Author: Sam Killingsworth

Categories
Social Engineering

The Power of Social Engineering: Building Resilience in the Digital Age

Understanding Social Engineering in the Digital Landscape

In an era dominated by technology, the threat landscape for cybersecurity has evolved, with social engineering emerging as a prominent threat. Social engineering involves manipulating individuals to divulge confidential information or perform actions that may compromise security. This article explores the intricacies of social engineering threats and provides insights into effective mitigation strategies.

Social engineering exploits human psychology rather than relying on technical vulnerabilities. Attackers use various tactics, such as phishing emails, pretexting, baiting, and quid pro quo, to deceive individuals into divulging sensitive information or performing actions that compromise security. These tactics often prey on trust, authority, fear, or urgency to achieve their malicious objectives.

The Multifaceted Nature of Social Engineering Attacks

Social engineering is not just limited to a single type. Various tactics have evolved, each with its distinct approach:

  • Phishing: Attackers create seemingly legitimate emails, messages, or websites to trick individuals into providing sensitive information. This can also be targeted towards C-suite level targets in what is known as Whaling.
  • Pretexting: The attacker creates a fabricated scenario to obtain information or access that would otherwise be denied.
  • Baiting: Malicious software or files are disguised as enticing items, luring individuals to download or click on them.
  • Quid Pro Quo: Attackers offer something in return for information, exploiting the natural tendency to reciprocate favors.
  • Tailgating: An attacker seeks physical entry into a restricted area by following someone who is authorized to enter.

By understanding these, we can strategize and create barriers against potential threats.

Key Principles to Foster Digital Resilience

Stay Informed

It’s vital to stay updated on the latest techniques and trends in the world of social engineering. Knowledge acts as our first line of defense. Employers should conduct regular training sessions to educate employees about social engineering tactics. They should also foster a culture of skepticism, encouraging individuals to verify requests before divulging information.

Creating a Robust Organizational Culture

A resilient organization is not just about advanced security software or robust firewalls; it’s about cultivating a culture of vigilance. This involves:

  • Open Communication: Encouraging employees to speak up about suspicious activities without fear of reprimand.
  • Regular Drills: Simulating social engineering attacks to ensure that employees can recognize and respond appropriately.
  • Rewarding Vigilance: Recognizing and rewarding those who successfully identify threats can boost morale and increase overall security consciousness.

The Role of Technology in Enhancing Security

While human awareness and training remain paramount, technology serves as the backbone in countering these threats:

  • Advanced Email Filtering: This helps in identifying and isolating phishing attempts.
  • Two-Factor Authentication (2FA): Adds an extra layer of protection even if login details are compromised.
  • Regular Software Updates: Ensuring that all software, especially security software, is up-to-date to counter any potential vulnerabilities.

Final Thoughts

Social engineering threats pose a significant challenge to cybersecurity by exploiting the human element to breach defenses. By fostering a security-conscious culture, implementing robust technical measures, and staying vigilant, organizations can mitigate the risks associated with social engineering and bolster their cybersecurity posture in an ever-evolving digital landscape. Building resilience is not an endpoint but a continuous journey of adaptation and learning.

Categories
General Cyber and IT Security

New Techniques Threat Actors Are Using To Steal Your Secrets

In a digital era where information is vital, understanding the new techniques that threat actors are using to steal your secrets is critical. As technological advancements surge forward, so do the methods employed by malicious agents seeking to exploit those technologies for their gain. Let’s explore these techniques to equip ourselves with knowledge that will serve as our first line of defense against these threat actors.

The Emergence of Deepfake Technology

In the realm of cybersecurity, the emergence of deepfake technology poses a significant and growing threat. Deepfakes, powered by artificial intelligence, allow threat actors to create realistic, manipulated content that can deceive individuals and organizations alike. With sophisticated AI algorithms, they can create incredibly realistic video and audio content, impersonating individuals to bypass security measures, manipulate public opinion, or commit fraud.

