Login
If you’ve ever watched a thriller or horror movie, you’re probably familiar with the scene where someone is trying to keep a monster or attacker out so they barricade the doors and lock the windows and feel safe for 10 seconds…until someone remembers that the cellar door is unlocked and they discover the threat is already inside. That’s a pretty good metaphor for cybersecurity. IT security professionals scramble to protect and secure everything they’re aware of—but the one thing they’re not aware of is the Achilles heel that can bring everything crumbling down. That is why comprehensive visibility is crucial for effective cybersecurity.
You Can’t Protect What You Can’t See
As illustrated in the example above, you can have the best security possible protecting the attack vectors and assets you’re aware of, but that won’t do you any good if an attacker discovers an attack vector or asset you aren’t aware of and haven’t protected. It may not seem like a fair fight, but an attacker only needs one vulnerability to exploit. The burden is on the IT security team to make sure that everything is secured.
That’s easier said than done in today’s network environments. When you’re trying to keep a monster out of the house, you’re at least only dealing with a static and manageable number of doors and windows. In a dynamic, hybrid cloud, DevOps-driven, software-defined environment running containerized applications, the entire ecosystem can change in the blink of an eye and the number of assets to protect can increase exponentially. Employees have installed unauthorized routers and wireless access points and connected to unsanctioned web-based services that expose the network and sensitive data to unnecessary risk since the dawn of networking, but the advent of IoT (internet-of-things) has created an explosion in the volume of rogue devices.
Organizations need a tool that provides visibility of all IT assets—both known and unknown—including endpoints, cloud platforms, containers, mobile devices, OT and IoT equipment across hybrid and multi-cloud environment. It’s urgent for IT and cybersecurity teams to have comprehensive visibility and the ability to assess their security and compliance posture and respond in real-time to address challenges as they arise.
Vulnerability and Patch Management Can’t Replace Visibility
Since the dawn of cybersecurity, vulnerability and patch management have formed the backbone of effective protection. It makes sense. If you can proactively discover vulnerabilities in the hardware and software you use and deploy patches to fix the flaws or take steps to mitigate the risk, you should be able to prevent almost any attack.
Vulnerability and patch management are still important elements of effective cybersecurity, but comprehensive visibility is crucial. Finding and patching vulnerabilities without visibility provides a false sense of security. The assumption is that the environment is secure if all of the discovered vulnerabilities have been patched, but the reality is that only the vulnerabilities of the hardware and software you’re aware of have been patched. If you aren’t confident that you have an accurate, real-time inventory of your hardware and software assets, you’re not really secure.
Continuous Visibility Leads to Better Cybersecurity
Ideally, organizations need to have visibility of all IT assets—both known and unknown—throughout the entire IT infrastructure, spanning local networks and hybrid cloud environments. Imagine how much better your security and compliance posture would be if you actually knew—with confidence—what is on your global hybrid-IT environment at any given moment rather than relying on periodic asset scans that are already obsolete. What would it be like to have a single source of truth that enables you to identify issues and respond in real-time?
Visibility alone is not enough, though. It’s also crucial to have the right tools to do something with the information. Beyond visibility, you also need workflows to seamlessly connect to vulnerability and compliance solutions. For example, IT and cybersecurity teams should be able to add unmanaged devices and begin a scan, or tag unmanaged devices to initiate cloud agent installation to enable more comprehensive compliance checks.
Thankfully, the same platforms and technologies that make network visibility more complex and challenging also provide the power, scalability, and accessibility to deliver comprehensive, continuous visibility and tools and platforms that make it easier to run compliance and vulnerability programs. With the appropriate sensors placed strategically throughout the network and on devices, you can actively and continuously collect the necessary data.
The data can be stored in the cloud where the relevant IT, security and compliance information can be analyzed, categorized, enriched, and correlated. Because the data is stored and analyzed in the cloud, it has the flexibility and scalability to address spikes in assets resulting from high demand on containerized applications. It also simplifies and streamlines the ability to search for any asset and quickly determine its security posture.
With the right platform and tools, organizations have access to clean, reliable data—providing continuous visibility and relevant context to enable effective business decisions. It is also crucial for IT and cybersecurity teams to be able to quickly and easily find what they need. The information has to be available and accessible in seconds rather than minutes or hours or days so threats and issues can be addressed with urgency.
Knowledge Is Power
You can’t protect what you can’t see…or what you don’t know about. Don’t be the guy who thinks he is safe in the house while the monster crawls through an unlocked window at the back of the house. Effective cybersecurity is about knowing—with confidence and accuracy—what devices and assets are connected to your network and having the information and tools necessary to respond to threats in real-time.
Without comprehensive visibility, there will always be the chance that your false sense of security could be shattered at any time as attackers discover the vulnerable assets you aren’t aware of and exploit them to gain access to your network and data. Start with visibility. It is the foundation of effective cybersecurity, and it is absolutely essential.
About the Author: Shiva Mandalam is Vice President, Asset Management & Secure Access Controls at Qualys.
Copyright 2010 Respective Author at Infosec IslandWhen the news media reports on data breaches and other forms of cybercrime, the center of the story is usually a major software company, financial institution, or retailer. But in reality, these types of attacks are merely part of the damage that global hackers cause on a daily basis.
