FreshRSS

🔒
❌ About FreshRSS
☷
△ 🔃
There are new available articles, click to refresh the page.
Before yesterdaySecurity

There’s no better time for zero trust

By Neville Letzerich

Security resilience requires strong, user-friendly defenses

The concept of zero trust is not a new one, and some may even argue that the term is overused. In reality, however, its criticality is growing with each passing day. Why? Because many of today’s attacks begin with the user. According to Verizon’s Data Breach Investigations Report, 82% of breaches involve the human element — whether it’s stolen credentials, phishing, misuse or error.

Additionally, today’s businesses are hyper-connected, meaning that — in addition to your employees — customers, partners and suppliers are all part of your ecosystem. Couple that with hybrid work, IoT, the move to the cloud, and more emboldened attackers, and organizational risk increases exponentially.

Adopting a zero trust model can dramatically reduce this risk by eliminating implicit trust. It has become so crucial, in fact, that several governments including the U.S., UK and Australia have released mandates and guidance for how organizations should deploy zero trust to improve national security.

However, because zero trust is more of a concept than a technology, and so many vendors use the term, organizations struggle with the best way to implement it. At Cisco, we believe you should take a holistic approach to zero trust, starting with what you have and adding on as you identify gaps in your defenses. And while layers of protection are necessary for powerful security, so is ease of use.

Strengthen security resilience with zero trust

Zero trust plays a major role in building security resilience, or the ability to withstand unpredictable threats or changes and emerge stronger. Through zero trust, the identity and security posture of users, devices and applications are continuously checked and verified to prevent network intrusions — and to also limit impact if an unauthorized entity does gain access.

Organizations with high zero trust maturity are twice as likely to achieve business resilience.
– Cisco’s Guide to Zero Trust Maturity

Eliminating trust, however, doesn’t really conjure up images of user-friendly technology. No matter how necessary they are for the business, employees are unlikely to embrace security measures that make their jobs more cumbersome and time-consuming. Instead, they want fast, consistent access to any application no matter where they are or which device they are using.

That’s why Cisco is taking a different approach to zero trust — one that removes friction for the user. For example, with Cisco Secure Access by Duo, organizations can provide those connecting to their network with several quick, easy authentication options. This way, they can put in place multi-factor authentication (MFA) that frustrates attackers, not users.

Enable seamless, secure access

Cisco Secure Access by Duo is a key pillar of zero trust security, providing industry-leading features for secure access, authentication and device monitoring. Duo is customizable, straightforward to use, and simple to set up. It enables the use of modern authentication methods including biometrics, passwordless and single sign-on (SSO) to help organizations advance zero trust without sacrificing user experience. Duo also provides the flexibility organizations need to enable secure remote access with or without a VPN connection.

During Cisco’s own roll-out of Duo to over 100,000 people, less than 1% of users contacted the help desk for assistance. On an annual basis, Duo is saving Cisco $3.4 million in employee productivity and $500,000 in IT help desk support costs. Furthermore, 86,000 potential compromises are averted by Duo each month.

Protect your hybrid work environment

La-Z-Boy, one of the world’s leading residential furniture producers, also wanted to defend its employees against cybersecurity breaches through MFA and zero trust. It needed a data security solution that worked agnostically, could grow with the company, and that was easy to roll out and implement.

“When COVID first hit and people were sent home to work remotely, we started seeing more hacking activity…” said Craig Vincent, director of IT infrastructure and operations at La-Z-Boy. “We were looking for opportunities to secure our environment with a second factor…. We knew that even post-pandemic we would need a hybrid solution.”

“It was very quick and easy to see where Duo fit into our environment quite well, and worked with any application or legacy app, while deploying quickly.” – Craig Vincent, Director of IT Infrastructure and Operations, La-Z-Boy

Today, Duo helps La-Z-Boy maintain a zero trust framework, stay compliant, and get clear visibility into what is connecting to its network and VPN. Zero trust helps La-Z-Boy secure its organization against threats such as phishing, stolen credentials and out-of-date devices that may be vulnerable to known exploits and malware.

