Triple Threat: IT Security Pros Face Increasing Attacks, Challenges and Costs

| April 26, 2016

article image
As cyber crime continues its steadfast climb, it’s become more important than ever to stay abreast of the security landscape and improve defensive methods constantly. And for good reason, too: Enterprise security teams are increasingly concerned about the growing volume and sophistication of attacks, the challenge of managing security complexity and the rising cost of data breaches.

Spotlight

Radiflow

Radiflow is a leading provider of cyber security for critical infrastructure networks. The Radiflow solution provides operators visibility and control of their OT network; including both non-intrusive Industrial IDS to monitor real-time networks and security gateways to secure access to devices in critical zones. Radiflow was founded in 2010 as part of the RAD group, a family of ICT vendors with over $1Bn in annual revenues. Since 2012 Radiflow has sold more than 10,000 systems used by major utilities world-wide and validated by leading research labs in the US.

OTHER ARTICLES

Webroot: Widespread Lack of Cybersecurity Best Practices

Article | April 7, 2020

A new list of most and least cyber secure U.S. states shows a disturbing lack of cybersecurity best practices. According to Webroot‘s fourth annual ranking, New York, California, Texas, Alabama and Arkansas are the least cyber secure states in the country, while Nebraska, New Hampshire, Wyoming, Oregon and New Jersey are the most cyber secure. Tyler Moffitt, Webroot security analyst, tells us none of the states had an average score greater than 67%. Also, there is very little difference between the most secure and least secure states, he said. No state scored a “C” grade or higher. That underlines a lack of cybersecurity education and hygiene nationally. However, the most cyber secure state (Nebraska at 67%) did score substantially better than the least (New York at 52%). This score was calculated through a variety of action- and knowledge-based variables, including residents’ use of antivirus software, use of personal devices for work, use of default security settings, use of encrypted data backups, password sharing and reuse, social media account privacy, and understanding of key cybersecurity concepts like malware and phishing,” Moffitt said.

