Saturday, April 1, 2023

Block ransomware with endpoint security best practices


NetworkTigers discussing best practices for endpoint security.

2022 was a banner year for ransomware, reinforcing that endpoint security plays a crucial role in your network’s safety. Attacks on targets ranging from professional sports leagues and educational institutions to microchip manufacturers and federal governments demonstrated that many of the world’s largest organizations were not adequately protected, and that ransomware operators were becoming bolder in both their choice of targets and their tactics.

The disruption caused by ransomware escalated to the point that the FBI and CISA issued multiple advisories with steps for supply chain vendors and other organizations to follow to slow the avalanche of attacks. According to IDC, roughly a third of organizations worldwide have suffered a ransomware attack, a 13% increase over 2021.

As we forge into 2023, it’s become clear that ransomware will continue to be an existential cyber threat. However, this doesn’t mean that you are powerless against it. One of the best ways to safeguard your system against a ransomware attack is to employ endpoint security and strictly adhere to the following best practices. 

Regularly check every endpoint to ensure that it is protected and current

A missed update or an accidental misconfiguration can be all an attacker needs to gain a foothold in your network. Verify that every security option is turned on and that endpoints run current software. Whether done manually or through automated compliance checks, regular audits of every endpoint are critical: an agent that is installed but disabled, out of date or reporting stale signatures offers little protection.

Enable and require multi-factor authentication

Even though hackers are becoming adept at circumventing MFA in some cases, this additional level of security is still recommended, as it places another obstacle between an attacker and your system. 

Enable all security features

Endpoint security solutions ship with many optional features, some of them off by default. Enable them to narrow the range of threats that can slip through the cracks, especially those that detect behavior indicative of a ransomware attack, such as rapid mass encryption of files or tampering with backups and shadow copies. Where a feature offers an audit mode, run it there first to surface false positives before switching it to block mode.

Regularly review your exclusions

Exclusions tell your security solution not to scan certain paths, file types or processes, usually to save resources or to stop false positives on trusted software. Over time the list grows and gets messy, and a broad exclusion (a whole user profile, a temp directory, or an extension such as .exe) becomes a place where malware can sit unscanned. Review the list regularly, remove entries nobody can justify, and make each remaining exclusion as specific as possible.
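As an added example (not code from the original article), the following PowerShell audit pulls the three checks above into one script for a Windows endpoint running Microsoft Defender Antivirus, which is an assumption; other products expose similar settings through their own consoles or APIs. It reports whether protection is on and current, whether the ransomware-relevant features are in block mode, and which exclusions are broad enough to shelter malware. The age thresholds and the lists of risky locations, extensions and processes are chosen for this example and are not Defender defaults.

```powershell
# Added example, not code from the original article. Audits a Windows endpoint
# running Microsoft Defender Antivirus (an assumption) for the three checks above:
# protected and current, ransomware features enabled, exclusions reviewed.
# Run in an elevated PowerShell session; each finding is one line of text.

function Test-DefenderExclusions {
    # Flags exclusions broad enough to shelter malware. The pattern lists below
    # are chosen for this example and are not Defender defaults.
    param(
        [string[]]$Paths      = @(),
        [string[]]$Extensions = @(),
        [string[]]$Processes  = @()
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Locations an ordinary user (and therefore user-level malware) can write to,
    # plus anything that excludes a whole drive or starts with a wildcard.
    $writablePatterns = @(
        '^[A-Za-z]:\\\*?$', '^\*', '\\Users\\', '\\AppData\\', '\\Temp(\\|$)',
        '\\Downloads(\\|$)', '\\ProgramData\\?$', '%TEMP%', '%USERPROFILE%', '%APPDATA%'
    )
    foreach ($p in $Paths) {
        if ($writablePatterns | Where-Object { $p -match $_ }) {
            $findings.Add("Path exclusion covers a user-writable location: $p")
        }
    }

    # Excluding an executable or script extension means a payload with that
    # extension is never scanned, wherever it lands.
    $codeExtensions = 'exe','dll','ps1','bat','cmd','js','vbs','hta','scr','msi','com','lnk','jar'
    foreach ($e in $Extensions) {
        if ($codeExtensions -contains $e.TrimStart('.').ToLower()) {
            $findings.Add("Extension exclusion covers executable content: $e")
        }
    }

    # A process exclusion skips every file that process opens, so excluding an
    # interpreter or system binary disables scanning for most attacker tooling.
    $abusedBinaries = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
                      'mshta.exe','rundll32.exe','regsvr32.exe','explorer.exe','svchost.exe',
                      'msiexec.exe','certutil.exe'
    foreach ($proc in $Processes) {
        if ($abusedBinaries -contains [System.IO.Path]::GetFileName($proc).ToLower()) {
            $findings.Add("Process exclusion for a commonly abused binary: $proc")
        }
    }
    return $findings
}

function Get-DefenderPostureFindings {
    param(
        [int]$MaxSignatureAgeDays = 3,   # thresholds chosen for this example
        [int]$MaxQuickScanAgeDays = 7
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference

    # 1. Protected and current: an installed but disabled or stale agent is the
    #    "missed update or accidental misconfiguration" an attacker needs.
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection disabled') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection off') }
    $sigAgeDays = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
    if ($sigAgeDays -gt $MaxSignatureAgeDays)   { $findings.Add("Signatures are $([int]$sigAgeDays) days old") }
    if ($status.QuickScanAge -gt $MaxQuickScanAgeDays) { $findings.Add("Last quick scan was $($status.QuickScanAge) days ago") }

    # 2. Ransomware-relevant features: 1 = block mode; 2 = audit mode, which
    #    logs but stops nothing.
    if (-not $status.BehaviorMonitorEnabled)      { $findings.Add('Behavior monitoring disabled') }
    if ($pref.EnableControlledFolderAccess -ne 1) { $findings.Add('Controlled Folder Access not in block mode') }
    if ($pref.EnableNetworkProtection -ne 1)      { $findings.Add('Network Protection not in block mode') }
    if ($pref.MAPSReporting -eq 0)                { $findings.Add('Cloud-delivered protection off') }
    if ($pref.PUAProtection -ne 1)                { $findings.Add('PUA protection not in block mode') }

    # 3. Exclusions review.
    $exclusionArgs = @{
        Paths      = $pref.ExclusionPath
        Extensions = $pref.ExclusionExtension
        Processes  = $pref.ExclusionProcess
    }
    foreach ($f in (Test-DefenderExclusions @exclusionArgs)) { $findings.Add($f) }
    return $findings
}

# Exercise the exclusion logic offline with constructed values, then audit this host.
Test-DefenderExclusions -Paths @('C:\Users\*\AppData\Local\Temp', 'D:\SQLData') `
                        -Extensions @('exe', 'mdf') -Processes @('powershell.exe', 'sqlservr.exe')
Get-DefenderPostureFindings
```

In the constructed call, the user-profile temp path, the .exe extension and powershell.exe are the kind of entries the review should remove or narrow; the database directory, its .mdf extension and the database server process are the kind of specific, justifiable exclusion the section describes. An empty result from Get-DefenderPostureFindings means every check passed; run it on a schedule and treat any output as a ticket.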

Maintain excellent IT hygiene

Keeping your IT neat, tidy and current is paramount regardless of what you are protecting. Good hygiene requires consistently updating, streamlining, backing up, refreshing, scanning and monitoring your systems to promote speedy operation and airtight security. From configuration errors to components that no longer receive manufacturer support, even minor missteps can spell doom if an opportunistic hacker discovers them.

Limit data access

Adhere to a data access hierarchy built on least privilege: grant users only the data their role or department requires, and use MFA to confirm that the person exercising those rights is who they claim to be. Limiting what any single account can reach slows lateral movement through your systems even if an attacker gains an initial foothold.

Data encryption

Encrypt critical data so that even if an attacker or thief gains access to the storage, the contents are useless to them. A VPN encrypts data in transit between the endpoint and your network; data at rest, from specific files to physical hard drives and cloud drives, needs its own encryption, such as full-disk encryption on every laptop. This is a fundamental tenet in today’s world of remote workforces, as opportunities for thieves to make off with employee laptops, drives or other endpoint devices have increased.
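To make the distinction concrete, here is an added example (not code from the original article) that checks whether the data at rest on a Windows endpoint is actually protected. It assumes BitLocker is the disk-encryption product; a VPN tunnel says nothing about the state of the drive itself.

```powershell
# Added example, not code from the original article. Checks that data at rest on a
# Windows endpoint is protected by BitLocker (the product assumed here); a VPN
# only covers the data while it is in transit. Run in an elevated session.

function Get-DiskEncryptionFindings {
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($vol in Get-BitLockerVolume) {
        $mp = $vol.MountPoint
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("$mp is $($vol.VolumeStatus): a stolen drive is readable")
            continue
        }
        # Encrypted with protection suspended is as good as unencrypted: the
        # volume master key is stored in the clear until protection is resumed.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$mp is encrypted but protection is $($vol.ProtectionStatus)")
        }
        # Without an escrowed recovery password, a firmware update or TPM fault
        # locks the business out of its own data. Escrow itself (to AD or Azure AD)
        # cannot be verified from the device, so check that separately.
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $recovery) {
            $findings.Add("$mp has no recovery password protector")
        }
    }
    return $findings
}

Get-DiskEncryptionFindings
```

The suspended-protection case is the one most often missed: a drive can report itself as fully encrypted while a paused protector leaves it readable to anyone who pulls it from the laptop.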

Enable automatic updating and patching on all devices and apps

Automatic patching pushes updates to devices as they become available, keeping your endpoint security current. With threat actors continually scanning for vulnerable, unpatched systems, the hours or days between a patch’s release and a manual rollout are often all an intruder needs.

Maintain a strict Bring Your Own Device (BYOD) policy

Employees using personal devices to access company networks or drives is a Pandora’s box of security issues. Many organizations allow it anyway because it spares them from issuing hardware and makes remote employees more inclined to engage with work. A BYOD policy should be in place that restricts which devices may connect to the company network, which apps they may use, and which websites may be visited, and it should be enforced technically rather than only on paper. Organizations dealing with especially sensitive data should provide managed devices to their workers with these restrictions in place.

Employ Advanced Endpoint Protection (AEP)

While antivirus software and firewalls remain foundational endpoint security components, modern threats can slip past them. Traditional, signature-based methods excel at blocking known threats, from widespread Trojans to spyware. AEP adds behavioral analysis and machine learning to identify unknown threats, protecting your network from fileless malware, script-based attacks and zero-day threats that have yet to become public. Threat actors are adopting machine learning too, so expect 2023 to pit automated attacks against automated defenses.

Continually reinforce the importance of awareness

Regardless of the technology, the human element will remain a weak spot in endpoint security for the foreseeable future. Attackers know this; many have turned to social engineering rather than password cracking, persuading victims to simply hand over the keys. From regular newsletters highlighting current threats to refresher sessions on how to identify scammers, the importance of vigilance can’t be overstated.

Look to the future

In addition to awareness, staff should be kept up to date on the cutting edge of the threat landscape. Policies should require workers to verify, through a second channel such as a known phone number or an in-person check, any unusual request that purports to come from a coworker or superior, to blunt spear phishing schemes. As deepfake technology lets threat actors produce convincing video messages and audio calls, workforces must understand what is around the bend before it lands in their laps.

Cybersecurity news weekly roundup March 6, 2023


SAN MATEO, CA, March 6, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

CISA: beware of Royal ransomware, operated by former Conti gang members

CISA has issued a warning regarding the capabilities of Royal ransomware. According to the agency, “after gaining access to victims’ networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems.” The operators of Royal are believed to be Conti Team One, an offshoot of the highly capable Russian Conti ransomware gang that was dismantled last year. Royal can infect Windows or Linux systems, and attackers can choose what percentage of each file’s data to encrypt, which speeds up encryption and lowers the chance of detection. Read more.

BlackLotus malware has been updated to bypass security patches

The BlackLotus UEFI bootkit has been updated with Secure Boot bypass capabilities, meaning that even fully patched Windows 11 systems can be infected. BlackLotus emerged last year with features that make it hard for antivirus programs to detect, and it is remarkable for being the “first public example of UEFI malware that can avoid the Secure Boot mechanism, thus being able to disable security protections that come with the operating system.” Microsoft patched the underlying vulnerability in 2022, but the vulnerable signed binaries remain trusted by Secure Boot, so the bootkit can still be loaded on a patched system. Read more.

“Decider” is a free tool from CISA to help with MITRE ATT&CK mapping

“Decider” is an open-source tool released by CISA to assist security pros in mapping observed adversary behavior to the MITRE ATT&CK framework. By adopting and standardizing this framework, organizations can more easily and effectively share findings related to cyberattacks and threat actor behavior. According to CISA, “Decider helps make mapping quick and accurate through guided questions, a powerful search and filter function, and a cart functionality that lets users export results to commonly used formats.” It can be downloaded from CISA’s GitHub, and the agency encourages users to submit feedback and feature suggestions for the software. Read more.

CISA: ZK Java Framework RCE flaw being exploited by hackers

CISA reports that it has added CVE-2022-36537 to its Known Exploited Vulnerabilities Catalog, as the remote code execution flaw within ZK Framework has been observed being exploited in the wild. The flaw allows threat actors to view and retrieve file contents “by sending a specially crafted POST request to the AuUploader component.” Federal agencies have until March 30th to apply the security updates needed to patch the vulnerability. According to the agency, “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise.” Read more.

An employee’s compromised home computer led to the LastPass hack

The recent LastPass breach has been traced to an attack on a DevOps engineer’s home computer. The attacker got onto the device through a vulnerability in a third-party media software package, installed keylogger malware and captured the master password the engineer used to access the LastPass corporate vault. While unconfirmed, the compromised software is believed to be Plex, which reported a breach of its own not long after LastPass disclosed theirs. Read more.

US Marshals Service hit with ransomware attack

The US Marshals Service has been hit with a ransomware attack that “compromised some of its most sensitive information, including law enforcement materials, and the personal information of employees and potential targets of federal investigations.” The impacted system was a stand-alone system not connected to the rest of the agency’s network, but its compromise still exposed case-related law enforcement information and personal data. Upon discovery of the attack on February 17th, the affected system was quarantined and a forensic investigation was immediately initiated. Read more.

New EX-22 tool makes exfiltration a “cakewalk” for ransomware attackers

Exfiltrator-22, or EX-22, is a new post-exploitation framework spotted in the wild. Designed to operate under the radar inside enterprise networks, it “comes with a wide range of capabilities, making post-exploitation a cakewalk,” according to security firm CYFIRMA. The malware is advertised on Telegram and YouTube as undetectable and sold on a $1,000-per-month subscription. EX-22 is still under active development and signals that post-exploitation-framework-as-a-service (PEFaaS) is the latest model by which threat actors make intrusions as easy as possible. Read more.

New ChromeLoader malware campaign targets Nintendo Switch and Steam users

Malicious software has been observed masquerading as VHD files that contain hacks or cracks for Nintendo Switch and Steam games. The malware, a versatile threat called ChromeLoader, is primarily used to compromise web browsers to direct users to malicious sites or carry out click fraud using browser extensions. However, it has also been modified to steal data and even launch ransomware. Steam and Nintendo Switch users are urged not to download game cheats and only click links from reputable sources. Read more.


Can refurbished network equipment fill the global chip shortage gap?


While some experts predict relief may be around the corner, the global chip shortage is still plaguing network administrators. Thankfully, refurbished network equipment can be purchased at discount rates without sacrificing the quality needed to maintain efficient work and tight security. Buying gear from an experienced refurbished or used reseller can be a component of an overall strategy that allows you to keep your network current despite current market challenges. 

How did the chip shortage happen?

It’s easy to place all the blame for semiconductor supply issues on the pandemic-related work restrictions, but the problem is not quite so simple. Several simultaneous stresses, including skyrocketing demand for electronics, weather-related plant closures, and product hoarding, have merged to create the ongoing situation.

When will the chip shortage end?

Unfortunately, even the most optimistic predictions don’t foresee the semiconductor market stabilizing any time soon or even this year. Continued geopolitical issues such as trade tensions between China and the US and Russia’s invasion of Ukraine (a major supplier of the raw materials needed to build chips) continue to throw wrenches into the works of an industry that experts don’t see regaining its balance in the short term. Even though the US government is making significant efforts to put the country in a more self-sustaining position regarding semiconductor manufacturing, the high-tech facilities being built in Texas, Ohio, Arizona, and New Mexico aren’t expected to open until 2024 at the earliest.

The chip shortage’s effects on cybersecurity

While physical products may be sluggish to get into the hands of consumers, technological advancement has not slowed.

Cybersecurity incidents and concerns rose at unprecedented rates during the pandemic as personnel thinned, networks became flooded with work-from-home devices, and criminals seized opportunities to take advantage of the ensuing chaos and fear.

Most people can afford to wait when purchasing game consoles, musical instruments, and even automobiles. The hardware that keeps networks moving and cybercriminals at bay is not a luxury, however. Those looking to replace older or no longer supported routers, firewalls, and other devices often could not do so as hardware supplies dwindled and restocks were few and far between. With criminals scanning for weak spots more than ever, network and IT teams cannot afford to keep running equipment that is not up to the task of providing modern security.

How refurbished network equipment can fill the gap

The used equipment market has remained largely unaffected by the chip shortage. Network administrators who aren’t set on grabbing only the latest and greatest gear will find the market flooded with pristine equipment offloaded by those who are. While enterprise organizations needing company-wide overhauls may have trouble finding exactly what they want at scale, small business owners will have no difficulty getting most of the parts they need from an experienced reseller.

Why buy refurbished network equipment?

  • Less expensive. Refurbished and used gear is deeply discounted compared to brand-new options. Working with a quality secondary market reseller can avoid many headaches related to inflation-based price hikes. 
  • Real-world tested. Older gear has been in circulation long enough for administrators to understand its quirks, shortcomings, and best use cases, and manufacturers will have issued patches for the issues discovered in that time, sometimes making last year’s gear safer than today’s. Confirm that the model is still within the vendor’s support window, though: hardware that no longer receives security updates is a liability however cheap it is.
  • Warranty. Reputable resellers provide buyers with a warranty on their purchases. Some offer limited guarantees about defects and functionality; others may even allow you to extend your contract under special circumstances.
  • Communication. Manufacturers offer customer service, but major companies are generally not renowned for personable correspondence. Quality resellers are often staffed by people with network administrator experience who understand the demands of their customers and are empathetic to their needs. A bonus to corresponding with a reseller is that they can recommend products from any maker. Even the most generous company support representative is inclined only to recommend products built by their employer.  
  • You can extend the life of your tech. Upgrading incrementally instead of skipping generations and jumping to the newest equipment allows for a more gradual network transition. Installing a new component in one area often requires installing one elsewhere to maintain compliance and seamless integration. You can minimize this by purchasing refurbished gear that doesn’t require as much modernization.
  • It’s better for the environment. Using refurbished gear keeps it out of the landfill longer and generates less packaging waste.

Additional ways to cope with the chip shortage

  • Optimize what you have. Many network devices are not implemented to capacity. Consolidating port usage and re-cabling can free up space, allow you to operate more efficiently, and let you put off new purchases until necessary.
  • Use the cloud. While far from novel in 2023, moving to the cloud remains a viable way to limit your equipment requirements. However, the cloud is not for everyone, and careful considerations must be made to ensure that the costs and changes required for the transition won’t negatively affect your operations.
  • Build based on what you can get. Design your network based on what’s available instead of your preference. Creative problem-solving can help you navigate supply issues and prepare you for future scenarios in which you must adapt.
  • Plan ahead. With restocks taking weeks or even months to appear, assuming you can order what you need when you need it is no longer a viable strategy. Take a hard look at your equipment and determine what components will reach the end of their usable life first. You can place orders for gear near retirement so that you can swap it out as needed without downtime.

What is the average cost of IT equipment for businesses?


There’s no simple answer to what the cost of IT equipment should be for your business. Every company has unique needs, and the amount of money you should budget for IT may vary depending on the complexity and size of your company. If you spend too little, you might risk not having the strong infrastructure you need to be successful, and if you spend too much, you may be wasting resources that should be allocated to other areas of your business. Read on to discover what the average company spends on IT, and to create a realistic budget for your business.

What is the average cost of IT equipment for business?

The amount of money you allocate to IT equipment depends on various factors, including your business type, specific needs, type of IT (external vs. internal), and industry. However, it’s crucial to know the averages of other companies for comparison. According to a study conducted by Deloitte, the average company spends 3.28% of its revenue on technology. 

The construction industry spends the least, at 1.51%, while securities and financial firms spend the most, at 7.16%. When creating your budget, consider your business size, since larger enterprises with over $2 billion in revenue allocate a smaller percentage of revenue to IT. For installing and maintaining a network, some providers charge in the range of $1,500-$2,000, which usually includes a router.

Setting up a server costs $100-$150, depending on what needs to be done. The cost of installing and maintaining a network also varies with your location. To get the best value for your money, choose a provider who can help you build a network you can expand, upgrade and improve easily as your needs change.

These numbers serve as a baseline you can use to compare against your spending. They can help you analyze your current IT budget to see if it’s too low or too high so that you customize it to your business needs.  

5 things to consider when preparing your IT budget

If your budget is too lean, your organization may not operate as efficiently as it should, and if your current spending is too heavy, you could be crippling growth in other areas of your organization. Here are five things to consider when preparing your IT budget:

Set aside money for software and hardware renewals

When budgeting for IT, track software end-of-support dates and hardware warranties. Computer and server hardware usually carries a 3-5 year warranty, and software has a support lifecycle too; Microsoft, for instance, provides updates and support for up to 10 years after a product’s initial release.

After support or warranty ends, you’ll have to buy extended support from the manufacturer or troubleshoot any technical issues yourself, and unsupported software stops receiving security fixes. Over time these options tend to cost more than upgrading, so make room in your budget for renewals a year before these products expire.

These will give you enough time to compare prices and look for new programs and devices so that you make informed decisions. 

Tailor IT budget allocations

At the beginning of each financial year, every company allocates its budget across projects and departments. The same applies to IT. Ideally, you should set aside money for major components such as cybersecurity, meaning costs related to data protection such as security training, incident response, and threat prevention.

You should also invest in cutting-edge technologies such as cloud services and business intelligence software. Upgrade costs for your current IT infrastructure, support, and basic maintenance should also be included in your budget, as well as costs for implementing disaster recovery and backup data plans. You can adjust the percentage of your budget allocated to every component depending on your organization’s priorities. 

Define your operational expenses

When creating your budget, remember to allocate money for maintaining your infrastructure, such as system updates, cybersecurity, and data backups. Utility costs such as cooling and electricity are also part of running your IT systems. These monthly fees add up to a significant portion, so ensure you have accurate expense projections.

If you work with a managed IT services provider, expect to pay a monthly fee for security services and system maintenance. If you have an in-house team, include in your budget the wages for your technicians and the cost of any training they may require.

Get a risk assessment

It’s crucial to identify potential risks to your data and systems if you want to create the most realistic budget. IT risks include spam and ransomware attacks, software and hardware failure, human error, and natural disasters. You can perform a risk assessment internally or hire a third party to conduct it to help you plan for these emergencies.

Once you’ve collected data about all the potential risks that could damage your enterprise, you can perform a risk analysis to establish the probability of any of these events happening, so that you prepare and budget accordingly.

Determine your IT needs

To do this effectively, survey your employees to find out what IT they need to be efficient and productive in their roles. Ask which equipment they use the most, which they can’t perform their duties without, and which could be scaled down or dropped entirely.

Evaluate the needs of your company and then decide whether it makes more sense to run your business efficiently by outsourcing IT support to a managed services provider or keeping an internal IT department.

Create an IT budget that works for you

If you need help creating a realistic IT budget, NetworkTigers can analyze your business needs and develop one that’s tailored to your needs. Contact us today to find out how we can customize our IT solutions to suit your company’s needs. 

Cybersecurity news weekly roundup February 27, 2023


SAN MATEO, CA, February 27, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

Mining malware delivered via pirated copies of Apple’s Final Cut Pro

Torrented versions of Apple’s Final Cut Pro video editing software have been found to hide the XMRig cryptocurrency miner. Researchers have determined that the hidden malware is an upgraded version with features that make it especially difficult to detect, such as its use of the Invisible Internet Project (I2P) network. “I2P is a private network layer that offers users a similar kind of anonymity as that offered by The Onion Router (Tor) network.” The person responsible for uploading the weaponized software has a history of distributing pirated Apple products harboring the same cryptominer. Read more.

S1deload Stealer takes over Facebook and YouTube accounts, mines for crypto

S1deload Stealer is a new malware that hijacks victims’ Facebook or YouTube accounts after they click a malicious link that leads to an executable file. Once installed, the malware can perform several functions. Aside from exfiltrating login credentials, S1deload Stealer can mine BEAM cryptocurrency or artificially boost the victim’s post counts. It can also check whether the victim is an admin of a Facebook page or group that can be used as a platform to spam further links and ensnare more victims. Read more.

Lazarus Group believed to be using new WinorDLL64 backdoor

Researchers believe that North Korean hacking collective Lazarus Group is exfiltrating data from victims using WinorDLL64, “a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine.” Victims thus far have been highly targeted, with WinorDLL64 being used against targets in North America, the Middle East and Central Europe. Lazarus is being implicated in the hacks because of similarities shared between the group’s previous tools and the new malware’s code and behavior. Read more.

Hackers are mimicking ChatGPT to spread credential stealing Fobo trojan

With the popularity of ChatGPT has come a wave of scam attempts. Criminals are using social media accounts to create fake content that purports to come either from ChatGPT’s developers or from fan communities of the AI chatbot. Posts feature content about ChatGPT and include a link that leads victims to a convincing fraudulent landing page, where a click of the “download” button installs a trojan that scans for social media and email login credentials. Read more.

Fortinet FortiNAC exploit created, users urged to upgrade ASAP

Horizon3 security researchers have created a proof-of-concept exploit for vulnerability CVE-2022-39952 in Fortinet’s FortiNAC that allows for remote code execution. The exploit requires the writing of “a cron job to /etc/cron.d/ that triggers every minute to initiate a root reverse shell to the attacker.” Code for the proof-of-concept exploit is available on GitHub where it can potentially be weaponized by threat actors or used by administrators to create better network defenses. FortiNAC users are urged to upgrade to version 9.4.1 or later, 9.2.6 or above, 9.1.8 or newer and 7.2.0 or later, as these are not affected by the flaw. Read more.

Apple reports three new iPhone, iPad and Mac OS vulnerabilities

Apple has reported three new vulnerabilities affecting macOS, iOS and iPadOS. The vulnerabilities have been added to a security advisory first published last month and can allow an attacker to install applications on the compromised device or erase its contents completely. One flaw is a “race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root.” The other two flaws (CVE-2023-23530 and CVE-2023-23531) exist within the Foundation framework. The flaws have been patched in the latest OS versions and all Apple users are urged to update immediately. Read more.

HardBit ransomware demands insurance details to determine ransom price

Operators of HardBit ransomware are taking a novel approach to ransom negotiations: demanding insurance details from victims to calculate a payment that their insurer will be able to cover. Framing insurance providers as the real villain in this scenario, HardBit tells victims that insurers do not negotiate on behalf of their customers and that disclosing the policy details is the only way to retrieve files. HardBit encrypts target data quickly and makes recovery difficult: it adds itself to the Windows Startup folder for persistence, disables Windows Defender features, and overwrites files’ contents in place with encrypted data rather than writing encrypted copies and deleting the originals, leaving nothing for file-recovery tools to find. Read more.

MyloBot botnet spreading to more than 50,000 devices by the day

Devices in the US, India, Iran and Indonesia are falling victim to the MyloBot botnet at a rate of over 50,000 machines a day, according to researchers at BitSight. MyloBot is uniquely dangerous because it stays dormant for 14 days after infection to avoid detection. Once active it can download and execute any payload, letting an attacker deploy whatever malware they choose. In 2022, for example, MyloBot was observed sending extortion emails from compromised endpoints. Read more.

Earth Kitsune espionage group deploys new WhiskerSpy backdoor

Cyber espionage group Earth Kitsune has been observed running a social engineering campaign that delivers a new backdoor called WhiskerSpy. Earth Kitsune lures users to compromised pro-North Korea websites, but the backdoor is only delivered to visitors whose IP addresses fall within specific regions of Japan, Brazil and China. Another unusual characteristic of the campaign is that it targets individuals rather than companies or organizations. Read more.


How to practice safe data and avoid security threats


NetworkTigers on how to practice safe data and avoid security threats.

Your data security is crucial to the well-being of your organization: a compromise can bring financial and reputational damage, unexpected downtime and a loss of client trust. Implementing data security best practices gives your business a layered approach to dealing with new threats and reduces your exposure to zero-day attacks for which no patch yet exists.

What is data security?

Data security is the process of protecting sensitive business information from risk. This includes protecting your information from attacks that corrupt or modify your data and attacks that can encrypt data like ransomware. Proper data security also requires real-time monitoring and reacting quickly to suspicious events to make your information resilient to fraudulent activity. 

Some industries, such as healthcare organizations and financial institutions, must implement tight data security policies to comply with data protection regulations. But even if your business is not subject to a compliance or regulation standard, the survival of your organization depends on data security, which can affect your company’s valuable assets and confidential information belonging to customers.

Why is data security important?

According to the Cost of a Data Breach study conducted by Ponemon Institute and IBM, the average cost of a data breach reached $4.35 million in 2022. A single breach can expose tens of thousands of user accounts, and apart from the direct financial loss, most data incidents lead to reputational damage and loss of client trust.

Fines and lawsuits related to security threats are also rising, with many countries requiring businesses to implement more stringent regulations to safeguard private data. While you can implement security measures to defend against threats, there is no easy solution to data security.

However, your IT personnel can improve security by identifying data protection challenges. It’s also essential to analyze the cost of your current security measures, their impact on data security, and the expected ROI from additional investments.

5 data security best practices for your business

Your workforce records, financial records, and business secrets all need protection. Data breaches highlight weak security policies and information vulnerability in small and large companies. Here are ways to mitigate risks and position your company for security success.

Implement a zero-trust architecture

Traditionally, network security has been thought of as bad actors outside versus good actors inside. However, with access to networks by laptops, desktops, and smartphones plus the rise of the cloud, it’s no longer feasible to have that kind of separation. 

Instead, businesses should implement a zero-trust architecture: a network-wide model that trusts no device or person by default, whether outside or inside the perimeter. Rather than giving each vendor or employee complete network access, begin with minimal permissions and require authentication on every network plane.

Because this establishes more layered security, it makes lateral movement difficult even when a bad actor already holds a valid credential or has otherwise gotten through the door.

Use endpoint protection, antivirus and anti-malware

Companies should ensure endpoints like mobile phones, cloud systems, and employee workstations have adequate protection because malware is the most common vector of modern cyber threats. The baseline measure is antivirus software. However, it is not enough on its own to mitigate zero-day malware and fileless attacks.

Endpoint protection platforms take a comprehensive approach to endpoint security. The platforms offer endpoint detection and response (EDR) functionalities that help your IT department identify threats on endpoints as they occur, evaluate them, and respond by locking down impacted endpoints.

Have strong authentication methods

Enforce multi-factor authentication whenever external or internal users request personal or confidential information. Businesses should put in place robust authentication methods, such as standards like OAuth for web-based servers. Additionally, companies should have a well-designed authorization framework that checks that each user actually holds the access rights needed to use a service or perform a given function.

Automated tools and periodic reviews should be used to revoke permissions and remove authorization for people who no longer require them.

Conduct data security audits

Organizations should conduct security audits every few months to identify vulnerabilities and gaps across the organization’s security posture. While you can run a security audit in-house, performing the audit through a third-party expert, for instance in a penetration testing engagement, is recommended. When the audit exposes threats, set aside resources and time to address them.

Encrypt your data

Data encryption involves converting data from plain text (a readable format) to cipher text (an unreadable encoded format). The data can only be read or processed after it is decrypted. Remember that in public-key cryptography the decryption key never has to be shared, since the sender and the recipient each hold their own key. Data encryption is crucial for most security strategies because it prevents criminals from reading private data even if they obtain it.

How NetworkTigers can help enhance data security

NetworkTigers security solutions protect your information wherever it lives, whether in hybrid environments, in the cloud, or on-premises. If you want to learn more about how we can prevent threats and improve data security in your organization, call us today.

How do you detect cyber risks before they cause downtime?


NetworkTigers on detecting cyber risks before they cause downtime.

Cyber risks and the consequences of ransomware attacks and phishing campaigns are draining organizations’ finances, creating downtime and eroding the public trust in their ability to protect sensitive personal, health, or financial data. 

From 2021 to 2022, the average cost of a cyberattack has risen from $10,000 to $18,000. This skyrocketing expense makes hack prevention a priority, as it was already determined in 2019 that 60% of small businesses are forced to close after a cyberattack.

Most business owners don’t fully appreciate the costs of hack recovery, resulting in many companies lagging in their online defenses.

Monitor your network for cyber risks

Your network should be under constant surveillance. Continuous cybersecurity monitoring that uses automation to regularly scan your system and alert your company’s response team to any abnormalities can help mitigate cyber risks before they become full-scale attacks.

A properly configured monitoring system should prioritize alerts to ensure that IT administrators can focus on critical threats as they arise and not get bogged down with anomalies that may not be as important. 

Security researchers estimate that about 60% of all breaches occur via a third-party vendor. You can’t take charge of a vendor’s protocols. Still, automated monitoring of a third party’s IT deployments can give you insight into how they manage their risk and allow you to make decisions informed by their security posture that keep you safe.

Monitoring is also increasingly required for security compliance, and it scales as your business grows and its data footprint expands.

Keep up with cyber threat intelligence

More than ever in our digital age, knowledge is power, and keeping up with cyber risks, news and updates is essential.

Cybersecurity scanning logs should be analyzed and studied to maintain a clear understanding of the types of threats that your system encounters. This data can be used to conceptualize and predict trends to better prepare for future attacks.

An appreciation of current security threats, combined with information gleaned from monitoring, can help IT administrators better prioritize alerts they receive and accurately identify false alarms.

A holistic, detailed picture of cyber threat intelligence also allows IT professionals to explain an organization’s cybersecurity issues more clearly to the decision-makers responsible for allocating finances. Breaking down how your security is performing and presenting what threats may be looming to board members unfamiliar with the field sets the stage for a companywide understanding of cybersecurity that will likely prove helpful when assessing your security budget.

Use a firewall

Despite their long existence, firewalls have maintained their status as integral network security components.

A firewall analyzes your network’s incoming and outgoing traffic, allowing administrators to block unwanted connections before they reach internal systems and to examine traffic for any evidence of potential threats.

This means a firewall can act as a defensive measure against cyber risks and an analytical tool to gather data to reinforce your overall cyber threat intelligence further.

Network security tests that can identify cyber risks

Several tests and scans can be performed that look into your security environment and alert you of any vulnerabilities waiting to be exploited.

Cybersecurity audit

Performed by a third party, a cybersecurity audit takes a deep dive into an organization’s security policies to determine where lapses may occur within their hardware and software. An audit also ensures that processes adhere to regulations and comply with best practices.

It is recommended that a cybersecurity audit be performed on an annual basis for most companies. However, especially vulnerable or important organizations, those dealing with healthcare, for example, should perform them more frequently.

Vulnerability scan

A vulnerability scan is an automated task highlighting weaknesses that may allow a breach to occur. 

While this scan covers several potential dangers, the most pressing threats it’s designed to identify are:

  • Remote code execution vulnerabilities that may allow hackers to run code within your system.
  • Path traversal vulnerabilities that let hackers access unauthorized files.
  • Arbitrary file read or write flaws that let an unauthorized user read or modify content within your system.
  • Arbitrary code execution, the ability of a hacker to run commands on a vulnerable device.

Security scan

Misconfigurations within systems can leave databases exposed to public view and create less-than-optimal system designs that are full of opportunities for exploitation. A security scan looks for misconfigurations regarding default account settings, unencrypted files, systems that need patching, outdated apps and insufficient firewall protections.

Misconfigurations are typically the result of human error. Regular security scans can help tidy up messy environments and tighten processes so that there are fewer opportunities for a criminal to take advantage of a developer’s mistake.

Penetration testing

Penetration testing combines both manual and automated tests to accurately simulate an attack and provide an in-depth look at vulnerabilities present within a network or application. 

Ethical hackers undertake penetration testing with the knowledge and experience required to think as a criminal might. Penetration testing also employs teams that attack from various angles to think outside the box and find unexpected weaknesses.

Application security testing helps to mitigate cyber risks

As the use of the cloud continues to grow, so does our dependence on the security of software designed to keep us connected. The programs have become increasingly complex and further embedded into critical business operations and data sharing. Thankfully, several application security tests can be performed to help determine how secure web-based tools actually are.

These tests allow software development teams to fully inspect apps for weak points.

Dynamic Application Security Test (DAST)

Dynamic Application Security Testing analyzes a web application by simulating attacks. In the same way a hacker would, a DAST scanner approaches an app from the outside with no insight into its inner workings or architecture and attempts to pry its way into it. When the scan is complete, a data set is compiled that identifies vulnerabilities and cyber risks.

A DAST scan has the benefit of working entirely independently of the application being tested but cannot determine the exact location of the program’s vulnerability due to not having access to the program’s source code.

DAST scanning has become imperative. The use of open-source libraries in cloud app development speeds up the build process but also opens the possibility of widespread attacks due to vulnerabilities that may be present within them.

Static Application Security Test (SAST)

Static Application Security Testing, an essential tool for organizations that build and distribute software products, approaches an application from the inside by scanning its source code and identifying root cyber risks. It is especially useful in cases where a developer may not realize that their coding habits are creating potential exploits, as it can identify any code that goes against best security practices.

SAST scanning is meant to be run early in the development timeline. It complements DAST scanning, as it can identify issues that DAST cannot and vice versa. Unlike a DAST scan, it can also pinpoint the exact location of a vulnerability. This makes it easy to close security gaps as work is being done.

Runtime Application Self Protection (RASP)

Runtime application self-protection protects an application by taking advantage of insight into its internal data. This allows it to pick up on threats at runtime that other security scans or features may not be able to detect.

When a threat is detected, RASP can block an attack and perform other actions that may include booting a user from the application, issuing them a warning, alerting security administrators or even shutting the program down entirely.

RASP is designed to pick up the slack left by application security testing and firewalls by analyzing real-time data to block threats that other means aren’t designed to identify accurately. Because RASP focuses on a single application’s behavior, it can understand better what may or may not pose a threat and act accordingly.

Cybersecurity news weekly roundup February 20, 2023


SAN MATEO, CA, February 20, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

FBI investigating hack attempt against computer system

A hacking attempt has reportedly targeted the FBI. The cyberattack reportedly involved the agency’s New York Field Office and set its sights on a computer system used to investigate child predators. Information regarding what systems have been affected and what sort of attack was waged has not yet been officially disclosed, although the “isolated incident” is said to be “contained.” Read more.

GoDaddy targeted by hackers in “multi-year campaign”

Web host GoDaddy has disclosed that it experienced a data breach in which malware had been installed on its servers and the source code was stolen. GoDaddy suffered additional breaches in 2020 and 2021 and the company now believes that all three are part of a multi-year campaign carried out by a currently unknown threat actor. According to GoDaddy, evidence suggests that the campaign also targeted other hosting platforms as hackers engaged in phishing scams and other malicious activity. GoDaddy is working with international authorities to determine the cause of the breach and who is responsible. Read more.

CISA’s ESXi recovery script rendered useless after ESXiArgs ransomware update

A script issued by CISA last week, designed to help VMware ESXi systems recover from a current wave of targeted attacks, has only enjoyed a few days of effectiveness, as an ESXiArgs ransomware variant modified to render it useless has been deployed and observed in the wild. The script exploited flaws within the ransomware, allowing victims to recover their data without ever having to pay a ransom or communicate with threat actors. The new ESXiArgs variant, however, has sealed up the cracks. Victims can tell which variant they have been attacked with because the older one that CISA provided a remedy for lists a Bitcoin address in its ransom note, whereas the new variant does not. Read more.

New Havoc command and control framework spotted in the wild

According to observations by security researchers, hackers are ditching paid options Cobalt Strike and Brute Ratel in favor of Havoc, a new open-source command and control framework. Havoc is modular, allowing threat actors to use it to perform a wide range of malicious functions. It is cross-platform and can bypass Microsoft Defender even on current Windows 11 devices. A currently unknown threat actor recently deployed Havoc against an undisclosed government organization, which signals that hackers are seeking alternatives to well-known and more easily defended penetration tools. Read more.

Clop ransomware gang exploits zero-day flaw in GoAnywhere MFT, data on one million patients exposed

The Clop ransomware gang has claimed credit for exploiting a zero-day flaw found in Fortra’s widely used GoAnywhere MFT file transfer software. Clop has claimed that it used the exploit to steal data from 130 organizations. While this number has yet to be confirmed, Community Health Systems (CHS), one of the largest healthcare providers in the US, has stated that data belonging to up to one million patients has been exposed and potentially stolen in the attack. Researchers expect more organizations to report breaches as the extent of Clop’s damage comes into focus. Fortra has released an emergency patch for GoAnywhere, and CISA has mandated that all federal agencies update by March 3rd. Read more.

North Korean M2RAT steals data from wireless devices connected to infected Windows computers

M2RAT is a new malware strain researchers have observed being used by RedEyes, a North Korean cyber espionage collective believed to be backed by the country’s government. M2RAT leaves “very few operational traces” on targeted Windows computers and has been distributed via phishing attacks that force a victim to download a JPEG laced with malicious code. M2RAT acts “as a basic remote access trojan that performs keylogging, data theft, command execution, and taking screenshots from the desktop.” M2RAT also scans for any wireless phones or tablets connected to the computer and then copies content to the machine, where it can be exfiltrated. Read more.

Researchers uncover stealthy new Beep malware

Security experts have reported a new malware called Beep that appears to be specifically designed to feature “as many anti-debugging and anti-VM (anti-sandbox) techniques” as developers could fit into it. Made up of a dropper, a PowerShell script and an information-stealing payload, Beep has also been observed to have several unfinished features, which implies that it is a work in progress. After Beep embeds itself into a system, it can also be used to deliver ransomware. Read more.

New MortalKombat ransomware beating up US financial targets

A new ransomware called MortalKombat has been identified targeting US victims. MortalKombat is based on the Xorist commodity ransomware, a foundation that threat actors can customize to suit their needs. It has been observed being launched along with the Laplas clipper, devised to steal crypto. The ransomware is said to be unsophisticated, lacking the fine tuning that would keep it from becoming unstable. It is unclear if MortalKombat is being launched by a lone actor or being sold to hacker groups. Read more.

CISA: North Korean hackers set sights on healthcare sector

According to CISA and the FBI, North Korean cyber operations are heavily targeting the healthcare industry in continued efforts to fund espionage with illegally acquired funds. A joint advisory issued by the two agencies, alongside the US Department of Health and Human Services and South Korean intelligence agencies, did not specify that a new push or campaign had been identified. However, guidance tips regarding attacks from state-sponsored actors have been updated, which may indicate that North Korean hackers are continuing to advance and diversify their attacks against targets they deem lucrative. Read more.

Cyberattack on New Jersey hospital exposes data of 617,000 patients

New Jersey’s CentraState Medical Center fell victim to a late December cyberattack that caused procedure cancellations, a switch to paper record keeping and disruption of medical and hospital services. CentraState has not revealed what type of attack they succumbed to, as details about the incident have been minimal. No payment information was compromised in the attack. However, they did reveal that 617,000 patients had their “name, address, date of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, doctor notes, information on care received at CentraState and prescription information” exposed. Read more.

Killnet hackers disrupt Turkey-Syria relief efforts with NATO DDoS attack

A DDoS attack against NATO impacted the organization’s ability to communicate with military aircraft providing aid to Turkey and Syria as the countries grapple with the aftermath of an earthquake that reportedly killed more than 28,000 people. Pro-Moscow hacker collective Killnet, having targeted numerous countries supporting Ukraine, has claimed credit for “carrying out strikes” against NATO but has not officially made any other statements. Most security professionals describe Killnet’s DDoS attacks as a nuisance and most of their victims are back up and running within hours. Read more.


What is WiFi 6 and why do businesses need it?


NetworkTigers discusses WiFi 6 and why businesses need it.

WiFi 6, known in the tech community as 802.11ax, is the next generation of wireless connectivity. WiFi 6 does more than upgrade your service to faster browsing speeds. It can also improve network security, expand device connectivity, and streamline access points.

WiFi 6 does more than its recent predecessor, 5G. It offers all of these benefits at a lower price point as well. This new frontier of internet access is expected to become the gold standard across both business and personal use. 

Understanding WiFi 6: How and why is it faster?

WiFi Alliance is an international tech-industry group that advocates for and oversees WiFi expansions and implementations. Think of your internet connection as a fleet of trucks, advises Kevin Robinson, marketing leader for WiFi Alliance. These trucks are your internet-capable devices, whether laptops, cell phones, streaming services, Smart Home devices, or more. These devices travel along the highway, or WiFi connection, carrying goods for your customers or data deliverables. Upgrading WiFi connectivity is essentially an expansion of your MU-MIMO, an abbreviation of “multi-user, multiple-input, multiple-output.” Current iterations of WiFi can already handle multiple users at once. However, WiFi 6 greatly expands MU-MIMO capabilities. For instance, if existing 5G connections allow you to send four trucks out on the highway to four customers, “with WiFi 6, you now have eight trucks,” explains Robinson.

Extending the highway metaphor, developers realized that with current WiFi technology, more lanes already existed than were actually being used. WiFi 6 makes full use of the highway, adding more delivery trucks onto the road that can now head to multiple locations. They won’t get bogged down in traffic because the lanes they need already exist. WiFi 6 runs on the same frequency bands as WiFi 5, meaning 2.4 GHz and 5 GHz, but floods those connections with more data. Speeds are estimated to reach up to 11 Gbps with WiFi 6, a vast improvement over current WiFi 5 capabilities of 1 Gbps.

The other significant development within WiFi 6 is OFDMA, a new technology for “orthogonal frequency division multiple access.” This means allowing one single transmission to deliver data to multiple devices simultaneously. Robinson continues to explain the product using the metaphor of trucking, saying, “With OFDMA, the network can look at a truck, see ‘I’m only allocating 75 percent of that truck, and this other customer is kind of on the way,’” and then load up the extra space in the truck with goods meant for the second customer. 

More devices, increased security with WiFi 6

Because of these MU-MIMO upgrades, more devices should be able to access the internet simultaneously without delays or lag times. This improvement is significant as more employees continue to work from home or at cafés, where slow or faulty internet is a primary concern for multiple devices working online simultaneously. Frequency overpopulation may not entirely become a problem of the past, but multiple-device access should become more agile and realistic than it is for many individual networks. 

Equally importantly, WiFi 6 is designed to be more secure than its predecessors. Since 5G is a cellular network, many employees still need to access sensitive data through a VPN designed to reach their corporate intranet securely whenever they leave the workspace. WiFi 6, on the other hand, is intended to be part of a secure corporate LAN for seamless integration. Upgrading to WiFi 6 may enhance security procedures or even replace the need for some corporate VPNs. 

WPA3 security protocols are also set to come standard with WiFi 6 devices. WPA3 restricts hackers’ ability to continuously guess access codes or passwords. Some iterations of WPA3 even limit or reduce the usefulness of specific data if it is accessed from an unknown source. WPA3 represents one of the most significant breakthroughs in wireless network encryption in recent years and is on track to be required, not optional, for WiFi 6-certified routers.

Accessing WiFi 6: Making necessary upgrades

Wireless data traffic requirements have been increasing throughout the past few years and are projected to increase by a whopping 47% CAGR over the next five years. WiFi 6 is designed to meet and beat that demand by offering increased reliability and improved customer access and speed, all at a lower price. WiFi technology is forecasted to add around $850 billion in economic value by 2025 to the US economy. 

To access WiFi 6, you need to upgrade your physical devices, not just your software. To access WPA3 standard protocols, look for certified WiFi 6 routers. WiFi 6 is still in the early days of its roll-out, only available on certain high-end smartphones and laptops. However, as access expands, businesses should look to upgrade. WiFi 6 is the way of the future; luckily, it’s an IT department’s dream.