Saturday, November 20, 2021

A Simple 5-Step Framework To Minimize The Risk Of A Data Breach.

Today's businesses run on data. They collect it from customers at every interaction, and they use it to improve efficiency, increase their agility, and provide higher levels of service. But it's becoming painfully obvious that all of that data businesses collect has also made them an enticing target for cybercriminals.

With each passing day, the evidence of that grows. In the last few months, we've witnessed massive data breaches that targeted Neiman Marcus, Facebook, and the Robinhood stock trading app. And they're hardly alone. In recent years, the number of data breaches worldwide has averaged close to three per day.

That statistic suggests that the average business has a target on its back and is running out of time to mount a defense of its data. And doing so doesn't have to be difficult. To help, here's a simple 5-step framework businesses of all sizes can use to protect their customer data.

Step One: Review and Adapt Data Collection Standards.

The first step businesses need to take to increase the security of their customer data is to review what types of data they're collecting and why. Most companies that undertake this exercise end up surprised by what they find. That's because, over time, the volume and variety of customer information that gets collected tends to expand well beyond a business's original intent.

For example, it's fairly standard to collect things like a customer's name and email address. If that's all a business has on file, it won't be an attractive target to an attacker. But if the business runs a cloud call centre or any type of high-touch sales cycle or customer support, it probably also collects home addresses, financial data, and demographic information. It has then assembled a collection that's perfect for enabling identity theft if the data gets out into the wild.

So, when evaluating each collected data point to determine its value, businesses should ask themselves: what critical business function does this data facilitate? If the answer is none, they should purge the data and stop collecting it. If there's a valid answer, but for a function that's not critical, the business should weigh the benefits the data creates against the possible harm they'd suffer if it were exposed in a breach.

Step Two: Minimize Data Access

After paring down the amount of data to protect, the next step is to reduce the data's attack surface by minimizing who has access to it. Access controls play an outsize role in data protection because the theft of user credentials is the primary way that malicious actors find their way into protected systems. For that reason, businesses need to apply the principle of least privilege (PoLP) both to their data repositories and to the systems that connect to them.

And minimizing access to data has another beneficial side effect: it helps to prevent insider threats from causing a data breach. Research firm Forrester predicted that insider threats would lead to 31% of breaches this year – a number that will only grow from there. So, by keeping sensitive customer data out of most employees' hands in the first place, businesses are addressing internal and external threats at the same time.

Step Three: Eliminate Passwords Wherever Possible.

Even after reducing the number of people that have access to customer data, there's still another way businesses can make it harder for hackers to gain access to it. And that's to eliminate passwords as a primary authentication method wherever possible. It's a small change that can make a world of difference.

According to the 2021 Verizon Data Breach Investigations Report, 61% of all data breaches last year involved the use of credentials, stolen or otherwise. So it logically follows that the fewer credentials there are to worry about, the better. And there are a few ways to reduce reliance on conventional password authentication systems.

One is the use of two-factor authentication. This means accounts require both a password and a time-limited security token, typically delivered via app or SMS. But an even better approach is the use of hardware security keys. They're physical devices that rely on unbreakable cryptographic credentials to control data access. With them in use, the threats of phishing and other social engineering attacks are greatly diminished. They're the best current secure authentication method, at least until solutions like Hushmesh go mainstream.

Step Four: Encrypt Data at Rest and in Motion.

While it is true that compromised credentials are by far the biggest cause of data breaches, they aren't the only threat. It's always possible for an attacker to exploit a software flaw or other security loophole to bypass the normal access control methods and gain access to customer data. Worst of all, such attacks are both difficult to detect and even harder to stop once in progress.

That's why step four in any competent data protection plan is to ensure that all customer data remains encrypted at all times. This means using software that employs strong encryption as data passes through it, networking hardware and components that employ encryption, and a data storage system that allows for data encryption at rest. Doing this minimizes the data access an attacker could gain without credentials and can help contain the damage if a breach does occur.

Step Five: Develop a Data Breach Response Plan.

No matter how you look at it, there's no such thing as perfect cybersecurity. Attackers are always hard at work looking for weaknesses to exploit. Businesses that prepare well will eliminate or minimize many of them. But that doesn't mean a data breach will become impossible.

That's why the final step in the customer data protection framework is to develop a data breach response plan. It should give the business a roadmap to help it respond if an attacker does gain access to customer data. The plan should spare no details – spelling out everything from how internal IT teams should react, to who the go-to third-party security consultants are, to how customers are to be notified of the breach.

And that last part is quite possibly the most important. In the aftermath of a data breach, how a business goes about making its customers whole can determine how well it will bounce back, if at all. For example, it might be wise to partner with a consumer security firm like Aura to provide affected customers with financial fraud protection and identity protection in the aftermath of a breach. That will reduce the risk of any follow-on events that further damage the business's reputation.

Conclusion.

The simple fact is that businesses that have yet to suffer a data breach are operating on borrowed time. And the odds are very much against them. But applying the framework detailed here will go a long way toward shifting the odds back in their favor. It will minimize the risk of a data breach, limit the damage if one does occur, and help the company deal with the aftermath. In the imperfect world that is the world of cybersecurity, there isn't much more any business can ask for.


Friday, November 19, 2021

Best Practices to Thwart Business Email Compromise (BEC) Attacks.

Business email compromise (BEC) refers to all types of email attacks that do not carry payloads. Although there are numerous variants, there are essentially two main mechanisms through which attackers penetrate organizations using BEC techniques: spoofing and account takeover attacks.

In a recent study, 71% of organizations acknowledged they had seen a business email compromise (BEC) attack during the past year. Forty-three percent of organizations experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of the incidents.

The FBI's Internet Crime Complaint Center (IC3) reports that BEC scams were the most expensive of cyberattacks in 2020, with 19,369 complaints and adjusted losses of approximately $1.8 billion. Recent BEC attacks include spoofing attacks on Shark Tank host Barbara Corcoran, who lost $380,000; the Puerto Rican government attacks that amounted to $4 million; and Japanese media giant Nikkei, which transferred $29 million based on instructions in a fraudulent email.

To thwart a BEC attack, an organization must focus on the Golden Triangle: the alignment of people, process, and technology. Read on to discover best practices every organization should follow to mitigate BEC attacks.

Process.

The finance department in every organization has an expenditure authorization policy in place. This policy establishes clear approval levels for any expenditures/payments to safeguard the company's assets.

While all expenditures/payments should be part of an approved budget, this policy provides a tool for the finance department to ensure that each payment is authorized by the right individual or individuals based on the amount.

In some cases, the CEO or president of a company is granted unlimited authority when it comes to requesting payments. Cybercriminals realize this, which is why they spoof the email accounts of high-level individuals.

Given the current cybersecurity landscape, the finance department should re-evaluate this policy to put stricter processes in place. This may mean requiring multiple authorizations for major expenditures paid via check, wire transfer, or any other channel to ensure the payment request is legitimate. It may also spell out how electronic authorizations are obtained.

For example, if someone in the finance department receives an email from the CEO requesting a wire transfer, the administrator processing the request is required to follow the company policy to obtain additional approvals, including sending emails to a pre-approved distribution list to gain electronic approvals along with confirmations via phone. The expenditure amounts dictate who can sign and co-sign and would be based on your organization's risk appetite, that is, how much your company is willing to lose.

As a member of the IT team, you should speak with the finance department to explain how BEC and other spoofing attacks happen. Provide real-life examples of recent BEC attacks and brainstorm what your company would do differently to thwart the attack. Based on these examples, the finance department should re-evaluate the current policy with cybersecurity spoofing and BEC in mind. This may mean that the Chairman of the Board, CEO, or company president cannot be the only signature on major expenditures, with the dollar threshold again based on your company's risk appetite.

Once the process is established within the expenditure authorization policy, the company must ensure that its people are trained to follow the policy, without exception.
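The authorization rules just described (signers scaled to the amount, an executive never the sole signature, and an out-of-band confirmation before funds move) are easy to express as a small policy check that a payment system can run before a wire is released. The following is an added example, not code from the original post; the tier thresholds, the signer list and the `example.com` addresses are constructed, and a real policy would set them from the organization's risk appetite.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed for this example: approval tiers in USD and the pre-approved signer list.
# A real policy derives the thresholds from the organization's risk appetite.
TIERS = [
    (10_000, 1),          # up to $10,000: one pre-approved signer
    (100_000, 2),         # up to $100,000: two distinct signers
    (float("inf"), 3),    # above that: three distinct signers
]
APPROVED_SIGNERS = {
    "ceo@example.com", "cfo@example.com", "controller@example.com", "treasurer@example.com",
}
OUT_OF_BAND = {"phone", "in_person"}   # channels a spoofed email cannot satisfy on its own


@dataclass
class Approval:
    approver: str
    channel: str          # "email", "phone" or "in_person"


@dataclass
class PaymentRequest:
    requester: str        # the address the request claims to come from
    amount: float
    approvals: List[Approval] = field(default_factory=list)


def required_signers(amount: float) -> int:
    """Number of distinct pre-approved signers the tier table demands for this amount."""
    for ceiling, n in TIERS:
        if amount <= ceiling:
            return n
    raise ValueError("tier table must end with an open-ended ceiling")


def evaluate(req: PaymentRequest) -> Tuple[bool, List[str]]:
    """Apply every control and return (authorized, list of failed controls)."""
    reasons = []
    need = required_signers(req.amount)
    valid = [a for a in req.approvals if a.approver in APPROVED_SIGNERS]
    signers = {a.approver for a in valid}
    if len(signers) < need:
        reasons.append(f"need {need} distinct pre-approved signers, have {len(signers)}")
    # An executive may sign, but above the first tier can never be the only signature.
    if need > 1 and signers == {req.requester}:
        reasons.append("requester cannot be the sole signer on this amount")
    if not any(a.channel in OUT_OF_BAND for a in valid):
        reasons.append("no out-of-band confirmation (phone or in person) on file")
    return (not reasons, reasons)


if __name__ == "__main__":
    # A $50,000 request "from the CEO" approved only by an email reply is exactly the BEC pattern.
    spoofed = PaymentRequest("ceo@example.com", 50_000, [Approval("ceo@example.com", "email")])
    print(evaluate(spoofed))
```

Every failed control is reported rather than only the first, so the finance administrator sees at a glance which step of the policy still has to be completed before the payment can go out.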

People.

All company employees must be trained to know what a cybersecurity attack looks like, what to do, and what not to do. This training should be delivered on an ongoing basis since the cybersecurity landscape is changing so rapidly.

Employees in the finance department – or anyone who is authorized to disburse funds in any form – should be trained on what BEC and other spoofing attacks look like.

Emphasize that many of these attacks take the form of emails from high-level executives, that they tend to be "urgent" requests, and that sometimes the request is sent minutes before the close of business and requires immediate payment. With this training, plus the requirement that all employees follow the expenditure authorization policy, your company should be able to stop BEC attacks.

Many companies purchase insurance to cover these BEC losses, but no organization can be certain that the carrier will pay. For example, trading firm Virtu Financial Inc. lost $6.9 million in a BEC scam but their insurer, Axis Insurance, has refused to pay claiming "the unauthorized access into Virtu's computer system was not the direct cause of the loss, but rather, the loss was caused by separate and intervening acts by employees of Virtu who issued the wire transfers because they believed the 'spoofed' email asking for the funds to be transferred to be true." Virtu Financial Inc. has filed a complaint against Axis Insurance for allegedly breaching the contract by refusing to provide coverage for the cyberattack.

Technology.

Next-generation, advanced cybersecurity technology can help block any email threat, including spam, phishing, BEC and follow-on attacks, advanced persistent threats (APTs), and zero-day attacks that exploit unpatched vulnerabilities – all before the threat reaches end-users.

These types of solutions include:

  • An anti-spam engine that blocks malicious communications with anti-spam and reputation-based filters.
  • An anti-phishing engine to detect malicious URLs and prevent any type of phishing attack before it reaches end-users.
  • An anti-spoofing engine to prevent payload-less attacks such as spoofing, look-alike domains, and display name deception.
  • Anti-evasion technologies that detect malicious hidden content by recursively unpacking the content into smaller units (files and URLs) which are then dynamically checked by multiple engines in seconds.
  • Machine intelligence (MI) and natural language processing (NLP) to check for aberrations from the norm in content and context, such as identifying an abnormal writing style, keywords that may signify malicious activity, strange IP addresses, geolocations, timing, etc.
  • Detection to prevent advanced threats and zero-day attacks.
  • Ad-hoc email analysis for end-users to identify suspicious emails before taking reckless action.
  • End-user contextual help to flag emails with customizable banners based on policies and rules to provide end-users with additional contextual information and increase their security awareness.

The solution should be able to detect and stop spoofing and account take-over attacks, where a cybercriminal gets access to a legitimate email account and tries to go further into the network.
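Three of the payload-less checks listed above (display name deception, look-alike domains and urgency language in the content) are simple enough to show in code. The following is an added example written for this page, not code from any product the post mentions: it runs the checks over two constructed messages using only Python's standard library, and the organization domain, executive list and urgency phrases are assumptions a real deployment would replace with its own.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed for this example: the organization's own domain, the executives whose
# names are most likely to be borrowed, and the payment/urgency phrases to flag.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|wire transfer|close of business)\b", re.I)
# Character substitutions that make a registered domain read like ours.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain: str) -> str:
    """Fold accents and common look-alike substitutions so 'examp1e.com' compares as 'example.com'."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but reads like ours after normalization or is a near miss."""
    if domain == OUR_DOMAIN:
        return False
    n = normalize_domain(domain)
    return n == OUR_DOMAIN or SequenceMatcher(None, n, OUR_DOMAIN).ratio() >= 0.85


def analyze(raw_message: str) -> List[str]:
    """Return the spoofing indicators found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    official = EXECUTIVES.get(name.strip().lower())
    if official and addr.lower() != official:
        findings.append(f"display name deception: '{name}' but sender is {addr}")
    if sender_domain and is_lookalike(sender_domain):
        findings.append(f"look-alike domain: {sender_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"Reply-To goes elsewhere: {reply_to}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgency or payment language")
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: payments@mail-relay.invalid
Subject: URGENT wire transfer before close of business
Content-Type: text/plain

Please process this immediately, I am boarding a flight.
"""
LEGITIMATE = """From: "Jane Doe" <jane.doe@example.com>
Subject: Q3 budget review notes
Content-Type: text/plain

Attached are the notes from this morning's review.
"""

if __name__ == "__main__":
    for line in analyze(SUSPICIOUS):
        print("flag:", line)
    print("legitimate message findings:", analyze(LEGITIMATE))
```

None of these indicators is conclusive on its own (executives do travel, and urgent payments do happen), which is why the products described above combine them with reputation data and user-facing banners rather than silently dropping mail; the banner is what lets the finance administrator fall back on the expenditure authorization policy.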

Final Thoughts.

The proficiency of these attacks is why businesses and managed service providers (MSPs) choose to use Acronis Cyber Protection solutions. With a unique combination of machine intelligence (MI), automation, and integration, this all-in-one cyber protection solution is designed to help lower business risk and improve productivity, regardless of how data loss occurs.


How to Build a Security Awareness Training Program that Yields Measurable Results.

Organizations have been worrying about cyber security since the advent of the technological age. Today, digital transformation coupled with the rise of remote work has made the need for security awareness all the more critical.

Cyber security professionals are continuously thinking about how to prevent cyber security breaches from happening, with employees and contractors often proving to be the most significant risk factor for causing cyber security incidents. Proactive cyber security professionals will find that an effective security awareness training program can significantly reduce their risk of getting exposed to a cyber incident.

For a security awareness training program to be successful, it must be measurable and yield positive, actionable results over time.

The following looks at what good security awareness looks like and how vital phishing simulations and awareness training are in devising effective cyber security programs.

The essentials of a cyber security awareness training program.

Employees represent security risks mainly because they are unaware of how their actions and decisions cause security incidents. To address this cause, enterprises undertake extensive security awareness training efforts to help employees know what they should and shouldn't do when working digitally.

The mere act of exposing employees to security training is not enough; a program is not effective unless it produces results in building real skills that change employee behavior and empower them to make the right choice in the face of a cyberattack.

To achieve this, companies must select security awareness training that is data-driven; adapts to each employee's location, role, and behavior towards cyber training; is continuous and high-frequency; and engages each employee at least once a month.

Some of the key features organizations should be looking for in a security awareness program can be divided into the following.

Continuous cyber education training and a hands-on approach.

The more employees are exposed to real-life phishing emails and other security risks, the more likely they are to succeed in protecting the organization and its assets against phishing, malware, and many other threats. Theoretical knowledge of cybersecurity becomes far more valuable when put into practice, so training must be a hands-on learning experience with simulations and concrete action.

Identify weakest links and employ real-time feedback.

Statistically, fewer than 20 percent of employees in an organization are responsible for most human error-induced mistakes. To make sure all employees are properly trained, organizations must run simulations frequently - at least once a month. This is also where continuous feedback loops come into play. By engaging or disengaging with the content, employees reflect on the security gap that exists between them and the organizational risk, illustrating the need for cybersecurity awareness training in the first place. Moreover, when security events include real-time feedback, employees immediately understand the missteps and how to prevent similar situations in the future.

Culture and the scientific training method.

Cyber security awareness must be ingrained in the organization's daily practices without feeling like a daily grind. Organizations should make training an engaging, effortless, and seamless part of employees' daily routines, regularly encouraging continuous learning via small, digestible security awareness learning bites.

Behind effective cyber security training is often a scientific method. A next-generation approach to security awareness training should focus on bringing together learning expertise, data science, and automation.

How to Measure Progress.

Having a training program in place is a great start, but organizations must ask themselves: how do I know if my security awareness training is working?

Organizations usually rely solely on click rates (e.g. how many employees click on phishing simulations) to measure success. And this is precisely where they go wrong.

Companies must focus on progress over time, and not just measure participation.

When measuring the success of a security awareness program, it's all about context.

Companies should look for qualitative, not simply quantitative results. For instance, if a company sends out three phishing simulations over a year, there is no way of knowing whether one was sent while an employee was on vacation or if an employee clicked because they were new to the company or whether the email went unnoticed due to a flurry of meetings and other tasks.

When progress is measured instead of participation, teams get a clear view of the benefits of a security awareness training solution over time. Instead of looking at the company as one block of employees, it would be worthwhile to approach them individually with specific strengths and weaknesses. To evaluate the impact of your security awareness training, you need actionable data to identify valuable metrics such as:

  • High-risk employees: The number of employees who fail to learn at a good pace and to avoid more scams over time.
  • Resilience: The level of security awareness in the company or even within specific teams.
  • Mean time between failures (MTBF): Proving that employee learning is occurring and that retention is improving over time. In machinery, MTBF is used to measure the time elapsed since the machine last failed. In the security awareness industry, MTBF shows the resilience of an organization. If employees have fewer simulation failures and mistakes are decreasing, the employees are acquiring knowledge from the program and, best of all, retaining it.
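The three metrics above can be computed directly from a simulation log, which makes the difference between "participation" and "progress" concrete. The following is an added example, not code or data from CybeReady or the original post: the simulation log is constructed (three employees, one simulation a month, the cadence the text recommends), and the 90-day window and two-failure threshold used to define the high-risk group are assumptions a real program would tune.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed phishing-simulation log: (employee, date sent, clicked?).
EVENTS: List[Tuple[str, date, bool]] = [
    ("alice", date(2021, 1, 15), True),  ("alice", date(2021, 2, 15), False),
    ("alice", date(2021, 3, 15), False), ("alice", date(2021, 4, 15), False),
    ("bob",   date(2021, 1, 15), True),  ("bob",   date(2021, 2, 15), True),
    ("bob",   date(2021, 3, 15), False), ("bob",   date(2021, 4, 15), True),
    ("carol", date(2021, 1, 15), True),  ("carol", date(2021, 2, 15), False),
    ("carol", date(2021, 3, 15), False), ("carol", date(2021, 4, 15), False),
]


def failures(events) -> Dict[str, List[date]]:
    """Dates on which each employee clicked a simulation, oldest first."""
    out: Dict[str, List[date]] = defaultdict(list)
    for who, when, clicked in events:
        if clicked:
            out[who].append(when)
    return {who: sorted(days) for who, days in out.items()}


def mtbf_days(events, employee: str) -> Optional[float]:
    """Mean days between successive failures; None until there are two failures to compare."""
    days = failures(events).get(employee, [])
    if len(days) < 2:
        return None
    return mean((later - earlier).days for earlier, later in zip(days, days[1:]))


def resilience(events, start: date, end: date) -> Optional[float]:
    """Share of simulations sent in [start, end] that were not clicked."""
    window = [clicked for _, sent, clicked in events if start <= sent <= end]
    return 1 - sum(window) / len(window) if window else None


def high_risk(events, asof: date, recent_days: int = 90, min_failures: int = 2) -> List[str]:
    """Employees still failing repeatedly in the recent window, i.e. not learning at a good pace."""
    cutoff = asof - timedelta(days=recent_days)
    return sorted(
        who for who, days in failures(events).items()
        if sum(d >= cutoff for d in days) >= min_failures
    )


if __name__ == "__main__":
    print("Q1 resilience:", resilience(EVENTS, date(2021, 1, 1), date(2021, 3, 31)))
    print("April resilience:", resilience(EVENTS, date(2021, 4, 1), date(2021, 4, 30)))
    print("bob MTBF (days):", mtbf_days(EVENTS, "bob"))
    print("high-risk group:", high_risk(EVENTS, date(2021, 4, 30)))
```

Read together, the numbers tell the story a raw click rate hides: company-wide resilience rises from the first quarter to April, alice and carol drop out of the failure list after one early click, and bob, whose failures keep recurring about every six weeks, is the one person the program should re-engage.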


An effective security awareness program requires the right platform.

Security professionals who wish to address security risks in their organizations need to ensure that their employees know daily security risks. An ongoing, employee-centric, and engaging security awareness program is one of the best ways to have vigilant employees.

Organizations must foster security awareness to build a culture of readiness to mitigate security risks effectively. CybeReady addresses this by offering a fully autonomous, data-driven security readiness platform that delivers, measures, and optimizes complete out-of-the-box awareness training that is continuous, contextual, and adaptive.

CybeReady's Security Awareness Training platform offers key capabilities:

  • Training and simulation content is adapted based on employee role and locale
  • Training and simulation content and frequency auto-adapt to mitigate measured risks
  • No IT effort required
  • One-click executive reporting
  • Measurements provide progress improvement metrics
  • Proven results:
      • 200% higher employee engagement
      • 400% increase in Employee Resilience Score (within 12 months)
      • 80% reduction in high-risk group size

Final thoughts.

Despite the broad adoption of first-generation security awareness solutions, the human element continues to be a primary catalyst for data breaches, with phishing accounting for 36% of breaches. This means that organizations need to turn security awareness into a readiness culture to mitigate security risks effectively.


U.S., U.K. and Australia Warn of Iranian Hackers Exploiting Microsoft, Fortinet Flaws.

Cybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday released a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.

The threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).

The agencies did not attribute the activities to a specific advanced persistent threat (APT) actor.

Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited is below:

  • CVE-2021-34473 (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka "ProxyShell")
  • CVE-2020-12812 (CVSS score: 9.8) - FortiOS SSL VPN 2FA bypass by changing username case
  • CVE-2019-5591 (CVSS score: 6.5) - FortiGate default configuration does not verify the LDAP server identity
  • CVE-2018-13379 (CVSS score: 9.8) - FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests

Besides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," the advisory said.

The development marks the second time the U.S. government has alerted of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.

As mitigations, the agencies recommend that organizations immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as soon as updates are released.


The Benefits Of Blockchain In The Travel Industry.

  Blockchain technology advocates say it’s poised to disrupt numerous industries, ranging from finance to supply chain tracking and real e...