Read More

5 Digital Transformation-Driven Cybersecurity Considerations

Article | November 25, 2020

On their road to recovery from the pandemic, businesses face unique dilemmas. This includes substantial and entirely necessary investments in digital transformation, however tight budgets are making such endeavors difficult if not impossible. Businesses continue to struggle with pivots like adopting new digital platforms, shifting their corporate model to resolve supply chain disruption and enabling a remote workforce. The inability for businesses to quickly adopt technologies that support digital transformation processes, including identity-based segmentation, virtual desktop interfaces and full-stack cloud, is hindering their ability to adequately address new threats and even to test new security systems and protocols. “Now more than ever, it’s imperative to remediate risk exposure and vulnerabilities within an organization’s existing systems—optimally from the get-go,” urges cybersecurity expert Nishant Srivastava, Cyber Security Architect and field expert at Cognizant—an IT Solutions and Services firm for which he's focused on designing and implementing Identity and Access Management (IAM) solutions. “Biggest threats should get highest priority, of course, but the magnitude or even likelihood of a threat should not be the sole consideration. Organizations should also look at other forms of value that new technologies can bring.” Below Srivastava, a senior-level IAM, governance and cyber risk authority, offers key digital security vulnerabilities businesses need to be mindful of given increased digital dependency amid the pandemic. Heed these best practices to help keep your company—and customers—uncompromised. Consumer-Facing App Gaps For consumer-facing web applications, some of the biggest security threats include path traversal, cross-site scripting (XSS), SQL injections and remote command execution. Of course, protecting customer data is an utmost security concern and breaches abound. One of the biggest challenges to address these kind of issues lies with lacking human resources. There is a lack of aptly trained and skilled security staff in even the most sophisticated of regions, which is cultivating a gap in cybersecurity skills across the globe. It goes without saying that employee training and investing in highly-qualified staff are among the best ways to establish, maintain and uphold security levels of consumer facing apps. Rifts, however small, can induce excessive damage and losses. eCommerce Exposure Online delivery businesses that are aware of security risks would be wise to introduce more secure logins, automatic logouts and random shopper ID verification and are preventing shoppers from swapping devices when ordering. Such measures will help thwart breaches that expose of customer names, credit card information, passwords, email addresses and other personal and sensitive information. Companies selling goods or services online also should not launch without a secure socket layer (SSL) connection. It will encrypt all data transfer between the company’s back end server and the user's browser. This way, a hacker won’t be able to steal and decode data even if he or she manages to intercept web traffic. Another useful strategy is to enforce password limitations. Passwords should be as complicated as possible with a combination of symbols, numbers and letters. Investing in a tokenization system is worthwhile because any hacker who accesses the back end system can read and steal sensitive information, which is held in the database as plain text. Some payment providers tokenize cardholder information, which means a token replaces the raw data so the database then holds a token rather than the real data. If someone steals it, they can’t do anything with it because it’s just a token. Ransomware Recourse Ransomware threats are escalating, which is why those doing business digitally should enforce a multi-layer security strategy that incorporates data loss prevention software, file encryption, personal firewall and anti-malware. This will protect both a company’s infrastructure and its endpoint. Data backups are key because there’s still a mild chance of a breach even with all of the aforementioned security solutions in place. The easiest and most effective way to minimize cyberattack damage is to copy files to a separate device. This very reliable form of backup makes it possible for people to recommence work as usual with little to no downtime, and all their computer files intact, should an attack occur. Gone Phishing Gmail blocks over 100 million COVID-related phishing emails every day, but more than 240 million are sent. That means less than half sent via Gmail alone are blocked. Experts cite imposing limits on remote desktop protocol (RDP) access, multifactor authentication for VPN access, in-depth remote network connection analysis and IP address whitelisting as some of the best strategies to maintain security. In addition, businesses should secure externally facing apps like supplier portals that use risk-based and multifactor authentication—particularly for apps that would let a cybercriminal divert payments or alter user bank account details. Shielding Teleconferences The shift to remote work after the pandemic hit has given cybercriminals more and more opportunities, directing their focus on the tools people use for work. It’s important that people recognize their vulnerabilities, particularly while they work from home. Among these are hacked videoconference passwords and unprotected videoconference links, which criminals can use to access an organization’s network without authorization. Many people who work from home do not use secured networks, unknowingly and unintentionally. Many are just not aware of the risks. To avoid online teleconference security issues, meetings should always be encrypted. This means a message can only be read by the recipient intended and that the host must be present before the meeting begins. There should also be waiting rooms for participants. Screen share watermarks, locking a meeting, and use of audio signatures are additional recommendations. When asked what his best advice would be to tweak security for a workforce that’s predominately working remotely, Nishant says that companies should start by analyzing the basics (like those specified above) against the backdrop of a wide range of ever-escalating and evolving threats. “Employees should use dual-factor authentication and make sure apps, mobile phones and laptops are updated and that available patches and updates are always installed,” he says. “They should certainly be wary of all information requests and verify the source. These even include unexpected calls or emails seemingly from colleagues.” Srivastava also pointed out that insiders at the CIO Symposium in July 2020 agreed that the pandemic packed years of digital transformation into just a few weeks. The use of third parties emerged as a major security concern to take into account. For instance, some employees abroad were unable to move their computers to their homes, so employers rushed to supply them with new equipment. In the process, some of it was not set up correctly thus compromising security. Companies should have done more to determine out whether individuals were using technology properly, such as if employees were sharing work devices or using their own personal equipment. On the plus side, the shift toward working from home sped up multi-factor authentication adoption. This is a great opportunity that today’s digitally-driven businesses should take advantage of. In short, Srivastava advocates taking a zero-trust approach. “It might sound harsh, but this is the idea that you can’t trust devices, people and apps by default,” he says. “Everything needs to be authorized and authenticated. Users should always verify and never trust, and businesses should act as if there has already been a breach and work to shore up weak links in the security chain. Finally, businesses should give access to information and data to as few people as possible—and wholly ensure those who do have access are appropriately trained to recognize when a red flag presents. By employing all or even some of the advice above, businesses can continue to thrive as the digital transformation age unfolds—and do so more confidently and contently all around.

Read More

Critical Gaps Remain in Defense Department Weapons System Cybersecurity

Article | March 13, 2020

While the U.S. military is the most effective fighting force in the modern era, it struggles with the cybersecurity of its most advanced weapons systems. In times of crisis and conflict, it is critical that the United States preserve its ability to defend and surge when adversaries employ cyber capabilities to attack weapons systems and functions. Today, the very thing that makes these weapons so lethal is what makes them vulnerable to cyberattacks: an interconnected system of software and networks. Continued automation and connectivity are the backbone of the Department of Defense’s warfighting capabilities, with almost every weapons system connected in some capacity. Today, these interdependent networks are directly linked to the U.S. military’s ability to carry out missions successfully, allowing it to gain informational advantage, exercise global command and control, and conduct long-range strikes. An example of such a networked system is the F-35 Joint Strike Fighter, which the Air Force chief of staff, Gen. David Goldfein, once called “a computer that happens to fly.” Underpinning this platform’s unrivaled capability is more than 8 million lines of software code.