Build a comprehensive zero trust framework

As mentioned, zero trust is a framework, not a single product or technology. For zero trust to be truly effective, it must do four things:

  1. Establish trust for users, devices and applications trying to access an environment
  2. Enforce trust-based access based on the principle of least privilege, only granting access to applications and data that users/devices explicitly need
  3. Continuously verify trust to detect any change in risk even after initial access is granted
  4. Respond to changes in trust by investigating and orchestrating response to potential incidents

Many technology companies may offer a single component of zero trust, or one aspect of protection, but Cisco’s robust networking and security expertise enables us to provide a holistic zero trust solution. Not only can we support all the steps above, but we can do so across your whole IT ecosystem.

Modern organizations are operating multi-environment ecosystems that include a mix of on-premises and cloud technologies from various vendors. Zero trust solutions should be able to protect across all this infrastructure, no matter which providers are in use. Protections should also extend from the network and cloud to users, devices, applications and data. With Cisco’s extensive security portfolio, operating on multiple clouds and platforms, zero trust controls can be embedded at every layer.

Map your path to zero trust

Depending on where you are in your security journey, embedding zero trust at every layer of your infrastructure may sound like a lofty endeavor. That’s why we meet customers where they are on their path to zero trust. Whether your first priority is to meet regulatory requirements, secure hybrid work, protect the cloud, or something else, we have the expertise to help you get started. We provide clear guidance and technologies for zero trust security mapped to established frameworks from organizations like CISA and NIST.

Much of our Cisco Secure portfolio can be used to build a successful zero trust framework, but some examples of what we offer include:

  • Frictionless, secure access for users, devices and applications through Cisco Duo
  • Flexible cloud security through Cisco Umbrella
  • Protected network connections and segmentation with the Cisco Identity Services Engine (ISE)
  • Application visibility and micro-segmentation via Cisco Secure Workload
  • Expert guidance from the Cisco Zero Trust Strategy Service

All of our technologies and services are backed by the unparalleled intelligence of Cisco Talos — so you always have up-to-date protection as you build your zero trust architecture. Additionally, our open, integrated security platform — Cisco SecureX — makes it simple to expand and scale your security controls, knowing they will work with your other technologies for more unified defenses.

Enhance security with an integrated platform

As Italy’s leading insurance company, Sara Assicurazioni requires complete visibility into its extended network, including a multi-cloud architecture and hybrid workforce. The company has adopted a comprehensive zero trust strategy through Cisco Secure.

“Our decentralized users, endpoints, and cloud-based servers and workloads contribute to a large attack surface,” says Paolo Perrucci, director of information and communications technology architectures and operations at Sara Assicurazioni. “With Cisco, we have the right level of visibility on this surface.”

“The main reason we chose Cisco is that only Cisco can offer a global security solution rather than covering one specific point…. Thanks to Cisco Secure, I’m quite confident that our security posture is now many times better because we are leveraging more scalable, state-of-the-art security solutions.” – Luigi Vassallo, COO & CTO, Sara Assicurazioni

Expand your zero trust strategy

To learn more, explore our zero trust page and sign up for one of our free zero trust workshops.

Watch video: How Cisco implemented zero trust in just five months 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

How Vice Society Got Away With a Global Ransomware Spree

By Lily Hay Newman
Vice Society has a superpower that’s allowed it to quietly carry out attacks on schools and hospitals around the world: mediocrity.

