InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Forget Sergeant Pepper and his Lonely Hearts Club Band, who taught the band to play a mere 20 years ago today.
December 2022 sees the 35th anniversary of the first major self-spreading computer virus â the infamous CHRISTMA EXEC worm that temporarily crushed the major mainframe networks of the dayâŠ
⊠not by any deliberately coded side-effects such as file scrambling or data deletion, but simply by leeching too much network bandwidth for its own unauthorised purpose.
As a decoy to disguise the fact that it read in the 1980s IBM equivalents of your email address book (NAMES) and your known-hosts file (NETLOG) in order to find as many new recipients of the malware as possible to send itself to, the malware displayed this:
*
*
***
*****
*******
*********
************* A
*******
*********** VERY
***************
******************* HAPPY
***********
*************** CHRISTMAS
*******************
*********************** AND MY
***************
******************* BEST WISHES
***********************
*************************** FOR THE NEXT
******
****** YEAR
******
If youâre wondering why the virus is widely known as CHRISTMA EXEC, rather than by the full word CHRISTMASâŠ
âŠthatâs because filenames were limited to eight characters, which could be followed by a space and what we would today call an âextensionâ of EXEC in order to turn them into scripts that could be run directly by the user â executed, in technical jargon.
The virus itself was written in IBMâs powerful text-based scripting language REXX (the resoundingly named Restructured Extended Executor), so a non-programmer looking at the message would probably recognise it as âprogram codeâ, and therefore tend to ignore it as unimportant and irrelevant, for all that it might look interesting.
Except that the author of the virus found a cheerful way to embed an instructional lure right into the code itself, which starts with a remark (as in the C language, text between /* and */ in REXX programs is treated as a comment and ignored when the file gets used)âŠ
/*********************/
/* LET THIS EXEC */
/* */
/* RUN */
/* */
/* AND */
/* */
/* ENJOY */
/* */
/* YOURSELF! */
/*********************/
âŠand then offers the following cheery advice to non-techies:
/* browsing this file is no fun at all
just type CHRISTMAS from cms */
CMS is short for Conversational Monitor System, a command prompt environment on top of IBMâs venerable VM/370 operating system and its many variants, which offered individual users a real-time virtual machine that behaved like a computer all of their own, with its own disk space for storing personal files and programs.
Handily, the user didnât have to be taught to leave the final -S off the word CHRISTMAS, because CMS would automatically ignore any extra characters and hunt for CHRISTMA EXEC, which was the very script program that the user had just received without expecting it or asking for it.
As stated above, the code did indeed display the Christmas Tree ASCII art â or, more precisely, EBCDIC art, given that IBM famously had its own character encoding system known as Extended Binary Coded Decimal Interchange Code (pronounced ebb-si-dick).
But it also trawled through your NAMES and NETLOG files, which listed other users and computers you regularly contacted, and copied itself to all of them, so that for every user who innocently typed CHRISTMAS at the command promptâŠ
âŠa sea of copies of the virus (20? 50? 200?) would be distributed, potentially worldwide, and if any of those recipients (20? 50? 200?) innocently typed CHRISTMAS at the command promptâŠ
âŠa sea of copies of the virus would be distributed, and so on, and so on.
[This is j]ust like modern macro malware that says to the user, âHey, macros are disabled, but for your âextra safetyâ you need to turn them back on⊠why not click the button? Itâs much easier that way.â
35 years ago, malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.
A Vulnerability Scanning Tool is one of the essential tools in IT departments Since vulnerabilities pop up every day and thus leaving a loophole for the organization.
The Vulnerability scanning tools help in detecting security loopholes in the application, operating systems, hardware, and network systems.
Hackers are actively looking for these loopholes to use them to their advantage. Vulnerabilities inside a network need to be identified and fixed immediately to leave your attackers at bay.
What does a Vulnerability Scanner do?
Vulnerability scanners are one right way to do this, with their continuous and automated scanning procedures they can scan the network for potential loopholes.
It is on your internet or any device, they would help the IT departments identify the vulnerability and fix it both manually and automatically.
Vulnerability scanning tools do have two different approaches for performing their routines, authenticated and unauthenticated scans.
In the latter case, a penetration tester will show the scan disguised as a hacker without him having trusted access to the corporate network.
What are the Three types of Vulnerability Scanners?
This type of scan will help organizations identify the loopholes which will allow hackers to penetrate the system without trusted permissions.
Following are the types of vulnerability scanners
Discovery Scanning
Full Scanning
Compliance Scanning
What is an example of a Vulnerability Scanner?
The best Web vulnerability scanner in the market should allow you to perform both authenticated and unauthenticated types of scans to nullify network vulnerabilities among other related vulnerability scanners online
In this article, weâll take a look at the top 10 best vulnerability scanning tools available in the market.
As organizations begin to address the risks of an increasingly complex digital landscape, they are recognizing that cybersecurity challenges are compounded by a lack of available talent and skills to mount a necessary defense. The digital skills shortage in the U.S. is at a critical point, highlighting a need for increased investment in workforce training. The Biden White House recently said that roughly 700,000 cyber-defense-related positions nationally are unfilled.
Clearly, CISOs and leaders across the C-suite are focused on the challenge, and many are investing heavily in shoring up gaps in their cybersecurity approach. In an age when a cyberattack can be an existential threat to any organization, cybersecurity engineers will serve as the first responders to such threats.
But organizations are struggling to fill these roles. Cyber professionals face ever-increasing pressure to keep up with more sophisticated and complex threats. The burnout in the profession is significant. Whatâs more, there hasnât been a good understanding of the variety of jobs that there are in cybersecurity, and the various skills that can be leveraged for those jobs.
What complicates the effort to fill these roles are the demands placed on them. A strong cybersecurity professional must have advanced skills and experience in the following: meeting the immediate needs of securing the enterprise while also satisfying regulators and compliance officials; keeping a close eye on protections for customers and their personal data; and, if an incident occurs, navigating those interactions and coordinating with law enforcement. These are skills rarely found together.
In fact, not only is there a challenge in filling day-to-day roles within the cybersecurity portfolio, there is also a leadership gap. Many highly skilled cybersecurity professionals avoid taking leadership positions in the field precisely because they do not feel prepared to take on these multivariate tasks.
