Monday, August 15, 2022

Protecting Yourself From The Coming Worldwide Cyber War

 


As the world becomes more digital by nature, and the Remote Workforce now taking a permanent foothold here in the United States, security awareness training is becoming even more paramount than ever before, as literally, employees can work wherever they want to know.  With this in mind, how do you know your employees are maintaining a good level of Cyber Hygiene?

Sure, you can spy on them.  But that probably would not settle with them too well. Again, it goes down to training them in what they need to do, and what to be on the look for in this regard.   Many companies have failed, and continue to fail their employees in this regard.  It is not just a one-time deal, it needs to be happen on a regular basis, like at least once a quarter.

But apart from that, delivering a security awareness training program can be hard.  It should not be just a one-hour lecture, but rather, it should be fun, entertaining, and even competitive.  But how do you all of this?  What is the secret sauce?

Well, listen into our podcast and you will find out.  We have the honor and privilege of interviewing Tom Kirkwood, the CEO and Co-Founder of Iron Tech Security.  One of their prime service offerings is in the area of security awareness training.  Find out how the pros do it!!!

You can download the podcast here:

https://www.podbean.com/site/EpisodeDownload/PB129C4F582YBY

Sunday, August 14, 2022

The OCSF: Just How Effective Will It Be???

 


As I have said repeatedly, the Cyber industry is one in which there is plenty of technojargon.  So the next one to come of age is “Framework”.  There is nothing really new about it, it’s been around for quite some time, but it is being used quite a bit these days. 

Generally speaking, a framework can be thought of as a set of guiding principles in which to guide companies from accomplishing a certain task that they want to.  For example, the National Institute of Standards and Technology, also known as a “NIST” has compiled a ton of these Frameworks to help business owners better protect themselves.

They range from providing checklists as to how you should conduct a risk assessment to how you should become compliant with the many data privacy laws that are now coming about.  I know about some of them, but not in a lot of detail.  Probably the one I am the most well versed in is the NIST SP 800-171, which deals with the CMMC. 

While the NIST documents do provide excellent content in how to use the tool that is provided in it, it is always wise to check with a compliance expert first to see if that is what you really need.

OK, so fast forward a little bit, and just last week, a major Cyber conference was held, known as Black Hat USA, very similar to that of the RSA conference which is held in the Bay Area every year.  At these venues, everybody is showing off their latest gadgetry, but something unique came from this one. 

The AWS and Splunk sponsored the start of a new initiative, called the “Open Cybersecurity Schema Framework” or “OCSF” for short. 

There are also 18 other vendors that have agreed to help sponsor and contribute to this framework, and they are as follows:

Broadcom (Symantec);

Cloudflare;

CrowdStrike;

DTEX;

IBM Security;

IronNet;

JupiterOne;

Okta;

Palo Alto Networks;

Rapid7;

Salesforce;

Securonix;

Sumo Logic;

Tanium;

Trend Micro;

Zscaler.

So as you can see from this list, you have some big players that want to help out this new framework.  So you, may be asking at this point, what is this all about?  Well, as you may realize, there are literally hundreds of network security products out there, and they all record every last detail that transpires in your security environment. 

These files can be quite huge, so advancements have been made to consolidate all of these transactions into the most relevant ones into one central dashboard, which is known as a SIEM.

AI and ML have a big part in this filtering process, as they comb through all of the false positives, and discard them.  Thus, only the real warnings and alarms are presented to the IT Security team, so that they triage them from just one dashboard. 

But the problem here is that all of these different devices output their data into different formats, which can be quite time consuming to decipher.  So, the primary objective of this new framework is to try come with a best of standards so that these different formats can be created into a single one.

The benefits of this are twofold:

1)     The IT Security team can make better decisions in a shorter time period;

2)     Any intel and information gathered can be shared with other organizations as well.

One of the other key advantages of this framework is that it is based on an open-sourced platform, meaning any individual or company can contribute to it, thus expanding the knowledge base. It is important to note that this is not something that just came out of the air, rather, it has its groundings in the set of ICD Schema specifications as it has been developed by Broadcom. 

More information about this can be seen at this link:

https://icd-schema.symantec.com/

The technical details about the OCSF can be found at GiHub, at this link below:

https://github.com/ocsf/ocsf-docs/blob/main/Understanding%20OCSF.pdf

In fact, recent studies have also discovered that the Cyber industry wants some sort of set best standards to follow.  Here are some of the results of that:

*77% of the respondents want to see as many open frameworks as possible;

*85% view integration and cooperation with other vendors as almost being necessary these days.