Deepfakes open new avenues for social engineering attacks. Threat actors can use manipulated videos or audio recordings to impersonate trusted figures, such as CEOs or government officials, leading to misinformation, reputational damage, or even financial loss. The ability to create realistic content makes it challenging for individuals to discern between authentic and manipulated information.

Deepfake technology can be utilized in business email compromise attacks where threat actors impersonate high-ranking executives or colleagues. Additionally, voice phishing (vishing) attacks can leverage deepfake-generated voices to trick individuals into divulging sensitive information over the phone. The combination of realistic voices and manipulated content enhances the success rate of such attacks.

Rise of Cryptojacking

Cryptojacking has rapidly gained momentum as a preferred technique of many cyber criminals. Cryptojacking is a form of cyber-attack where malicious actors hijack computing resources, such as computers, servers, or mobile devices, to mine cryptocurrencies. Unlike traditional cyber-attacks that focus on data theft or ransom, cryptojacking operates in the background, leveraging the victim’s processing power to mine digital currencies.

Threat actors employ various methods to deliver cryptojacking payloads. This can include malicious websites that run in-browser mining scripts, phishing emails with infected attachments, or exploiting vulnerabilities in software and hardware. Once executed, the cryptojacking code operates quietly, siphoning off computing resources to mine cryptocurrencies without the user’s awareness. In recent years, threat actors have organized cryptojacking campaigns using botnets—networks of compromised devices under the control of a single entity. These large-scale operations enable attackers to amass significant mining power, intensifying the impact on targeted systems.

Cloudjacking

As organizations transition their data and operations to the cloud, a new form of attack has taken center stage – Cloudjacking. Threat actors exploit inadequately secured cloud configurations to gain unauthorized access to data, disrupt services, or even hold the data hostage for ransom. Given the sensitive nature of the information usually stored in the cloud, this technique poses a severe threat to businesses and individuals alike.

Cloudjacking attacks can be mitigated in several ways.

  • Implement Robust Access Controls: Organizations should enforce strong authentication mechanisms, regularly review, update access permissions, and adopt the principle of least privilege.
  • Regular Security Audits: Conducting regular security audits and vulnerability assessments of cloud environments can help identify and address potential weaknesses before they are exploited.
  • Implement Multi-Factor Authentication (MFA): Implementing MFA on cloud resources can help to prevent most attacks by threat actors to access a business cloud environment.
  • Educate and Train Personnel: Employee awareness and training programs are crucial for preventing phishing attacks and ensuring that cloud security best practices are followed.

The Growing Threat of Ransomware

Ransomware is a type of malicious software designed to encrypt files or systems, rendering them inaccessible. The attackers then demand a ransom, usually in cryptocurrency, in exchange for providing the decryption key. This digital extortion tactic has become increasingly sophisticated, with ransomware attacks evolving in both scale and complexity. Today’s iterations of ransomware are becoming more potent, with threat actors increasingly targeting large organizations and critical infrastructure. The potential for massive disruption and financial gain ensures that ransomware remains a popular method for stealing secrets and causing havoc. Best practices to mitigate ransomware include:

  • Regularly backing up critical data and ensuring that backups are stored securely and can be quickly restored in the event of an attack.
  • Educating employees about phishing threats, social engineering tactics, and the importance of maintaining a vigilant cybersecurity posture.
  • Keeping software, operating systems, and security solutions up-to-date to address vulnerabilities that could be exploited by ransomware.
  • Implementing network segmentation to limit the lateral movement of ransomware within a network, preventing widespread damage.

Defending Against These Threats

Understanding these techniques is only the first step; defending against these threats is the next. It requires implementing robust cybersecurity measures, including secure cloud configurations, multi-factor authentication, data encryption, regular system updates, and comprehensive employee training programs. Being proactive rather than reactive in cybersecurity is paramount to securing your secrets in the digital landscape.

Categories
General Cyber and IT Security Uncategorized

Understanding DNSSEC and DNS Security

In our increasingly interconnected world, where the digital landscape expands every day, safeguarding our online presence has become vital. One fundamental yet often overlooked aspect of online security is Domain Name System (DNS) security. DNS is the backbone of the internet, responsible for translating domain names into IP addresses that computers can understand. To protect this system from threats, DNS security extensions (DNSSEC) plays a pivotal role.

