FireSale HackBoy

Knowledge Shared By FireSale HackBoy...


Friday, May 17, 2024

Disadvantages of Cyber Insurance

Cyber insurance provides financial protection for businesses in the event of a cyber attack. However, despite its benefits, there are several drawbacks to consider before committing to a policy. Here are some key disadvantages:

Evolving Cyber Threats: The landscape of cyber threats is constantly changing as cybercriminals develop new tactics to exploit vulnerabilities. This poses a challenge for insurance providers, as it may be difficult to accurately predict and cover the financial impact of emerging threats. As a result, coverage gaps may arise, leaving policyholders vulnerable to losses that are not adequately addressed by their insurance policies.

Lack of Standardization: Unlike other forms of insurance, such as health or auto insurance, there is no standardized framework for cyber insurance policies. Each provider offers its own terms and exclusions, making it challenging for businesses to compare and select the most suitable coverage. It is essential for businesses to carefully review and understand the terms of any policy before making a decision.

Limited Coverage: Many cyber insurance policies offer limited coverage for certain expenses associated with a cyber attack, such as data restoration, business disruption, and legal fees. Some policies may only cover business disruption costs, leaving businesses responsible for other expenses. It is important for businesses to assess their potential liabilities and ensure that they have adequate coverage for all potential costs.

Vulnerability Assessment: Insurance providers often require businesses to undergo a vulnerability assessment to determine their level of risk exposure. This may involve evaluating the organization’s existing security measures and identifying any vulnerabilities that need to be addressed. While this assessment can help insurers calculate premiums more accurately, it may also result in higher premiums for businesses with greater risk exposure.

Premium Costs: The cost of cyber insurance premiums can be prohibitive for many small and medium-sized businesses (SMBs). Insurers take into account factors such as the organization’s size, industry, and security posture when calculating premiums, which can result in higher costs for businesses with limited resources. As a result, some SMBs may choose to forego cyber insurance coverage altogether, exposing themselves to significant financial risk in the event of a cyber attack.

In conclusion, businesses should carefully consider the potential drawbacks of cyber insurance before purchasing a policy. By thoroughly evaluating their coverage needs and consulting with insurance providers, businesses can make informed decisions that mitigate their cyber risk exposure effectively.

The post Disadvantages of Cyber Insurance appeared first on Cybersecurity Insiders.


May 17, 2024 at 08:42PM

7 Essential Security Tips to Identify Fake Mobile Apps

In today’s digital age, mobile applications have become an integral part of our daily lives, facilitating various tasks from communication to banking. However, with the proliferation of mobile apps, there’s also an increase in fake and malicious applications aiming to compromise users’ security and privacy.

To help you navigate the digital landscape safely, here are seven essential security tips to spot fake mobile apps:

1. Verify the Developer: Before downloading any app, take a moment to research the developer. Legitimate apps are usually developed by reputable companies or individuals with a track record of producing quality apps. Check the developer’s website, reviews, and ratings to ensure authenticity.

2. Check App Permissions: Be wary of apps that request excessive permissions. If a flashlight app asks for access to your contacts and location, it’s a red flag. Review the permissions requested by the app and question if they align with its functionality. Avoid apps that ask for unnecessary access to your personal data.

3. Read Reviews and Ratings: User reviews and ratings provide valuable insights into an app’s reliability. Look for patterns of complaints or suspicious activity reported by other users. If an app has numerous negative reviews citing security concerns or unexpected behavior, it’s best to steer clear.

4. Inspect the App Description: Pay close attention to the app description and screenshots provided in the app store. Genuine apps often have detailed descriptions, including information about features, functionality, and company background. Beware of apps with vague descriptions, grammatical errors, or inconsistent branding, as these could indicate fraudulent intentions.

5. Download from Official Sources: Stick to reputable app stores such as the Google Play Store for Android devices and the Apple App Store for iOS devices. These platforms have robust security measures in place to detect and remove malicious apps. Avoid downloading apps from third-party sources or unverified websites, as they pose a higher risk of malware infections.

6. Verify App Authenticity: Some counterfeit apps mimic the appearance of popular legitimate apps to deceive users. Before downloading, double-check the app’s authenticity by comparing its icon, name, and logo with the official version. Look for subtle differences or inconsistencies that may indicate a fake app.

7. Install Security Software: Consider installing reputable antivirus or mobile security software on your device. These tools can help detect and prevent the installation of fake apps, as well as provide ongoing protection against malware, phishing attempts, and other cyber threats.

By following these security tips, you can safeguard your mobile device and personal information against the threat of fake apps. Stay vigilant, trust your instincts, and prioritize security when downloading and using mobile applications. Remember, it’s better to err on the side of caution than to fall victim to malicious actors in the digital realm.

The post 7 Essential Security Tips to Identify Fake Mobile Apps appeared first on Cybersecurity Insiders.


May 17, 2024 at 11:30AM

Know the least common PIN numbers that can thwart Cyber Threats

In the modern digital era, safeguarding devices and the sensitive information they contain is paramount, as any vulnerability can attract unwanted attention from malicious actors. Biometrics stands out as a formidable method for protecting devices and the data stored on them from the prying eyes of cybercriminals. Among the various security measures, employing a 4- or 6-digit PIN code serves as a fundamental defense against unauthorized access.

Delving into the realm of 4-digit PINs, Jake Moore, a security advisor at ESET, offers insightful perspectives. Particularly noteworthy is the exploration of the least common PIN numbers, which can significantly bolster account and device security. This compilation originates from the late Nick Berry, who was associated with Data Genetics, providing a curated list of 4-digit PINs adept at mitigating contemporary cyber threats.

Here’s a glimpse at some of these less common yet effective 4-digit PINs:

1. 8557
2. 8438
3. 9539
4. 7063
5. 6827
6. 0859
7. 6793
8. 0738
9. 6835
10. 8093

While these PINs aren’t impervious to automated guessing techniques employed by cybercriminals, they offer a layer of defense by being less frequently utilized. This aspect makes them particularly valuable in thwarting password spray attacks and similar security breaches.

Contrastingly, the following are the most commonly used 4-digit PINs:

1. 1234
2. 1111
3. 0000
4. 1212
5. 7777
6. 1004
7. 2000
8. 4444
9. 2222
10. 6969

It’s crucial to recognize that for every 4-digit PIN, there exist over 10,000 possible combinations, illustrating the vast array of choices available for enhancing security. Similarly, 6-digit PINs offer even greater permutations, with over 100,000 combinations, a concept rooted in mathematical principles of permutations and combinations.
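A defender-side use of the lists above is a PIN policy check that rejects the most common PINs together with the patterns they exemplify (repeated digits or blocks, ascending or descending runs, plausible years). This is an added example, not code from the post, ESET or Data Genetics; the pattern rules and the 4-or-6-digit policy are assumptions made here.

```python
"""PIN policy check: reject PINs that are trivially guessable.

The MOST_COMMON_PINS set is the top-ten list quoted in the post; the pattern
rules below are an assumed policy that generalises those entries.
"""
from datetime import date
from typing import List, Optional

# The ten most common 4-digit PINs, as listed in the post.
MOST_COMMON_PINS = {"1234", "1111", "0000", "1212", "7777",
                    "1004", "2000", "4444", "2222", "6969"}


def is_sequence(pin: str) -> bool:
    """True for runs like 1234, 4567 or 9876 (every step is +1 or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeated_block(pin: str) -> bool:
    """True when the PIN is one short block repeated: 1111, 1212, 6969, 123123."""
    n = len(pin)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pin[:size] * (n // size) == pin:
            return True
    return False


def looks_like_year(pin: str, today: date) -> bool:
    """True for 4-digit PINs that read as a birth year or a recent year (1900..today)."""
    return len(pin) == 4 and 1900 <= int(pin) <= today.year


def check_pin(pin: str, today: Optional[date] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    today = today or date.today()
    if not (pin.isdigit() and len(pin) in (4, 6)):
        return ["PIN must be exactly 4 or 6 digits"]
    problems = []
    if pin in MOST_COMMON_PINS:
        problems.append("one of the ten most common PINs")
    if is_repeated_block(pin):
        problems.append("repeated digit or block")
    if is_sequence(pin):
        problems.append("ascending or descending sequence")
    if looks_like_year(pin, today):
        problems.append("looks like a year")
    return problems


if __name__ == "__main__":
    for candidate in ("8557", "1234", "6969", "2000", "123456", "1985"):
        print(candidate, check_pin(candidate, date(2024, 5, 17)) or "acceptable")
```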

For individuals less acquainted with the evolving landscape of cyber threats, it’s essential to grasp the essence of the risks prevalent in today’s digital environment. Merely relying on a PIN for security is insufficient. Whenever feasible, implementing Multi-Factor Authentication (MFA) is advisable, or alternatively, leveraging biometric authentication methods such as fingerprint or iris scans can significantly fortify the security of online accounts.

The post Know the least common PIN numbers that can thwart Cyber Threats appeared first on Cybersecurity Insiders.


May 17, 2024 at 11:21AM

Thursday, May 16, 2024

The six rules of secure software development

Code Responsibly: Developers’ Blueprint for Secure Coding

Software is more important than ever – our connected world’s beating heart is made of it. Unfortunately, as the importance of software increases, so does the activity of cybercriminals and other bad actors trying to make a profit at the developers’ expense. The Department of Homeland Security has long claimed that 90% of security incidents are a consequence of defects in the design or code of software. Many developers are unarmed against this onslaught – the number of new vulnerabilities discovered in software has been steadily going up each year since 2016 and this trend is showing no signs of slowing down. If anything, the process is accelerating at a worrying rate. But this doesn’t mean the situation is hopeless – far from it! Many of these security problems have been known for a long time and we have a long list of industry best practices to help deal with them. In this eBook we introduce our six rules of secure software development that present the most important things you can do right now to stem the tide.

1. Shift left

The rule of ‘shift left’ has turned into a bit of a buzzword in the last 7-8 years. Like the rest of these six rules, this is not a great revelation or a closely-held secret – in fact, the concept of shift-left testing was originally coined in 2001 in a Dr. Dobb’s article by Larry Smith. Back then, ‘shift left’ referred to testing early and often to find defects as early in the SDLC as possible – literally shifting activities to the left in the V-model of software development.

So, what does this have to do with security?

The idea is simple: move security considerations earlier in the software development lifecycle. Obviously, the earlier a security issue is discovered, the cheaper it is to fix it. Programmers shouldn’t just rely on security experts to “do security stuff” a few weeks before shipping the code, but each team member should be actively involved with preventing, finding, and eliminating potential vulnerabilities during development. Of course, this only works if developers actually have the necessary security expertise! This makes understanding the potential threats and best practices (and thus, secure coding) absolutely critical for everyone: all architects, developers, testers and ops folks, not just a few chosen security champions.

2. Adopt a secure development lifecycle approach

It is tempting to deal with software security as an ‘add-on’ to the process: a brief penetration test just before release, or maybe a two-week security review at the end of a project. But as discussed before in the context of shifting left, the later we deal with a security issue, the more expensive it gets. And, unfortunately, a lot of security issues stem from decisions made at an early stage of development such as design or even requirements specification!

We can solve this conundrum by building security in: instead of just ‘doing security’ at a certain point in the development lifecycle, we introduce security activities throughout the entire software development lifecycle (SDLC). This is an established best practice popularized within Microsoft via the MS SDL (Security Development Lifecycle) as well as by security experts via the BSIMM (Build Security In Maturity Model) or the OWASP SAMM (Security Assurance Maturity Model):

  • MS SDL is the most prescriptive of the three – which makes sense, considering it was a process that Microsoft originally developed for internal use in the early 2000s. Its 12 main practices cover security training of all stakeholders, the creation and maintenance of security requirements, threat modeling via data flow diagrams (DFD), secure use of cryptography, managing the risk of third-party components, heavy use of automated tools (SAST, DAST, SCA) and incident response.
  • BSIMM, on the other hand, is a descriptive model. It is released every year, containing data about what companies are doing these days to improve their security, and provides a scorecard to measure your company’s security posture. Then you can figure out which of those activities are most reasonable to implement in your specific context. The activities are grouped into 4 domains: Governance (managing a software security initiative with training as one of its three pillars), Intelligence (threat modeling and proactive security guidance), SSDL touchpoints (building security into development via design and code reviews as well as security testing), and Deployment (secure configuration and maintenance).
  • OWASP SAMM is also a prescriptive model, giving concrete guidance in various categories, depending on what maturity level (1 to 3) the company is aiming for in the area of Governance (improving security at the organizational level via education and guidance, among others), Design (security requirements, secure design and threat modeling), Implementation (secure build and deployment including vulnerability management), Verification (manual and automated security testing and reviews), and Operations (incident response, hardening and patch management).

As for validating the real-world use of these models: the longitudinal analysis in BSIMM 14 (2023) shows that companies are steadily improving their security posture. In particular, after adopting BSIMM, companies tend to implement a secure SDLC, scale it with the development of security champions, create (and enforce) a security policy, and manage the risk of third-party components. The two priorities after these are threat modeling and security training for engineering teams. As a matter of fact, training engineers on security is emphasized in all of the above models: it is the very first practice in SDL and is part of Governance in both BSIMM and SAMM.

As a final note, penetration testing is often brought up as a one-size-fits-all solution. It is true that a quick and focused test to identify vulnerabilities in the system is useful as an ‘acid test’ before release. But over-reliance on penetration testing is quite dangerous, and it is not a real substitute for secure software development! On the other hand, training developers in security is included in each of these secure SDLC models, with good reason.

3. Cover your entire IT ecosystem

When we’re talking about securing code, we don’t just mean the code specifically written by you – but also all third-party code that’s included in the application. The paper What are weak links in the npm supply chain? (Zahan et al., 2022) points out that 80% of all code in modern software comes from third-party packages! That is a massive attack surface, and ultimately the hackers don’t care where the weak point in the system is and how it got there. If a third-party component is vulnerable, they’ll exploit it just the same – as happened with the Log4Shell vulnerability at the end of 2021 that impacted almost every Java application – and thus, Java developer – in the world.

Not to mention that it is also lucrative for attackers to perform supply chain attacks: injecting malicious code into one of the open-source packages (or replacing them entirely). This can be difficult to notice if the package in question is, maybe, a forgotten dependency-of-a-dependency-of-a-dependency somewhere. The attack trends support this as well: according to the paper, supply chain attacks against applications (not just talking about npm here!) have increased 650% in 2021 alone. The SolarWinds supply chain attack against the United States government was so impactful it has shaped the country’s cybersecurity strategy as a whole.

These issues are exacerbated in the container world – for example, the ‘Red Kangaroo’ study has found that at the end of 2020, 80% of all images on Docker Hub contained at least one known vulnerability, with 51% of all images containing critical vulnerabilities!

We like to say that

“vulnerabilities in third-party code are not your fault, but they will definitely become your problem”.

You definitely need to have vulnerability management processes in place to identify, assess, and deal with vulnerabilities discovered in any of the program’s dependencies – and a strategy on how to release security patches and even hotfixes if the situation calls for it.

4. Move from reaction to prevention

Discussing code security goes hand in hand with robustness and resilience. Resilience implies a system that is not significantly impacted by failures (limiting the amount of damage they can do, and making it possible to recover from them), while robustness implies a system that anticipates failures and prevents them from happening in the first place. Even though both of these are important, preventing an incident is always better than reacting to an incident after the fact!

There are two philosophies to ensure robustness and resilience that are sometimes said to be opposites of each other: design by contract and defensive programming.

  • Design by Contract (DbC) defines so-called contracts for functions to declare expected preconditions, postconditions and invariants – and works under the assumption that these contracts will not be broken. These contracts are frequently implemented via asserts (not present in production code) and in case there is a failure at runtime, they are typically handled via exceptions. In type-safe languages, DbC may be a built-in feature of the language itself that won’t even allow compilation if the contracts can be violated. Rust is a good example of this.
  • Defensive programming assumes that any interaction with the system may be incorrect, erroneous, or even malicious. To this end, the developer should explicitly implement input validation in functions that process user input of any kind. Input validation means the implementation of checks that verify that the received input corresponds to the developer’s expectations. This should happen in the context of the specific function, “there and then”, right before the input is to be used. If the input fails these checks, it is rejected, so that no piece of code will be executed with unexpected inputs it is not prepared to handle.

Design by contract seems to be better for code efficiency and maintainability – after all, implementing defensive programming techniques requires writing additional code, which adds complexity and is itself a potential source of bugs. But when we look at code security, the goal is to reduce the attack surface and thus guard against intentional misuse, which is exactly what defensive programming provides. Furthermore, reacting to a bad input after it’s already been processed is much more dangerous than proactive input validation that can catch it beforehand. This is recognized by many secure coding standards (see e.g. MISRA C:2023 Directive 4.14).

Just to reiterate: in security, preventing an error is always better than catching the error after it has already happened!

As an example, consider processing an XML document describing a money transfer. Following DbC, we can define a ‘contract’ (an XML schema) and make sure the input conforms to it. This prevents many different attacks (e.g. the attacker duplicating tags, or specifying a negative value for the money transfer). But not every kind of bad input can be covered by a schema. Just a few examples: the attacker can send us a document that references a nonexistent user, performs XXE, contains an invalid transaction date (e.g. 2 years in the future), or performs a cross-site scripting attack against the recipient by specifying a comment like <script>alert('hacked')</script>.

This doesn’t mean that design by contract is bad – in fact, those techniques are very useful, but they need to be combined with defensive programming techniques to effectively protect against vulnerabilities. Whenever code security is concerned, input validation is perhaps the single most critical thing you can do according to experts – it’s the first category in the Seven Pernicious Kingdoms and its improper use comprises the root cause of many other vulnerability types; it is #5 on the OWASP Proactive Controls (OPC) list, and also has its own cheat sheet on OWASP! Even redundancy isn’t necessarily a dirty word here – in fact, validating the same input multiple times (in different parts of the code) is an example of defense in depth, which is an essential protection principle. For example, even if the XML schema ensures that the money transfer value isn’t negative, the function doing the transfer should still have a sanity check on the value to be transferred. We should simply accept that everyone makes mistakes, and the code should always be prepared for that.
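The money-transfer scenario from rule 4, worked through as an added example that is not Cydrill’s code: a hand-written, schema-style contract check on the document structure (no XSD library is used), followed by the defensive checks a schema cannot express (unknown user, implausible date, DTD/XXE, script in the comment). The element names, the account directory, the amount ceiling and the date window are assumptions made for this example.

```python
"""Contract check plus defensive validation for a money-transfer XML document.

Document format, KNOWN_USERS, MAX_AMOUNT and the date window are assumptions
for this example; the stdlib ElementTree parser is used on purpose so that the
DTD rejection below does not depend on any particular parser default.
"""
import html
import re
import xml.etree.ElementTree as ET
from datetime import date, datetime, timedelta
from decimal import Decimal, InvalidOperation
from typing import Dict

# The 'contract': allowed child elements of <transfer>, and whether each is required.
CONTRACT = {"from": True, "to": True, "amount": True, "date": True, "comment": False}
MAX_AMOUNT = Decimal("10000.00")    # assumed per-transfer ceiling
MAX_COMMENT_LEN = 140               # assumed
KNOWN_USERS = {"alice", "bob"}      # assumed account directory
TODAY = date(2024, 5, 16)           # fixed so the example is reproducible


def validate_transfer(document: bytes, known_users: set, today: date) -> dict:
    """Return the validated transfer, or raise ValueError naming the first failed check."""
    # Defensive: this format never legitimately carries a DTD, so reject one before
    # parsing. That blocks external entities (XXE) and entity-expansion tricks outright.
    if re.search(rb"<!DOCTYPE|<!ENTITY", document, re.IGNORECASE):
        raise ValueError("DTD/entity declarations are not allowed")
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc

    # Contract check (what an XML schema would enforce): right root element, no unknown
    # or duplicated elements, no nested markup inside fields, all required fields present.
    if root.tag != "transfer":
        raise ValueError("root element must be <transfer>")
    fields: Dict[str, str] = {}
    for child in root:
        if child.tag not in CONTRACT:
            raise ValueError(f"unexpected element <{child.tag}>")
        if child.tag in fields:
            raise ValueError(f"duplicated element <{child.tag}>")
        if len(child):  # e.g. a literal <script> element smuggled into <comment>
            raise ValueError(f"<{child.tag}> must not contain child elements")
        fields[child.tag] = (child.text or "").strip()
    for name, required in CONTRACT.items():
        if required and name not in fields:
            raise ValueError(f"missing element <{name}>")

    # Defensive checks a schema cannot express, done 'there and then' before use.
    if fields["from"] not in known_users or fields["to"] not in known_users:
        raise ValueError("unknown account")
    if fields["from"] == fields["to"]:
        raise ValueError("sender and recipient must differ")
    try:
        amount = Decimal(fields["amount"])
    except InvalidOperation as exc:
        raise ValueError("amount is not a number") from exc
    if not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
        raise ValueError("amount out of range")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount has more than two decimals")
    try:
        when = datetime.strptime(fields["date"], "%Y-%m-%d").date()
    except ValueError as exc:
        raise ValueError("date must be YYYY-MM-DD") from exc
    if when > today + timedelta(days=1) or when < today - timedelta(days=90):
        raise ValueError("date is not plausible")
    comment = fields.get("comment", "")
    if len(comment) > MAX_COMMENT_LEN or any(ord(c) < 32 for c in comment):
        raise ValueError("comment too long or contains control characters")

    return {
        "from": fields["from"], "to": fields["to"], "amount": amount, "date": when,
        # Output encoding: the comment is only ever rendered escaped, so a value such
        # as <script>alert('hacked')</script> reaches the recipient as inert text.
        "comment_html": html.escape(comment),
    }


def check(document: bytes) -> str:
    """Return 'ok' or the reason the document was rejected (convenience wrapper)."""
    try:
        validate_transfer(document, KNOWN_USERS, TODAY)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample documents (not real traffic).
GOOD_DOC = (b"<transfer><from>alice</from><to>bob</to><amount>250.00</amount>"
            b"<date>2024-05-16</date><comment>Rent for May</comment></transfer>")
XSS_DOC = (b"<transfer><from>alice</from><to>bob</to><amount>10</amount>"
           b"<date>2024-05-16</date>"
           b"<comment><![CDATA[<script>alert('hacked')</script>]]></comment></transfer>")

if __name__ == "__main__":
    print(check(GOOD_DOC))
    print(validate_transfer(XSS_DOC, KNOWN_USERS, TODAY)["comment_html"])
```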

5. Mindset matters more than tech

If you ask anyone “what do you do to prevent cyberattacks?”, it is likely the answer will be “firewalls and IDS”. It’s true that web application firewalls and intrusion detection systems are important (see A9 in the OWASP Top Ten 2021!), but they won’t solve the problem of vulnerable code. They may mitigate the effects of already existing vulnerabilities and make exploitation of these vulnerabilities more difficult, but even in that arena the attackers are constantly coming up with new ways to get around perimeter defenses (e.g. Server-side Request Forgery aka SSRF) and evade WAF filters to deliver their payload.

As a matter of fact, no firewall could stop the exploitation of zero-days like Heartbleed or Log4Shell before it was already too late.

But how do we deal with vulnerable code, especially in codebases that have been around for decades?

The sheer amount of code that developers must deal with is increasing rapidly. Sourcegraph’s The Emergence of Big Code (2020) shows that developers have to work with remarkably more code than ever before: 51% of participants claimed the amount of code at a company has increased by a factor of 100 compared to the previous 10 years, and over 90% of them said coding velocity and the value of the code itself has also increased drastically. In order to find, fix, and prevent vulnerabilities, developers need to be responsible for them and take ownership of the code in question – that can be a challenge by itself in these massive code bases.

And then there is legacy code…

Some companies are looking at AI to solve this problem by automatically identifying vulnerabilities or just making sure all code is secure. Putting aside the nascent and vulnerable nature of machine learning applications, this ultimately relies on these AIs being able to write secure code by default. But right now, that goal is far out of reach. Let’s face it: we’re still light-years away from achieving flawless AI-generated code. Consider that the models are mainly trained on the ‘wisdom of the masses’: open-source projects and popular third-party Q&A sites such as Stack Overflow. Such sources have been hotbeds of vulnerable code examples in the past (see Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security, Fischer et al., 2017).

As always: garbage in means garbage out.

On the other hand, it doesn’t help to put the responsibility for security on developers’ shoulders while failing to give them the necessary resources and support for it.

Bruce Schneier pointed out in 2019 that even though 68% of security professionals believe it’s a programmer’s job to write secure code, they also think less than half of them can actually spot security holes.

Gitlab’s yearly Global Developer Report from 2022 underscored this as well: as DevOps transforms into DevSecOps, security is becoming the #1 concern. More importantly, now that 43% of “Sec” teams are fully responsible for security, despite the vast variety of tools at their disposal they feel much less optimistic and confident about this responsibility than the “Dev” and “Ops” parts of the triad (56% vs 76%!). Automation is not going to solve the problem by itself. It isn’t a coincidence that DevSecOps folks sometimes call SAST tools ‘False Positives as a Service’.

Tools are handy and valuable, but there is no substitute for human expertise.

6. Invest in secure coding training

As we’ve seen so far, there are two challenges in cybersecurity today: how to deal with issues from the past (unknown vulnerabilities in existing code, legacy code, and third-party code) and how to deal with issues in the future (vulnerabilities in all code written by the developers from this point on).

For the first question, we have lots of answers: various code analyzers, testing tools, and vulnerability management. However, for the second question, the only realistic answer is writing code that is free of such vulnerabilities. And that’s not something a tool can do for us.

The only solution is education: making developers aware of these security problems in all phases of the SDLC and giving them the necessary mindset and skills so they will be able to avoid them (and spot them in existing code).

This is also well reflected in real-world numbers. Is Secure Coding Education in the Industry Needed? An Investigation Through a Large Scale Survey (Gasiba et al., 2021) indicates that over half of developers are not aware of secure coding guidelines and issues; furthermore, developers overestimate their awareness of security issues, leading to a false sense of security.

The best method to address this discrepancy is through secure coding education supported with hands-on exercises. Developers need to see vulnerable code in action, see the (often devastating) consequences of vulnerability exploitation, and then actually fix the vulnerable code themselves. Only this way will they acquire the needed skills and fully understand and retain knowledge about these vulnerabilities.

CTF – Capture the flag

Capture the flag (CTF) events and platforms are popping up as a popular alternative in this area. CTFs are popular when it comes to improving the offensive skills of cyber security experts: they are fun (and gamified out-of-the-box), they provide realistic hacking scenarios, and they help establish the ‘hacker mindset’. But when it comes to defensive best practices and establishing company-wide secure coding initiatives, they have pretty clear deficiencies compared to real training: a relative inability to cater to developers without prior experience in security, weak (or even negative) motivation for developers less interested in competition, and poor coverage of ‘less cool’ (but still critically important) security issues.

Sometimes microlearning is also brought up as a possible solution: teaching about security issues in small bite-sized (even just 5- or -minute) videos or brief activities that programmers can check when they first encounter such an issue or just during their free time (if such a thing exists at all). But secure coding is one of the areas where this doesn’t really work. As per Amy Fox’s 2016 article Microlearning for Effective Performance Management:

“Microlearning is not a panacea for every training need. If an employee is learning something for the first time, particularly a complex skill, individual coaching or another form of more intensive training may be best. Microlearning often is best used for reinforcement to help learning stick and to build up employees’ skills.”

In the context of secure coding, microlearning can be effective only as a reinforcement technique once developers already know about vulnerabilities and best practices – in other words, once they have already taken part in an in-depth training course.

And that’s exactly what we believe in: with blended learning, developers should first establish a deep foundation for secure coding in their programming language(s) of choice via an instructor-led training course. And once this is achieved, they can follow it up with regular monthly ‘bite-sized’ e-learning modules to keep their skills sharp and up to date.

Finally, a note about gamified capture the flag (CTF) events and platforms. CTFs are popular when it comes to improving the skills of cyber security experts: they are fun (and gamified out-of-the-box), they provide realistic hacking scenarios, and they help establish the ‘hacker mindset’. But when it comes to learning about secure coding, they have pretty clear deficiencies compared to blended learning: they tend to focus on ‘fun’ attack scenarios and thus ignore many common vulnerability types, they aren’t adaptive to the needs of individual participants, and their competitive aspects can actually have a negative effect on motivation. On the other hand, blended learning also drives high engagement without having to lose the benefits of gamification. If you’re interested in the details, we have analyzed these limitations in a separate article: CTF in secure coding education – a critical look.

About Cydrill

Established in 2019 and recognized by Enterprise Security in 2021 as one of the top companies shaping the cybersecurity landscape, Cydrill is on a mission to tackle the root cause of poor cyberdefense: inadequate coding practices.

Cydrill’s blended learning journey provides training in proactive and effective secure coding for developers from Fortune 500 companies all over the world. By combining instructor-led training, e-learning, hands-on labs, and gamification, Cydrill provides a novel and effective approach to learning how to code securely.

Learn more about our courses and learning environment.

The post The six rules of secure software development appeared first on Cybersecurity Insiders.


May 16, 2024 at 07:58PM

Cybersecurity in Utilities: How the Utility Industry has Become a Pioneering Force in Cybersecurity Tech

Historically, the utility industry has been thought of as reliable, slow moving, and heavily regulated. People want to know that their lights will turn on and water will run, and by prioritizing that consistency, the general public and regulators have not pushed the industry to be particularly innovative. However, in recent years, the utility industry has transformed to become modern, innovative and technology-centric with cutting edge automation and controls. With the increased reliance on technology, the need to invest in cybersecurity has pushed utility companies to the cutting-edge of cybersecurity innovation. 

With technology driving utility operations, a cyberattack against critical infrastructure, including the power grid and water systems, has the potential to cause catastrophic consequences. Even a data breach that doesn’t directly impact critical infrastructure can become extremely costly. According to IBM’s 2022 Cost of a Data Breach report, the global average cost of a breach reached a record high that year, and in the energy sector it averaged $4.72 million.

Government Regulation as a Force for Change

In the utility industry, cybersecurity serves as the fortress within the organization. Just as you secure your home against potential intruders, cybersecurity protects utility organizations from breaches of the intricate systems managing power plants, grids and overall business operations. Regulations such as the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards were created to keep that fortress secure. They impose stringent requirements on utilities, ensuring that only authorized personnel and trusted advisors can operate within the highly secured environment. As a further effect of these regulations, utility organizations have been compelled to collaborate with government agencies in an ongoing effort to identify, manage and communicate emerging vulnerabilities and risks. This proactive approach has positioned the industry to embrace new technologies as they come to market, rather than relying on periodic updates every few years.

The Role of AI

As automation, AI and machine learning take over the digital landscape, utility companies are using these technologies to fortify their organizations against threats. For example, automation streamlines routine security tasks, such as threat detection and response, enabling utilities to detect and mitigate cyber threats in real-time. AI and machine learning solutions can continuously analyze data to identify shadow data, monitor for abnormalities and alert cybersecurity professionals about potential threats. 

One major application of AI in utilities cybersecurity stems from the ability of artificial intelligence to spot threats faster than humans and monitor a range of potential cyber issues. The rise of AI and automated cybersecurity technologies has also allowed the utility industry to decrease human error as professionals try to keep up with the increased volume of attacks.

Barriers to Implementation

When adopting new cybersecurity solutions, utility companies often encounter the most significant hurdles during the implementation stage. Despite an organization’s desire to incorporate new technology and processes, the industry is constrained by a shortage of people with the skills and experience needed for new implementations. Technology and cybersecurity skill levels can be critical bottlenecks, since even the most advanced systems require human oversight and intervention to operate effectively.

Cybersecurity education is critical during this implementation phase. Imagine a home with the best alarm system and security cameras. This technology is effective in both deterring bad actors and detecting suspicious activity, yet, if the front door of the home is left open, the protection offered by the technology doesn’t matter. Employee education is a necessary part of a cybersecurity strategy for this reason. The protection the technology offers won’t matter if a bad actor gains access to critical systems through a malicious URL or guesses the password on an unattended laptop at a coffee shop. 

Measuring the ROI

Even when an implementation is successful, many organizations overlook the importance of assessing the technology’s long-term value. It can be challenging to evaluate the return on investment, especially when that evaluation requires additional time and resources. However, neglecting this post-implementation value assessment means missing insights into the effectiveness of new cybersecurity measures. It’s incredibly valuable to measure how many threats or attempted breaches the technology prevented, and to extrapolate the potential cost of each incident. This comprehensive understanding will enable organizations to allocate resources efficiently in the future. 

Looking forward, the utility industry will continue to be a pioneering force in adopting innovative cybersecurity technologies to protect its data and evolving technology solutions, which serve as a blueprint for other industries to follow. Through the industry’s strict regulations and investment in new technologies, the utilities sector continues to forge the path forward to a secure digital future. 


The post Cybersecurity in Utilities: How the Utility Industry has Become a Pioneering Force in Cybersecurity Tech appeared first on Cybersecurity Insiders.


May 16, 2024 at 11:28AM

Wednesday, May 15, 2024

Google Android to lock screen of stolen smart phones with AI

Google is gearing up to introduce a groundbreaking feature aimed at enhancing smartphone security through the power of Artificial Intelligence (AI) in its upcoming Android 15 operating system.

The tech giant, a subsidiary of Alphabet Inc., is poised to unveil the ‘Theft Detection Lock’ safety feature, designed to thwart mobile device theft and fraud. Leveraging AI technology, this feature enables smart devices to detect instances where a phone is forcefully taken from its user and promptly locks the screen, preventing unauthorized access by thieves.

This functionality relies on monitoring motion and disruptions in motion patterns following a theft. To enable this feature, smartphones must be equipped with built-in sensors like accelerometers capable of detecting sudden movements indicative of theft, such as snatching the device and making a swift getaway on a bike or in a car.

Once these suspicious motions are identified, the device automatically activates a lock to thwart further access by unauthorized individuals.
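The description above (a sudden yank, then the motion of someone making off with the phone) can be turned into a concrete two-stage check. The following is an added illustration, not Google’s Theft Detection Lock algorithm, which is not public: the signal model, the thresholds and the three accelerometer traces are constructed assumptions. It shows why a detector needs the second stage at all: a dropped phone produces the same sharp peak but then lies still, and must not be locked.

```python
"""Two-stage snatch heuristic over accelerometer samples.

Added illustration, not Google's Theft Detection Lock algorithm (which is not
public). The signal model, thresholds and traces below are all constructed
assumptions chosen to show the kind of pattern the article describes: a sharp
yank followed by sustained escape motion, with a dropped phone as the
false-positive case a detector has to reject.
"""
import math
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

G = 9.81  # 1 g in m/s^2


@dataclass(frozen=True)
class Sample:
    t: float   # seconds since trace start
    ax: float  # m/s^2
    ay: float
    az: float

    def magnitude(self) -> float:
        return math.sqrt(self.ax ** 2 + self.ay ** 2 + self.az ** 2)


# Assumed thresholds, tuned for the constructed traces rather than measured on devices.
SNATCH_PEAK = 3.5 * G        # a yank shows up as a short peak far above 1 g
ESCAPE_WINDOW_S = 3.0        # how long after the peak to look for escape motion
ESCAPE_RMS = 0.6 * G         # RMS deviation from 1 g typical of running/riding
MIN_WINDOW_SAMPLES = 10


def rms_deviation(samples: Sequence[Sample]) -> float:
    """RMS of (|a| - 1 g) over a window: near 0 when the phone lies still."""
    if not samples:
        return 0.0
    return math.sqrt(sum((s.magnitude() - G) ** 2 for s in samples) / len(samples))


def should_lock(samples: Iterable[Sample]) -> bool:
    """True when a snatch-like peak is followed by sustained escape motion.

    Stage 1 finds a peak above SNATCH_PEAK. Stage 2 requires vigorous motion in
    the window after it; a phone that is dropped produces the peak but then
    lies still, so it is not locked.
    """
    ordered = sorted(samples, key=lambda s: s.t)
    for i, s in enumerate(ordered):
        if s.magnitude() < SNATCH_PEAK:
            continue
        window = [w for w in ordered[i + 1:] if w.t - s.t <= ESCAPE_WINDOW_S]
        if len(window) >= MIN_WINDOW_SAMPLES and rms_deviation(window) >= ESCAPE_RMS:
            return True
    return False


# A trace is a list of phases: (duration_s, mean_g, swing_g, stride_hz).
# Vertical acceleration is modelled as mean + swing * sin(2*pi*stride_hz*t).
Phase = Tuple[float, float, float, float]

WALKING: List[Phase] = [(5.0, 1.0, 0.2, 2.0)]
SNATCH_AND_RUN: List[Phase] = [(2.0, 1.0, 0.2, 2.0), (0.05, 4.0, 0.0, 0.0), (3.0, 1.0, 1.0, 3.0)]
DROPPED: List[Phase] = [(2.0, 1.0, 0.2, 2.0), (0.05, 4.0, 0.0, 0.0), (3.0, 1.0, 0.0, 0.0)]


def make_trace(phases: Sequence[Phase], hz: int = 20) -> List[Sample]:
    """Build a constructed accelerometer trace from the phase description."""
    out: List[Sample] = []
    n = 0
    for duration, mean_g, swing_g, stride_hz in phases:
        for _ in range(int(round(duration * hz))):
            t = n / hz
            az = G * (mean_g + swing_g * math.sin(2 * math.pi * stride_hz * t))
            out.append(Sample(t, 0.0, 0.0, az))
            n += 1
    return out


if __name__ == "__main__":
    for label, phases in (("walking", WALKING), ("snatch and run", SNATCH_AND_RUN), ("dropped", DROPPED)):
        print(f"{label:15s} lock={should_lock(make_trace(phases))}")
```

Only the snatch-and-run trace locks; walking never reaches the peak threshold, and the dropped-phone trace reaches it but fails the sustained-motion check. On a real device the thresholds would have to be learned from labelled data, which is where the AI the article refers to comes in.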

“During the beta testing phase, this feature demonstrated promising results with participants in cities like Sao Paulo, London, Brazil, and France,” stated Dave Burke, Vice President of Engineering at Google. “Following positive feedback, we made the decision to include this feature in our upcoming Android release.”

This innovation is particularly significant in places like Brazil and London, where smartphone theft occurs at an alarming rate: by the figures cited, one theft every 5 minutes and every 6 minutes respectively.

Interestingly, this announcement coincides with Google’s initiative launched a year ago, wherein tech industry leaders were urged to take action against the rising trend of mobile phone thefts, which had seen a significant uptick over the preceding months.

In addition to the Theft Detection Lock, another noteworthy feature aimed at bolstering mobile security is Private Space. It lets users keep sensitive apps, such as banking or social media apps, together with their data in a separate, locked area of the device, so they stay hidden and inaccessible without additional authentication.

The post Google Android to lock screen of stolen smart phones with AI appeared first on Cybersecurity Insiders.


May 16, 2024 at 10:46AM

New Apple iOS security update blocks Bluetooth Spying

Apple has unveiled significant security enhancements with the introduction of iOS 17.5, addressing nearly 15 vulnerabilities. Among the key features is a capability to thwart Bluetooth-based iPhone tracking, a move aimed at bolstering user privacy.

The latest iOS update, version 17.5, includes an alert system to notify users of potential cross-platform tracking attempts. This feature serves as a safeguard against unauthorized surveillance of iPhones via Bluetooth signals. Additionally, enhancements to the AirTag System provide added security measures, assisting users in locating misplaced items like car keys while safeguarding against potential privacy breaches.

Apple has also prioritized the resolution of malware concerns, particularly those exploiting the Find My app to track user locations and transmit data to criminal servers. Furthermore, updates have been implemented to fortify the security of Apple Maps navigation software, thwarting attempts by hackers to exploit vulnerabilities and compromise user data.

These proactive measures underscore Apple’s commitment to ensuring the privacy and security of its users. Regular updates are integral to mitigating potential threats and maintaining a secure user experience.

Looking ahead, iOS 17.5 may mark the culmination of Apple’s ongoing efforts in this regard, as attention shifts towards the forthcoming iOS 18 release. Anticipated to debut with AI-powered features, iOS 18 is expected to be unveiled at the Worldwide Developers Conference (WWDC) scheduled for June of this year.

The post New Apple iOS security update blocks Bluetooth Spying appeared first on Cybersecurity Insiders.


May 15, 2024 at 08:41PM

Patient sues Ascension after BlackBasta Ransomware attack

A woman, whose identity has been protected, is taking legal action against Ascension Seton, alleging negligence in safeguarding patient data from ransomware attackers. This individual, hailing from Hays County, was admitted to Ascension Seton Williamson Hospital in Round Rock in 2023.

Following the revelation of a data breach at Ascension, which emerged online on May 8th, 2024, the woman asserts that the hospital administration failed to adequately secure her information from unauthorized access. Seeking compensation and justice for herself and fellow patients affected by the breach, she has initiated legal proceedings against the healthcare provider.

The lawsuit filed against Ascension stems from its purported failure to encrypt patient data, leaving it vulnerable to infiltration by the Black Basta gang, perpetrators of the cyberattack. The plaintiff seeks substantial compensation for all individuals impacted by the breach.

As to the likely course of the lawsuit, the central question will be whether Ascension took reasonable measures to protect patient data; U.S. law and regulators increasingly hold an organization’s leadership accountable when inadequate security leads to a ransomware incident that encrypts its files. Ascension may therefore face legal ramifications for its alleged failure to implement adequate security measures.

In a recent development, the U.S. Department of Justice has indicated that CEOs or technology heads could be subject to legal proceedings and potentially removed from their positions to stand trial. Consequently, Ascension may encounter significant legal challenges in the coming weeks, possibly including testimony before government bodies.

It is also worth noting that paying a ransom can itself create legal exposure, for example where the recipient is a sanctioned entity, and executives such as the Chief Technology Officer (CTO) or Chief Financial Officer (CFO) who approve a payment can face repercussions.

Given Ascension’s extensive network of facilities, including over 15 hospitals and 230 care sites across states including Illinois, the digital disruption resulting from the cyberattack has affected operations, with ambulances diverted to alternative healthcare providers in some areas.


The post Patient sues Ascension after BlackBasta Ransomware attack appeared first on Cybersecurity Insiders.


May 15, 2024 at 11:10AM

Tuesday, May 14, 2024

Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence

Criminal IP, a Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, has signed a technology partnership with Quad9 to exchange threat intelligence based on domains, and potentially on IP addresses, so that threats can be blocked before they reach end users.

Criminal IP underwent rigorous data evaluation to integrate with Quad9’s threat-blocking service, demonstrating high data uniqueness and accuracy. Particularly, test results revealed a remarkable outcome: 99.1% of malicious domains identified by Criminal IP’s threat intelligence were found to be non-duplicative with other TI data.

Through this integration, Quad9 leverages the most up-to-date threat intelligence lists, incorporating data from Criminal IP’s database of malicious domains to block harmful hostnames. This process not only safeguards computers, mobile devices, and IoT systems from a diverse array of threats like malware, phishing, spyware, and botnets, ensuring privacy, but also optimizes performance.

Quad9’s Threat Blocking Enhanced by Criminal IP’s Threat Intelligence

Quad9 is a free anycast DNS platform delivering robust security protections and privacy guarantees that comply with rigorous Swiss Data Protection and GDPR rules. Quad9 is operated as a non-profit by the Quad9 Foundation in Switzerland for the purpose of improving the privacy and cybersecurity of Internet users.

Quad9 operates on a high-performance global network. Its partnership with Criminal IP, which offers extensive cyber threat information including malicious IPs, domains, and CVEs derived from IP and domain scoring algorithms and large-scale data analysis, enhances this mission.

Results of the blocking test for the Quad9 threat-blocking security service integrated with Criminal IP TI

The specially designed Criminal IP Malicious Domains Retrieval API is used to send the Domain Data Feed identified as malicious to Quad9 for integration. This feed is then utilized alongside other threat intelligence (TI) data sources integrated into the Quad9 platform, such as IBM, OpenPhish, F-Secure, RiskIQ, and Domain Tools, to create a comprehensive blocklist for user protection.

Criminal IP’s specialized Domain Threat Intelligence

In addition to these comprehensive threat-blocking results on Quad9, for those seeking more information about each component of domains, users can use Domain Search of Criminal IP. The vulnerability scanner tool meticulously analyzes a wide array of domain details including screenshots, WHOIS data, utilized technologies, page redirections, and certificates. It also identifies potentially malicious content and replicated phishing domains, providing an overall domain score and a Domain Generation Algorithm (DGA) score. This global threat intelligence is updated daily and can be accessed through flexible API integration enabling seamless incorporation of the data into existing security systems, such as SOAR and SIEM.

Results of searching malicious domain in Criminal IP Domain Search

“Our partnership with Quad9 is a recognition of the accuracy of Criminal IP’s data,” stated Byungtak Kang, CEO of AI SPERA. “It is expected that our collaboration will contribute to the protection of Quad9’s end-users, who have a global reach, while simultaneously enhancing the quality of Criminal IP’s data.”

End users interested in utilizing the integrated threat-blocking security service of Quad9, which is linked with Criminal IP threat intelligence, can automatically activate the service simply by using the Quad9 DNS server (9.9.9.9).
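A practitioner who wants to confirm that the blocklist is actually in effect for a given hostname can compare Quad9’s filtered resolver with its unfiltered one. The script below is an added example, not Quad9’s or Criminal IP’s code. It assumes, following Quad9’s published behaviour, that a blocked hostname gets NXDOMAIN (RCODE 3) from 9.9.9.9 while 9.9.9.10 (Quad9’s “unsecured” service) applies no blocklist; NXDOMAIN from one and NOERROR from the other therefore means “blocked”, whereas NXDOMAIN from both just means the name does not exist. The response bytes used in the usage note are constructed.

```python
"""Check whether Quad9 blocks a hostname by comparing its filtered and
unfiltered resolvers.

Added example, not Quad9's or Criminal IP's code. Assumes (per Quad9's
published behaviour) that a blocklisted name gets NXDOMAIN from 9.9.9.9 while
9.9.9.10 applies no blocklist. Wire-format handling is stdlib only.
"""
import secrets
import socket
import struct

FILTERED_RESOLVER = "9.9.9.9"
UNFILTERED_RESOLVER = "9.9.9.10"
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Encode a recursive query (default: type A) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_rcode(response: bytes, expected_qid: int) -> int:
    """Return the RCODE from a response header.

    The ID check matters: a reply whose ID does not match the query is either
    stale or spoofed and must not be interpreted as the resolver's answer.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", response[:4])
    if qid != expected_qid:
        raise ValueError("response ID does not match query")
    if not flags & 0x8000:  # QR bit: must be a response, not an echoed query
        raise ValueError("packet is not a response")
    return flags & 0x000F


def classify(filtered_rcode: int, unfiltered_rcode: int) -> str:
    """Combine the two resolvers' answers into a verdict."""
    if filtered_rcode == 3 and unfiltered_rcode == 0:
        return "BLOCKED"      # resolvable upstream, withheld by the blocklist
    if filtered_rcode == 3 and unfiltered_rcode == 3:
        return "NONEXISTENT"  # nobody resolves it; not a blocklist decision
    if filtered_rcode == 0 and unfiltered_rcode == 0:
        return "ALLOWED"
    return "INCONCLUSIVE ({}/{})".format(
        RCODE_NAMES.get(filtered_rcode, filtered_rcode),
        RCODE_NAMES.get(unfiltered_rcode, unfiltered_rcode),
    )


def query_rcode(name: str, server: str, timeout: float = 3.0) -> int:
    """Send one UDP query and return the RCODE (network access required)."""
    qid = secrets.randbelow(0x10000)  # fresh random ID per query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_rcode(data, qid)


def check_blocked(name: str) -> str:
    """Verdict for one hostname: BLOCKED, ALLOWED, NONEXISTENT or INCONCLUSIVE."""
    return classify(query_rcode(name, FILTERED_RESOLVER),
                    query_rcode(name, UNFILTERED_RESOLVER))


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["example.com"]:
        print(host, check_blocked(host))
```

Run it with one or more hostnames as arguments; a known-bad domain from a blocklist test page should come back BLOCKED, and a normal site ALLOWED. Offline, the pure functions can be exercised directly: a constructed 12-byte header `1234 8183 0001 0000 0000 0000` parses to RCODE 3 for query ID 0x1234, and the same bytes with a different ID are rejected rather than trusted.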

About AI SPERA

AI SPERA launched its global cybersecurity service, Criminal IP, on April 17, 2023, following a successful year-long beta phase. The company has established technical and business partnerships with acclaimed global security firms and educational institutions, including VirusTotal, Cisco, Tenable, and Sumo Logic.

Criminal IP offers personalized plan options, also suitable for company use. Users can check their own credit usage for specific features (Web, Vulnerability Scanner, Tags, etc.) and API on the dashboard, and upgrade the plan anytime according to their needs.

Criminal IP is available in five languages (English, French, Arabic, Korean, and Japanese), providing a powerful and accurate CTI search engine for users worldwide. AI SPERA has been delivering cybersecurity solutions worldwide through a range of products, including Criminal IP CTI Search Engine, Criminal IP ASM, and Criminal IP FDS.

Contact: Michael Sena, AI SPERA, support@aispera.com

The post Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence appeared first on Cybersecurity Insiders.


May 14, 2024 at 06:10PM

Thinking about a Career in Security Operations? Follow this Path

Security operations professionals are the first to sound the alarm on intrusion attempts by bad actors. Organizations rely on them for security monitoring, security incident management, vulnerability management, security device management and network flow monitoring. 

Are you ready for a career in security operations? ISC2, creator of the leading advanced cybersecurity certification, the CISSP, recommends these specific steps. 

1. Become an ISC2 Candidate. Begin your journey by joining ISC2, the world’s leading cybersecurity professional organization, with more than 500,000 members, associates and candidates. As part of its One Million Certified in Cybersecurity pledge to help close the workforce gap, you’ll be able to access free Official ISC2 Online Self-Paced Training for the Certified in Cybersecurity entry-level certification and a free exam. Candidates can also tap a full range of benefits, including 20% off online training and up to 50% off textbooks. Sign up now to get your first year free.

2. Start your journey toward SSCP certification. Systems Security Certified Practitioner (SSCP) certification demonstrates you have the knowledge and skills to implement, monitor and administer IT infrastructure using information security policies and procedures. You’re key to protecting the confidentiality, integrity and availability of data for individuals and organizations.

To qualify for the SSCP, candidates must pass the exam and have at least one year of cumulative, paid work experience in one or more of the seven domains of the ISC2 SSCP exam outline. 

If you don’t yet have the required experience to become an SSCP, you can become an Associate of ISC2 after successfully passing the SSCP exam. You will then have two years to earn the experience needed for SSCP certification. 

3. Keep learning

Security operations never stands still. It is a constantly evolving field that requires continuing education to stay in front of cyberthreats and on top of trends. Professionals can choose from a variety of flexible learning options, including:

ISC2 Certificates turn a laser focus on specific subject matters. And with courseware created on the hottest topics by cybersecurity’s most respected certifying body, you’re assured the most current and relevant content. Choose from online instructor-led or self-paced education with content created by industry experts:

Online Instructor-Led*

  • Prerecorded lessons led by an ISC2 Authorized Instructor
  • Instruction that complements self-paced content
  • Digital badges upon passing certificate assessments

Online Self-Paced

  • Online learning at your own pace
  • Videos available for download on demand
  • Digital badges upon passing certificate assessments

*Online instructor-led only available for select certificates.

ISC2 Security Administration and Operations Certificates focus on the knowledge and skills needed to install, administer and troubleshoot security solutions. Online on-demand certificates include:

  • Responding to a Breach
  • Malware Analysis
  • Crowdsourced Security
  • Cryptography

ISC2 Security Operations Skill-Builders will help you learn valuable skills as you pursue a career in security operations. Grow what you know with short-format learning designed to fit your busy schedule.

A career in security operations provides the opportunity to make a significant impact on the world. Qualified professionals are indispensable to organizations, safeguarding their information and systems. See yourself in security operations and get started today. Learn More

More questions about SSCP? Get Answers in the Ultimate Guide, everything you need to know about SSCP. Download Now.


The post Thinking about a Career in Security Operations? Follow this Path appeared first on Cybersecurity Insiders.


May 14, 2024 at 04:13PM

How Security Service Edge is Revolutionizing Network Security

Learn how Security Service Edge (SSE) is transforming network security and protecting your organization from cyber threats, and what its benefits are.

Security Service Edge is Gartner’s term for the security half of the SASE model: a set of cloud-delivered services (secure web gateway, cloud access security broker, zero trust network access and firewall as a service) that enforce security policy close to wherever users and data are, rather than at an appliance in the data center. Its implementation offers better performance and scalability than conventional security designs.

Why Is SSE Important?

SSE is a growing industry trend that solves fundamental challenges organizations encounter with remote work, the cloud, secure edge computing, and digital transformation. With organizations increasingly adopting software- and infrastructure-as-a-service offerings and other cloud apps that move their data outside on-premises data centers, organizational data is increasingly distributed. As of 2023, the SaaS space is worth more than $190 billion, having quadrupled in size over the past 5 years. Moreover, growing user populations reach their cloud apps and data from anywhere and over any network, on mobile and remote devices. In addition, 90% of organizations that use the cloud use multi-cloud solutions; a 2022 poll of 700 companies indicated that customers store and handle data in more than one cloud.

Key Components of Security Service Edge

Secure Web Gateway (SWG): It provides secure access to the internet and protects against web-based threats. A SWG allows an organization to enforce security policies that filter the web traffic that passes between the employees on the network and the internet. It stops users from accessing insecure and malicious sites or content. The SWG acts as a defense line between the internet and users, monitoring the traffic in real-time and identifying anything suspicious. SWG adopts the latest security tools, such as URL filtering, malware detection, and data loss prevention. Thus an organization uses SWG to protect its users from malicious sites and have a comfortable browsing environment.

Zero Trust Network Access (ZTNA): It enables secure access to applications and resources irrespective of the network location. It is premised on the zero trust model, under which no user or device is to be taken as trusted by default, even if they are within the network perimeter. Therefore, ZTNA verifies the identity and trustworthiness of the user and the device prior to allowing access to the resources.

Cloud Access Security Broker (CASB): CASB provides visibility and control into cloud applications and data. CASB stands in between the user and the cloud service provider to allow companies to track and evaluate cloud usage, apply security policies, and safeguard company data. 

Firewall as a Service (FWaaS): FWaaS provides network security and controls access to network resources. In 2019, 32% of businesses had more than 100 firewalls deployed throughout their network. A firewall serves as a barrier between internal and external networks, inspecting and filtering traffic as it enters or leaves according to established policies and security rules. This helps to prevent intrusions, privacy infringement, spyware, viruses, and other risks.
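The ZTNA component above turns on one idea: the access decision is made per request from identity, entitlement and device posture, and network location carries no weight. The following added example, which is not code from the article or from any SSE product, puts a perimeter-style check beside a zero-trust-style one so the difference is visible on the same requests. The request fields, the per-application policy table, the posture checks and the three scenarios are assumptions made for illustration; the IP ranges are private and documentation ranges.

```python
"""Perimeter trust versus a zero-trust access decision, side by side.

Added example, not code from the article or from any SSE product. The request
fields, device-posture checks, group entitlements and thresholds are all
assumptions made for illustration; the addresses are private/documentation
ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Tuple

CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside the perimeter"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    app: str
    src_ip: str
    mfa_verified: bool      # identity assertion carried a strong second factor
    device_managed: bool    # enrolled in MDM, so posture can be attested
    disk_encrypted: bool
    os_patch_age_days: int


def perimeter_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Legacy model: being on the corporate network is the credential."""
    if ipaddress.ip_address(req.src_ip) in CORPORATE_NETWORK:
        return True, "source on corporate network"
    return False, "source outside perimeter (VPN required)"


# Assumed per-application policy: who is entitled, and what device posture is required.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "managed_only": True, "max_patch_age_days": 30},
    "wiki": {"groups": {"staff"}, "managed_only": False, "max_patch_age_days": 90},
}


def posture_ok(req: AccessRequest, rule: dict) -> bool:
    """Device checks a ZTNA broker would take from the endpoint agent or MDM."""
    if rule["managed_only"] and not req.device_managed:
        return False
    if not req.disk_encrypted:
        return False
    return req.os_patch_age_days <= rule["max_patch_age_days"]


def ztna_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Zero-trust model: identity, entitlement and device posture per request,
    evaluated the same way regardless of source address."""
    rule = APP_POLICY.get(req.app)
    if rule is None:
        return False, "unknown application: default deny"
    if not req.mfa_verified:
        return False, "identity not strongly verified"
    if not (req.groups & rule["groups"]):
        return False, f"{req.user} not entitled to {req.app}"
    if not posture_ok(req, rule):
        return False, "device posture below policy"
    return True, "allow"


# Constructed scenarios.
COMPROMISED_LAN_HOST = AccessRequest("svc-printer", frozenset({"staff"}), "payroll", "10.20.30.40",
                                     mfa_verified=False, device_managed=False,
                                     disk_encrypted=False, os_patch_age_days=400)
REMOTE_FINANCE_LAPTOP = AccessRequest("alice", frozenset({"staff", "finance"}), "payroll", "203.0.113.7",
                                      mfa_verified=True, device_managed=True,
                                      disk_encrypted=True, os_patch_age_days=5)
UNPATCHED_ONSITE = AccessRequest("bob", frozenset({"staff", "finance"}), "payroll", "10.1.2.3",
                                 mfa_verified=True, device_managed=True,
                                 disk_encrypted=True, os_patch_age_days=120)


if __name__ == "__main__":
    for label, req in (("compromised LAN host", COMPROMISED_LAN_HOST),
                       ("remote finance laptop", REMOTE_FINANCE_LAPTOP),
                       ("unpatched on-site device", UNPATCHED_ONSITE)):
        print(f"{label:26s} perimeter={perimeter_decision(req)}  ztna={ztna_decision(req)}")
```

The perimeter check admits the compromised host on the LAN and refuses the properly verified finance employee at a coffee shop; the zero-trust check does the reverse, and also refuses an on-site, entitled user whose device has fallen out of patch policy. That last case is the one perimeter models never see.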

Market Size and Growth

The Security Service Edge (SSE) market is moving at a fast pace as enterprises focus on protecting their networks and data. The SSE market is projected to exceed USD 15 billion by the end of 2036, at a CAGR of around 26% over the 2024-2036 forecast period, up from nearly USD 2 billion in 2023. The growth is mainly attributed to higher demand for cloud-based security solutions that deliver security services in a more elastic and flexible manner. Furthermore, organizations are increasingly interested in managed security services as they outsource security to expert providers.

However, the SSE market faces adoption challenges due to concerns around data privacy, security, and compliance; organizations may hesitate to move their security services to the cloud for these reasons. At the same time, SSE offers the opportunity to enhance security through a centralized and scalable security infrastructure that helps organizations protect their networks and data from emerging threats and vulnerabilities.

The SSE market is growing rapidly, with several key players leading the way in providing innovative solutions. These companies offer a range of services and technologies that help organizations secure their networks and data. For instance,

  • Cisco Secure SD-WAN integrates security features such as firewall, URL filtering, and intrusion prevention into the SD-WAN infrastructure. 
  • Palo Alto Networks Prisma Access provides secure access to the cloud and internet for remote users, with advanced threat prevention capabilities.
  • Zscaler Cloud Security Platform offers secure access to applications and services, with advanced threat protection and data loss prevention.

Emerging Applications of SSE

Secure Access to Cloud Services 

The security service edge’s primary use case is policy control over user access to the internet, web, and cloud applications. SSE policy control is also essential for risk mitigation as end users increasingly access content both on and off the network, and for enforcing corporate internet and access control policy for compliance across the SaaS, PaaS, and IaaS segments.

Threats Detection 

Detecting threats and blocking attacks across the open internet, web sites and cloud services is among the most important reasons to move to SSE and, to a lesser extent, SASE. Because users can connect to content from any source or endpoint, organizations must establish solid defense-in-depth barriers against malware, fraud, and other threats.

Connect and Protect Remote Personnel 

The distributed workforce of today requires access to cloud services and private applications without the VPN’s inherent risks. Giving users access to specific applications, data, and content without putting them on the network is a vital component of zero trust access, because it removes the network-level (IP) exposure that a VPN connection grants.

Discovering and Securing Sensitive Data

SSE can accomplish this because it allows you to locate and manage sensitive data wherever it resides. Key data protection tools are combined in an SSE platform to provide more visibility and simplicity across all data channels. Cloud DLP makes it easier to locate, classify and secure sensitive data in support of Payment Card Industry and other compliance-related data policies. Because a DLP policy is created once and then applied both to in-line traffic and, via the CASB, to data at rest in the cloud, DLP remains manageable even after data has moved to the cloud.

Implementation Considerations

Network Architecture

  • Implementing Security Service Edge requires a rethinking of network architecture to ensure seamless integration and optimal performance.
  • Consider adopting a cloud-native approach to leverage the benefits of scalability, flexibility, and agility.
  • Implementing a software-defined network (SDN) can help simplify network management and improve security.

Integration with Existing Systems

  • Carefully assess the compatibility of Security Service Edge solutions with existing systems and infrastructure.
  • Ensure that the implementation process does not disrupt critical business operations.
  • Consider conducting a thorough analysis of existing systems and identifying potential integration challenges.

Security Policy Management

  • Establish clear security policies and guidelines for the implementation of Security Service Edge.
  • Define access control policies, threat detection and response mechanisms, and data protection protocols.
  • Regularly review and update security policies to adapt to evolving threats and technologies.

Conclusion

Security Service Edge is changing network security, providing a holistic and adaptable way to secure networks and their data. SSE lets organizations consume cloud-native security services delivered close to users and applications, which reduces reliance on conventional security appliances and cuts complexity. With security capabilities built into the connectivity fabric, threat discovery and response become faster and more efficient. SSE is, in short, cloud-delivered security that scales with a company’s requirements and with changes in its security risk.

Source: https://www.researchnester.com/reports/security-service-edge-market/5829


The post How Security Service Edge is Revolutionizing Network Security appeared first on Cybersecurity Insiders.


May 14, 2024 at 03:59PM

Monday, May 13, 2024

LockBit using botnets to send 9 million emails

The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) recently issued a warning regarding the LockBit ransomware group’s latest tactics. Dubbed the LockBit Black Ransomware Campaign, this operation utilizes the Phorpiex Botnet to orchestrate a large-scale phishing email onslaught.

According to NJCCIC’s alert, the campaign has been running since April 2024, with the Phorpiex botnet bombarding unsuspecting recipients with approximately 9 million emails. These emails carry ZIP file attachments harboring malicious payloads.

The attack method is straightforward: the Phorpiex botnet delivers the emails, and the ZIP attachment contains an executable which, once opened by the target, downloads the LockBit Black (LockBit 3.0) ransomware binary.

Security researchers, notably from Proofpoint, have analyzed the phishing emails in this campaign. They have observed a range of subject lines, including “Your document” and “Photo of You,” and sender display names such as Jenny Brown and Jenny Green. The emails originate from over 1,500 distinct sending addresses worldwide, spanning regions such as China, Russia, Iran, Uzbekistan, and Kazakhstan.

To combat such threats effectively, experts emphasize the importance of proactive measures. NJCCIC advises fostering awareness among employees regarding prevalent threats like phishing emails. Employees should exercise caution when encountering emails from unfamiliar sources, as they often harbor links leading to ransomware-related payloads.

Despite numerous law enforcement interventions and seizures of their IT infrastructure, the LockBit cybercriminal group persists in executing lucrative malicious campaigns. Implementing email filtering tools to mitigate the spread of spam may provide additional defense.
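The indicators reported above (the lure subjects, the Jenny Brown/Jenny Green display names, and a ZIP that carries an executable) are enough to build a first-pass scorer for a mail gateway’s logs, which is the kind of email filtering the alert recommends. The script below is an added example, not NJCCIC’s or Proofpoint’s detection logic. The indicators come from the article; the JSON-lines log format, the weights, the list of known sender domains and the four sample entries are constructed assumptions. Note that the executable-in-archive rule carries most of the weight on purpose: the lure text will change from campaign to campaign, the delivery mechanism much less so.

```python
"""Score mail-gateway log entries against the lure pattern described for the
Phorpiex / LockBit Black campaign.

Added example, not NJCCIC's or Proofpoint's detection logic. Indicators
(subjects, display names, ZIP carrying an executable) come from the article;
the log format, weights, known-domain list and sample entries are constructed.
"""
import json
from typing import Dict, List, Tuple

LURE_SUBJECTS = {"your document", "photo of you"}
LURE_SENDER_NAMES = {"jenny brown", "jenny green"}
EXECUTABLE_TYPES = {"exe", "scr", "dll", "js", "vbs", "bat", "cmd"}
# Assumed: domains the organisation has an established mail relationship with.
KNOWN_SENDER_DOMAINS = {"example.com", "partner.example.org"}

QUARANTINE_AT = 6
REVIEW_AT = 3

# Constructed sample log: one JSON object per line, as an archive-inspecting gateway might emit.
SAMPLE_LOG = """\
{"ts": "2024-05-13T09:14:02Z", "from_name": "Jenny Green", "from": "jenny.green@example.net", "subject": "Photo of You", "attachments": [{"name": "photo.zip", "archive_members": [{"name": "photo.exe", "type": "exe"}]}]}
{"ts": "2024-05-13T09:15:40Z", "from_name": "Accounts", "from": "billing@partner.example.org", "subject": "Invoice 4471", "attachments": [{"name": "invoice-4471.pdf", "archive_members": []}]}
{"ts": "2024-05-13T09:16:11Z", "from_name": "Mark", "from": "mark@example.net", "subject": "Your document", "attachments": [{"name": "report.zip", "archive_members": [{"name": "report.docx", "type": "docx"}]}]}
{"ts": "2024-05-13T09:17:03Z", "from_name": "Dana", "from": "dana@example.com", "subject": "Build artifacts", "attachments": [{"name": "tools.zip", "archive_members": [{"name": "setup.exe", "type": "exe"}]}]}
"""


def score_message(msg: Dict) -> Tuple[int, List[str]]:
    """Return a risk score and the reasons that contributed to it."""
    score, reasons = 0, []
    subject = msg.get("subject", "").strip().lower()
    if subject in LURE_SUBJECTS:
        score += 2
        reasons.append("subject matches campaign lure")
    if msg.get("from_name", "").strip().lower() in LURE_SENDER_NAMES:
        score += 2
        reasons.append("display name matches campaign lure")
    domain = msg.get("from", "").rpartition("@")[2].lower()
    if domain not in KNOWN_SENDER_DOMAINS:
        score += 1
        reasons.append(f"no prior relationship with sender domain {domain}")
    for att in msg.get("attachments", []):
        name = att.get("name", "")
        if name.rpartition(".")[2].lower() in EXECUTABLE_TYPES:
            score += 5
            reasons.append(f"executable attachment {name}")
        for member in att.get("archive_members", []):
            if member.get("type", "").lower() in EXECUTABLE_TYPES:
                score += 5
                reasons.append(f"executable {member['name']} inside archive {name}")
    return score, reasons


def verdict(score: int) -> str:
    """Map a score to a gateway action."""
    if score >= QUARANTINE_AT:
        return "quarantine"
    if score >= REVIEW_AT:
        return "review"
    return "deliver"


def triage(log_text: str) -> List[Dict]:
    """Run the scorer over a JSON-lines log and return one decision per message."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        score, reasons = score_message(msg)
        decisions.append({"ts": msg.get("ts"), "subject": msg.get("subject"),
                          "score": score, "verdict": verdict(score), "reasons": reasons})
    return decisions


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"{d['ts']} {d['verdict']:10s} score={d['score']:2d} {d['subject']!r}: {'; '.join(d['reasons'])}")
```

On the sample log the campaign-shaped message is quarantined, the partner invoice is delivered, and two borderline cases (a lure subject with a harmless archive, and an executable inside a ZIP from a known colleague) are routed to review rather than auto-blocked, which is where an analyst or sandbox detonation takes over.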

In a related development, the threat actor known as Salfetka, associated with the INC Ransom operation whose victims have included Yamaha Motor, Xerox Business Solutions, and NHS Scotland, has announced plans to sell the INC Ransom source code for $300,000. This development underscores the evolving landscape of cyber threats and the lucrative nature of ransomware operations.

The post LockBit using botnets to send 9 million emails appeared first on Cybersecurity Insiders.


May 14, 2024 at 11:01AM

Australia Firstmac hit by ransomware and info on Europol Data Breach

Australian financial institution Firstmac recently fell victim to a cyber attack, suspected to be a ransomware variant. The Brisbane-based mortgage firm was targeted by the Embargo ransomware group, which encrypted its servers on April 30th, 2024, and exfiltrated approximately 500GB of sensitive data, including names, addresses, email credentials, and bank details.

Despite the demands of the hackers, Firstmac chose not to comply, prompting the ransomware gang to leak the stolen information onto the dark web on May 8th, 2024. Subsequently, the data fell into the hands of a third party willing to pay a hefty sum for access.

In response to the breach, Firstmac released a statement assuring stakeholders that its operations are running smoothly. The affected systems have been isolated, and efforts to recover the compromised data are underway. The company emphasized its commitment to not negotiating with cybercriminals and expressed confidence in its recovery plan.

In a separate incident concerning Europol, a threat actor known as “IntelBroker” has been actively selling stolen details related to the organization since the beginning of the month. The data purportedly includes classified information, with screenshots posted on various platforms, including X, revealing FOUO (For Official Use Only) source code.

IntelBroker is demanding payment in XMR cryptocurrency, known for its privacy features that shield transactions from crypto sensors and ensure anonymity. The accuracy of the stolen data remains unconfirmed by Europol, although the threat actor has also been peddling information related to Five Eyes Intelligence, allegedly stolen from tech provider Acuity.

The post Australia Firstmac hit by ransomware and info on Europol Data Breach appeared first on Cybersecurity Insiders.


May 13, 2024 at 08:44PM

Sunday, May 12, 2024

BlackBasta Ransomware targeted nearly 500 firms till May 2024

The BlackBasta Ransomware gang has been causing havoc across a spectrum of organizations, targeting nearly 500 entities from April 2022 to May 2024, as per a report jointly released by the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The group, notorious for its ransomware-as-a-service approach, has struck critical infrastructure organizations in the United States, numbering approximately 16 alone. Mainly focusing on healthcare-related entities in Australia, Europe, and North America, BlackBasta’s victim roster includes prominent names like Rheinmetall of Germany, Hyundai’s European Division, Capita, ABB, the Toronto Public Library, the American Dental Association, Sobeys, Yellow Pages Canada, and many others.

Meanwhile, a separate report titled “State of the Ransomware 2024,” issued by Sophos, reveals a staggering 500% increase in the average ransom payments by victims in 2023. Ranging from a minimum of $2 million to as high as $400,000, these payments indicate a concerning trend. Small criminal groups deploying malware are now demanding at least $1 million, with 30% of demands in 2023 falling between $3 million to $5 million.

The question arises: are these gangs making substantial profits? While the numbers may suggest so, the success rate is relatively low, with only 2% to 4% of targeted organizations succumbing to the demands. Many either evade the attack or refuse to comply.

Sophos' survey underscores another alarming trend: hackers are infecting backup copies and data continuity systems, leaving victims with limited options beyond paying in cryptocurrency. Despite proactive measures like threat monitoring solutions, no data storage is immune to ransomware attacks.

Moreover, paying the ransom doesn’t guarantee a decryption key, nor does it ensure that hackers won’t sell or leak stolen data on the dark web—a tactic known as double extortion. Change Healthcare’s ordeal serves as a stark example: despite shelling out $22 million in cryptocurrency to ALPHV or BlackCat ransomware group in March 2024, the company now faces another threat from RansomHUB, demanding an additional $15 million to prevent the sale of stolen data on the dark web.

The post BlackBasta Ransomware targeted nearly 500 firms till May 2024 appeared first on Cybersecurity Insiders.


May 13, 2024 at 10:26AM

Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware

Password-stealing malware is on the rise again, with several attacks making the news cycle in recent months. For instance, a new password-stealing malware named Ov3r_Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis of password-stealing malware has also revealed that one family in particular, RedLine, is responsible for around 170 million passwords stolen in the last six months.

Research shows that RedLine malware obtained 170 million stolen credentials in the past six months, cementing it as a favorite among the hacking community. Other password-stealing malware variants remain available on the market for hackers to leverage, with the next three most popular credential stealers being Vidar, Raccoon Stealer and Meta.

The credentials extracted by this type of malware are sold on the dark web and used to steal information and money from victims, especially when the victims use the same passwords for other accounts. Password reuse persists in the business world: if employees reuse work passwords on sites or devices vulnerable to malware, compromised passwords can end up being used and eventually exploited by hackers on a large scale.

Deeper analysis of password-stealing malware

Further insight into the top three password-stealing malware families is given below to arm security professionals and businesses with the knowledge they need to stay safe against the latest threats to them, their users, and their users' passwords.

Malware Number 1 – RedLine

The RedLine malware was first identified in March 2020 and surged in notoriety as a highly sought-after information stealer. Its primary objective is the extraction of various personal data, including credentials, cryptocurrency wallets, and financial information, which is then funneled to the malware's command and control (C2) infrastructure. A notable attribute of RedLine is that it is often bundled with cryptocurrency miners, whose prime targets are users with powerful GPUs, i.e., gamers.

Phishing is the main distribution method for RedLine, with cybercriminals typically exploiting global events like the COVID-19 pandemic to entice victims into clicking a malicious link that unknowingly downloads the malware. Since 2021, YouTube has been a go-to location for disseminating the malware, with malicious links embedded in the descriptions of videos that often promote gaming cheats and cracks.

Malware Number 2 – Vidar

The Vidar malware is an evolution of the infamous Arkei Stealer. It employs sophisticated tactics to target specific regions based on language preferences, whitelisting certain countries for further infection. On execution it initializes key strings and creates a mutex. Hackers have access to two distinct C2 versions: the paid Vidar Pro and the underground-distributed Anti-Vidar associated with cracked versions.

In 2022, Vidar was identified in phishing campaigns, often disguised within Microsoft Compiled HTML Help (CHM) files. Moreover, distribution expanded through PPI malware service PrivateLoader, the Fallout Exploit Kit, and the Colibri loader. By late 2023, Vidar was also being propagated through the GHOSTPULSE malware loader.

Malware Number 3 – Raccoon Stealer

First seen on the Russian-language forum Exploit in 2019, the Raccoon Stealer malware operates under a "malware-as-a-service" model, enabling clients to rent it monthly. It is advertised with the slogan "We steal, You deal!" Raccoon Stealer found its niche primarily within Russian-speaking underground forums such as Exploit and WWH-Club. Expanding its reach, the threat actor began offering it on the English-language platform Hack Forums towards the end of 2019.

Those selling Raccoon Stealer have even been known to market the malware with “test weeks,” giving hackers the opportunity to sample the product before committing to its use. 

Issue of stolen credentials and password reuse

In the realm of cybercrime, stolen credentials are highly coveted assets. While some threat actors use them directly for further attacks, many sell them in bulk on the dark web for financial gain. The dark web, reachable only through specialized software such as the Tor browser (often used alongside VPN services), is a marketplace for private data. This makes it a perilous space where end users' credentials are traded among Initial Access Brokers (IABs), posing a significant risk to organizations.

Because of the clandestine nature of the dark web and the difficulty of detecting compromised credentials, organizations often struggle to ascertain whether their users' credentials have been compromised. Password reuse is a major vulnerability, as even strong passwords can be compromised if reused on insecure platforms. Without effective threat intelligence or scanning tools, organizations have difficulty identifying compromised passwords listed for sale online.

The effectiveness of password-stealing malware such as RedLine cannot be overstated, yet many organizations have no protections in place to defend against these threats. The issue boils down to password reuse. Continuously scanning Active Directory for compromised passwords known to be circulating on the dark web is essential to mitigate this risk, because human behavior, password reuse included, proves to be the most pervasive challenge.

All the protections and security protocols in place will unravel if employees are reusing work passwords on insecure endpoints and applications, putting the wider company squarely in the crosshairs of hackers. This analysis has detailed the tools available to steal passwords, which only compounds the overall challenge considering that 91% of users understand the risk of password reuse, yet 61% continue the practice, according to research from LastPass.

Conclusion

Ultimately, organizations need adequate password policies and protections to ensure compromised passwords are not in circulation. This can be achieved by continuously scanning Active Directory, and free password auditing tools are available to jumpstart the process. Combined, threat intelligence and password protection are essential to stay ahead of the latest threats stemming from known breached passwords.
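The two controls the article keeps returning to, checking directory passwords against known-breached lists and catching reuse across accounts, can both be done without ever sending a password or a full hash off the host. The following is an added example, not code from the post or from any vendor's tool. It implements the k-anonymity range query used by Pwned-Passwords-style services (hash locally, send only the first five hex characters of the SHA-1, compare suffixes locally) against a small breach list constructed here for the demo; the account set, usernames and passwords are likewise constructed sample data, not real AD exports.

```python
import hashlib
from collections import defaultdict

# Constructed breached-password corpus. It stands in for a dark-web dump or a
# Pwned-Passwords-style dataset; real lists hold hashes, not plaintext, and the
# plaintexts appear here only so the sample is self-describing.
_CONSTRUCTED_BREACHED_PLAINTEXT = ["Password123", "Summer2024!", "letmein", "qwerty"]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the Pwned Passwords hash form)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Range index: 5-hex-char prefix -> set of 35-char suffixes. This is the
# bucket layout a k-anonymity service keeps server-side.
BREACH_INDEX = defaultdict(set)
for _pw in _CONSTRUCTED_BREACHED_PLAINTEXT:
    _h = sha1_upper(_pw)
    BREACH_INDEX[_h[:5]].add(_h[5:])


def range_query(prefix: str) -> set:
    """Server side of a range query: given only a 5-hex-char prefix, return every
    known suffix in that bucket. The server never learns the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(BREACH_INDEX.get(prefix.upper(), ()))


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Neither the password nor its full hash leaves the client."""
    h = sha1_upper(password)
    return h[5:] in range_query(h[:5])


def audit_accounts(accounts: dict) -> dict:
    """Audit a {username: upper-case SHA-1 hash} mapping.

    Returns the accounts whose hash is in the breach index ("breached") and
    groups of accounts that share one hash, i.e. password reuse across
    accounts ("reused"). Only hashes are handled, never plaintext.
    """
    breached = sorted(u for u, h in accounts.items() if h[5:] in range_query(h[:5]))
    by_hash = defaultdict(list)
    for u, h in accounts.items():
        by_hash[h].append(u)
    reused = sorted(sorted(users) for users in by_hash.values() if len(users) > 1)
    return {"breached": breached, "reused": reused}


# Constructed sample directory export (hypothetical users and passwords; hashed
# here so the audit sees only what a real hash export would contain).
SAMPLE_ACCOUNTS = {
    "alice": sha1_upper("Summer2024!"),                  # in the breach list
    "bob": sha1_upper("c0rrect-horse-battery-staple"),   # shared with carol
    "carol": sha1_upper("c0rrect-horse-battery-staple"),
    "dave": sha1_upper("Tr0ub4dor&3"),
}

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

For a real Active Directory audit the hashes would be NTLM (MD4 over UTF-16LE) rather than SHA-1, and the index would be built from an NTLM breach list; the prefix-and-suffix logic is unchanged. The point the example makes is that a compromised-password check can be run continuously without the directory's hashes ever being uploaded in full, and that the same hash export also exposes reuse across accounts, which is the behaviour the article singles out.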

The post Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware appeared first on Cybersecurity Insiders.


May 12, 2024 at 08:19PM

Friday, May 10, 2024

PRODUCT REVIEW: SYXSENSE ENTERPRISE

Today's digital transformation is rapidly changing the IT and cybersecurity landscape: remote work and the increased shift to the cloud have broadened the attack surface, introducing new vulnerabilities as employees connect from everywhere. This situation is compounded by the rise of sophisticated cyber threats, like ransomware and phishing, demanding proactive defensive security measures.

Addressing these challenges, Syxsense Enterprise offers a comprehensive solution engineered to reduce an organization's attack surface and risk profile.

Syxsense Enterprise is the world's first cloud-based IT management and cybersecurity solution that combines patch management for operating systems and third-party applications, security vulnerability scanning, and remediation with a powerful no-code automation engine. This combination delivers a complete, unified solution that supports patching, security, and compliance needs efficiently.

What level of visibility do you have into vulnerabilities across your IT environment?

About half of the respondents (49%) have high or complete visibility into vulnerabilities across their IT environment, while the other half (51%) have, at best, only a moderate level of visibility. This is concerning, as lack of visibility can lead to unaddressed vulnerabilities and subsequent breaches.

Source: 2023 State of Vulnerability Management Report produced by Cybersecurity Insiders

COMPLETE VISIBILITY AND MANAGEMENT OF IT ASSETS 

According to a 2023 Cybersecurity Insiders vulnerability management survey, 49% of the respondents have high to complete visibility into vulnerabilities across their IT environment, while the other half (51%) have, at best, only a moderate level of visibility. Syxsense Enterprise addresses this challenge by providing complete visibility and management of IT assets regardless of their operating system (Windows, Mac, Linux, iOS and Android) or location (roaming, at home, on the network, or in the cloud). This is achieved through a live, two-way connection to devices, providing real-time data that enables not just automated remediation but also more accurate compliance reporting.

ROBUST ENDPOINT MANAGEMENT  

The platform's endpoint management capabilities deliver critical intelligence on operating systems, hardware, software inventory, and a complete endpoint timeline. This feature ensures that any missing patches, from the operating system to third-party applications like Adobe, Java, and Chrome, are immediately visible, presenting a clear picture of device changes over time. This allows security and IT operations teams to scan, track, prioritize, and customize security and patching actions, focusing on the most critical patches relative to exposed risk.

With additional features such as pre-built security vulnerability remediations, a policy-based Zero Trust evaluation engine, and extensive integration capabilities with ITSM tools through its Open API, Syxsense Enterprise addresses the multifaceted challenges posed by current IT and cybersecurity trends. It not only ensures the security of systems but also supports robust audit and compliance initiatives, including compliance proof, ultimately enabling organizations to maintain operational efficiency and security.

UNIFIED SECURITY VULNERABILITY MANAGEMENT  

Syxsense Enterprise also offers a single console for vulnerability scanning, remediation, and advanced policy automation. Coupled with endpoint management, this unified approach enables teams to work from a single information source that is fully aware of the environment's health and each endpoint's state. Such comprehensive visibility is critical for improving security, making smarter decisions to reduce risk, and maintaining compliance through actionable insights.

Furthermore, the integration of endpoint management and remediation workflows alongside a Zero Trust evaluation engine allows organizations to build trusted profiles for enterprise devices and verify that each device is in a trusted state before granting access, ensuring a seamless blend of security and management capabilities.

ENHANCED PRODUCTIVITY WITH NO-CODE AUTOMATION AND ORCHESTRATION 

At the core of Syxsense Enterprise is Syxsense Cortex™, a no-code workflow designer that enables operational staff to orchestrate complex IT and security processes without needing specialist scripting skills. Cortex is designed to streamline IT and security operations through automated endpoint and vulnerability management, enabling organizations to concentrate on their core business objectives rather than being bogged down by IT and cybersecurity risks.

KEY CAPABILITIES

Syxsense Enterprise distinguishes itself with an array of innovative features that empower organizations to streamline processes, enhance security, and ensure comprehensive endpoint management:

  1. Syxsense Cortex™ Workflow Builder: An intuitive, no-code automation and orchestration builder that simplifies complex IT and security processes with a drag-and-drop interface. Syxsense Enterprise includes an extensive library of pre-built Cortex™ playbooks, ready to deploy at the push of a button for effective management and monitoring of devices.
  2. Security Policy Enforcement: Easily implement a Zero Trust approach for continuous evaluation and authentication of both user and device, alongside automatic remediation of noncompliant endpoints to enforce compliance with security policies.
  3. Vulnerability Scanning and Remediation: Automatically identifies and resolves vulnerabilities upon detection through policies triggered by predefined conditions.
  4. Vulnerability Database: Features over 3,800 common configuration vulnerability fixes and more than 1,500 security remediation workflows. These are designed to conditionally respond to behavioral and state changes and are available as standalone tasks or as part of automated policies on local systems.
  5. Unified Secure Endpoint Management with Open API: Cloud-native and OS-agnostic, Syxsense supports cross-platform management (Windows, Mac, Linux, iOS, and Android), enabling the administration of desktops, laptops, servers, virtual machines, and mobile devices (MDM) from a single console. Syxsense Enterprise includes software distribution, feature updates, configuration management, a network map, and troubleshooting tools like remote control.
  6. Patch Management and Deployment: Detects OS and third-party patch updates and security configuration issues, prioritizing the management and deployment of updates to devices at critical risk. It keeps systems up to date on releases, prioritizes critical patches, and targets vulnerable devices with accurate detection and rapid deployment.
  7. Customizable Dashboards: Allows customization and sharing of discoveries and actionable insights with key stakeholders through interactive visualizations of vital security metrics.
  8. Compliance Reporting: Generates proof-of-compliance reports for audits by regulatory agencies, covering standards like HIPAA, PCI, and SOX.

KEY BENEFITS

Exploring the benefits of Syxsense Enterprise, we highlight how it enhances security, improves operational efficiency, and drives cost savings for organizations:

  • Reduced Risk of Security Breaches: The risk of data breaches and unauthorized access due to exploitation of unpatched vulnerabilities is markedly reduced with Syxsense Enterprise's comprehensive approach to vulnerability scanning and remediation. The capability to quickly identify and address vulnerabilities is crucial, especially when considering that 44% of organizations report systems with unintended open access and 24% have reported breaches caused by unaddressed vulnerabilities.
  • Improved Security Posture & Uninterrupted Productivity: Syxsense Enterprise offers real-time visibility into all devices within an organization, identifying those in need of patches or harboring vulnerabilities. This enables IT teams to prioritize critical tasks effectively, ensuring that productivity remains uninterrupted, contributing to a remarkable 80% reduction in unplanned downtime.
  • Improved Productivity & Reporting: With Syxsense, reporting on key IT infrastructure metrics becomes effortless, from patch status and time-to-patch to compliance with regulatory requirements. This streamlined reporting contributes to a 30% decrease in IT support cases related to maintenance. Moreover, the solution facilitates a more than 50% faster resolution of IT support cases, underlining its efficiency-boosting benefits.
  • Cost Savings Through Automation: The solution offloads tedious tasks, allowing IT professionals to redirect their focus to more strategic initiatives. Specifically, Syxsense has been shown to reduce patch management resource needs by up to 90% by automating policy application and software installation, freeing up significant amounts of time for IT staff.

DEPLOYMENT

As a cloud-native software vendor, Syxsense delivers its solutions via Software as a Service (SaaS), ensuring a seamless integration into existing IT infrastructures without the need for additional hardware investments. This cloud-based delivery model not only facilitates rapid deployment and scalability but also offers the flexibility required to adapt to evolving security needs.

Speed of Deployment  

One of the standout features of Syxsense Enterprise is its quick deployment time. Organizations can have the solution up, configured, and operational within 15 minutes, a stark contrast to the days or even weeks required for deploying traditional IT management solutions. This rapid deployment capability is especially beneficial in scenarios requiring swift action to mitigate existing vulnerabilities or to enhance IT management efficiency without significant downtime.

Subscription Pricing

Syxsense operates on a subscription-based pricing model, which is dependent on the number of endpoints managed. This model allows for a scalable and flexible approach to pricing, ensuring that organizations can tailor their subscriptions according to their specific needs and growth trajectories. Additionally, for Managed Service Providers (MSPs), Syxsense offers specific packaging options, enabling MSPs to utilize the platform both for managing their endpoints and for offering vulnerability management services to their clients.

Free Trial

Prospective clients can explore the benefits of Syxsense through a free trial, available for up to 50 devices and 50 mobile devices for 14 days. This trial offers organizations the opportunity to evaluate the solution’s effectiveness and ease of use in their environment before committing to a subscription. 

CONCLUSION

In summary, Syxsense Enterprise stands out as a unified solution tailored for the modern digital enterprise, tackling the multifaceted challenges of endpoint and vulnerability management with a comprehensive, efficient, and scalable approach. By providing detailed visibility, control over endpoints, and a suite of automated vulnerability management and remediation tools, it enables organizations to safeguard their IT environments against the evolving threat landscape while ensuring compliance and operational efficiency. In essence, Syxsense offers a robust platform that not only fortifies an organization’s cybersecurity framework but also streamlines its IT operations. Its comprehensive approach to managing security, efficiency, and compliance across a variety of use cases makes it an extremely valuable asset in the arsenal of modern IT and cybersecurity teams.

ABOUT SYXSENSE

Syxsense is the world's first software vendor providing cloud-based, automated endpoint and vulnerability management solutions that streamline IT and security operations. With our advanced platform, businesses gain complete visibility and control over their infrastructure, reducing IT risks and optimizing operational efficiency. Our real-time alerts, risk-based vulnerability prioritization, pre-built remediations, and intuitive automation and orchestration engine enable organizations to focus on their core business goals, confident in the knowledge that their enterprise is secure, compliant, and running smoothly.


The post PRODUCT REVIEW: SYXSENSE ENTERPRISE appeared first on Cybersecurity Insiders.


May 10, 2024 at 06:30PM