THE IT SECURITY PROFESSIONAL | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Artificial Intelligence (AI) in IT security is shaping up to be transformative. It lets the IT Security Pro focus on the essential parts of the business, including educating end users. While AI adds another source of intelligence to the field, the biggest fear is that it will replace IT Security Professionals and the industry. That is not the case; instead, there will be synergy between the human in the loop and the machine when responding to potential threats to the corporate network.

AI vs. Machine Learning
AI is the broader term: it implies adaptive learning, and the system's actions can change based on the inputs it is given. Machine Learning (ML) is a subset of AI in which a model is trained on examples and then scores new inputs against the patterns it learned, which is what makes it suitable for automated processes that act as soon as an input matches the learned criteria. Understanding this distinction allows the IT Security Pro to pick the right technology for the situation at hand. Fast, criteria-driven action is familiar from most IDS and IPS products: given a specific set of inputs they act quickly to prevent further harm to the network, whether by disconnecting servers, blocking certain IP packets from traversing the network, or blocking traffic addressed to a specific target IP address. A broader AI approach takes more time to determine whether behavior is malicious and may weigh additional inputs before acting, trading speed for fewer false positives.

Data Overload
As an IT Security Pro, your day is filled with reviewing logs and data collected from sources all over your network. Whether it is firewall logs or captured IP packets, there is a large amount of data to process. This is one reason that security applications which correlate these records are among the most critical components of a well-established IT Security Program. IT Security Pros need to sift through tens of thousands of entries to find the few that are meaningful, and even with correlation tooling the IT Security Pro can be overwhelmed by the volume of information presented.
This is where AI and ML come into their own. These technologies can sort this data, present the IT Security Pro with actionable information, and suggest a course of action based on all of the inputs that have been gathered.

Work with AI in IT Security
With the ever more complex state of IT security, it is crucial that we use every tool available in the fight against potential threats to our networks. This means leveraging the strengths of AI and ML to keep up with the changing attack vectors of the adversaries we defend against. There is an ever-growing number of threats the IT Security Pro must protect against, and having backup or additional support to help determine a course of action is valuable, especially when we must do more with less. Some of these areas may include any of the following:
Automated Processes for AI & ML
Beyond the areas above, these technologies can also streamline or automate repetitive processes that would otherwise require the IT Security Pro's attention. These automated processes can be built into an application or delivered as part of a solution:
Summary
While AI and ML are advancing in capability, it is essential to remember that these two supporting technologies help ease the load on overworked and understaffed IT security teams. Having an electronic eye on the many operations that go on across a network day in and day out allows staff to address the issues that deserve attention rather than the static and background noise. Technology should help the IT Security Pro better secure the networks we are responsible for, not take jobs away from human beings.
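The rule-versus-learning distinction drawn above is easiest to see side by side. The following is an added example, not code from the original article: an IPS-style fixed rule (block any source with too many denied connections) next to a detector that learns a baseline from a quiet day and flags hosts whose behavior departs from it. The log format, hosts, and thresholds are assumptions constructed for the illustration, not any vendor's format.

```python
"""Added example: an IPS-style fixed rule beside a learned-baseline detector,
both run over constructed firewall log lines. The log format, hosts and
thresholds are assumptions for this illustration, not any vendor's format."""
import re
import statistics
from collections import defaultdict

# Assumed log format: "<timestamp> <firewall> action=ALLOW|DENY src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(lines):
    """Turn matching log lines into dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def rule_based_block(events, max_denies=20):
    """IPS-style rule: block any source with at least max_denies DENY entries.
    Fast and predictable, but blind to anything the rule author did not anticipate."""
    denies = defaultdict(int)
    for ev in events:
        if ev["action"] == "DENY":
            denies[ev["src"]] += 1
    return {src for src, n in denies.items() if n >= max_denies}


def distinct_ports_per_src(events):
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src"]].add(ev["dport"])
    return {src: len(p) for src, p in ports.items()}


def learn_baseline(history_events):
    """'Train' on a quiet period: mean and standard deviation of distinct
    destination ports per source host."""
    counts = list(distinct_ports_per_src(history_events).values())
    return statistics.mean(counts), statistics.stdev(counts)


def baseline_flag(events, baseline, k=3.0):
    """Flag sources whose distinct-port count exceeds mean + k * stdev of the
    learned baseline, regardless of whether the firewall allowed the traffic."""
    mean, sd = baseline
    threshold = mean + k * sd
    return {src: n for src, n in distinct_ports_per_src(events).items() if n > threshold}


def fw_line(ts, action, src, dport):
    return f"{ts} fw1 action={action} src={src} dst=10.0.1.5 dport={dport}"


def run_demo():
    """Constructed data: a quiet day to learn from, then a day with three anomalies."""
    history = []
    for i, nports in enumerate([2, 3, 2, 4, 3, 2, 3, 3], start=1):
        for p in range(nports):
            for n in range(10):
                history.append(fw_line(f"2021-05-09T08:{p:02d}:{n:02d}", "ALLOW", f"10.0.0.{i}", 80 + p))

    today = []
    # Port sweep: 40 distinct ports, every attempt denied -> both detectors fire.
    today += [fw_line(f"2021-05-10T09:00:{p % 60:02d}", "DENY", "10.0.0.9", p) for p in range(1, 41)]
    # Host quietly talking to 15 new ports, all allowed -> only the baseline notices.
    today += [fw_line("2021-05-10T09:05:00", "ALLOW", "10.0.0.12", 8000 + p) for p in range(15)]
    # Misconfigured job retrying one blocked port 25 times -> rule blocks it, baseline stays quiet.
    today += [fw_line("2021-05-10T09:10:00", "DENY", "10.0.0.20", 445) for _ in range(25)]
    # Normal host doing its usual three ports -> nobody fires.
    today += [fw_line("2021-05-10T09:15:00", "ALLOW", "10.0.0.3", 80 + p) for p in range(3)]

    baseline = learn_baseline(parse_log(history))
    current = parse_log(today)
    return rule_based_block(current), baseline_flag(current, baseline)


if __name__ == "__main__":
    rule_hits, baseline_hits = run_demo()
    print("rule blocks:", sorted(rule_hits))
    print("baseline flags:", baseline_hits)
```

The point of the constructed day is the two disagreements: the rule blocks the noisy but harmless retry job and misses the host that was allowed to reach fifteen new ports, while the learned baseline does the reverse. In practice the two are run together, with the rule giving the fast block and the baseline deviation feeding an analyst queue.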
Phishing attacks are among the most common and dangerous cyber threats, as they can result in data breaches, financial losses, and reputational damage. Organizations therefore need to understand how to protect their networks from phishing attacks and the compromises that follow them. This article discusses the best practices organizations can use to do so: employee training on cyber security awareness, anti-phishing tools and technologies, email authentication protocols, URL scanning tools, and more. By following these best practices, organizations can better protect their networks against phishing attacks and compromise.

Motivation of Attack
Attackers are looking for ways to compromise your network to get at your data. A second motivation is that the target may have access to systems or networks the attacker needs in order to further the attack. The initial stage of an attack is observation: looking for weaknesses in the protections that may be in place. This may take minutes or several days, depending on the strength of your security measures. Once the reason for the attack has been determined and the initial surveillance of the target network or system is complete, the plan of attack can be developed. An attacker must work through this critical stage: how will they compromise the network to reach the information or data they are after? It also costs them time and resources to get a "foot in the door," so to speak.

Planning the Attack
Phishing is a popular way for cybercriminals to get at sensitive information. Planning a successful phishing attack requires looking for weaknesses in network security, understanding the target's behavior, and determining the best approach to exploit those weaknesses.
To plan an effective phishing attack, the attacker needs to understand the target's vulnerabilities and how they can be exploited. This involves analyzing the organization's existing security measures, identifying gaps in its defenses, and researching methods for exploiting those gaps. Attackers must also consider how their victims may respond to their attempts and adjust their tactics accordingly. By working through these steps, attackers increase their chances of success while minimizing the risk to themselves. The defenses below address each of these stages.

1. Employee Awareness
Cyber security is an ever-evolving challenge that requires businesses to stay current with the latest threats. Organizations must ensure that their employees know the current risks and how to protect their data and systems. Employee training on cyber security awareness is crucial to building a secure environment, as it helps employees recognize potential threats and respond appropriately. This training can cover identifying phishing emails, password best practices, recognizing malicious websites, and more. By educating employees on these topics, businesses reduce their risk of falling victim to a cyber attack.

2. Tools & Technologies
A key component of dealing with phishing is detecting the threat inside its primary attack vector: email. Executable attachments, whatever the file type, can be identified with various tools and technologies. Some attacks try to hide the payload by obfuscating the executable content, and this remains one of the key vectors attackers use to gain access to your network. Blocking these files is crucial in reducing the attack surface. Technologies that strip executable attachments, or prevent them from running in the first place, stop malicious files from executing at all. With those files unable to provide a backdoor into the network, a primary path used by most phishing campaigns is shut down.

3. Email Authentication
Knowing whom you are really receiving email from is one of the biggest things you, as an administrator, can do to prevent potential threats. Restrictions on the types of files or attachments that can be sent also help avoid potential dangers.
Additional settings within the major email platforms (Outlook/Exchange Online, Gmail/Google Workspace) provide domain and business controls that restrict attachment size and validate the sender of an email using DNS-based and cryptographic controls: SPF, DKIM, and DMARC. Third-party authentication and reputation services can also determine whether the sending domain looks like a compromised environment or a legitimate one.

4. URL Scanning
This is the case where a user has clicked a link and been taken to a potentially harmful website. Numerous applications can isolate these websites, and newly discovered malicious sites are reported in near real time and added to the threat lists. While we hope our end users will do the right thing and not click links in emails, we know that when they do, we need a remediation plan in place. Connecting these reporting feeds to your existing allow and block lists helps restrict which sites users are able to reach and reduces the number of potentially harmful sites accessed from within the business. This is crucial when you are targeted by a phishing campaign, as you will want to prevent end users from reaching a compromised site through a harmful link, and it is especially helpful when you see several emails or other communications arriving from the same address or domain.

Summary
While we cannot do everything that would stop end users from clicking a phishing email, focusing on these best practice areas lets us start to combat the threat phishing poses to our organizations. Whether you run phishing tests or simulated phishing campaigns, end users must understand that they help prevent a compromise of the network by being cautious about whom they respond to and what information they provide.
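Sections 3 and 4 above describe checks that a mail gateway performs on every inbound message. The following is an added example, not code from the original article: it reads the SPF, DKIM, and DMARC verdicts that the receiving mail server wrote into the Authentication-Results header, then inspects each link in the HTML body for blocklisted hosts and for the classic lure where the visible link text is one URL and the real target is another. The two messages, the domains (examplebank.com and the lookalike examp1ebank-secure.com), and the blocklist are all constructed for the example.

```python
"""Added example: a mail-gateway style check that reads the SPF/DKIM/DMARC
verdicts our own MX wrote into Authentication-Results, then inspects every
link in the HTML body for blocklisted hosts and display/target mismatches.
Messages, domains and the blocklist are constructed for the example."""
import re
from email import message_from_bytes
from email.policy import default
from urllib.parse import urlsplit

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def auth_results(msg):
    """Collect {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'} from the
    Authentication-Results header(s) stamped by the receiving MX."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(value):
            results[mech.lower()] = verdict.lower()
    return results


def extract_links(html):
    """Return (href, visible text) pairs for every anchor in the body."""
    return [(href, TAG_RE.sub("", inner).strip()) for href, inner in ANCHOR_RE.findall(html)]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def blocked(host, blocklist):
    """Match the host itself or any subdomain of a blocklisted domain."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def link_findings(links, blocklist):
    findings = []
    for href, text in links:
        target = host_of(href)
        if blocked(target, blocklist):
            findings.append(f"blocklisted host {target}")
        # Classic lure: the visible text is one URL, the real target another.
        if text.lower().startswith(("http://", "https://")) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but goes to {target}")
    return findings


def assess(raw_message, blocklist):
    """Return ('deliver' | 'quarantine', [reasons])."""
    msg = message_from_bytes(raw_message, policy=default)
    auth = auth_results(msg)
    reasons = []
    if auth.get("dmarc") != "pass":
        reasons.append(f"dmarc={auth.get('dmarc', 'none')}")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed")
    body = msg.get_body(preferencelist=("html", "plain"))
    reasons += link_findings(extract_links(body.get_content() if body else ""), blocklist)
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed messages. examplebank.com is the impersonated brand; the
# lookalike examp1ebank-secure.com is on our (constructed) blocklist.
BLOCKLIST = {"examp1ebank-secure.com"}

LEGIT = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examplebank.com;
 dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: alice@example.com
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at <a href="https://www.examplebank.com/statements">
https://www.examplebank.com/statements</a>.</p></body></html>
"""

PHISH = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1ebank-secure.com;
 dkim=none; dmarc=fail header.from=examplebank.com
From: "Example Bank" <alerts@examplebank.com>
To: alice@example.com
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://login.examp1ebank-secure.com/verify">
https://www.examplebank.com/signin</a> within 24 hours.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(name, assess(raw, BLOCKLIST))
```

Two caveats a practitioner should keep in mind. The Authentication-Results header is only trustworthy when it was written by your own mail server, so a real gateway strips any copy that arrives from outside before evaluating it. And a DMARC failure on a domain that publishes p=none is advisory only; the decision to quarantine is the receiving organization's policy, which is what the assess function encodes.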
Organizations of all sizes are using mobile devices in new and innovative ways. The device may be the "something you have" factor in a Multi-factor Authentication (MFA) process, running an authenticator application that lets end users access business systems, or it may simply let staff respond to the business's needs more effectively. Managing these devices can be difficult because users may want to use their own devices; alternatively, the organization may issue devices, which it can manage more fully without the legal liability questions that come with managing a personal device. This article explores the security controls an organization can put in place to secure these devices. Managing mobile devices within an organization is challenging at the best of times, and it is further complicated by targeted mobile malware, which continues to be an attack vector attackers will take advantage of when they can.

Threats to Mobile Devices
Mobile devices have become an integral part of our lives, and with their increasing use the risk of cyber threats has increased as well. Threats to mobile devices can come from malicious apps, phishing attacks, or other online scams. Users need to be aware of these threats and take steps to protect the business's data and their own privacy. This article discusses the threats to mobile devices, how IT Security Pros can protect the organization, and current best practices that help users stay safe while using their own or the business's mobile devices.

Controls to Implement
Here are the actions you can take today to help secure the mobile devices used by your business:
IT Security Pro Tip:

Summary
Mobile devices can and will continue to be used in the enterprise environment. The IT Security Pro's role is to establish the controls used for the secure management of these devices. Whether you are dealing with a privately owned device or a company-owned one, they should be treated the same with regard to security. Securing these devices against the persistent threats they are exposed to protects the organization's data and the information the devices can reach, and a robust management process makes for a more effective security program within your organization.

The cloud has become ubiquitous in today's IT infrastructure, as most organizations have adopted it as an integral part of their architecture, but it continues to be difficult to implement and set up properly. While there are controls and specific settings that can be applied to your cloud resources, it is important to understand which ones apply and how to apply them. This begins with choosing the right service provider and developing an overall strategy for how the cloud will be implemented within your company.
1. Determining the Right Service Provider
This begins with determining the right service provider. While there are a couple of huge players in this area (no need to drop names here), they are not the only ones; more and more independent or affiliated providers are becoming competitive in the market. When implementing cloud security, it is not just the data center you are evaluating; it is the services the provider offers and the security application resources available with them. Understanding what you will use the cloud infrastructure and resources for is an important part of the evaluation and implementation process, because the controls used to secure the cloud infrastructure differ depending on its role within your infrastructure. A key part of securing the cloud is treating it as part of your network and securing it as you would the systems inside your corporate firewalls.

2. Zero Trust
DON'T TRUST ANYBODY! REALLY, I MEAN IT, DON'T TRUST ANYBODY! This is a fitting mantra these days, as even the slightest kink in the armor of a well-protected network can lead to a compromise. Employing Zero Trust across your cloud infrastructure lets you enforce security controls that require users to prove who they are by multiple methods. Why is this important? Because once an attacker compromises a cloud server, application, or service, it is easy to pivot and try to reach other resources of the same company (yes, even when they are logically separated) or even of a different company. Zero Trust lets you verify and restrict every user, regardless of who they claim to be, which is critical for the services your organization depends on to deliver for its customers and clients.
3. Access Management
Once the service provider has been chosen, determine who will be granted access and how. The major providers all offer identity controls to decide who gets access, and they support multi-factor authentication (MFA), which should be required at least for console logins and privileged actions. Logs and access events are also recorded, which matters if you want to know who is accessing your cloud resources and when.

4. Endpoint Security
Securing your endpoints in the cloud is an area most organizations neglect when setting up and configuring their resources. This is a mistake: these assets should be protected as much as the systems that sit in the office or in employees' homes, with the same security measures in place. Many organizations assume the service provider covers their security controls, but under the shared responsibility model the provider secures the physical hardware and underlying infrastructure while the customer remains responsible for the operating systems, applications, and data it runs on them. Whether that means deploying malware detection software or scanning those assets for vulnerabilities, these systems must be managed in the same manner as those on premises.

5. Network Monitoring
One of the key areas to monitor is the network environment, and this is especially true of the resources and infrastructure you use in the cloud. You are paying for this resource, and it is important that it be used effectively. Traffic, access, and utilization should all be monitored closely by any company.
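The access-management and monitoring points above come down to a question you should be able to answer from the provider's audit log: who accessed what, when, with or without MFA, and from where. The following is an added example, not code from the original article or any provider's tooling: it audits a constructed set of JSON-lines access events for console logins and privileged actions without MFA, use of the account's root principal, and access from outside the office network, and builds the who-did-what timeline. The event field names, the privileged-action list, and the 203.0.113.0/24 office range are assumptions for the example, not any provider's audit-log schema.

```python
"""Added example: auditing constructed cloud access events for the controls
above: MFA on console logins and privileged actions, use of the account's
root/owner principal, and access from outside the networks we expect.
The JSON-lines event shape is an assumption for this example, not any
provider's audit-log schema."""
import ipaddress
import json
from collections import defaultdict

# Assumed: actions that must never run without MFA, whoever runs them.
PRIVILEGED_ACTIONS = {"CreateUser", "AttachAdminPolicy", "DeleteBucket", "ModifyFirewallRule"}
ROOT_PRINCIPALS = {"root"}


def parse_events(lines):
    """Parse JSON lines; malformed lines are skipped but counted so the gap is visible."""
    events, bad = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
            ev["mfa"] = bool(ev.get("mfa", False))
            events.append(ev)
        except (ValueError, AttributeError):
            bad += 1
    return events, bad


def in_allowed_networks(ip, allowed_nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)


def audit(events, allowed_nets):
    """Return a list of (time, principal, reason) findings."""
    findings = []
    for ev in events:
        who, when, action = ev["principal"], ev["time"], ev["action"]
        if who in ROOT_PRINCIPALS:
            findings.append((when, who, "root/owner principal used for day-to-day access"))
        if not ev["mfa"] and (action == "ConsoleLogin" or action in PRIVILEGED_ACTIONS):
            findings.append((when, who, f"{action} without MFA"))
        if not in_allowed_networks(ev["source_ip"], allowed_nets):
            findings.append((when, who, f"{action} from unexpected network {ev['source_ip']}"))
    return findings


def who_did_what(events):
    """The 'who accessed what, and when' view: principal -> [(time, action)]."""
    timeline = defaultdict(list)
    for ev in events:
        timeline[ev["principal"]].append((ev["time"], ev["action"]))
    return {p: sorted(v) for p, v in timeline.items()}


# Constructed sample: the office egress range is 203.0.113.0/24.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SAMPLE_LOG = [
    '{"time": "2023-01-10T08:01:00Z", "principal": "alice", "action": "ConsoleLogin", "mfa": true, "source_ip": "203.0.113.10"}',
    '{"time": "2023-01-10T08:05:00Z", "principal": "bob", "action": "ConsoleLogin", "mfa": false, "source_ip": "203.0.113.11"}',
    '{"time": "2023-01-10T08:07:00Z", "principal": "root", "action": "CreateUser", "mfa": true, "source_ip": "203.0.113.12"}',
    '{"time": "2023-01-10T08:09:00Z", "principal": "carol", "action": "GetObject", "mfa": true, "source_ip": "198.51.100.7"}',
    '{"time": "2023-01-10T08:11:00Z", "principal": "alice", "action": "DeleteBucket", "mfa": true, "source_ip": "203.0.113.10"}',
    "this line is not JSON",
]


def run_audit(lines=SAMPLE_LOG, allowed_nets=ALLOWED_NETS):
    events, bad = parse_events(lines)
    return audit(events, allowed_nets), who_did_what(events), bad


if __name__ == "__main__":
    findings, timeline, bad = run_audit()
    for f in findings:
        print(*f)
    print("skipped malformed lines:", bad)
```

The malformed-line counter is deliberate: an audit that silently drops unparseable records hides exactly the gap an attacker would exploit, so the count of skipped lines is part of the report. The same three checks map directly onto provider features (conditional access or IAM policies that deny without MFA, alerts on root usage, and allowed source ranges), but running them over the exported log is how you verify the policies are actually doing what you think.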
6. Define Cloud Usage Policies/Procedures
No matter why you are using the cloud, it is important to define right away the policies and procedures you will follow. Cloud resources are finite: you may be restricted by capacity, by availability, or by budget, and these restrictions can be detrimental to an organization that is using cloud infrastructure to extend its network environment. Establishing guidelines for usage lays the groundwork for future development and utilization of those resources.

7. Determine Trusted Services
What services are you running in the cloud? Setting up trusted services lets the organization use automated processes to keep those services secure in a timely manner, for example deploying a new certificate from a trusted certificate authority before the previous one expires, which keeps your IT security staff one step ahead of a bad actor. Establishing the trust relationship lets an organization secure its perimeter by trusting that those services meet specific requirements. It is important to determine which factors you want in a trust relationship and how those factors are measured. While most cloud providers can help with this process, IT Security Pros should follow up and do their own evaluation.

8. Manage Data
Understanding your data and how it is transmitted and stored is important, especially when monitoring network traffic. Data accumulates at a rapid pace, and it can be difficult to sift through complex and exhaustive logs and datasets. Developing a process for how this data will be managed and monitored keeps the information manageable. Depending on your industry, there may be specific requirements for how long data must be retained; understand these requirements, as they will affect which standard your organization adopts. With data storage, it all comes down to the capacity to store the data and how it is managed once collected. Addressing this when you set up your cloud environment will save headaches later on.

9. Adopt a Standard
While there is a myriad of standards out there, pick and adopt one that makes sense for your organization, whether because of the type of work your company does or because of industry-specific requirements. Whatever the reason, adopt a standard.
Here are some cloud-related standards to consider:
Having an established baseline to build from helps determine the configurations and settings employed during the development of your cloud infrastructure. Being compliant with a standard is different from being certified against it: most of the standards listed here require a third-party assessment to validate your processes.

Summary
Organizations continue to adopt cloud services to realize the cost savings and flexibility these providers offer. Whatever your reason for adopting cloud infrastructure, remember that there are things you can do to secure the environment. By employing the nine cloud security best practices outlined in this article, your organization will benefit from the enhanced settings and configurations described here.

Companies and organizations continue to grow, and as part of that process they acquire other businesses through mergers or acquisitions. The question always comes: how do you integrate the diverse networks while remaining secure? This is a complicated question to answer because of all the variables and moving pieces involved. Whether you are the VP of IT or the Director of IT Security, there is no single way to tackle it, but there are steps and initial guidance on how it should be approached. While this is not a "one size fits all" recommendation, it covers the basic aspects that you, as the IT Security Pro, will face.

Getting a Handle on Things
Determining how you will integrate your networks, and getting direction from your senior management team, will shape the strategy your organization employs. This is true whether you are the acquiring organization or the one being acquired.
That direction provides a roadmap for how the integration will be accomplished and the goals it is meant to achieve.

Risk Assessment & Evaluation
Since you will be integrating two different networks, it is important to understand the potential risks and how they are evaluated. There can be dramatic differences in how the networks are managed and in the resources allocated to those requirements, and reconciling them determines the course of action for merging the networks. Evaluating network security is an important part of this initial assessment because it produces a gap analysis: what is missing in one network and what is available in the other. Having this detailed allows the IT Security Pro to determine the best course of action and lets senior management make decisions based on what is actually occurring rather than on guesswork by non-technical staff.

Course of Fire
Each organization has a responsibility to inform the other of the actions and processes that were in place prior to the acquisition. This should happen before the deal is finalized, but because of the complexities of such deals it is usually not thought of until after the fact. This is where the IT Security Pro steps in to guide and inform all of the stakeholders involved in the network integration.

Information Integration
This can be a very difficult aspect of the merger to handle and should be carried out with involvement from both parties. Databases and repositories can be spread across diverse locations, both on premises and in the cloud, which can cause a headache for even the most seasoned IT Security Pro. Developing a plan for consolidating this information is crucial in determining the ultimate course of action. There are two common methods organizations may employ initially, with full integration and merger coming later in the process:
Compliance Complicates Everything
Compliance requirements add a complication to all integration efforts that can be very frustrating. This is especially true in healthcare, with HIPAA requirements, or under PCI DSS for those handling payment card data. Some of these requirements and standards come into play only when the organization hits specific benchmarks or capacities, and there can be fines for non-compliance.

Integrating Standards
When diverse organizations merge, some will hold certifications and others may not. Deciding which certifications to keep, or how they can be combined, can pose its own difficulties; some of these can be worked out with the accreditation or certification body one of the organizations has already used. Adopting unified policies, procedures, and standards must also be addressed as part of the integration process, and the IT Security Pro will need to know which processes to follow and how they relate to the work to be accomplished.

Making it Work
One of the most difficult aspects of this process is making everything work as if it were all on one network. Cost savings and combining resources are a huge reason acquisitions happen. Once a strategy has been developed, it is up to the IT Security Pro to implement the plan and execute the various projects that come out of such a complex undertaking. Organizations benefit greatly from the effort put into planning, and the IT Security Pro benefits from communicating these plans and issues to all the stakeholders involved.

Summary
Mergers and acquisitions of corporate networks can be challenging, but they are not as daunting as they look on the surface. Integration needs to be planned and systematically applied across the network and its infrastructure.
The effectiveness of this planning shows up in overall cost reductions in managing the network and in the increased efficiencies that come from integrating these systems. The integration roadmap should be started as soon as possible (during the negotiation period is preferred), with both organizations providing resources and direction toward the strategic outcome.

Growth of Ransomware Attacks: Strategies for Preventing & Isolating Them in Your Organization
5/24/2021

As the days drag on after the most recent high-profile ransomware attack here in the US (Colonial Pipeline, which began on May 6th, 2021), the East Coast and the South are feeling the brunt of its effects. This is not new: ransomware has been around for years, and organizations of all sizes should be prepared for its potential effects on their business. We have seen attacks against municipal infrastructure and government services as well. Ransomware is indiscriminate in whom or what it attacks, and let's be clear, these are individuals out to extort money from whomever and wherever they can. It is that plain and simple. This was a targeted attack on a system that was vulnerable.

Preparation for Attack
One of the key points coming to light after the initial shock is that the infrastructure supporting the US economy is the largest target on the planet for these attacks. Whether it is the lack of a patch management process or the use of outdated and unsupported equipment, the attackers have done their research in preparation. It was also revealed that they were able to exfiltrate a large amount of data before the encryption took place. Is this preparation for more to come?

Paying the Ransom or Not?
As most IT Security Pros know, the company or organization must determine what is in its best interest.
Is it better to pay the ransom and get on with business, to work on finding the culprits behind it, or simply to rebuild the systems that have been locked? This is the biggest decision to be made, and it cannot be made in a vacuum; it will play out in public. Either decision has consequences and potential impacts on the organization.

Social Stigma
The issue that keeps coming up is the publicity a ransomware attack generates. The Colonial Pipeline attack proved that this key infrastructure is vulnerable and that security measures must be taken to address it. It is a terrible thing to have the world know that you lacked security measures and that your organization was using outdated processes and equipment on a vital piece of infrastructure. As of May 12th, 2021, Colonial Pipeline had told the world it would not pay the ransom demanded. As it turned out, they did pay, reportedly nearly $5 million, and the decryption tool they received was reportedly so slow that they had to restore largely from their own backups anyway. Talk about having egg on your face! How will Colonial Pipeline explain what happened?

Increasing Threats
As organizations keep quiet about how much they are actually paying to recover their own information, attackers keep increasing the amounts they demand. As of this writing, it has been reported that CNA Financial paid $40 million to regain access to its information (a link to the article is provided below). Depending on the organization targeted, this can be a huge payday for the criminals involved in the extortion.
Stemming the Tide of Infection
One of the key characteristics of ransomware is that it usually spreads from system to system, depending on the type and complexity of the infection mechanism in use. The following may be considered as ways of stemming the tide of infection and preventing more systems from being compromised:
The End User Dilemma
When it comes to network security, the key factor in nearly every ransomware outbreak has been an end user doing or downloading something they know they should not. The education process takes the form of security awareness training and how often it is performed. People are creatures of habit and curiosity, and they will perform tasks without really thinking about the consequences. Here are a few of the ways a ransomware attack can compromise your network:
Solutions
These are current solutions and ways to mitigate or lessen the potential impact of a ransomware attack:
Even with all of the actions provided here, organizations are still going to be compromised and held to ransom for data they cannot access. This is an ever-evolving area of IT security, and the IT Security Pro needs to know what it takes to prevent an outbreak on their systems. No matter what strategy the organization employs, there will be a way to defeat it or work around it. The easiest place to focus, as pointed out above, is the end user and what they may do when presented with a compromised system or file. User education lets the IT Security Pro know where a potential attack may come from and what form it may take, and educating end users shores up the front line against a potential ransomware attack, or may prevent one altogether.

Reference: www.theverge.com/2021/5/20/22446388/cna-insurance-ransomware-attack-40-million-dollar-ransom
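The "Stemming the Tide of Infection" section above rests on catching the encryption early on the first host and cutting it off before it reaches the file shares. The following is an added example, not code from the original article: it scores constructed file-system events per host using the two signals ransomware cannot hide, a burst of rewrites whose new content looks like ciphertext (close to 8 bits of entropy per byte) and a change of file extension, then turns the verdict into an isolation plan that also names the file servers the host was connected to. The thresholds, host names, event shape, and share-session table are assumptions for the illustration.

```python
"""Added example: host-level ransomware behaviour detection over constructed
file-system events, plus the isolation decision that follows. Ransomware
rewrites many files quickly, the new content looks like ciphertext (near
8 bits of entropy per byte), and the extension usually changes. Thresholds,
hosts and the share-session table are assumptions for this illustration."""
import math
import os
from collections import defaultdict

HIGH_ENTROPY = 7.0          # bits per byte; office documents sit well below this
WINDOW_SECONDS = 60
MIN_SUSPICIOUS_WRITES = 20  # this many high-entropy renames inside one window


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(event):
    """A rewrite that changed the extension and left ciphertext-like content behind."""
    old_ext = os.path.splitext(event["old_path"])[1]
    new_ext = os.path.splitext(event["new_path"])[1]
    return old_ext != new_ext and shannon_entropy(event["data"]) >= HIGH_ENTROPY


def evaluate(events, hosts):
    """Per host, largest number of suspicious writes inside any WINDOW_SECONDS span.
    Returns {host: 'isolate' | 'watch' | 'ok'}."""
    times = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_suspicious(ev):
            times[ev["host"]].append(ev["ts"])
    verdict = {}
    for host in hosts:
        ts, best, start = times.get(host, []), 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        verdict[host] = "isolate" if best >= MIN_SUSPICIOUS_WRITES else ("watch" if best else "ok")
    return verdict


def isolation_plan(verdict, share_sessions):
    """Which hosts to cut off the network, and which file servers they were
    connected to (those shares are where the infection spreads next)."""
    isolate = sorted(h for h, v in verdict.items() if v == "isolate")
    shares = sorted({s for h in isolate for s in share_sessions.get(h, [])})
    return {"isolate": isolate, "check_shares": shares}


# Constructed events: ws-17 is being encrypted, ws-04 is a user zipping five
# files, srv-files is doing ordinary document saves.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly report, Q1 2021. Revenue is up 4% on the prior quarter. " * 8


def make_event(host, ts, old, new, data):
    return {"host": host, "ts": ts, "old_path": old, "new_path": new, "data": data}


SAMPLE_EVENTS = (
    [make_event("ws-17", 1000 + i, f"/docs/{i}.docx", f"/docs/{i}.docx.locked", CIPHERTEXT) for i in range(30)]
    + [make_event("ws-04", 1000 + 15 * i, f"/home/{i}.docx", f"/home/{i}.zip", CIPHERTEXT) for i in range(5)]
    + [make_event("srv-files", 1000 + i, f"/share/{i}.docx", f"/share/{i}.docx", PLAINTEXT) for i in range(25)]
)
SHARE_SESSIONS = {"ws-17": ["srv-files"], "ws-04": ["srv-files"]}
HOSTS = ["ws-17", "ws-04", "srv-files"]


def run_demo():
    verdict = evaluate(SAMPLE_EVENTS, HOSTS)
    return verdict, isolation_plan(verdict, SHARE_SESSIONS)


if __name__ == "__main__":
    print(run_demo())
```

The user zipping files on ws-04 produces the same per-file signal as the ransomware (compressed data is high entropy and the extension changes), which is why the detector keys on the rate inside a window rather than on any single write; a handful of such events earns a "watch", not an isolation. The plan also lists srv-files for inspection because a workstation that is encrypting its own disk is, in the same pass, encrypting every share it has mounted.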
IT Security Pro
Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.