Login
In brief Google has released a new open source software tool to help businesses better understand the risks to their software supply chains by aggregating security metadata into a queryable, standardized database.…
Scott Heider is a manager within the Cisco Security Visibility and Incident Command team that reports to the company’s Security & Trust Organization. Primarily tasked with helping to keep the integration of an acquired company’s solutions as efficient as possible, Heider and his team are typically brought into the process after a public announcement of the acquisition has already been made. This blog is the final in a series focused on M&A cybersecurity, following Dan Burke’s post on Making Merger and Acquisition Cybersecurity More Manageable.
Mergers and acquisitions (M&A) are complicated. Many factors are involved, ensuring cybersecurity across the entire ecosystem as an organization integrates a newly acquired company’s products and solutions—and personnel—into its workstreams.
Through decades of acquisitions, Cisco has gained expertise and experience to make its M&A efforts seamless and successful. This success is in large part to a variety of internal teams that keep cybersecurity top of mind throughout the implementation and integration process.
“Priority one for the team,” says Heider, “is to balance the enablement of business innovation with the protection of Cisco’s information and systems. Because Cisco is now the ultimate responsible party of that acquisition, we make sure that the acquisition adheres to a minimum level of security policy standards and guidelines.”
The team looks at the acquired company’s security posture and then partners with the company to educate and influence them to take necessary actions to achieve Cisco’s security baseline.
That process starts with assessing the acquired company’s infrastructure to identify and rate attack surfaces and threats. Heider asks questions that help identify issues around what he calls the four pillars of security, monitoring, and incident response:
The infrastructure that Heider’s team evaluates isn’t just the company’s servers and data center infrastructure. It can also include the systems the acquisition rents data center space to or public cloud infrastructure. Those considerations further complicate security and must be assessed for threats and vulnerabilities.
Once Heider’s team is activated, they partner with the acquired company and meet with them regularly to suggest areas where that acquisition can improve its security posture and reduce the overall risk to Cisco.
Identifying and addressing risk is critical for both sides of the table, however, not just for Cisco. “A lot of acquisitions don’t realize that when Cisco acquires a company, that organization suddenly has a bigger target on its back,” says Heider. “Threat actors will often look at who Cisco is acquiring, and they might know that that company’s security posture isn’t adequate—because a lot of times these acquisitions are just focused on their go-to-market strategy.”
Those security vulnerabilities can become easy entry points for threat actors to gain access to Cisco’s systems and data. That’s why Heider works so closely with acquisitions to gain visibility into the company’s environment to reduce those security threats. Some companies are more focused on security than others, and it’s up to Heider’s team to figure out what each acquisition needs.
“The acquisition might not have an established forensics program, for instance, and that’s where Cisco can come in and help out,” Heider says. “They might not have tools like Stealthwatch or NetFlow monitoring, or Firepower for IDS/IPS operations.”
When Heider’s team can bring in their established toolset and experienced personnel, “that’s where the relationship between my team and that acquisition grows because they see we can provide things that they just never thought about, or that they don’t have at their disposal,” he says.
One of the most important factors in a successful acquisition, according to Heider, is to develop a true partnership with the acquired company and work with the new personnel to reduce risk as efficiently as possible—but without major disruption.
Cisco acquires companies to expand its solution offerings to customers, so disrupting an acquisition’s infrastructure or workflow would only slow down its integration. “We don’t want to disrupt that acquisition’s processes. We don’t want to disrupt their people. We don’t want to disrupt the technology,” says Heider. “What we want to do is be a complement to that acquisition, – that approach is an evolution, not a revolution.”
The focus on evolution can sometimes result in a long process, but along the way, the teams come to trust each other and work together. “They know their environment better than we do. They often know what works—so we try to learn from them. And that’s where constant discussion, constant partnership with them helps them know that we are not a threat, we’re an ally,” says Heider. “My team can’t be everywhere. And that’s where we need these acquisitions to be the eyes and ears of specific areas of Cisco’s infrastructure.”
Training is another way Heider, and his team help acquisitions get up to speed on Cisco’s security standards. “Training is one of the top priorities within our commitments to both Cisco and the industry,” Heider says. “That includes training in Cisco technologies, but also making sure that these individuals are able to connect with other security professionals at conferences and other industry events.”
When asked what advice he has for enterprises that want to maintain security while acquiring other companies, Heider has a few recommendations.
