CIO Agenda: Cloud, Cybersecurity, and AI Investments Ahead

Enterprises that employed “business composability” were more likely to succeed during the volatility caused by the pandemic, according to Gartner. That volatility is here to stay, so now is the time to get ready for it.
Nearly two years after a massive disruption hit enterprises, a few lessons are evident. Some organizations quickly adapted to the circumstances, recognized the opportunities available, and acted to capitalize on them. Other organizations were caught unprepared for the unexpected and struggled to keep going. Some of them shut down.

What separated the successful organizations from the organizations that subsisted or didn’t make it at all? One factor might be what Gartner is calling “business composability,” or “the mindset, technologies, and a set of operating capabilities that enable organizations to innovate and adapt quickly to changing business needs.” This composability was a major theme at the Gartner IT Symposium/Xpo Americas, and Gartner is promoting the concept of business composability as the way for businesses to thrive through disruption in 2022 and beyond.

“Business composability is an antidote to volatility,” says Monika Sinha, research VP at Gartner,. “Sixty-three percent of CIOs at organizations with high composability reported superior business performance, compared with peers or competitors in the past year. They are better able to pursue new value streams through technology, too.”

Sinha compares the concept of composability to the way toy Legos work. She told InformationWeek in an interview that composability is about creating flexible and adaptive organizations with departments that can be re-arranged to create new value streams. She says organizations should target the following three domains of business composability:

1. Composable thinking

“This is the ability to be dynamic in your thinking as an organization,” Sinha says. This kind of thinking recognizes that business conditions often change, and it empowers the teams closest to the action to respond to the new conditions. “Traditional business thinking views change as a risk, while composable thinking is the means to master the risk of accelerating change and to create new business value.”

2. Composable business architecture

This is the ability of organizations to create dynamic ways of working, Sinha says. For instance, during the pandemic, some retailers were able to pivot quickly to providing curbside pickup, and some healthcare providers pivoted to providing telehealth appointments.

“Organizations looked at different types of models in terms of delivery,” she says. “In these types of organizations, it is really about creating ‘agile’ at scale, and agile types of working in the organization.”

Sinha notes that digital business initiatives fail when business leaders commission projects from IT and then shirk accountability for the implementation of results, treating it as another IT project. “High-composability enterprises embrace distributed accountability for digital outcomes, reflecting a shift that most CIOs have been trying to make for several years, as well as create multidisciplinary teams that blend business and IT units to drive business results,” Sinha says.

3. Composable technology

This is the IT architecture or technology stack, says Sinha. Technology is a catalyst for business transformation and thinking, and developing a flexible and modular technology architecture enables bringing together the parts needed to support transformation.

Distributed cloud and artificial intelligence are the two main technologies that a majority of high-composability enterprises have already deployed or plan to deploy in 2022, according to Gartner’s CIO Agenda survey. Gartner notes that these technologies are a catalyst for business composability because they enable modular technology capabilities.

Tech investments for 2022

Another major technology at the top of the list of planned investments for 2022 is cyber and information security, with 66% of respondents saying they expect to increase associated investments in the next year.

“Many organizations were dabbling with composability before the pandemic,” Sinha says. “What we saw was that those that were composable came out ahead after the pandemic. The pandemic highlighted the importance and the value of composability”..[…] Read more »…..

 

Bridging the gender gap in cybersecurity

In a panel at the ISC2 Security Congress 2021, Sharon Smith, CISSP, Lori Ross O’Neil, CISSP, Aanchal Gupta and Meg West, M.S., CISSP, discussed the challenges and opportunities of being a woman in cybersecurity. From the factors that lead to women being underrepresented in cybersecurity to removing those barriers, the cybersecurity leaders discussed their ideas on how to bridge the gender gap in the field.

Contributing factors to the underrepresentation of women

Gupta believes that a cybersecurity awareness gap contributes to the underrepresentation of women in the field. With her background in software engineering, Gupta declined her first offer to pivot to cybersecurity, believing that she didn’t possess the correct qualifications. Once she entered the field, she realized the vastness of the cybersecurity space and how people with varied skillsets thrive in the industry. Helping women understand that they don’t need a cybersecurity or computer science degree to enter the field can attract more qualified women to the industry. Smith added that hiring managers should also be aware that qualified candidates exist outside of those majors.

