Douglas Bonderud – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709
https://securityintelligence.com/articles/remote-access-risks-cve20241708-cve20241709/
Tue, 07 May 2024 13:00:00 +0000

On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect remote access product, CVE-2024-1708 and CVE-2024-1709. CVE-2024-1709 is an authentication bypass, and CVE-2024-1708 is a path traversal flaw. Chained together, they let an unauthenticated attacker take over a ScreenConnect server and execute code on it.

While ConnectWise initially reported that proof-of-concept code existed but that neither flaw had been seen exploited in the wild, reports from customers quickly made it clear that attackers were actively exploiting both. The company released patches for both CVEs.

Despite these updates, however, malicious actors aren’t giving up: reports of new attack vectors were still coming in more than a month after the initial disclosure. Here’s what enterprises need to know about these remote access risks.

Opportunity knocks: Attackers go all-in on ScreenConnect

The first round of attacks reported against ScreenConnect delivered malware. Within a week of the disclosure, persistent phishing campaigns were also discovered targeting the healthcare industry and cryptocurrency users.

By February 27, ransomware groups such as Black Basta and Bl00dy had begun exploiting these vulnerabilities. The following week saw patches from ConnectWise to address these evolving issues, and for several weeks the volume of attacks declined.

On March 27, however, new ScreenConnect threats emerged. Chinese threat actor UNC5174 and initial access brokers began using the F5 BIG-IP vulnerability (CVE-2023-46747) alongside the ScreenConnect flaws to compromise organizations.

Put simply, the ubiquity and usability of ScreenConnect made it an ideal compromise point for both money-driven and nation-state threat actors. Even with patches available, the number of unpatched systems remains high enough that attack vectors continue to evolve.

Understanding the ScreenConnect compromises

So, what exactly are the ScreenConnect vulnerabilities? Let’s take a look at each.

CVE-2024-1708

This vulnerability was assigned a CVSS 3.1 score of 8.4 out of 10. It affects ScreenConnect version 23.9.7 and all prior versions. It is a path traversal vulnerability that, for an attacker who already holds administrative access, leads to remote code execution.

Specifically, it lets an administrator write files into the App_Extensions root directory rather than confining them to the extension’s own subdirectory, so a malicious extension can place code where the server will run it. On its own, the impact was limited, since exploitation required administrative credentials. Combined with CVE-2024-1709, which hands those credentials to anyone, it became far more worrisome.

CVE-2024-1709

This vulnerability was assigned a CVSS 3.1 score of 10 out of 10, marking it “critical.” It is an authentication bypass that abuses how the server routes requests for the SetupWizard.aspx page.

Due to a quirk of .NET request handling, extra path segments appended to a legitimate page URL are still delivered to that page. The check that should block the setup wizard on an already-configured instance looks at the literal request path, so a request for /SetupWizard.aspx/anything slips past it while still reaching the wizard. In practice, this means attackers can open the ScreenConnect setup wizard on any instance, even those that are already configured.

Once attackers reach the Setup Wizard welcome screen, all they need to do is click “Next.” Even if they never complete the setup process, that step creates a new administrative user and deletes all other local users. With full admin access, attackers can then create and upload a malicious extension (CVE-2024-1708) to gain Remote Code Execution (RCE).
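The failure mode described above, as an added illustration rather than ScreenConnect’s own code: a simplified Python model in which routing delivers any request whose first .aspx segment is SetupWizard.aspx to the wizard handler, while the flawed gate compares the literal request path. The routing rules, function names and the exact form of the original check are assumptions made for the demonstration; the hardened gate decides on the page the request will actually execute, so trailing path info, case and query strings no longer matter.

```python
"""Simplified model of the SetupWizard.aspx gate behind CVE-2024-1709.
Added illustration only: the routing rules and the form of the original
check are assumptions, not ScreenConnect's code."""
from urllib.parse import urlsplit

WIZARD_PAGE = "/setupwizard.aspx"  # paths compared case-insensitively, as on IIS


def route(raw_url: str) -> tuple[str, str]:
    """Model of ASP.NET routing (assumed): the first path segment ending in
    .aspx selects the page handler, and any later segments become trailing
    path info that is still delivered to that same handler. Returns
    (page, path_info) in lower case; page is '' when no .aspx page matches."""
    path = urlsplit(raw_url).path.lower()
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if seg.endswith(".aspx"):
            page = "/".join(segments[: i + 1])
            rest = segments[i + 1:]
            return page, ("/" + "/".join(rest)) if rest else ""
    return "", ""


def gate_vulnerable(raw_url: str, setup_complete: bool) -> bool:
    """Flawed gate: on a configured server, refuse the wizard only when the
    literal request path equals the wizard page. '/SetupWizard.aspx/anything'
    (or even a bare trailing slash) is not equal, so it is allowed through
    although routing still hands it to the wizard."""
    if not setup_complete:
        return True
    return urlsplit(raw_url).path.lower() != WIZARD_PAGE


def gate_fixed(raw_url: str, setup_complete: bool) -> bool:
    """Hardened gate: decide on the page that will actually execute, so
    trailing path info, case differences and query strings cannot matter."""
    if not setup_complete:
        return True
    page, _ = route(raw_url)
    return page != WIZARD_PAGE


def handle(raw_url: str, setup_complete: bool, gate) -> str:
    """Return 'wizard' if the setup wizard would be served for this request,
    'denied' if the gate blocked it, or 'other' if another page is targeted."""
    page, _ = route(raw_url)
    if page != WIZARD_PAGE:
        return "other"
    return "wizard" if gate(raw_url, setup_complete) else "denied"


if __name__ == "__main__":
    for url in ("/SetupWizard.aspx", "/SetupWizard.aspx/", "/SetupWizard.aspx/anything?x=1"):
        print(f"{url:36} vulnerable={handle(url, True, gate_vulnerable):7} "
              f"fixed={handle(url, True, gate_fixed)}")
```

The general lesson is independent of ScreenConnect: an authorization check must be made on the same normalized object the dispatcher uses, never on the raw request string, or the two will disagree on exactly the inputs an attacker controls.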

Problems, patches and persistence

ScreenConnect helps companies manage, monitor and troubleshoot remote devices. For example, if an employee working from home experiences issues with their company-issued smartphone, ScreenConnect lets IT staff log in remotely to diagnose and fix the issue.

Used maliciously, however, this same access can reach virtually every device connected through ScreenConnect, local and remote. CVE-2024-1708 on its own required an administrator account, so it drew limited attention until attackers realized that CVE-2024-1709 supplied exactly that: wipe the local user database, create a profile of their own and take full administrative control, then use CVE-2024-1708 to run code on the server.

As a result, both vulnerabilities quickly became popular paths to remote access. Given the massive number of devices that now make up connected corporate networks, full control of the server combined with the ability to overwrite the existing user database made exploiting these vulnerabilities well worth attackers’ time.

Once both vulnerabilities were patched, attack volumes dropped, as evidenced by the lack of new threat vectors reported between the end of February and the end of March. Now, attacks are on the rise again as malicious actors target companies that haven’t applied the ScreenConnect patches. In addition, attackers are chaining other CVEs with these flaws to compromise remote connections and gain network access.

For example, Chinese threat actor UNC5174 has been spotted using a combination of CVEs, including CVE-2023-46747, which targets F5 BIG-IP, and CVE-2024-1709 to attack government and defense agencies. In other words, while the initial wave of ScreenConnect attacks has largely passed, the long-term impact remains a concern as newer vulnerabilities are combined with existing exploits to create more sophisticated attacks.

Staying safe from remote access risks

For customers using the cloud-hosted version of ScreenConnect, patches were applied automatically. Enterprises running on-premises deployments, however, must patch manually, and quickly: CVE-2024-1709 is trivially easy to exploit, giving attackers access before companies have time to react. Because the exploit rewrites the local user database, a server that sat exposed while unpatched should be treated as potentially compromised rather than simply updated: check for administrative accounts nobody created and for extensions the organization never installed.
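Two concrete checks for an on-premises operator, added here as example code rather than anything from ConnectWise or the article: a version test implementing the article’s “23.9.7 and all prior versions” rule, and a hunt through IIS W3C web logs for requests to SetupWizard.aspx that carry extra path segments, which a configured server has no legitimate reason to receive. The log excerpt is constructed; it is assumed that the server logs the full request stem including trailing path info, and version build suffixes beyond the first three numbers are ignored.

```python
"""Exposure checks for ScreenConnect CVE-2024-1709 (added example, not
ConnectWise tooling): version comparison plus a hunt through IIS W3C logs
for SetupWizard.aspx requests carrying extra path segments."""
import re

# The article's rule: 23.9.7 and everything before it is affected.
LAST_AFFECTED = (23, 9, 7)

# Constructed IIS W3C log excerpt (not a real capture). Real servers log more
# columns; the parser reads the #Fields: header rather than assuming positions.
# Assumption: cs-uri-stem records the full request stem including trailing
# path info, e.g. /SetupWizard.aspx/anything.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-02-20 03:14:07 GET /Host.aspx - 203.0.113.5 200
2024-02-20 03:14:09 GET /SetupWizard.aspx/ - 198.51.100.23 200
2024-02-20 03:14:15 POST /SetupWizard.aspx/ - 198.51.100.23 302
2024-02-20 03:15:01 GET /App_Extensions/ - 198.51.100.23 404
2024-02-20 03:20:44 GET /SetupWizard.aspx - 192.0.2.10 403
"""

# Wizard page followed by anything at all (even just '/'), case-insensitive.
WIZARD_BYPASS = re.compile(r"^/setupwizard\.aspx/", re.IGNORECASE)


def is_affected_version(version: str) -> bool:
    """True when a ScreenConnect version string such as '23.9.7' or
    '23.9.7.1234' is at or below 23.9.7. Only the first three numeric
    components are compared; build suffixes are ignored."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    return parts <= LAST_AFFECTED


def parse_w3c(text: str) -> list[dict]:
    """Parse IIS W3C extended log text into one dict per request, keyed by
    the names in the most recent #Fields: directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            records.append(dict(zip(fields, line.split())))
    return records


def find_wizard_bypass_attempts(records: list[dict]) -> list[dict]:
    """Return requests whose path is SetupWizard.aspx plus trailing path info.
    A configured server has no legitimate reason to receive these; a POST is
    the 'Next' click that creates the attacker's admin and wipes other users."""
    return [r for r in records if WIZARD_BYPASS.match(r.get("cs-uri-stem", ""))]


if __name__ == "__main__":
    for ver in ("23.9.7", "23.9.8", "22.8.2"):
        print(ver, "affected" if is_affected_version(ver) else "not affected")
    for hit in find_wizard_bypass_attempts(parse_w3c(SAMPLE_LOG)):
        print(hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"], "->", hit["sc-status"])
```

A bare request for /SetupWizard.aspx that the server answers with 403 is the normal block and is not flagged; the GET-then-POST pair from one client against the path with a trailing slash is the pattern worth escalating, and the subsequent 404 on /App_Extensions/ from the same client shows the attacker moving toward the CVE-2024-1708 stage. File-system review of App_Extensions for unexpected extensions is a separate, host-side check.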

It’s also worth noting that while these vulnerabilities represent one significant security risk, they’re not the only emerging issue. Consider the rise of attacks that chain multiple exploits, such as the F5 BIG-IP and ScreenConnect CVEs, to gain a foothold and then move deeper into the network. Keystroke-logging malware such as BunnyLoader, meanwhile, is receiving updates reported to boost its performance by 90%, making it easier for attackers to find what they’re looking for once they are past the perimeter. As a result, companies can benefit from patch management solutions that automatically identify and apply new patches to existing tools.

Given the changeable nature of security threats, however, post-problem patching isn’t enough in isolation. Instead, companies must deploy tools capable of identifying vulnerabilities before attackers can exploit them. It’s also worth pairing detection tools with vulnerability management solutions that continually discover, analyze and remediate potential vulnerabilities.

This triple-layer approach offers the best chance against remote access risks. Scanning tools identify risks, vulnerability management tools close the gaps and patch management processes ensure that defenses are automatically kept up-to-date.

Back to basics: Better security in the AI era
https://securityintelligence.com/articles/back-to-basics-better-security-ai/
Wed, 07 Feb 2024 15:28:00 +0000

The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs as these technologies become more widely available.

The result is a hard truth for network protectors: keeping pace isn’t possible. While attackers benefit from a scattershot approach that uses anything and everything to compromise business networks, companies are better served staying on the security straight and narrow. This creates an imbalance. Even as malicious actors push the envelope, defenders must stay the course.

But it’s not all bad news. With a back-to-basics approach, enterprises can reduce risks, mitigate impacts and develop improved threat intelligence. Here’s how.

What’s new is old again

Attack vectors are evolving. For example, connected IoT environments create new openings for malicious actors: if they can infiltrate a single device, they may be able to gain unfettered network access. As noted by ZDNET, meanwhile, LLMs are now being used to improve phishing campaigns by removing grammatical errors and adding cultural context, while generative AI solutions create legitimate-looking content, such as invoices or email directives that prompt action from business users.

For enterprises, this makes it easy to miss the forest for the trees. Legitimate concerns over the rise of AI threats and the expansion of IoT risk can create a kind of hyperfocus for security teams, one that leaves networks unintentionally vulnerable.

While there might be more attack paths, these paths ultimately lead to the same places: enterprise applications, networks and databases. Consider some predicted cybersecurity trends for 2024, which include AI-crafted phishing emails, “doppelganger” users and convincing deepfakes.

Despite the differences in approach, these new attacks still have familiar targets. As a result, businesses are best served by getting back to basics.

Focus on what matters

Value for attackers comes from stealing information, compromising operations or holding data hostage.

This creates a funnel effect. At the top are attack vectors, everything from AI to scam calls to vulnerability exploits to macro malware. As attacks move toward the network, the funnel begins to narrow. While multiple compromise pathways exist — such as public clouds, user devices and Internet-facing applications — they are far less numerous than their attack vector counterparts.

At the bottom of the funnel is protected data. This data might exist in on-site or off-site storage databases, in public clouds or within applications, but again, it represents a shrinking of the overall attack funnel. As a result, businesses aren’t required to meet every new attack toe-to-toe. Instead, security teams should focus on the shared end goal of disparate attack vectors: data.

Effectively addressing new attack vectors means prioritizing familiar operations such as identifying critical data, tracking indicators of attack (IoAs) and adopting zero trust models.

Back to basics

Consider an enterprise under threat from an AI-assisted attack. Using generative tools and LLMs, hackers have created code that’s hard to spot and designed to target specific data sets. At first glance, this scenario can seem overwhelming: How can companies hope to combat threats they can’t predict?

Simple: Start with the basics.

First, identify key data. Given the sheer amount of information now generated and collected by enterprises, it’s impossible to protect every piece of data simultaneously. By identifying essential digital assets — such as financial, intellectual property or personnel data — businesses can focus their protective efforts.

Next is tracking IoAs. By implementing processes that help pinpoint common attack characteristics, teams are better prepared to respond when threats emerge. Common IoAs may include sudden upticks in specific data access requests, performance problems in widely used applications with no identifiable cause or an increased number of failed login attempts. Armed with this information, teams can better predict likely attack paths.
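One of the IoAs above, a burst of failed logins, turned into detection logic (an added example, not from the article): a per-source sliding window over sshd-style authentication lines that raises a first alert when failures from one address cross a threshold inside the window, and a second, stronger alert if that same address then logs in successfully. The log lines are constructed; the line format, the ISO timestamp prefix, the threshold and the window size are assumptions.

```python
"""Indicator-of-attack detection for failed-login bursts (added example).
Log lines are constructed, sshd-style, with an ISO timestamp prefix; the
format, threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
2024-02-07T09:00:01 sshd[911]: Failed password for invalid user admin from 198.51.100.7 port 51012 ssh2
2024-02-07T09:00:03 sshd[911]: Failed password for root from 198.51.100.7 port 51013 ssh2
2024-02-07T09:00:04 sshd[911]: Failed password for root from 198.51.100.7 port 51014 ssh2
2024-02-07T09:00:06 sshd[911]: Failed password for jsmith from 198.51.100.7 port 51015 ssh2
2024-02-07T09:00:08 sshd[911]: Failed password for jsmith from 198.51.100.7 port 51016 ssh2
2024-02-07T09:00:09 sshd[911]: Accepted password for jsmith from 198.51.100.7 port 51017 ssh2
2024-02-07T09:00:30 sshd[912]: Failed password for alice from 203.0.113.9 port 40001 ssh2
2024-02-07T09:05:00 sshd[913]: Failed password for alice from 203.0.113.9 port 40002 ssh2
2024-02-07T09:05:10 sshd[914]: Accepted publickey for alice from 203.0.113.9 port 40003 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text: str) -> list[dict]:
    """Turn matching lines into events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def detect(events: list[dict], threshold: int = 5, window_s: int = 60) -> list[dict]:
    """Per-source sliding window. Emits 'failed_login_burst' the first time a
    source reaches `threshold` failures inside `window_s` seconds, and
    'success_after_burst' for any later successful login from that source,
    which is the stronger signal (a guessed or stuffed credential that worked).
    A source stays flagged for the rest of the input once it has burst."""
    recent: dict[str, deque] = defaultdict(deque)
    burst_ips: set[str] = set()
    alerts: list[dict] = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["ip"]
        if e["outcome"] == "Failed":
            q = recent[ip]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_s:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({"type": "failed_login_burst", "ip": ip, "count": len(q), "at": e["ts"]})
        elif ip in burst_ips:
            alerts.append({"type": "success_after_burst", "ip": ip, "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the sample, 198.51.100.7 produces five failures in seven seconds and then a successful password login for jsmith, which yields both alert types; 203.0.113.9 fails twice five minutes apart, which never fills the window, so a legitimate user who mistypes a password occasionally stays quiet. The window and threshold are where tuning happens: tighten them for Internet-facing services, loosen them for busy internal jump hosts.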

Finally, zero trust models can help provide a protective bulwark if attackers manage to compromise login and password data. By adopting an always-verify approach that uses a combination of behavioral and geographic data paired with strong authentication processes, businesses frustrate attackers at the final hurdle.

Function over form: Implementing new tools

While focusing on the outcome rather than the input of new attack vectors, enterprises can reduce security risk. But there’s also a case for implementing new tools such as AI and LLMs to help bolster cybersecurity efforts.

Consider generative AI tools. In the same ways they can help attackers create code that’s hard to detect and difficult to counter, GenAI can assist cybersecurity teams in analyzing and identifying common attack patterns, helping businesses focus their efforts on likely avenues of compromise. However, it’s worth noting that this identification isn’t effective if companies don’t have the endpoint visibility to understand where attacks are coming from and what systems are at risk.

In other words, implementing new tools isn’t a cure-all — they’re only effective when paired with solid security hygiene.

For better security, work smarter, not harder

Just as attackers can leverage new technologies to increase compromise efficacy, companies can leverage AI security to help defend against potential threats.

Malicious actors, however, can act with impunity. If AI-enhanced malware or LLM-reviewed phishing emails don’t work, they can simply return to the drawing board. For cybersecurity professionals, however, failure means compromised systems at best and stolen or ransomed data at worst.

The result? Security success depends on working smarter, not harder. This starts by getting back to basics: pinpointing critical data, tracking attacks and implementing tools that verify all users. It improves with the targeted use of AI. By leveraging solutions such as the IBM Security QRadar Suite, which features advanced AI threat intelligence, or IBM Security Guardium, which offers built-in AI outlier detection, businesses are better prepared to counter current threats and reduce the risk of future compromise.

Cost of a data breach 2023: Financial industry impacts
https://securityintelligence.com/articles/cost-of-a-data-breach-2023-financial-industry/
Wed, 30 Aug 2023 13:00:00 +0000

According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020. In response, 51% of organizations plan to increase cybersecurity spending this year.

For the financial industry, however, global statistics don’t tell the whole story. Finance firms lose approximately $5.9 million per data breach, 28% higher than the global average. In addition, evolving regulatory concerns play a role in how financial companies respond to cyberattacks and where they’re investing to reduce total risk.

By the numbers: The true cost of a data breach for financial companies

When it comes to calculating the true cost of a data breach for financial firms, monetary loss is just the beginning.

Consider common threat vectors. While 48% of financial attacks start with malicious actors, human error accounts for 33%. Phishing and compromised credentials take the top spots for initial attack vectors at 16% and 15%, respectively. If attackers are successful, they often have access to millions of transaction and client records — the average cost for breaches of 50 million records or more now tops $300 million.

It’s not all bad news, however. In terms of detecting and containing data breaches, finance organizations are ahead of the curve. Globally, companies take 204 days to identify and 73 days to contain a breach. In the financial industry, breaches are identified in 177 days and contained in 56 days on average.

Where are financial firms investing in cybersecurity?

More than half of organizations will increase their cybersecurity investments this year.

For financial firms, top areas of investment include security AI, automation and incident response (IR). In 2023, 39% of financial organizations reported “extensive use” of security AI and automation, which led to $850,000 in savings compared to the global average cost of a breach. When it comes to IR teams and testing, meanwhile, firms with robust incident response frameworks saved an average of $2 million.

How can the financial industry defend critical data?

The financial industry faces unique challenges when it comes to effective data protection. One of the most prevalent is the need to identify and incorporate global regulations into everyday banking practices. This could include client data privacy obligations under legislation such as CCPA in California and GDPR in Europe, along with fraud-reduction requirements from regulators such as FINRA. In addition, new regulations, such as the EU’s Digital Finance Strategy, are emerging to govern growing cryptocurrency markets.

It’s also worth noting that financial firms face steep fines for failing to meet regulatory requirements. Consider that in 2022, the U.S. Securities and Exchange Commission (SEC) fined more than a dozen banks almost $2 billion for failing to preserve business communications that employees had sent over personal devices and unapproved messaging apps.

To help combat emerging threats and ensure compliance with evolving legislation, finance firms can benefit from a multi-pronged approach that includes the following elements.

DevSecOps integration

A DevSecOps approach to security makes it possible for firms to integrate protection at application, tool and platform levels for increased control. Here, success depends on both comprehensive integration and regular testing.

Robust data discovery

82% of data breaches include data in cloud environments. By implementing robust data discovery tools, financial organizations can identify where they’re at risk — and what they can do about it.

Security AI and automation deployment

AI and automation can reduce IT staff workloads and streamline data-intensive processes. Deploying AI tools can also lower total security costs and deliver faster data breach identification.

Attacker perspective adoption

Knowledge is power — and knowing what attackers will do before they do it offers a decisive advantage for financial organizations. By using attack surface management tools and adversary simulation techniques, companies can better understand the attack perspective to pinpoint likely avenues of compromise.

When it comes to financial industry cybersecurity, it’s not just about the up-front costs of a data breach. Instead, it’s about creating reliable and repeatable processes capable of addressing current threats, incorporating new regulatory expectations and laying the groundwork for ongoing defense.

2022 industry threat recap: Energy
https://securityintelligence.com/articles/2022-industry-threat-recap-energy/
Thu, 13 Apr 2023 16:00:00 +0000

In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023.

This puts energy in fourth place overall — the same as the year prior and behind manufacturing, finance and insurance and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback from highly public breaches in 2021, such as the Colonial Pipeline attack.

Despite the overall drop in threats, however, the industry remains at risk. Consider the recent ransomware attack on Ohio-based Encino Energy, which saw 400 GB of data exposed. The oil producer says that the attack did not impact its operations. However, there’s no word on whether or not they paid the ransom.

To help organizations better navigate the coming year, we’re taking a look back at 2022. What threats were prevalent? How effective were defenses? What’s next for energy cybersecurity?

What were the top energy industry threats in 2022?

The biggest threat to energy organizations in 2022 was the exploitation of public-facing applications, accounting for 40% of all infections. Spear phishing and external remote services each accounted for 20% of cases and botnets were responsible for 19%. Ransomware and BEC both came in at 15%.

Data theft and extortion were the most commonly cited outcomes of these attacks at 23%, with credential harvesting at 15%. Regionally, North America took the top spot with 46% of all attacks, followed by Europe and Latin America at 23% and just under 5% in Asia, the Middle East and Africa.

How effective are current energy defenses?

Current energy defenses are hit or miss.

Here’s why: In cases where companies were able to detect cyber threats, they were able to take action. The Colonial Pipeline attack is a good example. After uncovering evidence of the threat, the company moved quickly to address it. But this move also meant a sudden shutdown of operations, which in turn raised fears of potential energy shortages.

It’s also worth noting that while industrial control system (ICS) attacks on energy companies were lower than expected in 2022 as companies made efforts to detect and deflect these attacks, ransomware volumes rose significantly. What’s more, attacked organizations often do not disclose whether they paid ransom demands as a solution to cybersecurity issues. This means there’s no guarantee that they resolved these threats — only temporarily silenced them.

Where are compliance regulations impacting energy cybersecurity?

Compliance in the energy sector is evolving.

In general, energy organizations are subject to guidelines and recommendations regarding cybersecurity rather than specific regulations. For example, the Cybersecurity Risk Information Sharing Program (CRISP) is a public-private partnership that’s partially funded by the Department of Energy (DOE) and is managed by the Electricity Information Sharing and Analysis Center (E-ISAC). The program encourages sharing threat data across energy industry organizations to help improve overall industry protection.

There are also new federal guidelines on the horizon. As noted by Utility Dive, the new White House national cybersecurity strategy asks energy companies to build proactive rather than reactive security solutions to create “a new generation of interconnected hardware and software systems.”

While this is good news overall for the sector, it may come with some growing pains. For example, many energy companies still rely on legacy ICS and SCADA solutions to connect and manage key operational components. These solutions were never designed to interface with modern applications and services, meaning the implementation of security-by-design may require the complete removal and replacement of these systems, a process that some energy experts warn could drive up prices overall.

It’s also worth noting that the new directive does not cover all energy and utility sector businesses, such as petroleum refining or water treatment. This means that while new legislative efforts are a good start, they do leave industry gaps.

How common is the CISO role in energy?

As of December 2021, 45% of companies in the U.S. didn’t employ a chief information security officer (CISO), even though 58% feel it’s important to have someone in this role.

Energy is in a similar position. As organizations recognize the key role of security in business operations and industry reputation, CISOs are becoming more common. However, the position is by no means universal. CISOs in the energy sector also face the ongoing challenge of fighting for a seat at the boardroom table. This can be problematic. If efforts at proactive security are not part of strategy discussions up-front, they are often far less effective overall.

Put simply, while both the number and impact of energy CISOs are rising, there’s still room for improvement.

2023: What comes next for energy?

In 2023, energy companies can expect more of the same: More ransomware, more botnets and more data exfiltration.

They should also prepare for a rise in machine learning and artificial intelligence-based attacks as these technologies become more mainstream and play a more prominent role in threat actor operations.

Regardless of the vectors themselves, however, the strategy for energy industry security success remains the same: Better tools for more visibility, underpinned by a seat at the table for CISOs to help them design, implement and manage effective security programs.

Locks, stocks and brokers: Hackers and insider trading
https://securityintelligence.com/articles/locks-stocks-and-brokers-hackers-and-insider-trading/
Wed, 05 Apr 2023 13:00:00 +0000

On February 14, 2023, a Russian national and owner of Moscow cybersecurity firm M-13 was found guilty of wire fraud, securities fraud and conspiracy to obtain unauthorized access to computers.

Vladislav Klyushin was charged along with four other men — Ivan Yermakov, Nikolai Rumiantcev, Mikhail Irzak and Igor Sladkov. However, Klyushin was the only one arrested and extradited to the United States, while the others remain at large.

The Kremlin-connected businessman’s scheme focused on insider trading. By obtaining and using information not known to the general public, it’s estimated that Klyushin and his co-conspirators made more than $80 million.

But how exactly did this happen? How did the group break digital locks to capture critical information and gain a stock market advantage? Here’s a look at how malicious actors started insider trading, and what it means for organizations.

How did threat actors make this happen?

This insider attack effort began in 2018 when authorities say Ivan Yermakov — an employee of M-13 and a Russian intelligence agent charged with interfering in the 2016 U.S. election — hacked into the computer systems of two vendors used by large companies to file reports with the Securities and Exchange Commission (SEC).

Using the information in reports not yet available to the public, Klyushin and his associates made stock purchases that generated ongoing revenue and minimized potential losses. For example, if quarterly reports showed an uptick in corporate profitability, malicious actors bought stock at a lower price and reaped the benefits as share prices increased once reports went public. This information also helped them avoid the natural downturns that come with stock market investing. If annual reports highlighted revenue loss leading to staff cuts, attackers could cut their losses by selling early at higher prices.

The group placed trades both for themselves and for clients, taking a cut of the clients’ profits.

What do these insider issues mean for organizations?

For organizations, this insider attack highlights three critical issues: Third-party risk, financial damage and the misuse of specialized knowledge.

Third-party risk

The insider trading group didn’t go after corporate systems to obtain internal data. Instead, they targeted trusted third parties used by organizations to help complete and file quarterly and annual reports. What’s more, they didn’t take this data to destroy or sell it. Instead, they used it to generate returns on publicly traded markets.

This creates a new concern for businesses, where multiple degrees of separation exist between stolen data and significant outcomes. Consider a scenario where attackers breach a filing agent that prepares SEC submissions while avoiding detection. Malicious actors could spend months quietly viewing quarterly and annual reports, then use that data to generate steady gains in the stock market. If attackers are careful, these transactions would look like nothing more than smart investment strategies rather than the result of stolen data.

Financial damage

While low-volume, individual stock trades using insider knowledge pose minimal risk to organizations, larger-scale efforts could have serious financial consequences.

Consider a company reporting a less-than-stellar fourth quarter to the SEC. If attackers compromise this information and use it to inform trades worth millions or tens of millions, the resulting panic and share sell-off could cause stock prices to artificially plummet ahead of revenue announcements. Once SEC reports are published, stocks may sink even further as worries about the company’s financial state intensify.

In the best-case scenario, enterprises see their stock value suddenly drop and then slowly climb back toward the mean. In the worst-case scenario, sudden sell-offs could lead to staff cuts, reputation damage and even business closure.

Specialized knowledge

There’s also an additional concern around the use of specialized knowledge to empower these attacks.

Klyushin and his accomplices weren’t simply criminals. They were criminals with in-depth cybersecurity knowledge thanks to their work in the IT security sector. This experience gave them both specialized knowledge and a greater understanding of standard security policies, such as those used to govern relationships with third parties. Equipped with this information, the attackers were better able to circumvent detection tools and access data unnoticed.

Where can companies improve protective processes?

When it comes to improving defense against potential insider trading, it all starts and ends with third parties. A three-pronged approach can help reduce total risk.

First, companies need to vet both current and prospective vendors and partners. This vetting includes an assessment of existing security controls and policies, an examination of any past breaches and their cause and the creation of service-level agreements that lay out vendor and client responsibilities in the event of a breach.

Next is threat assessment: Understanding where current vendor policies and frameworks may put companies at risk. For example, organizations must ensure that data at rest, in transit and in use is effectively encrypted. Otherwise, they may open themselves up to potential compromise. Partner security practices also play a role in this assessment. Do vendor staff have the training to recognize and respond to potential threat vectors?

Finally, companies must deploy tools capable of monitoring security risk at all points along the digital value chain. This approach provides the visibility needed to identify potential threats and take action before a compromise occurs.

Brokering bad

By stealing data and acting as brokers for bad-faith actors, Russian threat actors were able to not only compromise the financial data of large enterprises but leverage this information to line their pockets and those of their associates.

This move away from more traditional smash-and-grab tactics speaks to an evolving threat landscape, one that focuses on quietly leveraging stolen data rather than trying to sell it for profit or hold it for ransom.

The result is a renewed need for corporate focus on third-party protection: Better vendor evaluations, improved threat assessments and increased visibility of third-party services can help companies close the door on insider trading.

The post Locks, stocks and brokers: Hackers and insider trading appeared first on Security Intelligence.

Now you SIEM, now you don’t — six failures of cybersecurity https://securityintelligence.com/articles/six-failures-of-cybersecurity/ Thu, 12 Jan 2023 17:00:00 +0000

The post Now you SIEM, now you don’t — six failures of cybersecurity appeared first on Security Intelligence.


Security information and event management (SIEM) frameworks are essential for enterprises to monitor, manage and mitigate the impact of evolving cyberattacks. As the number of threats and the financial impact of breaches increase, these frameworks are even more crucial.

Consider ransomware. Since 2020, more than 130 different strains of these encryption and extortion efforts have been identified. According to the US Cybersecurity and Infrastructure Security Agency (CISA), ransomware incidents have been detected across 14 of 16 critical infrastructure sectors, such as Emergency Services, Food and Agriculture, and Energy. Today, ransomware is present in 10% of all breaches.

Not surprisingly, costs are also on the rise. According to the 2022 Cost of a Data Breach report, the average global cost to detect, mitigate and remediate an attack is $4.35 million. US firms pay more than twice that amount, at $9.44 million per breach.

SIEM implementation allows companies to reduce the cost and impact of these threats. In this piece, we’ll break down the six basic tenets of SIEM and look at six times companies skipped one (or more) steps — and paid the price.

The six tenets of effective SIEM

Solid SIEM deployments depend on six tenets:

Identifying insider threats

By pinpointing potential insider threats before they occur, organizations can reduce their risk of compromise. While 63% of these threats are caused by negligence rather than malice, the result is the same: data at risk. As a result, companies need to identify these threats ASAP.

Detecting advanced threats

Detecting advanced threats as early as possible in their lifecycle helps companies make informed response decisions.

Securing the cloud

As hybrid and multi-cloud deployments become increasingly common, cloud security is paramount to keep attackers at bay.

Uncovering data exfiltration

The sooner companies can detect data exfiltration — even if it’s seemingly benign — the better.

Managing compliance

With regulations rapidly evolving, managing compliance frameworks is critical to keep data secure and reduce the risk of non-conformance.

Monitoring OT and IoT security

The Internet of Things (IoT) is going mainstream, while operational technology (OT) is getting connected. Effectively monitoring both OT and IoT is a must-have SIEM segment.

Six times skipping SIEM steps saw attackers slip through

Attackers are always looking for any opportunity — big or small — to compromise corporate networks. As a result, skipping out on even one SIEM step can lead to security problems.

Here’s a look at six times things didn’t go well for security.

Dallas Police Department: The call is coming from inside the house

It was an unfortunate case of accidental insider threat. In March and April 2021, the Dallas Police Department lost more than 8.7 million files — amounting to more than 23 terabytes of data — when an employee deleted the files.

This information included video, audio, photo and text evidence for police cases, in turn potentially impacting more than 17,500 cases being handled by the Dallas County District Attorney’s Office. While experts tried to recover the lost data, they could only restore three terabytes.

In part, the issue stemmed from a lack of training. The employee had minimal knowledge of handling and moving cloud files, but the DPD also lacked a robust backup policy.

Defense Industrial Base (DIB) organization: APT pupil

In November 2021 and January 2022, a DIB sector organization saw its network compromised by multiple advanced persistent threats (APTs). Ensuing CISA investigations found that multiple threat actors gained access to the organization’s IT environments and that some had used APTs to achieve long-term persistence. In addition, attackers extracted sensitive data from the organization without its knowledge.

It’s a classic case of lacking APT detection capabilities leading to IT blind spots. If companies can’t see what’s coming — and detect what’s already happening — the results can be disastrous.

Uber: When it rains, it pours

Ride-sharing service Uber saw an attacker rain on its cloud parade in September 2022, when a malicious actor gained full access to the company’s cloud-based storage systems containing customer and financial data.

According to researchers, the supposed threat actor — who self-identified as an 18-year-old — tricked an Uber employee into providing cloud credentials. This allowed the attacker full access to the company’s Amazon and Google cloud databases.

It’s a reminder that all it takes is one. One attacker looking for publicity or hoping to cause havoc; one employee who provides access credentials or clicks a malicious link.

Multiple anesthesia practices: Mama said knock you out

Data exfiltration is a dangerous game, especially when it comes to healthcare. As noted by SC Magazine, 13 anesthesia practices across the United States found themselves victimized by attackers in July 2022.

Malicious actors were able to compromise and extract the protected health information (PHI) of more than 380,000 patients, but details were scarce on exactly how the attack occurred or how long the attackers had access.

After the fact, the covered entities involved in the incident say they improved their security controls. The problem? Those involved needed to act sooner as part of SIEM efforts, not after the exfiltration.

Amazon: How the cookie crumbles

Fail to comply, and face the consequences. That’s what happened to online retail giant Amazon when it ran afoul of GDPR in Luxembourg. While the company has been quiet about the issue, it appears that in the summer of 2021, officials in Luxembourg fined Amazon more than $850 million for compliance breaches related to cookie consent.

While Amazon is appealing the fine by arguing that no data was breached, compliance isn’t just about keeping the doors closed — it’s about following the rules wherever you operate.

Oldsmar, Florida water treatment plant: Would I lye to you?

Operational technology is essential for critical infrastructure functions but often poses a security risk. With many of these solutions never designed to interact with Internet-enabled services, moves to more modern frameworks can create security weak points.

Take the incident in Oldsmar, Florida, when an employee of the city’s water treatment plant noticed the cursor on his screen moving without his input. An attacker had breached network systems, taken control of the employee’s computer and increased the concentration of sodium hydroxide, or lye, in the water by 100 times — enough to cause serious illness or death.

While the threat actor quickly left and the employee fixed the lye levels, it’s a stark reminder that just because these technologies have historically been passed over for attack efforts, they’re not immune to compromise.

Security, step by step

Extensive SIEM is critical to defending against familiar and emerging cyberattacks, but it’s not enough to simply go through the motions.

To ensure they don’t skip steps, businesses are best served by partnering with SIEM experts to ensure their security frameworks are capable of frustrating attack efforts no matter where, when or how they occur.

New year, same risks? Six cyber resilience resolutions for a safer 2022 https://securityintelligence.com/articles/new-year-cyber-resilience-resolutions/ Thu, 03 Feb 2022 14:00:00 +0000

The post New year, same risks? Six cyber resilience resolutions for a safer 2022 appeared first on Security Intelligence.


2021 was a banner year for cyber attacks. Compared to 2020, last year saw a 50% increase in attacks per week on corporate networks, even as the total cost of managing a cyber attack rose by 10%, according to IBM’s Cost of a Data Breach Report 2021. Add in the ongoing shift to hybrid work at scale, and concern about the cyber resilience landscape in 2022 is only natural.

It begs the question: is the new year destined to see the same risks causing even bigger problems for enterprises? That’s one option, but, thankfully, it’s not the only one. With the right approach, businesses can take proactive steps to reduce their total risk.

Facing familiar cyber resilience frustrations

Phishing. Ransomware. Business email compromise. The attacks aren’t new, but they’re certainly persistent. Consider phishing, which reached an all-time high in Q3 2021. Despite ongoing efforts to keep users off the hook, phishing attacks continue to wreak havoc on corporate systems.

The move to remote connections, meanwhile, also allowed ransomware to flourish, with each month in 2021 outpacing its 2020 counterpart for the total number of attacks. What’s more, compromises such as the Colonial Pipeline make it clear that even critical infrastructure isn’t safe from potential compromise.

For many enterprises, the result is a kind of defensive deja vu. Familiar frustrations continue to flourish even as the monetary and operational risks of data breaches continue to rise. And while it’s impossible to get rid of every attack vector, there are ways to limit the chance of compromise.

Here are six resolutions that can help boost cyber resilience for a safer 2022.

Make employees a priority

Staff plays a critical role in effective cyber resilience. Knowledgeable employees can help spot potential attacks and stop them in their tracks. However, they can also make matters worse by mistake.

Consider that more than 50% of employees want to work from home “all or most of the time” even after pandemic pressures subside. This creates a challenge. While remote work is at least as (if not more) efficient than its in-office counterpart, at-a-distance operations increase the risk of attacks that may go unnoticed and unreported until it’s too late.

As a result, employee education and training are essential to boost baseline cyber resilience. In practice, this means setting up a regular schedule that sees staff trained both in groups and as individuals to recognize, respond to and report suspicious behavior.

Take a hard look at current networks

The speed of many remote work transitions has left enterprise networks held together with digital duct tape and good luck. Everything works, but for how long?

As a holdover from the initial push of pandemic response, it’s easy to pass over these network configurations in favor of more obvious threats. Consider the widespread use of virtual private networks (VPNs), a stopgap-turned-standard to manage remote connections. While VPNs offer some measure of protection, they also present the dual problem of massively increased attack surfaces combined with overall performance degradation as more high-bandwidth connective and collaborative services are delivered over VPNs.

Although it’s a daunting task to consider moving away from VPNs to more robust security frameworks such as zero trust, taking a hard look at current networks is critical to help spot potential issues before attackers exploit them.

Break systems to boost cyber resilience

Speaking of less-than-ideal systems, 2022 is a great time to start breaking them to see what happens. Why? Because if IT teams don’t, attackers will. Look at Log4j attacks, which continue to evolve as new vulnerabilities are discovered. Rather than waiting for malicious actors to do the work, it’s worth breaking what you have to see where fixes make sense.

If you have the staff in-house, red team exercises can help pinpoint potential problems. If not — or if you’re looking for an outside viewpoint — professional penetration testing can help shed light on issues that might otherwise hide in plain sight.

By finding out exactly what happens when systems are under attack, enterprises can rebuild better solutions capable of addressing these concerns.

Forsake low-value frameworks

Not every security tool and technology offers equal value.

Consider legacy solutions such as static firewalls and authentication frameworks that rely on single knowledge factors or insecure SMS codes. While these systems provide ease of use, this benefit extends to users and attackers alike. Poorly-chosen passwords can be easily guessed, while SMS codes can be caught en route to users.

Solutions such as next-generation firewalls can help. These are capable of moving past port and protocol inspection to offer deep-packet analysis and application-level evaluation. The adoption of multifactor authentication (MFA) frameworks, meanwhile, can help protect both local and remote office endpoints.

Retake control of your cyber resilience narrative

The teamwork nature of threat efforts — from as-a-service malware tools to dark web markets that include ‘customer service’ for would-be threat buyers — often puts them ahead of the curve. The result? Reactivity becomes the cornerstone of infosec. In turn, that puts teams on their back foot when it comes to handling cyber threats.

In 2022, companies can take control by rewriting infosec narratives with a proactive approach to cyber resilience. This starts with prevention. Every attack found and removed before it reaches corporate networks means less work for IT teams and less risk for enterprises. Automation also plays a critical role. By deploying solutions capable of containing and analyzing detected threats by themselves, businesses can gain critical insight into attacker efforts.

Last but not least, examine your approach to incident response (IR). While the ‘response’ aspect of IR is reactive, the narrative surrounding it doesn’t have to be. By shifting the focus from one of inevitability around systems being compromised to one of opportunity — that attacks afford the benefit of incident insight — teams can rewrite their security story.

Shake up the status quo

If it’s not broken, don’t fix it.

While this is great advice for day-to-day life, it applies less to cyber resilience. Attackers are betting on the elements of stealth and surprise to obfuscate their efforts. As a result, it’s worth shaking up the security status quo by exploring new tools and technologies such as AI-driven, automated endpoint defense and advanced threat hunting solutions capable of taking the fight to attackers, rather than waiting for them to come to you.

New year, new you

Don’t let cyber resilience in 2022 stay static. Instead, adopt resilience resolutions that focus on pinpointing potential problems, leaving low-value frameworks behind and creating value with new security narratives.

Active ransomware recovery: Five steps for success https://securityintelligence.com/articles/five-steps-ransomware-recovery/ Thu, 27 Jan 2022 14:00:00 +0000

The post Active ransomware recovery: Five steps for success appeared first on Security Intelligence.


When it comes to ransomware, it’s a matter of when not if.

The data tells the tale. Both the volume and types of ransomware attacks are on the rise. Plus, attackers aren’t just after enterprises. They now target businesses of all shapes and sizes. That way, they increase their chances of breaching security perimeters and convincing businesses to pay up.

But it’s not all bad news. With the right approach, businesses can largely avoid the damage and downtime from these attacks. The answer? Adopting an active recovery strategy that views both attacks and response as ongoing. That way, enterprises can mitigate the impact of these attacks and reduce their total severity.

Here’s a look at the current realities of ransom attacks, and five steps to help put active ransomware recovery first.

The state of ransomware

Recent research shows a 1,070% increase in ransomware attacks between June 2020 and July 2021. According to the IBM X-Force definitive guide to ransomware, the variety of these attacks is rapidly increasing. Some can target over 150 file types. The list is constantly expanding as attackers look for new openings.

Attackers are also changing their approach to leverage current conditions and compel quick action. For example, early 2021 saw a rise in COVID-19 vaccine-related ransomware attacks. The recent Colonial Pipeline breach caused a suspension of operations.

The harsh truths of ransomware often leave IT teams feeling frustrated. If attacks are bound to happen and attackers are always evolving their methods, it’s tempting for people to give up. Enterprises resign themselves to responsive frameworks. They try to avoid the brunt of the impact rather than minimize the damage.

Taking action with active ransomware recovery

Ransomware is much like home break-ins. If attackers are determined enough, they’ll find a way. But this doesn’t mean that homeowners should simply resign themselves to break-ins. Instead, there are active steps they can take to reduce the chances of being targeted. Even if bad actors decide it’s worth the risk, cameras and alarm systems can minimize the impact.

The same approach applies to ransomware recovery. You can’t prevent every breach and account for every new attack vector. But, it’s possible to deter most attacks and mitigate the impact of those that get through by taking preemptive, protective steps.

Here are five ways to empower an active ransomware recovery strategy.

Adopt zero trust

Zero trust models leverage a ‘never trust, always verify’ approach to reduce ransomware risk. For example, you might require all users to verify who they are using tools such as multifactor authentication or via behavioral pattern analysis. That way, enterprises can limit the number of viable attack approaches open to attackers. Since ransomware payloads require system access to be deployed, narrowing the parameters for permission makes this occurrence far less likely.

Build in robust backups

Backups offer a proven way to access data in the event of loss, corruption or service interruption. In addition, cloud-based backup solutions are becoming faster and more reliable. Therefore, they can also play a role in active ransomware recovery. It’s important to create secure, geographically disparate backups. That way, enterprises can ensure that even if they’re unable to remove ransomware encryption or attackers go back on promises to deliver decryption keys, their most important data remains accessible on-demand.

Address emerging trends in ransomware

Attackers have the advantage when it comes to designing new threat vectors. After all, casing corporate systems lets them build new frameworks better designed to circumvent current protections. Consider the recent rise of Yanluowang ransomware, a double extortion attack that both encrypts stolen data and threatens to leak it to the public. Using a mix of open source and legitimate tools, Yanluowang is quickly becoming a ransomware strain of real concern.

Security tools, meanwhile, often remain static. That’s even more likely if they’re part of legacy systems with limited interoperability. Here, solutions such as secure access service edge offer a way to deliver agile, cloud-based security across large-scale network environments. That, in turn, can help companies stay ahead of the curve.

Create an IR framework

When attacks do happen, end-to-end incident response (IR) frameworks can reduce the time required to find out what’s happened, pinpoint problem locations and fix threats. However, 63% of C-suite executives surveyed and 67% of small businesses asked said they didn’t have a response plan in place.

Here, the active recovery goal is speed. You can achieve it by creating IR teams for this specific purpose, drawn from your IT staff. Each of them should have specific tasks to complete in the event of an attack. It’s also good to have backup employees in case primary team members can’t come in. Paired with regular practice that puts response speed and accuracy first, teams can refine processes until they’re largely muscle memory. That, in turn, cuts down on the impact of potential panic that often sets in when teams detect ransomware attacks. Data bears out the benefits of these plans: Companies with tested IR plans spent $3.29 million repairing breaches, while those without plans in place spent $5.29 million.

Put people first

People — including staff, stakeholders and customers — are the ones affected by ransomware in the end. As a result, active recovery plans must put accessibility of data and reliability of services first, even during a ransomware attack.

In practice, this means using new tools. Those might be AI-driven threat detection or next-generation firewalls. Today’s firewalls are capable of assessing and analyzing threats in real-time while still allowing trusted users to access critical data. In effect, active recovery means keeping the lights on whenever possible — even when ransomware attacks occur. It does so by creating logically segmented networks equipped with real-time security and monitoring controls.

Embracing active ransomware recovery

Ransomware attackers want victims to have to play catch-up when attacks occur. To fight back, use an active ransomware recovery strategy. Include zero trust, robust backups, emerging trends and IR frameworks and put your people on the front line. That way, it’s possible for enterprises to minimize downtime, mitigate damage and make malicious actors’ work much more difficult.

Supply Chain Attack: What It Is (and What to Do About It) https://securityintelligence.com/articles/supply-chain-attack-what-it-is-what-to-do/ Tue, 28 Sep 2021 19:00:00 +0000

The post Supply Chain Attack: What It Is (and What to Do About It) appeared first on Security Intelligence.


The past two years have delivered major disruptions for supply chains. The pandemic pushed supply chain attack issues front-and-center, with disruptions up 67% in 2020 and problems expected to persist as global markets adjust to ‘new normal’ operations.

Increasing reliance on digital supply solutions, however, has also set the stage for increasing supply chain attacks. These attacks are expected to increase four-fold in 2021.

Here’s what enterprises need to know about supply chain threats. Check out the current state of supply chain security, plus what steps you can take to reduce total risk.

What Is a Supply Chain Attack?

A supply chain attack occurs when threat actors compromise enterprise networks using connected applications or services owned or used by outside partners, such as suppliers. Sometimes, experts also refer to these as third-party or value-chain attacks.

For threat actors, the appeal of supply chain attacks is trust. Applications and services used by enterprises have often been trusted and vetted by security teams. So, they often have access to sensitive or valuable internal data. If attackers can move sideways from connected supply chain apps into the larger enterprise network itself, they could steal, encrypt or destroy critical data and cost companies millions in both repair costs and reputation damage.

As networks grow, this problem compounds. Third-party suppliers are often using software from other business partners, who in turn have their own outside app connections. Therefore, a supply chain attack may start several companies removed from the intended target, making it harder to spot.

A successful supply chain attack can be a major blow. When networking tools supplier SolarWinds was compromised in late 2020, more than 18,000 companies worldwide were affected.

The State of Supply Chain Cybersecurity in 2021

As noted above, supply chain attacks will increase in 2021. Part of this expansion comes from increased application environment complexity: companies embrace the need for agile and adaptable supply chains that are resistant to future disruptions. After all, broadening the number of connected apps and services helps enterprises better navigate changing market conditions. It also creates a larger attack surface for threat actors. If a vulnerability does crop up, it also makes it more difficult to find and remove supply chain threats before they become bigger issues.

Notable 2021 Supply Chain Attacks

Supply chain attacks are off to a strong start in 2021. For example, in April 2021 DevOps tool provider Codecov disclosed that their Bash script uploader was compromised by malicious actors. This allowed the attackers to capture information stored by Codecov customers in continuous integration (CI) environments. Third-party investigators also found that attackers might have been able to “raid additional resources” and gained access to user credentials, which could, in turn, lead to even larger breaches.
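One defensive control for the uploader scenario above, as an added shell example that is not Codecov's code or part of the original post: pin the SHA-256 of the reviewed script in the pipeline and refuse to execute any copy whose digest differs. The file names, the stand-in uploader script and the PINNED_HASH variable are constructed for the demonstration.

```shell
#!/bin/sh
# Integrity gate for a script fetched in CI, modeled on the Codecov Bash
# uploader case: compute the file's SHA-256 and compare it with a hash pinned
# in the pipeline BEFORE anything is executed. Added example, not Codecov's code.

# sha256_of FILE -> prints the hex SHA-256 digest (coreutils, or macOS fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_then_run FILE EXPECTED_HASH
# Returns 0 and runs FILE only when its digest equals EXPECTED_HASH.
# Returns 1 and runs nothing on mismatch, so a modified uploader never
# executes in the pipeline even though the download itself succeeded.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'integrity check FAILED for %s\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    sh "$file"
}

# --- constructed demonstration data (not a real uploader) -------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Stand-in for the reviewed uploader the pipeline expects to run.
printf '#!/bin/sh\necho "uploading coverage report"\n' > "$demo_dir/uploader.sh"

# The hash a team would record in its pipeline config after reviewing that version.
PINNED_HASH=$(sha256_of "$demo_dir/uploader.sh")

# Stand-in for a copy that gained one extra line nobody reviewed; the hash
# check catches any byte-level change, whatever the added line does.
cp "$demo_dir/uploader.sh" "$demo_dir/tampered.sh"
printf 'true  # placeholder for an unreviewed line\n' >> "$demo_dir/tampered.sh"

verify_then_run "$demo_dir/uploader.sh" "$PINNED_HASH" && echo "genuine script ran"
verify_then_run "$demo_dir/tampered.sh" "$PINNED_HASH" || echo "tampered script blocked"
```

In a real pipeline the pinned digest lives in version-controlled CI configuration, so changing it requires a reviewed commit rather than a change on the download server.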

In July 2021, the REvil gang compromised software supplier Kaseya’s network management package and used this software as a way to spread ransomware across Kaseya’s customers. According to NPR, more than 200 U.S. companies found their networks paralyzed by ransomware attacks after the Kaseya compromise.

Worth noting? Recent research from the European Union Agency for Cybersecurity found that 66% of attacks focused on supplier code. This means even strong internal defenses may not be enough to mitigate the impact of supply chain attacks.

Common Supply Chain Attack Methods

The goal of supply chain attackers is to compromise trusted services. From there, they can gain access to more valuable corporate resources. One common compromise approach is phishing. Successful phishing attacks can reveal account and password data, in turn allowing attackers to examine source code without triggering network defenses. Malware is also commonly used to infiltrate networks and exfiltrate key source code, which attackers can then modify and re-insert.

Some of the most common supply chain threat vectors include:

  • Third-party software providers
  • Data storage solutions
  • Development or testing platforms
  • Website building services.

In each case, these software solutions and services require access to critical aspects of enterprise infrastructure. That opens up a potential pathway for malicious actors.

Best Practices for Supply Chain Security

When it comes to supply chain attacks, attackers are always looking for the weakest link. As a result, even robust enterprise defenses may not be enough to protect key assets. After all, the trusted nature of these third-party apps means they’re often not subject to the same scrutiny. This creates an opening for attackers: If they go far enough back along the supply chain, chances are they’ll find a vulnerability they can exploit and start moving upward toward critical apps.

To help reduce the risk of supply chain threats, security best practices are critical. These include:

1) Assessing current strategies – Better supply chain security starts with current strategies: Are they effective at mitigating supply chain threats? Do they align with compliance requirements? Can they adapt to evolving risk realities?

2) Testing, testing, testing – Regular penetration testing and vulnerability scans can help identify potential supply chain security weak points. From there, you can close down potential compromise pathways.

3) Identification and encryption – By identifying and encrypting highly sensitive data in their environment, enterprises can reduce the reach of supply chain attacks that do occur. Even if malicious actors gain access, they won’t be able to leverage protected assets.

4) Third-party risk management – The supply chain software landscape is more complex today than ever before. Therefore, companies must conduct an in-depth analysis of supplier security practices. They need to break down internal operational silos to ensure all departments are on the same page when it comes to protection.

5) Zero trust frameworks – By moving to a ‘never trust, always verify’ framework, enterprises can create a functional front line of defense. Zero trust requires even familiar apps and services to pass authentication checks before gaining network access.

The right security tools also play a role in reducing supply chain attack risk. Here, enterprises are often best-served by solutions that leverage blockchain for secure transactions, artificial intelligence for improved threat detection and cloud-based threat analysis for rapid risk assessment.

Solving for Supply Chain Attacks

Bottom line? It all comes down to trust.

Supply chain applications are necessary for enterprises to deliver services at scale. However, the same trust that reduces complexity also increases total risk. To mitigate the impact of supply chain attacks, enterprises must take control of third-party connections using both tools and tactics designed to detect unexpected actions, discover malicious code and deny access to potential threats.

The post Supply Chain Attack: What It Is (and What to Do About It) appeared first on Security Intelligence.

What is Web Application Security? A Protective Primer for Security Professionals https://securityintelligence.com/articles/web-application-security-primer/ Thu, 23 Sep 2021 19:00:00 +0000 https://securityintelligence.com/?p=431477 Evolving threats put applications at risk. Robust web application security can help prevent compromise before it happens. Not sure where to start? Our protective primer has you covered. What Is Web Application Security? Web application security focuses on the reduction of threats through the identification, analysis and remediation of potential weaknesses or vulnerabilities. While the bulk […]

The post What is Web Application Security? A Protective Primer for Security Professionals appeared first on Security Intelligence.


Evolving threats put applications at risk. Robust web application security can help prevent compromise before it happens. Not sure where to start? Our protective primer has you covered.

What Is Web Application Security?

Web application security focuses on the reduction of threats through the identification, analysis and remediation of potential weaknesses or vulnerabilities. While the bulk of this process occurs in design and development phases, it’s also an ongoing endeavor that follows applications throughout their lifecycles to reduce overall risk.

Why Does This Matter?

Because all applications are at risk. According to a 2021 research report, 100% of commercial applications studied contained at least one at-risk open-source component. Even more worrisome was that 85% included “critical” weak points that could provide entry paths for threat actors.

The speed and scope of development make this issue worse. To keep pace with rivals and deliver improved customer service, many enterprises now rely on a mix of third-party developers and readily available, cost-effective open-source components. The result is a fragmented application landscape that often puts speed over safety.

Web app security is also critical because the sheer volume and variety of applications deployed by businesses make it challenging to monitor risk effectively at scale. When it comes to volume, enterprises deployed an average of 175 apps in 2020, while smaller companies used 73. In terms of variety, 94% of enterprises now use apps in the cloud. Add in the recent shift to remote work and the scope of applications expands even further, moving out of offices and into employees’ homes.

This landscape offers an unmatched bounty for attackers: With so many apps in so many locations — and most using at least one open-source component — it’s possible for them to find multiple entry points that provide both vertical and lateral network movement. What’s more, the lack of insight into disparate environments often leaves companies in the dark when it comes to who’s accessing their apps, why and for what purpose.

The State of Web App Security in 2021

According to The State of Application Security, 2021 report from Forrester, applications remain a key attack vector. Other issues such as stolen credentials and DDoS attacks are on the rise. However, applications are still the primary source of compromise.

As noted above, the state of web app security in 2021 has also been influenced by rapidly changing crisis conditions. Many companies with no history of remote work — and no plans to make the move — suddenly found themselves faced with full in-office shutdowns and no idea of when they might be coming back.

This led to function being prioritized over security, from home office access to critical IT services to the use of virtual private networks and non-approved app ‘workarounds’. In general, enterprises found themselves dealing with more complex application landscapes. At the same time, they were largely lacking the infrastructure to manage and monitor these applications at scale.

It’s fair to say that the state of web application security in 2021 remains in flux. To keep some order, the CWE Top 25 ranks the 25 most common and dangerous software weaknesses this year. Here’s a look at the top 10:

  • Out-of-bounds write (up one spot from 2020)
  • Cross-site scripting (down one spot)
  • Out-of-bounds read (up one spot)
  • Improper input validation (down one spot)
  • OS command injection (up five spots)
  • SQL injection (no change)
  • Use after free (up one spot)
  • Path traversal (up four spots)
  • Cross-site request forgery (no change)
  • Unrestricted file upload (up five spots).

Also worth mentioning is threat number 11 on the list — missing authentication for critical functions — which rose 13 spots from 2020.

Types of Testing

Web application security testing forms the front line of app defense. Common types of testing include:

1) Static application security testing (SAST): SAST allows developers to scan source code for potential vulnerabilities. They can carry it out manually or via automation. It’s one of the first testing approaches enterprises use, owing to its speed and simplicity. SAST provides real-time analysis as developers create code, enabling them to identify and remediate issues before apps move into production.

2) Dynamic application security testing (DAST): DAST, meanwhile, takes an outside-in approach by attempting to find and exploit front-end vulnerabilities using test attacks. DAST scanners operate outside of applications and can help deliver results right away without the need to access source code. It’s worth noting, however, that DAST tests aren’t able to pinpoint the exact location of code risks.

3) Penetration testing: Also called pen testing, this approach is often used to pinpoint openings in critical apps. Pen testers are often security experts from either inside or outside the organization who are tasked with acting like attackers. To do so, they use popular tools and techniques in an attempt to compromise apps and access key data. While enterprises know when these pen tests are taking place, they’re not given any details on the specifics of the attack, in turn creating a more realistic setting. While it’s possible to conduct pen testing in-house, this can lead to potential bias on the part of testers who are familiar with existing structures and may assume rather than test. Reputable third parties, meanwhile, will often provide more robust attack frameworks.

4) Runtime application self-protection (RASP): RASP is built directly into software. If RASP tools detect potential threats as apps are called and executed, they can both shut down open sessions and notify staff for follow-up.
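To make the SAST description concrete, here is an added example of what a source-level scanner actually does. It is example code written for this page, not a tool the article, Forrester or CWE provides: it parses a Python module into a syntax tree and flags two of the weakness classes from the CWE list above, SQL queries assembled at runtime (CWE-89, SQL injection) and commands handed to a shell (CWE-78, OS command injection). The sample module it scans, the function names in it and the line numbers it reports are all constructed here. Note how it never executes the code and reports an exact line for each finding, which is precisely what the DAST paragraph says an outside-in scanner cannot do.

```python
"""Minimal SAST-style checker (added illustration, not a product).

Walks a Python AST and reports two weakness classes from the CWE Top 25:
  CWE-89  SQL query string built at runtime and passed to .execute()
  CWE-78  command string built at runtime passed to a shell, or shell=True
The checks are heuristics: a static tool sees structure, not data flow,
so it can produce false positives that a reviewer then triages.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    cwe: str
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when a string is assembled at runtime (f-string, %-format,
    .format() or + concatenation) and may therefore carry input."""
    if isinstance(node, ast.JoinedStr):  # f"..." with substitutions
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True  # "..." % x   or   "..." + x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True  # "...".format(x)
    return False


def _call_name(node: ast.Call) -> str:
    """Dotted callee name, e.g. 'os.system' or 'cur.execute'."""
    parts: list[str] = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


class _Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        shell_true = any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        # CWE-89: first argument to .execute() is built from runtime values
        if name.endswith(".execute") and node.args and _is_dynamic_string(node.args[0]):
            self.findings.append(Finding(
                node.lineno, "CWE-89",
                "SQL query assembled from runtime values; use a parameterized query"))
        # CWE-78: a dynamic command reaches a shell, or a shell is requested explicitly
        if name in ("os.system", "os.popen"):
            if node.args and _is_dynamic_string(node.args[0]):
                self.findings.append(Finding(
                    node.lineno, "CWE-78",
                    "command string passed to a shell; use an argument list instead"))
        elif name.startswith("subprocess.") and shell_true:
            self.findings.append(Finding(
                node.lineno, "CWE-78",
                "shell=True interprets the command through a shell; drop it"))
        self.generic_visit(node)  # keep descending into nested calls


def scan_source(source: str) -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    scanner = _Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


# Constructed sample module: each function shows an unsafe call beside its safe form.
SAMPLE = '''
import os, subprocess, sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)   # line 6: flagged
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))     # parameterized: clean
    return cur.fetchall()

def ping(host):
    os.system("ping -c 1 " + host)                                  # line 11: flagged
    subprocess.run(["ping", "-c", "1", host])                       # argument list: clean
    subprocess.run("ls -l", shell=True)                             # line 13: flagged
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(f"line {finding.line}: {finding.cwe}: {finding.message}")
```

Running the module prints three findings (lines 6, 11 and 13 of the sample) and stays silent on the parameterized query and the argument-list `subprocess.run`. A real SAST product adds data-flow tracking so that a constant string concatenated with another constant is not flagged; this checker deliberately stays at the syntactic level to show where static analysis starts and why its output still needs review.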

Exploring Web Application Security Solutions

While there’s no one-size-fits-all answer when it comes to cloud application security and web application security solutions, enterprises are often best-served by tools that include key components such as:

  • Defense by design

The best defensive approaches unify people, processes and tech to ensure security is an integral part of every step in the development lifecycle.

Shift-left processes move defense earlier in the development process and make it possible for staff to address common issues without expensive escalation. The result is a better defense that can both reduce costs and improve compliance.

  • Process automation

From SAST to DAST to RASP, automation is critical to ensure app vulnerabilities are quickly identified and remediated. Best-of-breed solutions should include robust security integration and automation across the entire development pipeline.

  • Component-based protection

Apps don’t exist alone. Along with processes that help pinpoint issues in development and design, enterprises need solutions that include offensive security frameworks, comprehensive data protection and proactive cloud application monitoring to deliver complete visibility.

Bottom line? Robust web application security is critical for enterprises to reduce risk and proactively improve their application landscape.