Town and city governments are becoming a more common target for online criminals. For example, a small city in Florida, Riviera Beach, had their office computers hacked and ended up paying $600,000 to try to reverse the damage. Hackers saw this as a successful breach and are now inspired to look at more public institutions that could be vulnerable.
Why are cities and towns so susceptible to hacking, how are these attacks carried out, and what steps should administrators take to protect citizen data?
How Hackers Choose Targets
While some cybercriminals seek out exploits for the sole purpose of causing destruction or frustration, the majority of hackers are looking to make money. Their aim is to locate organizations with poor security practices so that they can infiltrate their networks and online systems. Sometimes hackers will actually hide inside of a local network or database for an extended period of time without the organization realizing it.
Hackers usually cash in through one of two ways. The first way is to try to steal data, like email addresses, passwords, and credit card numbers, from an internal system and then sell that information on the dark web. The alternative is a ransomware attack, in which the hacker holds computer systems hostage and unusable until the organization pays for them to be released.
City and town governments are becoming a common target for hackers because they often rely on outdated legacy software or else have built tools internally that may not be fully secure. These organizations rarely have a dedicated cybersecurity team or extensive testing procedures.
The Basics of Ransomware
Ransomware attacks, like the one which struck the city government of Riviera Beach, can begin with one simple click of a dangerous link. Hackers will often launch targeted phishing scams at an organization's members via emails that are designed to look legitimate.
When a link within one of these emails is clicked, the hacker will attempt to hijack the user's local system. If successful, their next move will be to seek out other nodes on the network. Then they will deploy a piece of malware that will lock all internal users from accessing the systems.
At this point, the town or city employees will usually see a message posted on their screen demanding a ransom payment. Some forms of ransomware will actually encrypt all individual files on an operating system so that the users have no way of opening or copying them.
Ways to Defend Yourself
Cybersecurity threats should be taken seriously by all members of an organization. The first step to stopping hackers is promoting awareness of potential attacks. This can be done through regular training sessions. Additionally, an organization’s IT department should evaluate the following areas immediately.
Looking Ahead
Local governments need to maintain a robust risk management approach while preparing for potential attacks from hackers. Most security experts agree that the Riviera Beach group actually did the wrong thing by paying out the hacker ransomware. This is because there's no guarantee that the payment will result in the unlocking of all systems and data.
During a ransomware attack, an organization needs to act swiftly. When the first piece of malware is detected, the infected hardware should be immediately shut down and disconnected from the local network to limit the spread of the virus. Any affected machine should then have its hard drive wiped and restored to a previous backup from before the attack began.
Preparing for different forms of cyberattack is a critical activity within a disaster recovery plan. Every organization should have their plan defined with various team members assigned to roles and responsibilities. Cities and towns should also consider investing in penetration testing from outside groups and also explore the increasingly popular zero-trust security strategy as a way to harden the network. During a penetration test, experts explore potential gaps in your security approach and report the issues to you directly, allowing you to fix problems before hackers exploit them.
Final Thoughts
With ransomware attacks, a hacker looks to infiltrate an organization's network and hold their hardware and data files hostage until they receive a large payment. City and town government offices are becoming a common target for these instances of cybercrime due to their immature security systems and reliance on legacy software.
The only way to stop the trend of ransomware is for municipal organizations to build a reputation of having strong security defenses. This starts at the employee level, with people being trained to look for danger online and learning how to keep their own hardware and software safe.
About the author: A former defense contractor for the US Navy, Sam Bocetta turned to freelance journalism in retirement, focusing his writing on US diplomacy and national security, as well as technology trends in cyberwarfare, cyberdefense, and cryptography.
Copyright 2010 Respective Author at Infosec Island
Traditional security solutions were designed to identify threats at the perimeter of the enterprise, which was primarily defined by the network. Whether called firewall, intrusion detection system, or intrusion prevention system, these tools delivered “network-centric” solutions. However, much like a sentry guarding the castle, they generally emphasized identification and were not meant to investigate activity that might have gotten past their surveillance.
Modern threats targeting public clouds (PaaS or IaaS platforms) require a different level of insight and action. Since executables come and go instantaneously, network addresses and ports are recycled seemingly at random, and even the fundamental way traffic flows have changed, compared to the traditional data center. To operate successfully in modern IT infrastructures, we must reset how we think about security in cloud.
Surprisingly, many organizations continue to use network-based security and rely on available network traffic data as their security approach. It’s important for decision makers to understand the limitations inherent in this kind of approach so they don’t operate on a false sense of security.
To help security professionals understand the new world of security in the cloud, below are five specific use cases where network-centric security is inadequate to handle the challenges of security in modern cloud environments:
1. Network-based detection tends to garner false positives
Nothing has confounded network security as much as the demise of static IP addresses and endpoints in the cloud. Endpoints used to be physical; now they are virtual and exist as containers. In the cloud, everything is dynamic and transient; nothing is persistent. IP addresses and port numbers are recycled rapidly and continuously, making it impossible to identify and track over time which application generated a connection just by looking at network logs. Attempting to detect risks, and threats using network activity creates too many irrelevant alerts and false positives.