Domestic Kitten campaign spying on Iranian citizens with new FurBall malware

By Lukas Stefanko

APT-C-50’s Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app

The post Domestic Kitten campaign spying on Iranian citizens with new FurBall malware appeared first on WeLiveSecurity

A Quick Look at the "Strengthening America's Cybersecurity" Initiative

By The Hacker News
Acknowledging that you have a problem is the first step to addressing the problem in a serious way. This seems to be the reasoning for the White House recently announcing its "Strengthening America's Cybersecurity" initiative. The text of the announcement contains several statements that anyone who's ever read about cybersecurity will have heard many times over: increasing resilience, greater

Not All Sandboxes Are for Children: How to Secure Your SaaS Sandbox

By The Hacker News
When creating a Sandbox, the mindset tends to be that the Sandbox is considered a place to play around, test things, and there will be no effect on the production or operational system. Therefore, people don't actively think they need to worry about its security. This mindset is not only wrong, but extremely dangerous.  When it comes to software developers, their version of sandbox is similar to

RESTRICT: LOCKING THE FRONT DOOR (Pt. 3 of “Why Don’t You Go Dox Yourself?”)

By Zoe Lindsey

In the first step of our doxxing research, we collected a list of our online footprint, digging out the most important accounts that you want to protect and obsolete or forgotten accounts you no longer use. Because the most recent and relevant data is likely to live in the accounts you use regularly, our next step will be to review the full scope of what’s visible from these accounts and to set more intentional boundaries on what is shared. 

It’s important to note here that the goal isn’t to eliminate every trace of yourself from the internet and never go online again. That’s not realistic for the vast majority of people in our connected world (and I don’t know about you, but even if it was I wouldn’t want to!) And whether it’s planning for an individual or a giant organization, security built to an impossible standard is destined to fail. Instead, we are shifting you from default to intentional sharing, and improving visibility and control over what you do want to share. 

LOCKING THE FRONT DOOR 

Before making changes to the settings and permissions for each of these accounts, we’re going to make sure that access to the account itself is secure. You can start with your email accounts (especially any that you use as a recovery email for forgotten passwords, or use for financial, medical, or other sensitive communications). This shouldn’t take very long for each site, and involves a few straightforward steps: 

  • Set a long, unique password for each account. Weak or reused passwords are most vulnerable to attack, and as you most likely discovered during your HaveIBeenPwned search, the odds are better than not that you found your username or email in at least one previous breach. 

The best way to prevent a breached password from exposing another account to attack is to use a unique password for for every website you visit. And while you may have heard previous advice on strong passwords (along the lines of “eight or more characters, with a mix of upper/lower case letters, numbers, and special characters”), more recent standards emphasize the importance of longer passwords. For a great explanation of why longer passwords work better than shorter, multi-character type passwords, check out this excellent XKCD strip: 

dox

A password manager will make this process much easier, as most have the ability to generate unique passwords and allow you to tailor their length and complexity.  While we’re on the topic of what makes a good password, make sure that the password to access your password manager is both long and memorable.

You don’t want to save or auto-fill that password because it acts as the “keys to the kingdom” for everything else, so I recommend following a process like the one outlined in the comic above, or another mnemonic device, to help you remember that password. Once you’ve reset the password, check for a “log out of active devices” option to make sure the new password is used.

  • Set up strong authentication using multi-factor authentication wherever it is supported. Whether short or long, a password on its own is still vulnerable to capture or compromise. One way experts have improved login security is through the use of multi-factor authentication. Multi-factor authentication is often shortened to MFA and can also be referred to as two-step authentication or 2FA.

MFA uses two or more “factors” verifying something you know, something you have, or something you are. A password is an example of “something you know”, and here are a few of the most common methods used for an additional layer of security:

  • Email/SMS passcodes: This has become a common method for verifying logins to secure services like bank accounts and health portals. You enter your username and password and are prompted to enter a short code that is sent to your email or cell number associated with the account. It’s a popular method because it requires no additional setup. However, it suffers from the same weaknesses email accounts and phone numbers do on their own: If you set up 2FA for a social media service using email passcodes on an email using only a password for access, you’re effectively back to the security of a password alone. This is better than nothing, but if one of the other factors is supported you should likely opt for it instead.
  • Hardware/software passcode generators: This method uses either a physical device like a keyfob or USB dongle or an installed soft token generator app on a smart device to generate a short code like those sent to SMS or email without relying on those channels. You may use an app tied to the service (like the Steam Authenticator on the iOS/Android Steam app) or scan a QR code to store the new account in a third-party authenticator app like Google Authenticator or Duo Mobile. This still isn’t ideal, because you’re typing in your passcode on the same device where you entered your password – meaning if someone is able to intercept or trick you into revealing your password, they may very well be able to do the same with the passcode.

