AI cybersecurity guidance for small businesses

Know where your business is exposed, what matters most, and what to fix first.

CyberExperts gives small businesses AI-generated cyber checkups, practical recommendations, and recurring cyber hygiene monitoring — without enterprise consulting complexity.

AI Cyber Checkup – Identify likely weak points and get a prioritized action plan.
Recurring Monitoring – Stay current with updated cyber hygiene guidance over time.
Built for SMBs – Practical recommendations for real-world small business setups.

Most small businesses know cybersecurity matters. Very few know what to fix first.

CyberExperts turns cybersecurity confusion into a practical action plan. Instead of vague fear, generic checklists, or expensive consulting, you get AI-generated guidance focused on likely risks, weak spots, and the most important next steps.

How it works

1. Tell us about your business – Share your team size, tools, email setup, device practices, and current security habits.
2. CyberExperts analyzes your setup – Our AI reviews likely weak points, common risks, and practical cyber hygiene gaps.
3. Get a prioritized action plan – Receive clear next steps in plain English, focused on what matters most.
4. Stay current with ongoing monitoring – Add recurring cyber hygiene monitoring if you want updated guidance over time.

Start with a checkup. Continue with monitoring.

AI Small Business Cyber Checkup

A one-time AI-generated assessment that identifies likely weaknesses, highlights the biggest issues, and gives you a practical action plan.

  • Likely weak points and avoidable risks
  • Top-priority recommendations
  • Plain-English next steps

AI Cyber Hygiene Monitor

A recurring cyber hygiene subscription that updates your recommendations, flags likely weak spots, and helps you stay current over time.

  • Recurring reassessment
  • Updated recommendations
  • Refreshed priorities over time

What CyberExperts does — and does not do

Done by AI – CyberExperts is built as an AI-delivered cybersecurity guidance product.
For small businesses – Designed for operators who want practical guidance without enterprise complexity.
Not a magic guarantee – It helps identify likely risks and prioritize what to fix first.
Recurring option available – Continue with ongoing Cyber Hygiene Monitor updates over time.

See your biggest cybersecurity gaps in plain English.

Start with an AI Cyber Checkup and get a practical view of what to fix first.

IT Auditing – Planning the IT Audit

Introduction to IT Auditing

The constant advancement of technology has dramatically changed how most organizations operate. Pen-and-paper transactions have been replaced with computerized online data entry applications, and instead of keys and locks on filing cabinets, strong passwords and identification codes are used to restrict access to electronic files. Implementing innovative technology has greatly improved business efficiency within most organizations in terms of data processing and transmission capacity, but it has also introduced new vulnerabilities that need to be addressed and mitigated. Each vulnerability needs to be controlled, which implies the need for better ways of assessing the adequacy of each control, and hence new auditing methods. Reliance on computerized systems has made it imperative for auditees to change the approach and methodology of auditing, given the risk of data integrity compromise, abuse of confidentiality policies, and so forth. Therefore, an independent audit is required to verify that adequate measures have been designed and implemented to minimize or eliminate exposure to the various risks.

Definition and Objectives

IT auditing entails any activity done within the periphery of examining and evaluating an organization’s information technology policies, infrastructure, and operations. Information technology auditing can be defined as a process of collecting and evaluating evidence to determine whether a computer system maintains data integrity, safeguards assets, uses resources efficiently, and allows the attainment of organizational goals.

Objectives: assessment and evaluation of the processes that ensure:

  1. Safeguarding of assets such as data objects and the resources that house and support information systems.
  2. That the following properties of data are maintained:
    • Efficiency
    • Confidentiality
    • Compliance
    • Availability
    • Integrity
    • Reliability of information

Phases of the Audit process

The auditing process involves these four significant steps.

1.  Planning

  A.  Preliminary assessment and information gathering

Planning is a continuous process, although it is concentrated at the beginning of an audit. An initial assessment is carried out to determine the extent and type of subsequent testing. Where the auditees find that specific control procedures are ineffective, they may have to re-evaluate their previous conclusions and other relevant decisions made on the basis of those conclusions.

  B.  Understanding the organization

The IT auditor has the task of gathering knowledge and input on the following aspects of the object to be audited:

  • Organization’s operating environment and its function.
  • The criticality of the IT system, whether it is a mission-critical system or a support system
  • Structure of the organization
  • Nature of software and hardware in use
  • Nature and extent of the perils affecting the organization

The nature of the organization and the desired level of audit reporting largely determine the extent of knowledge to be acquired about the organization. The auditor should use the information gathered to identify potential problems, formulate the objectives of the study, and define the scope of the work.

2.  Defining audit objectives and scope

The objectives and scope of an audit are defined from the risk assessment carried out by the auditee after an exposure. Risk management is an integral part of securing an organization from attackers. It can be defined as the process of identifying, assessing, and taking the necessary steps to reduce risk to an acceptable level within a system. In any organization, the primary security goals are integrity, confidentiality, and availability.

The auditor has a broad range of risk assessment methodologies to pick from, from a simple judgment-based classification into low, medium, and high to more elaborate quantitative methods that produce a numeric risk rating. After the assessment, procedures, practices, and organizational structures are put in place to reduce risk; these are referred to as internal controls. A preliminary assessment of controls can be based on discussions with management, completed questionnaires, available documentation, and/or a preliminary survey of the application.

Some of the common objectives of IT audit include:

  • Review of security infrastructure and systems
  • Review of IT systems to gain assurance of their safety
  • Examine the development process and procedures involved at various stages of the system
  • Evaluation of the performance of a specific program or system

Audit objectives and scope are not limited to the aspects mentioned above. They should cover all critical areas of security, such as security settings, passwords, firewall security, user rights, physical access security, and so on.

The scope, on the other hand, defines the boundaries, limits, or periphery of the audit. Defining the scope is part of audit planning and covers aspects such as the extent of substantive testing (depending on the risk and control weaknesses), the period of the audit, and the number of locations to be covered.

3.  Collection and evaluation of evidence

Sufficient, reasonable, and relevant evidence should be obtained to support the auditor’s judgment and conclusions on the organization, function, activity, or program under audit. Techniques used for data collection should be carefully chosen, and the auditor should have a sound understanding of the procedure and method selected.

i.  Types of Audit Evidence

The three main types of audit evidence include:

  • Documentary audit evidence
  • Analysis
  • Observed process and existence of physical items

The following methods can be used for the collection of audit evidence.

1.  Physical verification – the actual investigation or inspection of tangible assets by the auditor.

2.  Interviews – can be used to collect both quantitative and qualitative evidence. Persons to interview include systems analysts, to better understand the controls and functions within the security system, and data entry personnel, to determine how they handle data that the system flags as incorrect, inaccurate, or malicious.

3.  Questionnaires – traditionally, questionnaires have been used to evaluate controls within the system being audited. In some cases, auditors have creatively used questionnaires to flag specific areas of system weakness in the course of evidence collection. When preparing a questionnaire, the questions should be as specific as possible, and the language should be matched to the understanding of the person being questioned.

4.  Flowcharts – show which controls are embedded in the system and where they are located within it. They are fundamental for comprehension, evaluation, and communication during the audit.

5.  Analytical procedures – show whether an account balance is reasonable through comparisons and the examination of various relationships. These procedures should be carried out at the early stages of the audit to determine which accounts will require further verification, where the evidence can be reduced, and which areas the investigation should concentrate on.

ii. Tools of evidence collection

An increased need for traceable documentation has opened up the field to various tools used by auditors. Some of the commonly used categories of software include:

Generalized audit software – provides access to stored data and can manipulate data on other storage media.

Industry-specific audit software – designed to provide high-level commands that invoke the basic audit operations essential for a particular industry.

Utility software – unlike the others, this software performs frequently needed functions automatically, such as sort, disk search, copy, and disk format.

Specialized audit software – used to perform a specific set of audit tasks.

Concurrent auditing tools – collect audit data while the application is running, at the same time as it processes transactions.

4.  Documentation and Reporting

Auditors are expected to properly document all audit evidence, including the extent of planning, the basis of the audit, the operations carried out, and the findings. The final documentation should contain the planning and preparation of the audit, the audit program, observations, reports, data, etc.

How to structure the report

The report should be complete, accurate, objective, clear, timely, and as precise as the subject allows. It can generally be structured under the following titles:

Introduction

Your report should start with a brief description of the specific audit being undertaken. The overview may include details of the system, such as a description of the software environment, the resources required to run the system, and some details on the application being used. It is important to give details on the volume of data and the complexity of processing, so that the reader has a clear understanding of what the report is about and can appreciate the subsequent findings. You also have to state how critical the system is, since most observations derive their degree of seriousness from how the criticality of the system has been defined.

Objectives, Scope, and Methodology

In this section you explain the objectives, scope, and methodology of the audit. This enables readers to understand the specific purpose of the audit and the challenges faced, and to make sound judgments on the merits of the audit work done. In the objectives section, the auditor should explain the aspects of performance examined in the audit. In the scope section, the auditor describes the depth of the work or effort made to achieve the audit’s objectives: the specific organization audited, the hardware and software used, geographic locations, the period covered by the audit, the sources of the evidence presented, and any limitations or defects in the evidence. The methodology section should explain the techniques used to gather and analyze evidence on the identified risks.

Audit results

Findings

Auditors should report significant findings in relation to the audit objectives. In doing so, the auditor should include sufficient, relevant, and competent information to allow an adequate understanding of the issues being reported. The information presented should also be precise enough to convince readers, which can be achieved by providing adequate background information about the audit.

Conclusions

Conclusions are deduced against the previously defined audit objectives. The persuasiveness of the evidence and the logic used to reach the conclusions largely determine their strength. Sweeping conclusions about risks and controls should be avoided.

Recommendations

Where the findings show room for improvement, the auditor should report recommendations. In cases of significant noncompliance with applicable laws and regulations, or where there are considerable weaknesses in controls, recommendations should be made to achieve effective compliance. Auditors should also address uncorrected findings and recommendations from past audits and how they affect the current audit and its recommendations.

Constructive recommendations are those that address the identified cause of the problems, are feasible, and are directed at the relevant authority that can act on them. Recommendations should therefore be practical, achievable, and cost-effective.

Noteworthy Accomplishments

Noteworthy management accomplishments, as well as deficiencies identified within the scope of the audit, should be included in the report. This gives a balanced and fair representation of the situation.

Limitations

The audit report should mention the limitations and challenges faced by the audit.

Audit Methodology

1.  IT Controls

Technological advancements have rapidly changed the capabilities of computer systems over the past several years. Some organizations have fully computerized their operations, and all their data is held and made available exclusively through digital media. Because of this change in how most organizations manage their data, auditors have had to change their auditing techniques. The overall control objectives of the audit do not necessarily change; what changes is how the controls are implemented, and a change in implementation methodology implies a change in the auditors’ approach to evaluating internal controls.

With current IT infrastructure, both compliance and substantive testing are carried out when performing an IT control audit. Compliance testing verifies whether controls are being applied as per the auditee’s instructions or as described in the program documentation; it determines how well the controls comply with management policies and procedures. Substantive testing, as the name suggests, tests the system to substantiate the adequacy of the controls in protecting the organization from malicious cyber activity. The tests should be carried out with a deep understanding of the diverse threats posed by a computerized environment, such as unauthorized access to valuable organizational assets (data or programs), undetected misstatements, reduced accountability, unusual transactions, corrupted data files, inaccurate information, and so on.

2.  Audit of General Controls

Broadly, this covers performance monitoring of the system, job scheduling, media management, capacity planning, maintenance, network monitoring, and administration.

3.  Audit of Application Controls

Application controls are specific to a particular application and may have a significant impact on how an individual transaction is processed. They are measures put in place to verify and provide assurance that every transaction is legitimate, authorized, complete, and recorded. Before proceeding to an in-depth evaluation of application controls, an auditor should first understand how the system operates. A brief description of the application is therefore prepared before analysis, indicating the major transactions carried out, the transaction flow and main outputs, the major data files, and approximate transaction volumes.

For a systematic study, application controls can be subdivided into:

  • Input controls
  • Processing controls
  • Output controls
  • Standing data file controls

4.  Network and Internet Controls

In most organizations, especially medium to large ones, local or wide area networks are used to connect users. This brings various risks, as it does not guarantee that the system will only be accessed by authorized users. The network should be designed for access by authorized users only, and the security system should not rely entirely on logical access control, because networks transmit data that may be corrupted, lost, or intercepted. Controls should be set to eliminate these risks.

5.  Internet Controls

The safest policies for a machine connected directly to the internet include:

  • Physical isolation of the machine from core information systems.
  • Shutting down all unnecessary services on the server.
  • Denying unknown identities access to the machine, and avoiding world-writable directories or directories readable by anonymous users.
  • Employing an experienced individual to be in charge of the internet-facing machine.
  • Continuously monitoring login attempts to the machine.
  • Limiting user accounts as much as possible.
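As an added example (not part of the original article), the following Python script implements two of the checks above, monitoring login attempts and keeping user accounts to a minimum, against constructed sample data: an OpenSSH-style auth log excerpt and an /etc/passwd excerpt. The hostname, addresses, account names, and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed OpenSSH-style auth log excerpt (sample data, not from a real host).
SAMPLE_AUTH_LOG = """\
Apr 28 10:01:02 web01 sshd[2111]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Apr 28 10:01:05 web01 sshd[2111]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Apr 28 10:01:09 web01 sshd[2115]: Failed password for root from 203.0.113.10 port 51030 ssh2
Apr 28 10:02:14 web01 sshd[2120]: Accepted publickey for deploy from 198.51.100.7 port 40212 ssh2
Apr 28 10:03:44 web01 sshd[2131]: Failed password for deploy from 198.51.100.7 port 40250 ssh2
Apr 28 10:05:01 web01 sshd[2140]: Failed password for root from 203.0.113.10 port 51101 ssh2
"""

# Constructed /etc/passwd excerpt (sample data).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
olduser:x:1001:1001::/home/olduser:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
"""

# "invalid user" appears when the account does not exist on the host, which
# points to automated guessing rather than a real user mistyping a password.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

# Shells that prevent interactive login; any other shell counts as interactive.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_failed_logins(log_text):
    """Return (source_ip, username, invalid_user) for each failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user"), m.group("invalid") is not None))
    return events


def failed_logins_by_source(log_text):
    """Count failed attempts per source address."""
    return dict(Counter(src for src, _, _ in parse_failed_logins(log_text)))


def flag_brute_force_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures (the threshold is an assumed tuning value)."""
    return sorted(src for src, n in failed_logins_by_source(log_text).items() if n >= threshold)


def guessed_account_names(log_text):
    """Usernames tried that do not exist on the host: a strong sign of automated guessing."""
    return sorted({user for _, user, invalid in parse_failed_logins(log_text) if invalid})


def interactive_accounts(passwd_text):
    """Accounts with a real login shell; the auditor wants this list as short as possible."""
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, skip it
        if fields[6] not in NOLOGIN_SHELLS:
            accounts.append(fields[0])
    return accounts


def audit_internet_host(log_text, passwd_text, threshold=3):
    """Combine the checks into one findings dict an auditor can file as evidence."""
    return {
        "brute_force_sources": flag_brute_force_sources(log_text, threshold),
        "guessed_account_names": guessed_account_names(log_text),
        "interactive_accounts": interactive_accounts(passwd_text),
    }


if __name__ == "__main__":
    for key, value in audit_internet_host(SAMPLE_AUTH_LOG, SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

On a real host the same functions can be fed the contents of /var/log/auth.log (or the journal) and /etc/passwd; the "olduser" entry in the sample is the kind of leftover account the last checklist item is about.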

Appendix

This includes various checklists.

  1.  List of documents to aid a sound understanding of the system

Any audit commences with background information about the organization, to understand its day-to-day activities and how IT affects them. Below is an illustrative list of documents that can be used for understanding the system.

1. Overview of the organization’s background
2. An organizational chart
3. Personnel policy
4. Laws and regulations that influence or affect the organization, such as the Income Tax Act
5. Applications and their details
6. Application and network architecture
7. IT department structure and description of their respective roles
8. Responsibilities of IT personnel concerning that particular application
9. Associated costs
10. Project management reports
11. Description of the hardware used
12. Description of the software used, such as whether it is developed in-house or sourced from outside, etc.
13. Details on the database
14. Table listings, data flow diagrams, data dictionary
15. Description of relationships between database triggers and tables
16. Different interfaces
17. User, operations, and system manuals
18. Reports on performance analysis
19. List of authorized users
20. Data and test results
21. Proposed security outline for the system
22. Past audit reports
23. Reports on internal audit
24. Feedback from users about the system
25. Peer review reports

2.  Criticality Assessment Tool

An organization may have more than one IT system in operation. The auditor should set the nature, scope, rigor, and extent of the audit relative to the criticality of the application. Assessing the criticality of a system is considered a subjective process.

3.  Collection of particular or specific information on IT systems

The audit team may decide to use a questionnaire where the information to be gathered must be specific. The questionnaire is used while the audit is being conducted. The questions are precise and designed to elicit a specific response from the targeted persons.

4.  Risk assessment checklist

This is a list of questions about various aspects of the IT systems, used to form a view of the risk levels within the system under audit. The list is prepared and organized by the auditor, depending on their understanding of the application and the organization at large.


Top 12 Website Security Practices for 2023

Website security is important because hackers attack at least 50,000 websites every day. These are worrying numbers, because almost every business has an online presence and the attacks target businesses of any size. Approximately 43% of attacks target small businesses, which means that everyone from the individual site owner to the large corporation is a target for hackers.

Websites hold a lot of sensitive information, such as email addresses, names, dates of birth, and credit card numbers. Today, protecting information privacy is enforced by most information compliance regulations.

Adopting website security best practices is a step towards complying with these regulations. Therefore, companies need to understand the top techniques for enhancing the security of their websites. But it is important to first understand the threats and risks to website availability, integrity, and confidentiality.

Website Security Risks

Common website security risks

1.  DDoS Attacks

Distributed Denial of Service (DDoS) attacks are among the most prevalent threats to website security. In these attacks, hackers flood a targeted website with traffic, often from spoofed IP addresses. The attacks prevent legitimate users from accessing the website’s resources and deny them essential services.

Simply put, hackers use DDoS attacks to bombard the target website with more traffic than it can handle. This overloads the website’s resources and causes the site to become extremely slow or to crash.

For example, the Bank of Spain was hit by a DDoS attack in 2018. As a result of the incident, the bank’s website was taken offline, preventing users from accessing online services.

2.  Malware and viruses

Malware is a malicious computer program. Malware applications are one of the biggest threats to the security of a website.

Cyber adversaries create and release at least 230,000 samples of malware every day. The malware can be delivered using different means, such as through malware-laden ads and drive-by downloads.

Malware can be used for many malicious purposes. Some types of malware remotely monitor all website activity and can harvest user data such as passwords. Malware poses a risk to both the website owner and the user.

The malware can spread to the web servers or the user’s individual computers.

3.  Spam

Fraudsters place spam messages on a website to lure users. The spam does not necessarily harm the site, but it can be annoying and cause security problems for users.

For example, hackers target users with spam messages disguised as promotions or offers. Curious users who click on the messages are directed to external links. Spam can also carry malicious programs that are downloaded as soon as a user clicks.

4.  Registering for a WHOIS domain

All website owners must register their websites under a domain name. Domain registration requires owners to provide some personal information for identification purposes, which is recorded in WHOIS databases. In addition to personal information, website owners need to provide other details, such as the nameservers associated with the website.

Hackers or insiders can use the provided information to track down the location of the server used to store the website’s information. Once located, the server can be used as a gateway for accessing and compromising the web server.

5.  Search engine site blacklists

Some search engines, such as Google and Bing, blacklist websites that lack proper security measures.

Being blacklisted is not itself a security threat. Instead, the site performs worse in search engine rankings and might not even appear in search results.

This severely impacts the services provided through the website. For example, a business relying on its website to sell products and services through eCommerce might experience lower sales and reduced traffic if it is blacklisted.

A recent survey indicated the SEO rankings of at least 74% of attacked websites are negatively affected. As such, businesses need to implement the best website security practices to protect their sites’ SEO rankings.

Top Best Practices for Increasing Website Security

Website security threats can affect any business. With cyber-attacks growing in sophistication, speed, and intensity, companies need to focus on when an attack will compromise their websites, not “if it will happen”.

An unsecured website is vulnerable to multiple attacks, threatening the integrity of the organization and the privacy and security of the users.

The following are the most effective practices to observe today.

1.  Use HTTPS protocols to increase website security

HTTPS protocol should be a priority for all website owners.

Not only is it vital for ensuring secure communication between a web server and a client, but it also improves the basic security standard for all websites.

First, it reassures users that all communications done through the website are secure. HTTPS essentially tells website visitors that the information they request or view from the web server cannot be intercepted or altered by third parties.

Second, web browsers such as Google Chrome identify and mark all websites that lack HTTPS. Any time a visitor accesses such a website, they receive a notification that it is not secure. Some visitors will be reluctant to continue using a website marked as not secure, which can discourage new visitors and reduce online interactions with customers.

Also, HTTPS security prevents hackers from accessing any of the code used to develop the website. Attackers sometimes change the code of a website without HTTPS security in order to monitor and access all the information visitors provide while interacting with the website, including personal details such as credit card information, usernames and passwords, and dates of birth.

More importantly, an HTTPS protocol allows a website to enhance its SEO rankings. A search engine like Google uses HTTPS security measures to reward websites by ranking them higher in search results.

An organization can complement HTTPS by deploying a Secure Sockets Layer (SSL) certificate. An SSL certificate encrypts all communication between the server and the website user. As such, it does not prevent hackers from distributing malware or executing attacks; instead, it encrypts information so that it remains inaccessible in the event of a successful attack.

By implementing SSL, user data remains protected against attacks such as man-in-the-middle (MITM) attacks. SSL certificates are especially required for websites handling a lot of personal data, such as eCommerce platforms.

However, all companies should secure their websites with HTTPS and SSL certificates, irrespective of the services they provide through the sites.

2.  Make frequent software updates

Websites require the use of various software tools to run effectively. They include content management systems (CMSs), website plugins, WordPress software, among others.

Updating software tools is vital to ensuring website security.

Other than fixing glitches and bugs that affect a website’s performance, software updates also install the latest security measures and patches. Cyber adversaries target outdated software tools to exploit their vulnerabilities, gaining an entry point for attacks on a website.

Hackers also leverage technologies such as artificial intelligence to automate cyber-attacks, creating bots that continuously scan for vulnerable websites and exploit them.

Failing to implement the latest updates only provides hackers with more vulnerabilities to exploit, exposing a website to more security risks and jeopardizing the security and privacy of all services and information. Website owners should consider using automated solutions that check for and install software updates as soon as they are released. By doing so, businesses can ensure that all their website software is up to date and does not contain exploitable vulnerabilities.

3.  Use sufficient password management

The need to adopt effective password management solutions cannot be stressed enough.

Although passwords are the easiest way of maintaining website security, they also pose the highest security risk if not managed properly. A study showing that 25% of created passwords could be cracked in under three seconds is an eye-opener as to why website owners should take their password management practices seriously.

Any individual with basic skills can use tools like John the Ripper to crack a password. Keeping this in mind, what are the recommended password security practices that can enable a business to enhance its website’s security?

First, frequently changing passwords is a top password security practice. Website administrators, for example, should periodically change their passwords to lower the risk of an adversary cracking them. It is also essential to use strong passwords: complex enough not to be cracked, yet simple enough to memorize. However, complicated passwords with mixtures of letters, digits, and special characters can be hard to remember, which is where a password manager such as 1Password comes in. Such tools can create long, complex passwords and store them securely for use.

More importantly, a business should only use the services of a web hosting company that supports two-factor or multi-factor authentication.

Such authentication schemes provide an additional security layer. Anyone can provide a valid username and password, but only the legitimate user can provide the required authenticators.

For example, before gaining access, a user can be required to provide a unique code that is only accessible to the legitimate user. A common example of two-factor authentication requires the input of a code sent by SMS to the user’s cell phone. In this case, the user needs to know the username and password and have the cell phone in their possession. This is considered two-factor authentication because signing in requires both “something you know” and “something you have”. It prevents insiders with access to their colleagues’ passwords from using them for unauthorized activities that could compromise the website’s security.

4.  Secure personal devices

Many organizations concentrate on deploying recommended website security practices, forgetting that their personal devices can threaten their sites’ security.

Hackers often target personal computers to gain a foothold into a secured website. For instance, after stealing FTP logins using malware, cyber actors can inject malicious data and files into a website. Moreover, hackers find it easier to execute website attacks by using personal computers as a gateway. Securing personal computers should therefore be a priority website security practice.

There are several ways in which businesses can secure personal computers. They include the use of antivirus and antimalware products. Although some question how well such products counter current threats, they remain essential. They protect users online by preventing the download or installation of malicious files, and they can promptly detect malware on an inserted USB stick or hard drive and block it from reaching the computer. Firewalls with strict rules can block the incoming malicious connections that hackers use to deliver malware. Website security depends heavily on well-protected personal devices, so website owners and administrators must ensure they are protected to the fullest.

5.  Ensure adequate access control measures

Access control is integral to the success of any security program. The same applies to website protection.

Businesses operating a website should define the access permissions for the different users who can access it. The need for strong access controls arises from the fact that human activity is the leading cause of cyber-attacks.

A recent research study, which found that 95% of cyber-attacks are due to human causes, supports this statement. Employees with access to specific website areas can make errors that result in disastrous attacks. To address these risks, website owners need to deploy robust access control mechanisms.

Access controls enhance website security by limiting the number of individuals whose activities can result in errors. By recognizing that not every employee needs access to the website, a business can create role-based access control policies that restrict website access to users with specific roles.

For example, there is no need to allow a content creator to access the website’s code. Only a developer or a website administrator should access it. The same applies to all roles, including external developers, guest bloggers, consultants, and designers.

The principle of least privilege, also known as the principle of minimal privilege or least authority, is an essential control. It permits employees or outsourced staff to access only the parts they need to get the job done. For an individual requiring specific access, applying the principle ensures that the person accesses only that part, for the specified time and purpose. This eliminates the chance of a mistake that leads to an unwanted website security incident.
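The role-based policy and the time-bounded, purpose-bound access just described can be expressed in a few dozen lines. The following is an added example, not code from the original article or from any CMS: the role names, permission strings, and the users are constructed for illustration. It is default-deny, grants temporary access with an expiry and a recorded purpose, and removes expired grants so nobody has to remember to revoke them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed role map for a small content site; permission names are illustrative.
ROLE_PERMISSIONS = {
    "content_creator": {"posts:create", "posts:edit_own", "media:upload"},
    "guest_blogger":   {"posts:create"},
    "developer":       {"theme:edit", "plugins:manage", "posts:edit_any"},
    "administrator":   {"theme:edit", "plugins:manage", "posts:edit_any",
                        "users:manage", "settings:edit"},
}


@dataclass
class TemporaryGrant:
    permission: str
    expires_at: datetime
    purpose: str          # recorded so the grant can be audited later


@dataclass
class User:
    name: str
    roles: set
    grants: list = field(default_factory=list)


def is_allowed(user: User, permission: str, now: datetime) -> bool:
    """Default deny: allow only if a role or an unexpired temporary grant carries the permission."""
    if any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles):
        return True
    return any(g.permission == permission and now < g.expires_at for g in user.grants)


def grant_temporary(user: User, permission: str, hours: int, purpose: str, now: datetime) -> TemporaryGrant:
    """Time-boxed, purpose-bound access: the grant expires on its own, with no clean-up step to forget."""
    grant = TemporaryGrant(permission, now + timedelta(hours=hours), purpose)
    user.grants.append(grant)
    return grant


def expire_grants(user: User, now: datetime) -> int:
    """Drop expired grants from the record; returns how many were removed."""
    before = len(user.grants)
    user.grants = [g for g in user.grants if now < g.expires_at]
    return before - len(user.grants)


def demo() -> dict:
    """A content creator gets two hours of theme access for one task, then loses it again."""
    now = datetime(2024, 1, 1, 9, 0)
    writer = User("writer", {"content_creator"})
    results = {
        "writer_posts_create": is_allowed(writer, "posts:create", now),
        "writer_theme_edit_before": is_allowed(writer, "theme:edit", now),
    }
    grant_temporary(writer, "theme:edit", 2, "fix footer layout (constructed ticket reference)", now)
    results["writer_theme_edit_during"] = is_allowed(writer, "theme:edit", now + timedelta(hours=1))
    results["writer_theme_edit_after"] = is_allowed(writer, "theme:edit", now + timedelta(hours=3))
    results["expired_removed"] = expire_grants(writer, now + timedelta(hours=3))
    return results
```

Because `is_allowed` consults only the role map and unexpired grants, an unknown role or a misspelled permission yields a denial rather than an accidental allow, which is the behaviour least privilege calls for.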

6.  Change the default configuration settings

Changing the default security settings is a security practice that many companies tend to overlook.

As previously mentioned, cyber attackers often create bots that perform automated scans for vulnerable websites. The bots are also used to find websites running software that still has its default security configuration.

Default settings may not provide the security and protection needed to meet a given environment’s unique needs. As a result, programs using the default settings are highly vulnerable to attacks.

Attackers can use bots to identify websites that share the same default settings, so that all of them can be exploited with the same virus or malware. After deploying a website, businesses should change the default settings of, for example, the content management system. Settings to consider changing include, but are not limited to:

  • User controls
  • File permissions
  • Comments settings
  • Information visibility
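As an added example (not code from the original article or from WordPress itself), here is a small audit script for the “user controls, file permissions, information visibility” items above, applied to a WordPress `wp-config.php`. It flags the sample placeholder salts that ship in `wp-config-sample.php`, the default `wp_` table prefix, debug output left on, the in-dashboard file editor left enabled, and a config file that other users can write to. Both configuration texts below are constructed; the constant names and the placeholder string are real WordPress values.

```python
import os
import re
import stat
import tempfile

# Keys that WordPress ships with the placeholder value below in wp-config-sample.php.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"

DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_wp_config(text: str) -> dict:
    """Pull define('KEY', value) constants and $table_prefix out of wp-config.php text."""
    settings = {}
    for key, quoted, boolean in DEFINE_RE.findall(text):
        settings[key] = quoted if boolean == "" else (boolean == "true")
    m = PREFIX_RE.search(text)
    if m:
        settings["table_prefix"] = m.group(1)
    return settings


def audit_wp_config(text: str) -> list:
    """Return one finding per default that is still in place; an empty list means nothing to fix."""
    s = parse_wp_config(text)
    findings = []
    for key in SALT_KEYS:
        if s.get(key, PLACEHOLDER) == PLACEHOLDER:            # missing counts as default
            findings.append(f"{key}: still the sample placeholder; generate a unique value")
    if s.get("table_prefix", "wp_") == "wp_":
        findings.append("table_prefix: default 'wp_'; scripted attacks assume this prefix")
    if s.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG: enabled; debug output exposes paths and queries on a live site")
    if s.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT: not set; the dashboard theme/plugin editor is available")
    return findings


def world_writable(path: str) -> bool:
    """File permissions: a config file other users can write to is a default worth fixing."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def permission_demo() -> tuple:
    """Constructed file: checked world-writable first, then read-only."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o666)
        open_to_all = world_writable(path)
        os.chmod(path, 0o444)
        locked_down = world_writable(path)
        return open_to_all, locked_down
    finally:
        os.chmod(path, 0o644)
        os.unlink(path)


# Constructed: a config copied from the sample with only the database name filled in.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('WP_DEBUG', true);
$table_prefix = 'wp_';
"""

# Constructed: the same config after the defaults were changed.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
""" + "\n".join(f"define('{k}', 'constructed-random-value-{i}');" for i, k in enumerate(SALT_KEYS)) + """
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
$table_prefix = 'xq7k_';
"""
```

Run `audit_wp_config` over the real file at deployment time and again after every update; the parser is deliberately narrow (single-quoted strings and bare booleans, the forms the sample file uses) so anything it cannot read shows up as a missing key rather than a silent pass.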

7.  Make frequent website backups

The basic premise for all security procedures is to stay prepared for the worst.

Companies should always be ready to become the victim of an attack. A website attack can compromise the site and make it unavailable, and no company wants to be in that situation.

Regularly backing up a website is not just a good idea, but it is an essential measure for preserving the privacy and security of any associated information. A website backup consists of a snapshot of all the essential site components. It allows a website owner to retain and restore critical data when an attack takes down a website.

Essential components to include in a website backup are themes, plugins, databases, and other essential files.

Furthermore, backups are vital to website security. They permit the restoration of a website’s clean version if a hack leads to loss and destruction or if a software update results in a crashed website.

Backups should be a top website security practice since they are both easy and essential to maintaining integrity, availability, and confidentiality.

Most website hosts provide organizations with simple ways to create and manage their backups. Backups can be maintained through the host’s customer control panel or with backup plugins for platforms such as WordPress.

8.  Use continuous monitoring

Website owners often cannot identify malware and viruses on their own, because such programs are designed to hide and are elusive. This is one reason malware is considered among the most prevalent threats to website security.

However, with continuous and consistent monitoring, businesses can identify activities that indicate the presence of malware or other illicit programs.

The following are some of the crucial signs of website security issues that need to be addressed:

  1. User accounts are logged into without their owners’ consent
  2. Website files are modified or deleted without the owner’s knowledge or consent
  3. The website repeatedly freezes and crashes
  4. Search engine results show noticeable changes, such as warnings about harmful content or blacklisting
  5. There is a sudden increase or drop in the website’s traffic

The presence of the above signs can indicate that a website is infected. A business can opt for a manual monitoring process, where security personnel take responsibility for visually monitoring the website’s activity, but this can be ineffective. Human operators cannot monitor a website 24/7, so some security incidents go unnoticed. It is therefore highly recommended to use automated monitoring processes.

An automated scanner is a more effective security solution since it can continuously monitor a website while the website operates normally. It also eliminates the high costs and inefficiencies of manual monitoring. Some monitoring tools are also designed to identify anomalous behavior and take corrective action.
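Sign 2 in the list above, files modified or deleted without the owner’s knowledge, is the one automated monitoring catches most reliably: record a hash of every file once, then compare on a schedule. The following is an added example (not code from the original article or from any monitoring product) of that file-integrity check; the site tree and the three changes made to it are constructed inside a temporary directory.

```python
import hashlib
import json
import pathlib
import tempfile


def snapshot(root) -> dict:
    """Map each file under root (relative, '/'-separated path) to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(path, snap: dict) -> None:
    """Persist the baseline so a scheduled run can compare against it later."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path) -> dict:
    with open(path) as f:
        return json.load(f)


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify drift since the baseline; any non-empty bucket is an alert for review."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed site tree: baseline it, apply three changes nobody authorized, report the drift."""
    with tempfile.TemporaryDirectory() as d:
        site = pathlib.Path(d)
        (site / "wp-content" / "plugins").mkdir(parents=True)
        (site / "index.php").write_text("<?php /* constructed */ echo 'hello'; ?>")
        (site / "wp-content" / "plugins" / "seo.php").write_text("<?php /* constructed plugin */ ?>")
        save_baseline(site / ".baseline.json", snapshot(site))
        baseline = load_baseline(site / ".baseline.json")

        # An edited core file, a removed plugin, and a file that appeared from nowhere.
        (site / "index.php").write_text("<?php /* constructed */ echo 'hello'; /* edited */ ?>")
        (site / "wp-content" / "plugins" / "seo.php").unlink()
        (site / "wp-content" / "unexpected.php").write_text("<?php /* constructed */ ?>")

        current = snapshot(site)
        del current[".baseline.json"]          # the baseline file itself is not site content
        return diff_snapshots(baseline, current)
```

In practice the baseline file lives outside the web root and is refreshed only after a deliberate deployment, so every report entry is either a change someone can vouch for or an incident to investigate.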

Many services can scan websites for common vulnerabilities. These services are useful because they can check to ensure that the website’s security precautions are properly implemented.

It is good to run a new vulnerability scan anytime that a change is done to the website. Changes can introduce new vulnerabilities, and a website scanner can help to identify them.

Some free online website security scanners can help detect security flaws. These scanners check for vulnerabilities and tell you if the site is susceptible to things like cross-site scripting and SQL injection attacks.

The free scanning services have value and are highly recommended. However, paid versions of these tools do deeper and more comprehensive scans.

9.  Deploy firewalls for website security

Using firewalls is one of the most widely applied website security measures.

A firewall protects a website by blocking malicious connections that could compromise it. Companies create and maintain firewall rules that meet the security needs of their services and environment.

For example, the firewall rules created for an eCommerce platform are different from those defined for a registration portal. There are two types of firewalls used to enhance website security. These are network and web application firewalls.

Network firewalls are usually used by organizations that manage their own servers and by web hosting providers. They protect websites by identifying and blocking malicious traffic passing between the web servers running within the network.

On the other hand, web application firewalls are used to secure a specific website. A web application firewall prevents malicious scripts from accessing a web server, thus securing a website from being compromised. Blocking malicious traffic secures a website and saves the bandwidth and load time of the web hosting account.

10.  Validate all user input

Validating user input protects against attacks like SQL injection. An SQL injection attack is where a hacker enters SQL code into an input field on your website. For example, your website may have a field where a user can sign up for an account. Instead of entering a name, the hacker enters crafted SQL code that can trick your website into outputting your database’s contents. This might give the hacker information including all of your users’ passwords, email addresses, and potentially even social security numbers and other data that may be stored.

It is relatively easy to guard against this potential vulnerability. The data that a user enters into your website must be validated to ensure that it is safe. This validation can be done on the client side and the server side. Server-side validation is more secure because hackers have the ability to circumvent client-side validation.

Many websites were vulnerable to SQL injection attacks in the earlier days of the internet. SQL injection attacks were commonplace because there was less emphasis on website security. But even today, these attacks are widely used because they still work. Any website that does not validate all user input is at risk of being breached.
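To show the difference between the vulnerable pattern and the fix, here is an added example (not code from the original article). It uses Python’s built-in sqlite3 with a constructed two-row user table: the first lookup splices the input into the query string, the second passes it as a bound parameter, and a server-side allow-list check (the username regex is an assumption for the example) is applied in front of the safe query, since the text notes that client-side validation alone can be bypassed.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the site database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_unsafe(conn, username: str) -> list:
    """The vulnerable pattern: user text is spliced into the SQL string, so it becomes SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username: str) -> list:
    """Parameterized query: the value travels separately from the statement and is never parsed as SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")   # assumed allow-list for this site's usernames


def valid_username(username: str) -> bool:
    """Server-side validation, applied regardless of what any client-side check did."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup(conn, username: str) -> list:
    """Validation plus parameterization together: reject bad shapes first, then query safely."""
    if not valid_username(username):
        return []
    return find_user_safe(conn, username)


def demo() -> dict:
    """Same input through all three paths; only the unsafe one leaks rows it should not."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "unsafe_rows": len(find_user_unsafe(conn, injected)),
        "safe_rows": len(find_user_safe(conn, injected)),
        "validated_rows": len(lookup(conn, injected)),
        "normal_rows": len(lookup(conn, "alice")),
    }
```

Validation and parameterization are complementary, not alternatives: the regex keeps unexpected shapes out of the application entirely, and the bound parameter guarantees that whatever does get through is treated as data even if the regex is later loosened.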

11.  Understand third party security issues

Virtually all websites depend on third parties. The third party might be the hosting company, the company that created the content management system (e.g., WordPress, Joomla), the companies that create plugins, or even the designer hired to help create the website.

Each of these third parties introduces risk and potential vulnerabilities to a website. For example, if the website is built using WordPress, it is susceptible to any vulnerabilities that WordPress may have. Any plugins or third-party code that is used in the website may also introduce attack vectors for hackers.

The website hosting company is a third-party risk. Hosting companies are often the target of cyberattacks that can affect all of the websites on their platform. Hosting companies are well aware of these risks, and they often take measures to ensure that their customers are not negatively affected by attacks. Despite these efforts, it is not uncommon for hosting companies to be taken down by malicious actors. A recent example includes an attack where hackers used ransomware to take down the entire web hosting infrastructure of web host company Managed.com.

12.  Create a website security blueprint

To sum up the top website security practices, it is essential to develop and maintain a plan for implementing them. More often than not, organizations follow a disorganized approach to managing website security processes and achieve little as a result.

Therefore, before deploying any security measure, it is vital to develop an actionable and detailed website security plan. The plan should outline the objectives the organization wants to achieve by implementing security measures.

For instance, the main objective might be to enhance the website’s overall compliance or to enhance its security. A website security blueprint should further identify the applications whose security requires prioritizing and the processes that will be applied in testing their security. Although the website security blueprints of different organizations can differ, the following six-step checklist can be applied.

  1. Gather information on the main security issues
  2. Plan a countering process
  3. Execute the plan to discover vulnerabilities, if any
  4. Document the results
  5. Address the identified vulnerabilities with appropriate remediation
  6. Verify the website’s security

Computer Forensics – 7 Critical Processes

Introduction to Computer Forensics

Computer Forensics is used to answer two of the most commonly asked questions about hacking attempts and data breaches:

  1. How did the attack happen?
  2. Is there a possibility of recurrence, and can such threats be prevented from ever happening again in the future?

There are no specific answers to these questions, as they depend on the severity and complexity of the cyber-attack. The process of identifying how the attack happened and whether it can happen again can take weeks or even months. For an in-depth analysis of the origin of the threat, several penetration tests have to be carried out through a systematic approach.

In this regard, several lines of defense have to be implemented to push the underlying defense mechanisms to their breaking point. This is done by a technical expert to identify any hidden vulnerabilities within a system. Appropriate code has to be used to detect the threat. This is where the role of forensics comes into play. The analysis might start by examining any evidence left behind by the attacker. Any proof or remnant of the cyber-attack should be collected and carefully examined for leads. It is from these findings that forensic examiners and investigators can answer questions such as “Who initiated the attack? What led to the attack? Where did the threat come from? When was the attack launched? Why was the system attacked?”

As we get deeper into the study, it is essential to keep in mind that the field of computer forensics as it relates to information technology is vast. It involves many minor branches of specialties. Some of these sub-specialties include database forensics, digital forensics, logical access forensics, mobile forensics, to name a few. 

In this article, we provide an overview or a brief introduction into the field of computer forensics by primarily focusing on what it is all about, what drives the need for computer forensics, steps on how to conduct detailed forensics, and other details that encompass computer forensics. 

The Need for Computer Forensics

The world has become a global village with the advent of the internet, digital life, and computer systems. Life might seem impossible without these technologies, as they are elemental to everything we do. Information and other valuable data can be stored or transferred by electronic devices and channels such as thumb drives, the internet, and laptops. The variety and rapid development of information storage and transfer capabilities have driven the development of forensic techniques, procedures, investigators, and forensic tools.

In the recent past, we have witnessed a tremendous increase in crime involving computers. Governments, large corporations, small business enterprises (SBEs), and individuals are targets for malicious hackers who aim to steal any valuable information they can easily access. In most cases the attack leads to massive financial loss. As a result, computer forensics, in conjunction with digital investigation, has emerged as the proper channel to identify, collect, examine, analyze, and mitigate or report such computer crimes.

What is Computer Forensics?

Computer forensics is a combination of two terms: forensics, which refers to the scientific techniques or tests carried out in an attempt to detect a cyber-threat, and computer, which is the medium used to convey data or information. In past studies, some scholars have defined forensics as the process of applying scientific techniques and skills during the identification, examination, collection, and reporting of cyber-crime to the court. Dr. H. B. Wolfe defined computer forensics as “a methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media that can be represented in a court of law in a coherent and meaningful format.” The term forensics, as defined by Wolfe, implies that forensics is a process that involves the analysis and presentation of collected data. All types of data that can be used as evidence are critical.

A formal definition of computer forensics is as follows:

“It is the discipline that combines the elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications and storage devices in a way that is admissible as evidence in a court of law.”

Motivations behind an attack

Cyber Attack Motivation

What data should you seek as an investigator?

After a cyber-attack occurs, collecting all relevant evidence is of utmost significance in responding appropriately to the questions outlined above. A forensic examiner or investigator is primarily concerned with a specific kind of evidence known as “latent data.”

Latent data is also known as ambient data. In the cybersecurity world, ambient data is data that is not easily accessible or visible at first glance at the scene of a cyber-attack. In simple terms, latent data requires extra effort from a security expert before it can be used as significant evidence. An expert has to engage in much more in-depth investigation to unearth this type of data. Ambient data is as important as any other type of data; it is simply stored in ways that make it hard to access.

Examples of ambient data include the following:

  1. Information that cannot be readily viewed by commonly used software applications
  2. Information or data that cannot be readily read by the operating system in place
  3. Information that is present in computer storage but not readily referenced in the file allocation tables
  4. Previously deleted data stored in:
    • Swap files
    • Memory dumps
    • Blank folders on the hard drive
    • Print spooler files
    • Slack space between existing files and the temporary cache

Importance of computer forensics

To a business or corporation, in-depth forensics is paramount. For instance, there is a misleading assumption that a defense of routers, firewalls, antivirus, etc. is sufficient and reliable enough to thwart any cyber-attack. With technology advancing rapidly, a security professional should be aware that relying on firewalls alone as the line of defense cannot prevent hackers from accessing their system.

From a computer forensics point of view, the assumption is untrue, since measures such as firewalls only scratch the surface of the information needed in case of an attack. These specialized pieces of software can only provide information to a certain degree; they do not hold the deeper layer of data required to provide clues about what happened. To obtain these specific details, an organization has to implement additional security mechanisms alongside the software mentioned above. Deploying this type of security model is known as “Defense in Depth.”

In systems where the defense in depth model is applied, there is a higher possibility that the data presented in case of an attack will be admissible in a court of law, after which the perpetrators who launched the attack can face justice.

Also, an enterprise or corporation can meet legal requirements such as HIPAA by incorporating the tenets of defense in depth. Federal mandates and legislation require that every type of data is stored and archived appropriately for auditing. An entity can suffer severe financial penalties for failing to meet the compliance measures in place.

Computer Forensics Process

While conducting forensics, it is vital to maintain a chain of custody for the evidence and latent data throughout the investigation. Note that the steps outlined below are only general guidelines on how to conduct computer forensics in case of an attack. The specific sequence of activities can vary depending on the nature of the threat, and a flexible method is recommended, as each cyber-attack is unique.

The work procedure can be subdivided into five major categories:

Computer Forensics Steps

Identification 

This initial step in computer forensics is to understand and identify the scenario. This is where the investigator points out the specific reason for conducting forensic analysis. The investigator also identifies the nature of the incident, the parties involved, and the resources required to satisfy the needs of the case. 

Collection 

The collection of data is the most critical step in this chain of custody because the entire analysis is primarily dependent on the collected data as evidence from the crime scene. Collection is defined as the process of data acquisition while maintaining the transparency or integrity of the data. 

Timely execution of the collection process is key to maintaining the integrity and confidentiality of the data collected. This is because essential data such as latent data may get lost if not acted upon promptly. 

Evidence 

In this third step, the collected data is examined by following standard techniques, methodologies, tools, and procedures to extract meaningful information related to the case.

Analysis 

Since all five steps are linked, analysis is the step where the examined data is interpreted. The investigator has the task of finding any evidence against the suspect. The techniques and tools should be legally justifiable, as this helps to create and present the report to a court of law.

Reporting 

This is the final and perhaps the most critical step. Here, the investigator is expected to logically document the process used to collect, examine, and analyze data. It also entails how the tools and procedures were selected. The primary aim of this step is to report and present the findings justified by the evidence. 

The above five steps can be subdivided into several smaller parts, where every subcategory has standard operating procedures that are specific to them. 

Computer Forensics Team

The forensics team is expected to follow a given structure while executing their documentation process. The contents of their documents must be preserved, verified, and appropriately recorded. A forensic team must have in-depth knowledge of every investigation, right from the beginning of the project and across its scope, dimensions, and the various methods used in the investigation process. The methods used should be proper and legal, such as the lawful obtaining and collection of hash-verified bit-stream copies of evidence. The linear nature of an investigation should be based on proper documentation and concrete supporting evidence to avoid the unexpected results that technology might yield.

In addition to law enforcement and security firms, every organization should develop the capacity to solve their basic issues and investigations internally. In the case where it is not possible to form a competent investigative team within the organization, then you can hire experts from small computer investigation firms to aid with investigations. An organization can also create their own investigative firm to supply computer forensic services. To do so, the following key people form part of your investigation team.

Investigators 

This is the group of individuals who tackle and solve the case. Their number depends entirely on the size of the firm. They are mandated to apply relevant techniques to find tangible evidence against the suspected intruder. They can work in parallel with law enforcement agencies, as they are expected to act promptly upon the occurrence of suspicious activity that may lead to an attack.

Photographer 

He or she is vital for recording events as they unfold during the investigations. Their job is to take photographs. 

Incident handlers or first responders

The primary role of incident handlers is to monitor and act upon the occurrence of any computer security incident. They check for malicious activities such as breaches of network policy, server hijacking, remote access trojans (RATs), installation of malicious code, or code injection.

IT engineers and technicians

This group is responsible for the day-to-day operation of the firm. They are the technicians and engineers who manage the forensics lab. It should consist of IT support, desktop support personnel, network administrators, and security engineers.

The key roles of these personnel are to ensure flawless operation of organizational functions, maintain the required backups, troubleshoot any problem, and continuously monitor the system.

Attorney

The whole essence of carrying out the investigations is to document and finally report the issue to a court of law, implying that the presence of an attorney as part of your firm is mandatory. 

Computer forensics rules

Below is a list of some of the rules that should be kept in mind while conducting an investigation. 

     1. Eliminate every possibility of investigating the original evidence

Produce several exact copies of the initially collected evidence to reduce the chance of examining the original. Creating duplicates is the first and most fundamental of all the rules and should come before any further investigation. Make exact copies of the original to maintain the integrity of the outcome.

     2. Only proceed if it is within your knowledge. 

If you hit a roadblock while conducting investigations, only proceed if you understand the solution from your own knowledge or experience. Otherwise, consult other experienced practitioners for help with that particular issue. This protects the data from damage. Do not treat the task as a challenge, but rather as an opportunity to learn and enhance your expertise.

     3. Stick to boundaries and rules of evidence 

The rule of evidence must be adhered to for the given data to be valid as evidence in court. 

     1. Document 

Record the behavior and any changes that may occur to the evidence. An investigator is expected to document the result, nature, and the reasons why the transition occurred with the evidence. For instance, rebooting a machine may lead to alterations in its temporary files, and an investigator should note this. 

     2. Abide with the legal authorities 

Before the onset of any investigation activity, ensure that you acquire written permission covering the details and scope of your investigation. During the investigation, several duplicates and copies must be produced, and without official, legally written permission this would be considered a breach of IT security policy.

     3. Prepare to testify

After completing the documentation, the evidence is taken to court. You should make yourself prepared to testify in court so as not to lose the case. 

     4. Use a traceable path

Your method should be traceable. Avoid trial-and-error methods; they are not convincing. Note down each step and be consistent in your actions.

     5. Be efficient

Be efficient to minimize the chance of data loss. Some data, such as latent data, is highly volatile and may quickly disappear if not collected in time. Artificial intelligence can be used to speed up the process, but do not rush. Increase the human workforce as necessary. And as a rule, always start with volatile data when collecting evidence.

     6. Do not quit before collecting evidence

Investigations cannot proceed without data to use as evidence. Hence you should not shut down the system before collecting all the evidence. Also, shutdown or rebooting of the system leads to loss of volatile data, so avoid this at all costs.

     7. No running programs on the attacked system 

Running a different program may trigger another program or activity within the system, which may lead to serious consequences.
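Rule 1 (work only on verified duplicates), rule 4 (a traceable path), and the team section’s hash-verified bit-stream copies come together in a short acquisition routine. The following is an added example, not code from the original article or from any forensic tool: it hashes the original, duplicates it, verifies the duplicate against the original, and writes each action into a chain-of-custody log in which every entry commits to the hash of the previous one, so a later edit to the record is detectable. The “evidence image” is a constructed byte string in a temporary directory, and the examiner name is a placeholder.

```python
import hashlib
import json
import pathlib
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so a disk image of any size hashes without loading fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def append_entry(log: list, examiner: str, action: str, **details) -> dict:
    """Chain-of-custody entry; each entry commits to the previous one, so edits to the log show."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"time": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
             "action": action, "prev_hash": prev, **details}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def log_intact(log: list) -> bool:
    """Recompute every link; any altered or removed entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def acquire_copy(original, dest, examiner: str, log: list) -> bool:
    """Rule 1: hash the original once, duplicate it, hash the duplicate, and work only on the copy."""
    original_hash = sha256_file(original)
    shutil.copyfile(original, dest)
    copy_hash = sha256_file(dest)
    verified = copy_hash == original_hash
    append_entry(log, examiner, "duplicate", source=str(original), dest=str(dest),
                 sha256=original_hash, verified=verified)
    return verified


def verify_unchanged(path, expected_hash: str, examiner: str, log: list) -> bool:
    """Re-hash at any later point; the result, pass or fail, goes into the record."""
    current = sha256_file(path)
    ok = current == expected_hash
    append_entry(log, examiner, "verify", path=str(path), expected=expected_hash,
                 actual=current, verified=ok)
    return ok


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        work = pathlib.Path(d)
        original = work / "evidence.img"            # constructed stand-in for a seized drive image
        original.write_bytes(b"constructed disk image contents " * 1000)
        working = work / "evidence-working.img"
        log = []
        copy_ok = acquire_copy(original, working, "examiner-placeholder", log)
        reference = log[0]["sha256"]
        # An accidental write to the working copy: the next verification must flag it.
        with open(working, "r+b") as f:
            f.write(b"X")
        working_ok = verify_unchanged(working, reference, "examiner-placeholder", log)
        original_ok = verify_unchanged(original, reference, "examiner-placeholder", log)
        intact_before = log_intact(log)
        log[1]["verified"] = True                    # a later "tidy-up" of the failed entry
        return {"copy_ok": copy_ok, "working_copy_ok": working_ok, "original_ok": original_ok,
                "log_intact_before": intact_before, "log_intact_after_edit": log_intact(log)}
```

The reference hash recorded at acquisition is what the testimony rests on: every later verification, successful or not, is appended rather than overwritten, which is what makes the path traceable in the sense of rule 4.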

Types of evidence

Evidence is the primary support for a claim in court. It can be classified by many different characteristics. Below are four major types of evidence:

     1. Real/tangible evidence: As the name suggests, real evidence consists of tangible, physical material, e.g., a hard drive or flash drive. Apart from material objects, a person may also be real evidence, e.g., an eyewitness.

     2. Original evidence: This is evidence of a statement made by a person other than the testifying witness. It is offered to prove that the statement was made rather than to prove its truth. This is generally an out-of-court statement.

     3. Hearsay evidence: Also referred to as an out-of-court statement, this is a statement repeated in court to prove the truth of the matter declared.

     4. Testimony: A witness takes an oath in court and gives his or her statement before the court. Evidence should be admissible, accurate, and authentic; otherwise, it can be challenged when the case is presented in court.

Conclusion

This is the end of this mini-course, but certainly not the end of knowledge and skills. Technology changes rapidly with time. With so many storage media in use, it is up to each individual, organization, or institution to understand the media so as to investigate whenever needed. While conducting forensics, maintain the highest level of integrity at every stage, as it is crucial to the success of the investigation.

19 Social Media Security Best Practices

Social Media Security has quickly become one of the most important issues facing business and individuals. Unlike a few years ago, social networking has asserted itself as one of the primary means for communication. Large corporations and individual users alike prefer the channel for various reasons. The most common ones are the ability to communicate with millions of users at a go, connecting to people from any part of the world, and facilitating the sharing of all types of media. Such include pictures, videos, text messages, and voice and video calls.

Despite its popularity, social media poses security risks due to the rising number of hackers and sophistication of attacks. Security threats are rife, and as such, social media users need to be aware of the best practices required to secure their social media accounts.

Common security risks affecting social media

Third-party applications

Social media companies are aware of the cybersecurity risks they face. They therefore frequently assess their systems and applications for vulnerabilities and implement the best measures for enhancing their security. Because of this, cybercriminals use third-party apps to hack their victims. This is demonstrated by Twitter’s security breach, where attackers exploited a security flaw in Twitter Counter (an application used to analyze Twitter activity). They were able to hack the Twitter accounts of Amnesty International and Forbes.[1]

Malware attacks

Cyber adversaries are persistent in their efforts to create smart and stealthy malware programs. They use malicious scripts to hack the social media accounts of unsuspecting victims. By tricking their targets into installing the malware, attackers can easily monitor their activities. This approach allows them to access sensitive information like usernames and passwords.

Unsecured mobile devices

The majority of social media users install applications such as Facebook and Instagram on their devices for quick and easy access. Smartphones are also easily portable, which makes them convenient for social media use. If a mobile device connected to social media accounts falls into the wrong hands, it can easily compromise a user’s privacy or security, resulting in identity theft, where malicious individuals use the compromised accounts for their own gain.

Imposters

Internet con artists are excellent at creating imposter accounts. Current technology makes it easy to create a replica social media account. To lower suspicion, they can wait for long periods, monitoring the original accounts to ensure they have similar activity history. As a result, targeted users can fall prey and provide highly sensitive information. Rival businesses can use the same tactic to tarnish the name and reputation of their competitors. Also, hackers can use imposter accounts to gain access to social media accounts used for corporate activities.

Unattended accounts

In some cases, individual users or companies create social media accounts and stop monitoring them after using them for a while. Cyber attackers target such accounts since they are aware that no one is watching them. They do not even need to hack them as they can use an imposter account to post fraudulent messages. Unmonitored accounts are a huge risk since they can enable hackers to disseminate false information or send malicious links to followers.

Staying secure

There are many other types of social media security threats. Although the parent companies invest heavily in maintaining secure systems and social media applications, users also have a massive responsibility to keep their social media accounts safe. Here are the top tips for enhancing social media security.

Social Media Security Tips for individual users

1. Monitor your inbox

For many years, hackers have used email messages to conduct phishing attacks: attacks in which a cyber adversary uses different techniques to trick victims into installing malware or divulging confidential information, for example by appealing to the victim’s interests. Social media has made it even easier to carry out phishing campaigns. With a single glance at a user’s profile and account activity, an attacker can craft convincing messages that trick the victim into clicking a malicious link or downloading an attachment carrying malware. Therefore, monitor the messages, links, and attachments sent to your inbox. Phishing messages are usually sent by unknown people and will mostly request personal information.

2. Utilize password protection

When creating any social media account, the process includes a requirement to create a unique username and password. Password protection is, in fact, one of the easiest ways of keeping a social media account secure, and all social media platforms require users to provide a password to gain access. Creating a unique password is nevertheless different from maintaining good password security practices. Recommended practices start with creating strong passwords, which can withstand brute-force attempts. Also, periodically changing a password can minimize the possibility of its compromise. Furthermore, it is always essential to log out of a social media account after accessing it from another person’s device, since most browsers and applications retain passwords, allowing anyone with the device to sign in.

3. Use multi-factor authentication

Many social media platforms support two-factor or multi-factor authentication schemes. They provide additional security to password protection. Enabling multi-factor authentication requires a user to provide a correct password and a second item to verify authenticity. For example, two-factor authentication may send a code to the provided phone number or email address when signing in. Failing to give the sent code, even with a correct password, denies access. Since only the legitimate account owners can access the authentication items, a malicious user can’t gain access. However, not all social media platforms enable multi-factor authentication in their default security settings. The account owner must hence allow the option in the privacy and security settings. Applying multi-factor authentication is an effective way of enhancing social media security and preventing unauthorized individuals from accessing the account.

4. Set up hard-to-guess security answers

When creating a social media account such as Facebook, users must provide a phone number or email address for resetting the password in case they forget it. Malicious individuals may gain access to those email accounts or phone numbers and use them to reset the password. They can then sign in as the real owner and use the account to post harmful content or target followers with phishing messages. Using security answers can enhance social media security, since resetting the password may then also require correct answers to the security questions. Providing the wrong answer prevents a password reset, and this strengthens social media security. However, just like multi-factor authentication, the security questions used during password reset must be enabled in the security and privacy settings.

5. Manage the privacy settings

As previously stated, social media users have a huge responsibility for ensuring their personal security and that of their accounts. They should therefore proactively manage their privacy settings to determine who can see their posts or timeline activities. Maintaining privacy settings protects a user from social media phishers: to create a successful phishing message, an attacker must identify the interests of the target. Restricting who can view the timeline history, for example to followers or friends only, can prevent phishing attacks, thus enhancing social media security.

In that light, it is also advisable to be careful with the messages a user posts on social media. The primary intent of hackers is to access personal information such as social security numbers, credit card numbers, home addresses, and user passwords. Posting such information on a public platform like Facebook only simplifies a cyber adversary’s work. The more a user posts personal information on social media, the easier it is for a hacker to steal the user’s identity.

6. Secure mobile devices and computers

Sometimes, all a cyber actor requires to compromise social media security is a vulnerable computer. Cybercriminals exploit computer or mobile device vulnerabilities to install malware programs. Through the malware, a hacker can remotely monitor all activities, including the social media usage patterns of a particular victim. This can provide a cybercriminal with the necessary information for accessing the victim’s social media accounts.

There are multiple measures one can implement to ensure computer and mobile device security. Antivirus solutions can detect malware programs present on the computer. Also, installing updates whenever they become available, especially for social media applications, applies the latest security fixes. As a result, it becomes difficult for a cybercriminal to exploit security vulnerabilities.

7. Who are your followers and friends on social media?

Verifying requests sent by new friends or followers can go a long way in enhancing social media security. The main aim of social media is to connect people from different parts of the world. Hackers exploit this by creating fake social media profiles and sending requests to hundreds of users, which increases their chances of finding an easy target. It is prudent to check a profile to determine its authenticity. This is relatively easy, since a legitimate profile should contain a history of the owner’s activities, such as shared photos and comments from other friends on their posts. A profile with hard-to-verify information may be a cybercriminal using a fake account. Delete such requests and take the extra step of blocking or reporting them for further investigation.

Social Media Security Tips for Businesses

Businesses are heavy users of social media. They use different sites like Facebook, Instagram, and Twitter, to advertise products and interact with customers. The heavy usage is due to the various advantages, which include responding to user queries in real-time, promoting products in different parts of the globe, and maintaining business image and reputation. Since social media acts as the face of an organization, companies must ensure their social media accounts are secure. The following are the top social media security tips businesses can use.

1. Perform frequent audits

Due to emerging technology and hacking tactics, the threats affecting social media security change constantly. Cybercriminals are always devising new strategies, viruses, or scams that they can use to compromise the social media accounts businesses operate. Therefore, a company aiming to keep ahead of cyber actors should enforce regular audits of all implemented security measures. A quarterly or semi-annual audit is sufficient, and a review of the following areas should guide a comprehensive inspection:

2. Social media policy

Businesses enforce social media policies uniquely tailored to their communication needs. As such, they should review those policies to accommodate changes in social media usage and security practices. A frequent review ensures that social media security documentation remains useful in securing their accounts.

3. Publishing and access privileges

Auditing publishing and access permissions can enable an organization to protect its social media accounts. Permissions review is necessary since it identifies users with the rights to publish content on the platforms. Some users might have changed their roles or had their access revoked. As such, auditing ensures that only users with the necessary permissions can access or publish on social media.

4. Privacy settings

Social media sites tend to update their privacy settings. Such updates can affect the security of an account if it continues to rely on settings chosen before the update. Businesses should frequently audit their security settings to ensure they are aligned with the latest updates.

5. Keep track of recent threats

The IT department of any company should track new risks and working solutions. Tracking emerging threats enables a business to implement sufficient measures for responding to them or preventing them entirely.

6. Implement a system for approving new posts

All businesses dread any incident that can damage their reputation. A malicious individual with the correct login information can access the account and post information that ruins the company’s reputation. Likewise, an employee with good intentions can use the same platform to post sensitive business information, such as products or services that have not yet been unveiled. Moreover, a user can also use a work social media account to post personal information. While this does not pose any significant risk to the account’s security, it demonstrates a business’s inability to control its information flow, which affects its reputation and customer base.

Every organization should therefore implement a system for approving any information before it is posted. Such a system can include designating a group of individuals who approve different types of information; for example, employees from the marketing and finance departments can approve any information originating from their respective sections. In a recent case, a marketing contractor working for Z-Burger posted a graphic image of a killed journalist on the company’s Twitter handle.[2] The contractor had publishing rights, but the company lacked a system for approving new posts.

7. Monitor all social media accounts

As mentioned earlier, unmonitored accounts are one of the biggest threats to social media security. Hackers target unattended accounts since they are easy to hack or impersonate. Monitoring all social media channels is therefore a security necessity. Monitoring should include accounts used every day as well as those that were opened but used only for a short while or not at all. This makes it possible to detect any cyber actor who manages to hijack and use the accounts. However, monitoring account usage patterns alone is not enough; it is also vital to verify the originality and authenticity of all posted information. To achieve this, a business can cross-reference its posts with the company’s content calendar.

Following up on everything also enables a business to maintain sufficient social media security. Social media platforms are designed such that any information communicated through them appears to come from the owner or authorized users. However, this is not always the case. Digging into all activities, even those that look legitimate, can uncover risks that cause security issues in social media usage and access. Some content may stray from the intended message, whether through human error or unauthorized access. Monitoring should also include watching for employees who make inappropriate comments or mentions about the business’s brand, negative conversations regarding the business, and imposter accounts.
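One way to implement the two monitoring checks described above (cross-referencing posts against the content calendar, and spotting accounts nobody is attending), as an added example that is not part of the original article. The accounts, calendar entries and posts are constructed sample data, and the one-day matching tolerance and 30-day idle threshold are assumptions.

```python
"""Two monitoring checks for company social media accounts: posts that were not on the
content calendar, and accounts that have gone unattended. All data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Post:
    account: str
    posted_on: date
    text: str


@dataclass(frozen=True)
class CalendarEntry:
    account: str
    scheduled_on: date
    text: str


def _normalize(text: str) -> str:
    # Collapse case and whitespace so a lightly edited caption still matches its plan.
    return " ".join(text.lower().split())


def unscheduled_posts(posts: Iterable[Post], calendar: Iterable[CalendarEntry],
                      tolerance_days: int = 1) -> List[Post]:
    """Posts with no calendar entry for the same account and text within +/- tolerance_days.
    Anything flagged here deserves a look: it may be an approval-process bypass or a hijack."""
    planned: Dict[Tuple[str, str], List[date]] = {}
    for entry in calendar:
        planned.setdefault((entry.account, _normalize(entry.text)), []).append(entry.scheduled_on)
    flagged = []
    for post in posts:
        scheduled = planned.get((post.account, _normalize(post.text)), [])
        if not any(abs((post.posted_on - d).days) <= tolerance_days for d in scheduled):
            flagged.append(post)
    return flagged


def dormant_accounts(accounts: Iterable[str], posts: Iterable[Post], today: date,
                     max_idle_days: int = 30) -> List[str]:
    """Accounts with no post in the last max_idle_days (or none at all): the
    'unattended accounts' the article warns about, which should be monitored or closed."""
    last_seen: Dict[str, date] = {}
    for post in posts:
        if post.posted_on > last_seen.get(post.account, date.min):
            last_seen[post.account] = post.posted_on
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if last_seen.get(a, date.min) < cutoff)


# Constructed sample data (not real accounts or posts).
TODAY = date(2020, 3, 15)
ACCOUNTS = ["corp_twitter", "corp_instagram", "corp_old_campaign"]
CALENDAR = [
    CalendarEntry("corp_twitter", date(2020, 3, 10), "Spring menu launches today!"),
    CalendarEntry("corp_instagram", date(2020, 3, 12), "Behind the scenes at our new store"),
    CalendarEntry("corp_old_campaign", date(2019, 11, 2), "Thanks for a great campaign season"),
]
POSTS = [
    Post("corp_twitter", date(2020, 3, 10), "Spring menu launches today!"),
    # Not on the calendar: exactly the kind of post the approval process should have caught.
    Post("corp_twitter", date(2020, 3, 14), "Claim your free gift card at http://example.invalid/claim"),
    # One day late and re-capitalised, but it matches its plan within tolerance.
    Post("corp_instagram", date(2020, 3, 13), "Behind the scenes at our NEW store"),
    Post("corp_old_campaign", date(2019, 11, 2), "Thanks for a great campaign season"),
]


def run_checks() -> Tuple[List[Post], List[str]]:
    """Run both checks over the sample data."""
    return unscheduled_posts(POSTS, CALENDAR), dormant_accounts(ACCOUNTS, POSTS, TODAY)


if __name__ == "__main__":
    flagged, dormant = run_checks()
    for post in flagged:
        print(f"UNSCHEDULED {post.account} {post.posted_on}: {post.text}")
    for account in dormant:
        print(f"DORMANT     {account}: no post in the last 30 days")
```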

8. Designate a social media officer

Creating a role that establishes the position of an employee responsible for controlling social media accounts can enhance their security. It can also bolster the efforts put in place for mitigating risks and threats. The person who fills such a role should be responsible for developing and owning social media security policies. Other vital roles can include monitoring the company’s social media presence and determining individuals with permissions to access or post on the accounts. This is particularly important since unauthorized posts or access can compromise the security and integrity of the account in question.

To ensure the employee responsible for securing an organization’s social media accounts discharges the role effectively, they need to collaborate with the IT department. A good relationship will be valuable in facilitating sufficient risk mitigation and prevention. The social media officer also needs to work closely with all departments that require the accounts to fulfill their obligations, such as marketing. As a result, the officer can approve or decline to authorize posts depending on how they affect the organization’s strategies, objectives, or regulations.

9. Restrict the use of social media

According to a survey by PricewaterhouseCoopers, an organization’s own employees are more likely to cause social media security risks than hackers. Employees can make errors when posting on a business’s timeline, which can result in security risks. Restricting the use of social media is therefore one of the best ways of keeping the company’s social media accounts secure. For example, a business may task different teams with roles such as messaging customers through social media, creating new posts, or providing customer service. However, not everyone requires permission to post, nor should all team members have access to login passwords.

As such, minimizing the number of employees capable of posting should be a top priority in managing social media security. Once a business identifies employees with permissions for posting, it should consider using software solutions that can provide direct access without requiring a password or username. This would eliminate the need for continually changing login credentials once an employee leaves the business or the permissions are revoked.

10. Train best social media security practices

Adopting the most robust social media security policies can be useless if employees are ignorant of best usage practices. While such a policy needs to be simple and easy to understand, training staff gives them an opportunity to actually learn how to enforce it. Training sessions also enable staff to understand social media security threats and their responsibilities in preventing them. Moreover, training sessions give a business time to review the implemented policies and update them accordingly.

11. Maintain social media policy

Any business using or planning to use social media must develop a comprehensive policy to ensure its security. An effective policy should contain guidelines for preventing negative PR or legal struggles, and more importantly, mitigating security threats. Some of the guidelines to include in the policy are:

  1. The team members or departments with access to company social media accounts
  2. Guidelines for working password management strategies
  3. How employees can identify social media threats, attacks, scams, and how to report them
  4. Rules governing the use of personal social media for work reasons
  5. Guidelines for talking about the business’s brand on social media

12. Invest in automated security technologies

Monitoring social media activities with human operators can be challenging, since they can make errors or be unable to ensure round-the-clock monitoring. Consequently, some threats can go unnoticed, resulting in disastrous security breaches. An automated solution can prevent that from happening, since it does not make such errors, nor does it leave the system unmonitored. Automated security monitoring can alert on offensive posts that can harm a business’s reputation. It can also detect links or attachments used for phishing campaigns, fraudulent accounts attempting to impersonate the company, or scams that target the business’s customers. As a result, a business can enjoy enhanced social media security.

[1] https://techcrunch.com/2017/03/15/twitter-counter-hacked/
[2] https://www.washingtonpost.com/news/local/wp/2018/07/25/z-burger-hamburger-chain-apologizes-over-callous-misuse-of-images-in-twitter-ad/?noredirect=on&utm_term=.4db4fd615913

Cyber Threat Analysis – A Complete Guide

Cyber threat analysis is the process of assessing the cyber activities and capabilities of unknown intelligence entities or criminals. A cybersecurity threat, or “cyber threat”, can be defined as a malicious act that seeks to disrupt digital life. This act could be the disruption of a communication pathway, the damage of data, or the theft of data.

Hackers target enterprises, governments, institutions, and even individuals with valuable information. Threats posed by cyber-attacks include denial of service (DoS) attacks, computer viruses, malware, phishing emails, and others. The attacks target anyone with an online presence. Cyber-attacks can lead to electrical blackouts, breaches of government security details, failure of military equipment, disruption of computer networks, paralysis of phone networks, and loss of access to confidential data, and they may affect the functioning of daily life.

Cyber threats increase day after day as advances in artificial intelligence and intelligent systems raise the level of skill needed to bypass highly secure systems. For these reasons, organization leaders must complete a thorough and detailed cyber threat analysis to know the extent of their business’s exposure to cyber-attacks.

The main objective of cyber threat analysis is to produce findings used to aid in initialization or support of counter-intelligence investigations. Then action is taken to eliminate the threat from the given organizations, business, or government system. In cyber threat analysis, the know-how on external and internal information vulnerabilities relating to a particular business model is matched against the actual or real-world cyber-attacks. This type of approach to countering cyber-attack is a desirable transition from a reactive security state to an efficient, proactive state.

The final output from a threat assessment should provide the best practices on how to utilize the protective controls to promote integrity, availability, and confidentiality, without affecting the functionality and usability conditions.

Components of the Cyber Threat Analysis Process


1. Scope

The scope of the cyber threat analysis states what will be included and excluded from the analysis. Included items are those items that should be protected from the threat.

The first step in any cyber threat analysis should be to identify every susceptible item that must be protected from access by malicious third parties. After this, the level of sensitivity and the desired degree of protection of the item is drafted and extensively defined by the analysis drafters.

2. Collection of Data

In every well-structured organization, there are procedures and policies that guide how people, machines, and other components of the organization are expected to operate. All of these need to be clearly stated for compliance purposes.

In reality, close to 25% of organizations fail to meet the minimum security standards put in place. Art Gilliland, Senior VP at Hewlett Packard, stated that most organizations fail to meet the required security standards because they are in a rush to meet a policy. Organizations tend to “check boxes” for compliance instead of implementing protective measures to the levels defined by the scope of the threat and the exposed item.

In the Collection of Data stage, the first step is to collect information about actual cyber-attack or threat incidents. Examples include phishing email headers and content, uncovered hostile command-and-control infrastructure (IP addresses and domain names), URLs of malicious links, and so on. One must distinguish between real potential attacks and perceived threats that are not real. The scope should help filter out perceived threats so that the focus stays on the targeted threats that exist in reality.

In order to transform data into intelligence, an information technology analyst must be granted unrestricted system access. Research can be sourced from many places, including internet searches, intrusion incidents, firewall logs, digital forensic analysis, reverse engineering of malware, detection system logs, honeypots, etc.

Corporate procedures and policies should be analyzed and a thorough investigation should be done to determine whether they meet the compliance standards or level in the organization.

3. Vulnerability Analysis of Acceptable Risks

In this phase, the analysts test what has already been gathered in order to determine the extent of current exposure. The existing security defenses are tested to determine whether they can neutralize information threats in terms of integrity, availability, and confidentiality. This stage should double-check whether the current policies and security measures are adequate protective measures. Penetration tests are also done as part of vulnerability analysis in an attempt to identify vulnerabilities.

Fig. 2: Circles of Protection (when a cyber-attack encircles the rings of protection)

Threat analysis is a continuous process, not an occasional or one-time event. It is an ongoing process that ensures all safeguards work properly. Risk evaluation should be incorporated as an integral part of the organization so that it becomes part of the overall life cycle. This helps in identifying risks that have not yet reached their full-blown stage, where they cause maximum damage and loss to the organization.

4. Mitigation and Anticipation

After completing all the previous steps, a highly qualified analyst can use the corpus of threat data identified to determine preventive measures. The analyst has the task of categorizing the threat data into groups, allocating each pattern to specific threat actors, and implementing mitigation measures. Subsequently, the analyst must anticipate the occurrence of similar attacks in the future.

Methodology

Threat models and metrics included in this section are meant to aid in characterization of specific threats hence fulfilling the elementary purpose of threat analysis.

1. Threat Metrics

When events are measured accurately, understanding how anomalies and trends occur can facilitate the threat analysis process. It can also highlight the capability of certain types of threats by connecting the dots between the threats experienced and their possible consequences. In short, qualitative threat measurement techniques and processes should give precise results for risk management. Defining and applying threat measures of acceptable quality is, however, a practice that still lacks maturity and consistency in its execution.

A metric can be defined as a unit of measure, whereas a measure is a definition for a given hallmark of performance. For instance, if a threat is measured consistently, with the help of a good metric that is clear and unambiguous, then the analyst is likely to improve his ability to understand that threat and to affect, control, and defend against it for a given period of time. Decision making based on a correct interpretation is much simpler when the picture is not extremely murky.

An ideal example of an appropriate quantitative portrayal in cyberspace is the number of intrusions or attacks per month. When these figures are taken over a long stretch of time, they can reveal the capability and intent of the adversary. This gives an analyst the task of properly calculating all the possible risks and allocating the resources required to address them.

2. Threat Models

A threat model is basically a well-organized representation of all the information that affects the security of a system, application, or network server. It can simply be termed the view of an information technology through a security lens. Capturing, organizing, and analyzing all the gathered information in an understandable and logical order is known as threat modelling. To do this sufficiently, a combination of metrics known as a measurement framework is preferred over a stand-alone metric, because a single metric cannot encapsulate the behavioral characteristics of complex actors or systems.

In addition to the definition given at the beginning, a threat can be considered a malevolent actor with a specific personal, political, or social goal, intent on opposing an accepted social norm, a private enterprise, or an established government. The actor in this case can be an organization, an institution, or an individual with self-centered interests to satisfy. A model, on the other hand, is a simplified representation of something. A threat model is therefore a combination of the two definitions, in that it gives prominence to the details relevant to the threat.

Using a consistent threat model in threat analysis promotes consistency and reduces the detrimental effects of personal bias and preconceived opinions and notions. As time goes by, the data acquired continues to accumulate while the success rate also improves. For these reasons, among others, it is strongly advised to keep a clear, trackable record of data stored continuously. Properly documented data acts as a reference database that can in turn be used by other cyber-security experts.

Threat modeling process, sample 1

Risk assessment and the threat modelling process take place in three major steps:

  1. Assess risk – determine how much you stand to lose.
  2. Determine potential threats – list the various things your system does that could possibly be attacked, including what libraries and frameworks do for you.
  3. Mitigate threats – make sure that the parts of your code that are susceptible to attack are well protected.

Threat modeling process, sample 2

Below is an overview of the threat modeling process:

  1. Identify assets – point out each and every asset that must be protected.
  2. Come up with an architecture overview – use tables and relatively simple diagrams to document the architecture of your system, including trust boundaries, data flows, and subsystems.
  3. Break down the application – decompose the architecture of your application, including the underlying host infrastructure design, so as to come up with a security profile for the system. The primary objective of creating a security profile is to uncover each and every vulnerability in the system’s design, configuration, or implementation.
  4. Identify the risks – with the attacker’s goals in mind, as well as knowledge of the architecture and potential vulnerabilities of your system, distinctly identify the risks that could affect the system or application.
  5. Document the threats in an organized manner – use a common threat template to capture the attributes specific to each threat.
  6. Rate the threats – arrange the threats in order of the potential damage they are capable of causing to the system, so that the most significant threats come first.

The Generic Threat Matrix

In this method, an analyst uses the necessary threat attributes to characterize the type of risk based on the overall nature of the threat. Using this kind of characterization, an analyst is able to fully describe the threats without conforming to preconceived notions. To understand this better, a matrix can be defined as a framework or model used to organize a set of related metrics into the desired structure. The matrix is graduated into levels of magnitude, where each level corresponds to a unique threat.

1. Threat Attributes

A threat attribute is an independent feature of a threat; attributes fall into two dominant groups:

Commitment Attribute Group

A commitment is a pledge that confines an individual to some course of action. Applied here, the attributes in the commitment group reflect the unconditional willingness of the threat to attain its specific goal. At a higher level of commitment, the threat virtually stops at no obstacle to achieve its aim. The group has three attributes:

  • Stealth (Question: Does the organization have any verified information concerning the threat?)
  • Time (Question: how much time is the threat willing to invest?)
  • Intensity (Question: To what extent is the threat willing to go?)

Resource Attribute Group

The attributes in this category show the amount of resources that a threat can deploy. Unlike in the commitment attribute group, here a higher magnitude denotes that the threat is more sophisticated and can therefore attain its goal more easily.

Resource family is also made up of three attributes:

  • Access (Question: How efficient is the ability of the threat actor to compromise the system?)
  • Technical Personnel (Question: How many individuals is the threat using to further its ends?)
  • Knowledge (Question: What level of skill drives the threat engine?)

Figure: Threat matrix
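A worked version of the generic threat matrix described above, added here as an example rather than taken from the article. The three-point Magnitude scale, the six-level banding of the combined score, and the sample profiles are assumptions made for illustration.

```python
"""Generic threat matrix: rate a threat on the commitment and resource attributes,
then place it on a level of the matrix. Assumptions: a three-point scale per attribute
and six matrix levels banded on the combined score; the profiles are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List


class Magnitude(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The two attribute groups and their member attributes, as named in the text.
COMMITMENT = ("stealth", "time", "intensity")
RESOURCES = ("access", "technical_personnel", "knowledge")
MAX_LEVEL = 6  # assumed number of graduated levels in the matrix


@dataclass(frozen=True)
class ThreatProfile:
    name: str
    stealth: Magnitude              # how little verified information exists about the threat
    time: Magnitude                 # how much time it is willing to invest
    intensity: Magnitude            # how far it is willing to go
    access: Magnitude               # how effectively it can compromise the system
    technical_personnel: Magnitude  # how many people it uses to further its ends
    knowledge: Magnitude            # what level of skill drives it

    def commitment(self) -> int:
        return sum(int(getattr(self, a)) for a in COMMITMENT)

    def resources(self) -> int:
        return sum(int(getattr(self, a)) for a in RESOURCES)

    def attribute_scores(self) -> Dict[str, int]:
        """One row of the matrix: every attribute with its magnitude."""
        return {a: int(getattr(self, a)) for a in COMMITMENT + RESOURCES}


def threat_level(profile: ThreatProfile) -> int:
    """Band the combined score (6..18) into levels 1..MAX_LEVEL, two points per band."""
    lowest = len(COMMITMENT + RESOURCES) * int(Magnitude.LOW)  # 6 when everything is LOW
    total = profile.commitment() + profile.resources()
    return min(MAX_LEVEL, (total - lowest) // 2 + 1)


def dominant_group(profile: ThreatProfile) -> str:
    """Which group contributes more to the level; 'balanced' when they are equal."""
    if profile.resources() > profile.commitment():
        return "resources"
    if profile.commitment() > profile.resources():
        return "commitment"
    return "balanced"


def rank_profiles(profiles: Iterable[ThreatProfile]) -> List[ThreatProfile]:
    """Most severe first; ties broken by resources, then commitment."""
    return sorted(profiles,
                  key=lambda p: (threat_level(p), p.resources(), p.commitment()),
                  reverse=True)


# Constructed, illustrative profiles; they do not describe any real actor.
SAMPLE_PROFILES = [
    ThreatProfile("opportunistic scanner", stealth=Magnitude.LOW, time=Magnitude.LOW,
                  intensity=Magnitude.LOW, access=Magnitude.LOW,
                  technical_personnel=Magnitude.LOW, knowledge=Magnitude.LOW),
    ThreatProfile("disgruntled insider", stealth=Magnitude.HIGH, time=Magnitude.MEDIUM,
                  intensity=Magnitude.LOW, access=Magnitude.HIGH,
                  technical_personnel=Magnitude.LOW, knowledge=Magnitude.MEDIUM),
    ThreatProfile("well-funded organized group", stealth=Magnitude.HIGH, time=Magnitude.HIGH,
                  intensity=Magnitude.HIGH, access=Magnitude.HIGH,
                  technical_personnel=Magnitude.HIGH, knowledge=Magnitude.HIGH),
]

if __name__ == "__main__":
    for p in rank_profiles(SAMPLE_PROFILES):
        print(f"level {threat_level(p)} ({dominant_group(p)}): {p.name} {p.attribute_scores()}")
```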

2. Attack Vectors

This is the path or route used by a threat to gain access to a system, network, or device, primarily to launch a cyber-attack, plant malware, gather relevant information, etc. Common attack vectors are as follows:

  • Mobile devices
  • Unsecured wireless networks
  • Phishing attacks
  • Removable media
  • Malicious web content
  • Malware and viruses

3. Target Characteristics

The rate at which targets are hit by threats varies because some are more vulnerable and attractive than others. The frequency of attacks on a target is also significant information to be expressed in metrics.

4. Attack Trees

The attack tree concept is a structured and hierarchical way to logically collect and document the anticipated or likely attacks on a given system. The tree decomposes the threat agents depending on the type of attack each agent utilizes.

Fig. 3: Creating attack trees

Pros of attack trees

  1. They provide a direct and transparent mode for analyzing attack agents.
  2. The model encourages the use of deductions or conclusions, which can be harnessed for quality output.
  3. They are highly flexible and can therefore cover the entire spectrum of threats and attack agents on the entire platform.
  4. They are compatible with other models, and data from attack trees can be used in analysis with a different model.

5. Attack Frequency

This is an indicative metric that can be used in conjunction with data on the degree of an attack. Pairing the vulnerability index with the frequency metric can also be considered when using the attack tree model for threat analysis.
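The attack tree idea from sections 4 and 5 carried into working code, as an added example that is not part of the original article: a small AND/OR tree whose leaves carry the two metrics the article pairs (attack frequency and vulnerability index), a rollup to an expected number of successful attacks, enumeration of the attack paths, and a "what to fix first" ranking. The node names, numbers and the rollup convention are assumptions of this example.

```python
"""Attack tree with AND/OR decomposition and a frequency-based rollup.

Added example, not from the original article. The node names and numbers are
constructed. Each leaf carries an observed attack frequency (attempts per year)
and a vulnerability index (probability that the step succeeds). The rollup
convention is an assumption of this example: a leaf scores
frequency x vulnerability; an OR node (any child suffices) sums its children;
an AND node (every child needed) is bounded by its weakest child (minimum).
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" or "AND"
    frequency: float = 0.0      # leaf only: attempts per year (constructed)
    vulnerability: float = 0.0  # leaf only: success probability in [0, 1]
    children: List["Node"] = field(default_factory=list)


def score(node: Node) -> float:
    """Expected successful attacks per year for the subtree rooted at node."""
    if node.kind == "LEAF":
        return node.frequency * node.vulnerability
    parts = [score(c) for c in node.children]
    if node.kind == "OR":
        return sum(parts)
    if node.kind == "AND":
        return min(parts)
    raise ValueError(f"unknown node kind {node.kind!r}")


def attack_paths(node: Node) -> List[List[str]]:
    """Every combination of leaves that satisfies the node (one list per path)."""
    if node.kind == "LEAF":
        return [[node.name]]
    if node.kind == "OR":
        return [p for c in node.children for p in attack_paths(c)]
    combos: List[List[str]] = [[]]  # AND: one path from each child, combined
    for c in node.children:
        combos = [done + p for done in combos for p in attack_paths(c)]
    return combos


def leaves(node: Node) -> List[Node]:
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def mitigation_priority(root: Node) -> List[Tuple[str, float]]:
    """Rank leaves by how much the root score drops if that leaf is fully
    mitigated (vulnerability set to 0). A control on an AND branch removes the
    whole branch; a control on an OR branch removes only that leaf."""
    base = score(root)
    ranked = []
    for leaf in leaves(root):
        saved = leaf.vulnerability
        leaf.vulnerability = 0.0
        ranked.append((leaf.name, base - score(root)))
        leaf.vulnerability = saved  # restore the model after the what-if
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed tree built from attack vectors named in the article.
ROOT = Node("Unauthorised access to cloud data", "OR", children=[
    Node("Phished credentials are used", "AND", children=[
        Node("Phishing email reaches an employee",
             frequency=200, vulnerability=0.0625),
        Node("Login from a new device succeeds without MFA",
             frequency=200, vulnerability=0.5),
    ]),
    Node("Endpoint compromised", "OR", children=[
        Node("Malware introduced via removable media",
             frequency=16, vulnerability=0.125),
        Node("Unpatched laptop joins an unsecured wireless network",
             frequency=24, vulnerability=0.125),
    ]),
])

if __name__ == "__main__":
    print(f"root: {score(ROOT):.1f} expected successful attacks/year")
    for path in attack_paths(ROOT):
        print("path:", " AND ".join(path))
    for name, drop in mitigation_priority(ROOT):
        print(f"mitigate '{name}': -{drop:.1f}/year")
```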

Cyber Threat Analysis Position

The Threat Analyst Position and Assessment Abilities

A threat analyst is responsible for determining the level of risk within their organization based on both risk and vulnerability assessment. The threat analyst defines which security measures need to be enforced and which ones are ineffective and should be discarded. The measures should not be exaggerated, as this may lead to overprotective controls that result in higher initial installation costs and unnecessarily high maintenance costs.

Threats and the nature of attacks continue to evolve with technological advancement. Millions are spent on innovation and training. Becoming a strong technical expert is the only way to combat rapidly mutating cyber-attacks. Continuous practice and constant learning from books, blogs, and journals are required to master your security skills in information technology. Hard work is required to become an elite analyst who can effectively deal with the security issues encountered.

The data used in analysis is usually sourced from intelligence products, which require technical skills to interpret. The threat analyst must be able to read and interpret data from security events, and must have the technical writing skills to prepare a report of their findings. These capabilities are often less of a science and more of an art.

Conclusion

Cyber threat analysis is a continuous process that should be carried out frequently to ensure that security measures work as intended. This is because of rapidly changing technology and other factors that affect cyberspace, such as political and social factors. Organizations that do not perform threat and risk analysis are left open to attack by cyber pests, which can damage their business permanently. In the cybersecurity sphere, nothing is more detrimental than the feeling of being vulnerable, as it leaves you with no option but to trust that your lucky star will magically extend its reach to patch up every loophole in the system through which threats infiltrate.

 

Top 10 Cloud Security Best Practices

These 10 cloud security best practices are essential for any organization that is moving to the cloud. Overlooking any of them could lead to a security disaster.

Cloud computing has indeed revolutionized the business and technological landscapes. Today, it is unheard of for any serious company to prefer onsite IT infrastructure to cloud services. Simply defined, cloud computing is a technology consisting of networked remote servers. Service providers use the network to provide cloud consumers with data storage units and computational software programs for processing and managing data. An internet connection provides access to cloud technologies, meaning that users can access them from their workplaces or the comfort of their homes.

Currently, at least 90% of organizations use different cloud services, whereas experts indicate that companies will run 60% of their operations in the cloud by the end of 2019.[1] This shows that cloud technology is already mainstream. However, cloud services are online-based, and this has caught the attention of hackers. Increased dependence on cloud services to store and manage sensitive data is enough motivation for attackers. All companies and users, therefore, need to understand the best security practices to ensure they adequately protect their cloud environments. Here are the top ten internationally accepted cloud security practices.

Cloud Security Best Practices #1:  Securely manage your data

Data security should be the topmost concern of all cloud users. To achieve optimum data protection, first identify the data holding the most classified information. Highly sensitive data requires stronger security. Some would, however, prefer applying high-level security to all cloud data. This might not be sufficient due to factors like data size and format, i.e., audio, visual, print, etc. Besides, information like patents and intellectual property cannot be secured the same way as business ledgers or, for that matter, personally identifiable information. Some types of data must be protected at all costs due to their value and importance to the organization. Data classification software can assist in determining the data requiring stronger security.

Then, implement a comprehensive security solution. It should be capable of locating sensitive information in the company’s network, databases, endpoints, and cloud storage units. The solution should provide security, but not at the expense of flexibility and data access. Even so, the data access and storage procedures should be a priority. A Cloud 2019 Adoption and Risk Adoption Report by McAfee shows that 21% of data managed in the cloud has sensitive content.[2] No cloud service provider, including Office 365 and Salesforce, guarantees that the data will be 100% secure. It is hence essential to continually review and update the access permissions associated with the data. Some instances might require a business to remove or quarantine highly sensitive data.

Also, a company must enforce strict data sharing policies. In 2019, there has been a 50% increase in the sensitive data shared through the cloud.[3] The risks of malicious insiders or hackers accessing and stealing or corrupting cloud data are too high. Regardless of whether a company has applied powerful mitigation strategies, it must establish sufficient access controls for any data stored in and accessed through the cloud. For instance, the users who need to edit data might be fewer than those who need to view it. As such, access controls should be tailored to the permissions each employee needs.

More importantly, relying solely on the cloud provider’s data encryption would be a grave mistake. Although the offered encryption prevents unauthorized users from accessing the data, the service provider holds the encryption keys and can decrypt it at any time. As such, full access control means deploying strong encryption and using an adequate public key infrastructure.

Cloud Security Best Practices #2:  Implement endpoint security

Using the services or applications of a particular cloud provider does not remove the need for robust endpoint security. Endpoint protection means securing end-user devices such as laptops, desktops, and mobile devices. Companies need to protect the endpoints on their corporate networks and the devices used to access their cloud accounts, because these serve as access points to all cloud processes and malicious actors can exploit them at any time. Enhancing endpoint security allows a company to prevent risky activities that can create entry points. Besides, enforcing endpoint protection and compliance with existing data security regulations enables a business to maintain stronger control.

Endpoint protection affects cloud security because the number of access points to a cloud keeps growing. Increasingly, organizations improve their operations by adopting practices for accessing data more fluidly. For example, they implement BYOD (Bring Your Own Device) policies under which employees use their personal devices to access and modify cloud data. These devices require adequate endpoint security so that they do not give hackers easy targets for stealing or corrupting data. Such measures include using VPNs when accessing cloud accounts over a public Wi-Fi network.

Furthermore, cyber adversaries nowadays prefer to breach network or data security through endpoints, unlike in the past, when most breaches were made through the network. As a result, depending on a centralized network security solution may be insufficient. The increased use of Internet of Things devices in managing cloud activities brings increased risk, since they also multiply the possible entry points. The growing preference for breaching security through endpoints calls for more focus on endpoint security.

But what solutions can enable a cloud user to maintain optimum security? The first and most basic is password protection: all users need to secure their devices with strong passwords to keep malicious users out. Also, employees should avoid sharing the devices they use for work, since an innocent user can accidentally delete data stored in the cloud. More so, all devices should run malware scanning tools that scan USB sticks or hard drives before they connect to a corporate network. This lowers the risk of a hacker introducing malware through endpoints.

Cloud Security Best Practices #3:  Carefully choose the cloud vendors

All cloud service providers try their best to enforce cloud security measures to attract more customers. Some vendors may even offer better security than in-house staff can maintain. However, some may claim to have the best protection as a marketing tag while in reality they have poor security schemes. To this end, the Chief Information Security Officer (CISO) of every organization has the responsibility of helping their employer use the most secure vendors. Some companies may even need vendors that implement security policies to mitigate industry-specific threats.

To choose the most secure cloud providers, organizations can use various factors to assess their security capabilities. Such include evaluating their levels of compliance with various information compliance standards. Different regulations, including GDPR and HIPAA, advocate for organizations to implement different requirements, all aimed at achieving data security. To ensure cloud service providers are fully compliant, a business should require them to produce compliance certifications. Certification means the providers satisfy all requirements of a compliance audit. Also, cloud vendors should demonstrate they can ensure 24/7 data and network availability. Data drives critical operations; thus, cloud providers should maintain multiple backups.

Additionally, a company should only subscribe to a cloud provider that conducts regular risk assessments. Assessing their servers and IT infrastructure for security risks enables cloud providers to apply mitigation strategies before hackers can exploit them. Risk assessment and management is a crucial cybersecurity operation that every cloud provider should observe. Lastly, an organization needs to use the services of a cloud vendor that indicates the customer’s responsibility in matters of security. Cloud security is a collaborative process where both the providers and the customers must play their roles to ensure optimum safety. For instance, a cloud provider should install timely patches to prevent attacks such as zero-day attacks. Customers, on the other hand, should develop security policies governing access, sharing, and modification of cloud data.

Cloud Security Best Practices #4:  Monitor and prevent

As previously mentioned, consumers and cloud service providers have different roles in securing cloud activities. They also share the responsibility for monitoring and responding to suspicious cloud security problems. The cloud vendor monitors the security of the infrastructure it uses to provide services to cloud consumers, while the customer monitors the applications and systems its users use to access the services. Service providers also tend to give customers monitoring information relating to the services they use. Relying on this information can enable a company to implement measures for detecting incidents of unauthorized access, and to monitor for unexpected changes in how a user interacts with cloud data and applications.

It is also vital that a company implements additional monitoring that fully integrates with cloud automation. Cloud providers implement automation schemes such as autoscaling to give users round-the-clock access to more resources as their needs grow. Integrated monitoring provides 100% visibility into all cloud resources. As a result, consumers can quickly detect unusual occurrences and address them before they become security problems.

Besides, as with all other operations, collaboration is critical. Cloud vendors monitor the IT infrastructure used to provide services and computation resources. This includes entire SaaS applications, networks, IaaS resources like storage units, and virtual machines. The service provider may detect activities that could adversely impact a consumer’s cloud data or applications. In that case, the provider may need to inform the customer of the activities so that they can coordinate an adequate response.

Similarly, a cloud user may detect other activities that they cannot address without the input of the service provider. Responding to any security event requires both providers and consumers to share the responsibility. Effective collaboration means understanding the limits of a cloud provider in monitoring and responding to security incidents, such that the provider cannot be caught unawares.

Cloud Security Best Practices #5:  Conduct due diligence

Cloud consumers need to fully understand the applications and networks of their cloud providers. Understanding them enables a company to provide resiliency, security, and functionality for systems and applications deployed in the cloud. As such, they must perform due diligence across the whole lifecycle of deployed systems or applications. During the planning phase of a cloud migration, companies should select suitable cloud applications or service providers to move to. Benchmarking against other organizations that use the services of a particular cloud provider can provide valuable information. First-time cloud deployments can use the information to determine whether a service provider implements security policies that meet their needs.

Also, a cloud consumer should always use the provider’s guidance and documented best practices for using applications and provided services. For example, developing a cloud-based application should follow the cloud service provider’s guidelines and security practices. Also, when migrating to an already implemented cloud system or application, reviewing its documentation and collaborating with the vendor can provide insightful information on how to securely use it.

More importantly, cloud providers abstract service to optimize resource usage and access. Abstracted services might resemble physical applications, networks, and hardware. Consumers need to understand that abstracted services or resources have different security practices or policies compared to those implemented on physical resources. Before subscribing to their usage, organizations can observe security by reviewing and understanding security approaches implemented on the virtual resources. These should guide the processes through which users access them.

Besides, deploying or developing applications for cloud use requires companies to enforce policies that ensure users operate them securely. In contrast to physical resources like disks, networking devices, and servers, cloud consumers use software to interact with virtualized resources. Software security practices like patch management and vulnerability testing should, therefore, guide all cloud-access activities.

Cloud Security Best Practices #6:  Implement intrusion detection and prevention systems

A survey from CloudPassage indicates that intrusion prevention and detection systems are the third most effective solution for cloud security.[4] The systems monitor cloud and corporate networks for signs of intrusion and prevent unauthorized access. Additionally, they immediately alert a security administrator of the attempts, thus allowing the deployment of mitigation measures. More so, intrusion detection and prevention systems are capable of implementing responses to intrusion attempts. Such responses include preventing and blocking access from the source of the attempted intrusion.

Also, an organization can consider implementing artificially intelligent prevention and detection systems. The artificial intelligence learns the behavior of every user accessing a particular cloud environment. For example, it builds knowledge of the types of data an employee uses frequently and the types of cloud resources the employee requests. Hence, whenever a new user performs unusual activities, the system flags them as a malicious entity and blocks their further requests. As such, the risk of a malicious insider assuming the identity of a legitimate user is minimized.

Furthermore, intrusion detection and prevention systems minimize the number of false positives they generate. These are alerts a system raises as intrusions that turn out not to be. A false positive can be caused, for example, by the assignment of new roles to a user, which an intrusion prevention and detection system may flag as suspicious activity. False positives can cause a company to invest in unnecessary measures when the alerts turn out to be false security alerts.
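The behavioral detection the two paragraphs above describe, reduced to its core and written here as an added example (not code from the article or from any vendor product): a per-user baseline of the cloud resource types each user touches is learned from constructed audit records, later accesses outside that baseline are flagged, and a role-assignment event extends the baseline so that the false positive the article mentions does not fire. The log format, field names, training window and users are all assumptions of this example.

```python
"""Per-user behavioral baseline over cloud access events, with role changes handled.

Added example, not from the original article or any product. The audit records
below are constructed: one JSON object per line, in time order. The learning
rule (an allow-set of resource types per user, built during a training window)
is deliberately simple; real systems keep richer statistics. A role assignment
is treated as an authorized change and widens the user's baseline, so the first
access that follows it is not reported as an intrusion (the false positive the
article describes).
"""
import json
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample log (not real data).
SAMPLE_LOG = """\
{"ts": "2019-09-02T08:01:00Z", "event": "access", "user": "alice", "resource_type": "hr-records", "action": "read"}
{"ts": "2019-09-02T08:05:00Z", "event": "access", "user": "alice", "resource_type": "hr-records", "action": "write"}
{"ts": "2019-09-02T09:00:00Z", "event": "access", "user": "bob", "resource_type": "source-repo", "action": "read"}
{"ts": "2019-09-03T08:10:00Z", "event": "access", "user": "alice", "resource_type": "hr-records", "action": "read"}
{"ts": "2019-09-03T09:30:00Z", "event": "access", "user": "bob", "resource_type": "source-repo", "action": "write"}
{"ts": "2019-09-04T10:00:00Z", "event": "role_assigned", "user": "bob", "role": "finance-analyst", "resource_types": ["billing-ledger"]}
{"ts": "2019-09-04T10:20:00Z", "event": "access", "user": "bob", "resource_type": "billing-ledger", "action": "read"}
{"ts": "2019-09-04T23:40:00Z", "event": "access", "user": "alice", "resource_type": "source-repo", "action": "read"}
{"ts": "2019-09-05T01:00:00Z", "event": "access", "user": "mallory", "resource_type": "hr-records", "action": "export"}
"""

# Constructed training window: accesses on these days only teach, never alert.
TRAINING_DAYS = {"2019-09-02", "2019-09-03"}


class BaselineDetector:
    def __init__(self) -> None:
        # user -> set of resource types that user is known to touch
        self.baseline: Dict[str, Set[str]] = defaultdict(set)

    def learn(self, record: dict) -> None:
        self.baseline[record["user"]].add(record["resource_type"])

    def grant(self, record: dict) -> None:
        """Extend the baseline from the authorization event itself, so a
        legitimate new role does not produce an alert on first use."""
        self.baseline[record["user"]].update(record["resource_types"])

    def check(self, record: dict) -> Optional[str]:
        """Return a reason string if the access deviates from the baseline."""
        user, rtype = record["user"], record["resource_type"]
        if user not in self.baseline:
            return "no baseline: first activity seen for this user"
        if rtype not in self.baseline[user]:
            known = ", ".join(sorted(self.baseline[user]))
            return f"resource type outside baseline (known: {known})"
        return None


def run(log_text: str, training_days: Set[str]) -> List[dict]:
    """Replay the log; learn during the training window, alert afterwards."""
    detector = BaselineDetector()
    alerts: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["event"] == "role_assigned":
            detector.grant(rec)
            continue
        if rec["ts"][:10] in training_days:
            detector.learn(rec)
            continue
        reason = detector.check(rec)
        if reason:
            alerts.append({"ts": rec["ts"], "user": rec["user"],
                           "resource_type": rec["resource_type"],
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG, TRAINING_DAYS):
        print(f"{alert['ts']} {alert['user']} -> {alert['resource_type']}: "
              f"{alert['reason']}")
```

Bob's first read of the billing ledger is silent because the role assignment widened his baseline, while Alice's late-night repository read and the unknown user's export are reported for review.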

Cloud Security Best Practices #7:  Define cloud usage policies for all employees

Although organizations implement a corporate strategy for using cloud accounts securely, employees tend to use the cloud without adhering to it. For example, they might fail to inform the relevant stakeholders when they transfer or modify cloud data. Therefore, monitoring their usage activities is a crucial aspect of maintaining cloud security. Monitoring provides a clear picture of the services or resources a particular employee accesses and their usage patterns. Users with suspicious cloud usage activities can be denied access to ensure they don’t introduce security risks to cloud data and applications.

To determine the risk level a particular user poses to cloud security, an organization can assess the network firewalls, the logs captured in the security information and event management system, and the web proxies. The assessment results then allow security personnel to derive a value for the risk the user poses to organizational security. The obtained values can help determine whether a particular user should have complete or partial access to an organization’s cloud accounts.

Furthermore, cloud consumers must understand that shadow usage not only refers to unauthorized access to cloud services using endpoints; it also entails moving data from trusted environments to unmanaged devices. Such practices endanger data security and threaten data availability, integrity, and confidentiality. As such, a data officer should authorize data movement within the cloud and keep track of the data accessed from a particular endpoint.

Cloud Security Best Practices #8:  Maintain a safe list

Most employees within an organization use cloud services to meet the company’s goals and objectives. However, a few employees often use organizational clouds for their own gain. Using cloud services for dubious purposes places a company in danger of its cloud security being compromised or of facing legal tussles over compliance issues. As such, a business should develop and maintain a safe list of all the services employees can access through their cloud accounts. Enforcing the list, and ensuring employees are aware of it, minimizes issues arising from compliance penalties or insecure practices.

In any case, establishing a safe list enables an organization to specify the data each employee can access. It also ensures an employee understands the data permitted to be processed through the cloud. Creating such awareness leads to effective data management as all users are aware of the data they can use or share through cloud platforms. Similarly, a safe list provides all cloud users with a list of applications they can use in a cloud environment. Lastly, a safe list provides a clear outline of the security practices to observe when interacting with cloud data or applications.

Cloud Security Best Practices #9:  Trust users, but verify

Cloud consumers should adopt additional verification procedures to supplement other security practices like password protection. Verification schemes protect a cloud environment from malicious activities perpetrated by malicious users assuming the identity of legitimate users. An effective verification scheme is the use of two-factor or multi-factor authentication. These mechanisms require cloud users to provide additional proof that they are authorized to access cloud data, such as a code sent to a trusted mobile number or the answer to a security question known only to the user. Such measures strengthen the cloud security posture.

In addition to the different authentication mechanisms, a company must ensure that authenticated users have the authority to access and interact with cloud data. Whereas an employee might pass a verification process, they might lack the permissions to access particular types of data and cloud applications. Several access controls can be used, including least privilege access and role-based access, among others. Organizations should control data access to eliminate the risks associated with unauthorized access. Attempted unauthorized access should be investigated by tracking the endpoint used in the attempted intrusion.

Cloud Security Best Practices #10:  Regulatory compliance boosts security

A cloud consumer has a role in ensuring full compliance with information security regulations. Although many businesses adhere to compliance regulations to avoid non-compliance fines, the security requirements recommended by the various standards genuinely enhance security. Therefore, implementing the guidelines is an effective way of tackling security issues. More importantly, companies need to understand that the compliance regulations designed for cloud providers differ from those meant for consumers. As such, they shouldn’t neglect recommended security practices on the notion that the cloud provider has already complied.

Moreover, outsourcing compliance responsibilities is not recommended, even when business functions have shifted to the cloud. Also, identifying a cloud provider with a platform that facilitates compliance is a plus for cloud security. This allows a business to fully comply with regulations such as HIPAA, GDPR, and PCI DSS, among others. Understanding the compliance aspects can facilitate optimum security for a particular company. Lastly, automating compliance can eliminate the problems associated with tracking new or updated regulations. Automating compliance processes ensures a cloud consumer keeps track of all regulations so that all security aspects are covered. Various companies develop automated compliance software programs designed to meet all organizational needs. All the recommended practices can assist cloud consumers in achieving maximum security.

[1] https://hostingtribunal.com/blog/cloud-computing-statistics/

[2] https://www.mcafee.com/enterprise/en-us/solutions/lp/cloud-adoption-risk.html?_ga=2.224418842.1031089963.1568031446-47850940.1568031446

[3] https://securingtomorrow.mcafee.com/business/cloud-security/top-19-cloud-security-best-practices/

[4] https://www.esecurityplanet.com/network-security/intrusion-prevention-systems.html

23 Top Cybersecurity Frameworks

Many organizations consider cybersecurity to be a priority. The need to implement effective cybersecurity frameworks grows every day. Cybercriminals continuously derive more sophisticated techniques for executing attacks.

This has led to the development of various cybersecurity frameworks meant to assist organizations in achieving robust cybersecurity programs. Therefore, businesses should understand the top cybersecurity frameworks for enhancing their security postures.

Cybersecurity frameworks refer to defined structures containing processes, practices, and technologies which companies can use to secure network and computer systems from security threats. Businesses should understand cybersecurity frameworks for enhancing organizational security. The top cybersecurity frameworks are as discussed below:

1. ISO IEC 27001/ISO 27002 [1][2]

ISO 27001 Framework

The ISO 27001 cybersecurity framework consists of international standards which recommend the requirements for managing information security management systems (ISMS). ISO 27001 observes a risk-based process that requires businesses to put in place measures for detecting security threats that impact their information systems.

To address the identified threats, the ISO 27001 standard recommends various controls. An organization should select the proper controls that mitigate its security risks to ensure it remains protected from attacks. In total, ISO 27001 advocates 114 controls, which are grouped into 14 different categories. Some of the categories include information security policies, containing two controls; information security organization, with seven controls that detail the responsibilities for various tasks; and human resource security, with six controls for enabling employees to understand their responsibility in maintaining information security.

On the other hand, the ISO 27002 framework comprises international standards that detail the controls that an organization should use to manage information systems’ security. The ISO 27002 is designed for use alongside ISO 27001, and most organizations use both to demonstrate their commitment to complying with various requirements required by different regulations. Some of the information security controls recommended in the ISO 27002 standard include policies for enhancing information security, controls such as asset inventory for managing IT assets, access controls for various business requirements, managing user access, and operations security controls.

2. NIST Cybersecurity Framework [3]

NIST Cybersecurity Framework

The NIST Cybersecurity Framework was developed in response to presidential Executive Order 13636. The executive order’s purpose was to enhance the security of the country’s critical infrastructure, thus protecting it from internal and external attacks.

Although the framework’s design aims to secure critical infrastructures, private organizations implement it to strengthen their cyber defenses. In particular, NIST CSF describes five functions that manage the risks to data and information security. The functions are identify, protect, detect, respond, and recover.

The identify function guides organizations in identifying security risks to asset management, the business environment, and IT governance through comprehensive risk assessment and management processes. The protect function defines security controls for protecting data and information systems; these include access control, training and awareness, data security, information protection procedures, and maintaining protective technologies. The detect function provides guidelines for detecting security anomalies and for monitoring systems and networks to uncover security incidents, among others. The respond function includes recommendations for planning responses to security events, mitigation procedures, communication processes during a response, and activities for improving security resiliency. Lastly, the recover function provides guidelines that a company can use to recover from attacks.

3. IASME Governance [4]

IASME governance refers to cybersecurity standards designed to enable small and medium-sized enterprises to realize adequate information assurance. The IASME governance standard outlines the criteria by which a business can be certified as having implemented the relevant cybersecurity measures.

The standard enables companies to demonstrate to new or existing customers their readiness to protect business or personal data. In short, it is used to accredit a business’s cybersecurity posture.

The IASME governance accreditation is similar to that of an ISO 27001 certification. However, implementing and maintaining the standard comes with reduced costs, administrative overheads, and complexities. IASME standards certification includes free cybersecurity insurance for businesses operating within the UK.

4. SOC 2 [5]

AICPA-SOC2 Framework

The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 framework. The framework’s purpose is to enable organizations that collect and store personal customer information in cloud services to maintain proper security.

The framework also provides SaaS companies with guidelines and requirements for mitigating data breach risks and strengthening their cybersecurity postures. Also, the SOC 2 framework details the security requirements to which vendors and third parties must conform. The requirements guide them in conducting both external and internal threat analyses to identify potential cybersecurity threats.

SOC 2 contains 61 compliance requirements, which makes it among the most challenging frameworks to implement. The requirements include guidelines for destroying confidential information, monitoring systems for security anomalies, procedures for responding to security events, internal communication guidelines, among others.

5. CIS v7 [6]

CIS Framework

The body responsible for developing and maintaining the CIS v7 framework is the Center for Information Security (CIS). CIS v7 lists 20 actionable cybersecurity requirements meant for enhancing the security standards of all organizations.

Most companies perceive the security requirements as best practices since the CIS has a credible reputation for developing baseline security programs.

The framework categorizes the information security controls into three implementation groups. Implementation group 1 is for businesses that have limited cybersecurity expertise and resources. Implementation group 2 is for organizations with moderate technical experience and resources for implementing the sub-controls, whereas implementation group 3 targets companies with vast cybersecurity expertise and resources.

CIS v7 stands out from the rest since it enables organizations to create budget-friendly cybersecurity programs. It also allows them to prioritize cybersecurity efforts.

6. NIST 800-53 Cybersecurity Framework [7]

NIST SP 800-53

The National Institute of Standards and Technology created the NIST 800-53 publication for enabling federal agencies to realize effective cybersecurity practices.

The framework focuses on information security requirements designed to enable federal agencies to secure information and information systems. Besides, NIST 800-53 provides governmental organizations with the requirements to comply with FISMA (Federal Information Security Management Act) requirements. NIST 800-53 is unique as it contains more than 900 security requirements, making it among the most complicated frameworks for organizations to implement.

The requirements recommended in the framework include controls for enhancing physical security, penetration testing, guidelines for implementing security assessments, and authorization policies or procedures, among others. NIST 800-53 is a useful framework for organizations maintaining federal information systems, companies with systems that interact with federal information systems, or institutions seeking FISMA compliance.

7. COBIT [8]

COBIT Cybersecurity Framework

COBIT (Control Objectives for Information and Related Technologies) is a cybersecurity framework that integrates the best aspects of a business with its IT security, governance, and management. ISACA (Information Systems Audit and Control Association) developed and maintains the framework.

The COBIT cybersecurity framework is useful for companies aiming to improve production quality while adhering to enhanced security practices.

The factors that led to the framework’s creation are the need to meet all stakeholder cybersecurity expectations, the need for end-to-end process controls across the enterprise, and the need for a single, integrated security framework.

8. COSO [9]

COSO (Committee of Sponsoring Organizations) is a framework that allows organizations to identify and manage cybersecurity risks.

The core points behind the framework’s development include monitoring, auditing, reporting, and controlling, among others. The framework consists of 17 requirements grouped into five categories: control environment, risk assessment, control activities, information and communication, and monitoring and controlling.

All of the framework’s components work together to establish sound processes for identifying and managing risks. Routine use of the framework identifies and assesses security risks at all organizational levels, thus improving an organization’s cybersecurity strategies.

Also, the framework recommends processes for communicating information risks and security objectives up and down an organization. The framework further allows for continuous monitoring of security events to permit prompt responses.

9. TC CYBER [10]

The TC CYBER (Technical Committee on Cyber Security) framework was developed to improve telecommunication standards across countries within the European zone.

The framework recommends a set of requirements for improving privacy awareness for individuals or organizations.

It focuses on ensuring that organizations and individuals can enjoy high privacy levels when using various telecommunication channels. Moreover, the framework recommends measures for enhancing communication security.

Although the framework specifically addresses telecommunication privacy and security in European zones, other countries worldwide also use it.

10. HITRUST CSF [11]

HITRUST (Health Information Trust Alliance) cybersecurity framework addresses the various measures for enhancing security.

The framework was developed to cater to the security issues organizations within the health industry face when managing IT security. It does so by providing such institutions with efficient, comprehensive, and flexible approaches to managing risks and meeting various compliance regulations.

In particular, the framework integrates various compliance regulations for securing personal information. These include Singapore’s Personal Data Protection Act, and the framework also interprets the relevant requirements of the General Data Protection Regulation.

The HITRUST cybersecurity framework is regularly revised to ensure it includes data protection requirements specific to the HIPAA regulation.

11. CISQ [12]

CISQ (Consortium for IT Software Quality) provides security standards that developers should maintain when developing software applications.

Additionally, developers use the CISQ standards to measure the size and quality of a software program. CISQ standards enable software developers to assess the risks and vulnerabilities present in a completed application or one under development. As a result, they can efficiently address all threats to ensure users access and use secure software applications.

The vulnerabilities and exploits which the Open Web Application Security Project (OWASP), the SANS Institute, and CWE (Common Weakness Enumeration) identify form the basis upon which the CISQ standards are developed and maintained.

12. Ten Steps to Cybersecurity [13]

The Ten Steps to Cybersecurity is an initiative by the UK’s Department for Business. It provides business executives with a cybersecurity overview. The framework recognizes the importance of providing executives with knowledge of cybersecurity issues that impact business development or growth and the various measures to mitigate such problems.

This is to enable them to make better-informed management decisions about organizational cybersecurity. The framework uses broad descriptions with fewer technicalities to explain the various cyber risks, defenses, mitigation measures, and solutions, thus enabling a business to employ a company-wide approach to enhancing cybersecurity.

13. FedRAMP [14]

FedRAMP (Federal Risk and Authorization Management Program) is a framework designed for government agencies. The framework provides standardized guidelines that can enable federal agencies to evaluate cyber threats and risks to the different infrastructure platforms and cloud-based services and software solutions.

Furthermore, the framework permits the reuse of existing security packages and assessments across various governmental agencies.

The framework is also based on the continuous monitoring of IT infrastructure and cloud products to facilitate a real-time cybersecurity program. More importantly, FedRAMP focuses on shifting from tedious, tethered, and insecure IT to more secure mobile and quick IT. The aim is to ensure federal agencies have access to modern and reliable technologies without compromising their security.

To achieve the desired security levels, FedRAMP collaborates with cloud and cybersecurity experts from bodies that maintain other security frameworks, including the NSA, DoD, NIST, GSA, OMB, and private sector groups.

The main goals of FedRAMP are to accelerate cloud migrations by reusing authorizations and assessments, enhance confidence in cloud security, ensure that federal agencies consistently apply recommended security practices, and increase automation for continuous monitoring.

14. HIPAA [15]

HIPAA (Health Insurance Portability and Accountability Act) contains various guidelines for enabling organizations to implement sufficient controls for securing employee or customer health information.

HIPAA standards also require healthcare organizations to comply since they collect and store health information for all patients. The standards comprise different security requirements that need organizations to demonstrate a clear understanding of how to implement and use them.

Such requirements include training employees at all levels on the best practices for collecting and storing health data. Besides, HIPAA requires companies to create and maintain appropriate procedures for conducting risk assessments. The process should also include methods for managing identified risks.

15. GDPR [16]

GDPR (General Data Protection Regulation) is one of the latest frameworks enacted to secure personally identifiable information belonging to European citizens.

The regulation framework provides a set of mandatory security requirements that organizations in different parts of the world must implement. As such, it is a global framework that protects the data of all EU citizens. Non-compliance leads to huge penalties, and this has caused most companies to comply with the requirements.

GDPR requirements include implementing suitable controls for restricting unauthorized access to stored data. These are access control measures such as least privilege and role-based access controls and multi-factor authentication schemes. Organizations or websites must also acquire a data owner’s consent before using data for reasons such as marketing or advertising. Data breaches that result from a company’s inability to implement security controls amount to non-compliance.

16. FISMA [17]

FISMA (Federal Information Security Management Act) is a cybersecurity framework designed for federal agencies. The compliance standard outlines a set of security requirements that government agencies can use to enhance their cybersecurity posture.

The security standards aim to ascertain that federal agencies implement adequate measures to protect critical information systems from different types of attacks. Moreover, the framework requires vendors or third parties interacting with a government agency to conform to the stipulated security recommendations.

The security standard’s main aim is to enable federal agencies to develop and maintain highly effective cybersecurity programs. To achieve this, the standard consists of a comprehensive cybersecurity framework with nine steps for securing government operations and IT assets. These are:

  1. Categorize information according to security levels

  2. Identify minimum security controls for protecting the information

  3. Refine the controls using risk assessments

  4. Document the controls and develop a security plan

  5. Implement the required controls

  6. Evaluate the effectiveness of the implemented controls

  7. Determine the security risks to federal systems or data

  8. Authorize the use of secured information systems

  9. Continuously monitor the implemented controls.

17. NY DFS [18]

NY DFS (New York Department of Financial Services) is a cybersecurity framework covering all institutions operating under DFS registrations, charters, or licenses.

The framework consists of several cybersecurity requirements that can enhance the security postures of financial organizations and of the third parties they interact with for different business purposes.

Among others, NY DFS requires organizations to identify security threats that can affect their networks or information systems. The framework also requires companies to adopt sufficient security infrastructure for protecting all IT assets from the identified risks. In addition, organizations covered by NY DFS must implement systems for detecting cybersecurity events.

18. NERC CIP [19]

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a cybersecurity framework that contains standards for protecting critical infrastructures and assets.

In total, the framework has nine standards comprising 45 requirements. For example, the sabotage reporting standard requires an electric organization to report unusual occurrences and security disturbances to the relevant bodies.

The critical cyber asset identification standard makes it mandatory for an entity to document all cyber assets considered critical. The personnel and training standard requires employees with access to critical cyber assets to complete security awareness training. Other standards included in the NERC CIP framework cover the electronic security perimeter, incident response, systems security management, and recovery plan maintenance.

19. SCAP [20]

SCAP, or Security Content Automation Protocol, is a regulation standard containing security specifications for standardizing the communication of security products and tools.

The specification aims to standardize the processes through which security software programs communicate security issues, configuration information, and vulnerabilities. Through the standardized specifications, SCAP intends to enable a company to measure, express, and organize security data using universal criteria and formats.

The security software can allow a business to maintain enterprise security by automating processes such as verifying and installing security patches. Others are testing and verifying the security configurations of implemented systems and investigating incidents that can compromise system or network security.

20. ANSI [21]

The ANSI (American National Standards Institute) framework contains standards, information, and technical reports that outline procedures for implementing and maintaining Industrial Automation and Control Systems (IACS).

The framework applies to all organizations that implement or manage IACS. The framework consists of four categories as defined by ANSI.

The first category contains foundational information like security models, terminology, and concepts. The second category addresses the aspects involved in creating and maintaining IACS cybersecurity programs. The third and fourth categories outline requirements for secure system integration and security requirements for product development.

21. NIST SP 800-12 [22]

The framework provides an overview of control and computer security within an organization.

Also, NIST SP 800-12 focuses on the different security controls an organization can implement to strengthen cybersecurity defense. Although most of the control and security requirements were designed for federal and governmental agencies, they are highly applicable to private organizations seeking to enhance their cybersecurity programs.

NIST SP 800-12 enables companies to maintain policies and programs for securing sensitive IT infrastructure and data.

22. NIST SP 800-14 [23]

NIST SP 800-14 is a unique publication that provides detailed descriptions of commonly used security principles. The publication enables organizations to understand all that needs to be included in cybersecurity policies.

As a result, businesses can develop holistic cybersecurity programs and policies covering essential data and systems. The publication also outlines specific measures that companies should use to strengthen already implemented security policies. In total, the NIST SP 800-14 framework describes eight security principles with a total of 14 cybersecurity practices.

23. NIST SP 800-26 [24]

Whereas the NIST SP 800-14 framework discusses the various security principles used to secure information and IT assets, NIST SP 800-26 provides guidelines for managing IT security.

Implementing security policies alone cannot enable a company to realize optimum cybersecurity, since policies require frequent assessment and evaluation. For example, the publication contains descriptions for conducting risk assessments and practices for managing identified risks.

It is an instrumental framework that ensures organizations maintain effective cybersecurity policies. A combination of different NIST publications can ensure businesses maintain adequate cybersecurity programs.

[1] https://www.iso.org/isoiec-27001-information-security.html

[2] https://www.iso27001security.com/html/27002.html

[3] https://www.nist.gov/cyberframework

[4] https://www.iasme.co.uk/audited-iasme-governance/

[5] https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html

[6] https://www.cisecurity.org/controls/

[7] https://nvd.nist.gov/800-53

[8] http://www.isaca.org/cobit/pages/default.aspx

[9] https://www.coso.org/Pages/default.aspx

[10] https://www.etsi.org/cyber-security/tc-cyber-roadmap

[11] https://hitrustalliance.net/hitrust-csf/

[12] https://www.it-cisq.org/

[13] https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

[14] https://www.fedramp.gov/

[15] https://www.hhs.gov/hipaa/index.html

[16] https://gdpr-info.eu/

[17] https://www.dhs.gov/cisa/federal-information-security-modernization-act

[18] https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf

[19] https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-013-1.pdf

[20] https://www.open-scap.org/features/standards/

[21] https://www.ansi.org/

[22] https://csrc.nist.gov/CSRC/media/Publications/sp/800-12/rev-1/draft/documents/sp800_12_r1_draft.pdf

[23] https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=890092

[24] https://csrc.nist.gov/publications/detail/sp/800-26/archive/2001-11-01

Ten Essential Cybersecurity Controls

Cybersecurity controls are essential because hackers constantly innovate smarter ways of executing attacks, aided by technological advancements. In response, organizations have to implement the best safeguards to strengthen their security postures. Developing a holistic approach entails adhering to international standards, complying with various regulations, and deploying defense-in-depth strategies.

Cybersecurity controls are the countermeasures that companies implement to detect, prevent, reduce, or counteract security risks. They are the measures that a business deploys to manage threats targeting computer systems and networks. The controls keep changing to adapt to an evolving cyber environment. As such, every organization needs to understand the controls best suited to addressing its security concerns. But first, it is essential to understand the appropriate controls to ensure effectiveness.

The following guideline enables businesses to determine adequate cybersecurity controls.

1.  Assess the size of the organization

First, the size of the organization should be assessed. The details concerning interconnected systems, employee numbers, network size, etc., should be reviewed. Assessing the size of an organization will assist in decision-making related to financial planning. The assessment will also help identify controls that should be implemented to mitigate existing challenges.

2.  Determine the scope of IT infrastructure

A company must identify the IT components that are within the scope of cybersecurity controls. Considering all IT elements, regardless of whether they are contracted or owned, ensures adequate controls implementation. In this context, IT infrastructure consists of applications, information systems, network devices, servers, cloud applications, among others. An assessment would sufficiently guide a company to list all assets within the scope of cybersecurity controls.

3.  Determine the security levels of IT assets and information systems

Companies need to identify information systems and IT elements requiring higher levels of security. They should also be able to assign value to various types of information and assets. For instance, personally identifiable information regarding employees or customers might need higher levels of protection. Besides, confidential information such as intellectual properties or competition strategies might need adequate security to prevent attempted breaches. In particular, assessing security levels should relate to integrity, availability, and confidentiality of critical IT systems and information.

A scale of very low, low, medium, and high, with high representing assets requiring the highest security levels, can enable organizations to distribute cybersecurity controls as per need. This not only ensures efficiency in mitigating security challenges; it also assists in budget planning. More finances can be allocated in areas requiring more controls.

4.  Confirm investments in cybersecurity

Before planning the acquisition and implementation of cybersecurity controls, security managers and professionals should confirm cybersecurity investment levels by assessing the expenditure allocated to IT security and data protection. Additionally, a company should factor in spending on intangible controls such as employee training.

10 Essential Security Controls

In this section, organizations will understand the various controls used to alleviate cybersecurity risks and prevent data breaches. The controls also focus on responding to the attempted cybercrimes to prevent a recurrence of the same. Besides, nowadays, every business should anticipate a cyber-attack at any time. The controls, therefore, establish mechanisms for detecting, responding, and recovering from cyber incidents.

1.  Maintain a comprehensive incident response plan

Hacking and penetration methods have grown to unprecedented heights. Using available technology like artificial intelligence, cyber adversaries can commit stealthy cybercrimes. As such, businesses should always expect attempted intrusions at any moment. For this reason, every organization should implement and continuously update a plan for responding to cyber incidents. The plan should also consist of measures for recovering from an attack.

Therefore, to actively monitor, detect, and respond to security threats, companies should consider implementing solutions such as security information management systems. Such systems allow security teams to keep track of all activities at the system or network level. In addition, organizations should assign responsibilities to security teams. Every individual needs to be aware of their role in responding to cybersecurity incidents.

In addition, a company should assign individuals the legal obligation to report any attempted breaches. Other than shielding the organization from legal proceedings for failing to report an incident, reporting brings in forensic experts who can help develop a robust response to the incident.

Furthermore, businesses lacking the capacity to handle cybersecurity incidents should maintain a documented plan for engaging external professionals. This should include the personnel designated to assist with the response and strategies for allocating the required resources. All this ensures smooth cooperation between the organization and the outsourced assistance.

2.  Patch management lifecycle

As is the norm today, every business depends on technology to accomplish its objectives. Some organizations are so reliant on IT support that its absence would cause many losses. Due to this, companies implement varying technologies from different vendors, thus providing a criminal with increased entry points. Besides, some items, either hardware or software, may contain security vulnerabilities. Hackers usually exploit the vulnerabilities to gain system access and to execute attacks. It is hence necessary for an organization to observe a strict patch management lifecycle.

Most vendors release patch updates for firmware and software regularly to address security defects and existing or emerging vulnerabilities. Hence, businesses should install new patch updates as soon as vendors release them. Timely installation prevents zero-day attacks, where hackers exploit vulnerabilities before vendors can notice them.

The patch management method depends on an organization’s scope of IT infrastructure. Large organizations can find it difficult and expensive to manually keep track of vulnerabilities present in devices spread across the network. To counter this, such companies can adopt effective practices for reducing risks. For example, implementing an automated patch management system can identify vulnerabilities as soon as they emerge and available patches for mitigating them. On the other hand, smaller organizations should apply automatic updates for all software products. Systems automatically install updates as soon as they become available.
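The automated patch-gap detection described above, as an added example that is not code from the original article or from any vendor tool; the hosts, products, version numbers and advisory identifiers are constructed sample data (the advisory IDs are placeholders, not real advisories):

```python
"""Automated patch-gap detection across an inventory.

Added example, not from the original article. The host inventory and the
advisory feed are constructed sample data; a real system would pull them
from an asset database and the vendors' security feeds.
"""
from dataclasses import dataclass


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Comparing the strings would rank '2.4.9' above '2.4.10' and hide a gap.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real advisory
    product: str
    fixed_in: str      # first version that contains the fix
    severity: str      # "critical", "high", "medium" or "low"


# Constructed advisory feed (placeholder identifiers)
ADVISORIES = [
    Advisory("ADV-0001", "webserver", "2.4.10", "critical"),
    Advisory("ADV-0002", "webserver", "2.4.12", "medium"),
    Advisory("ADV-0003", "dbengine", "14.3", "high"),
    Advisory("ADV-0004", "mailagent", "3.1.0", "low"),
]

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "web-01": {"webserver": "2.4.9", "mailagent": "3.1.0"},
    "web-02": {"webserver": "2.4.11"},
    "db-01": {"dbengine": "14.2", "mailagent": "3.0.7"},
    "db-02": {"dbengine": "14.3"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def is_vulnerable(installed, fixed_in):
    """An installed version older than the fixed version still carries the flaw."""
    return parse_version(installed) < parse_version(fixed_in)


def find_patch_gaps(inventory, advisories):
    """Return (host, advisory) pairs where the installed version predates the fix.

    The list is ordered worst severity first, so it doubles as the
    remediation queue.
    """
    gaps = []
    for host, products in inventory.items():
        for adv in advisories:
            installed = products.get(adv.product)
            if installed is not None and is_vulnerable(installed, adv.fixed_in):
                gaps.append((host, adv))
    gaps.sort(key=lambda g: (SEVERITY_RANK[g[1].severity], g[0], g[1].advisory_id))
    return gaps


def remediation_plan(inventory, advisories):
    """Per host, the single target version of each product that closes every open advisory."""
    plan = {}
    for host, adv in find_patch_gaps(inventory, advisories):
        current = plan.setdefault(host, {}).get(adv.product)
        if current is None or parse_version(adv.fixed_in) > parse_version(current):
            plan[host][adv.product] = adv.fixed_in
    return plan


if __name__ == "__main__":
    for host, adv in find_patch_gaps(INVENTORY, ADVISORIES):
        print(f"{adv.severity:8} {host:7} {adv.product} -> {adv.fixed_in} ({adv.advisory_id})")
    print(remediation_plan(INVENTORY, ADVISORIES))
```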

3.  Apply antivirus solutions

Antivirus solutions are among the most readily available security controls. Almost all operating systems come with antivirus products installed. Antivirus products like Malwarebytes, McAfee, or Windows Security Center provide sufficient measures for detecting and eliminating malware threats. Cyber actors trick system users into installing different malware families, including spyware, ransomware, worms, and trojan horses. All programs developed to harm a system fall into one of the various malware families.

Once an organization implements an effective antivirus product, it denies hackers the ability to execute attacks through malicious programs. Antivirus software continuously scans a system for harmful programs and eliminates them before they can cause any damage. However, a business must apply all updates to ensure the security software contains an up-to-date threat database. Cybercriminals create new malware every day, and rolling out updates maintains the ability of antivirus solutions to protect a system.

4.  Implement perimeter defense

Perimeter defenses allow an organization to protect its networks from attacks executed through the internet. Conventional network security controls include firewalls. Firewalls identify suspicious traffic flowing into a network and block it from entering. Firewalls also defend a network from external intrusion attempts that seek to compromise network security. To counter online threats, businesses should establish dedicated firewalls at the boundaries connecting a corporate network to the internet. The firewalls can be a combination of hardware and software solutions.

Businesses should also activate and accurately configure the firewalls pre-installed in operating systems. The configuration parameters include which applications are allowed to access the corporate network and which are restricted to private networks only. Alternatively, if the available firewall seems inadequate for the security environment, a business can choose to implement alternative firewalls.

In addition, Domain Name System (DNS) firewalls provide organizations with the ability to prevent malicious web domains from connecting to their networks. DNS solutions help secure all devices connected to the corporate network. Moreover, DNS firewall solutions aid in filtering content and allow network admins to restrict access to websites deemed malicious.

Another necessary perimeter defense is using secure connectivity. A company should establish reliable connectivity processes for all concerned online services. For instance, since most businesses today allow employees to work remotely, they should offer them virtual private networks (VPNs). VPNs hide all online user activities such that attackers cannot execute sniffing or eavesdropping attacks. Moreover, most home networks lack the necessary security, and VPNs protect a company from attacks leveraging insecure networks.

Also, perimeter defenses include separating public Wi-Fi from the corporate network. Organizations often provide employees and customers public Wi-Fi, which is, in most cases, insecure. Separating it from the corporate network ensures that malicious individuals cannot use it to compromise the corporate network’s security. Corporate networks contain confidential resources that companies must protect from unauthorized access.

Lastly, businesses with points of sales should conform to the guidelines stipulated by the PCI DSS (Payment Card Industry Data Security Standard) standards. The standards recommend appropriate controls for securing credit card information belonging to a customer. Besides, the standards allow an organization to prevent hackers from compromising PoS terminals and online financial systems. Among other controls, a company can isolate PoS terminals from public and corporate networks.

5.  Secure mobile devices

Internet of Things and mobile devices enable organizations to enhance work processes and increase productivity. This has seen many organizations adopt them on a large scale. The companies either own the devices or maintain policies that allow employees to use their own. Either way, a business must develop appropriate measures for safeguarding company data processed through or communicated via the devices.

An essential control is isolating sensitive company data from personal data. An organization must provide employees with work accounts such as email and customized applications. Other solutions, such as secure folders or locker functions, can enable employees to protect organizational information. Moreover, a company must enforce isolation in a manner that balances its security and business needs. For instance, ensuring employees use encrypted networks to communicate and share information can achieve both.

Additionally, organizations use mobile devices due to the availability of simple applications capable of completing complex tasks. However, all applications introduce their unique sets of risks. This expands the risk and threat surface. A key control for minimizing the risks requires employees to install applications from trusted stores. Downloading applications from third-party sites may cause users to install apps laden with malware through reverse engineering techniques.

Also, organizations with sophisticated IT processes should consider implementing solutions that facilitate enhanced mobile device administration. An example is an Enterprise Mobility Management (EMM) system. Through EMM systems, companies can realize enhanced business features and, at the same time, centrally manage mobile devices. EMM solutions may differ in their features, but they provide functions for managing, auditing, and supporting the use of mobile devices. Capabilities may include the ability to remotely wipe the data of stolen or compromised devices.

Besides, cyber actors may execute attacks based on the mobile connectivity of organizational devices. Therefore, companies should enforce policies that ensure users disable automatic connectivity. Hackers use open networks to lure unsuspecting users and install malware on their devices once they connect. Furthermore, businesses should restrict near-field communication (NFC) protocols such as Bluetooth. Cybercriminals can compromise such networks easily; hence, employees should avoid using them to share confidential information.

6.  Emphasize employee training and awareness

Training employees on cybersecurity basics can protect organizations from disastrous attacks. It is one of the most crucial controls, since attackers exploit system users’ ignorance to execute attacks. For instance, the success of phishing attacks largely depends on a user’s inability to identify phishing emails. Employee security training provides the first line of defense, since practical skills lead to an enhanced security posture. To implement an efficient training and awareness program, businesses should focus on easily achievable measures such as those listed below:

  1. Acquisition and use of approved software programs from legitimate vendors
  2. Efficient password management policies, including secure creation, storage, and sharing
  3. Ability to detect malicious links and attachments contained in spear-phishing emails
  4. Appropriate internet usage, including the list of websites to avoid when connected to the company network
  5. Secure use of social media sites to prevent attacks executed through angler phishing

Proper security configurations

IT vendors create products using default configurations. All software and hardware products ship with default settings, most of which may not provide the required security levels. Default configurations are a considerable security problem for enterprises, since they lack sufficient security settings to prevent attacks. For example, software developers often use the same default password for all products. Attackers can easily guess default configurations, which simplifies their intrusion attempts.

As a result, companies should replace default configurations with more secure ones. Different businesses have different security needs, meaning that the shipped settings may not meet all of their security expectations. Organizations must therefore reset administrative passwords and secure all applications using strong, hard-to-guess passwords. At the same time, a business should review device settings to eliminate defaults that are insecure. An organization must enable all necessary security measures and disable unneeded functionality.

7.  Implement strong user authentication

One of the leading causes of security incidences among organizations is insider threats. These are threats resulting from employees helping hackers achieve their malicious intent or users committing cybercrimes for their benefits. To accomplish these, malicious users may steal other users’ login credentials and use their accounts to facilitate cybercrimes. This is to cover their traces and pin the crimes on innocent employees. An effective control for mitigating insider threats is implementing strong user authentications.

User authentication is the process of verifying the legitimacy of a system user. To be authenticated, a user has to provide accurate information, including a username and password. A major way of implementing strong user authentication is two-factor or multi-factor authentication. These strategies require users to provide a combination of accurate authenticators: a username, a password, and a physical token or a code. Multi-factor authentication provides additional security because the user must also provide a token or a code that is generated automatically when the login session is initiated.

Securing critical systems with strong passwords is also an effective user authentication method. System administrators should change the passwords regularly to reduce the chance that they fall into the wrong hands. Whereas some security protocols only require admins to change passwords at the first sign of an attempted security incident, it is more effective to stick to a regular password management schedule. Password management policies should take into account factors like password length and reuse.
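The two mechanisms described in this section, a second factor generated automatically at login time and a password policy covering length and reuse, are shown together below. This is an added example, not code from the original article: the one-time codes are computed with the HOTP/TOTP algorithms from RFC 4226 and RFC 6238, the user record and salt are constructed samples, and the TOTP secret is the published RFC 6238 test-vector key so the codes can be checked against known values.

```python
"""Multi-factor login (password + TOTP code) and a password policy check.
Added example, not code from the original article. HOTP (RFC 4226) and TOTP
(RFC 6238) are implemented directly; the user record, salt and secret below
are constructed samples (the secret is the RFC 6238 test-vector key)."""
import hashlib
import hmac
import struct
import time
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000     # assumption: raise for production hardware
MIN_PASSWORD_LENGTH = 12    # assumption: the policy's length requirement


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).
    The comparison is constant-time so the check does not leak how many digits matched."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + delta * step, step), submitted)
        for delta in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256) for the stored password and its history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_policy_violations(password: str, salt: bytes, history: List[bytes]) -> List[str]:
    """Return the policy rules a proposed password breaks (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    candidate = hash_password(password, salt)
    if any(hmac.compare_digest(candidate, old) for old in history):
        problems.append("reuses a previous password")
    return problems


# Constructed sample account.
SALT = b"constructed-per-user-salt"
TOTP_SECRET = b"12345678901234567890"   # RFC 6238 test-vector key, for checkable codes
USERS = {
    "alice": {
        "salt": SALT,
        "password_hash": hash_password("Tr0ub4dor-&-Correct!", SALT),
        "history": [hash_password("Winter-2023-Pass!", SALT)],
        "totp_secret": TOTP_SECRET,
    }
}
DUMMY_HASH = hash_password("dummy", SALT)   # so unknown usernames cost the same time


def login(username: str, password: str, code: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Multi-factor login. A password hash is always computed, even for unknown
    usernames, so response time does not reveal which usernames exist."""
    now = int(time.time()) if now is None else now
    record = USERS.get(username)
    salt = record["salt"] if record else SALT
    expected = record["password_hash"] if record else DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if record is None or not password_ok:
        return False, "bad username or password"
    if not verify_totp(record["totp_secret"], code, now):
        return False, "bad one-time code"
    return True, "authenticated"


if __name__ == "__main__":
    now = int(time.time())
    print(login("alice", "Tr0ub4dor-&-Correct!", totp(TOTP_SECRET, now), now))
    print(password_policy_violations("Winter-2023-Pass!", SALT, USERS["alice"]["history"]))
```

The drift window of one step means a code stays valid for about 90 seconds in total; widening it makes life easier for users with skewed clocks and correspondingly easier for anyone who has captured a code, so it is a policy decision rather than a constant to copy.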

8.  Observe strict access controls

Access control measures build on the security that user authentication provides. Access control differs in that it comprises the strategies organizations use to grant authenticated users access to IT resources. A primary function of access control is to determine which user can access which resource, and at what level. Different control measures exist, and it is the company's responsibility to choose the one that meets its security concerns.

An example is role-based access control. Companies can use this strategy to grant users access depending on their assigned roles. In such a case, a user in the marketing department cannot access resources reserved for users in finance. Role-based access also allows network admins to track user activities, since it becomes possible to identify the events that led to a security incident.

Least-privilege access control also allows an organization to protect sensitive resources from unauthorized use. Least-privilege access provides users with only the resources they need to accomplish their tasks. For example, a CEO has more access than a department manager. It not only prevents unauthorized access but has other benefits, such as minimizing resource wastage.

Moreover, restricting access to administrative accounts enhances security by preventing unauthorized users from making system changes. Companies should limit administrative accounts to system admins only, and the accounts should be used only for administrative functions. Keeping everyday user-level activities off administrative accounts reduces the chance that those accounts are used for anything other than administrative processes. Also, to achieve transparency and accountability, businesses should give each employee their own account and enforce password security options.
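The three ideas in this section (role-based access, least privilege, and administrative accounts used only for administrative work) fit in one small policy engine with an audit trail. The following is an added example, not code from the original article; the roles, resource paths and user accounts are constructed for illustration.

```python
"""Role-based, least-privilege access control with an audit trail.
Added example, not code from the original article. Roles, resource
paths and users below are constructed for illustration."""
import fnmatch
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Permission:
    action: str     # "read", "write" or "configure"
    resource: str   # glob pattern over a resource path, e.g. "finance/*"


# Each role lists only what that job function needs (least privilege);
# anything not listed is denied. The sysadmin role deliberately holds no
# everyday read/write rights, so admin accounts serve admin functions only.
ROLES = {
    "marketing":    {Permission("read", "marketing/*"), Permission("write", "marketing/campaigns/*")},
    "finance":      {Permission("read", "finance/*"), Permission("write", "finance/ledger/*")},
    "dept_manager": {Permission("read", "marketing/*"), Permission("read", "finance/reports/*")},
    "sysadmin":     {Permission("configure", "systems/*")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class AuditEvent:
    user: str
    action: str
    resource: str
    allowed: bool


class AccessController:
    """Deny-by-default policy decision point that records every decision."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def is_allowed(self, user: User, action: str, resource: str) -> bool:
        allowed = any(
            perm.action == action and fnmatch.fnmatchcase(resource, perm.resource)
            for role in user.roles
            for perm in ROLES.get(role, ())
        )
        self.audit_log.append(AuditEvent(user.name, action, resource, allowed))
        return allowed

    def denied_attempts_on(self, resource_pattern: str) -> List[AuditEvent]:
        """Who tried to reach a resource and was refused: the starting point
        when reconstructing the events behind an incident."""
        return [e for e in self.audit_log
                if not e.allowed and fnmatch.fnmatchcase(e.resource, resource_pattern)]


# Constructed sample accounts. "sam" has a separate personal admin account
# instead of doing daily work from an administrative login.
MIA = User("mia", frozenset({"marketing"}))
FRED = User("fred", frozenset({"finance"}))
SAM = User("sam", frozenset({"marketing", "dept_manager"}))
SAM_ADMIN = User("sam-admin", frozenset({"sysadmin"}))

if __name__ == "__main__":
    ac = AccessController()
    for user, action, resource in [(MIA, "read", "finance/reports/q3"),
                                   (SAM_ADMIN, "read", "marketing/plan"),
                                   (SAM_ADMIN, "configure", "systems/mail-gateway")]:
        print(user.name, action, resource, "->", ac.is_allowed(user, action, resource))
    print([e.user for e in ac.denied_attempts_on("finance/*")])
```

Because every decision is logged, including refusals, the same structure that enforces the policy also gives the admin the trace the article mentions: a refused read of `finance/*` by a marketing account shows up immediately when the log is queried for that resource.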

9.  Maintain secure portable devices

Portable devices like USB sticks, SD cards, and external hard drives enable users to transfer data quickly and conveniently. Some businesses also use such media to create and store backups. However, the small physical size of portable devices means unauthorized individuals can steal them and access confidential information. They introduce significant security challenges with regard to data breaches and the preservation of integrity and availability.

Although more secure options like cloud technologies provide safer storage, it is almost impossible to prohibit the use of portable media entirely. As such, organizations should use portable devices with strong encryption. The encryption protects stored data in the event the media falls into unauthorized hands. Organizations should also include asset control procedures that govern the use and disposal of such devices.

10.  Securely encrypt and back up data

Data backups and encryption are useful controls for preserving the availability and integrity of data. Even when organizations implement the best security practices, cyberattacks still occur, leading to data theft or data corruption. Backing up data every day limits such misfortunes and ensures the availability of data to support business continuity.

However, malicious individuals still attempt to access backup data. Companies can protect it by enforcing encryption and using multiple external locations to store the data. Cloud technologies, for example, provide a practical choice for storing backup data. Organizations can secure cloud backups using strong passwords and other access control measures.

Before a backup process, a business should identify its essential business data and the frequency with which that information changes. This informs the data backup lifecycle. Besides, separating sensitive data from public data saves the cost and time used to create and maintain the backups. Lastly, businesses should develop and continuously update the procedures for accessing and restoring backup data.
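Three of the points above (knowing how often data changes, keeping sensitive and public data apart, and having a tested restore procedure) can be driven from a signed backup manifest. The following is an added example, not code from the original article; the file contents, classifications and signing key are constructed samples. Encryption of the backup payload itself is not shown because Python's standard library has no authenticated cipher, so the block covers integrity, change detection and the restore check.

```python
"""Backup manifest with integrity checking and change detection.
Added example, not code from the original article. File contents,
classifications and the manifest key are constructed samples; the payload is
not encrypted here (no authenticated cipher in the standard library)."""
import hashlib
import hmac
import json
from typing import Dict, List

MANIFEST_KEY = b"constructed-manifest-signing-key"   # assumption: from a secrets store


def build_manifest(files: Dict[str, bytes], classification: Dict[str, str]) -> dict:
    """Record a SHA-256 digest, size and sensitivity class for every file in the set.
    Files with no explicit class are treated as sensitive (fail closed)."""
    return {
        path: {
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "class": classification.get(path, "sensitive"),
        }
        for path, data in files.items()
    }


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """HMAC over the canonical JSON form, so a tampered manifest cannot vouch for tampered files."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def changed_files(previous: dict, current: dict) -> List[str]:
    """Paths that are new or whose content changed since the previous manifest.
    Run per snapshot, this shows how often each data set really changes."""
    return sorted(
        path for path, entry in current.items()
        if path not in previous or previous[path]["sha256"] != entry["sha256"]
    )


def by_class(manifest: dict, cls: str) -> List[str]:
    """Paths in one sensitivity class, e.g. to back up 'sensitive' data more often."""
    return sorted(p for p, e in manifest.items() if e["class"] == cls)


def verify_restore(restored: Dict[str, bytes], manifest: dict, signature: str,
                   key: bytes = MANIFEST_KEY) -> List[str]:
    """Check a restored file set against its signed manifest; returns the problems found."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest signature mismatch: do not trust this backup"]
    problems = []
    for path, entry in manifest.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(restored[path]).hexdigest() != entry["sha256"]:
            problems.append(f"corrupted: {path}")
    return problems


# Constructed sample: two daily snapshots of a small file set.
CLASSES = {"finance/ledger.db": "sensitive", "www/index.html": "public"}
DAY1 = {"finance/ledger.db": b"ledger v1", "www/index.html": b"<h1>Hello</h1>", "hr/staff.csv": b"alice,bob"}
DAY2 = dict(DAY1, **{"finance/ledger.db": b"ledger v2"})

if __name__ == "__main__":
    m1, m2 = build_manifest(DAY1, CLASSES), build_manifest(DAY2, CLASSES)
    print("changed since yesterday:", changed_files(m1, m2))
    print("sensitive set:", by_class(m2, "sensitive"))
    sig = sign_manifest(m2)
    print("clean restore:", verify_restore(DAY2, m2, sig))
    print("tampered restore:", verify_restore(dict(DAY2, **{"hr/staff.csv": b"alice,bob,eve"}), m2, sig))
```

The manifest and its signature should be stored separately from the backup media; a restore drill then consists of running `verify_restore` against what actually came back, which is the part of the "procedures for restoring backup data" most often skipped.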

Compliance Regulations and the Future of Cybersecurity

Compliance regulations provide organizations with acceptable standards for developing strong cybersecurity programs. Compliance is an important tenet underlying the development and maintenance of information security programs. Different regulations have emerged over the years to address increasing security challenges.

Today, cyber actors are relentless in devising new security risks, malware, trojans, and programs for compromising organizational security. Emerging technologies have also always brought unprecedented security risks with them. For example, the use of virtual currencies like Bitcoin, Monero, and Ethereum has caused crypto-jacking attacks to rise, edging out ransomware, which had been dominant for years.

It is, therefore, vital for organizations to understand the current and future state of cybersecurity and how they can best protect themselves from emerging threats. A primary response has been the establishment of international and local regulatory bodies that develop security standards to enable companies to harden their security postures.

A common feature of compliance is that regulations, standards, policies, and legislations are directly influenced by evolving cybersecurity environments. Many organizations thus find it a challenge to maintain acceptable compliance postures.

Current Compliance Regulations

Compliance regulations provide organizations with directives for safeguarding their data and IT systems, and for addressing existing privacy and security concerns. Also, compliance regulations ensure that companies fulfill their obligations to prevent accidental breaches and attacks caused by negligence or the implementation of insufficient security programs.

Most regulations compel organizations to secure their systems through implementing a variety of basic security measures such as firewalls, adequate risk assessments, data encryption technologies, and training employees on secure use and handling of sensitive information.

Whereas some regulations are voluntary, others are mandatory. Consequently, organizations should demonstrate not only that they understand them but also that they implement and maintain them accordingly, and they should be able to produce evidence of compliance at any time.

Benefits of Compliance Regulations

  1. Business opportunities: compliance regulations are meant to enable companies to secure their systems and observe best practices for protecting data. Potential customers often incline towards businesses that fully comply with existing laws.
  2. Reduced risk: the guidelines and recommendations provided in compliance regulations allow companies to reduce cyber threats, as the guidelines are tested and accepted internationally.
  3. Avoiding fines and penalties: most compliance regulations are mandatory, and non-compliance leads to hefty penalties. Some, such as the GDPR, may fine organizations millions of dollars. Complying protects a business from such fines, and this is an advantage as far as its finances are concerned.
  4. The rule of law: compliance regulations ensure that all businesses abide by the same rules. Compliance levels the field as enterprises can adopt equal security measures and be assured of adequate security.
  5. Increased efficiency and improved economies of scale: compliance regulations are developed to provide businesses with cost-friendly yet effective security practices. At minimal cost, a business can deploy working security solutions and enjoy the same protection as a Fortune 100 company.

Existing Compliance Regulations and Requirements

  1. HIPAA

HIPAA (Health Insurance Portability and Accountability Act) is a regulation for securing the health data in organizations across all industries. Organizations often collect and store health data of their employees while healthcare institutions interact with patient data daily. Health information is highly sensitive and not subject to disclosure to unauthorized parties. As such, protective measures for securing it must be implemented.

The HIPAA compliance regulation contains a set of requirements of which each organization must demonstrate a full understanding. HIPAA also requires businesses to implement training programs to equip employees with security and awareness skills. Training staff ensures they are aware of their security responsibilities when accessing information systems that house sensitive health data.

HIPAA also requires companies to develop and maintain processes for detecting and preventing security violations. In addition, to be HIPAA compliant, an organization should conduct risk analysis and assessments on an ongoing basis to identify security vulnerabilities in its systems.

Steps for managing and reducing the identified risks should follow, to make sure information systems and infrastructure are no longer at risk. HIPAA further dictates that organizations create sanction policies for dealing with non-compliant staff members.

  2. FISMA

The Federal Information Systems Management Act (FISMA) was developed to enable federal agencies to secure their information systems. The regulation applies to all partners or contractors that conduct any business with the federal agencies.

The main focus of FISMA regulation is to enable federal agencies to develop awareness and security training programs. The training programs aim to ensure that all users interacting with federal information systems are aware of the security guidelines and practices to adhere to. FISMA requires personnel working either in federal agencies or with the agencies, i.e., contractors, business partners, etc., to participate in the training programs to understand underlying security guidelines and procedures.

Anyone accessing federal information or federal information systems must prove to have completed the training course and to fully understand the course material. The personnel must also demonstrate an ability to put the acquired skills into practice and to competently apply best practices to secure federal information.

  3. PCI-DSS

Payment Card Industry Data Security Standard (PCI-DSS) is a compliance regulation designed for organizations that deal with credit cards. The compliance standard provides businesses with security guidelines to implement to secure a customer’s financial information.

PCI-DSS affects businesses that process credit cards, which requires cardholders to enter sensitive information into online platforms such as eCommerce websites. As a result, there is always a risk that cybercriminals may compromise such platforms and thereby gain access to sensitive information. PCI-DSS compliant organizations have to implement all the recommended security measures to safeguard such client information.

Some of the requirements of the standard include installing firewalls and configuring them to ensure a business protects the data and information of the cardholder. Also, PCI-DSS guides an organization on how to reset the default security parameters and system passwords of vendor-supplied systems. This is to ensure that new passwords are hard to crack and the security parameters are configured to meet the security needs of the organization.

Also, PCI-DSS regulation tasks organizations with the responsibilities of implementing security measures for encrypting card information relayed over public and insecure networks. Other requirements include adopting access control strategies to restrict unauthorized access to card information and regularly testing the security of systems and processes.

  4. GDPR

The General Data Protection Regulation (GDPR) has become immensely well known since it was implemented in 2018. The regulation requires organizations to implement sufficient security protocols for securing personally identifiable information belonging to individuals in the European Union.

GDPR applies to all organizations in the world as long as they handle and process data belonging to EU citizens. The regulation has compelled many organizations to comply to avoid the hefty fines that come with non-compliance. Additionally, a company can be fined if insufficient security processes cause a data breach leading to loss or disclosure of personally identifiable information. Google was fined €44 million for using user data to promote ads.[1]

GDPR requires companies to notify data owners of any intent to use their data for any reason. An organization must obtain the explicit consent of the data owner or risk being fined heavily. GDPR also encourages businesses to implement and maintain mechanisms for securing personal data, including encryption, password protection, and access control measures. The regulation contains other requirements intended to boost data security.

  5. NIST 800-53

The NIST (National Institute of Standards and Technology) publication 800-53 provides federal agencies with guidelines for securing their information systems. Additionally, organizations in the private sector use the same guidelines to harden their cyber defenses. The NIST 800-53 framework provides federal agencies and respective contractors with guidelines they can implement to ensure they comply with FISMA compliance regulations.

The guidelines comprise various controls that can aid in developing secure information systems resilient to cyber-attacks. The proposed measures include management, technical, and operational safeguards which, when implemented, preserve the availability, confidentiality, and integrity of information and information management systems.

Besides, NIST 800-53 provides security guidelines based on the security control baseline concept. The concept applies to identifying controls that meet the security needs of an organization. The baselines provide federal agencies and private organizations with considerations such as functional and operational needs, which also include common threats to organizational information systems.

NIST 800-53 further provides a tailoring process that an organization can use to identify the controls that provide security according to the requirements of its information systems. Some of the security controls recommended in the publication include access control, awareness and training, audit and accountability, configuration management, contingency planning, incident response, personnel security, identification and authentication, and system and communications protection.

Balancing Compliance Regulations and Cybersecurity

Compliance regulations play an integral role in fostering cybersecurity. However, as witnessed with the recent enactment of GDPR (General Data Protection Regulation), many businesses have channeled resources and time in complying with the regulation rather than focusing on proper security guidelines. What’s worse, most regulations become outdated quickly, meaning that organizations will always struggle to be compliant with new standards and regulations.

It is also important to note that cybercriminals have access to the regulations. They will always look for ways to work around the security guidelines the regulations contain. Essentially, companies exhaust finances, human resources, and time on compliance regulations with inherent weaknesses instead of focusing on fool-proof cyber defenses.

But what can be done to address such issues in compliance regulations? Businesses have the responsibility of investing in the latest defensive trends to counter new threats and attacks. Maintaining compliance with multiple regulations without addressing cybersecurity defense can be detrimental to their security. To balance the two areas, that is, regulation and security, companies should invest in technologies that serve both purposes.

An ideal example of an approach that can be explored to resolve this issue is artificial intelligence. AI systems are often used to understand vast quantities of information such as those contained in multiple regulatory compliances. Depending on the security needs of a company, this technology can ensure that it is always compliant with existing and emerging regulations. At the same time, AI has proved useful in developing cybersecurity tools like antivirus solutions and intelligent firewalls and intrusion prevention and detection systems. AI not only allows a company to kill two birds with one stone, but it also provides solutions to other challenges. Such include reducing the cost and labor needed to achieve full compliance and strong cybersecurity.

The Future of Cybersecurity

Recent cyberattacks have resulted in large-scale damage and widespread disruption. In 2017, WannaCry, one of the most significant ransomware attacks to date, hit many countries around the globe. The United Kingdom's National Health Service was the most affected, as the attack crippled healthcare services across major healthcare facilities for close to a week. The NotPetya ransomware attack followed in the same period. The incident targeted power and energy companies in Ukraine and oil companies in Russia, causing huge losses and damage.

Such attacks demonstrate why researchers and governments are continuously working towards realizing better defensive strategies to stay a step ahead. However, although a lot is being done to provide working mitigations to rampant cybercrimes, the cyber threat environment will keep changing as new technologies emerge. These will be leveraged in both fighting cybercrimes and in developing more sophisticated attacking patterns.

The entry of 5G Network

Many countries are set to roll out 5G network connectivity and infrastructure convergence. Top among them are South Korea, China, and the United States. Huawei has already released smart TVs in Chinese markets that use 5G networks. Whereas the new network brings many benefits, most of which rely on its super-fast speed, 5G networks are poised to pose the biggest challenges in the cybersecurity landscape. 5G networks not only provide faster internet speeds but are designed to connect billions of new devices every year.

The devices will utilize the internet to run critical infrastructure and applications using internet speeds that are at least 1000 times faster compared to current internet speeds.[2] As a result, new architectures will emerge, and they will be used to connect whole geographic locations and communities, industries, and critical infrastructures. At the same time, the 5G networks will significantly alter cyber threat landscapes. Most of the attacks perpetrated today are financially motivated but without causing real and physical damages to infrastructures or locations.

With 5G networks, cyber-attacks might cause severe physical destruction that might destabilize a country’s economy or cause wanton loss of life. Worse still, such attacks will be executed using the same quick 5G speeds, such that it will almost be impossible to detect and prevent them before they occur.

Moreover, 5G networks will enable cyber adversaries to discover vulnerabilities and exploit them to execute attacks instantly. Although this is similar to the techniques used today, the main difference is that entire enterprises, critical infrastructures such as road networks for autonomous and self-driving vehicles, and the other infrastructures needed to run a smart city will be connected. The destruction that such attacks will cause if successful can only be imagined. Some examples of such attacks are already happening today.

For instance, the Department of Homeland Security hacked into the systems of a Boeing 787 passenger aircraft in 2016. The plane was parked in Atlantic City, and the hack was done remotely without relying on insider help. Also, a ransomware attack targeting the City of Baltimore locked over 10000 employees out of their workstations.[3] Such attacks might not have caused any physical destruction to the victims. That would, however, not be the case had they locked 10000 self-driving cars out of critical infrastructure systems. The cars would be unable to communicate with each other or to access navigation systems, meaning that they would cause massive accidents or massive traffic congestion.

In the coming future, 5G networks will lead to the development of smart cities and infrastructures. These will result in the emergence of interconnected critical systems at an entirely new scale, including automated waste and water systems, driverless vehicles depending on intelligent transport systems, automated emergency services, and workers. They will all depend on each other.

As highly connected as these 5G-enabled solutions will be, they are likely to be highly vulnerable. During the 2017 WannaCry attack, the ransomware took several days to spread globally. 5G networks will enable such attacks to spread at the speed of light. 5G networks will revolutionize the world immensely but may also drive cybercrime into real-world scenarios, with consequences yet to be known.

Artificial Intelligence

The need for real-time detection and preventive measures, especially with the adoption of 5G networks, cannot be overstated. Artificial intelligence technologies provide crucial components required for the world to realize global immunity and security against cyber-attacks. Artificial intelligence is already being used to develop cybersecurity solutions that can operate at a pace and scale able to secure digital prosperity in the future. AI-powered security solutions will be leveraged to achieve top-notch efficiency in detecting and responding to cyber-attacks, to provide real-time mitigation of cyber threats and instant situational awareness, and to automate processes for risk assessment, threat detection, and mitigation.

However, many reports today indicate that cybercriminal communities are seizing and exploiting artificial intelligence security solutions as soon as they are developed. This poses new challenges in the race for developing working solutions to global cyber threat landscapes. Cyber actors using artificial intelligence to execute different crimes might instantly bypass industrial technical controls developed over several decades. For example, in the financial industry, criminals may soon develop intelligent malware programs capable of capturing and exploiting voice synthesis solutions. This will allow the mimicking of the human behavior captured in biometric data such that criminals can bypass the implemented authentication procedures for securing individual bank accounts.

Besides, using artificial intelligence for criminal activities will most likely lead to the emergence of new breeds of cyber-attacks and attack cycles. Malicious actors will target and deploy such attacks where they will cause the highest impact, using means that industries across the divide never thought possible. To mention just a few, artificially intelligent attacks might be used in biotech industries to steal or manipulate DNA codes. They might also be used to destabilize the mobility of unmanned vehicles, and in healthcare systems, where smart ransomware programs will be timed to execute when systems are most vulnerable, thus causing the highest impact.

Biometric Security

Combating the emerging cybersecurity trends will most likely cause biometrics to be among the most used strategies for security. Currently, biometrics are playing a central role in securing devices like laptops and smartphones, or for physical security where iris and fingerprint scans are used to secure sensitive and classified areas.

Biometrics will continue to be used in the future to develop next-generation authentication mechanisms. Adopting such measures will necessitate the acquisition of enormous volumes of data about individuals and their activities. Fingerprint, iris scan, and voice recognition security will not be adequate, and biometrics will include other details such as body movement and walking style. This will, however, only cause cybercriminals to target the new generation of biometric data. Rather than targeting data like personally identifiable information, including contact details, social security numbers, or official names, attacks will focus on acquiring the data used in biometric security.

What Next? New Measures and Compliance Regulations

So, the main question is: what's next for cybersecurity? First, it is essential to note that cybercriminals have been executing low-risk attacks with high rewards and minimal or zero attribution. This has caused organizations to depend mostly on traditional responses, as most have provided practical solutions so far. In the coming years, emerging and transformative technologies will significantly alter the cyber threat landscape.

Understanding how best to secure against the expected rise of new-generation cyber-attacks and threats will first require that we understand the extent to which the cyber landscape will change and how risk environments will be transformed. Such an urgent and critical analysis can only be accomplished through persistent research for evidence-backed results. The expertise that security professionals, academic leaders, and policy makers possess will be integral to developing exceptional measures for curbing future cybercrime.

Ultimately, new compliance regulations are necessary as a result of the changing cybersecurity landscape. At the same time, the responsibility for complying will increase as a result of the new laws and regulations as well as user demands and public opinion. Organizations will remain challenged to incorporate the new requirements into their business processes, including their communications, employees, tools, and infrastructure.

  1. https://www.bbc.com/news/technology-46944696
  2. https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
  3. https://www.npr.org/2019/05/21/725118702/ransomware-cyberattacks-on-baltimore-put-city-services-offline?t=1561030041838

Smart City Security

Smart cities are the future of technology. We are quickly becoming dependent on computers to run cities.

Smart city technology addresses issues like energy, transportation, and utilities. This technology works to reduce resource consumption and waste to reduce costs. The smart city aims to enhance the quality of living of the people who live in it through the use of intelligent technology.

Importance of Security in Smart City

Security is an essential aspect of the success of a smart city. Security can be a challenge due to the involvement of many technologies and the interconnection of different networks and components. The smart city will always experience different types of cyber-attacks. Some of these attacks include phishing, malicious code, website intrusions, DDoS, and social engineering.

To secure the smart city, engineers and architects must introduce security starting at the conceptual stage. Security is essential during every step of the development lifecycle. Vulnerabilities must be addressed at every level to mitigate the severe consequences that can put the whole smart city at risk.

When adequate security controls are present, the technology that the smart city supports will run normally, and the people will continue to enjoy the services that come from the smart city.

Attackers can cause grave damage and can go as far as causing loss of life. An attack on traffic lights systems, food distribution systems, hospital systems, and transport systems may cause irreparable harm.

The security challenge for smart cities

One of the security challenges that smart cities face is the security of sensor hubs. The sensors monitor things like weather, air quality, traffic, radiation, and water levels. They can be used to automatically inform vital services like traffic and street lights, security systems, and emergency alerts. If sensors are left unpatched, hackers might gain access and manipulate critical data.

An example of this is a recent attack on a commercial irrigation system in Israel. Hackers were able to turn the water system on and off remotely. Attacks such as these are a great danger to the smart city water system and could result in the emptying of the water reservoir overnight.

Bugs pose a significant security threat to smart cities. They open vulnerabilities that can be used by hackers to access Smart city systems. Bugs can allow attackers to insert malicious software commands that enable a hacker to gain unauthorized access.

Another security concern is the openness of the internet, on which most smart cities rely. The internet can pose a threat to anything connected to it that is not adequately secured.

Authentication bypassing may also be a challenge. This attack allows hackers to get into internal administrative areas of the smart city that should not be accessible to them without having to enter a password.

Also, SQL injection is a growing concern. Attackers insert crafted data into the queries an application sends to its database, and with this they can force the device to perform actions that compromise the security of the smart city. Furthermore, there are IoT search engines like Shodan and Censys that index internet-exposed devices and thereby pose a security risk to smart city components.
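The concern above is easiest to see with a sensor lookup written two ways: one that splices the caller's input into the SQL text, and one that hands the input to the database as a parameter. The following is an added example, not code from the original article; the sensor table, the device naming scheme and the crafted input are constructed for illustration.

```python
"""SQL injection in a smart city sensor query: the vulnerable form beside
the parameterized (hardened) form. Added example, not code from the
original article; the table and the sensor IDs are constructed samples."""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sensors (id TEXT PRIMARY KEY, district TEXT, reading REAL)")
    conn.executemany("INSERT INTO sensors VALUES (?, ?, ?)", [
        ("s-100", "north", 21.5), ("s-101", "north", 19.0), ("s-200", "south", 23.1),
    ])
    return conn


def readings_vulnerable(conn: sqlite3.Connection, sensor_id: str) -> List[Tuple[str, float]]:
    """BAD: the caller's input is spliced into the statement text, so quote
    characters in it change the meaning of the query."""
    query = f"SELECT id, reading FROM sensors WHERE id = '{sensor_id}'"
    return conn.execute(query).fetchall()


def readings_parameterized(conn: sqlite3.Connection, sensor_id: str) -> List[Tuple[str, float]]:
    """GOOD: a placeholder; the driver passes the value to the database as data,
    so it is only ever compared against the id column, never parsed as SQL."""
    return conn.execute("SELECT id, reading FROM sensors WHERE id = ?", (sensor_id,)).fetchall()


SENSOR_ID = re.compile(r"s-\d{3}")   # assumption: the device naming scheme


def readings_validated(conn: sqlite3.Connection, sensor_id: str) -> List[Tuple[str, float]]:
    """Defence in depth: reject anything that is not a well-formed sensor ID
    before it reaches the (already parameterized) query."""
    if not SENSOR_ID.fullmatch(sensor_id):
        raise ValueError(f"invalid sensor id: {sensor_id!r}")
    return readings_parameterized(conn, sensor_id)


# Constructed input that turns the vulnerable query into
# "... WHERE id = '' OR '1'='1'", which matches every row.
CRAFTED_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", readings_vulnerable(db, CRAFTED_INPUT))
    print("parameterized:", readings_parameterized(db, CRAFTED_INPUT))
```

The parameterized query returns nothing for the crafted input because no sensor is literally named `' OR '1'='1`; the input validation layer goes one step further and refuses it before any query runs, which also gives the security operations center a clean event to alert on.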

Social engineering attacks are a significant threat to smart cities. Social engineering attacks are the main challenge to the Internet of Things, the components used by the smart city. Attackers deceive a user into performing an action that will cause a breach in a system's information security.

The effects of social engineering attacks can also result in physical impacts like:

  • Disruption and damage of train and tram signaling systems, causing accidents
  • Water system damage causing water wastage
  • Nuclear power plant damage
  • Destruction of manufacturing plants

Phishing attacks have increased in smart cities. Phishing attacks target email users to capture their credentials. Hackers can use the captured information to access smart city systems for malicious purposes. The techniques and technologies behind phishing will continue to evolve, and attackers who gain access in this way can manipulate things like tire pressure alerts, gas leakage alerts, etc.

Ways to make smart city secure

There are significant challenges in securing a Smart city.  However, the implementation of proper measures can successfully mitigate risk.

Security practices

Smart cities are made up of a plethora of devices that often have different manufacturers. Therefore, patch management is challenging. Each manufacturer must make sure that the products are secure and that software patches are issued promptly. But it is the user’s responsibility to make sure they are practicing good security hygiene.

A smart city should have controls and standard operating procedures for when a security breach happens. The procedures should identify the breach, contain the attack, and restore the systems.

Common issues

Basic security steps can be taken to avoid common security pitfalls. Users should update default passwords so that they are unique and complex. Policies should be enforced to ensure that passwords are strong. The establishment of security operations centers is required to monitor security, mitigate vulnerabilities, and respond to attacks.

Software updates on time

All software used in a smart city should be kept up to date. A system administrator should be responsible for making sure that all software is updated so that attackers cannot exploit known vulnerabilities. Firewall rule sets and antivirus signatures should be updated frequently as well.

Proper security framework

It is challenging to keep track of all components of a smart city due to its complexity. There may be thousands of connected devices deployed over many square miles. But the task can be accomplished using a proper framework.

A useful framework will include automated checks for software updates and security patches.

Security Best Practices

The use of security best practices by the smart city’s security team is essential. These are:

  1. Implement IP address restrictions on who can connect to smart city devices. The smart city network should remain secure even when a system is reachable from the public internet.
  2. Use application scanning tools to locate vulnerabilities in smart city systems.
  3. Apply tightened network security rules that restrict access to sensitive systems, together with safe password practices.
  4. Put strong access controls in place.
  5. Disable any system or feature that is not currently used, including remote administration features and ports, so that attackers cannot reach them.
  6. Monitor network activity and identify suspicious traffic with security information and event management (SIEM) tools to help counter attacks.

The use of ethical hackers for penetration testing

An ethical hacker plays a significant role in securing a smart city. He or she is tasked with testing the security of the smart city to confirm that it holds up and that an attacker cannot use the same methods to get in. An ethical hacker can also research emerging technologies and make sure the smart city's defenses keep pace with them.

Cyber-crime laws

Heavy penalties should be put in place to deter attacks on the smart city.

Conclusion

As the world continues to be more interconnected, security threats become greater. To make matters worse, criminals and hackers are increasing their skills and leveraging new technologies.

Therefore, smart city security should be a priority, and security specialists should be involved early in the design process.  Also, the standardization of IoT devices is critical.

Everyone involved in a smart city and IoT needs to work together and take responsibility for security-related issues. Working together with a unity of purpose toward secure IoT will be a great stride toward a future that is protected from unauthorized access.

 

Cybersecurity Laws – A Complete Overview

Technology has grown exponentially over the past two decades. As time goes by, we continuously benefit from and increase our dependence on technology. Web applications, drones, mobile applications, industrial automation, machine learning applications, and other technologies have changed our lives. But there are immense dangers that these technologies bring us. Therefore, our governments have introduced cybersecurity laws.

The Scale of the cyber threat

The United States government spends approximately 19 billion dollars every year on cybersecurity, yet cyber-attacks continue to increase rapidly every year.

There are three main threats that cybersecurity efforts attempt to mitigate:

  • Cybercrime: single actors or colluding groups that target systems for financial gain or to cause disruption.
  • Cyber-attacks: often politically motivated information gathering.
  • Cyber-terrorism: intended to undermine electronic systems to cause panic or fear.

With this in mind, cybersecurity laws are designed to provide protection and counter cyber-attacks. Virtually all organizations today have an online component, so cybersecurity laws apply to nearly every business.

What do cybersecurity laws cover?

Cybersecurity laws and regulations tend to cover the most common matters that arise from cyber threats. These matters include a focus on criminal activity, corporate governance, insurance matters, and law enforcement jurisdiction.

Cybersecurity Laws of the Past

In the previous century, cybersecurity laws did not hold much weight. The cyber-crime being committed at that time was not as damaging as it is today, and the laws of the time were comparable to copyright protection or laws about software piracy.
But now the threat has escalated, and much more severe cyber-crimes are the norm. These crimes range from the deployment of ransomware to actual treason. Serious action must now be taken to counter and deter such crimes, and the increased threat has led to increased legislative action.

Current Cybersecurity Laws

Fines as significant as five million dollars and lengthy jail terms have been put in place to curb such activities. Even penalties of that size may still not be enough given the damage hackers can cause.
Before 2015, the federal government of the United States was unaware of several attempted data breaches on private institutions. This changed with the Cybersecurity Act of 2015. After numerous attempts, Congress passed legislation that allowed companies in the U.S. to share cyber threat information with the government, which could then use it to investigate and prosecute crimes.

Difficulty in Prosecution

In the past, cybersecurity crimes were difficult to prosecute for the following reasons:

Area of jurisdiction

One of the reasons prosecutors had trouble was jurisdiction. Many times the person committing the crime was outside the country or outside the legal jurisdiction of the court. This is why the United States is focused on the international stage and on establishing allies in the cyber world.

Many cybercrimes go unreported.

A majority of cyber-crimes do not get prosecuted because the victims never report them to the authorities. Small, medium, and even large organizations have failed to disclose breaches because of the negative publicity and loss of trust that would follow.

Evidence collection was quite difficult.

Digital Forensics has evolved dramatically in recent years.  Best practices and strict processes have been developed to identify and preserve evidence that can be used to prosecute cyber-criminals.  But in the not-so-distant past, it was challenging to prosecute cyber-criminals because few people had the expertise needed to gather and preserve the evidence.

Cyber-criminals use advanced methods to cover their tracks.

The use of Tor and VPNs allows hackers to operate with a certain degree of anonymity. Beyond this, hackers work tirelessly to cover their tracks. Cyber-criminals are on the cutting edge of research, and they continuously work to become harder to identify, track, and apprehend.

What sorts of activities are criminalized by law?

Cybersecurity offences are defined at several levels of law, depending on where the crime is committed and who is harmed: federal law, state law, and county or local law.
Activities that are made criminal by cybersecurity laws include:

  • Computer hacking
  • Economic espionage
  • Corporate espionage
  • Identity theft
  • Breaking into computer systems, accessing unauthorized data, modifying or deleting the data
  • Stealing confidential information
  • Unauthorized publication or use of communications
  • Criminal infringement of copyright
  • Spreading of fake news
  • Sexual exploitation of children
  • Defacing internet websites
  • Flooding websites with large volumes of irrelevant traffic (denial of service) so that the sites become unavailable to the users who are supposed to be viewing them.

The various categories of the law have also criminalized numerous other crimes committed over the internet.

Ways in which cybersecurity laws are enforced

The United States addresses cybersecurity through sector-specific initiatives, general regulation, and private sector involvement. At the national or federal level, cybersecurity standards are executed using a variety of methods.

Major US Federal Cybersecurity Laws

Health Insurance Portability and Accountability Act (HIPAA) (1996)

HIPAA was enacted in 1996 and signed by President Bill Clinton.

Before HIPAA, there was no standard method for safeguarding the protected health information (PHI) that organizations in the healthcare industry stored, and no security best practices in place. One reason there were no cybersecurity standards in the healthcare industry was that health records had traditionally been kept on paper.

Just before the introduction of HIPAA, the healthcare industry was scrambling to move away from paper records to become more efficient.  The need to become more efficient drove the need to access and transfer patient information quickly.

Since there was an urgency to convert to electronic healthcare records, many companies were founded to capitalize on the need and profit from it.  Security for most of these companies was merely an afterthought.  The government quickly saw the need to create regulations in an attempt to enforce security standards.
The primary objectives of HIPAA include

  •  Modernize how healthcare information is stored and processed
  •  Ensure that private personal information is protected adequately by hospitals, insurance companies, and other health-related organizations
  • Address limitations on healthcare insurance

Gramm-Leach-Bliley Act (GLBA) (1999)

The Gramm-Leach-Bliley Act was signed into law in 1999. It is also known as the Financial Services Modernization Act of 1999.
The main thing that GLBA did was to repeal a portion of an outdated law from 1933, the Glass–Steagall Act. The Glass–Steagall Act prevented companies from doing combined business in banking, securities, and insurance; a bank was not allowed to sell insurance or securities.
Along with the above, GLBA requires financial institutions to disclose how they store and protect their customers' private information. The Safeguards Rule issued by the Federal Trade Commission under GLBA requires covered institutions to maintain a written information security program, and the FTC's guidance on meeting it includes, among other things:

  • Conduct background checks on employees who are going to have access to customer information
  • Require new employees to sign a confidentiality pledge
  • Limit access to private information on a “Need to Know” basis
  • Require strong passwords that are changed frequently.
  • Require computer screens to lock after they are inactive after a specific duration
  • Enact security policies for devices and data encryption.
  • Conduct initial and periodic security training for employees and regularly remind the employees of the policy.
  • Develop policies for remote work security.
  • Develop policies to enforce security violations through discipline.
  • Take steps to secure data at rest and data in transit. Also, control access to this data.
  • Dispose of information securely.

Homeland Security Act (2002)

The Homeland Security Act was signed into law by George W. Bush in 2002. Title X of the act was the Federal Information Security Management Act (FISMA); a revised version of FISMA enacted in the E-Government Act of 2002 later that year is the text that governs federal agencies today.

The United States introduced the Homeland Security Act following the September 11, 2001 attacks on the World Trade Center and the Pentagon and the subsequent mailing of anthrax spores to news outlets and government officials.

The Homeland Security Act established the Department of Homeland Security (DHS). Beyond this, the act served other purposes, including the FISMA cybersecurity regulations. FISMA assigned the National Institute of Standards and Technology (NIST) responsibility for developing the standards, guidelines, and methods federal agencies use for cybersecurity protection.

The National Institute of Standards and Technology( NIST) outlines nine steps toward compliance with FISMA:

  1. Categorize the information to be protected.
  2. Select minimum baseline controls.
  3. Refine controls using a risk assessment procedure.
  4. Document the controls in the system security plan.
  5. Implement security controls in the appropriate information systems.
  6. Assess the effectiveness of the security controls after implementation.
  7. Determine agency-level risk to the mission or business case.
  8. Authorize the information system for processing.
  9. Monitor the security controls continuously.

Are These Laws Enough?

The three regulations outlined above cover mandates for healthcare organizations, financial institutions, and federal agencies. But many other industries do not have applicable cybersecurity laws. 
Some argue that additional government intervention is unnecessary: it is in the best interest of any business to secure its data and sensitive information, so much so that companies and organizations spend massive amounts of capital on the effort.

Others argue that it is the government's responsibility to protect its citizens, and that this responsibility requires the introduction and enforcement of laws to ensure that citizens are protected.
Data breaches and successful attacks continue to occur to organizations despite the best efforts to maintain compliance with laws, standards, and best practices. Even so, the presence of effective laws can certainly help toward the objective of keeping data safe.

 

DMARC policy: an effective remedy for BEC attacks

 

 

Business email compromise (BEC), also called email account compromise (EAC), is a huge concern for most organizations today. These attacks trick people into thinking that an email comes from someone in a senior position, such as the chief financial officer, the CEO, or a partner in the organization. The forged message asks employees to wire money to accounts the attacker controls. The forgery can take the following forms:

  1. Fake name in the 'From' field: the display name in the 'From' field is the spoofed name of the executive, while the address behind it belongs to the attacker.
  2. Incorrect 'Reply-To': the attacker uses the real name and email address of the impersonated person, but the 'Reply-To' field contains the attacker's address, so any reply goes to the attacker.
  3. Missing 'Reply-To': the name and email address belong to the impersonated executive, but there is no 'Reply-To' address, which makes it difficult for the recipient to check back with the 'executive'.
  4. Identical domain: the attacker not only impersonates the executive but also uses a 'From' address identical to the original one (exact domain spoofing). This is the case that email authentication is designed to stop.

BEC scams began in 2013 with the hacking or spoofing of email accounts belonging to chief financial officers or chief executive officers, from which fraudulent emails requesting wire payments to fraudulent accounts were sent to employees. BEC has since expanded to the compromise of personal email accounts, vendor email accounts, and spoofed lawyer email accounts. Common forms are:

  1. Bogus invoice: attackers pretend to be a supplier and request payment of an invoice to an account owned by the fraudsters.
  2. CEO fraud: attackers pose as the CEO or another executive and email employees in finance, requesting a transfer to an account they control.
  3. Account compromise: a high-level employee's email account is hacked and used to request invoice payments from vendors in the account's contacts; the payments go to fraudulent accounts.
  4. Attorney impersonation: attackers pretend to be a lawyer, or to be from the law firm, overseeing crucial and confidential matters.
  5. Data theft: employees in HR or bookkeeping are targeted to obtain personally identifiable information (PII) about employees and executives for use in future attacks.

[Chart omitted. Source: Statista]

The BEC market has expanded very fast within a few years. According to the FBI's report on BEC fraud, losses due to BEC scams have reached $12.5 billion worldwide. Between October 2013 and December 2016, BEC cost organizations $5.3 billion globally. In May 2018, the FBI's Internet Crime Report indicated more than $675 million in BEC losses for 2017. The FBI's 2018 report recorded 351,937 complaints of all types, up 14.3% from 2017, with total reported losses rising 90.8% from $1,418.7 million to $2,706.4 million; BEC was the costliest category in that report.

So, why are BEC attacks so popular?

Unlike a phishing or ransomware attack, these emails contain no malicious URLs or attachments, so filters that look for them find nothing. BEC is a form of social engineering designed to psychologically trick employees by impersonating identities already known to them. The messages either instruct employees to carry out what look like routine tasks or are written in an authoritative tone, which makes it difficult for victims to question the legitimacy of the request and easy to follow what the forged email says. In short, the attacker needs little more than a convincing story.

With this emerging trend of deploying BEC attacks, it becomes extremely important to employ security measures to safeguard your organization and its employees against such cyber-threats.

How can you protect your organization against BEC attacks?

Limited authority: it is important to limit the number of people who can approve or process wire transfers, and to separate those who check payments from those who approve them.

Train your employees: one of the most effective safeguards against BEC attacks is cyber awareness training. Training helps employees recognise BEC attacks and understand the methods and strategies attackers use to trick them.


Policy-based protection: this can be considered the most effective preventive measure against BEC attacks. Examining sender reputation and the sender-recipient relationship can detect several forms of BEC, and authentication-based protection verifies your email domain. SPF (Sender Policy Framework) is a DNS record listing the mail servers that are allowed to send on a domain's behalf; the receiver checks the connecting server against it. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature, made with a key published in the sending domain's DNS, so that the receiving provider can verify that the message was authorized by that domain and not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM: it requires that the domain one of them authenticates aligns with the domain shown in the visible 'From' header, which is what the recipient actually sees, and it tells receivers what to do when neither check passes.

A DMARC policy lets a domain owner state that mail from the domain is protected by SPF, DKIM, or both, and what receivers should do with messages that fail (p=none, p=quarantine, or p=reject). The policy is published as a DNS TXT record at _dmarc.yourdomain, and its reporting tags (rua, ruf) let receivers send you aggregate and failure reports. With a p=reject policy, messages that forge your exact domain in the 'From' header are not delivered to their recipients. Note what DMARC does not cover: a display-name spoof sent from a domain the attacker controls, or a forged 'Reply-To' on an otherwise legitimate message, passes DMARC, so training and payment controls remain necessary. Products such as KDMARC can generate DMARC records and analyse the reports for effective protection of the email domain.
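The alignment and policy logic described above, as an added example that is not part of the original article or of any DMARC product. It parses a DMARC record, applies strict or relaxed identifier alignment between the 'From' header domain and the domains that SPF and DKIM authenticated, and returns the disposition a receiver would apply. DNS lookups are replaced by a constructed table of TXT answers for hypothetical domains (example.com, attacker-mail.test), and the SPF and DKIM results are supplied as inputs rather than computed, since both require live DNS. The organizational-domain rule is simplified to the last two labels; real receivers use the Public Suffix List.

```python
import re
from dataclasses import dataclass

# Constructed DNS TXT answers standing in for real _dmarc lookups (hypothetical domains).
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
    "_dmarc.attacker-mail.test": "v=DMARC1; p=none",
}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into tags and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")       # relaxed SPF alignment unless aspf=s
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= unless set
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption; use the
    Public Suffix List in production or 'co.uk' is treated as an organization)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf: str           # "pass" / "fail" / "none"
    spf_domain: str    # envelope MAIL FROM domain that SPF checked
    dkim: str          # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the signature that verified, "" if none


def header_from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address; the display name plays no part."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def evaluate_dmarc(from_header: str, auth: AuthResults, dns=DNS_TXT):
    """Return (verdict, disposition). verdict is pass / fail / no-policy;
    disposition is what the From domain asks the receiver to do on failure."""
    from_domain = header_from_domain(from_header)
    record = dns.get("_dmarc." + from_domain)
    is_subdomain = False
    if record is None:  # RFC 7489 6.6.3: fall back to the organizational domain's record
        record = dns.get("_dmarc." + org_domain(from_domain))
        is_subdomain = True
    if record is None:
        return "no-policy", "none"
    policy = parse_dmarc_record(record)
    spf_ok = auth.spf == "pass" and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim == "pass" and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["sp"] if is_subdomain else policy["p"]


if __name__ == "__main__":
    # Exact-domain spoof: From forges example.com, nothing authenticates it -> reject.
    print(evaluate_dmarc('"CFO" <cfo@example.com>', AuthResults("fail", "attacker-mail.test", "none", "")))
    # Display-name spoof from the attacker's own domain: DMARC passes, as it must.
    print(evaluate_dmarc('"CFO" <cfo.example@attacker-mail.test>', AuthResults("pass", "attacker-mail.test", "none", "")))
```

The second call in the usage block is the caveat from the text made concrete: the attacker's domain publishes its own (permissive) policy and its mail is genuinely from that domain, so DMARC has nothing to object to; only the display name lies.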

The main source of communication within an organization is email. Conducting businesses, sending proposals, major decisions and deal closure are all done through emails. It is, therefore, extremely important to secure your email domain by implementing security measures that can effectively block malicious emails.

The Security Downside of SMS-based Multi Factor Authentication (MFA)

MFA is not always secure.

Multifactor authentication (MFA) is thought to be an effective technique for identifying legitimate users before granting access. MFA is a security mechanism that requires users to present at least two independent factors: something they know, such as a password, plus something they have or something they are.

In practice this means that a user provides a correct username and password, then another form of proof such as a verification code or a physical object that only the legitimate user possesses.

Some forms of MFA are vulnerable to security threats and may not serve the intended purpose of providing access only to authorized users. Such include using text messages for MFA verification.

SMS and MFA

The use of SMS in MFA is one of the most popularly used means for authenticating users. Industry leaders like Google and Microsoft often send verification codes using phone numbers linked to different accounts. Upon submitting the correct code, a user is granted access.

However, many people are unaware of the severe security threats of SMS-based MFA. For example, Voxox, a communications company based in San Diego, left a database holding over ten million messages exposed without a password. Anyone could read real-time messages carrying two-factor verification codes for Google, Microsoft, and Huawei IDs[1]. Imagine a malicious individual with access to such a database.

SIM Swap Attacks

SMS-based MFA is also insecure because of the ease with which a SIM swap attack can be executed. A SIM swap requires no technical expertise; anyone holding the right personal details about the target can do it. In the U.S., for example, the target's social security number and a few other identifying details can be enough to request a SIM swap with a single phone call to the carrier. The attacker's new SIM then receives the victim's authentication codes, giving direct access to every account protected by them.

Network Security Flaws

The SS7 signaling network used by most carriers to route calls and text messages has numerous security flaws that can be exploited. An attacker with SS7 access can intercept any message sent to or from your phone number; for instance, messages can be redirected to an attacker-controlled device and then forwarded on to the original destination. It is therefore possible to intercept and use a verification code before the owner ever sees it.

Forensic expert Jonathan Zdziarski argues that text messages are not the best MFA approach. He stated that a "mobile phone as a means of authentication can be socially engineered out of your control"[2]. This and other vulnerabilities led the National Institute of Standards and Technology (NIST) to discourage the use of MFA based on text messages. Rather than SMS, NIST and leading organizations advocate more secure means such as dedicated MFA apps (for example RSA SecurID and Google Authenticator) and dedicated hardware tokens such as security keys.


[1] https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/

[2] https://medium.com/@powerb91/text-message-based-two-factor-authentication-is-a-weak-form-of-security-choose-a-more-robust-64fbb89e52f7