Women looking to transition into cybersecurity mid-career can frame the change as adding cyber to their profession. O’Neil’s passion is bringing cybersecurity to other disciplines — someone with an accounting or chemistry background can benefit from cybersecurity coursework in order to do their jobs safely and securely. Certifications are a great way to enter the industry, as well as seeking out online communities and information can help entering the field by immersing oneself in the cybersecurity sphere.

How do we remove barriers from cybersecurity

Although the number of women in cybersecurity has increased over the past years, there is still a ways to go to achieve equal gender representation in the field. “We should get ahead of this problem by engaging with women and other underrepresented groups early on,” said Gupta. Reaching young people with capture-the-flag style exercises, coding programs and cybersecurity information provides industry exposure at an early age and allows them to imagine what a career in cybersecurity might look like.

Breaking down self-imposed barriers, changing a broken hiring system that relies on AI searching for keywords to select candidates and more men stepping up as allies in the field are all ideas suggested by Smith to bridge the gender gap in cybersecurity. Looking for opportunities to educate women and other underrepresented groups on cybersecurity roles can increase the amount of those groups in the field.

All women on the panel shared experiences when they were affected by sexism in the industry. West began as an associate in cybersecurity at a Fortune 100 company as the youngest and only female employee on the team. On one of her first days on the job, one of her coworkers told her that the only reason she got the job was to fill a diversity quota. West took this comment as a challenge — within about 3 years, she was promoted from being a cybersecurity associate to the Global Incident Response Manager at the age of 24. She created the role and advocated for her promotion with statistics of her accomplishments. “Just because an opportunity does not exist, that doesn’t mean I can’t create it myself,” said West..[…] Read more »….

 

How gamification boosts security awareness training effectiveness

Ransomware and its partner in crime phishing are very much in the spotlight of late. According to the Phishing Activity Trends Report by APWG, the quantity of phishing doubled in 2020 and continues to rise.

In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a campaign to address ransomware. It takes a two-pronged approach: improving security readiness and raising awareness. Its campaign encourages organizations to implement best practices, tools and resources to mitigate the risk of falling victim to ransomware.

“Anyone can be the victim of ransomware, and so everyone should take steps to protect their systems,” said Director of CISA Brandon Wales.

But protection doesn’t just mean buying new security systems and implementing better processes and policies. The CISA campaign emphasizes training as an integral part of anti-ransomware and anti-phishing success.

Employee security awareness training

“The greatest technology in the world won’t do you much good if your users are not well educated on security and don’t know what to do and not do,” said Greg Schulz, an analyst at Server StorageIO Group. “Too many security issues are attributed to humans falling prey to social engineering.”

But the effectiveness of security training varies significantly depending on the approach. According to a report by Computer Economics, Security Training Adoption and Best Practices 2021, the security training given to staff in some cases only goes as far as insisting all users sign off on reading organizational security policies and procedures. How much of it are they likely to retain?

“All it takes is one weak link among the workforce, and state-of-the-art security technology is breached,” said Frank Scavo, President of Computer Economics. “The goal of security training should be to erect a human firewall of informed and ever-vigilant users: an army of personnel with high awareness of social engineering methods provides an extra safeguard against attack.”

Lunch-and-learn anti-phishing awareness briefings are a little better than only making employees read policy. Lunch-and-learns may earn a small improvement in the reduction of phishing success, but not nearly enough. Similarly, traditional classroom and textbook learning has only a modest effect on the number of phishing victims.

What it takes is a multi-faceted response to phishing and ransomware via interactive learning. The introduction of gamification, in particular, to the field of security awareness training has been shown to boost results.

Gamification of cybersecurity training

“People can easily tune out when subjected to static security awareness training,” said Schulz. “But make it an interactive learning experience or game, and people are more likely to engage while being entertained and educated on the do’s and don’ts of modern IT security threat risks.”

What exactly is gamification? Gabe Zichermann, author of “The Gamification Revolution,” defined it as “taking what’s fun about games and applying it to situations that maybe aren’t so fun.”

Gamification is essentially about finding ways to engage people emotionally to motivate them to behave in a particular way or decide to forward a specific goal. In training, it’s used to make learning a lot more fun.

Effective gamification techniques applied to security training use quizzes, interactive videos, cartoons and short films with characters and plots that entertain while getting across the important facts about phishing and other scams — and how to avoid them.

