Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Best Practices

 

Black Hat insights: Deploying ‘human sensors’ to reinforce phishing email detection and response

By Byron V. Acohido

Human beings remain the prime target in the vast majority of malicious attempts to breach company networks.

Related: Stealth tactics leveraged to weaponize email

Cybersecurity awareness training is valuable and has its place. Yet as Black Hat USA 2021 returns today as a live event in Las Vegas, it remains so true that we can always be fooled — and that the prime vehicle for hornswoggling us remains phishing messages sent via business email.

Cofense, a Leesburg, VA-supplier of phishing detection and response solutions, has set out to take another human trait – our innate willingness to help out, if we can — and systematically leverage our better instincts to help fix this while combining advanced automation technology to stop phishing attacks fast.

I had a lively discussion about this with Rohyt Belani, co-founder and CEO of Cofense, which started out as PhishMe in 2011.

Inspired by Homeland Security’s see-something-say-something anti-terrorism initiative, as well as by crowd-sourcing services like Waze, Cofense has set out to squash those phishing messages that circumvent Security Email Gateways and fool even well-intentioned employees. It is doing this essentially by training and encouraging employees, not just to be on high alert for phishing ruses, but also to deliver useful reconnaissance from the combat zone.

Black Hat insights: WAFs are getting much more dynamic making them well-suited to protect SMBs

By Byron V. Acohido

A cornucopia of cybersecurity solutions went on public display today as Black Hat USA 2021 convened once more as a live event in Las Vegas.

Related: Kaseya hack raises more supply chain worries

For small- and mid-sized businesses (SMBs) cutting through the marketing hype can be daunting. That said, there is one venerable technology – web application firewalls (WAFs) – that is emerging as a perfect fit for SMBs in today’s environment, as all companies shift to a deeper reliance on cloud services and mobile apps.

I had the chance to get into the weeds of this trend with Venky Sundar, co-founder and chief marketing officer of Indusface, a Bengalura, India-based supplier of  cloud-hosted WAF services (Indusface has numerous enterprise deployments and also offers the same protections, cost-effectively, to SMBs.)

For a full drill down on our discussion, please give the accompanying podcast a listen. Here are the big takeaways:

WAF resurgence

Web apps and mobile apps are where they action is. SMBs must continually come up with cool new apps to stay competitive; it’s no surprise that this is also where threat actors are focusing their attention.

Criminal hacking rings are carrying out big sweeps, 24X7, hunting for well-known application vulnerabilities that they can manipulate to breach company networks. WAFs help companies keep track of these malicious probes by scanning incoming HTTPS traffic and taking note of parameters such as IP address, port routing, cookie data and incoming data.

The knock on WAFs for many years has been that while they are excellent at parsing HTTPS traffic, all too many companies choose not to instruct their WAFs to actually block any traffic that might be malicious.

Black Hat insights: Will Axis Security’s ZTNA solution hasten the sunsetting of VPNs, RDP?

By Byron V. Acohido

Company-supplied virtual private networks (VPNs) leave much to be desired, from a security standpoint.

Related: How ‘SASE’ is disrupting cloud security

This has long been the case. Then a global pandemic came along and laid bare just how brittle company VPNs truly are.

Criminal hackers recognized the golden opportunity presented by hundreds of millions employees suddenly using a company VPN to work from home and remotely connect to an array of business apps. Two sweeping trends resulted:  one bad, one good.

First, bad actors instantly began to hammer away at company VPNs; and attacks against instances of Remote Desktop Protocol (RDP) spiked dramatically, as well. VPNs and RDP both enable remote access that can put an intruder deep inside the firewall. And attempts to break into them have risen exponential over the past 17 months.

Conversely, Zero Trust has gained some material traction. As Black Hat USA 2021 convenes in Las Vegas this week, consensus is quickening around the wisdom of sunsetting legacy remote access tools, like VPNs and RDP, and replacing them with systems based on Zero Trust, i.e. trust no one, principles.

One start-up, Axis Security, couldn’t be more in the thick of these trends. Based in San Mateo, CA, Axis publicly announced its advanced Zero Trust access tool in March 2020, just as the global economy was slowing to a crawl.

“We came out of stealth mode right at the beginning of all the big shutdowns, and we got a number of customers, pretty fast, who were looking for solutions to remotely connect users to systems,” says Deena Thomchick, vice president of product marketing at Axis. “These were users who never had remote access before.”

NEW TECH: How the emailing of verified company logos actually stands to fortify cybersecurity

By Byron V. Acohido

Google’s addition to Gmail of something called Verified Mark Certificates (VMCs) is a very big deal in the arcane world of online marketing.

Related: Dangers of weaponized email

This happened rather quietly as Google announced the official launch of VMCs in a blog post on July 12. Henceforth companies will be able to insert their trademarked logos in Gmail’s avatar slot; many marketers can’t wait to distribute email carrying certified logos to billions of inboxes. They view logoed email as an inexpensive way to boost brand awareness and customer engagement on a global scale.