More information about these findings can be seen at the link below:

https://www.esg-global.com/research/esg-research-technology-perspectives-from-cybersecurity-professionals?

While many participants at Black Hat applauded this effort, many also still wonder if this framework will have the legs to walk and continue to grow.  For example, at the heart of any framework, is the Steering Committee. 

These are made up of government officials, private industry vendors, and even day American citizens. The purpose of them is to make sure that the framework is fulfilling its purpose, and not veering off course from it.  At the present time, the steering committee is still made up largely of vendors, there is very little input yet that has been provided by the American public.

My Thoughts On This:

From the outset, I think that this new framework is a great step forward.  But as it was eluded to before, many Cyber pundits still wonder how long this will last.  For example, some wonder is this all talk full of hot air, or will there actually be something that comes of it?  It is still too early to tell, primarily because this not a government directed effort, like the NIST frameworks have been.

But on this theme, many CISOs in Corporate America are now starting to realize that they have what is known as “network security sprawl”.  This is where there have been too many products deployed to beef up the lines of defenses.  The thinking here is that the more you have, the better off you will be.  But this is far from the truth.  The more tools you have out there, simply makes the attack surface that much larger. 

Plus, many CISOs often purchase network security devices from different vendors, which makes the differing output files even more problematic to solve.  The reason for this is that each vendor has their own set of rules for outputting events, and the is the exact problem that the OCSF framework is trying to solve. 

Perhaps one of the first mandates of this new framework should be that before embarking on new products, a CISO must first conduct a risk assessment to determine how any existing devices can be more strategically placed.  For example, instead of purchasing would just 3 firewalls suffice instead of having 10 of them?

Not only will this make formatting the log output files easier, but it will streamline the reporting process into a much more efficient one.

Saturday, August 13, 2022

The SOC2 & ISO 27001 Certs - Are They Worth Getting?

 


In the world of IT and Cyber, there is one common denominator:  Certifications.  I have written about this before, and in fact, have even written a couple of whitepapers on this very topic for a couple of writing clients that I have. 

Back in the day of the .com craze, it was the Microsoft MCSE cert that ruled.  Btu now with everybody either going into the AWS or Azure, the plethora of certs have exploded even more.  In fact, just a few days ago, I was looking at all of the Cloud certs available, and my head just exploded.

This is an addition to the other certs that are offered through the other institutions as well, such as those of ICS(2) and CompTIA.  So its no wonder that when a person wants to get a Cyber cert, they are very often bewildered as to even where to start.  

But it is not just individuals.  The same holds true for companies as well.  Given how compliance  a lot of things are today, companies are pursuing their own type of cert that they think are relevant to them.

A lot of this relates to the data privacy laws, such as those of the GDPR, the CPPA, HIPAA, etc.  Also, many other states are now passing their own version of them, and even other countries around the as well.  Now imagine if you are a multinational company, what kind of certs do you need so that you can have the regulators and auditors stay off your backs?

This can be a difficult question to answer, as you will be subject to the data privacy laws of each country that you operate in, or at least conduct financial transactions.  In other words, at the present time at least, there does not exist a set of international standards that a company can follow. But here in the United States, the two most popular certs that companies go after tending to be the SOC2 and IOS27001. 

But now, here comes the tradeoff:  It can take up to 6 months to get one of these certs (it’s not the same as passing as a Cyber cert).  Because of this huge time commitment, it takes a drainage of employee resources, and worst yet, it can even make an impact on the bottom line, as this is considered to be a non-revenue generating activity.  So now the question comes is it really worth it?

It can actually be quite helpful from two different angles:

*By having one of these major certs, it proves to a regulating body of one these data privacy laws that you are taking compliance very seriously, and that there are very good chances the controls that you have implemented are up to snuff.  As a result, the chances that you will get audited and/or even face financial penalties are thus greatly lowered.

*Having these certs is actually a good thing to have when approaching sales prospects and new customers.  It shows to them also that you are taking Cyber and the protection of PII datasets seriously, and have a proactive mindset.

*You will have greater chances of getting quality third party vendors that you can outsource your business processes to, as they will also be required, to varying degrees to have this cert.