The solution rests in a two-pronged approach.
#1. Leverage cybersecurity frameworks and automation.
Organizations need to reduce the demand on crisis cyber defense by deploying automated platforms and technologies, such as zero trust security, to screen out threats and examine their entire value chain â including suppliers, vendors and others who may be the source of the greatest potential risks. As part of this effort, trained cybersecurity professionals should be deployed during the software development lifecycle and across business processes so that security and protections can be embedded by design rather than bolted on later.
On the morning of August 4, 2022, Advanced, a supplier for the UKâs National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHSâs 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.
ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.
The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex Aâs controls include patch management, antivirus and access control. Itâs worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.
Why is ISO 27001 being updated?
Itâs been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape.Â
With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.
Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.
In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.
How can ISO 27001 certification benefit your business?
Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.
Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their usersâ minds.
Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.
In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.
Thereâs also the matter of education. Often, an organizationâs weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.
Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.
Overcoming the challenge of ISO 27001 certification
A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, theyâve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organizationâs information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.
While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:
Resources â time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.
Next steps toward a successful future
While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.
Itâs also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standardâs publication before ISO 27001:2013 is fully retired.
Ultimately, itâs vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in todayâs hyper-connected world.
The associated risk management programs are also constantly evolving, and thatâs likely due to outside influences such as client contract requirements, board requests and/or specific security incidents that require security teams to rethink and strengthen their strategy. Not surprisingly, CISOâs today face several dilemmas: How do I define the business impact of a cyber event? How much will it cost to protect our companyâs most valuable assets? Which investments will make the business most secure? How do we avoid getting sidetracked by the latest cyber breach headline?
A mature risk analysis program can be thought of as a pyramid. Customer-driven framework compliance forms the base (PCI/ISO frameworks required for revenue generation); then incident-driven infrastructure security in the middle (system-focused security based on known common threats and vulnerabilities); with analysis-driven comprehensive coverage at the pinnacle (identification of assets, valuations, and assessment of threat/vulnerability risk).
How do you kickstart that program? Here are five steps that Iâve found effective for getting risk analysis off the ground.
Determine enterprise-specific assets
The first step is determining what is critical to protect. Unlike accounting assets (e.g., servers, laptops, etc.), in cybersecurity terms this would include things that are typically of broader business value. Often the quickest path is to talk with the leads for different departments. You need to understand what data is critical to the functioning of each group, what information they hold that would be valuable to competitors (pricing, customers, etc.) and what information disclosures would hurt customer relationships (contract data, for instance).
Also assess whether each department handles trade secrets, or holds patents, trademarks, and copyrights. Finally, assess who handles personally identifiable information (PII) and whether the group and its data are subject to regulatory requirements such as GDPR, PCI DSS, CCPA, Sarbanes Oxley, etc.
When making these assessments, keep three factors in mind: what needs to be safe and canât be stolen, what must remain accessible for continued function of a given department or the organization, and what data/information must be reliable (i.e., that which canât be altered without your knowledge) for people to do their jobs.
Value the assets
Once youâve identified these assets, the next step is to attach a value. Again, I make three recommendations: keep it simple, make (informed) assumptions, and err on the side of overestimating. The reason for these recommendations is that completing a full asset valuation for an enterprise would take years and wouldnât ever be finished (because assets constantly change).
Efficient risk analysis requires a more practical approach that uses broad categories, which can then be prioritized to understand where deeper analysis is needed. For instance, you might use the following categories, and assign values based on informed assumptions:
Competitive advantage â the items/processes/data that are unique to your company and based on experience. These are items that would be of value to a competitor to build on. To determine value, consider the cost of growing a legitimate competitor in your dominant market from scratch, including technology and overhead.
Client relationships â what directly impacts customer relationships, and therefore revenue. This includes âavailabilityâ impacts from outages, SLAs, etc. Value determination will likely be your annual EBIT goal, and impact could be adjusted by a Single Loss Exposure.
Third-party partnerships â relating to your ability to initiate, maintain or grow partner networks, such as contractors, ISPs or other providers. When valuing, consider the employee labor cost needed to recruit and maintain those partners.
Financial performance â items that impact your companyâs ability to achieve financial goals. Again, valuation might equate to annual EBIT.
Employee relations â the assets that impact your ability to recruit and retain employees. Valuation should consider the volume of potential losses and associated backfill needs, including base salaries, bonuses, benefit equivalencies, etc.
Determine relevant threats, assess vulnerability, and identify exposures
When it comes to analyzing risk from threats, vulnerabilities and exposures, start with the common security triad model for information security. The three pillars â Confidentiality, Integrity and Availability (CIA) â help guide and focus security teams as they assess the different ways to address each concern.
Confidentiality touches on data security and privacy; it entails not only keeping data safe, but also making sure only those who need access, have it.
Integrity reflects the need to make sure data is trustworthy and tamper-free. While data accuracy can be compromised by simple mistakes, what the security team is more concerned with is intentional compromise thatâs designed to harm the organization.
Availability is just what it sounds like â making sure that information can be accessed where and when needed. Availability is an aspect of the triad where security teams need to coordinate closely with IT on backup, redundancy, failover, etc. That said, it also involves everything from secure remote access to timely patches and updates to preventing acts of sabotage like denial of service or ransomware attacks.
In undertaking this part of the risk assessment, youâre using this security triad to determine threats, and then identifying exposure and assessing vulnerability to better estimate both the potential impact and probability of occurrence. Once these determinations are made, youâre ready for the next step.
Define risk
AV = assigned Asset Value (quantitative/qualitative) as identified above. EF = the Exposure Factor, a subjective assessment of the potential percentage loss to the asset if a specific threat is realized. For example, an asset may be degraded by half, giving an EF of 0.50.
From this we can calculate the Single Loss Expectancy (SLE) â the monetary value from one-time risk to an asset â by multiplying AV and EF. As an example, if the asset value is $1M, and the exposure factor from a threat is a 50% loss (0.50) then the SLE will be $500,000.