Having the right security agents and clear visibility into endpoints is critical. As is inputting the data logs of those endpoints into a security event and incident management (SEIM) system. That way, explains Heider, you have visibility into your endpoints and can run plays against those logs to identify security threats. “We’ll reach out to the asset owner and say they might have malware on their system—which is something nobody wants to hear,” says Heider. “But that’s what the job entails.”
Often, end users don’t know that they’re clicking on something that could have malware on it. Heider says user education is almost as important as visibility into endpoints. “Cisco really believes in training our users to be custodians of security, because they’re safeguarding our assets and our customers’ data as well.”
End users should be educated about practices such as creating strong passwords and not reusing passwords across different applications. Multi-factor authentication is a good practice, and end users should become familiar with the guidelines around it.
Updating software and systems is a never-ending job, but it’s crucial for keeping infrastructure operating. Sometimes, updating a system can weaken security and create vulnerabilities. Enterprises must maintain a balance between enabling business innovation and keeping systems and data secure. Patching systems can be challenging but neglecting the task can also allow threat actors into a vulnerable system.
Heider says public cloud operations can be beneficial because you’re transferring ownership liability operations to a third party, like Amazon Web Services or Google Cloud platform. “The only caveat,” he says, “is to make sure you understand that environment before you go and put your customer’s data on it. You might make one false click and expose your certificates to the Internet.”
Heider says that while a big part of his job is helping acquisitions uplevel their security domain to meet baseline security requirements, there’s always the goal to do even better. “We don’t want to be just that baseline,” he says. His team has learned from acquisitions in the past and taken some of those functionalities and technologies back to the product groups to make improvements across Cisco’s solutions portfolio.
“We’re customer zero – Cisco is Cisco’s premier customer,” says Heider, “because we will take a product or technology into our environment, identify any gaps, and then circle back to product engineering to improve upon it for us and our customers.”
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
When It Comes to M&A, Security Is a Journey
Making Merger and Acquisition Cybersecurity More Manageable
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Next time you're tempted to hold off on installing software updates, remember why these updates are necessary in the first place
The post 5 reasons to keep your software and devices up to date appeared first on WeLiveSecurity
Sponsored Post Where do the world's cyber security professionals get an opportunity to mingle and swap tips with their global peers while engaging in interactive, hands-on learning exercises that will help them stop cyber criminals in their tracks?…
Webinar Linux has come a long way from the early days of 1991 when the Linux kernel grew out of a student project.…
At least one affiliate of the high-profile ransomware-as-a-service (RaaS) group BlackByte is using a custom tool to exfiltrate files from a victim's network, a key step in the fast-growing business of double-extortion.…
Iran's Atomic Energy Organization has laughed off claims that the email systems of a subsidiary were compromised, revealing important operational data about a nuclear power plant.…
Aussie breachapalooza! That what it feels like this week between Optus (ok, it was weeks ago but it's still in the news), Vinomofo, My Deal and the mother of all of them (at least as far as media interest goes), Medibank. That last one totally smashed my week out with unprecedented press enquiries, so is it any wonder I totally missed the Microsoft one? I read through that last one live in this week's video and as you'll hear, a breach of any kind is never a good look but what stands out for me about this one isn't the breach itself, rather the marketing effort SOCRadar has made around it. As I say in the video, it just feels... icky. See if you agree.
As a hybrid offline and online war wages on in Ukraine, Viktor Zhora, who leads the country's cybersecurity agency, has had a front-row seat of it all.…
ESET Research spots a new version of Android malware known as FurBall that APT-C-50 is using in its wider Domestic Kitten campaign
The post APT‑C‑50 updates FurBall Android malware – Week in security with Tony Anscombe appeared first on WeLiveSecurity
I’m sure you’ve seen them — emails or messages that sound alarming and ask you to act quickly. We live in a digital world that produces hundreds of messages and alerts every day. It’s often hard to determine the validity of a suspicious message or phishing email. Whether you are an administrator, or an end-user, it can be overwhelming to accurately identify a malicious message. When in doubt, here are some questions you should ask yourself:
Is the message from a legitimate sender?
Do I normally receive messages from this person?
If there’s a link, can I tell where it’s sending me?
Attackers continue to evolve their methods, and they’re highly educated on the defenses they come up against in the wild. They’ll craft messages that do not involve any traditional indicators of compromise, such as domains, IP address, or URL links. They’ll also start their attacks by sending messages as an initial lure to establish trust, before sending an email with altered invoice or one claiming to be a helpless employee attempting to get their payroll fixed.
