Sunday, February 26, 2023

Your Employees Are The Best Safeguard For Avoiding Critical Infrastructure Attacks

On Friday of this past week, many countries around the world marked the one-year anniversary of the invasion of Ukraine.  I certainly have my views on this entire matter, but that is a topic for a different kind of blog setting.

There have been many ramifications from this war, especially from the Cyber front.  There were huge fears of Ransomware attacks, Phishing attacks, and even the invasion of our own Critical Infrastructure.  While there have been some hacks here and there, to the best of my knowledge, there has been no large scale one, at least not yet.

But it is the latter threat, the one to Critical Infrastructure, that scares me the most.  Alarm bells have been going off from all parts of the Cyber front that we need to take this much more seriously than we do now as a society.  Heck, even our own Federal Government has been issuing alerts this year as well.  Unfortunately, as I have written about before, our Critical Infrastructure was designed back in the 1960s and the 1970s.

Back then, nobody even thought of Cybersecurity, rather, the main focus was that of Physical Security.  Because of this, many of the technologies are now outdated, and in fact, are even no longer produced.  So we are stuck with a conundrum here:  We simply can’t rip out the legacy systems and put new ones in, and at the same time, we simply cannot put in new patches and upgrades because the technology is so old.

So what is one to do?  Well, it all comes down to basics.  I came across an article this morning, which offered such tips.  Here is what the author proposed:

1)     Employees are the greatest threat:

We have heard this who knows how many times.  Quite frankly, I don’t agree with it at all.  Employees are actually one of your greatest assets.  They can literally be the eyes and ears that you need in order to keep up with any threats, especially when it comes to Insider based attacks.  Rather, it is the environment that they are in which leads to their bad Cyber Hygiene habits.  What I mean by this is that it all comes from the top.  Heck, if the C-Suite doesn’t care, why should the employees?  You can rant and rave as much as you want about how important Cyber Hygiene is in your security awareness training programs, but that won’t mean a hill of beans unless upper management leads in this effort.  So if you are the CISO at an oil supply company, you had better be darned sure that you are practicing good levels of Cyber Hygiene if you expect your employees to do the same.

2)     Social Engineering is the next new normal:

Now, this is something that I fully agree with.  The Cyberattacker of today is ditching the older ways in which they could encroach upon your digital assets.  Now, they will be trying to con your employees (and even other key stakeholders) into giving out information and data.  A typical attack here would be a phone call to an administrative assistant working at a nuclear facility to get them to give away some secrets.  Or, it could be a Business Email Compromise (BEC) attack which is sent to your Accounting department asking them to send millions of dollars to a phony, overseas account.  Now, this is where I believe that a good security awareness training program should focus.  As a CISO, you need to be teaching your employees what to look out for if they feel they are close to becoming a victim of one.  In fact, just in the last year, Social Engineering attacks cost Critical Infrastructure over $4.8 million per incident.  (SOURCE:  https://securityintelligence.com/posts/whats-new-2022-cost-of-a-data-breach-report/?_ga=2.36984227.2031350507.1674256954-834892342.1674256954).  But here is something else you need to keep in mind:  Just because your employee may have fallen victim to a Social Engineering attack does not mean that they are the weakest link in the proverbial security chain!!!

3)     Beware of the IoT:

As you might already know, this is an acronym that stands for the “Internet of Things”.  In a very general sense, this is where all of the objects that we interact with on a daily basis in both the physical and virtual worlds are interconnected together.  While this can bring in many great benefits, it also has its own set of pitfalls as well.  Many companies in Corporate America have now started to embrace this new kind of technology, and in fact, have started to deploy it.  But the gravest security risk here is that as a CISO, if you do follow suit with this, you are simply expanding the attack surface for the Cyberattacker.  So if you are leading the security initiatives for a Critical Infrastructure, be very careful as to how you deploy any kind of IoT device.  Remember, the vendors who make these kinds of products do not factor security into them.  If they do, it is very minimal at best.  And always make sure that you change the default security settings to meet your own requirements.

My Thoughts On This:

As a CISO, trying to make your Critical Infrastructure as Cyber resilient as possible can be one of the most difficult things that you will ever face, given the obstacles just described.  In fact, you may not know where to turn.  But the good news here is that there is a starting point.  The Cybersecurity & Infrastructure Security Agency (also known as “CISA”) has come out with a new framework, which can be seen at the link below:

https://www.cisa.gov/topics/industrial-control-systems

This would be a good place to get started.  Another good place would be to stop thinking that your employees are to blame for every Cyber incident that happens.  We are all in this together!!!  It is very important not to cast blame first until a complete forensics examination has been completed.

Saturday, February 25, 2023

Don't Blame Your Employees For Rogue Apps: Blame The Vendors

As I have written before on numerous occasions, the Cloud (I really love Azure) is now becoming the trend of the future for most businesses.  It comes with numerous advantages, such as scalability, fixed monthly costs, and even more security features than what your On Premises solution could or would ever have.

In fact, there are a lot of new software applications that you can get for just a mere fraction of what they would cost at retail.  For example, when I got Office 365 for my laptop a few years ago, I had to pay $300+ for a one year subscription.

Now that I have an M365 account that is hosted in the Cloud, I am now only paying something like $70.00 per year.  A huge difference.  But with all of these new apps coming out and the low cost they have, employees are now getting and installing them like it’s a new craze.  But to make matters worse, very often, these apps are not approved by the IT Security team. 

Thus, they can pose a hazard to the Cloud deployments that you have.

This is technically known as “Shadow Management”.  This has been a huge problem for a long time, even well before the popularity of the Cloud mushroomed.  There can be numerous reasons why employees do this, but probably the most cited factor is that people are creatures of habit.  We don’t like to change our ways unless we are absolutely forced to do so.  And even then, we still try to revert to our old ways.

For example, if Dropbox was the main tool for backing up files, and all of a sudden you forced your employees to use SharePoint, you would probably get a lot of protests initially, and even after that, you would even have a good number of employees who still want to use Dropbox, and will continue to do so behind your back.  Trying to deal with these situations has been very tough for IT Security Teams recently.

So what is one to do in these instances?  Punish the employee?  In today’s world, this technique will not work anymore.  Instead, as a manager, you need to take a step back, take a holistic approach, and answer this very fundamental question:  “Why are my employees doing this”?  Well, here are some answers that might guide you:

1)     Vendors are pushing:

IT software vendors are pretty much now taking their products off of the retail shelves.  Now, they are putting everything into the Cloud, but it is up to your Cloud Provider whether to offer them or not.  In Azure, there is a marketplace from which you can choose any type of software package you need.  It is totally incredible.  While this may be great, it is also very tempting for your employees to download these new apps without getting your approval.  For example, if they can save a few clicks with a new file transfer tool, why not?  Every day, employees are getting bombarded with emails from vendors, and the sad part is that they are making them even more enticing.  But even worse is that when an employee does download a new app without your permission, these vendors often claim that their products are totally safe to use.  While this might be true in an absolute sense, your employees will most likely forget that they are in a shared environment.  Meaning, whatever they download could have a negative impact upon another tenant that is using the same shared platform as you are.  Even worse still is that these new apps will most likely not be configured to fit your security requirements.  As a result, this could lead to serious cases of data leakage.

2)     Security is assumed:

Whenever we get an email solicitation from a well known IT Vendor, we always assume that their SaaS offering will be safe to use.  However, this is the very worst position to take.  These could be fake vendors who have created what is known as an “Application Marketplace”.  The apps that they create are often phony, and will very often contain malware that can spread through your Cloud deployment like wildfire.  Also, they will even offer cut throat pricing on them, thus enticing your employees even more.  Once again, this is where your employees need to understand how to identify a Phishing email and a spoofed site.  Worse yet, if one of your employees does indeed download one of these rogue apps, it could even open up backdoors in your environment for the Cyberattacker to penetrate through.

3)     More tricks up the sleeve:

The IT vendors will never cease trying to get your employees to use their products.  Some of the newest gimmicks include offering long free trial periods (like for months, rather than the usual 2 week or 30 day trial periods), or even offering them for sale at pennies on the dollar.  Again, most of these offers will come as emails.  And while they may come from legitimate vendors, these emails are really spam and should be treated as such.  As a CISO, you can direct your IT Security team to examine all of the emails that are not employee related.  If a lot of them are from IT vendors, then you can immediately mark them as spam at the point of entry so they do not get into your employees’ inboxes.  I know Exchange has something like this.

My Thoughts On This:

I should mention that another term for this is also known as “SaaS Sprawl”.  This simply means that you have a ton of Cloud apps downloaded by your employees, which not only increases your attack surface, but they are also consuming valuable resources which will drive up your Cloud costs even further. 

The best way to avoid this is to conduct audits at regular periods of all the apps your employees are using, and just cut them off.

But, you also need to educate your employees about the risks of downloading unapproved apps.  Tell them that if there is something they really want or need, they should have it approved first by the IT Security team.  But of course this means that your team should not take forever to approve it, because this will just give the employee more temptation to download it without you knowing about it.

Sunday, February 19, 2023

How Employee Safety Also Extends Into The Personal World

In the world of Cybersecurity, employees and contractors are often blamed for any security breaches that occur.  This is just the human mindset these days, and we are literally brainwashed into thinking that they are often viewed as the weakest link in the security chain. 

However, I take a different approach to this.  I firmly believe that blame and accountability should not be cast until a full examination is done, and it has been determined what the root cause of the security breach was.

But unfortunately in our society, we have an itchy trigger finger to cast the blame, and very often it is the CISO that is first to fall.  I take the contrarian view of this.  I firmly believe that employees are probably one of the biggest assets a company can have, especially those that have stayed around for a long time.  With this kind of mindset, it is also important to realize that employees need help to protect themselves even outside of the office.

The crux of this issue lies in the use of the many social media sites that are available today.  Although a manager at the workplace can put restrictions on what employees can post on these sites during work hours, they have no control over what happens after that.  So for instance, an employee can post whatever they want to on Facebook, Instagram, Twitter, etc.

But keep in mind that the Cyberattacker is building up a profile of their victims on these same sites.  They do it very cunningly, slowly over time so that nobody will notice, and they will even use the tools of Open Source Intelligence (also known as “OSINT”) to get whatever more information they can.

For instance, one can get all of the contact details of a victim, and even where he or she may live at, and even all of the details of their family members.

Once the Cyberattacker has built up this profile, they can target these unsuspecting victims at their place of employment.  In these kinds of cases, Social Engineering is the preferred attack vehicle.  Some illustrations of this include launching BEC-style Phishing emails, or simply getting on the phone and scaring a lower level employee (such as an administrative assistant) into giving away confidential information that can be used later in an APT attack.

So as one can see now, protection of employees in both the workplace and at home is now becoming a blurred line, and an impact in one area will have a cascading impact in the other, with possible, devastating consequences. 

So while a CISO may think that giving Security Awareness training once a quarter may be enough, this is not the case anymore, given the digital world that we live in.  Now of course, a manager cannot tell an employee what they can or cannot do after work hours, but they can at least offer some kind of tips and advice to help them protect themselves better.

So what can be done about this?  Here are some key steps for the CISO and the IT Security team:

1)     In the Security Awareness Training programs, although the primary focus should be on workplace safety, there should also be some time spent on teaching employees how to stay safe after hours – especially on the social media sites.

2)     If you make use of Password Managers in the workplace, try to offer the same for your employees after work hours.  For instance, point them to a free version of LastPass, or perhaps even offer to pay for half of the subscription package if they still want to use a paid version of it (this can actually be added into the benefits package).

3)     Have your IT Security team set up “office hours” for employees.  During these, employees can approach a team member, ask questions and get help about their home security, or even get tips and advice on how to do something better.  If an employee is working remotely, then he or she can use these hours to figure out how to better fortify their home network, so that there are no holes or gaps when interfacing with the business network.

4)     Train your employees on what specifically to look out for in terms of Social Engineering attacks.  After all, what takes place in the work environment can also happen in the home environment as well.  Most importantly, teach them how to avoid Vishing, Smishing, and Robocall attacks.  Remember, Phishing attacks don’t just have to come by email.  They can also come in the form of a text message, an instant message on Facebook, or even an InMail on LinkedIn.

5)     Keep a central repository of available literature and resources that your employees can readily access.  Always be available if they have questions about any of the content.

6)     Keep open lines of communication.  For instance, if your employee needs help with a suspected Phishing email in their personal account, a member of the IT Security team should be able to help out.  In this regard, even consider having a 24 X 7 X 365 hotline.  I have written about this before, and employees should feel free to call in after work hours if they have a problem.  Of course, this number should be used for work related Cyberthreats, and you don’t want your IT Security team to be inundated with personal issues.  So consider a rotation cycle where one member handles only these kinds of calls from employees.

My Thoughts On This:

As I mentioned earlier in this blog, the line between what is personal and what is work related has literally vanished, given the fact that now everything is pretty much interconnected with one another.  Protecting employees has to go beyond the workplace and into their personal lives.  The CISO cannot treat employees as the weakest link in the security chain.

If they take the opposite view, then employees will realize that they are truly a valued resource.  If the levels of Cyber Hygiene improve at home, then there is a greater chance that this will spill over into the working world as well.

Saturday, February 18, 2023

The Emergence Of DataSecOps & How You Can Deploy It

As we all know, the lifeblood of any business is the data it contains and processes.  This could be anything ranging from PII datasets to competitive intelligence.  Not only does this data have to be optimized, but given today’s world, it has to be as secure as possible, especially given the data privacy laws that we have today.  But when the question of who is really responsible for the protection of this data comes up, all fingers will point to the IT Security team.

But they are too busy trying to fight off the threats they face, while at the same time trying to protect all of the digital assets of their company.  So in the end, who is really held accountable?  Well, it is actually every employee in the company, and all of the third party vendors that they deal with.

Even if an IT Security team does all it can to protect the databases, if one employee lets one dataset loose into the public, that is just one more hole that the Cyberattacker can penetrate into.

That is why you will keep hearing about the importance of conducting audits and making sure that your employees maintain a strong level of Cyber Hygiene by giving them proper Security Awareness Training on a regular and consistent basis.  But now, there is yet another vehicle that is emerging which will give even more strength to a company to protect its datasets.

This is a newer technojargon in the Cyber industry, and it is called “SecDataOps”.  It is very similar to another methodology called “DevSecOps”, and this is where the IT Security and Operations Teams from within an organization all come together to work with the software development team to ensure that secure source code is being compiled and delivered.  Of course, it is more complex than that, but that is the general point of it all.

The same can be said of SecDataOps.  This is where the IT Security and Operations teams come together with the other company leaders (or department heads, if you will) to come up with the various means and controls to protect the datasets in the company.

If they choose to, they can even hire a vCCO (virtual Chief Compliance Officer) to help spearhead the efforts.  In this kind of methodology, the concept that all employees are responsible for the protection of the datasets is strictly enforced.

Although the DevSecOps team is much more formalized, the SecDataOps team does not need to have a rigid structure, at least for right now.  The primary reason for this is that this concept is still relatively new, and there are no formal frameworks that are established yet (such as from NIST). 

But as just stated, it is important to have a leader, and to make sure that there is accountability and a system of checks and balances, so that no group or individual has more power than the other. 

But, in the world of SecDataOps, the buck has to stop with somebody, and once again, this falls onto the shoulders of the CISO, or vCISO.  So a potential team could have leads from all of the departments of the company, with the point of contact from the IT Security team coordinating the efforts.

This person would then report to the vCCO, and in turn, they would report to the CISO (or vCISO).  The primary objective of this new team would be to conduct various Risk Assessments against the databases the company has, and from there, not only develop the plan for remediation, but also recommend the controls that need to be deployed to plug those gaps which are found.

But even after conducting the initial Risk Assessment, the work does not stop there.  This has to be done at least on a semiannual basis, with audits being conducted at least on a quarterly basis.  But there is also another issue that the SecDataOps team will have to face, and this will happen if the company makes use of both AI and ML tools.  As I have written about before, keep in mind that these kinds of technologies require a lot of data in order for them to learn, and to produce the desired output.

But you cannot just feed them any kind of data, it has to be the right kind, and they have to be cleansed and optimized in order to get the best results.  For example, if the IT Security team is using AI and ML to help predict the future Cyber threat landscape, the correct and right kind of data has to be fed into it. 

If not, the future threat variants that are predicted (which would be the output) could be totally off, and in the end creating a lot of false positives, with the end result having a team that is suffering through “Alert Fatigue”.

Since optimizing datasets can be a real pain and very time consuming, the organization can always outsource this particular function to a third party vendor that specializes in this task.  But of course, the SecDataOps team will have to go through an extremely rigorous vetting process in order to select the right vendor.  After all, you are dealing with data which will remain proprietary and confidential into the future.

Another key point that the SecDataOps team has to keep in mind is that all team members do not have time to waste in sifting through all of the datasets that they need to use for their daily job functions.  All of this should be centralized, such as by using dashboards or consoles.  This will not only help to make your datasets secure, but it will also lead to higher levels of productivity from your employees as well.

My Thoughts On This:

As this new concept emerges, remember to try to keep things simple and easy in the formative stages.  For instance, get the team assembled, and share what the objectives (both short term and long term) should be.  Then from there, put your plan of action together.  Don’t get excited by first deploying all kinds of fancy tools, just start from the very basics and build up from there.

Eventually you will need some new tools (such as AI and ML), but let the circumstances and your security requirements dictate that for you. 

Sunday, February 12, 2023

Quality Vs. Quantity: Which Is More Important For Cyber?

I still keep in touch with friends I made over 20 years ago when I was in undergrad and grad school.  The one thing we keep asking each other is:  “How did we make it back then”?  I am talking about the resources we had then versus what is available now to get papers, projects, and even theses done.

Back in my day, there was no Google, and hardly even an Internet. All computing was done on mainframe machines, and the terminal that was given to you.

Although it took time to do things (especially the theses), life was far simpler back then.  We didn’t have social media, cellphones, or even having to worry about Cyberattacks or Identity Theft.  Heck, even my Purdue ID card had my social security number all over it. 

But now, with everything all digital and interconnected with one another, life has really become confusing (at least for me).  It’s hard to keep up with what is happening out there, and especially so on the Cyber front of things.

There have been so many advances made in terms of tools and technology, but yet we still cannot keep up with the Cyberattacker.  It has become a cat and mouse game of sorts, and of course, the good guys are falling behind.  So, this begs the question:  When it comes to digital warfare, which is better?  The quality of the defenses, or the total number of defenses that you have?

In other words, is it better to have 10 firewalls or 5 really smart threat hunters who are well trained and can keep the hackers at bay?  Well, according to a report by McKinsey, businesses in Corporate America are increasing their spending on new tools and gadgets to beef up their lines of defenses by 12% year over year.

While this may sound good initially, the bad news is that security breaches will cost Corporate America at least $10 trillion by the time 2025 rolls around (which is only two years away).  This report can be downloaded at this link:

https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cybersecurity/new-survey-reveals-2-trillion-dollar-market-opportunity-for-cybersecurity-technology-and-service-providers

So what is a CISO or even a vCISO supposed to do?  Well, according to a recent article I found this morning, here are some key steps to help make quality stand out versus quantity:

1)     Watch who you hire:

Yes, there is still a huge shortage of workers in the Cyber field.  This fact still remains despite the inflationary fears that still abound and the number of tech layoffs that are happening today.  Also, I have been an advocate of hiring just about anybody who has the passion for Cyber and is willing to take risks to get ahead of the crowd.  But, there is yet another group of people you may want to look at hiring for your IT Security team.  These are former members of the US military.  These individuals have been taught structure, discipline, and how to stick with things when the going gets rough.  Also, for the most part, they have received a good amount of training in Cyber.  So why not look into this pool of candidates?  After all, if you really need somebody that has experience, well, here you have it.  And it is a great way of giving back to our country.

2)     The Zero Trust Framework:

Although this methodology has been around for quite some time, its adoption has only just started to take root.  Under this framework, absolutely nobody is trusted, and all individuals have to be verified over and over again, every time they need to access shared resources.  It sounds extreme, but in today’s environment, this is all that is left to truly fight off the Cyberattacker.  The motto here is to never trust, but verify, verify and verify further.  Now, the other leg is starting to come out, which involves continuous testing.  Meaning, you have to keep testing your Zero Trust Framework to make sure that it is airtight.  The logic here is that you should have a Red Team that is constantly trying to break through your walls of defenses in order to find any gaps or weaknesses which are hidden.  This also sounds extreme, but once again, Corporate America has to go through these extraordinary measures in order to make sure that their digital assets remain as safe as possible.  When it comes to this Red Teaming, humans do not have to be involved each and every time.  There are tools now out in the marketplace that will let you conduct Penetration Testing exercises on both an autonomous and automatic level.

3)     Keep practicing:

One of the main things that COVID-19 taught us is the need to have a comprehensive set of Incident Planning/Disaster Recovery/Business Continuity Plans in place.  But that is just one part of the equation.  The other part is to rehearse them on a regular basis, at least quarterly.  Another aspect here is Security Awareness Training for not only the C-Suite, but for all of your other employees as well.  This is not a one off; it too should be done on a regular basis.  Part of a good training program is to have what are known as Tabletop Exercises.  This is where you engage your attendees in a mock Cyberattack, and get their feedback as to how they would respond and try to resolve the situation at hand.  It is important to keep in mind that even this kind of input can be used in upgrading your recovery plans.

My Thoughts On This:

Remember that in the end, it takes a combination of both people and technology in order to have a finely tuned Cyber machine.  But even more critical is to have communications with all key stakeholders, and to keep that line open during all times, 24 X 7 X 365.  Also keep in mind to keep things simple when planning your Cyber strategies. 

There is no need to get into all of the Cyber technojargon, in the end nobody cares about that.  Instead, take those efforts and funnel them into conducting a risk assessment to determine which of your digital assets are most at risk.

Then from there, try to figure out how to strategically place your lines of defenses so that you can get maximum protection without having to procure additional technology.  Think quality instead of quantity.  Remember that instead of deploying 10 firewalls, try to make use of just 5 of them.

Saturday, February 11, 2023

6 Cloud Migration Issues You Need To Be Aware Of

As we are now in the thick of Q1 of this year, many businesses are now realizing that having an On Prem infrastructure can be a very costly affair.  For example, not only do you have hardware replacement costs, but you also have software licensing issues, creating backups, hiring the staff to maintain all of the critical equipment, etc.  As a result, they are now starting to see the benefits of what the Cloud can bring.

But keep in mind that a 100% migration to the Cloud is not an easy task, depending on the size of your business.  It takes careful planning, and very often, you will probably need the help of a Cloud Services Provider (CSP) to make sure that everything goes smoothly.

While moving to the Cloud (like AWS or Azure) can be a great thing, there are also a number of pitfalls that you need to be aware of as well.  These all come from the standpoint of Cybersecurity.

Here are some of the key issues that you need to keep in mind:

1)     The Supply Chain:

I don’t mean anything like UPS or FedEx.  If there are any gaps in your Cloud deployments, the Cyberattacker can easily discover these, and from there drop in a malicious payload.  But this is not going to affect just your systems.  If you have a remote service installed here and you have other clients that are dependent upon using it to get to your services, there is a very high chance that they will be infected as well.  In fact, this is how the SolarWinds hack happened.  The Cyberattackers were able to find just one weak spot, deploy the malicious package into that, and from there, thousands of organizations were impacted by it.  Therefore, you will always need to keep an eye on gaps which open up, and remediate them quickly.

2)     Ransomware:

Yes, this particular threat variant can strike fear in anybody.  Although it has slowed down from its peak in 2021, this attack vector has become even nastier than before.  For example, there are now double extortion attacks, in which the PII datasets are exfiltrated first and the victim is threatened with their public release on top of the encryption.  Ransomware is not going away anytime soon.  Even when you are in the Cloud, you are not totally immune to it.  There are various ways in which you can get penetrated: through file sharing services that synchronize with your Cloud account (an encrypted file on a laptop gets synced up just like any other change), and through a hijacked Cloud email platform that is then used to launch Phishing attacks.  Your best bet to counter a Ransomware attack?  Always back up your mission critical datasets, keep at least one copy that cannot be reached or overwritten with your everyday credentials (offline, or in versioned or immutable storage), spread your Cloud deployments across different data centers or regions, and actually test that you can restore.

3)     Lateral Movements:

Once a Cyberattacker has found a hole in your system, they will try to stay in as long as they can, of course going unnoticed.  From here, they will assess the state of your total Cloud infrastructure and see where they can move next.  This is what is called “Lateral Movement”: the Cyberattacker moves from the initial foothold to other accounts, roles, hosts and services, preferably using legitimate credentials so that the activity blends in with normal traffic.  Once they know what they want to take out, they exfiltrate it in a very covert fashion.  What is the best way to defend against this?  Always keep an eye out for any behavior that strays from your baseline profiles: a user or service account touching a Cloud service it has never used, logging in from a new location, or assuming roles it never needed.  Of course this can be a very time consuming task for any human being, but much of it can be automated with the behavioral analytics (AI or ML based) tools that are now available.
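
As an added example (not part of the original post, and not the code of any product mentioned in it), here is a small Python script that does the baseline comparison just described: it learns what each account normally does from a constructed, simplified CloudTrail-style log, then flags later events that stray from that profile and calls out accounts that suddenly fan out across several never-used services.  The records, field names, principal names and the one week learning window are all assumptions made up for the illustration.

```python
"""Baseline-and-deviation detection over cloud audit events.

Added example; the records below are constructed and simplified
(CloudTrail-like), not real log data.  Field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample.  The first week is normal activity; the last four
# records show one account ("alice") suddenly reaching into services it has
# never used, from an address it has never used, in the middle of the night.
SAMPLE_EVENTS = [
    # (time, principal, source_ip, service, action)
    ("2023-02-01T09:00:00", "alice", "203.0.113.10", "s3", "GetObject"),
    ("2023-02-01T09:05:00", "alice", "203.0.113.10", "s3", "ListBucket"),
    ("2023-02-02T10:00:00", "alice", "203.0.113.10", "s3", "GetObject"),
    ("2023-02-03T11:00:00", "alice", "203.0.113.10", "lambda", "Invoke"),
    ("2023-02-01T09:30:00", "svc-build", "10.0.2.15", "ecr", "GetAuthorizationToken"),
    ("2023-02-02T09:30:00", "svc-build", "10.0.2.15", "ecr", "PutImage"),
    ("2023-02-03T09:30:00", "svc-build", "10.0.2.15", "ecr", "PutImage"),
    ("2023-02-10T03:12:00", "alice", "198.51.100.77", "sts", "AssumeRole"),
    ("2023-02-10T03:13:00", "alice", "198.51.100.77", "iam", "ListUsers"),
    ("2023-02-10T03:14:00", "alice", "198.51.100.77", "ec2", "DescribeInstances"),
    ("2023-02-10T09:00:00", "svc-build", "10.0.2.15", "ecr", "PutImage"),
]

# Assumption: the first week of data is treated as the learning window.
BASELINE_CUTOFF = datetime(2023, 2, 7)


def parse_events(rows):
    """Turn the raw tuples into dicts with a real datetime."""
    return [
        {"time": datetime.fromisoformat(t), "principal": p, "ip": ip,
         "service": svc, "action": act}
        for t, p, ip, svc, act in rows
    ]


def build_baseline(events, cutoff):
    """Per-principal profile of what was normal before the cutoff:
    which source addresses, which services and which (service, action) pairs."""
    base = defaultdict(lambda: {"ips": set(), "services": set(), "actions": set()})
    for e in events:
        if e["time"] < cutoff:
            prof = base[e["principal"]]
            prof["ips"].add(e["ip"])
            prof["services"].add(e["service"])
            prof["actions"].add((e["service"], e["action"]))
    return dict(base)


def score_events(events, baseline, cutoff):
    """One alert per post-cutoff event that deviates from its principal's baseline."""
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["time"] < cutoff:
            continue
        prof = baseline.get(e["principal"])
        reasons = []
        if prof is None:
            reasons.append("principal never seen in baseline")
        else:
            if e["ip"] not in prof["ips"]:
                reasons.append(f"new source ip {e['ip']}")
            if e["service"] not in prof["services"]:
                reasons.append(f"first use of service {e['service']}")
            elif (e["service"], e["action"]) not in prof["actions"]:
                reasons.append(f"new action {e['service']}:{e['action']}")
        if reasons:
            alerts.append({"time": e["time"], "principal": e["principal"],
                           "action": f"{e['service']}:{e['action']}", "reasons": reasons})
    return alerts


def detect_fan_out(alerts, window=timedelta(minutes=30), min_new_services=3):
    """Principals that touched >= min_new_services never-before-used services
    inside one window.  A single new service is often benign; a burst of them
    is the discovery phase that precedes lateral movement."""
    firsts = defaultdict(list)
    for a in alerts:
        for r in a["reasons"]:
            if r.startswith("first use of service "):
                firsts[a["principal"]].append((a["time"], r.rsplit(" ", 1)[1]))
    hits = set()
    for principal, items in firsts.items():
        items.sort()
        for start, _ in items:
            inside = {svc for t, svc in items if start <= t <= start + window}
            if len(inside) >= min_new_services:
                hits.add(principal)
                break
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    base = build_baseline(evts, BASELINE_CUTOFF)
    found = score_events(evts, base, BASELINE_CUTOFF)
    for a in found:
        print(a["time"], a["principal"], a["action"], "; ".join(a["reasons"]))
    print("fan-out suspects:", detect_fan_out(found))
```

Run as-is it prints three alerts for "alice" (new address, then first use of sts, iam and ec2 within two minutes) and names her as the fan-out suspect, while the build account's routine image push raises nothing.  A real deployment would refresh the baseline on a rolling window and weight the signals, but the structure is the same as what the UEBA products sell you.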

4)     Cloud Sprawl:

With the advancements in the Cloud, you have many more options today than you would with an On Prem solution.  For example, you can now have IaaS, PaaS, SaaS, a Private Cloud, a Hybrid Cloud, a Public Cloud, etc.  With all of this, and the affordable price, the temptation remains strong to use everything.  If you take this approach, you are entering the land of what is known as “Cloud Sprawl”.  The main downside is that you are simply expanding the attack surface for the hacker to penetrate into, and every forgotten resource is one that nobody is patching or monitoring.  In fact, one survey found that 64% of organizations expect to be running a multi-cloud setup within three years.  (SOURCE:  https://www.sdxcentral.com/articles/news/nutanix-report-64-of-orgs-will-adopt-multi-cloud-within-3-years/2022/01/).  What is the best way to avoid this?  Consult with your CSP.  See what you absolutely need first, and stick with that.  If you feel the need to expand into the other Cloud based formats just described, make sure you absolutely need those extra services first, and keep an inventory so that nothing is running that you have forgotten about.

5)     The effects of Shadow Data:

One of the biggest challenges for any IT Security team is to make sure that when a migration happens, everything goes through, meaning there is not one piece of data still lying around somewhere.  But this is all in theory.  In the real world, this never happens.  There is always something still lying around: a copy on a file server that was never decommissioned, an export somebody made “just in case”, a partial upload that never completed.  Any residual data like this is technically known as “Shadow Data”, and because nobody is watching it, it is easy prey for the Cyberattacker.  How do you ensure that as much as possible does go through?  Always do your Cloud transformation in steps.  Do it in phases, and at the end of each phase reconcile what is in the source against what actually landed in the Cloud so that you can double check if anything is missing, and only then retire the old copy.  If you try to do everything at once, there is a far greater probability that you will have missing datasets on your hands.
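
The reconciliation step at the end of each phase, as an added Python example that is not from the original post: it hashes every object on the source side and the Cloud side and sorts them into verified, missing, mismatched (partial upload), stray duplicate copies and unexpected objects.  The file names and contents are constructed for the illustration, and the two “manifests” stand in for the listings you would pull from the On Prem share and the Cloud bucket.

```python
"""Reconcile a migration source against its Cloud destination by content hash.

Added example; file names and contents below are constructed for the
illustration, and the 'manifests' stand in for the object listings you would
pull from the on-prem share and the Cloud bucket.
"""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """path -> {size, sha256}.  In practice you would walk the share / list the
    bucket and hash each object; here the bytes are given inline."""
    return {path: {"size": len(data), "sha256": sha256_hex(data)}
            for path, data in files.items()}


# Constructed on-prem inventory (phase 1 scope).
SOURCE_FILES = {
    "hr/payroll-2022.csv": b"emp_id,salary\n1001,52000\n1002,61000\n",
    "hr/benefits.xlsx": b"PK\x03\x04 placeholder spreadsheet bytes",
    "finance/q4-forecast.pptx": b"PK\x03\x04 placeholder deck bytes",
    "legacy/customers-backup.sql": b"INSERT INTO customers VALUES (1,'Jane Doe');\n",
}

# Constructed Cloud listing after the copy job: one object never arrived, one
# upload was truncated, and somebody dropped a stray copy in a scratch prefix.
DEST_FILES = {
    "hr/payroll-2022.csv": SOURCE_FILES["hr/payroll-2022.csv"],
    "hr/benefits.xlsx": b"PK\x03\x04 placeholder",
    "finance/q4-forecast.pptx": SOURCE_FILES["finance/q4-forecast.pptx"],
    "tmp/q4-forecast (1).pptx": SOURCE_FILES["finance/q4-forecast.pptx"],
}


def reconcile(source_manifest, dest_manifest):
    """Classify every object on both sides.

    verified          same path, same hash: safe to retire the source copy
    missing           in source only: still sitting on the old system
    mismatched        same path, different bytes: partial or corrupted upload
    duplicate_copies  dest paths outside scope whose bytes match a source object
    unexpected        dest paths outside scope that match nothing
    """
    report = {"verified": [], "missing": [], "mismatched": [],
              "duplicate_copies": [], "unexpected": []}
    source_hashes = {m["sha256"] for m in source_manifest.values()}
    for path, meta in sorted(source_manifest.items()):
        dest = dest_manifest.get(path)
        if dest is None:
            report["missing"].append(path)
        elif dest["sha256"] != meta["sha256"]:
            report["mismatched"].append(path)
        else:
            report["verified"].append(path)
    for path, meta in sorted(dest_manifest.items()):
        if path in source_manifest:
            continue
        bucket = "duplicate_copies" if meta["sha256"] in source_hashes else "unexpected"
        report[bucket].append(path)
    return report


def phase_complete(report):
    """Only retire the source side when nothing is missing, mismatched or stray."""
    return not (report["missing"] or report["mismatched"]
                or report["duplicate_copies"] or report["unexpected"])


if __name__ == "__main__":
    result = reconcile(build_manifest(SOURCE_FILES), build_manifest(DEST_FILES))
    for category, paths in result.items():
        print(f"{category:17s} {paths}")
    print("phase complete:", phase_complete(result))
```

The point of hashing rather than comparing names or sizes is that a truncated or silently corrupted upload has the right name and often a plausible size; only the digest tells you the bytes are the ones you meant to move.  The “duplicate copies” bucket is the Shadow Data the paragraph warns about, and it should be deleted or brought into scope before the phase is signed off.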

6)     Giving too many permissions:

Once you have migrated to the Cloud, one of the next major projects you need to work on is giving all of your employees the rights and permissions that they need to conduct their daily job tasks.  You always want to observe the principle of Least Privilege, in which you give no more and no less than what is absolutely required.  There are tools now which make this process easier, such as Azure Active Directory (since renamed Microsoft Entra ID).  But the problem here is that by accident you can give away more permissions than you intend, and rights granted for a one-off task are rarely taken back.  Just as unneeded resources pile up into Server Sprawl, unneeded rights pile up into what is known as “Permission Creep”.  How can you avoid this from happening?  Use the Privileged Access Management (PAM) tools that are available, grant elevated rights just in time rather than permanently, and run periodic access reviews that compare what each account is allowed to do against what it has actually done.  I know for a fact that Azure has some great tools for this as well, such as Privileged Identity Management (PIM) and Access Reviews.
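
What such an access review computes, as an added Python example (this is not the code of Azure AD, Entra ID or any PAM product): given role definitions, role assignments and an audit log of actions actually performed in the review window, it lists the grants nobody exercised, and greedily drops the broadest roles first as long as everything the account really used stays allowed.  The role names, the “service:Action” permission format with ‘*’ wildcards, the assignments and the usage log are all constructed for the illustration.

```python
"""Find permission creep: compare what each account may do with what it did.

Added example, not Azure AD / Entra ID or any PAM product's own code.  Role
names, the permission string format ("service:Action" with '*' wildcards)
and the usage log are constructed for the illustration; in practice the
grants come from your IAM / RBAC export and the usage from audit logs.
"""
import fnmatch

# Constructed role definitions.
ROLES = {
    "Storage-Reader": ["s3:GetObject", "s3:ListBucket"],
    "Storage-Admin": ["s3:*"],
    "Directory-Admin": ["iam:*"],
}

# Constructed assignments.  alice was a reader, then got Storage-Admin for a
# migration weekend and Directory-Admin 'temporarily'; neither was revoked.
ASSIGNMENTS = {
    "alice": ["Storage-Reader", "Storage-Admin", "Directory-Admin"],
    "bob": ["Storage-Reader"],
    "old-svc": ["Directory-Admin"],
}

# Constructed audit log for the review window: (principal, action).
USAGE_LOG = [
    ("alice", "s3:GetObject"), ("alice", "s3:ListBucket"), ("alice", "s3:GetObject"),
    ("bob", "s3:GetObject"),
]


def allows(grant, action):
    """Does one grant cover one action?  '*' behaves like an IAM wildcard."""
    return fnmatch.fnmatchcase(action, grant)


def covered(actions, roles):
    """True if every action is allowed by at least one grant in the roles."""
    grants = [g for r in roles for g in ROLES[r]]
    return all(any(allows(g, a) for g in grants) for a in actions)


def review(principal):
    roles = list(ASSIGNMENTS.get(principal, []))
    granted = sorted({g for r in roles for g in ROLES[r]})
    used = sorted({a for p, a in USAGE_LOG if p == principal})

    # Grants that no observed action ever exercised.
    unused = [g for g in granted if not any(allows(g, a) for a in used)]

    # Greedy role trimming: try dropping the broadest roles first (wildcards,
    # then most grants) and keep a drop only if everything used is still allowed.
    def breadth(role):
        grants = ROLES[role]
        return (any("*" in g for g in grants), len(grants))

    keep = sorted(roles, key=breadth, reverse=True)
    removable = []
    for role in list(keep):
        trial = [r for r in keep if r != role]
        if covered(used, trial):
            keep = trial
            removable.append(role)

    return {
        "dormant": not used,              # no activity at all: disable, don't trim
        "granted": granted,
        "used_actions": used,
        "unused_grants": unused,
        "removable_roles": sorted(removable),
        "keep_roles": sorted(keep),
        # What a least-privilege policy would list explicitly: only what is used.
        "recommended_actions": used,
    }


if __name__ == "__main__":
    for who in ASSIGNMENTS:
        r = review(who)
        flag = "DORMANT " if r["dormant"] else ""
        print(f"{flag}{who}: drop {r['removable_roles']}, keep {r['keep_roles']}, "
              f"unused grants {r['unused_grants']}")
```

For “alice” the review recommends dropping both admin roles and keeping only Storage-Reader, because everything she did in the window is covered by it; “old-svc” comes out as dormant, which is a disable-the-account finding rather than a trimming one.  Dropping the broadest roles first matters: trying Storage-Reader first would have “succeeded” too, since s3:* covers the same actions, and you would have kept the wildcard and thrown away the narrow role.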

My Thoughts On This:

The mass migration to the Cloud really started when the COVID-19 pandemic hit back in 2020.  It is not slowing down, and recent statistics cited by Dark Reading claim that 95% of all business processes will be done in the Cloud by 2025, and that at the current time, the average Fortune 500 company uses some 2,000 different Cloud based services on a daily basis.  (SOURCE:  https://www.darkreading.com/cloud/7-critical-cloud-threats-facing-enterprise-2023).

The Cloud can be a very exciting environment to be in, but keep in mind that it too is still growing, and there will be pains along the road, as just described in this blog.  As also mentioned, your best way to navigate all of this is to work with a reputable CSP and come up with a phased in plan for migration.  Also remember that your employees will be accessing shared resources here, so keeping up with Security Awareness Training on a regular basis will be key as well.

Sunday, February 5, 2023

5 Ways To Tell If You Are At A Spoofed Site

 


One of the main objectives of a Phishing attack is to get the victim either to open an attachment with the malicious payload in it, or to go to a phony site where they can be lured into entering their credentials or card details.  Many people have been educated enough by now (I think) to know not to open an attachment that they were not expecting. 

But now the problem is how to train your employees to recognize a spoofed site.  In all honesty, it is very difficult to tell what is real and what is not these days.  Heck, even trained Cyber professionals can get duped pretty easily.

But in this blog, we focus on some key indicators that a site is phony:

1)     Templates are used:

The Cyberattacker of today really does not want to waste time creating and designing a whole new website on their own.  Rather, they build one from a template, such as one provided by a hosting company.  Examples include GoDaddy, Namecheap, 1&1 IONOS, etc.  These are very reputable providers, and when a site is built from one of their templates, there is usually a line at the very bottom of the page that says something like:  “Website powered by GoDaddy”.  The templates used by the Cyberattacker typically don’t have this, or if they do, it will be some obscure name.  Many times, a legitimate site will instead credit the web design company that built it.  Always look for this.  But treat its absence as one signal rather than proof: plenty of legitimate, custom built sites carry no such credit, and a Cyberattacker who has cloned a real site will have copied its footer too.  If there is nothing like this and the other signs below are present, leave the website immediately.

2)     No real changes are made:

After the Cyberattacker chooses a template, they pretty much keep it the same.  They really don’t change anything of a drastic nature.  So if you are in doubt, and if you have the time, try to find the same template by going through some of the major hosting providers.  If there is a match and not much has been changed, then you know you are most likely at a phony website.

3)     It takes time:

Today, reputable and honest companies are on the digital prowl to see if their website has been replicated in any way, and given the search capabilities of Google, that is rather easy to do.  So if a Cyberattacker wants to build a spoofed site, they will often take their own sweet time and do it carefully.  The thinking behind this is that if the spoofed site is built and promoted quickly, the search engines and the brand monitoring services will catch on to it quickly, whereas a site that is built up slowly is less likely to be detected in time.  Eventually, though, it would be noticed.  One practical check you can make on your end: look up the domain’s registration date with a WHOIS lookup.  A site claiming to be a well established brand but sitting on a domain registered a few weeks ago is a red flag.

4)     Using Cybersquatting:

This is a technique in which the Cyberattacker registers a domain that is very close to the real thing.  For example, for the website “amazon.com”, a hacker could very easily register a domain like “amazo-n.com” or even “amazon.tech”.  Other common tricks are swapping in look alike characters (“arnazon.com”, “amaz0n.com”), dropping a letter (“amazn.com”), or putting the real brand in a subdomain of a domain they control (“amazon.com.login-verify.net”, where the actual domain is login-verify.net).  These are the domains used in spoofed sites.  Always read the address bar carefully when you are visiting a site, and remember that the part that matters is the registered domain just before the top level domain, not whatever comes before it.  If the domain looks like any of these examples, assume you are at a phony site and leave it immediately.  If you are unsure whether a brand really owns an alternate domain, type the address you know into the browser yourself rather than following the link.
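
Here is the same set of checks as an added Python example (not from the original post): it takes a hostname and reports why it looks like a spoof of one of a few protected brands, covering the inserted punctuation and alternate TLD cases above as well as look alike characters, one letter typos, the brand embedded in a longer label, and the brand used as a subdomain.  The brand list, the homoglyph table and the test hostnames are constructed, and the “last two labels are the registered domain” rule is a simplification; real tooling should use the Public Suffix List so that domains like amazon.co.uk are handled correctly.

```python
"""Flag look-alike (cybersquatted) domains against a list of protected brands.

Added example, not from the original post.  PROTECTED, HOMOGLYPHS and the
hostnames in the usage block are constructed.  Splitting off the last two
labels as the registered domain is a simplification (see Public Suffix List).
"""
import re

PROTECTED = ["amazon.com", "paypal.com", "microsoft.com"]

# Sequences that read like another letter at a glance.  Multi-character
# entries are listed first so they are folded before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def split_host(host):
    """-> (second-level label, tld, subdomain labels).  Simplified; see above."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], "", []
    return labels[-2], labels[-1], labels[:-2]


def strip_punct(label):
    return re.sub(r"[^a-z0-9]", "", label)


def fold_homoglyphs(label):
    for seq, repl in HOMOGLYPHS:
        label = label.replace(seq, repl)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Reasons the host looks like a spoof of a protected brand.
    Empty list means either the genuine domain or nothing resembling a brand."""
    sld, tld, subs = split_host(host)
    reasons = []
    if any(label.startswith("xn--") for label in host.lower().split(".")):
        reasons.append("internationalized label (possible Unicode look-alike)")
    for brand in PROTECTED:
        b_sld, b_tld = brand.split(".")
        if sld == b_sld and tld == b_tld:
            return []                               # the genuine domain
        if sld == b_sld:
            reasons.append(f"{b_sld} under a different TLD (.{tld})")
            continue
        if b_sld in subs:
            reasons.append(f"{b_sld} used as a subdomain of {sld}.{tld}")
            continue
        plain = strip_punct(sld)
        folded = fold_homoglyphs(plain)
        if plain == b_sld:
            reasons.append(f"punctuation inserted into {b_sld}")
        elif folded == b_sld:
            reasons.append(f"look-alike characters substituted in {b_sld}")
        elif levenshtein(plain, b_sld) == 1:
            reasons.append(f"one typo away from {b_sld}")
        elif b_sld in plain:
            reasons.append(f"{b_sld} embedded in a longer label")
    return reasons


if __name__ == "__main__":
    for h in ["amazon.com", "amazo-n.com", "amazon.tech", "arnazon.com",
              "amaz0n.com", "amazn.com", "amazon.com.login-verify.net",
              "paypal-secure-login.com", "xn--pypal-4ve.com", "example.org"]:
        print(f"{h:32s} {classify(h) or 'ok'}")
```

Checks like this are what mail gateways and browser safe-browsing lists run against every link; the useful lesson for a human reader is the order of the tests: the registered domain is split off first, and only that part is compared, which is exactly why “amazon.com.login-verify.net” is a spoof no matter how convincing its first two labels look.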

5)     It looks local:

Once a website is launched, it is available for the whole world to see.  Many authentic websites will also give you a drop-down menu choice for the language you want to see it in.  With a spoofed site, that choice is usually not offered; rather, the site is automatically localized to wherever the end user is viewing it from.  So for example, if somebody in Mumbai, India were to visit “amazon.tech”, the website would populate automatically in the Hindi language, without any language choice.  This is known as “localization”, and it is used heavily in social media.  Keep in mind that plenty of legitimate sites also localize by your location, so the tell is the missing language selector combined with the other signs above, not localization by itself.  Honestly, I never use this, and I would highly recommend that you don’t either.  It’s just another way for the Cyberattacker to track you and build a profile on you in order to launch subsequent attacks.

My Thoughts On This:

Well, there you have it: some of the top tips you can use to tell if you are at a spoofed site or not.  Also keep in mind that the web browsers of today (especially Chrome and Edge) are doing a much better job of alerting you if you are going to a suspicious site.  For example, I use Chrome as my primary browser, and if a site has no TLS certificate (no HTTPS), I instantly get a “Not secure” warning.  But the reverse is not true: a padlock only means the connection is encrypted, and Cyberattackers get free certificates for their spoofed domains just as easily as anyone else, so HTTPS by itself is no proof that a site is genuine. 

But in the end, you should always trust your gut.  If a website does not look authentic to you for any reason whatsoever, leave it.  Above all, never submit your credit card number on a site unless you know for sure that it is real.  If you have any doubts, poke around the web some more and see what other people have said about it.

Saturday, February 4, 2023

5 Unique Traits Of Ransomware Groups You Need To Know

 


Ransomware is not going to go away soon.  It proliferated greatly during the height of the COVID-19 pandemic, and 2021, IMHO, was the worst year ever.  But things slowed down in 2022, and so far, knock on wood, I have not seen any kind of major Ransomware attack happening this year. 

But the trends among the Cyberattacker groups that are launching these Ransomware attacks are getting very alarming.  For instance, many are now resorting to extortion attacks, and many hacking groups on the Dark Web have moved to what is known as “Ransomware as a Service”, or “RaaS”.  This is where the group that develops the malware rents it out, together with the payment and leak site infrastructure, to affiliates who carry out the actual attacks, in exchange for a cut of every ransom paid.

In fact, the GuidePoint Research and Intelligence Team (GRIT) just released a report which found that at least one new Ransomware group emerged each month.  The report examined a total of 2,507 victims from 40 different market segments, in attacks carried out by at least 54 active Ransomware gangs.  It can be downloaded at this link:

https://www.guidepointsecurity.com/resources/grit-annual-ransomware-report-2022/

The illustration below depicts some of their major findings:


(SOURCE:  https://www.darkreading.com/attacks-breaches/7-insights-from-a-ransomware-negotiator)

One of the lead researchers for this report is also a Ransomware negotiator, whose job is to get the ransom payment lowered or to negotiate getting the decryption keys back.  From that perspective, here are some of the newer characteristics emerging from the Ransomware groups within just the past year:

1)     A definite classification scheme:

Believe it or not, Ransomware groups fall into certain categories, which are as follows:

*The Full Timers:  These are the hacking groups that have been in existence for at least 9-10 months and have impacted at least 10 victims.  A good example is the LockBit group, which has accounted for at least 33% of Ransomware attacks on a global basis.  These groups have the money to run a good infrastructure, and most importantly (to them), they invest in evading detection by law enforcement.

*The Rebrand Groups:  These are the hacking groups which have been in business for less than 9 months or so, but are just as active as the Full Timers.  The difference is that they hit more victims but stay in each one for a much shorter period of time, at a rapid fire pace: they hit one victim, then move on to the next.

*The Splinter Groups:  These are Cyberattackers who have broken off from one of the previous kinds of groups.  Either they have decided to go solo, or they have joined another group with more “exciting opportunities”.  These Cyberattackers are less known and very erratic in their behavior.  In other words, they are still trying to discover their own brand and identity.

*The Ephemeral Groups:  These are groups that have been around for less than two months, and launch a Ransomware attack every now and then, with no defined frequency.

2)     A lot of rebranding:

In order to evade law enforcement such as the FBI, Ransomware groups constantly dissolve and re-emerge under new names, and individual Cyberattackers move from one group to another.  This of course makes it harder for the IT Security team to keep track of who they are dealing with, so the report stresses that sharing intelligence with other entities (whether private or public) becomes very critical.

3)     It is getting far more difficult to negotiate:

When Ransomware attacks were just starting to happen, negotiating the payment was fairly straightforward, as the negotiator was dealing with a single group.  But with the advent of RaaS, negotiating has become very difficult, as there are now many more threat actors involved: the affiliate who actually broke in, the operator who owns the malware and the leak site, and sometimes others in between, each wanting their cut. 

4)     The demands for payment are higher:

In the early days of Ransomware attacks, the payments were rather low comparatively speaking, in the range of a few thousand to perhaps five figures.  But given the sophistication of today’s Ransomware groups, the demands are now literally getting astronomical.  Seeing something as high as $15 million is not unheard of.  Many Ransomware negotiators are nonetheless pretty successful at bringing the amount down, to something like six figures.

5)     Extortion is on the rise:

Locking up your devices and encrypting your files is one thing, but Ransomware groups are now kicking up the degree of punishment by extorting their victims, as mentioned before.  For instance, they exfiltrate your PII datasets before encrypting anything, and then either sell them on the Dark Web for a nice profit or threaten to make them public, causing brand and reputation damage that is very difficult to recover from.  Why do they do this?  They figure that if they are not going to get any money from the encryption itself (say, because you have good backups), threatening the victim on a much higher and more personal level may still result in some sort of payment.

My Thoughts On This:

In the end, Ransomware is here to stay.  How often it happens and to what degree it is going to get worse is anybody’s guess.  Nobody can predict the future.  But one thing is for sure:  your best line of defense against a Ransomware attack is an effective backup strategy. 

How that is done will depend a lot on your organization’s security requirements.  But the rule of thumb is to keep backups both On Prem and at an offsite location.  The latter can simply be storing your PII datasets in the Cloud, such as on AWS or Microsoft Azure.  Two caveats worth adding: the offsite copy must not be reachable with the same credentials that run your production environment (otherwise the attacker encrypts it right along with everything else), and a backup you have never test-restored is not really a backup.

The report I have highlighted here even mentions that although Cyberattackers really have no ethics, they do want to protect their reputation on the Dark Web.  This simply means that if you do make a ransom payment, you have a better chance of actually getting the decryption keys to unlock your devices and files. 

I am not sure if I agree with this or not, but then again, I am not a Ransomware negotiator. 

This brings up another question:  should you make the ransom payment in the end?  My answer to that is no.  It only fuels the Cyberattacker to launch more attacks, and many insurance carriers will not pay out on a claim in these circumstances.  Also, with new regulations coming out, making a ransom payment can itself be unlawful depending on the circumstances; in the United States, for example, the Treasury Department’s OFAC has advised that paying a sanctioned Ransomware group can violate sanctions law. 

