Saturday, April 29, 2023

What Is Happening On The Cyber Threat Front In 2023???

 


Well, we are not even halfway through the yet, and Cyber experts have already been coming up with what some of the top threat variants have been so far.  These were announced at the latest RSA Conference, which was held just last week.  So what has been happening? Here is the breakdown:

1)     SEO Attacks:

This is the tool that pretty much all businesses use to get their websites ranked high in the Google search engine whenever a query is done.  But believe it or not, even the Cyberattackers are now starting to do this, for their own gain.  How are they doing it?  Long story short, they create phony websites of real, legitimate, and highly reputable businesses.  Take for example Wal-Mart.  Their website is of course Walmart.com.  But anybody register a domain that is very close to that, such as walmartt.com.  From there, a Cyberattacker can then create a very realistic looking, but spoofed up website of the real Walmart.com.  The problem is that most customers will not recognize that extra “t” in the domain.  Thus, through Phishing emails and other tactics, the Cyberattacker will lure them into this phony site.  But instead of just relying upon that, the Cyberattacker is now using the principles of SEO as well in order to boost their rankings, in order to draw in more unsuspecting victims.  The moral of the story here:  Make sure to the best extent that you can to make sure that you are at a real website.  Many browsers, especially those of Edge and Chrome, are doing a decent job alerting you of a phony website before you actually go it.

2)     Malvertising:

This technojargon is a combination of two words:  Malware and Advertising.  If they can afford it, many businesses also make use of what are known as PPC (Pay Per Click) ads to get prospects to their website.  These usually appear on the left side of your browser.  While this can be a good tool to use depending upon your marketing budget, Cyberattacker is also doing the very same thing, but instead, trying to get traffic to their spoofed site.

3)     The Software Developer:

For the longest time, the software developer and their respective teams worked in an isolated environment, away from all of the company politics and even the Cyberattacker.  But guess what?  Now they have become a prime target.  Why is this so?  Well, a lot of the security breaches that happen out there are due to web applications that have poorly constructed source code that is embedded into them.  To make matters even worse, software developers often unintentionally leave backdoors open when the project is delivered to the client.  From here, the Cyberattacker can also penetrate in, and stay in for very long periods of time going unnoticed.  Also, they can move laterally, and scope out first what they want to steal. Very often it is the PII datasets of employees and customers, and when this is taken, it is called “Data Exfiltration”.  Unfortunately, nobody realizes that is gone until it is too late.  Another criticism for software developers is that they use open-source APIs when they construct the source code.  Nothing wrong with this, but these APIs often remain untested and not kept up to date with the needed patches.  And the software developers simply assume that is safe, so they never test it in a sandbox environment first.  Also, software developers are also given higher than needed privileges, rights, and permissions to do their work.  To make things even worse, the IT Security team does even terminate the accounts of the software developers once they are done with their work.  And guess what?  The Cyberattacker loves to go after these privileged accounts.

4)     Artificial Intelligence:

Remember the heydays of the .com boom?  Well, this is now happening to the AI and ML markets.  Although they have been around for quite some time, its popularity gained rapid steam earlier this year with the release of ChatGPT.  This is the new AI tool from OpenAI.  Simply put, it is an ultra-sophisticated version of the traditional Chatbot agents.  You can ask ChatGPT anything you want to, and it will produce an answer very quickly.  It has become a very lovable tool especially for content generators (though I have made a promise to myself to never use it for these purposes).  But with the good, also comes the bad.  There have been many fears and even actual cases where ChatGPT has been used for malicious purposes by the Cyberattacker.  Probably the best example of this is in using it to write malicious lines of code which essentially becomes Malware.  But apart from the technical bad stuff that comes with ChatGPT, there are also the societal implications, such as fear of job loss due to automation of it.  Even some of the top leaders in the business world have called out to slow down the pace of AI development so that we can all catch up and breathe, as well as absorb the impacts of ChatGPT.  Heck, even Italy banned the use of ChatGPT, but I think it is now back up and running there.  Another huge fear of ChatGPT is that it will be used for Social Engineering tactics.  The best example of this are Deepfakes.  Until ChatGPT, many hackers used lower-level algorithms to build spoofed-up images and videos.  But with ChatGPT, the algorithms have become far more sophisticated, resulting in more advanced Deepfakes being created. Although Open AI has claimed that there are security features built into it, they are simply not enough.  Another huge fear now is if the pace of hardening it lose pace with the Cyberattacker using it for nefarious purposes.

My Thoughts On This:

Again, the key is to be proactive in your own safety.  Probably the most important takeaway is to be extremely careful of what you post on Social Media, especially that of Facebook.  The Cyberattacker can look at your profile, and record any sounds you make on it and feed that into an AI program, to create a very convincing Deepfake.

As this list gets updated, I will post them!!!

Two Golden Ways To Cyber Harden Your Kubernetes Platform

 


When May rolls around (in just a couple of days now), I am planning to appear for an Azure cert.  This is the most basic one, which is about the Azure Fundamentals.  Technically it is known as the AZ-900.  The one thing I have liked studying for this is that I can get a traditional study book and learn that way.  I don’t mind the online stuff as much, but I am still old fashioned in a lot of ways.

I have learned a lot about Azure in these last few years I have been studying, and one concept that has always eluded me was that of “Kubernetes”.  I always wondered what it was, and I finally got my answer while I was reading my study book.  But in technical terms, Kubernetes can be defined as follows:

“It is an open-source system for automating deployment, scaling, and management of containerized applications”.

(SOURCE:  https://kubernetes.io/)

In much simpler terms, containers are another way of deploying the software applications that you create on a Cloud based platform.  Groups of containers are called “Pods”, and a group of Pods is called a “Node”. 

Ok, enough blabbering on that.  Unfortunately, despite all of the benefits and advantages that it has to offer, it too is prone to Cyberattacks.  But usually, it comes in the form of unknown data leakages.  If you want to do a deep dive on the Cyber risks that are posed to Kubernetes, click on the link below:

https://www.darkreading.com/edge-articles/understanding-the-3-classes-of-kubernetes-risk

A major root of these risks has been the over privileging of the end users.  Most often, an employee is given more rights and permissions than what they absolutely need, and once they don’t need them anymore, the IT Security team very often forgets to bring down the level of those permissions. 

