<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <copyright>Copyright TechTarget - All rights reserved</copyright>
        <description></description>
        <docs>https://cyber.law.harvard.edu/rss/rss.html</docs>
        <generator>Techtarget Feed Generator</generator>
        <language>en</language>
        <lastBuildDate>Fri, 05 Jun 2026 17:35:43 GMT</lastBuildDate>
        <link>https://www.techtarget.com/searchsecurity</link>
        <managingEditor>editor@techtarget.com</managingEditor>
        <item>
            <body>&lt;p&gt;IoT endpoints are prime targets for attacks, with the soaring number of connected devices and often porous security controls creating plenty of opportunities for hackers.&lt;/p&gt; 
&lt;p&gt;In its "The State of &lt;a href="https://www.techtarget.com/iotagenda/definition/IoT-security-Internet-of-Things-security"&gt;IoT Security&lt;/a&gt;, 2024" report, Forrester Research concluded that corporate &lt;a href="https://www.techtarget.com/iotagenda/definition/IoT-device"&gt;IoT devices&lt;/a&gt; were the most reported target for external attacks, meaning they were attacked more than any other enterprise asset, including corporate and employee-owned computers and mobile devices.&lt;/p&gt; 
&lt;p&gt;According to cybersecurity software maker SonicWall's "2025 Cyber Threat Report," IoT attacks were up 124% in 2024. The worrisome statistics aren't surprising, given the &lt;a href="https://www.techtarget.com/iotagenda/tip/Internet-of-Things-IOT-Seven-enterprise-risks-to-consider"&gt;challenges of securing an IoT ecosystem&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;First, the IoT industry doesn't have a clear set of security standards to ensure developers and manufacturers incorporate consistent security across their products. Also, IT admins often find it challenging to keep track of and update devices that remain in the field for many years.&lt;/p&gt; 
&lt;p&gt;In addition, many IoT devices lack built-in security features due to their embedded firmware or software limitations. They often come with default passwords that don't have to be reset when deployed.&lt;/p&gt; 
&lt;p&gt;Meanwhile, attackers scan the internet and internal networks for IoT devices and known vulnerabilities, including management services exposed on nonstandard ports. Once on a device, they can evade detection with memory-resident (fileless) malware, because most IoT endpoints run no endpoint security agent and their traffic is rarely monitored.&lt;/p&gt; 
&lt;p&gt;Let's examine what makes IoT devices vulnerable and how to mitigate attacks.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is the IoT attack surface?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is the IoT attack surface?&lt;/h2&gt;
 &lt;p&gt;At its basic level, an &lt;a href="https://www.techtarget.com/whatis/definition/attack-surface"&gt;attack surface&lt;/a&gt; refers to the total number of potential entry points for unauthorized system access. An IoT attack surface includes all possible security vulnerabilities for IoT devices, their software and network connections.&lt;/p&gt;
 &lt;p&gt;The growing concern around IoT device security includes the fact that threat actors can damage the network and software that support IoT devices and the devices themselves. Furthermore, IoT device adoption is advancing faster than the processes and protocols that &lt;a href="https://www.techtarget.com/searchwindowsserver/tip/How-to-manage-Windows-Server-in-an-air-gapped-environment"&gt;provide secure, reliable connections&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;Organizations can take steps to secure the IoT attack surface, but doing so requires staff and technical expertise to establish policies, detect threats proactively and apply measures that shrink the attack surface, such as removing unneeded services and isolating devices on their own network segment.&lt;/p&gt;
 &lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/tips_to_reduce_attack_surfaces-f.png 1280w" alt="Graphic listing tips to reduce attack surfaces" height="269" width="560"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Here are six tips for reducing the attack surface and potential security risks.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Top IoT security risks to address"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Top IoT security risks to address&lt;/h2&gt;
 &lt;p&gt;Here are the eight common IoT vulnerabilities and seven external threats that pose the most significant risks.&lt;/p&gt;
 &lt;h3&gt;1. An expanding attack surface&lt;/h3&gt;
 &lt;p&gt;One of the biggest threats to an organization's ability to secure its IoT environment is its sheer scale. Estimates on the actual number of connected devices in the world vary from one researcher to the next, but they are consistently in the billions and growing. For example, in its "State of IoT Summer 2024" report, IoT Analytics said that connected IoT devices numbered 16.6 billion at the end of 2023 -- up 15% over 2022. By the end of 2024, that number was 18.8 billion.&lt;/p&gt;
 &lt;p&gt;Moreover, enterprise IoT spending is projected to grow at a 14% compound annual growth rate through 2030, according to IoT Analytics' "State of IoT Spring 2025" report, with that spending dramatically expanding the attack surface.&lt;/p&gt;
 &lt;p&gt;Of course, an individual organization has far fewer devices to secure, but the number of connected endpoints adds up fast. Additionally, IoT devices are generally on 24/7, with many continuously connected.&lt;/p&gt;
 &lt;h3&gt;2. Insecure hardware&lt;/h3&gt;
 &lt;p&gt;A &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-endpoint-security"&gt;single endpoint device can present a risk&lt;/a&gt; to the security of the entire IoT ecosystem -- and, ultimately, the organization's IT environment. Devices often lack built-in security controls due to their limitations -- namely, their small computational capacity and low-power design.&lt;/p&gt;
 &lt;p&gt;As a result, many devices can't support features such as strong authentication, TLS-encrypted communication and fine-grained access control. Even when endpoint devices do have security controls, such as configurable passwords, some organizations deploy them without enabling them or changing the defaults. That leaves devices and the organization vulnerable to various attack types, including credential stuffing and brute-force attacks against those default logins.&lt;/p&gt;
 &lt;h3&gt;3. Maintenance and update challenges&lt;/h3&gt;
 &lt;p&gt;Challenges with adequately maintaining endpoint devices and updating software create further security vulnerabilities. There are a few contributing factors here. First, updates such as a security patch for a vulnerability that attackers could exploit might not be forthcoming from device vendors, particularly if the endpoint device is older or past its support window. Second, connectivity limitations, along with a device's limited computational capacity and power supply, can make updating devices deployed in the field impractical or impossible.&lt;/p&gt;
 &lt;h3&gt;4. Lack of visibility into the IoT environment&lt;/h3&gt;
 &lt;p&gt;Even when updates are possible, organizations might not know whether they have devices to update. According to a 2024 survey by Starfleet Research, nearly half (46%) of security leaders reported difficulty in gaining IoT device visibility.&lt;/p&gt;
 &lt;h3&gt;5. Shadow IoT&lt;/h3&gt;
 &lt;p&gt;A related risk is shadow IoT -- that is, IoT endpoints deployed without IT's or the security department's official support or permission. These unsanctioned IoT devices could be personal items with an IP address, such as fitness trackers or digital assistants, but they could also be corporate and enterprise technologies, such as wireless printers. Either way, they create risks for the enterprise because they might not &lt;a href="https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one"&gt;meet an organization's security standards&lt;/a&gt;, and even if they do, they might not be configured and deployed in ways that follow security best practices.&lt;/p&gt;
 &lt;p&gt;Additionally, IT administrators and security teams generally lack knowledge of these deployments. They might not monitor them or their traffic, giving hackers a higher chance of successfully breaching them without being detected.&lt;/p&gt;
 &lt;h3&gt;6. Poor asset management&lt;/h3&gt;
 &lt;p&gt;Organizations face challenges not only in identifying all the IoT devices in their environment but also in effectively managing the devices they do have. &lt;a href="https://www.techtarget.com/searchenterprisedesktop/tip/Patch-management-vs-vulnerability-management-Key-differences"&gt;Some fail to patch vulnerabilities&lt;/a&gt; and update software when patches and updates are available. Others neglect to fix known misconfigurations in a timely manner, if at all, or implement adequate access controls. Organizations often fail to take such actions because the work it requires exceeds their capacity to do it.&lt;/p&gt;
 &lt;h3&gt;7. Inadequate or nonexistent monitoring and incident response capabilities&lt;/h3&gt;
 &lt;p&gt;Monitoring for unusual activities and traffic that could indicate attempted attacks has become a standard security practice to safeguard IT environments. The same goes for incident response capabilities. However, organizations don't always have those capabilities or the same level of maturity in their capabilities within the IoT environment for various reasons, such as resource constraints and the complexity of IoT environments.&lt;/p&gt;
 &lt;h3&gt;8. Unencrypted data transmissions&lt;/h3&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/iotagenda/tip/How-to-select-the-right-IoT-database-architecture"&gt;IoT devices collect vast amounts of data&lt;/a&gt; as they measure and record everything from temperature readings to the speed of objects. They send much of this data to centralized locations -- usually in the cloud -- for processing, analysis and storage. They also frequently receive information back that tells the devices what actions to take. Studies have shown that a significant portion of this transmitted data is unencrypted, often because devices use plaintext protocols such as HTTP, Telnet or MQTT without TLS, which exposes telemetry and commands to interception and tampering on the network path.&lt;/p&gt;
 &lt;h3&gt;9. IoT botnets&lt;/h3&gt;
 &lt;p&gt;In addition to vulnerabilities, threats are coming from outside the IoT environment. One such threat is the botnet. Enterprise IT and security leaders have consistently listed this as a top threat following the major botnet attacks, such as Mirai, that arose nearly a decade ago.&lt;/p&gt;
 &lt;p&gt;In these attacks, an attacker &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-protect-your-organization-from-IoT-malware"&gt;infects an IoT device with malware&lt;/a&gt;, typically by logging in to an exposed service such as Telnet or SSH with default credentials or by exploiting an unpatched vulnerability, and co-opts it into an IoT botnet to initiate massive cyberattacks. Botnet source code, including Mirai's, has been published online, so attackers can easily obtain code that scans for susceptible devices, loads a payload that hides from detection and then waits for a command-and-control module to signal the devices to launch an attack or steal information.&lt;/p&gt;
 &lt;p&gt;IoT botnets are frequently used for DDoS attacks to overwhelm a target's network traffic. Botnet orchestrators find IoT devices an attractive target because of weak security configurations and the number of devices that can be consigned to a botnet to target organizations.&lt;/p&gt;
 &lt;h3&gt;10. DNS threats&lt;/h3&gt;
 &lt;p&gt;Many organizations use IoT to collect data from older machines that lack the most recent security standards. When organizations combine legacy devices with IoT, it can expose the network to older device vulnerabilities. IoT device connections also rely on DNS, a decentralized naming system from the 1980s that, without DNS Security Extensions, does not authenticate the answers it returns, so a spoofed or poisoned response can redirect a device to an attacker's server. Because DNS is almost always allowed through firewalls, attackers also use DNS vulnerabilities in &lt;a href="https://www.techtarget.com/searchsecurity/tip/Types-of-DNS-attacks-and-how-to-prevent-them"&gt;DDoS attacks and DNS tunneling&lt;/a&gt; to exfiltrate data, carry command-and-control traffic or deliver malware.&lt;/p&gt;
 &lt;h3&gt;11. Malicious node injection&lt;/h3&gt;
 &lt;p&gt;Attackers can also target an IoT ecosystem by inserting or injecting fake nodes into the mesh of legitimate connecting nodes. Where nodes do not mutually authenticate one another, the rogue node is accepted as a peer, enabling the attacker to read, alter or control the data flowing between the fake and legitimate nodes -- and, ultimately, to influence all the nodes in the mesh.&lt;/p&gt;
 &lt;h3&gt;12. IoT ransomware&lt;/h3&gt;
 &lt;p&gt;As the number of insecure devices connected to corporate networks increases, so do IoT ransomware attacks. Attackers infect devices with malware to turn them into botnets that probe access points or harvest valid credentials from device firmware and configuration that they can use to enter the network.&lt;/p&gt;
 &lt;p&gt;With network access through an IoT device, attackers can exfiltrate data to servers they control and threaten to keep, delete or publish the data unless paid a ransom. Sometimes, payment isn't enough for an organization to get all its data back: decryption tools fail, or the ransomware deletes the files regardless.&lt;/p&gt;
 &lt;h3&gt;13. Tampering with physical devices&lt;/h3&gt;
 &lt;p&gt;Hackers tampering with physical devices presents another risk. This could mean that attackers physically access an IoT device to steal data, tamper with the device to install malware, access its ports and inner circuits to break into the organization's network, or destroy it altogether.&lt;/p&gt;
 &lt;h3&gt;14. Firmware exploits/supply chain vulnerabilities&lt;/h3&gt;
 &lt;p&gt;As &lt;a href="https://www.techtarget.com/searchsecurity/tip/The-biggest-ransomware-attacks-in-history"&gt;headline-making attacks in recent years&lt;/a&gt; have shown, hackers use vulnerabilities in the technology components and software that organizations buy to run their operations. Those same supply chain vulnerabilities exist in the IoT market, which leaves organizations reliant on their IoT vendors to identify the vulnerabilities and offer fixes. And when these vendors are not forthcoming -- or not responsive quickly enough -- organizations can fall victim to hackers whose MO is targeting known vulnerabilities in IoT equipment.&lt;/p&gt;
 &lt;h3&gt;15. Vulnerabilities in the ecosystem&lt;/h3&gt;
 &lt;p&gt;As IoT devices proliferated, so did their connections to the organization's infrastructure and the broader connected universe. That connectedness, which is the very nature of IoT, can amplify the potential risks associated with vulnerabilities anywhere in the ecosystem. For example, insecure interfaces such as APIs create an entry point for hackers who could use that foothold to access increasingly sensitive points within the ecosystem.&lt;/p&gt;
 &lt;div class="youtube-iframe-container"&gt;
  &lt;iframe id="ytplayer-0" src="https://www.youtube.com/embed/mLg95dLm-Gs?autoplay=0&amp;amp;modestbranding=1&amp;amp;rel=0&amp;amp;widget_referrer=null&amp;amp;enablejsapi=1&amp;amp;origin=https://www.techtarget.com" type="text/html" height="360" width="640" frameborder="0"&gt;&lt;/iframe&gt;
 &lt;/div&gt;
&lt;/section&gt;                                        
&lt;section class="section main-article-chapter" data-menu-title="How to defend against IoT security risks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;How to defend against IoT security risks&lt;/h2&gt;
 &lt;p&gt;IT teams must take a multilayered approach to IoT security risk mitigation and &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-the-cybersecurity-benefits-of-zero-trust"&gt;adopt a zero-trust approach to security&lt;/a&gt;, whereby access is given to entities -- whether human users or IoT devices -- only after they verify their identities and enterprise-authorized rights to connect with the systems or data they are seeking to access.&lt;/p&gt;
 &lt;p&gt;In addition to those overarching security strategies, organizations should have specific defenses to protect against the different types of IoT attacks. They should establish robust governance policies and practices to mitigate excessive risk.&lt;/p&gt;
 &lt;p&gt;IoT security combines policy enforcement and software to detect and address any threats. Enterprise IT teams, in conjunction with security teams and the business departments that own IoT use cases, should do the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
   &lt;li&gt;Change factory default credentials before deployment, and enact and enforce strong, unique password policies for devices on the network.&lt;/li&gt; 
  &lt;li&gt;Use threat detection software to anticipate potential attacks and network monitoring tools to detect activities that could indicate a threat, attack attempt or actual attack.&lt;/li&gt; 
  &lt;li&gt;Have a comprehensive asset detection and management program to ensure better visibility into the endpoints deployed in their enterprise and what data is on their IoT devices.&lt;/li&gt; 
  &lt;li&gt;Conduct device vulnerability assessments.&lt;/li&gt; 
  &lt;li&gt;Disable unneeded services.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://www.techtarget.com/searchdatabackup/tip/Backup-scheduling-best-practices-to-ensure-availability"&gt;Perform regular data backups&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;Implement and practice disaster recovery procedures.&lt;/li&gt; 
  &lt;li&gt;Implement network segmentation.&lt;/li&gt; 
   &lt;li&gt;Install software that counters the various attack types, such as DNS Security Extensions, which cryptographically sign DNS records so resolvers can detect forged responses, paired with DNS query logging and filtering to catch tunneling.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Additionally, organizations should follow basic cybersecurity measures, such as authentication, regular updates and patches, and confirm that IoT devices meet security standards and protocols before they're added to the network.&lt;/p&gt;
 &lt;p&gt;Data protection strategies are another way to boost IoT security. IT teams can help ensure data security by using visibility tools, data classification systems, data encryption measures, data privacy measurements and log management systems.&lt;/p&gt;
 &lt;p&gt;For physical security measures, organizations should place devices in a tamper-resistant case and remove any device information manufacturers might include on the parts, such as model numbers or default passwords. IoT designers should bury conductors in the multilayer circuit &lt;a target="_blank" href="https://www.bytesnap.com/news-blog/introduction-iot-hardware-design/" rel="noopener"&gt;board&lt;/a&gt; and disable or lock debug interfaces to keep attackers from easily probing them. If someone does tamper with a device, it should have a disable function, for example a tamper switch that wipes stored keys or short-circuits the device when the enclosure is opened.&lt;/p&gt;
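&lt;p&gt;One way to turn the checklist above into a repeatable check, as an added example in Python; it is not code from the original article or from any vendor tool. It scores a constructed asset inventory against the conditions raised under insecure hardware, maintenance and update challenges, shadow IoT, poor asset management and unencrypted data transmissions: factory default credentials, firmware behind the vendor's current release, services open beyond what the device needs, plaintext protocols and devices outside the IoT segment. All model names, versions, credential pairs, VLAN ids and port profiles are assumed values.&lt;/p&gt;

```python
"""Policy-as-code check over a constructed IoT inventory.

Added example, not from the original article. Every reference table below is
made up: vendor release versions, factory credential pairs, the VLANs that
count as IoT segments, and which ports carry plaintext protocols.
"""
import operator

LATEST_FIRMWARE = {"cam-200": "4.2.1", "hvac-x": "2.9.0", "badge-rdr": "1.4.7"}
FACTORY_CREDENTIALS = {
    "cam-200": ("admin", "admin"),
    "hvac-x": ("root", "12345"),
    "badge-rdr": ("service", "service"),
}
IOT_VLANS = {120, 121}                              # where IoT endpoints belong
PLAINTEXT_PORTS = {23: "telnet", 80: "http", 1883: "mqtt"}


def version(text):
    """'2.7.3' becomes (2, 7, 3) so releases compare numerically."""
    return tuple(int(part) for part in text.split("."))


def assess(device):
    """Return the list of policy findings for one inventory record."""
    findings = []
    model = device["model"]
    if model not in LATEST_FIRMWARE:
        # Nothing is known about it: treat it as shadow IoT, not as compliant.
        findings.append("unrecognised model: treat as shadow IoT until inventoried")
    else:
        if device["credential"] == FACTORY_CREDENTIALS[model]:
            findings.append("factory default credentials still set")
        current = LATEST_FIRMWARE[model]
        if operator.lt(version(device["firmware"]), version(current)):
            findings.append(f"firmware {device['firmware']} behind vendor release {current}")
        extra = sorted(device["open_ports"] - device["required_ports"])
        if extra:
            findings.append(f"unneeded services exposed on ports {extra}")
    for port in sorted(device["open_ports"]):
        if port in PLAINTEXT_PORTS:
            findings.append(f"plaintext protocol {PLAINTEXT_PORTS[port]} on port {port}")
    if device["vlan"] not in IOT_VLANS:
        findings.append(f"not in an IoT segment (vlan {device['vlan']})")
    return findings


def assess_fleet(inventory):
    """Map each device id to its findings; an empty list means compliant."""
    return {device["id"]: assess(device) for device in inventory}


# Constructed inventory export: four devices with deliberately mixed posture.
INVENTORY = [
    {"id": "cam-01", "model": "cam-200", "firmware": "4.2.1",
     "credential": ("admin", "admin"), "vlan": 120,
     "open_ports": {80, 443, 554}, "required_ports": {443, 554}},
    {"id": "hvac-07", "model": "hvac-x", "firmware": "2.7.3",
     "credential": ("ops", "s3cret"), "vlan": 10,
     "open_ports": {8883}, "required_ports": {8883}},
    {"id": "lobby-printer", "model": "unknown", "firmware": "",
     "credential": None, "vlan": 10,
     "open_ports": {23, 9100}, "required_ports": set()},
    {"id": "badge-01", "model": "badge-rdr", "firmware": "1.4.7",
     "credential": ("svc", "Lk9!x"), "vlan": 121,
     "open_ports": {8883}, "required_ports": {8883}},
]


if __name__ == "__main__":
    for device_id, findings in assess_fleet(INVENTORY).items():
        print(device_id, findings or "compliant")
```

&lt;p&gt;In practice the inventory would come from the asset management platform and the reference tables from vendor advisories; the point is that each finding maps to one of the risks above and is produced the same way for every device, so nothing depends on an administrator remembering to look.&lt;/p&gt;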
 &lt;p&gt;&lt;i&gt;Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Certain IoT security concerns, like botnets, are hard to forget, but others might not come to mind as easily, including DNS threats and physical device attacks.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/iot_g1157534820.jpg</image>
            <link>https://www.techtarget.com/iotagenda/tip/5-IoT-security-threats-to-prioritize</link>
            <pubDate>Wed, 02 Jul 2025 09:00:00 GMT</pubDate>
            <title>Top 15 IoT security threats and risks to prioritize</title>
        </item>
        <item>
            <body>&lt;p&gt;As smart contracts are increasingly used to secure digital assets, developers face an array of security threats. Recent high-profile attacks -- including Penpie's $27 million loss and Cetus' $223 million hack -- underscore the importance of proper coding to prevent vulnerabilities.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchcio/definition/smart-contract"&gt;Smart contracts&lt;/a&gt; execute processes, transactions and other tasks when specific events, conditions and logic are met, depending on how they are programmed. They are deployed on a &lt;a href="https://www.techtarget.com/searchcio/definition/blockchain"&gt;blockchain&lt;/a&gt;, such as &lt;a href="https://www.techtarget.com/whatis/definition/Ethereum"&gt;Ethereum&lt;/a&gt; or other &lt;a href="https://www.techtarget.com/searchcio/definition/distributed-ledger"&gt;distributed ledger&lt;/a&gt; infrastructure, where they listen for events and updates from external data feeds called &lt;i&gt;oracles&lt;/i&gt;. The blockchain guarantees the integrity of a contract's own state; it cannot vouch for the correctness of data an oracle brings in from outside.&lt;/p&gt; 
&lt;p&gt;Many industries, including finance, healthcare and insurance, use smart contracts to control the flow of large amounts of valuable data and resources, such as transferring money, delivering services and unlocking protected content. This naturally makes them an attractive target to malicious actors.&lt;/p&gt; 
&lt;p&gt;Security must be a top priority when designing and developing a smart contract. Once a smart contract is deployed to a blockchain, its code is immutable and cannot be patched in place; it must be replaced by a newly deployed contract, with users migrated to it, unless the project adopted an upgradeable proxy pattern up front, which brings its own access control risks. Plus, vulnerabilities in a smart contract are visible to and reachable by anyone once the smart contract is on a blockchain.&lt;/p&gt; 
&lt;p&gt;When deploying a smart contract written in Solidity on the popular smart contract platform Ethereum, development teams need to be especially aware of the following attack vectors and how to eliminate them.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="1. Reentrancy attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;1. Reentrancy attacks&lt;/h2&gt;
 &lt;p&gt;Reentrancy attack vectors exist because Solidity smart contracts execute synchronously: When a contract makes an external call to another contract, the calling contract's execution pauses until the call returns, and the called contract runs against whatever state the caller has written so far. If the caller sends funds or hands over control before recording the effect of that action, the callee can call back into the caller and have the same action performed again, repeatedly, until the funds or the gas run out.&lt;/p&gt;
 &lt;p&gt;For example, a malicious contract's receive function could call the original contract's withdraw function again before the first call completes. Because the original contract updates the caller's balance only after the external transfer returns, every re-entered call still sees the old, unspent balance and pays out again. Forms of reentrancy attacks include single-function, cross-function, cross-contract, cross-chain and read-only. A &lt;a target="_blank" href="https://github.com/pcaversaccio/reentrancy-attacks" rel="noopener"&gt;GitHub repository&lt;/a&gt; maintains a list of exploits.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; This vulnerability occurs when the code logic of a smart contract is flawed. Developers need to follow the checks-effects-interactions pattern: validate inputs, update the contract's state, such as zeroing the caller's ether balance, and only then make the external call that sends funds. Adding a reentrancy guard, such as a &lt;i&gt;nonReentrant&lt;/i&gt; modifier that locks the contract for the duration of a call, prevents a function from being entered again while it is still executing. Static analysis tools, such as Slither and Securify, can check for the presence of the different types of reentrancy vulnerabilities.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; In a &lt;a target="_blank" href="https://www.halborn.com/blog/post/explained-the-penpie-hack-september-2024" rel="noopener"&gt;2024 reentrancy attack&lt;/a&gt; on the Penpie decentralized finance (&lt;a href="https://www.techtarget.com/whatis/definition/decentralized-finance-DeFi"&gt;DeFi&lt;/a&gt;) protocol, attackers stole $27 million worth of ether, Ethereum's native cryptocurrency.&lt;/p&gt;
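&lt;p&gt;The sequence described above, as an added example written in Python rather than Solidity; it is not code from the original article or from any real protocol. The classes model only the piece of EVM behaviour that matters here: an external call runs the callee before the caller's next line executes, and a revert unwinds the failing call. The bank, the attacker and the amounts are constructed.&lt;/p&gt;

```python
"""Toy model of the EVM call flow that makes reentrancy possible.

Constructed example (not real EVM code): a bank contract whose withdraw()
pays out before updating its ledger, an attacker whose receive hook re-enters
withdraw(), and a hardened bank that applies checks-effects-interactions plus
a mutex guard. Amounts are plain integers standing in for wei.
"""
import operator


class Revert(Exception):
    """Stands in for an EVM revert of the current call."""


class VulnerableBank:
    def __init__(self):
        self.ledger = {}   # what the contract believes each account is owed
        self.vault = 0     # ether the contract actually holds

    def deposit(self, who, amount):
        self.ledger[who] = self.ledger.get(who, 0) + amount
        self.vault += amount

    def withdraw(self, who):
        owed = self.ledger.get(who, 0)
        if owed == 0:
            raise Revert("nothing to withdraw")
        if operator.lt(self.vault, owed):
            raise Revert("transfer failed")
        # INTERACTION before EFFECT: the transfer hands control to `who`
        # while self.ledger[who] still holds the unspent amount.
        self.vault -= owed
        who.receive(self, owed)
        self.ledger[who] = 0   # effect happens too late to matter


class HardenedBank(VulnerableBank):
    def __init__(self):
        super().__init__()
        self.locked = False    # the nonReentrant mutex

    def withdraw(self, who):
        if self.locked:
            raise Revert("ReentrancyGuard: reentrant call")
        self.locked = True
        try:
            owed = self.ledger.get(who, 0)
            if owed == 0:
                raise Revert("nothing to withdraw")
            if operator.lt(self.vault, owed):
                raise Revert("transfer failed")
            self.ledger[who] = 0        # EFFECT first ...
            self.vault -= owed
            who.receive(self, owed)     # ... INTERACTION last
        finally:
            self.locked = False


class Wallet:
    """An honest depositor: just accepts the ether."""

    def __init__(self):
        self.received = 0

    def receive(self, bank, amount):
        self.received += amount


class Attacker(Wallet):
    """Receive hook re-enters withdraw() while the bank can still pay,
    ignoring a failed inner call the way an unchecked low-level call would."""

    def __init__(self, stake):
        super().__init__()
        self.stake = stake

    def receive(self, bank, amount):
        self.received += amount
        if operator.ge(bank.vault, self.stake):
            try:
                bank.withdraw(self)
            except Revert:
                pass


def run_attack(bank_cls, honest_deposit=3, stake=1):
    """Returns (ether the attacker walked away with, ether left in the bank)."""
    bank = bank_cls()
    alice, mallory = Wallet(), Attacker(stake)
    bank.deposit(alice, honest_deposit)
    bank.deposit(mallory, stake)
    bank.withdraw(mallory)
    return mallory.received, bank.vault


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableBank))   # (4, 0): drained
    print("hardened:  ", run_attack(HardenedBank))     # (1, 3): only the stake
```

&lt;p&gt;The vulnerable bank pays the attacker four times its one-ether stake, because each re-entered call reads the ledger before the first call has zeroed it. The hardened bank zeroes the ledger before transferring and its guard rejects the re-entered call, so the attacker gets only its own stake back.&lt;/p&gt;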
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="2. Oracle manipulation and flash loan attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;2. Oracle manipulation and flash loan attacks&lt;/h2&gt;
 &lt;p&gt;Smart contracts access and consume external data from outside the blockchain using an oracle. This lets them interact with off-chain systems, such as stock markets. Incorrect or manipulated oracle data can erroneously trigger the execution of smart contracts; this is known as the &lt;i&gt;oracle problem&lt;/i&gt;. The most common form in DeFi is a lending or vault contract that reads an asset's price from the spot reserves of a single on-chain liquidity pool, which anyone with enough capital can move within a transaction.&lt;/p&gt;
 &lt;p&gt;Many DeFi applications have been exploited using this method, the favorite being a flash loan attack. Flash loans are uncollateralized loans, limited only by the liquidity in the lending pool, that must be repaid within the same transaction or the entire transaction reverts. Attackers use the borrowed capital to distort an asset's price in the pool the victim reads from, borrow or redeem against the inflated value, unwind the trade and repay the loan, all while abiding by the blockchain's rules.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; Never price assets from the spot state of a single pool. Using a decentralized oracle network, such as Chainlink or Tellor -- or multiple independent oracles -- is the easiest way to ensure a contract receives data that is harder and more expensive for an attacker to interfere with. Time-weighted average prices, which aggregate a pool's price over many past blocks, also blunt single-transaction manipulation, though a large enough position held across several blocks can still shift them.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; The Abracadabra decentralized crypto-asset lending platform &lt;a target="_blank" href="https://cryptodnes.bg/en/hacker-exploits-smart-contracts-vulnerability-steals-13-million-in-ethereum/" rel="noopener"&gt;experienced&lt;/a&gt; a flash loan exploit in which attackers stole around $13 million in ether.&lt;/p&gt;
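&lt;p&gt;A worked model of the manipulation, added here as an example in Python; it is not the article's code and not any real AMM or lending protocol, and the reserves, loan size and 50 percent loan-to-value ratio are made-up values. It compares a lender that reads the pool's spot price with one that reads a time-weighted average over the 100 blocks before the attack.&lt;/p&gt;

```python
"""Spot price vs. time-weighted average price under a flash-loan-sized swap.

Constructed example (toy numbers, not a real protocol): a lender values token
collateral with a price function. Reading the spot price of one constant-product
pool lets an attacker inflate the price inside a single transaction; a TWAP
accumulated over the 100 blocks before the attack does not move.
"""
from fractions import Fraction


class ConstantProductPool:
    """Uniswap-v2-style pool: reserve_token * reserve_eth stays constant.
    Swap fees are omitted so the arithmetic stays exact."""

    def __init__(self, reserve_token, reserve_eth):
        self.reserve_token = Fraction(reserve_token)
        self.reserve_eth = Fraction(reserve_eth)
        self.cumulative = Fraction(0)   # sum of spot price times blocks elapsed
        self.last_block = 0

    def spot_price(self):
        """ETH per token, straight from the reserves."""
        return self.reserve_eth / self.reserve_token

    def record_block(self, block):
        """Advance the price accumulator, as a TWAP oracle does once per block."""
        self.cumulative += self.spot_price() * (block - self.last_block)
        self.last_block = block

    def swap_eth_for_token(self, eth_in):
        k = self.reserve_token * self.reserve_eth
        self.reserve_eth += eth_in
        new_token = k / self.reserve_eth
        token_out = self.reserve_token - new_token
        self.reserve_token = new_token
        return token_out

    def swap_token_for_eth(self, token_in):
        k = self.reserve_token * self.reserve_eth
        self.reserve_token += token_in
        new_eth = k / self.reserve_token
        eth_out = self.reserve_eth - new_eth
        self.reserve_eth = new_eth
        return eth_out


def twap(pool, cumulative_at_window_start, window_blocks):
    """Average price over the window, from two accumulator readings."""
    return (pool.cumulative - cumulative_at_window_start) / window_blocks


class Lender:
    """Lends ETH against tokens at 50 percent loan-to-value."""

    def __init__(self, eth_liquidity):
        self.eth_liquidity = Fraction(eth_liquidity)

    def borrow(self, token_collateral, price_per_token):
        allowed = token_collateral * price_per_token * Fraction(1, 2)
        loan = min(allowed, self.eth_liquidity)
        self.eth_liquidity -= loan
        return loan


def run_attack(use_twap, flash_loan=9_000, collateral=100_000):
    """Returns (ETH lent to the attacker, fair ETH value of the collateral)."""
    pool = ConstantProductPool(reserve_token=1_000_000, reserve_eth=1_000)
    for block in range(1, 101):          # honest history: 0.001 ETH per token
        pool.record_block(block)
    window_start, honest_price = Fraction(0), pool.spot_price()
    lender = Lender(eth_liquidity=500)

    # One transaction: flash-borrow ETH, pump the pool, borrow against
    # collateral at the pumped price, unwind the pump, repay the flash loan.
    tokens_bought = pool.swap_eth_for_token(flash_loan)   # spot price jumps 100x
    price = twap(pool, window_start, 100) if use_twap else pool.spot_price()
    loan = lender.borrow(collateral, price)
    eth_back = pool.swap_token_for_eth(tokens_bought)
    assert eth_back == flash_loan, "flash loan must be repaid in full"
    return loan, collateral * honest_price


if __name__ == "__main__":
    print("spot-priced lender:", run_attack(use_twap=False))   # (500, 100)
    print("TWAP-priced lender:", run_attack(use_twap=True))    # (50, 100)
```

&lt;p&gt;Against the spot price the attacker borrows the lender's entire 500 ETH against collateral worth 100 ETH and still repays the flash loan in the same transaction; against the TWAP the same collateral yields a 50 ETH loan, which is what the honest loan-to-value allows.&lt;/p&gt;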
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="3. Insecure randomness"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;3. Insecure randomness&lt;/h2&gt;
 &lt;p&gt;Contracts on a public blockchain run in a deterministic, fully visible environment, so they have no secret source of randomness of their own. Values developers often reach for, such as the block timestamp, block number or block hash, are known to or influenceable by the block producer and visible to everyone before a transaction is included. A fundamental principle of cryptography is that random numbers must be unpredictable, and while that sounds obvious, it is quite challenging to achieve on-chain. If the source of randomness is weak or predictable, an attacker can compute the outcome in advance and submit only the transactions that win, undermining lotteries, mints, games and any other contract whose integrity depends on an unguessable value.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; Only use cryptography based on accepted standards for random number generation; NIST has an &lt;a target="_blank" href="https://csrc.nist.gov/projects/random-bit-generation" rel="noopener"&gt;entire research project&lt;/a&gt; and a suite of standards focused on it. On-chain, that means obtaining randomness from a verifiable random function service, such as Chainlink VRF, whose output comes with a proof the contract can check, or using a commit-reveal scheme in which participants commit to hidden values before any of them is revealed.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; The $FFIST cryptocurrency token &lt;a target="_blank" href="https://blog.solidityscan.com/ffist-hack-analysis-9cb695c0fad9" rel="noopener"&gt;suffered&lt;/a&gt; an attack that resulted in a loss of around $110,000. The attack was traced back to a predictable source of randomness.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="4. Business logic errors"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4. Business logic errors&lt;/h2&gt;
 &lt;p&gt;A &lt;i&gt;business logic error&lt;/i&gt; is a general term for a design error within a smart contract or between smart contracts. The code may be free of classic bugs such as reentrancy or overflow, yet the design causes the contract to behave differently than it was intended to behave, for instance by letting a user redeem more than they deposited or by skipping a step of a multistep flow. Attackers can take advantage of business logic errors to manipulate contracts and steal funds.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; Developers should thoroughly test all contract code, including all combinations of business logic, and verify that the observed behavior exactly matches the intended behavior in each case. Consider using manual and/or automated processes and tools to analyze contract code for possible business logic errors.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; The SIR.trading DeFi protocol &lt;a target="_blank" href="https://en.cryptonomist.ch/2025/03/31/sir-trading-hacker-steals-the-entire-tvl-of-355000-by-exploiting-a-vulnerability-in-ethereums-transient-storage/" rel="noopener"&gt;experienced a logic flaw attack&lt;/a&gt; in March 2025 that resulted in the theft of around $355,000.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="5. Force-feeding attacks"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5. Force-feeding attacks&lt;/h2&gt;
 &lt;p&gt;Force-feeding attacks take advantage of the fact that developers cannot fully prevent a smart contract from receiving ether. A contract with no payable receive or fallback function rejects ordinary transfers, but ether can still be pushed into it by a contract that self-destructs with it as the beneficiary, by a block producer naming its address as the block's coinbase, or by sending funds to its address before it is even deployed. This makes it possible to change the balance of ether a contract holds -- force-feeding it -- and thereby manipulate any function logic that relies solely on the expected balance for internal accounting, such as paying out a reward if a balance increases above a certain level.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; It is impossible to stop contract balance manipulation in this way. Never use &lt;i&gt;address(this).balance&lt;/i&gt; as a check or guard within a function, because the actual ether balance might be higher than the balance expected by the contract's internal code. Track deposits in a state variable the contract updates itself and base decisions on that.&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/top_smart_contract_vulnerabilities-h.png 1280w" alt="Graphic listing the 12 top smart contract vulnerabilities." height="355" width="279"&gt;
 &lt;/figure&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="6. Lack of input validation"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;6. Lack of input validation&lt;/h2&gt;
 &lt;p&gt;All software needs to validate inputs; this has been a core principle of software development for decades. It is dangerous for software developers to assume that all inputs to software will be as expected. Attackers can craft inputs that cause crashes, potentially temporarily disrupting access to smart contracts, or that cause software to act in unexpected ways. More concerning is the use of inputs to alter data or change the software itself, both of which can be used to manipulate smart contracts.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; Developers should ensure all input is carefully validated as being exactly as expected before use. Add double-checks to the contract just in case an unexpected input somehow manages to pass validation and be processed. For more information, see the Solidity &lt;a target="_blank" href="https://docs.soliditylang.org/en/v0.8.30/control-structures.html#error-handling-assert-require-revert-and-exceptions" rel="noopener"&gt;documentation&lt;/a&gt; on error handling.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; The Onyx DeFi protocol faced a $3.8 million loss following an attack on an input validation vulnerability.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="7. Denial of service"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;7. Denial of service&lt;/h2&gt;
 &lt;p&gt;Like any online service, smart contracts are vulnerable to &lt;a href="https://www.techtarget.com/searchsecurity/definition/denial-of-service"&gt;DoS attacks&lt;/a&gt;, although on-chain the mechanics differ. An attacker can make a function uncallable by growing an array the contract loops over until the loop exceeds the block gas limit, or can cause unexpected reverts, in which unused gas is returned and all state is rolled back to what it was before the transaction began, by being the recipient of an external call the contract makes inline, such as a refund to the previous highest bidder in an auction. If the attacker's contract rejects the payment, every transaction that tries to refund it reverts, freezing the auction with the attacker in the lead. This can result in auction results or values used in financial transactions being manipulated to the attacker's advantage.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; Making these attacks costly for attackers is the best way to deter them. Time-lock puzzles and gas fees are just some of the ways of increasing an attacker's costs. Favor pull over push payments, so that losers withdraw their refunds in their own transactions instead of being paid inline, bound any loop the contract runs over user-supplied data, and ensure calls are only made to trusted contracts.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; This is not an example of an attack, but in April 2025, the Ethereum Improvement Proposal 7907 upgrade was approved to help prevent contracts from falling victim to DoS attacks through gas metering.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="8. Integer underflows and overflows"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;8. Integer underflows and overflows&lt;/h2&gt;
 &lt;p&gt;Integer underflows and overflows occur when the result of an arithmetic operation falls outside the fixed-size range of values: zero to 255 in the case of integer type uint8. A value that exceeds 255 overflows and wraps around to zero, while a value that drops below zero underflows and wraps around to 255. This causes unexpected changes to a contract's state variables and logic, triggering invalid operations.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; Since version 0.8.0, released at the end of 2020, the Solidity compiler checks arithmetic by default and reverts any operation that would underflow or overflow. Check any contracts compiled with earlier versions for functions involving arithmetic operations, or use a library, such as SafeMath, to check for underflow and overflow issues.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; The Cetus decentralized exchange &lt;a target="_blank" href="https://cointelegraph.com/news/dedaub-cetus-hack-post-mortem" rel="noopener"&gt;hack in May 2025&lt;/a&gt;, which cost an estimated $223 million in losses, was the result of a missed code overflow check.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="9. Access control vulnerabilities"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;9. Access control vulnerabilities&lt;/h2&gt;
 &lt;p&gt;Blockchains are accessible to anyone. Never save confidential or sensitive information to a blockchain unless it is &lt;a href="https://www.techtarget.com/searchsecurity/definition/encryption"&gt;encrypted&lt;/a&gt;. State variables and functions within a smart contract can also be visible and accessible to other smart contracts, which leaves them open to possible misuse or abuse.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; Developers should always implement proper access controls following the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt; by using Solidity's &lt;a target="_blank" href="https://docs.soliditylang.org/en/v0.8.30/contracts.html#state-variable-visibility" rel="noopener"&gt;state variable and function visibility specifiers&lt;/a&gt; to assign the minimum level of visibility necessary and no more.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Example:&lt;/b&gt; The KiloEx decentralized exchange suffered an approximate &lt;a target="_blank" href="https://egamers.io/kiloex-suspends-operations-after-7m-exploit-linked-to-smart-contract-vulnerability/" rel="noopener"&gt;$7 million loss&lt;/a&gt; due to a lack of access controls in a smart contract.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="10. Gas griefing"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;10. Gas griefing&lt;/h2&gt;
 &lt;p&gt;To perform a transaction or execute a smart contract on the Ethereum blockchain platform, users must pay a gas fee. It is paid to incentivize validators (miners) to commit the resources needed to verify transactions. The price of gas is determined by supply, demand and network capacity at the time of the transaction.&lt;/p&gt;
 &lt;p&gt;Gas griefing occurs when a user sends the amount of gas required to execute the target smart contract but not enough to execute subcalls -- calls it makes to other contracts. If the contract does not check if the required gas to execute a subcall is available, the subcall will not execute as expected. This can have a significant effect on the application's logic.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; No effective technique to prevent gas griefing exists. Developers should code contracts so they set the amount of gas to be sent, not the user. A rise in gas costs, however, could mean that the transaction fails.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="11. Transaction order dependence attacks (frontrunning)"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;11. Transaction order dependence attacks (frontrunning)&lt;/h2&gt;
 &lt;p&gt;Smart contracts are publicly visible from the moment they are submitted to the network as a pending transaction. This enables a miner of a block to select the transaction with the highest gas fees. For example, users can include a priority fee -- a tip -- to incentivize miners to prioritize their transaction ahead of other transactions in the same block. However, this also enables attackers to watch for opportunities where they can front-run profitable contracts by submitting an identical contract, but with a higher gas fee, so their contract is processed first. Because these attacks have to be implemented in fractions of a second, they are usually performed by bots or miners themselves.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; These attacks are tricky to avoid. One option is to only accept transactions with a gas price below a predetermined threshold. Or, use a commit-and-reveal scheme that involves a user first submitting a solution hash instead of the cleartext solution so it can't be viewed by potential frontrunners until it is too late. Various smart contract audit tools can detect if code introduces frontrunning vulnerabilities.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="12. Timestamp dependence"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;12. Timestamp dependence&lt;/h2&gt;
 &lt;p&gt;The node that executes the smart contract generates timestamp values. Due to the distributed nature of the Ethereum platform, it is almost impossible to guarantee that the time on every node is correctly synchronized. A node can then manipulate the timestamp value it uses to craft a logic attack against any contract that relies on the block.timestamp variable to execute time-critical operations.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Fix:&lt;/b&gt; To avoid this vulnerability, developers should not use the block.timestamp value as a control or logic check, or as a source of randomness.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Keeping smart contracts vulnerability-free"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Keeping smart contracts vulnerability-free&lt;/h2&gt;
 &lt;p&gt;For smart contracts to be smart and secure, development teams must build in security from the start and rigorously test their logic and code execution.&lt;/p&gt;
 &lt;p&gt;Contract code is difficult to patch after it is deployed. Getting security right the first time is imperative. Always follow &lt;a href="https://www.techtarget.com/searchsecurity/tip/Smart-contract-benefits-and-best-practices-for-security"&gt;smart contract security best practices&lt;/a&gt;. Unless the development team includes dedicated smart contract security specialists who can &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-conduct-a-smart-contract-audit-and-why-its-needed"&gt;audit smart contract code&lt;/a&gt; for logic flaws and other vulnerabilities by unit testing each function, use an auditing service specializing in smart contracts to identify any security issues.&lt;/p&gt;
 &lt;p&gt;&lt;i&gt;Karen Scarfone is a general cybersecurity expert who helps organizations communicate their technical information through written content. She co-authored the Cybersecurity Framework (CSF) 2.0 and was formerly a senior computer scientist for NIST.&lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Smart contracts execute tasks automatically when specific events occur, and they often handle large data and resource flows. This makes them particularly attractive to attackers.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_g1141232392.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Smart-contract-vulnerabilities-and-how-to-mitigate-them</link>
            <pubDate>Thu, 26 Jun 2025 00:00:00 GMT</pubDate>
            <title>12 smart contract vulnerabilities and how to mitigate them</title>
        </item>
        <item>
            <body>&lt;p&gt;Years ago, when users required access to a specific system, application or other corporate resource, they were provided a username and password tied to the access level they needed.&lt;/p&gt; 
&lt;p&gt;While this was a viable option when the number of IT services was small, it didn't take long before the number of accounts a user had to manage reached a dozen or more. To keep track of all these account usernames and passwords, many end users resorted to writing down their account information on sticky notes that they stuck to their monitors for all to see. Understandably, this type of password management is a big no-no by anyone's security standards. Thus, IT needed a way to better manage the growing number of user accounts. The answer was identity and access management (&lt;a href="https://www.techtarget.com/searchsecurity/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt;).&lt;/p&gt; 
&lt;p&gt;In a nutshell, IAM is a framework of processes, policies and systems that manage &lt;a href="https://www.techtarget.com/whatis/definition/digital-identity"&gt;digital identities&lt;/a&gt; in a secure, streamlined manner. Here's a rundown of the top seven identity and access management benefits for users, security admins and enterprises.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="1. Simplify the lives of end users"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;1. Simplify the lives of end users&lt;/h2&gt;
 &lt;p&gt;IAM systems enable users -- employees, third parties, contractors, guests, customers, vendors and partners -- to access corporate systems, regardless of where they are, what time it is and, often, what devices they are using.&lt;/p&gt;
 &lt;p&gt;Rather than requiring users to manage dozens of accounts for various corporate applications or resources, IT administrators can use IAM systems to create a unique digital identity for each user that includes a single set of credentials.&lt;/p&gt;
 &lt;p&gt;If employees are locked out of their accounts and waiting hours for help to reset their passwords or gain access, it can equate to thousands of dollars in lost productivity.&lt;/p&gt;
 &lt;p&gt;With an authentication method called single sign-on (&lt;a href="https://www.techtarget.com/searchsecurity/definition/single-sign-on"&gt;SSO&lt;/a&gt;), users can access cloud-based, SaaS, web-based and virtual applications with their unique identity. From productivity applications such as Microsoft 365 or Salesforce to collaboration applications such as Zoom or file-sharing services, SSO helps ease the friction of authentication processes and improves UX.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="2. Curb problematic password issues"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;2. Curb problematic password issues&lt;/h2&gt;
 &lt;p&gt;Beyond enabling easier sign-in processes and boosting productivity, IAM systems prevent users from resorting to sticking passwords on their monitors.&lt;/p&gt;
 &lt;p&gt;Speaking of passwords on sticky notes, compromised user credentials are one of the most common causes of data breaches today. Many IAM systems offer password management features that help security admins enforce &lt;a href="https://www.techtarget.com/searchsecurity/answer/Minimum-password-length-best-practices-Are-14-character-passwords-necessary"&gt;password best practices&lt;/a&gt;, such as minimum character lengths, frequent password updates and strong authentication measures such as multifactor authentication, biometrics or role-based access.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="3. Simplify the lives of security teams"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;3. Simplify the lives of security teams&lt;/h2&gt;
 &lt;p&gt;Outside of securing an enterprise, one of the biggest identity and access management benefits is that IAM systems improve the efficiency and effectiveness of security teams. IT administrators can use IAM to grant access rights based on predefined user roles. This not only lowers the chances of granting access rights to users who should not have them, but it also significantly reduces user &lt;a href="https://www.techtarget.com/searchhrsoftware/definition/employee-onboarding-and-offboarding"&gt;onboarding and offboarding&lt;/a&gt; times.&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-6_key_benefits_IAM-h.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-6_key_benefits_IAM-h_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-6_key_benefits_IAM-h_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineImages/security-6_key_benefits_IAM-h.png 1280w" alt="List of IAM key benefits" height="324" width="279"&gt;
  &lt;div class="main-article-image-enlarge"&gt;
   &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/figure&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/privileged-access-management-PAM"&gt;Privileged user access management&lt;/a&gt; is a major component here. To prevent resources from being accessed, security admins can apply the &lt;a href="https://www.techtarget.com/searchsecurity/definition/principle-of-least-privilege-POLP"&gt;principle of least privilege&lt;/a&gt; to user roles. This ensures employees, contractors, guests and partners can be quickly and easily set up with only the access needed to complete their job role.&lt;/p&gt;
 &lt;p&gt;SSO capabilities are generally only used for one enterprise and its associated IT systems. &lt;a href="https://www.techtarget.com/searchsecurity/definition/federated-identity-management"&gt;Federated identity management&lt;/a&gt;, of which SSO is a subset, links user identities across multiple organizations. With federated identity management, companies and partners can reduce overhead costs by sharing a single application for all user identities.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="4. Improve security companywide"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;4. Improve security companywide&lt;/h2&gt;
 &lt;p&gt;With IAM systems, security admins can enforce security policies across all company systems, platforms, applications and devices. This is imperative to enforcing authentication and other security measures, as well as preventing privilege creep.&lt;/p&gt;
 &lt;p&gt;With companywide IAM policies, it is easier to identify violations, remove inappropriate access privileges and revoke access when needed. They also limit potential internal threats, since employees only have access to the systems they need to perform their specific job duties and cannot escalate privileges without approval or a role change.&lt;/p&gt;
 &lt;p&gt;Many modern IAM systems use automation, &lt;a href="https://www.techtarget.com/searchsecurity/feature/5-IAM-trends-shaping-the-future-of-security"&gt;AI and machine learning&lt;/a&gt;, along with identity analytics capabilities that identify and automatically block anomalous activity.&lt;/p&gt;
 &lt;p&gt;Using an IAM system also enables IT departments to demonstrate where and how user credentials are used and helps admins identify what data may have been accessed and compromised when a data breach occurs.&lt;/p&gt;
 &lt;p&gt;IAM systems work on both employee- and company-owned devices and across the cloud. They are also becoming integral to IoT systems, as connected devices increasingly access corporate systems. IAM is key to assigning unique identities to connected devices, monitoring the data they access and enforcing security policies in IoT environments.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="5. Maintain and prove regulatory compliance"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;5. Maintain and prove regulatory compliance&lt;/h2&gt;
 &lt;p&gt;Many regulations, including the Sarbanes-Oxley Act, HIPAA, PCI DSS and GDPR, have data security, privacy and protection mandates that directly relate to IAM. &lt;a href="https://www.techtarget.com/searchsecurity/tip/Identity-management-compliance-How-IAM-systems-support-compliance"&gt;To prove compliance&lt;/a&gt;, organizations must understand and be able to verify protections for their data, including who has access to it, how that access is protected, processes for revoking access and how passwords are managed.&lt;/p&gt;
 &lt;p&gt;During a compliance audit, IAM systems also help IT admins prove where and how user credentials are used and demonstrate that corporate information is protected with the proper controls.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="6. Reduce management and IT costs"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;6. Reduce management and IT costs&lt;/h2&gt;
 &lt;p&gt;Because IAM systems simplify management for help desk employees and administrators, the time that was once spent on mundane tasks such as helping users locked out of their accounts can now be spent on more high-priority tasks.&lt;/p&gt;
 &lt;p&gt;Beyond helping prevent data breaches, consolidating user accounts into single identities can eliminate other enterprise expenditures. For example, using federated identities can save costs associated with managing identities across multiple -- often legacy -- applications.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="7. Reduce human error"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;7. Reduce human error&lt;/h2&gt;
 &lt;p&gt;While access provisioning can be handled manually, IAM systems provide a level of control and accuracy that is difficult for humans on their own to match. A busy IT admin, for example, might grant too much access to a new hire or to someone who's moving into a new role, either because the admin is hastily working through a too-long to-do list or the hiring manager provided inadequate information about &lt;a href="https://www.techtarget.com/searchsecurity/tip/User-provisioning-and-deprovisioning-Why-it-matters-for-IAM"&gt;what the appropriate access should be&lt;/a&gt;.&lt;/p&gt;
 &lt;p&gt;A well-defined IAM process can reduce errors and guesswork. From a cybersecurity perspective, this matters. When cybercriminals encounter an overprivileged account, a simple breach can turn into a significant cyberattack. An IAM tool should be able to ensure that a person's privileges are limited to only the data and applications they need to perform their specific duties.&lt;/p&gt;
 &lt;p&gt;&lt;b&gt;Editor's note:&lt;/b&gt;&lt;i&gt; This article was updated in 2025 to contribute additional information. &lt;/i&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Identity and access management benefits users, security and IT admins, and it also improves an organization's security posture. Read up on seven key advantages of IAM.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchServerVirtualization/security_compliance/servervirtualization_article_020.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/What-are-the-key-identify-and-access-management-benefits</link>
            <pubDate>Fri, 07 Feb 2025 09:00:00 GMT</pubDate>
            <title>7 key identity and access management benefits</title>
        </item>
        <item>
            <body>&lt;p&gt;Risk assessments and threat modeling enable organizations to learn how exposed they are to a successful attack. Both approaches are important, but understanding the differences between risk assessments and threat modeling requires companies know what constitutes a risk and what constitutes a threat. And that requires a definition of vulnerability.&lt;/p&gt; 
&lt;p&gt;A &lt;i&gt;security vulnerability&lt;/i&gt; is some form of fault, weakness or flaw in a system. It could exist within the IT infrastructure, hardware or software, or it could exist in a process, such as patching, or the manner in which a control has been implemented or deployed within a system. To exploit a vulnerability, a &lt;i&gt;threat&lt;/i&gt; must be present. That threat could take many shapes -- for example, malware or a malicious insider -- but as long as it hinders the ability of the system to keep data safe or to work as designed, it's a threat.&lt;/p&gt; 
&lt;p&gt;To that end, vulnerabilities expose a system to threats. &lt;i&gt;Risk&lt;/i&gt;, on the other hand, represents the potential financial loss and damage that could result if the threat takes place. The more vulnerabilities that exist in a system, the greater the number of possible threats and the higher the risk.&lt;/p&gt; 
&lt;p&gt;Let's take a look at &lt;a href="https://www.techtarget.com/searchsecurity/definition/risk-assessment"&gt;risk assessments&lt;/a&gt; and &lt;a href="https://www.techtarget.com/searchsecurity/definition/threat-modeling"&gt;threat modeling&lt;/a&gt;, which both identify and rank threats, but do so with different goals in mind.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="What is a risk assessment?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is a risk assessment?&lt;/h2&gt;
 &lt;p&gt;Risk assessment is a critical part of &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-management-and-why-is-it-important"&gt;risk management&lt;/a&gt;. These assessments, which should be performed periodically, let senior management understand the dangers they face, determine which risks are acceptable and take steps to mitigate those risks deemed the most critical.&lt;/p&gt;
 &lt;p&gt;The first step is to classify the organization's information assets -- or those assets within a chosen scope -- and determine their value. The next step is to identify risks -- the vulnerabilities and potential threats to those assets. All risks should be assessed, even those that fall outside of a direct cybersecurity breach, such as business continuity risk, equipment failure or employee skill shortages -- anything that could halt or interrupt operations.&lt;/p&gt;
 &lt;blockquote class="main-article-pullquote"&gt;
  &lt;div class="main-article-pullquote-inner"&gt;
   &lt;figure&gt;
    All risks should be assessed, even those that fall outside of a direct cybersecurity breach, such as business continuity risk, equipment failure or employee skill shortages -- anything that could halt or interrupt operations.
   &lt;/figure&gt;
   &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
  &lt;/div&gt;
 &lt;/blockquote&gt;
 &lt;p&gt;After that information is collected, perform a &lt;a href="https://www.techtarget.com/searchsecurity/definition/risk-analysis"&gt;risk analysis&lt;/a&gt;. Examine each asset to measure how exposed it is. Consider the likelihood it might be attacked and, if so, what kind of damage could occur. Prioritize the most important assets.&lt;/p&gt;
 &lt;p&gt;Now it's time for risk evaluation. With this step, senior management can implement a risk treatment plan -- appropriate to the organization and the regulatory environment in which it operates -- designed to reduce risks to an acceptable level.&lt;/p&gt;
 &lt;p&gt;Note that no two companies have the same risks or &lt;a href="https://www.techtarget.com/searchsecurity/definition/What-is-risk-appetite"&gt;risk appetite&lt;/a&gt;. That said, a number of frameworks and guides are available that can help companies conduct a comprehensive risk assessment, including the following:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;NIST &lt;a href="https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final" target="_blank" rel="noopener"&gt;Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;NIST Special Publication 800-30 Rev. 1 &lt;a href="https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final" target="_blank" rel="noopener"&gt;Guide for Conducting Risk Assessments&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;ISO/IEC 27005:2022 &lt;a href="https://www.iso.org/standard/80585.html" target="_blank" rel="noopener"&gt;Information security, cybersecurity and privacy protection -- Guidance on managing information security risks&lt;/a&gt;.&lt;/li&gt; 
  &lt;li&gt;&lt;a href="https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=6795"&gt;OCTAVE&lt;/a&gt;, The Operationally Critical Threat, Asset, and Vulnerability Evaluation Implementation Guide.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The European Union Agency for Cybersecurity also publishes a &lt;a href="https://www.enisa.europa.eu/publications/compendium-of-risk-management-frameworks" target="_blank" rel="noopener"&gt;free compendium&lt;/a&gt; of risk management frameworks.&lt;/p&gt;
 &lt;p&gt;While a risk assessment estimates how likely a threat may endanger an asset and the extent and cost of the damage should an attack occur, it doesn't explore how threats manifest themselves or how assets can be attacked.&lt;/p&gt;
 &lt;p&gt;Risk equals probability times impact. To know the probability of an attack, you have to be aware of threats that may affect or target the asset. That's where threat modeling comes in.&lt;/p&gt;
&lt;/section&gt;           
&lt;section class="section main-article-chapter" data-menu-title="What is threat modeling?"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;What is threat modeling?&lt;/h2&gt;
 &lt;p&gt;Threat modeling, like risk assessment, identifies and classifies assets, their potential vulnerabilities and threats, and prioritizes each threat. But while risk assessments only determine whether countermeasures are needed, threat modeling goes a step further and defines those countermeasures. Threat modeling "thinks like an attacker," and, as a result, focuses on the attacks that are the most likely to occur.&lt;/p&gt;
 &lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Get-started-Threat-modeling-with-the-Mitre-ATTCK-framework"&gt;Understanding the tactics, techniques and procedures&lt;/a&gt; of adversaries enables companies to combat threats more effectively by incorporating the most appropriate countermeasures into their system architectures and codebases. The more value attackers attach to an asset, the greater lengths they will go -- the work factor -- to take control of the asset.&lt;/p&gt;
 &lt;p&gt;Companies can take advantage of a variety of &lt;a href="https://www.techtarget.com/whatis/definition/threat-intelligence-cyber-threat-intelligence"&gt;cyber threat intelligence&lt;/a&gt; reports to determine which attackers are likely to target certain assets. These resources also highlight how these attacks may occur. Armed with this information, companies can focus on the most vulnerable assets and address the most dangerous threats.&lt;/p&gt;
 &lt;p&gt;The following are the most common stages in threat modeling:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Establish the scope of the threat model.&lt;/li&gt; 
  &lt;li&gt;Determine the threats.&lt;/li&gt; 
  &lt;li&gt;Rank each threat.&lt;/li&gt; 
  &lt;li&gt;Select and implement mitigations -- the choices are &lt;i&gt;avoid&lt;/i&gt;, &lt;i&gt;transfer&lt;/i&gt;, &lt;i&gt;reduce&lt;/i&gt; and &lt;i&gt;accept&lt;/i&gt;.&lt;/li&gt; 
  &lt;li&gt;Document all findings and mitigation actions.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;Consider this example: Accessing a user's profile (asset) requires authentication. But password authentication is subject to &lt;a href="https://www.techtarget.com/searchsecurity/definition/brute-force-cracking"&gt;brute-force attacks&lt;/a&gt; (vulnerability) -- and plenty of cracking tools, such as &lt;a href="https://www.techtarget.com/searchsecurity/tutorial/How-to-use-the-Hydra-password-cracking-tool"&gt;THC Hydra&lt;/a&gt; and Ncrack, are available to hackers (threat). To ward off these types of attack, employ strong passwords and limit logins (mitigation). Multifactor authentication is another useful tool. The controls' effectiveness can be validated during penetration testing and other security reviews.&lt;/p&gt;
 &lt;p&gt;Popular threat modeling methodologies and frameworks include Damage, Reproducibility, Exploitability, Affected users, Discoverability (DREAD); NIST's Guide to Data-Centric System Threat Modeling; Process of Attack Simulation and Threat Analysis (PASTA); Microsoft's Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege (STRIDE); the European Union's OCTAVE initiative; and the open source Threat and Risk Identification and Knowledge-based Engineering (Trike).&lt;/p&gt;
 &lt;p&gt;A threat modeling exercise should be performed every time a new system or application is designed. It helps establish the security controls needed so that every component is built to withstand an attack.&lt;/p&gt;
&lt;/section&gt;         
&lt;section class="section main-article-chapter" data-menu-title="Risk assessment vs. threat modeling"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Risk assessment vs. threat modeling&lt;/h2&gt;
 &lt;p&gt;When examining risk assessment vs. threat modeling, you'll find plenty of overlap. Each is a preventative and proactive exercise that addresses potential risks. A risk assessment, however, usually embraces a larger scope than threat modeling. Risk assessments should be held periodically or whenever there is a significant change in the IT environment or threat landscape. The initial risk assessment also provides a baseline against which to monitor progress in risk reduction and the effectiveness of investments in security.&lt;/p&gt;
 &lt;p&gt;Threat modeling is more specific and detailed. A risk assessment considers possible countermeasures; threat modeling defines and implements them. &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-threat-modeling-tools-plus-features-to-look-for"&gt;Threat modeling identifies vulnerabilities&lt;/a&gt;, as well as potential risks and mitigation steps, by using scenarios that target system entry points and data, both at rest and in transit. One of the long-term benefits of threat modeling is fewer successful attacks, and thus fewer redesigns and updates to systems and applications to fix security flaws.&lt;/p&gt;
 &lt;p&gt;Every organization needs an information security management framework in place so it has a register of information assets and owners, a defined level &lt;a href="https://www.techtarget.com/searchcio/feature/Risk-appetite-vs-risk-tolerance-How-are-they-different"&gt;of acceptable security risk&lt;/a&gt; and a mitigation plan that ensures risks sit within acceptable tolerance levels.&lt;/p&gt;
 &lt;p&gt;Risk assessment versus threat modeling is not an either/or choice. The two play complementary roles, and each helps organizations protect activities and projects from unacceptable risks.&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Risk assessments and threat modeling each address potential risks. But they play distinct roles in how they help companies protect systems and data.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/security_a254815015.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Risk-assessment-vs-threat-modeling-Whats-the-difference</link>
            <pubDate>Thu, 15 Jun 2023 09:12:00 GMT</pubDate>
            <title>Risk assessment vs. threat modeling: What's the difference?</title>
        </item>
        <item>
            <body>&lt;p&gt;DC Health Link's data breach was caused by a misconfigured server, according to a prepared statement by an executive for the health insurance exchange at a House Oversight Committee hearing on Wednesday.&lt;/p&gt; 
&lt;p&gt;DC Health Link, a health insurance exchange program based in Washington, D.C., &lt;a href="https://www.techtarget.com/searchsecurity/news/365532552/DC-Health-Link-confirms-breach-but-questions-remain"&gt;confirmed it suffered&lt;/a&gt; a data breach last month after a user on dark web hacking forum BreachForums offered to sell stolen data representing 170,000 individuals.&lt;/p&gt; 
&lt;p&gt;The user who originally posted the data, "IntelBroker," was permanently banned from BreachForums following the listing. However, on March 13, another user in apparent possession of the data under the alias "Denfur" claimed to be friends with IntelBroker and said the origin of the breach was an "open, exposed database."&lt;/p&gt; 
&lt;p&gt;On March 15, BreachForums' alleged founder &lt;a href="https://www.techtarget.com/searchsecurity/news/365532545/FBI-arrests-suspected-BreachForums-owner-in-New-York"&gt;was arrested&lt;/a&gt; in New York, and the forum was voluntarily shuttered days after due to law enforcement concerns. No definitive connection to DC Health Link was established.&lt;/p&gt; 
&lt;p&gt;Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, which operates the exchange, participated in a &lt;a href="https://www.youtube.com/watch?v=Ihw5wBp55Ug" target="_blank" rel="noopener"&gt;hearing on Wednesday&lt;/a&gt;. The hearing was held by the U.S. House Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation as well as the Committee on House Administration's Subcommittee on Oversight.&lt;/p&gt; 
&lt;p&gt;During her &lt;a href="https://oversight.house.gov/wp-content/uploads/2023/04/Mila-Kofman-Written-Testimony-April-19-2023.pdf" target="_blank" rel="noopener"&gt;opening statements&lt;/a&gt;, Kofman confirmed DC Health Link detected the breach on March 6 and that the cause of the breach was a misconfigured server.&lt;/p&gt; 
&lt;p&gt;"Let me be clear at the outset: The cause of this breach was human mistake," Kofman said. "With respect to the 'root cause' -- the problem here related to the configurations on a server used for generating and storing automated jobs and weekly reports. The server was misconfigured to allow access to the reports on the server without proper authentication. Based on our investigation to date, we believe the misconfiguration was not intentional but human mistake."&lt;/p&gt; 
&lt;p&gt;As part of the breach, the threat actor stole two "reports" representing sensitive data belonging to "56,415 current and past customers, including members of Congress, their families and staff," Kofman said. Among the victims were 17 House members, 43 of their dependents, 585 House staff members and 231 of their dependents. Personal information included names, dates of birth and Social Security numbers.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/mila_kofman_dc_health_benefit_exchange_authority-f.jpg"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/mila_kofman_dc_health_benefit_exchange_authority-f_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/mila_kofman_dc_health_benefit_exchange_authority-f_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/mila_kofman_dc_health_benefit_exchange_authority-f.jpg 1280w" alt="Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, speaks at a House Oversight Committee meeting Wednesday." data-credit="YouTube" height="315" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, apologized to members of Congress Wednesday for the 
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;According to the exchange's &lt;a href="https://hbx.dc.gov/page/about-dc-health-benefit-exchange-authority-hbx" target="_blank" rel="noopener"&gt;website&lt;/a&gt;, approximately 100,000 individuals have private health insurance through the public-private exchange, including D.C.-area residents and "approximately 11,000 designated Congressional staff and members of Congress."&lt;/p&gt; 
&lt;p&gt;TechTarget Editorial asked DC Health Link about the discrepancy between the alleged 170,000-person listing and Kofman's 56,415 figure, but a spokesperson for the exchange declined to elaborate.&lt;/p&gt; 
&lt;p&gt;Kofman apologized directly to the committees during her opening remarks.&lt;/p&gt; 
&lt;blockquote class="main-article-pullquote"&gt;
 &lt;div class="main-article-pullquote-inner"&gt;
  &lt;figure&gt;
   Let me be clear at the outset: The cause of this breach was human mistake.
  &lt;/figure&gt;
  &lt;figcaption&gt;
   &lt;strong&gt;Mila Kofman&lt;/strong&gt;Executive director, District of Columbia Health Benefit Exchange Authority
  &lt;/figcaption&gt;
  &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/blockquote&gt; 
&lt;p&gt;"In addition to saying how sorry I am that we failed to prevent the theft of two reports which had sensitive personal information of our customers, I want you to know that we have not and will not fail in our response. And we are working hard to make sure this never happens again," she said.&lt;/p&gt; 
&lt;p&gt;DC Health Link engaged incident response firm and Google subsidiary Mandiant as part of its investigation. Kofman added that the Health Benefit Exchange Authority also engaged the FBI Cyber Security Task Force shortly after the breach. It further briefed law enforcement, CISA, both the U.S. Senate and House of Representatives, and more.&lt;/p&gt; 
&lt;p&gt;"We asked law enforcement for help immediately and shared information as we uncovered it," she said. "Mandiant quickly worked alongside our team to identify the root cause of the breach, which we immediately eliminated. In addition to addressing this issue, we initiated a comprehensive review of our entire system and security, and we will be making enhancements across the board and can keep you updated on that progress."&lt;/p&gt; 
&lt;p&gt;&lt;i&gt;Alexander Culafi is a writer, journalist and podcaster based in Boston.&lt;/i&gt;&lt;/p&gt;</body>
            <description>Mila Kofman, executive director of the District of Columbia Health Benefit Exchange Authority, blames "human error" for the DC Health Link breach.</description>
            <image>https://cdn.ttgtmedia.com/rms/onlineimages/ransom_g1249114648.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/news/365535577/DC-Health-Link-breach-caused-by-misconfigured-server</link>
            <pubDate>Thu, 20 Apr 2023 10:02:00 GMT</pubDate>
            <title>DC Health Link breach caused by misconfigured server</title>
        </item>
        <item>
            <body>&lt;p&gt;Securing the U.S. elections may seem solely like a technology challenge on the surface. However, as the November election rapidly approaches and with early voting underway, election security truly boils down to the core fundamental challenge of protecting our nation and maintaining confidence in our democratic processes. &lt;a href="https://www.techtarget.com/searchsecurity/news/252487241/Matt-Blaze-warns-of-election-security-challenges-amid-COVID-19"&gt;Election security&lt;/a&gt; is a bipartisan issue and must continue to be prioritized by our leaders to provide the resources necessary to enable effective security and maintain public confidence now and into the future.&lt;/p&gt; 
&lt;p&gt;Significant cybersecurity focus continues to be on the security of the &lt;a href="https://www.techtarget.com/searchsecurity/news/252501364/Chaos-in-Maricopa-County-The-election-audit-explained"&gt;voting machine&lt;/a&gt;. The outcomes of the &lt;a href="https://www.techtarget.com/searchsecurity/news/252468837/2020-election-security-to-face-same-vulnerabilities-as-in-2016"&gt;Voting Machine Hacking Village&lt;/a&gt; at DEF CON usually make headlines and are a stern reminder that more progress needs to be made on this front. This is a central element of maintaining the &lt;a href="https://www.techtarget.com/searchunifiedcommunications/news/252494506/Facebook-places-indefinite-ban-on-President-Trump"&gt;integrity of election results&lt;/a&gt; and generally gets most of the buzz and attention. It can also be easier to understand, quantify and remediate. However, another looming threat continues to grow and put the security of elections at risk in a different way.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="The risk of disinformation campaigns"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;The risk of disinformation campaigns&lt;/h2&gt;
 &lt;p&gt;Disinformation campaigns are becoming more prevalent and they can have perilous consequences if proactive steps are not taken to quell the deceptive messages. A &lt;a href="https://www.isaca.org/go/election-security-2020" target="_blank" rel="nofollow noopener"&gt;2020 Election Security Study&lt;/a&gt; from global nonpartisan technology association ISACA found that 73% of tech professionals believe that misinformation and disinformation pose the greatest risk to election integrity. It ranks ahead of tampering with tabulation of voter results (64%) or hacking or tampering with voting machines (62%).&lt;/p&gt;
 &lt;p&gt;Disinformation campaigns are more sophisticated than ever before and the threats they pose can be more difficult to identify, quantify and mitigate in a timely manner than a software security flaw. In order for cybersecurity professionals, private companies and the government to combat information threats, it is important to understand the key differences between misinformation and disinformation. According to the Cybersecurity &amp;amp; Infrastructure Security Agency (CISA), the key distinctions are:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;&lt;em&gt;Misinformation&lt;/em&gt; is information that is false, but not created or shared with the intention of causing harm.&lt;/li&gt; 
  &lt;li&gt;&lt;em&gt;Disinformation&lt;/em&gt; is false information that is deliberately created to mislead, harm or manipulate a person, social group, organization or country.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;The major social media platforms continue to take steps to &lt;a href="https://about.fb.com/news/2020/09/removing-coordinated-inauthentic-behavior-russia/" target="_blank" rel="nofollow noopener"&gt;ban accounts or remove messages&lt;/a&gt; associated with disinformation campaigns, but doing so before many people are exposed to the falsehoods is incredibly difficult. Understanding the impact, reach and effect of these messages can also be subjective. Critics cite that &lt;a href="https://www.nytimes.com/2020/09/04/technology/facebooks-political-ads-block-election.html" target="_blank" rel="nofollow noopener"&gt;not enough is done&lt;/a&gt; and the actions taken are not quick enough.&lt;/p&gt;
 &lt;p&gt;ISACA's study shows these sorts of misinformation/disinformation campaigns adversely affect public perception about election security, which in turn erodes confidence in our democratic processes and benefits America's adversaries.&lt;/p&gt;
 &lt;p&gt;While securing voting machines and the technical security controls of the election infrastructure may be left to cybersecurity professionals, combating misinformation and disinformation is something we all can play an active role in. Just this month, CISA published a &lt;a href="https://www.cisa.gov/publication/election-disinformation-toolkit" target="_blank" rel="nofollow noopener"&gt;disinformation toolkit&lt;/a&gt; and &lt;a href="https://www.cisa.gov/publication/election-infographic-products" target="_blank" rel="nofollow noopener"&gt;election infographics&lt;/a&gt; to support election officials. Each one of us can stop disinformation and contribute to election security and confidence by taking the following steps:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Get your election information from trusted sources, such as state and local election authority websites&lt;/li&gt; 
  &lt;li&gt;Do not act on a single piece of information&lt;/li&gt; 
  &lt;li&gt;Check if social media accounts are verified before viewing their content&lt;/li&gt; 
  &lt;li&gt;Have a voting plan&lt;/li&gt; 
  &lt;li&gt;Limit what you share or reshare online&lt;/li&gt; 
  &lt;li&gt;Do not post personal ballot information online&lt;/li&gt; 
  &lt;li&gt;Report disinformation&lt;/li&gt; 
  &lt;li&gt;Direct others to official government election websites rather than other sources&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;We all need to do our part to protect our democracy because bad actors and &lt;a href="https://www.techtarget.com/searchsecurity/definition/advanced-persistent-threat-APT"&gt;advanced persistent threats&lt;/a&gt; are only going to find new ways to adversely affect and divide the country. We should never take for granted the freedoms and secure elections we have lived with our entire lives. Democracy is fragile and must be protected with endless rigor.&amp;nbsp;&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;About the author&lt;/strong&gt;&lt;/p&gt;
 &lt;p&gt;&lt;em&gt;Jason Yakencheck is the past president of the &lt;/em&gt;&lt;a href="https://www.isaca.org/" target="_blank" rel="nofollow noopener"&gt;&lt;em&gt;ISACA&lt;/em&gt;&lt;/a&gt;&lt;em&gt; Greater Washington, D.C. chapter.&amp;nbsp;He is actively engaged with ISACA Global to support cybersecurity initiatives.&amp;nbsp;He leads complex cybersecurity projects, performs C-suite advisory and leads secure cloud architecture and application migration. Yakencheck&amp;nbsp;holds the CISSP-ISSAP, CISM, CISA and PMP certifications.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>As the 2020 election approaches, more focus needs to be on overcoming disinformation campaigns that manipulate voters as they vote early or head to the polls on Election Day.</description>
            <image>https://cdn.ttgtmedia.com/visuals/ComputerWeekly/Hero%20Images/vote-election-getty.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/post/Combating-disinformation-campaigns-ahead-of-2020-election</link>
            <pubDate>Mon, 19 Oct 2020 15:23:00 GMT</pubDate>
            <title>Combating disinformation campaigns ahead of 2020 election</title>
        </item>
        <item>
            <body>&lt;p&gt;Security should always be on your mind when online. Whether at a larger organizational level or at an individual level, you should always have at least some way to keep your data safe. And the more data you must protect, the more important the &lt;a href="https://searchsecurity.techtarget.com/answer/How-to-protect-personal-data"&gt;act of data protection&lt;/a&gt; becomes. You should be asking yourself how you can keep that data safe and secure, especially if that information can be used against you.&lt;/p&gt; 
&lt;p&gt;Personal data normally refers to &lt;a href="https://searchdatamanagement.techtarget.com/answer/What-is-included-in-the-GDPR-definition-of-personal-data"&gt;data that can identify a person&lt;/a&gt;, such as credit card information, bank account information, Social Security number (SSN) or other sensitive data. The act of data protection includes actions such as safeguarding important information from corruption, compromise or loss. A large part of data protection is ensuring that data can be restored quickly after a situation like data loss or &lt;a href="https://searchsqlserver.techtarget.com/definition/data-corruption"&gt;corruption&lt;/a&gt;. Other key components of data protection include actions such as protecting and safeguarding data from compromise in the first place.&lt;/p&gt; 
&lt;p&gt;To accomplish this, you should always &lt;a href="https://searchsecurity.techtarget.com/feature/How-information-sharing-can-reduce-cybersecurity-vulnerabilities"&gt;know who you're sharing information with&lt;/a&gt;, maintain the appropriate security on your devices, and know how to appropriately dispose of your data once you no longer need it.&lt;/p&gt; 
&lt;h3&gt;Where does personal data exist?&lt;/h3&gt; 
&lt;p&gt;Your personal data can exist offline in physical spaces such as personal financial documents and records, or online in a digital context. Keeping offline personal data safe is relatively simple and comes down to common sense a lot of the time. For example, you'd want to keep documents, or anything with personal information on it, locked someplace safe and out of view. Keep your wallet or purse in a safe place at work. Don't keep your SSN in your wallet or purse. Before giving your information out to anyone, ask why they need it and how it will be kept safe. Shred anything with personal data on it that you don't need anymore, like insurance forms, checks or bank statements. Keeping offline personal data safe relates to being mindful of where your personal information is and how you share it.&lt;/p&gt; 
&lt;p&gt;Online personal information can be a little more complicated when it comes to keeping it safe. Digital personal information could exist on smartphones, desktops, laptops and other online devices. You may have granted businesses access to your data, so they could be holding personal information in a &lt;a href="https://searchcloudcomputing.techtarget.com/feature/On-premises-vs-cloud-Whats-more-cost-effective-for-your-apps"&gt;server on-premises or use a cloud storage service&lt;/a&gt;. In these cases, it is good to inquire how they secure your data, since it will differ per company. In addition, regulations such as &lt;a href="https://whatis.techtarget.com/definition/General-Data-Protection-Regulation-GDPR"&gt;GDPR&lt;/a&gt; and California Consumer Privacy Act (CCPA) have made it easier to request to see what personal data an organization holds about you, and to request the deletion of said data.&lt;/p&gt; 
&lt;h3&gt;Tips for protecting against data security threats&lt;/h3&gt; 
&lt;p&gt;Data security can take many forms when defending against the seemingly limitless threats. Often, the answer to &lt;a href="https://searchsecurity.techtarget.com/tip/6-cybersecurity-strategies-to-solidify-personal-data-protection"&gt;how to protect personal information&lt;/a&gt; from data breaches comes down to common sense; however, some technical concepts around security may be harder to understand. Here are 10 tips that can help you gain a better understanding of some basic and more complicated approaches you can take to personal information security.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;1. Passwords&lt;/strong&gt;. Weak passwords can be guessed, and even strong passwords can be figured out through methods such as &lt;a href="https://searchsecurity.techtarget.com/definition/brute-force-cracking"&gt;brute force attacks&lt;/a&gt;. Creating a strong password will at least make it harder for a hacker to guess. You should also use a different password for each application, and you should not write those passwords down. A password manager can help you remember them.&lt;/p&gt; 
&lt;p&gt;Defenses against something like a brute force attack sit mostly on the developer side. Approaches such as limiting failed login attempts, using &lt;a href="https://searchsecurity.techtarget.com/definition/CAPTCHA"&gt;CAPTCHA&lt;/a&gt;, monitoring server &lt;a href="https://searchitoperations.techtarget.com/definition/log-management"&gt;logs&lt;/a&gt; and using &lt;a href="https://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA"&gt;multifactor authentication&lt;/a&gt; can help prevent these attacks. So, the next time you get an image asking you to identify all the buses in a sectioned-out photo and a box to click to say you are not a robot, that's what that CAPTCHA is for.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-prevent_computer_security_threats.png"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-prevent_computer_security_threats_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-prevent_computer_security_threats_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-prevent_computer_security_threats.png 1280w" alt="Prevent computer security threats" height="355" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Four ways to prevent computer security threats include using firewalls, antivirus software, antispyware software and strong passwords.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;&lt;strong&gt;2. App privacy settings&lt;/strong&gt;. Even though application security can apply to desktop devices, the term is used mostly in reference to mobile apps. Some &lt;a href="https://www.computerweekly.com/feature/Facebooks-privacy-U-turn-how-Zuckerberg-backtracked-on-promises-to-protect-personal-data"&gt;apps request more privileges than they really need&lt;/a&gt; in the name of data collection. These permissions allow them to access numerous data sources on the device, possibly including contacts, browsing history and&amp;nbsp;&lt;a href="https://searchmobilecomputing.techtarget.com/definition/geolocation"&gt;geolocation&lt;/a&gt;. If you want to limit this access, you should be able to do so in your phone settings.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;3. Firewalls and antivirus&lt;/strong&gt;. A &lt;a href="https://searchsecurity.techtarget.com/definition/firewall"&gt;firewall&lt;/a&gt; is software or &lt;a href="https://whatis.techtarget.com/definition/firmware"&gt;firmware&lt;/a&gt; that prevents unauthorized access to a network. Many devices come with one built in, and firewalls are widely considered an essential component of network security. A firewall helps keep personal data secure by inspecting incoming and outgoing traffic, using a set of rules to identify and block threats. Firewalls are used in both personal and enterprise settings. Firewalls also perform important logging and audit functions to keep a record of events. Different types of firewalls include packet-filtering, stateful inspection, proxy and next-generation firewalls.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-firewall_types.jpg"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-firewall_types_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-firewall_types_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/security-firewall_types.jpg 1280w" alt="Types of firewalls" height="660" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A breakdown of the types of firewalls available and their respective advantages and disadvantages.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;Antivirus software is a security software program designed to prevent, detect and remove&amp;nbsp;&lt;a href="https://searchsecurity.techtarget.com/definition/malware"&gt;malware&lt;/a&gt;&amp;nbsp;infections. Antivirus software can be used on individual computing devices, networks and IT systems to protect personal data. Originally, antivirus software was designed to detect and remove&amp;nbsp;&lt;u&gt;viruses&lt;/u&gt;&amp;nbsp;from computers, but it can also protect against a wide variety of threats, such as spyware, botnets, &lt;a href="https://searchsecurity.techtarget.com/definition/ransomware"&gt;ransomware&lt;/a&gt;, &lt;a href="https://searchsecurity.techtarget.com/definition/keylogger"&gt;keyloggers&lt;/a&gt; and other malicious software.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;4. Backup data&lt;/strong&gt;. Backing up your data refers to copying the physical and virtual files or databases to a secondary location for preservation in case of equipment failure or attack. Backing up data is considered pivotal to disaster recovery plans. Additionally, it's the best option for recovering from ransomware attacks or from major data losses. Personal data that is important should be backed up to a separate drive, device or location. Backups essentially capture and synchronize a point in time that you can use to return data to its previous state. If you have personal data that regularly changes, then you should regularly back up devices that have the personal data on them.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;5. Anti-theft&lt;/strong&gt;. Anti-theft refers to data protection and theft prevention when data is in transit or at rest -- when it's in use or not. Protecting data that's at rest normally involves just managing who has access to that data, along with basic security protections such as the use of firewalls, &lt;a href="https://searchsecurity.techtarget.com/definition/encryption"&gt;encryption&lt;/a&gt; and threat monitoring. Protecting data in use or transit can involve basic security precautions and more complicated precautions. Anti-theft software is more commonly used in enterprise scenarios, but some examples for personal use include McAfee Total Protection or Absolute Home &amp;amp; Office.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;6. Bluetooth vulnerabilities&lt;/strong&gt;. Bluetooth devices can also leave personal data vulnerable. Personal data could be accessed through Bluetooth in several ways. &lt;a href="https://searchmobilecomputing.techtarget.com/definition/bluesnarfing"&gt;Bluesnarfing&lt;/a&gt; is when a hacker pairs with a Bluetooth device without the user's knowledge to compromise personal data. Hackers could also eavesdrop on calls by accessing the mobile device or a Bluetooth headset in use. &lt;a href="https://searchsecurity.techtarget.com/definition/denial-of-service"&gt;Denial of service attacks&lt;/a&gt; can also be a worry when it comes to Bluetooth devices. It's recommended to keep Bluetooth off when not in use to avoid risking compromising personal data. In addition, users shouldn't accept pairing requests from unknown devices.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;7. OS updates&lt;/strong&gt;. You should always keep your devices updated to ensure they have the latest performance and security updates. This goes for the operating system on a desktop as well as the OS on a mobile device. Mobile device OSes tend to get updated often, so it's important to check every now and then for those updates.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;8. Public Wi-Fi&lt;/strong&gt;. Even though it may be hard while traveling, you shouldn't connect to unsecured Wi-Fi networks. Aside from Wi-Fi network security lacking in most cases, some of them may not even be real. If you go to a public spot and see "Free Public Wi-Fi" show up on your phone, the unsecured wireless network may actually be from a nearby laptop or smartphone that is attempting to connect to other devices to steal personal information. Ideally, you should only connect to known, trusted &lt;a href="https://searchmobilecomputing.techtarget.com/definition/service-set-identifier"&gt;SSIDs&lt;/a&gt; and authenticated access points. Use 4G or LTE on your device when you can if you're out and about, or even a Wi-Fi hotspot aggregator.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;9. Secure personal info offline&lt;/strong&gt;. One of the simplest ways to secure personal information is to keep it on a device that doesn't connect to the internet. For example, physical data can be kept in a location out of view in your home or in a safe. If the data is digital, keeping it on a separate &lt;a href="https://searchstorage.techtarget.com/definition/hard-disk-drive"&gt;external hard drive&lt;/a&gt; keeps it offline, at least while the drive is not connected to a computer. You can then store that hard drive in a secure physical location of your choosing.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;10. Stay alert to hoaxes and impersonators&lt;/strong&gt;. There's no shortage of scams and impersonators, especially on the internet. For example, virus hoaxes can give you a false warning about a computer&amp;nbsp;&lt;a href="https://searchsecurity.techtarget.com/definition/virus"&gt;virus&lt;/a&gt;. In this example, a warning may arrive in an email with a message about a virus, prompting you to click a link that takes you to a website that will end up harming your computer. Other scams may try to steal enough of your personal information so they can steal your identity, which can affect numerous things such as your credit report.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-identity_theft_protection.jpg"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-identity_theft_protection_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-identity_theft_protection_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/security-identity_theft_protection.jpg 1280w" alt="Prevent identity theft" height="274" width="559"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;A list of tips to keep your identity from being stolen.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;Sometimes an entity may pose as someone they're not to &lt;a href="https://searchsecurity.techtarget.com/definition/phishing"&gt;phish&lt;/a&gt; for your personal information. These impersonators compose an official-looking email from a company, then notify you that you have been charged for something you have not bought, or that someone has signed in from another location -- among other things -- and then direct you to a fake site to sign in so they can capture your username and password.&lt;/p&gt; 
&lt;p&gt;One easy way to tell if an email is a phishing scheme is by the sender. Smartphones may simplify the email to just say something like "Apple," for example, but when you tap on the email address itself, it will show a different email address. Often it's something unreadable. To keep your online privacy and data safe, it's best not to respond to emails like this, or to simply delete them.&lt;/p&gt; 
&lt;h3&gt;How to safely dispose of personal data&lt;/h3&gt; 
&lt;p&gt;Deleting a file does not remove it from storage media -- in most cases at least. It actually marks that piece of storage space as available to write over. One of the most &lt;a href="https://privacyrights.org/resources/disposing-records-containing-personal-information" target="_blank" rel="noopener"&gt;time-tested methods&lt;/a&gt; for dealing with unwanted personal data is by overwriting that data with meaningless &lt;a href="https://whatis.techtarget.com/definition/binary"&gt;binary&lt;/a&gt;. This process should be relatively easy, but it's not 100% secure either. With the right tools, data can still be retrieved from an overwritten disk.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;You could also physically destroy the device the data is on. This method is effective, but you have to be sure you stay safe while doing it. You could also hand the device to a data destruction service that will carry out the destruction for you. A full disk wipe is yet another option: you can wipe all the data on a disk with free disk &lt;a href="https://whatis.techtarget.com/definition/wipe"&gt;wipe&lt;/a&gt; software, and for solid-state drives the drive's built-in secure erase command is generally more reliable than software overwriting.&lt;/p&gt;</body>
            <description>It's impossible to ignore the importance of security when dealing with personal information. Follow these tips to help keep your data safe and secure.</description>
            <link>https://www.techtarget.com/whatis/10-Tips-to-Keep-Personal-Data-Safe-and-Secure</link>
            <pubDate>Wed, 14 Oct 2020 10:17:00 GMT</pubDate>
            <title>10 Tips to Keep Personal Data Safe and Secure</title>
        </item>
        <item>
            <body>&lt;p&gt;Identity and access management (&lt;a href="https://searchsecurity.techtarget.com/definition/identity-access-management-IAM-system"&gt;IAM&lt;/a&gt;) allows the "right users" to access the "right technology" (applications, databases, networks, etc.) at the "right time." But what's the best way for interviewees to prove to hiring managers that they are the "right fit" for these openings?&lt;/p&gt; 
&lt;p&gt;A broad spectrum of jobs is available in IAM at organizations of all types, including enterprises, small to medium-sized businesses, and third-party service providers. Titles frequently listed on job boards include IAM system architect, IAM system engineer, IAM &lt;a href="https://searchsecurity.techtarget.com/definition/access-control"&gt;access control&lt;/a&gt; specialist, IAM administrator and IAM consultant.&lt;/p&gt; 
&lt;p&gt;Depending on the company and the position, some IAM jobs are more customer-facing than others. Some may focus more on soft skills, such as collaboration and communication, while other positions are more engineering-oriented and focus more on hard skills.&lt;/p&gt; 
&lt;h3&gt;Entry-Level Questions&lt;/h3&gt; 
&lt;p&gt;In the IAM field, as with other security disciplines, filling jobs with professionals with the &lt;a href="https://searchsecurity.techtarget.com/opinion/The-must-have-skills-for-cybersecurity-arent-what-you-think"&gt;right mix of skills&lt;/a&gt; isn't easy, explained Lance Peterman, president of IDPro, a professional development organization. So, organizations looking to fill IAM positions "have to get creative with respect to hiring," he said. For a new graduate or someone switching fields, "we often look at job candidates' willingness and ability to quickly pick up concepts, particularly technical concepts."&lt;/p&gt; 
&lt;p&gt;Interview questions for entry-level IAM jobs often touch on security fundamentals, safeguards and controls as well as the &lt;a href="https://www.techtarget.com/searchsecurity/tip/Top-4-essential-identity-and-access-management-best-practices"&gt;basics of identity protection&lt;/a&gt;, access management, cloud computing and &lt;a href="https://searchsecurity.techtarget.com/definition/cryptography"&gt;cryptography&lt;/a&gt;. Desirable skills for entry-level candidates or career-changers include experience with identity directories, databases, authentication and authorization models and scripting. If the IAM job is focused on cybersecurity, interview questions may relate to the trade-offs between security and productivity.&lt;/p&gt; 
&lt;p&gt;Knowing the vocabulary of IAM is also helpful for recent graduates and career-changers. They might read up on the major components of IAM -- including the provisioning and &lt;a href="https://searchsecurity.techtarget.com/definition/Deprovisioning"&gt;deprovisioning&lt;/a&gt; of identities, &lt;a href="https://www.techtarget.com/searchsecurity/tip/Federate-and-secure-identities-with-enterprise-BYOI"&gt;securing and authenticating user identities&lt;/a&gt;, and authorizing access to resources or to specific actions. Other terminology worth brushing up on includes privileged identity management, authorization and access control, federation, role-based access control (&lt;a href="https://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC"&gt;RBAC&lt;/a&gt;) and state transfer. Related terms might include load balancer (for cloud-oriented questions) or spot instances (for interviews related to infrastructure).&lt;/p&gt; 
&lt;p&gt;Be prepared for open-ended questions. There is often more than one correct answer. Plus, these questions invite follow-up.&lt;/p&gt; 
&lt;h4&gt;1. What can you tell me about yourself?&lt;/h4&gt; 
&lt;p&gt;Whether you're a recent graduate, a career-changer or a seasoned IAM professional, most interviewers will ask you some form of this question. This open-ended question gives interviewers a chance to peel back the onion, learn more about your skills and experience, and get a sense of whether you would be a fit for their organization.&lt;/p&gt; 
&lt;h4&gt;2. Why is IAM important?&lt;/h4&gt; 
&lt;p&gt;You might explain that &lt;a href="https://searchcompliance.techtarget.com/tip/Biometric-data-privacy-ethical-questions-complicate-modern-IAM"&gt;as security threats rise&lt;/a&gt; and user privacy preferences become more difficult to control, IAM is becoming more essential to organizations of all sizes and in all industries. IAM is crucial at a time when weak passwords can be cracked in minutes, corporate data breaches occur frequently, and criminals have infiltrated many organizations and government agencies. A single compromised set of credentials can be enough for a bad actor to gain a foothold on an enterprise network.&lt;/p&gt; 
&lt;h3&gt;Interview Tips&lt;/h3&gt; 
&lt;p&gt;Being enthusiastic and understanding why IAM is such an important element of information security (&lt;a href="https://searchsecurity.techtarget.com/definition/information-security-infosec"&gt;infosec&lt;/a&gt;) are essential. Be prepared for basic and more complex questions that look at your experience, technical and non-technical skills, and the kind of person you are. Here are some examples.&lt;/p&gt; 
&lt;h4&gt;3. Do you have experience implementing&amp;nbsp;IAM solutions and products such as single sign-on (SSO), two-factor authentication (2FA) and multifactor authentication (MFA)?&amp;nbsp;&lt;/h4&gt; 
&lt;p&gt;A&amp;nbsp;&lt;a href="https://www.computerweekly.com/news/252482336/IT-Priorities-2020-Compliance-and-risk-are-top-security-concerns"&gt;Computer Weekly/TechTarget IT Priorities&amp;nbsp;study&lt;/a&gt; conducted pre-Coronavirus found that&amp;nbsp;IAM would be increasingly important during 2020, with multifactor authentication the most popular identity-related security initiative planned by the surveyed buyers, cited by 48%. Access management, which 34% planned to deploy, and single sign-on, which was of interest to 30%, were also significant initiatives.&lt;/p&gt; 
&lt;p&gt;The study also showed that privileged identity management or privileged account management -- other important terms in the IAM lexicon -- is becoming mainstream.&lt;/p&gt; 
&lt;h4&gt;4. Which users have you worked with? Have you managed customer identity in addition to employee and other internal staff identities?&lt;/h4&gt; 
&lt;p&gt;The users IAM professionals deal with vary depending on the company and the job, from customers and privileged accounts to service accounts, internal employees, business partners and more.&lt;/p&gt; 
&lt;h4&gt;5. What is your experience with identity directory services such as Active Directory?&lt;/h4&gt; 
&lt;p&gt;Most IAM projects involve working with Active Directory or other types of repositories that comply with Lightweight Directory Access Protocol (&lt;a href="https://searchmobilecomputing.techtarget.com/definition/LDAP"&gt;LDAP&lt;/a&gt;). According to a &lt;a href="https://www.avatier.com/blog/killer-skills-for-identity-and-access-management-project/" target="_blank" rel="noopener"&gt;blog posting by Avatier&lt;/a&gt;, LDAP skills are needed throughout an IAM project for data conversions, QA testing, directory consolidation and other tasks. "Being able to write scripts that push and pull data between databases and the target LDAP directory provides a great deal of power that can be leveraged to accelerate project work," the Avatier blog states.&lt;/p&gt; 
&lt;h4&gt;6. What is your experience with IAM in the cloud?&lt;/h4&gt; 
&lt;p&gt;The cloud platform that a company uses would likely be included in the job description, IDPro's Peterman explained. Among entry-level professionals and career changers, "employers are looking for some exposure to the cloud," he noted. "If you have experience using one type of cloud, you can probably learn another," he said.&lt;/p&gt; 
&lt;p&gt;Entry-level candidates and career changers might be asked the following:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;How much experience do you have promoting code in the cloud?&lt;/li&gt; 
 &lt;li&gt;What technologies and tools have you worked with?&lt;/li&gt; 
 &lt;li&gt;What are some of the pluses and minuses you have encountered with these tools and cloud providers?&lt;/li&gt; 
 &lt;li&gt;What is your experience with virtual machines?&lt;/li&gt; 
 &lt;li&gt;What is your experience with containers?&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Interviewees at a higher technical experience level might be asked for details about a specific cloud platform. For example, interviewees familiar with &lt;a href="https://searchaws.techtarget.com/definition/Amazon-Web-Services-AWS-Identity-and-Access-Management-IAM"&gt;Amazon Web Services (AWS) IAM&lt;/a&gt; might be asked about its key features, how it works, its key benefits, and how its permissions and policies are evaluated. Be familiar with Amazon's best practices, such as &lt;a href="https://searchaws.techtarget.com/definition/AWS-Multi-Factor-Authentication-AWS-MFA"&gt;AWS Multi-Factor Authentication (MFA)&lt;/a&gt;, which is designed to provide an additional layer of protection on top of the username and password.&lt;/p&gt; 
&lt;p&gt;According to online tutorial site GoLinuxCloud, key points about AWS IAM &lt;a href="https://www.golinuxcloud.com/amazon-aws-interview-questions-answers-experienced/" target="_blank" rel="noopener"&gt;include the following&lt;/a&gt;:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;A new IAM user has no permissions until a policy grants them; every request is denied by default.&lt;/li&gt; 
 &lt;li&gt;Programmatic access for an IAM user is through an access key pair -- an access key ID and a secret access key -- which AWS generates only when one is requested for that user.&lt;/li&gt; 
 &lt;li&gt;An access key cannot be used to sign in to the AWS Management Console.&lt;/li&gt; 
 &lt;li&gt;Access keys are used to call AWS through an API, an SDK or the command-line interface.&lt;/li&gt; 
 &lt;li&gt;IAM is a global service: users, groups, roles and policies are not tied to a region and apply across all AWS regions.&lt;/li&gt; 
&lt;/ul&gt; 
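&lt;p&gt;The following Python model is an added example, not AWS code and not part of the original article. It illustrates the first point above and how IAM permissions and policies are evaluated: a request starts as an implicit deny, an Allow in any attached policy grants it, and an explicit Deny overrides every Allow. It deliberately supports only Effect, Action and Resource with the * and ? wildcards and ignores NotAction, Condition, resource-based policies, permission boundaries and service control policies; the policies, bucket name and ARNs are constructed.&lt;/p&gt;

```python
# Added example (not AWS code and not from the original article): a deliberately
# reduced model of how AWS IAM evaluates identity-based policies, to illustrate
# the points above. It supports Effect, Action and Resource with IAM's * and ?
# wildcards and ignores NotAction, Condition, resource-based policies, permission
# boundaries and SCPs. The policies and ARNs are constructed.
import re


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard match: * is any run of characters, ? is one character.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    return (any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_iam_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))))


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny'.

    Every request starts as an implicit deny, which is why a brand-new user
    can do nothing; an Allow in any attached policy flips it, and an explicit
    Deny anywhere wins over every Allow.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed policies in the shape AWS uses.
REPORTS_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
    }],
}
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
}
NO_DELETES = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
}
REPORT = "arn:aws:s3:::reports-bucket/q1.pdf"

if __name__ == "__main__":
    print(evaluate([], "s3:GetObject", REPORT))                               # ImplicitDeny
    print(evaluate([REPORTS_READ_ONLY], "s3:GetObject", REPORT))              # Allow
    print(evaluate([REPORTS_READ_ONLY], "s3:PutObject", REPORT))              # ImplicitDeny
    print(evaluate([S3_FULL_ACCESS, NO_DELETES], "s3:DeleteObject", REPORT))  # Deny
```

&lt;p&gt;The ordering of the policies makes no difference to the outcome; the explicit Deny wins wherever it sits, which is what makes a narrow Deny policy a useful guardrail on top of broad Allow grants.&lt;/p&gt;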
&lt;h4&gt;7. What are your favorite IAM tools and solutions?&lt;/h4&gt; 
&lt;p&gt;According to web infrastructure and security company Cloudflare, IAM &lt;a href="https://searchsecurity.techtarget.com/feature/8-leading-identity-and-access-management-products-for-2020"&gt;may be a single product&lt;/a&gt; or a mix of processes, software,&amp;nbsp;cloud services and hardware that give administrators visibility and control over the organizational data that individual users can&amp;nbsp;access.&lt;/p&gt; 
&lt;div class="extra-info"&gt;
 &lt;div class="extra-info-inner"&gt;
  &lt;h4&gt;Preparing for a Video Interview&lt;/h4&gt; 
  &lt;p&gt;It's likely that at least one of your interviews will be via video conference software. Here are eight tips to &lt;a href="https://whatis.techtarget.com/8-Tips-to-Prepare-for-a-Video-Conference-Interview"&gt;preparing for a video job interview&lt;/a&gt;.&lt;/p&gt;
 &lt;/div&gt;
&lt;/div&gt; 
&lt;h3&gt;Cryptography Questions&lt;/h3&gt; 
&lt;p&gt;Some security experts consider cryptography a separate field from IAM. However, some IAM professionals may have to address cryptography issues or work with those who do. So, depending on the job, the interview may include some cryptography questions.&lt;/p&gt; 
&lt;h4&gt;8. What is cryptography?&lt;/h4&gt; 
&lt;p&gt;Kaspersky Lab defines cryptography as "the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents." Cryptography refers to secure information and communication techniques derived from mathematical concepts and a set of rule-based calculations called algorithms, to convert plaintext into&amp;nbsp;&lt;a href="https://whatis.techtarget.com/definition/ciphertext"&gt;ciphertext&lt;/a&gt;&amp;nbsp;(a process called&amp;nbsp;encryption), then back again (known as decryption).&lt;/p&gt; 
&lt;h4&gt;9. What is the goal of cryptography?&lt;/h4&gt; 
&lt;p&gt;Cryptography helps keep information confidential; if a transmission or storage medium has been compromised, any encrypted information is practically useless to unauthorized persons without the keys for decryption. Second, by using &lt;a href="https://searchsqlserver.techtarget.com/definition/hashing"&gt;hashing algorithms&lt;/a&gt; and message digests, cryptography helps ensure the integrity (or accuracy) of information. In addition, through digital signatures, digital certificates or a public key infrastructure (&lt;a href="https://searchsecurity.techtarget.com/definition/PKI"&gt;PKI&lt;/a&gt;), cryptography can be used for authentication (and non-repudiation) services.&lt;/p&gt; 
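&lt;p&gt;The following Python script is an added example, not code from the original article, for the integrity and authentication goals just described. A plain SHA-256 digest detects that a message has changed, but whoever can change the message can recompute the digest too; an HMAC tag binds the check to a shared key, so an attacker without the key cannot produce a valid tag. The key, the messages and the account numbers are constructed.&lt;/p&gt;

```python
# Added example (not from the original article) for the integrity and
# authentication goals above: a plain SHA-256 digest detects that a message
# changed, but anyone who can change the message can also recompute the digest.
# A keyed MAC (HMAC) binds the check to a secret, so a forger without the key
# cannot produce a valid tag. Key and messages are constructed.
import hashlib
import hmac
import os


def digest(message: bytes) -> str:
    """Unkeyed integrity check."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """Keyed integrity plus origin authentication."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, expected_hex: str) -> bool:
    # compare_digest avoids leaking where the comparison first differs.
    return hmac.compare_digest(digest(message), expected_hex)


def verify_tag(key: bytes, message: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(mac_tag(key, message), expected_hex)


def tamper_scenario() -> dict:
    """Sender publishes a message with both a digest and an HMAC tag; an
    on-path attacker rewrites the message and does the best they can."""
    key = os.urandom(32)  # constructed shared secret, known to sender and receiver only
    original = b"transfer 100 to account 42"
    published_digest = digest(original)
    published_tag = mac_tag(key, original)

    forged = b"transfer 100 to account 99"
    forged_digest = digest(forged)  # trivial: the algorithm is public, no secret involved
    forged_tag = published_tag      # without the key, reusing the old tag is all they have

    return {
        "digest_accepts_forgery": verify_digest(forged, forged_digest),
        "tag_accepts_forgery": verify_tag(key, forged, forged_tag),
        "tag_accepts_original": verify_tag(key, original, published_tag),
        "original_digest_still_valid": verify_digest(original, published_digest),
    }


if __name__ == "__main__":
    print(tamper_scenario())
```

&lt;p&gt;The same distinction carries over to digital signatures: a signature is a keyed check whose verification key can be published, which is what lets PKI provide authentication and non-repudiation to parties who share no secret.&lt;/p&gt;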
&lt;h4&gt;10. Why is cryptography important?&lt;/h4&gt; 
&lt;p&gt;Cryptography cannot stop an attacker from copying data, but it can make stolen or intercepted data useless to anyone without the keys. Data needs to be protected this way because the leaking of sensitive information can put businesses, government institutions, financial institutions and individuals at risk.&lt;/p&gt; 
&lt;h4&gt;11. What is the most interesting/rewarding project or initiative in which you've been involved?&lt;/h4&gt; 
&lt;p&gt;This question gives interviewees a chance to discuss projects that used skills useful to the position for which they are applying. Interviewees might discuss what made the project interesting to them, how they worked with others, and what they learned. More experienced candidates might talk about the project's management and technical complexities. New graduates can discuss key elements of projects they worked on at universities, training programs and internships.&lt;/p&gt; 
&lt;p&gt;On the flip side, a posting on Glassdoor noted that one company asked a candidate for an IAM team lead: "What kinds of projects would you shy away from?" Be careful with this one. Be positive, and don't say anything bad about your former employer.&lt;/p&gt; 
&lt;p&gt;Follow-ons to the question about interesting and rewarding projects might be:&lt;/p&gt; 
&lt;p&gt;What is your ideal next step? What type of projects or initiatives would you like to work on? What skills would you like to add?&lt;/p&gt; 
&lt;h4&gt;12. Are you a team player? Discuss how you have engaged with other departments, such as legal and compliance. How do you manage the internal&amp;nbsp;relationships?&lt;/h4&gt; 
&lt;p&gt;Collaboration and communication skills are crucial. Being a team player is important whether you're a recent grad, a career-changer or a seasoned IAM professional. Even those in the early stages of building their resumes should be able to address this question. "Many new graduates come from [IT-related programs] that generally have team-based projects," said Darren Yamaki, director of identity and access management at the University of Southern California.&lt;/p&gt; 
&lt;h4&gt;13. What role have you played in ensuring compliance with government regulations?&lt;/h4&gt; 
&lt;p&gt;This question might be worded differently for new graduates or career changers, who may not have been directly involved in compliance; the question for newcomers might be "why is compliance important in IAM?" Experienced IAM professionals are more likely to have had a &lt;a href="https://searchsecurity.techtarget.com/tip/Identity-management-compliance-How-IAM-systems-support-compliance"&gt;direct role in compliance&lt;/a&gt; and interviewers will ask about how it applied to their jobs.&lt;/p&gt; 
&lt;p&gt;Compliance is important because U.S., worldwide and industry-specific data security and privacy laws &lt;a href="https://www.computerweekly.com/feature/IAM-is-the-future-for-managing-data-security"&gt;contain specific IAM mandates&lt;/a&gt;. For example,&amp;nbsp;HIPAA's&amp;nbsp;Security and Privacy Rules define access control measures for health information. Depending on their business, organizations might have to comply with regulations such as the Family Educational Rights and Privacy Act, GDPR, the Gramm-Leach-Bliley Act, PCI DSS and the Sarbanes-Oxley Act.&lt;/p&gt; 
&lt;p&gt;A related term is &lt;a href="https://searchsecurity.techtarget.com/definition/identity-governance"&gt;identity governance&lt;/a&gt;. A blog posting by Secret Double Octopus &lt;a href="https://doubleoctopus.com/security-wiki/identity-and-access-management/identity-governance/" target="_blank" rel="noopener"&gt;defines&lt;/a&gt; identity governance as a subcategory of IAM that "emerged from the needs of organizations to comply with new regulatory requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). IG provides organizations with better visibility to identities and access privileges, and better controls to detect and prevent inappropriate access."&lt;/p&gt; 
&lt;h4&gt;14. What is the biggest challenge you have faced? What is the biggest mistake you have made?&lt;/h4&gt; 
&lt;p&gt;A variation on this question is "what is the hardest part of your job?". It's important to discuss obstacles, how you handled them, what you learned from them and what you might do differently next time.&lt;/p&gt; 
&lt;h4&gt;15. How are changes in technology, from AI to IoT, affecting your job?&lt;/h4&gt; 
&lt;p&gt;More senior employees might be asked about how &lt;a href="https://searchenterpriseai.techtarget.com/definition/AI-Artificial-Intelligence"&gt;AI&lt;/a&gt;, automation and the internet of things are &lt;a href="https://internetofthingsagenda.techtarget.com/feature/IoT-biometrics-play-a-greater-role-in-workplaces"&gt;changing the way they work&lt;/a&gt; and what IAM challenges these technologies are posing, USC's Yamaki suggested. He added that new graduates might be asked how they stay on top of developments in the field -- for example, what journals or websites do they read.&lt;/p&gt; 
&lt;p&gt;In addition to the above questions, Henry Bagdasarian, founder and chief identity officer of the Identity Management Institute, a cybersecurity training and certification group, offers the following IAM interview questions.&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Do you have experience managing third-party service providers?&lt;/li&gt; 
 &lt;li&gt;Have you been involved in the vendor selection process?&lt;/li&gt; 
 &lt;li&gt;Have you performed&amp;nbsp;access re-certification? What tools have you used, or what is your strategy?&lt;/li&gt; 
 &lt;li&gt;Have you supported&amp;nbsp;internal and external audits?&lt;/li&gt; 
 &lt;li&gt;How do you manage&amp;nbsp;client requests for information? What is the most efficient&amp;nbsp;method to support RFI?&lt;/li&gt; 
 &lt;li&gt;Do you have experience&amp;nbsp;with &lt;a href="https://searchmobilecomputing.techtarget.com/tip/Pros-cons-of-cloud-based-IAM-from-Google-IBM-Amazon"&gt;IAM product design&lt;/a&gt;?&lt;/li&gt; 
 &lt;li&gt;Have you developed IAM policies and procedures?&lt;/li&gt; 
 &lt;li&gt;Have you been involved in IAM request for proposal projects?&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Don't forget to come up with questions of your own and anticipate follow-up questions. Before the interview, do some research on the company and the IAM field.&lt;/p&gt; 
&lt;p&gt;Most of these questions can be modified based on the interviewee's experience and the nature of the job. IAM career experts recommend tailoring your preparation to the specific interview and your background.&lt;/p&gt; 
&lt;p&gt;Remember, the interviewer's goal is to see how you think, whether through your answers to questions or through role-playing or other problem-solving tasks. Examples on Glassdoor include the following:&lt;/p&gt; 
&lt;h4&gt;16. How do you get a computer's IP address?&lt;/h4&gt; 
&lt;p&gt;An interviewee at WellCare was asked how to obtain a computer's IP address. One answer that Glassdoor provided: "Go to Start--cmd --systeminfo or Start--Powershell--systeminfo". On Windows, ipconfig at a command prompt or Get-NetIPAddress in PowerShell also list the machine's addresses.&lt;/p&gt; 
&lt;h4&gt;17. How do you give a user access to a server using Active Directory? How do you disable a user in Active Directory?&lt;/h4&gt; 
&lt;p&gt;WellCare posed these two questions to IAM interviewees, according to Glassdoor. To grant a user access, locate the server in Active Directory, check which access groups are associated with it in the server's properties, and add the user to the desired group; membership in that group grants access to the server, according to &lt;a href="https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control"&gt;Microsoft’s documentation website&lt;/a&gt;. To disable a user in &lt;a href="https://searchwindowsserver.techtarget.com/definition/Active-Directory"&gt;Active Directory&lt;/a&gt;, find the user in the correct organizational unit (OU), right-click and select "Disable Account"; the account is now disabled and a downward-pointing arrow appears next to the account name. The same can be done from PowerShell with the Disable-ADAccount cmdlet, according to the &lt;a href="https://blog.netwrix.com/2018/07/30/how-to-lock-unlock-enable-and-disable-ad-accounts-with-powershell/" target="_blank" rel="noopener"&gt;Netwrix blog&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Be prepared as much as possible, but be yourself. Job candidates, particularly new graduates or career-changers, should focus on their strengths and on ways to get up to speed on the skills they need to learn. "In IT, in general, often job posts will aim for the stars but settle for the moon," Peterman said.&lt;/p&gt;</body>
            <description>Before going into an infosec job interview, make sure to go through these IAM questions and answers to help you prepare.</description>
            <link>https://www.techtarget.com/whatis/17-IAM-Interview-Questions-and-Answers</link>
            <pubDate>Fri, 02 Oct 2020 11:21:00 GMT</pubDate>
            <title>17 IAM Interview Questions and Answers</title>
        </item>
        <item>
            <body>&lt;p&gt;It's important to find the silver lining in any negative situation -- and this continues to ring true during a global pandemic. As we approach the always-competitive U.S. election in November, politics aside, there is a silver lining there, too. This year, even with COVID-19 concerns increasing the adoption of mail-in voting and chief election officials across the country reflecting on the impacts of the &lt;a href="https://www.techtarget.com/searchsecurity/news/450415262/FBI-investigating-Trump-campaign-ties-to-Russia-DNC-breach"&gt;Russian interference from the 2016 election&lt;/a&gt; (among other considerations), the silver lining may be that the voting process is being scrutinized like never before.&lt;/p&gt; 
&lt;p&gt;During the Black Hat 2020 virtual conference, keynote speaker Matt Blaze &lt;a href="https://www.techtarget.com/searchsecurity/news/252487241/Matt-Blaze-warns-of-election-security-challenges-amid-COVID-19"&gt;analyzed the security weaknesses&lt;/a&gt; in our current voting process and urged the infosec community -- namely pentesters -- and election commissions to work together. His point: Testers can play an invaluable role in securing the voting process as their methodology of exploring and identifying every possible option for exploitation and simulating crisis scenarios is the perfect complement to shore up possible vulnerabilities and security gaps.&lt;/p&gt; 
&lt;p&gt;Given the regulatory nature of elections, it may be difficult for government and private sectors to work in tandem, especially at this late stage of the election cycle. However, this summer, Election Systems &amp;amp; Software, the top U.S. manufacturer of voting technology, announced that it would allow outside &lt;a href="https://www.techtarget.com/searchsecurity/news/252487307/Voting-vendor-ESS-unveils-vulnerability-disclosure-program"&gt;security experts to test its systems&lt;/a&gt; -- a first for the security industry. Until further collaboration occurs, pentesters may still be at arm's length. But that doesn't mean there aren't key insights into election security vulnerabilities that security professionals can learn from. Pulling from past and present experiences in the pentesting space, I will explore three election security vulnerabilities and share actionable remediation considerations that the security industry can apply to their own work.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Election security vulnerability #1: Software implementation opens the door to more remote breaches"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Election security vulnerability #1: Software implementation opens the door to more remote breaches&lt;/h2&gt;
 &lt;p&gt;Remediation considerations: Perform &lt;a href="https://www.techtarget.com/searchsecurity/feature/How-security-testing-could-change-after-COVID-19"&gt;regular security testing&lt;/a&gt; earlier in the software development lifecycle (SDLC) and implement automated testing suites prior to deployment.&lt;/p&gt;
 &lt;p&gt;Software is used in nearly everything we do, and voting is no exception. And while we can't rule out attacks on the hardware itself, attacking software is an easier and more common way for a bad actor to compromise an election, because a software breach can typically be attempted remotely by introducing malware.&lt;/p&gt;
 &lt;p&gt;Look to &lt;a href="https://www.politico.com/news/2020/08/31/election-security-hole-406471" target="_blank" rel="nofollow noopener"&gt;electronic pollbooks&lt;/a&gt; for a relevant case study. Many polling locations across the country use laptops and tablets, with a pollbook vendor's software installed, to sign voters in. While compromised electronic pollbooks won't change the vote, cyberattacks against the devices could cause delays that prevent people from voting. This example demonstrates the critical role of software in the election process, but software is also prevalent in voter registration, voting machines, creating ballots, and counting and tabulators.&lt;/p&gt;
 &lt;p&gt;What does the pollbook case tell security professionals in the business environment? In two words: shift left. It's up to the product development and IT teams to set the software development requirements and to be proactive in building in enough integrity checks that any tampering or malware in the ecosystem is detected, and that audits and analysis can take place.&lt;/p&gt;
 &lt;p&gt;These automated tests should be introduced early in the SDLC, so that vulnerabilities are caught in the design and in the source code rather than after release. Automated testing suites are not only a necessary component of software design but also key to testing systems prior to deployment -- or, in the case of voting security, before election day. Setting more regular testing milestones and thorough requirements will allow for timely alerts and generate the audit trails needed to understand when and where malicious code was introduced.&lt;/p&gt;
&lt;/section&gt;      
&lt;section class="section main-article-chapter" data-menu-title="Election security vulnerability #2: External partner organizations provide new attack surfaces"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Election security vulnerability #2: External partner organizations provide new attack surfaces&lt;/h2&gt;
 &lt;p&gt;Remediation considerations: Set and enforce minimum security requirements for all partners.&lt;/p&gt;
 &lt;p&gt;Headlines across the United States have reported on the &lt;a href="https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf" target="_blank" rel="nofollow noopener"&gt;Senate Select Committee on Intelligence Report&lt;/a&gt; on Russia's attempts to access election infrastructure in 2016. Based on the information released to date, the nation-state attackers reached the voter registration process by entering the network through third-party organizations -- private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations. Realistically, most partner organizations are connected to the internet, and attackers can use them as an entry point for malicious activity such as injecting malware.&lt;/p&gt;
 &lt;p&gt;Bad actors accessing security weaknesses from the outside, through vulnerabilities over the internet, is a common cause of security incidents. Take the infamous 2013 Target breach as an example. Adversaries accessed Target's point-of-sale system through its HVAC vendor, which did not have minimum security requirements in place. Or, the latest &lt;a href="https://www.grocerydive.com/news/instacart-boosts-security-for-shoppers-after-breach/583982/" target="_blank" rel="nofollow noopener"&gt;Instacart&lt;/a&gt; incident in which employees of a third-party tech support vendor had access to more shopper profiles than necessary.&lt;/p&gt;
 &lt;p&gt;To ensure an adversary does not enter the network through a third-party partner, there cannot be any weak links. CISOs must ensure all partner organizations have minimum security requirements as outlined by their regulatory bodies -- and seek out partners that go beyond the regulatory requirements and address security in a proactive fashion. Minimum security requirements typically include multiple layers of protection, such as building behavioral analysis capabilities in an application that can set alerts if compromised, performing regular code review and penetration testing, doing threat modeling to ensure assets are protected across different trust boundaries, among others.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Election security vulnerability #3: Existing security controls not working as they are intended"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Election security vulnerability #3: Existing security controls not working as they are intended&lt;/h2&gt;
 &lt;p&gt;Remediation considerations: Implement a defense-in-depth strategy and perform adversarial simulations.&lt;/p&gt;
 &lt;p&gt;Under the direction of the chief election official, every election commission has some form of security strategy and threat detection tooling (firewalls, intrusion detection, etc.) -- but how do they know these are working properly? This is where a defense-in-depth strategy becomes critical, particularly in crisis situations, for any organization. Defense in depth provides multiple layers of security so that, if one control fails or is tampered with, backup measures still protect the integrity of the process as a whole.&lt;/p&gt;
 &lt;p&gt;To ensure the efficacy of detective controls and incident response teams, adversarial simulations are key. If controls are not configured properly, you won't know until it's too late and a breach has already occurred. Simulations can also put incident response teams to the test to see if they are detecting malicious activity performed by pentesters and red teams.&lt;/p&gt;
 &lt;p&gt;When working with and building an infrastructure where the overall integrity of the system is of utmost importance, pentesting becomes critical. Testers aim to make the system misbehave and put themselves into the shoes of a bad actor. The financial industry should be looked to as an example of security sophistication. Security of banks and other financial institutions is evaluated under a microscope and they are required to adhere to strict regulations, such as more frequent and thorough testing to find and remediate vulnerabilities faster. Voting systems themselves are a key part of the democratic process and warrant the same amount of scrutiny that our financial infrastructure receives.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Everyone involved needs to work together for election security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Everyone involved needs to work together for election security&lt;/h2&gt;
 &lt;p&gt;My final piece of advice: Infosec professionals, chief election officers and election commissions need to work more closely together to reinstate confidence in the election process. But, in order for the infosec community to get involved, we have to be given the opportunity to do so. In a &lt;a href="https://www.netspi.com/agentofinfluence/episode007?fbclid=IwAR0LBWfRxA2U4SCdaw8IGEGjJG6WRiAVV-mR-GKuB-nqYVqnEtdHX4PX064" target="_blank" rel="nofollow noopener"&gt;recent conversation&lt;/a&gt; I had with Cassio Goldschmidt, Head of Information Security at ServiceTitan, he explained Brazil's election security process. The Brazilian government hosts an event to test their electronic voting systems, making it a collaborative and open effort to create a trustworthy voting infrastructure, which, in essence, is a country-wide pentesting investment. Other countries and businesses could learn from this model.&lt;/p&gt;
 &lt;p&gt;While the increased scrutiny of the voting process may be a silver lining of the pandemic, there is always room for improvement. We must continue to use our cybersecurity knowledge in our own security practices but also challenge and scrutinize the voting process to create a secure foundation for elections with integrity.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;About the author&lt;/strong&gt;&lt;br&gt;&lt;em&gt;Nabil Hannan is a managing director at&amp;nbsp;&lt;a href="http://netspi.com/" target="_blank" rel="nofollow noopener"&gt;NetSPI&lt;/a&gt;.&amp;nbsp;He leads the company's consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review and vulnerability remediation.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Election security remains top of mind for many right now, with Nabil Hannan discussing vulnerabilities like remote breaches, new attack surfaces and poor current controls.</description>
            <image>https://cdn.ttgtmedia.com/visuals/search400/iseries_security_plan/search400_article_031.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/post/3-common-election-security-vulnerabilities-pros-should-know</link>
            <pubDate>Thu, 01 Oct 2020 15:41:00 GMT</pubDate>
            <title>3 common election security vulnerabilities pros should know</title>
        </item>
        <item>
            <body>&lt;p&gt;The sting of the COVID-19 global pandemic forcing many into remote work -- combined with &lt;a href="https://www.techtarget.com/searchmobilecomputing/feature/The-future-of-BYOD-Trends-and-predictions"&gt;the trend of BYOD in the enterprise&lt;/a&gt; -- is changing the dynamic of the mobile device convergence.&lt;/p&gt; 
&lt;p&gt;The concept of digital and &lt;a href="https://searchconvergedinfrastructure.techtarget.com/definition/convergence"&gt;technological convergence&lt;/a&gt;, combining the computing power of a desktop, a smartphone and a tablet into one device, goes all the way back to the mid-2000s. In the past decade, the idea of device convergence has gained steam, especially with mobile devices that support voice, video and text communications for enterprise users.&lt;/p&gt; 
&lt;p&gt;Despite the &lt;a href="https://www.techtarget.com/searchhrsoftware/news/252486366/Full-time-remote-work-trend-has-its-doubters"&gt;WFH stipulations&lt;/a&gt;, employees are still expected to be available 24/7, which puts pressure on employees to always have a work endpoint nearby and available.&lt;/p&gt; 
&lt;h3&gt;Remote work and its devices are here to stay&lt;/h3&gt; 
&lt;p&gt;An incredible 42% of the U.S. labor force is now working from home due to the coronavirus crisis, according to Stanford University economist Nicholas Bloom. Global Workplace Analytics, a consultancy firm, expects that 25% to 30% of the workforce will be working at home on multiple days per week by the end of 2021, even in a scenario where the COVID-19 pandemic has already ended.&lt;/p&gt; 
&lt;p&gt;The portability of mobile device convergence enables remote employees to work in a remote workspace in ways that corporate desktops just can't match, such as providing a desktop-style interface and keyboard for applications on a tablet-style device.&lt;/p&gt; 
&lt;p&gt;The headlong &lt;a href="https://www.techtarget.com/searchmobilecomputing/Guide-to-telecommuting-during-the-coronavirus-pandemic"&gt;shift to teleworking&lt;/a&gt; in response to COVID-19 has forced administrators to accept the use of mobile devices during remote work. Some organizations might typically block mobile devices from secure corporate systems. But, with the increased reliance on these devices, especially if users don't have access to their usual endpoints, blocking mobile access isn't always realistic.&lt;/p&gt; 
&lt;h3&gt;Mobile device convergence on the market&lt;/h3&gt; 
&lt;p&gt;Plenty of new converged devices are pushing the concept forward, including the Microsoft Surface Pro X. This device combines access to the familiar desktop office applications with the sleek, touch screen capabilities of a tablet. Microsoft has just introduced &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/Surface-Duo-brings-a-Windows-Surface-Android-partnership"&gt;Surface Duo&lt;/a&gt; as well, which is a double-screen device that takes advantage of the Google Android mobile OS in concert with Microsoft 365 applications.&lt;/p&gt; 
&lt;figure class="main-article-image full-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/Surface_Duo.jpg"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineimages/Surface_Duo_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/Surface_Duo_mobile.jpg 960w,https://www.techtarget.com/rms/onlineimages/Surface_Duo.jpg 1280w" alt="Microsoft Surface Duo" height="560" width="560"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;The Surface Duo is set for release in September 2020, and it carries a $1,400 price tag.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;Organizations that deploy Microsoft Surface and Surface Pro devices to their users range from the mining company Newmont and the Australian Cricket union organization to the low-cost airline Norwegian Air. Norwegian Air, for example, is using Surface Pro tablets to function as electronic flight bags, replacing the traditional paperwork that flight attendants must complete. &lt;a href="https://www.techtarget.com/searchnetworking/opinion/4G-LTE-or-5G-could-be-your-branch-office-backup-internet-connection"&gt;4G LTE Advanced wireless&lt;/a&gt; technology can connect at numerous airports across the world, so flight crews can conduct flight management tasks, share critical documentation and communicate more efficiently.&amp;nbsp;&lt;/p&gt; 
&lt;p&gt;Apple's latest iPad tablets also come with powerful features that follow the trend of mobile device convergence, including support for keyboard data entry and the ability to write directly on the screen of the tablet with a finger or a stylus. Even &lt;a href="https://www.techtarget.com/searchmobilecomputing/news/252487976/OnwardMobility-leans-on-nostalgia-in-new-BlackBerry"&gt;Blackberry may be getting back into the mobile device convergence game&lt;/a&gt; with a new QWERTY keyboard-equipped device on the horizon.&lt;/p&gt; 
&lt;h3&gt;Securing remote and personal converged devices&lt;/h3&gt; 
&lt;p&gt;This increased use of mobile devices has a massive effect on the way IT admins handle remote endpoint security. If nobody is going into an office, that means laptops, tablets and smartphones are plugging into home internet connections rather than a corporate network. On top of this, mobile device convergence will require a mix of mobile and desktop application deployment to fit the hybrid device users' needs.&lt;/p&gt; 
&lt;p&gt;A worker may want the traditional Microsoft Office desktop applications, but the traditional mobile versions of other applications. IT administrators must also find ways to ensure these converged mobile devices have access to stable versions of business and custom line-of-business applications.&lt;/p&gt; 
&lt;blockquote class="main-article-pullquote"&gt;
 &lt;div class="main-article-pullquote-inner"&gt;
  &lt;figure&gt;
   The Microsoft Intelligent Security Association said in April 2020 that 60% of endpoints are mobile devices that are woefully under-protected.
  &lt;/figure&gt;
  &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/blockquote&gt; 
&lt;p&gt;Even before COVID-19 spawned the push towards WFH, a December 2019 SANS Institute survey on endpoint security found that 56.3% of the employee-owned mobile devices connecting to the corporate network were not centrally managed or part of a security program. Prior to the massive disruptions of the coronavirus, converged mobile devices were not subject to many of the same layers of security that corporate desktops or laptops would be. The Microsoft Intelligent Security Association said in April 2020 that 60% of endpoints are mobile devices that are &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/4-types-of-mobile-security-models-and-how-they-work"&gt;woefully under-protected&lt;/a&gt;. Remote workers sometimes have to share sensitive files, which offers a prime opportunity for hackers to &lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/How-mobile-threat-defense-tools-can-help-mobile-admins"&gt;intercept data midstream&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Using auxiliary devices with mobile converged devices helps organizations save on storage by passing extremely sensitive data between devices using zip drives or other portable storage mechanisms. IT admins should keep in mind that zip drives can transfer viruses between multiple machines, so consider adding some external device scanning security measures.&lt;/p&gt; 
&lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication.jpg"&gt;
 &lt;img data-src="https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication_half_column_mobile.jpg" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication_half_column_mobile.jpg 960w,https://www.techtarget.com/rms/onlineImages/security-twofactor_authentication.jpg 1280w" alt="Two-factor authentication explained" height="355" width="279"&gt;
 &lt;figcaption&gt;
  &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Three different methods of authentication that can make up two-factor authentication.
 &lt;/figcaption&gt;
 &lt;div class="main-article-image-enlarge"&gt;
  &lt;i class="icon" data-icon="w"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/figure&gt; 
&lt;p&gt;The combination of the BYOD craze, the mandate to WFH and the task of securing multiple endpoints for a newly distributed workforce can leave IT administrators with a headache. Many employees are now expected to run a VPN on any converged mobile device they use for work. For additional security measures, network administrators should enforce strong endpoint encryption whenever possible and require employees to use &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;multifactor authentication&lt;/a&gt; and strong passwords.&lt;/p&gt; 
&lt;p&gt;With the &lt;a href="https://www.wi-fi.org/discover-wi-fi/wi-fi-certified-6" target="_blank" rel="noopener"&gt;advent&lt;/a&gt; of Wi-Fi 6 and 5G, connectivity for converged mobile devices will improve. This will aid both the IT administrators and device users, providing more accurate visibility of the wireless LAN networks and cellular connections. Business endpoints that are connected to a strong network at all times -- even when users are away from Wi-Fi -- allow IT administrators to closely monitor the devices and allow users to access corporate data from any location.&lt;/p&gt;</body>
            <description>The trend of mobile device convergence, adding more functionality to smaller hybrid devices, is growing in intensity with the COVID-19 pandemic, and IT must be prepared for it.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchWindowsServer/op_systems_microsoft_apps/windowsserver_article_011.jpg</image>
            <link>https://www.techtarget.com/searchmobilecomputing/tip/Mobile-device-convergence-brings-security-challenges</link>
            <pubDate>Mon, 31 Aug 2020 16:04:00 GMT</pubDate>
            <title>Mobile device convergence brings security challenges</title>
        </item>
        <item>
            <body>&lt;p&gt;A &lt;a href="https://www.techtarget.com/searchsecurity/post/How-to-build-a-security-champions-program"&gt;security champions&lt;/a&gt; program is critical to maintaining an organization's security culture, but during the COVID-19 shutdown, teams could find themselves working with one hand tied virtually behind their backs. &lt;a href="https://www.techtarget.com/searchmobilecomputing/Guide-to-telecommuting-during-the-coronavirus-pandemic"&gt;Telework arrangements&lt;/a&gt;, online meetings, collaboration software and extensive smartphone use can keep an organization running, but they can't recreate the casual interactions that are an underrated element of getting work done -- and an important part of how security champions carry their message.&lt;/p&gt; 
&lt;p&gt;"Security champion," after all, isn't necessarily a designated job title. They are often volunteers who help spread the word about an organization's security message while staying alert to potential issues as they crop up. They don't have to solely be security pros, either. In fact, the nature of their mission requires that they have other areas of expertise, but they have an interest in security and in ensuring that the organization's software and applications provide necessary controls and protections. In many organizations, a lot of their interactions are informal. These kinds of interactions give security champions the opportunity to bring up an issue, ask about how something similar has been dealt with in the past or pass along ideas on what to do next.&lt;/p&gt; 
&lt;p&gt;When interactions are moved exclusively online, a lot of that can get lost. You don't schedule a Zoom meeting or go on Slack to ask about weekend activities, how someone's kids are doing or where to find a reliable plumber. But, the casual camaraderie of such exchanges gives security champions the opportunity to raise a subject that colleagues might not be concerned with at the time. Those conversations help keep &lt;a href="https://www.techtarget.com/searchsecurity/tip/4-tips-to-ensure-secure-remote-working-during-COVID-19-pandemic"&gt;security concerns front and center&lt;/a&gt; in an organization.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Informal communication often lost by WFH"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Informal communication often lost by WFH&lt;/h2&gt;
 &lt;p&gt;How has the pandemic changed these exchanges? It's hard to measure the impact several months of shutdowns have had on the work security champions do. The progression of such programs isn't linear, moving along some chartable line of success or failure rates, so it's not something anyone has reliable data on, at least not yet. But the changes have had some obvious impacts. At Denim Group, for instance, we've noticed that the traditional communications channels have deepened -- developers and security pros who were already using, say, Slack, have made greater use of those channels. But the informal channels of communication have, in some cases, been forgotten.&lt;/p&gt;
 &lt;p&gt;And that's where security champions can step up their game with a focused effort to put collaboration tools to use. The pandemic shutdown led to employees communicating via Zoom, Slack or other tools that they were familiar with, but may not have actively used. Groups within an organization, such as the management team or developer team, are mining those channels within their own fields, but there's an opportunity for security teams -- and security champions -- to use those channels as well. With regard to software, developers are the center of gravity, so security people should follow them to their meeting places. It's a practice that has been recommended for as long as collaboration tools have existed. If you want to talk with developers, use the tools they're using. The shutdown has opened the door to making more use of them.&lt;/p&gt;
 &lt;p&gt;Collaboration tools can also be employed to keep up the kinds of casual office interactions that have been missing, which can help when an issue arises. In the office, it's fairly easy to approach someone you say hello to each day, even if you don't typically discuss work matters. In the remote environments, however, you may not have encountered them at all for three months. Using &lt;a href="https://www.techtarget.com/searchunifiedcommunications/feature/Supporting-a-dispersed-workforce-with-communications-technology"&gt;communications tools to keep contact&lt;/a&gt; with them fairly regularly could make raising a security topic easier.&lt;/p&gt;
&lt;/section&gt;    
&lt;section class="section main-article-chapter" data-menu-title="Online impact of security champions"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Online impact of security champions&lt;/h2&gt;
 &lt;p&gt;The goal of security champion programs has been to push security knowledge and awareness out to developers and others in an organization, and to make it local, with a comparatively informal approach -- as opposed to inflexible, company-wide programs -- that can match the cultural and practical needs of developer groups within an organization. That approach may be more important now than ever with people working remotely and limiting themselves to their own respective bubbles.&lt;/p&gt;
 &lt;p&gt;Traditional, formal approaches to security awareness can be somewhat stilted. They are even less effective in a world where workers are scattered and forced to rely on online tools. Making use of those tools to bring the security message to them in the online places where they congregate can have a great impact.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;About the author&lt;/strong&gt;&lt;br&gt;&lt;em&gt;A globally recognized application security expert, Dan Cornell holds over 20 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at &lt;/em&gt;&lt;a href="https://www.denimgroup.com/" target="_blank" rel="nofollow noopener"&gt;&lt;em&gt;Denim Group, Ltd&lt;/em&gt;&lt;/a&gt;&lt;em&gt;., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. Cornell is an active member of the development community and a sought-after speaker on topics of web application security, speaking at international conferences including TEDx, RSA Security Conference, OWASP AppSec USA and EU, and Black Hat Arsenal.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>By effectively using collaboration tools, security champions can still spread a company's security message even as most offices stay closed and employees work remotely.</description>
            <image>https://cdn.ttgtmedia.com/visuals/search400/iseries_systems_manage/search400_article_034.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/post/How-security-champions-can-help-despite-working-remotely</link>
            <pubDate>Thu, 13 Aug 2020 11:00:00 GMT</pubDate>
            <title>How security champions can help, despite working remotely</title>
        </item>
        <item>
            <body>&lt;p&gt;There's a reason why a computer virus is called a "virus," as they have many similarities to medical viruses. Notably, as medical viruses can have a severe impact on your personal health, a computer virus can severely impact the health of your business. In today's digital world, a &lt;a href="https://www.techtarget.com/searchsecurity/definition/virus"&gt;computer virus&lt;/a&gt;, a "wormable" remote code execution vulnerability designed to persistently replicate and spread to infect programs and files, can begin causing damage in minutes. Sound familiar? According to the CDC, the virus that causes COVID-19 spreads very easily and sustainably, meaning it spreads from person-to-person without stopping.&lt;/p&gt; 
&lt;p&gt;With COVID-19 top of mind and making headlines across the globe, CISOs should now take the time to make observations about viruses outside of the technology industry and see how they apply to cybersecurity strategies. So, what exactly can security teams learn from studying medical viruses to ensure the health of a business' systems and applications? Here are three key considerations.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Think of security testing like a doctor's visit"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Think of security testing like a doctor's visit&lt;/h2&gt;
 &lt;p&gt;The more comprehensive testing you receive, the more insight you will get on your health and the quicker you can address any issues. When it comes to medical viruses, a doctor's visit can include different layers of testing. If you're not feeling well a doctor can perform a variety of exams to pinpoint the issue at hand: physical observations, evaluating symptoms, swabs, blood tests. Coincidentally, with security and &lt;a href="https://www.techtarget.com/searchsecurity/definition/vulnerability-assessment-vulnerability-analysis"&gt;vulnerability testing&lt;/a&gt;, the diagnosis can depend on the depth of the exam.&lt;/p&gt;
 &lt;p&gt;Remediation is not possible without first discovering the potential gaps in your system. Or, if you have already experienced a breach, discovery is critical for analyzing how a virus or cyber attacker got there in the first place to ensure it does not happen again. There are multiple types of security testing: tool-based scanning, manual penetration tests and secure code review are some of the most popular. Each layer provides additional insights and increases the scope of coverage. For example, a &lt;a href="https://www.techtarget.com/searchsecurity/definition/penetration-testing"&gt;penetration test&lt;/a&gt; can identify vulnerabilities, but code review can dig even deeper to locate errors in software code, the foundation of a secure application. Both tests done together will produce a more robust report. As with a medical exam, multiple tests will give you a more thorough diagnosis of your health risks.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Not all computer viruses act immediately"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Not all computer viruses act immediately&lt;/h2&gt;
 &lt;p&gt;Many viruses can hide symptoms and be contagious for long periods of time before causing any visible damage -- a computer virus operates similarly. Virally distributing malware can keep symptoms hidden until the exploit payload is executed, causing damage to computer systems. Similarly, COVID-19 symptoms can occur up to 14 days after exposure (not to mention &lt;a href="https://www.usnews.com/news/health-news/articles/2020-05-28/studies-detail-rates-of-asymptomatic-cases-of-coronavirus" target="_blank" rel="nofollow noopener"&gt;recent studies&lt;/a&gt; indicate that there are a significant number of people who have COVID-19 without showing any symptoms).&lt;/p&gt;
 &lt;p&gt;In the cybersecurity world, these 14 days of asymptomatic infection would be classified as "dwell time," or the number of days an attacker is present in a network before they are detected. According to the 2020 M-Trends Report from FireEye, Inc., the 2019 median dwell time was 56 days -- down 22 days from 2018. While businesses are detecting and removing cyber attackers faster, the opportunity to reduce &lt;a href="https://www.computerweekly.com/opinion/Security-Think-Tank-Reducing-cyber-attacker-dwell-time-is-critical"&gt;dwell time is evergreen&lt;/a&gt;. Just as it is important to have proactive scanning and testing measures in place to identify vulnerabilities attackers can exploit to deploy and spread computer viruses, health experts suggest it is critical to broaden COVID-19 testing measures to isolate positive cases and prevent infection.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Cybersecurity maturity"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Cybersecurity maturity&lt;/h2&gt;
 &lt;p&gt;While a person's health is strengthened through ongoing personalized care and risk reduction, the health of a computer system also depends on program maturity to prevent vulnerabilities. Cybersecurity maturity is a relatively simple concept when you compare it to human health. When evaluating the health of a person, healthcare professionals recognize that each person has unique needs based on such factors as their age, lifestyle and gender. Based on the data available about what similar individuals are doing to stay healthy, doctors can effectively adjust their approach and medical advice.&lt;/p&gt;
 &lt;p&gt;This mentality should translate to cybersecurity for viruses and other common vulnerabilities. Understanding the current level of maturity, tracking progress and developing a data-driven plan to &lt;a href="https://www.techtarget.com/searchcio/post/Ensuring-your-cybersecurity-teams-are-helping-the-business"&gt;evolve your security program&lt;/a&gt; is key to the success of any business' security efforts. For application security, the core criteria for maturity include coverage, compliance, remediation and &lt;a href="https://www.techtarget.com/searchsecurity/post/Standardize-cybersecurity-terms-to-get-everyone-correct-service"&gt;risk prevention&lt;/a&gt;. In other words, the more mature a business is, the better suited it is for risk prevention. And take heed -- the more a person pays attention to preventative health measures throughout their life, the better suited they are to fight off health issues as they age.&lt;/p&gt;
&lt;/section&gt;   
&lt;section class="section main-article-chapter" data-menu-title="Always be prepared as viruses change over time"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Always be prepared as viruses change over time&lt;/h2&gt;
 &lt;p&gt;A final observation: Public health experts continue to caution that COVID-19 is evolving and security experts continue to caution that cyber attacks continue to evolve. Security experts have been given the opportunity to observe and learn from the medical community during the pandemic. By looking at medical viruses, security experts can explore the impact of key strategies to avoid breaches, such as &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware attacks&lt;/a&gt; (computer viruses, worms, trojans).&lt;/p&gt;
 &lt;p&gt;Evaluating the breadth and depth of testing efforts, reducing dwell time, and understanding and tracking program maturity can all help boost your overall security posture and the health of your business.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;About the author&lt;/strong&gt;&lt;br&gt;&lt;em&gt;Nabil Hannan is a managing director at&amp;nbsp;&lt;a href="http://netspi.com/" target="_blank" rel="nofollow noopener"&gt;NetSPI&lt;/a&gt;.&amp;nbsp;He leads the company's consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review and vulnerability remediation, among others.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Nabil Hannan examines key similarities between medical and computer viruses that cybersecurity teams can use to keep businesses protected effectively.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchHealthIT/electronic_IT_compliance/healthit_article_006.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/post/What-cybersecurity-teams-can-learn-from-COVID-19</link>
            <pubDate>Wed, 12 Aug 2020 10:30:00 GMT</pubDate>
            <title>What cybersecurity teams can learn from COVID-19</title>
        </item>
        <item>
            <body>&lt;p&gt;Having employees connect remotely to your corporate network is not new. Most companies use cloud-based software-as-a-service (SaaS) applications and have some virtual private network (VPN) or remote desktop capabilities to enable field sales staff or roaming users to connect to essential applications and data. However, few -- if any -- companies were prepared for our current reality. Companies had to make an overnight shift to a largely remote workforce -- never mind doing so securely.&lt;/p&gt; 
&lt;p&gt;When the year started, employees showed up at the office and sat down at their desks and connected to the internal network from a company-issued PC or laptop. They sat comfortably behind network defenses such as a firewall, intrusion detection and spam filters. If any security issues arose, IT was usually in the same office.&lt;/p&gt; 
&lt;p&gt;Now, with the COVID-19 pandemic and the &lt;a href="https://www.techtarget.com/searchmobilecomputing/Guide-to-telecommuting-during-the-coronavirus-pandemic"&gt;shift to working from home&lt;/a&gt;, we're faced with a new reality: Most office employees will continue working from home for the foreseeable future. Some may have a company laptop, but many are getting their work done from their personal PC. They are connected to their home Wi-Fi router and accessing company resources and data across the public internet.&lt;/p&gt; 
&lt;p&gt;What does that mean? It means that the attack surface has expanded exponentially, and that corporate resources and data are exposed to devices and networks that are less secure and almost entirely outside the control of the IT security teams. At the same time, attackers aren't unaware of this shift to working from home, and they are honing their attacks to take advantage of the opportunities this scenario presents.&lt;/p&gt; 
&lt;h3&gt;Home network cybersecurity&lt;/h3&gt; 
&lt;p&gt;Companies have a lot of people now working from home full time -- people who are not technical and who are not used to being responsible for their own technology and security. Attackers are increasingly targeting weaknesses in &lt;a href="https://www.techtarget.com/searchnetworking/tip/How-to-secure-your-home-Wi-Fi-network-in-7-steps"&gt;home network environments&lt;/a&gt; and exploiting the chaos and complexity of users working from home.&lt;/p&gt; 
&lt;p&gt;There are three primary security issues with working remotely around home networks and personal cybersecurity in a work-from-home scenario:&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;the computer being used;&lt;/li&gt; 
 &lt;li&gt;the network they're connecting to; and&lt;/li&gt; 
 &lt;li&gt;the security awareness and savvy of the user.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;As mentioned, many remote workers are getting their jobs done on personal PCs. SaaS applications are generally well secured, and any connection to internal resources should be encrypted over a VPN, but the device itself still poses a risk: There is a chance it is already compromised. If other family members use the computer, or if it trusts other devices on a shared home network, the PC is at greater risk of malware infection, and a VPN tunnel from an infected PC simply gives that malware an encrypted path into the corporate network.&lt;/p&gt; 
&lt;p&gt;The network itself is also a risk. Many home Wi-Fi routers are notoriously weak and prone to exploitation. &lt;a href="https://www.thezdi.com/blog/2020/6/24/zdi-20-709-heap-overflow-in-the-netgear-nighthawk-r6700-router"&gt;Critical vulnerabilities have been discovered&lt;/a&gt; in common home Wi-Fi routers that could allow a successful attacker to remotely execute arbitrary code on the home network. Attacks have been discovered during the quarantine that redirect users to malicious websites, which install &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; on the user's system and steal user credentials.&lt;/p&gt; 
&lt;p&gt;It doesn't help that many people never patch or update these devices, and they often contain default login credentials that an attacker can easily obtain. If attackers are able to compromise or gain access to the router on the home network, they will be able to view or capture traffic on the network and may be able to compromise or infect the devices connected to it.&lt;/p&gt; 
&lt;p&gt;The users themselves are perhaps one of the biggest security issues with working remotely, though. The COVID-19 quarantine and shift to working from home has created a fair amount of chaos and confusion that attackers are leveraging for &lt;a href="https://www.techtarget.com/searchcio/feature/The-constant-threat-of-social-engineering-attacks"&gt;phishing attacks&lt;/a&gt;. Emails that appear to be from the company or about official business related to COVID-19 are likely to catch the attention of remote workers who are anxious for information and status updates and may be less cautious than they would normally be.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="Keeping company data secure during remote access"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Keeping company data secure during remote access&lt;/h2&gt;
 &lt;p&gt;As companies embrace the work-from-home model, there are many factors to consider when it comes to company data and resources and &lt;a href="https://www.techtarget.com/searchstorage/tip/Prevent-the-storage-and-data-security-risks-of-remote-work"&gt;enabling secure access&lt;/a&gt; to them remotely. You should consider this from the perspective of both access to data and the hardware used to access it.&lt;/p&gt;
 &lt;p&gt;Data is the lifeblood of the business and workers need access to get their jobs done no matter where they are. For organizations that have adopted SaaS platforms and applications such as Salesforce or Office 365, that data already lives in the cloud and users can continue to connect to and access it just as if they were in the office. If essential data is stored on internal servers within the company network, users need a way to securely connect to and access those resources -- such as with a VPN connection.&lt;/p&gt;
 &lt;p&gt;The other side of the equation is the hardware being used to access systems and data. In an office environment, most workers use company-issued desktop or laptop PCs that the company's IT team manages. Company-issued equipment already has the necessary configuration and tools in place to meet established security policies, so there may be less to be concerned about if a user is &lt;a href="https://www.techtarget.com/searchenterprisedesktop/feature/7-essential-remote-worker-security-policies-for-IT-departments"&gt;connecting remotely using a company-issued laptop&lt;/a&gt;. Remote workers who connect to platforms and data -- whether SaaS applications or internal company resources -- from personal devices pose a greater risk because the IT team has no visibility into, or control over, how the device is configured or secured.&lt;/p&gt;
 &lt;p&gt;Perhaps the most important security issue with working remotely is a lack of visibility. IT teams were &lt;a href="https://www.techtarget.com/searchnetworking/tip/Home-SD-WAN-will-redefine-next-generation-WAN"&gt;forced to change network parameters&lt;/a&gt; and add VPN connections to allow remote access overnight. It is unlikely that sufficient testing was done to ensure the configuration is secure, which is why it is even more crucial to capture and analyze log data to identify and plug any holes and monitor for attacks taking place.&lt;/p&gt;
&lt;/section&gt;     
&lt;section class="section main-article-chapter" data-menu-title="Keeping data and employees secure"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Keeping data and employees secure&lt;/h2&gt;
 &lt;p&gt;Companies should start with clear expectations and communication. Remind remote workers of company security policies and basic cybersecurity best practices, and make sure they are informed about potential or emerging threats so they know what to look for.&lt;/p&gt;
 &lt;p&gt;Ensure that operating systems and applications are fully patched and updated -- even on personal computers -- and require a VPN connection for access to any internal resources or data. It is also more important than ever to be vigilant in monitoring usage of user credentials and access to company assets and data. Make sure you have the tools and expertise in place to identify anomalous or suspicious behavior quickly and take action to stop any malicious activity.&lt;/p&gt;
 &lt;p&gt;&lt;strong&gt;About the author&lt;/strong&gt;&lt;br&gt; &lt;em&gt;Rohit Dhamankar is vice president of threat intelligence at&amp;nbsp;&lt;/em&gt;&lt;a href="https://www.alertlogic.com/" target="_blank" rel="noopener"&gt;&lt;em&gt;Alert Logic&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, technical sales and customer solutions. Prior to Alert Logic, Dhamankar served as vice president of product at Infocyte and founded consulting firm Durvaankur security consulting. He holds two Master of Science degrees, one in physics from the Indian Institute of Technology in Kanpur, India, and one in electrical and computer engineering from the University of Texas.&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;</body>
            <description>With companies continuing work from home for the foreseeable future, Rohit Dhamankar offers home security advice to help security teams and employees address security issues with working remotely.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/1.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/Keeping-employees-data-secure-as-everyone-works-from-home</link>
            <pubDate>Fri, 31 Jul 2020 09:38:00 GMT</pubDate>
            <title>Security issues with working remotely (and how to fix them)</title>
        </item>
        <item>
            <body>&lt;p&gt;What do NVIDIA's Jensen Huang, Salesforce's Marc Benioff and Microsoft's Satya Nadella have in common? They were all deemed the greatest business leaders of 2019, according to Harvard Business Review's "The CEO 100" list. But another commonality they share is that each has had mentors to help guide them through their careers in technology and get them to where they are today.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchcio/answer/How-can-CIOs-improve-their-IT-mentorship-programs"&gt;Mentorship is critical&lt;/a&gt; in every industry but given the immense opportunity for career growth in the cybersecurity industry today, having the right guidance is a must. The industry faces many challenges from a staffing perspective -- from the &lt;a href="https://www.techtarget.com/searchsecurity/feature/Varied-options-to-solving-the-cybersecurity-skills-shortage"&gt;skills shortage&lt;/a&gt; to employee burnout -- making the role of a mentor that much more important as others navigate these challenges. While mentorship is often considered subjective, there are a few best practices to follow to ensure you're establishing a solid foundation in the mutually beneficial relationship, not only to help new talent navigate the industry, but also to help strengthen the industry as a whole. First, let's explore what to look for when hiring new &lt;a href="https://www.techtarget.com/searchsecurity/definition/cybersecurity"&gt;cybersecurity&lt;/a&gt; talent.&lt;/p&gt; 
&lt;h3&gt;Recruiting cybersecurity talent&lt;/h3&gt; 
&lt;p&gt;During the entry-level hiring process, look for candidates who have an entrepreneurial spirit, who don't sit still but rather have taken on projects outside of school, like personal research or blogging. Typically, if candidates have their own initiatives beyond regular coursework, they will have a sense of curiosity and a passion for problem solving.&lt;/p&gt; 
&lt;p&gt;Ask questions to understand how &lt;em&gt;clever&lt;/em&gt; they are, versus how &lt;em&gt;smart&lt;/em&gt; they are. Give candidates a problem, but do not focus on whether they answer it correctly. A great example of an interview question for vetting cleverness and creativity is the &lt;a href="https://www.youtube.com/watch?v=h2vkrxvh76c" target="_blank" rel="noopener"&gt;6s Challenge&lt;/a&gt;. Pay attention to the thought process. Do they talk the room through the process? Are they taking notes, collaborating with others in the room or using the whiteboard to reach a solution? I have hired people in the past who failed to solve a problem but impressed me with the approach they took.&lt;/p&gt; 
&lt;h3&gt;Keeping and mentoring this new talent&lt;/h3&gt; 
&lt;p&gt;So, your organization has hired entrepreneurial talent with clever minds. Now, how do you ensure that these self-starters excel in, and are happy in, their role? Here are four pieces of advice for cybersecurity mentorship success.&lt;/p&gt; 
&lt;h4&gt;Formalize a mentorship program&lt;/h4&gt; 
&lt;p&gt;An effective means to ensure every employee has a mentor is to formalize a &lt;a href="https://www.techtarget.com/searchhrsoftware/feature/How-to-start-an-inclusive-mentoring-program"&gt;career mentorship program at your organization&lt;/a&gt;. Structurally, it is important that the mentor is &lt;em&gt;not&lt;/em&gt; the manager, but someone at the organization who can share career advice more broadly. I encourage you to put in place a mentoring program goal -- not to keep people in a particular role or at a particular organization, but to support them with wide-ranging career advice. Formalizing the mentorship program also ensures availability. Senior leaders may push off meetings if they are not planned for, so set specific dates and times that you meet and agree upon a cadence. A first step? In your first meeting, establish what both of you would like to get out of the relationship.&lt;/p&gt; 
&lt;h4&gt;Understand that it's a mentor:mentor relationship&lt;/h4&gt; 
&lt;p&gt;Mentor relationships are &lt;em&gt;not&lt;/em&gt; one-sided and should be viewed as a mentor:mentor relationship versus mentor:mentee. Leaders will &lt;em&gt;always &lt;/em&gt;learn from the newer talent and vice versa. Notably, being a mentor helps you be a better people leader. The conversations will allow the technology and business leadership teams to have direct insight into what's important to the next generation of employees, including what motivates them or what work they find most interesting. The mentorship role ultimately allows managers to better understand the mindset of the people who work for them.&lt;/p&gt; 
&lt;h4&gt;Put in the time&lt;/h4&gt; 
&lt;p&gt;Energy is perhaps the most important characteristic of a successful mentor. While time is a limited resource, to establish a strong relationship, putting in the energy and being proactive is essential. Actively reach out to build professional and personal connections with new talent. When meeting, avoid other distractions and find value in the time you're giving them. Prepare questions, set goals and ultimately create a purpose for each interaction.&lt;/p&gt; 
&lt;p&gt;Be available and put your own interests aside to put the mentee first. To achieve this, communicate without bias. For example, if someone is unhappy in their current role, help them discover a better fit -- don't get hung up on trying to fix the current role. Rather, focus on a solution that matches your mentee's goals and be open to the consideration that the company may not be the right fit for them. When they are struggling to solve a problem, work through the solution with them.&lt;/p&gt; 
&lt;h4&gt;Guide those interested in joining the cybersecurity workforce&lt;/h4&gt; 
&lt;p&gt;The biggest piece of advice I can give to those who are interested in &lt;a href="https://www.techtarget.com/searchsecurity/feature/Why-COVID-19-wont-stop-cybersecurity-jobs-and-recruitment"&gt;joining the cybersecurity workforce&lt;/a&gt; is to not limit themselves to a particular training/schooling curriculum or focus area. Versatility should not be underrated. I coach my mentees to earn the characteristic of versatility by learning the basics first, the skills that will allow a later pivot to different verticals and technologies in cybersecurity. Those individuals who dive deep into the basic building blocks will be able to quickly learn and adapt to new programming languages and strategies, for example, and apply them to any situation.&lt;/p&gt; 
&lt;p&gt;For people looking to make a career change, welcome them with open arms. They likely will have unique perspectives to bring to the table. Encourage them to find an area of security that's interesting to them -- an area where they will excel. For example, a former investment banker may want to begin reading up on the cybersecurity challenges that financial services organizations face today. Encouraging others to explore a career in cybersecurity will help close the skills shortage gap and boost the workforce. Plus, getting started in security does not have to have barriers: a multitude of courses are available, including these eight Ivy League schools offering &lt;a href="https://www.freecodecamp.org/news/ivy-league-free-online-courses-a0d7ae675869/" target="_blank" rel="noopener"&gt;free online courses&lt;/a&gt;.&lt;/p&gt; 
&lt;h3&gt;Mentoring serves the entire cybersecurity industry&lt;/h3&gt; 
&lt;p&gt;A final word: While mentorships are critical to the growth of &lt;a href="https://www.techtarget.com/searchsecurity/post/Best-practices-for-ethically-teaching-cybersecurity-skills"&gt;new cybersecurity professionals&lt;/a&gt;, those professional relationships also support and grow the entire industry. I would like to thank the mentors in my life for taking mentorship seriously, having an open mind to learn from me as I learned from them, and being available to guide me to the role I'm in today. Thank you, John Wyatt, Bill Balicki, Drew Kilbourne, Stuart Dross, Jason Rouse, John Steven, Sammy Migues and Gary McGraw.&lt;/p&gt; 
&lt;p&gt;&lt;strong&gt;About the author&lt;/strong&gt;&lt;br&gt;&lt;em&gt;Nabil Hannan is a managing director at &lt;/em&gt;&lt;a href="http://netspi.com/" target="_blank" rel="noopener"&gt;NetSPI&lt;/a&gt;&lt;em&gt;. &lt;/em&gt;&lt;em&gt;He leads the company's consulting practice, focusing on helping clients solve their cybersecurity assessment and threat and vulnerability management needs. Nabil has over 13 years of experience in cybersecurity consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he built and improved effective software security projects, such as risk analysis, pentesting, secure code review, vulnerability remediation among others.&lt;/em&gt;&lt;/p&gt;</body>
            <description>Cybersecurity mentorships provide a great opportunity for those just entering the industry who want a successful start. Having the right guidance is a must.</description>
            <image>https://cdn.ttgtmedia.com/visuals/digdeeper/2.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/feature/Invest-in-new-security-talent-with-cybersecurity-mentorships</link>
            <pubDate>Tue, 16 Jun 2020 12:05:00 GMT</pubDate>
            <title>Invest in new security talent with cybersecurity mentorships</title>
        </item>
        <item>
            <body>&lt;p&gt;In early May, hackers infiltrated the Baltimore, Md., computer network. The &lt;a href="https://www.techtarget.com/searchsecurity/tip/How-to-remove-ransomware-step-by-step"&gt;ransomware attack&lt;/a&gt; ended normal business operations, interrupted critical city services, cost the city millions and inconvenienced hundreds of thousands of residents.&lt;/p&gt; 
&lt;p&gt;Baltimore joined the list of &lt;a href="https://www.techtarget.com/searchsecurity/news/252464320/Ransomware-attacks-on-local-and-state-governments-increasing"&gt;other cities that have fallen victim&lt;/a&gt; to serious &lt;a href="https://www.techtarget.com/searchsecurity/definition/ransomware"&gt;ransomware&lt;/a&gt; threats that affect business and commerce. While ransomware attacks have many variations, they generally encrypt victims' data with strong encryption, rendering it unrecoverable, and the attackers then demand payment to decrypt it.&lt;/p&gt; 
&lt;p&gt;While Baltimore may be typical of many ransomware attacks against government and businesses, it is atypical in other ways. The city said the attack was facilitated by the use of &lt;a href="https://www.techtarget.com/searchsecurity/news/252448889/WannaMine-cryptojacker-targets-unpatched-EternalBlue-flaw"&gt;EternalBlue&lt;/a&gt;, a cyberweapon developed by the U.S. &lt;a href="https://www.techtarget.com/searchsecurity/definition/National-Security-Agency"&gt;National Security Agency (NSA)&lt;/a&gt;. The capability behind &lt;a href="https://www.techtarget.com/searchsecurity/opinion/How-intelligence-data-leaks-caused-collateral-damage-for-infosec"&gt;EternalBlue was allegedly stolen from or leaked by&lt;/a&gt; an NSA employee and later released in April 2017 by a group called the &lt;a href="https://www.techtarget.com/searchsecurity/news/450423563/Who-are-the-Shadow-Brokers-Signs-point-to-an-intelligence-insider"&gt;Shadow Brokers&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Fingerprints of EternalBlue's use by cybercriminals actually showed up as early as 14 months before the Shadow Brokers dumped the files. The NSA &lt;a href="https://www.baltimoresun.com/politics/bs-md-ci-eternalblue-ruppersberger-20190531-story.html"&gt;disputes Baltimore's claim&lt;/a&gt; that EternalBlue was involved in the attack. But the NSA's objection doesn't change the basic problem -- that cyberweapons were either stolen or released, and U.S. government tools were subsequently used to attack businesses and individuals. Baltimore refused to pay the ransom, and the city's government &lt;a href="https://www.smartcitiesworld.net/news/news/baltimore-calls-for-federal-emergency-declaration-after-cyber-attack-4246" target="_blank" rel="noopener"&gt;asked&lt;/a&gt; for millions of dollars in relief from the federal government, which ultimately means from the taxpayers.&lt;/p&gt; 
&lt;h3&gt;Who's to blame for cyberweapons in the wild?&lt;/h3&gt; 
&lt;p&gt;While EternalBlue is high-profile and serious, it is just one of many tools and exploits believed to have been released into the wild due to the NSA breach, and many organizations around the world have suffered from the impact.&lt;/p&gt; 
&lt;blockquote class="main-article-pullquote"&gt;
 &lt;div class="main-article-pullquote-inner"&gt;
  &lt;figure&gt;
   We the people keep wringing our hands after attacks, and we are still months, years or even decades behind on systems upgrades and security remediation.
  &lt;/figure&gt;
  &lt;i class="icon" data-icon="z"&gt;&lt;/i&gt;
 &lt;/div&gt;
&lt;/blockquote&gt; 
&lt;p&gt;Beyond the cyberattackers who facilitate the breach, whose fault is a ransomware attack? Is it the fault of the software company that puts out vulnerable software? The EternalBlue exploit is very effective, but only if the victim &lt;a href="https://www.techtarget.com/searchsecurity/news/450420393/Researchers-port-EternalBlue-exploit-to-Windows-10"&gt;fails to patch the software vulnerability&lt;/a&gt; that allows its execution. After all, Microsoft released a &lt;a href="https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010" target="_blank" rel="noopener"&gt;patch&lt;/a&gt; (MS17-010, March 2017) for the previously unknown vulnerability long before the Baltimore attack. Baltimore and many other breach victims could have patched their systems, and doing so would have taken EternalBlue off the table entirely.&lt;/p&gt; 
&lt;p&gt;Does responsibility fall to the government agency that knew the software was vulnerable, built an exploit, then failed to warn the public? More controversially, does the blame fall to the victim who, after being warned, didn't &lt;a href="https://www.techtarget.com/searchsecurity/tip/Perfecting-the-patch-management-process-within-enterprises"&gt;patch the systems&lt;/a&gt; to block the exploit? Considering user license agreements, and without evidence the software maker knew or should have known about the vulnerability, it's difficult to hold software makers responsible.&lt;/p&gt; 
&lt;p&gt;If the U.S. government released these tools even unintentionally, and knew the vulnerabilities existed long enough for them to be exploited, you could argue the government should hold the responsibility. On the other hand, those who were ultimately impacted could have prevented the ransomware attack by patching their systems.&lt;/p&gt; 
&lt;p&gt;There's plenty of responsibility to go around, but the core responsibility in the case of EternalBlue keeps coming back to the NSA. To allow these tools into the wild by any means is equivalent to releasing biological or nuclear secrets. The level of damage that can be done with these tools can't be overstated. Cyberweapons have been used by foreign bad actors to devastate individuals, businesses and other organizations with life-critical missions, including hospitals and police departments, for example.&lt;/p&gt; 
&lt;p&gt;The need to be able to take action against our enemies is vital to the NSA. The need for secrecy and keeping access to cyberweapons private is core to mission success. The problem begins when that secrecy fails, tools get into the wild and are used to victimize innocent individuals and companies.&lt;/p&gt; 
&lt;h3&gt;Patch management -- an obvious fix&lt;/h3&gt; 
&lt;p&gt;Organizations must immediately get real about &lt;a href="https://www.techtarget.com/searchsecurity/feature/Read-this-roundup-before-investing-in-a-patch-management-tool"&gt;managing patching&lt;/a&gt; for known critical vulnerabilities as soon as possible. By some estimates, 70% to 80% of all breaches could be prevented by timely software patching. Before an organization moves on to invest in advanced technology, it makes sense to close the vulnerabilities hackers actually use to attack. Software vendors need to act more ethically and quickly when they become aware of serious vulnerabilities. Time is critical, and the window from &lt;a href="https://www.techtarget.com/searchsecurity/feature/Seven-criteria-for-buying-vulnerability-management-tools"&gt;vulnerability discovery&lt;/a&gt; to working exploit narrows with every passing day.&lt;/p&gt; 
&lt;p&gt;In April 2019, the U.S. Department of Homeland Security's &lt;a href="https://www.dhs.gov/topic/cybersecurity" target="_blank" rel="noopener"&gt;Cybersecurity and Infrastructure Security Agency&lt;/a&gt; released new requirements for remediating critical and high vulnerabilities. Binding Operational Directive (BOD) 19-02, "Vulnerability Remediation Requirements for Internet-Accessible Systems," aims to enhance federal agencies' coordinated approach to ensuring effective and timely remediation of critical and high vulnerabilities in information systems. It requires critical vulnerabilities to be remediated within 15 calendar days of initial detection and high vulnerabilities within 30.&lt;/p&gt; 
&lt;p&gt;This directive was driven by DHS's clear understanding of the immense security gains of patching. Patching is not simple or easy and often requires overtime or additional staffing. But what it requires most is commitment, and no interference from executives and others who are unwilling to accept the outages needed to complete critical patching.&lt;/p&gt; 
&lt;p&gt;The U.S. government needs to understand the tools being created are dangerous in the wrong hands and should be protected as secret deadly weapons. Criminal penalties and career punishments for releasing or abetting these tools getting out should be severe and unwavering.&lt;/p&gt; 
&lt;h3&gt;What's the plan?&lt;/h3&gt; 
&lt;p&gt;We the people keep wringing our hands after attacks, and we are still months, years or even decades behind on systems upgrades and security remediation. Chief information security officers should be obligated to report to the CEO and board of directors, not to CIOs who may not want to tell the entire and accurate story of an organization's security posture. If we hope to have any chance of defending ourselves and avoiding potentially global outages that directly impact human survivability, we need to get serious and do it now.&lt;/p&gt;</body>
            <description>Cyberattackers are to blame for ransomware attacks, but what about companies that release flawed software or don't install patches? Our expert looks at where the buck stops.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchWindowsServer/server_management/windowsserver_article_012.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/opinion/Whos-to-blame-for-ransomware-attacks-beyond-the-attackers</link>
            <pubDate>Mon, 08 Jul 2019 15:17:00 GMT</pubDate>
            <title>Who's to blame for ransomware attacks -- beyond the attackers?</title>
        </item>
        <item>
            <body>&lt;p&gt;The Internet Message Access Protocol, first specified in the 1980s, enables remote users to view and manage messages stored on mail servers. While IMAP has become less important as enterprises and users move to webmail services to manage email directories and messages, it is still widely deployed and used -- often behind &lt;a href="https://www.techtarget.com/searchsecurity/feature/The-five-different-types-of-firewalls"&gt;firewalls&lt;/a&gt; and gateways. This means that managing IMAP security issues continues to be a challenge for many users and organizations.&lt;/p&gt; 
&lt;p&gt;Like so many other protocol specifications for internet applications that originated when the internet was largely an academic and research network, IMAP security was left as an exercise for the implementers. And like those other protocols, fully compliant IMAP implementations expose users by permitting them to authenticate with a plaintext user ID and password: The protocol's LOGIN command sends both in the clear unless the session is already wrapped in TLS.&lt;/p&gt; 
&lt;p&gt;Most IMAP security issues have been addressed in the decades since the protocol was first documented as a proposed experimental specification. But IMAP continues to be an &lt;a href="https://searchcloudsecurity.techtarget.com/tip/The-problems-with-cloud-based-email-security"&gt;email security&lt;/a&gt; trouble spot because it is so widely implemented and deployed in so many different environments, and as a part of so many different platforms.&lt;/p&gt; 
&lt;section class="section main-article-chapter" data-menu-title="IMAP security issues"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;IMAP security issues&lt;/h2&gt;
 &lt;p&gt;The top IMAP security issue is due to the fact that it was designed to accept &lt;a href="https://www.techtarget.com/searchsecurity/tip/Key-customer-identity-access-management-features-to-consider"&gt;plaintext login credentials&lt;/a&gt;. While this is not the only issue, it is probably the most intransigent challenge to defenders.&lt;/p&gt;
 &lt;p&gt;Another IMAP security vulnerability has to do with a lack of support for strong authentication, in particular the enforcement of multifactor authentication (MFA) for third-party email clients when logging into IMAP services hosted on cloud services. A recent example is the &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-is-a-password-spraying-attack-and-how-does-it-work"&gt;password spraying attacks&lt;/a&gt; against Microsoft Office 365: While Office 365 can be configured to &lt;a href="https://www.techtarget.com/searchsecurity/tip/Traditional-MFA-isnt-enough-phishing-resistant-MFA-is-key"&gt;require a second factor&lt;/a&gt; to authenticate remote users, that authentication step could be bypassed by accessing IMAP services from a third-party email client.&lt;/p&gt;
 &lt;p&gt;Security professionals have long been aware of the dangers of application protocols that permit plaintext credentials, and the default configuration for IMAP software has long been to enable &lt;a href="https://www.techtarget.com/searchsecurity/definition/Transport-Layer-Security-TLS"&gt;TLS&lt;/a&gt; encryption of credentials. However, there is still no mechanism in the IMAP protocol itself for requiring the use of MFA. In practice the control sits outside the protocol: Disabling basic (password) authentication for IMAP forces clients onto OAuth 2.0-based sign-in, where the identity provider can enforce a second factor before it issues a token.&lt;/p&gt;
 &lt;figure class="main-article-image half-col" data-img-fullsize="https://www.techtarget.com/rms/onlineimages/security-email_holes.png"&gt;
  &lt;img data-src="https://www.techtarget.com/rms/onlineimages/security-email_holes_half_column_mobile.png" class="lazy" data-srcset="https://www.techtarget.com/rms/onlineimages/security-email_holes_half_column_mobile.png 960w,https://www.techtarget.com/rms/onlineimages/security-email_holes.png 1280w" alt="IMAP enables successful attacks" data-credit="TechTarget" height="276" width="279"&gt;
  &lt;figcaption&gt;
   &lt;i class="icon pictures" data-icon="z"&gt;&lt;/i&gt;Improperly configured IMAP services can lead to successful attacks.
  &lt;/figcaption&gt;
 &lt;/figure&gt;
 &lt;p&gt;Similarly, the sign-in policies Office 365 applies to its own clients, such as locking out a user who fails to sign in too many times, are not always applied to connections from third-party IMAP clients, which opens the door to attackers attempting brute-force attacks on accounts.&lt;/p&gt;
 &lt;p&gt;The most obvious IMAP protocol vulnerability -- transmitting credentials as well as email interactions in plaintext -- has largely been addressed through TLS. &lt;a href="https://tools.ietf.org/html/rfc8314" target="_blank" rel="noopener"&gt;RFC 8314&lt;/a&gt; recommends that all legacy email protocols, including &lt;a href="https://www.techtarget.com/whatis/definition/SMTP-Simple-Mail-Transfer-Protocol"&gt;SMTP&lt;/a&gt; submission and &lt;a href="https://www.techtarget.com/whatis/definition/POP3-Post-Office-Protocol-3"&gt;POP&lt;/a&gt;, use implicit TLS by default, in which the connection is encrypted from the first byte, and that opportunistic encryption through the &lt;a href="https://www.techtarget.com/searchsecurity/news/252443899/EFFs-STARTTLS-Everywhere-aims-to-protect-email-in-transit"&gt;STARTTLS&lt;/a&gt; command be treated as a fallback rather than the preferred option. However, requiring TLS by itself does nothing to stop IMAP password spraying: TLS protects a password in transit, not against being guessed.&lt;/p&gt;
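 &lt;p&gt;The spraying pattern described above is easy to miss with per-account lockout logic and easy to catch once failed logins are grouped by source address. The following Python script is an added example, not code from the article: It parses a constructed key=value authentication log (the field layout, the sample addresses and the mailbox names are assumptions) and separates a low-and-slow spray, one source touching many accounts a few times each, from a classic brute-force run against a single account.&lt;/p&gt;

```python
"""Separate password spraying from brute force in IMAP authentication logs.

Added example (not from the article). The log format is an assumption: one
line per attempt with key=value fields for user, src and result, as a mail
server or reverse proxy might emit. Spraying is one source trying MANY
accounts a FEW times each, so per-account lockouts never trip; brute force is
the opposite shape, many attempts against ONE account.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: a spray from 203.0.113.7 that eventually gets into
# frank's mailbox, a legitimate typo-then-success for alice from her own
# address, and a brute-force run against bob from a third address.
SAMPLE_LOG = "\n".join([
    "2020-03-02T09:00:01Z imap auth user=alice@example.com src=203.0.113.7 result=fail",
    "2020-03-02T09:00:03Z imap auth user=bob@example.com src=203.0.113.7 result=fail",
    "2020-03-02T09:00:05Z imap auth user=carol@example.com src=203.0.113.7 result=fail",
    "2020-03-02T09:00:07Z imap auth user=dave@example.com src=203.0.113.7 result=fail",
    "2020-03-02T09:00:09Z imap auth user=erin@example.com src=203.0.113.7 result=fail",
    "2020-03-02T09:00:11Z imap auth user=frank@example.com src=203.0.113.7 result=fail",
    "2020-03-02T09:30:11Z imap auth user=frank@example.com src=203.0.113.7 result=ok",
    "2020-03-02T09:01:00Z imap auth user=alice@example.com src=198.51.100.5 result=fail",
    "2020-03-02T09:01:04Z imap auth user=alice@example.com src=198.51.100.5 result=ok",
] + [f"2020-03-02T09:02:{i:02d}Z imap auth user=bob@example.com src=192.0.2.44 result=fail"
     for i in range(12)])


def parse_events(log_text):
    """Turn each 'imap auth' line into a dict with ts, user, src and result."""
    events = []
    for line in log_text.splitlines():
        if "imap auth" not in line:
            continue
        event = dict(FIELD_RE.findall(line))
        event["ts"] = line.split(" ", 1)[0]
        events.append(event)
    return events


def find_spray_sources(events, min_users=5, max_per_user=3):
    """Sources whose failures spread over many accounts with few tries each."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    for e in events:
        if e.get("result") == "fail":
            failures[e["src"]][e["user"]] += 1
    return {src: sorted(users) for src, users in failures.items()
            if len(users) >= min_users and max_per_user >= max(users.values())}


def find_bruteforce(events, min_failures=10):
    """(src, user) pairs with a pile of failures against one account."""
    counts = defaultdict(int)
    for e in events:
        if e.get("result") == "fail":
            counts[(e["src"], e["user"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_failures}


def compromised_after_spray(events, spray_sources):
    """Accounts a spraying source later logged into: treat them as compromised."""
    return sorted({e["user"] for e in events
                   if e["src"] in spray_sources and e.get("result") == "ok"})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    spray = find_spray_sources(events)
    print("spraying sources:", spray)
    print("brute force:", find_bruteforce(events))
    print("reset these accounts:", compromised_after_spray(events, spray))
```

 &lt;p&gt;Feed it real data by replacing SAMPLE_LOG with your mail server's authentication log. The thresholds (five distinct users, at most three attempts each, ten failures for brute force) are starting points to tune, and any account that a spraying source later signs into successfully should have its password reset and its recent mailbox activity reviewed.&lt;/p&gt;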
&lt;/section&gt;       
&lt;section class="section main-article-chapter" data-menu-title="Tightening IMAP security"&gt;
 &lt;h2 class="section-title"&gt;&lt;i class="icon" data-icon="1"&gt;&lt;/i&gt;Tightening IMAP security&lt;/h2&gt;
 &lt;p&gt;Knowing that there are issues is the first step to strengthening IMAP security. Protecting vulnerable systems must begin with identifying all the places where the vulnerable protocols are deployed, followed closely by making sure that all protocol services are properly configured to enforce encryption either through STARTTLS or IMAP over TLS.&lt;/p&gt;
 &lt;p&gt;The original &lt;a href="https://www.techtarget.com/searchsecurity/answer/How-does-port-swapping-work-to-bypass-two-factor-authentication"&gt;default port&lt;/a&gt; for IMAP is port 143 for requests from clients, but port 993 is specified for IMAP over TLS; reconfiguring all clients and servers to use port 993 can help eliminate plaintext connections. Firewalls and other gateway systems can also be configured to block connections on the unsecured port 143.&lt;/p&gt;
 &lt;p&gt;Other ways to secure IMAP should address the different ways that IMAP servers are accessed. For example, some tactics include:&lt;/p&gt;
 &lt;ul class="default-list"&gt; 
  &lt;li&gt;Use firewall rules to prevent direct remote access to IMAP servers.&lt;/li&gt; 
   &lt;li&gt;&lt;a href="https://www.techtarget.com/searchmobilecomputing/tip/How-to-manage-multi-factor-authentication-for-Office-365"&gt;Enable multifactor authentication&lt;/a&gt; as broadly as possible for remote access.&lt;/li&gt; 
  &lt;li&gt;Use zero trust models to restrict users from accessing IMAP services without MFA.&lt;/li&gt; 
  &lt;li&gt;Reconfigure email and other services to disable unauthenticated remote access.&lt;/li&gt; 
   &lt;li&gt;As an extreme measure, disable end-user access to legacy email services entirely and require that users access email remotely through HTTPS-based services.&lt;/li&gt; 
 &lt;/ul&gt;
 &lt;p&gt;While it may not yet be practical to eliminate all legacy email protocol services, it is possible to &lt;a href="https://www.techtarget.com/searchsecurity/answer/What-are-the-most-important-email-security-protocols"&gt;secure these services against the most common vulnerabilities&lt;/a&gt; and the attacks that take advantage of them.&lt;/p&gt;
&lt;/section&gt;</body>
            <description>Legacy email protocols like IMAP are prime targets for hackers. Fix IMAP security with better configuration, more encryption and multifactor authentication mandates.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchSoftwareQuality/security_testing/softwarequality_article_015.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/Where-does-IMAP-security-fall-short-and-how-can-it-be-fixed</link>
            <pubDate>Thu, 27 Jun 2019 14:51:00 GMT</pubDate>
            <title>Where does IMAP security fall short, and how can it be fixed?</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;strong&gt;VirusTotal introduced an enterprise version that provides a faster malware search feature and uses N-gram content searches to identify threats. What is an N-gram content search and why is it so important?&lt;/strong&gt;&lt;/p&gt; 
&lt;p&gt;The practice of identifying threats and sharing information about those threats with defenders was an extension of the signature techniques that have long been used to defend against viruses and malware. While this was an extremely effective way to identify malware, it has since been supplemented with behavioral heuristics, anomaly detection and other techniques. Using this practice at scale and allowing enterprise defenders to access the underlying data may not have been common in the past, but recent &lt;a href="https://www.techtarget.com/searchsecurity/news/252449632/Alphabets-Chronicle-launches-VirusTotal-Enterprise"&gt;developments by VirusTotal&lt;/a&gt; have introduced an enterprise version that gives large organizations another option for investigating incidents.&lt;/p&gt; 
&lt;p&gt;VirusTotal contains &lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;malware&lt;/a&gt; submissions and other related data, which could include files, emails, IP addresses and URLs from researchers, defenders and attackers, each with their own reasons for using the service. One of the many new features introduced in the enterprise version is an N-gram content search. Most enterprises use VirusTotal to see if a particular file was detected by any of the included anti-malware engines. With the enterprise version, customers can keep their submissions and information private from other VirusTotal users.&lt;/p&gt; 
&lt;p&gt;An &lt;a href="https://venturebeat.com/2018/09/27/alphabets-chronicle-launches-virustotal-enterprise-with-private-graph-and-100-times-faster-malware-search/"&gt;N-gram content search&lt;/a&gt; occurs when a string or multiple strings of characters are searched for at the same time in a particular order to determine if a file is related to other files or malware. The strings could be specific functions in the malware whose layout the malware author changed just enough to alter the malware's overall detection signature.&lt;/p&gt; 
&lt;p&gt;By searching for multiple specific strings within a file, related malware can be identified without a dedicated signature for that malware and, as VirusTotal notes, with improved search speed. For example, an enterprise customer could submit a file of interest to see if it's been detected or is related to previously detected malware -- this could help prioritize future analysis of the malware.&lt;/p&gt; 
</body>
            <description>Detected malware can now efficiently be tracked due to VirusTotal's enterprise version of its software. Discover what N-gram is and how it can be used with Nick Lewis.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchExchange/exchange_server_security/exchange_article_020.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/Why-is-the-N-gram-content-search-key-for-threat-detection</link>
            <pubDate>Wed, 20 Feb 2019 11:02:00 GMT</pubDate>
            <title>Why is the N-gram content search key for threat detection?</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;strong&gt;A researcher recently discovered an info-stealer -- dubbed Vidar -- that is a part of a multi-payload and ongoing &lt;/strong&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/malvertisement-malicious-advertisement-or-malvertising"&gt;&lt;strong&gt;malvertising attack&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt; that also distributes &lt;/strong&gt;&lt;a href="https://www.techtarget.com/searchsecurity/answer/GandCrab-ransomware-How-does-it-differ-from-previous-versions"&gt;&lt;strong&gt;GandCrab ransomware&lt;/strong&gt;&lt;/a&gt;&lt;strong&gt;. How does this double attack work? Who is a target for the attack and how can it be mitigated?&lt;/strong&gt;&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/definition/malware"&gt;Malware&lt;/a&gt; infections haven't changed much over time, even taking into consideration the introduction of fileless malware, in which the software needs to get the endpoint to run malicious code in order for it to proceed to the next step in the attack. The next step can take many different forms, including downloading the next-stage malware or even multiple pieces of malicious code, depending on the attacker and the malware used.&lt;/p&gt; 
&lt;p&gt;Security controls may also be disabled. Malware attacks run the gamut -- from ransomware and information stealers to password stealers or a &lt;a href="https://www.techtarget.com/searchsecurity/definition/distributed-denial-of-service-attack"&gt;DDoS bot&lt;/a&gt;. Furthermore, these functionalities can be split into pieces, allowing the hacker to generate new versions or update individual components without affecting how the other malicious code operates.&lt;/p&gt; 
&lt;p&gt;For enterprises with low risk tolerances, running any unapproved code -- much less malicious code -- is cause for alarm. When an attack like this occurs, it must be &lt;a href="https://www.techtarget.com/searchsecurity/feature/Inside-Master134-Ad-networks-blind-eye-threatens-enterprises"&gt;thoroughly investigated&lt;/a&gt; to determine what happened on the endpoint and what vulnerabilities were created as a result.&lt;/p&gt; 
&lt;p&gt;A recent malvertising attack campaign -- in which an online advertisement could infect a viewer's computer with malware -- launched a two-pronged intrusion, using &lt;a href="https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/"&gt;Vidar&lt;/a&gt; as an information stealer and &lt;a href="https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/" target="_blank" rel="noopener"&gt;GandCrab&lt;/a&gt; as ransomware. The campaign used both pieces of malware in a bid to potentially monetize access to the endpoint.&lt;/p&gt; 
&lt;p&gt;Malvertising attack software has been found on torrent and streaming video sites. The Vidar software is engineered to exclude endpoints located in Russia, Belarus, Uzbekistan, Kazakhstan and Azerbaijan.&lt;/p&gt; 
&lt;p&gt;&lt;a href="https://www.techtarget.com/searchsecurity/feature/Inside-Master134-More-ad-networks-tied-to-malvertising-campaign"&gt;Malvertising attack&lt;/a&gt; mitigation calls for the implementation of standard endpoint security controls. In addition, Malwarebytes released indicators of compromise that affected companies should be aware of as they move to deal with the prospect of double attacks.&lt;/p&gt;</body>
            <description>The Vidar malvertising attack was part of a two-pronged intrusion that included the installation of ransomware in endpoints. How can enterprises protect themselves?</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchExchange/exchange_server_security/exchange_article_018.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/How-do-I-stop-the-Vidar-malvertising-attack</link>
            <pubDate>Mon, 18 Feb 2019 11:57:00 GMT</pubDate>
            <title>How do I stop the Vidar malvertising attack?</title>
        </item>
        <item>
            <body>&lt;p&gt;&lt;b&gt;The U.S. Department of Defense approved the use of Android devices that utilize Samsung's Knox platform. My organization has been wary of allowing Androids on the corporate network, pushing users toward iPhones and BlackBerrys instead. Could you explain what Knox does to improve Android device security, and whether it may be a viable enterprise device platform, as well?&lt;/b&gt;&lt;/p&gt; 
&lt;p&gt;Although the&amp;nbsp;security of the open source Android OS&amp;nbsp;is considered by many to be as robust as Apple's iOS and the BlackBerry OS, devices running Android have generally been shunned by enterprises due to&amp;nbsp;concerns&amp;nbsp;over the number of malicious Android apps and the ease with which hackers have been able to distribute them due to lax submission policies on&amp;nbsp;&lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/Google-Play-Android-Market"&gt;Google Play&lt;/a&gt;.&lt;/p&gt; 
&lt;p&gt;Samsung aimed to change that mindset with its Android-based Knox platform, a locked-down version of Android that enables work and personal data to safely coexist on the same device, while also retaining full compatibility with the Android ecosystem.&lt;/p&gt; 
&lt;p&gt;In 2013, the Samsung Knox platform was approved for use within the U.S. Department of Defense by the Defense Information Systems Agency. It was later approved for use within the National Security Agency and certified by government agencies in China, France and other nations. Knox has proven to be a popular solution for network administrators trying to control employee-owned devices in both enterprise and government agencies.&lt;/p&gt; 
&lt;p&gt;One of today's top BYOD concerns is data leakage caused by the mixing of professional and personal data and apps. Administrators have been reluctant to use&amp;nbsp;&lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/remote-wipe"&gt;remote wipe&lt;/a&gt;&amp;nbsp;tools on lost devices; they typically erase the user's personal data, photos, music and other files, as well as corporate information.&lt;/p&gt; 
&lt;p&gt;Enterprise data stored on Android devices is also under threat from malicious apps downloaded by users via third-party app marketplaces. The Samsung Knox platform tackles these problems by using partitions -- called&amp;nbsp;&lt;i&gt;containers&lt;/i&gt;&amp;nbsp;-- to isolate enterprise apps and to encrypt enterprise data both&amp;nbsp;&lt;a href="https://www.techtarget.com/searchstorage/definition/data-at-rest"&gt;at rest&lt;/a&gt;&amp;nbsp;and in motion. Therefore, administrators have no access to personal apps and data, as they remain outside the isolated business environment, and a remote wipe only erases the business partition.&lt;/p&gt; 
&lt;h3&gt;Knox platform security features&lt;/h3&gt; 
&lt;p&gt;Aside from the device's container model, the Samsung Knox platform includes a number of features designed to ensure a higher level of security.&lt;/p&gt; 
&lt;ul class="default-list"&gt; 
 &lt;li&gt;Customizable Secure Boot, which ensures that only verified and authorized software can run on the device.&lt;/li&gt; 
 &lt;li&gt;ARM's &lt;a href="https://www.techtarget.com/searchsecurity/answer/How-have-ARM-TrustZone-flaws-affected-Android-encryption"&gt;TrustZone-based&lt;/a&gt; Integrity Measurement Architecture, which provides continuous integrity monitoring of the Linux kernel, and which can disable and power down the device if it detects kernel or boot loader violations.&lt;/li&gt; 
 &lt;li&gt;Security Enhancements for Android, which enforce the separation of information based on confidentiality and integrity requirements by isolating applications and data into different domains. This reduces the threat of tampering and bypassing application security mechanisms, while minimizing the damage that a malicious application can cause.&lt;/li&gt; 
&lt;/ul&gt; 
&lt;p&gt;Also, an on-demand&amp;nbsp;&lt;a href="https://www.techtarget.com/whatis/definition/FIPS-Federal-Information-Processing-Standards"&gt;Federal Information Processing Standards&lt;/a&gt;&amp;nbsp;(FIPS)-certified VPN client can be configured and provisioned on a per application basis.&lt;/p&gt; 
&lt;p&gt;In addition, recent updates to the Samsung Knox platform have added new features, such as enhanced kernel security with control flow protection, which encrypts return addresses in the stack; the Secure Folder feature, which creates a separate encrypted folder for users' sensitive data and apps; and VPN support for IPv6 networks.&lt;/p&gt; 
&lt;p&gt;The Android OS itself has also received a number of enhancements recently; Android Nougat security features include the addition of file-level encryption, seamless updates and enhanced protection for the Linux kernel.&lt;/p&gt; 
&lt;div class="articleVideoLeft"&gt;
 &lt;video id="singlePlayer-0" class="video-js" data-account="1367663370" data-player="241dc03c-5fb7-411b-a162-bdf807c489ba" data-embed="default" data-video-id="4365417587001" controls=""&gt;&lt;/video&gt;
 &lt;script src="//players.brightcove.net/1367663370/241dc03c-5fb7-411b-a162-bdf807c489ba_default/index.min.js"&gt;&lt;/script&gt;
&lt;/div&gt; 
&lt;p&gt;Over the years, the Samsung Knox platform has also received fixes for some notable bugs and vulnerabilities. For example, in 2016, security researchers at Tel Aviv University &lt;a href="https://arxiv.org/pdf/1605.08567.pdf" target="_blank"&gt;discovered several vulnerabilities&lt;/a&gt; in older versions of the platform, including weak encryption key generation for eCryptfs and a shared certificate store bug that enabled man-in-the-middle attacks on Knox's VPN traffic. The vulnerabilities were addressed in newer versions of the platform.&lt;/p&gt; 
&lt;p&gt;As a platform, Android already owns the largest share of the smart device market, and the introduction of Samsung Knox helped&amp;nbsp;boost Android device security for enterprises.&lt;/p&gt; 
&lt;p&gt;The Samsung Knox platform is compatible with multiple enterprise&amp;nbsp;&lt;a href="https://www.techtarget.com/searchmobilecomputing/definition/mobile-device-management"&gt;mobile device management&lt;/a&gt; products, and any Android apps that will run in the secure work partition must come from an app store curated by Samsung. While such enterprise apps will need to be checked and signed off on by Samsung, developers will not need to write their own enterprise features, such as FIPS-compliant VPN, on-device encryption or enterprise single sign-on, as Knox provides these.&lt;/p&gt; 
&lt;p&gt;The dual-persona platform became popular with both security teams and employees, as personal applications and data are kept private from network administrators; approximately two years after its launch, Knox had more than 4 million users. The Samsung Knox platform was also designed to be easy for users to handle; it does not leverage virtualization, and users can switch between personal and work use, with no reboot or wait time, simply by pressing an icon.&lt;/p&gt;</body>
            <description>Application security expert Michael Cobb discusses the Samsung Knox platform and its ability to improve Android device security in the enterprise.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchSecurity/enterprise_network_security/security_article_017.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/answer/Samsung-KNOX-platform-Is-the-Android-security-issue-solved</link>
            <pubDate>Fri, 28 Jul 2017 08:26:00 GMT</pubDate>
            <title>Samsung Knox platform: Can it improve Android device security?</title>
        </item>
        <item>
            <body>&lt;p&gt;The inability of many online services to keep their users' passwords secure from cybercriminals, combined with the inherent weaknesses of passwords as a &lt;a href="https://www.techtarget.com/searchsecurity/answer/How-does-a-universal-second-factor-device-secure-Facebook-users"&gt;means of authentication&lt;/a&gt;, are forcing governments and the IT industry to establish a viable, long-term replacement. The U.S. Commission on Enhancing National Cybersecurity hopes to see "no major breaches by 2021 in which identity -- especially the use of passwords -- is the primary vector of attack." This is an ambitious goal as 63% of all successful data breaches can be tracked back to inadequate passwords according to Verizon's 2016 Data Breach Investigations Report, and it will require the development and broad adoption of identity authentication technologies. Until recently, the IT industry has struggled to bring about such technologies, but new developments such as the &lt;a href="https://www.techtarget.com/searchsecurity/opinion/4-identity-predictions-for-2023"&gt;FIDO authentication standard&lt;/a&gt; have started to change that.&lt;/p&gt; 
&lt;p&gt;Usability and deployability are the reasons passwords have lasted so long, but requiring users to remember longer, more complex passwords isn't practical given that the average Briton in 2012 had over 25 online accounts, with 25-34-year olds having over 40, according to &lt;a href="https://www.experianplc.com/media/news/2012/illegal-web-trade-in-personal-information-soars/" target="_blank" rel="noopener"&gt;research&lt;/a&gt; done by Experian plc, the U.K. credit reference agency. Although strong authentication products have been around for years, concerns over cost, lack of interoperability, vendor lock-in, and inconvenience to users have prevented them from becoming widely deployed. Ideas such as using image recognition -- where users recognize pictures rather than enter passwords -- only offer minor security benefits over passwords, while those offering significant security benefits like &lt;a href="https://www.techtarget.com/whatis/definition/iris-recognition"&gt;iris recognition&lt;/a&gt; have usually been too costly to deploy or problematical to use.&lt;/p&gt; 
&lt;p&gt;To address the lack of interoperability among strong authentication technologies, leading companies such as PayPal, Lenovo and Nok Nok Labs formed the &lt;a href="https://www.techtarget.com/searchsecurity/definition/FIDO-Fast-Identity-Online"&gt;Fast IDentity Online&lt;/a&gt; (FIDO) Alliance in July 2012 with the aim of defining a set of open standards and specifications for how &lt;a href="https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA"&gt;multifactor authentication&lt;/a&gt; should work that balance security with usability, privacy and interoperability. Work done by Google, Yubico and NXP on an open standard for a strong second-factor device was incorporated into the &lt;a href="https://fidoalliance.org/" target="_blank" rel="noopener"&gt;FIDO Alliance&lt;/a&gt; in 2013 and version 1.0 of the FIDO standard was published at the end of 2014. So what is FIDO, how does it work, and can it remove our reliance on passwords?&lt;/p&gt; 
&lt;p&gt;FIDO is a device-centric model but is not designed for any specific type of authentication technology. It separates the authentication server from the specific authentication model. This means the authentication method or provider can be changed without impacting the application. It provides two ways to authenticate users: Passwordless UX, which uses the Universal Authentication Framework (UAF) protocol, and Second Factor UX, which uses the Universal 2nd Factor (U2F) protocol (UX stands for "&lt;a href="https://www.techtarget.com/searchcio/definition/UX-user-experience"&gt;user experience&lt;/a&gt;"). In future versions, FIDO expects the two standards to further evolve and harmonize.&lt;/p&gt; 
&lt;p&gt;With Passwordless UX, users register their device with an online service by selecting a local authentication mechanism. This can be a &lt;a href="https://www.techtarget.com/searchsecurity/definition/biometric-authentication"&gt;biometric&lt;/a&gt; such as swiping a finger, taking a selfie or speaking into a microphone. Once registered, users repeat the process whenever they need to authenticate to the service, so no password is necessary. A service can also require multiple authentication mechanisms such as a biometric (for example, a fingerprint or voice scan) and knowledge (for example, a password or PIN). The presence of high quality cameras, microphones, and fingerprint readers in many of today's devices means it's now easier than ever to implement biometric authentication that establishes trust between two parties.&lt;/p&gt; 
&lt;p&gt;Second Factor UX involves using a password or PIN in conjunction with a FIDO-compliant hardware device to support two-factor authentication: knowledge of the PIN or password being the first factor, and ownership of the device being the second factor. The user is prompted to insert and touch their personal U2F device during login. The user's FIDO-enabled device creates a new key pair, and the public key is shared with the online service and associated with the user's account. The service can then authenticate the user by requesting that the registered device sign a challenge with the private key. Removable USB tokens are proving popular but other options include &lt;a href="https://www.techtarget.com/whatis/definition/trusted-platform-module-TPM"&gt;Trusted Platform Modules&lt;/a&gt;, embedded Secure Elements, &lt;a href="https://www.techtarget.com/searchsecurity/definition/smart-card"&gt;smart cards&lt;/a&gt;, &lt;a href="https://www.computerweekly.com/news/4500246790/Researchers-raise-privacy-concerns-about-Bluetooth-Low-Energy-devices"&gt;Bluetooth Low Energy&lt;/a&gt;, and Near Field Communication (NFC) chips. A hacker would need to steal both a user's credentials and their U2F device to compromise an account or application log-in.&lt;/p&gt; 
&lt;p&gt;FIDO UAF authentication credentials are never shared with an online service provider, only the public keys paired to the user's device. This removes the threat of a breach of a user's accounts or personal data if a service provider is compromised. Likewise, biometric measurements used in FIDO authentication never leave the user's device. There is also no information emitted by the device that can be used by different online services to collaborate and track a user across the Internet, even though the same device can be used to log in to any number of services.&lt;/p&gt; 
&lt;p&gt;FIDO is fast becoming the global de facto standard for authentication. The FIDO Alliance now has more than 250 members from across the world, including technology companies, device manufacturers, major banks and health firms, all major payment card networks, several governments and dozens of security and biometrics vendors. President Barack Obama's Commission on Enhancing National Cybersecurity report specifically noted the role the FIDO Alliance will play in achieving its goal. The U.K. government's new National Cyber Security Strategy also intends to invest in FIDO authentication.&lt;/p&gt; 
&lt;p&gt;Google Chrome was the first Web browser to implement support for Second Factor UX, but by early 2017 all the major browsers will provide support. For users, this means that instead of typing in a six-digit passcode received via SMS to log in to an online service, they can simply insert a FIDO-compliant USB key into their computer and tap it when asked to do so by the browser. Google analyzed its two-year deployment of U2F Security Keys and &lt;a href="https://fidoalliance.org/case-study-series-google-security-keys-work/" target="_blank" rel="noopener"&gt;reported&lt;/a&gt; that support costs had dropped. The keys replaced one-time passwords (OTP) as a means of authenticating its employees, which Google estimated has saved thousands of hours per year. There were also zero authentication failures, compared to a 3% failure rate for OTP-based authentications.&lt;/p&gt; 
&lt;p&gt;FIDO brings substantial gains to users and businesses, which explains its rapid adoption where other initiatives have failed to displace the password. As more users discover the advantages of being free from passwords and the added security FIDO authentication provides, online services left relying on passwords may well begin to lose out. If FIDO reduces the number of abandoned online and mobile shopping carts due to account login difficulties, retailers will easily recoup any costs involved in updating their sites to be FIDO compliant. PayPal, Alibaba, and Alipay all offer secure payments based on FIDO authentication and major cloud services such as Dropbox, GitHub, Dashlane, and Salesforce.com all now support U2F.&lt;/p&gt; 
&lt;p&gt;The forthcoming FIDO 2.0 features native platform support as well as device-to-device authentication using FIDO's public key cryptography, which should benefit many IoT devices. The Client-to-Authenticator Protocol (CTAP) should also be released in 2017. This will enable browsers and operating systems to talk to external authenticators like USB &lt;a href="https://www.techtarget.com/searchsecurity/definition/key-fob"&gt;key fobs&lt;/a&gt;, NFC- and Bluetooth-enabled devices and remove the requirement for users to re-register on every device they use. There is also work on a standard for mobile wallet providers and payment application developers to support Consumer Device Cardholder Verification Methods (CDCVM) so on-device FIDO Certified authenticators such as fingerprint or selfie biometrics can be used to verify a user's presence when making an in-store or in-app mobile payment.&lt;/p&gt; 
&lt;p&gt;Over the years, cybercriminals have made huge profits due to the ineffectiveness of password-based authentication, but FIDO authentication makes credential theft far more difficult and expensive, without compromising convenience for security. Hopefully it will help end the role of the password as the primary authentication factor.&lt;/p&gt;</body>
            <description>The FIDO authentication standard could eventually bypass passwords, or at least augment them, as government and industry turns to more effective authentication technologies.</description>
            <image>https://cdn.ttgtmedia.com/visuals/searchWinDevelopment/NET_app_testing_security/windevelopment_article_011.jpg</image>
            <link>https://www.techtarget.com/searchsecurity/tip/FIDO-authentication-standard-could-signal-the-passing-of-passwords</link>
            <pubDate>Tue, 03 Jan 2017 11:26:00 GMT</pubDate>
            <title>FIDO authentication standard could signal the passing of passwords</title>
        </item>
        <title>Search Security Resources and Information from TechTarget</title>
        <ttl>60</ttl>
        <webMaster>webmaster@techtarget.com</webMaster>
    </channel>
</rss>