Risk definition also takes this one step further by using this SLE and multiplying it by a potential Annualized Rate of Occurrence (ARO) to come up with the Annualized Loss Expectancy (ALE). This helps us understand the potential risk over time.
When working through these figures, itâs important to recognize that potential loss and probability of occurrence are hard to define, and thus the potential for error is high. Thatâs why I encourage keeping it simple and overestimating when valuing assets â the goal is to broadly assess the likelihood and impact of risk so that we can better focus resources, not to get the equations themselves perfectly accurate.
Implement and monitor safeguards (controls)
Now that we have a better handle on the organizational risks, the final steps are more familiar territory for many security teams: implementing and monitoring the necessary and appropriate controls.
Youâre likely already very familiar with these controls. They are the countermeasures â policies, procedures, plans, devices, etc. â to mitigate risk.
Controls fall into three categories: preventative (before an event), detective (during) and corrective (after). The goal is to try to stop an event before it happens, quickly react once it does, and efficiently get the organization back on its feet afterward.
Implementing and monitoring controls are where the rubber hits the road from a security standpoint. And thatâs the whole point of the risk analysis, so that security professionals can best focus efforts where and how appropriate to mitigate overall organizational risk.
In an increasingly technologically-based world, being certain of precisely who you are speaking to or doing business with can be tricky. Identity verification is an important step in most online transactions that concern money or sensitive information and services, but it can also be used during recruitment processes as a part of a background check.
This article will explain what an identity verification service is, why they are useful, and how they work.
What is an Identity Verification Service?
An identity verification service is a process by which the information and identity provided by an individual is investigated and found to be true or false. These comprehensive online services are based on the traditional identity verification processes used in banks and other financial institutions when new accounts are opened.
Technological services are more robust and comprehensive in their verification methods, however. The point of this process is to check and verify that the person applying for an account or service is being honest and upfront about who they are.
Using an identity verification service enables you to confirm that you are performing a background check on, or providing a service to, a person who is identifying themselves correctly. This ensures that the information you receive from a check is correct and connected to the person you are dealing with.
There are other reasons to use such a service, however. For example, if you run a business with an online component identity verification at login, itâs important for data protection purposes.
Identity verification is also an important part of risk management for most businesses and can help you to avoid fines and legal issues, reduce the risk of fraud, and help you to meet regulatory requirements while showing due diligence.
How Do Identity Verification Services Work?
Digital identity verification services collect and verify personal data and information, usually at the point of account access or onboarding to a new service, by checking it against reputable sources. There are different approaches to this process:
Data-oriented digital verification
Traditional, document-based digital identity verification
In most cases, data-based identity verification is sufficient, especially for platforms such as online shopping or online lottery ticket purchases. In these cases, the service provider or business may request information such as your date of birth, full name, or national ID/social security number.Â
For financial services, such as banking or personal loan applications, however, digital document-based verification is usually required. In these cases, the institution or business you are dealing with may request copies or pictures of official documents, such as your driverâs license or birth certificate.
Whichever method of identity verification a company or institution undertakes, the process of verification is the same. The documents or data provided will be checked against trusted sources to ensure that all details match perfectly. When there are no issues, this is a very quick process that should take no more than a few minutes.
What Happens When An Identity Check Fails?
So, what happens when the identity verification process fails? What are the secondary processes, and what are the repercussions when information is found to be false? There are a number of potential issues that can cause queries or failures in the identity verification process. The most common are:
Typos or spelling errors.
Out-of-date documentation.
Obscured or damaged documentation.
Poor image quality regarding documentation.
In most cases, the first reaction of a company will be to query the details that do not match or request that documentation be re-sent. If all is in order, they may proceed to a positive verification, but it is also common for companies to ask for secondary or supporting information or documents in these cases.
If issues cannot be resolved and it is impossible to verify the identity of a person, there are two possibilities. Firstly, and in most cases, services will be denied to the applicant on the basis of failed identity verification.
In some cases, however, more robust action may be taken. For example, trying to open a bank account under a false name is a legal offense and financial institutions may see fit to hand information over to the authorities.Â
What’s Amazon Rekognition Identity Verification | Amazon Web Services
The 2022 database is said to contain WhatsApp user data from 84 countries with Egypt having the largest chunk of stolen phone numbers.
In what is becoming a rather common trend, a threat actor is claiming to sell 487 million WhatsApp usersâ mobile phone numbers on a popular hacking community forum which surfaced as an alternative to popular and now-sized Raidforums.
The 2022 database is said to contain WhatsApp user data from 84 countries with Egypt having the largest chunk of stolen phone numbers (45 million), Italy with 35 million, and the US with 32 million.
The complete list of countries is included in the original report by Cybernews which also contains the exact amount of numbers up for sale. According to the threat actor, they are willing to sell the US dataset for $7000, the UK one for $2500, and the German one for $2000.Â
Upon being requested, the threat actor also shared a sample of data with researchers who then confirmed that the numbers included in the sample were in fact WhatsApp users. The exact sample contained 1097 UK and 817 US mobile numbers.
The seller did not reveal their process for obtaining the database and simply said they âused their strategyâ to collect the data. Whatever the method used, the damage that can be caused by this leakage should not be taken lightly.
Such data is readily bought by attackers to use for smishing and vishing attacks. It is advised that you cautiously interact with unknown calls, unsolicited calls, and messages. Impersonation and fraud are also common worries associated with mobile number leakage.
Meta has refused to comment on this for now, while in their report, Cybernews speculates that this information could have been obtained by harvesting information at scale, also known as scraping, which violates WhatsAppâs Terms of Service.
However, Hackread.com can confirm that, at the time of writing, the listing was deleted from the hacker forum. Another listing was published in which another threat actor is claiming to sell details of WhatsApp users.
The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security. CISA is in charge of enhancing cybersecurity and infrastructure protection at all levels of government, coordinating cybersecurity initiatives with American U.S. states, and enhancing defenses against cyberattacks.
To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services.
Cyber Hygiene Vulnerability Scanning
You can register for this service by emailing vulnerability@cisa.dhs.gov. Scanning will start within 3 days, and youâll begin receiving reports within two weeks. Once initiated, this service is mostly automated and requires little direct interaction.