How DNS Works

DNS Attacks

DNS spoofing and DNS cache poisoning are malicious techniques aimed at manipulating the Domain Name System (DNS) to redirect users to fraudulent websites or compromise network security. DNS spoofing involves forging DNS responses to trick a user’s device into believing it has received legitimate information when, in reality, it’s been directed to a malicious site. This can lead to various security breaches, including phishing attacks. On the other hand, DNS cache poisoning involves corrupting a DNS server’s cache with fraudulent data. Once the cache is poisoned, the server can distribute this tainted information to users, redirecting them to attacker-controlled websites. Both DNS spoofing and cache poisoning are serious threats to the integrity of the DNS infrastructure that highlight the importance of DNSSEC.

DNSSEC

DNSSEC is a suite of extensions to DNS that adds an extra layer of security by digitally signing DNS data. This verification process ensures that the data retrieved from DNS servers is authentic and hasn’t been tampered with by malicious actors. Here’s how it works:

  1. Signing Zone Data: DNSSEC involves signing zone data with cryptographic signatures. Each DNS record in a zone is signed using a private key.
  2. Public Key Distribution: The public key for each zone is published in a DNS record called the Delegation Signer (DS) record. This record is stored in the parent zone, creating a chain of trust. The public key is paired with a private key which is typically stored offline. This creates a digital signature which is published to DNS.
  3. Authentication: When a user’s device queries a DNS server for a domain, the server provides not only the requested data but also the corresponding digital signature. The user’s device uses the public key stored in the DS record to verify the signature’s authenticity.
  4. Validation: If the signature is valid, the DNSSEC client trusts the data it received, knowing it hasn’t been altered during transmission.

How DNSSEC Works:

Benefits of DNSSEC:

  1. Data Integrity: DNSSEC ensures that the DNS data remains unchanged, preventing attackers from redirecting users to malicious websites.
  2. Authentication: It guarantees that the data comes from a legitimate source, reducing the risk of DNS spoofing attacks.
  3. Trust Chain: By establishing a trust chain through DS records, DNSSEC enhances the security of the entire DNS hierarchy.

Challenges with DNSSEC:

While DNSSEC offers robust security, its adoption faces some challenges:

  1. Complex Implementation: DNSSEC implementation can be complex and may require significant effort. However, other DNS providers may offer to enable DNSSEC as part of your DNS package.
  2. Compatibility: Not all DNS servers and clients support DNSSEC, which can lead to compatibility issues.
  3. Key Management: Managing cryptographic keys can be challenging and requires careful consideration.
  4. Increased Packet Size: DNSSEC can result in larger DNS responses, which may impact network performance.

Other DNS Security Options:

DNSSEC is a cornerstone of DNS security, but several other extensions complement it:

  1. DNS-based Authentication of Named Entities (DANE): DANE allows domain owners to associate their TLS certificates with DNS records, improving the security of encrypted connections.
  2. Response Policy Zones (RPZ): RPZ enables DNS servers to block or redirect requests to known malicious domains.
  3. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT): These protocols encrypt DNS traffic, preventing eavesdropping and manipulation.

In conclusion, DNSSEC is an essential component of our digital defense. DNSSEC provides a robust framework for ensuring the integrity and authenticity of DNS data. The benefits of a more secure and trustworthy internet make the adoption of DNS security extensions a worthy investment in our digital future.

 

Categories
General Cyber and IT Security

Public Wi-Fi: The Double-Edged Sword of Connectivity and Cybersecurity

The appeal of free public Wi-Fi is inescapable in today’s digital world. The ability to connect, work, and socialize from any location – be it a local café, an airport lounge, or a hotel lobby – is a convenience that many have come to rely on. However, this convenience is not without its risks. As the digital landscape evolves, so do the threats associated with public Wi-Fi networks. Public Wi-Fi has become a staple in our daily lives. With the surge in remote work and the digital nomad lifestyle, the need to stay connected while on the move has never been greater. Yet, a staggering 56% of individuals connect to public Wi-Fi networks without a password, as reported by Forbes Advisor. This seemingly harmless act can expose users to a myriad of cyber threats. 