There are also the downsides of this as well:

*As mentioned, it is a huge expense and time commitment for a company to get one.  Perhaps it may be time to rethink if it is really worth the effort, when these resources can be diverted to other revenue generating projects.  Also, you have to keep in mind the industry that you are in.  Not all of them are subject to the guises of the data privacy laws previously described.

*Now, here is the catch 22.  Even though you have may the cert in hand, you can still become a victim of a Cyberattack.  There is no stopping that.  All the certs will do for you is have you engage in certain types of activities that will help reduce this risk from happening, such as by deploying the right set of controls and/or upgrading the existing set that you have.  Now if you are hit and have this cert, people are then going to ask you, “How did this happen?”  Unfortunately, this can be a very difficult situation to be put into.

*Even here in the United States, there is no set of best standards when it comes to the actual awarding of the certs.  As a result, the number of organizations that that put you in the ringers has increased by 4x.  So, how do you know who is for real and who is not in this regard?  This is where you have to practice your due diligence.  To make things worse, every training organization has their own methods of awarding one of these certs has their own set of guidelines in terms of rewarding it.  So how do know which one is better?

*After a company has received their cert, the chances are fairly high that they will let their guard down.  For example, being proactive is not just a one-time deal.  It has to happen on a daily basis, with each and every employee.  Obtaining the cert has taught you and your employees valuable skills to keep that mindset. But after achieving it, many companies let out a sigh of relief and forget all that they have been through.

My Thoughts On This:

So in the end, the fundamental question remains: Should your company get either one of these certs that have been examined in this blog?  Once again, it comes down to the market you are in.  If you are business that deals with a lot of data, then of course it makes sense to have one. 

But if you are not one, then it may make more sense to pursue a cert that is closely aligned to what you are actually doing. 

But keep in mind that if you decide to get this kind of cert, it is merely a starting point.  You still need to keep your guard up, by conducting routine drills, security awareness programs, and pen testing exercises (it is highly recommended that the last two be done on at least a quarterly basis). 

Also, make sure that you carefully vet out the testing agency who will be awarding your cert in the end.

 

Sunday, August 7, 2022

Why It Is Important To Take A Top Down Approach For IAM - 2 Key Considerations

 


Day by day, businesses across America and even globally are starting to understand the importance of moving entirely to the Cloud, and totally eradicating with their On Orem infrastructures.  Now, there is really nothing wrong with the latter per se, it’s just that these are old legacy systems, which can cost a fortune to maintain.

In today’s world, nobody can really afford that.  In fact, many of the vendors that use to make the reliable ecommerce back in the day, are probably no longer even in existence today (one good example of this is Compaq – I bought their ProLiant server many years ago). 

And with the world going all digital one day, with the expectations that we will soon evolve into the Metaverse, being totally in the Cloud makes much more sense.  Keep in mind tough that a complete migration to the Cloud requires careful planning and is usually done in phases in order to make sure that nothing is left out.

In this regard, it is best to make use of what is known as a Cloud Services Provider, or CSP for short.

Not only can they plan the entire migration for you, but they can also do it, and maintain it after it has been all said and done.  But after a smooth transition from On Prem to the Cloud has been done, your work has just started, at least from the standpoint of security. 

Probably the biggest issue here is that of Identity and Access Management.  This is essentially a field of Cyber in which you establish all of your user and group profiles, and from there, assign the needed rights and permissions.

If you are using Microsoft Azure, then a lot of this headache will be eliminated if you make use of the Active Directory.  This is actually pretty complex, but cut to the chase, this is the centralized database in which all of the above is stored at.  It can be very simple or complicated to use, a lot depends upon your security requirements, and just how big your organization is.

It is important to keep in mind that Azure gives you all of the tools you need in order to create a sound IAM Policy.  But Microsoft won’t do that for you (of course you hire them for a huge consulting fee), it is up to you to configure your security environment the right way, which is according to your requirements.  In fact, this is where many companies fail at. 

They think that simply because they have moved into the Cloud, all is well.  No, there is much more work to be done.

In fact, this is why data leakage has been such a huge issue with the AWS.  It’s not that the Private Cloud that has been deployed is weak, it’s the fact that the owners of it have not configured the S3 buckets properly. They leave it at the default settings, thinking that it is enough. 

But on the flip side, the Cyberattacker already knows what they are, such it is just a matter for them of breaking into your Cloud environment, tampering with the settings, and from there, exfiltrating all of the data that they can get their hands on.  This is the first area a good IAM policy must address.

