cybersecurity Tag

Business Email Compromise – When the criminal’s reading your email.

We’re all connected – the closer a hacker gets to your vendor, your client, your partner… the closer they are to you. Here’s the story of an advertising agency who thought they were communicating with their event venue.

Inc. estimates 60% of companies go out of business within six months of a cyber attack.

Haven’t we had enough attacks, hacks and breaches? The best offense is a strong defense – it’s time to start defending ourselves!

Drop your name and email to learn more, or tag our calendar to setup a conversation.

What’s a vulnerability assessment?

Can today’s business leader explain what a vulnerability assessment actually is?

Like trying to explain what water tastes like, or defining the word “the”, we’ve found that while today’s business leader is quite familiar with the term “vulnerability assessment”, few can explain what a vulnerability assessment actually is.

Even more, ask three IT professionals what a vulnerability assessment is and you’re likely to get three different answers.  

So what is a vulnerability assessment? How often should you have one? How much should you expect to pay? And what’s the difference between a vulnerability assessment and a penetration test?

Defining a vulnerability assessment as “the process of defining, identifying, classifying, and prioritizing vulnerabilities in computer systems, applications, and network infrastructures”, our friends at TechTarget have published an excellent article defining the process and detailing some of the finer points. Below is a summary of TechTarget’s publication and a few of their highlighted best practices. (For a deeper dive into the process, check out www.techtarget.com/searchsecurity/definition/vulnerability-assessment-vulnerability-analysis)

As explained by Linda Rosencrance of TechTarget, a vulnerability assessment can provide an organization with the knowledge it needs to understand and react to threats within its environment. Organizations of any size, and even individuals who face an increased risk of cyber attacks, can benefit from some form of vulnerability assessment. Large enterprises and high-target organizations (e.g., insurance agencies, financial institutions, accounting firms, medical offices, law firms) benefit most, because a vulnerability analysis gives the organization details on the security weaknesses in its environment and direction on how to assess the risks associated with those weaknesses.

The process offers an organization a better understanding of its technology assets, security flaws and overall risk, thereby reducing the likelihood that a cybercriminal will breach its systems and catch the business off guard.

Types of vulnerability assessments

· Network-based scans: Used to identify possible network security attacks. This type of scan can also detect vulnerable systems on wired or wireless networks.
· Host-based scans: Used to locate and identify vulnerabilities in servers, workstations or other network hosts. This type of scan usually examines ports and services that may also be visible to network-based scans. However, it offers greater visibility into the configuration settings and patch history of scanned systems, even legacy systems.
· Wireless network scans: Focus on points of attack within the organization’s wireless network infrastructure. In addition to identifying rogue access points, a wireless network scan can also validate that a company’s network is securely configured.
· Application scans: Test websites to detect known software vulnerabilities and incorrect configurations in network or web applications.
· Database scans: Identify weak points in a database to prevent malicious attacks, such as SQL injection attacks.

Vulnerability assessment vs. pen test

A vulnerability assessment often includes a penetration testing component to identify vulnerabilities in an organization’s personnel, procedures or processes. These vulnerabilities might not normally be detectable with network or system scans. The process is sometimes referred to as vulnerability assessment/penetration testing, or VAPT.

However, penetration testing is not sufficient as a complete vulnerability assessment and is, in fact, a separate process.

A vulnerability assessment aims to uncover vulnerabilities in a network and recommend the appropriate mitigation or remediation to reduce or remove the risks. It uses automated network security scanning tools, and lists the results in an assessment report. However, it does so without evaluating specific attack goals or scenarios. Organizations should employ vulnerability testing on a regular basis to ensure the security of their networks, particularly when changes are made. For example, testing should be done when services are added, new equipment is installed or ports are opened.

Penetration testing, in contrast, involves identifying vulnerabilities and attempting to exploit them in order to attack. Although sometimes carried out in concert with vulnerability assessments, the primary aim of penetration testing is to check whether a vulnerability really exists and infiltrate the organization. In addition, penetration testing tries to prove that exploiting a vulnerability can damage the application or network.

Finally, while a vulnerability assessment is usually automated to cover a wide variety of unpatched vulnerabilities, penetration testing generally combines automated and manual techniques to help testers delve further into the vulnerabilities and exploit them to gain access to the network in a controlled environment.

For more information or to discuss how a vulnerability assessment can help your organization just complete the form below or set a time to connect.

Portions of this article were written by Linda Rosencrance and published by TechTarget at www.TechTarget.com/searchsecurity/definition/vulnerability-assessment-vulnerability-analysis

Zero Trust Cybersecurity

As the business community faces down cyber threats, one medical office is defending itself with a Zero Trust approach to cybersecurity

Physicians have always been at the front of the line when it comes to technology integration. Among the first to realize the benefits of wearing a pager, having a cell phone, using a tablet, and essentially digitizing their business, doctors and researchers are typical early adopters of mobile, cloud and IoT systems.

As attacks on the healthcare industry make weekly news, personally identifiable information (PII) floods the black market, and steep fines take their toll, doctors and practice administrators wonder what they can do differently.

A holistic strategy, a Zero Trust approach to cybersecurity means that you:

     1) Verify Explicitly
     2) Use Least Privilege
     3) Assume Breach

Want to learn more? Complete the form and download the business case.

Zero Trust

As cyberattacks on midsize firms prove inevitable, are you ready to be hit?

A strong defensive posture minimizes exposure, limits collateral damage and protects client privacy.

We’ve been providing IT consulting and technology services to the mid-size business community since 1999, and from basic firewalls to advanced breach detection systems we absolutely guarantee there’s no shortage of security products designed to protect the enterprise.

But third-party/supply chain attacks have changed this game. Drastically. And, from the most basic user training videos to a 24×7 monitored security information and event management (SIEM) system, there’s not one thing a business can do to protect data when its business management system, ERP or CRM is breached. Bottom line – every business on the planet relies on third-party software and there’s simply no safe place to hide. Boo!

Since shutting down shop isn’t an option, we must, as always, take up this threat and face it head on!

As we wrote in a post about Zero Trust Cybersecurity, you can only worry about what’s within your control. Since fully defending against this kind of attack isn’t possible, we can only protect our organizations and prepare to be attacked.

1. Deploy a multi-layered detection and response approach. Multisyllable marketing jargon aside – as quickly as possible, you need to know you’ve been breached, and you need a post-attack response plan (or plans). “Honeytokens”, or virtual trip wires set up to alert organizations to suspicious activity in their network, are a great tool. If being breached is bad, not learning about it until days or weeks after it happens is worse, and not knowing what to do next can be catastrophic. See www.upguard.com/blog/how-to-prevent-supply-chain-attacks

2. Include threat hunting as regularly scheduled IT maintenance. As described by our partners at SentinelOne, threat hunting is quite a different activity from incident response (IR). While IR methodologies aim to determine what happened after a data breach, a threat hunting team searches for attacks that have slipped through your defensive layers, helping you find adversaries hiding in your network before they can execute an attack or fulfill their goals.

3. Work with a SIEM solution that offers automated remediation actions. A security information and event management (SIEM) system is a cybersecurity solution that collects and converges data from different parts of your IT environment with the intent of monitoring your firm’s security levels. Providing advanced visibility and insight into your users, endpoints, traffic, activity, and more, a SIEM enables you to maintain oversight of your network and beyond the perimeter as your company scales.

4. Log capture and file retention for critical infrastructure. As detailed in this whitepaper from the National Institute of Standards and Technology (NIST), nvlpubs.nist, log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems.

5. Encryption for all data. In cryptography, encryption is the process of encoding information or sensitive data so only authorized parties can access it. While encryption can’t prevent criminal activity or third-party attacks, it does deny intelligible content to the interceptor. For more on encryption, we recommend this article published by UpGuard www.upguard.com/blog/encryption.

6. Use two-factor/multi-factor authentication. With two-factor authentication enabled, criminals who do gain access to user login credentials aren’t automatically granted entry. A key element of a Zero Trust security framework, multi-factor authentication requires users to validate their identity, providing that extra layer of security.
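As an added illustration of the honeytoken trip wires in point 1 and the routine log analysis in point 4 (example code written for this page, not OWG’s, UpGuard’s or NIST’s), the following Python seeds two decoys and raises an alert the moment either one shows up in a log line. The log format, the decoy names and the sample log lines are all constructed for the example.

```python
"""Honeytoken tripwire: alert on any use of a decoy account or decoy file."""
import re
from dataclasses import dataclass

# Decoys seeded on purpose (constructed values). Nothing legitimate ever
# touches them, so a single hit is a high-confidence sign of an intruder.
HONEYTOKENS = {
    "svc-backup-legacy": "decoy service account planted in the directory",
    "/finance/Q3_payroll_export.xlsx": "decoy file on the shared drive",
}

# Constructed line shape: "<ts> <host> <event> user=<u> src=<ip> object=<o>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) object=(?P<obj>\S*)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    user: str
    token: str
    reason: str

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def check_event(ev):
    """Return an Alert when the acting user or the touched object is a decoy."""
    for field in ("user", "obj"):
        value = ev[field]
        if value in HONEYTOKENS:
            return Alert(ev["ts"], ev["src"], ev["user"], value, HONEYTOKENS[value])
    return None

def scan_log(lines):
    """Run the tripwire over log lines; lines that fail to parse are counted, not dropped silently."""
    alerts, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        elif (alert := check_event(ev)):
            alerts.append(alert)
    return alerts, unparsed

SAMPLE_LOG = [  # constructed sample lines, not real log data
    "2024-05-02T08:01:10Z fs01 file_read user=jdoe src=10.0.4.21 object=/sales/pipeline.xlsx",
    "2024-05-02T08:03:44Z dc01 logon_ok user=jdoe src=10.0.4.21 object=",
    "2024-05-02T08:15:02Z fs01 file_read user=jdoe src=10.0.4.21 object=/finance/Q3_payroll_export.xlsx",
    "2024-05-02T08:15:30Z dc01 logon_fail user=svc-backup-legacy src=10.0.9.77 object=",
    "garbage line that does not match",
]
```

Running scan_log(SAMPLE_LOG) yields two alerts (the read of the decoy payroll file and the logon attempt with the decoy account) and one unparsable line; the unparsed count matters because a feed that silently drops lines is exactly the retention gap point 4 warns about.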

Above all, at OWG we believe cybersecurity will always come down to your corporate culture and your posture – on your toes, knees bent, arms ready. Stay sharp, be prepared and have your plan in place, and you’ll have an advantage and will typically be able to weather the storm. The complacent or unprepared will get swallowed.

For more information, or to set a time to speak, drop your name and email below and we’ll reach out.

#StaySafeOnline

Always Verify

Confusion about Zero Trust is making it harder to implement

As we detailed in our business case exploring Zero Trust, at its core ZT is a concept and a shift in how organizations approach the idea of security and data privacy.

It’s not one product or piece of software, but rather an approach that assumes breach and secures your organization by requiring users to prove they are who they say they are, granting gated access accordingly.

As explained in a recent article from WIRED, “What is Zero Trust”, the approach eliminates the old moat-and-castle networking model. Instead of trusting particular devices and assuming that whatever is inside your walls is safe, a Zero Trust methodology uses verification, network segmentation and least privilege to protect the enterprise.

Eliminate the moat & castle model of cybersecurity

Under the old model, all the computers, servers, and other devices physically in an office building were on the same network and trusted each other. Your work computer could connect to the printer on your floor or find team documents on a shared server. Tools like firewalls and antivirus were set up to view anything outside the organization as bad; everything inside the network didn’t merit much scrutiny.

However, the explosion of mobile devices, cloud services, and remote/hybrid work has radically challenged those assumptions. Organizations can’t physically control every device their employees use anymore. And even if they could, once an attacker slipped by perimeter defenses, the network would instantly grant them a lot of trust and freedom. “Outside bad, inside good.”

“Zero Trust is a concept, not an action.”

Ken Westin, Security Researcher

Instead of trusting particular devices or connections from certain places, Zero Trust demands that people prove they are who they claim and should therefore be granted access. Typically, that means logging into a corporate account with biometrics or a hardware security key in addition to usernames and passwords to make it harder for attackers to impersonate users. And even once someone gets through, it’s on a need-to-know or need-to-access basis. If you don’t invoice contractors as part of your job, your corporate account shouldn’t tie into the billing platform.

Zero Trust isn’t a single piece of software you can install or a box you can check, but a philosophy, a set of concepts, a mantra, a mindset.

You still must implement things like device and software inventory, network segmentation, and access controls.

Confusion about the real meaning and purpose of Zero Trust makes it harder for people to implement the ideas in practice. Proponents largely agree on the overall goals and purpose behind the phrase, but busy executives or IT admins with other things to worry about can easily be led astray and end up implementing security protections that simply reinforce old approaches rather than ushering in something new.

Here at OWG, we work with our partner clients and help them engineer a true Zero Trust methodology throughout their IT ecosystem. If you have questions or would like to see if we can help your organization better protect its most critical data, email partnerwithus@overwatchgrp.com or click here to set a time to speak.

As organizations across the country begin to adopt the Zero Trust approach, federal agencies will do the same.

As part of a new cybersecurity strategy released Wednesday, the administration outlines its vision for moving government agencies towards a “zero trust” architecture — a cybersecurity model where users and devices are only given permissions to access network resources necessary for the task at hand and are authenticated on a case-by-case basis.

The key document was published as a memorandum from the Office of Management and Budget (OMB), the administration’s policy arm, and addressed to the heads of all executive departments and agencies.

According to the memorandum, shifting towards a zero trust architecture will require the implementation of stronger enterprise identity and access controls, including more widespread use of multi-factor authentication — specifically hardware-based authentication tokens like access cards, rather than push notifications or SMS. Agencies were also instructed to aim for a complete inventory of every device authorized and operated for official business, to be monitored according to specifications set by the Cybersecurity and Infrastructure Security Agency (CISA).

“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” said acting OMB director Shalanda Young in a statement. “This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”

The White House’s announcement cited the Log4j security vulnerability as “the latest evidence that adversaries will continue to find new opportunities to get their foot in the door.” The vulnerability, one of the most serious and widespread cybersecurity threats for years, first began to be exploited in December 2021. At the time, government agencies were instructed by CISA to immediately patch vulnerable assets or take other mitigation measures. The FTC also subsequently warned companies in the private sector to remediate the vulnerability to avoid potential legal action for putting consumers at risk.

“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said CISA director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”

An initial draft of the strategy was released in September 2021 for public comment and since then has been shaped by input from the cybersecurity industry as well as other fields of the public and private sector.
With the final strategy now released, government agencies have been issued 30 days to designate a strategy implementation lead within their organization and 60 days to submit an implementation plan to the OMB.

Drop your name and email to learn more, or tag my calendar to set up a conversation.

Portions of this article were originally published by The Verge and are available at https://www.theverge.com/2022/1/26/22902630/white-house-instructs-agencies-cybersecurity-strategy-memo-cisa