Below are a few attack vectors that cyber criminals can use to access users’ digital information using public Wi-Fi.

  • Evil Twin (Rogue Access Point) – Cybercriminals often set up counterfeit Wi-Fi networks with an SSID (Service Set Identifier) resembling legitimate ones. Unsuspecting users, thinking they’re connecting to a genuine network, inadvertently expose their data to these rogue hotspots. After a user connects to an Evil Twin, all data sent over the network can be seen by the attacker.
  • Man-in-the-Middle (MITM) Attacks – In these attacks a threat actor, who is on the same public network you connect to, intercepts packets sent between your computer and the internet. Similar to eavesdropping, this allows attackers to view and manipulate data.
  • Session Hijacking and Sidejacking – This occurs when the attacker is able to steal a legitimate session ID from a user to “hijack” the user’s session. For instance, a user may log into their bank account on public Wi-Fi. Simultaneously, the attacker will capture the information in the session cookie and use it to impersonate the user after they are done with their banking activity.
  • Login Page Phishing – Some public Wi-Fi login pages may prompt users to enter information to securely login. This may be leveraged by attackers using a phishing attack to obtain credentials. For example, an attacker may redirect a user attempting to access a public Wi-Fi point to a phishing page requesting the user login through Facebook. If the user enters their Facebook credentials, they are passed to the attacker who can then use them.
  • Unencrypted Public Wi-Fi – By default most access points are set up with WPA2 encryption enabled. However, if encryption is disabled on the Wi-Fi access point, information sent over the network can be viewed by attackers connected to the network.
  • Malware Distribution – Attackers can use public Wi-Fi to prompt a user to download or install a malicious program that may log keystrokes, or enable remote access to a user’s computer.

Public Wi-Fi Best Practices

In most cases, the most secure action would be to avoid public Wi-Fi. A low-cost solution would be to connect to a personal mobile hotspot. However, if one must connect to a public hot spot here are some best practices.

  • Ensure that you are connecting to a legitimate Wi-Fi access point. Usually, this can be confirmed by asking an employee what the SSID for their Wi-Fi is.
  • When connecting to a public Wi-Fi access point, use a VPN to encrypt your data in transit over the network.
  • Disable auto-connecting to Wi-Fi networks.
  • Avoid accessing your personal financial information or work information while using un-trusted public Wi-Fi.
  • Only access HTTPS site to ensure an SSL/TLS connection with the webpage.
  • Enable anti-virus and anti-malware software on your computer.
Categories
Penetration Testing

What to Expect During Your Upcoming External Penetration Test

External Penetration Test

Background

Customers often have questions about their upcoming external network penetration test. Many times our analysts are asked: What systems will be affected? Will this disrupt my business? What information do you need? This blog article aims to answer those questions and alleviate any potential client concerns.

Before the Pentest

Prior to starting an external penetration test, SecurIT360 analysts perform several checks with customers. First, we will confirm customer access to the SecurIT360 share file platform. This platform is used to communicate findings and share sensitive data securely. All information sent over this platform is only accessible by SecurIT360 staff and the client representative. Repeat clients should be familiar with this platform and will likely be asked to confirm their access, while new clients will have an account created for them.

Another step that typically occurs during the week before an external penetration test is confirmation of the client’s public IP ranges and cloud resources. This ensures that our analysts target the correct assets. The customer can provide the IP ranges listed in CIDR notation or with their corresponding subnet masks.

During the Pentest

On each day of the penetration test, an analyst will reach out to the client representative in an email that details the work to be done that day. The typical process for an external penetration test at SecurIT360 occurs in three steps: recon, attacking, and reporting. During the recon and attacking phases, the analyst will remind you to contact them if you receive any alerts from your Security Operations Center (SOC) or Managed Security Services Provider (MSSP). This gauges their responsiveness to the attempts made by the analyst to access your network or systems.

