Tag Archive for: Cybersecurity

Surviving the Worst-Case Scenario: Best Practices for Incident Response

/by

There’s no way around it: Cyberattacks are escalating. According to data from the Identity Theft Resource Center (ITRC), the number of reported data breaches from January to September 2021 exceeded the total volume of breaches in 2020 by 17 percent — and with threat vectors such as ransomware and phishing on the rise, this number isn’t going anywhere but up.

What does this mean? It’s a matter of when, not if, when it comes to network compromise, and companies can no longer assume that security frameworks offer invincibility from evolving cyberattack trends. Instead, they need an approach designed to help them survive the work-case scenario — and come out stronger on the other side.

This is the role of robust cybersecurity incident response (IR) plans. Here’s what you need to know about how these plans work, where they can help, and what steps are necessary for effective implementation.

What is a Cybersecurity Incident Response Plan?

A cybersecurity incident response plan provides a framework for teams to follow in the event of a cyber incident or attack. Research firm Gartner defines an IR plan as something “formulated by an enterprise to respond to potentially catastrophic, computer-related incidents such as viruses or hackers.”

While there are no one-size-fits-all approaches to creating a cybersecurity incident response plan, common components include:

  • Creating an overall strategy to mitigate risk
  • Identifying potential threat vectors
  • Assigning specific tasks to team members
  • Testing the plan regularly to ensure effective operation.

It’s also worth noting that cyber incident response plans play a role in regulatory compliance. With companies now handling large volumes of financial, personal, and health information from various sources, alignment with compliance expectations requires companies to adopt the mandate of “due diligence.” That is, they must take every reasonable precaution to protect data at rest, in transit, and in use. While businesses can’t avoid every cyberattack, lacking due diligence can lead to legal and regulatory challenges. Robust incident response frameworks help ensure organizations are meeting current compliance goals.

How can a Strong Cyberattack Incident Response Plan Help Put the House Back Together?

A robust IR plan helps put your digital house back together by providing a pathway from initial incident detection to eventual remediation. This is critical because when incidents occur, panic and fear are common responses: Teams want to do everything they can to get networks back on track but simply throwing everything you have at the problem — all at once — often leads to process overlap and policy confusion.

By creating a cyberattack incident response plan that lays out a specific order of events when threats are detected and assigns key tasks to staff, teams can respond in unison when attacks occur. For example, one employee may be responsible for identifying the source of the threat, while another looks to quarantine the affected area. Other team members may be tasked with informing C-suite members about what’s happening and ensuring that backup data is safe from harm.

The Phases of an Incident Response Plan: Timing is Everything

Cyber incidents happen without warning and in real-time — they don’t wait for companies to ready their defenses and prepare for an attack. As a result, timing is everything. Businesses must be ready to respond at a moment’s notice when attacks occur to mitigate the overall impact and get systems back up and running ASAP.

To help streamline this process. The National Institute of Standards and Technology (NIST) defines four key phases:

  1. Preparation speaks to the actions taken before an attack occurs. These include regular network evaluations such as vulnerability scans and penetration tests, along with the deployment of protective tools such as encryption software, failover backups, and automated incident analysis tools.
  2. Next is detection and analysis. This includes determining primary attack vectors — such as emails, web applications, brute-force efforts such as DDoS or improper network usage by employees — along with identifying and analyzing signs of compromise such as network performance drops, antivirus warnings, or unusual traffic amounts.
  3. Containment, Eradication, and Recovery policies determine where attack data will be stored for analysis and debriefing, while eradication looks to remove malware code or breached user accounts once attacks are under control. Recovery focuses on bringing systems back online using a staged approach to ensure no threats remain.
  4. Finally, post-incident activity asks the question: What did we learn? By using data collected during the attack, companies can assess what information was needed sooner to improve response, what additional steps might speed recovery, and what steps they can take to prevent future incidents.

Top Tips for Managing Collateral Damage After an Attack

After attacks occur and incident response plans activate, it’s critical to manage collateral damage and get back on track. Five best practices include:

#1 Prioritize Visibility

The more you know, the better prepared you are to respond when attacks occur. By prioritizing network visibility, your team can discover what they don’t know and take appropriate action.

#2 Define Recovery Times

Recovery point objectives (RPOs) and recovery time objectives (RTOs) help set goals for getting back on track and provide a finite resolution to the IR process.

