THE IT SECURITY PROFESSIONAL |
Barlowtek
The It security Pro
Helping Organizations Understand IT Security
&
Best Practices
Phishing attacks are among the most common and dangerous cyber threats, as they can result in data breaches, financial losses, and reputational damage. As such, organizations need to understand how to protect their computer networks from phishing attacks and compromise. This article will discuss the best practices organizations can use to protect their computer networks from phishing attacks and compromise. We will cover employee training on cyber security awareness, anti-phishing tools, and technologies, email authentication protocols, URL scanning tools, etc. Following these best practices, organizations can protect their computer networks against phishing attacks and compromises. Motivation of Attack Hackers are looking for ways to compromise your network to access your data. The other motivation that attackers see is that the target may have access to systems or networks that may be needed to further the attack. The initial stages of an attack are observation and looking for weaknesses in the protections that may be employed. This may take several days or even minutes, depending on the strength of your security measures. Once the reason for the attack has been determined, and the initial surveillance has been completed against the target network or system, the plan of attack can be created or developed. An attacker must go through this critical stage in the attack matrix. How will they compromise the network to access the information or data they are after? This will also cost them time and resources that they may have to spend to get a "foot in the door," so to speak. Planning the Attack Phishing attacks are a popular way for cybercriminals to access sensitive information. Planning a successful phishing attack requires looking for weaknesses within network security, understanding the target's behavior, and determining the best approach to exploit those weaknesses. To plan an effective phishing attack, it is essential to understand the target's vulnerabilities and how they can be exploited. This involves analyzing the organization's existing security measures, identifying potential gaps in its defenses, and researching methods for using those weaknesses. Attackers must also consider how their victims may respond to their attempts at gaining access and adjust their tactics accordingly. By considering these steps when planning an attack, attackers can increase their chances of success while minimizing any potential risks associated with the attack. 1.Employee Awareness
Cyber security is an ever-evolving challenge requiring businesses to stay updated with the latest threats. Therefore, organizations must ensure that their employees know the current cybersecurity risks and how to protect their data and systems. Employee training on cyber security awareness is crucial in building a secure environment, as it helps employees understand how to identify potential threats and respond appropriately. This training can include identifying phishing emails, understanding password best practices, recognizing malicious websites, and more. By educating employees on these topics, businesses can reduce their risk of falling victim to a cyber-attack. 2.Tools & Technologies One of the key components to dealing with phishing attacks is to detect these threats within its primary attack vector, inside emails. No matter what executable file type, these files can be seen with various tools and technologies. Additionally, some of these attacks may hide the potential attack; this is done through the obfuscation of the code execution files. This is one of the key attack vectors that potential hackers will use to gain access to your computer network. Preventing these files is crucial in reducing the attack surface the attackers must use. Using technologies that disable executable files or prevent them from running in the first place may help avoid these malicious files from executing correctly. This ability goes a long way in helping to secure the computer network as it prevents possibly malicious files from running. With those files unable to provide a backdoor into the network, it shuts down a primary path used by most phishing campaigns. 3.Email Authentication Knowing whom you are getting emails from is one of the biggest things that you, as an administrator, can do to help to prevent potential threats. Restrictions on the type of files or attachments that can be sent may help avoid potential dangers. Additional settings within the various email service providers (Outlook/Gmail) provide different domain and business controls that restrict the size of files and help validate the email's sender using cryptographic controls. This can also be done with third-party authentication applications that will determine if the domain for which the email was sent is reflective of a potentially compromised environment or whether it is legitimate. 4.URL Scanning This is where a user has clicked on a link and they have been taken to a potentially harmful website. Numerous applications can be used that will help to isolate these websites. Additionally, these sites can get reported in real-time as they are continuously uncovered and added to the list of potential threats. While we would hope that our end users would do the right thing and not click on the links in emails, we know that if they do, we need to have a remediation plan in place. Connecting these reporting applications to your already robust white or blacklisted sites will help to restrict which sites your users are going to be able to access. This will help reduce the number of potential sites accessed within the business. This can be crucial when you are targeted by a phishing campaign, as you will want to restrict or prevent your end users from clicking on a potentially harmful link to a compromised site. This is especially helpful if you see several emails or other such communications come in from the same address or domain. Summary While we can't do everything that would prevent our end users from potentially clicking on a phishing email, we must focus on these best practice areas and start to combat the threat that phishing has on our organizations. Whether you conduct phishing tests or simulated phishing campaigns, the end users must understand that they can help prevent a compromise of the network by being cautious as to whom they respond to and what information they provide.
