Categories
AI Security

Tackling the Rise of Shadow AI in Modern Enterprises

Understanding the Shadow AI Phenomenon 

Shadow IT has been a persistent challenge for CIOs and CISOs. This term refers to technology utilized within an organization without the explicit approval of the IT or security departments. Recent data from Gartner indicates that in 2022, a staggering 41% of employees engaged in the acquisition, modification, or creation of technology outside the purview of IT. Projections suggest this figure could soar to 75% by 2027. The primary concern with shadow IT is straightforward: it’s nearly impossible to safeguard what remains unknown. 

In a parallel development, the AI landscape is witnessing a similar trend. Tools like ChatGPT and Google Gemini are becoming popular among employees for task execution. While innovation and adaptability are commendable, the unchecked use of these tools, without the knowledge of IT or security departments, poses significant information and compliance risks. 

Why Employees Gravitate Towards AI Tools 

Generative AI, machine learning, and expansive language models have transformed the way we work. These technologies offer: 

  • Enhanced Process Efficiencies: AI can automate repetitive tasks, streamline workflows, and reduce time to delivery. 
  • Boosted Personal Productivity: With AI’s assistance, employees can focus on more strategic tasks, fostering creativity and innovation. 
  • Improved Customer Engagement: AI-driven tools can personalize customer experiences, predict trends, and enhance overall satisfaction. 

Balancing Innovation with Security 

The challenge for organizational leaders is twofold: ensuring that employees can harness their preferred AI tools while simultaneously mitigating potential security threats. Here are some strategies: 

  1. Establish Policy
  • Identify Regulations: Many companies are subject to consumer privacy laws; determine what is permitted based on the client’s or customer’s location.
  • Catalog Contracts: Often our clients have requirements in contracts that dictate how we can, or cannot, use AI in how data is processed.
  2. Educate and Train
  • Awareness Campaigns: Launch initiatives to educate employees about the potential risks associated with unsanctioned AI tools and encourage collaboration on approved usage.
  • Training Programs: Offer regular training sessions on the safe and responsible use of AI, including what types of data are permitted.
  3. Implement Robust Security Protocols
  • Regular Audits: Conduct frequent IT audits to detect and address unauthorized AI tool usage.
  • Advanced Threat Detection: Employ sophisticated AI-driven security solutions to identify and counteract potential threats.
  4. Promote Approved AI Tools
  • Internal AI Toolkits: Create a suite of organization-approved AI tools that employees can safely use.
  • Feedback Mechanisms: Establish channels for employees to suggest new tools, fostering a culture of collaboration and trust.

The Way Forward 

While the allure of AI is undeniable, it’s crucial for organizations to strike a balance between innovation and security. By understanding the motivations behind shadow AI, enterprises can create an environment where technology augments human capabilities without compromising safety. 

Conclusion 

The rise of shadow AI underscores the rapid evolution of technology in the workplace. By adopting a proactive approach, organizations can harness the power of AI while ensuring a secure and productive environment for all. 

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 2

Security should be a lifestyle and not just a “To-Do” list. As a Cybersecurity Professional myself, I cannot preach enough about the importance of Layered Security. No matter how big or small your environment, remember that even David took down a GIANT with a slingshot and pebble. Threats in our industry are diverse and dangerous. Staying ahead of the curve is no walk in the park and that is why a series of this magnitude is important for proactive reasoning.

In the first installment, we briefly covered threats such as Phishing (BEC Attacks), Malware Attacks, and Insider Threats. In this second installment, we will dive into Ransomware Attacks, Distributed Denial of Service attacks, and Zero-Day Exploits.

4. Ransomware Attacks:

Ransomware involves the encryption of a victim’s data by an attacker, who then demands a ransom in exchange for the decryption key. The impact of ransomware attacks ranges from financial loss to severe disruption of operations. This form of attack is huge in critical sectors such as healthcare, finance, and government.

Motions to Mitigate:

Mitigation against Ransomware attacks can consist of:

· Endpoint Security: Install and regularly update endpoint security software to detect and prevent malicious software from running on a user’s device.

o Some popular Endpoint Detection and Response solutions include Microsoft Defender for Endpoint, VMware’s Carbon Black, and CrowdStrike Falcon Platform.

o If Endpoint Security is something your company is interested in implementing, SecurIT360 would love to assist you on this journey through our SOC services.

· User Behavior Analytics: Using user behavior analytics tools to identify deviations from normal user behavior can help detect compromised accounts more efficiently.

o This can be achieved through SecurIT360’s 24/7/365 security operations center, which provides real-time monitoring through utilization of MDR and EDR solutions.

· Disable Unnecessary Services: Disabling or restricting services and features that are not essential for business operations can prevent Ransomware from exploiting these services.

· Network Segmentation: Segmenting your network to isolate critical systems and data from the rest of the network can help contain the spreading of ransomware.

· Backup and Disaster Recovery: Regularly backing up critical data and systems to offline or secure locations is another helpful tip. Ensuring backups are not accessible from the network and testing data recovery procedures can go a long way when ensuring you can restore your systems in case of an attack.

· Patch and Update Software: Keeping operating systems, software, and applications up to date with the latest security patches will combat and address vulnerabilities that ransomware may exploit.

5. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks:

DoS and DDoS attacks aim to make a network, service, or system unavailable to its intended users. This type of attack targets the “A”, availability, in the CIA (Confidentiality, Integrity, and Availability) triad. This is achieved by overwhelming the target with a flood of internet traffic that the target was not built to withstand. In a DDoS attack, the attacker uses multiple compromised computers (botnets) as sources of traffic, making these attacks particularly challenging to mitigate.

Motions to Mitigate:

A few ways to mitigate this are by implementing Distributed Traffic Filtering, Content Delivery Networks, and Geographic Blocking in your environment. Other forms of DoS/DDoS mitigation consist of:

· IP Reputation Lists: Utilize IP reputation lists and databases to block known malicious IP addresses and networks. This should be updated quarterly due to the frequency of IPs switching hands or ISPs (Internet Service Providers).

o We know that this can become quite a task but our Security Operations Center can help relieve this pressure through our managed firewall services.

· Network and Server Redundancy: Build redundancy into your network and server infrastructure to ensure that a failure in one component does not result in a complete service outage.

· Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): Deploy IPS solutions to detect and block malicious traffic and behavior at the network level.

o The SecurIT360 SOC Team can assist with detecting malicious activity through our MDR solutions and blocking known malicious with some of our other managed services (EDR, Managed Firewalls, etc).

· Black Hole Routing (BGP Sink holing): Configure your network to use black hole routing to discard malicious traffic. BGP sink-holing can redirect DDoS traffic to a “black hole” where it is discarded.

6. Zero-Day Exploits:

A zero-day exploit targets a software vulnerability that is unknown to the software’s developer. The term “zero-day” refers to the fact that the developer has zero days to fix the vulnerability once it becomes known. Zero-day exploits are among the most dangerous threats to defend against, which is why organizations need a proactive rather than reactive approach to them.

Motions to Mitigate:

· Advanced Threat Detection Solutions: Deploy advanced threat detection solutions that can identify zero-day attacks based on abnormal behavior and anomaly detection.

· Application Security Testing: Conduct regular security assessments, including penetration testing, to identify and address potential weaknesses in your applications and systems.

o If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.

· Behavior-Based Analysis: Employ behavior-based analysis tools that can detect unusual or malicious behavior on endpoints and networks. Zero-day exploits often exhibit abnormal patterns.

o This can fall under the umbrella of EDR services. Detecting User/Behavior-Based Analytics to determine your environment’s baseline behaviors in comparison to anomalies is something SecurIT360’s SOC works with daily.

· Threat Intelligence Sharing: Participate in threat intelligence sharing communities and organizations to stay informed about the latest threats, including zero-day vulnerabilities.

· Sandboxing: Use sandboxing techniques to run potentially risky or untrusted code in an isolated environment, preventing it from affecting the rest of the system.

· Vulnerability Management: Proactively discover and mitigate weaknesses in your systems before attackers can exploit them. This includes software, hardware, and even human behaviors.

o SecurIT360’s ISSO department specializes in internal scan assessments.

o SecurIT360’s Security Operations Center services include External Scan Assessments monthly or per request.

As you can see, there are many threats in our industry and the need for persistent protection is constant. My goal for this second installment was to provide easily digestible information on some common threats Cybersecurity Professionals like myself witness on a day-to-day basis.

If you have enjoyed this second installment of the Decoding Digital Dangers: Common Cybersecurity Threats Explained series, be sure to go back and check out Part 1 as well.

Additionally, if your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Categories
AI Security

AI Security 101: Addressing Your Biggest Concerns

Understanding the Landscape of AI Security

In today’s digital age, Artificial Intelligence (AI) has become an integral part of our daily lives. From smart home devices to advanced medical diagnostics, AI is revolutionizing industries and improving user experiences. However, with the rapid adoption of AI technologies, security concerns have become paramount. As we integrate AI into critical systems, ensuring the safety and integrity of these systems is of utmost importance.

The Main Concerns in AI Security

1. Data Privacy and Protection

AI systems rely heavily on data. The quality and quantity of this data determine the efficiency of the AI model. However, this data often includes sensitive information, which, if mishandled, can lead to significant privacy breaches. Ensuring that data is minimized, collected, stored, and processed securely is crucial.

2. Adversarial Attacks

These are sophisticated attacks where malicious actors introduce slight alterations to the input data, causing the AI model to make incorrect predictions or classifications. Such attacks can have severe consequences, especially in critical systems like autonomous vehicles or medical diagnostics.

3. Model Robustness and Integrity

Ensuring that an AI model behaves predictably under various conditions is vital. Any unpredicted behavior can be exploited by attackers. Regular testing and validation of AI models can help in maintaining their robustness and integrity.

4. Ethical Concerns

As AI systems make more decisions on our behalf, ensuring that these decisions are ethical and unbiased becomes crucial. Addressing issues like algorithmic bias is essential to build trust in AI systems.

Best Practices in AI Security

1. Enable AI Usage

Establish controls with policies and procedures on when AI usage is permitted, how to onboard AI tools and when they can be used. Document all approved systems so there is a clear understanding of where your data is.

2. Secure Data Management

Always encrypt sensitive data, both at rest and in transit. Employ robust access controls and regularly audit who has access to the data, where the data resides and how long the data is stored. Ensure compliance with data protection requirements, both contractual and regulatory.

3. Regularly Update and Patch Systems

Just like any other software, AI systems can have vulnerabilities. Regular updates and patches can help in fixing these vulnerabilities before they can be exploited.

4. Employ Defense-in-Depth Strategies

Instead of relying on a single security measure, use multiple layers of security. This ensures that even if one layer is breached, others can still provide protection.

5. Continuous Monitoring and Anomaly Detection

Monitor AI systems in real-time. Any deviations from normal behavior can be a sign of a potential security breach. Immediate action can prevent further damage.

6. Educate and Train Teams

Ensure that everyone involved in the development and deployment of AI systems is aware of the potential security threats and knows how to address them.

The Future of AI Security

As AI technologies continue to evolve, so will the security challenges associated with them. However, by being proactive and adopting a security-first approach, we can address these challenges effectively. Collaborative efforts between AI developers, security experts, and policymakers will be crucial in shaping a secure AI-driven future.

In conclusion, while AI offers immense potential, ensuring its security is paramount. By understanding the challenges and adopting best practices, we can harness the power of AI while ensuring the safety and privacy of users.

Categories
General Cyber and IT Security

Decoding Digital Dangers: Common Cybersecurity Threats Explained – Part 1

Have you heard the phrase “Don’t bring a knife to a gunfight”? Well, this phrase holds the same truth within the realms of modern cybersecurity. There is a wide range of dangers in our industry, and one must know what they are to properly prepare for the battle against them. The sheer volume of these risks alone should emphasize how critical it is to comprehend them while also developing mitigation solutions.

One might ask, well what are a few common threats that we as cybersecurity professionals should look out for in this constantly changing digital environment? This series was created to highlight just that. In this first installment, we will cover Phishing (BEC Attacks), Malware Attacks, and Insider Threats.

  1. Phishing Attacks:

Phishing attacks are the most common form of cybersecurity threat. This is where an attacker masquerades as a legitimate entity to “reel” victims into revealing sensitive data such as usernames, passwords, and credit card information. Phishing attacks often take the form of emails, website pop-ups, or text messages, which underscores the importance of always verifying that the entity you are communicating with is who it claims to be.

Once a successful Phishing Attack has occurred, it can lead to a Business Email Compromise, or BEC for short. As Cybersecurity professionals we must empower ourselves against BECs. Implementing the following recommended strategies can assist in strengthening your cybersecurity posture:

Motions to Mitigate:

A few ways to stay proactive against Phishing attempts are:

  • User Education and Training: Provide regular cybersecurity training and awareness programs to educate users about the risks of phishing.
    • The SecurIT360 SOC Team can assist with this through our KnowBe4 managed services. Through this service, we can set up Phishing Simulations along with Awareness Training.
  • Email Filtering and Authentication: Implement email filtering solutions to block or flag potential phishing emails before they reach users. Configure email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify the authenticity of incoming emails.
  • Multi-Factor Authentication (MFA): Enforce MFA for email and other critical accounts. Even if a phishing attack results in stolen credentials, MFA can provide an additional layer of security.
    • SIEM and MDR services can even help to identify and respond to suspicious MFA activity. These services can collect and analyze logs from a variety of sources, including MFA devices, applications, and servers. This data can be used to identify patterns of behavior that may indicate an attack, such as MFA Bombing, logins sourced from known malicious IPs, and logins originating from non-approved countries.
    •  As a SecurIT360 SOC MDR client, we can add this particular log source type in our SIEM solution to best accommodate your environment’s real-time monitoring.
  • Phishing Simulations: Conduct phishing simulations and tests within your organization to assess user awareness and response. Use the results to tailor training and awareness efforts.
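
The MFA log analysis mentioned in the list above can be expressed as detection logic for MFA bombing. The following PowerShell is an added example, not part of the original article or any SecurIT360 tooling; the event fields, the threshold of 5 denials, the 10-minute window, and the sample events are constructed assumptions.

```powershell
# Constructed sample MFA events (not real logs): timestamp, user, prompt result.
$sampleEvents = @'
Time,User,Result
2024-01-10T02:00:05Z,asmith,Denied
2024-01-10T02:00:40Z,asmith,Denied
2024-01-10T02:01:15Z,asmith,Denied
2024-01-10T02:02:00Z,asmith,Denied
2024-01-10T02:02:45Z,asmith,Denied
2024-01-10T02:03:30Z,asmith,Denied
2024-01-10T02:04:10Z,asmith,Approved
2024-01-10T09:15:00Z,bjones,Denied
2024-01-10T09:15:30Z,bjones,Approved
'@ | ConvertFrom-Csv

function Find-MfaFatigue {
    param(
        [Parameter(Mandatory)] [object[]]$MfaEvent,
        [int]$Threshold = 5,        # denied prompts that count as a burst (assumed value)
        [int]$WindowMinutes = 10    # length of the burst window (assumed value)
    )
    $window = [timespan]::FromMinutes($WindowMinutes)

    foreach ($group in ($MfaEvent | Group-Object -Property User)) {
        # Normalise timestamps once so comparisons are on DateTimeOffset, not strings.
        $rows = @($group.Group | ForEach-Object {
            [pscustomobject]@{ Time = [datetimeoffset]$_.Time; Result = $_.Result }
        } | Sort-Object -Property Time)
        $denied = @($rows | Where-Object { $_.Result -eq 'Denied' })

        for ($i = 0; $i -lt $denied.Count; $i++) {
            # Count denials in the window that opens at this denial.
            $start = $denied[$i].Time
            $limit = $start.Add($window)
            $burst = @($denied | Where-Object { $_.Time -ge $start -and $_.Time -le $limit })
            if ($burst.Count -lt $Threshold) { continue }

            # An approval shortly after the burst is the high-priority case:
            # the user may have given in to the repeated prompts.
            $end      = $burst[-1].Time
            $deadline = $end.Add($window)
            $approved = @($rows | Where-Object {
                $_.Result -eq 'Approved' -and $_.Time -gt $start -and $_.Time -le $deadline
            })

            [pscustomobject]@{
                User               = $group.Name
                BurstStart         = $start
                DeniedCount        = $burst.Count
                ApprovedAfterBurst = ($approved.Count -gt 0)
            }
            break   # one finding per user is enough to open an investigation
        }
    }
}

Find-MfaFatigue -MfaEvent $sampleEvents | Format-Table -AutoSize
```

With the constructed events, only asmith is reported: six denials inside one window followed by an approval. A single mistyped prompt, as for bjones, stays below the threshold.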

Additional helpful articles for improving awareness of BEC attacks/Phishing:

  2. Malware Attacks:

Malware, short for malicious software, refers to any software designed to damage or disrupt a computer system. Types of malware include viruses, worms, Trojans, spyware, and adware. Malware attacks typically involve the installation of this malicious software onto a victim’s device without their knowledge, leading to data loss or theft. Another way Malware can be downloaded unknowingly is by clicking unfamiliar links such as from a Phishing email. This illustrates how some of these attacks can be combined to get what the Threat Actor is after.

Motions to Mitigate:

Malware can be a pest but implementing the following can assist in reducing the appearance in your environment:

  • Application Whitelisting: Implement application whitelisting, which allows only authorized and known applications to run on endpoints. This can prevent unapproved applications, including malware, from executing.
  • Network Monitoring and Alerting: Implementing network monitoring tools to detect unusual network traffic and behaviors that may indicate a malware infection can be helpful.
    • The SecurIT360 SOC Team can assist with this through our 24/7/365 operations of real-time monitoring and utilization of MDR and EDR solutions.
      • Through our EDR services, we can detect User Behavior Analytics to assist with determining baseline behaviors in comparison to anomalies.

  3. Insider Threats:

Insider threats involve cybersecurity threats that originate from within an organization. These can be intentional – for instance, a disgruntled employee causing harm – or unintentional, such as an employee unknowingly clicking on a phishing link or accidentally uploading sensitive login credentials of your company’s own infrastructure on a site like GitHub (in reference to: https://www.vice.com/en/article/m7gb43/microsoft-employees-exposed-login-credentials-azure-github).

Motions to Mitigate:

  • Least Privilege Access: Limit user and system access to only the resources and data required for their tasks. This principle minimizes the potential impact of a ransomware infection.
    • A great way to test your current Access Controls is by performing a Pentest. It is recommended to get a Penetration Test done once to twice a year at a minimum. If a Pentest is something your organization is interested in having conducted, contact SecurIT360’s Offsec Department to set up an engagement.
  • Data Loss Prevention (DLP): Use DLP solutions to monitor and prevent the unauthorized transfer or leakage of sensitive data. This can help prevent both accidental and intentional data breaches.
  • Secure Offboarding: Ensure that when employees leave the organization, their access is immediately revoked. This includes disabling accounts, collecting company-owned devices, and updating access control lists.
  • Data Access Auditing: Implement auditing and logging for data access to track who accessed sensitive data and when.
  • Secure Mobile Device Management (MDM): Manage and secure mobile devices that employees use for work, including the ability to remotely wipe devices in case of loss or theft.

All mitigation strategies require a comprehensive approach that includes a combination of technology, user education, and proactive security measures. By implementing these practices, your organization can significantly reduce its vulnerabilities and minimize potential damage.

One takeaway is the mantra of the “12 P’s”:

“Positive Proper Preparation Prevents Piss Poor Performance; Piss Poor Performance Promotes Pain” and we don’t want your organization to experience the pain of improper preparation.

Understanding the common cybersecurity threats listed in this first installment is the initial step toward strengthening your cybersecurity defenses. Your organization’s defenses should mimic that of an Onion. An onion has many layers to it and your defense should follow this same blueprint. We recommend investing in regular staff training and maintaining a culture of cybersecurity awareness to protect against these threats along with utilizing robust cybersecurity solutions. For instance, utilizing a Cybersecurity Framework could be essential to your business long term.

To get more information on implementing the best Cybersecurity Framework for your environment, check out: The Building Blocks of Cyber Defense: Why Your Business Needs a Cybersecurity Framework – SecurIT360

If your company needs expert cyber security and IT services for ongoing risk management and operational excellence, such as SOC services, please contact us here at SecurIT360 to be of assistance: Contact – SecurIT360.

Additionally, be sure to be on the lookout for the second installment of this Decoding Digital Dangers: Common Cybersecurity Threats Explained series releasing in the coming weeks.

Categories
Compliance > Privacy

Data Privacy Laws and Cybersecurity: Navigating The 2023 Shift

Introduction

In 2023, the United States is witnessing a pivotal transformation in its data privacy laws, heralding a new era in legal frameworks and cybersecurity strategies. This shift, significant in its scope and impact, demands a reevaluation of how organizations approach data privacy and security compliance.

Recent Developments in Data Privacy Laws
  1. New State Laws and Amendments:
    • California Privacy Rights Act (CPRA): Enhancing CCPA with GDPR-like rights from January 1, 2023.
    • Colorado Privacy Act (CPA): Introducing data security mandates, effective July 1, 2023.
    • Connecticut Data Privacy Act (CDPA): Emphasizing data minimization and security from July 1, 2023.
    • Utah Consumer Privacy Act (UCPA): Prioritizing data security, effective December 31, 2023.
    • Virginia Consumer Data Privacy Act (VCDPA): Revising data processing rights from January 1, 2023.
  2. Emerging Trends:
    • Scope Consistency: These laws primarily target businesses within state borders or those engaging with state residents.
    • Consumer Rights Expansion: A growing trend towards empowering consumers with data access, deletion, and opt-out options.

Implications for Cybersecurity

  1. Enhanced Data Security: The evolving landscape necessitates robust cybersecurity measures to safeguard personal data.
  2. Risk Assessment and Compliance: Regular assessments for high-risk data processing underscore the need for continuous compliance.
  3. Legal and Financial Stakes: Non-compliance risks substantial legal and financial repercussions, with penalties reaching $50,000 per violation in some states.
  4. Diverse Regulatory Landscape: The variance in state laws presents a significant challenge for multi-state operations, requiring adaptable compliance strategies.
  5. Evolving Future Trends: With impending legislation in states like Maine and Massachusetts, the regulatory environment will grow, demanding agile cybersecurity responses.

2023 marks a watershed moment in U.S. data privacy law with profound cybersecurity implications. For organizations, the focus must shift to robust security measures, vigilant risk assessments, and a proactive stance on compliance. As the legal landscape evolves, staying informed and adaptable is crucial for effectively navigating these changes.

For detailed insights on the evolving privacy laws, visit Reuters: https://www.reuters.com/legal/legalindustry/new-era-privacy-laws-takes-shape-united-states-2023-11-15/

Categories
Computer & Network Security

Securing Windows: Common Misconfigurations That Give Attackers The Advantage

Introduction

In the ever-evolving landscape of cybersecurity, securing your Windows environment is paramount to safeguarding your organization and data. However, even with its built-in security features, Windows can fall victim to common misconfigurations that leave it susceptible to exploitation by determined attackers. In this article, we delve into some of the most common misconfigurations that threaten the security of your Windows systems. From non-unique passwords to inadequate endpoint protection and unrestricted PowerShell, we’ll shed light on the vulnerabilities that cybercriminals exploit to gain unauthorized access, elevate their privileges, move laterally, and take over entire networks.

Common Misconfigurations

To ensure Windows systems are hardened against attacks, it is crucial to be aware of the common misconfigurations that can inadvertently expose your environment to potential threats. In this section, we will explore the top misconfigurations that can compromise your system’s integrity and provide an open invitation to threat actors. Each misconfiguration represents a potential point of exploitation. By understanding these misconfigurations and taking proactive steps to address them, you can fortify your Windows security posture and thwart the advances of malicious adversaries. Let’s dive in and unravel these vulnerabilities to strengthen our defenses and ensure the safety of our organizations and data.

1. Non-Unique Local Admin Passwords

Using non-unique local admin passwords makes it easier for threat actors to gain unauthorized access and move laterally in your environment.

Using the same password for all the local admin accounts in the environment is a serious risk because of how easy it can be for threat actors to obtain the password and/or the password hash. The risk here is that if a threat actor is able to obtain the password (or even the password hash!), they can then use that to pivot to other machines in the network that are also using the same account and password. This can result in devastating effects, because if a threat actor compromises Sally in Accounting’s PC, obtains the password, and then uses that to pivot to the Accounting database server where all the PCI data is stored, now you have a very serious security incident on your hands.

  • Mitigation: The good news is that you can completely eliminate this risk by making all local administrative accounts have a unique password. What’s even better is you can do this for FREE with Windows LAPS. LAPS is really great, easy to implement, and is a great control if you currently don’t have anything similar in place. You can read more about that here: Windows LAPS overview

2. Lack of Patching 3rd Party Software

Neglecting to promptly apply patches and updates to third-party software exposes your system to vulnerabilities that threat actors can exploit. These vulnerabilities are commonly used to execute arbitrary, malicious code that can allow a threat actor an initial foothold or elevate their privileges in your environment.

Third-party software is ripe for attack because threat actors realize it’s harder to patch than Microsoft Windows systems themselves. There’s more manual effort and additional tools required to ensure these software applications are kept up to date. A common example is when programs such as Adobe Reader are installed. Adobe can be configured to update automatically, but this can often be overlooked. This results in Adobe Reader (which is commonly exploited) going unpatched for months or years at a time.

  • Mitigation: The best way to mitigate this risk is to first develop an inventory of the software in your environment. Keep that inventory up to date, then implement a process to check that software for updates. Sometimes this is a manual effort, however, there are commercial tools that can be used to update these software applications. I don’t want to recommend commercial solutions in this blog post, but if you do a Google search for: “3rd party patch management software” you will find unlimited results. Do some research, demo the products, pick one, and get to patching.

3. Poor Firewall Configuration

Improperly configured firewalls create security gaps that allow unauthorized network connections and can compromise system integrity. This misconfiguration often arises from allowing unnecessary inbound and outbound connections or mismanaging firewall rules. Threat actors can exploit these openings allowing them to move laterally in the environment, download additional malicious payloads, and more.

Another common misconfiguration seen during security assessments and penetration tests is having the Windows firewall disabled. Doing so allows for unrestricted network communication both to/from the internet and to/from other devices on the network. Without a firewall in place, there’s not much that’s going to stop a threat actor from moving laterally in the environment if they can communicate with the device and have valid credentials.

  • Mitigation: Implement a hardened firewall configuration and manage it centrally. You can do this for free with Group Policy, or you can use commercial tools to assist in this. There really should be no reason that workstations, laptops, and servers need to have open multi-directional communication. The hard part here is mapping your network and determining which connections are required for things like remote management and support. However, doing so and implementing strong firewall configurations will pay huge dividends. Imagine if a threat actor does gain access to a workstation on the domain, but because of your hardened firewall configuration, they literally cannot go anywhere else in the environment, EVEN if they get another set of credentials. This talk by Jessica Payne is a wonderful example of how to configure the Windows Firewall to thwart attackers.
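
To check an endpoint for the firewall misconfigurations described above, the effective policy can be audited locally. This PowerShell is an added example, not from the original article; the list of management ports to watch is an assumption to adjust to your own network map.

```powershell
# Added example: report weak Windows Firewall settings on the local machine.
# 'ActiveStore' is the effective policy: local settings merged with Group Policy.
# Reading the default (persistent) store can miss what GPO actually enforces.

# Ports treated as remote-management relevant (assumption for this example):
# RPC endpoint mapper, SMB, RDP, WinRM over HTTP and HTTPS.
$watchPorts = '135', '445', '3389', '5985', '5986'

function Get-FirewallProfileFinding {
    param([string]$PolicyStore = 'ActiveStore')

    Get-NetFirewallProfile -PolicyStore $PolicyStore | ForEach-Object {
        if ($_.Enabled -ne 'True') {
            [pscustomobject]@{ Profile = $_.Name; Finding = 'Firewall is disabled' }
        }
        if ($_.DefaultInboundAction -eq 'Allow') {
            [pscustomobject]@{ Profile = $_.Name; Finding = 'Default inbound action is Allow' }
        }
    }
}

function Get-OpenManagementRule {
    param(
        [string]$PolicyStore = 'ActiveStore',
        [string[]]$Port = $watchPorts
    )

    # Enabled inbound allow rules only; block rules and disabled rules are not exposure.
    Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule       = $_
            $portFilter = $rule | Get-NetFirewallPortFilter
            $addrFilter = $rule | Get-NetFirewallAddressFilter

            # LocalPort may be a single value or a list; ranges and 'Any' are not expanded here.
            $hit = @($portFilter.LocalPort) | Where-Object { $Port -contains $_ }

            # A watched port reachable from any remote address is what allows
            # workstation-to-workstation connections.
            if ($hit -and (@($addrFilter.RemoteAddress) -contains 'Any')) {
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Profile       = $rule.Profile
                    LocalPort     = ($hit -join ',')
                    RemoteAddress = 'Any'
                }
            }
        }
}

Get-FirewallProfileFinding | Format-Table -AutoSize
Get-OpenManagementRule     | Format-Table -AutoSize
```

Rules reported by the second function are candidates for scoping to the specific management hosts or subnets that need the connection.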

4. Insecurely Installed Software

 

Installing software from untrusted sources or failing to validate software integrity can introduce malware or compromise system integrity. However, that’s not the only risk here. Many times, software will install itself and configure unnecessary and overly permissive rights on the system.

A common example of this is when software installs to C:\Program Files\SuperCoolSoftware and at the end of the installation it configures the permissions on the SuperCoolSoftware folder such that “Everyone” is able to modify any file, folder, or subfolder within the SuperCoolSoftware directory. This undermines the integrity of not only the software but also the operating system itself. Many times, this is abused to elevate privileges or execute malicious code.

  • Mitigation: Regularly review your Windows endpoints for this misconfiguration by checking the permissions that are configured after the software has been installed or updated. This commonly affects the C:\Program Files and C:\Program Files (x86) folders, but this can pop up in many other places. You can use PowerShell’s Get-ACL cmdlet, icacls.exe in a cmd prompt, or even the Sysinternals tool AccessChk.
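
One way to run that review with Get-Acl, added here as an example and not taken from the original article. It reports folders under the two Program Files directories where Everyone, Authenticated Users, or BUILTIN\Users hold write-capable rights; the function name Find-WritableProgramFolder and the default search depth are assumptions.

```powershell
# Added example (not from the original article). Read-only.
# Find-WritableProgramFolder is a hypothetical helper name.
function Find-WritableProgramFolder {
    [CmdletBinding()]
    param(
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [int]$Depth = 3
    )

    # Well-known SIDs of broad, low-privileged groups (independent of display language).
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that allow changing or replacing content, plus the raw GENERIC_WRITE and
    # GENERIC_ALL bits, which Get-Acl can return unmapped on inherit-only ACEs.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    foreach ($r in $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        $items = @(Get-Item -LiteralPath $r) +
                 @(Get-ChildItem -LiteralPath $r -Directory -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue)

        foreach ($item in $items) {
            try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }

            # Explicit ACEs only, so each hit points at the folder where the permission was set.
            $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -ne 'Allow' -or -not $broadSids.ContainsKey($sid)) { continue }
                if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }

                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $broadSids[$sid]
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
}

Find-WritableProgramFolder | Format-Table -AutoSize -Wrap
```

Pass other install locations through -Root to cover software that lives outside Program Files.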

5. Weak Endpoint Protection

Weak endpoint protection, such as outdated antivirus software or disabled security features, exposes systems to various malware attacks and compromises. This misconfiguration often arises from neglecting to update antivirus definitions, disabling real-time scanning, or using outdated security software versions. It is also a result of not using an enterprise-grade endpoint protection product.

The fact of the matter is that traditional antivirus is no longer acceptable or suitable for enterprise use. It’s trivial to bypass antivirus signatures and even heuristic detections. Due to the increased ease of obfuscation and the ability to eliminate known signatures in malicious payloads, antivirus alone is not enough.

  • Mitigation: Consider investing in a true endpoint protection product that goes beyond traditional signature-based detection. The advanced endpoint protection products on the market today can scan memory regions for malicious content and can scrutinize API calls that are commonly used by malware. Furthermore, these products have enhanced telemetry gathering capabilities, such that even if an alert does not immediately fire, an analyst can dig into the suspicious events and look deeper into what was potentially happening on a given system. Lastly, these endpoint protection products can orchestrate various security tasks, such as disconnecting the machine from the network so it cannot be used to infect other machines, isolating an attack.

6. Insecure Services & Tasks

Misconfigured or unnecessary services and tasks on Windows systems can provide threat actors with the ability to elevate their privileges or execute code as SYSTEM, one of the most privileged accounts on a Windows system. There are a variety of ways tasks and services can become misconfigured, and we talk a lot about those here: Hidden Danger: How To Identify and Mitigate Insecure…

This misconfiguration typically occurs as a result of insecurely installed software, which we discussed earlier in this article, and we often see it happen as a result of an error in configuration by IT admins. Many times services and tasks are configured to run with a domain account because the software that’s running the service needs domain permissions. More often than not, the domain accounts configured to run these services and tasks have elevated permissions in the domain, such as Domain Admin rights. If a threat actor is able to hijack the service/task then they could execute code or use it to elevate their privileges in the domain.

  • Mitigation: Review all tasks and services for insecure configurations, such as unquoted paths and insecure service binaries, and check the permissions of the domain accounts that are used. Implement least privilege for domain accounts that are used in services and tasks to reduce the risk they present if abused. It’s also a good idea to monitor when services and tasks are modified, especially those that execute with elevated privileges.
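
A starting point for that review, added here as an example and not taken from the original article. It lists services with unquoted paths that contain spaces, plus services and scheduled tasks that run under a named (non-built-in) account; the function name Get-RiskyServiceAndTask is hypothetical, and checking each account's group memberships is left to your directory tooling.

```powershell
# Added example (not from the original article). Read-only.
# Get-RiskyServiceAndTask is a hypothetical helper name.
function Get-RiskyServiceAndTask {
    [CmdletBinding()]
    param()

    # Built-in identities; anything else is a named local or domain account to review.
    $builtIn = '^(LocalSystem|SYSTEM|LOCAL SERVICE|NETWORK SERVICE|S-1-5-(18|19|20)|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $issues = @()

        # Unquoted path: the command line does not start with a quote and the
        # executable path (everything up to the first ".exe") contains a space.
        if ($svc.PathName -and $svc.PathName -notmatch '^\s*"' -and
            $svc.PathName -match '^(.+?\.exe)' -and $Matches[1] -match '\s') {
            $issues += 'Unquoted path with spaces'
        }
        if ($svc.StartName -and $svc.StartName -notmatch $builtIn) {
            $issues += 'Runs as a named account; check its group memberships'
        }
        if ($issues) {
            [pscustomobject]@{
                Type = 'Service'; Name = $svc.Name; RunAs = $svc.StartName
                Command = $svc.PathName; Issue = $issues -join '; '
            }
        }
    }

    foreach ($task in Get-ScheduledTask) {
        $user = $task.Principal.UserId
        if (-not $user -or $user -match $builtIn) { continue }

        $exec = ($task.Actions | Where-Object { $_.Execute } | ForEach-Object { $_.Execute }) -join ' | '
        [pscustomobject]@{
            Type = 'Task'; Name = $task.TaskPath + $task.TaskName; RunAs = $user
            Command = $exec
            Issue = 'Runs as a named account (logon type {0}, run level {1})' -f
                    $task.Principal.LogonType, $task.Principal.RunLevel
        }
    }
}

Get-RiskyServiceAndTask | Sort-Object Type, Name | Format-Table -AutoSize -Wrap
```

Tasks that run interactively as the logged-on user will also appear; the logon type and run level in the Issue column help separate those from tasks that run with stored credentials.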

7. Unrestricted PowerShell

Just a friendly reminder... CMD != PowerShell

Allowing unrestricted usage of PowerShell, a powerful scripting language and automation framework in Windows, can introduce significant security risks. This misconfiguration typically occurs when system administrators or users have unrestricted access to execute any PowerShell command or script. Threat actors can leverage this unrestricted access to execute malicious scripts, download and execute payloads, or perform unauthorized actions on the system.

There are numerous ways threat actors can abuse PowerShell for their nefarious deeds, such as using PowerShell version 2 to avoid logging and security measures such as Windows Antimalware Scanning Interface (AMSI). PowerShell is also commonly used by threat actors to download additional malware. This is commonly done using what’s called encoded commands, which are base64 encoded blobs that contain code to download and execute a secondary malicious payload. Despite strong security controls to prevent and detect PowerShell abuse, it’s still heavily utilized by threat actors, including ransomware groups.

  • Mitigation: The best defense against PowerShell abuse, like everything else, is layered controls. Eliminate PowerShell version 2 in your environment, then implement logging and monitoring. Start with ScriptBlock and Module logging, and make sure those logs make it to your SIEM or your MSP for monitoring and alerting. Many times, malicious PowerShell stands out like a sore thumb and can be a great way to detect an attack early on in the chain. Implementing Constrained Language Mode and Application Control can also be strong defenses against PowerShell abuse. Constrained Language Mode (CLM) can be used to restrict what cmdlets and elements of PowerShell can be used. Application Control can be used to limit which users have access to PowerShell.
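
A quick way to check whether these controls are in place on a given machine, added here as an example and not taken from the original article. It reads the Group Policy registry values for ScriptBlock and Module logging, the state of the PowerShell 2.0 optional feature, and the language mode of the current session; the function name Test-PowerShellHardening is hypothetical.

```powershell
# Added example (not from the original article). Read-only; run elevated.
# Test-PowerShellHardening is a hypothetical helper name.
function Test-PowerShellHardening {
    [CmdletBinding()]
    param()

    # Group Policy keys for Windows PowerShell 5.1 (PowerShell 7 has separate policy settings).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $read = {
        param($SubKey, $Name)
        (Get-ItemProperty -Path "$policy\$SubKey" -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # PowerShell 2.0 engine. This is the client feature name; on servers check
    # Get-WindowsFeature PowerShell-V2 instead.
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop
        $v2 = if ($feature) { "$($feature.State)" } else { 'Not present' }
    } catch {
        $v2 = 'Unknown (not elevated, or feature not found)'
    }

    $sbl = & $read 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    $ml  = & $read 'ModuleLogging' 'EnableModuleLogging'

    # Module logging records nothing unless at least one module name (often *) is listed.
    $modKey = Get-Item -Path "$policy\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    $mods   = @(if ($modKey) { $modKey.Property })

    $mode = "$($ExecutionContext.SessionState.LanguageMode)"

    [pscustomobject]@{ Control = 'PowerShell 2.0 engine'
                       Value = $v2; Ok = ($v2 -like 'Disabled*' -or $v2 -eq 'Not present') }
    [pscustomobject]@{ Control = 'Script block logging (event ID 4104)'
                       Value = $sbl; Ok = ($sbl -eq 1) }
    [pscustomobject]@{ Control = 'Module logging (event ID 4103)'
                       Value = "$ml; modules: $($mods -join ',')"; Ok = ($ml -eq 1 -and $mods.Count -gt 0) }
    [pscustomobject]@{ Control = 'Language mode of this session'
                       Value = $mode; Ok = ($mode -eq 'ConstrainedLanguage') }
}

Test-PowerShellHardening | Format-Table -AutoSize -Wrap
```

The language mode row reflects the session the function runs in, so check it from a standard user's session as well; an Ok value of False on the PowerShell 2.0 row with an Unknown value means the state has to be verified manually.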

Conclusion

While common misconfigurations can pose severe risks to Windows systems, the power to defend and protect your systems, networks, and data lies in your hands. By addressing these common misconfigurations you can proactively fortify your defenses. With a commitment to ongoing vigilance, education, and adopting a security-first mindset, you can confidently navigate the ever-changing cybersecurity landscape and empower yourself as a formidable defender of your Windows environment.

Categories
General Cyber and IT Security

Cybersecurity Tips For International Travel

International travel presents unique challenges to securing devices and information. This is particularly true when traveling to destinations that are considered to be high cyber risk countries such as China or Russia. 

Here are some precautions to take when traveling to these countries that will improve the security of your devices and data.  

Before you travel, you should first consider your company policies and procedures. Your device may have Mobile Device Management which can allow for a remote wipe of data if your device is lost or stolen. It may also specify an application whitelist or limit the device’s use when traveling.

Your company may also have a regularly scheduled backup for data and files to a secure server. If they do not, ensure that you back up all your device information before traveling internationally.

Another important consideration is to update your anti-malware and anti-virus before leaving the country. This guarantees that your device can defend against the most recent exploits. 

Finally, make sure your hard drives and data storage devices are encrypted, and be sure to verify the local laws of the country that you are visiting. Some countries, like China, do not allow encrypted devices and your device may be seized.  

When traveling internationally it is imperative that you always maintain physical control of your devices. Thieves often target foreigners for their devices and may extract sensitive data or personal information.

Another important reminder is to never connect a device to an insecure or untrusted connection. A simple act like plugging your phone into an unknown USB charger or outlet may install malware or extract data.

Avoid connecting to public Wi-Fi networks and turn off automatic connections for Wi-Fi and Bluetooth. 

When using your device in a foreign country, establish a secured Virtual Private Network or VPN connection to a server in the United States. A VPN creates an encrypted tunnel to transfer your information and data. Still, you should assume any communications made in high cyber risk countries may be monitored.

After returning home from your international travel, it is critical to not introduce any devices back into your home or work network. Doing this may introduce malware into the network. Instead, immediately format and update your devices along with your anti-virus and anti-malware programs.

It is also good practice to change the passwords of any devices that were brought with you during your travel. If any of your credentials were compromised while traveling, changing your password when you return may prevent escalation of any cyber threats.

Finally, monitor your financial accounts when returning to ensure that no credit card or account information was compromised.  


Sources:

https://www.securit360.com/blog/hitlist-international-travel/ 
https://tech.rochester.edu/security/international-travel-guidelines/ 
https://www.fcc.gov/consumers/guides/cybersecurity-tips-international-travelers 

Categories
Computer & Network Security

Understanding the Cybersecurity Maturity Model Certification (CMMC) and its Benefits to You

In today’s evolving threat landscape, organizations are often required to remain compliant with government and industry-based regulations, standards, and policies pertaining to data security and privacy. Therefore, attaining an industry-wide certification for your corporate cybersecurity posture is critical to maintaining a good reputation as well as assuring the confidentiality, integrity, and availability of critical and sensitive information within your computing infrastructure.

It is estimated that cybercrime causes global damages of over $600 billion per annum, thus it is now more important than ever for organizations to protect their information supply chain infrastructure, especially supply chains that process controlled unclassified information (CUI). For organizations looking to conduct business with the U.S. Department of Defense (DOD), there are special cybersecurity regulations that must shape handling of DOD-developed digital assets, and the Cybersecurity Maturity Model Certification (CMMC) is a prime example.

The CMMC consists of five maturity levels, which are used as a guide to protect DOD critical data from a range of cyber-threats, including sophisticated threats posed by advanced persistent threats (APTs). The CMMC framework aligns your organization’s cybersecurity response with security control-measures deemed sufficient by the DOD to protect sensitive information against emerging cyber threats, thus allowing Defense Industrial Base (DIB) companies to provide reassurance to the U.S. government that all CUI is being monitored and secured with at least the basic controls that are recognized by the CMMC maturity levels.

The Importance of CMMC

Being CMMC-compliant not only protects your reputation, but it also mitigates against the financial burden of a breach. The CMMC framework allows you to leverage new operations and applications with the confidence that they are secured by your existing cybersecurity measures.

In terms of the industry-specific benefits, CMMC compliance will reassure clients that you are adhering to the latest cybersecurity recommendations, which will help you win new contracts and gain a competitive advantage over your competitors. Software vendors will be able to reassure enterprise clients that their security framework meets DOD guidelines, and the same applies if you operate in industries with a complex supply chain.

Another benefit of being CMMC-compliant relates to managing risks across your supply chain. If you know of other organizations in your supply chain that are not yet CMMC-compliant or are not prioritizing cybersecurity, you can recommend that they get an audit. This allows for better protection across your whole supply chain, instead of just your organization.

The main goal is to document all processes and constantly improve them, so there is no “weakest link” left within the supply chain. Having a common understanding of how every element of your supply chain operates from a cybersecurity perspective is hugely reassuring, as you can use this knowledge to maintain DOD contracts, expand your client network, and benefit from the subsidized nature of CMMC audits.

Particulars of the CMMC Framework

The CMMC framework consists of 171 practices mapped across five different levels of maturity. The more practices your organization implements, the better you become at protecting all unclassified data within your infrastructure. For the majority of subcontractors of DOD, the first level of the CMMC framework is what you can expect to be recognized when you invest in an audit from a trusted vendor. This level contains all of the common cybersecurity practices.

As you begin to approach the higher levels of the CMMC model, the processes become more documented and proactive. The main aim is to actively manage, review, and optimize cybersecurity processes to protect all of your devices and data points from the growing sophistication of APTs and their growing attraction to supply chain attacks.

Differences Between Each Level of the CMMC Framework

As mentioned earlier, level 1 CMMC states that organizations follow basic cyber hygiene. This is essential to assuring confidence in your supply chains, or to assuring DOD, that you follow basic cybersecurity practices on (at least) an ad hoc basis. The processes are not documented or actively expanded upon by your IT department, but your employees do adopt the recommended processes as and where possible.

Level 2 CMMC measures involve documenting any cybersecurity processes, so that there is proof that people are trained to implement DOD’s best practices for protecting CUI across your organization’s network.

A level 3 compliant subcontractor would have gone one step further than those in level 1 or 2, as their cybersecurity practices adhere to the NIST 800-171 framework. This model contains various security measures that must be undertaken for you to achieve the best protection for all of the CUI you store and manage. For example, instead of simply implementing security measures from a selective standpoint, you will roll the measures out to any section of your infrastructure that may store/move CUI, to enhance your protection from APTs.

If your organization has maturity level 3 CMMC, all of your cybersecurity practices are documented, assessed, and rolled out to the whole organization, while being reviewed on an ad hoc basis.

Furthermore, a level 4 compliance posture differentiates good cyber hygiene from proactive cyber hygiene: the risk from APT actors is managed in real-time with a “constant improvement mindset.” This maturity level combines all of the processes contained in levels 1–3 while using a forward-thinking approach, surrounding the developing sophistication of APTs and the tactics, techniques, and procedures (TTPs) they implement.

Lastly, level 5 maturity will require your organization to implement all of the previous levels of the CMMC framework while leveraging the controls and procedures to ultimately lower the risk and burden caused by APTs on your CUI—essentially before the risk to your reputation or finances becomes anything more than minimal.

Required IT Controls for Each CMMC Level of Certification

Each level of the CMMC framework implies a different (and more managed) level of IT control. As a guide, here is what you may be expected to implement depending on your industry:

  • Level 1 maturity can include staff updating passwords, updating/patching critical applications, and installing antivirus or other free/low-cost cybersecurity tools.
  • Level 2 maturity ensures that procedures to protect CUI are documented and actively encouraged by your IT department. Best practices may be taught via security awareness training.
  • Level 3 IT controls may include multi-factor authentication (MFA), meaning the NIST 800-171 framework is adhered to. Your organization will identify and implement cybersecurity controls across all data points that may contain CUI.

An organization with level 4 compliance can be expected to implement forward-thinking measures, such as cybersecurity controls on emerging technology, mobiles, or IoT. These are areas of your infrastructure that may have previously been under-prioritized from a cybersecurity standpoint.

Lastly, to become a level 5 compliant entity, your IT department must implement 24-hour controls to minimize the impact of any form of cyber-threat. For example, a security operations center (SOC) may be created, leveraging both human and automated mechanisms, to actively manage threats. With this type of dualistic data security and privacy countermeasure, security goals remain dynamically-aligned with the needs and objectives of your organization.

Conclusion

Being able to certify your cybersecurity posture is now more important than ever, and the newly implemented CMMC framework offers DOD subcontractors and other eligible organizations the opportunity to do this. With 5 different levels of maturity, the CMMC model can help your organization to understand what is required of your IT department, and it can help your team proactively manage, detect, and improve against the TTPs of APTs.

Becoming CMMC certified at any level provides immense reassurance to your clients, contractors, and anyone you interact with, as it shows you are fully compliant as an organization with what the DOD recommends. Not only will CMMC certification serve as a route to gain a competitive advantage in your industry, but it can also help you to obtain knowledge about your entire supply chain.

You can use this framework to identify any existing weak links and recommend procedures to implement to further minimize the threats against your organization and anyone else you work with within your industry. If you would like to find out more about the CMMC framework, and how to become certified, contact SecurIT360 today to see how we can help you obtain the audit you need to gain a competitive advantage in your industry.