#3 Seek Out Answers

While successfully mitigating an attack offers business value, managing long-term collateral damage means looking for answers about what happened, why, and what can be done to prevent similar breaches in the future.

#4 Leverage Active Backups

Multiple local and cloud backups can help get your systems back up and running. By logically segmenting them from operational networks, you can significantly reduce their risk of compromise and streamline the recovery process.

#5 Practice, Practice, Practice

As noted by the Open Web Application Security Project (OWASP), practice is paramount to ensure IR plans work as intended. From regular drills to simulated, unscheduled attacks, the more you practice your cybersecurity incident response plan, the better.

Surviving — and Thriving — After the Worst-Case Scenario

While the goal of cybersecurity planning is to help companies survive the brunt of an attack and come out the other side relatively unscathed, effective IR response offers actionable post-incident threat data to help enterprises reduce the risk of future attacks. Intelligent network modeling from RedSeal, meanwhile, provides the insight and integrations you need to take action and thrive in the wake of cyberattacks quickly.

By creating a comprehensive model of your network across cloud, hybrid and virtual environments, teams can quickly locate compromised devices, determine which assets are accessible, and take steps to stop attackers in their tracks. Integration with IBM QRader, Splunk Adaptive Response Initiative, and ArcSight, meanwhile, provides end-to-end situational awareness for improved response.

Survive the worst-case scenario — and come out better on the other side — with an in-depth cyberattack incident response plan. See how RedSeal can help. 

The Eyes Have It: Six Commonly Overlooked Cybersecurity Threats

/by

It’s been a banner year for cybersecurity threats. According to the Identity Theft Resource Center  (ITRC), the number of breaches reported as of September 30th, 2021, already exceeds the total number of breaches in 2020. And while rapid shifts to remote and hybrid work are partly responsible for this increase, attackers are also taking this opportunity to expand their efforts and find new ways to confuse security tools, confound infosec defenders and compromise critical services.

The result? Even with a focus on security, businesses often overlook cybersecurity threats that could cause substantial harm. Here’s a look at six commonly overlooked concerns and what companies can do to mitigate the risk.

The State of Cybersecurity in 2021

In many respects, 2021 has marked a return to form for attackers — threats such as phishing and ransomware are on the rise, as are the use of advanced persistent threats (APTs) to conduct reconnaissance and collect data. The result is a familiar landscape for information security professionals: Teams need to establish and maintain defensive systems capable of detecting, identifying, and removing common threats.

But there’s also an evolution of attacker efforts. Not only are they broadening their horizons, but they’re also selecting new targets: Small and midsize businesses now account for more than 70 percent of all attacks. With many of these businesses now storing valuable personal and financial data but often lacking specialized IT teams and robust infrastructure, attackers are more likely to get in — and get out — without being noticed.

The result is a changing security landscape that requires both active observation and robust response from IT teams. Unfortunately, continual monitoring for common threats often shifts the focus to the growing forest of technology threats — and leaves companies struggling to see the trees.

Six Overlooked Security Threats

Despite best efforts, it’s easy for teams to overlook cybersecurity vulnerabilities. Six of the most commonly neglected threats include:

1. Ineffective Encryption

Encryption remains a front-line defense against both familiar and overlooked security threats. If attackers can’t use data they steal, its value to them is significantly reduced. The challenge? Many businesses still rely on outdated encryption models that are easily circumvented or fail to consider the continuous movement of data across internal networks and external connections.

2. Open Source Solutions

Open source tools and application programming interfaces (APIs) are great ways for companies to reduce the work required to build new apps and services. But there is a caveat. These open solutions may contain critical vulnerabilities that could be exploited to compromise critical data.

3. Phishing 2.0

While phishing efforts remain popular, attackers now realize the need for innovation as businesses become more security-savvy. As a result, the quality of phishing emails has increased substantially over the past few years. Gone are the obvious grammar and spelling mistakes. Instead, they’ve been replaced with socially-engineered data and details designed to fool even experienced team members.

4. IoT Interconnection

The Internet of Things (IoT) offers a way to connect mobile devices, sensors, and monitoring to help streamline operations. But this same interconnection creates an increased attack surface that provides malicious actors multiple points of compromise.

5. Malvertisements

Malvertising — the process of using online ads to spread malware — is once again on the rise. By injecting malicious ads into legitimate ad networks, attackers can compromise even well-defended networks to capture user behavior and log keystrokes.

