r-sec

Understanding and Implementing Cloud Security Practices

In an era where digital technology and innovation seem ubiquitous, cloud services have gained considerable traction with enterprises across various sectors of the economy. These services provide applications, storage, and managed servers, substantially reducing the burden on corporate entities to manage their infrastructure.

In view of the widespread adoption of cloud services, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly released a series of bulletins outlining best practices for securing cloud environments.

Cloud Security Guidelines

The five CISA and NSA documents focus on several key areas:

1. Identity and access management solutions
2. Key management solutions
3. Encrypting data in the cloud
4. Managing cloud storage
5. Mitigating risks from managed service providers

The recommendations span from guidance on configuring Multi-Factor Authentication (MFA), encrypting data at rest, and backing up and recovering plans, to securing corporate accounts used by Managed Service Providers (MSPs). These bulletins offer insights that can benefit both cybersecurity professionals and IT executives.

Assessing the Threat Landscape

Cloud services have increasingly become targets for threat actors due to the valuable data these platforms store. Furthermore, they serve as potential gateways to internal networks, thus making them critical targets. A report by Microsoft in 2021 highlighted a surge in attacks from a Russian threat consortium, Nobelium, seeking to exploit these vulnerabilities.

In response to these emerging threats, CISA released a tool named the ‘Untitled Goose Tool,’ which enhances cybersecurity defenses by extracting telemetry data from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.

In Conclusion

As cyber threats evolve and become more sophisticated, organizations must strive to stay ahead through the constant implementation and review of cloud security practices. Taking advantage of best-practice recommendations from agencies like CISA and NSA can play a critical role in navigating this challenging cybersecurity landscape.

Related links:

https://www.bleepingcomputer.com/news/security/cisa-nsa-share-best-practices-for-securing-cloud-services/
https://media.defense.gov/2024/Mar/07/2003407866/-1/-1/0/CSI-CloudTop10-Identity-Access-Management.PDF
https://media.defense.gov/2024/Mar/07/2003407858/-1/-1/0/CSI-CloudTop10-Key-Management.PDF
https://media.defense.gov/2024/Mar/07/2003407861/-1/-1/0/CSI-CloudTop10-Network-Segmentation.PDF
https://media.defense.gov/2024/Mar/07/2003407862/-1/-1/0/CSI-CloudTop10-Secure-Data.PDF
https://media.defense.gov/2024/Mar/07/2003407859/-1/-1/0/CSI-CloudTop10-Managed-Service-Providers.PDF

Introduction

There’s a common belief, held by many Apple users, that their devices are immune to malware and attacks. However, a recent study conducted by Mobile Device Management firm, Jamf, warns this may not be the case. The report indicates that there’s a sense of complacency among macOS users when it comes to cyber hygiene, which is concerning given the intricate attack methods used by hackers today.

The study, popularly known as the “Security 360” report, is a reflection of the last quarter of 2023. It has gathered data from 15 million desktops, tablets, and smartphones across 90 countries.

According to Jamf’s findings, Mac Trojans – types of malware targeting Apple users – are on the rise, making up approximately 17% of all malware products aimed at the platform. At present, Jamf is tracking an alarming 300 malware families under macOS, with a total of 21 new ones discovered in 2023. However, it’s worth noting that these figures are still considerably lower than the number of malicious software aimed at Windows and Android users.

Interestingly, one key issue that the report highlights is the lackluster update policy followed by many organizations. About 39% of the surveyed organizations were found to be running devices with known security flaws. It was also revealed that about 40% of mobile users have devices with similar security vulnerabilities.

Another alarming issue is the growing success rate of phishing attacks, especially on iPhone and similar Apple devices. In fact, according to the report, such attacks have a 50% higher success rate on these devices when compared to their macOS counterparts.

The Threat of Third-Party App Stores

There’s an apparent danger lurking around Sideloading or third-party app stores, which are now becoming accessible on iPhones. Although the intent behind using these alternative app stores might seem harmless at face value, they are oftentimes filled with misleading apps that coax users into downloading suspicious applications.

Interestingly, the report also highlighted the fact that about 57% of the users are under the impression that macOS is immune to malware or refuse to believe otherwise. Clearly, these misconceptions and a misguided sense of security put users at a higher risk of cyber threats.

Conclusion

While the figures raised by this report might seem alarming, Jamf suggests that many of these problems can be resolved by practicing basic secure behaviors. Regular updates, strong passwords, and activating 2-Factor Authentication are some of the simple yet effective steps that can significantly enhance the security of a device. It’s also crucial that end-users are adequately educated about the vulnerability of their devices to fend off potential cyber attacks effectively.