Phishing is a socially-based attack type, one where the threat actors focus on human behavior. When these attacks target organizations, there are multiple levels of attack at play. One that focuses on behavioral patterns and workflow, and the other centers on the victim’s emotional boundaries, such as targeting their desire to help others. You see this pattern frequently in Business Email Compromise (BEC) attacks.
Below, we’ve placed an example of a lure, which will test the victim to see if there is a means to quickly establish trust. Here, the threat actor is pretending to be the Chief Financial Officer (CFO) of the victim’s organization. If the lure is successful, then the threat actor will progress the attack, and often request sensitive records or wire transfers. Notice that in the email headers, the person pretending to be the CFO is using a Gmail account, one that was likely created just for this attack. The message is brief, stresses importance and urgency, and requests assistance, playing on the victim’s workflow and desire to help an executive or someone with authority.
The example below is a simplified one, to be sure, but the elements are legitimate. Daily, emails like this hit the inboxes of organizations globally, and the attackers only need to locate a single victim to make their efforts payout.
In the FBI / IC3 2021 Internet Crime Report, there were nearly 20,000 Business Email Compromise complaints filed, with an adjusted loss of nearly 2.4 billion dollars. While spoofing the identity of an executive is certainly one way to conduct a BEC attack, the FBI says that threat actors have started leveraging the normality of hybrid-work to target meeting platforms to establish trust and conduct their crimes. When successful, the funds from the fraudulent wire transfers are moved to crypto wallets and the funds dispersed, making recovery harder.
So as an end user what can you do to protect your organization? Be mindful anytime you receive an urgent call to action, especially when the subject involves money. If your workflow means that you regularly receive these types of requests from the specific individual, verify their identity and the validity of the request using another channel of communication, such as in person or via phone. If you do validate their identity via the phone, take care to avoid calling any numbers listed in the email.
Cisco Secure Email helps stop these types of attacks by tracking user relationships and threat techniques. These techniques often include account takeover, spoofing and many more. Using an intent-based approach allows Secure Email to detect and classify business email compromises and other attacks, so administrators are empowered to take a risk-based approach to stopping these threats.
Find out more about how Cisco Secure Email can help keep your organization safe from phishing.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims' Windows PCs, is evolving to support extortionware.…
A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties.…
pic-1200
Sponsored Post Shifting workloads and applications to the cloud is on every forward-thinking CIO's wish list. It is also their worst nightmare. If they get it right, they've helped to transform and modernize their organization's operations and everyone's happy. If they get it wrong, it's a different story, made much worse if a seriously expensive data breach is involved.…
On October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. A similarly dramatic drop in the number of LinkedIn profiles claiming employment at Amazon comes as LinkedIn is struggling to combat a significant uptick in the creation of fake employee accounts that pair AI-generated profile photos with text lifted from legitimate users.
Jay Pinho is a developer who is working on a product that tracks company data, including hiring. Pinho has been using LinkedIn to monitor daily employee headcounts at several dozen large organizations, and last week he noticed that two of them had far fewer people claiming to work for them than they did just 24 hours previously.
Pinho’s screenshot below shows the daily count of employees as displayed on Amazon’s LinkedIn homepage. Pinho said his scraper shows that the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop:
The number of LinkedIn profiles claiming current positions at Amazon fell 33 percent overnight. Image: twitter.com/jaypinho
As stated above, the number of LinkedIn profiles that claimed to work at Apple fell by approximately 50 percent on Oct. 10, according to Pinho’s analysis:
Image: twitter.com/jaypinho
Neither Amazon or Apple responded to requests for comment. LinkedIn declined to answer questions about the account purges, saying only that the company is constantly working to keep the platform free of fake accounts. In June, LinkedIn acknowledged it was seeing a rise in fraudulent activity happening on the platform.
KrebsOnSecurity hired Menlo Park, Calif.-based SignalHire to check Pinho’s numbers. SignalHire keeps track of active and former profiles on LinkedIn, and during the Oct 9-11 timeframe SignalHire said it saw somewhat smaller but still unprecedented drops in active profiles tied to Amazon and Apple.
“The drop in the percentage of 7-10 percent [of all profiles], as it happened [during] this time, is not something that happened before,” SignalHire’s Anastacia Brown told KrebsOnSecurity.
Brown said the normal daily variation in profile numbers for these companies is plus or minus one percent.