6. Invisible Assets

What you don’t see can hurt you. This is especially problematic as companies expand into multiple cloud networks. More devices and apps mean less visibility, which in turn increases the chance of a successful attack.

Potential Harms of Unseen Threats

The potential harms of unseen threats are variable — the nature and depth of these threats speak to their impact at scale. In general, however, businesses face three broad harms if attacks are successful.

Operational Impacts

First up are operational impacts. Consider the SolarWinds attack reported in late 2020. Attackers actually compromised the company’s system much earlier last year, allowing them to conduct significant data collection and eventually exploit SolarWinds’ IT management platform, which more than 33,000 companies use. As a result, more than 18,000 companies were rendered vulnerable to cybersecurity attacks and had to interrupt operations temporarily to get systems back on track.

Compromised Compliance

The next potential harm of unseen threats is compromised compliance. If companies don’t have processes and procedures to detect and mitigate attacks ASAP, they may fail to meet security due diligence obligations as outlined in compliance regulations. Sanctions or fines can result.

Reputation Damage

Finally, unseen threats can lead to severe reputation damage. While customers are now willing to share their personal and financial data if businesses can offer increased personalization and improved service, they also have no patience for companies that lose or misuse this information. If attacks go undetected and consumer data is compromised, your business reputation may be irreparably damaged.

Four Steps to Mitigate Risk

While it’s impossible to predict every potential threat to your network — or account for the evolution of attack vectors — there are four steps companies can take to mitigate cybersecurity risk.

1. Discover your assets. What services and software are on your network? How do these solutions connect and interact with other operations? Locally? At scale? Complete asset analysis helps you discover what you have so you can protect what matters.

2. Conduct a vulnerability assessment. Next, you need to determine where your assets are vulnerable with an in-depth scan of all interconnected resources. This provides both increased visibility of detected assets and can also help uncover “blind spots” that need attention.

3. Triage your findings. Prioritization is the third step in this risk mitigation process. By considering potential severity and asset value along with upstream and downstream access requirements, your teams can prioritize defensive efforts.

4. Remediate your issues. Finally, you need a plan to remediate and mitigate overlooked issues. In practice, this includes the identification of precise access paths and devices that require updating or adjustment to isolate, contain and eliminate potential threats.

Keeping Your Eyes on the Prize

The goal of any infosec effort? To defend networks, services, and people from harm. Unfortunately, traditional tools can’t keep up with the volume and variety of cyberattacks in today’s environment. To maximize protection and stay ahead of potential threats, organizations need to boost visibility with vulnerability best practices that help teams zero in on overlooked cybersecurity threats.

See more to secure more: Learn more about Network Vulnerability Best Practices with RedSeal.

If You Build It, They Will Come: The Top Four Cybersecurity Threats for Manufacturing Companies

/by

Manufacturing companies face increasing risk from cyberattacks. As noted by IBM’s Security Intelligence blog, ransomware incidents rose more than 150 percent across the manufacturing sector from Q1 2019 to Q1 2020. Other recent survey data found that two-thirds of manufacturing firms believe their data breach risk has increased over the past two years.

There’s no single cause for this upward threat trajectory — the combination of always-on connected devices with growing cloud computing use and the increasing need for big data analysis in production planning and management all play a role in the evolution of manufacturing attacks.

Here’s a look at the underlying causes, possible impacts, and potential remedies for the top four manufacturing cybersecurity threats.

The Impact of Industry 4.0 on Manufacturing

Industry 4.0 changes the way manufacturing companies conduct day-to-day operations. From the use of always-connected sensors and devices that make up the industrial Internet of things (IIoT) to the integration of “smart devices” capable of proactively predicting maintenance needs, the digitization of Industry 4.0 represents a significant leap forward for manufacturing firms.

Unlike its operational predecessors — mechanization (1.0), mass production (2.0), automation (3.0), and globalization (3.5) — Industry 4.0 represents a substantive move into the world of always-on, always-connected devices. While this provides a wealth of data to help companies make better-informed manufacturing decisions, it also introduces significant risk. Frameworks such as industrial control systems (ICS) and supervisory control and data acquisition (SCADA) solutions that were historically cut off from external Internet connections are now part of a larger integrated ecosystem. Often, this ecosystem lacks the security controls and oversight necessary to identify and eliminate risks.

What the Cloud Means for Manufacturing

Cloud computing also plays a significant role in the shift to Industry 4.0 as firms look for ways to connect disparate tools and systems across both local facilities and global operations. The result is significant spend by manufacturing firms on robust cloud services. Recent data suggests the cloud market for manufacturing will grow by more than 15 percent year-over-year for the next five years.