dox

  • On-device prompt: Rather than using a trusted email or phone number to verify it’s you, this method uses a trusted device (something you have) to confirm your login. If you’ve tried logging into a Gmail account and been prompted to approve your login through another already-approved device, you’re completing an on-device prompt. Another type of on-device prompt would be login approvals sent through push notifications to an authenticator app like Duo Mobile, which will provide you with other details about the login to your account. Because you approve this prompt on a separate device (your phone) than the device used to log in (your computer), this is more resistant to being intercepted or captured than a passcode generator.

  • Biometric authentication: If you buy an app on the Google Play Store or iOS App Store, you may be prompted to confirm your purchase with a fingerprint sensor or facial recognition instead of entering a password. The shift to unlocking our mobile devices through biometric methods (unique physical measurements or “something you are”) has opened up a more convenient strong authentication. This same method can be used as a prompt on its own, or as a requirement to approve an on-device prompt.

If you want to know more about the different ways you can log in with strong authentication and how they vary in effectiveness, check out the Google Security Team blog post “Understanding the Root Cause of Account Takeover.”

PASSWORD QUESTIONS: WHERE DID YOUR FIRST PET GO TO HIGH SCHOOL?

Before we move on from passwords and 2FA, I want to highlight a second step to log in that doesn’t meet the standard of strong authentication: password questions. These are usually either a secondary prompt after entering username and password, or used to verify your identity before sending a password reset link. The problem is that many of the most commonly-used questions rely on semi-public information and, like passcodes, are entered on the same device used to log in.

Another common practice is leveraging common social media quizzes/questionnaires that people post on their social media account. If you’ve seen your friends post their “stage name” by taking the name of their first pet and the street they grew up on, you may notice that’s a combination of two pretty common password questions! While not a very targeted or precise method of attack, the casual sharing of these surveys can have consequences beyond their momentary diversion.

One of the first widely-publicized doxxings happened when Paris Hilton’s contact list, notes, and photos were accessed by resetting her password using the password question, “what is your favorite pet’s name?”. Because Hilton had previously discussed her beloved chihuahua, Tinkerbell, the attacker was able to use this information to access the account.

Sometimes, though, you’ll be required to use these password questions, and in those cases I’ve got a simple rule to keep you safe: lie! That’s right, you won’t be punished if you fib when entering the answers to your password questions so that the answers can’t be researched, and most password managers also include a secure note field that will let you save your questions and answers in case you need to recall them later.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Researchers Detail Azure SFX Flaw That Could've Allowed Attackers to Gain Admin Access

By Ravie Lakshmanan
Cybersecurity researchers have shared more details about a now-patched security flaw in Azure Service Fabric Explorer (SFX) that could potentially enable an attacker to gain administrator privileges on the cluster. The vulnerability, tracked as CVE-2022-35829, carries a CVSS severity rating of 6.2 and was addressed by Microsoft as part of its Patch Tuesday updates last week. <!--adsense--> Orca

Chinese Hackers Targeting Online Casinos with GamePlayerFramework Malware

By Ravie Lakshmanan
An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years. Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of

A Quick Guide for Small Cybersecurity Teams Looking to Invest in Cyber Insurance

By The Hacker News
In the world of insurance providers and policies, cyber insurance is a fairly new field. And many security teams are trying to wrap their heads around it.  What is it and do they need it? And with what time will they spend researching how to integrate cyber insurance into their strategy?  For small security teams, this is particularly challenging as they contend with limited resources. Luckily,

CISA Warns of Critical Flaws Affecting Industrial Appliances from Advantech and Hitachi

By Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two Industrial Control Systems (ICS) advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. This consists of three weaknesses in the R-SeeNet monitoring solution, successful exploitation of which "could result in an unauthorized attacker remotely deleting files on the

How the World Will Know If Russia Is Preparing to Launch a Nuclear Attack

By Lily Hay Newman
While tensions over a possible nuclear attack on Ukraine remain high, experts say surveillance will likely catch Russia if it plans to do the unthinkable.

Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong

By Ravie Lakshmanan
The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly

Making Merger and Acquisition Cybersecurity More Manageable

By Dan Burke

Dan Burke is the director of strategy, risk, and compliance for AppDynamics, a company acquired by Cisco in 2017. Burke and his team are a vital part of the Cisco acquisition process in helping acquired companies adhere to a higher level of cybersecurity. This blog is the fourth in a series focused on M&A cybersecurity, following Shiva Persaud’s post on When It Comes to M&A, Security Is a Journey.

Engaging Earlier to Identify and Manage Risk

Part of the secret to Cisco’s success is its ability to acquire companies that strengthen its technology portfolio and securely integrate them into the larger organization. From the outside, that process might appear seamless—consider Webex or Duo Security, for instance—but a fruitful acquisition takes tremendous work by multiple cross-functional teams, mainly to ensure the acquired company’s solutions and products meet Cisco’s rigorous security requirements.

“My team is responsible for aligning new acquisitions to Cisco controls to maintain our compliance with SOC2 and FedRAMP, as well as other required certifications,” says Burke.

When Cisco acquires a new company, it conducts an assessment and produces a security readiness plan (SRP) document. The SRP details the identified weaknesses and risks within that company and what they need to fix to meet Cisco standards.

“In the past, my team wouldn’t find out about an acquisition until they received a completed SRP.  The downside of this approach was that the assessments and negotiations had been done without input from our group of experts, and target dates for resolution had already been decided on,” shares Burke.

“We needed to be involved in the process before the SRP was created to understand all risks and compliance issues in advance. Now we have a partnership with the Cisco Security and Trust M&A team and know about an acquisition months before we can start working to address risks and other issues—before the SRP is completed and the due dates have been assigned,” Burke adds.

“Another issue resolved in this process change is that Cisco can gain earlier access to the people in the acquired company who know the security risks of their solutions. During acquisitions, people will often leave the company, taking with them their institutional knowledge, resulting in Cisco having to start from scratch to identify and assess the risks and determine how best to resolve them as quickly as possible,” says Burke. “It could be vulnerabilities in physical infrastructure or software code or both. It could be that the company isn’t scanning often enough, or they don’t have SOC 2 or FedRAMP certification yet—or they’re not using Cisco’s tools.”

“Third-party vendors and suppliers can also present an issue,” he adds. “One of the biggest risk areas of any company is outside vendors who have access to a company’s data. It’s vital to identify who these vendors are and understand the level of access they have to data and applications. The earlier we know all these things, the more time we must devise solutions to solve them.”

“Now that I’m in the process earlier, I can build a relationship with the people who have the security knowledge—before they leave. If I can understand their mindset and how all these issues came about, I can help them assimilate more easily into the bigger Cisco family,” says Burke.

Managing Risk During the M&A Process

The additional benefits of bringing teams in earlier are reduced risk and compliance requirements can be met earlier. It also provides a smoother transition for the company being acquired and ensures they meet the security requirements that customers expect when using their technology solutions.

“Without that early involvement, we might treat a low-risk issue as high risk, or vice versa. The misclassification of risk is extremely dangerous. If you’re treating something as high risk, that’s low risk, and you’re wasting people’s time and money. But if something’s high risk and you’re treating it as low risk, then you’re in danger of harming your company,” Burke shares.

“The key is to involve their risk, compliance, and security professionals from the beginning. I think other companies keep the M&A process so closely guarded, to their detriment. I understand the need for privacy and to make sure deals are confidential but bringing us in earlier was an advantage for the M&A team and us,” Burke adds.