This concept falls under the area of Cyber which is known as “Identity and Access Management”, or also known as “IAM” for short.

So as you can tell, this is the area in which the IT Security team has to start in order to help mitigate the risks that are posed to Kubernetes.  So what is a good starting point?  Check out the list below:

1)     Take a look at all of the end user profiles:

If you make use of Azure, and also if your company is large enough in terms of the total number of employees it has, you are probably making use of the “Azure Active Directory”, also known as the “AAD” for short.  This is where you manage the profiles of all of your employees when you give them the resources that they need to access in order to complete their jobs.  But very often, blanket permissions are granted.  Meaning, if a certain group of employees fall into one profile, they are all given the same permissions and privileges as everybody else in that profile.  And this very often results in the problem of over privileging.  For example, if you hire somebody to contract work on your network, you will likely give them the same set of permissions as you would your network administrator.  But this is overkill.  You only need to give them what they need.  This is referred to technically as giving out granular permissions, because you are digging into the details of what they will be doing exactly.  Many companies shy away from doing this because it takes too much time to do.  Instead, the thinking is that it is easier to lump employees into one common bucket.  This does make sense from the outset, but later on, it becomes a huge problem as you can see.  So IMHO, CISOs need to get out of this habitual way of working and take the time to see what each employee really needs.

2)     The Concept of Least Privilege:

As the name states, this is where you are giving employees just enough access to do what they need to do, as just examined.  For example, if you have just hired a brand-new administrative assistant, you will only give him or her what they need for their job.  Obviously, you are not going to give them the level of access that you would give to your IT Security team.  This has always been a theoretical, cardinal rule in Cyber, but many companies still fail to implement it, for just about any kind of reason that you can think of.  But you should not be a statistic here, take the time to review on a regular basis all of the permissions that each and every employee needs, and from there, keep refining your security policy.

My Thoughts On This:

An area in which you can get started to help you govern the IAM part of Kubernetes is to use a subfield of it, which is known as “Privileged Access Management”, or “PAM” for short.  You can use the tools here to specifically manage all of the rights, permissions, and privileges that you assign to each and every employee.

But probably one of the best things about using PAM is that you can configure rules and policies that will allow you to automatically delete the rights and permissions of an employee, just right after they leave your company, no matter what the reason might be. 

There are numerous vendors out there that offer this solution, so it might be best to check them out first and try to watch a demo or two of it.

That way, you will get a good feeling if this is something that your company needs.  But in the meantime, if you want to learn more about PAM, buy our recently published eBook on it.  The link is right here:

https://www.amazon.com/dp/B0BX1QZH7G

Sunday, April 23, 2023

The 7 Roadblocks In Creating An IR Plan & How To Overcome Them

 


When a security breach occurs, what is the first thing that a company should do?  Respond of course!!!  But unfortunately today, many businesses do not know how to do this. If they do become a victim, the time to respond is usually much slower, and in the end, usually everything is thrown at it including the kitchen sink. 

So what can be done to avoid this kind of situation?

The one thing to keep in mind is that we, even individuals, are at risk of becoming a victim.  The only thing that we can do here is to mitigate as much as possible that risk of happening from the first place.  But when it comes to responding to a security breach, this is an area that becomes technically known as “Incident Response”. 

But in order to respond properly, a business needs to have what is known as an “Incident Response Plan”, also known as an “IR Plan” for short.

This can be a lengthy document, as it spells out in general terms how an entity should respond.  Now this document does not spell out how to combat each and every security threat, as there are so many of them.  But the crux of this document is how effective communications should take place so that all relevant parties can react accordingly.

But creating such a plan is not an easy task to accomplish, as the Cybersecurity threat landscape has become extremely complex, covert, and stealthy.  So what are the top challenges that organizations face when they try to craft their IR plan?  Here is a sampling:

*The complexities of the Cloud environment, especially when it comes to deployments into the Hybrid Cloud.

*The connection of IoT devices to both On Prem and Cloud infrastructures.

*The emergence of all kinds of mobile devices.

*The complexities of IAM.

*Complete dependence upon SaaS based solutions.

*The lack of modernization of the SOC to keep up with the latest threats.

*Too much dependence on automation, especially in the way of AI and ML tools.

Of course, the list is much longer than this.  But to get on the right path, what can a business do to start creating the right kind of IR plan?  Here are some of my thoughts:

1)     Conduct a Risk Assessment:

It is imperative that you conduct an inventory of both your digital and physical assets, and rank them in terms of their vulnerability, using a quantitative scale.  Then from there, you will know the right controls that will need to be implemented.

2)     Create a Data Map:

Once you have categorized your assets, then the next thing to do is to create what is known as a “Data Map”.  This provides a holistic view of where all of your assets are at, even those that are being used by your employees and contractors.  That way if a security breach occurs, you can get a view of what is being impacted.  Keep in mind that there are many tools that can be used today to create such a map.  Very often in this regard, it is both AI and ML that are used.  If you do not know how to create this map, then have your MSP or MSSP help you with it.  The moral of the story is don’t to a half backwards job doing this, go with it all the way.

3)     Get a view of the Cyber threat landscape:

Once you have completed the last two steps, the next thing you can do for your IR Plan is to get a detailed view of the Cyber threat landscape.  This is where you view where the existing threat variants are at, as well as those potential ones also.  But also keep in mind that while this may sound like a hard task to accomplish, it is really not that bad.  Once again, you can use AI and ML to plot this view for you, but what is most important here is that the data that is used to keep it moving has to be fresh and optimized on a daily schedule.so that your view of the threat landscape is a realistic one.  The bottom line here:  You need to have a picture that is updated on a real time basis.

My Thoughts On This:

An IR Plan is not a hard copy Word based doc.  It is something that is also digital, which is updated on a regular basis, and all key parties have access to it, especially when it comes tin to containing a breach.  But the key thing to remember here is that communication is most critical!!!

In this document, you will be spelling out those responsible people who will be participating in an IR.  It is also important to keep all contact information up to date for all of these people, most importantly cell phone numbers and email addresses.