But increasing cloud adoption also comes with a concern: complexity. As more applications and services are added to existing IT infrastructure, it’s easy for teams to lose track of what’s been deployed, where, and why. Consider the addition of public cloud services to help bolster computing resources and the storage of big data. Traditionally, these functions reside on-site, making it easy for teams to monitor operations. But as functions shift into the cloud, IT staff must contend with multiple layers of network connection and communication. As a consequence, teams find it harder to see exactly what’s going on — which potentially exposes key data to cybersecurity risk.

The Top Four Cybersecurity Threats

For manufacturing firms, four cybersecurity threats are now common: Data exfiltration, ransomware, phishing, and insider attacks. Let’s break down each in more detail.

1. Data Exfiltration

Data exfiltration occurs when attackers compromise manufacturing networks and then steal data to share or sell. Exfiltration often starts with malware — malicious actors may use legitimate-seeming emails that convince users to click links or download attachments, which then deploy malware to infiltrate network-connected storage systems. Personnel, product, or financial data is then in the hands of hackers, who may sell it on the dark web or threaten its release unless companies agree to pay for its return.

Take the example of Titan Manufacturing and Distributing. The company’s network was compromised by data exfiltration malware for almost a year, during which time attackers stole the names, billing addresses, and payment card details of more than 1,800 customers.

2. Ransomware

Another major threat to manufacturers is ransomware. This threat vector sees attackers infecting systems with programs designed to encrypt critical manufacturing data, rendering it inaccessible for companies. Then, they demand payment for decryption keys and threaten to delete or sell the information if their demands aren’t met.

Ransomware was responsible for the 2019 attack on Norwegian aluminum company Norsk Hydro, which has manufacturing operations in more than 40 companies worldwide. While the company didn’t pay the ransom, removing malicious code and remediating the damage — combined with lost revenue — cost the company almost $75 million.

3. Phishing

Phishing attacks happen when cybercriminals attempt to convince corporate users that they’re legitimate business contacts or members of the organization itself. In some cases, the intent of phishing attacks is to have users supply login credentials as part of a fake “reset” or “verification” process. In other situations, attackers attempt to compel specific — and costly — action. For example, attackers masquerading as C-suite executives may try to trick users into transferring funds into foreign bank accounts or request detailed HR data about specific employees. If staff can be convinced these emails are authentic, they often comply with requests immediately rather than double-checking because they don’t want to risk a management-level rebuke.

This was the case for aircraft parts manufacturer FACC. Attackers were able to convince multiple users that the CEO wanted money transferred into foreign accounts. The result was a loss of $61 million and civil prosecution of both the former CEO and chief financial officer for failing to detect and stop the fraud before it occurred.

4. Insider Attacks

Insider attacks may be the result of malicious action or accidental misuse of networks and data by employees. In either case, however, the results are the same: Manufacturing data is exposed, and corporate operations are put at risk. As noted by Industry Week, manufacturing firms now rank among the top five industries with the highest number of insider threats, and the average cost of an insider threat for a single manufacturing firm is more than $8.8 million.

Best Practices to Address Cybersecurity Concerns

To reduce the risk of manufacturing cybersecurity threats, firms need to follow three critical best practices.

Improved Visibility

As cloud and IIoT connections become more complex, it’s easy for teams to lose network visibility. This often creates a situation that sees companies acting based on what they think their network looks like rather than its actual structure. As a result, improved visibility is the first step on the road to enhanced cybersecurity.

Enhanced Agility

Agility is also critical. With cyberattacks on the rise, it’s now a matter of when not if firms will be attacked. Consequently, organizations must be prepared to respond ASAP if threats or vulnerabilities are detected across their networks.

Increased Access Control

As the number of public-facing connections and services increases, companies need granular access control to ensure that the right people are accessing the right data at the right time. Additionally, they must have processes to flag potential malicious actors are flagged and refuse access.

Making the Most of Comprehensive Cybersecurity

Making the most of cybersecurity starts by recognizing the risk: Threats such as data exfiltration, ransomware, phishing, and insider attacks are now commonplace and costly.

Firms must also account for the increasing attack surfaces created by cloud-enabled Industry 4.0 deployments. From unintentional exposure to public-facing Internet connections to previously undiscovered vulnerabilities, the move to modern infrastructure comes with a commensurate threat increase.