“That’s definitely the first huge drop that happened throughout the time we’ve collected the profiles,” she said.
In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.
A day after that second story ran, KrebsOnSecurity heard from a recruiter who noticed the number of LinkedIn profiles that claimed virtually any role in network security had dropped seven percent overnight. LinkedIn declined to comment about that earlier account purge, saying only that, “We’re constantly working at taking down fake accounts.”
A “swarm” of LinkedIn AI-generated bot accounts flagged by a LinkedIn group administrator recently.
It’s unclear whether LinkedIn is responsible for this latest account purge, or if individually affected companies are starting to take action on their own. The timing, however, argues for the former, as the account purges for Apple and Amazon employees tracked by Pinho appeared to happen within the same 24 hour period.
It’s also unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn. Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
On this point, Pinho said he noticed an account purge in early September that targeted fake profiles tied to jobs at cryptocurrency exchange Binance. Up until Sept. 3, there were 7,846 profiles claiming current executive roles at Binance. The next day, that number stood at 6,102, a 23 percent drop (by some accounts that 6,102 head count is still wildly inflated).
Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.
Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley, suggested another explanation for the recent glut of phony LinkedIn profiles: Someone may be setting up a mass network of accounts in order to more fully scrape profile information from the entire platform.
“Even with just a standard LinkedIn account, there’s a pretty good amount of profile information just in the default two-hop networks,” Weaver said. “We don’t know the purpose of these bots, but we know creating bots isn’t free and creating hundreds of thousands of bots would require a lot of resources.”
In response to last week’s story about the explosion of phony accounts on LinkedIn, the company said it was exploring new ways to protect members, such as expanding email domain verification. Under such a scheme, LinkedIn users would be able to publicly attest that their profile is accurate by verifying that they can respond to email at the domain associated with their current employer.
LinkedIn claims that its security systems detect and block approximately 96 percent of fake accounts. And despite the recent purges, LinkedIn may be telling the truth, Weaver said.
“There’s no way you can test for that,” he said. “Because technically, it may be that there were actually 100 million bots trying to sign up at LinkedIn as employees at Amazon.”
Weaver said the apparent mass account purge at LinkedIn underscores the size of the bot problem, and could present a “real and material change” for LinkedIn.
“It may mean the statistics they’ve been reporting about usage and active accounts are off by quite a bit,” Weaver said.
The concept of zero trust is not a new one, and some may even argue that the term is overused. In reality, however, its criticality is growing with each passing day. Why? Because many of today’s attacks begin with the user. According to Verizon’s Data Breach Investigations Report, 82% of breaches involve the human element — whether it’s stolen credentials, phishing, misuse or error.
Additionally, today’s businesses are hyper-connected, meaning that — in addition to your employees — customers, partners and suppliers are all part of your ecosystem. Couple that with hybrid work, IoT, the move to the cloud, and more emboldened attackers, and organizational risk increases exponentially.
Adopting a zero trust model can dramatically reduce this risk by eliminating implicit trust. It has become so crucial, in fact, that several governments including the U.S., UK and Australia have released mandates and guidance for how organizations should deploy zero trust to improve national security.
However, because zero trust is more of a concept than a technology, and so many vendors use the term, organizations struggle with the best way to implement it. At Cisco, we believe you should take a holistic approach to zero trust, starting with what you have and adding on as you identify gaps in your defenses. And while layers of protection are necessary for powerful security, so is ease of use.
Zero trust plays a major role in building security resilience, or the ability to withstand unpredictable threats or changes and emerge stronger. Through zero trust, the identity and security posture of users, devices and applications are continuously checked and verified to prevent network intrusions — and to also limit impact if an unauthorized entity does gain access.
Organizations with high zero trust maturity are twice as likely to achieve business resilience.
– Cisco’s Guide to Zero Trust Maturity
Eliminating trust, however, doesn’t really conjure up images of user-friendly technology. No matter how necessary they are for the business, employees are unlikely to embrace security measures that make their jobs more cumbersome and time-consuming. Instead, they want fast, consistent access to any application no matter where they are or which device they are using.
That’s why Cisco is taking a different approach to zero trust — one that removes friction for the user. For example, with Cisco Secure Access by Duo, organizations can provide those connecting to their network with several quick, easy authentication options. This way, they can put in place multi-factor authentication (MFA) that frustrates attackers, not users.