Also bear in mind that many organizations also fail to remember that one of the key mantras of the Cloud is automation.  What once took hours to do On Prem can now be done in minutes in Azure.  For example, this means that all of the network log files, enabling new software applications once the triggers and conditions have been met, managing all of the Cloud Access Brokers (CASBs), etc.  With all of this stuff being interconnected together, privileges and rights can cross each other, and in fact, even be used in the wrong way, thus leaving more exposure for the Cyberattacker,  You can consider all of this automation as little robots running around in your Private Cloud trying to get their assigned tasks done.

And if the right privileges are not in place, chaos is about too erupt to a degree of which you have never seen before.  This is the second area that a solid IAM policy must also address.  In fact, these are referred to as Non-Human Identities, and have become a prime target for the Cyberattacker to chase after.

My Thoughts On This:

So there you have it, the two main areas in the Cloud in which IAM must address.  Of course, there are many other areas as well, especially those that relate for the Remote Workforce.  The traditional security technologies of yesterday are simply not enough to keep up with the security demands of today. 

Thus, companies have to invest into some newer technologies in order to keep up.  These are also, I believe, available in Azure, so take a look around.

But remember, one of the key tenets of an IAM policy is a top-down approach.  This simply means that if the top brass, such as the C-Suite are obeying it, then there is a far greater chance that the employees underneath will follow in the same fashion.  This is how you should also plan for your IAM strategies.  You should always start from a holistic sense, using this top-down mentality. 

For example, take a look at all of the departments you have.  Then from there, craft out the user groups you will create for each one of them, as well as their respective rights and permissions.  Once this has been done, then add in your employees to each of the groups that they will be a part of, and assign the right rights and permissions in an en masse format. 

Also, it is equally important to set up the permutations either the deactivation or total eradication of a particular individual once their job assignments have been completed.

Many IT Security teams fail to do this key task, and because of that, it leaves a huge, backdoor for the Cyberattacker to penetrate into.  You should never have to take a micro approach with an IAM Policy.  If you are, then that means something is not right and needs to be seriously reevaluated.

Finally, don’t discount the use of your log files that are outputted from your network devices. They will give you all the information that you will need when it comes to calculating the patterns of when your employees log in and log out of all your Cloud based applications.  This can also be useful in crafting out a good IAM policy.

Saturday, August 6, 2022

4 Golden Ways How Chess Can Ante Up Your Cyber Mindset

 


This may sound like an odd question to many of you out there, but with most of us WFH, have you been finding that you are playing more board games with your kids in an effort to spend more time with them?  If so, you are not alone.  There are a number of families with whom I have had conversations over the last week or so, and it seems like that board games are the norm after dinner.

Whether its playing Twister, Trivial Pursuit, etc.  at least you are engaging your mind with others which helps stimulate the brain and the thought process far more that just sitting in front of your computer or watching TV. 

But there ,is one game out there, that could do more than just that.  It is called Chess.  This is probably one of the most “thinking” games that are involved, as it requires, skill, strategy, and even knowledge about your opponent.

But being good at it does not happen overnight, rather it takes time, and perhaps even a lifetime.  In fact, they are some people who are so good at it that they can even make it a career.  Personally, I have played Chess the most back in high school, when I was on the team, and on and off throughout college.  Heck, I even played it online a few times with friends as well.

So, you may be asking at this point where am I going with this?  Well, Chess can also be a great way to build up your mindset to hone in your Cyber skills.  Yes, everybody wants to have their skills sharpened, but simply getting certs after certs or doing online training is not going to cut it in the end.  As Cyber professionals, we all need to find ways to increase our thinking power, so here are some ways in which playing Chess can actually do that:

1)     You can understand your opponent’s doubts:

In the world of Pen Testing the goal of the Red Team is to get into the minds of a Cyberattacker, and literally break down within the legal bounds of your contract.  The same can said of Chess.  You are trying to get inside the mind of your opponent to see where their weaknesses may lie at.  But the best thing about this particular situation is that you are sitting directly in front of him or her.  So, this gives you an opportunity to study their gestures and reactions.  Remember, human beings react differently to certain things in the physical sense, so this is the perfect opportunity to study those moves.  And no, it does not AI or ML to do this.  Remember, as I have pointed out before, humans are also creatures of habits.  It is quite likely that the same bodily gesture will be used to reflect the same manners of weaknesses.