What can organizations do to protect themselves? To mitigate the impact of evolving threats, companies need security solutions capable of delivering improved visibility, enhancing overall agility, and increasing access control. Only then can organizations fortify themselves against threats and protect their growth and profitability.

Ready to get started? Find more information here or sign up for a live demo of RedSeal for manufacturers.

Visibility: The key to proper Cloud Security Posture Management

/by

Cloud security has become increasingly complex and distributed. The rapid transition to remote work and increased cloud adoption have changed the IT landscape dramatically, which has produced new vectors for cyber attacks and data breaches. Today’s cyber criminals aren’t necessarily trying to knock down doors. Organizations are actually leaving many of them open themselves. According to Gartner, through 2023, “…at least 99% of cloud security failures will be the customer’s fault.”

This is an unsettling prediction, but not entirely surprising given realities that teams face today. The overwhelming complexity of the cloud systems asks for both expertise in both application development and security, which is perhaps unreasonable. The placement of security controls has moved away from security teams and into application development teams.

CSPM: The industry’s response to cloud complexity

To deal with this complexity and constant change, a new market segment has emerged broadly referred to as Cloud Security Posture Management (CSPM), which is typically used by security organizations that want the equivalent visibility and security that they’ve had with on-premise environments.

Current CSPM technology aims to help security teams understand what resources they have in their cloud environments, what security controls are in place, how it is all really configured–and to automate as much of it as possible. And while it is largely successful in accomplishing these feats, CSPM in its current form isn’t without its limitations. As we’ve learned in the past with our approach to securing on-premise networks, visibility plays a fundamental role.

The importance of visibility

It’s not uncommon for organizations to lose track of their cloud deployments over time, considering it only takes a developer and a department credit card to spin up a cloud environment. Nowadays developers are empowered to innovate at speed and scale but who is actually keeping track of these newly-created multi-cloud VPCs, VNETs, and VCNs? Even more worrisome–who is responsible for securing them?

There are always unknowns when networks grow and change, but we also know that tools that provide visibility can give security teams a more accurate, dynamic and comprehensive look at what resources they have, how they are connected and the risks associated with them.

Unfortunately, many CSPM tools present their findings in static, tabular forms and it can be challenging to get an understanding of the relationships between resources, such as between multiple accounts and whether they’re shared or not. Teams are often being asked to secure unmonitored cloud environments and can benefit from a visual, interactive model of their organization’s cloud resources.

This visibility allows security teams to gain full awareness of their cloud footprint and reduce their overall attack surface by understanding the interconnectivity between their resources. Some CSPM tools can show connectivity where there is traffic, but security teams want to calculate how an instance gets to the Internet, what security points it goes through, and through which port and protocols.

Understanding end-to-end access

Current CSPM solutions remain insufficient when it comes to accurately calculating access that can lead to data breaches. Many tools simply call into the APIs of CSPs looking for misconfigurations at the compute and container levels but they don’t fully understand “end-to-end” access. For example, they may only look at a setting in AWS that states a particular subnet is “public” so therefore it’s exposed. That’s not necessarily true because there may have other security controls in place, such as 3rd party firewalls or their own Kubernetes security policy.

For example, perhaps a network security engineer who doesn’t understand native AWS and Azure firewalls instead decides to use a 3rd party firewall from a vendor they’re already familiar with. If that firewall is blocking access to the public-facing Internet, current CSPM tools won’t recognize it, and security engineers can spend their days chasing false positives simply due to a lack of accurate information involving access.

Prioritizing exposed resources

With increased cloud complexity comes increased risk–there were over 200 reported breaches in the past 2 years due to misconfigured cloud deployments. Several of the largest data breaches occurred when cloud misconfigurations left critical resources exposed to untrusted networks, so prioritization efforts should begin there. Unintended access and Shadow IT can also lead to cloud leaks, and so by establishing an “exposure first” security approach, cloud security teams can identify key vulnerabilities and prevent costly breaches.

CSPM is a key ally in the fight to secure the cloud, but security teams need additional visibility and improved accuracy that is still lacking in many

For more information on RedSeal’s CSPM solution, RedSeal Stratus, check out our website. Or sign up for the Pilot program.

Lock Up Your Jewels: Reducing Exposure and Limiting Risk in a Ransomware-Riddled World

/by

Ransomware is on the rise. That’s an often-repeated statement in the headlines — but what does it really mean for companies?

