Tuesday, 31 March 2020

Is Cyber Incident Response better than Risk Insurance?


Cyberattacks are continuously evolving. They are rising sharply and affecting businesses and users as never before. From the network infrastructure to sensitive data and applications, nothing is beyond the reach of cybercriminals. Large corporations, government agencies, and SMEs alike are struggling to protect their critical infrastructure from threat actors. To fight cybercriminals successfully, enterprises need a reliable solution that can save them from lost customer trust, falling stock value, disrupted business operations, damage to brand integrity, and near-certain financial loss.

In the wake of hundreds of security breaches, organizations are stepping up their game by hiring skilled security professionals. But since cyberattacks are inevitable, businesses also need a backup plan: cybersecurity insurance. It does offer protection from financial losses arising from data breaches, including the provision of services such as security audits, customer credit monitoring, and legal expenses. Yet it cannot cover reputational loss. The incident response process, by contrast, is designed to safeguard not only a firm’s potential revenue but also its sensitive data, reputation, and customer trust.

Here are a few pointers to help you decide which of the two is right for your organization.

Cybersecurity Risk Insurance vs. Incident Response Team


Cyber insurance provides coverage for business liabilities arising from a data breach, remediation costs incurred while responding to cyberattacks, and legal proceedings. Having analyzed the size and scope of frequent security incidents, enterprises have started adopting cyber insurance as part of their risk management strategy. For all its benefits, cybersecurity risk insurance cannot replace the need for data security and protection.

On the other hand, when the reputation, revenue, and customer trust of the organization are at stake because of destructive security events, firms should build a robust incident response plan and hire a dedicated team to execute it. These professionals work to detect, respond to, and recover from the consequences of security incidents. To handle an incident, they follow a procedure with six major phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

An incident response team can defend the organization from the dramatic effects of a security breach, whereas cyber insurance focuses mainly on recovering the financial losses the firm faces after it has been hit by a breach. Adopting a combination of both will strengthen the organization’s defenses. But for that, the firm needs professionals with relevant hands-on experience.

Source: eccouncil.org

Sunday, 29 March 2020

Is Your Data Secure Online?


All businesses, large or small, regularly face the problem of secure data storage. There are several options for storing the sensitive data a company creates (personal or financial data of clients, or HR data of employees), but which is the best? The three main options are storage on a computer or external hard drive, backing up to a (hopefully secure) server, and cloud storage. Each has its own challenges and requires a thoughtful approach to security.

I. Computer or External Hard Disk

If your business is small and limited to a few transactions, you may prefer to save your data on your own password-protected computer. Of course, this could fill up your computer’s hard drive, so you may have to use an external hard disk. But even though your computer is password-protected and is your personal machine, there are various ways the data can be lost.


Keeping the only backup of your data on a personal computer or hard disk may not be safe, and there is a significant chance that you will lose the data. As the chart above indicates, concentrating all of your data on one machine carries a great deal of risk: laptops are frequently lost or corrupted. There are, however, ways to make your computer somewhat more secure.

1) Locking your hard drive with a password: This is one of the easiest options and can be done without any specialized software. The password is set on the hard drive itself rather than in the operating system, so the machine asks for it at the initial boot screen, and only after it is entered can the user reach the Windows login. If your computer or laptop is stolen, the thief will not be able to access the system, at least not without some basic hacking skills. This kind of lock is less secure than encryption but still better than no protection, and in this way a password gives your data some minimal protection.

2) Full disk encryption: This is the safest way of keeping your data safe on a computer. Encryption is enabled by default on Apple devices, while Windows, Linux, and Android users can enable it manually. You can also use specialized disk encryption software to lock your device.

II. Server Backup

For larger or more complex businesses, local backup is not an option. For internal communication, data storage, and backup services, many organizations rely on a server installed in a separate, dedicated room on the company’s premises. The server should be monitored under a strict surveillance system and have an uninterruptible power supply. Care must be taken to secure your server, because data breaches are a common problem: over the last year, 83% of organizations surveyed reported data security incidents, including major vulnerabilities in their security systems and cyber mishaps.

Servers are vulnerable to two major types of threats: internal and external.

Sources of internal threats:

Of all security threats, 58% are attributed to internal sources, chiefly employees, ex-employees, and third parties. Sometimes an employee or contractor knowingly threatens the security of an organization, but often these incidents are caused by mistake. Problems with employees and contractors can include:

◉ Opening of malicious emails

◉ Getting trapped by phishing schemes

◉ Using corrupted devices

◉ Social engineering

◉ Insufficient vetting of employees and contractors

Sources of external threats:

External threats tend to be people or organizations purposefully attempting to access data that is not their own. These threat actors can include:

◉ Sponsored hackers

These cybercriminals are information-oriented rather than money-oriented. What they want is access to your IT infrastructure and, in many cases, your intellectual property (IP). They are sponsored by rival organizations or governments and therefore do not lack the resources required for long-term, sophisticated attacks.

◉ Criminal syndicates

These cybercriminals attack in organized groups and carefully select targets that promise good returns. They tend to be motivated by the money they can earn from selling the information they collect illegally.

◉ Hacktivists

These criminals are not motivated by money but by political or social ideologies. One of the most famous hacktivist groups is Anonymous, which is notorious for shutting down websites that promote ideologies it disagrees with. Many see such groups as a force for good rather than evil, but this of course depends on your political and ideological viewpoint.

Combating internal and external threats:

◉ Assess data vulnerabilities: Check for vulnerabilities in your systems by performing penetration testing and installing an intrusion detection system (IDS). Also track all database access and activity, checking for data leakage, unauthorized access, and suspicious data transactions.

◉ Calculate risk scores: With the help of the Common Vulnerability Scoring System (CVSS), you can record each vulnerability and give it a numerical score that can be sorted into low, high, or critical risk, giving a broader picture of the threats facing your organization.

◉ Train your employees: It is important that your employees are aware of the part they play in keeping the system secure. They should be trained on the risks of spam emails, online payments, social engineering, data sharing, plugging in untrusted flash drives, and the many other ways they can help or harm the system.

◉ Restrict privileges: Access to sensitive databases should match each person’s job function, and who is allowed to access what level of data should be reviewed regularly. When an employee leaves or changes roles, their access should be removed or adjusted immediately so that the data remains secure.

◉ Encrypt data: Data encryption is a good option for most companies’ data. In this practice, the data is transformed by mathematical algorithms so that it can be decrypted only by authorized parties.

III. Cloud Storage

Cloud-based data storage can be more secure than the other options when it is configured correctly and strong contracts with service providers are in place. When data is stored in the cloud, it is first split into chunks, and each chunk is encrypted and stored separately, so that anyone who manages to decrypt one chunk gains access to only a part of the data.

Cloud storage was developed to provide robust security for databases, but security challenges remain. Cloud security can be strong, but no security system is impenetrable. There have been incidents where cybercriminals have compromised cloud systems: many attempts have been made either to destroy data or to retrieve information from the cloud, and in many cases the attackers succeeded.

According to Microsoft, cyberattacks on the cloud are accelerating rapidly every year. In fact, Microsoft’s Identity Security and Protection team has observed a 300% increase in attacks on cloud services.

How to secure your cloud data:

◉ Use strong authentication: Cloud developers should require more than one form of authentication before cloud owners can access the data. Stolen or changed passwords are a common way of gaining access to data in the cloud, and a strong authentication policy can curb this. Two-factor authentication should be used to secure access to the cloud.

◉ Implement access management: Cloud developers should assign role-based access to cloud owners so that not everyone in the company has the same level of data access. This way, the most crucial data is accessible only to those who truly need it.

◉ Detect intrusions: Always use an intrusion detection system that can detect and report any malicious activity within the cloud.

◉ Secure APIs and access: Data access should be restricted to secure APIs only, by limiting the permitted IP addresses or restricting access to VPN connections. If this is difficult to implement, you can secure access to the data via the API using scripts.

Cloud computing can be the most secure form of data backup, but because of certain vulnerabilities in the cloud, data can still be quite exposed. To safeguard cloud data from cybercriminals, skilled cybersecurity professionals are needed to address specific incidents and situations.

Do you want to be a cybersecurity professional and protect data from cyberattacks? All you need to do is to begin your career path in cybersecurity.

EC-Council has been the world’s leading cybersecurity credentialing body, offering training programs that are mapped to the NICE framework. The industry of cybersecurity is growing as is the need for cyber professionals due to rising cybercrime. This has led to the emergence of specialized job roles including Ethical Hackers, Penetration Testers, Forensic Investigators, and Threat Intelligence Analysts.

Source: eccouncil.org

Saturday, 28 March 2020

5 SOC and SIEM Tools that go hand-in-hand


In 2019, 93% of all malicious Windows executables were found to be polymorphic, continuing the previous year’s trend. Polymorphism is a tactic designed to evade traditional antimalware detection. As a result, businesses are under constant threat of being exploited by ransomware, phishing, denial-of-service, and other forms of attack. Since the COVID-19 outbreak, professionals have started working remotely, which has created a greater need for Security Operations Center analysts than ever before. To fight these possible cyberattacks, organizations require a robust defensive layer, and so they are looking for the right solutions and expertise to detect and respond to potential cyber threats actively. This is why enterprises need the cutting-edge security strategies offered by a Security Operations Center (SOC) together with SIEM tools.

Firstly, let’s begin by understanding how SOC and SIEM can be put together to gain the maximum benefits.

Explaining SOC and SIEM

SIEM tools offer a centralized approach to identifying, monitoring, analyzing, and recording security incidents in real time. A SOC, meanwhile, is a dedicated team of security professionals who continuously monitor an IT infrastructure and raise an alert whenever they spot suspicious activity or a threat.

A SOC relies on various foundational technologies, one of which is the Security Information and Event Management (SIEM) system. The tools that make up a SIEM aggregate system logs and events from across the entire organization. Most importantly, the system applies correlation and statistical models to that event stream, looking for security incidents and alerting the SOC team when one is found.
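The correlation step described above, as an added example that is not code from the article or from any SIEM product: it aggregates constructed sshd log lines from two hosts into normalised events and applies one correlation rule (a burst of failed logins from a source followed by a success from that same source). Hostnames, IPs and usernames are made up.

```python
"""SIEM-style log aggregation and a brute-force-then-success correlation rule.

Added example: normalises raw syslog lines into uniform events and runs a
windowed correlation rule over them, the way a SIEM raises alerts to the SOC.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd syslog style, as if collected from two
# hosts by a log forwarder. Hosts, IPs and users are invented for the example.
SAMPLE_LOGS = """\
2020-03-28T09:00:01Z web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
2020-03-28T09:00:04Z web01 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
2020-03-28T09:00:07Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51024 ssh2
2020-03-28T09:00:09Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51025 ssh2
2020-03-28T09:00:12Z web01 sshd[4121]: Failed password for root from 198.51.100.23 port 51026 ssh2
2020-03-28T09:00:15Z web01 sshd[4130]: Accepted password for root from 198.51.100.23 port 51027 ssh2
2020-03-28T09:05:00Z db01 sshd[2210]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2020-03-28T09:20:00Z db01 sshd[2212]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def normalise(raw):
    """Aggregate raw lines into a time-ordered list of uniform event dicts."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count unparsed lines
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group("host"),
            "user": m.group("user"),
            "src": m.group("src"),
            "outcome": m.group("outcome"),
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Rule: at least `threshold` failures from one source inside `window`,
    followed by a success from the same source, raises a single alert."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ev in events:
        recent = failures[ev["src"]]
        # Slide the window: forget failures older than `window`.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev["src"], "host": ev["host"], "user": ev["user"],
                "failures": len(recent), "at": ev["ts"].isoformat(),
            })
            recent.clear()  # one alert per burst
    return alerts


def run(raw=SAMPLE_LOGS):
    """Full pipeline: aggregate, normalise, correlate."""
    return correlate(normalise(raw))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the constructed input, only the web01 burst from 198.51.100.23 produces an alert; the single db01 failure is outside the window and below the threshold.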

5 Tools that every SOC Analyst should know about

No SOC is complete without a set of tools. This is why we have put together a list of the best SIEM tools available on the market. Take a look:

1. IBM QRadar

QRadar is suitable for medium and large businesses. It offers comprehensive insight by gathering log data from network devices, applications, operating systems, and vulnerability scanners, and it detects threats quickly, which in turn reduces the alert volume.

It supports the Linux OS platform.

2. Splunk

Splunk SIEM serves businesses of all sizes (small, medium, and large) and can be deployed on-premises or as Software-as-a-Service (SaaS). This premium, analytics-driven tool provides insight into machine data generated by network, endpoint, malware, vulnerability, and other security technologies.

It supports the Windows, Linux, Mac, and Solaris OS platforms.

3. Elastic

Elastic SIEM is a free tool that enables security teams to triage security incidents and conduct an initial investigation. Beyond these two primary tasks, Elastic helps monitor cyber threats, gather evidence, and forward possible incidents to ticketing and SOAR (Security Orchestration, Automation, and Response) platforms.

It supports the Linux OS platform.

4. McAfee 

McAfee’s SIEM suits small, medium, and large enterprises alike and can be deployed on-premises, in the cloud, or as a hybrid solution. It provides security insight by combining event, threat, and risk data; with this information, professionals can efficiently perform rapid incident response, log management, and compliance reporting.

It supports the Windows and Mac OS platforms.

5. LogRhythm

LogRhythm SIEM offers end-to-end threat detection and response. This powerful suite of security tools is suited to medium-sized organizations. It also supports endpoint monitoring, forensics, and security analytics, and it is designed to process unstructured data while supporting a wide range of devices and log types.

It supports the Windows and Linux OS platforms.

For a practitioner’s view of how threat intelligence feeds SOC operations, see the talk “Exploiting and Augmenting Threat Intel in SOC Operations” by Vijay Verma, a security professional with more than 24 years of cross-functional experience in the Indian Army and the corporate sector in the information security and telecom domains: https://www.youtube.com/watch?v=pgeTNCh8S4g

Source: eccouncil.org

Thursday, 26 March 2020

5 Crucial Elements that Every Cyber Disaster Recovery Plan Must Have


We’ve all heard the stories of businesses collapsing after being hit by an unforeseen event. The primary cause of this collapse is usually a prolonged interruption of regular business operations. Interestingly, the ill effects of a disaster or security incident can be avoided completely with a strategic cyber disaster recovery / business continuity plan (BCP).

Most businesses understand the consequences of lengthy downtime; still, 68 percent of small business owners do not have a documented cyber disaster recovery plan. Being unprepared for natural or man-made disasters leads to several negative impacts, including loss of customer trust, a drop in overall revenue, disrupted business productivity, compromised data, and in many cases business failure.

Experts believe that business leaders hold a few misconceptions about cyber disaster recovery and business continuity planning. Some say that DR plans are not meant for corporations spread over multiple locations, or that executives should simply think on their feet when an event occurs. In reality, companies must stay ready for all kinds of known and unknown events.

Before we dive into the five significant elements of a DR plan, watch this video by Tim Foley, Director of Information Security for the Dataprise CYBER division, in which he explains how to recover from unfortunate events:

5 Elements of cyber disaster recovery

1. Detailed Inventory

Every good disaster plan starts by listing what tools you have, where they are stored, and how they are configured. Assess the physical space of server rooms, data centers, network operations centers, and similar facilities to check whether they can accommodate the IT equipment.

Index all hardware and software in use, including serial numbers, contact information, and other useful technical details. Alongside this, create a list of the login credentials needed to access the various cloud-based programs and data backups, kept in a secured, access-controlled location.

2. Communication Plan

Before creating an efficient communication plan, everyone should be clear about their responsibilities during and after an unanticipated event. Once the plan covers these responsibilities, work out a way to communicate with employees, vendors, and end users.

During a disaster, employees may not be able to rely on the regular modes of communication. Outline the entire process, including backup plans for when cell coverage and email go down. As part of the process, keep customers informed through an existing online portal or a dedicated web page.

IT disaster recovery requires collaborative team efforts, so ensure that no involved professional is left in the dark.

3. Outsourced Services

Third-party service providers and suppliers are expected to sign comprehensive service level agreements (SLAs), because their assistance at this crucial time is essential. Service providers should work diligently alongside the affected organization so that its regular business operations can return to normal.

4. Cyber Disaster Recovery (DR) Protocol for Employees

Cyber disaster recovery plans should also include a protocol dedicated to employee safety and security during a disaster. Assign specific roles to all involved professionals for each kind of disaster, so that they understand the DR protocol before the event occurs and can act immediately when it does. While assigning roles, consider factors such as employee location and priorities. When asking employees for a helping hand, make sure they are not dealing with the same disaster at home; in such cases, assign the role to a remote employee instead.

5. Timely Reviews and Testing with “Fire Drills”

To check the effectiveness of a DR plan, the organization must put it to the test. It is recommended that a DR plan be tested at least twice a year. When testing the documented cyber disaster recovery plan, be sure to simulate realistic emergency conditions. This will help strengthen the business continuity and disaster recovery plan.

Source: eccouncil.org

Tuesday, 24 March 2020

All you need to know about Memory Forensics – Identifying potential volatile data


In digital forensics, data present on digital assets serves as strong evidence. A system’s memory may hold critical data about attacks, such as account credentials, encryption keys, messages, emails, non-cacheable internet history, network connections, devices connected to the endpoint, and so on. Memory forensics provides insight into network connections, executed files or commands, and runtime system activity. Any program must be loaded into memory before it can execute, which makes memory a critical source of evidence for identifying attacks.

Memory forensics tools and skills are in high demand because of rapidly growing, sophisticated attacks. Tools such as antivirus and anti-malware serve no purpose in detecting malware that is written directly into a computer’s physical memory (RAM). In that case, security teams have to depend on memory forensics tools to protect their valuable business information from stealthy attacks such as DoS and fileless malware.

What is memory forensics?

What is volatile data?

Volatile data is any data that is stored temporarily on a computer while it is running and would be lost if the device shut down for any reason. It exists in temporary cache files, RAM, and system files. For example, if you are working on a text file without saving it to persistent storage, there is every possibility of losing the file if the system shuts down. Volatile data also contains the last unsaved actions performed in a document.

Tools for memory forensics

Traditional security systems can analyze typical data sources and can protect against malware in ROM, email, CD/DVD, hard drives, and so on, but they fail to analyze the volatile data in use during execution. That volatile data may still be at risk, because malware can be loaded into memory regions reserved for authorized programs.

The latest security systems are now equipped with memory forensics and behavioral analysis capabilities. These sophisticated tools can identify malware, rootkits, zero-days, and other data present in the system’s physical memory, and can extract a considerable amount of threat intelligence from it.

Sources of evidence in physical memory include the following:

Decrypted programs – An encrypted malicious file must decrypt itself in memory in order to run, so its decrypted form can be captured there, which helps identify and attribute the threat.

Usernames and passwords – The credentials users enter to access their accounts can remain in the physical memory of the system.

Content on the window – Content in chat windows, clipboards, emails, instant messengers, form field entries, and similar places can be traced for information.

Though the sources listed above are only a few, they show what memory forensics can contribute. There are both open source and commercial tools designed to conduct memory forensics; which security solution to adopt, and whether to use commercial software or open source tools, depends on the organization’s security requirements.
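The "usernames and passwords" and "content on the window" sources above can be demonstrated by carving strings out of a raw memory capture. This is an added example and not code from the article or from any forensic tool; the memory image is constructed inline, with padding bytes standing in for surrounding memory, and the hostnames and values in it are invented. Besides plain ASCII it carves UTF-16LE strings, which is how Windows keeps most window and form text in RAM.

```python
"""Carve credential-shaped volatile data out of a raw memory image.

Added example: carves printable ASCII and UTF-16LE strings from a memory
capture and flags the ones that look like credentials, which is what an
investigator checks to confirm what the captured RAM exposes.
"""
import re

# Constructed stand-in for a slice of a physical-memory capture. Real images
# are gigabytes of mostly binary data; only the embedded strings matter here.
SAMPLE_IMAGE = (
    b"\x00\x7f\xc3\x10" * 8
    + b"POST /login HTTP/1.1\r\nHost: intranet.example.test\r\n"
    + b"\x90\x90\x00\x00"
    + b"username=alice&password=Winter2020!\x00"
    + b"\x41\x42\x00\x00\xff\xfe"
    + "Connecting to smtp.example.test as bob".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
    + "pwd=Correct-Horse-Battery".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 4
    + b"Authorization: Basic Y2Fyb2w6czNjcjN0\r\n"
    + b"\x00\x13\x37"
)

MIN_LEN = 8  # shortest run of printable characters worth reporting
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Credential-shaped material for triage; deliberately simple, not exhaustive.
CREDENTIAL_RE = re.compile(
    r"(?:pass(?:word|wd)?|pwd|secret|token)\s*=\s*\S+"
    r"|Authorization:\s*(?:Basic|Bearer)\s+\S+",
    re.IGNORECASE,
)


def carve_strings(image):
    """Return (offset, encoding, text) for every carved string, by offset."""
    found = []
    for m in ASCII_RE.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_credentials(image):
    """Carve strings, then keep only those matching a credential pattern."""
    hits = []
    for offset, encoding, text in carve_strings(image):
        for cm in CREDENTIAL_RE.finditer(text):
            hits.append({"offset": offset, "encoding": encoding, "match": cm.group()})
    return hits


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_IMAGE):
        print("0x%08x %-8s %s" % (hit["offset"], hit["encoding"], hit["match"]))
```

The same scan run against a capture from a real host is the quickest way to show why memory images must be stored and shared with the same care as the credentials they contain.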

There are different tools for investigating computers for breaches, vulnerabilities, crime, cyberattacks, and so on. Using them requires a digital forensic investigator who knows the investigation processes, tools, and techniques and has the skill to investigate efficiently. The Certified Hacking and Forensic Investigator (C|HFI) program prepares students with the skills to conduct investigations using ground-breaking digital forensic technologies.

Source: eccouncil.org

Sunday, 22 March 2020

Cybersecurity and coronavirus: keeping your business safe


As governments and businesses work on mitigating the impact of the ongoing COVID-19 outbreak, social distancing measures are leading to an increase in remote working across all sectors.

The reasoning behind the measures is best left to health authorities, and is discussed at length elsewhere. The purpose of this article is to shed light on some of the key cybersecurity challenges around the sudden spike in remote work arrangements, and to propose measures to keep networks as secure as possible during these times.

Today, the idea of working from home is not exactly new, and we are well equipped to work away from the traditional bricks and mortar, as our cloud infrastructure has matured considerably in recent years.

That said, conducting activities remotely poses complex challenges from a number of perspectives. We’ll focus on the impact on infrastructure, remote working security, and how organisations can help mitigate threats to their cybersecurity.

Infrastructure Concerns

One immediate risk that has been raised is that the telecommunications infrastructure may not have the capacity to support the increase in demand. Experts have warned that bottlenecks could appear, especially in the parts of the country that are not yet on fibre.

The pledges to have full-fibre broadband across the UK by 2025 may prove to be a little too late for the moment. Although the UK average speed is still behind that of, say, Germany and France, there have been assurances from providers that the country has the necessary capacity.

Another issue that has been highlighted to me in my conversations with large organisations is the individual company’s infrastructure. With employees in the tens of thousands, remote working systems have not yet been tested at potentially critical levels.

From an infrastructure perspective, these are uncharted waters, and they can expose any existing shortcomings in both internal company infrastructure and national capacity.

Security Concerns

Working remotely also throws up a number of security concerns that cause headaches for any internal networking/cybersecurity team.

With networks becoming more complex, initiatives such as BYOD (Bring Your Own Device), and literally thousands of access points to police, cybersecurity professionals have a tough job.

Throw into the mix the fact that the reasonably new GDPR regulation has made data protection a crucial part of any strategy, and having the majority of staff working from home adds yet another layer to an already large checklist of concerns.

Here are some of the most pressing challenges facing security professionals in the current situation:

◉ Is the employee’s Wi-Fi connection secure/are they using an open Wi-Fi?

◉ Do they have appropriate anti-virus/firewall/security tools in place?

◉ Have they received adequate training?

◉ Will they adhere to security protocols?

Wi-Fi hacking is a staple skill for Ethical Hackers and Penetration Testers around the world, and I’m sure less technical readers would be horrified to find out just how easy it is. Despite this, a recent study from the UK showed that 82% of those surveyed had never changed their Wi-Fi admin password.

We won’t delve too deeply into the details, but this sort of statistic is the stuff of nightmares for an organisation’s cybersecurity team when employees return to work with their devices.

If devices have been compromised or have unwittingly initiated a malicious download, they can pose a threat to the internal network. Similarly, with open Wi-Fi networks, there is the potential for various credentials to be stolen and accounts to be hijacked.

Companies often have a number of security tools, ranging from firewalls and anti-virus software to VPNs and penetration tests, all part of a robust protective layer. It depends on the types of tools each organisation employs, of course, but the security tools at a company’s disposal are usually far superior to those of the individual. When staff are away from the office, however, the influence of that armoury can be weakened.

In this age of convenience, running routine scans or taking an additional 30 seconds to fire up your VPN may seem like annoyances, but are all the more important now.

Training is usually the most reliable way to ensure not only solid, up-to-date knowledge, but also the accountability of security professionals. Training plays a huge role in building a culture of security, and the cyber awareness market has seen unprecedented growth over the last few years as organisations scramble to train employees.

Security tools such as OhPhish can help, not only by testing staff against regular simulated phishing campaigns, but also by supporting end-user training.

Since the dawn of the industrial revolution, we have grown accustomed to evolving technology making our lives easier, more efficient and more convenient. But in this age of information, we are at a crossroads where convenience and security are often a trade-off.

Protocols are an important feature of network cyber security. That said, humans are prone to errors, which means protocols that are put in place may not be adhered to – even though they are there to protect both companies and employees’ data.

So how can companies influence a culture change from convenience to security?

How do organisations mitigate the various risks posed by having their workforce work from home? There are a number of best practices that can be adhered to by both the individual and the organisation.

Companies should create a checklist with key measures and circulate them across their workforce in a plain and clear format so as to minimise friction. Employees, on the other hand, should remain vigilant and conscious of threats outside the usual work environment.

The following lists can serve as a starting point, and are by no means exhaustive:

For the organisation
◉ Clear policies and procedures for your employees to follow when working from home

◉ Put in place an action plan and guidelines for employees returning to the office

◉ Incident response and handling should be in place

◉ Ensure appropriate tools, such as VPNs, are available to all remote employees

◉ Training (ideally certification training) is important.

◉ Put out clear, straightforward communication aimed at getting buy-in from employees

For the employee

◉ Adhere to the company security policies and protocols

◉ Always use the VPN if provided with one

◉ Don’t use open Wi-Fi connections – ideally, use a wired connection if possible

◉ Always use two-factor authentication for personal and work accounts

◉ Avoid working from public networks

◉ Protect access to your work computer at home

◉ When handling customer data, always double-check that you are following relevant data protection policies

Working remotely doesn’t have to be risky. However, without the right protocols and tested infrastructure in place, issues can escalate a lot quicker and can be much harder to mitigate than in a centralised office environment.

We are facing a uniquely challenging situation in our response to the coronavirus threat, and it carries some cyber security risks. But with the correct approach, training, and policies in place, your business can potentially make it through these times even more efficient, well-oiled, and safe.

Source: eccouncil.org

Saturday, 21 March 2020

2-step remedy to a Cloud Sprawl

EC-Council Study Materials, EC-Council Tutorial and Material, EC-Council Study Materials, EC-Council Cloud

The increasing cloud adoption by businesses has also led to a rise in the risk of cloud sprawl, resulting in a large number of cloud security threats. Enterprises rush to capitalize on the efficiency, flexibility, and scalability of cloud technology. An Enterprise Strategy Group survey of 600 IT professionals found that more than half (64%) believed that spending on cloud technology would increase in 2019 and 2020 compared with previous years. Only 4% predicted a decrease in usage.

Moving your business to cloud storage was once a matter of careful planning, whereas now enterprises are primarily dependent on cloud technology. The Cloud Security Alliance reported that 66% of enterprises operate in multi-cloud environments, where every cloud has different security requirements. While dealing with different levels of data access controls across multiple cloud storage services, it is quite easy for an enterprise to get lost in cloud sprawl.

To overcome the challenges of cloud security, organizations try applying a blanket approach. But with the differences between cloud service models like Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS), a blanket approach is no longer viable. To reduce the chaos of cloud sprawl with a viable roadmap, enterprises should take the following two steps –

Step 1: Realize responsibility

The public cloud is believed to attract many security risks, but that is not the real cause of the problem. Many enterprises were not open to adopting public clouds because they held the notion that a public platform would host security threats. Cloud security has struggled to win confidence, even though the cloud is otherwise among the most secure and safest platforms for data storage. When companies like Amazon began providing cloud storage as an open offering, the confidence of many enterprises grew as well.

According to Gartner, by 2025 there will be overwhelming support for cloud security. Gartner predicted that 99% of cloud security shortcomings would be the customer’s fault. These shortcomings can be due to overlooked access risks, security misconfiguration, or cloud sprawl. When customers have too many clouds, it becomes difficult to attend to security issues responsibly. Dealing with different cloud providers needs a systematic approach towards securing each cloud infrastructure individually. Enterprises should match the security perspectives of the cloud providers with the security measures they undertake in their own infrastructure.

Step 2: Define a process on security

The security process defines the division of responsibilities between the customer and the cloud provider. The different cloud service models, SaaS, IaaS, and PaaS, dictate how security processes are split between providers and customers. It is the responsibility of an enterprise to know about the various security provisions of its different cloud providers. Cloud services offering different cloud infrastructures cannot be treated as one size fits all.


Corporate systems can be secured by introducing an owner who creates a security strategy and addresses security audit requirements. Oversight of data access, a typical blind spot, can then be handled by that owner.

Cloud technology is driving incredible value in solving business data security issues. When an enterprise deals with multiple cloud environments, it is likely to accumulate misconfigurations and overlooked details. Mishandling or negligence may cause a massive financial loss to the enterprise.

A Certified Ethical Hacker (C|EH) is a credential that ensures that you have the knowledge and skills to probe cloud security and uncover vulnerabilities that must be fixed. The program takes you through the five phases of ethical hacking and, with dedicated lab provision, enables you to practice ethical hacking on various domains like cloud storage and mobile phones.

Source: eccouncil.org

Thursday, 19 March 2020

4 Cybersecurity Challenges affecting Business Continuity since the Coronavirus Outbreak

COVID-19, CyberSecurity, Coronavirus, EC-Council Exam Prep, EC-Council Prep

With the rise of coronavirus (COVID-19), businesses around the world are facing major disruptions. They are struggling to continue business operations and secure their corporate assets. At the same time, employees are combating a tough fight against the virus itself. To make things worse, cybercriminals are riding on this opportunity, trying to make the most of the situation. A couple of weeks ago, Proofpoint researchers discovered coronavirus-themed attacks. Apart from the increase in malicious messages, experts observed a form of attack budding on the fear of purported unreleased cures for coronavirus.

Amid the spread of this global pandemic, employers are torn between allowing their employees to work from home and continuing to operate from established offices. Regardless, organizations need to consider the risks to their data security and data privacy in the wake of the potential impact.

As coronavirus is affecting not only people’s health but also the continued growth of businesses, it is time for them to expand their IT disaster recovery and contingency plans to address unforeseen scenarios. Enterprises need a plan that covers all possible types of attack fabricated around the rapidly emerging outbreak of COVID-19.

Address These Cybersecurity Risks in the Wake of Coronavirus


With threat actors entering the picture, enterprises and their management board should consider the listed security risks that have surfaced after the birth of COVID-19.

1. Phishing frauds thriving on fear

Recently, WHO released a warning alerting individuals to beware of phishing emails appearing to come from “WHO representatives.” These emails ask for sensitive login credentials or encourage individuals to either click on a link or download malicious software. Other renowned publications also came forward, showing similar phishing scams that appeared to originate from ‘authorized professionals.’

Image source: Wired

How to mitigate the risk?

In such a situation, organizations should raise awareness to make their employees follow valid COVID-19 related alerts and subscribe to official institutions only. For instance, The Office of Homeland Security Cybersecurity and Infrastructure Agency (CISA) published its insights on ‘Risk Management for Novel Coronavirus.’ Furthermore, the management team should concentrate on finding a secure way to communicate with their employees.

2. Challenges of working from home

For smooth business operations, companies may decide to permit their employees to work from home. In that case, employees may use a VPN to access the company’s network remotely. Evidently, in today’s world, dependency on VPN not only exposes sensitive data to security risks but, combined with the adoption of cloud services, multiplies the existing cyber risks exponentially.

How to mitigate the risk?

The increased network traffic on VPN exposes the larger community to security risks. The solution to this problem may start with patching installed software regularly. But the inability of IT representatives to be available at the various remote sites adds to the primary challenge. Companies should put in place a disaster recovery plan that can deal with the issues of a remote workforce. The plan must contain timely solutions to address all the associated problems.

3. Accessing sensitive data on public Wi-Fi

Do not presume that employees will use corporate assets on a safe wireless network. A few may expose corporate accounts to insecure public Wi-Fi networks. Cybercriminals can attack these networks to gain unauthorized access to sensitive data. For instance, when an unencrypted form of information is transmitted through an unprotected network, a threat actor can intercept it to steal the data.

How to mitigate the risk?

The best solution to prevent the theft of information is not to disclose sensitive data on unknown public networks. Apart from that, use TLS (Transport Layer Security, the successor to SSL) connections to set up a layer of encryption for all your communications. Employees can do this by enabling the “Always Use HTTPS” option, which will protect their login credentials even on public Wi-Fi.
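“Always use HTTPS” only protects credentials if the service on the other end actually enforces encrypted transport. The following is an added example, not code from the original article, that a defender can run against the status and headers of a captured response to check the three things that matter on a hostile network: whether plain HTTP redirects to https://, whether HSTS is set with a meaningful max-age, and whether session cookies carry the Secure flag. The sample responses and the 180-day HSTS threshold are constructed assumptions.

```python
"""Check whether a web service actually enforces encrypted transport.

Added example (not from the original article): given the scheme, status
and headers of an HTTP response, report the transport-security weaknesses
a practitioner would look for before trusting the service from an
untrusted network. The sample responses below are constructed.
"""
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 15552000  # 180 days; a commonly used minimum (assumption)


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_transport_security(scheme, status, headers):
    """Return a list of findings (empty list means no weakness found).

    scheme  - 'http' or 'https', the scheme the request was made with
    status  - integer HTTP status code
    headers - list of (name, value) pairs; names may repeat (Set-Cookie)
    """
    findings = []
    lower = [(n.lower(), v) for n, v in headers]

    if scheme == "http":
        # Over plain HTTP the only acceptable answer is a redirect to https://
        location = next((v for n, v in lower if n == "location"), None)
        if status not in (301, 302, 307, 308) or location is None:
            findings.append("plain HTTP is served without redirecting to HTTPS")
        elif urlparse(location).scheme != "https":
            findings.append("HTTP redirect does not lead to an https:// URL")
        return findings  # browsers ignore HSTS sent over HTTP, so stop here

    hsts = next((v for n, v in lower if n == "strict-transport-security"), None)
    if hsts is None:
        findings.append("no Strict-Transport-Security header; a later visit may start over HTTP")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains; subdomains may still be reached over HTTP")

    for n, v in lower:
        if n == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in v.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {name!r} lacks Secure; it would be sent over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"cookie {name!r} lacks HttpOnly")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = ("https", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
])
HARDENED = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])
PLAIN = ("http", 200, [("Content-Type", "text/html")])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED), ("plain", PLAIN)):
        print(label, evaluate_transport_security(*resp) or ["ok"])
```

The checks are deliberately header-only so they can be run offline on a saved response; in practice the same logic would be fed from a scripted request to each internal service employees reach over public networks.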

4. Easy Communication for Outsourced Services

Dependency on third-party service providers can also affect the business after COVID-19’s ill effects on the outsourced parties, especially if the enterprise relies on these providers for critical services, including specific IT operations, website management, or many others. The viral outbreak can lead to disruption, creating loopholes in the existing system.

How to mitigate the risk?

To deal with the issue, the company must include a component addressing supply chain management in its plan. This should help the IT team identify and connect with alternative service providers quickly.

Under critical circumstances, organizations should review their existing business continuity and disaster recovery plans to address the challenges born out of a pandemic. The program should be able to adapt in the face of additional changes.

The steps of a specialized disaster recovery plan should cover pandemic events such as COVID-19, and must include the following –
  • A proactive program that ensures the firm’s business operations will run uninterrupted during a pandemic event, working on smooth communications and coordination with third-party service providers.
  • A documented plan that identifies and follows the company’s processes and controls.
  • A framework that covers all the business locations of the enterprise and checks whether they are capable of continuing regular business operations.

Source: eccouncil.org

Tuesday, 17 March 2020

5-Step process to power your Cyber Defense with Cyber Threat Intelligence

EC-Council Study Materials, EC-Council Guides, EC-Council Certification, EC-Council Exam Prep

With more connected systems and devices performing more individual tasks today, it’s imperative to keep them up and running and protected. This requires not just traditional security but cyber threat intelligence. Cyber intelligence has been around for quite a few years, with it being called many different things. To get good cyber threat intelligence, a cyber threat intelligence analyst must know what they are trying to gather intelligence on. In other words, if you’re trying to gather cyber threat intelligence on a credit card company, you need to have a good understanding of the financial industry. With the average cost of a data breach in 2020 exceeding $150 million and possibly getting a tarnished public image, companies will look to build up their cyber threat intelligence division.

Cyber threat intelligence helps solve everyday issues with security policy, strategy, even down to the defense layer. This is done by answering the following questions:

◉ Who are our adversaries?

◉ What are the adversaries using?

◉ Where are the adversaries targeting?

◉ When are the adversaries going to attack?

◉ Why are the adversaries attacking?

◉ How does the adversary operate?

Once a report has been created from the above questions, the organization can make changes to its policy to help mitigate and prioritize certain threats and modify any controls to align with the new security strategy. A cyber threat analysis that goes into more depth than just adding anti-virus software or a shiny new firewall adds a great deal of value to the company and its employees and customers.

Cyber Threat Intelligence Life Cycle

1. Planning and Direction

This is where the 5 Ws and How from above come into play. An organization might even want to see if other companies in the same industry are experiencing the same attacks.

2. Collection and Processing

This step builds on the first step. Since the information that needs to be collected will play a role in how an organization builds its cybersecurity structure, the information needs to come from reliable and trustworthy sources. A very good start would be from data within the organization, like network logs and scans. Another good source is from reputable security research companies.

3. Analysis

During this step, the threat intelligence analyst tries to find any holes where an attacker can get in or has already gotten inside. If an attacker has already breached the network, a SOC analyst will get called in to investigate. With this information, the organization can choose to share it with the cyber community, so other organizations don’t fall victim to this attack.

4. Production

Here is where the threat intelligence analyst creates a formal report which may include recommendations for the organization to make, whether it be in policy or at the defense layer, to help mitigate the risk of an attack.

5. Dissemination and Feedback

This is where the cyber intelligence analyst communicates their report and recommendations to senior leadership.

What does a Cyber Threat Intelligence Analyst Do?

Source: eccouncil.org

Saturday, 14 March 2020

Cybersecurity Trends in 2020 & the Threats Facing the Industry

Cybersecurity Trends, EC-Council Study Materials, EC-Council Exam Prep, EC-Council Certification

2019 saw cybersecurity become a massive issue, both for the technology industry and the general public. Between ransomware attacks, credit card fraud, and a tsunami wave of new app releases (some of them with little to no security measures in place), cybersecurity has never been more important for organizations. This is set to continue in 2020 and well into the future.

In 2020, cyberattacks will be on the increase, and not just from the isolated hackers we have usually characterized in our minds, but by Nation-State actors who run these attacks to exfiltrate data from governments and corporations. While organizations are now more aware than ever before as to the importance of cybersecurity, many (if not most) are struggling to define and implement the required appropriate security measures.

From data breaches to IT security staff shortages, to cloud technology and the future of AI and 5G, let’s take a look at the trends and threats that are bound to shape the cybersecurity industry in 2020.

2020 cybersecurity trends

1. 5G implementation

With the bandwidth that 5G technology enables, data volumes and the number of connected devices and sensors are set to explode. Electronic health applications will collect data about a user’s wellbeing, new car technology will monitor a user’s movements, and smart applications will collect information about how users live and work. With so much personal data being collected from us, 5G technology will mean that high levels of security against breaches and data theft will be required.

2. The continued rise of AI

Advances in artificial intelligence (AI) are bringing machine learning technologies into products across all market segments – including cybersecurity. Deep learning algorithms are being used for face detection, natural language processing, threat detection, and many more concepts.

Most cybersecurity solutions are built on detection engines based on human logic; however, keeping them up to date with the latest threats, technologies and devices can be close to impossible to do manually. Artificial intelligence (AI) accelerates the identification of new threats and the response to them, and can help to block cyberattacks before they spread throughout organizations.

However, as the future of AI progresses, it’s also being weaponized by cybercriminals to develop increasingly sophisticated malware attack methods. This means organizations are having to deploy advanced heuristic solutions, rather than relying on already-known vulnerabilities and attack signatures.

3. Cybersecurity skills gaps

Into 2020, the demand for cybersecurity professionals will continue to exceed supply, as security teams have to deal with more online threats than ever before. According to a DDLS survey, more than two-thirds of respondents said that ensuring their skills and the skills of their team were up to date was the biggest challenge, suggesting not enough is being invested to improve in-house cybersecurity expertise.

4. A continually growing awareness of the importance of cybersecurity

With so many organizations undergoing huge digital transformations, awareness of the ongoing looming presence of cyberattacks continues to grow – not only for large organizations but also for small businesses. It’s starting to dawn on companies that having a highly effective cybersecurity strategy and cyber incident response plan is not just a luxury for the well-informed; it’s absolutely necessary. Security is developing a permanent place in the software development lifecycle, with SecDevOps (the process of integrating secure development best practices and methodologies into development and deployment processes) now being integrated at all stages of development.

Threats facing the cybersecurity industry in 2020

1. Ransomware and malware

The major form of attack in 2020 will be ransomware. According to Mobliciti, the first half of 2019 saw a 50% increase in attacks by mobile banking malware compared to 2018, and this trend is likely to continue to skyrocket in 2020.

The most nefarious ransomware attacks are against hospitals, whose patients can suffer when their medical data is made unavailable by the attack. Security personnel will need to take a hard look at what a ransomware attack on their business would entail and take appropriate precautions to minimize the effect that such an attack would have.

Ransomware is most often distributed in the form of a phishing email, in which the user is enticed to click a link within an email that will give the user some benefit. This is a form of social engineering, but with disastrous consequences when the ransomware encrypts files on the target system or network, requiring either payment to get the files back (never recommended) or restoring the files from a recent off-line backup.

2019 saw ransomware exploits getting highly targeted against specific businesses, as well as government and healthcare organizations. Attackers are spending time intelligence-gathering on their victims to ensure they can inflict maximum disruption, and ransoms are scaled up accordingly.

2. Cloud computing

The dangers of cloud computing are also set to increase in 2020. According to Forbes, 83% of organizational workload will be shifted to the cloud in 2020. Cloud providers are usually on hand to protect cloud data, but it is ultimately still the user’s responsibility to keep their cloud data secure. Thorough knowledge of cloud security will be required for organizations to protect their resources better. The level of understanding about cloud security remains low, and security is often an afterthought when it comes to cloud deployments. Cybersecurity solutions need to involve new, flexible, and scalable cloud-based architectures.

3. Mobile apps

Mobile phones will be a big target in 2020, with a multitude of apps now being ‘must-installs’ for a large percentage of the population. These apps are often downloaded with no concern for security at all. One such app is the Chinese-developed TikTok – an app that allows the user to create short videos and is immensely popular with young people. TikTok has been found to have many vulnerabilities, some of which have been closed. Regardless, TikTok is, in the United States of America, being considered as a threat to national security, particularly so with the likelihood of the Chinese government’s access to the application’s data and user profiles.

How can we improve cybersecurity?

The first defense against cyberattacks remains education. Educating all users in every business is a requirement for security not only in the workplace but also at home and when a user is traveling. Posting our whereabouts for all the world to see on social media might seem like harmless fun, but it can be downright dangerous, particularly so for the most vulnerable, children. Courses such as Resilia Frontline can help here.

Training again is very important for IT administrators, security personnel, and management when it comes to defending an organization’s security network. Having staff trained in security is another giant step towards maintaining security in any organization.

Once the staff is trained, they need to be vigilant, and this should include everyone, from the CEO through to the office and floor workers, who should be concerned about security in everything they do and see. In 2020, security should be on the same wavelength as Workplace Health and Safety, and be everyone’s responsibility.

Source: eccouncil.org

Thursday, 12 March 2020

5 Steps to building an Incident Response Plan for a Large Organization

EC-Council Study Materials, EC-Council Guides, EC-Council Learning, EC-Council Exam Prep

Large organizations continually face questions like, “Will the data collected be safe?”, “What happens if a breach occurs?”, “What information did they gain access to?”, “Do we have the right skills/plan to protect the organization from being infiltrated?” It is because of these questions that large organizations must have an incident response plan.

Creating an Incident Response Plan for Large Organizations

A strong incident response plan ensures that the organization can handle the attack with efficiency and minimal damage. However, building the plan is not as easy as it seems. Not to worry, we’ve broken it down into five steps that you can follow to draft an incident response plan for a large organization:

Step 1: Prepare

When working with large organizations, start by analyzing the organization’s environment and determining the essential services, components, and applications critical to maintaining operations in the event of a breach. Identify what data must be protected, understand where and how it is stored, and decide whether any changes must be made.

Step 2: Build an incident response team

Have a group of skilled professionals on board who are trained and certified to deal with an incident should it arise. The incident response manager will be in charge of ensuring coordination and communication with all different members of the team.

Step 3: Establish a disaster recovery strategy

To ensure business continuity, it is essential that disaster recovery is a part of the incident response plan. This is done to reduce dwell time, thereby reducing potential damage – financial and reputational.

Step 4: Test the plan

Much like how a fire drill is implemented, it is important to test the plan to ensure that you have covered all areas. It is also essential that the cyber forensic team is included in the process to help the incident response team identify areas that need focus.

Step 5: Plan for debriefing

For the last step, consider all the areas that must be improved. Create a report that covers all that was done, including recommendations. Conducting a gap analysis will help you uncover which areas need more focus.

Become an incident handler and help reduce dwell time

EC-Council’s Certified Incident Handler (ECIH) program is designed in collaboration with cybersecurity and incident handling and response practitioners across the globe. ECIH is a comprehensive specialist-level incident response program that imparts the skills and knowledge organizations need when handling an incident to reduce its impact from both a financial and a reputational perspective.

Sunday, 8 March 2020

5 Reasons Why Your Threat Intelligence Strategy Will Fail and How You Can Salvage It

EC-Council Study Materials, EC-Council Guides, EC-Council Exam Prep

A well-established cybersecurity team is equipped with the latest tools, valuable experience of infosec professionals, a dedicated budget, and plenty of data from threat intelligence sources. Is this not enough for a team to give excellent performance and stay untouched by emerging threats? Perhaps not if you are doing it wrong.

In a study performed by PwC (Price Waterhouse Coopers), of 10,000 global CSOs and CIOs, only 51% monitor and analyze threat intelligence for detecting incidents and risks.

Why Threat Intelligence Can Fail

1. Misunderstanding business value

It is important to understand what type of threat intelligence is required for your business. Threat intelligence data is identified based on business problems. An analyst collects the data because a particular threat feed serves as a problem-solving tool, not because the data is interesting and the chart looks cool. If the intelligence is not connected to the business problems, the purpose of having a threat intelligence team will not be met.

How to fix it:

Always analyze the data from the threat intelligence perspective and its ability to protect your business. Understand whether it can help in finding direct threats to your organization and can correlate internal data with external sources. The correlation should be able to create more effective security policies and prioritize vulnerabilities to reduce business risks.

2. The wrong feed

There are many threat intelligence feeds available, and if the feed that you own is not relevant to your business, it is of no value. When your business is operating in a challenging environment, your business requirements are different from those of other companies working from a safer place. For example, if your business is healthcare and you are based in an environmentally challenging region, then your business is exposed to threats that are different from those of other healthcare providers operating in developed towns and cities.

Consider the source of data, whether it is raw or processed, drawn from public or private sources. Find out what your requirement is and ensure that you minimize redundancy. The same threat on different feeds doesn’t make it important.

Getting overwhelmed with information is just as bad as having too little. Focus on the information relevant to your business.

How to fix it:

Simply having feeds is not enough for a successful threat intelligence program. There should be context present in the threats that allows you to make security decisions quickly without drowning in data. Understand that not every threat addresses a risk directly, but ensure that the threat intelligence is relevant to your business.

3. Wrong focus on the feeds

Do you focus on the feeds or on the entire data as a whole? The entire collection of data includes internal data on threats, attacks, etc., feed data, and data related to event monitoring, traffic, rules, etc. Do you have enough metadata, or are you missing valuable data about a real threat? Are you able to establish the connection? Getting intelligence regularly is understandably a critical task. But it is not possible to analyze the data on a weekly basis, and expecting to automate the whole process serves no purpose.

How to fix it:

To fix the wrong focus of threat intelligence, move from collection to analysis. Analyzing the entire data set is time-consuming, but the burden can be reduced by using technologies that enable your team to concentrate on data analysis rather than on data collection. Ultimately, threat intelligence is useful if it can prioritize threats based on the severity of the risks and enable you to focus on them.

4. Drowning the data

In the Automation and Orchestration research study conducted by ESG, it was found that despite investing heavily in information security solutions, nearly 74% of those surveyed reported that security events/alerts are simply ignored because their teams can’t keep up with the suffocating volume. The causes include feeds intended for the wrong industries or inappropriately sized security teams. Hence, it is important to figure out what the requirement is, whether raw data on threats or actionable intelligence that can help in fine-tuning firewall rules.

How to fix it:

Understand that the feeds are data and not real intelligence. If the feeds are causing fatigue, efforts should be made to tie the feeds to the business needs so that security decisions can be made faster. If the data from the feed is not used, then it is not needed.

5. Inability to operationalize the data

In a survey of IT leaders conducted by the Ponemon Institute, it was observed that 65% believe that threat intelligence could have prevented an attack on their organization. However, 66% are not satisfied with their current approaches to threat intelligence and felt that the information is not timely. 46% reported that the information is not well categorized by threat and needs to be improved.

Threat intelligence does not trigger a response to a breach but can help in developing tactical actions, provided the team knows how to drive the required action. For effective threat intelligence, tools and feeds alone are not enough; it should be aligned with the business requirements.

How to fix it:

Threat intelligence plays an important role for numerous teams working to prevent, detect, respond to and predict the latest known and unknown threats. It requires continuous monitoring, analysis and strategy to process the valuable feed throughout each phase.

Source: eccouncil.org

Saturday, 7 March 2020

Threat Data Vs. Threat Intelligence

Threat Data, Threat Intelligence, EC-Council Study Materials, EC-Council Guides, EC-Council Tutorial and Material

A comprehensive security program focuses on individual goals along with an understanding of the processes that turn data into useful intelligence. ‘Threat intelligence’ has become a special buzzword in today’s cybersecurity landscape. However, not many people know what it truly means. The term ‘threat intelligence’ is often confused with ‘threat data’, but they are not the same. In fact, threat data is just a tiny part of the entire threat intelligence process.

What is Threat Data?

Threat data is an amalgamation of malicious domains and IP addresses. It is vague data that provides no context about the cyber threats behind it. It is available in huge quantities, as unarguable facts.

What is Threat Intelligence?

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to make informed decisions regarding the subject’s response to that menace or hazard.” – Gartner

The primary purpose of threat intelligence is two-fold. Firstly, to help organizations understand their threat landscape, and, secondly, to assess the risks that they are potentially exposed to, internal or external.

Threat data becomes threat intelligence when it can produce actionable and relevant information. Threat data, when enriched with threat context, allows organizations to align security strategies with security goals.

Using threat data and threat intelligence

Threat data has no value when it is not used by security teams as a reference prior to making an informed decision. The benefits of threat data are limited. It cannot be used to create tangible threat intelligence in the absence of a defined end goal. Regardless of how much threat data is generated, it will have no value if it is not integrated with the security program.


Threat data forms a core part of threat intelligence, although not all sources are created equal. The most common sources of threat data are –

◉ Malware processing
◉ Honeypots
◉ Scanning/crawling
◉ Human intelligence
◉ Internal telemetry

Threat intelligence can come from open-source feeds or paid subscriptions. Organizations should retain their threat data so that results can be evaluated against internal intelligence. Only selected threat data should be passed on in real time, since old or incomplete data can mislead the security team and result in data overload and alert fatigue.

When it comes to cloud computing, incomplete or old data can distract the team from the security process, because IP addresses are released and re-used many times a day. For a threat intelligence program to succeed, threat data must be properly analyzed. The goal is to drive operational changes that secure the environment.

A lack of proper planning and execution reduces the effectiveness of threat intelligence adoption. If a manufacturing company incorporates threat intelligence from the financial sector, it may not serve the purpose of securing the manufacturing company.
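The three points above (indicators must be enriched with context to become intelligence, stale data such as recycled IP addresses misleads the team, and intelligence from an unrelated sector adds little) can be shown in a small pipeline. The following is an added example, not code from the original post or from EC-Council; the feed records, the per-type lifetimes, the sector tags and the scoring weights are all constructed assumptions for illustration:

```python
"""Turn raw threat data into prioritised, context-aware indicators.

Added example, not code from the original post or from EC-Council.
The feed records, the per-type lifetimes, the sector tags and the
scoring weights are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Assumed lifetimes: an IP address is reused many times a day, so it goes
# stale quickly; a domain takes longer to change hands; a file hash does
# not expire at all (None).
MAX_AGE = {
    "ip": timedelta(hours=12),
    "domain": timedelta(days=30),
    "sha256": None,
}

# The organisation consuming the feed (assumption, following the
# manufacturing example in the text).
ORG_SECTOR = "manufacturing"

# Constructed raw feed: indicators with nothing but a source, a sighting
# time and (where the provider supplies it) the sectors it was seen in.
RAW_FEED = [
    {"type": "ip", "value": "203.0.113.45", "source": "honeypot",
     "last_seen": "2020-03-05T09:00:00Z", "sectors": ["manufacturing"]},
    {"type": "ip", "value": "203.0.113.45", "source": "internal_telemetry",
     "last_seen": "2020-03-05T10:30:00Z", "sectors": []},
    {"type": "ip", "value": "203.0.113.45", "source": "honeypot",
     "last_seen": "2020-03-05T09:00:00Z", "sectors": ["manufacturing"]},  # exact duplicate
    {"type": "ip", "value": "198.51.100.7", "source": "scanner",
     "last_seen": "2020-03-01T00:00:00Z", "sectors": []},                 # stale
    {"type": "domain", "value": "update-check.example", "source": "malware_sandbox",
     "last_seen": "2020-03-04T12:00:00Z", "sectors": ["manufacturing", "energy"]},
    {"type": "domain", "value": "bank-login.example", "source": "malware_sandbox",
     "last_seen": "2020-03-05T11:00:00Z", "sectors": ["financial"]},     # irrelevant sector
    {"type": "sha256", "value": "0" * 64, "source": "malware_sandbox",
     "last_seen": "2019-12-01T00:00:00Z", "sectors": []},
]

NOW = datetime(2020, 3, 5, 12, 0, tzinfo=timezone.utc)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_fresh(record, now=NOW):
    """False when the sighting is older than the type's assumed lifetime."""
    max_age = MAX_AGE.get(record["type"])
    return max_age is None or now - parse_ts(record["last_seen"]) <= max_age


def is_relevant(record, sector=ORG_SECTOR):
    """Untagged records are kept; tagged ones must mention our sector."""
    return not record["sectors"] or sector in record["sectors"]


def enrich(feed, now=NOW, sector=ORG_SECTOR):
    """Drop stale and irrelevant records, merge duplicates, and attach
    context: corroborating sources, latest sighting and a priority score."""
    merged = {}
    for rec in feed:
        if not (is_fresh(rec, now) and is_relevant(rec, sector)):
            continue
        key = (rec["type"], rec["value"])
        entry = merged.setdefault(key, {
            "type": rec["type"], "value": rec["value"],
            "sources": set(), "last_seen": parse_ts(rec["last_seen"]),
        })
        entry["sources"].add(rec["source"])
        entry["last_seen"] = max(entry["last_seen"], parse_ts(rec["last_seen"]))

    result = []
    for entry in merged.values():
        age_hours = (now - entry["last_seen"]).total_seconds() / 3600
        # Corroboration by independent sources counts most; an internal
        # sighting means the indicator has already touched our environment;
        # very recent sightings get a freshness bonus.
        score = 10 * len(entry["sources"])
        if "internal_telemetry" in entry["sources"]:
            score += 25
        score += 10 if age_hours < 6 else (5 if age_hours < 24 else 0)
        entry["sources"] = sorted(entry["sources"])
        entry["score"] = score
        result.append(entry)
    # sorted() is stable, so equal scores keep feed order.
    return sorted(result, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in enrich(RAW_FEED):
        print(f'{e["score"]:>3}  {e["type"]:<7} {e["value"]}  sources={e["sources"]}')
```

Running the block drops the four-day-old IP and the financial-sector domain, collapses the duplicated honeypot sighting, and ranks the address that both a honeypot and internal telemetry reported above the single-source domain and hash. The point is that the output, not the raw feed, is what the security team should be handed.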

Source: eccouncil.org

Thursday, 5 March 2020

6 Reasons Why Cyber Threat Intelligence Matters (and how CTIA helps)


In today’s technologically developed and evolved world, individuals and organizations alike are constantly connected to the internet to carry out all manner of personal and financial transactions. The internet has become so handy that criminals take advantage of our constant connectivity to steal our information and, in many cases, our money.

In recent news posted by The Guardian, Amazon, the multinational technology giant, suffered a major data security breach just two days before Black Friday 2018. In the breach, millions of customer names, passwords, emails, and other personal information were illegally accessed. However, Amazon did not disclose how many people were affected by the breach. Instead, it said in a short statement, “We have fixed the issue and informed customers who may have been impacted.” Customers who received the mail were told that the Amazon website had inadvertently disclosed some usernames and emails due to a technical issue. When even the world’s leading technology company suffers from security problems, we know there is a problem with the way the world approaches security.

Hacks and breaches of this type will continue if organizations do not understand the need for a cyber threat intelligence team and how threat intelligence must be part of an overall cybersecurity strategy to keep such incidents at bay.

What is Cyber Threat Intelligence?

Threat Intelligence, or Cyber Threat Intelligence (CTI), is the part of cybersecurity that focuses on the collection and analysis of information on both potential and current cyber-attacks that threaten the security of an organization or its assets. Cyber threat intelligence is a proactive security measure that prevents data or security breaches and saves the financial cost of cleaning up after a breach.

CTI’s main objective is to give companies an in-depth understanding of the cyber-threats that pose the greatest risks to their infrastructure and of how to protect their business in the long run. All information provided by CTI teams needs to be actionable in order to properly support the organization.

Why Is Cyber Threat Intelligence Important?

Cyber threat intelligence gathers raw information about new and existing threat actors from many different sources. CTI teams then analyze the collected data to produce threat intelligence management and feed reports containing only the most important information, which automated security controls and management can use to make security decisions for the company. The fundamental purpose of this kind of security is to keep companies informed of the advanced threats, exploits and zero-day threats to which they are most vulnerable, and of how to take action against them.

Six Reasons Why CTI Matters

Here are six reasons why cyber threat intelligence really matters:

1. Lowering Costs – Cyber threat intelligence can lower your overall expenses and save your business capital, because improved defenses mitigate an organization’s risk. In the aftermath of a data breach, the enterprise not only suffers data loss but also has to bear many costs, such as post-incident remediation and restoration, fines, lawsuit fees, investigation expenses, damage to its reputation and market position, and more. The 2017 Equifax data breach cost the company over $600 million, including government investigations and lawsuits.

2. Lowering Risks – Cybercriminals with the intention or ability to harm individuals and organizations are continuously exploring new ways to penetrate organizational networks. Cyber threat intelligence provides proper visibility into such emerging security hazards to reduce the risk of information loss, minimize or block disruption of business operations, and maximize regulatory compliance.

3. Avoiding loss of data – A cyber threat intelligence system acts as a watchdog when suspicious IP addresses or domains try to communicate with your network to collect important information. Here, the cyber threat intelligence system helps prevent or block such addresses from infiltrating the network and stealing sensitive data. These intrusions, if not responded to in time, may turn into a distributed denial of service attack causing extreme damage to a system.

4. Maximizing staffing – A threat intelligence system improves the efficiency of an organization’s security team by correlating threat intelligence with anomalies flagged by tools on the network. A threat intelligence team can integrate threat intelligence into the organization’s foundation, which lowers security response time and allows the company’s staff to focus on other essential tasks.

5. In-depth Threat Analysis – Cyber threat intelligence helps the organization analyze the different techniques a cybercriminal uses. By analyzing such cyber threats, the organization can determine whether its security defense systems can block such an attack.

6. Threat Intelligence Sharing – Sharing crucial cybersecurity information, such as how hackers plan a security breach, might help others prevent such attacks from occurring. The more organizations defeat these attacks, the less hackers execute such devastating attack plans.
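Reasons 3 and 4 above describe the same mechanism from two angles: the intelligence system watches for traffic to known-bad addresses and domains, and its value is multiplied when those matches are correlated with anomalies that other network tools have already flagged. The following is an added example of that correlation step, not code from the original post or from EC-Council; the indicator set, the key=value log lines and the anomaly flags are all constructed for illustration, and the severity scheme is an assumption:

```python
"""Correlate threat intelligence with anomalies flagged by network tools.

Added example, not code from the original post or from EC-Council.
The indicator set, the log lines and the anomaly flags are constructed
for illustration; the severity scheme is an assumption.
"""
import re
from collections import OrderedDict

# Constructed indicator set: what a threat intelligence feed, already
# reduced to actionable entries, hands to the security team.
INDICATORS = {
    "203.0.113.45": {"type": "ip",
                     "context": "C2 address seen in honeypot, corroborated by internal telemetry"},
    "update-check.example": {"type": "domain",
                             "context": "malware sandbox: second-stage download host"},
}

# Constructed anomaly flags from a network-monitoring tool: internal hosts
# whose outbound traffic pattern looked like periodic beaconing.
ANOMALIES = {"10.0.0.12": "periodic outbound connections every 60s"}

# Constructed proxy/firewall log lines in key=value format.
LOG_LINES = """\
2020-03-05T10:30:01Z action=allow src=10.0.0.12 dst=203.0.113.45 dport=443 host=-
2020-03-05T10:31:01Z action=allow src=10.0.0.12 dst=203.0.113.45 dport=443 host=-
2020-03-05T10:31:40Z action=allow src=10.0.0.31 dst=192.0.2.10 dport=443 host=update-check.example
2020-03-05T10:32:05Z action=allow src=10.0.0.77 dst=192.0.2.80 dport=80 host=www.example.org
2020-03-05T10:33:00Z action=deny src=10.0.0.12 dst=198.51.100.9 dport=8443 host=-
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+host=(?P<host>\S+)$"
)

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_line(line):
    """Return the event fields as a dict, or None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_indicator(event, indicators=INDICATORS):
    """Return the matching indicator value if the destination IP or the
    requested host name is known-bad, else None."""
    for candidate in (event["dst"], event["host"]):
        if candidate in indicators:
            return candidate
    return None


def correlate(lines, indicators=INDICATORS, anomalies=ANOMALIES):
    """Build one alert per (source host, indicator-or-destination) pair.

    Severity reflects how much evidence agrees: an intelligence match on a
    host a tool already flagged as anomalous is 'high'; an intelligence
    match alone is 'medium'; an anomaly with no intelligence match is 'low'.
    Repeated hits on the same pair increment a counter instead of creating
    another alert, which keeps the queue short."""
    alerts = OrderedDict()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ioc = match_indicator(ev, indicators)
        anomaly = anomalies.get(ev["src"])
        if ioc is None and anomaly is None:
            continue
        severity = "high" if (ioc and anomaly) else ("medium" if ioc else "low")
        key = (ev["src"], ioc or ev["dst"])
        if key in alerts:
            alerts[key]["hits"] += 1
            alerts[key]["last_seen"] = ev["ts"]
            continue
        alerts[key] = {
            "severity": severity,
            "src": ev["src"],
            "indicator": ioc,
            "dst": ev["dst"],
            "context": indicators[ioc]["context"] if ioc else None,
            "anomaly": anomaly,
            "first_seen": ev["ts"],
            "last_seen": ev["ts"],
            "hits": 1,
        }
    return sorted(alerts.values(), key=lambda a: SEVERITY_RANK[a["severity"]])


if __name__ == "__main__":
    for a in correlate(LOG_LINES):
        print(f'{a["severity"]:<6} {a["src"]} -> {a["indicator"] or a["dst"]} '
              f'hits={a["hits"]} anomaly={a["anomaly"]!r} context={a["context"]!r}')
```

On the constructed input this yields three alerts instead of five raw events: the beaconing host talking to the known C2 address ranks highest, the single sandbox-domain lookup from an otherwise unremarkable host ranks medium, and the denied connection from the anomalous host to an unknown address ranks low. The ordinary web request generates nothing, which is what keeps staff free for the essential work reason 4 refers to.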

Source: eccouncil.org