However, there is a fascinating back story about how Google’s introduction of VMCs – to meet advertising and marketing imperatives — could ultimately foster a profound advance in email security. Over the long term, VMCs, and the underlying Brand Indicators for Message Identification (BIMI) standards, could very well give rise to a bulwark against email spoofing and phishing.

I had a chance to sit down with Dean Coclin, senior director of business development at DigiCert, to get into the weeds of this quirky, potentially profound, security development. DigiCert is a Lehi, Utah-based Certificate Authority (CA) and supplier of Public Key Infrastructure services.

Coclin and I worked through how a huge email security breakthrough could serendipitously arrive as a collateral benefit of VMCs. Here are the main takeaways from our discussion:

MY TAKE: A path for SMBs to achieve security maturity: start small controlling privileged accounts

By Byron V. Acohido

The challenge of embracing digital transformation while also quelling the accompanying cyber risks has never been greater for small- and mid-sized businesses.

Related: How ‘PAM’ improves authentication

SMBs today face a daunting balancing act. To boost productivity, they must leverage cloud infrastructure and participate in agile software development. But this also opens up a sprawling array of fresh security gaps that threat actors are proactively probing and exploiting.

Somehow SMBs must keep pace competitively, while also tamping down the rising risk of suffering a catastrophic network breach.

There’s a glut of innovative security solutions, to be sure, and no shortage of security frameworks designed to help companies mitigate cyber risks. Leading-edge cybersecurity systems in service today apply machine learning in some amazing ways to help large enterprises identify and instantly respond to cyber threats.

However, this is overkill for many, if not most, SMBs. Day in and day out their core security struggle boils down to making it harder for intruders to attain and manipulate remote access. And it doesn’t take enterprise-grade security systems to accomplish this.

I’ve had several discussions about this with Maurice Côté, vice president of business solutions at Devolutions, a Montreal, Canada-based supplier of remote desktop management services. We talked about how Devolutions has been guiding its SMB customers

GUEST ESSAY: A full checklist on how to spot pharming attacks — and avoid becoming a victim

By Peter Baltazar

Cybercriminals use various techniques for conducting cyberattacks. One such popular way to infiltrate a system is Pharming. It is an online scam attack quite similar to Phishing.

Related: Credential stuffing explained

The term Pharming is a combination of two words Phishing and Farming. It is a type of social engineering cyberattack in which the website’s traffic is manipulated to steal confidential credentials from the users. Cybercriminals design a fake website, basically the clone of an official one, and use various means to redirect users to the phony webpage when visiting any other legit site.

Primarily the Pharming attack is planned to gain sensitive data like login credentials, personally identifiable information (PII), social security numbers, bank details, and more. The attackers can also use it for installing malware programs on the victim’s system.

Pharming vs phishing

Though Pharming and Phishing share almost similar goals, the approach to conduct Pharming is entirely different from Phishing. Unlike Phishing, Pharming is more focused on sabotaging the system rather than manipulating the victims. However, we will later know how Phishing plays a vital role in conducting Pharming.

The Pharming attacks are carried out by modifying the settings on the victim’s system or compromising the DNS server. Manipulating the Domain Name Service (DNS) protocol and rerouting the victim from its intended web address to the fake web address can be done in the following two ways:

•Changing the Local Host file. In this method of manipulating DNS, the attackers infiltrate the victim’s device and change the local host file. A local host file is a directory of IP addresses. The modified local host file would redirect users to the fake website whenever they try to open the legit site the next time. The phony website is designed similar to the one victims intended to visit so that the users are not alarmed.

To modify the local host file, the attacker primarily uses the Phishing technique so … more

ROUNDTABLE: Experts react to DHS assigning TSA to keep track of cyber attacks on pipelines

By Byron V. Acohido

The same federal agency that makes you take your shoes off and examines your belongings before boarding a flight will begin monitoring cyber incidents at pipeline companies.

Related: DHS begins 60-day cybersecurity sprints

The Department of Homeland Security on Thursday issued a directive requiring all pipeline companies to report cyber incidents to DHS’s Transportation Security Administration (TSA.)

This, of course, follows a devastating ransomware attack that resulted in a shutdown of Colonial Pipeline.

It can be argued that this is one small step toward the true level of federal oversight needed to protect critical infrastructure in modern times. I covered the aviation industry in the 1980s and 1990s when safety regulations proved their value by compelling aircraft manufacturers and air carriers to comply with certain standards, at a time when aircraft fleets were aging and new fly-by-wire technology introduced complex risks.

We’re a long way from having regulatory frameworks for data privacy and network security needed for critical infrastructure — akin to what we have to keep aviation and ground transportation safe and secure. However, the trajectory of ransomware attacks, supply chain corruption, denial of service attacks and cyber espionage is undeniable.

It seems clear we’re going to need more regulations to help guide the private sector into doing the right things. The discussion is just getting started, as you can see by this roundtable of comments from industry experts:

Edgard Capdevielle, CEO, Nozomi Networks

Most critical infrastructure sectors don’t have mandatory cyber standards, and until now that included oil and gas. The requirement for mandatory breach reporting will help shine a light on the extent of the problem in this sector.  Cybersecurity is a team sport.