Cybersecurity Evaluation Tool (CSET)
This tool provides organizations with a structured and repeatable approach to assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.
Checklist for implementing cybersecurity measures
This document outlines four goals for your organization:
Reducing the likelihood of a damaging cyber incident
Detecting malicious activity quickly
Responding effectively to confirmed incidents
Maximizing resilience.
Known Exploited Vulnerabilities (KEV) Catalog
The KEV Catalog enables you to identify known software security flaws. You can search for software used by your organization and, if itâs found, update it to the most recent version in accordance with the vendorâs instructions.
Malcolm network traffic analysis tool suite
Malcolm is comprised of several widely used open source tools, making it an attractive alternative to security solutions requiring paid licenses.
The tool accepts network traffic data in the form of full packet capture (PCAP) files and Zeek logs. Visibility into network communications is provided through two interfaces: OpenSearch Dashboards, a data visualization plugin with dozens of prebuilt dashboards providing an at-a-glance overview of network protocols; and Arkime, a tool for finding and identifying the network sessions comprising suspected security incidents. All communications with Malcolm, both from the user interface and from remote log forwarders, are secured with industry standard encryption protocols.
Malcolm operates as a cluster of Docker containers, isolated sandboxes which each serve a dedicated function of the system.
ust under two months ago, some worrying bug news broke: a pair of zero-day vulnerabilities were announced in Microsoft Exchange.
As we advised at the time, these vulnerabilities, officially designated CVE-2022-41040 and CVE-2022-41082:
[were] two zero-days that [could] be chained together, with the first bug used remotely to open enough of a hole to trigger the second bug, which potentially allows remote code execution (RCE) on the Exchange server itself.
The first vulnerability was reminiscent of the troublesome and widely-abused ProxyShell security hole from back in August 2021, because it relied on dangerous behaviour in Exchangeâs Autodiscover feature, described by Microsoft as a protocol that is âused by Outlook and EAS [Exchange ActiveSync] clients to find and connect to mailboxes in Exchangeâ.
Fortunately, the Autodiscover misfeature that could be exploited in the ProxyShell attack by any remote user, whether logged-in or not, was patched more than a year ago.
Unfortunately, the ProxyShell patches didnât do enough to close off the exploit to authenticated users, leading to the new CVE-2022-40140 zero-day, which was soon laconically, if misleadingly, dubbed ProxyNotShell.
Did you know that not one of the top 50 undergraduate computer science programs in the U.S. requires a course in code or application security for majors? Yet the threatscape is only expanding.
A recent report by Security Journey reveals the gap left by academia when developers are being trained to write code, and the ways in which the current state of security awareness can evolve into continuous, programmatic, and more effective education. Other key suggestions from the discussion include:
Investment should be driven down from the top of organizations
Training must be relevant to each professional
Collaboration between industry and academia is needed
In this Help Net Security video, Jason Hong, Professor at Carnegie Mellon University, discusses the steps both industry and academia can take to improve application security knowledge and secure coding education.
Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.
As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:
Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they canât put in anything for you automatically if theyâre faced with a website theyâve never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name thatâs close enough be almost indistinguishable to the human eye, the password manager wonât be fooled because itâs typically looking out for the URL, the whole URL, and nothing but the URL.
With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA system typically work once only, whether theyâre sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely âproveâ they are you.
Unfortunately, these precautions canât immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attackâŠ
âŠat which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise thereâs anything phishy going on.
Even worse, the crooks will often aim to create what we like to call a âsoft dismountâ, meaning that they create a believable visual conclusion to their phishing expedition.
This often makes it look as though the activity that you just âapprovedâ by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.
Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.
The short but winding road
Hereâs a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.
The scammers:
Pretend that your own Facebook page violates Facebookâs terms of use. The crooks warn that this could to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether theyâre specifically concerned about Twitter or not:
APIs are a powerful tool for organizations to build innovative products and services. Research has shown that over 90% of developers use APIs and 56% have reported that APIs help them to develop better products. However, this increase in demand means there is also an increase in risk.
API security is not a new problem. Itâs something that organizations have been trying to tackle for years. But as cloud computing becomes ubiquitous, we are seeing an explosion in demand for secure APIs that provide reliable access to information from different sources over different networks (and even in real time). This means that there are many more potential points of entry for malicious actors looking to exploit vulnerabilities in your infrastructure or steal sensitive data through unconventional methods.
This article highlights and expands on 7 API security related statistics you should be aware of: 41% of organizations suffered API security incidents in the past year
91% of IT professionals believe API security should be considered a priority – This report shows that 91% of IT experts believe that API security should be prioritized especially because over 70% of corporate firms are expected to employ more than 50 APIs. 8 out of 10 IT administrators desire more authority over the APIs used by their company
Given that weâre getting into peak retail season, youâll find cybersecurity warnings with a âBlack Fridayâ theme all over the internetâŠ
âŠincluding, of course, right here on Naked Security!
As regular readers will know, however, weâre not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year.
Donât take cybersecurity seriously only when itâs Thanksgiving, Hannukah, Kwanzaa, Christmas or any other gift-giving holiday, or only for the New Year Sales, the Spring Sales, the Summer sales or any other seasonal discount opportunity.
As we said when retail season kicked off earlier this month in many parts of the world:
The best reason for improving your cybersecurity in the leadup to Black Friday is that it means you will be improving your cybersecurity for the rest of the year, and will encourage you to keep on improving through 2023 and beyond.
Having said that, this article is about a PayPal-branded scam that was reported to us earlier this week by a regular reader who thought it would be worth warning others about, especially for those with PayPal accounts who may be more inclined to use them at this time of year than any other.
The good thing about this scam is that you should spot it for what it is: made-up nonsense.
The bad thing about this scam is that itâs astonishingly easy for criminals to set up, and it carefully avoids sending spoofed emails or tricking you to visit bogus websites, because the crooks use a PayPal service to generate their initial contact via official PayPal servers.
Here goes.
Spoofing explained
A spoofed email is one that insists itâs from a well-known company or domain, typically by putting a believable email address in the From: line, and by including logos, taglines or other contact details copied from the brand itâs trying to impersonate.