2. Network data doesn’t associate cloud sessions to actual users
The common DevOps practice of using service and root accounts has been a double-edged sword. On one hand, it removes administrative roadblocks for developers and accelerates even further the pace of software delivery in cloud environments. On
the other hand, it also makes it easier to initiate attacks from these “privileged” accounts and gives attackers another place to hide. By co-opting a user or service account, cybercriminals can evade identity-aware network defenses. Even correlating traffic with Active Directory can fail to provide insights into the true user. The only way to get to the true user of an application is to correlate and stitch SSH sessions, which is simply not possible with network only information.
3. The network attack surface is no longer the only target for cyber attacks
Illicit activities have moved beyond the network attack surface in the cloud. Here are four common attack scenarios that involve configuration and workloads (VMs or containers) in public clouds, but will not appear in network logs:
4. When it comes to container traffic, network-based security is blind
Network logs capture network activities from one endpoint (physical or virtual server, VM, user, or generically an “instance”) to another along with many attributes of the communication. Network logs have no visibility inside an instance. In a typical modern micro-services architecture, multiple containers will run inside the same instance and their communication will not show up on any network logs. The same applies to all traffic within a workload. Containerized clouds are where cryptocurrency mining attacks often start, and network-based security has no ability to detect the intrusion.
5. Harmful activity at the storage layer is not detected
In cloud environments, the separation of compute and storage resources into two layers creates new direct paths to the data. If the storage layer is not configured properly, hackers can target APIs and conduct successful attacks without being detected by network-based security. On AWS specifically, S3 bucket misconfigurations common and have left large volumes of data exposed. Data leaks due to open buckets will not appear on network logs unless you have more granular information that can detect that abnormal activity is taking place.
Focusing exclusively on network connections is not enough to secure cloud environments. Servers and endpoints don’t yield any better results as they come and go too fast for an endpoint-only strategy to succeed. So, what can you do? Take a different approach altogether. Collect data at the VM and container level, organize that data into logical units that give security insights, and then analyze the situation in real-time. In other words, go deep vertically when collecting data from workloads, but analyze the information horizontally across your entire cloud. This is how you can focus on the application’s behaviors and not on network 5-tuples or single machines.
About the author: Sanjay Kalra is co-founder and CPO at Lacework, leading the company’s product strategy, drawing on more than 20 years of success and innovation in the cloud, networking, analytics, and security industries.
Copyright 2010 Respective Author at Infosec IslandOver 1 million South Korea-issued Card Present records have been posted for sale on the dark web since the end of May, Gemini Advisory says.
The security firm could not pinpoint the exact compromised point of purchase (CPP), but believes the records may have been obtained either from a breached company operating several different businesses or from a compromised point-of-sale (POS) integrator.
Amid an increase in attacks targeting brick-and-mortar and e-commerce businesses in the Asia Pacific (APAC) region, South Korea emerges as the largest victim of Card Present (CP) data theft by a wide margin, Gemini Advisory says.
Although EMV chips have been used in the country since 2015 and compliance is mandatory since July 2018, CP fraud still frequently occurs, especially due to poor merchant implementation.
In May 2019, Gemini Advisory found 42,000 compromised South Korea-issued CP records posted for sale on the dark web, with a 448% spike in June, when 230,000 records were observed. In July, there were 890,000 records posted, marking a 2,019% increase from May.
Overall, more than 1 million compromised South Korea-issued CP records have been posted for sale on the dark web since May 29, 2019.
The security firm also identified 3.7% US-issued cards, with a credit union that primarily serves the US Air Force emerging as one of the most impacted US financial institutions (the Air Force maintains multiple air bases in South Korea).
“Through an in-depth analysis of the compromised cards, analysts determined that many of them belong to US cardholders visiting South Korea. Since South Korea has received just over 1 million US travelers in the past 12 months, this should account for the high level of US payment records,” Gemini Advisory says.
The median price per record is $40, significantly higher than the $24 median price of South Korean CP records across the dark web overall, the security firm notes. While 2018 marked a relatively large supply of such records, but a low demand, 2019 saw lower supply, but a growing demand.
“The demand continued to increase while the supply remained stagnant until the recent spike in South Korean records from June until the present. This sudden influx in card supply may be highly priced in an attempt to capitalize on the growing demand,” Gemini Advisory notes.
The security firm says attempts to explore potential CPPs were not fruitful, as there were too many possible businesses affected by this breach. The most likely scenarios suggest that either a large business was compromised, or that a POS integrator was breached, impacting multiple merchants.
“South Korea’s high CP fraud rates indicate a weakness in the country’s payment security that fraudsters are motivated to exploit. As this global trend towards increasingly targeting non-Western countries continues, Gemini Advisory assesses with a moderate degree of confidence that both the supply and demand for South Korean-issued CP records in the dark web will likely increase,” the security firm concludes.
Related: A Crash-Course in Card Shops
Related: Payment Card Data Stolen From AeroGrow Website
Copyright 2010 Respective Author at Infosec Island
FreshRSS