Finally, once you have crafted your IR Plan, it is not a one and done deal.  It must be rehearsed on a regular basis, preferably at least once a quarter.  And remember, keep this plan updated at all times, with all of the new information and data that your company receives, and as well as those lessons learned from doing all of the rehearsals!!!

Saturday, April 22, 2023

The Cyber Dream: Overcoming Team Silos & Creating Unity

 


As many more businesses are now entering into the Cloud, whether it is AWS or Microsoft Azure, data leakage has become a serious problem.  A lot of this can be attributed to the misconfigurations that occur, usually at the fault of the IT Security team that have deployed the applications. 

Another reason is that there is too much over privileging that is being done with the end user accounts.  For example, an administrative assistant might be given read, write and execute permissions, when all they really need are the read and write and permission.

Or another example is when a Network Administrator is given not only the permissions that they need, but they may also be given other permissions that fall outside of their domain, such as being assigned Database Administrator privileges as well. 

With these misconfigurations, data leakages, giving out too many permissions than are needed, it is no wonder that online fraud, or even that of ID Fraud is now becoming rampant in today’s Cyber world.

  Thus now the cries are being heard to merge all three of these Cyber specialties into one force:

*Fraud prevention

*Identity and Access Management

*Cloud Security

Of course, not every business has the manpower or even the financial resources to combine all of these into force.  Before you embark on this herculean feat, your IT Security team needs to address the following questions:

*Despite adopting Multifactor Authentication and other protective measures, are your customers still complaining about the lack of security on your website (especially your online store)?

*Are these complaints and/or concerns causing your overall revenue to fall?

*Is your market growth severely restricted because of an increased level of fraud risks?

*Have your customers ever become a victim of Ad Fraud, Online Fraud, or even ID Theft?

*Do you have too many devices from too many different vendors which is leading to a spawl like effect?

*Does your IT Security team even understand how to take into account Fraud Prevention services?

*Is your IT Security team feeling a strong sense of burnout because of all they have to do?  Is your business experiencing a high rate of employe turnover?

If you have answered “Yes” to most of these questions, then it is probably time to bring in all the three mentioned Cyber areas into one roof.  But this is not something that is to be jumped into quickly, rather, you need to craft a comprehensive plan, using a phased in approach.  Here are some guidelines you can follow to help achieve this:

*What are your Cyber goals and priorities?  What is the overall goal and vision? Keep in mind that this is the job for the CISO or the vCISO, not the IT Security team, but their input should be sought and seriously considered.

*What is your current budget like?  Can it accommodate for all three of the Cyber areas to be formed into one unit?  Also, will your budget be increased if and when needed?

*What extra staffing do you need?  If full-time hires are out of the question, can you make do with just contractors?

*Can you use your existing security technologies to bring in all three Cyber areas together, or will newer technologies be needed?  This is probably best answered by conducting a Risk Assessment, and from there deciding what is needed.  Remember you do not want to expand the attack surface by bringing in many newer technologies and vendors.

Once you have formulated the answers for all of the above questions, the next step is to then find the common goals and objectives to bring all of these areas into one silo.  Remember, you do not have to include all of your IT Security team employees in this, as they are busy and stressed out enough as it is. 

Rather, all that is probably needed is to have just one or two representatives from each specialization form this new, siloed team.

Finally, once this proposed new team is in place (at least in theory), it is very important to have the buy from the upper brass, especially your CISO.  Then from there, it needs to be taken to the rest of the C-Suite and ultimately, the Board of Directors for final approval.

My Thoughts On This:

Trying to get rid of the siloed approach in Cyber has always been a dream, and unfortunately, it has never been realized yet, at least completely.  The problem is that many businesses try to rush into this too quickly, without giving much thought to how it will be done. 

As a result, things fail in the end.  Therefore, it is very important to have that plan first, and use a phased in approach.

Remember, humans are creatures of habit and don’t like change. Trying to create one huge Cyber silo will for sure bring in a lot of resistance to change.  Therefore, taking well thought out baby steps and being slow is the best way forward.

Also, in the end, everybody has to be on board for this new effort, especially from the top.  Unfortunately, you will not get an immediate buy in from them, and they will have to be poked and prodded to finally go along with the new plans.  Keep things as to how it will impact the bottom line, as that is the only thing that they can relate to.

Also, don’t hesitate to use AI and ML tools for bringing all of your siloes under one roof.  They can automate many of the mundane tasks, thus freeing up your staff to focus on the most pressing issues, one of them maintaining a proactive stance on Cybersecurity, and the threat landscape.

Why Biometrics Should Be Part Of An MFA Solution - 5 Golden Reasons

 


Remember all of my blogs about passwords?  The basic premise behind most of them was that no matter how much we hate our passwords, they are still going to be around with us for the longest time.  Although they have proven their huge weaknesses, and IMHO, will be the weakest link in the security chain (no, not humans) we will still use them.

Sure, businesses have tried to make their employees adopt stronger and more complex passwords, but the truth of the matter is that we are creatures of habit. 

No matter what new things might be ahead of us, we still want to use what we already have and for the longest time.  Heck, people still use the same passwords over and over again.

To combat this, businesses have adopted the use of what are called Password Managers.  These are relatively easy to use software apps that essentially create long and complex passwords, stores them, and even changes out the passwords once they have reached a certain time limit, as set forth by the IT Security team. 

They will even alert the end user if the passwords that are in use succumb to a security breach.

But to add more security to this, companies then adopted what is known as Two Factor Authentication, simply known as 2FA for short.  This is where the employee (for example) will not only have to enter their password, but also be authenticated by another mechanism (such as a challenge/response kind of thing).  But like the password itself, this also proved to be highly vulnerable to the Cyberattacker.

So then, businesses turned over to what is known as Multifactor Authentication, or MFA for short. This is where the employee now has to be authenticated by at least three or more different types of authenticating mechanisms.  So for example, this could involve the password, an RSA token, and even the challenge/response question.

But even with this, there are still issues that have arisen.  The reason for this is that many entities still use weaker forms of authentication.  Once again, this falls down to again using the password.  Once that is hacked into, the Cyberattacker, for the most part, can make a reasonably good attempt to get into the other credentials.