In “The Forrester Wave: Security Awareness and Training Solutions, Q1 2020,” Jinan Budge, an analyst at Forrester Research, said, “Successful vendors deliver the ABCs of security: awareness, behavior and culture. Look for providers that truly understand how training contributes to your overall security culture and don’t just check the training requirement box.”

Later in the same report, she added: “Choose vendors that create positive content with inclusive, clear and compelling images and that engage users with alternative content types like gamification, microlearning and virtual reality (VR). Some vendors offer true gamification that involves teams, competition and advanced graphic design, engaging discerning audiences on a deeper level than multiple-choice tests or phishing simulations.”..[…] Read more »….

 

Why Detection-As-Code Is the Future of Threat Detection

As security moves to the cloud, manual threat detection processes are unable to keep pace. This article will discuss how detection engineering can advance security operations just as DevOps improved the app development world. We’ll explore detection-as-code (DaC) and innumerate several compelling benefits of this trending approach to threat detection.

What is detection-as-code?

Detection-as-code is a systematic, flexible, and comprehensive approach to threat detection powered by software; the same way infrastructure as code (IaC) and configuration-as-code are about machine-readable definition files and descriptive models for composing infrastructure at scale.

It is a structured approach to analyzing security log data used to identify attacker behaviors. Using software engineering best practices to write expressive detections and automate responses, security teams can build scalable processes to identify sophisticated threats across rapidly expanding environments.

Done right, detection engineering — the set of practices and systems to deliver modern and effective threat detection — can advance security operations just as DevOps improved the app development world.

Similar to a change CI/CD workflow, a detection engineering workflow might include the following steps:

  • Observe a suspicious or malicious behavior
  • Model it in code
  • Write various test cases
  • Commit to version control
  • Deploy to staging, then production
  • Tune and update

You can see that the detection engineering CI/CD workflow is not so much about treating detections as code but about improving detection engineering to be an authentic engineering practice; one that is built on modern software development principles.

The concept of detection-as-code grew out of security’s need for automated, systematic, repeatable, predictable, and shareable approaches. It is essential because threat detection was not previously fully developed as a systematic discipline with effective automation and predictably good results.

Threat detection programs that are precisely adjusted for particular environments and systems have the most potent effect. By using detections as well-written code that can be tested, checked into source control, and code-reviewed by peers, security teams can produce higher-quality alerts that reduce burnout and quickly flag questionable activity.

What are the benefits of detection-as-code?

The benefits of detection-as-code include the ability to:

  1. Build custom, flexible detections using a programming language
  2. Adopt a Test-Driven Development (TDD) approach
  3. Incorporate with version control systems
  4. Automate workflows
  5. Reuse code

Writing detections in a universally recognized, flexible, and expressive language like Python offers several advantages. Instead of using domain-specific languages with too many limitations, you can write more custom and complex detections to fit the precise needs of your enterprise. These language rules are also often more readable and easy to understand. This characteristic can be crucial as complexity increases.

An additional benefit of using expressive language is the ability to use a rich set of built-in or third-party libraries developed or familiar by security practitioners for communicating with APIs, which improves the effectiveness of the detection.

Quality assurance for detection code can illuminate detection blind spots, test for false positives, and promote detection efficacy. A TDD approach enables security teams to anticipate an attacker’s approach, document what they learn, and create a library of insights into the attacker’s strategy.

Over and above code correctness, a TDD approach improves the quality of detection code and enables more modular, extensible, and flexible detections. Engineers can easily modify their code without fear of breaking alerts or weakening security.

When writing or modifying detections, version control allows practitioners to revert to previous states swiftly. It also confirms that security teams are using the most updated detection. Additionally, version control can provide needed meaning for specific detections that trigger an alert or help identify changes in detections.

Over time, detections must change as new or additional data enters the system. Change control is an essential process to help teams adjust detections as needed. An effective change control process will also ensure that all changes are documented and reviewed.

Security teams that have been waiting to shift security left will benefit from a CI/CD pipeline. Starting security operations earlier in the delivery process helps to achieve these two goals:

  • Eliminate silos between teams that work together on a shared platform and code-review each other’s work.
  • Provide automated testing and delivery systems for your security detections. Security teams remain agile by focusing on building precision detections.

Finally, DaC promotes code reusability across broad sets of detections. As security detection engineers write detections over time, they start to identify patterns as they emerge. Engineers can reuse existing code to meet similar needs across different detections without starting completely over.