Introduction

Today’s increasingly complex and diverse network landscape demands advanced tools to prevent, detect, and respond to cybersecurity threats. One such arsenal in warranting advanced cyber defense is the Security Information and Event Management (SIEM) software. These tools play an integral role in any cybersecurity protocol, making them invaluable assets in maintaining a healthy network environment.

Understanding SIEM and Its Value

Security Information and Event Management (SIEM) software works by collecting log and event data to predict, detect, and prevent cyber threats. These platforms function by parsing event logs and monitoring security events, a task initially not glamorous, but indispensable in an era shaped by automation and Artificial Intelligence (AI).

The true value of SIEM lies in the correlation of system events, categorizing them for priority and analysis and presenting critical events for immediate visibility and response. Mature SIEM systems improve this visibility significantly by escalating automatic alerts to response teams or executing automatic actions in response to alarm triggers.

How SIEM Works

Contemporary computing systems, including network devices, applications, operating systems, and cloud services, maintain event logs that offer information on security monitoring and applications performance. The event logs and related system data would need to be exported into a SIEM platform, an activity the SIEM agents handle. These agents operate on various systems and enable data export into the SIEM system.

The choice of a SIEM system depends on aspects like network topography, bandwidth capabilities, and the types of systems from which you need logs. Irrespective of the chosen SIEM system, it is crucial to ensure the whole infrastructure is configured for SIEM, including both on-premises and cloud components.

SIEM and AI-Enhancement

AI is increasingly playing an integral role in SIEM systems. It helps analyze vast volumes of data, delivering only useful information to the security operations center. SIEM platforms leverage correlation engines, AI, and machine learning to identify threat patterns and differentiate their offerings from competitors.

AI-enhanced SIEM systems leverage vast cloud data feeds from various vendors and sources, using this accumulated knowledge to build deep contextual insights into event data. All without manual intervention. Having this context is essential for triaging events, identifying attack chains, and formulating incident response plans. However, it’s important to remember that the feasibility of AI utilization may be determined by whether your network is cloud-based or on-premise.

Choosing a SIEM for Your Business

The process of identifying an ideal SIEM for your business can often include considerations such as the ability to support business-critical systems, enhancing threat detection, and integrating seamlessly with other security platforms. Other important factors to consider include the SIEM’s ability to comply with regulatory requirements, role-based access for security, alert configuration capabilities, and their practical options for log ingestion.

Ultimately, the final choice depends on several factors including cost, resource requirements, and business-specific needs.

Conclusion

Implementing a robust Security Information and Event Management (SIEM) system in your enterprise can help fortify your cybersecurity protocols. It’s a comprehensive solution that consolidates event data from multiple sources, correlates events, identifies anomalies and violations, and sends alerts. By understanding the functionality and key considerations when choosing a SIEM system, businesses can better equip themselves with more advanced defenses against evolving cybersecurity threats.

Related Links:

https://www.csoonline.com/article/524286/what-is-siem-security-information-and-event-management-explained.html

An In-Depth Look at the NSA’s Zero-Trust Guidance to Guard Against Network Adversities

In a bid to bolster network security and hinder adversaries’ lateral movement, the National Security Agency (NSA) is recommending organizations to adopt the zero-trust framework principles. At its core, the zero-trust security architecture puts stringent controls on accessing network resources — whether they’re within or beyond the physical boundary. This results not only in limiting the breach impact but also in keeping the network protected.

The Zero-Trust Framework

Unlike the traditional IT security model, where everyone and everything within the network perimeter is trusted, the zero-trust architecture operates on the premise that a threat may already be lurking inside. Hence, it denies unrestricted access to the network, keeping potential risks at bay.

A key aspect of enhancing the zero-trust maturity involves addressing several elements, known as pillars, which threat actors could potentially exploit. One such pillar is the network and environment component, encompassing all hardware, software assets, non-person entities, and inter-communication protocols. The NSA released its detailed zero-trust guidance catered towards this pillar.

Seven Pillars of the Zero-Trust Architecture

At the heart of zero-trust lies in-depth network security, delivered through methods like data flow mapping, macro and micro segmentation, and software-defined networking. For each pillar, organizations must attain a specific level of maturity, in line with the principles of zero-trust, to further their security measures.

Data flow mapping involves identifying the location and process used for data storage. Macro and micro segmentation help limit lateral movement on the network by creating dedicated network areas for respective user departments and breaking down network management into smaller components.

Micro Segmentation in the Zero-Trust Framework

The zero-trust framework uses micro segmentation to further reduce the attack surface and limit the potential breach impact. It involves isolating users, applications, or workflows into individual network segments with strict access policies to limit lateral data flows.

Acquiring more granular control over micro segmentation is feasible through software-defined networking (SDN) components, enabling customizable security monitoring and alerting. SDN enhances network visibility and allows the enforcement of policies across all network segments from a centralized control center.