Ensuring a Successful M&A Transition

When asked what he thinks makes Cisco successful in M&A, Burke says, “Cisco does an excellent job of assimilating everyone into the larger organization. I have worked at other companies where they kept their acquisitions separate, which means you have people operating separately with different controls for different companies. That’s not only a financial burden but also a compliance headache.”

“That’s why Cisco tries to drive all its acquisitions through our main programs and controls. It makes life easier for everyone in terms of compliance. With Cisco, you have that security confidence knowing that all these companies are brought up to their already very high standards, and you can rely on the fact that they don’t treat them separately. And when an acquisition has vulnerabilities, we identify them, set out a remediation path, and manage the process until those risks are resolved,” Burke concludes.

Related Blogs

Managing Cybersecurity Risk in M&A

Demonstrating Trust and Transparency in Mergers and Acquisitions

When It Comes to M&A, Security Is a Journey

 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Why Crypto Winter is No Excuse to Let Your Cyber Defenses Falter

By The Hacker News
Don’t let the ongoing “crypto winter” lull you into a false sense of cybersecurity. Even as cryptocurrencies lose value — and some crypto companies file for bankruptcy — cryptojacking still poses an urgent threat to enterprises across industries, from financial services to healthcare to industry 4.0 and beyond.  Broadly speaking, cryptojacking is defined as the unauthorized and illegitimate use

5 steps to protect your school from cyberattacks

By André Lameiras

What can schools, which all too often make easy prey for cybercriminals, do to bolster their defenses and keep threats at bay?

The post 5 steps to protect your school from cyberattacks appeared first on WeLiveSecurity

The Hunt for Wikipedia's Disinformation Moles

By Masha Borak
Custodians of the crowdsourced encyclopedia are charged with protecting it from state-sponsored manipulators. A new study reveals how.

How to Use Passkeys in Google Chrome and Android

By David Nield
Google wants to make your digital life—in its ecosystem, anyway—passwordless and more secure.

Elon Musk’s SpaceX Bails on Starlink Funding for Ukraine

By Andrew Couts
Plus: Hackers hit the Mormon Church, Signal plans to ditch SMS for Android, and a Fat Bear election erupts in scandal.

Indian Energy Company Tata Power's IT Infrastructure Hit By Cyber Attack

By Ravie Lakshmanan
Tata Power Company Limited, India's largest integrated power company, on Friday confirmed it was targeted by a cyber attack. The intrusion on IT infrastructure impacted "some of its IT systems," the company said in a filing with the National Stock Exchange (NSE) of India. <!--adsense--> It further said it has taken steps to retrieve and restore the affected machines, adding it put in place

Introducing “NEXT” by Cisco Secure

By Tazin Khan

Inspiring discussions around innovative tech  

Technology has typically had a reputation for being exciting and inventive. Unfortunately, this hasn’t always been the case for security. But times have changed. We are now recognizing the crucial role security plays in any groundbreaking technology. Without strong defenses, even the most visionary app is likely to crash and burn. So it’s imperative that big security players like Cisco stay on top of what’s next.

I am thrilled to announce that in November, we will be launching our new video series, “NEXT” by Cisco Secure. In the series, my esteemed co-host TK Keanini and I will interview some of the brightest new minds in tech to find out more about the future of the industry and how we can best secure it. Watch the series preview below!

“NEXT” by Cisco Secure

Bringing cyber pioneers to the forefront  

As the CTO of Cisco Secure, TK has over 25 years of networking and security expertise, as well as a penchant for driving technical innovation. As for me, I’m a cybersecurity specialist of 10 years with an obsession for communication and empathy. Together, TK and I will bring new cyber pioneers to the forefront and highlight the criticality of digital protection and privacy for everyone.

Whether we’re discussing Web3, the metaverse, or next-generation healthcare, we’ll learn and laugh a lot. Through simple conversations about complex topics, we’re building a bridge between leading-edge tech and how Cisco is helping to safeguard what’s on the horizon.