Reusability is an essential part of detection engineering that allows teams to share functions across different detections or change and adjust detections for particular use-cases…[…] Read more »

 

9 best practices for network security

Network security is the practice of protecting the network and data to maintain the integrity, confidentiality and accessibility of the computer systems in the network. It covers a multitude of technologies, devices and processes, and makes use of both software- and hardware-based technologies.

Each organization, no matter what industry they belong to or what their infrastructure size is, requires comprehensive network security solutions to protect it from various cyberthreats happening in the wild today.

Network security layers

When we talk about network security, we need to consider layers of protection:

Physical network security

Physical network security controls deal with preventing unauthorized persons from gaining physical access to the office and network devices, such as firewalls and routers. Physical locks, ID verification and biometric authentication are few measures in place to take care of such issues.

Technical network security

Technical security controls deal with the devices in the network and data stored and in transit. Also, technical security needs to protect data and systems from unauthorized personnel and malicious activities from employees.

Administrative network security

Administrative security controls deal with security policies and compliance processes on user behavior. It also includes user authentication, their privilege level and implementing changes to the existing infrastructure.

Network security best practices

Now we have a basic understanding and overview of network security, let’s focus on some of the network security best practices you should be following.

1. Perform a network audit

The first step to secure a network is to perform a thorough audit to identify the weakness in the network posture and design. Performing a network audit identifies and assesses:

  • Presence of security vulnerabilities
  • Unused or unnecessary applications
  • Open ports
  • Anti-virus/anti-malware and malicious traffic detection software
  • Backups

In addition, third-party vendor assessments should be conducted to identify additional security gaps.

2. Deploy network and security devices

Every organization should have a firewall and a web application firewall (WAF) for protecting their website from various web-based attacks and to ensure safe storage of their data. To maintain the optimum security of the organization and monitor traffic, various additional systems should be used, such as intrusion detection and prevention (IDS/IPS) systems, security information and event management (SIEM) systems and data loss prevention (DLP) software.

3. Disable file sharing features

Though file sharing sounds like a convenient method for exchanging files, it’s advisable to enable file sharing only on a few independent and private servers. File sharing should be disabled on all employee devices.

4. Update antivirus and anti-malware software

Businesses purchase desktop computers and laptops with the latest version of antivirus and anti-malware software but fail to keep it updated with new rules and updates. By ensuring that antivirus and anti-malware are up to date, one can be assured that the device is running antivirus with the latest bug fixes and security updates.

5. Secure your routers

A security breach or a security event can take place simply by hitting the reset button on the network router. Thus it is paramount to consider moving routers to a more secure location such as a locked room or closet. Also, video surveillance equipment and CCTV can be installed in the server or network room. In addition, the router should be configured to change default passwords and network names, which attackers can easily find online.

6. Use a private IP address

To avoid unauthorized users or devices from accessing the critical devices and servers in the network, private IP addresses should be assigned to them. This practice enables the IT administrator to easily tap on all unauthorized attempts by the users or devices connecting to your network for any suspicious activity.

7. Establish a network security maintenance system

A proper network security maintenance system should be established which involves processes such as :

  1. Perform regular backups
  2. Updating the software
  3. Schedule change in network name and passwords

Once a network security maintenance system is established, document it and circulate it to your team…[…] Read more »….

 

5 minutes with Vishal Jain – Navigating cybersecurity in a hybrid work environment

Are you ready for hybrid work? Though the hybrid office will create great opportunities for employees and employers alike, it will create some cybersecurity challenges for security and IT operations. Here, Vishal Jain, Co-Founder and CTO at Valtix, a Santa Clara, Calif.-based provider of cloud native network security services, speaks to Security magazine about the many ways to develop a sustainable cybersecurity program for the new hybrid workforce.

Security: What is your background and current role? 

Jain: I am the co-founder and CTO of Valtix. My background is primarily building products and technology at the intersection of networking, security and cloud; built Content Delivery Networks (CDNs) during early days of Akamai and just finished doing Software Defined Networking (SDN) in a startup which built ACI for Cisco.

 

Security: There’s a consensus that for many of us, the reality will be a hybrid workplace. What does the hybrid workforce mean for cybersecurity teams?