Is there a solution for all of this?  Actually, yes there is.  It is known as “Biometrics”.  This is where an individual’s identity can be confirmed based upon taking a snapshot of their physiological and/or behavioral features.  From here, the unique features are extracted which are then used for authentication purposes.

It has a number of distinct advantages which include the following:

*The raw image of the physiological and/or behavioral features are never stored.  Rather, they are converted over to mathematical files which are stored and used for authentication purposes.

*If in the chance that a Biometric Template is stolen, it is not the same thing as credit card theft (I have been asked this a lot).  After all, what can a Cyberattacker do with a mathematical file?  Really nothing.

*If a template is damaged or even hijacked, all that needs to be done are new raw images to be collected. There are no reset costs, which is typically true of the password.

*Biometric Templates are truly unique identifiers.  For example, nobody has the same fingerprint, retinal structure, or even the same iris structure.  That is what makes Biometrics so appealing in MFA situations.

Now there is the concern of what are known as Deepfakes.  Long story short, this is where AI and ML are used to construct a real live image of somebody or something.  But, to a trained eye, one can notice the subtle differences to spot out a Deepfake.  Now the question arises if Deepfakes can be used to reconstruct the raw images as just described? 

I have never really thought about this until now. But given the way that technology is evolving, it is possible that it could happen.  But here is the beauty of Biometrics.  All modalities require a live scan sample. 

Meaning, if Fingerprint Recognition is being used, it requires that a pulse be taken from the finger first.  Although Biometric systems could still possibly be spoofed, the technology is also rapidly advancing in this area to stop this from happening as well.

My Thoughts On This:

Implementing the use of Biometrics in an MFA solution (or even as a stand alone one) is not too complex.  In fact, it is even easier to set up than your own smartphone.  Corporate America is now finally realizing the full benefits of using Biometrics, and here are some resources that I have come across:

The FIDO Alliance for Biometrics standards:

https://fidoalliance.org/fido2/

Using Smart Cards along with Biometrics in an MFA solution:

https://www.securetechalliance.org/smart-cards-intro-standards/#:~:text=The%20primary%20standards%20for%20smart,standard%20broken%20into%20fourteen%20parts.

A Playbook for avoiding Biometric Template Spoofing:

https://www.biometricupdate.com/202303/biometric-anti-spoofing-handbook-updated-with-liveness-competitions-legislative-impact

In the end, the best of MFA solutions will address these authentication questions:

*Something you have

*Something you are

*Something you know

Also keep in mind that a beauty of MFA is that you just don’t have to deploy three layers of authentication.  You can deploy as many as you deem necessary, in order to protect both your digital and physical assets.

Finally, the last thing to remember about Biometrics is its social implications.  Since it is the physiological and/or behavioral samples that are being collected, there is the issue of privacy rights and violation of Civil Liberties.  But that is a blog for the future.  Stay tuned.

Saturday, April 15, 2023

The Confusion Of Data Privacy Laws: Security Breaches Are Not Being Reported

 


As you know, the world we live in today is now filled with data.  Whether it is structured or unstructured, quantitative or qualitative, it has become the lifeblood of just about every business here in Corporate America. 

As a result, we have now become stewards to protect every bit of it as possible, and what is most at stake are the Personal Identifiable Information (PII) datasets that we have for our customers and employees.

Because of this new trend, there have been many legislations and mandates to ensure that all sorts of data and information are protected, with the right kinds of controls.  Probably the best examples of this are those of the GDPR and the CCPA.  But not every business is bound to them, a lot depends upon the revenue size, and where the customers are located.

But now, another question seems to be arising:  That is whether to report a security breach that has involved, which involves mission critical data.  The normal instinct would be yes, it needs to report, but according to a recent survey (in which 400 IT Security professionals were polled), the opposite has been found, which is quite alarming in my view.  Here are some of the highlights of it:

*42% of the total pool of respondents claim that they have been instructed by their CISO (or any other higher up) to not report a security breach.

*While notification of a data loss breach is expected, only 37% of the respondents viewed this as an important task that has to be addressed.

The survey is entitled the “2023 Cybersecurity Assessment Report”, and was conducted by a Cyber firm known as Bitdefender.  The actual report can be downloaded at this link:

http://cyberresources.solutions/LI_Blogs/BITFENDER_REPORT.pdf

Now, there are many reasons why an IT Security team may not want to disclose a security breach, for instance, there is the fear of job loss, or tarnished company reputation as a result.  But in this survey, many of the respondents felt that it was not their responsibility to disclose a breach. 

Rather, they felt that it should be up to the CISO to take full responsibility for this (which I agree with). 

But another catalyst that is keeping the reporting to a mum is the sheer amount of confusion that comes with these data privacy laws.  For example, the GDPR heavily governs those businesses that are based in the European Union.  But this can also have an impact on those US based businesses that have customers in the US. 

So which laws are to be followed?  That is a question that is still to be answered.

The same is true of the CCPA.  While it is mostly designed to protect the consumers in California, any business that has customers there is also governed by this law.  Compounding this problem even more is that now each state is coming up with their version of a data privacy law. 

So if a business has offices and customers in multiple states, which law are they supposed to abide by?  If it is for every state that they are in, this can cause some horrendous confusion, as you can see.

But is not only in the United States where this problem of not reporting exists.  Even those countries in the EU have similar issues, according to the survey:

*37% of the respondents in the United Kingdom were told to be quiet about any security breaches;

*35% of the respondents in Germany, Spain, and France were also told to be shut about any incidents which have occurred.

My Thoughts On This:

In the end, every human should feel compelled to report a security incident to their higher ups if a data breach has occurred.  Likewise, the CISO should also feel the same in reporting this to their Board of Directors and ultimately letting law enforcement, the regulators, and even the public know about it.  But as this blog has reviewed, this is not the case.

IMHO, if this trend keeps up, the data privacy laws are only going to get stricter and harsher, if they are not already so.  For example, under the GDPR, if a business has been audited and found guilty of not having the right controls in place, they can be levied a fine that equals 4% of their gross revenue. 

Also, it can be even harder for a company to get Cyber Insurance if they do not follow the proper protocols for reporting a security breach.