Data tells the tale. According to Tech Republic, attacks surged 57 percent between October 2020 and March 2021, while Purple Sec’s 2021 Cyber Security Trends Report notes that ransomware attacks have grown 350 percent since 2018. What’s more, the average ransomware payment rose by 82 percent to $570,000, with the largest single ransom demand coming in at $100 million.

Now that attackers have successfully breached some business networks, companies are understandably worried about the risk of data exfiltration leading to downtime or revenue losses. As Security Boulevard points out, companies now spend almost $2 million to recover after an attack and, on average, suffer 21 days of downtime. Even more worrisome? Paying up doesn’t guarantee the return of encrypted data. Attackers may decide to keep or destroy data or return for another round of attacks once they know payment is possible.

What’s the bottom line? Reducing exposure and limiting risk requires more than recognizing that ransomware is on the rise. To combat these attacks and safeguard what matters, companies need solid strategies backed by advanced cybersecurity solutions.

Ransomware Attacks in the Headlines

Although attackers often target smaller businesses to reduce the risk of getting caught, that hasn’t stopped some groups from prioritizing bigger payouts. Case in point: The Colonial Pipeline attack. On May 7th, 2021, staff found a digital ransom note saying that attackers had already exfiltrated data from Colonial’s network. The company immediately suspended both IT and operations, leading to sudden interruptions in fuel delivery along the East Coast. Within a day, Colonial paid the $5 million ransom and began getting their systems re-secured and back online.

Also making the news were attacks using the REvil ransomware-as-a-service (RaaS) suite. According to the Department of Justice, a Ukrainian national was arrested in conjunction with attacks spanning the last three years, including the July 2021 attack of information technology company Kaseya. While Kaseya says it didn’t pay the ransom demanded, it took the company ten days to recover from the attack and bring their software-as-a-service (SaaS) servers back online.

Why is Ransomware on the Rise?

So what’s driving the rise of ransomware? Several factors are converging that make ransomware attacks easier than ever before.

Enhanced RaaS Tools

Taking a cue from legitimate businesses, some capable coders have created ransomware-as-a-service (RaaS) platforms that sell both basic and customized attack tools to interested parties. The result is a win-win for hackers: They take money up-front from buyers while simultaneously reducing their risk since they’re not actually carrying out the attacks. Many RaaS marketplaces now resemble more familiar eCommerce offerings. Attack designers offer promotions, sales, and even customer support to keep clients coming back.

Expanded Attack Surfaces

Ransomware is also on the rise, thanks to expanding attack surfaces. With more potential avenues of attack — via mobile connections, internet of things (IoT) networks, or open-source software deployments — attackers can pick and choose their preferred compromise method. This reality is forcing IT staff to look to secure multiple points of potential compromise.

Evolved Work Environments

With remote and hybrid work here to stay, businesses now face the challenge of securing networks both in the office and at a distance. For many, however, the abrupt initial shift to remote work created insecure frameworks that remain in use but lack proper protection.

What are the Common Attack Vectors?

The constant evolution of technology means that attackers are always exploring new avenues of compromise. For example, the rise in open source software and application programming interfaces (APIs) has changed how businesses design and develop new services while simultaneously expanding the attack surface.

Despite occasional boundary-pushing, however, most attackers prefer to stick with tried-and-true ransomware vectors.

Remote desktop protocol (RDP)

The remote desktop protocol makes it possible for administrators to access servers and desktops anywhere, anytime. But RDP also opens the door to ransomware attacks. If malicious actors steal legitimate account credentials, they can leverage RDP to access networks, install ransomware, and leave without detection.

Phishing

In 2020 alone, bad actors created almost seven million phishing emails and scam pages. Using promises of COVID vaccines or masquerading as instructions from C-suite executives, these emails create a compromise point for ransomware. If attackers can convince users to click on malicious links or provide account information, they can infiltrate networks and deploy ransomware.

Software vulnerabilities

Open-source software tools and APIs make it possible for companies to streamline software development and put them at risk of unknown or zero-day vulnerabilities. If attackers compromise unreported issues, they can gain network access and encrypt data before teams have a chance to respond.

DDoS attacks

Distributed-denial-of-service (DDoS) attacks are now being used in concert with ransomware. In some cases, cybercriminals hit companies with DDoS attacks and demand ransom for restoration of services. In others, DDoS efforts are used as a distraction while ransomware is deployed.