Jain: The pandemic has accelerated trends that had already begun before 2019. We’ve just hit an inflection point on the rate of change – taking on much more change in a much shorter period of time. The pandemic is an inflection point for cloud tech adoption. I think about this in three intersections of work, apps, infrastructure, and security:

  1. Work and Apps: A major portion of the workforce will continue to work remotely, communicating using collaboration tools like Zoom, WebEx, etc. Post-pandemic, video meetings would be the new norm compared to the old model where in-person meeting was the norm. The defaults have changed. Similarly, the expectation now is that any app is accessible anywhere from any device.
  2. Apps and Infrastructure: Default is cloud. This also means that expectation on various infrastructure is now towards speed, agility, being infinite and elastic and being delivered as a service.
  3. Infrastructure and Security: This is very important for cybersecurity teams, how do they take a discipline like security from a static environment (traditional enterprise) and apply it to a dynamic environment like cloud.

Security: What solutions will be necessary for enterprise security to implement as we move towards this new work environment?

Jain: In this new work environment where any app is accessible anywhere from any device, enterprise security needs to focus on security of users accessing those apps and security of those apps themselves. User-side security and securing access to the cloud is a well-understood problem now, plenty of innovation and investments have been made here. For security of apps, we need to look back at intersections 2 and 3, mentioned previously.

Enterprises need to understand security disciplines but implementation of these is very different in this new work environment. Security solutions need to evolve to address security & ops challenges. On the security side, definition of visibility has to expand. On the operational side of security, solutions need to be cloud-native, elastic, and infinitely scalable so that enterprises can focus on applications, not the infrastructure.

Security: What are some of the challenges that will need to be overcome as part of a hybrid workplace?

Jain: Engineering teams typically have experiences working across distributed teams so engineering and the product side of things are not super challenging as part of a hybrid workplace. On the other hand, selling becomes very different, getting both customers and the sales team used to this different world is a challenge enterprises need to focus on. Habits and culture are always the hardest part to change. This is true in security too. There is a tendency to bring in old solutions to secure this new world. Security practitioners could try to bring in the same tech and product he/she has been using for 10 years but deep down they know it’s a bad fit…[…] Read more »….

 

What types of cybersecurity skills can you learn in a cyber range?

What is a cyber range?

A cyber range is an environment designed to provide hands-on learning for cybersecurity concepts. This typically involves a virtual environment designed to support a certain exercise and a set of guided instructions for completing the exercise.

A cyber range is a valuable tool because it provides experience with using cybersecurity tools and techniques. Instead of learning concepts from a book or reading a description about using a particular tool or handling a certain scenario, a cyber range allows students to do it themselves.

What skills can you learn in a cyber range?

A cyber range can teach any cybersecurity skill that can be learned through hands-on experience. This covers many crucial skill sets within the cybersecurity space.

SIEM, IDS/IPS and firewall management

Deploying certain cybersecurity solutions — such as SIEM, IDS/IPS and a firewall — is essential to network cyber defense. However, these solutions only operate at peak effectiveness if configured properly; if improperly configured, they can place the organization at risk.

A cyber range can walk through the steps of properly configuring the most common solutions. These include deployment locations, configuration settings and the rules and policies used to identify and block potentially malicious content.

Incident response

After a cybersecurity incident has occurred, incident response teams need to know how to investigate the incident, extract crucial indicators of compromise and develop and execute a strategy for remediation. Accomplishing this requires an in-depth knowledge of the target system and the tools required for effective incident response.

A cyber range can help to teach the necessary processes and skills through hands-on simulation of common types of incidents. This helps an incident responder to learn where and how to look for critical data and how to best remediate certain types of threats.

Operating system management: Linux and Windows

Each operating system has its own collection of configuration settings that need to be properly set to optimize security and efficiency. A failure to properly set these can leave a system vulnerable to exploitation.

A cyber range can walk an analyst through the configuration of each of these settings and demonstrate the benefits of configuring them correctly and the repercussions of incorrect configurations. Additionally, it can provide knowledge and experience with using the built-in management tools provided with each operating system.

Endpoint controls and protection

As cyber threats grow more sophisticated and remote work becomes more common, understanding how to effectively secure and monitor the endpoint is of increasing importance. A cyber range can help to teach the required skills by demonstrating the use of endpoint security solutions and explaining how to identify and respond to potential security incidents based upon operating system and application log files.