In the end, whether you like it or not, it is always in your best interest to report if our business has become a victim of a security breach.  If not, the financial and brand damage will be far more severe than you think it will be.

How To Use The Microsoft Enterprise Model To Protect Your Active Directory

 


As some of you may or may not know, I have a book that is coming out next month on the Zero Trust Framework.  It deals with the topic of Quantum Physics, and how it can be used in this respect.  I also just recently signed the book contract for another one, and this will deal specifically with how to deploy the Zero Trust Framework into Microsoft Azure.

As you probably know as well, Azure is one of the Cloud deployment juggernauts, along with the likes of AWS, and Google Private Cloud.  A key component of Azure is what is known as the “Azure Active Directory”, or the “AAD” for short. 

Long story short, this is where all of the employee groups and profiles are stored, in an effort to streamline the permissions, rights, and privileging process.  Now, I am far away from being an expert on Azure, but I do know that from the standpoint of Cybersecurity, this is has always been a favored target to prey upon.

But unfortunately, there are many avenues from which a Cyberattacker can enter into the AAD in a covert fashion, so this leaves many IT Security teams scratching their heads trying to figure out how to best protect their infrastructure.  Probably one of the best ways to do this is to see what is most at risk for you, based upon what your security requirements are.  This is also known as the “Tier Zero Assets”.

So what are some of these that you should include in your list?  The following is a sampling of what you should consider:

1)     Focus on the Domain Control Groups:

This simply means to focus your attention on those objects in the AAD that have control over mission critical domains.  This does not necessarily mean something when you register a domain, but rather, a domain is something that has achieved a main of classification.  For example, you can designate your accounting department as domain, and all of the employees profiles that you put into this category would become known as the “Objects”.  This is the level in which you will also super user privileges, which are the “Privileged Accounts”.  So as you can see, looking at and carefully scrutinizing these domain control groups should become of prime importance.

2)     Look at the mission critical processes:

Remember, it is not just all about your employees.  Some of your important processes could also be contained in your AAD infrastructure as well.  For example, these could also include any computing resources that are stored On Prem or and in your Azure account.  Here are some examples of what I am talking about:

*Root Certificate Authorities

*The Azure Active Federation Services

*Azure Active Directory Connect Services

*Any other Privileged Access Management tool that you make use of, such as those offerings from CyberArk

But keep in mind that the above is not an all-inclusive list.  There are other so-called objects that could be important to your business as well, and this is where conducting an all-encompassing Risk Assessment will come into play.

3)     Automation:

At the present time, automation is a big buzzword in Cyber.  With this in mind, also comes the usage of AI and ML tools.  This is starting to become a big trend today, especially with the ChatGPT software platform that has come out from Open AI.  To keep up with all of this, all of the major Cloud providers are planning to offer their own version of this, and developing new tools that can be accessed and deployed within a matter of minutes.  In this regard, the automation of code execution processes becomes popular, given the fact that a business could have hundreds or thousands of them to run on a daily basis.  

My Thoughts On This:

As I have mentioned, what I have provided here is by no means an exhaustive list, rather, it is just to give you an idea of what to look for as you further try to protect your AAS infrastructure.  Also keep in mind that keep in mind that depending upon the size of your business, an AAD infrastructure can become quite complex. 

Therefore, it is important that your IT Security team, or even the IT Department, try to streamline it as much as possible to better protect it.

Also, it is important that you come up with a plan of attack as to how you are going to do this.  Therefore it is highly recommended that you do this in phases and steps, in order to make sure that no mistakes are made and nothing is overlooked in the end. 

A great place to use as a resource is the “Enterprise Access Model”.  It spells out in greater detail what should be deemed as a “Zero Tier” Asset.  It can be downloaded at this link:

https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model

 

 

Tuesday, April 11, 2023

Find Out How Data Privacy Is Shaping Up In 2023

 


In the world today, data privacy is becoming of prime importance.  This term can have different definitions to many people, but in the end it all comes down to securing the Personal Identifiable Information (PII) datasets of both your customers and employees.  However, this is no easy task to accomplish, as there are many kinds and types of controls you can implement.

To make things even more confusing, all businesses, depending on where they are located and the size of revenue, must also comply with the tenets of the GDPR, CCPA, HIPAA, and other related data privacy laws.  Also, it can be an expensive proposition to keep up with all of this, making it very difficult for the SMBs.

What can a business do?  Well, in this podcast, we have both the honor and privilege of interviewing Brian Hileman, Solution Architect at Cyberhaven.  They have created a new Data Privacy service, which offers three layers of protection to your datasets:

*Data Loss Prevention

*Insider Risk Management

*Cloud Data Security

You can download the podcast at this link:

https://www.podbean.com/site/EpisodeDownload/PB13CFA739XHQX

Saturday, April 8, 2023

You Need To Pay Attention To Printer Security - Must Read

 



Given the fact that now pretty much everybody uses the Cloud in some form or another, we tend to forget the good ole days of the hardware aspects of it all.  For example, we no longer have to deal with workstations or portable media devices, everything is a Cloud based instance. 

But there is one thing that we still take for granted, and even forget about as we go about our daily work activities.

That is the printer.  They come in all forms and sizes, and even range in complexity if it is an office based one.  With these, not only can you print, but you can also scan, send email attachments, send faxes, make phone calls, etc.  But because of all of this, this hardware has become a prized target for the Cyberattacker. 

Of course, there are probably many backdoors with these ultra sophisticated office printers, but even some of the most basic ones have become a target.

Look at some of these latest hacks which have happened:

*Lexmark:

https://www.darkreading.com/cloud/critical-rce-lexmark-printer-bug-has-public-exploit

*HP:

https://support.hp.com/us-en/document/ish_7905330-7905358-16/hpsbpi03838

*Microsoft:

https://www.cisa.gov/news-events/bulletins/sb23-052

*Canon and Lexmark:

https://www.darkreading.com/application-security/hackers-score-nearly-1-million-at-device-focused-pwn2own-contest

You can click on the above-mentioned links to get more details about these Cyberhacks that have happened to these major printer vendors. 