Remember that the name and email address shown in an email next to the word From are actually just part of the message itself, so the sender can put almost anything they like in there, regardless of where they really sent the message from.
A spoofed website is one that copies the look and feel of the real thing, often simply by ripping off the exact web content and images from the original site to make it look as pixel-perfect as possible.
Scam sites may also try to make the domain name that you see in the address bar look at least vaguely realistic, for example by putting the spoofed brand at the left-hand end of the web address, so that you might see something like paypal.com.bogus.example, in the hope that you wonât check the right-hand end of the name, which actually determines who owns the site.
Other scammers try to acquire lookalike names, for example by replacing W (one W-for-Whisky character) with VV (two V-for Victor characters), or by using I (writing an upper case I-for-India character) in place of l (a lower case L-for-Lima).
But spoofing tricks of this sort can often be spotted fairly easily, for example by:
Learning how to examine the so-called headers of an email message, which shows which server a message actually came from, rather than the server that the sender claimed they sent it from.
Setting up an email filter that automatically scans for scamminess in both the headers and the body of every email message that anyone tries to send you.
Browsing via a network or endpoint firewall that blocks outbound web requests to fake sites and discards inbound web replies that include risky content.
Using a password manager that ties usernames and passwords to specific websites, and thus canât be fooled by fake content or lookalike names.
Email scammers therefore often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sitesâŠ
âŠas long as the scammers can come up with some way of maintaining contact after that initial message, in order to keep the scam going.
Facebook parent Meta has disciplined or fired at least 25 workers for allegedly hacking into user accounts. Some of the workers were contract security guards, weâre told.
Wait ⊠disciplined or fired? How were they not all fired? And prosecuted? And how come security guards have access to Facebookâs internal account-recovery tools?
All these questions and more will be asked in todayâs SB Blogwatch. Please tell me itâs the weekend tomorrow.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Hello there.
The online world has never been risk-free and in 2022 the risks posed by cybercriminals are a threat to all internet users. As scams and phishing methods become more complex there is a greater need for the individual to adopt a range of best practices to protect their personal information.
Cybercriminals can target both individuals and businesses using a wide range of methods: malware can be activated by clicking on malicious links; personal details can be harvested simply by visiting unsecure sites.
Whether you like to surf the internet for fun and recreation, use it as a platform for online trading, or buy a range of products and services, staying safe online should always be a priority. It is a sobering fact that thousands of pieces of malware are created every day.
Stay safer online by following these three top tips.
Be vigilant when trading
Millions of people around the world now regularly trade online and increasingly that trade is in cryptocurrencies such as Bitcoin. With a wide range of cryptocurrencies now available, it is more important than ever to check that the site you trade on is secure.
As a rule, you should only trade on sites that feature the padlock icon in their web address, such as can be seen at OKX. This padlock icon proves that the site is secure and uses SSL encryption to ensure that any financial or personal information is transmitted safely.
It is also good practice to look at reviews from trading platforms. Customer experiences of using these sites can be a valuable source of information on the security of a platform. When trading online or undertaking any type of internet purchasing activity, it is also important to remember not to use unsecured networks.
Surfing in coffee shops and shopping malls can be an attractive proposition but should be avoided whenever any transactions are taking place; otherwise, a cybercriminal could easily pose as a contact from a website you have visited â leaving you open to phishing attacks in the future.
Use strong passwords
Whilst most people realize the value of having strong passwords across all the sites they use, it is still surprising how many people do not adhere to this best practice. Many consumers use the same passwords across numerous platforms and sites or use exceptionally weak passwords that can be cracked with a minimum amount of effort.
Today, search engines can suggest strong passwords and store them securely. This method can make consumers safer online whilst also freeing the need to memorize complex passwords. Put simply, if you use weak or repetitive passwords across sites, you are making it easy for a cybercriminal to harvest your personal details or hack your accounts.
Stay up to date
Another common practice that tends to be overlooked by millions of web visitors is to keep applications and devices up to date with the latest firmware. It is vitally important to check for system and firmware updates on a regular basis. Whilst many updates offer stability improvements or bug fixes, they often contain the latest security updates that keep devices and applications more secure.
Running software or operating systems that do not have the latest patches leaves them far more vulnerable to attack, so make a point of checking for updates across your devices on a regular basis to ensure that you benefit from the latest security features.
In summary, follow the above advice to avoid falling victim to one (or more) of the 300,000 pieces of malware that are created every day.
The most prominent CMS today is WordPress which is being used by over 455 million across the globe.
As the internet becomes increasingly integral to daily life, website security is more important than ever. Hackers can gain access to sensitive information, like credit card numbers and social security numbers, through websites with weak security. This can lead to identity theft and financial fraud.
Your websiteâs CMS (content management system) works as the backbone of your entire setup. The most prominent CMS today is WordPress which is being used by over 455 million across the globe. Naturally, WordPress is a lucrative target for cybercriminals and highlights the fact why WordPress security should never be ignored.
WordPress or another other CMS, while 100% security may be a myth, there are a few things you can do to ensure your website is secure from external and internal threats.
Secure Hosting
A website is a powerful tool that can help businesses of all sizes reach new customers and grow. However, a website is only as secure as the hosting provider that it uses. Thatâs why itâs important to choose a secure website hosting provider when setting up your website. Here are two things to look for in a secure website hosting provider:
1. Industry-Leading Security Measures: A good web hosting provider will have industry-leading security measures in place to protect your website from hackers and other online threats. This includes things like firewalls, DDoS protection, and malware scanning.
2. Regular Backups: In the event that your website is hacked or compromised, regular backups will ensure that you can quickly restore your site to its previous state. A good web hosting provider will perform regular backups of your site automatically.
Strengthening Login Credentials
According to studies, around 8 percent of hacked WordPress websites are due to weak passwords. However, as the largest self-hosted blogging tool in the world, WordPress has a responsibility to its users to keep their information safe. One way it does this is by natively offering two-factor authentication (2FA).
Two-factor authentication is an extra layer of security that requires not only a username and password but also something that the user has on them, like a phone. This makes it much harder for someone to hack into a WordPress account, even if they have the login credentials.