Building A Zero-Trust Environment

Designing and building a zero-trust environment may seem like a significant undertaking, requiring systematic progression through multiple maturity stages. However, if executed properly, the end result is a robust enterprise architecture capable of identifying, resisting, and responding to threats attempting to exploit network weaknesses.

The NSA’s first guide for the zero-trust framework was introduced in February 2021, followed by another guidance provided in April 2023, dedicated to fostering the maturity of the user component within the zero-trust framework.

Conclusion

As enterprises hasten to secure their networks in an increasingly hostile digital landscape, the zero-trust framework offers an appealing strategy. By trusting nothing and validating everything, organizations can significantly reduce, if not eradicate, the risk presented by latent threats. The NSA’s comprehensive zero-trust guidelines provide a roadmap for companies looking to bolster their network security and protect their assets.

Related links:

https://www.bleepingcomputer.com/news/security/nsa-shares-zero-trust-guidance-to-limit-adversaries-on-the-network/
https://media.defense.gov/2024/Mar/05/2003405462/-1/-1/0/CSI-ZERO-TRUST-NETWORK-ENVIRONMENT-PILLAR.PDF

Introduction

When it comes to cybersecurity, compliance may not be the most eye-catching topic, yet it is undoubtedly significant. In the current digital age, security teams play a vital role in Governance, Risk, and Compliance (GRC) concerns thereby warranting their due recognition in any security organization’s objectives and priorities.

Notably, various compliance standards and frameworks have recently adopted requirements that echo security best practices rather than mere checkboxes, making the case for PCI DSS 4.0, the newest credit card standard, all the stronger. Let’s delve deeper into its facets and what security professionals can glean from the changes.

The Noteworthiness of PCI DSS 4.0

The Payment Card Industry Security Standards Council (PCISSC), comprising main credit card industry players like Visa, Mastercard, American Express, Discover, JCB International, and UnionPay, are responsible for setting up and administering the credit card standard. As per this norm, every entity accepting credit card payments needs to ensure the security of card users’ data. Hence, any business dealing in credit card payments must adhere to the PCI DSS 4.0 standard that was rolled out in March 2022, with a two-year transition period. From March 31, 2024, onwards, PCI DSS 4.0 will be the sole active version of the standard.

Security Aspects of the PCI DSS 4.0 Standard

Let’s focus on some of the most prominent changes in v4.0, particularly concerning us as security professionals:

Avoidance of Malicious Scripts

With an increasing number of attacks and fraud occurrences involving malicious third-party scripts, PCI DSS updated their standard to include specific requirements for managing payment page scripts and deploying mechanisms to detect skimming. Thus, businesses need to ensure no malicious scripts exist on their payment pages and regularly monitor these scripts for any suspicious activity as needed.

Installation and Maintenance of Network Security Controls

The upgraded PCI DSS standard emphasizes the need for implementing and maintaining network security controls. It indicates that, in today’s complex network realm, securing your business entails devising a solution for network security concerns in hybrid and multi-cloud settings, preferably through a distributed cloud strategy.

Development and Maintenance of Secure Systems and Software

Requirement 6 of the updated standard hints towards the need for appropriate API security and the significance of a secure software development lifecycle (SSDLC). It further implies that businesses need to remain alert to system changes and ensure that these changes adhere to proper change control procedures. By securing APIs, businesses are ensuring a key aspect of modern business operations remains safeguarded.

Logging, Visibility, and Monitoring

Company logs need to be accessible across all environments, as detailed in Requirement 10 of the update. Every business must confirm that they have appropriate logging and monitoring capabilities across their hybrid and multicloud environments and use this visibility to monitor these areas for security, fraud, abuse, and compliance issues effectively.

Conclusion

The PCI DSS 4.0 update may focus on payment card security, but its importance extends far beyond that scope. It provides much needed, updated guidance to security teams amidst an evolving threat landscape and the increasing prevalence of hybrid and multicloud environments. By absorbing its learnings and implementing its recommendations, security professionals can significantly bolster their businesses’ safety measures.

Related Links:

https://www.darkreading.com/cybersecurity-operations/pci-dss-4-0-is-good-security-guidance-for-everyone

Defending Against BlackCat: An Inside Look at a Ransomware Attack

In the continually evolving world of cybersecurity, one of the most significant threats that organizations face is ransomware. Ransomware attacks are continually evolving, giving rise to more complex and devastating forms of cybercrime. Cybercriminals focus on various targets, including data breaches, fraud, identity theft, and vulnerabilities, making it crucial for companies to understand the hallmarks of these attacks to formulate their defense strategies.

The spotlight of this article is on a BlackCat ransomware attack, as reported from the perspective of incident response experts at Sygnia. The company was approached by a victim, a company experiencing suspect activity on its network, leading to a ransomware attack diagnosis. Given the imminent danger, Sygnia recommended the victim to disconnect immediately from the internet to mitigate further damage.