The printer is often forgotten about piece in the IT/Network Infrastructure, and this is further exemplified according to a research project that was conducted by an organization known as Quocirca.  Their report is entitled  the "Global Print Security Landscape Report 2022.”  It can be downloaded at this link:

https://quocirca.com/quocirca-print-security-landscape-2022-press-release/

Here is what the survey found:

*Only 26% of the total respondents actually feel confident that their printers and other associated hardware are actually safe from a Cyber-attack;

*Almost 60% of the CISOs polled could not keep not with the just latest advances in printer technology, but also in terms of keeping up with the latest firmware/software patches and upgrades, because it has been such a low priority for them;

*67% of respondents feared that the home printers being used for WFH purposes will bring further risk to the business;

*Only 38% if the businesses polled have some sort of analytics dashboard in place to detect any abnormal or suspicious behavior to their printers;

*But the good news is that almost 70% of the respondents plan to increase Cyber spending for their networked office printers in 2023.

All of this is illustrated in the diagram below:


(SOURCE:  https://www.darkreading.com/vulnerabilities-threats/printers-pose-persistent-yet-overlooked-threat)

You may be asking at this point, why are printers so ignored when it comes to security?  The bottom line is that nobody wants to deal with them.  Once they are procured and installed at a place of business, people just don’t want to mess with them because they are viewed as being too complex to configure again if something goes wrong with it. 

They leave all of that to the maintenance person from the vendor who makes their periodic visits to the place of business.

The main issue also is that printers (especially the office ones) are just about bad to network together as are servers, especially if you are dealing with an On Prem Infrastructure.  Unlike a home printer, these ultra fancy printers have to be networked not only with other printers, but with all of the other servers as well. 

All of this can lead to an even further complex environment, which in the end only increases the attack surface for the hacker to penetrate into.

Also, since printers are very often overlooked (because of the previously mentioned reasons), this is a favorite hiding place as well for the Cyberattacker to hang out going undetected.  Once they have established the entire lay of the land with respect to the IT and Network Infrastructure, they can then move in a lateral fashion to deploy their malicious payloads.

In fact, an office printer would be the perfect vehicle for a Cyberattacker from which to exfiltrate private information and data as well.  Keep in mind that these super sophisticated printers retain a huge amount of memory after they have been used. 

For example, if you scanned a document in, and emailed to a particular recipient, the image of that document still remains for a very long period of time, until it is purged from the system.

The same holds true for doing photocopying.  All images are also stored theoretically indefinitely, until it is erased.  Not many people are aware of this, and the Cyberattacker knows this very well.  This is yet another reason why printers are such a favored target.

Another key area of weakness is that of the Remote Workforce.  For example, if somebody works from home, they can still very easily send that document to print from the actual physical location of the business.  This poses yet another area of risk, which is the intermingling of both the home and corporate networks.  This was an issue that became very stark at the advent of the COVID-19 pandemic, and even to this day, I don’t think it has been totally resolved.

My Thoughts On This:

The office printer is an item that must be included in every Risk Assessment that your company does.  Btu what makes this more complex is that it can be considered both a tangible and a digital asset.  But whatever it may be in the end, it needs to be protected.

Also, make sure that your IT Security team is aware of all of the software patches and upgrades that need to be deployed onto your printers.  It should be part of a regular schedule as anything else is in your IT/Network Infrastructure. 

Also, consider having the vendor come out your place of business to give security awareness training to the employees in your company.  After all, they need to learn how to use these pieces of equipment while also keeping up a strong level of Cyber Hygiene.

The Evolution Of BEC 3.0 This Tax Season

 


Well, whether you like it or not, the deadline for filing taxes is approaching – in fact, it is April 18th.  It can always be an unnerving time, especially for last minute tax filers.  But there is yet one more thing to worry about other than filing on time – and that is the Cyber threats that loom at this time of the year. 

This is one of the prime times for the hackers to come out of the woodworks, and do everything possible to submit a falsified return in order to get their hands on your well-earned refund.

In fact, there is really nothing new about these kinds of attacks, as they have even loomed since the last decade.  But it is not just the taxpayers that are hit, it is even the accountants and the tax preparers that are just as many targets as well.  Heck, even the IRS has become a highly favored target as well, by setting up fictitious and phony sites.

But what is different this time is that the Cyberattacker now has a powerful arsenal up their shoulders – and that is AI.  From using everything from Deepfakes to Chat GPT, phony emails and just about everything else now looks so real.  In fact, it is even difficult for the trained Cyber professional to tell the difference. 

An even scarier proposition is getting fake snail mail letters from the IRS.  Typically, this is how the agency communicates, they never send an email or even call a taxpayer directly.  So even here, one cannot tell the difference. 

Even the tax software packages are being hit as well.  Probably the best example of this is the latest hack into the QuickBooks platform. 

In this instance, the Cyberattackers were using the brand of QuickBooks and sending out phony emails in an effort to lure users into submitting their confidential and private information.  More details as to what exactly happened here can be seen at the links below:

https://www.darkreading.com/remote-workforce/cyberattackers-abuse-quickbooks-cloud-service-ouble-spear-campaign

https://www.avanan.com/blog/phishing-from-quickbooks

In fact, the security breach that happened to QuickBooks has been termed the evolution of the “BEC 3.0”.  This is simply an acronym that stands for “Business Email Compromise”.  This is a type of Phishing based email where it appears that it has been sent from an authoritative figure, such as a C-Level exec. 

These are then sent to lower ranking employees in order to scare them into sending large sums of money to an overseas account.

Of course, once the money is sent, it is gone, and it can be hard to recover.  But the good news here is that banks have started to put up very sophisticated controls to detect a fraudulent wire transfer before it is even started, and halts the transaction right there pending further verification. 

Even the Feds, such as the Secret Service and the FBI, are now able to retrieve most of the money if it were to be transferred to a phony account.

But in the end, it seems like Phishing is still the tried-and-true method used during tax season.  A key observation here is that the Cyberattackers are learning how to adapt to the newer technologies that are being used to detect a malicious email when it is inbound to the receiver.  For instance, typos and grammatical mistakes were the give aways when it came to detecting a Phishing email, but now the Cyberattacker is taking their time to make sure that write and spell everything properly.