Read More

Harnessing the power technology to protect us

Article | January 21, 2021

There is a saying, ‘you can fool all the people some of the time and some of the people all the time.’ Given the fact that there is no such thing as 100% security and human nature being trusting, this has been the backbone of many cyber security scams over the past 20 years. Cyber-criminals know that they will always fool some of the people, so have been modifying and reusing tried and tested methods to get us to open malware ridden email attachments and click malicious web links, despite years of security awareness training. If you search for historic security advice from pretty much any year since the internet became mainstream, you will find that most of it can be applied today. Use strong passwords, do not open attachments or click links from unknown sources. All really familiar advice. So, why are people still falling for modified versions of the same tricks and scams that have been running for over a decade or more? Then again, from the cyber-criminal’s perspective, if it isn’t broken, don’t fix it? Instead, they evolve, automate, collaborate and refine what works. Sound advice for any business! It is possible though to be in a position where you can no longer fool people, even some of the time, because it is no longer their decision to make anymore. This can be achieved by letting technology decide whether or not to trust something, sitting in between the user and the internet. Trust becomes key, and many security improvements can be achieved by limiting what is trusted, or more importantly, defining what not to trust or the criteria of what is deemed untrustworthy. This is nothing new, as we have been doing this for years as many systems will not trust anything that is classed as a program or executable, blocking access to exe or bat files. The list of files types that can act as a program in the Microsoft Windows operating system is quite extensive, if you don’t believe me try to memorize this list: app, arj, bas, bat, cgi, chm, cmd, com, cpl, dll, exe, hta, inf, ini, ins, iqy, jar, js, jse, lnk, mht, mhtm, mhtml, msh, msh1, msh2, msh1xml, msh2xml, msi, ocx, pcd, pif, pl, ps1, ps1xml, ps2, ps2xml, psc1, psc2, py, reg, scf, scr, sct, sh, shb, shs, url, vb, vbe, vbs, vbx, ws, wsc, wsf, and wsh. As you can see, it is beyond most people to remember, but easily blocked by technology. We can filter and authenticate email based on domain settings, reputation scores, blacklists, DMARC (Domain-based Message Authentication Reporting and Conformance) or the components of DMARC, the SPF and DKIM protocols. Email can also be filtered at the content level based on keywords in the subject and body text, the presence of tracking pixels, links, attachments, and inappropriate images that are ‘Not Safe For Work’ (NSFW) such as sexually explicit, offensive and extremist content. More advanced systems add attachment virtual sandboxing, or look at the file integrity of attachments, removing additional content that is not part of the core of the document. Others like ‘Linkscan’ technology look at the documents at the end of a link, which may be hiding behind shortened links or multiple hops, following any links in those documents to the ultimate destination of the link and scan for malware. Where we are let down though is in the area of compromised email accounts from people that we have a trust relationship and work with, like our suppliers. These emails easily pass through most email security and spam filters as they originate from a genuine legitimate email account (albeit one now also controlled by a cyber-criminal) and unless there is anything suspicious within the email in the form of a strange attachment or link, they go completely undetected as they are often on an allow list. This explains why Business Email Compromised (BEC) attacks are so incredibly successful, asking for payments for expected invoices to be made into a ‘new’ bank account, or urgent but plausible invoices that need to be paid ASAP. If the cyber-criminals do their homework and copy previous genuine invoice requests, and maybe add in context chat based on previous emails, there is nothing for most systems or people to pick up on. Only internal processes that flag up BACS payments, change of bank of details or alerts to verify or authenticate can help. Just remember to double-check the telephone number in the email signature before you call, in case you are just calling the criminal. Also, follow the process completely, even if the person you were just about to call has just conveniently sent you an SMS text message to confirm, as SMS can be spoofed. Not all compromised email attacks are asking for money though, many are after user credentials, and contain phishing links or links to legitimate online file sharing services, containing files that then link to malicious websites or phishing links to grant permission to open the file. To give you an idea of the lengths cyber-criminals go to, I’ve received emails from a compromised account, containing a legitimate OneDrive link, containing a PDF with a link to an Azure hosted website, that then reached out to a phishing site. In fact, many compromised attacks are not even on email, as social media is increasingly targeted as well as messaging services or even the humble SMS text message via SIM swap fraud or spoofed mobile numbers. As a high percentage of these