Penetration testing

This testing enables an organization to achieve a realistic view of its current exposure to cyber threats by undergoing an assessment that mimics the tools and techniques used by a real attacker. To become an effective penetration tester, it is necessary to have a solid understanding of the platforms under test, the techniques for evaluating their security and the tools used to do so.

A cyber range can provide the hands-on skills required to learn penetration testing. Vulnerable systems set up on virtual machines provide targets, and the cyber range exercises walk through the steps of exploiting them. This provides experience in selecting tools, configuring them properly, interpreting the results and selecting the next steps for the assessment.

Network management

Computer networks can be complex and need to be carefully designed to be both functional and secure. Additionally, these networks need to be managed by a professional to optimize their efficiency and correct any issues.

A cyber range can provide a student with experience in diagnosing network issues and correcting them. This includes demonstrating the use of tools for collecting data, analyzing it and developing and implementing strategies for fixing issues.

Malware analysis

Malware is an ever-growing threat to organizational cybersecurity. The number of new malware variants grows each year, and cybercriminals are increasingly using customized malware for each attack campaign. This makes the ability to analyze malware essential to an organization’s incident response processes and the ability to ensure that the full scope of a cybersecurity incident is identified and remediated.

Malware analysis is best taught in a hands-on environment, where the student is capable of seeing the code under test and learning the steps necessary to overcome common protections. A cyber range can allow a student to walk through basic malware analysis processes (searching for strings, identifying important functions, use of a debugging tool and so on) and learn how to overcome common malware protections in a safe environment.

Threat hunting

Cyber threats are growing more sophisticated, and cyberattacks are increasingly able to slip past traditional cybersecurity defenses like antivirus software. Identifying and protecting against these threats requires proactive searches for overlooked threats within an organization’s environment. Accomplishing this requires in-depth knowledge of potential sources of information on a system that could reveal these resident threats and how to interpret this data.

A cyber range can help an organization to build threat hunting capabilities. Demonstrations of the use of common threat hunting tools build familiarity and experience in using them.

Exploration of common sources of data for use in threat hunting and experience in interpreting this data can help future threat hunters to learn to differentiate false positives from true threats.

Computer forensics

Computer forensics expertise is a rare but widely needed skill. To be effective at incident response, an organization needs cybersecurity professionals capable of determining the scope and impacts of an attack so that it can be properly remediated. This requires expertise in computer forensics…[…] Read more »….

 

Social Engineering: Life Blood of Data Exploitation (Phishing)

What do Jeffrey Dahmer, Ted Bundy, Wayne Gacy, Dennis Rader, and Frank Abigail all have in common, aside from the obvious fact that they are all criminals?  They are also all master manipulators that utilize the art of social engineering to outwit their unsuspecting victims into providing them with the object or objects that they desire.  They appear as angels of light but are no more than ravenous wolves in sheep’s clothing. There are six components of an information system: Humans, Hardware, Software, Data, Network Communication, and Policies; with the human being the weakest link of the six.

By Zachery S. Mitcham, MSA, CCISO, CSIH, VP and Chief Information Security Officer, SURGE Professional Services-Group
Social engineering is the art of utilizing deception to manipulate a subject into providing the manipulator with the object or objects they are seeking to obtain. Pretexting is often used in order to present a false perception of having creditability via sources universally known to be valid. It is a dangerous combination to be gullible and greedy. Social engineers prey on the gullible and greedy using the full range of human emotions to exploit their weaknesses via various scams, of which the most popular being phishing.  They have the uncanny ability to influence their victim to comply with their demands.

Phishing is an age-old process of scamming a victim out of something by utilizing bait that appears to be legitimate. Prior to the age of computing, phishing was conducted mainly through chain mail but has evolved over the years in cyberspace via electronic mail. One of the most popular phishing scams is the Nigerian 419 scam, which is named after the Nigerian criminal code that addresses the crime.

Information security professionals normally eliminate the idea of social norms when investigating cybercrime.  Otherwise, you will be led into morose mole tunnels going nowhere. They understand that the social engineering cybercriminal capitalizes on unsuspecting targets of opportunity. Implicit biases can lead to the demise of the possessor. Human behavior can work to your disadvantage if left unchecked. You profile one while unwittingly becoming a victim of the transgressions of another. These inherent and natural tendencies can lead to breaches of security. The most successful cybersecurity investigators have a thorough understanding of the sophisticated criminal mind.