The attacker then was identified as BlackCat. This case represented a supply chain attack where the victim’s vendor was compromised first. Successful penetration into the victim’s network led the attackers to consolidate their position, making the battleground noisy.

The Anatomy of the BlackCat Ransomware Attack

The progress of the BlackCat attack was meticulously tracked by Syngia experts. Initial attempts to access the victim’s network were made using the compromised vendor. The attackers tried Remote Desktop Protocol (RDP) and Server Message Block (SMB) logon to the victim’s servers. After a few successful logons, brute force authentication attacks were attempted.

Once the attacker successfully connected over RDP to a server on the victim’s network, it started using it as a ‘pivot server’ for reconnaissance and lateral movement. This action set off alerts regarding anomalous activities in the victim’s security controls, but they were initially dismissed due to the common issue of alert fatigue and possible false positives.

By now, the attackers had managed to access and exfiltrate some data, but had not begun the encryption process thanks to the swift decision to disconnect from the internet. Despite the halted encryption process, the attackers attempted to extort the victim over the stolen data for the next three weeks.

Lessons Learnt: Early Response and Decisive Actions

There are numerous lessons to learn from this incident. One of the most critical takeaways is the importance of early and expert incident response. It is also crucial to consider how the attacker may react to various defensive actions, without revealing the defensive activities to the attacker. In this case, the victim’s senior management was courageous enough to disconnect the internet, a severe action that helped limit the damage.

In conclusion, dealing with cyber threats like ransomware requires swift action, expert knowledge, and the courage to take drastic measures. It is this combination that can limit the attacker’s actions and save the day, even if the attack has reached an advanced stage. Drastic action might not prevent all forms of data theft, but it does help limit the extent of the damage and increases the company’s chance of survival.

Related links:

https://www.securityweek.com/anatomy-of-a-blackcat-attack-through-the-eyes-of-incident-response/

Introduction

As cyber threats become increasingly complex and dangerous, there is an escalating demand for professionals in the field of cyber security. Organizations are not only tasked with attracting these experts but also retaining them and ensuring diversity within their ranks.

Finding The Right Talent

The crucial challenge lies in finding the right talent for the job. According to the latest state of cyber security report by ISACA, an astounding 71 percent of organizations have unfilled cyber security positions. The vacancies are especially widespread in non-entry level positions. Hence, there is a pressing need to not only secure professionals who can fill these roles but also ensure they have the appropriate qualifications and experience.

Curating Recruitment Strategies

In response to this predicament, organizations should prioritize internships, apprenticeships, and mentoring programs. It is also beneficial to encourage individuals to earn entry-level certifications, which can help new recruits demonstrate their expertise and experience.

Moreover, traditional recruitment strategies need to be adapted to foster more diversity within the cybersecurity industry. By casting a wider net, organizations can inject fresh perspectives and ideas, bringing in individuals from varied backgrounds and experiences.

Emphasizing Competence over Headcount

While expanding the talent pool is crucial, it is paramount that organizations place a strong emphasis on attracting and retaining individuals proficient in cybersecurity. Implementing rigorous screening processes and emphasizing soft skills alongside technical skills can significantly enhance the overall quality of the workforce.


Related links:

https://www.cshub.com/security-strategy/articles/building-a-robust-cyber-security-workforce?utm_medium=RSS

Importance of CEO and CISO Collaboration in Cybersecurity

It’s a common adage that a chain is only as strong as its weakest link. When it comes to protecting a company’s critical digital assets, this is especially true. The beefiest firewalls and advanced intrusion detection systems may fail if the company’s top leaders don’t understand their importance. Specifically, CEOs must collaborate with their Chief Information Security Officers (CISOs) in ensuring a robust cybersecurity strategy.

CEOs today increasingly understand the necessity for a strong cybersecurity infrastructure. Amid the constant rise in cyber threats, a capable security leader is indispensable not only to protect a company’s invaluable data but to secure its reputation as well. However, a recent report by PwC indicated that only 30% of CISOs felt they received adequate support from their CEOs.

CEO and CISO Relationship: Bridging the Gap

Securing organizations against digital malefactors has been complicated by two factors: budget limitations and a continual shortage of cybersecurity talent. Recent legal consequences for companies like SolarWinds and Uber have put CISOs in a precarious situation. The potential for facing criminal charges and regulatory repercussions has greatly increased—as underscored by the prediction by Gartner that nearly half the world’s cybersecurity leaders will change jobs by 2025 due to work-related stress.

It is in the best interest of every organization


Related links:

https://www.darkreading.com/cybersecurity-operations/what-cybersecurity-chiefs-need-from-their-ceos