Expanding security awareness 

And what better time to preview this series than during Cybersecurity Awareness Month? A time when we focus on the reality that security belongs to everyone — not just the threat hunter, or the product engineer, or the incident responder — but everyone.

We all have a responsibility to protect the world’s data and infrastructure, and should all have a seat at the table for important security conversations. We hope you’ll join us as we dive into what’s making waves out there, and how we can keep it safe.

Be a part of what’s next  

Follow our Cisco Secure social channels to catch our first episode in November, when we will speak with Michael Ebel, CEO of Atmosfy. Atmosfy is revolutionizing restaurant reviews by incorporating engaging live video that inspires others and supports local businesses. TK and I will chat with Michael about the origin of Atmosfy, and how the company keeps its content authentic and organization resilient.

In the meantime, explore our other Cybersecurity Awareness Month resources.

Who do you want to hear from next? Tell us your ideas for future guests in the comments.  

 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

New Chinese Cyberespionage Group Targeting IT Service Providers and Telcos

By Ravie Lakshmanan
Telecommunications and IT service providers in the Middle East and Asia are being targeted by a previously undocumented Chinese-speaking threat group dubbed WIP19. The espionage-related attacks are characterized by the use of a stolen digital certificate issued by a Korean company called DEEPSoft to sign malicious artifacts deployed during the infection chain to evade detection. "Almost all

How To Build a Career as a Freelance Cybersecurity Analyst — From Scratch

By The Hacker News
With each passing year, the cybersecurity threat landscape continues to worsen. That reality makes cybersecurity analysts some of the most sought-after technology professionals in the world. And there are nowhere near enough of them to meet the demand. At last count, there were over 3.5 million unfilled cybersecurity jobs worldwide — and that number is still growing. The situation means that

The $1 Billion Alex Jones Effect

By Chris Stokel-Walker
The Infowars host now knows the cost of “free speech”—but does the landmark judgment signal a crackdown on disinformation?

COLLECTING OUR BREADCRUMBS (Pt. 2 of “Why Don’t You Go Dox Yourself?”)

By Zoe Lindsey

Sharing is caring… but on the internet, sharing can also be tricky! When we post something, we have to look at the forest and not just the trees. Doxxers usually start with one or two pieces of relatively innocent or public information, but by connecting the dots between those pieces they can build a frighteningly detailed picture of an individual. 

Seemingly innocuous details can be pieced together into a much more personal profile when collected and leveraged to learn more. As one example, your wish list/wedding registry makes it easy for friends and family to get you gifts that you actually want, but could also be used to find out products/services you’re interested in as pretext (setting the scene) of a conversation or phishing email trying to gather more. You may have Google Alerts set up for your name (a great idea!), but this may not flag text in scanned documents such as school yearbooks, newspapers and other digitized paper records available online.  

If the above sounds scary – don’t panic! Your first step in this auto-dox is going to be brainstorming as much personally identifying information (PII) shared online as possible. I suggest doing this either in a secure note or longhand. The goal is to write down all of the accounts/addresses/phone numbers that come to mind, as these are some of the top things that attackers will try to gather in their search. Start your list here: 

  • Your name: This can be your real name, as well as any other names you go by in public like a writing pseudonym, nickname, or stage name. 
  • Your phone number(s): Many social media networks let you look up friends through your contact book or by their phone number, and many other legitimate websites  will use simple verification of your phone number as a way to prove your identity. An attacker can take advantage of both of these things. Don’t forget work numbers or old phone numbers! 
  • Your email address(es): This is the other main way to look up contacts on social media, and for most people it’s also the strongest common link between accounts. If you use a school or work email, there’s also a good chance it also contains part or all of your real name (like “first.lastname@school.edu”). 
  • Your social media: We share a ton on social media, and even if you’re careful about not sharing your real name or location, other information like where you go to school/work, what groups you’re a member of, who your friends are, and what you’re interested in can all help paint a picture of who you are. 
  • Your location: Previous and current home addresses are often used to verify identity even though many can be found online, so we’re going to use some free “data scraping” tools in our research to see what information is accessible. These sites collect public information like birth, death, and marriage records and make them searchable. There’s a good chance that there’s more than one person with your name unless it’s very unique, so these sites will usually let you add more information like a city, state or ZIP code to narrow down results. 
  • Your selfies and avatars: Sometimes getting access to private photos (especially sexytime pics) is the end goal of doxxing, but it can also be one of the ways to link different accounts. For example: Do you have your Facebook photos linked to your Tinder profile? Someone could use a reverse image search or site like TinEye.com to see where else you’ve shared the same pic. Newer sites like pimeyes.com even provide “fuzzy” search tools, where one photo of a person’s face can be used as a search for other, DIFFERENT photos of that person.  