Combatting the Rise of Ransomware Attacks

To combat the rise of ransomware, companies are best served with a multi-step approach designed to reduce both the initial risk and overall impact of ransomware threats.

Step 1: Identify Your Assets

First, pinpoint what you need to protect on your network. Think of the most critical assets as the “crown jewels” of your organization. Where are they located, and how are they currently defended?

Step 2: Prioritize Your Vulnerabilities

Next, conduct a security assessment — either in-house or using a third party — to determine where your risks lie. While on-site IT teams have greater familiarity with your network, using in-house personnel may be a security drawback because they may not recognize potential vulnerabilities. By contrast, third-party evaluators can often attack your network in unexpected ways to discover new or undiscovered weaknesses.

Step 3: Secure Your Workforce

Without a secure workforce, efforts at ransomware reduction won’t be effective. Addressing this issue requires the use of tools such as virtual private networks (VPNs) to protect connections and data. You should also deploy zero-trust security solutions that require two (or more) factor authentication and include robust identity and access management (IAM).

Step 4: Reduce Your Response Time

When attacks occur, you need to react ASAP. This rapid response requires the use of advanced cybersecurity solutions that help unify infosec response with end-to-end visibility that empowers teams to react in real-time.

Keep it Secret, Keep it Safe

Ransomware isn’t going anywhere. Attackers are constantly looking for new ways to compromise systems or leveraging tried-and-true methods to slip past IT security. Add in the risk of RaaS, increasing attack surfaces, and hybrid work, and it’s clear that companies need defensive strategies capable of finding, detecting, and defeating ransomware attacks no matter what form they take and no matter what vector they use.

Ready to ramp up your ransomware defense? Click here and see how Red Seal can help.

RedSeal Opens Stratus Early Adopter Program to Security Teams Struggling with Cloud Security

/by

Stratus — a SaaS-based Cloud Security Posture Management (CSPM) solution — addresses dangers of exposure and unintended access issues; Free webinar and demo on December 8

SAN JOSE, Calif., Dec. 01, 2021 (GLOBE NEWSWIRE) — RedSeal today introduced its Stratus Early Adopter Program, which provides select customers and prospects the opportunity to evaluate the company’s new SaaS-based Cloud Security Posture Management (CSPM) solution. The new Stratus SaaS offering is focused on providing visibility to cloud and Kubernetes inventory and determining exposed resources in cloud and hybrid cloud environments.

Implementing security controls for cloud environments now extends beyond the responsibility of traditional network security teams, and today includes application developers and DevOps teams. These controls must also consider workload containerization such as Kubernetes, and native offerings from Cloud Security Providers such as Amazon Web Services. As a result, there is exponential growth and pervasiveness of misconfigurations, which put high value resources at risk of unintended exposure to the Internet.

Current members of the Stratus Early Adopter Program represent enterprises ranging from banking and financial services firms, to federal government agencies and high-tech companies. These users have reported benefiting from Stratus’ ability to easily see both exposure and conductivity in and across all accounts in a single view.

Security challenges in the cloud have become so prevalent that Gartner has defined CSPM as a new category of security products designed to identify misconfiguration issues and risks in the cloud. As a CSPM, RedSeal Stratus helps security teams better manage this increased risk by:

  • Immediately identifying which resources are unintentionally exposed to the Internet due to misconfigurations
  • Visualizing their complete AWS cloud architecture to truly understand connectivity between and within cloud resources
  • Understanding their Amazon Elastic Kubernetes Service (EKS) inventory and identifying overly permissive user and service accounts

“Everyone knows that visibility is critical for CSPM to meet its full potential, but very few vendors are delivering on this promise,” said Bryan Barney, RedSeal CEO. “What makes visibility so powerful is the true calculation of access and exposure, and not simply the reliance on CSP settings. With RedSeal Stratus, we are now providing the most accurate, reliable and actionable approach to calculating access and exposure in the cloud.”

RedSeal Stratus is currently focused on AWS cloud environments. Recognizing the demand for better security posture management across Microsoft Azure and Kubernetes environments, Stratus will evolve to support these platforms early next year, making Stratus a complete, robust CSPM solution. Participants of the Stratus Early Adopter Program are eligible for a free 6-month subscription to RedSeal Stratus, with up to 3,000 EC2 instances.