2)     The creation of a plan:

In everything that I write as it relates to security breaches, I always harp upon the need to have an Incident Response/Disaster Recovery/Business Continuity Plans in place.  These are the documents that will guide you when you are hit.  The same of true is of chess.  You need to have some sort of plan in place before you embark on your next game.  It doesn’t have to be on paper, but you need to have some sort of strategy mapped out as to how you want to defeat in your opponent.  Of course, unless this is a good friend of yours, you will not know who your opponent is, therefore you need to be on your toes to keep changing your strategy as your game evolves.  This is the very same true of Cybersecurity.  Simply knowing what the threat signatures have been in the past are not enough to predict future strategies.  Of course, you have AI and ML to help you to do this, but in the end, you have to make your own calls. For example, you need to have a game plan in mind every day as to how you plan to identify future threats and combat them.  Of course, they probably will not evolve the way as you have planned out, but that is the beauty here:  Learning to be adaptable and make changes to your game plan, as you have to do in Chess.

3)     Time management:

In the world of Cyber, there is no such thing as time. We have to act quickly in order to keep the Cyberattacker at bay.  But of course, reality dictates the opposite, as it takes IT Security teams at least 6 months to detect an attack in progress, and the Cyberattacker of today is staying in for longer periods of time in order to fully understand your environment.  But once the moment happens, you have to be ready to strike back in a minute’s notice.  This is where the value of time management comes into play.  But unfortunately, the IT Security teams of today are so overburdened that time management is not even heard of.  For them, just trying to keep their heads above for a single day without going insane is a herculean task.  But playing a game of Chess (and often) and making use of a time clock will help to a great degree sharpen your time management skills.  For instance, you are given a X amount of time in order to make a move, and this could be the one that dictates whether you win or lose the game.  The same can be said of trying to capture the Cyberattacker or fighting off a threat.

4)     An Introduction to Automation:

As mentioned earlier in this blog, humans are creatures of habit.  We simply don’t want to change unless we have to, even of it makes our lives easier.  The same could also be said of automation.  This is where the role of AI and ML come into Cyber, especially when it comes to doing repetitive tasks and filtering out for false positives.  But in the world of Chess, you do not have to all the time have a human opponent – you can also have an automated one. This was made famous after Chess Master Garry Kasparov lost to a computer automation tool developed by IBM called “Deep Blue”.  This all happened back in 1997, so who knows how much the technology has evolved since then?  More information about this historic Chess match can be seen at the link below:

https://www.history.com/this-day-in-history/deep-blue-defeats-garry-kasparov-in-chess-match

My Thoughts On This:

So, here are some ways in playing a game of Chess parallels the world of Cybersecurity, and how it can sharpen your IT Security Teams reasoning and thought processes.  Of course, it would be great to sit in front of a Cyberattacker to learn their tactics and strategies, but of course this will never happen until the turn to the good side.

As an IT Security manager, you need to challenge your staff in different ways.  Perhaps consider having a Chess camp once a quarter where they do nothing but play games against each other or a computer.  True, it may sound kind of boring, but have it some place where relaxation is the key, such as a hotel.  And of course, add some extra incentive as playing a game of Chess may not excite all of your employees:  A gift card for each attendee, and a grand prize for the ultimate winner.

Sunday, July 31, 2022

The Hay Days Of Cyber Bug Bounties Could Be Disappearing Soon

 


This is a topic that I have written about before, and in fact, I plan to be writing an eBook about it in Q1 of next year.  This is the issue of secure source coding, but more importantly, finding any weaknesses or gaps, and immediately remediating them. 

Many people like myself have fully advocated for using a modular based approach, in which each module of the source code that is being compiled is thoroughly vetted for any issues.

After all, it makes sense to do it this way, right, rather than waiting till the very end, when really, it is just too late?  However, to many software developers, security is not something they are familiar with, or really for lack of a better term, even care about. 

But that is now catching up with them, as there are more and more headlines coming out as to how software developers need to be much more cognizant in this realm of their employer.

In an effort to help ensure that all is good before the project is delivered to the client, other initiatives have also taken place such as implementing a rock solid DevSecOps program, making more use of the OWASP initiative, etc.  But yet, there is another area in which companies have been using for quite some time in order to unearth the gaps and weaknesses.

This is known as the Bug Bounty program.  This is where a company, before they are just about to launch a new software application into the world, hire a bunch of both ethical and even unethical hackers to totally rip it apart, and report on the most serious vulnerabilities that were discovered.  In return, the hacker is also supposed to provide a fix or fixes to the situation, and submit that back to the company in the way of a detailed report. 