The only reals clue is the mismatch between the sending domain and the receiving domain if you were to accidentally reply to that email. 

Another key advantage that the Cyberattacker has in their arsenal is that all email providers are now pretty much SaaS based.  This includes everything all the way from Gmail to Yahoo mail to Exchange Server and Outlook.  The Cyberattacker knows how messages are sent on these platforms, and thus they can bypass any control quite effectively.

But another fearful tactic that Cyberattackers are using is stealing the victim’s phone number in addition to their tax and payment information.  Once the latter has been intercepted, the hacker will then call the victim and use the principles of Social engineering in order to con the victim into giving out further personal data. 

These calls can come on the smartphone, but now they are appearing on apps like What’s App and other telephony plug ins that are now available pretty much on all of the Social Media platforms today.

The bottom line in all of this is that the Cyberattacker is trying to use a trusted source in which to lure in their victims.  Once again here, QuickBooks is a perfect example.  It has been a trusted and well branded source for decades, and because of that, there level of trust that goes with it. 

Nobody really questions the authenticity of an email if it were to come through this platform, thus making it a very ripe target for the Cyberattacker.

My Thoughts On This:

A simple Google search will reveal all of the top tips that you need to know about, so I am not going to repeat them here again.  But keep in mind that tax fraud impacts everybody at all levels – all the way from the individual to the entire business.  So thus, one needs to take all precautions accordingly.

But whatever the case might be, always use a tax preparer to do your taxes.  Make sure that you use one that is reputable, and has been around for some time, for at least a few years.  As a client, it is your right to question what kinds of security controls they have in place, and how they protect your PII datasets. 

The reason why I say this is that if you or your business is impacted by a security breach during tax season, the responsibility of recovery is not totally all on you, the tax preparer has to shoulder the burden as well.

Also, one of the best pieces of advice here is to always confirm the sender of a piece of correspondence, whether it is digital or physical, and always trust your gut in these regards.  When it comes to calls, never answer unless you recognize who is calling.  If it is important enough, it can go to voicemail for you to parse through later.  Always do a Google search on a phone number if you do not recognize it.

In the end, becoming a victim of tax fraud is very serious.  It happened to a friend of mine a few years ago, and it took him almost one year to reclaim his identity and money.  Remember, we are all at risk of becoming a victim.  The key is being proactive to mitigate those risks as much as possible.

Sunday, April 2, 2023

Why IoT Vendors Don't Implement Security : 5 Expensive Cost Centers

 


The IoT (which also stands for the “Internet of Things”) is a term that is used to describe both the interconnection and the interaction of the daily objects that we interact with both in the virtual and physical worlds. 

Some of the best examples of this are virtual personal assistants of both Siri and Cortana, which can be found on both iOS and Android devices.  But of course, there are also more sophisticated IoT devices than that, such as a smart TV, smart car, smart coffee maker, etc.

While these products may have their set of advantages to an end user, they also come with their own share of Cybersecurity risks as well.  For example, with all of the interconnectivity that is occurring, the attack surface for the Cyberattacker grows by that much more. 

And unfortunately, many of these wireless communications that take place are often unencrypted.  Worst yet, the vendors that manufacture these IoT devices don’t even build in strong security functionalities.

At best, they may offer a set of minimal controls, which is nothing much really, in the end.  The concept of IoT has been around for quite some time, but as I mentioned in yesterday’s blog, the adoption of this did not proliferate until the COVID-19 pandemic occurred. 

But the biggest problem here was that of the meshing of both the home and corporate networks.  Even to this day, the growth of IoT devices is going up at an exponential clip.

For instance, at the present time, there are more than 1 billion devices that have found their way onto the Internet.  In other words, this what it is on a global basis, and there will be many more to come.  Much more statistics and details on this rate of adoption can be seen at the link below:

https://techjury.net/blog/how-many-iot-devices-are-there/

But now it comes back to this question:  Why can’t the IT Vendors offer more security into the IoT products that they manufacture??  One of the key reasons here is sheer cost.  IoT vendors are pushed to come out with products at a breakneck speed in order to fulfill the escalating demand for them. 

As a result, putting in more security controls simply becomes an added expense, which they unfortunately view as unneeded.

But this can only go so far.  There are other industries which make heavy use of IoT devices as well.  The healthcare industry is a prime example of this.  Gone are the days of having “analog” like equipment, now everything is all digitized and even IoT based. 

Because of this, a Cyberattacker can easily hack into a medical device, change the settings around of a pacemaker that exists in patient.  From here, either the heart will start to flutter out of control, and perhaps even causing death to the patient.

So as you can see, security devices for IoT devices really needs to be taken quite seriously.  It’s one thing if a Cyberattacker were to jack into your smart coffee maker, but a medical device?  That is a whole different ballgame altogether, with horrible consequences all together.

Now you might be asking, “What exactly are these costs that the vendors don’t want to think about”?  Well, here is a sampling of them:

1)     Trained personnel are needed:

If one expects an IoT vendor to add in the latest security controls, it all comes down to hiring the staff needed to design them, and to make sure that they are implemented properly, and that will be safe to the end user.  But hiring these kinds of people takes more money, something which no IoT vendor wants to do.

2)     More costs into the product:

If more security controls are going to be implemented, that is going to drive up the costs of the hardware and software of the IoT device.  But this can be transferred down to the customer, and it does happen in reality, they will simply go to a lower cost competitor.  Because of this, the IoT vendor could even be pushed out of business, which they don’t want to happen.

3)     Connecting the IoT devices:

Pretty much all IoT devices now connect with each other through wireless networks.  Now if you have just one or two devices, the costs of connection should not be that much.  But now if you something like a Smart Home, the costs can really go up per wireless connection.

4)     The User Interface/User Experience:

The acronyms for both of these respectively are “UI” and “UX”.  In order for an IoT to remain competitive, they need to have a fancy interface that is unlike what anybody else.  But once again, this involves hiring a team of developers that can accomplish this task.  But once again, this is going to cost more money.  Thus, in order to keep up, IoT vendors just have to have build a somewhat better mousetrap from their competitors, which is far cheaper than hiring a UI/UX developer.