Cisco Secure Access by Duo is a key pillar of zero trust security, providing industry-leading features for secure access, authentication and device monitoring. Duo is customizable, straightforward to use, and simple to set up. It enables the use of modern authentication methods including biometrics, passwordless and single sign-on (SSO) to help organizations advance zero trust without sacrificing user experience. Duo also provides the flexibility organizations need to enable secure remote access with or without a VPN connection.
During Cisco’s own roll-out of Duo to over 100,000 people, less than 1% of users contacted the help desk for assistance. On an annual basis, Duo is saving Cisco $3.4 million in employee productivity and $500,000 in IT help desk support costs. Furthermore, 86,000 potential compromises are averted by Duo each month.
La-Z-Boy, one of the world’s leading residential furniture producers, also wanted to defend its employees against cybersecurity breaches through MFA and zero trust. It needed a data security solution that worked agnostically, could grow with the company, and that was easy to roll out and implement.
“When COVID first hit and people were sent home to work remotely, we started seeing more hacking activity…” said Craig Vincent, director of IT infrastructure and operations at La-Z-Boy. “We were looking for opportunities to secure our environment with a second factor…. We knew that even post-pandemic we would need a hybrid solution.”
“It was very quick and easy to see where Duo fit into our environment quite well, and worked with any application or legacy app, while deploying quickly.” – Craig Vincent, Director of IT Infrastructure and Operations, La-Z-Boy
Today, Duo helps La-Z-Boy maintain a zero trust framework, stay compliant, and get clear visibility into what is connecting to its network and VPN. Zero trust helps La-Z-Boy secure its organization against threats such as phishing, stolen credentials and out-of-date devices that may be vulnerable to known exploits and malware.
As mentioned, zero trust is a framework, not a single product or technology. For zero trust to be truly effective, it must do four things:
Many technology companies may offer a single component of zero trust, or one aspect of protection, but Cisco’s robust networking and security expertise enables us to provide a holistic zero trust solution. Not only can we support all the steps above, but we can do so across your whole IT ecosystem.
Modern organizations are operating multi-environment ecosystems that include a mix of on-premises and cloud technologies from various vendors. Zero trust solutions should be able to protect across all this infrastructure, no matter which providers are in use. Protections should also extend from the network and cloud to users, devices, applications and data. With Cisco’s extensive security portfolio, operating on multiple clouds and platforms, zero trust controls can be embedded at every layer.
Depending on where you are in your security journey, embedding zero trust at every layer of your infrastructure may sound like a lofty endeavor. That’s why we meet customers where they are on their path to zero trust. Whether your first priority is to meet regulatory requirements, secure hybrid work, protect the cloud, or something else, we have the expertise to help you get started. We provide clear guidance and technologies for zero trust security mapped to established frameworks from organizations like CISA and NIST.
Much of our Cisco Secure portfolio can be used to build a successful zero trust framework, but some examples of what we offer include:
All of our technologies and services are backed by the unparalleled intelligence of Cisco Talos — so you always have up-to-date protection as you build your zero trust architecture. Additionally, our open, integrated security platform — Cisco SecureX — makes it simple to expand and scale your security controls, knowing they will work with your other technologies for more unified defenses.
As Italy’s leading insurance company, Sara Assicurazioni requires complete visibility into its extended network, including a multi-cloud architecture and hybrid workforce. The company has adopted a comprehensive zero trust strategy through Cisco Secure.
“Our decentralized users, endpoints, and cloud-based servers and workloads contribute to a large attack surface,” says Paolo Perrucci, director of information and communications technology architectures and operations at Sara Assicurazioni. “With Cisco, we have the right level of visibility on this surface.”
“The main reason we chose Cisco is that only Cisco can offer a global security solution rather than covering one specific point…. Thanks to Cisco Secure, I’m quite confident that our security posture is now many times better because we are leveraging more scalable, state-of-the-art security solutions.” – Luigi Vassallo, COO & CTO, Sara Assicurazioni
To learn more, explore our zero trust page and sign up for one of our free zero trust workshops.
Watch video: How Cisco implemented zero trust in just five months
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Microsoft has confirmed one of its own misconfigured cloud systems led to customer information being exposed to the internet, though it disputes the extent of the leak.…
APT-C-50’s Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app
The post Domestic Kitten campaign spying on Iranian citizens with new FurBall malware appeared first on WeLiveSecurity
The Biden administration is pushing ahead with its drive to add cyber security labeling to consumer Internet of Things (IoT) devices, and may join other nations in adopting the scheme pioneered by Singapore.…
FreshRSS 