WordPress offers 2FA through several different methods, including SMS text messages, email, and authenticator apps. Which method you choose is up to you, but we recommend using an authenticator app like Authy or Google Authenticator.
Updated Plugins
The reason why WordPress powers millions of websites and blogs is its user-friendliness and free plugins. Although WordPress is good at adding new features and constantly issues security patches, zero-day vulnerabilities can be a calamity.
Therefore, always keep your plugins up to date because newer versions of plugins often fix security vulnerabilities that older versions had. Outdated plugins can cause compatibility issues with other plugins or with WordPress itself.
Additionally, newer versions of plugins usually have new features and improvements that can make your site run better. So next time you see a plugin update available, donât ignore it â go ahead and update!
Hiding WordPress Login URL
There are a few reasons webmasters might want to change the default WordPress login URL. By doing so, you can help keep your site more secure from hackers and bots who try to gain access by brute force. Additionally, it can also deter casual users from trying to snoop around areas of your site they shouldnât be.
If youâre running a membership site or online community, you may also want to change the login URL to something more branded and memorable for your users. By making it easy for them to find and login, you can reduce frustration and increase adoption.
Whatever your reason for wanting to change the WordPress login URL, itâs actually quite easy to do. There are a few different methods you can use, including plugins and editing code directly.
Login Limit Plugin
As a website owner, itâs important to make sure that your site is secure. One way to do this is by using a WordPress login limit plugin. This type of plugin will help to protect your site by limiting the number of failed login attempts.
There are many benefits of using a WordPress login limit plugin. By limiting the number of failed login attempts, you can help to prevent hackers from gaining access to your site. Additionally, this plugin can also help to improve the security of your password.
If youâre looking for a way to improve the security of your website, then we recommend that you consider using a WordPress login limit plugin.
Security Plugins
Using a security plugin is a must. There are many security plugins available for WordPress, but not all of them are created equal. Do some research and find a plugin that suits your needs. (We recommend looking into Wordfence or Sucuri.)
Once youâve found a plugin, install it and activate it. Follow the instructions on the pluginâs settings page to configure it properly.
Most security plugins will offer features like blocking IP addresses, two-factor authentication, malware scanning, and more. Choose the features that are most important to you and make sure theyâre enabled.
Keep your security plugin up to date by installing new versions when theyâre released.
For starters, be sure to create a separate user account for the person to whom youâre granting access. That way, if their account is ever compromised, your main admin account will remain safe.
Next, be sure to set strong passwords for both your main admin account and the new user account. Use a combination of letters, numbers, and symbols to make it as difficult as possible for hackers to guess.
Take Away
Malicious actors are continuously coming up with new ways to use a companyâs online presence against them, while cyber security specialists are always coming up with new ways to resist them.
This is the never-ending cycle of cybersecurity, and weâre all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked.Â
As the internet becomes increasingly integral to daily life, website security is more important than ever. Hackers can gain access to sensitive information, like credit card numbers and social security numbers, through websites with weak security. This can lead to identity theft and financial fraud.
Your websiteâs CMS (content management system) works as the backbone of your entire setup. The most prominent CMS today is WordPress which is being used by over 455 million across the globe. Naturally, WordPress is a lucrative target for cybercriminals and highlights the fact why WordPress security should never be ignored.
WordPress or another other CMS, while 100% security may be a myth, there are a few things you can do to ensure your website is secure from external and internal threats.
Secure Hosting
A website is a powerful tool that can help businesses of all sizes reach new customers and grow. However, a website is only as secure as the hosting provider that it uses. Thatâs why itâs important to choose a secure website hosting provider when setting up your website. Here are two things to look for in a secure website hosting provider:
1. Industry-Leading Security Measures: A good web hosting provider will have industry-leading security measures in place to protect your website from hackers and other online threats. This includes things like firewalls, DDoS protection, and malware scanning.
2. Regular Backups: In the event that your website is hacked or compromised, regular backups will ensure that you can quickly restore your site to its previous state. A good web hosting provider will perform regular backups of your site automatically.
Strengthening Login Credentials
According to studies, around 8 percent of hacked WordPress websites are due to weak passwords. However, as the largest self-hosted blogging tool in the world, WordPress has a responsibility to its users to keep their information safe. One way it does this is by natively offering two-factor authentication (2FA).
Two-factor authentication is an extra layer of security that requires not only a username and password but also something that the user has on them, like a phone. This makes it much harder for someone to hack into a WordPress account, even if they have the login credentials.
WordPress offers 2FA through several different methods, including SMS text messages, email, and authenticator apps. Which method you choose is up to you, but we recommend using an authenticator app like Authy or Google Authenticator.
Updated Plugins
The reason why WordPress powers millions of websites and blogs is its user-friendliness and free plugins. Although WordPress is good at adding new features and constantly issues security patches, zero-day vulnerabilities can be a calamity.
Therefore, always keep your plugins up to date because newer versions of plugins often fix security vulnerabilities that older versions had. Outdated plugins can cause compatibility issues with other plugins or with WordPress itself.
Additionally, newer versions of plugins usually have new features and improvements that can make your site run better. So next time you see a plugin update available, donât ignore it â go ahead and update!
Hiding WordPress Login URL
There are a few reasons webmasters might want to change the default WordPress login URL. By doing so, you can help keep your site more secure from hackers and bots who try to gain access by brute force. Additionally, it can also deter casual users from trying to snoop around areas of your site they shouldnât be.
If youâre running a membership site or online community, you may also want to change the login URL to something more branded and memorable for your users. By making it easy for them to find and login, you can reduce frustration and increase adoption.
Whatever your reason for wanting to change the WordPress login URL, itâs actually quite easy to do. There are a few different methods you can use, including plugins and editing code directly.
Login Limit Plugin
As a website owner, itâs important to make sure that your site is secure. One way to do this is by using a WordPress login limit plugin. This type of plugin will help to protect your site by limiting the number of failed login attempts.
There are many benefits of using a WordPress login limit plugin. By limiting the number of failed login attempts, you can help to prevent hackers from gaining access to your site. Additionally, this plugin can also help to improve the security of your password.