These are then completely reviewed by the IT Security team, and if a report is found that is deemed to be totally astonishing, the hacker is then paid a nice some of money.  We are not just talking about a few hundred dollars, we are talking about well into the five figures, like $30,000 or $40,000. 

This kind of program has been more widely used with those tech companies that have much deeper pockets like Microsoft, AWS, Oracle, IBM, Google, etc.

Obviously, it is not meant designed at all for the SMBs, because of the high amount of payouts that have to be made.  There are both advantages and disadvantages to using a  Bug Bounty program.  For example, this is yet another way for a company to get an outside pair of eyes to look at something, but you really don’t know who is looking at it, because hackers are usually not vetted. 

Also, you are giving an individual access to your IT and Network infrastructure, for a brief period of time.

But on the flip side, Bug Bounty testing is one of the best ways in which you can avoid Zero Day Attacks to external facing web applications. But whatever the situation is, there is now talk in the Cyber world that this program is now starting to crack under its own weight. 

While it may be exciting for the company to remediate something that they completely overlooked and for the hacker to get a great pay out, keep in mind the other party that has to review them:  The It Security team.

Research has found that Bug Bounty programs work great within the first 18 or 24 months since they are first launched, because of the new influx of cases that are being received.  But after that, it tends to become a mountain load of paperwork to be reviewed, and this in part is what causes IT Security teams to fall even further behind, as if they don’t have enough to do. 

Second, there has been a belief in the larger organizations that simply relying upon Bug Bounty programs will be enough to cure them of their Cyber woes.  But this is all myth.  For instance, it can take a while to discover new flaws, but it can take even longer to have them reviewed and their remediative plan of action to be approved as well. 

From then until here,  a newer version of the software package could have been released without knowing there have been bugs from the first version that still need correcting.

Third, Bug Bounty hunters are also getting burned out of the process as well.  It is important to keep in mind here that these hackers are not automatically paid for all of their submissions. Only if it has been selected by the IT Security team, will the hacker get their hard-earned payout.  So it could be years of trial and error until an ethical hacker can win their first bounty.

My Thoughts On This:

I have some numerous thoughts on the Bug Bounty program.  First, I think it is a good idea. As mentioned, it is simply a great way to get an extra pairs of eyes to try to find something that was overlooked. 

But the way in which the programs are offered needs to be changed.  For example, I honestly think that the hackers need to be vetted first before they are allowed to participate.  It’s like getting a third-party supplier involved.  You wouldn’t hire anybody just off the street, would you?

Also, I think all of the ethical hackers that participate and submit a report should get paid, even though if their particular report was not chosen.  After all, they are putting in their own time, and are giving you something in return.  You also need to reciprocate in turn, as well.  But of course, this is not something that you want to broadcast to the entire world, only to those people you have selected.

Perhaps also, you can even add a more motivating factor.  You could perhaps even make a job offer to the winning hackers, if you are so impressed by them.  They may not have to be direct hires, but you can at least get them to be contractors in the beginning. 

That way, you can not only tap further into their direct knowledge and skill set, but this can also be your way of trying to tighten up the job market for Cyber.

Second, I view having Bug Bounty programs pretty much as a nice resource to have for companies, but it should not be the primary tools used to check for vulnerabilities and weaknesses in the source code.  This should all be done internally, making use of DevSecOps. 

Third, if you are going to have a Bug Bounty program, make sure you spell everything out, like a job description. And when work is submitted, pay those hackers on time!!!

Fourth, don’t give everybody access to everything at your company.  Remember and enforce the concept of Least Privilege.

Saturday, July 30, 2022

The 3 Grave Consequences Of A Compromised Credential Attack

 


Introduction

The password has always been a long, sought after target of the Cyberattacker.  But given today’s Cybersecurity threat landscape – they are after much more than just that.  For example, they not only want to know more about you, but they want to come after you and literally take everything that identifies you.  It is challenging to know even you are a victim until it is too late.

One of the biggest reasons for this is that the Cyberattacker is taking their own time to find and research their unsuspecting victims.  For example, they are not interested in finding targets en masse, but rather, they are now interested in selecting just a few and finding their weakest spots.  Then, once they penetrate in, the goal is to stay in as long as possible and steal as much as they can in small bits, going unnoticed.

