Saturday, 30 May 2020

Cyber Threat Scores – What you need to know

Cyber Threat Scores, EC-Council Guides, EC-Council Learning, EC-Council Certification, EC-Council Exam Prep

Yesterday’s defenses cannot be compared to today’s threats. The ongoing battle of ever-rising cyberattacks has required that defenders innovate new methods in order to remain ahead of advanced cyber threats. Looking forward, these new threats require actionable threat intelligence coupled with a threat score before they damage the infrastructure.

Threat intelligence provides data to security professionals to help them with prompt decisions on cyber defense strategy.

The first step to creating a threat score is to analyze the effect of cyber threats over business risks to determine the most effective cyber threat intelligence management plan.

◉ What threats are impacting your specific business region?
◉ Are your supply chain partners secure?
◉ To what extent are the supply chain partners granted access to your networks?
◉ What type of malicious activity does your first-line security team observe on the network?
◉ Did your security team record malicious activity on the adjacent networks too?

From Threat Score to Risk Assessment

The cyber threat intelligence process provides threat severity scores, and these scores assess the impact of each threat. Even though threat scores convey insufficient information about each threat’s probability, they can be compared with each other to begin building a clear picture of the threat landscape. Both the probability and the severity of potential threats are needed to assess the risks to the organization. The threat score helps you tune your security to challenge or block attacks based on their severity.

Threat intelligence feeds report potential network threats, including those already within an organization’s firewalls, and their probability of causing harm. However, solely relying on threat feeds to assess threat possibilities is not enough because there is so much to know about threats that can’t be adequately summarized by threat feeds.

6 Factors influencing the risk of cyber threats

The various factors that influence the probability and risk of encountering various threats are as follows –

1. Cyber supply chain

It’s not enough to just secure an organization’s own network assets. According to Symantec, supply chain attacks were up by 78% in 2019, making third parties with access to your organization’s networks a major area of concern. Any access given to partners, consultants, or other contractors should be scrutinized heavily and managed thoughtfully. Criminals can also use your relationships with third parties against you by taking advantage of their potentially weaker security and accessing any of your data held on their networks. Organizations should require supply chain partners to follow security practices as strict as their own before sharing data or network access.

2. Industry

Threats can be industry-specific or impact each industry differently. For example, IoT threats in healthcare are more dangerous than in other industries, point-of-sale malware can cripple retail businesses in ways not seen in other sectors, and threats to the industrial control systems in the infrastructure sector could cause nation-wide outages and mass chaos.

3. Vulnerabilities

Some threats exploit vulnerabilities in specific components of specialized devices, such as application services, firmware, or open ports. Information gathered from regular vulnerability scans enables threats to be prioritized according to the organization’s network inventory. Of course, any actionable information regarding vulnerabilities requires attention.

4. Network connectivity

Threats can spread rapidly within a local network, either through the network’s activity patterns or by design. Once such a rapidly spreading threat activates in one part of the network, the risk of it spreading across network assets increases significantly. Therefore, being aware of threats in and around the network is essential to protecting its assets. It is equally important to assess the risks accurately in the ever-evolving topology of the internet.

Understanding the organization’s network segmentation is important too. The location of malicious activity on the network defines the prioritization of response activity. Similarly, it’s important to verify whether the newly discovered malware instance has access to the server or to any crucial databases.

5. Interaction effects

Threats cannot be treated in isolation. They are largely influenced by other factors like network connectivity, vulnerabilities, and location on the network. Interaction can be the most difficult part of implementing an organization’s cyber risk assessment. At the same time, understanding how threats on different segments of the network can affect the network as a whole is an essential part of any security program.

6. Value

While performing cyber risk assessments, it is important to consider the different values of the assets you are protecting. The value an adversary places on a piece of information could be different from how the organization sees the asset. The internal value assessment, or how the organization sees the asset, influences the impact of a data attack and calls for cybersecurity action. The external value assessment, or how a criminal sees the asset, affects the probability of a targeted cyberattack.

Organizations need automated risk assessment capabilities that perform in tandem with threat severity scores. Information from threat intelligence enables cybersecurity professionals to understand and follow the dynamic threat landscape. However, the integration of contextual data is crucial for cybersecurity management to assess the probability associated with each threat as it pertains to their specific organization.
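The post argues that a feed’s severity score only describes impact and must be combined with organizational context to estimate probability. The following Python is an added example (not code from the original post or from any threat-intelligence product): it scores each threat against each asset using the six factors listed above. All weights, the healthcare scenario, the asset names and the CVE placeholder are constructed assumptions.

```python
"""Contextual threat risk scoring.

Added example (not from the original post): a feed's severity score only
describes impact, so this combines it with the six contextual factors the post
lists (cyber supply chain, industry, vulnerabilities, network connectivity,
interaction effects, asset value) to estimate probability and rank risk.
All weights, threats, assets and the CVE placeholder are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    severity: float                 # feed-supplied severity, 0-10 (impact only)
    industries: FrozenSet[str]      # industries this threat is known to target
    needs_cve: Optional[str]        # vulnerability it depends on, if any
    self_propagating: bool          # spreads laterally once active


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str
    internal_value: float           # how the organization values it, 0-1
    external_value: float           # how an adversary values it, 0-1


@dataclass(frozen=True)
class OrgContext:
    industry: str
    third_party_access: bool                    # supply chain partners on the network
    unpatched_cves: FrozenSet[str]              # from the latest vulnerability scan
    entry_segments: FrozenSet[str]              # where outside traffic lands first
    reachable_from: Dict[str, FrozenSet[str]]   # segment -> segments it can reach


def probability(threat: Threat, asset: Asset, ctx: OrgContext) -> float:
    """Estimate the chance (0-1) that this threat affects this asset here.

    Each contextual factor adds a constructed weight; the weights are
    illustrative and should be tuned per organization."""
    p = 0.05                                         # baseline for any listed threat
    if ctx.industry in threat.industries:            # industry
        p += 0.25
    if threat.needs_cve:                             # vulnerabilities
        p += 0.25 if threat.needs_cve in ctx.unpatched_cves else -0.05
    if ctx.third_party_access:                       # cyber supply chain
        p += 0.10
    exposed = any(asset.segment in ctx.reachable_from.get(entry, frozenset())
                  for entry in ctx.entry_segments)
    if threat.self_propagating and exposed:          # connectivity + interaction
        p += 0.15
    p += 0.20 * asset.external_value                 # value as the adversary sees it
    return max(0.0, min(1.0, p))


def rank_risks(threats: List[Threat], assets: List[Asset],
               ctx: OrgContext) -> List[Tuple[str, str, float]]:
    """Risk = impact * probability; impact scales feed severity by internal value.
    Returns (threat, asset, risk 0-100) sorted highest first."""
    scored = []
    for t in threats:
        for a in assets:
            impact = (t.severity / 10.0) * a.internal_value
            risk = round(impact * probability(t, a, ctx) * 100, 1)
            scored.append((t.name, a.name, risk))
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample data for a hypothetical healthcare organization.
SAMPLE_CONTEXT = OrgContext(
    industry="healthcare",
    third_party_access=True,
    unpatched_cves=frozenset({"CVE-EXAMPLE-0001"}),   # placeholder identifier
    entry_segments=frozenset({"dmz"}),
    reachable_from={"dmz": frozenset({"dmz", "clinical"}),
                    "clinical": frozenset({"clinical"}),
                    "corp": frozenset({"corp"})},
)
SAMPLE_THREATS = [
    Threat("iot-botnet", 6.0, frozenset({"healthcare"}), "CVE-EXAMPLE-0001", True),
    Threat("pos-malware", 8.0, frozenset({"retail"}), None, False),
]
SAMPLE_ASSETS = [
    Asset("patient-db", "clinical", 1.0, 0.9),
    Asset("lobby-kiosk", "dmz", 0.2, 0.1),
    Asset("hr-fileshare", "corp", 0.6, 0.5),
]

if __name__ == "__main__":
    for threat, asset, risk in rank_risks(SAMPLE_THREATS, SAMPLE_ASSETS, SAMPLE_CONTEXT):
        print(f"{risk:5.1f}  {threat:12s} -> {asset}")
```

With the constructed data, the point-of-sale malware carries the higher feed severity (8.0) yet ranks below the IoT botnet (6.0) for every asset, because the botnet matches the industry, depends on a vulnerability the scan still reports, and can reach the patient database from the DMZ. That is the contextual probability the severity score alone cannot express.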


Thursday, 28 May 2020

EC-Council Announces the Launch of Online Masterclass Training in Europe

EC-Council Announces, EC-Council Certification, EC-Council Guides, EC-Council Exam Prep, EC-Council Learning

Europe, May 2020: EC-Council’s mission of bringing cybersecurity mastery through global experts and local delivery has not been compromised, even during the adverse situation created by COVID-19. The cybersecurity masterclass training is now delivered in Europe via live online classes to benefit professionals from different sectors. The first online live training was delivered by EC-Council’s master trainer, George Dobrea, on May 18, 2020. With cybercrime on the rise, EC-Council’s Online Masterclass Ethical Hacking Program (MCEHP) equips professionals to defend their IT infrastructure.

There is no doubt that the trend of online learning has outpaced traditional learning, all thanks to COVID-19! Institutes and universities have shifted their presence online to ensure uninterrupted education for their students while continuing to follow social distancing practices. Technavio has predicted that the e-learning market in Europe will post a CAGR of close to 15% by 2023.

Jay Bavisi, CEO and President of EC-Council Group, envisions Masterclass training as a ready bucket of EC-Council’s cybersecurity courses. “The Masterclass from EC-Council is a hub for all in-demand cybersecurity certification courses. The online conduct of the EC-Council’s Masterclass Ethical Hacking Program will help bridge the existing skill gap in Europe,” says Jay. “We now pursue a greater objective of conducting such online masterclass cybersecurity skill training across the world.”

Interestingly, the live online session in Europe witnessed participation from the sectors which are most vulnerable to cyberattacks. The certified course will enable them to establish security standards in their respective sectors to protect themselves from facing such cyberattacks.

About the Trainer: George Dobrea

George Dobrea has been a Microsoft Certified Trainer (MCT) since 1998 and is Microsoft’s MCT Regional Lead for Romania. He was also awarded the Microsoft MVP (Most Valuable Professional) Award for Enterprise Security from 2005 to 2018. George has an outstanding legacy as an EC-Council Instructor (CEI) since 2011 and was awarded EC-Council’s ‘Instructor of the Year’ Global Award in 2016, 2017, and 2018. He has delivered training in 22 countries across four continents and is a frequent speaker at cybersecurity conferences in Europe and the U.S. He also dedicates a significant amount of his free time to volunteer instructional activities for the emergency response teams of humanitarian agencies – NetHope, CRS, Oxfam, and SaveChildren.

About EC-Council:

EC-Council’s sole purpose is to build and refine the cybersecurity profession globally. We help individuals, organizations, educators, and governments address global workforce problems through the development and curation of world-class cybersecurity education programs and their corresponding certifications and provide cybersecurity services to some of the largest businesses globally.

Trusted by 7 of the Fortune 10, 47 of the Fortune 100, the Department of Defense, Intelligence Community, NATO, and over 2000 of the best Universities, Colleges, and Training Companies, our programs have proliferated through over 140 Countries and have set the bar in cybersecurity education.

Best known for the Certified Ethical Hacker program, we are dedicated to equipping over 230,000 information age soldiers with the knowledge, skills, and abilities required to fight and win against the black hat adversaries. EC-Council builds individual and team/organization cyber capabilities through the Certified Ethical Hacker Program, followed by a variety of other cyber programs including Certified Secure Computer User, Computer Hacking Forensic Investigator, Certified Security Analyst, Certified Network Defender, Certified SOC Analyst, Certified Threat Intelligence Analyst, Certified Incident Handler, as well as the Certified Chief Information Security Officer.

We are an ANSI 17024 accredited organization and have earned recognition by the DoD under Directive 8140/8570, in the U.K. by the GCHQ, and a variety of other authoritative bodies that influence the entire profession. Founded in 2001, EC-Council employs over 400 people worldwide with 10 global offices in the USA, U.K., Malaysia, Singapore, India, and Indonesia. Its U.S. offices are in Albuquerque, NM, and Tampa, FL.


Tuesday, 26 May 2020

What does a Digital Forensics Analyst do? Is this job for you?

EC-Council Exam Prep, EC-Council Guides, EC-Council Tutorial and Material, EC-Council Cybersecurity

Getting a job in any area of the cybersecurity field can be extremely challenging, as many employers seek experience with a wide range of tools. Computer forensics is not much different: there is no single toolset a digital forensics analyst must have, but they do need a digital forensics certification, experience, and training.

Computer forensics jobs exist in all levels of government and the private sector. It does not matter how big or small a company is, if a security incident compromises PII or PHI, computer forensics plays a major role in the investigation. The forensic data analyst might be charged with analyzing either a single computer or hard drive or an entire network, depending on the severity of the incident. Digital Forensics Analysts may end up working odd hours just like a regular detective that solves a homicide. Computer forensics investigators may be called to a crime scene to perform an immediate investigation based on the severity and urgency of the case.

Industries hiring Digital Forensics Professionals


5 Common tasks of a Digital Forensics Analyst

One of the most important things a Digital Forensics Analyst must follow is the chain of custody. When a proper chain of custody is followed, any evidence found can be used in a court of law to help the case. To put it another way, it shows that the evidence presented in court is the same evidence seized at the crime scene, that it was at all times in the custody of a person designated to handle it, and that it was always accounted for. This helps rule out any tampering with evidence.
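A chain of custody is a record that can be checked mechanically: the item’s hash at acquisition, and every handoff logged against that hash. The Python below is an added example (not from the original post or any forensics suite) of such a ledger; it refuses a transfer when the sender is not the current holder or when the item no longer matches its acquisition hash. The evidence bytes, handler names and timestamps are constructed.

```python
"""Chain-of-custody ledger with integrity verification.

Added example (not from the original post): every handoff of an evidence item
is recorded with who, when and the item's SHA-256, and the hash is re-checked
before each transfer so any tampering or custody gap is caught and logged.
The evidence bytes, names and timestamps are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    when: str       # ISO-8601 timestamp as written by the handler
    handler: str    # person taking (or, on failure, holding) the item
    action: str
    sha256: str     # hash observed at this step


class EvidenceRecord:
    """One seized item and its unbroken line of handlers."""

    def __init__(self, item_id: str, description: str, data: bytes,
                 seized_by: str, when: str):
        self.item_id = item_id
        self.description = description
        self.reference_hash = sha256_hex(data)      # acquisition hash
        self.holder = seized_by
        self.entries: List[CustodyEntry] = [
            CustodyEntry(when, seized_by, "seized", self.reference_hash)]

    def transfer(self, data: bytes, from_handler: str, to_handler: str, when: str) -> None:
        """Hand the item over, refusing if the sender is not the current holder
        (a custody gap) or if the item no longer matches its acquisition hash."""
        if from_handler != self.holder:
            raise ValueError(f"custody gap: {from_handler} is not the holder ({self.holder})")
        observed = sha256_hex(data)
        if observed != self.reference_hash:
            self.entries.append(CustodyEntry(when, from_handler, "INTEGRITY FAILURE", observed))
            raise ValueError(f"{self.item_id}: hash mismatch, evidence altered")
        self.entries.append(CustodyEntry(when, to_handler, f"received from {from_handler}", observed))
        self.holder = to_handler

    def is_continuous(self) -> bool:
        """True when every logged step carries the acquisition hash and no
        integrity failure was recorded."""
        return all(e.sha256 == self.reference_hash and e.action != "INTEGRITY FAILURE"
                   for e in self.entries)


# Constructed demo: a small "disk image" passes from the scene to the lab.
EVIDENCE_IMAGE = b"constructed sample evidence image bytes"


def demo_chain() -> EvidenceRecord:
    rec = EvidenceRecord("ITEM-001", "laptop disk image", EVIDENCE_IMAGE,
                         seized_by="officer-a", when="2020-05-26T09:00:00Z")
    rec.transfer(EVIDENCE_IMAGE, "officer-a", "analyst-b", "2020-05-26T11:30:00Z")
    return rec


if __name__ == "__main__":
    record = demo_chain()
    for entry in record.entries:
        print(entry.when, entry.handler, entry.action, entry.sha256[:12])
    print("continuous:", record.is_continuous())
```

The failed transfer is deliberately kept in the ledger rather than discarded: a court needs to see that a mismatch was detected and when, not only the steps that went well.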

Here are 5 other common tasks that a Digital Forensics Analyst might perform:

◉ Advising on the availability and reliability of digital evidence

◉ Working with investigators to acquire digital evidence through onsite and virtual searches

◉ Conducting examinations of digital evidence and preparing evidence for trial

◉ Conducting interviews and taking statements concerning computer evidence

◉ Supervisors will also train other investigators and stay up to date on current events in the industry

8 Skills needed for computer forensics

As mentioned before, a certified forensic examiner requires an array of skills to excel in this career field. Here are 8 common skills needed to be a Digital Forensics Analyst:

◉ Knowledge of Various Technology
     ◉ Digital Storage Devices
     ◉ Computer Operating Systems
     ◉ Computer Programming
     ◉ Malware Types
◉ Ethical Issues regarding Data
◉ Legal Issues regarding Data
◉ Ability to learn new things
◉ Analytical Thinking
◉ Critical Thinking
◉ Communication Skills
◉ Problem-solving Skills

The average salary of a Digital Forensics Analyst

According to the Bureau of Labor Statistics, the 2018 median pay for a Digital Forensics Analyst was $98,350 per year or $47.28 per hour. This can depend on whether the forensic investigator is salaried with a company or if they solely do contract work.

The lowest 10% earned less than $56,750, while the highest 10% earned more than $156,580. The experience needed can be less than 5 years, but it depends on what the employer needs. If they don’t require a lot of experience, they may want to bring in someone fairly new and train them on their equipment using their procedures. A lot of government clients pursue this method. Employers like to see candidates with at least a Bachelor’s and may substitute experience with the level of required degree.


Thursday, 21 May 2020

Deadly DDoS Attacks Are On The Rise – Are You Prepared?

EC-Council Study Materials, EC-Council Guides, EC-Council Certification, EC-Council Learning

On September 20, 2016, security blogger Brian Krebs, was hit with “an extremely large and unusually distributed denial-of-service (DDoS) attack designed to knock the site offline”. According to Krebs, “The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges”. Akamai has said, “It was nearly double the size of the largest attack we had seen previously and was among the biggest assaults the Internet has ever witnessed.”

However, on September 22, 2016, Akamai dropped Mr. Krebs’ blog from protection due to the cost of defending against a second sustained distributed denial-of-service attack. It’s thought that the source of the attack was tens of thousands of compromised digital video recorders that either had default passwords or vulnerable web-serving code.

Types of Denial of Service and Distributed Denial of Service attacks

A Denial of Service (DoS) attack overwhelms a computer network gateway either by sending too many connection requests or by the sheer volume of packets, which can exhaust the system’s resources. These are known by their technical terms as Volumetric, Network, or Application attacks. When many computers combine their computing power, the attack is called a Distributed Denial of Service, a.k.a. DDoS. Most DoS attacks come from multiple sources using multilayer attacks and as such are true DDoS attacks.

1. Volumetric Attack

A Volumetric Attack floods the gateway of a targeted network with more packets than its bandwidth can handle. By flooding the target and slowing or stopping its services, the attackers achieve their goals. Request packet volume can be in the hundreds of Gbps, and recent attacks have scaled to 1.7 Tbps.

Usually this type of attack comes from botnets of compromised computers that can amplify the attack with all bots transmitting in a single direction. When a single computer is “bot compromised” it may work normally for an owner but it has a Manchurian Candidate-like switch that, when turned on, joins an army of “bot compromised” computers with the single aim of smothering the target with massive requests. Imagine trying to receive a phone call when thousands of callers were all trying to call your number at the same time. No one would get through.

2. Network Based Attacks

Network Based Attacks are similar but are aimed more specifically at the Transmission Control Protocol (TCP), which opens each conversation with a handshake between the two parties. The attacker makes the initial request, called a synchronize or “syn” request; the victim replies “hello” and then waits for the attacker’s acknowledgement, or “ack” packet, but never receives it – and therefore waits with the connection left open. When this happens thousands of times, the system eventually runs out of connection resources, memory is depleted, and the system may even crash.
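From the defender’s side, the half-open connections described above are visible in the server’s socket table as entries stuck in SYN_RECV. The Python below is an added example (not from the original post) that parses a netstat-style listing, counts half-open connections per source and per listener, and raises an alert both for a single chatty source and for an overall backlog. The socket listing is constructed using the documentation address ranges, and the thresholds are illustrative assumptions.

```python
"""Half-open (SYN_RECV) connection monitor.

Added example (not from the original post): parses a netstat-style listing of
TCP sockets, counts connections stuck in SYN_RECV, and flags both a single
chatty source and an overall backlog that looks like a SYN flood. The table
below is constructed using the documentation address ranges; the thresholds
are illustrative.
"""
from collections import Counter
from typing import Dict, Iterator, Tuple


def parse_sockets(table: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (state, local_endpoint, remote_ip) from lines of the form
    'tcp <STATE> <local ip:port> <remote ip:port>'; other lines are skipped."""
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].startswith("tcp"):
            continue
        _proto, state, local, remote = parts
        remote_ip = remote.rsplit(":", 1)[0]       # keeps IPv6 forms intact
        yield state, local, remote_ip


def half_open_summary(table: str, per_source_threshold: int = 5,
                      backlog_threshold: int = 10) -> Dict[str, object]:
    """Summarize SYN_RECV sockets: who is sending them and which listener
    they pile up on. A flood with spoofed sources shows up as many distinct
    sources with a high total, so the backlog check is independent of the
    per-source check."""
    per_source: Counter = Counter()
    per_listener: Counter = Counter()
    for state, local, remote_ip in parse_sockets(table):
        if state != "SYN_RECV":
            continue
        per_source[remote_ip] += 1
        per_listener[local] += 1
    total = sum(per_source.values())
    return {
        "total_half_open": total,
        "noisy_sources": {ip: n for ip, n in per_source.items() if n >= per_source_threshold},
        "distinct_sources": len(per_source),
        "backlog_alert": total >= backlog_threshold,
        "targeted_listeners": dict(per_listener),
    }


# Constructed listing: one source with eight half-open connections, five
# single-connection sources (what a spoofed flood looks like), and two
# completed handshakes.
SAMPLE_TABLE = "\n".join(
    [f"tcp SYN_RECV 10.0.0.5:80 203.0.113.7:{51000 + i}" for i in range(8)] +
    [f"tcp SYN_RECV 10.0.0.5:80 198.51.100.{i}:40000" for i in range(1, 6)] +
    ["tcp ESTABLISHED 10.0.0.5:80 192.0.2.20:33000",
     "tcp ESTABLISHED 10.0.0.5:443 192.0.2.21:33001"]
)

if __name__ == "__main__":
    print(half_open_summary(SAMPLE_TABLE))
```

Because a real SYN flood usually spoofs its source addresses, the per-source count alone would miss it; the total half-open count against the listener is the signal that matters, and on Linux the usual kernel-side mitigation for that condition is SYN cookies (`net.ipv4.tcp_syncookies`), which lets the listener answer without reserving backlog state.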

3. Application Layer Attacks

Although less frequent and more sophisticated, Application Layer Attacks can be harder to detect and circumvent. Usually, as a part of a multi-vector approach, the attacker targets DNS, HTTP, and HTTPS, mostly because these are typical internet protocols in everyday network-to-network conversations. Think about the internet’s Domain Name Service (DNS). When you type in a domain name like, your computer needs to find out the IP address of that domain name, because that’s how computers find each other, via IP addresses. DNS translates to an IP address like or in IPv6 2607:f8b0:4004:804::2004. When the DNS is overwhelmed then no one can look up the IP address and everyone gets a ‘Web Page Unavailable’ page.

Application Layer Attacks also target web servers, and taking out a web delivery service is the easiest way to affect the thousands of users who need that website.

How They Do It

The attacks are carried out with an array of botnets and tools. Some tools are very simple and just generate “syn” requests, while others, like the Low Orbit Ion Cannon (LOIC) and High Orbit Ion Cannon (HOIC), are more sophisticated and can be used by groups to make hacktivist public statements.

According to Wikipedia, LOIC was used by 4chan (a group growing into Anonymous) during their Project Chanology to attack websites like the Church of Scientology and the Recording Industry Association of America. LOIC was again used by Anonymous during their Operation Payback in December 2010 to attack the websites of companies and organizations that they opposed.

Why They Do It

There are many motivations for DoS attacks, including random pranks, hacktivism against your industry or country, theft by ransom (“pay us and we’ll stop”), disgruntled employees, market manipulation, diversion to mask data theft, competition and bragging rights amongst hackers and Nation State-sponsored social engineering.

Some Instances of Recent DDoS Attacks are:

1. In 2015, as residents of New Jersey were getting ready to celebrate Independence Day, those who tried to partake in a little online gambling on a Thursday afternoon were met with some unwanted resistance. Four of New Jersey’s internet gaming sites were hit by a DDoS attack, causing them to be inaccessible for a short period of time. “At least four casinos were impacted and experienced downtime,” said New Jersey Division of Gaming Enforcement (DGE) Director David Rebuck.

2. In Serbia last year, the Pescanik website said that it had been brought down by a DoS attack directly after publishing allegations that Serbian Interior Minister Nebojsa Stefanovic had plagiarized parts of his PhD thesis.

3. According to Spirent, the latter part of 2017 saw a marked increase in the number and size of DDoS attacks around the world. The political crisis in Qatar coincided with an attack on the website of Al Jazeera, one of the largest news networks in the world. Presidential elections in France were disrupted by attacks on the Le Figaro and Le Monde websites. And in Great Britain, the website used for Brexit voter registrations was rendered useless by an attack that stopped certain voters from registering.

As we can see, DoS and DDoS attacks are very commonplace and are the easiest type of attack to perpetrate.

Countering DoS Attacks

DoS attacks can also be costly to defend against. Stopping the attack on Brian Krebs was estimated to cost $100,000 a day. A cost this high could put most businesses into the red quickly if allowed to continue.

The bigger commercial sites use third-party DoS prevention services, but they still stand to lose money while their sites are down. Some ISPs can provide sufficient DoS mitigation, as can some networking and firewall techniques.

DoS defense and mitigation needs to be considered with regards to your business, especially before it is too late.


Tuesday, 19 May 2020

Everything You Need to Know About Firewalls and Everything to Avoid

EC-Council Study Materials, EC-Council Guides, EC-Council Exam Prep, EC-Council Learning

In today’s digital landscape, top-notch network security solutions are the need of the hour. Apart from concrete anti-malware programs and different cybersecurity solutions, having a proper network security plan with a good firewall is a must.

Traditional firewalls protect the internal network against incoming traffic. They have served as the first line of defense in network security for almost three decades. Over this period they have evolved into several kinds: traditional, next-generation, hardware, and software, to name a few. Like any other cybersecurity solution, firewalls have transformed since their initial years, which makes it challenging for network owners to decide on the appropriate firewall for their requirements. Choosing the wrong firewall can leave your network and data susceptible to various types of cyber threats.

All About Firewall

A firewall can be defined as either a hardware or a software program, designed to block all unwanted incoming traffic while allowing authorized communications to flow freely. As a security enhancement mechanism, the firewall filters out the flagged data packets as per the defined rules and standards. In simpler words, a firewall acts as a shield between the private network and the Internet to protect the former from unauthorized access.

A few basic facts about firewalls may be listed as follows:

◉ Without a firewall, your internal network is under constant threat of unauthorized access, security breach, and data theft.

◉ A firewall sometimes even prevents outgoing traffic from visiting certain websites or web pages to keep it safe from the unsafe environment.

◉ The rules need to be defined by the administrator of the network to block unnecessary traffic from entering.

◉ Routers vs. Firewalls: a router and a firewall are not the same. A router directs traffic to the desired target without blocking any incoming traffic, except where an Access Control List (ACL) is applied. In fact, routing is one of the functions of a firewall, whose primary objective is blocking unusual traffic.

Different Types of Firewalls

Organizations have several different types of firewalls to choose from, which are:

1. Proxy Firewall

A proxy firewall filters out flagged messages at the application layer to protect the resources of a private network. Its add-on functionalities include content caching and provision of security for direct connections between internal and external networks. It is also known as an application firewall or gateway firewall.

2. Stateful Inspection Firewall

A firewall that blocks incoming traffic based on state, port, and protocol is known as a stateful inspection firewall. Such firewalls monitor an active connection throughout its different states to check which network packets should be allowed to pass.

3. Unified Threat Management (UTM) Firewall

A UTM firewall combines the features of a traditional firewall with various other security aspects. Usually, this UTM appliance offers the functionalities of gateway antivirus, intrusion detection, and prevention, which are loosely coupled together. Such firewalls are ideal for small- to medium-sized enterprises.

4. Next-Generation Firewall (NGFW)

Next-Generation Firewalls are designed to block modern-day cyber threats, such as advanced malware and application-layer attacks. However, this firewall should also be capable of performing the standard stateful inspection.

5. Threat-Focused NGFW

Apart from the functions of a traditional NGFW, threat-focused NGFW offers advanced threat detection and remediation. It also knows which assets are more prone to risk with a complete context awareness report. It can respond to attacks using intelligent security automation and is capable of handling various other security-related issues.

Why Do You Need Firewalls?

If you are doubtful and are still looking for more reasons to install a firewall, look at the following benefits of having an active firewall:

◉ No More Unauthorized Remote Access

Consider a scenario where a cyber attacker can access all your data and private accounts remotely; this can be prevented by disabling the “remote desktop access” feature in the firewall. Note that this feature cannot block third-party applications you have manually allowed from using your data. Also, if a malware program is already installed on your system, which usually comes along with other security issues like Trojans, keyloggers, and backdoors, then a firewall is incapable of protecting your network and data.

Note: As firewalls are designed to block malicious apps from gaining access to the private network, there is a probability that a few trustworthy software and applications can also be blocked.

◉ Blocking Unwanted Messages

The anti-spam feature of a firewall helps in controlling, detecting, and preventing unwanted messages, which can carry spam, viruses, or other threats. This responsibility makes it crucial to keep your firewall active and appropriately configured. If this is not done correctly, you will be an easy target for cyber attackers.

◉ Safe Online Gaming Experience

Online gaming brings potential cybersecurity risks while being one of the most significant developments in the gaming world. McAfee has recently reported in its survey “Game Over” that 75 percent of PC gamers are concerned about the security aspect of future gaming. This problem has a great solution—firewall installation.

Most firewalls can configure themselves according to the requirements of a game, updating the firewall with the game’s title, software type, and any other required attribute. The “Gaming Mode” in most games helps gamers automate the security-related configuration. They also get the option of switching the firewall application settings to manual.

◉ Filtering Out Immoral Content

In addition to all the above-listed pros, firewalls can protect directories and folders from ransomware and can even block specified online locations. This setting usually comes under parental control, but the feature also fits the roles and responsibilities of a firewall.

Firewall Rules

Firewalls follow the fundamental constraint of matching the incoming traffic with the defined rules to allow it to get through. The following instances give you a closer look at how firewall rules are applied:

Example 1: Accept established incoming traffic to the public network interface on ports 80 and 443, which carry HTTP and HTTPS web traffic.

Hypertext Transfer Protocol (HTTP) is an “application layer protocol” responsible for presenting information rather than focusing on how data gets transferred from one point to the other. HTTP is suitable for those websites that do not hold sensitive information. On the contrary, HTTPS (or “secure http”) allows authorized access and secures transactions. Note that HTTP and HTTPS don’t pay attention to the transfer of data.

Example 2: Reject incoming traffic from public networks on port 22 (SSH).

The SSH protocol (or “Secure Shell”) allows secure remote login. It offers several features, such as authentication, communication security, and integrity with robust encryption. SSH is a substitute for other login protocols, such as telnet and rlogin, which are not protected. It can also be used in place of FTP, which is likewise an insecure file transfer protocol.

That’s how the firewall rules are applied to avoid unwanted network traffic.
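To show how the two example rules are actually applied, including the “established” state that Example 1 depends on, the following Python is an added example (not from the original post and not any real firewall’s code). It models a minimal stateful filter: rules are tried in order, accepted new flows are remembered so their later packets count as established, and anything unmatched falls through to a default drop. The interface name eth0, the server address, the RFC 1918 definition of “private”, and the sample packets are constructed assumptions.

```python
"""Stateful firewall rule evaluation for the two examples above.

Added example (not from the original post and not any real firewall's code):
a minimal stateful filter that tracks accepted flows and applies rules in
order, with a default drop. Rule set: accept established flows, accept new
HTTP/HTTPS on the public interface, reject SSH from public addresses, and
allow SSH only from RFC 1918 (private) addresses. Interface names, addresses
and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public(ip: str) -> bool:
    """Anything outside RFC 1918 space is treated as public (so the
    documentation range 203.0.113.0/24 counts as public here)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool          # True for the first packet of a TCP handshake


@dataclass(frozen=True)
class Rule:
    action: str                     # ACCEPT, REJECT or DROP
    iface: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None     # NEW, ESTABLISHED or INVALID
    src_public: Optional[bool] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.iface is None or self.iface == pkt.iface) and
                (self.dport is None or self.dport == pkt.dport) and
                (self.state is None or self.state == state) and
                (self.src_public is None or self.src_public == is_public(pkt.src)))


class StatefulFirewall:
    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules = rules
        self.default = default
        self.conntrack: Set[Tuple[str, int, str, int]] = set()   # known flows

    def _state(self, pkt: Packet) -> str:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
            return "ESTABLISHED"
        return "NEW" if pkt.syn else "INVALID"   # non-SYN with no flow: bogus

    def evaluate(self, pkt: Packet) -> str:
        state = self._state(pkt)
        for rule in self.rules:
            if rule.matches(pkt, state):
                if rule.action == "ACCEPT" and state == "NEW":
                    # remember both directions so replies count as ESTABLISHED
                    self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return rule.action
        return self.default


RULES = [
    Rule("ACCEPT", state="ESTABLISHED"),                      # replies to accepted flows
    Rule("ACCEPT", iface="eth0", dport=80, state="NEW"),      # Example 1: HTTP
    Rule("ACCEPT", iface="eth0", dport=443, state="NEW"),     # Example 1: HTTPS
    Rule("REJECT", dport=22, src_public=True),                # Example 2: no public SSH
    Rule("ACCEPT", dport=22, src_public=False, state="NEW"),  # SSH from inside only
]

# Constructed traffic; 10.0.0.5 is the server, eth0 its public interface.
SAMPLE_PACKETS = [
    Packet("eth0", "203.0.113.7", "10.0.0.5", 51000, 80, syn=True),     # new HTTP
    Packet("eth0", "203.0.113.7", "10.0.0.5", 51000, 80, syn=False),    # same flow
    Packet("eth0", "203.0.113.7", "10.0.0.5", 51001, 22, syn=True),     # public SSH
    Packet("eth1", "10.0.0.9", "10.0.0.5", 40000, 22, syn=True),        # internal SSH
    Packet("eth0", "198.51.100.3", "10.0.0.5", 52000, 443, syn=False),  # no handshake
    Packet("eth0", "198.51.100.3", "10.0.0.5", 52001, 8080, syn=True),  # unlisted port
]


def evaluate_all(rules: List[Rule], packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall(rules)
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate_all(RULES, SAMPLE_PACKETS)):
        print(f"{verdict:7s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

Two details matter in practice and are easy to miss when reading rules as plain text: the order of the rules (the public SSH reject sits before the private SSH accept, so it wins for public sources) and the state check (a packet to port 443 that never completed a handshake is INVALID and is dropped even though 443 is an allowed port).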

Cybercriminals targeting businesses of every size, from small to large, has become a common cybersecurity issue. To avoid this, you should prepare yourself with a line of defense containing a properly configured firewall, one that can fulfill the security requirements of your organization. Choose between hardware and software firewalls, or install both to add an extra layer of security. A proactive firewall can protect your organization from various malware attacks and unauthorized intrusions.


Saturday, 16 May 2020

5 Ways to Intelligent Network Security with Software-Defined Networking

EC-Council Study Materials, EC-Council Guides, EC-Council Learning, EC-Council Certification

Today’s businesses compete in a very challenging network security landscape. From large corporations to small- and medium-sized enterprises, and even many start-ups, organizations are adopting cloud services. The cloud not only offers flexibility of resource utilization, but also reduces operational costs, increases data integrity and security, lowers the risk of data unavailability, and multiplies collaborative productivity tenfold.

The migration from on-premise to cloud-based infrastructure has resulted in massive changes in network design and security. To support this digital transformation, organizations need advanced tools and support of automation to improve security. In such a situation, software-defined networking could be the optimal solution.

Software-defined networking – Solving network security challenges

Software-defined networking (SDN) is a network architecture that enables centrally and programmatically efficient network configuration, improving network performance and monitoring. With this arrangement, network security operators can easily manage network consistency without being concerned about the underlying network technology.

SDN impacts organizations positively. With the help of this technology, companies now understand the widening threat landscape and real-world challenges of SDN.

SDN and network security


Network defense professionals are looking for innovative ways to protect their organizations from complex security concerns. With SDN, experts have the right opportunity to improve network security. Here’s how:

1. Centralized network control

In a traditional IT environment, network devices such as routers and switches make decisions regarding incoming and outgoing traffic. SDN can centralize network control, routing all traffic through a single controller. It separates the control plane, forwarding plane, and data plane from each other. This technology gives a clear picture of the network topology and architecture. For network security, SDN can also regulate data packets through a single firewall and improve the data capture ability of IDS and IPS.

2. Simplified configuration

VLAN configuration demands considerable care, as it provides a highly secured environment for the organization. The more VLANs a company implements, the more complex they become for the professionals managing them.

With the help of SDN, organizations can automate VLAN configuration and keep an auditable record of every change. SDN also allows network settings to be reprogrammed dynamically, which helps mitigate DDoS attacks by rerouting or rate-limiting hostile traffic at the edge; it does not eliminate them.

3. High-level network policies

SDN allows security policies to be defined and managed centrally instead of being configured device by device. This makes the network operator more flexible and efficient, and organizations are replacing per-device management through SNMP and the CLI with policy-based management.

4. Handy Application Programming Interfaces (APIs)

The northbound APIs exposed by SDN controllers, and the cloud provider APIs they integrate with, are crucial for SDN applications. With well-documented APIs, professionals can manage network resources programmatically, make better use of IT resources, and keep the vital tools within easy reach. Those APIs must themselves be authenticated and access-controlled, since anyone who can call them can reprogram the network.


5. Additional qualities

SDN supports automatic quarantine: when an IDS flags a host, the controller can push flow rules that isolate that host (for example, allowing it to talk only to a remediation server) without re-cabling or hand-editing switch configurations. The quarantine applies from the chosen enforcement point to the infected part of the network, so its effectiveness depends on where the controller can install rules.
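As an added example (not code from the article or from any SDN controller), the following Python models how a controller turns the high-level policy "quarantine this host" into prioritised flow rules and how a switch then matches packets against them. The flow-table format is a simplified stand-in for OpenFlow rather than a real controller API, and the addresses and IDS alerts are constructed.

```python
"""Illustrative SDN quarantine: compile a high-level policy ("isolate this host")
into prioritised flow-table entries and simulate how a switch would match them.
Added example, not code from the article or any SDN controller; the table
format is a simplified stand-in for OpenFlow, not a real API."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Match:
    """Packet match fields; None acts as a wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def hits(self, pkt: dict) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in vars(self).items())


@dataclass(frozen=True)
class FlowRule:
    priority: int          # higher wins, as in OpenFlow
    match: Match
    action: str            # "forward" or "drop"


class FlowTable:
    """One switch's table as programmed by the controller."""

    def __init__(self) -> None:
        self.rules = [FlowRule(0, Match(), "forward")]   # default: permit

    def install(self, rule: FlowRule) -> None:
        self.rules.append(rule)

    def lookup(self, pkt: dict) -> str:
        # The highest-priority matching entry decides; ties resolve to the
        # earliest-installed rule, which is why quarantine rules are tiered below.
        return max((r for r in self.rules if r.match.hits(pkt)),
                   key=lambda r: r.priority).action


def quarantine_rules(host: str, remediation: str, base: int = 1000) -> list:
    """Policy 'quarantine host': drop everything to/from it except traffic with
    the remediation server. The allow rules sit one priority level above the drops."""
    return [
        FlowRule(base + 1, Match(src=host, dst=remediation), "forward"),
        FlowRule(base + 1, Match(src=remediation, dst=host), "forward"),
        FlowRule(base, Match(src=host), "drop"),
        FlowRule(base, Match(dst=host), "drop"),
    ]


def apply_ids_alerts(table: FlowTable, alerts: list, remediation: str,
                     threshold: int = 7) -> set:
    """Controller reaction to IDS alerts: isolate each high-severity source once."""
    quarantined = set()
    for alert in alerts:
        src = alert["src"]
        if alert["severity"] >= threshold and src not in quarantined:
            for rule in quarantine_rules(src, remediation):
                table.install(rule)
            quarantined.add(src)
    return quarantined


# Constructed sample data: private-range addresses and made-up IDS alerts.
REMEDIATION_SERVER = "10.0.0.250"
SAMPLE_ALERTS = [
    {"src": "10.0.0.5", "severity": 9, "sig": "beaconing to known C2"},
    {"src": "10.0.0.5", "severity": 9, "sig": "beaconing to known C2"},  # duplicate
    {"src": "10.0.0.7", "severity": 3, "sig": "port scan, low confidence"},
]


def demo() -> dict:
    table = FlowTable()
    isolated = apply_ids_alerts(table, SAMPLE_ALERTS, REMEDIATION_SERVER)
    return {
        "isolated": isolated,
        "infected_to_peer": table.lookup({"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445}),
        "infected_to_remediation": table.lookup({"src": "10.0.0.5", "dst": REMEDIATION_SERVER, "dport": 443}),
        "peer_to_infected": table.lookup({"src": "10.0.0.9", "dst": "10.0.0.5", "dport": 22}),
        "clean_to_peer": table.lookup({"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 80}),
        "rule_count": len(table.rules),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is the priority tiering: the two narrow "allow to remediation" entries must outrank the broad drops, and the drops must outrank the default permit, otherwise the order in which rules were installed decides behaviour. A real controller pushes the same entries to every switch on the path, and the quarantine is only as good as the set of switches it can program.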


Thursday, 14 May 2020

The role of Cyber Threat Intelligence in patching


Vulnerabilities put your business at risk, and with thousands disclosed every year it is impossible to patch them all; that is where research comes in. Threat intelligence helps identify the specific vulnerabilities that pose a risk to your organization and points to the remediation that fits your environment.

Gartner's research found that of all the vulnerabilities disclosed in the previous decade, only about one-eighth were actually exploited in real-world attacks. The ones that are exploited, however, are reused and leveraged across a wide range of threats.

Gartner recommends shifting focus from generic vulnerability management to ranking threats by how they are actually being used against organizations. Both matter, but systems like Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS) say nothing about whether a vulnerability is being exploited in the wild. At the same time, relying solely on the severity of vulnerabilities won't combat threats.

Refocus your goals

A perfect security system would be completely immune to exploitation. But given the sheer number of vulnerabilities, the "patch everything, all the time, everywhere" approach is impossible to achieve. With limited time and resources, the usual approach has been "biggest vulnerabilities first", yet a review of the security breaches of the last decade shows that this approach was misguided. Gartner's research suggests balancing what can be fixed against what difference it makes with the resources and time available.

The gap between perceived goals and actual outcomes comes down to where organizations put their defensive effort. Security teams attend to the biggest and newest vulnerabilities on the assumption that attackers target them immediately. Attackers, however, do not switch to new vulnerabilities while existing ones can be exploited repeatedly at decreasing cost and with less expertise. Gartner observed that attackers exploit vulnerabilities that are relatively easy to use and present in widely deployed software.

The way out is to get the fundamentals of vulnerability management right and patch the vulnerabilities that are known to have been exploited, instead of focusing only on the new ones.

Gartner’s report on patching

Gartner's research found that nearly 8,000 vulnerabilities were disclosed during the past decade, with a marginal rise in their number every year. Newly exploited vulnerabilities, driven by new software releases, account for only one-eighth of that number, whereas the number of threats has increased exponentially. So although the number of breaches rose over the decade, new vulnerabilities contribute only a fraction of them.

Zero-days form only a small part of new vulnerabilities, around 0.4% of all vulnerabilities exploited during the decade. Although threat intelligence vendors cannot technically call an issue a "zero-day" once a patch exists, keeping software patched is the fix for most of what would otherwise be treated as zero-day threats. Over these years threat actors have also become faster: they now exploit a new vulnerability within about 15 days of disclosure, against 45 days previously. Organizations are left with two options: patch within 15 days, or have a plan to mitigate the damage.

How to fix this flaw

1. Track a metric that captures the intersection of the vulnerabilities present in your environment and those being exploited by threat actors. Vulnerabilities that appear repeatedly in that intersection should be patched first, as the most effective defense against a breach.

2. Controls like network segmentation, intrusion prevention, and privileged identity management help mitigate threats when a patch is not yet available. They are compensating controls, applied first to the vulnerabilities that are being exploited, not a substitute for patching.

3. Identifying and mitigating threats, and patching against them, requires specialized skills. The Certified Threat Intelligence Analyst (C|TIA) is a program that gives an individual or organization the ability to run a threat intelligence process and produce "evidence-based knowledge" and "actionable advice" about existing and emerging threats.
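The ranking described in steps 1 and 2 is easy to get wrong when the only input is a CVSS score, so here is an added Python example (not code from the article or from Gartner) that scores findings by exploitation evidence and exposure first and CVSS second, then assigns the action the text prescribes: patch within the 15-day window, or mitigate with compensating controls when no patch exists. The inventory and the "known exploited" feed are constructed, and the VULN-n identifiers are placeholders rather than real CVE IDs.

```python
"""Added example: rank vulnerabilities by exploitation evidence rather than CVSS
alone. Not code from the article or from Gartner. Findings and the exploited
feed are constructed; VULN-n identifiers are placeholders, not real CVE IDs."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    internet_facing: bool
    patch_available: bool
    disclosed: date


# Constructed sample inventory and threat-intel feed (placeholders, not real data).
KNOWN_EXPLOITED = {"VULN-1", "VULN-3"}
TODAY = date(2020, 5, 14)
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-1", 7.5, True, True, date(2020, 4, 1)),
    Finding("db01", "VULN-2", 9.8, False, True, date(2020, 5, 10)),
    Finding("vpn01", "VULN-3", 6.5, True, False, date(2020, 4, 20)),
    Finding("ws17", "VULN-4", 4.3, False, True, date(2020, 3, 2)),
]

EXPLOITED_BONUS = 5.0      # evidence of exploitation outranks any CVSS gap
EXPOSURE_BONUS = 2.0       # reachable from the internet


def priority(f: Finding, exploited: set) -> float:
    """CVSS is the baseline; active exploitation and exposure dominate it."""
    score = f.cvss
    if f.vuln_id in exploited:
        score += EXPLOITED_BONUS
    if f.internet_facing:
        score += EXPOSURE_BONUS
    return score


def recommend(f: Finding, exploited: set, today: date, sla_days: int = 15) -> str:
    """Action per finding, using the article's 15-day window for exploited bugs."""
    if f.vuln_id not in exploited:
        return "patch-cycle"               # ordinary maintenance window
    if not f.patch_available:
        return "mitigate"                  # segmentation / IPS / PIM until a fix exists
    age = (today - f.disclosed).days
    return "patch-overdue" if age > sla_days else "patch-now"


def prioritise(findings, exploited, today):
    """Return (asset, vuln_id, score, action) rows, most urgent first."""
    ranked = sorted(findings, key=lambda f: priority(f, exploited), reverse=True)
    return [(f.asset, f.vuln_id, priority(f, exploited), recommend(f, exploited, today))
            for f in ranked]


if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS, KNOWN_EXPLOITED, TODAY):
        print(row)
```

With this data the CVSS 9.8 database finding drops to third place because nothing is exploiting it, while the CVSS 6.5 VPN finding with no vendor fix comes out as "mitigate", which is exactly the case where segmentation and intrusion prevention earn their keep. The bonus weights are assumptions to tune for your own environment; the structure (exploitation first, exposure second, CVSS as tie-breaker) is the point.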


Tuesday, 12 May 2020

Is your Cyber Disaster Recovery Plan equipped to handle the latest cyber threats?


The expansion of the connected ecosystem is adding to the complexity and growth of cyberattacks. According to Cybersecurity Ventures' estimates, the human attack surface will grow to 6 billion people by 2021 and attacks will cost the global economy $6tn a year by 2021. Organizations hit by high-profile cyberattacks have suffered devastating financial loss, reputational damage, and lawsuits. To avoid these consequences, businesses must have cybersecurity defenses in place. But even with all the necessary security measures, human error and technical faults can render those defenses useless, which is why a disaster recovery plan is needed.

The policies and procedures of a disaster recovery plan operate during and after a disaster, enabling the business to recover the important assets lost in the crisis. Importantly, the plan should be aligned with the actual threats so that the business can continue to operate after an attack.

They’re too big to fail. Are you too small to recover?

Aligning your disaster recovery plan to cyber threats

1. Awareness of threats

Companies should develop a contextual understanding of threats to prevent and handle breaches. Pairing human expertise with big data analytics can build that understanding. With regulations like GDPR, the key challenge for businesses is to shrink the time between breach and detection. Companies can protect against breaches with an approach that recognizes the context and intent of user behavior at an early stage and flags potential threats proactively; how users behave with systems and data is itself a risk indicator.

2. Responding to attacks

To respond effectively, businesses need tools and processes that can handle sophisticated cyberattacks. Staying a step ahead of the damage an attacker can cause is the only way to avoid becoming a victim. A good understanding of the data, who can access it, and the human errors that can lead to malicious outcomes supports GDPR compliance and protects sensitive information on the network. A process should be in place to identify and monitor potential threats on an hourly basis, with checkpoints embedded in the security landscape so that behavior changes that could lead to a breach are analyzed quickly. By analyzing data movement and network behavior, the team can confirm that a threat has been contained before moving on to protecting data, brand, and customers.

3. Continuous planning is significant

Businesses must treat disaster recovery as an evolving plan because the cybersecurity landscape changes constantly. The security team should not assume that last year's policy or plan can simply be reused this year. The information gathered by staying vigilant and performing regular risk assessments is what allows a sound plan to be framed. Only a disaster recovery plan based on real observation reflects the vulnerabilities actually present in the landscape.

4. Approach should evolve

A disaster recovery plan cannot be built on traditional approaches alone. It takes time and effort, because security measures are hard to create and implement. Traditional risks like an epidemic or terrorism can be grouped together because they have similar impact, but cyber incidents are neither uniform nor simple. When data is encrypted and locked by ransomware, restoring from a backup taken before the ransomware spread takes time and still involves significant data loss, so backups must be kept isolated from the production network, tested, and recent.


Sunday, 10 May 2020

4 Cybersecurity Lessons Learned the Hard Way

The cybersecurity landscape is dynamic. The threats are constantly evolving and today’s cybersecurity measures may not stand up to pressure tomorrow. However, time and time again we’ve seen companies and organizations slip into complacency or ignore certain processes—such as training or vetting outside tools—and pay in terms of costly cyberattacks.

In this post, we look at four of those cases:

1. Atlanta, GA (2018)

On March 22, 2018, the city of Atlanta in Georgia was hit by a SamSam ransomware attack.

The ransomware attack locked municipal workers from accessing their systems. The attackers then demanded US$51,000 in Bitcoin payments in exchange for restoring access.

As a result of the SamSam attack, Atlanta was unable to effectively deliver essential services—such as processing water and sewage bills, issuing business licenses, or scheduling traffic ticket hearings—for over a month following the actual attack.

In general, ransomware attacks occur through phishing attacks aimed at fooling the user into downloading a malicious file (or clicking to a malicious website). The attack then locks the end user out of their system and, typically, the attacker will demand a ransom payment.

However, the SamSam attack does not proliferate through phishing emails, but “by exploiting vulnerabilities or guessing weak passwords in a target’s public-facing systems”.

Though the direct cause of the attack was SamSam, the underlying reason for it was the fact that Atlanta’s IT systems suffered from “between 1,500 and 2,000 security vulnerabilities”. In addition to inherent weaknesses, Atlanta was also ill-equipped to respond to the attack.

The lesson is that you must not only conduct regular cybersecurity assessments or audits, but also regularly identify and resolve the risks they find. That would have meant phasing out outdated or insecure platforms, such as the 100 servers running Windows Server 2003 (which Microsoft stopped supporting in 2015). Expediting the move to the cloud would have shifted maintenance of the underlying platform to the provider, although under the shared responsibility model the customer still owns patching of its own operating systems and applications.

It is a costly practice, but given that the city spent US$2.7 million on emergency contracts in the month following the attack (with the total cost slated to reach as much as US$17 million), Atlanta was not spared the expense either way. Instead, Atlanta found itself in the news for all the wrong reasons, which does not help the city or its government from a PR standpoint.

2. British Airways (2018)

In September 2018, British Airways announced that it had suffered a breach affecting as many as 429,000 of its customers and their credit card numbers. The breach, which had gone unnoticed for two weeks, effectively required affected customers to cancel their credit cards.

RiskIQ, a security vendor, assessed the situation and determined that the breach was the result of attackers injecting malicious code into British Airways' online payments page. RiskIQ concluded that the attack was aimed specifically at British Airways, making the airline the victim of a targeted and sophisticated attack. It is not clear how much the attack will cost British Airways.

It appears that the attack exploited third-party code on British Airways' website. This isn't an easy issue to deal with, considering how many businesses rely on the same third-party code to enable payments, show ads, and provide other user-facing services.

In fact, the challenge of this breach is that you or your managed IT services provider(s) might have set up a solid cybersecurity system, but as cyber expert Dr Alan Woodward put it (via the BBC), "You can put the strongest lock you like on the front door, but if the builders have left a ladder up to a window, where do you think the burglars will go?".

In this respect, the lesson for companies and organizations is to vet and test all third-party code (tools, scripts, plugins, etc.) they bring into their systems, and to monitor or audit that code regularly for unexpected changes or irregular activity.
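One concrete control for the failure mode in this case is Subresource Integrity (SRI): the page pins a cryptographic hash of the third-party script it was vetted with, and the browser refuses to run a copy whose hash differs. The following Python is an added example (not code from the article or from British Airways) that generates the pinned tag and reproduces the browser-side check; the script body and CDN URL are constructed placeholders.

```python
"""Added example: Subresource Integrity (SRI) as a control against tampered
third-party scripts. Not code from the article or from British Airways.
The script body and the CDN URL are constructed placeholders."""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")   # the only algorithms browsers accept for SRI


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build an SRI 'integrity' token: '<algo>-<standard base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, vetted_content: bytes) -> str:
    """Emit a <script> tag pinned to the copy of the script you reviewed.
    crossorigin is required for SRI checks on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(vetted_content)}" '
            f'crossorigin="anonymous"></script>')


def verify(fetched: bytes, integrity: str) -> bool:
    """What the browser does at load time: recompute and compare before
    executing. SRI allows several space-separated tokens; any match passes,
    tokens with unknown algorithms are ignored."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo not in SRI_ALGOS:
            continue
        if hmac.compare_digest(sri_hash(fetched, algo), token):
            return True
    return False


# Constructed sample: the reviewed script and a copy with a line appended.
VETTED_SCRIPT = b"window.pay = function (form) { return post('/pay', form); };\n"
TAMPERED_SCRIPT = VETTED_SCRIPT + b"/* injected */\n"


def demo() -> dict:
    tag = script_tag("https://cdn.example.test/pay.js", VETTED_SCRIPT)
    integrity = sri_hash(VETTED_SCRIPT)
    return {
        "tag": tag,
        "vetted_loads": verify(VETTED_SCRIPT, integrity),
        "tampered_loads": verify(TAMPERED_SCRIPT, integrity),
    }


if __name__ == "__main__":
    print(demo())
```

The caveats matter as much as the mechanism. SRI only works when you pin a specific, reviewed version, so it suits versioned CDN URLs and not "latest" endpoints, and the tag must be regenerated every time the vendor ships a new release. It also cannot check anything a pinned script loads at runtime, so pair it with a Content-Security-Policy script-src allowlist and with monitoring of the third-party code for changes.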

3. eBay (2014)

In May 2014, eBay announced that it had suffered a major data breach affecting upwards of 145 million of its customers. Besides usernames, the breach was thought to have compromised user emails, real names, home addresses, phone numbers, and birthdates. In effect, millions of eBay users were at risk of identity theft or fraud as a result of the breach.

The breach—which had forced eBay to lower its annual sales target by US$200 million and report lower revenue for that year—was likely initiated through a spear-phishing attack.

In spear-phishing attacks, hackers craft sophisticated emails that look as though they are from a trusted source, such as a colleague, manager, vendor, or customer. The goal is to manipulate or fool end users into an action they wouldn’t take if they knew the reality of that email.

For example, a hacker masquerading as a vendor could trick the user into sending money to the hacker in response to a fake invoice. Alternatively, someone posing as a manager could get the user to give password information or click on a malicious link/attachment.

Technical measures such as sandboxing affected PCs and filtering traffic from high-risk sources help, but the core of the solution is to train and educate your staff. Employees should have the knowledge to recognize phishing attempts and report them rather than fall for them. Training is a relatively low-cost, quick way of getting high-impact cybersecurity gains.

4. RSA Security (2011)

In 2011, RSA, a multifactor authentication company, reported that it had been struck by two spear-phishing attacks. Besides resulting in a cost of US$66 million, the attacks drew the attention of the US government because the company's SecurID tokens, which were compromised, were in use at Lockheed Martin, a marquee defense vendor.

The spear-phishing email posed as a company-wide message discussing that year's recruitment roadmap. An employee not only retrieved that email from their Junk/Spam folder but opened the attached Microsoft Excel file, which contained a zero-day exploit for a vulnerability in Adobe's Flash platform embedded in the spreadsheet and, in turn, installed a variant of the Poison Ivy remote-access Trojan.

As with the eBay attack, a combination of issues was at play: the failure of RSA's threat identification and sandboxing, as well as a lack of cybersecurity training. The gap was severe enough that the malicious email had already been filtered out, but the employee did not understand why and chose to retrieve and open it anyway.

In each of these four cases, there are two major lessons.

First, the cost of recovering from a cyberattack — be it in fiscal terms or reputation — is higher than the cost of preparing for it in advance.

Second, an attack can succeed despite solid cybersecurity efforts because of an end user's lack of knowledge or awareness.

Thus, businesses and organizations must address their cybersecurity issues from every angle — that is, regular auditing, vulnerability scanning, automated response systems (e.g., sandboxing high-risk or unrecognized software), training, and response processes (e.g., disaster recovery).

Final Thoughts

In this post, we looked at four notable cybersecurity attacks. Though the cybersecurity industry has made strides in countering threats, the threats themselves keep evolving. This back-and-forth will keep businesses of all sizes on edge, forcing them to invest in understanding these threats and the solutions emerging to stop them.


Thursday, 7 May 2020

6 Skills every Ethical Hacker must have to protect an organization


Rarely does a week go by without news of a massive data breach. There is a hacker attack every 39 seconds, and cybercriminals steal on average 75 records every second. Both small and big businesses are targeted by cybercriminals, creating a need for skilled ethical hackers to protect their systems. Organizations, government and private, now need ethical hackers more than ever.

Who is an Ethical Hacker?

Ethical hackers identify potential vulnerabilities in a system, application, or data before cybercriminals exploit them. To protect their businesses, organizations prefer to invest in trained ethical hackers. These professionals are trained to use methodologies and technologies similar to those used by criminal hackers.

6 skills that trained Ethical Hackers possess

Organizations are increasingly adopting technical solutions to store their crucial business data and expand their market. This has equally expanded the number of cybercriminals targeting them.

1. Identify loopholes

Businesses are highly prone to cyberattacks, so organizations need ethical hackers to protect their systems and IT infrastructure. Ethical hackers identify the loopholes and vulnerabilities that attackers could use to exploit systems and compromise data, and they perform tests aimed at preventing data from leaking.

2. Knowledge of penetration testing

Ethical hackers are equipped with penetration testing (pentesting) knowledge that helps identify vulnerabilities in a system. Ethical hacking training covers different penetration testing approaches, including targeted, blind, internal, and external testing of network servers and DNS servers.

3. Addresses the risk of transitioning to the cloud

Transitioning to the cloud puts a great deal of organizational data at risk. On one side, business data is vast and cannot all be stored in-house, creating the need for cloud services. On the other, the transition involves security risks, and a little negligence exposes the data. The demand for ethical hackers is evolving to meet the challenges of cloud transition.

4. Prepares for a real-time attack

Even when an organization is fortified with security measures, cyberattacks are inevitable. Eventually an attacker strikes the IT systems or applications by exploiting the smallest vulnerability present in the infrastructure. Cyberattacks are evolving, and being prepared to handle them is the only solution when an incident happens. Having ethical hackers find vulnerabilities beforehand is one of the best ways to prepare against a potential attack.

5. Uses real hacking tools to carry out the attack

The organization's staff may be curious about security processes, but not every employee will be aware of real hacking tools. To ensure better protection at the user end, staff members should be trained by ethical hackers in the tools and methods used to identify threats. An ethical hacker knows how to use real hacking tools and advanced methodologies that protect the organization from potential attacks.

6. Reduces loss in the case of an incident

An ethical hacker can identify vulnerabilities faster and suggest mitigation to prevent any ongoing attack. Mitigating an attack reduces the further loss of data, finance, and reputation of the organization.

Organizations can easily find black hat hackers; what an efficient ethical hacker adds is a code of ethics. Organizations are now pragmatic about hiring certified ethical hackers as a security measure.


Tuesday, 5 May 2020

Does hands-on learning make you a better Ethical Hacker?


Lab-based training is practically oriented: it trains you directly to perform specific tasks. Traditional classroom training, on the other hand, focuses primarily on theory and neglects practical implementation, which is why we often find a large gap between students' grades on paper and their actual performance. The main advantage of hands-on learning, especially for an ethical hacker, is that it allows individuals to move from the "why" to the "how." At the same time, engaging physically with different concepts allows students to gain hands-on skills.

Here’s why an ethical hacker needs hands-on learning:

Ethical hacking is a white hat activity where an information security expert attempts to penetrate the network to protect the infrastructure. This is why an ethical hacker performs the test within the scope defined, only after attaining permission from the organization. The goal of an ethical hacker is to identify vulnerabilities and attempt to exploit them to determine the extent of the compromise.

A training program prepares an individual with the technical skills required to perform the job, and hands-on learning is crucial to ensure realistic exposure to a sensitive hacking environment. The first thing to remember is that ethical hacking is a practical process, and thus the training should be lab-oriented, ensuring that the skills required in the real world are attained.

Practical techniques used by ethical hackers

Ethical hackers use hacking skills and methodologies often used by malicious actors. In brief, here are a few significant hacking techniques used:

◉ Scanning ports to find vulnerabilities. Ethical hackers use various port scanning tools to scan an organization’s network. They identify open ports to study the vulnerabilities associated with each port.

◉ Using tools to sniff and perform network traffic analysis.

◉ Analyzing the process of patch installation to ensure that the system is not affected by the new vulnerabilities.

◉ Evading intrusion detection systems, firewalls, intrusion prevention systems, and honeypots.

◉ Applying social engineering techniques to get information about an organization’s computing environment.

To be ‘job-ready’, one should have hands-on training on various hacking methodologies. This, coupled with both theoretical and practical approaches to learning, ensures that you have the necessary skills to enter the industry. A lab-intrinsic ethical hacking program ensures that you get the right skills. This is crucial to secure the cyberinfrastructure of an organization.

CEH – A constructive hands-on training program in Ethical Hacking

EC-Council’s Certified Ethical Hacker (CEH) is a theoretical and hands-on certification program. It starts with the basics, fields of penetration testing, software installation, and more. The course trains you on everything from analyzing to exploiting the defined scope of IT architecture.

The practical approach of CEH –

◉ CEH is the world’s most comprehensive ethical hacking program with 20 of the most current security domains.

◉ 40% of the program is dedicated to hands-on learning.

◉ In 20 vast modules, the program covers 340 attack technologies that are commonly used by hackers.

◉ The program trains you in the five phases of ethical hacking: reconnaissance, scanning and enumeration, gaining access, maintaining access, and covering tracks. All of these phases are practiced in the lab too.

◉ It has 140 labs that mimic real-time scenarios.

◉ There are around 2200 hacking tools to allow you to understand and react according to the attacker’s mindset.

◉ EC-Council also provides the iLabs range, which focuses on the most common tools and techniques used by cybercriminals: SQL injection, cryptography, network scanners, IDS and IPS, and many more.

◉ The labs simulate real-life scenarios using different tools. This includes Kali Linux, dedicated to information security professionals.

CEH is one of the most recognized ethical hacking certifications in the industry. A follow-up to the CEH is another significant ethical hacking certification, the CEH (Practical), which is a 100% hands-on examination.

Key features of CEH Practical

◉ The world’s first ethical hacking industry readiness assessment available live, online, proctored, and verified.

◉ It tests the limits of students while unearthing vulnerabilities.

◉ SMEs from across the world came together to create the CEH Practical exam.

◉ The exam includes 20 real-life scenarios designed to validate the essential skills of being an ethical hacker.

◉ It is not a simulated exam. It asks to prove the application of knowledge acquired to meet real-life instances.


Sunday, 3 May 2020

All you need to know about Pentesting in the AWS Cloud


Quite recently, we have seen many AWS (Amazon Web Services) breaches that exposed misconfigurations, such as publicly readable S3 buckets and compromised AWS environments. To understand the strategies behind specific attacks on the AWS Cloud, one must have specific knowledge and a strategic approach. In this article, we explain the dire need for AWS pentesting among organizations seeking to improve their security and reduce the probability of breaches.

What is AWS pentesting?

When we talk about AWS pentesting, we must consider the rules AWS sets for testing in its environment. AWS penetration testing focuses on the customer's side of the shared responsibility model: access management and user permissions, identity configuration, user-owned assets, and the integration of the AWS API into the customer's own environment. Testing S3 bucket configuration and permission flaws, attempting to cover tracks by tampering with CloudTrail logs, targeting and compromising AWS IAM keys, and so on all exercise the customer-controlled components; AWS's underlying infrastructure is not the target.

Why is AWS  penetration testing important?

Many organizations have openly adopted AWS services, but not everyone understands the technical flexibility AWS provides. This often results in misconfigured user permissions and identity management.

The following scenarios explain the significance of penetration testing in AWS environments to ensure security –

◉ Reported failures across AWS security checks include overly permissive security groups and excessive permissions.

◉ A false understanding of the ‘shared responsibility model.’ Organizations underestimate their risk exposure.

◉ Weak or missing multi-factor authentication, whether in implementation, operation, or requirements. It is important to consider the effectiveness of social engineering attacks and attacks on personally identifiable information.

◉ Maintaining compliance obligations that affect networks and data centers. HIPAA, PCI DSS, FedRAMP, etc. are a few of the regulatory regimes organizations must follow, and several of them call for penetration testing as the way to find and close security gaps.

◉ Identifying and remediating unpatched and previously unknown weaknesses, which supports a good security posture in the cloud.

Under the shared responsibility model, AWS secures the underlying infrastructure while the customer remains responsible for its applications, guest operating systems, network configuration, and instances, which is precisely what needs penetration testing. AWS has a published penetration testing policy that permits customers to test their own resources on a list of supported services without prior approval, while prohibiting activities such as denial-of-service testing. Organizations should partner with testers who are familiar with that policy and agree rules of engagement that define what success looks like.

How do AWS Methodologies differ from Traditional Pentesting?

There is a difference between pentesting traditional security infrastructure and the AWS Cloud. The main difference is system ownership: Amazon owns the core infrastructure of AWS, so the physical hosts, hypervisors, and AWS-managed services are out of scope and the methodology differs from traditional penetration testing. For the same reason, suspected abuse of AWS resources is handled through the AWS security team's own incident response procedures.

5 Vulnerabilities to Test for in AWS

Even though there are numerous vulnerabilities specific to AWS, a few are particularly common. Here are the top five to test for in an AWS landscape:

1. Testing S3 bucket configuration and permission flaws

2. Bypassing web application firewall (WAF) and CloudFront misconfigurations

3. Covering tracks by tampering with or disabling CloudTrail logging

4. Targeting and compromising AWS IAM keys

5. Abusing Lambda functions as backdoors and pivoting into private networks (VPCs)
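Items 1 and 4 above, and the "excessive permissions" failure noted earlier, come down to reading policy documents. The following Python is an added example (not code from the article or from AWS) that flags two patterns a tester looks for first: an S3 bucket policy that grants access to a wildcard principal with no Condition, and an IAM policy statement that allows every action on every resource. It works on policy JSON so it runs offline; in a real assessment the documents would come from the AWS API (for example boto3's s3.get_bucket_policy and iam.get_policy_version). The sample policies, bucket name, VPC endpoint ID and account ID are constructed placeholders.

```python
"""Added example: static checks for public S3 bucket policies and over-broad IAM
policies. Not code from the article or from AWS. Operates on policy JSON so it
runs offline; sample policies and identifiers below are constructed placeholders."""
import json

S3_WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:*")


def _as_list(value):
    """Policy grammar allows a string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def statement_is_public(stmt: dict) -> bool:
    """Allow + wildcard principal + no Condition means anyone on the internet.
    A Condition (e.g. aws:SourceVpce, aws:SourceIp) may legitimately scope the
    grant, so conditioned statements are left for manual review here."""
    return (stmt.get("Effect") == "Allow"
            and _principal_is_anyone(stmt.get("Principal"))
            and not stmt.get("Condition"))


def statement_is_admin(stmt: dict) -> bool:
    """Allow + Action '*' on Resource '*' is full administrative access."""
    return (stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Action"))
            and "*" in _as_list(stmt.get("Resource")))


def _public_kind(actions) -> str:
    writable = any(a == "*" or a.startswith(S3_WRITE_PREFIXES) for a in actions)
    return "PUBLIC_WRITE" if writable else "PUBLIC_READ"


def analyse_policy(document: str) -> list:
    """Return (Sid, finding, actions) tuples for risky statements.
    Caveat: NotPrincipal/NotAction forms are not modelled and need manual review."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(document).get("Statement"))):
        sid = stmt.get("Sid", f"statement{i}")
        actions = sorted(_as_list(stmt.get("Action")))
        if statement_is_public(stmt):
            findings.append((sid, _public_kind(actions), actions))
        if statement_is_admin(stmt):
            findings.append((sid, "ADMIN", actions))
    return findings


# Constructed sample policies (placeholder bucket name, endpoint ID and account ID).
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

OVERBROAD_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadOwnBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

SCOPED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Sid": "AppRoleOnly", "Effect": "Allow",
                  "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
                  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
})

if __name__ == "__main__":
    for name, doc in [("public bucket", PUBLIC_BUCKET_POLICY),
                      ("overbroad IAM", OVERBROAD_IAM_POLICY),
                      ("scoped bucket", SCOPED_BUCKET_POLICY)]:
        print(name, analyse_policy(doc))
```

Two design choices are worth noting. A wildcard principal with a Condition is not reported, because aws:SourceVpce or aws:SourceIp conditions are a legitimate way to expose a bucket only inside a VPC; a tester still reads those by hand. And the bucket policy is only one of several layers (ACLs, S3 Block Public Access settings and the account-level equivalent all apply), so a clean result here does not by itself prove the bucket is private.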

Before hiring penetration testers, make sure their understanding of your business deliverables is clear. Also confirm that their approach to risk correlates directly to your business, and that your organization will act on the findings.