Imminent threats

 

GUEST ESSAY: Why Microsoft Exchange users ‘must have’ robust data recovery policies, practices

By Bharat Bhushan

Cloud hosted email services have come into wide use as the go-to communication and collaboration work tools for businesses far and wide.

Related: Weaponized email endures as top threat

Digital native companies start from day one relying entirely on Microsoft Office 365 or Google’s G Suite and most established companies are in some stage of migrating to, or adjusting for, Office 365 or G Suite.

That said, Microsoft Exchange on-premises email servers – technology that once, not too long ago, dominated this space – remain in pervasive business use today.

In 2021, on-premises Microsoft Exchange Server mailboxes commanded a 43 percent global market share as compared to 57 percent for cloud Exchange mailboxes, according to this report from Statista. Some 11,800 computer software companies, 10,000 IT services vendors, 5,500 health care organizations and 3,200 financial services firms continue to maintain on-premises Exchange email servers, according to this report from Enlyft.

What’s more, many of the organizations migrating to cloud IT infrastructure services are patching together hybrid email systems, part on-premises and part cloud-hosted.

SHARED INTEL: Log4j vulnerability presents a gaping attack vector companies must heed in 2022

By Byron V. Acohido

As we close out 2021, a gargantuan open-source vulnerability has reared its ugly head.

Related: The case for ‘SBOM’

This flaw in the Apache Log4j logging library is already being aggressively probed and exploited by threat actors — and it is sure to become a major headache for security teams in 2022.

“This vulnerability is so dangerous because of its massive scale. Java is used on over 3 billion devices, and a large number of those use Log4j,” says Forrester cybersecurity analyst Allie Mellen, adding that crypto miners and botnet operators are already making hay.

“We can expect more devastating attacks, like ransomware, leveraging this vulnerability in the future,” Mellen adds. “This vulnerability will be used for months if not years to attack enterprises, which is why security teams must strike while the iron is hot.”

This Log4j vulnerability was disclosed to Apache on Nov. 24 by the Alibaba Cloud Security team. Then on Dec. 9, the vulnerability, formally designated CVE-2021-44228, was disclosed on Twitter; meanwhile a proof-of-concept exploit got posted on GitHub.

This flaw in an open-source web server software used far and wide puts open-source risks in the spotlight – yet again. Companies will have to deal with Log4j in much the same manner as they were compelled to react to the open source flaws Heartbleed and Shellshock in 2014.

GUEST ESSAY: The shock waves of mental illness have begun exacerbating cybersecurity exposures

By Nitin Chopra

Mental health at work is undergoing a rapid transformation. Even before the COVID-19 pandemic, which has caused an increase in feelings of loneliness and isolation, workers’ mental health was under pressure.

Related: Capital One hacker demonstrated ‘erratic behavior’

According to a recent workforce health survey, 40% of workers experienced mental health issues this past year, double the year before. We are in the midst of a workplace mental health crisis that’s affecting individual employees and entire companies.

While it’s obvious people are not getting the mental health care they need and deserve, and we must do better as a nation, there is an overlooked aspect of this crisis affecting businesses.

The vulnerabilities and challenges associated with declining worker mental health are causing cybersecurity risks to increase, especially from insider threats.

Mental health cyber risks

Many organizations categorize employee mental health as a human resources concern, yet mounting evidence proves that the effects of mental health go much deeper. Declining workplace mental health is affecting cybersecurity in various ways. When an employee is struggling, they may reach a tipping point and become an insider threat. According to Verizon, 22 percent of all security incidents involve insiders.

MY TAKE: For better or worse, machine-to-machine code connections now form much of the castle wall

By Byron V. Acohido

Managing permissions is proving to be a huge security blind spot for many companies.

Related: President Biden’s cybersecurity order sets the stage

What’s happening is that businesses are scaling up their adoption of multi-cloud and hybrid-cloud infrastructures. And in doing so, they’re embracing agile software deployments, which require authentication and access privileges to be dispensed, on the fly, for each human-to-machine and machine-to-machine coding connection.

This frenetic activity brings us cool new digital services, alright. But the flip side is that companies have conceded to a dramatic expansion of their cloud attack surface – and left it wide open to threat actors.