The Types of Attacks

There are three types of credential theft, which are as follows:

1)     Against the individual:

This when one particular individual or even a group of them are selectively targeted.  In this instance, the attack vectors may not be too sophisticated in nature.  For example, Phishing based Emails are still the favored weapon of choice.  Despite all of the publicity and notoriety that it gets, people still fall for phishing schemes.  It can come in one of two ways:

Ø  The victim can be duped into clicking onto a malicious link. Typically, the link that is in the body of the Email message is different than when you hover your mouse pointer over it.  But even this has changed.  The two links now appear to be almost the same, thus tricking the victim even more.  From here, he or she is then directed to a spoofed website that looks so legitimate and authentic that it is almost impossible to tell that it is really a fake one.  From here, the victim then enters their username and password, and the havoc starts.

Ø  The victim can also be duped into downloading a malicious document.  The most favored file extensions used here are that of the .DOC, . XLS, . PPT, and .PDF.  Once any of these attachments are downloaded and opened up, the malware spreads into the victim’s device, in an attempt to steal as many credentials as possible. An excellent example of this is keylogging malware.  The keystrokes are recorded and covertly sent back to the Cyberattacker, in an effort to ascertain all of the credentials that the victim uses.  This has also become rather sophisticated in nature, as the hijacking of the contact list is now commonly used, making it look like that Phishing Email has been sent by a person that the victim knows well.

 

2)     Against the business:

This is technically known as “Corporate Credential Theft.”  In these instances, the Cyberattacker has much more at their disposal in which to harvest as many credentials from victims as they can.  For example, many companies in their digital marketing efforts, very often use Social Media, such as Facebook, Linked In, and Twitter.  Although the communications may be careful in what they post about their company, the Cyberattacker can still glean quite a bit off of it.  Over time, they can see those employees that post material regularly, and the timeframes that they do so.  From here, they can narrow down their list to just a few potential victims and study them even more carefully through their social media activity.  In other words, the Cyberattacker is building up a profile of their victim that can be used to determine their vulnerabilities, even with publicly available information.  A commonly used threat vector is that of the Business Email Compromise (BEC).  This is where an email is sent, or even a Social Engineering based phone call is made purporting to be the CEO and asking his or her administrative assistant to wire a large sum of money to a bank account, which, of course, is located offshore.  Once the money has been transferred, and the mistake has been noticed, it is very difficult to get the money back or even trace down who launched this sort of attack vector.

3)     Credential Abuse:

This is the ultimate goal of any compromised credential attack.  Once all of the credentials have been harvested to the greatest amount possible, the Cyberattacker will then use them for credit card theft/fraud, hijacking money from banking and other types of financial accounts, and worst yet, launch long term Identity Theft attacks.  But there are two new trends that are occurring in this regard, which are:

Ø  The Dark Web:  The Cyberattacker can sell these credentials here for a rather nice profit.

Ø  Lateral Movement:  In this instance, the Cyberattacker will use their hijacked credentials in order to infiltrate the network infrastructure of a business, and from there, move in deeper in a “sideways” fashion in an attempt to find even higher-value targets, such as those of Intellectual Property (IP) and other mission-critical digital assets.  The time that the Cyberattacker resides is very often referred to as the “Dwell Time,” and given just how sophisticated they have become, they can stay in for weeks and even months without ever getting noticed.

How To Prevent Compromised Credential Attacks

This is a serious problem, as according to the Verizon 2020 Data Breach Investigations Report (DBIR), over 80% of the hacking attacks that take place make use of heisted or stolen credentials.  Further, at least 77% of the Cloud security breaches also involve the use of hijacked credentials. 

(SOURCES:  1 and 2).

In the end, probably the best line of defense that you can use is what is known as the “Zero Trust Framework.”  This is a methodology which stipulates that you cannot, under any circumstance, trust anybody internal or external to your company when it comes to accessing shared resources.  Anybody wishing to have this kind of access must be authenticated through at least three or more layers of authentication at each line of defense.

Sources

1)     https://securityboulevard.com/2020/06/credential-vulnerabilities-most-likely-breach-culprit-verizon-dbir/

2)     https://thycotic.com/company/blog/2020/06/17/verizon-2020-dbir-5-top-takeaways/

Protecting Yourself From The Coming Worldwide Cyber War

  As the world becomes more digital by nature, and the Remote Workforce now taking a permanent foothold here in the United States, security ...