The Importance of PAM and MFA in Cybersecurity

As the digital landscape continues to evolve rapidly, so does the threat of cyber-attacks. In fact, according to a recent Cybersecurity Ventures report, cybercrime is predicted to cost the world $6 trillion annually by 2021. One of the most effective ways to protect your organization from these threats is by implementing robust security measures such as Privileged Access Management (PAM) and Multi-Factor Authentication (MFA). In this article, we’ll explore the importance of PAM and MFA, and how they can help safeguard your organization’s sensitive data and systems.

Cybercrime predicted to cost the world $6 trillion annually by 2021.

Understanding Privileged Access Management

Privileged Access Management is a critical component of any organization’s cybersecurity strategy. It involves the process of granting, monitoring, and controlling access to sensitive systems and data for users with elevated permissions, such as administrators and IT personnel.

A Forrester report found that 80% of security breaches involve privileged credentials. Consequently, implementing PAM can significantly reduce the risk of unauthorized access to your organization’s critical assets.

Key Benefits of PAM

  1. Reduced Risk of Unauthorized Access: By limiting the number of users with elevated permissions, PAM reduces the risk of unauthorized access to sensitive information and systems.
  2. Improved Compliance: PAM helps organizations meet regulatory requirements by providing a clear audit trail of privileged access activities.
  3. Enhanced Security: PAM solutions often include advanced security features, such as session monitoring and real-time alerts, which help detect and prevent malicious activities.

The Role of Multi-Factor Authentication in Cybersecurity

Multi-Factor Authentication is a security measure that requires users to provide two or more forms of identification to access a system or application. This additional layer of security makes it more difficult for attackers to gain unauthorized access to sensitive data and systems.

According to a Microsoft study, MFA can prevent 99.9% of account attacks. Therefore, implementing MFA is a crucial step in safeguarding your organization’s digital assets.

Types of MFA Factors

  1. Something You Know: This includes passwords, PINs, or security questions.
  2. Something You Have: This involves physical tokens, such as a smartphone or a hardware token.
  3. Something You Are: This includes biometric factors like fingerprints, facial recognition, or voice recognition.

MFA factors, something you know, something you have, something you are.

Combining PAM and MFA for Optimal Security

When PAM and MFA are implemented together, they provide a powerful defense against cyber threats. By limiting privileged access and requiring multiple forms of identification, organizations can significantly reduce the risk of unauthorized access to their sensitive data and systems.

Best Practices for Implementing PAM and MFA

  1. Conduct a Thorough Assessment: Identify all privileged accounts and access points within your organization to determine the appropriate PAM and MFA solutions.
  2. Implement the Principle of Least Privilege: Grant users the minimum level of access necessary to perform their job functions.
  3. Regularly Review and Update Access Controls: Continuously monitor and adjust access controls to ensure they remain effective and up-to-date.
  4. Educate and Train Users: Provide ongoing training and education to ensure users understand the importance of PAM and MFA and follow best practices for maintaining security.

Strengthening Your Organization’s Cybersecurity with PAM and MFA

In today’s rapidly evolving digital landscape, implementing robust security measures like Privileged Access Management and Multi-Factor Authentication is more critical than ever. By combining these two powerful tools, organizations can significantly reduce the risk of unauthorized access to their sensitive data and systems, ultimately protecting their valuable assets and reputation.

Ready to learn more about enhancing your organization’s cybersecurity strategy? Learn more here!

Sources:

Cybersecurity Ventures – Global Ransomware Damage Costs

Forrester – The Forrester Wave: Privileged Identity Management, Q4 2018

Microsoft – One Simple Action You Can Take to Prevent 99.9% of Account Attacks

The Importance of Privileged Access Management in Cloud Computing

As the world becomes more interconnected, cloud computing has emerged as an essential technology for businesses to keep up with the ever-evolving digital landscape. With its numerous benefits, such as cost reduction, flexibility, and scalability, it’s no surprise that the global cloud computing market is projected to reach a staggering $832.1 billion by 2025. However, as more and more organizations migrate their operations to the cloud, the issue of privileged access management (PAM) becomes increasingly critical.

In this blog post, we will discuss the importance of privileged access management in cloud computing, the risks associated with inadequate PAM, and the best practices for implementing an effective PAM strategy. So, let’s dive in!

Importance of PAM and cloud computing.

What is Privileged Access Management?

Privileged access management is a security approach that focuses on monitoring and controlling the access and permissions of privileged users. These users, such as system administrators and IT managers, have elevated permissions to access sensitive data, critical systems, and applications. In the context of cloud computing, PAM helps ensure that only authorized users can access and manage cloud-based resources.

Why is PAM Important in Cloud Computing?

The importance of PAM in cloud computing cannot be overstated. Here are some reasons why:

1. Increased Risk of Data Breaches

According to a recent study by IBM, the average cost of a data breach in 2020 was $3.86 million. With such high stakes, organizations must prioritize securing their cloud environments. PAM plays a crucial role in preventing unauthorized access to sensitive data and systems, reducing the risk of data breaches.

2. Compliance Requirements

Many industries are subject to strict regulatory requirements, such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). These regulations often mandate that organizations implement robust access controls, including PAM, to protect sensitive information.

3. Insider Threats

Insider threats are a growing concern for organizations, with a recent study revealing that they account for 34% of all data breaches. PAM helps mitigate the risk of insider threats by ensuring that only authorized users have access to critical systems and data.

Several risks of inadequate PAM.

The Risks of Inadequate PAM in Cloud Computing

Inadequate PAM can lead to several risks in cloud computing, including:

  • Unauthorized access: Without proper PAM, unauthorized users can gain access to sensitive data, systems, and applications, increasing the risk of data breaches.
  • Privilege escalation: Attackers can exploit vulnerabilities in cloud environments to elevate their access privileges, allowing them to gain control over critical resources.
  • Misconfigurations: Poorly implemented PAM can lead to misconfigurations, which can expose sensitive data and systems to potential attackers.
  • Account takeover: Attackers can use phishing or other social engineering techniques to compromise privileged accounts, leading to devastating consequences for organizations.

Best Practices for Implementing PAM in Cloud Computing

To mitigate the risks associated with inadequate PAM, organizations should consider implementing the following best practices:

1. Implement the Principle of Least Privilege

The principle of least privilege (POLP) entails granting users the minimum level of access necessary to perform their job functions. By limiting users’ access to only what they need, organizations can significantly reduce the risk of unauthorized access and privilege escalation.

2. Use Multi-Factor Authentication

Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide additional verification, such as a fingerprint or a one-time code, in addition to their password. Implementing MFA for privileged accounts can help prevent unauthorized access due to compromised credentials.

3. Regularly Review and Update Access Controls

Organizations should regularly review and update their access controls to ensure that only authorized users have access to critical resources. This includes revoking access for users who no longer require it, such as employees who have left the company or changed roles.

4. Monitor and Audit Privileged Activity

Monitoring and auditing privileged activity can help organizations detect and respond to potential security incidents more quickly. By analyzing logs and other data, organizations can identify unusual activity patterns that may indicate a security breach or insider threat.

5. Invest in PAM Solutions

There are several PAM solutions available in the market that can help organizations automate and streamline their PAM processes. These solutions can provide centralized management, access control, and monitoring of privileged accounts in cloud environments.

Embracing Cloud Computing

As organizations continue to embrace cloud computing, the need for effective privileged access management becomes increasingly important. By implementing robust PAM strategies and best practices, organizations can protect their sensitive data, ensure compliance with industry regulations, and reduce the risk of data breaches and insider threats.

Are you interested in learning more about privileged access management and other essential cloud security strategies? Learn more here!

PAM Best Practices: Secure Your Organization’s Privileged Access

As the digital landscape continues to evolve, organizations need to be increasingly vigilant when it comes to securing their privileged access. In fact, 80% of data breaches can be traced back to the misuse of privileged credentials. This alarming statistic highlights the importance of implementing a robust Privileged Access Management (PAM) solution. In this article, we will outline the best practices for PAM to help you safeguard your organization’s critical assets.

PAM best practices.

Understanding Privileged Access Management

Before diving into the best practices, it’s essential to understand what PAM is and why it matters. Privileged Access Management refers to the process of managing and securing access to an organization’s critical systems, applications, and data. This includes controlling who has access to these resources, as well as monitoring and auditing their activities.

By implementing a PAM solution, organizations can reduce the risk of unauthorized access, security breaches, and data leaks. This, in turn, helps to maintain the integrity and confidentiality of sensitive information.

PAM Best Practices for a Secure Organization

To ensure the effectiveness of your PAM solution, follow these best practices:

1. Identify and Inventory Privileged Accounts

The first step in implementing a PAM solution is identifying and inventorying all privileged accounts within your organization. This includes not only human users but also non-human entities such as applications and services that require elevated access.

To achieve this, conduct a thorough audit of your organization’s systems, applications, and data. Identify all accounts with administrative or elevated privileges, and maintain an up-to-date inventory of these accounts.

2. Implement the Principle of Least Privilege (POLP)

The principle of least privilege dictates that users should only be granted the minimum level of access necessary to perform their job functions. By limiting the number of users with elevated privileges, you can significantly reduce the risk of unauthorized access and security breaches.

To implement POLP, review the access levels of all privileged accounts and restrict their permissions as needed. Additionally, ensure that new accounts are created with the least amount of privilege required for their role.

3. Use Multi-Factor Authentication (MFA)

According to a recent study, 99% of cyber attacks can be prevented by implementing multi-factor authentication. MFA requires users to provide two or more forms of identification before gaining access to privileged resources. This adds an extra layer of security and makes it more difficult for attackers to compromise accounts.

Implement MFA for all privileged accounts and consider extending this security measure to all users within your organization.

Use Multi-Factor Authentication.

4. Monitor and Audit Privileged Activities

Monitoring and auditing privileged activities are crucial for detecting potential security threats and ensuring compliance with industry regulations. By tracking user actions, you can identify unusual or suspicious behavior that may indicate a security breach.

Implement a PAM solution that provides comprehensive monitoring and auditing capabilities. This should include real-time monitoring, alerting, and reporting on all privileged activities.

5. Implement Session Management

Session management involves controlling and monitoring active sessions for privileged users. This includes limiting the duration of sessions, automatically terminating inactive sessions, and restricting concurrent sessions.

Implementing session management can help prevent unauthorized access by ensuring that privileged sessions are not left unattended or hijacked by attackers.

6. Regularly Review and Update Access Controls

As your organization grows and evolves, it’s essential to regularly review and update your access controls. This includes adding or removing privileges as needed and ensuring that access levels remain appropriate for each user’s role.

Conduct periodic access reviews to identify any discrepancies and make necessary adjustments to maintain a secure environment.

Strengthen Your Organization’s Security

Implementing a robust PAM solution is vital for protecting your organization’s sensitive data and assets. By following these best practices, you can significantly reduce the risk of security breaches and unauthorized access.

Ready to take your organization’s privileged access management to the next level? Learn more here!

Sources:

TechTarget – 7 privileged access management best practices

Ekran System – PAM Best Practices

CyberArk – Best Practices for Privileged Access Management

Is Your Company Ready for a Cyberattack?

Can you ever be ready for a cyberattack—yes, you can!

Asking if you are ready for a cyberattack is like asking if you are ready for an accident. When an accident occurs, you can have insurance and the coverage you need to take care of the problem—with a cyberattack, if you have a cybersecurity partner on your side, you can do the same.

If you are not already prepared for a cyberattack, it is imperative you understand the serious and imminent dangers of an attack.

With global cybercrime damages predicted to cost up to $10.5 trillion annually by 2025, having a quality cybersecurity service is no longer an option, it’s a requirement. Hackers are coming at your company from all angles, intent on stealing (or holding hostage) your most valuable assets, and you need to be ready.

It’s no longer a matter of, “you should probably do something about that,” it’s a, “you NEED to make the necessary adjustments as soon as possible,” and here’s why.

Cybercrime costs organizations $2.9 million every minute, and major businesses lose $25 per minute as a result of data breaches. It takes 280 days to find and contain the average cyberattack, while the average attack costs $3.86 million. Companies in the United States have the highest average total cost at $8.64 million per breach, and it is estimated that half of all data breaches globally will occur in the United States by 2023. If you haven’t already, take a minute and look at one of the many cyber threat maps to see how many attacks are detected every second—there are hundreds of thousands every day!

That’s why you need to understand what kinds of threats you are up against and how your defenses will fare.

A cybersecurity partner can help ensure the safety of your company’s most critical assets. The reason to rely on a cybersecurity partner is that teams like ours are full of cybersecurity experts who have the extensive education and experience needed to combat various types of cyberattacks. If you have some kind of cybersecurity product installed on your network of devices, you are going to be able to prevent a good number of attacks, but without an expert who constantly reads reports and anticipates the different attacks, you are at risk. Experts don’t need to turn to an incident response manual every time there appears to be a threat. You need a team on constant lookout for things such as zero-day attacks and other unseen threats that may appear.

Attacks can come from your cloud, servers, firewalls, SDS systems, personal devices, and more.

With a threat detection solution—such as Security Information and Event Management (SIEM) continuously monitoring your environment—you’ll not only get preventative software, but real-time notifications on serious threats, not false positives. In addition, if an attack is detected, our team of experts will start working with you to find a solution within minutes of an attack.

Analysis finds that 80% of data breaches can be prevented with basic actions, such as vulnerability assessments, patching, and proper configurations.

Although the reality of cybersecurity threats and malicious attacks is challenging, CIT is here to help you realize your cybersecurity capabilities and risks and provide recommendations for improving your overall defense in-depth for the best possible cybersecurity outcomes.

Let’s discuss!

Combatting Business Email Compromise Risks 

An old scam that keeps reinventing itself with new victims. Don’t become one! 

You’ve probably heard the classic business email compromise (BEC) scam about Nigerian princes who want to deposit money in people’s bank accounts—but first need their prey to send them money to make it all work to plan. It’s an oldie but goodie. Unfortunately, it’s also one that keeps reinventing itself along with another batch of unwitting victims. In fact, it happens so often, BEC scams currently outdo ransomware as the most damaging cyberattack in the world. 

In fact, according to the FBI’s Internet Crime Complaint Center (IC3), in 2020, losses from BEC exceeded $1.8 billion—that’s a fourfold increase since 2016! The number of BEC incidents also rose by 61% between 2016 and 2020. Using tactics that play off real-time world events, such as COVID-19 or the trust of established interpersonal relationships, criminal elements have managed to stay ahead of the good guys with increased sophistication and swiftness. 

  • Healthcare providers bilked by criminals posing as trusted vendors with access to much-needed personal protection equipment
  • A large social media firm handed over personal payroll information about employees to an individual they thought was their CEO 
  • A non-profit organization was fooled into transferring a large loan to a business partner right into the hands of the threat actor  

To protect yourself and your business from these types of attacks, employee education is essential. For example, if someone in your accounts payable department receives an email from a business partner requesting that you alter established wire transfer information, be sure your staff are trained to recognize the request as a red flag and to confirm the details of the change directly with their point of contact. It seems second nature, but when people are busy and working against deadlines, it’s easy to miss a well-disguised ruse.

From a defense in-depth perspective, it’s also essential to ensure you have a layer of threat detection in place to help identify malicious behavior, alert of the threat, and inform the correct response and remediation measures. This would include: 

Monitoring for anomalous behavior, both on-premises and in the cloud  

BEC threats rely on looking like normal user activity. With an increase in remote work, companies are relying more on cloud services like Microsoft® Office 365® which puts data into a complex environment that’s often under-protected. Once threat actors can get access to Office 365, getting to the juicy data is just a few clicks away. Traditional perimeter security tools, such as firewalls, aren’t able to monitor suspicious activity in cloud-hosted applications like Office 365, SharePoint, or OneDrive. The same applies to monitoring of your endpoints for suspicious activity. If a threat actor slips past perimeter defense and acquires user credentials, it will be difficult to identify threats that appear as typical activity. 

Having enough IT Security staff 

When something nefarious goes down, you need to know immediately. Too many businesses lack the ability to dedicate staff to 24/7 monitoring of their environment. If an alert goes off at 1 a.m., the time lost until someone sees it and makes sense of it could be the difference between defense of the business or catastrophic damage. Managed threat detection and response can be a force multiplier if you are unable to monitor your environment 24/7. 

While there are many aspects to improving your defense in-depth, the following from the FBI act as good and effective tips to share with employees to help elevate everyone’s awareness of how to avoid business email compromise attacks. 

  • Be skeptical—Last-minute changes in wiring instructions or recipient account information must be verified. 
  • Don’t click it—Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email. 
  • Double check that URL—Ensure the URL in the email is associated with the business it claims to be from.
  • Spelling counts—Be alert to misspelled hyperlinks in the actual domain name.
  • It’s a match—Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s coming from. 
  • Pay attention—Often there are clues with business email compromise, e.g.:
    • An employee who does not normally interact with the CEO receives an urgent request from them 
    • Data shows an employee is in one location at 1 p.m. but halfway around the globe 10 minutes later
    • Active activity from an employee who is supposed to be on leave 
  • If you see something, say something—If something looks awry, report it to your managed service provider or IT Security supervisor. And if you have been a victim of BEC, file a detailed complaint with IC3.
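Two of the "pay attention" clues above (a sign-in halfway around the globe minutes after another, and activity from someone on leave) expressed as detection logic over constructed sign-in events. This is an added example, not CIT's or the FBI's code; the event list, leave roster and speed threshold are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (user, UTC timestamp, latitude, longitude, city).
# Not real logs: alice shows the "1 p.m. here, 10 minutes later halfway around the
# globe" clue, bob travels plausibly, carol signs in while on the leave roster.
SAMPLE_EVENTS = [
    ("alice", "2024-03-04T13:00:00Z", 44.98, -93.27, "Minneapolis"),
    ("alice", "2024-03-04T13:10:00Z", 1.35, 103.82, "Singapore"),
    ("bob", "2024-03-04T09:00:00Z", 44.98, -93.27, "Minneapolis"),
    ("bob", "2024-03-04T17:30:00Z", 41.88, -87.63, "Chicago"),
    ("carol", "2024-03-04T10:15:00Z", 44.98, -93.27, "Minneapolis"),
]
ON_LEAVE = {"carol"}          # constructed HR leave roster
MAX_PLAUSIBLE_KMH = 1000.0    # roughly airliner speed; anything faster is impossible travel
MIN_DISTANCE_KM = 50.0        # ignore GeoIP jitter between nearby locations


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, city in events:
        by_user[user].append((_parse(ts), lat, lon, city))
    findings = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for (t1, la1, lo1, c1), (t2, la2, lo2, c2) in zip(rows, rows[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else math.inf  # same-second events far apart
            if speed > max_kmh:
                findings.append({"user": user, "from": c1, "to": c2,
                                 "distance_km": round(dist), "speed_kmh": round(speed)})
    return findings


def find_activity_on_leave(events, on_leave):
    """Users on the leave roster who nevertheless produced sign-in activity."""
    return sorted({user for user, *_ in events if user in on_leave})


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", finding)
    print("active while on leave:", find_activity_on_leave(SAMPLE_EVENTS, ON_LEAVE))
```

In practice the events would come from the identity provider's sign-in log (for the Office 365 environment discussed above, the Azure AD / Entra sign-in logs) rather than a hard-coded list.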

To learn more about business email compromise threats and defense against them, CIT can provide you with guidance, education, and technology to strengthen your security posture. Give us a call and let’s discuss.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the Department of Defense (DoD) to help measure the cybersecurity maturity level of contractors across the defense industrial base (DIB), which includes over 300,000 companies. The CMMC is the DoD’s response to a significant increase in compromises of sensitive data located on contractors’ information systems.

When did it go into effect?

September 2020.  Many companies have already been required to meet certain requirements outlined by the DoD to meet CMMC requirements.  The expectation is that CMMC will be a requirement of all new DoD requests for proposals beginning in 2026.

What companies are included?

The certification is applicable to contractors who work directly with DoD, and to subcontractors who contract with primary contractors to provide fulfilment and execution of those contracts. 

As mentioned above, all contracts with the DoD will include CMMC requirements by 2026.  It is worth noting that the DoD has indicated they intend to issue contract opportunities at all levels of the maturity model, meaning that there will be some number of requests issued that will require only a low level of certification.

What are the levels of CMMC?

The levels of CMMC can be directly related to the security maturity of organizations. They are cumulative, meaning that as organizations implement stronger controls, they can achieve a higher level. The level of maturity may be a differentiator for retaining or gaining new contracts with the DoD.

  • CMMC level 1: Performed – Creation requirements. Processes are informal.
  • CMMC level 2: Documented, meaning a security program exists, is documented, and is understood throughout the organization.
  • CMMC level 3: Managed. Tools and processes are in place, consistent, and followed by all within the organization.
  • CMMC level 4: Reviewed. Tools and processes are reviewed periodically and updated as opportunities are identified from review.
  • CMMC level 5: Continuous improvement throughout the organization. The organization has implemented all requirements.

What is included in the review?

The CMMC includes the following cybersecurity domains, all of which need to have at least Basic Cybersecurity milestones to be CMMC compliant:

  • Access control 
  • Asset Management
  • Awareness and training 
  • Audit and accountability 
  • Configuration management 
  • Identification and authentication 
  • Incident Response 
  • Maintenance 
  • Media protection 
  • Physical protection 
  • Personnel security 
  • Recovery
  • Risk management
  • Security assessment 
  • Situational awareness
  • System and communications protection 
  • System and information integrity

Still have questions?

CIT is a Registered Provider Organization (RPO). RPOs are the “implementers” and consulting organizations that help companies achieve the various levels of certification.

Not All MFA is Created Equal: Advantages and Disadvantages of Common Forms of MFA

If you’ve spoken to anyone in the cybersecurity industry in the past few years, you’ve probably heard at least once “multi-factor authentication (MFA) is one of the best things you can do to protect yourself and your organization.” But what, you may be asking, does that specifically entail? MFA comes in all different shapes and sizes and like anything else in the cybersecurity and technical worlds, there is a fair amount of nuance in the available technologies. There are many things to consider when attempting to determine what type of MFA is best for you and your organization, including security, ease of implementation, ease of use, cost, etc. Let the below information serve as a high-level overview of those considerations for the four most common forms of MFA: SMS OTP, software TOTP, hardware TOTP, and push OTP.

SMS One-Time Password (OTP) 

  • Description: a random, numerical password, usually six digits, sent via SMS message to a designated mobile device. The password can only be used once.
  • Advantages: easy to implement and better than no MFA at all. It can also be free or inexpensive to set up (disregarding the cost of the mobile phone).  
  • Disadvantages: requires the user to own a mobile phone that can receive SMS text messages. One of the least secure forms of MFA (see Vulnerabilities).
  • Vulnerabilities: susceptible to SMS intercept attacks, wherein the text message is “intercepted” by a cyber attacker who receives the text message instead. SMS intercept attacks can be accomplished in a variety of ways, including SIM-swap scams, mobile number port-out scams, and SMS-stealing malware. Several high-profile security breaches have occurred over the past few years that were the result of SMS intercept attacks, including the 2018 data breach at Reddit and the 2019 compromise of Twitter CEO Jack Dorsey’s Twitter account.
  • Other info: SMS OTP was deprecated by the National Institute of Standards and Technology (NIST) in 2016.

Software Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via an authenticator app installed on the associated mobile device. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once. There are a variety of authenticator apps available, including Google Authenticator, Duo Mobile, Authy, etc.
  • Advantages: more secure than SMS OTP and fairly easy to deploy, though not as easy as SMS OTP. It can also be free or inexpensive to set up (disregarding the cost of the smartphone).
  • Disadvantages: requires the user to own a smartphone and install a mobile app. The security of software TOTP is heavily dependent on the authenticator app being used, as well as the parameters specified by the authenticating server. TOTP relies on a shared secret key that is portable, often shared via a QR code, which makes it susceptible to cloning.
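The TOTP mechanism described above (a shared secret, a 30-second step, six-digit codes) worked through in code, including the server-side checks that make "each code may only be used once" hold and a look at why the enrolment QR code is clonable. This is an added example, not code from CIT or from any authenticator app; the secret is the RFC 6238 test-vector key and the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret as carried in an authenticator QR code (base32). This is the
# RFC 6238 test-vector key "12345678901234567890", used here purely as a demo.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # the usual 30-second regeneration interval
DIGITS = 6          # the usual six-digit code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    Any party holding secret_b32 (a second phone, a screenshot of the QR code)
    computes the identical code, which is the cloning weakness noted above."""
    return hotp(base64.b32decode(secret_b32.upper()), unix_time // step)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth key URI an enrolment QR code encodes. The raw secret sits in
    the URI, so whoever scans or stores the QR image holds a working clone."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check enforcing the parameters the section mentions: a small
    clock-skew window, and one-time use of each accepted code (no replay)."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret = base64.b32decode(secret_b32.upper())
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # highest time step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay: this window (or an older one) is already used
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    import time
    print("code now:", totp(DEMO_SECRET_B32, int(time.time())))
    print(provisioning_uri(DEMO_SECRET_B32, "alice", "ExampleCorp"))
```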

Hardware Time-based One-Time Password (TOTP)

  • Description: a random, numerical password, usually six digits, generated via a hardware token, like a key fob or smart card, with a digital display. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once.
  • Advantages: very secure, as most hardware tokens are difficult to compromise remotely. The use of hardware tokens does not require users to own a mobile device or smartphone or install an authenticator app.
  • Disadvantages: can be very expensive (~$15+ per token). Hardware tokens can be difficult to deploy, as they are set up using NFC, which can be temperamental to use. The hardware tokens, which can be quite small, can be easily lost. Additionally, some hardware tokens, such as Yubikeys, require a physical connection to the device attempting the authentication and are thus not compatible with devices that do not have the token’s connection type (e.g., USB-A, USB-C, Lightning, etc.). Hardware tokens with more than one connection type are available, but they tend to be more expensive.

Push One-Time Password (OTP)

  • Description: a push notification is sent to the user’s device via an installed mobile app, giving the user the option to approve or deny the authentication request. The push notification usually includes the context of the authentication request, such as the IP address and corresponding location from which the login request originated.
  • Advantages: very secure, as the authentication communication is out-of-band and encrypted. Unlike TOTP, push OTP links a single device to the user’s identity, so it is not susceptible to cloning. It is easy to deploy and extremely easy to use, requiring only the click of a button to approve the request. It can be free or inexpensive (disregarding the cost of the smartphone).
  • Disadvantages: possible for users to accidentally approve fraudulent requests. It requires the user to own a smartphone and download a mobile app. Push OTP requires that the smartphone have an internet connection and it is a relatively new technology that is still not widely supported.
  • Other info: often used as a replacement for passwords. The push notification does not usually carry the OTP, but upon approval by the user, a unique OTP is generated internally on the device and sent back to the authenticating server to verify it.

Why should an organization consider using a security framework?

NIST framework

Historically, organizations have invested significant time and budget in their current security posture. Until recently, that posture was largely designed to protect the traditional office. With more people working remotely than ever, the existing posture and program may no longer fit the requirement of protecting employees who may be working anywhere at any time.

A security framework is designed to help organizations:

  • Understand their current cybersecurity posture
  • Define or update a cybersecurity program
  • Communicate requirements and the intended future state to stakeholders
  • Identify opportunities or needs for new or revised standards
  • Prioritize potential projects to reduce risk to the company
  • Make investment decisions to address gaps

What is NIST?

The National Institute of Standards and Technology (NIST) developed its Cybersecurity Framework to strengthen the security of United States critical infrastructure. Like most security frameworks, it can be applied to an organization of any size in any industry. The framework is organized around five core functions.

Those are: Identify, Protect, Detect, Respond, and Recover.

Identify

Naturally, most security programs begin with the Identify function.

  • Identify covers building an inventory of assets, data, users and systems, and the boundaries within which all of those items may be located. Most organizations then complete assessments, which may include gap analyses, a self-assessment or questionnaire, a review of the technical infrastructure, and potentially a review of their supply chain vendors and partners.
  • Assessments are performed to define risks, allowing the organization (or its partners) to develop the appropriate security controls to address them.
  • Identify also includes the traditional governance work of building or revising security policies and procedures, change management processes, vendor management processes, and so on.

Protect

Once the Identify work is complete, building a security program continues with defining and applying security controls to mitigate the identified risks and with building processes that protect the organization’s assets and people.

  • The Protect function focuses on building administrative, technical and physical controls to protect data, personally identifiable information, and all company assets.
  • Technical measures that support this function include building out identity management; applying a least-privilege access model so that users can reach only what they need for their daily tasks; enforcing multi-factor authentication (MFA) on external-facing systems; restricting access to management interfaces; and continuously reviewing and remediating vulnerabilities.
  • A cybersecurity training program should cover current threats and include frequent phishing simulations.
  • An example of an administrative control is requiring that no single user can approve a wire transfer without a second person’s confirmation.
  • Physical controls include locked doors, badge access and security cameras.

Detect

As organizations mature, detection and response capabilities become a priority. The Detect function is designed to help build a formal detection process for the threats organizations face every day.

  • Detection tools gather information from disparate systems across the network, from cloud environments, from third-party threat intelligence and from vulnerability data, then correlate it to produce alerts and insight on a variety of threats: external attacks on systems, anomalous user behavior, and data leaving the organization (data loss prevention). Common detection tools include SIEM solutions and Endpoint Detection and Response (EDR) tools.

Respond

Once detection capabilities mature, the next step is to respond to the threats that are detected.

  • Building response processes and procedures is also a core NIST function. A cybersecurity incident response plan is the usual first step in formalizing response capability. With over 94% of organizations reporting a security event in 2020, a plan that documents the organization’s capabilities and how communications flow is crucial.
  • Once an incident response plan exists, working through a variety of tabletop exercises lets the organization validate and test the plan and its capabilities.
  • Endpoint Detection and Response (EDR) tooling is critical enough that it should be budgeted for and deployed in every organization, regardless of industry or size.
  • EDR tools can detect and terminate malicious processes, quarantine and remove malicious files, and in many cases provide logging that is valuable for forensic investigation.

Recover

Developing and implementing a recovery plan is the final function of the NIST Framework.

  • When every other tool and process has failed to stop an event, a well-documented and tested disaster recovery plan is what the organization falls back on, so every organization needs one.
  • A backup solution that validates its backups, replicates them to the cloud, is configured properly and is tested regularly is a requirement for every organization that has any business-critical data, even if that data is already stored in the cloud. Keep at least one copy offline or immutable: backups reachable with the same credentials an attacker used against production can be encrypted or deleted along with it.

Whether or not compliance is a requirement for your organization, a security framework such as NIST’s provides a solid foundation of general guidance for maturing your security posture.

Comparing Zix Layered Protection With a Recent Breach

Reflecting on the recent SolarWinds breach and on the exploitation of the Microsoft Exchange zero-days, the associated threat actors started at the beginning of the Cyber Threat Cycle: they had to run reconnaissance to identify the right target and then carry out the initial attack.

This is the key to the first part of Zix Layered Protection. Preventing the initial attack takes the least amount of resources and spares the organization the biggest headache. Many also fail to realize that the majority of successful attacks rest on well-established techniques. Like their defensive counterparts, threat actors balance sophistication against ease of use: if there is an easy way into a target, they will take it. The SolarWinds breach was years in the making, and as sophisticated as the technique for inserting malware into the SolarWinds Orion build was, the evidence discovered so far suggests that the intrusion most likely began with an email.

Inside the SolarWinds breach

Reconnaissance and attacking the target

There are numerous ways to collect reconnaissance on a target to determine the right attack, and in the SolarWinds case it appears that email was a primary research tool and ultimately the attack vector.

Points of evidence:

  • SolarWinds’ SEC filing reported that the attackers had compromised company email accounts, and APT29 is known to run phishing campaigns as a standard tactic.
  • During the Malwarebytes breach, their investigation uncovered that the “attackers leveraged a dormant email protection product within their own O365 tenant.”
  • Microsoft notified CrowdStrike that a reseller’s account had been used in an attempt to read emails linked to CrowdStrike (the attempt did not succeed).

Infiltrating the target and evading detection

Even with spear phishing being the technique most likely used to compromise SolarWinds initially, there was no guarantee that the threat actors could move within the environment without the right privileges, or keep their activities undetected.

Yet according to published details:

  • Hackers gained privileged access to restricted systems
  • Hackers were communicating via Command and Control infrastructure
  • Hackers were altering file systems to prevent detection

Considering these key points, an effective advanced email threat prevention and encryption solution must be part of the layered security framework.

Break the Cyber Threat Cycle Part II

Prevent the initial reconnaissance and attack with an effective advanced threat protection and email encryption solution coupled with enforcing multi-factor authentication for user logins.

97% of users are still not able to detect a sophisticated phishing attack. SolarWinds is just another reminder that email remains core to the Cyber Threat Cycle: it is the hardest channel to secure and the easiest to exploit. While security organizations rightly discuss new attack techniques and the potential for their use, there is a never-ending list of evidence that:

  • Email is a treasure trove of reconnaissance information
  • Email attacks are very cheap for the threat actor to execute
  • Employees are no more effective at detecting a phishing attack intended to steal their credentials, or malware intended to compromise their endpoint, today than they were years ago.

Detect the presence of a threat actor with a security audit or monitoring solution

Highly effective email defense with a better than 99.9% effectiveness rating against phishing and malware will close 95% of your prevention gap. Threat actors will find other ways into your network, so protecting other vectors will be necessary, but you can quickly close this gap while evaluating other tools by using a security auditing service, particularly one that focuses on:

  • Identifying weaknesses in user login and authentication
  • Identifying suspicious behavior related to mailbox rules and email communication

As the SolarWinds breach showed, the threat actors needed access to secured development environments. In that context, monitoring for weaknesses in authentication policy (accounts without MFA, reused or previously breached passwords; note that NIST SP 800-63B no longer recommends forced periodic password rotation on its own) and for users logging in from unexpected locations can be a clear indication that someone outside the organization has made it into your network.

Furthermore, in virtually every major breach, once the threat actor has infiltrated the business they must communicate with something on the outside to retrieve further instructions or files, or to exfiltrate internal intelligence. Monitoring for email forwarding rules, or for activity such as automatically deleting sent messages, should set off a red alert.

Therefore a security audit or monitoring tool to detect internal suspicious behavior is a must for the layered protection strategy.
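As an added example that is not part of the original page or of the Zix product, the Python below runs the two checks just described (logins from unexpected locations, and mailbox rules that forward or hide mail) over a handful of constructed Microsoft 365-style audit records; it also stands in for the anomalous-user-behavior correlation mentioned under the NIST Detect function above. Field names follow the shape of the unified audit log, but the records, the internal-domain list and the per-user country baseline are assumptions for illustration.

```python
"""Added example (not part of the original page or of any Zix product):
two detections over constructed Microsoft 365-style audit records.
Assumptions for illustration: field names follow the shape of the unified
audit log (Operation, UserId, ClientIP, Parameters), the organization's
mail domain is example.com, and a per-user country baseline already exists."""
from collections import defaultdict

INTERNAL_DOMAINS = {"example.com"}                   # assumption: the org's own mail domains
EXPECTED_COUNTRIES = {"alice@example.com": {"US"},   # assumption: learned login baseline
                      "bob@example.com": {"US"},
                      "carol@example.com": {"US"}}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")

# Constructed sample records, not real log data.
RECORDS = [
    {"Time": "2021-03-01T08:02:00Z", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "Country": "US"},
    {"Time": "2021-03-01T08:41:00Z", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23", "Country": "RU"},
    {"Time": "2021-03-01T08:43:00Z", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.23",
     "Parameters": {"Name": "sync", "ForwardTo": "archive@attacker.example",
                    "DeleteMessage": "True"}},
    {"Time": "2021-03-01T09:00:00Z", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.11",
     "Parameters": {"Name": "team", "ForwardTo": "team@example.com"}},
    {"Time": "2021-03-01T09:30:00Z", "Operation": "Set-Mailbox",
     "UserId": "carol@example.com", "ClientIP": "203.0.113.12",
     "Parameters": {"ForwardingSmtpAddress": "smtp:carol.personal@mail.example"}},
]


def domain_of(address):
    """Mail domain of an address, tolerating the 'smtp:' prefix Exchange uses."""
    return address.rsplit("@", 1)[-1].lower()


def external_forwarding(rec):
    """Reasons to alert on a rule or mailbox change that sends mail outside the
    organization, or that deletes the message so the victim never sees it."""
    params = rec.get("Parameters", {})
    reasons = [f"forwards to external address {params[k]}"
               for k in FORWARD_PARAMS
               if k in params and domain_of(params[k]) not in INTERNAL_DOMAINS]
    if str(params.get("DeleteMessage", "")).lower() == "true":
        reasons.append("rule deletes the message after forwarding")
    return reasons


def unexpected_login(rec, seen):
    """Reasons to alert on a login outside the user's baseline countries, or from
    a second country within the same batch (a cheap impossible-travel check).
    Users with no baseline are flagged on every login, which is noisy but safe."""
    user, country = rec["UserId"], rec.get("Country")
    reasons = []
    if country not in EXPECTED_COUNTRIES.get(user, set()):
        reasons.append(f"login from unexpected country {country}")
    if seen[user] and country not in seen[user]:
        reasons.append(f"login from {country} after earlier login from {sorted(seen[user])}")
    seen[user].add(country)
    return reasons


def analyze(records):
    """Return (time, user, operation, reason) tuples for every suspicious record."""
    seen = defaultdict(set)
    alerts = []
    for rec in records:
        if rec["Operation"] == "UserLoggedIn":
            reasons = unexpected_login(rec, seen)
        elif rec["Operation"] in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            reasons = external_forwarding(rec)
        else:
            reasons = []
        alerts.extend((rec["Time"], rec["UserId"], rec["Operation"], r) for r in reasons)
    return alerts


if __name__ == "__main__":
    for alert in analyze(RECORDS):
        print(*alert, sep=" | ")
```

On the constructed data the login from RU and the forwarding rule created two minutes later from the same IP both fire for the same user, which is exactly the correlation a SIEM rule should make: a new location followed by a mailbox rule that forwards externally and deletes the evidence is a compromised account until proven otherwise. Bob’s internal-only rule produces no alert, and Carol’s mailbox-level forward to an outside domain is caught even though it is not an inbox rule.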

Act on any suspicious behavior through containment and remediation to prevent attacker success.

With the two main components in place to prevent and detect malicious behavior, the third motion is the response to whatever has failed. As we have indicated, a business could implement every security solution pitched by the hundreds of vendors available, but Zix Layered Protection is intended to keep security as simple as possible while maximizing your time and investment. To achieve that, the response to a potential breach must be immediate, and the goal should be to maintain business productivity even while under attack. Most growing businesses lack the time or expertise to triage an incident immediately, but they can begin response and remediation at no risk. At a minimum those tasks should be:

  • Immediately remove any malicious email that may have landed in the targeted employee’s inbox.
  • Review the targeted employee’s login activity, require any vulnerable passwords to be changed immediately, revoke the account’s active sessions (a password change alone does not invalidate tokens already issued), and enforce MFA if it is disabled.
  • Immediately clear their file systems and provide the targeted employee with a clean working copy of their data.

Zix Layered Protection enables organizations to maintain productivity through Zix Backup and Recovery services. Coupled with message retraction and account lock-down, latent threats can be rapidly eliminated.

How does Zix Layered Protection break the Cyber Threat Cycle?

Zix Secure Cloud turns a complex plan into a simple operational model.

Protect

Advanced Email Encryption

Strong encryption secures the email channel so that threat actors cannot hijack the SMTP conversation with a man-in-the-middle attack. With Zix’s Best Method of Delivery, business communications are protected from inbox to inbox regardless of who the organization communicates with.

Advanced Email Threat Protection

Today’s top attack techniques continue to be advanced phishing and malware-based attacks. Zix Advanced Email Threat Protection is rated one of the most effective solutions in third-party testing:

  • Phishing Detection Rate: 99.9%
  • Threat (Malware, ransomware, etc.) Detection Rate: 100%
  • Accuracy Rate: 99.994%

With Zix acting as the first layer of defense, the likelihood of an initial compromise is substantially reduced.

Azure AD Multi-factor Authentication

Relying on users to spot a phishing URL is a recipe for handing cybercriminals the user’s credentials. By enforcing the multi-factor authentication that is built into every M365 bundle, security teams can close this gap: a stolen password alone no longer grants access. One caveat: push approvals and one-time codes can still be relayed in real time by a proxy-style phishing site, so phishing-resistant methods such as hardware security keys are the stronger choice for high-value accounts.

Detect

Security Audit (Detect & Alert)

While the protection components sharply reduce the attack surface, the risk of internal negligence remains. Continuous monitoring within Zix Security Audit adds a layer of scanning that quickly identifies suspicious activity that bypassed the security gateway. Because compromised credentials are the usual key to establishing a foothold, detecting suspicious conditions such as users holding administrative access their role does not require, or finance employees forwarding work email to a personal address, becomes essential to containing the threat.

Advanced Email Threat Protection Threat Analyst Support

Combined with insights from the Zix Security Audit, customers can work directly with Zix Phenomenal Care and Threat Analyst to immediately develop and implement a mitigation strategy to stop subsequent attacks. This is a unique value-add that is essential to making Zix Layered Protection effective.

Respond

Security Audit (Detect & Alert)

Integrated within the Security Audit are actionable response steps to stop threat actors in their tracks such as locking the user out of the environment.

Advanced Email Threat Protection (Message Retraction)

An additional response step to take once a threat is discovered is to remove any existence of malicious email that may have been launched internally from the compromised account. Message retraction provides the ability to immediately reduce the risk to anyone else that may have been targeted.

Backup & Recovery

Any response goal must keep employee productivity in mind. With Zix Backup and Recovery services, even if the attacker’s goal was to corrupt corporate data or hold the data for ransom, the business has peace of mind knowing that they have a clean copy of their data to keep their business going.

Advanced Email Encryption (DLP)

Insight into what the attacker was after helps keep that data secure. With Data Loss Prevention policies in Zix Advanced Email Encryption, security personnel are notified when someone attempts to extract key information via email.

Enabled by Zix Secure Cloud

Zix Secure Cloud plus Azure AD Multi-factor Authentication encompasses layered protection. With these foundational pieces in place, growing businesses can focus on their productivity without being exposed to significant gaps. We recognize that the threat landscape is constantly changing and no growing business should stand still, as their business matures so will the threats targeting them. With assistance from our security partners, we can help guide you through your maturity path while keeping the strategy simple and straightforward.