“The explosion in the number of human and non-human identities in the public cloud has become a security risk that businesses simply can’t ignore,” observes Eric Kedrosky, CISO at Sonrai Security.

I’ve had a couple of deep discussions with Kedrosky about this. Based in New York City, Sonrai is a leading innovator in a nascent security discipline, referred to as Cloud Infrastructure Entitlement Management (CIEM).

GUEST ESSAY: Here’s what every business should know — and do — about CaaS: crime-as-a-service

By Jack Chapman

It doesn’t matter if you want to learn a new language or figure out how to fix your broken clothes dryer; the tools, tutorials, and templates you need are available online.

Related: Enlisting ‘human sensors’

Unfortunately, with crime-as-a-service, the same is true for people interested in trying their hand at cybercrime. The dark web provides virtually everything potential attackers need to make their move.

Let’s look closely at precisely what crime-as-a-service (CaaS) is, why it’s so dangerous, and how your business can defend itself.

CaaS variants

Experts define CaaS as what happens when sophisticated hackers and criminals work together to create technology, toolkits, and methodologies geared toward carrying out cyberattacks. CaaS is happening with increasing regularity. For example, an Illinois man recently faced conviction for running a website that allowed users to buy subscriptions to launch distributed denial of service (DDoS) attacks against computer networks.

FIRESIDE CHAT: All-powerful developers begin steering to the promised land of automated security

By Byron V. Acohido

Software developers have become the masters of the digital universe.

Related: GraphQL APIs pose new risks

Companies in the throes of digital transformation are in hot pursuit of agile software and this has elevated developers to the top of the food chain in computing.

There is an argument to be made that agility-minded developers, in fact, are in a terrific position to champion the rearchitecting of enterprise security that’s sure to play out over the next few years — much more so than methodical, status-quo-minded security engineers.

With Black Hat USA 2021 reconvening in Las Vegas this week, I had a deep discussion about this with Himanshu Dwivedi, founder and chief executive officer, and Doug Dooley, chief operating officer, of Data Theorem, a Palo Alto, CA-based supplier of a SaaS security platform to help companies secure their APIs and modern applications.

For a full drill down on this evocative discussion, please view the accompanying video. Here are the highlights, edited for clarity and length:

LW: Bad actors today are seeking out APIs that they can manipulate, and then they follow the data flow to a weakly protected asset. Can you frame how we got here?

Dwivedi: So 20 years ago, as a hacker, I’d go see where a company registered its IP. I’d do an ARIN Whois look-up. I’d profile their network and build an attack tree. Fast forward 20 years and everything is in the cloud. Everything is in Amazon Web Services, Google Cloud Platform or Microsoft Azure and I can’t tell where anything is hosted based solely on IP registration.

So as a hacker today, I’m no longer looking for a cross-site scripting issue of some website since I can only attack one person at a time with that. I’m looking at the client, which could be an IoT device, or a mobile app or a single page web app (SPA) or it could be an …

SHARED INTEL: Ramifications of 86 cities storing citizens’ data in misconfigured AWS S3 buckets

By Byron V. Acohido

The ethical hackers at WizCase recently disclosed another stunning example of sensitive consumer data left out in the open in the public cloud — for one and all to access.

Related: How stolen data gets leveraged in full-stack attacks

This latest high-profile example of security sloppiness was uncovered by a team of white hat hackers led by Ata Hakçil. They found personal documents, collected by over 80 US municipalities, sitting in Amazon Web Services S3 storage buckets left wide open in the public cloud.

This included citizens’ physical addresses, phone numbers, drivers’ licenses, tax documents, and more. There was no need for a password or login credentials to access this information, and the data was not encrypted.

The WizCase team traced this exposure back to a cloud-delivered information management tool — mapsonline.net, supplied by Woburn, Mass.-based PeopleGIS. WizCase reached out to PeopleGIS and the S3 buckets in question have since been secured.

Some 114 Amazon S3 storage buckets used a common naming pattern associated with PeopleGIS; of those, 28 appeared to be properly configured and were not accessible without proper credentials, but 86 were accessible without any password or encryption. The WizCase team outlined three ways this could have happened:

• PeopleGIS created and handed over the buckets to their city customers, and some of them made sure these were properly configured