Mainframe – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals
Thu, 29 Feb 2024 22:00:36 +0000

How dangerous is the cyberattack risk to transportation?
https://securityintelligence.com/articles/how-dangerous-cyber-attack-risk-transportation/
Tue, 17 May 2022 13:00:00 +0000


If an attacker breaches a transit agency’s systems, the impact could reach far beyond server downtime or leaked emails. Imagine an attack against a transportation authority that manages train and subway routes. The results could be terrible.

Between June of 2020 and June of 2021, the transportation industry witnessed a 186% increase in weekly ransomware attacks. In one event, attackers breached the New York Metropolitan Transportation Authority (MTA) systems. Thankfully, no one was harmed, but incidents like these are cause for concern. It’s clear that transport organizations require strong security to keep their systems and passengers safe.

Critical public infrastructure

According to the recent X-Force Threat Intelligence Index, ransomware was the top attack type globally in 2021 for the third year in a row.

The report states, “Malicious insiders emerged as the top attack type against transportation organizations in 2021, making up 29% of attacks on this industry. Ransomware, [remote access Trojans], data theft, credential harvesting and server access attacks all played a role against transportation in 2021 as well.” We’ll return to the theme of ‘malicious insiders’ later.

As part of critical public infrastructure, transportation is uniquely at risk. Most people and businesses depend on transport, whether it’s getting to work on time, sending goods or receiving medical supplies. If an attack disrupts transportation, entire supply chains could come crashing down. Traffic light or rail transit disruption could cause physical harm.

New rules for digital defense

In response to the growing threat, the Department of Homeland Security’s Transportation Security Administration (TSA) announced new cybersecurity requirements for surface transportation owners and operators.

The requirements are for higher risk freight railroads, passenger rail and rail transit. They require owners and operators to:

  1. Designate a cybersecurity coordinator
  2. Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours
  3. Develop and implement a cybersecurity incident response plan to reduce the risk of an operational disruption and
  4. Complete a cybersecurity vulnerability assessment to identify potential gaps or vulnerabilities in their systems.

Motives behind cyberattacks

The motives driving attacks against transport agencies can vary. Intrusive actors may steal information or use ransomware for financial gain. Meanwhile, other attackers might receive support from foreign nations seeking to cause a disruptive or destructive effect to advance foreign policy goals. While any incident may result in systems disruption, foreign attacks may include a higher risk of equipment malfunctions and accidents.

Rogue foreign actors

In the New York MTA attack, the aggressors made no financial demands. Instead, the breach appears to have been part of a recent series of widespread intrusions by skilled attackers. According to FireEye, a private cybersecurity firm that helped find the breach, the intruders were likely backed by the Chinese government.

In late 2018, another attack resulted in a federal grand jury indictment of two men based in Iran. They were accused of holding the Colorado Department of Transportation (CDOT) computer system hostage as part of the SamSam malware scheme. Allegedly, the Iran-based attackers demanded a Bitcoin ransom to decrypt infected CDOT data. The incident caused 1,700 employee computer systems to shut down. It took six weeks and nearly $2 million to get the department’s systems back online.

In the end, the CDOT did not pay the ransom. The state had digital backups which enabled them to restore encrypted data. Also, segmented network operations helped prevent malware from spreading to other departments or agencies. That’s why servers controlling traffic lights or other road systems in Colorado did not feel the impact.

What should transport leaders do?

Given the widespread, ongoing threat against the transport industry, the TSA has developed a toolkit. If we dig into the directives for rail, public transportation and surface transportation, we find that cybersecurity coordination, reporting and response plans are critical. Vulnerability assessment is also a high priority, and the TSA recommends that agencies refer to the NIST Cybersecurity Framework as a guide.

Vulnerability assessment should include Internet of Things (IoT) security as more sensors and devices are deployed in the industry. In order to align the many moving parts and logistics of any transport system, IoT devices are essential. However, device connections are potential points of entry for attackers, and you should also assess this risk.

Transportation attack risk mitigation

Like any organization, transportation agencies are exposed to the threat of cyberattack, but the stakes may be higher. That’s one of the reasons Alejandro Mayorkas, secretary of Homeland Security, said that “ransomware now poses a national security threat.” While the TSA directives address incident response, where can one find advice about risk mitigation?

The X-Force Threat Intelligence Index not only examines the current risk landscape, but it also offers advice on how to reduce the risk of compromise. Some suggestions by the X-Force report to mitigate cyber risk include:

  • Zero Trust: This approach assumes a breach has already occurred and aims to make it harder for an intruder to move through a network. It starts with knowing where critical data resides and who has access to it. Robust verification measures (multifactor authentication, least privilege, identity access management) are deployed throughout a network to ensure only the right people access that data in the right way. This is very important for transport, as nearly a third of agency attacks arise from malicious insiders.

  • Security Automation: With international threats, diverse attack types and multiple layers requiring protection, security automation is essential. Machines complete tasks much faster than any human analyst or team. Automation also helps identify mechanisms for improving workflows.

  • Extended detection & response (XDR): Detection and response technologies that combine several different solutions provide a significant advantage. XDR spots and removes attackers from a network before they reach the final stage of their attack, such as ransomware deployment or data theft.

Keeping transportation safe

Government agency efforts are helping to raise awareness and lower the chances of harm. Individual transport organizations have also taken on the responsibility of protecting their systems and traveler safety. The risk of attack against transport agencies will certainly continue, and passenger safety is of the utmost importance.

The post How dangerous is the cyberattack risk to transportation? appeared first on Security Intelligence.

Low-code is easy, but is it secure?
https://securityintelligence.com/articles/low-code-easy-secure/
Mon, 28 Mar 2022 13:00:00 +0000

Low-code and no-code solutions are awesome. Why? With limited or no programming experience, you can quickly create software using a visual dashboard. This amounts to huge time and money savings. But with all this software out there, security experts worry about the risks.

The global low-code platform market revenue was valued at nearly $13 billion in 2020. The market is forecast to reach over $47 billion in 2025 and $65 billion in 2027 with a CAGR of 26.1%. Very few, if any, markets can expect to see such robust growth.

What is low- or no-code software? What’s driving the explosive growth in this sector? And what are the security risks?

What is low-code development?

Low-code platforms enable those with limited programming skills to become citizen developers. People can use intuitive graphical interfaces to create applications faster than conventional coding methods. This means non-technical staff can contribute.

At a recent VentureBeat Low-Code/No-Code Summit, brands of all sizes shared how they use low-code to improve and accelerate business processes. For example, no-code solutions can streamline application creation, enable real-time data analysis and automate manual, time-consuming workloads.

Low-code platforms’ popularity boom

It doesn’t take a master coder to understand the reasons why many companies choose to adopt low-code development. One survey showed that 41% of organizations are using a low- or no-code platform. Within these companies, 69% say professional IT staff use low-code tools. This means nearly a third of low-code users are non-IT team members busily creating software.

During 2020-2021, IT leaders have slashed development times. This increased demand for custom software led to the emergence of non-IT citizen developers. As a result, the low-code market expanded rapidly and will continue to grow by leaps and bounds. Gartner estimates that by 2024, low-code tools will be behind more than 65% of application development.

Starbucks embraced low-code

It’s not only bootstrap businesses that need low-code solutions. On the contrary, many of the biggest brands have pivoted to less technical solutions to meet their needs.

Starbucks chief digital and analytics officer Jonathan Francis says that he saw efficiency gains from low-code tools as the demand for remote solutions stretched IT to the limit. Low- and no-code platforms enabled Starbucks to digest a backlog of development tasks that normally would have taken far longer to finish.

“We need opportunities to scale quickly … You’ll never find enough data scientists,” Francis said. “We’re all competing for the same resources — we have limited budgets. So you have to start thinking about local solutions.”

Who’s guarding the gate?

While all this freewheeling app development may be great for innovation and productivity, the security officer is thinking, “If every Sally, Sam and Joe can conjure up apps across the enterprise, how am I going to secure it all?” Good question.

The good news is that security is built into many low-code platforms. Traditional application development doesn’t always take security into account. Or, someone puts it in place later. But with secure low-code platforms, governance and control are built-in before your people start tinkering. This means IT maintains and sets centralized control over access, automation and data assets.

Setting low-code rules

No matter how good the low-code tool is, there’s still a chance that employees will be tempted to create applications beyond the security radar. For this reason, built-in permissions go a long way in maintaining good governance.

It all begins with proper training for anyone who will dabble in low- or no-code projects. They need to understand that only approved low-code platforms are okay to use. Plus, educate and alert your people to the need for testing. At the end of the day, who gets access to what should be firmly established.

Now, let’s look at some other specific ways to manage low-code security risks.

Play in the sandbox

If you put all your approved development resources in a sandbox, then citizen developers can play nice and avoid risk exposure. From there, clearly establish and manage data access and sharing.

Many low-code platforms provide this type of control at the virtual data layer. Some low-code platforms even come with regulation compliance built-in.

Runtime environment management

The runtime environment is where a certain program or application executes. It’s the hardware and software that supports the running of a certain codebase in real-time.

You can configure this to reveal data exposure and poorly applied security controls. These measures can help avoid business logic failure, such as posting sensitive data to a public location.

Other ways to harden low-code environments

Other ways to strengthen low-code environments include:

  • Static code analysis: Perform static analysis on any low-code platform-generated code and test for common errors.
  • Audit proprietary libraries and partners: Ask vendors about their security standards and examine proprietary libraries for potential risks. Does the vendor have a way to verify their security?
  • Secure the API layer: Test API connections regularly with an API scanner.

Trust no one, secure everything

Placed in the hands of non-IT staff, low-code tools are used to create even more applications. This further supports the notion of a perimeter-less architecture. We are in the midst of a boom of applications, APIs, devices, users and environments. This makes securing your network more challenging than ever.

Low-code is only part of a larger, more complex security conundrum. As a response, many organizations are adopting a zero trust approach.

A zero trust security model ensures data and resources are closed off by default. Access is granted on a least-privilege basis. Zero trust requires each and every connection to be verified according to your policies. Zero trust tools then authenticate and authorize every device, network flow and connection using AI-assisted contextual analysis from as many data sources as possible.

Low-code can quickly reshape the technical prowess of any organization. It democratizes development, accelerates innovation and boosts productivity. But to fully leverage the advantages of low-code, it must be secure.

The post Low-code is easy, but is it secure? appeared first on Security Intelligence.

Starting From Scratch: How to Build a Small Business Cybersecurity Program
https://securityintelligence.com/articles/starting-from-scratch-how-to-build-a-small-business-cybersecurity-program/
Wed, 15 Dec 2021 14:00:00 +0000

When you run a small business, outsourcing for services like IT and security makes a lot of sense. While you might not have the budget for a full-time professional on staff to do these jobs, you still need the services.

However, while it might be helpful to have a managed service provider handle your software and computing issues, cybersecurity for small and medium businesses (SMBs) also requires a personal, hands-on approach. While you can continue to outsource some areas of cybersecurity, every SMB needs to develop an internal cybersecurity program to address the small problems before they escalate into data breaches and other major cyber incidents.

Getting Started With a Cybersecurity Program 

You can’t put together a cybersecurity program without knowing what it entails. An information security program is a collection of policies and processes, along with the tools deployed to monitor and protect your company’s data and network assets, explained Patrick Keating, a 20-year security expert, to an (ISC)2 Security Congress audience. Although monitoring and protection services may be something you outsource to a Managed Security Service Provider (MSSP) or to an experienced consultant, you are responsible for defining the processes and policies of your SMB cybersecurity program. You want a program that will “protect the confidentiality, integrity and availability of your company’s data,” Keating advised.

To successfully carry out this process, first, you need to know what your data assets are. Simply said, you can’t protect what you don’t know. Many organizations do not know how much data they accumulate on any given day, what types of data are on hand or where the data is stored. 

Next, you need to know what type of security is already in place and what type of technology you are using. How many devices are connected to the network, including IoT and personally owned devices, and how are they protected? For an SMB, it can even come down to knowing what operating systems are used across the company and if they are still under protection. As Keating pointed out, there are a lot of people who think that cybersecurity is simply adding anti-virus software to your computer and maybe your smartphone. While that’s one component of your security program, it’s just one step in the process.

This process can feel overwhelming, but with an expanding threat landscape and a growing number of data privacy regulations, protecting all of your assets is necessary. 

Small Business Cybersecurity Framework

According to Keating, the most organized method to begin building a small business cybersecurity program is to use a security framework. 

“Security frameworks consist of standards, guidelines, best practices that are collected and organized in such a way that’s easily achievable and a great way to communicate what you’re trying to do,” Keating says. 

Frameworks can help you identify where your company currently measures up in cybersecurity policies and the potential for where your organization can scale. The frameworks are written in plain language so even non-technical individuals can understand why cybersecurity is vital to business operations and how to implement a program.

Most business leaders, no matter the size of the organization, do not understand how big their security holes are or where the lapses in security standards are. For example, a financial services company might have a great incident response program in place, but may not have the correct detection tools in place, or could be unaware of what an anomaly within the organization looks like.

Several security frameworks you can reference to get started include those from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Center for Internet Security (CIS). The type of framework you follow will depend on the type of industry you are in and where your organization is on its cybersecurity journey.

Once the framework is in place, the next step is to find the gaps in your system. This process will pinpoint the vulnerabilities in your infrastructure. You may find patterns in where those gaps occur, which brings your security system into sharper focus. This is a part of the process where outside help is needed, such as the MSSP or a penetration testing vendor. After you discover gaps, you can decide on a direction for your security roadmap and build your program.

The Small Business Cybersecurity Program Structure

In order to create a successful cybersecurity program, everyone in your organization must be aware of the program. Additionally, you need to create buy-in from employees to adhere to the program. For that to happen, your employees need to understand what their role will be.

It is easiest to spell it out in a formal structure, like this:

  • Purpose. What is the purpose behind your cybersecurity program? What are your valuable assets? Why do you need limits on data access? 
  • Policy statements. Do you have written policies on topics such as remote work and personal device security behaviors, saving company data on non-company storage devices and the use of unapproved IT?
  • Monitoring and Assessments. Who is responsible for working with MSSPs or other security vendors on governance, data monitoring and reporting and auditing? What level of these jobs do you want to deploy, or are you required to deploy for compliance and industry regulations?
  • Security awareness training. Security education is a key part of any cybersecurity program, and the more education you provide the better. Anyone who touches your data should be able to recognize a phishing email and know when to report suspicious situations.

“Hope is not a strategy,” said Keating. “You hope for the best, but plan for the worst.” This can be a guiding star for your cybersecurity program. No one wants to be the victim of a cyber incident, but when you build a small business cybersecurity program, you are investing in the security of your business and taking the necessary steps to best protect your most valuable assets. 

The post Starting From Scratch: How to Build a Small Business Cybersecurity Program appeared first on Security Intelligence.

A Journey in Organizational Resilience: Supply Chain and Third Parties
https://securityintelligence.com/posts/journey-organizational-resilience-supply-chain-third-parties/
Mon, 08 Nov 2021 17:00:00 +0000

The next stop on our journey focuses on those that you rely on: supply chains and third parties.  Working with external partners can be difficult. But, there is a silver lining. Recent attacks have resulted in an industry wake-up call when it comes to cybersecurity resilience.

You see, the purpose of using external partners is to take advantage of a capability that your organization did not have, or that the vendor was simply better at than you. In turn, there was an offering or efficiency incentive where, for an exchange, your organization could operate more productively. Call it the trade-off.

It’s no different than any sports team looking to make a trade. When an organization is looking to partner with an external group, it will perform:

  • Risk analyses
  • Cost/benefit studies
  • Return on investment assessments.

In essence, the organization goes through a process to determine whether they will give up something of value today in return for some future benefit (e.g., contractually and confidentially sharing your intellectual property in exchange for some better performance). Call it the business case.

For many organizations, this arrangement has generally worked well for some time. However, cracks are beginning to show. Therefore, it is worth asking: is the risk worth the reward?

Inheriting the Vendor’s Cybersecurity Resilience Vulnerabilities

Working with external partners has become a riskier business. That is not to say organizations should cease these partnerships. Candidly, without external partners, it is quite possible most organizations would not be able to run, especially if they are heavily reliant on services and platforms (think ‘as-a-service’ models). Therefore, organizations need to be cognizant of the risks they take on, as the calculus has recently changed a bit. Namely, an organization is more likely to inherit the vulnerabilities of its external partners in the effort to transfer risk or offset inefficiencies.

Supply Chain Standards

There is a lot going on in the supply chain space these days with regard to working with partners. For example, the May 12 executive order 14208, Improving the Nation’s Cybersecurity, tasked NIST with identifying existing or developing new standards, tools, best practices and other guidelines to enhance software supply chain security. Also in 2021, ISO reviewed and made current ISO 28001: Security management systems for the supply chain — Best practices for implementing supply chain security, assessments and plans — Requirements and guidance. And for some extremely detailed guidance, including some control mapping back to NIST SP 800-53, those concerned with supply chains can reference NIST SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations.

All these information security and cybersecurity frameworks and standards can help improve your organizational resilience. Instead of doing deep dives into these documents, let us focus on some key considerations to help minimize your organization’s risk.

Trust and Verify for Cybersecurity Resilience

In an ideal world, you would have the opportunity to validate your vendors’ security reports (such as penetration test results and SOC II reports, business continuity plans, disaster recovery strategies, crisis management protocol and independent certifications and confirmation of testing).

News flash: do not expect you will get all this information. Look at this from the perspective of the vendor: wouldn’t it be a risk to share all this information with all its customers? Indeed, it would. So, how do you balance this conundrum?

Well, the first thing you should do is to start splitting off your vendors into two groups. How you label them is strictly up to you, but think in terms of major and non-major as reference points. That’s not necessarily in the sense that they are major or non-major to you and your organization. You will see in a moment a non-major vendor may be critical to your cybersecurity resilience. Concurrently, a major vendor may not be critical at all to your operations.

Building Confidence Through Evidence, Artifacts and Confirmation

Think of a major vendor as a very large one, likely to have hundreds, thousands or more customers. These types of organizations likely have tremendous resources (and leverage), so verifying information may be limited. But that is not necessarily an impediment. You may not get access to specific reports. Instead, you may have attestations or certified documents from independent assessors attesting that the major vendor is up to snuff. If you are lucky, you may even get some blacked-out report results. The point is to get some type of evidence or artifact that gives you the confidence that the major vendor can manage a disruption well.

Also, you must absolutely keep this in mind: make sure you review your contracts and service-level agreements. Your vendor keeping their lights on does not necessarily translate to the vendor keeping your lights on. Many of these arrangements have shared responsibilities.

Non-Major Vendors Are Still Important

On the flip side, a non-major vendor may not have the resources of a multinational enterprise. That makes them no less important to your operations.  For example, a regional player could be crucial to you delivering your products and services. If you lose them, you cannot serve your customer base. Or, they are highly specialized. This example is a perfect case of why you should be identifying dependencies, not only for assets, but also for processes and product and service delivery.

For non-major vendors, you may have some leverage in extracting security- and resilience-related information. You are more likely to be able to demand evidence of testing, proof of remediation and contingency plans. The threat of walking away for another service provider certainly can stimulate cooperation. But, that is not an excuse to bully them. Remember, the end state is no different than that of a major provider. You need something tangible to gain your confidence.

Vendors as Partners in Cybersecurity Resilience

As you inherit the vulnerabilities of your supply chain and third parties, the relationship is likely to shift away from being transactional to something that more closely resembles a partnership. That’s why you need confidence in that partnership. If confidence is lacking, it may be time to look for a new partner. Keep in mind that an external vendor nowadays can, and likely will, increase your risk profile. Choose wisely and, like all things with cybersecurity resilience, still be prepared to weather a storm.

Next step: the data life cycle, from creation to usage and handling to destruction.

The post A Journey in Organizational Resilience: Supply Chain and Third Parties appeared first on Security Intelligence.

Cybersecurity Trends and Emerging Threats in 2021
https://securityintelligence.com/articles/cybersecurity-trends-and-emerging-threats-2021/
Wed, 03 Mar 2021 12:00:00 +0000

The year 2021 is finally here, bringing with it the promise of a brighter future — but a long road ahead. In this piece, we’ll dive into five cybersecurity trends that pose significant potential risk in 2021 and offer practical advice to help entities reduce overall risk.

The first quarter of 2021 represents a cybersecurity crossroads. Business owners may be shifting staff back into the office and managing the risks and rewards of remote work at the same time. For malicious actors, this opens a door. From common compromise vectors to new threats, attackers are always looking for ways to escape IT notice, evade defense measures and exploit emerging weaknesses.

Setting the Stage: Cybersecurity Trends in 2020

Some of the threats in 2020 weren’t new. According to data from IBM Security X-Force, for example, one in four attacks remediated as of September 2020 were linked to good old ransomware.

Working from home, meanwhile, offered another approach vector for threat actors and new information security threats emerged. From privileged credential compromise to the use of mixed personal and professional networks, attackers wasted no time in hopping over the lower bars for entry.

IT teams, meanwhile, worked hard to defend potential weak points and cut down on emerging risks by improving identity and access management (IAM), enhancing data encryption and switching to managed services.

Last year’s cybersecurity trends are important to 2021 because they set the stage. Both companies and cyber criminals know the ‘new normal’ of IT at a distance well. So what happens next?

Work-from-home Attacks

The first major cybersecurity trend of 2021 stems from 2020. While WFH isn’t a new threat this year, it’s only a matter of time before attackers compromise multiple, insecure home networks at the same time to manufacture a massive-scale breach of critical systems and services. It makes sense. With many staff using home broadband connections for both personal use and their jobs, the corporate attack surface has increased by a lot.

Solving this problem means doubling down on IAM with tools capable of intelligently analyzing user activity, resource requests and corporate connective habits to allow streamlined sign-in when it’s safe to do so — and require extra authentication if potential problems are detected.

Brute Force Frustrations

Brute-force efforts are also back in fashion. The attackers behind this and other cybersecurity trends recognize the potential of distributed denial-of-service (DDoS) in bringing down corporate networks. The second half of 2020 saw a 12% uptick in DDoS attack efforts, especially those using the Simple Service Discovery Protocol (SSDP) and the Simple Network Management Protocol (SNMP).

By using botnet swarms, attackers were able to amplify IP requests and overwhelm enterprise networks, in turn slowing response times or entirely sidelining services. SNMP exploits are even more worrisome since this protocol connects and manages common corporate devices, including modems, printers, switches, routers and servers. Compromise of SNMP services puts attackers largely beyond the reach of firewalls and exposes all enterprise services to risk.

To combat DDoS-driven threats in 2021, enterprises need agile, adaptable tools capable of detecting, isolating and remediating distributed attacks as they occur.

Fileless Frameworks

Fileless malware and ransomware attacks will continue to plague entities in 2021. These threats are designed to bypass familiar detection controls and infiltrate key systems by ‘living off the land’ — using approved platforms or software tools that already exist within corporate networks.

This approach allows attackers to get around common detection methods that scan for malicious file attachments or catalog the creation of new files. What’s more, the use of existing system tools means malicious actors don’t have to design their own attack framework. That decreases the time required for malware development. Attackers in 2021 are likely to use fileless malware to compromise service providers rather than specific groups. Afterward, they can use their existing infrastructure to attack downstream clients.

As with many of the other cybersecurity trends listed here, vigilance is key. Enterprises can defend against fileless threats with a Q1 cybersecurity hygiene housecleaning. This focuses on getting software and systems up to date, ensuring security tools are working as intended and deploying effective access controls — such as multifactor authentication (MFA) — to reduce potential risk.

Older Cybersecurity Trends Still Matter

Even as attackers develop new types of threats, old ones such as ransomware, Trojans and botnets are also still around. To face these familiar threats head-on — and emerge relatively unscathed — enterprises must ensure staff have the tools and training they need to spot these attacks ASAP. This starts with training around common compromise vectors such as malicious email attachments and links. It also includes ongoing efforts that help monitor email accounts, remind staff of security standards and notify them automatically if potential threats are detected.

Front Line Phishing

The biggest news story for 2021 is, of course, the COVID-19 vaccine. People are searching for vaccination information, from the current state of the disease to when and where the vaccine is given out to who has been approved to get it. That’s going to affect 2021’s cybersecurity trends. As a result, companies must be prepared for an uptick in related phishing campaigns. These are very dangerous because they interest readers right away.

Attacks taking advantage of this have already been detected. The United Kingdom’s National Health Service recently sent out warnings about fake vaccination appointment emails. IBM X-Force identified a supply-side attack looking to compromise the vaccine cold chain.

The reason for this uptick is simple. Despite how often people talk about them and the continued efforts of enterprise IT, phishing scams still work. They’re even more worrisome during WFH. Workers at home are getting a ton of emails even as pandemic pressures put increasing stress on their personal and work lives. The result isn’t surprising: people fall for phishing.

Combating this common compromise starts with improved identity management. By ensuring only the right people have the right access to the right resources at the right time, entities can lower the risk of getting hooked. It’s also critical to create a culture of second opinions around safety. If staff see something that looks suspicious, they need to say something — and need to be supported in this effort. Bottom line? When it comes to fighting phish, slow and steady wins the race.

Proven Tools for Today’s Cybersecurity Trends

As organizations take their first steps toward a new normal, malicious actors are ramping up their efforts. To combat today’s cybersecurity trends, both emerging compromise vectors and familiar threat frameworks, employers need a plan of attack that combines next year’s tools with tried-and-true best practices.

The post Cybersecurity Trends and Emerging Threats in 2021 appeared first on Security Intelligence.

Cybersecurity Gaps and Opportunities in the Logistics Industry
https://securityintelligence.com/articles/cybersecurity-in-logistics-gaps-and-opportunities/
Tue, 02 Mar 2021 11:00:00 +0000

Shipping and logistics is, in many ways, the backbone of our lives and businesses. What business doesn’t benefit from fresh food or a timely delivery? Unfortunately, this industry is open to cyberattacks just like anyone else. Luckily, groups in the trucking and logistics industry aren’t powerless to address these challenges. Check out how you can begin to take a strategic approach to security on the road. 

Recent Cyberattacks on the Logistics Sector

Trucking and logistics companies suffered their fair share of cyber attacks in 2020. In October 2020, a U.S. flatbed trucking group said ransomware had affected one of its operating companies. They made this announcement after the Conti ransomware group posted files from what it claimed was the operating company to the dark web.

A trucking and freight transportation logistics company suffered a Hades malware infection in December 2020. In response, the company was forced to take all of its IT systems offline while it dealt with the attack.

The COVID-19 vaccine supply chain has also been attacked, this time using the venerable method of phishing emails. A threat actor broke into a German biomedical company critical to the COVID-19 cold chain. From there, they launched phishing emails to its partners involved with transporting the vaccine. 

So, what’s going on in the trucking and logistics industry that’s fueling these attacks?

Cybersecurity Challenges Abound

Trucking and logistics groups are grappling with several digital challenges at once. One of the most important of those is balancing defense with modern tools. Most businesses in this sector use sensors and other Internet of things (IoT) devices to help them monitor and manage their supply chain operations.

On the one hand, these tools yield useful connections. On the other, they complicate things by adding smart products into the network that often lack security by design. Malicious actors could abuse software flaws within those devices to disrupt business.

The supply chain itself is also at risk. Like businesses in other industries, many logistics and trucking entities grant network access to their vendors, partners and suppliers. This decision promotes connectivity and efficiency, thereby helping these groups keep their schedules. But it also expands the attack surface. A malicious actor who compromises one of those third parties can then misuse that party’s network access to breach the trucking and logistics partner.

The Human Element

Lastly, many trucking and logistics entities lack the know-how to defend themselves against these types of digital threats. In a 2019 report, for instance, Eye for Transport (EFT) found that fewer than half (43%) of trucking and logistics organizations had a chief information security officer (CISO). That didn’t bother most respondents, however: only 21% of them told EFT they felt they needed a CISO’s expertise.

These findings underscore two problems. First, not having a CISO means a company probably doesn’t have a formal plan in place for addressing threats either. Second, by taking the view that they don’t need a CISO, most entities implicitly ignore the importance of a good defense. If you don’t believe you need expert guidance in the first place, you won’t get an expert to deal with it. But not taking any meaningful approach to defense isn’t a solution. It leaves every window and door open to malicious actors.

Best Practices for Cybersecurity in Logistics

Taking a strategic approach means researching vendors that take a serious approach to the security of their smart products. You’ll know they’re serious if they release firmware updates remotely and allow customers to change the default admin credentials. You should also consider using network segmentation to isolate IoT devices. Doing so will help to prevent a potential compromise of one of these smart products from spreading to the rest of the IT network.

Moving on to supply chain security, entities need to carefully choose their vendors and build an inventory of their selected partners. They can then use service-level agreements to require that vendors complete a risk assessment in order to maintain their business partnership. With those results in hand, trucking and logistics entities can remediate certain weaknesses by drawing on the strength of their connections with their vendors, suppliers and partners. This will enable them to implement data encryption and other security best practices as well as to formulate an incident response plan if and when a supply chain security incident occurs.

Finally, trucking and logistics organizations can accomplish all of these suggestions and more by working with a trusted managed security services provider. Doing so will not only guide your cybersecurity program, but will also help to build a positive security culture within the workplace. You might not have a CISO, but with the right provider, you’ll have the security expertise your business needs to adapt to the changing threat landscape and minimize digital security risk going forward.

The post Cybersecurity Gaps and Opportunities in the Logistics Industry appeared first on Security Intelligence.

Are Cybercriminals Winning the Mainframe Security Cat-and-Mouse Game?
https://securityintelligence.com/posts/are-cybercriminals-winning-the-mainframe-security-cat-and-mouse-game/
Wed, 30 Oct 2019 11:15:30 +0000
The current state of mainframe security often amounts to bringing a knife to a gun fight: The number of available fighters is shrinking as skilled mainframe security practitioners hang up their hats.

Just as mainframes are seeing a resurgence in usage, a recent poll revealed that multiple factors are converging to make it harder to secure the mission-critical data they contain and, increasingly, share with cloud-based systems and applications. Respondents cited new types of attacks as a top challenge and indicated that simple security measures are not yet widely adopted.

Even as a large and growing number of organizations point to security as a top benefit of the mainframe over other platforms — thanks in part to the sweeping encryption IBM enabled in the z14 and newest z15 systems — the poll of mainframe/IBM Z users uncovered a disconnect between that belief and the reality those organizations face in securing mainframe environments.

What Are the Top Challenges in Securing Mainframe Environments?

The poll, conducted for IBM in late summer 2019 by Enterprise Management Associates, found that the top challenge in securing mainframe environments is the ability to stay up to date on new types of attacks aimed at mainframes. While 35 percent of respondents indicated that was the top challenge, another 29 percent said that having adequate, mainframe-specific tools to optimize security was the biggest challenge. These results are different sides of the same coin.

The top-ranked mainframe security challenge response comes at a time when black-hat hackers are becoming increasingly sophisticated in targeting mainframe vulnerabilities for exploitation and data theft, thanks to a greater level of education becoming available at conferences such as Black Hat and DEF CON, via pen testing services, and on the dark web.

At the same time, those charged with securing mainframe environments don’t see the same level of support for monitoring and detecting threats in that environment using advanced security tools compared to what’s available to secure distributed and cloud environments.

To put it more succinctly, for mainframe security practitioners, it’s like bringing a knife to a gun fight. And the number of fighters organizations can bring to the brawl is shrinking as skilled mainframe security practitioners hang up their hats.

How Can Companies Mature Their Mainframe Security Strategies?

Another factor making it harder to secure mainframe environments, according to the polling data, is the lack of access control. For example, using multifactor authentication (MFA) is a relatively quick and easy way to eliminate a large percentage of attacks — especially the high-volume/low-sophistication kind.

Despite a significant increase in the number of affordable tokens and third-party authenticators available for the mainframe enterprise platform, almost half of the respondents indicated that they either don’t use MFA or only require a few highly privileged users to use a second factor. Only easily stolen user IDs and passwords stand between these organizations’ crown jewels and attackers. At the same time, only 79 percent of respondents indicated that their organizations use a robust password management system — a simple fix for a potentially big problem.

Another way to reduce the attack surface, used in more mature mainframe security programs, is an automated data minimization program. However, only 20 percent of respondents reported that their organizations had a robust, automated data minimization program in place, while 16 percent had either no formal program or relied on manually monitored policy and/or execution.

Despite these challenges, organizations can keep more black-hat hackers at bay and improve the security of their mainframe environments by leveraging the growing number of automated and better-integrated security tools — especially encryption and data protection, multifactor authentication, and more robust password management.

The post Are Cybercriminals Winning the Mainframe Security Cat-and-Mouse Game? appeared first on Security Intelligence.

Top Five Security Focus Areas for Mainframes
https://securityintelligence.com/posts/top-five-security-focus-areas-for-mainframes/
Tue, 06 Aug 2019 10:00:26 +0000
Given trends like data center consolidation, hybrid cloud models and new designs that allow mainframes to operate in traditional environments, what better time to reevaluate your mainframe security?

Mainframes remain the backbone of the world’s transaction processing infrastructure, from financial data, to business logic, to customer data and more. Because of their significance in this process, mainframes once sat in a secured, physical data center, separated from the rest of the company’s user devices and sometimes excluded from certain parts of the day-to-day security program.

This model is changing, with data center consolidation, hybrid cloud models and new designs that allow mainframes to operate in traditional data center environments. With this change comes the perfect time to reevaluate security processes for the mainframe.

Think the Mainframe Will Secure Itself? Think Again

Mainframes contain their own security controls, such as encryption, multifactor authentication (MFA), more stringent access controls and other advanced security protections to monitor access and performance and ensure resilience. All digital equipment, however, is essentially at risk of compromise, especially when new models (hybrid cloud) that rely on existing IT infrastructure are being integrated physically and digitally. So, how do businesses bring the mainframe into their overall security posture for a comprehensive view of risk?

During the past five years, security researchers have developed tools and presented talks demonstrating how attackers could potentially compromise a mainframe. The research and tools have revealed that mainframes should be considered in the same security scope as all other valued assets — if not more — and, as such, should receive more attention from the security organization. The investment clients put into these machines should warrant the same level of investment in security. Security should include a proper testing program to ensure that these valued assets are not exposed beyond the expected risk level, are patched, and are not easy to penetrate and harm.

So why have companies put the security of their mainframes on a different track than they do for other assets? The answer is threefold. First, mainframes were historically physically isolated in what was considered a “secured” space with layers of security controls, so companies assumed they would not be tampered with. They simply stood up the mainframe and let it run because of its reliability.

Second, mainframes are typically excluded from security testing because they almost always run production operations. Since they are often the heart of the business, companies are concerned testing will interrupt the flow of business. This also extends to their elongated patching cycles.

Finally, there is limited mainframe testing expertise in the industry nowadays because mainframes haven’t been part of traditional security assessment programs.

Top 5 Mainframe Security Gaps, According to a Penetration Tester

Our team at X-Force Red, IBM Security’s team of veteran hackers, has specific expertise in mainframe testing. I recently interviewed our X-Force Red mainframe hacker, David Bryan, to surface the top five security gaps from his testing of mainframes. Here’s what he shared:

1. Password Policies

When mainframes first came into existence, they only allowed eight-character passwords, which left ample opportunity for users to create weak passwords. While they may have appeared more secure in the past, nowadays eight-character passwords are easily guessable and crackable. Our hackers can crack even long and complex passwords in less than a day. If attackers crack just one password of a user who can access the mainframe, they could log in to all the mainframe systems and others. Not to mention, security policies for Active Directory, such as those for Windows authentication, usually mirror the mainframe policies for passwords. That means if the mainframe password criteria match the Active Directory password criteria, we’re giving attackers two high-value targets to compromise: Active Directory and the mainframe.

David remembers performing a test for a retail company in which its Windows domain passwords were synchronized with a mainframe. He dumped the Active Directory domain database and cracked 70 percent of the 32,000 accounts in under 30 minutes because the system was synchronized with a mainframe.

Fast-forward to today’s mainframes. Given the security knowledge we now have, these assets should never be left with weak passwords. Moreover, they should be a prime part of the infrastructure and stringent access controls must be applied, minimizing privileged user accounts, monitoring their activity and applying MFA. Any mainframes where these cannot be applied should be protected with compensating controls and brought up to the same level of risk the organization expects for a production asset.

2. Data Left Behind

Because mainframes were once typically set-up-and-forget systems, they often contain sensitive data files that should have been deleted after the deployment phase ended. Certain data should not be written to a space that just any user can access.

We had one mainframe hacker who logged into the mainframe as an unprivileged user and immediately saw a highly sensitive file that contained information she could have used to compromise high-privileged users in the company’s environment. Files, such as lists of usernames and passwords and confidential client information, should not remain on the mainframe, where they are exposed to any type of user who gains physical or remote access.

3. Overprivileged Users

Often, companies provide users with significantly more access to mainframes than they should be given. They do not do it with malicious intent; they simply do not have the expertise or time to identify which roles should receive higher privileges and how to manage such accounts.

If attackers were to compromise just one of those users, they would not need to work much more to escalate their access level. They could instantly access sensitive data in the mainframe and/or compromise another user with higher privileges, such as a system administrator, and perform all kinds of attacks — from extracting data to pivoting and accessing the entire environment.

4. Unencrypted Protocols

When it comes to mainframes, David has seen unencrypted network communication between web servers and mainframes using the Telnet protocol TN3270, which is not encrypted by default. That means any data traversing that protocol on the network can be viewed and recorded by potential adversaries.

While there are ways to apply encryption around it, not many companies do so because it has not been a standard practice in most security programs. Unencrypted TN3270 elevates the risk of an Address Resolution Protocol (ARP)-spoofing attack. If that is followed by a man-in-the-middle (MitM) attack, which can enable an attacker to decode the data in transit or become part of a user session, attackers could then retrieve the user’s username and password and log in to the mainframe as that user.
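One way a defender can check for the cleartext TN3270 exposure described above, as an added example that is not code from the article or from X-Force Red: classify the opening bytes each side sent on a session, taken from a packet capture, as a TLS handshake or as bare Telnet negotiation. The sample byte strings are constructed, the function names are hypothetical, and the START_TLS message order is an assumption noted in the code.

```python
"""Flag Telnet/TN3270 sessions that start in cleartext instead of TLS.

Input is the opening bytes each side sent on a TCP session, as read from a
packet capture. All sample byte strings below are constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Tuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
TN3270E, START_TLS = 40, 46  # IANA-assigned Telnet option numbers


class Verdict(NamedTuple):
    transport: str  # tls, telnet+starttls, cleartext-tn3270, cleartext-telnet, unknown
    flagged: bool   # True when logon and screen data would cross the wire unencrypted


def is_tls_record(data: bytes) -> bool:
    """True if data starts with a TLS handshake record header (type 0x16, version 3.x)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def telnet_options(data: bytes) -> List[Tuple[str, int]]:
    """Return (verb, option) for each IAC WILL/WONT/DO/DONT command in data."""
    found, i, n = [], 0, len(data)
    while i + 1 < n:
        if data[i] != IAC:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in VERBS and i + 2 < n:
            found.append((VERBS[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            # Skip the subnegotiation body up to IAC SE; IAC IAC inside is an escaped 0xFF.
            i += 2
            while i + 1 < n and not (data[i] == IAC and data[i + 1] == SE):
                i += 2 if data[i] == IAC else 1
            i += 2
        else:
            i += 2  # escaped 0xFF or another two-byte command
    return found


def classify_session(client_first: bytes, server_first: bytes) -> Verdict:
    """Decide whether a session is TLS-wrapped, upgraded via START_TLS, or cleartext."""
    if is_tls_record(client_first):
        return Verdict("tls", False)
    client, server = telnet_options(client_first), telnet_options(server_first)
    if not client and not server:
        return Verdict("unknown", False)
    # Assumed START_TLS flow: the server sends DO START_TLS and the client answers WILL.
    if ("DO", START_TLS) in server and ("WILL", START_TLS) in client:
        return Verdict("telnet+starttls", False)
    options = {opt for _, opt in client + server}
    # TN3270E negotiation, or a 3270 terminal type such as IBM-3278-2, marks a 3270 session.
    if TN3270E in options or b"IBM-327" in client_first:
        return Verdict("cleartext-tn3270", True)
    return Verdict("cleartext-telnet", True)


# Constructed samples: name -> (client opening bytes, server opening bytes)
SAMPLE_SESSIONS: Dict[str, Tuple[bytes, bytes]] = {
    "tn3270e-plain": (bytes.fromhex("fffb28"), bytes.fromhex("fffd28")),
    "tn3270-legacy": (
        bytes.fromhex("fffb18fffa1800") + b"IBM-3278-2" + bytes.fromhex("fff0"),
        bytes.fromhex("fffd18fffa1801fff0"),
    ),
    "tls-wrapped": (bytes.fromhex("16030100c4010000c00303"), bytes.fromhex("160303005a020000560303")),
    "starttls-accepted": (bytes.fromhex("fffb2e"), bytes.fromhex("fffd2e")),
    "starttls-refused": (bytes.fromhex("fffc2efffb28"), bytes.fromhex("fffd2efffd28")),
}


def flagged_sessions(sessions: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Names of the sessions whose traffic would be readable on the wire."""
    return sorted(name for name, (c, s) in sessions.items() if classify_session(c, s).flagged)


if __name__ == "__main__":
    for name, (c, s) in SAMPLE_SESSIONS.items():
        print(f"{name:18} {classify_session(c, s)}")
```

A session reported as `telnet+starttls` only shows that the upgrade was agreed; confirm in the capture that a TLS handshake follows.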

5. Insecure Applications

Many applications are written with unintentional security flaws, such as logic flaws, cross-site scripting (XSS), code flaws and others. Mainframe application flaws are no exception. If applications are not built and deployed securely, they can expose the entire mainframe environment to an attacker. To keep track of mainframe security, it is essential to include these assets in security maintenance that oversees vulnerability management, patching and testing.

At a basic level, companies should make sure access to their mainframes requires strong passwords. They should also enable encryption and ensure that their applications have gone through a secure-by-design build phase. That means testing applications as they are being designed and implementing a security plan during the development phase and post-deployment. This strategy ensures that risks are identified prior to the launch of an actual attack, avoiding a real-time scramble for a solution.

It is also crucial for companies to perform penetration testing against their mainframes. Manual penetration testing identifies and helps fix flaws exposing the mainframe hardware and software, which includes the vulnerabilities mentioned above.

Learn more about X-Force Red’s mainframe testing services and download the new white paper.

The post Top Five Security Focus Areas for Mainframes appeared first on Security Intelligence.

Innovation or Security? With Multifactor Authentication for the Mainframe, You Can Have Both
https://securityintelligence.com/posts/innovation-or-security-with-multifactor-authentication-for-the-mainframe-you-can-have-both/
Mon, 08 Jul 2019 11:30:25 +0000
Now that we have tools that provide multifactor authentication (MFA) without friction, it's time to upgrade your mainframe security to participate more fully in the benefits of digital transformation.

With the widespread adoption of new technology that combines multifactor authentication (MFA) with a seamless user experience, it’s now time for organizations to strengthen their security posture by integrating mainframe into their seamless, user-centric authentication programs.

Some IT managers may shudder at the thought. After all, the mainframe typically holds the organization’s crown jewels. Mainframe security has traditionally been tightly controlled and limited to a small number of authorized users. But in today’s free-flowing environment, expanding access to sensitive corporate assets, applications, infrastructure and intelligence to a broader community of employees, partners and customers is critical to innovation and growth.

Privileged users and customers routinely access account data and conduct transactions that require mainframe access. After all, it’s still the system of record for an incredible amount of financial, travel, retail and governmental transactions. The challenge today is to provide convenience while assuring higher levels of security.

The explosion in the use of application programming interfaces (APIs) has also fueled programmatic access to mainframe data. For example, paying for a purchase from an e-commerce site through automatic funds transfer from a bank account likely involves a transaction with the bank’s mainframe. Businesses need to make this process simple to maximize the returns from self-service and online sales.

Looking Beyond Passwords for Mainframe Security

Password security alone isn’t enough. Years of warnings about the exploitability of passwords have failed to change the behavior of many users. In April, the U.K.’s National Cyber Security Centre reported findings from an analysis of over a half-billion compromised passwords in the HaveIBeenPwned database. The study revealed that the password 123456 was used 23 million times, followed by 123456789, with more than 7 million occurrences. Altogether, five passwords comprised about 8 percent of the database.

This, combined with people’s tendency to recycle passwords across multiple sites, makes single-factor authentication a nonstarter where critical data is involved. Nevertheless, businesses have been reluctant to put up new barriers for fear of reducing productivity and driving away customers. A survey conducted last year by Experian found that many business leaders are willing to accept the risk of higher fraud losses from the use of weak authentication protocols to avoid disrupting the user experience.

But they don’t need to make that trade-off. Use of multifactor authentication is growing thanks to technologies that are removing the inconvenience or expense that limited adoption in the past. With the arrival of robust and flexible MFA solutions for mainframe security, organizations can now share critical data more freely and satisfy the growing body of regulations that require enhanced access controls.

MFA combines two or more authentication factors — such as a password and PIN, a code delivered via text message, a physical token, and/or a fingerprint scan — to verify a user’s identity. Multifactor authentication has been shown to dramatically reduce the risk of breaches, yet many organizations are still reluctant to impose the additional overhead on customers.

Embrace a Smarter Approach to Multifactor Authentication

There is growing evidence that strong security now correlates positively with customer satisfaction. One recent study found that 70 percent of consumers feel secure purchasing items from a physical store, but only 56 percent fully trust online purchases. IBM’s “Future of Identity Study 2018” revealed growing consumer comfort levels with MFA, indicating that security is now at least as important as convenience.

MFA is more than a point product. It’s part of a trusted authentication journey, and companies that can confidently enable expanded access to mainframe data can participate more fully in the benefits of digital transformation. An advanced MFA solution for mainframe security extends tried-and-true tools such as Resource Access Control Facility (RACF) with advanced techniques such as risk-based authentication. Integration with access management tools and authentication-as-a-service platforms for cloud access makes MFA an authentication-anywhere solution. Native support for factors such as multiprotocol hardware devices and Lightweight Directory Access Protocol (LDAP) further enhances this capability. The result is lower ownership cost, fewer help desk calls, improved integration with legacy apps and a better user experience overall.

The post Innovation or Security? With Multifactor Authentication for the Mainframe, You Can Have Both appeared first on Security Intelligence.

CISOs Still Aren’t Adopting Enterprisewide Multifactor Authentication — What’s the Holdup?
https://securityintelligence.com/posts/cisos-still-arent-adopting-enterprisewide-multifactor-authentication-whats-the-holdup/
Fri, 14 Jun 2019 15:15:29 +0000
Despite the myriad benefits of multifactor authentication (MFA), many CISOs are reluctant to implement it pervasively in their enterprise because they don't know what assets need to be protected.

Chief information security officers (CISOs) are the ultimate gatekeepers of the flow of sensitive data inside and outside the organization. While protecting data and identities is of paramount importance, there’s mounting pressure on the CISO to do so without adding more friction to the user experience.

This challenge is in plain sight when a user, internal or external, attempts to gain access to data, resources or applications. Traditionally, this has been accomplished through simple username/password systems, but compliance mandates built to protect privacy and increasingly sophisticated cyberthreats demand stronger, multifactor authentication.

Despite the Benefits of Pervasive MFA, Companies Are Slow to Adopt

Multifactor authentication (MFA) is the practice of requiring a user to supply two or more factors to gain access to systems, applications and data. Beyond a password and personal identification number (PIN), factors can include tokens, one-time passwords and biometrics. In other words, MFA solves the problem of a threat actor being able to gain unfettered access with just a single stolen credential.

Despite the obvious benefits of multifactor authentication, organizations tend to leverage this technology on a selective basis. What is preventing more pervasive MFA use? According to an Enterprise Strategy Group (ESG) survey that asked respondents why their organization hasn’t deployed multifactor authentication more extensively, more than half cited the need to determine what actually requires at least a second level of authentication (30 percent) and/or the fact that not all IT or physical assets require that level of protection (27 percent). Both reasons can be attributed to aligning MFA with the appropriate use cases and requirements.

Source: Enterprise Strategy Group InstaGraphic

Multifactor Authentication Is More Than a Bolt-On Feature

There has been a historic bias — which is not a great way to make security decisions — against MFA. Business and IT executives have not supported broader use of multifactor authentication and employees have resisted it, so organizations are very careful about any new MFA initiatives. However, modern, enterprisewide MFA solutions, including mainframe security, can be deployed effectively and with minimal friction to the user experience.

For example, you could optimize multifactor authentication for the platform or system of record where critical data and applications reside and add MFA for more of the users who access systems like the mainframe, and there are more of them than you think. The investment made in native mainframe security access control systems can be leveraged to help provide flexibility so that the right level and kind of additional factors can be used for the right type of user and access.

MFA is not a one-size-fits-all proposition. MFA solutions should be considered as part of the overall experience, not bolted on as an afterthought.

How Does Multifactor Authentication Fit Into Your Security Strategy?

Progressive organizations are implementing security processes and technologies that accommodate the insatiable demand for more access without adding unacceptable risk. One example is an identity governance program with risk-based scoring that determines what kind of access a user should be granted depending on a variety of conditions. Enterprise MFA solutions should have the flexibility to serve up the right kind of additional factors determined by the risk score. This is just one example of how multifactor authentication will help drive an “authentication everywhere” strategy that accommodates all systems, users and conditions.
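The risk-scored factor selection described above can be made concrete with the following added example, which is not code from the article or from any MFA product. The sensitivity labels, signal names, weights, thresholds and the "strong" factor set are all assumptions chosen for illustration; the factor types are the ones the article names.

```python
from dataclasses import dataclass

# All weights, thresholds and signal names below are assumed for illustration.
SENSITIVITY = {"public": 0, "internal": 10, "confidential": 25, "system_of_record": 40}
SIGNALS = {"new_device": 25, "untrusted_network": 20, "off_hours": 10}
PRIVILEGED_WEIGHT = 20
# Factor types named in the article, grouped by category.
CATEGORY = {"password": "knowledge", "pin": "knowledge", "otp": "possession",
            "hardware_token": "possession", "biometric": "inherence"}
STRONG = {"hardware_token", "biometric"}  # assumed "high assurance" set


@dataclass(frozen=True)
class Request:
    asset: str              # sensitivity label of the resource
    privileged: bool        # e.g. an administrator ID
    signals: frozenset      # contextual risk signals observed
    presented: frozenset    # factors already verified this session


def risk_score(req):
    # Unknown labels raise KeyError, so a misconfigured asset fails closed.
    score = SENSITIVITY[req.asset] + sum(SIGNALS[s] for s in req.signals)
    return min(score + (PRIVILEGED_WEIGHT if req.privileged else 0), 100)


def satisfied(factors, score):
    categories = {CATEGORY[f] for f in factors}
    if score < 30:                       # low risk: any single factor
        return len(categories) >= 1
    if score < 70:                       # medium: two distinct categories
        return len(categories) >= 2
    return len(categories) >= 2 and bool(STRONG & factors)  # high


def decide(req):
    score = risk_score(req)
    if satisfied(req.presented, score):
        return ("allow", score, [])
    remaining = set(CATEGORY) - req.presented
    # Offer only factors that would complete the requirement on their own;
    # if none can, offer everything unused and re-evaluate after each one.
    offer = [f for f in remaining if satisfied(req.presented | {f}, score)]
    return ("step_up", score, sorted(offer or remaining))
```

A password plus a PIN never satisfies the medium or high tier here, because both fall in the same category and so count as one factor.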
