only money, but also their reputation. 

And reputation drives business: customers choose, and recommend, companies they trust to look after their data.

Humans don’t have to be the weakest link. By promoting education via discussions and constant reminders, employees are more likely to be kept aware. It will also encourage them to continue the best practices of keeping their workplace safe. 

About the Author

Gerard D’Onofrio – Country Manager, Australia, Dialpad

Gerard D’Onofrio is the Country Manager for Dialpad Australia. Dialpad is an AI-equipped business communications platform for better communication at work. Gerard is experienced in discovering world-class developments and turning them into effective business advancements. He has also published articles for sites such as BizCover.

The post 6 Human Errors That Become Windows For Cybersecurity Breaches appeared first on Cybersecurity Insiders.

Cybersecurity is one of the fastest-growing industries and one that will likely see a lot of opportunities for career progression over the years. As a result, more people than ever are now looking to work in this field. However, there are a lot of challenges when it comes to working in cybersecurity, and you’ll need to understand how to make the most of your opportunities. There are many different paths within cybersecurity, and your progression will depend on which path you take and the choices you make along the way.

Improving Your Soft Skills

Soft skills are general skills that apply across professions. They serve us throughout our lives and careers and, although they are not technical, they are often at least as important as hard skills. If you want to progress in any career, developing and improving your soft skills matters. This applies well beyond cybersecurity, but soft skills are often overlooked by people who think technical skills alone are enough.

Some of the most important soft skills for a successful career in cybersecurity include communication, teamwork, problem-solving skills and leadership. You can develop these through life and experience, or you can take a course. You’ll find online communication courses that teach you how to use your spoken and written communication to influence people and impact projects. You can also find courses on teamwork, problem-solving and leadership, all of which can help you develop to become more effective at your role.

When you look for a cybersecurity role, you’ll normally have to highlight the soft skills that you possess in your interview. You can do this by bringing up examples of the times you demonstrated these skills in previous roles. It’s important that you let potential employers know your soft skills as well as any technical skills you might have, as these are just as important.

Getting Your Certifications

There is now a wide range of certifications available within the cybersecurity industry, designed to validate technical skills and make it easier for candidates to show them to potential employers. Before embarking on a career in cybersecurity, think about the area you’d like to work in and the kind of certifications it calls for. They range from basic to advanced, and you need to make sure you have the right one for your preferred career path.

The CompTIA Security+ certification is widely recognized and demonstrates a solid foundation of cybersecurity skills. It is often listed as a requirement for roles that explicitly include cybersecurity, and it is one of the certifications accepted under the US Department of Defense’s 8570 baseline for certain information assurance positions. The exam includes performance-based questions that test practical skills and is designed for those moving from entry-level to intermediate cybersecurity roles.

The CISM, or Certified Information Security Manager, certification is another highly coveted credential that is often key to accessing higher-paid, management-level roles. It is well recognized worldwide and sets a standard for the sector. Although anyone may sit the exam, certification requires five years of relevant information security work experience, and the exam itself is notoriously challenging and demands substantial preparation.

Finding Experience

While it’s important to train both your soft and hard skills and gain the right qualifications, relevant experience is always required when it comes to progressing within your career. Developing your practical skills is one of the most important reasons why experience is so necessary. Not only do you have to show on paper that you have the skills, but it’s important to prove that you can make use of them in a real setting.

You can find experience in cybersecurity by attending workshops and taking part in capture the flag events, which are designed to help people develop practical skills. Additionally, you can find internships, apprenticeships and other entry-level positions within the industry. There’s a growing demand for qualified cybersecurity professionals, and you’ll soon be able to work your way up and progress.

The post How to Progress in Your Cybersecurity Career appeared first on Cybersecurity Insiders.

Whatever assets you happen to control, you want to be sure that they’re secure. Even if your system is lucky enough to be based in Sweden – the country with the lowest malware infection rates in the world – it needs vigilant protection. 

The uncomfortable truth is that there are innumerable threats out there, and more companies than ever are being targeted by cybercriminals. 

New Common Vulnerabilities and Exposures (CVE) entries are published every day, and no team can fix everything at once. For this reason, you need to identify your weakest points: you need vulnerability management.

While machine learning is starting to make inroads into vulnerability management, for instance in models that predict which findings are likely to be exploited, there are certain steps you should be taking to strengthen your programme regardless. We’ll assess these in turn, but let’s start with a definition.

What is Vulnerability Management?

Whether you are responsible for hardware, software or personnel, you need to be sure of your security measures. You need to know what the threats are so that you can tackle them effectively and quickly, not least because to leave threats unchallenged is expensive. 

So although it can be costly to implement these processes, it can be far more pricey in the long run not to. There are a number of different processes you can use to ascertain threats and their risk to your assets. 

One such framework is the Common Vulnerability Scoring System (CVSS), an open standard for describing the characteristics and severity of a software vulnerability, whether it sits in customer experience management software or in a database retrieval routine.

CVSS produces a score from 0 to 10. In the qualitative scale that accompanies the specification, 9.0 and above is Critical, 7.0 to 8.9 is High, 4.0 to 6.9 is Medium and 0.1 to 3.9 is Low.

We’ll return to CVSS shortly, when we look at its role in triage. For the moment, here is what it records about a vulnerability. A score is built from three metric groups:

  • Base metrics: the intrinsic characteristics of the vulnerability (how it is reached, what privileges and user interaction it needs, what it does to confidentiality, integrity and availability) that do not change over time or across environments.
  • Temporal metrics: characteristics that change over time but not across environments, such as whether exploit code is public and whether an official fix exists.
  • Environmental metrics: adjustments that depend on the user’s own environment, such as how critical the affected asset is and which mitigations are already in place.

This can be used in conjunction with a range of penetration testers using automated tools to identify vulnerabilities across products and services. 

Technical and non-technical information is produced, so staff from both technical and non-technical backgrounds can understand the situation. Diagnostics can then begin.

A common finding at this stage is a paralysis in the face of an array of threats and vulnerabilities. This is why vulnerability triage is required. 

What is Vulnerability Triage?

Just as in a medical situation, vulnerability triage is all about deciding on what needs remedying now and separating it from the cases that aren’t quite as time critical. In the cyber-security arena, this means separating out the largest, most dangerous and most imminent threats from the medium to low risk threats. 

Vulnerability triage is intended to combat the two common reactions to vulnerability assessment. Reaction one is characterized by a tendency to file the results of the assessment away until there’s more time available. After all, you’re busy right now and you can always make time later, right? Not necessarily. And meanwhile, those threats are still there and might grow in intensity. 

Reaction two is where the decision is made to deal with the problems right away, but the individual makes the mistake of methodically working through the list in the order it was produced, rather than rationally assessing which items need dealing with first.

Quite often what happens here is that enthusiasm for the task diminishes as the operation wears on, which means that some of the threats at the bottom of the list may end up unremedied, even though they may be the most dangerous. 

First Step: Get Your Team Together

Vulnerability triage should be undertaken by a team with expertise in data analytics, IT management, cyber security risk and general business risk. So, choose its team members wisely, as they’re going to have a lot of responsibility on their shoulders. Your Vulnerability Triage Group (VTG) will be what stands between your business and profound danger.

Second Step: Plan

The importance of planning is paramount. It can be tempting to launch straight into firefighting mode, but this can be inefficient and result in the wrong threats being targeted first. 

Planning means being proactive – this is important, as to be purely reactive is to fail to provide good vulnerability management. Planning separates threats into three different groups:

Fix

Establish what you’re going to tackle first. Describe what fixes you’re going to put in place to protect the Confidentiality, Integrity and Availability (CIA) of the organization’s systems. 

Acknowledge

For those risks that you’re downgrading, you need to detail them and describe why they aren’t such an imminent threat. They’re to be kept on file so that they can be returned to when necessary. 

Be careful with this group. If you place a threat here that then turns out to be severe enough to need immediate fixing, you’ll need to be able to furnish stakeholders with the reasons why you put it in the Acknowledge class. So, ensure you have recorded full background to any decision making. 

Investigate

This is for when the VTG isn’t altogether sure if the threat is sufficiently imminent or severe to warrant immediate remedy. Occasionally, even with the best talent on hand, there has to be a recognition that the data is inconclusive. 

For this reason, an investigation to fill in the knowledge gaps is necessary. A completion date can be allocated at this stage, with the intention being that the investigation will decide if the threat should go in the Fix or Acknowledge pile. 

Third Step: What Goes Where?

So, you have your groupings. You now come to the meat of the task: you have to decide what threat goes into which group. 

Start by looking at the vulnerability that’s been identified. Firstly, how likely is the vulnerability to be leveraged? Secondly, what’s the damage that could be done? It’s very similar to any risk assessment: likelihood of risk occurring multiplied by the severity of the possible outcome. 

This is where you need to deploy as broad a vision as possible. Think about the shape of the system and all its touch points regarding other systems. Here, having a thoroughly heterogenous VTG can really pay off. The wider the frame of expertise in the group, the more vulnerabilities can be recognized and brought to the table. 

Certain questions should be asked, such as ‘does the system hold critical data?’, ‘what can the attacker gain access to?’, ‘which mainframe modernization strategy is wrongly applied?’, ‘how readily can the system gain awareness of any incursion?’, ‘who is responsible for the asset?’ and ‘who is responsible for the remedy?’.

Further questions can then be leveled, including ‘how long will the fix take?’, ‘do we need assistance from another body?’ and ‘is there anything we can do to temporarily mitigate the concern while the final fix is being worked on?’.

Step 4: CVSS in Triage

We’ve seen how CVSS is used in initial threat detection. It can also prove extremely useful in triaging those threats. 

The most straightforward way to use CVSS is to take the basic metrics and decide on threat level just using those. 

However, the drawback here is that basic metrics don’t take into account any countermeasures that the system already has in place. For this reason, the information pouring out of this data pipeline may give a skewed picture of the situation, and you may end up rushing to defeat a threat that’s not actually that critical. 

This is why it makes a good deal of sense to get a custom CVSS score. This is done by also utilizing the temporal and environmental metrics. Once these are all in place, you’ll have a much more detailed and accurate picture of the vulnerability landscape.

However, there’s a problem here too. To factor temporal and environmental factors in can be an enormously laborious and time-consuming task, especially in a large and/or complex organization. This will occupy your VTG for an inordinate period and stop the individuals applying themselves to other areas of endeavor. 

As an alternative solution, one could seek to identify all the vulnerabilities that are specific just to the system’s critical components. 

This can be where Operational Support Systems (OSS) professionals can lend a hand in that they’ll have information on system critical points. They may for instance have access to different types of test cases in software testing that could furnish you with exactly the information you need. 

Step 5: Triage Filters

CVSS is by no means the only tool at your disposal. Just as with convolutional neural network layers, wherein a combination of information sources is used, it can be sensible to combine a CVSS basic metric sweep with a filter. Let’s have a look at two of them. 

Attack Vector Filter

The attack vector description determines the exact circumstances in which the vulnerability can be exploited. It can be:

  • Network – internet-based remote threat, perhaps from the most innocuous source, eg a free image service. 
  • Adjacent – has to be geographically (eg via Bluetooth) or closed-system (eg within a VPN) linked. It could be accessed via a database, so it’s worth running a vulnerability check here. If it’s an open source program (eg Apache Kudu), performance in this area can be checked with the originators.  
  • Local – threat via keyboard or other interaction with the user interface.
  • Physical – threat via insertion of physical device, eg USB stick.

How does this help? Well, if your system uses, for instance, cloud call center software involving no physical interactions via USB etc, then you can filter this attack vector out. This will remove a substantial number of CVEs from the CVSS picture and you can then just concentrate on the threats that remain.

Configuration Filter

This simply means that if your system is not using the particular component that has been identified as severely vulnerable, you can filter this out. Just one word of caution: make sure that this remains the same over temporal and environmental factors, otherwise you’ll be opening the system up to threat at other times and in other uses. 

Other filters exist, including Platform Filters, Hardware Architecture Filters and Status Filters, and are worth investigating for the increased power they give to your triaging, as are many of the latest cybersecurity technologies that come in all the time.

However, if you’ve asked all the relevant questions and used all the tools you can lay your hands on and you are still struggling, whether because of time pressures or just a lack of all the requisite information, there are some shortcuts you can apply. 

Step 6: Time for Shortcuts

The UK National Cyber Security Centre (NCSC) has been kind enough to supply a list of four priorities one can use for a quick result vulnerability triage. Threats should be dealt with in this order:

  • Priority 1: Internet services and standard web applications that have vulnerabilities that are open to attack with no user interaction. 
  • Priority 2: Niche and tailor-made web applications that have vulnerabilities that are open to attack with no user interaction.
  • Priority 3: Vulnerabilities that are potentially internet-wide and open to attack with minimal user interaction.
  • Priority 4: Vulnerabilities that are potentially internet-wide and open to attack with significant user interaction. 
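As an added example (not code from the article or its author), the following Python helper puts Steps 3 to 6 together: it applies the Attack Vector and Configuration filters, sorts what survives into the Fix, Acknowledge and Investigate piles with a recorded rationale, and orders the Fix pile by the NCSC priority list. The 7.0 threshold, the mapping from CVSS metrics onto the four NCSC priorities, and the CVE identifiers are assumptions and placeholders, not values from the article.

```python
"""Vulnerability triage helper (added example, not the article's own tooling).
Filters scanner findings, then buckets them into Fix / Acknowledge / Investigate."""
from dataclasses import dataclass

FIX_THRESHOLD = 7.0  # assumed: CVSS "High" and above goes straight to the Fix pile


@dataclass
class Finding:
    cve_id: str                 # placeholder identifiers below, not real CVEs
    component: str              # software component the finding applies to
    base_score: float           # CVSS base score as reported by the scanner
    vector: str                 # CVSS v3.x vector string; "" when the scanner gave none
    bespoke_app: bool = False   # niche/tailor-made app (NCSC priority 2) vs standard (priority 1)


def parse_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return dict(p.split(":", 1) for p in parts[1:])


def attack_vector_filter(findings, excluded):
    """Attack Vector Filter: drop findings whose AV metric the environment rules out,
    e.g. excluded={'P'} when nobody can plug a device into the system.
    Findings without a vector are kept so they can be investigated later."""
    return [f for f in findings if not f.vector or parse_vector(f.vector)["AV"] not in excluded]


def configuration_filter(findings, deployed):
    """Configuration Filter: drop findings against components that are not in use here."""
    return [f for f in findings if f.component in deployed]


def ncsc_priority(f: Finding) -> int:
    """Assumed mapping of CVSS metrics onto the four NCSC priorities: network-reachable
    with no user interaction -> 1 (standard app) or 2 (bespoke app); network-reachable
    with interaction but low attack complexity -> 3 ('minimal'); everything else -> 4."""
    m = parse_vector(f.vector)
    if m["AV"] == "N" and m["UI"] == "N":
        return 2 if f.bespoke_app else 1
    if m["AV"] == "N" and m["AC"] == "L":
        return 3
    return 4


def triage(findings, excluded_vectors, deployed):
    """Return {'Fix': [...], 'Acknowledge': [...], 'Investigate': [...]} where each
    entry is (cve_id, rationale); the rationale is what the VTG keeps on file."""
    kept = configuration_filter(attack_vector_filter(findings, excluded_vectors), deployed)
    fix, ack, inv = [], [], []
    for f in kept:
        if not f.vector:                       # inconclusive data: fill the knowledge gap first
            inv.append((f.cve_id, "no CVSS vector supplied; investigate before deciding"))
        elif f.base_score >= FIX_THRESHOLD:    # severe enough to remedy now
            fix.append(f)
        else:                                  # downgraded, with the reason recorded
            ack.append((f.cve_id, f"base score {f.base_score} below {FIX_THRESHOLD}"))
    fix.sort(key=lambda f: (ncsc_priority(f), -f.base_score))   # NCSC order, then severity
    fix_entries = [(f.cve_id, f"NCSC priority {ncsc_priority(f)}, base score {f.base_score}") for f in fix]
    return {"Fix": fix_entries, "Acknowledge": ack, "Investigate": inv}


# Constructed sample findings; the CVE identifiers are placeholders.
SAMPLE = [
    Finding("CVE-XXXX-0001", "webserver", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Finding("CVE-XXXX-0002", "orderportal", 8.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", True),
    Finding("CVE-XXXX-0003", "webserver", 8.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    Finding("CVE-XXXX-0004", "usbdriver", 6.8, "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),   # physical
    Finding("CVE-XXXX-0005", "legacy-erp", 9.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"),  # not deployed
    Finding("CVE-XXXX-0006", "webserver", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    Finding("CVE-XXXX-0007", "orderportal", 7.5, ""),                                             # no vector
]
DEPLOYED = {"webserver", "orderportal", "usbdriver"}   # constructed inventory; no USB access possible

if __name__ == "__main__":
    for pile, entries in triage(SAMPLE, {"P"}, DEPLOYED).items():
        print(pile, entries)
```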

Step 7: Admit Defeat?

Never. You really don’t want to end up in a chart like this.

OK, sometimes, one has to accept that a system is too vulnerable to attack for the ideal fix to be implemented. Or it might be that there aren’t sufficient funds available to remedy the problem properly. When this happens, you can’t just walk away, so what do you do?

What you do is introduce what are known as compensating controls. These contain or hamstring the risk to an acceptable level. Then make sure that it’s documented thoroughly enough so that everyone is aware of the problem and what to do to avoid its worst aspects. 

Not perfect, but at least it’s a way forward, to keep things going until a root and branch upgrade is possible. 

Conclusion

Triage can be slow, painful, forensic work. But it is hugely important, and growing more so with every new threat that emerges, along with developments in systems such as artificial neural networks, some types of which can be full of CVEs. 

To stay on top of the burgeoning dangers to your system, you need to establish a robust and organically evolving vulnerability management approach that can deal with the most pressing cases with the greatest urgency. 

The biggest takeaways here are two-fold. Remain vigilant, of course. And be communicative. A lot of your problems may have already popped up elsewhere, so solutions and shortcuts might be available to you. You might also check in with OSS and any other relevant communities from time to time, as it’s good to keep in touch. 

About the Author

Pohan Lin – Senior Web Marketing and Localizations Manager

Pohan Lin is the Senior Web Marketing and Localizations Manager at Databricks, a global Data and AI provider connecting the features of Pyspark machine learning. With over 18 years of experience in web marketing, online SaaS business, and ecommerce growth, Pohan is passionate about innovation and is dedicated to communicating the significant impact data has in marketing. Pohan has also written for BigCommerce and Voilanorbert.

The post A Simple Guide to Vulnerability Triage: A Structured Approach to Vulnerability Management appeared first on Cybersecurity Insiders.

Staffing shortages in some industries have worsened since the COVID-19 pandemic began wreaking havoc in 2020, especially in cybersecurity. Cyberattacks have increased in many sectors, primarily targeting education and healthcare. What can employers do for their businesses with attacks rising alongside the widening cybersecurity skills gap?

What Is the Cybersecurity Skills Gap?

The cybersecurity skills gap has been growing for the last decade, and the pandemic has only worsened matters. Organizations lack personnel in their information technology (IT) departments, putting them at risk for cyber theft and attacks. There are about 715,000 cybersecurity job openings in the United States that companies need to fill but cannot.

There are multiple factors contributing to the gap. One main issue is the level of certification needed to secure these cybersecurity jobs — the best-paying positions often require certificates in addition to a prospect’s university degrees. This predicament puts employers in a challenging situation. Do they keep their high requirements, or should they reduce the criteria to open up the talent pool?

How Can Businesses Close the Cybersecurity Skills Gap?

The cybersecurity gap causes issues for companies in many industries. The lack of personnel puts businesses in a precarious situation. How can they close the skills gap? Here are five ways to address the issue.

1. Evaluate Infrastructure and Employees

A practical first step for a business is to evaluate its current cybersecurity status. First, the company should assess the IT department itself. What is the current security model? What do the team members think could improve the infrastructure?

It’s wise to assess the cybersecurity knowledge in every department. The business should hold interviews, give skills tests and conduct performance reviews to gauge where the strengths and weaknesses are. From there, it will better understand where it needs to improve.

2. Educate Workers

Another way businesses can directly address the skills gap is by taking matters into their own hands and teaching cybersecurity skills to employees. The IT department can hold special training sessions to engage workers and help them learn how to care for their hardware. For example, IT could test employees to see if they can detect phishing emails. These learning opportunities should occur regularly to educate people on what’s new in cybersecurity.

Taking preventive measures can significantly reduce the risk of a company facing cyber theft or an attack. Phishing scams are an excellent place to start with training employees on cybersecurity. These attacks soared by over 200% at the pandemic’s beginning, creating risks if an employee opens an attachment on their work computer.

3. Encourage Certification and Continued Learning

Teaching employees about cybersecurity is an effective and direct way to help close the gap, but businesses can go a step further and incentivize workers to pursue certifications. There are numerous organizations they can go to for training.

For example, the Cybersecurity and Infrastructure Security Agency (CISA) has various courses on its website. CISA offers classes for federal and non-federal employees, cyber professionals and the general public. Students can learn coding and the essentials of cybersecurity. These free lessons start at beginner levels and become advanced.

4. Utilize Third-Party Sources

Another way to strengthen a business and close the cybersecurity skills gap is using third-party sources. A prime example is corporations like Google using bug bounty programs to scope out security vulnerabilities in their software. These bounty programs often include white-hat freelance hackers who will try their best to find holes in the security infrastructure.

A bug bounty program tests the boundaries of security systems and can reduce the number of internal tests a business needs to do. Once weaknesses are discovered, a company’s IT team will still need to address them; but even so, third parties allow businesses to conserve resources by outsourcing vulnerability testing.

5. Consider Automation

Automation has been an influential tool people have used across countless industries. Artificial intelligence (AI) takes human effort out of the equation and can make cybersecurity processes stronger and more efficient. Employers can use it to close the skills gap by putting cybersecurity in the hands of smart technology.

Automating cybersecurity is important because cyberattacks themselves have become automated. By constantly learning and understanding new threats, AI can improve a company’s infrastructure to fight attacks like ransomware. Automated software is typically quicker than humans in detecting cybersecurity issues and can provide better 24-hour protection.

Closing the Cybersecurity Skills Gap

Cybercriminals are becoming more sophisticated daily, increasing the demand for cybersecurity professionals. There are hundreds of thousands of job openings in this field, which causes concern because of the rise in attacks. These problems have led companies to take matters into their own hands to stay safe from hackers.

The post How to Close the Cybersecurity Skills Gap in Your Business appeared first on Cybersecurity Insiders.

In today’s ultra-competitive MSSP market, business owners are looking for ways to make their offerings more attractive to customers and their SOCs more effective. To that end, MSSPs add new technology to their security offering stack in the hope that prospective customers will see this addition as an opportunity to outsource some, or all, of their security monitoring. There is some validity to that strategy; unfortunately, the new technology often fails to deliver its stated benefits, leading to higher customer churn. So while keeping your technology and security team abreast of the latest and greatest security technology is essential, sometimes you must look at what is already in your security stack.

The one technology I am referring to specifically is your SIEM. Depending on who you talk to, we are currently in the third or fourth generation of SIEM technology; however, when I talk to practitioners, their frustration level with their SIEM is at Defcon.

MSSPs continue to use a SIEM that is not delivering what they need because of the time and resources required to rip and replace it with something that will probably leave them with similar disappointment.

Let me talk about three ways this old SIEM (or even not-so-old SIEM) is causing more harm than you think.

SIEMs are Lazy

There, I said it, but we all know that SIEMs, up until recently, didn’t work smarter, they made you work harder. While they did allow you to collect all kinds of logs and correlate alerts from different security controls, the result you would get was only as good as your most ingenious security analyst. If they were a security ninja with a vast understanding of the threat landscape and knew how to write intelligent correlation rules, you were probably loving your SIEM.

If your team is like most, where other companies try to lure your best players away, you’d see a dramatic shift in your SIEM’s effectiveness if they did leave. Yes, NG-SIEM providers are trying to address this issue by delivering more out-of-the-box content (the jury is still out on its effectiveness). Nevertheless, just like that package of Oreos your kids open and forget to close correctly, that content quickly becomes stale, leaving you with the task of creating new rules or scouring communities for content you can import. Bottom line: the SIEM, even the NG-SIEM, is leaving the heavy lifting to your team, hampering your ability to add the number of customers your team could handle without this burden.

SIEMs are Data Hogs

Cybersecurity today is a data problem, scratch that, it’s a BIG BIG data problem. With so many products in use daily, the volume of logs a typical mid-size company generates is ridiculous. While specific industries require complete log collection and review to comply with this or that regulation, many customers that might look at an MSSP are not trying to solve a compliance problem. Instead, many are looking to do a better job of identifying and mitigating threats before they can harm their business. SIEMs’ inherent, built-in bias toward complete data collection means that a security team looking to identify threats will wade through oceans of irrelevant log data in the hope of uncovering a danger. It’s not an impossible task, since you are probably doing this today, but imagine if you were a 49er panning for gold in the 1840s. Instead of using a pan to sift through small amounts of silt for gold, you decide to use a giant bucket in the hope of eyeing that valuable mineral. Which do you think would take longer? Of course, I know this isn’t an apples-to-apples comparison, and our advanced computing capabilities can speed up the process. However, saving a few minutes a day adds up, especially across a SOC with ten, twenty, or fifty security analysts. Bottom line – SIEMs are great at solving pure compliance use cases since they collect all log data, but for security use cases, which is what you are typically selling, you need tech that understands the difference between relevant security logs and irrelevant ones, and only collects what it needs.

SIEMs don’t like Everyone

When I was running product marketing for another vendor (who shall remain nameless), one of the most common questions was, “Do you support XYZ product?” or “Can I bring in data from ABC product?” Savvy security buyers who have been around the vendor circus once or twice understand how security vendors will downplay the lack of pre-built integrations to your products. They will say things like, “I can get that for you, no problem,” or “I’m sure it’s on the way; let me get back to you,” while in reality, they will have to go back to their integration team and beg and plead for a new integration, especially if they need to close your deal to hit their number for the quarter. Now someone in the integration team whips up a one-off script that shows data flowing from your product into the SIEM backend, hoping no one takes a fine-tooth comb to what was delivered. Again, if you have been around for a minute, I am sure this sounds familiar.

The sad reality is that most SIEMs are challenging to integrate, given the underlying complexity of their data models. You might be able to write your own integrations, and if that is the case, great, but what happens when the SIEM vendor rolls out a new version and breaks your integration? It’s back to the drawing board. Bottom line – out-of-the-box integrations to a SIEM that work are what you should expect from your SIEM vendor. If that isn’t what you are getting today, your customer onboarding time will suffer, and, in the worst case, you will lose out on business waiting for your SIEM vendor to deliver an integration that you hope works.

We have helped many MSSPs see the benefits of ripping out their old or not-so-old SIEM and replacing it with our Stellar Cyber Open XDR Platform. With our platform, you get:

– The right automation, where you need it: Stellar Cyber’s goal is to make threat detection, investigation, and remediation as automated as possible. When you move to Stellar Cyber, your days worrying about correlation rules going stale are over. Stellar Cyber does the heavy lifting enabling faster customer acquisition.

– Intelligent data collection: we collect security-relevant data enabling our AI/ML threat detection engine to identify threats as fast as possible. When seconds matter, Stellar Cyber makes sure you have all the seconds you can get.

– Everyone is welcome: If your SIEM and Stellar Cyber were both throwing parties, our party would look like a class reunion with everyone having the time of their life; the SIEM party might look like a gathering of people that have never met. In other words, Stellar Cyber’s architecture is open, with integrations to just about every popular security, IT, and productivity tool around, making customer onboarding and your business growth faster than ever.

We owe a lot to SIEMs. They opened our eyes to the importance of data analysis, but today you can do better than the SIEM you are using. To learn more about Stellar Cyber, check out our MSSP-specific five-minute tour.

The post MSSP Focus: Three ways your SIEM (even NG-SIEM) is hurting your ability to grow appeared first on Cybersecurity Insiders.