If youâre looking for a way to improve the security of your website, then we recommend that you consider using a WordPress login limit plugin.
Security Plugins
Using a security plugin is a must. There are many security plugins available for WordPress, but not all of them are created equal. Do some research and find a plugin that suits your needs. (We recommend looking into Wordfence or Sucuri.)
Once youâve found a plugin, install it and activate it. Follow the instructions on the pluginâs settings page to configure it properly.
Most security plugins will offer features like blocking IP addresses, two-factor authentication, malware scanning, and more. Choose the features that are most important to you and make sure theyâre enabled.
Keep your security plugin up to date by installing new versions when theyâre released.
For starters, be sure to create a separate user account for the person to whom youâre granting access. That way, if their account is ever compromised, your main admin account will remain safe.
Next, be sure to set strong passwords for both your main admin account and the new user account. Use a combination of letters, numbers, and symbols to make it as difficult as possible for hackers to guess.
Take Away
Malicious actors are continuously coming up with new ways to use a companyâs online presence against them, while cyber security specialists are always coming up with new ways to resist them.
This is the never-ending cycle of cybersecurity, and weâre all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked.Â
If youâre like most modern organizations, you rely on third-parties to help you run and grow your business. Yet the vendors, partners and suppliers that make up your supply chain are also a significant component of your cloud environment attack surface. While you canât (and shouldnât) cut third-parties off completely, you can (and should) enforce the principle of least privilege when providing them with permissions into your single and multicloud environment. Read on to learn how to implement this essential modern security practice and tips for getting started.
Why are Third Parties So Risky for Your Cloud Environment?
Third parties, including suppliers, contractors, vendors, partners and even your cloud provider are a fundamental part of your organizationâs business ecosystem. They help with any and all aspects of business growth, from engineering and IT to marketing and business development, and legal and strategy. Many of these third parties have other third parties they work with to help run their own businesses, and so on. This natural business reality creates a supply chain of companies and networks interlinked in various ways.
But all this help has a dark side: third parties and supply chains create considerable vulnerabilities in your cloud environment. According to IBMâs 2022 Cost of a Data Breach Report, 19% of breaches were caused by a supply chain compromise. The average total cost of a third-party breach was $4.46M, which is 2.5% higher than the average cost of a breach. In addition, identifying and containing third-party breaches took an average of 26 days longer compared to the global average for other kinds of breaches.
The vulnerability of third parties arises from the different security hygiene practices and controls each business in your ecosystem employs. In many cases, their standards are less stringent than your own, creating inconsistency and an increase in their relative security vulnerability.
In May 2021, U.S. President Biden dedicated an entire section in his monumental CyberSecurity Executive Order to the hardening of the supply chain and mitigation of risks of vendor attacks. The order states that âthe development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.â In short, the order notes that since it is easier for an attacker to breach, third-party software is more susceptible to exploitation.
Third-party vulnerabilities are not just software-related. Security practices that are different, mismatched and/or below your organizationâs standard also create vulnerabilities. For example, some third parties may not practice password hygiene. In other cases, they may be reusing credentials or accidentally misconfiguring their environments.
Once they gain access to your supplier, attackers may find it easier to access your environments as well. Unlike malicious attackers, for which organizations are on the alert, organizations tend to treat third-parties as trusted entities. As such, third-parties are granted access and control over sensitive resources. Sometimes, this access is required for them to perform their work. Too often, though, permissions are intentionally or unintentionally over-privileged â due to manual errors, oversight or not knowing better. As a result, attackers that access your vendors can exploit this trust and breach your environments as well. Overprivileged permissions put your critical systems and data at risk, and can disrupt your compliance with regulations.
Third Parties in the Cloud: Why the Risk is Different from On-Premises
In the cloud, excessive trust of third parties and supply chain actors is riskier than on-premises environments â not just because oneâs guard is down but due to the nature of cloud architecture and how it differs from on-premises.
On-premises, local servers and components enabled delineating network borders and implementing security controls to protect those borders, like firewalls. But in the cloud, infrastructure is distributed and resides on public infrastructure, making surrounding it with security controls impossible. This means that previously used security tactics and solutions, like third-party PAMs, are no longer helpful.
In addition, the distributed nature of the cloud, alongside the workforceâs reliance on cloud-based resources for their work (e.g, on SaaS apps), has changed connectivity needs. Businesses going through cloudification now rely on identities and credentials as the main means for providing access to company resources, making identity the new security perimeter.
Itâs not only human users that require identities for access. The cloud has transformed many architectures from monoliths to microservices to support more development agility. These cloud services now also need digital identities as their main means for resource access. In some cases even your cloud provider can be a third party with access, often authorized, to your environment. Still, maintaining a list of CSP-managed accounts can be a difficult task.
Identities: A Complicated Security Affair
In the cloud, IT, DevOps, Security and DevSecOps are now managing thousands of new digital organizational identities, each with a complex sub-set of permissions that determines which resources they can access and the actions they can take on those resources. In the recent 2022 Trends in Security Digital Identities survey, by the independent group Identity Defined Security Alliance (IDSA), 52% of identity and security professionals identified cloud adoption as the driver of the growth of organizational identities.
Managing and monitoring these identities and their permissions is extremely complicated. The combination of the high volumes of identities and the intricacies of their permissions makes it almost impossible to avoid oversights and manual errors.
This extreme difficulty in avoiding permissions error has dangerous security implications. Verizonâs 2022 Data Breach Investigations Report (DBIR) finds that credentials are the number one organizational security weakness. When it comes to third-parties, the same research finds that the use of stolen credentials and ransomware are the top two âaction varietiesâ leading to incidents. Per Ermetic research, ransomware potential is the cause of misconfigured identities, publicly exposed machines, risky third-party identities and risky access keys. In other words, third-party credentials are a focus point of violation for attacking companies and breaching their data. Protecting third-party credentials needs to be part of everyoneâs security strategy.
Third-Parties: A Global Necessity and Pain
Businesses operating in a legacy-security mindset tend to block any risk or threat. But modern security strategies require security teams to act as business enablers. This means security needs to be maintained without slowing down business productivity and performance. Overcoming the third-party business vs. security dilemma is challenging, since while the supply chain is an inherent risk, it is also essential to a businessâs success. Shutting down third-party operations is equivalent to shutting down business operations.