are received on mobile devices, many of the standard security defences are not in place, compared to desktop computers and laptops. What is available though are password managers as well as two-factor authentication (2FA) and multi-factor authentication (MFA) solutions which will help protect against phishing links, regardless of the device you use, so long as you train everyone in what to look out for and how they can be abused. One area I believe makes even greater strides in protecting users from phishing and malicious links is to implement technology that defines what not to trust based on the age of a web domain and whether it has been seen before and classified. It really does not matter how good a clone a phishing website is for Office 365 or PayPal if you are blocked from visiting it, because the domain is only hours old or has never been seen before. The choice is taken out of your hands, you still clicked on the link, but now you are taken to a holding page that explains why you are not allowed to access that particular web domain. The system I use called Censornet, does not allow my users to visit any links where the domain is less than 24 hours old, but also blocks access to any domains or subdomains that have not been classified because no one within the global ecosystem has attempted to visit them yet. False positives are automatically classified within 24 hours, or can be released by internal IT admins, so the number of incidents rapidly drops over a short period of time. Many phishing or malicious links are created within hours of the emails being sent, so having an effective way of easily blocking them makes sense. There is also the trend for cyber-criminals to take over the website domain hosting cPanels of small businesses, often through phishing, adding new subdomains for phishing and exploit kits, rather than using spoofed domains. I’ve seen many phishing links over the years pointing to an established brand within the subdomain text of a small hotel. Either way, as these links and subdomains are by their very nature unclassified, the protection automatically covers this scenario too. Other technological solutions at the Domain Name System (DNS) level can also help block IP addresses and domains based on global threat intelligence. Some of these are even free for business use, like Quad9.net and because they are at the DNS level, can be applied to routers and other systems that cannot accept third party security solutions. On mobile devices both Quad9 and Cloudflare offer free apps which involve adding a Virtual Private Network (VPN) profile to your device. Users of public Wi-Fi can be made secure via a VPN, though it’s preferable to have a premium VPN solution on all your user’s mobile devices, as these can be centrally managed and can offer DNS protection as well. Further down the chain of events are solutions like privileged admin rights management and application allow lists. Here, malware is stopped once again because it is not on a trusted list, or allowed to have admin rights. There is also the added benefit that users do not need to know any admin account passwords, so as a result cannot be phished for something they do not know the answer to. Ideally, no users are working with full administrator rights in their everyday activities, as this introduces unnecessary security risks, but can often be overlooked due to work pressures and workarounds. Let’s not forget patch management is also key, because it doesn’t matter how good your security solutions are if they can be bypassed because of a gaping hole via an exploit or vulnerability in another piece of software, whether at the operating system or firmware level, or via an individual application. Sure, no system is perfect and remember there is no such thing as 100% security, which is where the Endpoint Detection and Response (EDR) solutions and Security Information and Event Management (SIEM) solutions come into play. These can help minimize the damage through rapid discovery and remediation, hopefully before the cyber-criminals fully achieve their goals. By harnessing the power of technology to protect us, layering solutions to cover the myriad of ways cyber-criminals constantly attempt to deceive us, we can be confident that emotional and psychological techniques and hooks will not affect technological decisions, as it is a binary choice, either yes or no. The more that we can filter out, makes it less likely that the cyber-criminals will still be able to fool some of the people all the time. This allows security awareness training to focus on threats that technology isn’t as good at stopping, like social engineering tricks and scams. The trick is to spend your budget wisely to cover all the bases and not leave any gaps, which is no easy feat in today’s rapidly changing world.

Read More

Spotlight

Radiflow

Radiflow is a leading provider of cyber security for critical infrastructure networks. The Radiflow solution provides operators visibility and control of their OT network; including both non-intrusive Industrial IDS to monitor real-time networks and security gateways to secure access to devices in critical zones. Radiflow was founded in 2010 as part of the RAD group, a family of ICT vendors with over $1Bn in annual revenues. Since 2012 Radiflow has sold more than 10,000 systems used by major utilities world-wide and validated by leading research labs in the US.

Events