It’s important to understand that we do not perform any attacks designed to harm your systems. In fact, we take every precaution to avoid negatively impacting any services or systems in scope. Password sprays are done in intervals and are designed not to lock accounts. On occasion, password policies or an incorrect login attempt by an employee may result in a locked account. If your organization has a password policy that locks user accounts after a predetermined number of incorrect attempts within a certain time frame, it is important to communicate this to the Securit360 team. At any time, the client may email the analyst to pause or stop the attacking process.

A common concern from customers is that an external penetration test may throttle internet bandwidth or disrupt payment systems. This is simply not the case with our external process. The external attack process at SecurIT360 is specifically designed to not interfere with daily operations or cause a Denial of Service. If an analyst is able to pivot into the internal environment, the analyst will stop, and the customer is alerted. Likewise, if a critical vulnerability is discovered during the testing process, the client is alerted immediately to correct the vulnerability.

Reporting & Follow up

Depending on the scope of the network and the number of findings, the analyst will typically issue a draft report the week following a penetration test. We then ask the client to review the report and communicate any questions or concerns back to the analyst. When all the client’s concerns have been addressed, a final report is issued.

Often, clients will seek help remediating issues discovered during testing. Following a penetration test, our team will work with yours to understand and mitigate vulnerabilities. We will also issue an attestation form that states the work that SecurIT360 performed without detailing the vulnerabilities found on your network. These attestation forms are often required for compliance.

Closing

The goal of an external penetration test is to identify gaps in your external network, demonstrate the risk they present, and help inform you how to best close those gaps. Our mission as the Offensive Security Team at SecurIT360 is to find the holes before the bad actors do and help you secure your network. If you have any further questions about our external penetration testing process, please reach out to our team, and we would be happy to answer.

Categories
General Cyber and IT Security

Cybersecurity Tips For International Travel

International travel presents unique challenges to securing devices and information. This is particularly true when traveling to destinations that are considered to be high cyber risk countries such as China or Russia. 

Here are some precautions to take when traveling to these countries that will improve the security of your devices and data.  

Before you travel, you should first consider your company policies and procedures. Your device may have Mobile Device Management which can allow for a remote wipe of data if your device is lost or stolen. It may also specify an application whitelist or limit the device’s use when traveling.

Your company may also have a regularly scheduled backup for data and files to a secure server. If they do not, ensure that you back up all your device information before traveling internationally.

Another important consideration is to update your anti-malware and anti-virus before leaving the country. This guarantees that your device can defend against the most recent exploits. 

Finally, make sure your hard drives and data storage devices are encrypted, and be sure to verify the local laws of the country that you are visiting. Some countries, like China, do not allow encrypted devices and your device may be seized.  

When traveling internationally it is imperative that you always maintain physical control of your devices. Thieves often target foreigners for their devices and may extract sensitive data or personal information.

Another important reminder is to never connect a device to an insecure or untrusted connection. A simple act like plugging your phone into an unknown USB charger or outlet may install malware or extract data.

Avoid connecting to public Wi-Fi networks and turn off automatic connections for Wi-Fi and Bluetooth. 

When using your device in a foreign country establish a secured Virtual Private Network or VPN connection to a server in the United States. A VPN creates an encrypted tunnel to transfer your information and data. Still, you should assume any communications made in high cyber risk countries may be monitored.  

After returning home from your international travel, it is critical to not introduce any devices back into your home or work network. Doing this may introduce malware into the network. Instead, immediately format and update your devices along with your anti-virus and anti-malware programs.

It is also good practice to change the passwords of any devices that were brought with you during your travel. If any of your credentials were compromised while traveling, changing your password when you return may prevent escalation of any cyber threats.

Finally, monitor your financial accounts when returning to ensure that no credit card or account information was compromised.  


Sources:

https://www.securit360.com/blog/hitlist-international-travel/ 
https://tech.rochester.edu/security/international-travel-guidelines/ 
https://www.fcc.gov/consumers/guides/cybersecurity-tips-international-travelers