Victims of social engineering often feel sad and embarrassed. They are reluctant to report the crime depending on its magnitude. And the CISO to comes the rescue! In order to get to the root cause of the to determine the damage caused to the enterprise, the CISO must put the victim at ease by letting them know that they are not alone in their unwitting entanglement.

These are some tips that can assist you with an anti-social engineering strategy for your enterprise: Employ Sociological education tools by developing a comprehensive Information Security Awareness and Training program addressing all six basic components that make up the information system. The majority of security threats that exist on the network are a direct result of insider threats caused by humans, no matter if they are unintentional or deliberate. The most effective way an organization can mitigate the damaged caused by insider threats is to develop effective security awareness and training program that is ongoing and mandatory.

Deploy enterprise technological tools that protect your human capital against themselves.

Digital Rights Management (DRM) and Data Loss Prevention (DLP) serve as effective defensive tools that protect from the exfiltration enterprise data in the event that it falls into the wrong hands...[…] Read more »…..

This article first appeared in CISO MAG.

<Link to CISO MAG site: www.cisomag.com>

How to find weak passwords in your organization’s Active Directory

Introduction

Confidentiality is a fundamental information security principle. According to ISO 27001, it is defined as ensuring that information is not made available or disclosed to unauthorized individuals, entities or processes. There are several security controls designed specifically to enforce confidentiality requirements, but one of the oldest and best known is the use of passwords.

In fact, aside from being used since ancient times by the military, passwords were adopted quite early in the world of electronic information. The first recorded case dates to the early 1960s by an operating system created at MIT. Today, the use of passwords is commonplace in most people’s daily lives, either to protect personal devices such as computers and smartphones or to prevent unwanted access to corporate systems.

With such an ancient security control, it’s only natural to expect it has evolved to the point where passwords are a completely effective and secure practice. The hard truth is that even today, the practice of stealing passwords as a way to gain illegitimate access is one of the main techniques used by cybercriminals. Recent statistics, such as Verizon’s 2020 Data Breach Investigations Report leave no space to doubt: 37% of hacking-related breaches are tied to passwords that were either stolen or used in gaining unauthorized access.

For instance, in a quite recent case, Nippon Telegraph & Telephone (NTT) — a Fortune 500 company — disclosed a security breach in its internal network, where cybercriminals stole data on at least 621 customers. According to NTT, crackers breached several layers of its IT infrastructure and reached an internal Active Directory (AD) to steal data, including legitimate accounts and passwords. This lead to unauthorized access to a construction information management server.

Figure 1: Diagram of the NTT breach (source: NTT)

As with other directory services, Microsoft Active Directory remains a prime target for cybercriminals, since it is used by many businesses to centralize accounts and passwords for both users and administrators. Well, there’s no point in making cybercrime any easier, so today we are going to discuss how to find weak passwords in Microsoft Active Directory.

Active Directory: Password policy versus weak passwords

First, there is a point that needs to be clear: Active Directory indeed allows the implementation of a GPO (Group Policy Object) defining rules for password complexity, including items such as minimum number of characters, mandatory use of specials characters, uppercase and lowercase letters, maximum password age and even preventing a user from reusing previous passwords. Even so, it is still important to know how to find weak passwords, since the GPO may (for example) not have been applied to all Organizational Units (OUs).

But this is not the only problem. Even with the implementation of a good password policy, the rules apply only to items such as size, complexity and history, which is not a guarantee of strong passwords. For example, users tend to use passwords that are easy to memorize, such as Password2020! — which, although it technically meets the rules described above, cannot be considered safe and can be easily guessed by a cybercriminal.

Finding weak passwords in Active Directory can be simpler than you think. The first step is to know what you are looking for when auditing password quality. For this example, we will look for weak, duplicate, default or even empty passwords using the DSInternals PowerShell Module, which can be downloaded for free here.

DSInternals is an extremely interesting tool for Microsoft Administrators and has specific functionality for password auditing in Active Directory. It has the ability to discover accounts that share the same passwords or that have passwords available in public databases (such as the famous HaveIBeenPwned) or in a custom dictionary that you can create yourself to include terms more closely related to your organization.