But the risk speaks for itself: third-party access in the cloud requires a dedicated security approach to permissions management. Fortunately, the principle of least-privilege is the modern security practice that can answer identity-management complexity â including that of third parties â in the cloud. By minimizing user and service permissions to only those deemed necessary for business operations, organizations can reduce their blast radius and attack surface in case of an attack. When it comes to third parties, the principle of least privilege â including its implementation via tools like Just in Time access â enables providing third parties only with the necessary access for the business while minimizing the risk these entities pose.
Implementing the Principle of Least Privilege for Third Parties in the Cloud
Letâs look into the various options for managing the risk of third-party permissions with least privilege.
Solution #1: Manual Maintenance
To secure third-party access to resources, IT and security need to find a way to keep track of all identities and their permissions. Some businesses rely on manual tracking in spreadsheets or other similar means. This quickly turns into long lists of identity names, the resources they have access to and their permissions.
However, manual maintenance in spreadsheets or by other means cannot capture the complexity of permissions management requirements. Many identities have access to a large number of resources, each with different authorization requirements. These all need to be meticulously tracked â spreadsheets are not equipped for presenting this information in a consumable fashion.
In addition, permissions can be inherited. This means that if service A has permissions to control service B, and service B has permissions for service C, service A will have permissions for service C. This creates a complex chain of permissions that is hard to create and visualize manually.
Excessive permissions derive from a complex chain of permissions that is hard to determine, visually present and keep up with manually
Finally, permissions need to be continuously monitored. Creating a one-time picture of permissions does not reflect the mercurial nature of the cloud or legitimate needs that come up requiring elevated or expanded permissions be granted for a certain amount of time.
Scanning and reviewing all these permissions takes time and concentration, which many IT and security teams donât have. In addition, understanding the complexity, depth and how permissions are intertwined requires cloud security expertise, which not all security and IT teams have or have had time to develop. Even if they did, is this the best use of their time?
Hereâs an example of one JSON permissions doc. Imagine having to comb through thousands of these and identifying any errors or issues:
Typical JSON permissions document â where lie the risky permissions?
Solution #2: Automation and Least Privilege to Reduce Third-Party Risk
Constantly updating manual spreadsheets while also being able to pinpoint any excessive or toxic permissions requires painstaking tracking, which resembles the type of analysis a machine would perform, not a human. The required level of detail, the scope of data and the speed of decision-making required when managing and monitoring the principle of least privilege screams âautomation.â Doing so in a multicloud, let alone single cloud, environment is daunting. Here are six tips for ensuring your automated mechanism can protect you from third-party risk with least privilege:
Tip #1: Monitor for Excessive Third-Party Permissions
As weâve established, permissions in the cloud are convoluted by nature. An automated, multicloud monitoring mechanism will check third-party credentials for excessive permissions or toxic combinations and identify if these permissions violate the principle of least privilege by providing them with the unnecessary ability to access sensitive data and modify infrastructure. This information will be visualized by its risk severity, and any attacker reconnaissance capabilities will be highlighted. The evaluation of severity will take into account any risk offsetting covered by other policy definitions, including network related, along the permissions chain.
Tip #2: Monitor with Care and Context
Modern security strategies are business enablers and growth enthusiasts. Therefore, security controls need to be applied in a contextual manner. Rather than blocking any potentially vulnerable activity, actions need to be implemented intelligently. With permissions, it is essential to provide context of permissions scope. Not all third-party capabilities are dangerous for the business. Excessive permissions, i.e., those that exceed the principle of least-privilege, are the ones that should be mitigated. Automated security controls provide mechanisms for marking accounts and services as trusted, reducing false alerts.
Tip #3: Auto-Remediate Third-Party Vulnerabilities
Engineering, IT and security teams are busy and have alert fatigue. A helpful automated solution does not just highlight the problem but also helps solve it. Instead of adding more tasks to the teamsâ full plate, take care to choose a solution that can provide a recommended substitute policy and auto-remediate into your organizationâs workflows, and even shift left with optimized policies through infrastructure as code, while leaving more advanced issues to human judgment.
Tip #4: Set Permissions Guardrails
Guardrails limit the actions an identity can perform. This helps minimize the blast radius by capping the potential of what a user or principal can do. Determining automated guardrails are especially important with third-parties, since it is often easier for IT teams to provide them with excessive access or accepting the cloud vendorâs default configurations rather than having to go into the weeds and figuring out how to limit their permissions to the resources they actually need.
Tip #5: Ensure Ease of Use
Automation should support you, not make your daily flow more difficult. A helpful automated solution will integrate with the security and engineering teamsâ workflows. This can be done through easy to understand dashboards, clear instructions, integrations into the CI/CD cycle and integrations with tools like Slack or PagerDuty.
Tip #6: Deliver JIT Access
JIT (Just-in-Time) access is a security principle that provides access to users for a limited period of time and then revokes it. JIT is useful for when users need permissive entitlements to complete a certain task, such as when developers need to fix a bug in production.
A secure automated solution will support JIT access for third-parties as well. That way, if your vendor needs to access a sensitive environment for an important work-related issue, you can provide them with such access without leaving attackers with a permanent window of opportunity for reconnaissance.
Conclusion
From a business perspective, third parties are as much a part of your business as any internal department. But from a security perspective, these entities need to be approached intentionally and with strategic caution. Third parties carry huge risks since their security practices are beyond your control.
The answer to managing these vulnerabilities is through an automated security solution that enforces least privilege and JIT access. Automated permissions management and monitoring reduces access risk by assigning third-parties, including developers, with only the access they need. This is the best way to balance and ensure business continuity and security in your cloud.
“By implementing sound #management of our #risks and the threats and opportunities that flow from them we will be in a stronger position to deliver our organisational objectives, provide improved services to the community, achieve better value for money and demonstrate compliance with the Local Audit and Accounts Regulations. #Riskmanagement will therefore be at the heart of our good management practice and corporate governance arrangements.”