0 Comments
Organizations of all sizes are using mobile devices in new and innovative ways. The device may be “that you have” part of the Multi-factor Authentication (MFA) process, as the device contains an application that authenticates end users to access the business systems. Or the devices may be used to respond to the business’s needs more effectively. Managing these devices can be difficult because users may want to use their own devices. Additionally, the organization may assign devices as they can better manage these without causing legal liability issues with the management of them. This article explores the various security controls an organization can take to help secure these devices. Managing mobile devices within an organization can be challenging at the best of times. This is additionally complicated by the emergence of targeted mobile device malware, as it continues to be an attack vector that attackers are looking to take advantage of if they can. Threats to Mobile Devices Mobile devices have become an integral part of our lives, and with their increasing use, the risk of cyber threats has also increased. Cybersecurity threats to mobile devices can come from malicious apps, phishing attacks, or other online scams. Users need to be aware of these threats and take steps to protect the data of the business and their privacy. This article will discuss the cybersecurity threats on mobile devices and how IT Security Pros can protect the organization. We will also discuss current best practices to help users stay safe while using their or the businesses’ mobile devices. Controls to Implement Here are the actions that you can take today to help secure the mobile devices used by the business you work for:
IT Security Pro Tip: Summary
Mobile devices can and will continue to be used within the enterprise environment. The IT Security Pro’s role is to establish the controls that will be used for the secure management of these devices. Whether you are dealing with a privately owned device or one owned by the company, they should be treated the same regarding security. Helping to secure these devices against the ever-persistent threats they are exposed to will help protect the organization’s data and the information they may have access to. Securing these devices and implementing a robust management process will allow for a more effective security program within your organization. As the investigation continues into the breach of the computer system for the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida on February 5th. What is becoming clearer is that this hack was due to several different failures in security that led to the site to be compromised by attackers. While the damage was little, it could have been a lot worse. Security Failures While this investigation into the breach of security is still ongoing at the time of this blog post, the common theme is that the facility was using older equipment with lax security protocols. These issues were compounded by the other and helped to provide a path for an attacker to take advantage of these vulnerabilities. Additionally, remote management software could connect to these systems without being blocked. Here is the list on known security failures as of this post:
While each of these failures are not the only reason for the compromise, all of them in conjunction with one another led to what could have been a serious issue if it were not for someone watching the system and taking corrective action to return the systems to normal. Attacker Accomplished The FBI was called in to investigate the compromise and found that the levels of sodium hydroxide in the water treatment had been raised from 100 parts per million to 11,100 parts per million for only a few minutes. This chemical is used to clear clogged drains and could have caused potential deaths if ingested by members of the public. Corrective Action Addressing the failures that have been identified by this attach should be remediated so that a similar type of attack does not occur. But this threat has showed what IT Security Pros already know, our infrastructure is not keeping up to date with evolving technologies. This creates vulnerabilities where it should be more secure. Municipalities are notorious for not updating or upgrading systems or software due to not having the funds to replace or update them. While taking corrective measures now will address these issues, this is a systemic issue that will only be solved when municipalities, and jurisdictions start taking security seriously and not putting off the much-needed upgrades and enhancements that are required to stay up to date. Microsoft for one puts out notices to the public to let them know that there is going to be an end-of-life date for its systems and applications. Why didn’t the municipality head those warnings and transition to supported hardware and software applications? Remaining Threat Due to the attention that this event is getting, it seems that these corrective actions will be taken as the city tries to deal with the fall out of it. But the underlying fact remains that all public utilities face, a crumbling infrastructure and the management systems that are needed to keep them up and running. This is a high visibility event, and the attention will be on the city to see how they handle these issues in the future. These remaining threats are going to continue to plague our technologically evolving infrastructure as well. As mentioned in infrastructure-security-securing-the-grid-of-the-future.html there are growing threats to the use of new technologies as well as securing the already well established infrastructure by upgrading the network hardware, software, and IT Security posture. Security for Infrastructure
Here are some of my recommendations for dealing with these same issues, whether you are a small business, or a large municipality, here are some commonsense guidance that you can follow: 1.Only use supported hardware/software This means to use only those systems and applications that are fully supported by the manufacturer and that if they are not, you replace them ASAP. This is one of the most common mistakes organizations make, waiting to upgrade later. Do not put it off, when it’s the end of life for a system or application, replace it. 2.Have a patch management program With the hardware and the OS not receiving updates on a regular basis, these systems continue to increase in the amount of risk and potential vulnerabilities that they pose to the organization. Have an established patch management program and update software and hardware systems as soon as the patches come out. This helps to limit vulnerabilities while also ensuring that potential risks are mitigated in a timely manner. 3.Establish Strong Security Policies/ Standards The need to establish strong policies and standards can’t be understated here. The use of the following types of characters should be used:
With all of these measures, access account passwords would be more complex and more difficult to potential cracks by an attacker. While no password is 100% secure, there are steps that administrators can take to improve the security of these accounts. 4.Restrict VPN Access to Key Systems This can be accomplished by preventing incoming connection requests from being responded to, or by securing systems behind a firewall or in a DMZ with restricted IP access points. While there may be ways in which these steps can be overcome, those steps are made more difficult than by not having them in place. This should be especially true to those systems such as a water purification plant or even an electric distribution center. Summary While nobody was killed during this attack and someone was quickly able to respond to changes within the purification process, it could have been much worse. Like a lot of other assets that are government owned and operated, our infrastructure is prime for being targeted by those that want to do our country or our cities harm. No matter what is found when the actual source of the attack is eventually discovered, this should be a wake-up call for all governmental organizations and jurisdictions that they can be compromised and that they need to be up to date with their security posture, just like in the private sector. The worst thing about this attack on the purification plant is that all these security issues should have been addressed a long time ago. Even if just upgrading and patching their systems could have helped deter a potential attack. Some of the simplest things make the biggest difference when it comes to these sorts of events. We can only hope that they employ a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible. Reference Site abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550 Scanning won’t cut it anymoreWhen it comes to IT Security, an organization wants to make sure that they are doing everything right. Whether it is scanning for vulnerabilities or looking for malware on the network, a company will spend time, effort, and money to make sure that they are doing everything right in protecting their business. As the IT Security Professional, it is our responsibility to make sure that those resources are used effectively. Are you using applications or systems that are actually helping you? How do you know? Network Monitoring Network monitoring and vulnerability management are areas that many IT Security Professionals focus their time and energy on these days. Especially with all of the compliance requirements that have been mandated by the government. This has led to a sense of security when it comes to using network monitoring applications or systems. As we rely on these systems to automate the processes that we were doing by hand just a few years ago. It is important to remember that these systems need to have a human in the middle to interpret the information, and then to take action on those areas that have been highlighted. Making the Case Making the case for going after advanced persistent threats (APTs) should be a no brainer. Nevertheless, the truth is that not every threat is going to make itself known to the scanning application(s) (or to multiple applications, for that matter) which may give a false sense of security. This will cause those that may be responsible for network maintenance to not believe the results. The goal for all IT Security Professionals is to both, educate others in the organization to the importance of vulnerability scanning, and to make sure action is taken when a threat or vulnerability is found. While APTs do pose a threat to the network, they are a hidden threat that goes under the radar until they actually do something to the company. By then, it’s too late, and the potential for information loss is significantly greater. Behavior is NOT a Signature While a lot of network monitoring software will utilize a signature of the potential malware or threat in order to detect it. Looking at system behavior and network traffic is a better way to track down those systems that may be compromised. Heuristics is an area that has the ability to look at the whole picture and to see areas that may not look like they are connected, but when looked at heuristically, they make perfect sense. The benefit for heuristics is that software changes at a rapid pace, but behaviors don’t. In order to detect malware applications, some network monitoring applications require a signature in order to detect it. Between the time the new version of the detection application is being updated and sent out to customers, a heuristic application may have already caught it due to its behavior. The malware will utilize any means necessary in order to hide or go undetected. Attack Approach Most APTs will use a multiphase attack methodology. These are the phases regardless of how they entered the network that may be followed depending on the organizational structure of the group(s) conducting the attack against your network:
Key Indicators of APT Attack
While APTs have been known to evade detection by most anti-virus scanning applications, there are some signs to watch for if you suspect that your network may be compromised by an APT:
Mitigation Strategy While detection of APTs may be difficult, there are mitigation steps that every organization can take in order to lessen the potential risk of an attack. The steps are listed below:
Gaining Control Once an APT has been identified, all effected systems should be brought offline and network access disabled. This will help to isolating the systems on the network and also helps to lessen the damage that may be caused by an ongoing compromise of the network. While this will stem the loss of data, it is not meant as a fix. These steps just remove the immediate threat, recovery steps will need to be taken once the threat has been identified and isolated. Summary APTs are continuing to plague organizations as they struggle with dealing with securing their data. This can lead to data loss and an impact to the business in ways that may not be realized for years to come. No matter what type of business you are in, the potential threat is there for APTs to cause havoc for your network. Also, due to the complexity of detecting and protecting against APTs, businesses need to be proactive in their approach to these threats and all members of the support teams and groups need to understand the need to act swiftly once a threat has been identified or suspected. Using an application and systems that not only use heuristics but also those that use signature based detection in conjunction with the behaviors are the ones best utilized in these circumstances. It is not just the signature that will catch the threat, but what is actually going on behind the scenes that you are not looking at that will help to identify what is really going on, on your network. |
IT Security ProSecuring the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure. Categories
All
Archives
January 2023
|