FireSale HackBoy


Thursday, August 31, 2023

Mobile threat defense or bust

The case for unified endpoint management and mobile threat defense

The evolution of endpoint management

Unified endpoint management (UEM) has played a significant role over the years in enabling companies to improve the productivity and security of their corporate mobile devices and applications. In the early days of endpoint management there were separate workflows and products for traditional endpoints, such as desktops and laptops, and for mobile devices. Over time, administrators grew frustrated with the number of tools they had to learn and manage, so vendors moved toward an integrated solution in which all endpoint devices, regardless of type, could be inventoried, managed, and given consistent policies through a single pane of glass.

Today, UEMs let IT administrators be more productive by enabling them to set and enforce policies on the types of data and applications an employee can access, giving administrators granular control and more effective security. These UEM platforms offer security features including the ability to identify jailbroken or rooted devices, enforce passcodes, and wipe data from mobile devices that are lost or stolen. In general, UEMs have played, and continue to play, an integral part in improving the management and productivity of business-critical mobile endpoints.

Possible avenues for attack

However, in today’s environment, companies are experiencing a significant rise in the number of sophisticated and targeted malware attacks whose goal is to capture their proprietary data. Only a few years ago, losing a mobile device meant forfeiting content such as text messages, photographs, contacts, and calling information. Today’s smartphones are not only far more capable in their transactional features but also represent a valuable target, storing a trove of sensitive corporate and personal data and, in many cases, financial information. If the phone stores usernames and passwords, it may allow a malicious actor to access and manipulate a user’s account via banking or e-commerce websites and apps.

To give you a sense of the magnitude of the mobile security issues:

Attack vectors come in various forms, with the most common categorized below:

Device-based threats – These threats are designed to exploit outdated operating systems, risky device configurations and jailbroken/rooted devices.

App threats – Malicious apps can install malware, spyware or rootkits, or share information with the developer or third parties unbeknownst to the user, including highly sensitive business and personal data.

Web and content threats – Threats may be transmitted via URLs opened from emails, SMS messages, QR codes, or social media, luring users to malicious websites. These websites may be spoofed to appear like a legitimate site requesting payment details or login credentials. Other websites may include links that will download malware to your device.

Network threats – Data is at risk of attack via Wi-Fi or cellular network connections. Attacks can come in the form of man-in-the-middle attacks or rogue access points enabling hackers to capture unencrypted data.

Enter mobile threat defense

While UEM can inventory assets, offer employees a more consistent experience, and push updates, its threat detection capabilities are extremely limited. The increasing sophistication of malware attacks makes UEM platforms insufficient on their own to detect or prevent these attacks.

To address these attacks, more companies are adopting mobile threat defense solutions that work in tandem with their UEM subscriptions. Mobile threat defense (MTD) enables companies to identify and block mobile threats across most, if not all, attack vectors. The following outlines how mobile threat defense protects against the four main categories of mobile device threats:

Device-based threats – Continuous evaluation of user and device risk posture, with the ability to prevent jailbroken devices, devices running an outdated OS, and devices with risky configurations from accessing the network.

App and content threats – Continuous scanning for malware, viruses, trojans and side-loaded apps. Detections are raised in real time, with remediation on the device.

Network threats – Scans each of the customer’s mobile devices for missing OS security patches, identifies man-in-the-middle attacks and other network-related vectors, and provides remediation guidance such as applying vulnerability fixes or bug fixes.

Web and content threats – Mobile threat defense alerts users to phishing attempts arriving by email, SMS, or browser. It can also block malicious websites, depending on the MTD product’s features and capabilities.
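The device-posture evaluation described under “Device-based threats” (and the jailbreak, passcode and OS checks attributed to UEM earlier in the post) boils down to a small policy engine: collect device attributes, compare them against policy, and turn the findings into an access decision. The following is an added example, not code from the post or from any of the vendors it names; the minimum OS versions, severity levels and the sample fleet are constructed for illustration.

```python
"""Device risk-posture evaluation of the kind the UEM and MTD sections describe:
outdated OS, risky configuration, jailbroken/rooted device, side-loaded apps.
Added example: the policy thresholds are constructed, not any vendor's defaults."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: str          # dotted version string, e.g. "16.5.1"
    jailbroken_or_rooted: bool
    passcode_enabled: bool
    developer_mode: bool     # one example of a risky configuration
    sideloaded_apps: int     # apps installed from outside the official store


# Constructed policy (assumption): minimum supported OS version per platform.
MIN_OS_VERSION = {"ios": "16.0", "android": "13"}


def parse_version(version: str) -> tuple:
    """'16.5.1' -> (16, 5, 1); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def version_outdated(platform: str, os_version: str) -> bool:
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        return True   # unknown platform: fail closed, treat as out of policy
    return parse_version(os_version) < parse_version(minimum)


def evaluate_posture(device: Device) -> dict:
    """Return an access decision plus the findings that drove it."""
    findings = []   # (severity, description)
    if device.jailbroken_or_rooted:
        findings.append(("high", "device is jailbroken/rooted"))
    if version_outdated(device.platform, device.os_version):
        findings.append(("high", f"OS {device.os_version} is below the minimum "
                                 f"{MIN_OS_VERSION.get(device.platform, 'n/a')}"))
    if not device.passcode_enabled:
        findings.append(("high", "no passcode configured"))
    if device.developer_mode:
        findings.append(("medium", "developer mode enabled"))
    if device.sideloaded_apps:
        findings.append(("medium", f"{device.sideloaded_apps} side-loaded app(s) present"))

    # Any high-severity finding blocks corporate access; medium-only findings
    # restrict the device (e.g. no access to sensitive apps) until remediated.
    if any(sev == "high" for sev, _ in findings):
        decision = "block"
    elif findings:
        decision = "restrict"
    else:
        decision = "allow"
    return {"device_id": device.device_id, "decision": decision, "findings": findings}


def sample_fleet() -> list:
    """Constructed devices for the demonstration."""
    return [
        Device("ios-001", "ios", "17.0.1", False, True, False, 0),
        Device("ios-002", "ios", "15.7", False, True, False, 0),
        Device("and-003", "android", "13", False, True, True, 0),
        Device("and-004", "android", "14", True, True, False, 2),
        Device("and-005", "android", "14", False, False, False, 0),
    ]


def summarize(devices: list) -> dict:
    """Count decisions across the fleet, as a UEM compliance dashboard would."""
    return dict(Counter(evaluate_posture(d)["decision"] for d in devices))


if __name__ == "__main__":
    for d in sample_fleet():
        result = evaluate_posture(d)
        print(result["device_id"], result["decision"], result["findings"])
    print(summarize(sample_fleet()))
```

The fail-closed branch for an unknown platform is the detail worth copying: a device the policy does not recognise is treated as non-compliant rather than silently allowed. Version strings are compared as integer tuples so that “16.10” correctly sorts above “16.9”.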

Use cases

Remote payment processing

Companies are beginning to increase flexibility and decrease time to revenue by offering mobile payments in the field. If mobile devices are part of the company’s payment path, they require protection. Malicious actors may use man-in-the-middle attacks to intercept network transactions. Equally threatening are surveillanceware attacks that capture information during a transaction. Mobile threat defense will identify these attacks, alert the user, and potentially block them, depending on the MTD solution’s capabilities.

Defend high-value targets against breach

Executives are commonly targeted because they may have access to sensitive data (e.g., financial and strategic plans, customer data, and human resources information) and often use mobile devices while “on the road”. Attack vectors such as spear phishing may be deployed by hackers in targeted attacks. Such highly sensitive information warrants securing executives’ devices. Mobile threat defense applications will aid the IT administrator in identifying these attacks and alert the user on their device.

Mobile threat defense vendors and solutions

There are a few mobile threat defense offerings worth considering in terms of their effectiveness in addressing threat vectors that target mobile devices.

IBM MaaS360 Mobile Threat Management: IBM recently introduced a new version of its mobile threat management application to complement its UEM offering. IBM MaaS360 Mobile Threat Management enables companies to detect, analyze and remediate enterprise malware on mobile devices. It provides SMS and email phishing detection, advanced jailbreak, root and hider detection with over-the-air updates for security definitions. Administrators can configure compliance policies based on these advanced threats and remediate vulnerabilities—improving the security of bring your own device (BYOD) and corporate-owned devices.

SentinelOne Mobile Threat Defense: This solution provides comprehensive, on-device, autonomous security for corporate-owned and personally owned (BYOD) devices, protecting against modern threats and exploits. The mobile agent detects application exploits in real time, untrusted networks, man-in-the-middle attacks, and system tampering, and delivers mobile phishing protection.

Lookout Mobile Endpoint Security: Lookout Mobile Endpoint Security (MES) is considered by many to be the industry’s most advanced platform for mobile endpoint detection and response (EDR). Its capabilities include extending zero trust policies to any device with access to corporate data, evaluating the risk posture of every user and mobile device throughout their session, and automatically ending the session if the risk posture changes, informing both user and admin of the threat.

The post Mobile threat defense or bust appeared first on Cybersecurity Insiders.


September 01, 2023 at 09:09AM

Battling malware in the industrial supply chain

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Here’s how organizations can eliminate content-based malware in ICS/OT supply chains.

As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects.

A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack:

  • Two distinct types of malware, “Sunburst” and “Supernova,” were secretly placed into an authorized software update.
  • Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures.
  • Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection.
  • The C2 traffic was cleverly hidden using steganography, making detection even more challenging.
  • The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations.

While this incident led to widespread IT infiltration, it did not directly affect OT systems.

In contrast, other attacks have had direct impacts on OT. In 2014, malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences.

Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems.

These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including:

  1. Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage.
  2. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points.
  3. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making.
  4. Access control challenges: Proper identity and access management within complex environments are crucial.
  5. Compliance with best practices: Adherence to guidelines such as NIST’s best practices is essential for resilience.
  6. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions.

Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems.

Supply chain defense: The power of content disarm and reconstruction

Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious.

What does CDR do?

In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety.

  • Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while maintaining full functionality.
  • Removes harmful elements: This process effectively removes any harmful elements, making it a robust defense against known and unknown threats, including zero-day attacks.

How does it work?

CDR’s effectiveness lies in its methodical approach to file handling, ensuring that no stone is left unturned in the pursuit of security.

  • Content firewall: CDR acts as a barrier, with files destined for OT systems relayed to external sanitization engines, creating a malware-free environment.
  • High availability: Whether on the cloud or on-premises in the DMZ (demilitarized zone), the external location ensures consistent sanitization across various locations.

Why choose CDR?

With cyber threats becoming more sophisticated, CDR offers a fresh perspective, focusing on prevention rather than mere detection.

  • Independence from detection: Unlike traditional methods, CDR can neutralize both known and unknown malware, giving it a significant advantage.
  • Essential for security: Its unique approach makes CDR an indispensable layer in critical network security.

CDR in action:

Beyond theory, CDR’s real-world applications demonstrate its ability to adapt and respond to various threat scenarios.

  • Extreme processes: CDR applies deconstruction and reconstruction to incoming files, disrupting any embedded malware.
  • Virtual content perimeter: Positioned outside the network, in the DMZ, it blocks malicious code entry through email and file exchange.
  • Preventative measures: By foiling the initial access phase, CDR has been shown to deliver up to 100% prevention rates for various malware.
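The “sanitizes and rebuilds files” premise above, and the deconstruction-and-reconstruction step just described, are easier to judge with a concrete instance. The following is an added example, not the article’s or any CDR vendor’s code: a minimal disarm-and-rebuild pass over a zip-based Office document. It parses the package, drops parts that carry active content (VBA project, embedded OLE/ActiveX objects, raw binaries), rewrites the relationship and content-type manifests so they no longer reference the dropped parts, and writes a brand-new archive rather than copying the original. The blocked-part rules and the sample document are assumptions constructed for illustration; the “VBA” part is placeholder bytes, not a real macro.

```python
"""Minimal content disarm and reconstruction (CDR) pass for a zip-based Office
document. Added example: the part allow/deny rules are an assumption chosen for
illustration, not any CDR vendor's engine."""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Parts that never survive reconstruction: macros, embedded OLE/ActiveX objects,
# raw binaries. Everything else is re-emitted into a fresh archive.
BLOCKED_PART_PATTERNS = [
    re.compile(r"vbaProject\.bin$", re.I),
    re.compile(r"vbaData\.xml$", re.I),
    re.compile(r"/embeddings/", re.I),
    re.compile(r"/activeX/", re.I),
    re.compile(r"\.(bin|exe|dll|js|vbs)$", re.I),
]

def is_blocked(part_name: str) -> bool:
    return any(p.search(part_name) for p in BLOCKED_PART_PATTERNS)

def resolve_target(rels_name: str, target: str) -> str:
    """Map a relationship Target to the package part name it refers to."""
    if target.startswith("/"):
        return target.lstrip("/")
    # 'word/_rels/document.xml.rels' describes parts relative to 'word/'
    base = posixpath.dirname(posixpath.dirname(rels_name))
    return posixpath.normpath(posixpath.join(base, target))

def rewrite_rels(rels_name: str, data: bytes, kept: set) -> bytes:
    """Drop relationships that point at parts removed during disarming."""
    ET.register_namespace("", REL_NS)
    root = ET.fromstring(data)
    for rel in list(root):
        if rel.get("TargetMode", "").lower() == "external":
            continue   # hyperlinks are not package parts; left in place here
        if resolve_target(rels_name, rel.get("Target", "")) not in kept:
            root.remove(rel)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def rewrite_content_types(data: bytes, kept: set) -> bytes:
    """Remove Override/Default entries that no longer describe a kept part."""
    ET.register_namespace("", CT_NS)
    root = ET.fromstring(data)
    for el in list(root):
        if el.tag == f"{{{CT_NS}}}Override":
            if el.get("PartName", "").lstrip("/") not in kept:
                root.remove(el)
        elif el.tag == f"{{{CT_NS}}}Default":
            ext = "." + el.get("Extension", "").lower()
            if not any(name.lower().endswith(ext) for name in kept):
                root.remove(el)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def disarm_package(blob: bytes):
    """Rebuild the package from its parsed parts; return (new_bytes, removed_parts)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as src:
        names = [n for n in src.namelist() if not n.endswith("/")]
        kept = {n for n in names if not is_blocked(n)}
        removed = sorted(set(names) - kept)
        out = io.BytesIO()
        # A fresh archive: none of the original zip metadata or ordering survives.
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for name in sorted(kept):
                data = src.read(name)
                if name == "[Content_Types].xml":
                    data = rewrite_content_types(data, kept)
                elif name.endswith(".rels"):
                    data = rewrite_rels(name, data, kept)
                dst.writestr(name, data)
    return out.getvalue(), removed

def parts_of(blob: bytes) -> dict:
    """Part name -> raw bytes, for inspecting a package."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return {n: z.read(n) for n in z.namelist()}

def build_sample_docm() -> bytes:
    """Constructed stand-in for a macro-enabled document (placeholder bytes, not real VBA)."""
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{rel}/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId2" Type="{rel}/hyperlink" Target="https://example.com/" TargetMode="External"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>',
        "word/vbaProject.bin": b"\x00placeholder-vba-bytes\x00",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    clean, dropped = disarm_package(build_sample_docm())
    print("removed parts:", dropped)
    print("rebuilt parts:", sorted(parts_of(clean)))
```

Two design points carry over to a real deployment. First, the decision never depends on recognising the payload: the macro part is dropped because the policy says that class of part does not pass, which is what “independence from detection” means in practice. Second, the manifests are rewritten rather than copied, so the rebuilt document stays internally consistent and opens without dangling references; a sanitizer that only deletes parts leaves a file that some readers reject and others quietly repair.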

Integration possibilities:

CDR technology can be seamlessly integrated into various network security modules.

  • Secure email gateways: Enhances email security by integrating with existing systems, providing an additional layer of protection.
  • USB import stations: Offers controlled access to USB devices, ensuring that only sanitized content is allowed.
  • Web-based secure managed file transfer systems: Enables comprehensive coverage of file transfers, ensuring sanitized content at every step.
  • Firmware and software updates: Aims to cover all content gateways, securing a ‘sterile area’ behind these modules, including essential updates.

NIST’s guidelines that call for the adoption of CDR

The National Institute of Standards and Technology (NIST) has outlined specific guidelines that highlight the importance of CDR. In the NIST SP 800-82 Revision 3 document, the emphasis on CDR’s role is evident:

1. Physical access control:

  • Portable devices security: Under the section ‘6.2.1.2 Physical Access Controls (PR.AC-2),’ the guidelines stress that organizations should apply a verification process to portable devices like laptops and USB storage. This includes scanning for malicious code before connecting to OT devices or networks, where CDR can play a vital role in ensuring safety.

2. Defense-in-depth strategy:

  • Multi-layered protection: Under section 5.1.2, the document defines defense-in-depth as a multifaceted strategy. It states: ‘a multifaceted strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.’ This approach is considered best practice in the cybersecurity field.
  • Widespread adoption: The quote continues, emphasizing that ‘Many cybersecurity architectures incorporate the principles of defense-in-depth, and the strategy has been integrated into numerous standards and regulatory frameworks.’ This highlights the broad acceptance and integration of this strategy in various cybersecurity measures.
  • OT environments: This strategy is particularly useful in OT environments, including ICS, SCADA, IoT, IIoT, and hybrid environments. It focuses on critical functions and offers flexible defensive mechanisms.
  • CDR’s role in defense: CDR contributes to this defense-in-depth approach, especially in handling content with browser isolation solutions. Its role in enhancing security across different layers of the organization makes it a valuable asset in the cybersecurity landscape.

Mitigating the risks

The SolarWinds breach was a frightening sign of what has already begun, and it might just be a small part of what’s happening now. With criminal groups capitalizing on the increasing cloud connectivity at ICS/OT sites, attacks on hundreds or even thousands of organizations simultaneously are actual risks we face today.

But amid these challenges, there’s a solution: CDR. This cutting-edge technology offers a robust defense against the known and unknown, providing a shield against malicious forces that seek to exploit our interconnected world. In the ongoing battle against malware, CDR stands as a vigilant sentinel, ever ready to protect.

The post Battling malware in the industrial supply chain appeared first on Cybersecurity Insiders.


September 01, 2023 at 09:09AM

Deploying AI Code: Safety Goggles Needed

Pieter Danhieux, Co-Founder and CEO, Secure Code Warrior

The possibilities of generative AI (GAI) technology have had both developers and non-developers wide-eyed with excitement, particularly around automation, productivity and business development. What makes it so engaging is that it’s clearly more than just hype: Developers are finding real use cases for GAI, signaling the likelihood that it will become an everyday tool in most roles before long.

However, the free rein some developers have been given to test GAI tools has seen many security processes overlooked, resulting in poor, insecure coding patterns and opening the door to new threats. This is on top of other potential security issues GAI is capable of creating.

ChatGPT, the most prominent GAI application, has had a rough first year when it comes to security. Only a few months after its launch, OpenAI disclosed that it took ChatGPT offline due to a bug in an open-source library, potentially exposing payment-related information. Purdue University recently found that ChatGPT gave wrong answers to programming questions 50% of the time. And a team at Université du Québec discovered that nearly a quarter of programs generated by ChatGPT were insecure.

The reality of the situation is that GAI tools, while fast, make the same mistakes we do, but because their output is generated by a computer we tend to trust it too much, just as a high-school student might rely too much on Wikipedia to write their history essay. However, the consequences could be much greater than receiving an F grade.

GAI will inevitably become an everyday part of the way developers work but even as the technology improves, developers must be in a position to hone their security skills and maintain code quality.

Embed security within your team from the beginning

The lack of secure code created by GAI has solidified the long-term importance of cyber-skilled workers. Developers with expertise in secure coding best practices who work with GAI will be able to develop code at scale while keeping quality to the highest standard. Our own research found that, at present, just 14% of developers are focused on security, but as GAI takes on the role of generating code it will be up to security-skilled developers to ensure both quality and security.

Ultimately, it will take a security-aware team to enable safer coding patterns and practices. At the Université du Québec, researchers studying insecure code generated by ChatGPT found that the chatbot was able to deliver secure code, but only after an expert stepped in to identify the vulnerabilities and prompt it to make the right amends.

Organisations need to get on the front foot and enforce clearer guidance and training on how developers should use the technology. This security-first approach will have the additional benefit of enforcing a more secure culture throughout the organisation beyond the use of GAI to accelerate the development process.

Safe research and testing is important

A blanket ban on GAI may be tempting, but it is not the right solution. A survey from BlackBerry found that 66% of IT decision-makers were considering banning the technology from employee devices altogether; however, this approach may just drive the use of AI underground—aka “shadow AI”—and limit the ability to mitigate any issues caused by GAI.

These tools will be part of the way modern developers work, so it’s imperative that we get familiar with them. Just as human error is an issue that developer teams deal with nearly every day, AI error will need to be mitigated too (after all, these LLMs are trained using human-created information).

Businesses that learn to manage the technology securely and identify which tools are most useful will gain far more value than those that refuse to engage with it. By setting up secure learning environments, developers will be in a position to identify the benefits of GAI, and they will also gain a better understanding of how best to protect the organisation from emerging threats and vulnerabilities.

Create a code of conduct for best practices

Gartner recently announced that GAI was one of the top risks worrying enterprise IT leaders in 2023. With more developers using the technology, IT leaders need to be proactive and start to establish best practices and guidelines for integrating AI into their work.

The Cabinet Office recently issued guidance to all civil servants on the use of GAI, which included never inputting classified information as well as being aware that any output from GAI tools is susceptible to bias and misinformation, which should be checked and cited appropriately. While we can look to the Government as an example to follow, it’s up to each organisation to manage its own risk appropriately.

GAI is maturing and is expected to become part of our standard suite of IT tools, just like email and cloud storage. But before we get there, we need to be strict on the way developers use GAI by creating healthy and safe environments to test and use it.

Research has shown that on its own and without oversight from security experts, inappropriate use of GAI can have serious consequences. However, there is a real opportunity for developers to stand out by building their skills and demonstrating that they can use these new tools while ensuring quality and security.

The post Deploying AI Code: Safety Goggles Needed appeared first on Cybersecurity Insiders.


August 31, 2023 at 10:51PM

LockBit Ransomware targets a province in Quebec Canada

The historic Municipality of Montreal, situated in Canada, has fallen victim to the LockBit Ransomware, an event that underscores the increasing menace of cyber threats. This century-old establishment faced a critical juncture as it chose not to comply with the hackers’ ransom demands, leading to the release of a teaser of pilfered information from their servers. The hackers have ominously promised a more comprehensive data dump in the upcoming week.

Montreal, the sprawling metropolis in Quebec Province, exhibited resilience by retrieving the encrypted data using its meticulously designed data continuity strategy. It is evident that the city’s administration is not inclined to negotiate with the hacking syndicate, exemplifying a strong stance against cybercriminal activities.

However, the gravity of the situation lies in the compromised data originating from the IT infrastructure of the Commission Des Services Electriques de Montreal (CSEM). The organization responsible for managing electricity distribution confirmed that the ransomware assault occurred on August 3, 2023. In response to the victim’s failure to meet their financial demands, the perpetrators opted to unveil a fraction of the stolen data as proof of their successful infiltration.

Assurances provided by CSEM indicate that the exfiltrated data holds minimal real-world threat. This is attributed to the fact that the information, originating from the engineering and management divisions, is already accessible to the public through the organization’s website. Consequently, the leaked data is deemed to pose a marginal risk to the victim.

Recent developments have highlighted the nefarious tactics employed by the LockBit gang. The Spanish National Police issued an alert regarding a surge in phishing emails originating from this group, targeting architectural firms specifically.

It’s worth noting that LockBit ransomware perpetrators demand a minimum ransom of $3 million, payable in cryptocurrencies such as BTC or Monero. LockBit, which traces its origins back to the infamous ABCD Ransomware discovered in 2019, has undergone evolution, with LockBit 3.0 emerging in 2022. This version deviates from its predecessor by appending a random nine-character file extension instead of the conventional “.lockbit” extension.

The post LockBit Ransomware targets a province in Quebec Canada appeared first on Cybersecurity Insiders.


August 31, 2023 at 08:25PM

Wednesday, August 30, 2023

Court asks DPC to reinvestigate massive Google Data Breach

Approximately 3 to 4 years ago, Dr. Johnny Ryan, a senior member of the Irish Council for Civil Liberties (ICCL), initiated a legal case against the Data Protection Commission (DPC) in the High Court. He alleged that the DPC had inadequately addressed a significant data breach that occurred on Google’s servers.

However, Mr. Justice Garrett Simons rejected the claim, asserting that the DPC was the appropriate entity to investigate any instances of data breach or misuse involving the servers of private American technology firms, such as Google, a subsidiary of Alphabet Inc.

Ryan, responsible for highlighting data protection concerns at ICCL, contended that Google was abusing its authority by exploiting user personal data for Real Time Bidding (RTB) analysis carried out by a third party. This practice involved targeting advertisements based on users’ web browsing activities, which contravened the 2018 Data Protection Act and the General Data Protection Regulation (GDPR). These regulations strictly prohibited web companies from sharing substantial amounts of data with third parties.

In his lawsuit, Ryan asserted that the DPC had merely observed the situation without delving into a comprehensive investigation.

Contrary to this, DPC, represented by Joe Jeffers in the high court, argued that an inquiry had been initiated in 2019 and was still ongoing. The watchdog, headquartered in Ireland, assured that once the 2019 inquiry concluded, it would examine Ryan’s allegations. This approach aimed to expedite and enhance the handling of data misuse concerns.

Dr. Johnny Ryan dismissed these assertions, stressing that the delay in proceedings was providing the advertising giant with extra time and fostering a misguided belief that the law favored their actions. This could potentially bolster the internet powerhouse’s confidence in the legitimacy of its existing data handling procedures.

It’s important to note that a comparable complaint lodged by Dr. Ryan gained traction with the International Advertising Bureau (IAB) Europe and is currently under review by the Belgian Data Protection Authority, also known as the Belgian DPA.

The post Court asks DPC to reinvestigate massive Google Data Breach appeared first on Cybersecurity Insiders.


August 31, 2023 at 10:41AM

The SEC demands more transparency about Cybersecurity incidents in public companies

The Securities and Exchange Commission (SEC) has introduced a new rule for public companies that requires them to be more transparent about cybersecurity incidents. The new rule requires companies to disclose any material cybersecurity incidents within four business days of that determination. The disclosure should describe the material aspects of the incident, including the nature of the incident, the impact on the company, and the company’s response.

The SEC’s proposed rules cover written cybersecurity policies and procedures, IT risk assessments, user security and access controls, threat and vulnerability management, incident response and recovery plans, board oversight, recordkeeping, and cybersecurity incident reporting and disclosures.

To help CISOs incorporate this requirement seamlessly into their existing incident response plan, here are some actionable tips:

Revisit your incident response plan: An incident response plan is a structured approach that outlines the steps you’ll take during a security breach or other unexpected event. Your business may be unprepared for a security incident without a response plan. An effective plan helps you identify and contain threats quickly, protect sensitive information, minimize downtime, and lessen the financial impact of an attack or other unexpected event.

Update the notification procedure and proactive planning for notification: Craft a well-defined notification procedure outlining the steps to comply with the SEC’s requirement. Assign roles and responsibilities for crafting, approving, and forwarding notifications to relevant parties. Develop communication templates with pre-approved content, leaving room for incident-specific details to be filled in during a crisis.

Material incident identification and impact: Define the criteria for determining materiality, including financial, reputational, and operational implications. This step is critical in meeting the tight four-day reporting deadline.

Data protection and disclosure balance: Develop protocols to protect confidential information during public disclosures and collaborate closely with legal counsel to ensure compliance with disclosure regulations.

Regular plan reviews and third-party assessments: Regularly update your incident response plan to stay abreast of evolving threats and compliance requirements. Engage external cybersecurity experts to conduct thorough assessments, identifying gaps and potential vulnerabilities that need immediate attention.

Conduct tabletop exercises: Organize tabletop exercises that simulate real-world cybersecurity incidents. Ensure these exercises involve the business aspect, focusing on decision-making, communications, and incident impact assessment. These drills will sharpen your team’s skills and enhance preparedness for the new four-day deadline.

Foster a culture of cybersecurity awareness: Cultivate a company-wide culture that prioritizes cybersecurity awareness and incident reporting. Encourage employees to report potential threats promptly, empowering your team to respond swiftly to mitigate risks.
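The steps above all hinge on one clock: four business days from the materiality determination. A tabletop exercise is more useful when that clock is computed rather than estimated, so here is an added example (not from the post) of a small timeline tracker. It assumes business days are Monday to Friday minus a holiday calendar, that the determination day itself is day zero, and it uses a constructed holiday list; confirm both assumptions with counsel before relying on the dates.

```python
"""Four-business-day disclosure window tracker for incident tabletop exercises.
Added example: the holiday calendar is constructed and the business-day
definition (Mon-Fri minus listed holidays, determination day not counted)
is an assumption, not the SEC's own text."""
from datetime import date, timedelta

# Constructed holiday calendar for this example; substitute your counsel's list.
HOLIDAYS = {date(2023, 9, 4)}   # Labor Day 2023 (US)

DISCLOSURE_WINDOW_DAYS = 4       # "within four business days of that determination"


def to_date(value) -> date:
    """Accept either a date or an ISO string such as '2023-08-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_business_day(day: date, holidays=HOLIDAYS) -> bool:
    return day.weekday() < 5 and day not in holidays


def add_business_days(start: date, count: int, holidays=HOLIDAYS) -> date:
    """Advance `count` business days past `start`; `start` itself is day zero."""
    day = start
    while count > 0:
        day += timedelta(days=1)
        if is_business_day(day, holidays):
            count -= 1
    return day


def disclosure_deadline(determined, holidays=HOLIDAYS) -> str:
    """ISO date by which the disclosure must be filed."""
    return add_business_days(to_date(determined), DISCLOSURE_WINDOW_DAYS, holidays).isoformat()


def incident_timeline(discovered, determined, filed=None, holidays=HOLIDAYS) -> dict:
    """Summarize one incident against the disclosure clock; `filed` is None while open."""
    discovered, determined = to_date(discovered), to_date(determined)
    if determined < discovered:
        raise ValueError("materiality cannot be determined before discovery")
    deadline = disclosure_deadline(determined, holidays)
    if filed is None:
        status = "open"
    else:
        status = "on_time" if to_date(filed).isoformat() <= deadline else "late"
    return {
        "days_to_determination": (determined - discovered).days,
        "deadline": deadline,
        "filed": None if filed is None else to_date(filed).isoformat(),
        "status": status,
    }


if __name__ == "__main__":
    # Constructed scenario: discovered Monday 28 Aug 2023, deemed material Thursday 31 Aug.
    # The weekend and Labor Day push the deadline to Thursday 7 Sep 2023.
    print(incident_timeline("2023-08-28", "2023-08-31"))
    print(incident_timeline("2023-08-28", "2023-08-31", filed="2023-09-08"))
```

Tracking `days_to_determination` alongside the deadline is deliberate: the four-day window only starts at the determination, so a slow materiality decision moves the deadline without reducing exposure, and that lag is what an exercise should surface.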

To determine your readiness posture, ask yourself the following questions:

Incident reporting and management questions

  • What is your process for reporting cybersecurity incidents?
  • How can you effectively determine the materiality of a breach or attack?
  • Are your processes for determining materiality thoroughly documented?
  • Have you determined the right level of information to disclose?
  • Can you report within four days?
  • How will you comply with the requirement to report related occurrences that qualify as “material”?

Incident management policies and procedures

  • Are your organization’s policies and procedures, risk assessments, controls, and controls monitoring strong enough to disclose publicly?
  • Are your policies and procedures aligned with the specifications in at least one recognized industry framework? Are they updated regularly? Does everyone in the organization know what they are and how they are responsible for following them? Are they well-enforced?

Governance and risk management

  • Is your risk assessment robust, and is it applied throughout the organization, focusing on top risks to the business?
  • How often do you do risk assessments? Are assessment results incorporated into your enterprise cyber strategy, risk management program, and capital allocations?
  • Have you engaged a third party to assess your cybersecurity program?

Board and leadership awareness

  • How does your organization monitor the effectiveness of its risk mitigation activities and controls? How mature are your capabilities, as evaluated against an industry framework?
  • How are leadership and the board informed about the effectiveness of these controls?
  • Are your C-level executives getting the information needed to oversee cybersecurity at the board level?

Conclusion

In conclusion, the new SEC rule for public companies and cybersecurity incidents requires companies to be more transparent about material cybersecurity incidents. To comply with this requirement, companies should revisit their incident response plan, update their notification procedure, conduct material incident identification and impact assessments, develop protocols for data protection and disclosure balance, conduct regular plan reviews and third-party assessments, conduct tabletop exercises, and foster a culture of cybersecurity awareness. By asking the right questions and taking the necessary steps, companies can ensure they are ready to comply with the SEC’s new cybersecurity incident disclosure rule.

The post The SEC demands more transparency about Cybersecurity incidents in public companies appeared first on Cybersecurity Insiders.


August 31, 2023 at 09:09AM

AT&T Cybersecurity wins SC Media Award for Best Threat Intelligence


Today, SC Media announced the winners of its annual cybersecurity awards for excellence and achievements.

At AT&T Cybersecurity we are thrilled that AT&T Alien Labs was awarded Best Threat Intelligence in this prestigious competition. The Alien Labs team works closely with the Open Threat Exchange (OTX), an open and free platform that lets security professionals easily share, research, and validate the latest threats, trends and techniques.

With more than 200,000 global security and IT professionals submitting data daily, OTX has become one of the world’s largest open threat intelligence communities. It offers context and details on threats, including threat actors, organizations and industries targeted, and related indicators of compromise.

The full list of winners is here.

The post AT&T Cybersecurity wins SC Media Award for Best Threat Intelligence appeared first on Cybersecurity Insiders.


August 30, 2023 at 09:10PM

Navigating economic uncertainty with managed security services

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Uncertainty looms large on the horizon as businesses deal with the difficulties of a downturn in the economy. Financial limitations, workforce reductions, and rising cyber threats exacerbate the complexity of such times. Organizations must prioritize their core competencies in this constantly changing environment while protecting their valuable assets from potential risks. By utilizing managed security services, organizations can achieve this delicate balance. This article explores why organizations should use managed security services during economic downturns to reduce uncertainty and potentially dangerous cybersecurity risks.

Cost-effectiveness in a time of hardship

Economic downturns frequently force businesses to review their spending and find cost-saving opportunities. Maintaining an internal security team can be expensive, mainly when there are financial limitations. Managed security services, however, offer a more affordable option. Organizations can access top-tier security expertise without the expense of full-time staffing by outsourcing their security operations to specialized providers.

The economics of managed security services rest on economies of scale: a provider spreads the cost of its analysts, tooling, and threat intelligence across many clients. As a result, the cost per organization decreases, making it a tempting proposition for businesses looking to maximize their budget allocations during challenging economic times.

Scalability to meet changing needs

During recessions, the economic environment is frequently erratic, which causes changes in business operations and staffing. Organizations require a security solution that can change with the needs of the environment. The ability to scale up or down based on an organization’s needs is provided by managed security services, ensuring that they receive the necessary level of security without expending excessive resources.

Managed security services providers can modify their services as necessary, whether by growing operations to take advantage of new opportunities or shrinking operations to save money. Thanks to this scalability, organizations can remain flexible and responsive to the demands of a volatile market.

Unwavering focus on core competencies

In tough economic times, organizations must put their core competencies first to survive and thrive. Building and maintaining an internal security team can take time and money away from crucial business operations. Managed security services allow companies to outsource security-related tasks to professionals, freeing internal staff to concentrate on their core competencies and increasing overall effectiveness and productivity.

In addition to ensuring security is a top priority, outsourcing security-related tasks frees up business executives’ time to focus on essential decision-making procedures, long-term planning, and promoting growth even during trying times.

24/7 Monitoring and rapid response

Cyber threats abound in the digital world, and the risk of attacks frequently increases during recessions. Hackers try to take advantage of weak defenses by finding vulnerabilities. Managed security services give businesses 24-hour monitoring and quick response options.

Managed security service providers can identify potential threats early on and take proactive measures to prevent or mitigate attacks by continuously monitoring the organization’s infrastructure and data. Even during economic uncertainty, quick response times are essential for minimizing the effects of security incidents and maintaining business continuity.

Access to cutting-edge technologies

Fortifying an organization’s defense against changing cyber threats requires cutting-edge cybersecurity technologies and tools. However, buying and keeping up with these technologies can be expensive, especially in tough times. Managed security service providers invest in modern security solutions, making them available to their clients without a sizable initial outlay.

Organizations can benefit from the most recent developments in cybersecurity, such as sophisticated threat detection systems, artificial intelligence-based analysis, and strong encryption technologies, by collaborating with managed security services. Thanks to access to cutting-edge tools, businesses can maintain an advantage in the never-ending struggle against cyber adversaries.

Risk reduction and compliance support

Data breaches are more likely to occur during economic downturns because bad actors are more likely to try to take advantage of weaknesses resulting from logistical and financial difficulties. Organizations’ exposure to threats is significantly decreased thanks to the assistance of managed security service providers in identifying and addressing potential risks.

Furthermore, adherence to industry regulations and data protection laws is essential even in challenging economic times. Managed security service providers frequently have a great deal of experience dealing with compliance requirements, ensuring businesses comply with their legal obligations regardless of their financial situation.

Incident response and recovery expertise

Cyberattacks can affect any company in some capacity. An incident response plan that has been carefully thought out is essential in the unfortunate event of a security breach or cyber incident. Managed security service providers have the specialized knowledge to handle these circumstances skillfully.

These service providers can react to security incidents quickly, contain the breach, and start the recovery process thanks to their extensive knowledge and experience. A well-planned response can reduce the harm brought on by cyberattacks and hasten the return to regular operations.

Continuous improvement and threat intelligence

New threats are constantly emerging, changing the cybersecurity landscape. By regularly updating their skills and knowledge, managed security service providers stay on the cutting edge of this rapidly evolving industry.

They gain knowledge of the most recent attack vectors and vulnerabilities thanks to their access to threat intelligence and collaboration with numerous clients from various industries. With this knowledge, managed security service providers can promptly implement security improvements and proactively bolster their clients’ defenses.

Conclusion

Managed security services are an effective choice for businesses seeking to cross treacherous terrain during uncertain economic times. Companies that use these services gain access to scalable, cost-effective security expertise and a laser-like focus on their core competencies. Managed security services’ 24-hour monitoring and quick response capabilities offer critical resilience against cyber threats required to protect priceless assets. The benefits of managed security services are further supported by access to cutting-edge technologies, compliance support, incident response know-how, and continuous threat intelligence improvement.

Turning to managed security services is a strategic move that promises stability and resilience in a cybersecurity landscape that is constantly changing as organizations deal with the uncertainties of difficult economic times. By adopting this strategy, businesses can strengthen their defenses and concentrate on their primary goals, ready to face challenges and become stronger after the recession.

The post Navigating economic uncertainty with managed security services appeared first on Cybersecurity Insiders.


August 30, 2023 at 09:10PM

Enhancing Higher Education Security: The Role of Security Service Edge

Jaye Tillson, Field CTO at Axis Security

Amidst the ever-evolving terrain of modern information technology, the domain of higher education has emerged as a focal point for malicious activities. Consequently, ensuring the safety and security of students, educators, and intellectual property assets has become a top priority at all levels.

Educational institutions find themselves in the crosshairs of escalating cyberattacks. The aftermath of these attacks, characterized by data breaches, has yielded not only the compromise of sensitive information but also the disruption of the smooth continuum of academic pursuits.

In response, the emergence of Secure Access Service Edge (SASE) has surfaced as an indispensable solution capable of fortifying the security resiliency of higher education establishments.

Understanding Secure Access Service Edge (SASE)

Secure Access Service Edge (SASE) represents a holistic security framework that seamlessly integrates security with wide area networking (WAN) capabilities within a single cloud-based service. SASE strategically relocates security services to the cloud’s edge, thus positioning security protocols closer to users, devices, and data.

This dynamic approach, in contrast to traditional centralized security models, effectively curbs latency, enhances performance, and extends robust protection. Such attributes render SASE impeccably suited for the dynamic and widespread landscape of higher education institutions.

Challenges Confronting Higher Education

Higher education institutions confront an array of unique security challenges due to their intricate IT ecosystems and diverse user demographics. Among these, prominent challenges encompass:

  • Remote Learning and the BYOD Culture: The advent of remote learning accelerated by the pandemic has fostered a “Bring Your Own Device” (BYOD) culture. This transition has broadened the attack surface, underscoring the need to secure a diverse spectrum of devices and endpoints.
  • Guarding Sensitive Data: Higher education institutions harbor an extensive trove of sensitive data encompassing personal information and proprietary resources. The imperative to safeguard this data is twofold, protecting both individuals and institutional repute.
  • Preserving Intellectual Property and Research: Academic research is a precious asset, consequently rendering universities attractive targets for intellectual property theft. Cybercriminals often set their sights on research data, with motives ranging from financial gains to competitive advantages.
  • Navigating Compliance and Regulations: Educational institutions find themselves obligated to adhere to an array of data protection regulations such as the Family Educational Rights and Privacy Act (FERPA) and the General Data Protection Regulation (GDPR). It becomes even more complex for research universities involved in projects funded by the federal government. This layer of complexity adds nuance to their security strategies.
  • Resource Constraints: Budget limitations and constrained IT resources can potentially impede the establishment of robust security measures.

Benefits of Secure Access Service Edge in Higher Education

The integration of SASE can effectively tackle these challenges and confer numerous advantages to higher education institutions:

  • Elevated Data Protection: SASE takes a data-centric approach to security, inspecting traffic between users and applications at the cloud edge and applying encryption and data loss prevention policies to data in transit. Universities can thereby control how sensitive information leaves and enters their applications and thwart unauthorized access, although protection of data at rest still depends on the controls of the applications and storage behind the edge.
  • Scalability and Flexibility: The cloud-based nature of SASE empowers institutions to calibrate security services in alignment with their evolving requirements. Whether accommodating a sudden influx of remote learners or adapting to ever-changing threat landscapes, SASE provides flexibility without compromising security.
  • Mitigated Latency: By situating security services proximate to the edge, SASE diminishes latency and optimizes the performance of applications. This facet proves pivotal for real-time collaboration tools and virtual learning environments.
  • Holistic Threat Management: SASE introduces a unified paradigm for threat management, seamlessly encompassing features like firewalls, intrusion detection and prevention, anti-malware tools, and data loss prevention. This unified security suite minimizes vulnerabilities and simplifies management.
  • Enhanced Compliance: SASE’s capacity for meticulous control over user access and data handling translates into enhanced compliance with diverse regulations. This capability enables institutions to effectively demonstrate their dedication to safeguarding the privacy of students and staff.
  • Cost-Efficiency: The adoption of cloud-based SASE negates the necessity for on-premises hardware, facilitating the embrace of a subscription-based model. This pragmatic shift can effectively curtail capital expenditures and provide cost predictability.

Secure Access Service Edge emerges as a transformative force for higher education institutions seeking to fortify their security stance within an environment characterized by evolving technological landscapes and mounting security challenges. Through the adoption of an edge-centric security approach, universities and colleges can adeptly safeguard their students, educators, and invaluable intellectual assets.

The combination of reduced latency, heightened data protection, scalability, and compliance adherence makes SASE a strategic investment for higher education establishments. It is my conviction that the embrace of Secure Access Service Edge represents a proactive stride toward establishing a robust security bedrock for the future of education.

The post Enhancing Higher Education Security: The Role of Security Service Edge appeared first on Cybersecurity Insiders.


August 30, 2023 at 09:02PM

Unveiling Network and Security Architectures: SD-WAN, SASE, SSE, and Zero Trust

By Jaye Tillson, Director of Strategy, Axis Security

Over the past few years, our world has evolved at a rapid pace. This rapid evolution has given rise to innovative networking and security architectures such as SD-WAN, SASE, SSE, and Zero Trust. With the exception of SD-WAN, these are relatively new architectures, and I am often asked how they differ and what their key features are. In this article I will give my definition of each and highlight what I believe to be the key features.

SD-WAN (Software-Defined Wide Area Network)

SD-WAN, or Software-Defined Wide Area Network, is a technology that is designed to simplify the management and optimization of wide area networks (WANs). Traditional WANs often struggled to provide reliable connectivity, low latency, and efficient traffic routing across geographically dispersed locations. SD-WAN was designed to address these challenges by using software to dynamically manage and route network traffic based on real-time conditions. It enables organizations to leverage multiple network connections, such as MPLS, broadband, and cellular, while ensuring optimal performance and cost-effectiveness.

Key Features:

  • Dynamic path selection: Traffic is directed along the most suitable path based on application requirements and network conditions.
  • Centralized management: Network policies can be easily configured, monitored, and managed from a centralized console.
  • Application-aware routing: SD-WAN can prioritize critical applications, ensuring their performance even in congested network conditions.
  • Cost optimization: By utilizing multiple network links, organizations can reduce reliance on expensive dedicated lines.

SASE (Secure Access Service Edge)

SASE, or Secure Access Service Edge, envisioned by Gartner in 2019, is a holistic networking and security architecture that merges network connectivity (SD-WAN) and security services (SSE) into a single cloud-based solution. The core concept of SASE is to provide secure access to applications and data regardless of user location. By converging network and security functions, SASE aims to simplify management, improve user experience, and enhance overall security posture.

Key Features:

  • Cloud-native architecture: SASE operates from the cloud, allowing for scalability, flexibility, and easy updates.
  • Zero Trust security model: SASE assumes zero trust, requiring strict verification for users and devices before granting access.
  • WAN optimization: SASE optimizes traffic routing to ensure fast and reliable application performance.
  • Integrated security services: SASE combines features like firewalling, secure web gateways, data loss prevention, and more.

SSE (Security Service Edge)

SSE, or Security Service Edge, defined by Gartner in 2021, is the security half of SASE: the cloud-delivered security services (secure web gateway, cloud access security broker and zero trust network access) that protect access to web, SaaS and private applications, separated from the SD-WAN networking half. At its core is the concept of Zero Trust. In an SSE architecture, security is enforced in the cloud service path itself rather than by appliances at a network perimeter, reducing the need for separate point security tools. This approach enhances protection for services and data, fostering a secure-by-design environment.

Key Features:

  • Service-level security: Security measures are integrated at the service layer, safeguarding data and applications.
  • Decentralized security controls: Each service has its own security controls, reducing the potential impact of a breach.
  • Agility and scalability: SSE supports rapid deployment and scaling of services without compromising security.
  • Automated threat response: SSE platforms can autonomously respond to security threats based on predefined policies.

Zero Trust

Zero Trust is a security framework that challenges the traditional perimeter-based security model. It operates under the assumption that threats can originate from both internal and external sources. Instead of trusting entities based on their location (inside or outside the network perimeter), Zero Trust requires verification of all users, devices, and applications before granting access to resources.

Key Principles:

  • Verify before trust: Users and devices must be authenticated and authorized before accessing any resources.
  • Least privilege access: Access rights are granted based on the principle of least privilege, limiting potential damage.
  • Micro-segmentation: Networks are divided into smaller segments, reducing the lateral movement of threats.
  • Continuous monitoring: Ongoing monitoring ensures that security policies are consistently enforced.
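The four principles above can be read as a single access-control loop: authenticate and check posture on every request, consult a least-privilege role map, scope the grant to one segment, and re-evaluate as posture changes. The following toy policy decision point is an added example and not code from the article or from Axis Security; the users, roles, resources and segment names are hypothetical. Note that the network location field is carried in the request but deliberately never consulted.

```python
"""Toy Zero Trust policy decision point (PDP).

Added example, not from the original article. Every request carries the
identity, device posture and context it claims; nothing is trusted for being
"inside" the network. Access is denied by default and granted only when the
identity is verified (MFA), the device is healthy, and the role holds the
least privilege needed for the specific resource and action. Decisions are
re-evaluated on every access, so a posture change mid-session revokes access.
All user names, roles, resources and segments below are hypothetical.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool
    device_compliant: bool
    network: str          # "corp" or "internet": deliberately NOT used for trust
    resource: str
    action: str


# Least privilege: the (resource, action) pairs each role may perform.
POLICY = {
    "engineer": {("git", "read"), ("git", "write"), ("ci", "read")},
    "finance":  {("erp", "read"), ("erp", "write")},
    "auditor":  {("erp", "read"), ("git", "read")},
}

# Micro-segmentation: each resource lives in one segment and a grant never
# reaches beyond the segment of the resource that was named.
SEGMENTS = {"git": "dev", "ci": "dev", "erp": "corp-finance"}


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Deny by default; every check must pass."""
    if not req.mfa_verified:
        return False, "identity not verified (MFA required)"
    if not req.device_compliant:
        return False, "device posture failed"
    if req.resource not in SEGMENTS:
        return False, f"unknown resource {req.resource!r}"
    permitted = set().union(*(POLICY.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in permitted:
        return False, (f"least privilege: roles {sorted(req.roles)} "
                       f"may not {req.action} {req.resource}")
    return True, f"allowed into segment {SEGMENTS[req.resource]}"


class Session:
    """Continuous monitoring: the policy is re-run on every access, not once at login."""

    def __init__(self, req: Request):
        self.req = req
        self.log = []

    def access(self, **posture_changes) -> bool:
        # Apply any posture update (e.g. device fell out of compliance) and re-decide.
        self.req = replace(self.req, **posture_changes)
        ok, why = decide(self.req)
        self.log.append((ok, why))
        return ok


if __name__ == "__main__":
    s = Session(Request("carol", frozenset({"auditor"}), True, True, "corp", "erp", "read"))
    s.access()                          # granted
    s.access(device_compliant=False)    # revoked mid-session
    for ok, why in s.log:
        print("ALLOW" if ok else "DENY ", why)
```

Run directly it prints one ALLOW followed by a DENY once the device posture changes; the same user on the "corp" network without MFA is denied just as a user on the internet would be.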

The post Unveiling Network and Security Architectures: SD-WAN, SASE, SSE, and Zero Trust appeared first on Cybersecurity Insiders.


August 30, 2023 at 08:47PM

Barracuda Email Hack leaks government emails in America

China has reportedly focused its efforts on compromising email security appliances within several American government networks, raising concerns about potential data exploitation. According to findings from Mandiant, a China-nexus espionage actor began exploiting the Barracuda Email Security Gateway (ESG) as early as October 2022, initially deploying two malware families on compromised appliances.

The ramifications of these attacks on the Barracuda email system are still under investigation, with their full extent yet to be unveiled. Mandiant attributes the campaign to UNC4841, an espionage group believed to be backed by Beijing. This group is thought to have introduced the SeaSpy and Saltwater malware into approximately 5% of active Barracuda ESG appliances.

The primary objective of the attack appears to be the extraction of sensitive information from government organizations and high-ranking officials in North America. Barracuda patched the zero-day remote command injection flaw in the ESG appliances (CVE-2023-2868) in May 2023, but because the implants persisted on appliances that had already been compromised, it has since advised affected customers to replace the appliances rather than rely on the patch. Those who have fallen victim to the attack or suspect a compromise are also advised to rotate any credentials the appliance held or could reach, including the LDAP/Active Directory (AD) bind account, in order to deny the attackers continued access to the wider network.

In a parallel investigation, the Cybersecurity and Infrastructure Security Agency (CISA) published analyses of two further backdoors, Submarine and Whirlpool, recovered from compromised ESG appliances and attributed to the same Chinese group.

Austin Larsen, Senior Incident Response Consultant at Mandiant, noted that “espionage actors with affiliations to China have refined their toolsets to an extent where they have become more impactful, elusive, and efficient.”

The post Barracuda Email Hack leaks government emails in America appeared first on Cybersecurity Insiders.


August 30, 2023 at 08:34PM

No More Band-Aids: It’s Time for IT and OT Security Convergence

By Sreenivas Gukal, Head of Products, VP of Engineering, and Co-Founder at Acalvio Technologies

Enterprises and regulated industries are becoming well aware that their risk management strategy must include cybersecurity for OT (Operational Technology) environments and the convergence of IT and OT isn’t just happening, it has happened. When it comes to OT, there’s a combination of high potential impact to safety and core operations paired with the unfortunately limited focus on IT security in industrial environments: which translates into substantial risk. Implementing security controls in such facilities is difficult for several reasons, including concerns that security controls will impact production availability, overall lack of understanding of OT systems and protocols by the IT staff charged with monitoring them, onerous change management restrictions, and the frustrating inability to deploy many types of security solutions on OT systems.

However, just because there’s a lack of symbiosis and a gap in education doesn’t mean that every OT system is a cybersecurity tragedy waiting to happen. When you look a little closer at the way these systems are set up and managed, there are clear solutions to protecting them, and protecting them can’t always wait for two sides to come to an agreement. When an OT device is attacked, it’s more than just critical data at risk. In the past several years, high-profile attacks have reached into critical infrastructure: the Colonial Pipeline ransomware incident hit the company’s IT systems but forced a precautionary shutdown of pipeline operations, and the SolarWinds supply-chain compromise showed how a trusted IT update channel can carry an attacker into otherwise well-defended networks, including those adjacent to OT. This scale of attack is simply not acceptable in today’s world, especially when so much is at risk and there are viable security solutions to prevent it.

A Standalone Discipline – Or Is It?

Though OT and IT have always had standalone protocols that theoretically set them apart from each other, there has never been a world in which OT cybersecurity has existed without IT input. It’s in the name: cybersecurity. Previously, OT devices were assumed protected because of what we now know as the myth of the air gap, meaning the network the OT devices live on is not connected to either the Internet or any other outside network. Of course, air-gapped networks still need a solution to protect against insider threats and infected removable media, but those solutions are straightforward and have long been in action.

However: how do you update the software of a device that isn’t connected to a network? Historically, a tech has to physically bring in a USB stick to plug in to the equipment, run the upgrade, disconnect from the device, and hope nothing malicious gets in in the meantime. Another failure of the air gap is believing that the internal device network isn’t connected to anything else, when it in fact is. Especially as remote work has become more common, formerly “air gapped” networks have multiple points of outside entry.

In essence, if you want to have a protected network, you could never have been relying solely on OT expertise. When you bring a network of any kind into play, it requires the aid of someone well versed in IT solutions. With that in mind, what does the continued blending of IT and OT look like now?

OT and IT Security Aren’t Converging- They’re Already Converged

Though IT may have long been aiding OT in the setup of their networked devices, the whole concept of cybersecurity and OT still seems brand new. This is because the systems haven’t even been built until recently, leading to a lack of maturity in the space. In the past, when historically solely OT devices have had to be moved onto an IT network, they’ve been moved in a patchwork fashion utilizing outdated technology, typically because that’s all the organization had available to them. Cybersecurity solutions had to be developed specifically for OT environments because it’s difficult or even impossible to patch over those outdated IT protocols without customization. Even when organizations choose to fully adopt IT methods for their OT space, they might not have the manpower or expertise on their teams to execute cybersecurity solutions in a way that everyone on board can understand. This leaves us with a very specific need: a cybersecurity solution that can operate identically in OT and IT environments without the need for customization, and one that can be easily understood by anyone using it.

This is where deception-technology-based Active Defense comes in. Deception tech is unique in its ability to operate in OT and IT environments interchangeably, and it makes the blending of the two exciting rather than frustrating or even frightening. Because deception technology doesn’t rely on sifting through after-attack reports, but rather “captures” the attacker within the network as soon as the attacker engages with a deception artifact (a planted credential, an unused address posing as a controller, a share nobody should open), the rules of engagement are straightforward even for OT experts who aren’t well-versed in the cybersecurity space: legitimate users never touch a decoy, so any touch is an alert.
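The detection rule behind a deception artifact is the same whether the decoy is an Active Directory account or a fake PLC on the plant network, which is what lets the technique span IT and OT. The following detector is an added example, not Acalvio's product or code from the article; the decoy account names, the decoy address answering on the Modbus port, the share name and the syslog-style lines are all constructed for this illustration.

```python
"""Decoy-interaction detector: the core rule of deception-based Active Defense.

Added example, not the vendor's product. Decoy artifacts (a bogus service
account planted in the directory, an unused IP posing as a PLC, a share nobody
should open) have no legitimate users, so any interaction with them is a
high-fidelity alert with no baseline or signature needed. The same rule fires
on an IT login and on an OT Modbus poll, which is why the technique spans both.
Decoy names, addresses and the log lines are all constructed for this example.
"""
import re
from dataclasses import dataclass

DECOY_ACCOUNTS = {"svc_backup_legacy", "plc_admin"}   # planted, never used legitimately
DECOY_HOSTS = {"10.20.30.99"}                         # unused address answering as a PLC
DECOY_SHARES = {"\\\\fs01\\Engineering_Archive"}      # share with no legitimate readers

# Constructed syslog-style lines: a benign login, a decoy-account login attempt,
# a Modbus (tcp/502) connection to the decoy PLC, and a decoy share access.
SAMPLE_LOG = """\
2023-08-30T10:01:02Z dc01 auth: user=jsmith src=10.1.5.23 result=success
2023-08-30T10:03:44Z dc01 auth: user=svc_backup_legacy src=10.1.5.77 result=failure
2023-08-30T10:04:10Z fw01 conn: proto=tcp src=10.1.5.77 dst=10.20.30.99 dport=502 action=allow
2023-08-30T10:05:31Z fs01 smb: user=jsmith src=10.1.5.77 share=\\\\fs01\\Engineering_Archive op=open
"""

AUTH_RE = re.compile(r"auth: user=(?P<user>\S+) src=(?P<src>\S+)")
CONN_RE = re.compile(r"conn: .*src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
SMB_RE = re.compile(r"smb: user=(?P<user>\S+) src=(?P<src>\S+) share=(?P<share>\S+)")


@dataclass(frozen=True)
class Alert:
    src: str        # where the touch came from: the investigation starts here
    artifact: str   # which decoy was touched
    kind: str       # "account" | "host" | "share"


def detect(log_text: str) -> list:
    """Scan log lines; every decoy touch is an alert, whether or not it succeeded."""
    alerts = []
    for line in log_text.splitlines():
        if (m := AUTH_RE.search(line)) and m["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(m["src"], m["user"], "account"))
        elif (m := CONN_RE.search(line)) and m["dst"] in DECOY_HOSTS:
            alerts.append(Alert(m["src"], f'{m["dst"]}:{m["dport"]}', "host"))
        elif (m := SMB_RE.search(line)) and m["share"] in DECOY_SHARES:
            alerts.append(Alert(m["src"], m["share"], "share"))
    return alerts


def suspects(alerts: list) -> dict:
    """Count decoy touches per source address; repeat touches show an intruder exploring."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.kind:<7} src={a.src} artifact={a.artifact}")
    print("sources touching decoys:", suspects(found))
```

The benign login never matches because the account, host and share are real; the three remaining lines each hit a decoy and all trace back to one source, 10.1.5.77, which is exactly the pivot an analyst (or an OT engineer with no SOC background) needs to act on.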

The convergence of IT and OT is not a future prospect, but a reality that demands immediate attention. The vulnerability of OT systems, coupled with the historical neglect of IT security in industrial settings has resulted in a cybersecurity risk to OT environments everywhere. Fortunately, solutions to protect OT environments are attainable, and the potential risk to critical infrastructure environments should supersede the fear of change. By simplifying the rules of engagement and enabling OT experts to navigate the cybersecurity landscape effectively, Active Defense and deception technology paves the way for a harmonious convergence of IT and OT security efforts, mitigating risks and fortifying critical infrastructures in an increasingly interconnected world.

The post No More Band-Aids: It’s Time for IT and OT Security Convergence appeared first on Cybersecurity Insiders.


August 30, 2023 at 05:04PM

The Latest in Cybersecurity Incidents Making Google Headlines

Collaborative Efforts Dismantle Qakbot Malware’s IT Infrastructure

In a significant joint operation, the FBI, in partnership with the Department of Justice and international allies, has taken down the infrastructure of the Qakbot botnet. Drawing on cyber law enforcement units in France, the USA, Germany, the Netherlands, Romania, Latvia, and the UK, investigators gained access to the botnet’s command-and-control infrastructure, redirected its traffic to servers under their control, and from there instructed infected machines to uninstall the malware. The operation aimed to disrupt the criminal activity built on Qakbot, which began as a banking trojan and became, above all, an initial-access loader that sold footholds in victim networks to ransomware groups and fraudsters.

The collaborative effort yielded positive results, with law enforcement agencies managing to infiltrate the Qakbot infrastructure. Their efforts unveiled a staggering 700,000 infected computers worldwide, all harboring the Qakbot malware. Particularly concerning was the identification of over 200,000 infected computers within the United States alone.

University of Michigan’s Network Disrupted Due to Suspicious Activity

In a recent cybersecurity development, the University of Michigan has taken the precautionary step of severing network connections for its students and staff since August 27, 2023. The decision came in response to the detection of suspicious activities within the university’s computer network across its campuses.

The university’s IT teams are working tirelessly to rectify the situation and restore network services as swiftly as possible. While the restoration process is underway, the administration has granted temporary permission for students and staff to access certain applications such as Zoom, Adobe, Dropbox, Slack, Google, and Canva from external networks using school devices.

Hospital Sisters Health System Takes Protective Measures Against Network Malware

Hospital Sisters Health System (HSHS) has taken a proactive stance in the face of a potential network malware infection. Over the past two days, the healthcare provider has opted to shut down its computer network to contain any potential threats and safeguard its clinical and administrative applications.

HSHS has released a statement regarding the temporary shutdown, outlining the suspension of services such as MyChart Communications. This platform is typically used by patients to manage appointments, view test results, access medical history, and make payments. The network will remain inactive until further notice, reflecting HSHS’s commitment to maintaining the integrity of patient data and healthcare operations.

The post The Latest in Cybersecurity Incidents Making Google Headlines appeared first on Cybersecurity Insiders.


August 30, 2023 at 11:13AM

Tuesday, August 29, 2023

Volatility Workbench: Empowering memory forensics investigations

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Memory forensics plays a crucial role in digital investigations, allowing analysts to extract from a computer’s volatile memory (RAM) evidence that never reaches disk: running processes, open network connections, and credential material. Two popular tools in this field are the Volatility Framework and Volatility Workbench, a graphical front end built on top of it that is designed to simplify and enhance memory forensics. This article compares the two, highlighting their features and differences to help investigators choose the right one, and explores how Volatility Workbench helps uncover critical evidence and facilitates comprehensive memory analysis.

Understanding Volatility Framework:

Volatility Framework is a robust tool used for memory analysis. It operates through a command-line interface and offers a wide range of commands and plugins. It enables investigators to extract essential data from memory dumps – including running processes, network connections, and passwords. However, it requires technical expertise to utilize effectively.

Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Volatility framework can be downloaded here. The Volatility Foundation provides these tools.

Introducing Volatility Workbench:

Volatility Workbench is a user-friendly graphical interface built on the Volatility Framework. It simplifies memory analysis by providing a visual interface that is more accessible, even for users with limited command-line experience. With Volatility Workbench, investigators can perform memory analysis tasks without the need for extensive command-line knowledge. Volatility Workbench can be downloaded here.

One of the key advantages of Volatility Workbench is its user-friendly interface, designed to simplify the complex process of memory forensics. With its graphical interface, investigators can navigate through various analysis options and settings effortlessly. The tool presents information in a visually appealing manner – with graphs, charts, and timelines, making it easier to interpret and draw insights from extracted data.

The initial interface when the Volatility Workbench is started looks like this:

Volatility Workbench main screen

The Volatility Workbench offers options to browse and select memory dump files in formats such as *.bin, *.raw, *.dmp, and *.mem. Once a memory dump file is chosen, the next step is to select the platform or operating system that the system being analyzed is using.

memdump screen of Volatility Workbench

Once the memory image file and platform are selected, click Get Process List in Volatility Workbench.

It will begin scanning the memory image. After that, you can use the options in the Command tab by selecting a valid command. The description of the selected command is shown in the dialog box on the side pane.

When Get Process List has finished, the interface will look like this:

Volatility Workbench command descriptions

Now we can select the command we want to use – let’s try using the command drop down menu.

Drop-down commands in Volatility Workbench

Voila, we have commands available for analyzing the Windows memory dump.

Let’s try a command which lists process memory ranges that potentially contain injected code.

Passmark popup in Volatility Workbench

As seen in the image above, you can see the command as well as its description. You also have the option to select specific process IDs from the drop-down menu to limit the scan to the processes you are interested in.

Malfind command screen in Volatility Workbench

Let’s use the Malfind command to list process memory ranges that potentially contain injected code. It will take some time to process.

process ranges identified by malfind command

The analysis of the Malfind output requires a combination of technical skills, knowledge of malware behavior, and understanding of memory forensics. Continuously updating your knowledge in these areas and leveraging available resources can enhance your ability to effectively analyze the output and identify potential threats within memory dumps.

Look for process names associated with the identified memory regions. Determine if they are familiar or potentially malicious. Cross-reference them with known processes or conduct further research if necessary.
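The triage steps just described (checking which regions start with an executable header, and cross-referencing process names against what you expect on the host) are easy to automate once the Malfind output is saved to a text file. The script below is an added example, not part of the original article or of the Volatility project; the sample output is constructed in the layout of Volatility 2's text-mode malfind report, and the baseline of known process names is hypothetical (in practice it comes from a known-good image or an inventory of the environment).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of Volatility 2's text-mode malfind output
# (header line, VAD/protection line, flags line, then a hexdump of the region
# start). Three regions, all PAGE_EXECUTE_READWRITE, with different contents.
SAMPLE_MALFIND_OUTPUT = """\
Process: explorer.exe Pid: 1812 Address: 0x2a80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02a80000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x02a80010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: svchost.exe Pid: 2044 Address: 0x1f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001f0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: updater.exe Pid: 3120 Address: 0x400000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 12, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x00400000  55 8b ec 83 ec 10 53 56 57 8b 7d 08 85 ff 74 2a   U.....SVW.}...t*
"""

# Hypothetical baseline of process names expected on this host.
KNOWN_PROCESSES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

HEADER_RE = re.compile(r"^Process: (?P<proc>\S+) Pid: (?P<pid>\d+) Address: (?P<addr>0x[0-9a-fA-F]+)$")
PROT_RE = re.compile(r"Protection: (?P<prot>PAGE_\w+)")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ?)+)")


@dataclass
class Finding:
    process: str
    pid: int
    address: str
    protection: str = ""
    first_bytes: list = field(default_factory=list)
    reasons: list = field(default_factory=list)
    score: int = 0


def parse_malfind(text: str) -> list:
    """Split malfind text output into one Finding per reported region."""
    findings = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            findings.append(Finding(m["proc"], int(m["pid"]), m["addr"]))
            continue
        if not findings:
            continue
        cur = findings[-1]
        if line.startswith("Vad Tag"):
            p = PROT_RE.search(line)
            if p:
                cur.protection = p["prot"]
        elif not cur.first_bytes:
            h = HEX_RE.match(line)
            if h:
                cur.first_bytes = h.group(1).split()  # first hexdump row only
    return findings


def triage(text: str, known: set = KNOWN_PROCESSES) -> list:
    """Score each region: an MZ header in private RWX memory and an unknown
    process name push a region up; a zero-filled region start (a frequent
    malfind false positive) is left at score 0. Returns findings sorted by score."""
    findings = parse_malfind(text)
    for f in findings:
        if f.first_bytes and all(b == "00" for b in f.first_bytes):
            f.reasons.append("zero-filled at region start (common false positive)")
            continue
        if f.protection == "PAGE_EXECUTE_READWRITE":
            f.score += 1
            f.reasons.append("writable and executable private region")
        if f.first_bytes[:2] == ["4d", "5a"]:
            f.score += 3
            f.reasons.append("MZ header: PE image mapped outside the loader")
        if f.process.lower() not in known:
            f.score += 2
            f.reasons.append("process name not in baseline; verify its image path")
    return sorted(findings, key=lambda f: (-f.score, f.pid))


if __name__ == "__main__":
    for f in triage(SAMPLE_MALFIND_OUTPUT):
        print(f"{f.score} {f.process}({f.pid}) {f.address}: {'; '.join(f.reasons)}")
```

On the constructed sample, the explorer.exe region is ranked first because its private RWX memory begins with a PE header, the unfamiliar updater.exe region comes next, and the zero-filled svchost.exe region drops to the bottom. The scores are a starting order for manual review, not a verdict; a flagged region still has to be dumped and examined.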

Some of the features of Volatility Workbench:

  • It streamlines memory forensics workflow by automating tasks and providing pre-configured settings.
  • It offers comprehensive analysis capabilities, including examining processes, network connections, and recovering artifacts.
  • It seamlessly integrates with plugins for additional analysis options and features.
  • It lets you generate comprehensive reports for documentation and collaboration.

Conclusion

By leveraging the capabilities of the underlying Volatility Framework, Volatility Workbench provides a streamlined workflow, comprehensive analysis options, and flexibility through plugin integration. With its user-friendly interface, investigators can efficiently extract valuable evidence from memory dumps, uncover hidden activities, and contribute to successful digital investigations. Volatility Workbench is an indispensable tool in the field of memory forensics, enabling investigators to unravel the secrets stored within a computer’s volatile memory.

The post Volatility Workbench: Empowering memory forensics investigations appeared first on Cybersecurity Insiders.


August 30, 2023 at 09:09AM

Mobile threat defense or bust

The case for unified endpoint management and mobile threat defense

The evolution of endpoint management

Unified endpoint management (UEM) has played a significant role over the years in enabling companies to improve the productivity and security of their corporate mobile devices and applications. In the early days of endpoint management there were separate workflows and products as it pertains to traditional endpoints, such as desktops and laptops, versus mobile devices. Over time, administrators grew frustrated with the number of tools they were required to learn and manage so developers moved toward an integrated solution where all endpoint devices, regardless of type, could be inventoried, managed, and have consistent policies applied through a single pane of glass.

Today, UEMs allow IT administrators to be more productive by enabling them to set and enforce policies as to the type of data and applications an employee can access, providing the administrators with granular control and more effective security. These UEM platforms boast security features including the ability to identify jailbroken or rooted devices, enforcing passcodes, and enabling companies to wipe the data from mobile devices in the event they become lost or stolen. In general, UEMs have and continue to play an integral part in improving the management and productivity of business-critical mobile endpoints. 

Possible avenues for attack

However, in today’s environment, companies are experiencing a significant rise in the number of sophisticated and targeted malware attacks whose goal is to capture their proprietary data.  Only a few years ago, losing a mobile device meant forfeiture of content such as text messages, photographs, contacts, and calling information. Today’s smartphones have become increasingly sophisticated not only in their transactional capabilities but also represent a valuable target, storing a trove of sensitive corporate and personal data, and in many cases include financial information. If the phone stores usernames and passwords, it may allow a malicious actor to access and manipulate a user’s account via banking or e-commerce websites and apps. 

To give you a sense of the magnitude of the mobile security issues:

Attack vectors come in various forms, with the most common categorized below:

Device-based threats – These threats are designed to exploit outdated operating systems, risky device configurations and jailbroken/rooted devices.

App threats – Malicious apps can install malware, spyware or rootkits, or share information with the developer or third parties unbeknownst to the user, including highly sensitive business and personal data.

Web and content threats – Threats may be transmitted via URLs opened from emails, SMS messages, QR codes, or social media, luring users to malicious websites.  These websites may be spoofed to appear like a legitimate site requesting payment details or login credentials. Other websites may include links that will download malware to your device.

Network threats – Data is at risk of attack via Wi-Fi or cellular network connections.  Attacks can come in the form of man-in-the-middle attacks or rogue access points enabling hackers to capture unencrypted data.     

Enter mobile threat defense

While UEM can inventory assets, offer employees a more consistent experience, and be used to push updates, its threat detection capabilities are extremely limited. The increased sophistication of malware attacks makes UEM platforms insufficient to detect or prevent these attacks from occurring.

To address these attacks, more companies are adopting mobile threat defense solutions to work in tandem with their UEM subscriptions. Mobile threat defense (MTD) enables companies to identify and block mobile threats across most, if not all, attack vectors. The following outlines how mobile threat defense protects against the four main categories of mobile device threats:

Device-based threats – Continuous evaluation of user and device risk posture, with the ability to prevent jailbroken devices, devices with an outdated OS, and devices with risky configurations from accessing the network.

App and content threats – Continuous scanning for malware, viruses, trojans and side-loaded apps. Detected threats are alerted in real time, with remediation applied on the device.

Network threats – Scans each of the customer’s mobile devices for missing OS security patches, identifies man-in-the-middle attacks and other network-related vectors, and provides remediation guidance such as applying vulnerability and bug fixes.

Web and content threats – Mobile threat defense will alert users to phishing attempts from email, SMS, or browsers. It can also block malicious websites, depending on the MTD features and capabilities.

Use cases

Remote payment processing

Companies are beginning to increase flexibility and decrease time to revenue by offering mobile payments in the field. If mobile devices are part of the company’s payment path, they require protection. Malicious actors may use man-in-the-middle attacks to intercept network transactions. Equally threatening are surveillanceware attacks that capture information during a transaction. Mobile threat defense will identify these attacks, alert the user, and potentially block them, depending on the MTD solution’s capabilities.

Defend high-value targets against breach

Executives are commonly targeted as they may have access to sensitive data (e.g., financial and strategic plans, customer data, and human resources related information) and often use mobile devices while “on the road”. Attack vectors such as spear phishing may be deployed by hackers in targeted attacks. Such highly sensitive information warrants securing executives’ devices. Mobile threat defense applications will aid the IT administrator in identifying these attacks and alert the user on their device.

Mobile threat defense vendors and solutions

There are a few mobile threat defense offerings for consideration in terms of their effectiveness in addressing threat vectors that target mobile devices.

IBM MaaS360 Mobile Threat Management: IBM recently introduced a new version of its mobile threat management application to complement its UEM offering. IBM MaaS360 Mobile Threat Management enables companies to detect, analyze and remediate enterprise malware on mobile devices. It provides SMS and email phishing detection, advanced jailbreak, root and hider detection with over-the-air updates for security definitions. Administrators can configure compliance policies based on these advanced threats and remediate vulnerabilities—improving the security of bring your own device (BYOD) and corporate-owned devices.

SentinelOne Mobile Threat Defense: This solution enables comprehensive, on-device, autonomous security for corporate-owned and personally owned BYOD devices that protects against modern day threats and exploits. The mobile agent detects application exploits in real-time, untrusted networks, man-in-the-middle attacks, system tampering, and delivers mobile phishing protection.

Lookout Mobile Endpoint Security: Lookout Mobile Endpoint Security (MES) is considered by many to be the industry’s most advanced platform for delivering mobile endpoint detection and response (EDR). Its capabilities include extending zero trust policies to any device having access to corporate data, evaluating the risk posture of every user and mobile device throughout their session, and automatically ending the session if the risk posture changes, informing both user and admin of the threat.

The post Mobile threat defense or bust appeared first on Cybersecurity Insiders.


August 29, 2023 at 07:59PM

Battling malware in the industrial supply chain

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Here’s how organizations can eliminate content-based malware in ICS/OT supply chains.

As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects.

A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack:

  • Two distinct types of malware, “Sunburst” and “Supernova,” were secretly placed into an authorized software update.
  • Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures.
  • Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection.
  • The C2 traffic was cleverly hidden using steganography, making detection even more challenging.
  • The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations.

While this incident led to widespread IT infiltration, it did not directly affect OT systems.

In contrast, other attacks have had direct impacts on OT. In 2014, a malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences.

Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems.

These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including:

  1. Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage.
  2. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points.
  3. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making.
  4. Access control challenges: Proper identity and access management within complex environments are crucial.
  5. Compliance with best practices: Adherence to guidelines such as NIST’s best practices is essential for resilience.
  6. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions.

Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems.

Supply chain defense: The power of content disarm and reconstruction

Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious.

What does CDR do?

In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety.

  • Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while maintaining full functionality.
  • Removes harmful elements: This process effectively removes any harmful elements, making it a robust defense against known and unknown threats, including zero-day attacks.

How does it work?

CDR’s effectiveness lies in its methodical approach to file handling, ensuring that no stone is left unturned in the pursuit of security.

  • Content firewall: CDR acts as a barrier, with files destined for OT systems relayed to external sanitization engines, creating a malware-free environment.
  • High availability: Whether on the cloud or on-premises in the DMZ (demilitarized zone), the external location ensures consistent sanitization across various locations.

Why choose CDR?

With cyber threats becoming more sophisticated, CDR offers a fresh perspective, focusing on prevention rather than mere detection.

  • Independence from detection: Unlike traditional methods, CDR can neutralize both known and unknown malware, giving it a significant advantage.
  • Essential for security: Its unique approach makes CDR an indispensable layer in critical network security.

CDR in action:

Beyond theory, CDR’s real-world applications demonstrate its ability to adapt and respond to various threat scenarios.

  • Extreme processes: CDR applies deconstruction and reconstruction to incoming files, disrupting any embedded malware.
  • Virtual content perimeter: Positioned outside the network, in the DMZ, it blocks malicious code entry through email and file exchange.
  • Preventative measures: By foiling the initial access phase, CDR has been shown to deliver up to 100% prevention rates for various malware.
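The “deconstruction and reconstruction” step under “How does it work?” and “CDR in action” is easiest to see on a concrete file format. The script below is an added example, not code from the original article or from any CDR vendor: a minimal sanitizer for PNG images that parses the file into chunks, keeps only the chunks a decoder needs to render pixels, checks the inflated pixel stream against the geometry declared in the header, and then writes a brand-new file from the recovered pixels. Metadata chunks, unknown private chunks, and any bytes appended after the end-of-image marker never reach the output. The sample images are constructed inline; non-interlaced PNGs are assumed (interlaced and otherwise unusual variants are rejected rather than passed through).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The only chunks a decoder needs to render the pixels; everything else
# (tEXt, iTXt, eXIf, private chunks, data after IEND) is discarded.
CRITICAL_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes):
    """Return (list of (type, data), number of bytes trailing IEND).
    Signature, lengths and CRCs are checked; anything inconsistent is rejected."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos, chunks = 8, []
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk")
    return chunks, len(png) - pos


def rebuild_png(png: bytes) -> bytes:
    """Disarm and reconstruct: keep only critical chunks, re-inflate the pixel
    stream, check it against the IHDR geometry, then emit a fresh file."""
    chunks, _ = parse_chunks(png)
    kept = [(t, d) for t, d in chunks if t in CRITICAL_CHUNKS]
    if not kept or kept[0][0] != b"IHDR" or len(kept[0][1]) != 13:
        raise ValueError("missing or malformed IHDR")
    width, height, depth, ctype, comp, filt, interlace = struct.unpack(">IIBBBBB", kept[0][1])
    if comp != 0 or filt != 0 or interlace != 0 or ctype not in CHANNELS:
        raise ValueError("unsupported PNG variant")  # assumption: non-interlaced only
    raw = zlib.decompress(b"".join(d for t, d in kept if t == b"IDAT"))
    row_bytes = 1 + (width * CHANNELS[ctype] * depth + 7) // 8  # filter byte + samples
    if len(raw) != row_bytes * height:
        raise ValueError("IDAT contents do not match IHDR geometry")
    out = [(b"IHDR", struct.pack(">IIBBBBB", width, height, depth, ctype, 0, 0, 0))]
    out += [(t, d) for t, d in kept if t == b"PLTE"]
    out.append((b"IDAT", zlib.compress(raw)))  # fresh stream; no original bytes survive
    out.append((b"IEND", b""))
    return PNG_SIGNATURE + b"".join(_chunk(t, d) for t, d in out)


def chunk_types(png: bytes):
    """Chunk types in order plus bytes trailing IEND: a before/after summary."""
    chunks, trailing = parse_chunks(png)
    return [t for t, _ in chunks], trailing


def decode_pixels(png: bytes) -> bytes:
    """Inflated scanline bytes (filter byte + samples per row) of a PNG."""
    chunks, _ = parse_chunks(png)
    return zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))


def build_sample_png() -> bytes:
    """Constructed input: a 2x1 RGB image carrying a tEXt chunk and junk
    appended after IEND, standing in for content smuggled inside an image."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0)
    scanline = b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"  # filter 0, red, green
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00constructed payload carrier")
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b"")
            + b"TRAILING-DATA-AFTER-IEND")


def build_tampered_png() -> bytes:
    """Constructed input whose IHDR claims 3x1 pixels but whose IDAT holds 2x1:
    the geometry check in rebuild_png must reject it rather than pass it on."""
    ihdr = struct.pack(">IIBBBBB", 3, 1, 8, 2, 0, 0, 0)
    scanline = b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    before = build_sample_png()
    after = rebuild_png(before)
    print("before:", chunk_types(before))
    print("after: ", chunk_types(after))
```

Two design points carry over to real CDR engines. First, the output is generated from the parsed pixel data, not copied from the input, so a malformed or oversized chunk that a decoder might mishandle is never forwarded. Second, the sanitizer refuses files it cannot fully account for (bad CRC, missing IEND, pixel stream inconsistent with the header) instead of forwarding them unchanged; that refusal is what keeps the “malware-free environment” claim honest, and it is also why CDR deployments need a defined path for legitimate files that fail reconstruction.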

Integration possibilities:

CDR technology can be seamlessly integrated into various network security modules.

  • Secure email gateways: Enhances email security by integrating with existing systems, providing an additional layer of protection.
  • USB import stations: Offers controlled access to USB devices, ensuring that only sanitized content is allowed.
  • Web-based secure managed file transfer systems: Enables comprehensive coverage of file transfers, ensuring sanitized content at every step.
  • Firmware and software updates: Aims to cover all content gateways, securing a ‘sterile area’ behind these modules, including essential updates.

NIST’s guidelines that call for the adoption of CDR

The National Institute of Standards and Technology (NIST) has outlined specific guidelines that highlight the importance of CDR. In the NIST SP 800-82 Revision 3 document, the emphasis on CDR’s role is evident:

1. Physical access control:

  • Portable devices security: Under the section ‘6.2.1.2 Physical Access Controls (PR.AC-2),’ the guidelines stress that organizations should apply a verification process to portable devices like laptops and USB storage. This includes scanning for malicious code before connecting to OT devices or networks, where CDR can play a vital role in ensuring safety.

2. Defense-in-depth strategy:

  • Multi-layered protection: Under section 5.1.2, the document defines defense-in-depth as a multifaceted strategy. It states: ‘a multifaceted strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and dimensions of the organization.’ This approach is considered best practice in the cybersecurity field.
  • Widespread adoption: The quote continues, emphasizing that ‘Many cybersecurity architectures incorporate the principles of defense-in-depth, and the strategy has been integrated into numerous standards and regulatory frameworks.’ This highlights the broad acceptance and integration of this strategy in various cybersecurity measures.
  • OT environments: This strategy is particularly useful in OT environments, including ICS, SCADA, IoT, IIoT, and hybrid environments. It focuses on critical functions and offers flexible defensive mechanisms.
  • CDR’s role in defense: CDR contributes to this defense-in-depth approach, especially in handling content with browser isolation solutions. Its role in enhancing security across different layers of the organization makes it a valuable asset in the cybersecurity landscape.

Mitigating the risks

The SolarWinds breach was a frightening sign of what has already begun, and it might just be a small part of what’s happening now. With criminal groups capitalizing on the increasing cloud connectivity at ICS/OT sites, attacks on hundreds or even thousands of organizations simultaneously are actual risks we face today.

But amid these challenges, there’s a solution: CDR. This cutting-edge technology offers a robust defense against the known and unknown, providing a shield against malicious forces that seek to exploit our interconnected world. In the ongoing battle against malware, CDR stands as a vigilant sentinel, ever ready to protect.

The post Battling malware in the industrial supply chain appeared first on Cybersecurity Insiders.


August 29, 2023 at 07:59PM

Monday, August 28, 2023

Rackspace spends $10m in ransomware cleanup costs

In November of the previous year, Rackspace, a well-known company providing cloud computing services, fell victim to a cyber-attack orchestrated by the Play Ransomware group. This attack led to a disruption in their email exchange services for a duration of a few weeks. The company’s response to this incident included the release of an earnings presentation that highlighted the considerable financial impact. Approximately $10 million had already been expended on remediation efforts, affecting a substantial customer base of around 30,000 individuals.

In a statement submitted to the SEC, Rackspace indicated that the expenses associated with this incident could potentially rise further. This is primarily due to the emergence of multiple lawsuits from customers within the cloud business domain. These legal actions are seeking compensatory measures to address the business losses incurred as a result of the cyber attack.

Rackspace, headquartered in Texas, is not alone in bearing the financial brunt of such incidents. The financial burden extends to costs related to investigative processes, remediation endeavors, legal consultations, professional services, and the necessity of hiring additional personnel.

Although Rackspace remained resilient against the demands of the Play Ransomware group, the company’s financial outlay to counteract the adverse effects of the file encrypting malware has reached nearly $10 million thus far.

The FBI issued a statement in November 2020, emphasizing that paying ransoms to hackers is illegal, as it perpetuates criminal activities and does not guarantee the provision of a decryption key.

Security experts advise victims of such incidents to adopt a thoughtful approach in managing their IT environments. It’s crucial to take actions that are economically viable, as these situations can erode profits and cast a lasting shadow on annual earnings for an extended period of time.

The post Rackspace spends $10m in ransomware cleanup costs appeared first on Cybersecurity Insiders.


August 29, 2023 at 10:00AM