DEEPER DIVE: EMAIL ADDRESSES AND USER ACCOUNTS 

Email addresses are an especially juicy target for someone trying to locate you, because most people only use one personal and maaaybe a second school or work email account. Those accounts are tied to all our other online identities and often double as our username for logging in.  

  • If you already use a password manager, you’re ahead of the game! Review the current accounts and credentials that you’ve already added. Depending on the tool you use, this may also notify you of reused or breached passwords that have appeared in previous hacks. And, if you’re not using a password manager, now would be an excellent time to check some of the available options and set one up! This way you can add your collected credentials and update weak or reused passwords as you go. 
  • Speaking of breached passwords, HaveIBeenPwned lets you search an email or phone number to see if it appears in their breached data database. And don’t be surprised if one (or several) of your accounts show up here – with more than 11 BILLION accounts currently collected, the odds are likely you’ll find something. Note it for now and update the password and enable strong authentication (more on this later). 
  • You can enter a username or email address on NameChk.com, and it will quickly search a bunch of different services and show you where that username has been registered. 
  • You can search your email inbox for common new account subject lines to find them manually. Try searching combinations of keywords: “confirm”, “activate”, “verify”, “subscription”, “account”, etc. (And if you’ve never checked out Google’s search operators, you can get even more specific about what to include or exclude. 
  • Check what information is publicly visible on these collected sites. Do you have a wishlist on Amazon? An “anonymous” Reddit account with the same username as your Pinterest? An abandoned MySpace or Tumblr with outdated privacy settings? See if you can disable or restrict public viewing — some sites like Facebook make it easy to change privacy on old posts. 
  • Facebook, LinkedIn and other social networks often have a “View As” option that lets you see your profile as a stranger, a friend of a friend, or a direct friend. Look at each of these views and consider if you want that information public and searchable. Sometimes these settings can be sneaky! On one review after I set all my pictures on Facebook to private, I tested visiting my page as a stranger and realized that my “featured” pics had been set to public without my noticing.

When you finish this process, you will likely have dozens or even hundreds of “breadcrumbs” between your account list and search results. Read through your list again, and we’re going to sort it into three categories: 

  • Critical: This is for accounts with the most private or potentially damaging information in them – services like your online patient portal for the doctor with your medical information, or financial accounts that may include your banking information or social security number. As these represent the greatest risk if compromised, they’re at the top of the list to fix. 
  • Wanted: This is for everything else that you want to keep but isn’t nearly as sensitive as the first category. News site logins, loyalty club websites and special interest forums may all be accounts you want to maintain, so they’ll also be in the queue behind our top priorities. 
  • Unwanted: As mentioned previously, you’ll likely unearth some forgotten or abandoned accounts that you no longer need. If you never need to log into that account again, take the time to cancel or delete it. If your data is no longer stored by a service it becomes much more difficult for an attacker to find it! You may also discover a surprising amount of your information is available through people search services and data brokers that you don’t want shared, and we’ll start working on next.

Great job! You’ve already got a much better idea of what people can learn about you than most folks ever do, and are well on your way to cleaning up your online footprint. In our next step, we’ll start locking down everything that you want to keep! 

P.S. If you’re enjoying this process and value keeping people safe online, please check out our open roles at Cisco Secure 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

❌