Once installed, the password audit module in DSInternals Active Directory is quite simple to use. Just follow the syntax below:

Test-PasswordQuality [-Account] <DSAccount> [-SkipDuplicatePasswordTest] [-IncludeDisabledAccounts] 

[-WeakPasswords <String[]>] [-WeakPasswordsFile <String>] [-WeakPasswordHashesFile <String>] [-WeakPasswordHashesSortedFile <String>] [<CommonParameters>]

The Test-PasswordQuality cmdlet receives the output from the Get-ADDBAccount and Get-ADReplAccount cmdlets, so that offline (ntds.dit) and online (DCSync) password analyses can be done. A good option to obtain a list of leaked passwords is to use the ones provided by HaveIBeenPwned, which are fully supported in DSInternals. In this case, be sure to download the list marked “NTLM (sorted by hash)”..[…] Read more »….

 

How Object Storage Is Taking Storage Virtualization to the Next Level

We live in an increasingly virtual world. Because of that, many organizations not only virtualize their servers, they also explore the benefits of virtualized storage.

Gaining popularity 10-15 years ago, storage virtualization is the process of sharing storage resources by bringing physical storage from different devices together in a centralized pool of available storage capacity. The strategy is designed to help organizations improve agility and performance while reducing hardware and resource costs. However, this effort, at least to date, has not been as seamless or effective as server virtualization.

That is starting to change with the rise of object storage – an increasingly popular approach that manages data storage by arranging it into discrete and unique units, called objects. These objects are managed within a single pool of storage instead of a legacy LUN/volume block store structure. The objects are also bundled with associated metadata to form a centralized storage pool.

Object storage truly takes storage virtualization to the next level. I like to call it storage virtualization 2.0 because it makes it easier to deploy increased storage capacity through inline deduplication, compression, and encryption. It also enables enterprises to effortlessly reallocate storage where needed while eliminating the layers of management complexity inherent in storage virtualization. As a result, administrators do not need to worry about allocating a given capacity to a given server with object storage. Why? Because all servers have equal access to the object storage pool.

One key benefit is that organizations no longer need a crystal ball to predict their utilization requirements. Instead, they can add the exact amount of storage they need, anytime and in any granularity, to meet their storage requirements. And they can continue to grow their storage pool with zero disruption and no application downtime.

Greater security

Perhaps the most significant benefit of storage virtualization 2.0 is that it can do a much better job of protecting and securing your data than legacy iterations of storage virtualization.

Yes, with legacy storage solutions, you can take snapshots of your data. But the problem is that these snapshots are not immutable. And that fact should have you concerned. Why? Because, although you may have a snapshot when data changes or is overwritten, there is no way to recapture the original.

So, once you do any kind of update, you have no way to return to the original data. Quite simply, you are losing the old data snapshots in favor of the new. While there are some exceptions, this is the case with the majority of legacy storage solutions.

With object storage, however, your data snapshots are indeed immutable. Because of that, organizations can now capture and back up their data in near real-time—and do it cost-effectively. An immutable storage snapshot protects your information continuously by taking snapshots every 90 seconds so that even in the case of data loss or a cyber breach, you will always have a backup. All your data will be protected.

Taming the data deluge

Storage virtualization 2.0 is also more effective than the original storage virtualization when it comes to taming the data tsunami. Specifically, it can help manage the massive volumes of data—such as digital content, connected services, and cloud-based apps—that companies must now deal with. Most of this new content and data is unstructured, and organizations are discovering that their traditional storage solutions are not up to managing it all.

It’s a real problem. Unstructured data eats up a vast amount of a typical organization’s storage capacity. IDC estimates that 80% of data will be unstructured in five years. For the most part, this data takes up primary, tier-one storage on virtual machines, which can be a very costly proposition.

It doesn’t have to be this way. Organizations can offload much of this unstructured data via storage virtualization 2.0, with immutable snapshots and centralized pooling capabilities.

The net effect is that by moving the unstructured data to object storage, organizations won’t have it stored on VMs and won’t need to backup in a traditional sense. With object storage taking immutable snaps and replicating to another offsite cluster, it will eliminate 80% of an organization’s backup requirements/window.

This dramatically lowers costs. Because instead of having 80% of storage in primary, tier-one environments, everything is now stored and protected on object storage.

All of this also dramatically reduces the recovery time of both unstructured data from days and weeks to less than a minute, regardless of whether it’s TB or PB of data. And because the network no longer moves the data around from point to point, it’s much less congested. What’s more, the probability of having failed data backups goes away, because there are no more backups in the traditional sense.

The need for a new approach

As storage needs increase, organizations need more than just virtualization..[…] Read more »