My Thoughts On This:

Obviously, this is a catch 22.  The vendors and the customers don’t want to have higher costs, but unfortunately, it is going to have to go up if higher levels of security are going to be realized.  In fact, there have been some pieces of legislation to put pressure on the IoT vendors in this regard.  In fact, California passed an IoT law to this effect, and more information on it cab found at the link below:

https://www.security.org/blog/california-passes-first-cybersecurity-law-iot/

Also, the FDA is also now starting to crack down on Cybersecurity for medical devices that are IoT based.  Bu whatever maybe passed and/or enacted, security must be addressed soon into IoT products.  It would be easy to say that IoT devices should no longer exist, but this will never happen.

There have been some recommended best practices that IoT vendors should follow, such as:

*Using a Cloud based platform (such as Microsoft Azure) to push out software updates and patches at no extra cost to the consumer;

*Even having independent third party entities provide an honest, unbiased assessment of the IoT device in question from the standpoint of Cybersecurity.

Now these two items should not cost much money, and it is something that IoT vendors can adopt rather quickly.  But to somebody who wants to buy an IoT device or two right now, do your homework first. And when you buy a device, don’t ever rely upon the default security settings set forth by the IoT vendor.  Make sure that you configure it to your own security requirements!!!

Saturday, April 1, 2023

Online Sports Betting: How To Protect Yourself In The Metaverse

 


Now that the COVID-19 pandemic seems to have dissipated from the news headlines, one of the relics it has left has been the Remote Workforce.  As I have written before, this is something that many people thought would happen in a few years. 

But right when it hit, within a three-month timespan, everybody was pretty much WFH.  With this transition, many Americans now have taken up new hobbies, and one of them is online sports betting.

So what is this exactly?  Well, rather than going straight to the sporting venue to place a monetary as to which team will win, you can now do that all online, with a sports betting application.  You can do this directly from a web link on your device, or the more popular tool to use would be a mobile app. 

Do for example, if you wanted to bet on the March Madness basketball brackets, rather than doing at work, you can do it straight off the app.

It is actually quite convenient, as you get updates on your bets in real time, and once you have made enough money, you can transfer it in just a few seconds to your bank account.  But with all of these plusses, there comes downside as well. 

And this comes from the Cyber risks that come with it.  Since all betting transactions are done on the Internet, all of the platforms are just as prone (or maybe even more) to the Cyberattacker.

Take into account these hacking scenarios, which have actually happened:

*According to a recent survey from an organization called “Coda Labs” a survey of nearly 7,000 respondents showed that there is an almost 41% distrust in the security of online gaming platforms.

More information about this can be seen online here:

https://www.esports.net/news/fraudulent-web3-gaming-projects-what-they-mean-for-the-space/

*Back in 2021, Electronic Arts, a major online gaming vendor, there was a data security breach which resulted in well over 780Gb of information and data being heisted.  This was then sold by the Cyberattackers on the Dark Web.

More information abut this Cyberattack can be seen at the link below:

https://www.vice.com/en/article/wx5xpx/hackers-steal-data-electronic-arts-ea-fifa-source-code

But it’s also not the online gaming community that is being hit, but also the crypto trading platforms as well.  For example, Ronin Bridge a platform built for Ethereum trading was also hacked into, and from that, over $650 million was heisted. 

More details on this can be seen at the link below:

https://cointelegraph.com/news/the-aftermath-of-axie-infinity-s-650m-ronin-bridge-hack

So in the end, somebody has to take the lead in helping to protect these online betters.  And guess who it all comes down to?  You got, the CISO.  So what can they do?  Here are some steps that can be implemented fairly quickly;

1)     Find out where your betters hang out at:

Online gaming apps just do not exist on a smartphone app.  They also exist heavily in the social media world as well.  So, find out where your employees go to, and offer tips and advice as how your gamers can best protect themselves on that particular platform.  If needed, even offer specialized Security Awareness training in this regard.

2)     React immediately:

Although every Cyber threat variant should be taken very seriously, breaches when it comes to online betting should be taken more seriously.  The primary reason for this is that this is where real money is being transacted, and a lot of PII is being transmitted back forth between betters and the mobile apps.

3)     Be aware of BEC scams:

This is the type of Phishing attack where a CEO is impersonated, and very often, strikes a sense of fear into employees (or in this case the online betters) to act in a way that is not rational. For example, a scam like this could ask betters to place bets on phony sporting teams.  As a CISO, you need to be fully aware of this, and to have your IT Security monitor what is going on.  Also of need be here, even educate your betters about this particular threat variant as well.

4)     Ensure data protection:

This is a no brainer, and in fact is now mandated by the statutes and provisions of the GDPR and the CCPA.  As the CISO, you have primary responsibility to make sure that all of the PII datasets of your betters are as protected as much as possible, and that the appropriate alarms and warnings will go off once a threat variant is tracked aimed at your databases.

5)     Pay attention to the phony stuff:

At the height of the pandemic, phony websites became the norm.  Although this has dissipated somewhat, this trend is still there.  In fact, it has gotten so bad that it is even hard for a Cyber professional to discern what is real and not.  Make sure that your IT security is on top of this.  Also, be aware of typo squatting.  This is where a Cyberattacker will register a domain like yours, but instead, put an extra letter in it.  For example:

onlinegaming.com could very easily become:

onlinegamming.com

Notice the extra “m”?  It is from here that phony websites can launched.  You also have to be very mindful of this, and report any fictitious sites.

Also be aware of any phony ads or promotional codes that replicate your online betting site or app.

My Thoughts On This:

This blog has just provided some tips that a CISO can use to protect only their online betters but even their employees as well.  But keep in mind, that they have their part they need to do as well.  For example, these groups of people need to be aware of any Phishing based emails that they may receive, and report them.  But above all, they need to be able to detect what is normal activity and what is out of the norm, and report that immediately to your Cybersecurity team.

Some of these gaming platforms are now starting to exist in what is known as the Metaverse and the Web 3.0.  Eventually, these are the places where they will all exist. 

The downside of this is that not many people know about these newer kinds of online technologies, thus a strong level of trust will have to be built with your online betters if you are planning to take your platform into this direction.

 

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...