Stratus Webinar and Demonstration

RedSeal will be hosting a free webinar for customers and prospects interested in joining the Stratus Early Adopter Program. The online event will take place on Tuesday, December 8th at 11:00am PST and will provide an exclusive overview of RedSeal’s new SaaS-based CSPM solution. The webinar will cover how RedSeal Stratus can help security teams better manage increased cloud security risks with:

  • Complete and up-to-date visualization of cloud infrastructure
  • Detailed knowledge of Amazon EKS accounts and policies
  • Out-of-the-box dashboard that identifies resources that exposed to the Internet

Click here to register for the free event.

About RedSeal

RedSeal — a security solutions and professional services company — helps government agencies and Global 2000 companies see and secure their on-premise networks and cloud environments. RedSeal Stratus, the company’s SaaS CSPM solution, gives an integrated view of cloud security posture through visualization of cloud-native and Kubernetes controls, and shows which resources are unintentionally exposed to the Internet. RedSeal’s Classic product brings in all network environments — public and private clouds as well as on-premises. This award-winning security solution verifies that networks align with security best practices, validates network segmentation policies, and continuously monitors compliance with policies and regulations. It also prioritizes mitigation based on each vulnerability’s associated risk. The company is based in San Jose, Calif. Follow RedSeal on Twitter and LinkedIn.

State and Local Cybersecurity Threats in 2021: Weathering the Storm

/by

Recent pandemic pressures have created the perfect storm for state and local cybersecurity breaches. With some staff still working from home, state and local agencies face the challenge of deploying defense at a distance over networks, connections, and applications that are often insecure, unencrypted, and in many cases unapproved. What’s more, ransomware has surged — a significant problem since less than 40 percent of state and local staff members have received training on how to prevent cyberattacks.

The result is an increasing volume of local and state government cybersecurity threats, which are occurring across the country. For example, GovTech reported that an issue with third-party software exposed more than 38 million health records across states, including Texas, Indiana, Maryland, and New York. Another case reported by Healthcare IT News detailed a smaller-scale breach in California caused by a single employee that occurred over ten months and exposed both patient and employee data.

With hybrid work here to stay and cyberattacks on the rise, government organizations need to improve cybersecurity practices. They must focus on protecting against breaches that can compromise data, impair operations, and cause significant expenses.

Identifying the Biggest Barriers in Effective Defense

Before agencies can deploy better cybersecurity measures, they must identify critical vulnerabilities and threat vectors. And while every state and local government faces unique data handling and security challenges, three barriers to effective defense are common: visibility, accessibility, and resiliency.

Visibility

Traditionally, state and local governments have been behind the curve when it comes to technology adoption. As noted by research firm Deloitte, however, evolving citizen expectations around access and ease of use “will require uprooting outdated systems and practices and replacing them with new models.” As a result, agencies are now looking to expand their agility to streamline service availability and improve collaboration. To meet these goals, many have integrated and deployed cloud-based software, platforms, and infrastructure.

While these solutions offer improved agility and efficiency, they introduce significant new security risks. IT teams can not keep track of every app and service in use, which reduces visibility while simultaneously expanding the total attack surface.

Accessibility

For most state and local governments, the problem here isn’t too little access for employees that require it — it’s too much for those that don’t. One common example of excessive access occurs when staff complete one project and move to another. In many cases, their existing permissions aren’t revoked. Instead, new access is simply layered on top of the old, which creates a security risk. And with insider threats often more challenging to detect than their external counterparts, it’s now critical for agencies to identify, control, and correct for excessive access.

Resiliency

Most state and local governments have familiar security controls such as firewalls and antivirus scanners in place to catch potential threats. However, many lack the tools and tactics required to remediate issues when they occur, mitigate the amount of damage done and get services back up and running.

The result is IT environments that are primed to respond but struggle with resiliency. To effectively manage evolving threat landscapes, state and local governments need security plans and policies covering all aspects of an attack — from initial compromise to identification, isolation, remediation, and restoration.

Exploring the Issue of State and Local Breaches

So what do these breaches look like in practice? Let’s explore the impact of three recent scenarios.

1) New York State, January 2020

In January 2020, New York state officials found themselves up against a massive cyberattack that disabled access to databases used by the state’s civil service, environmental department, and police force. Likely the work of foreign actors, the hack went unreported for months, even as officials looked to restore critical access.

As noted by Security Today, the state received word about a potential flaw — and available patch — for its Citrix-based systems in December 2019. Unfortunately, the state did not install the patch in time to prevent the issue. As a consequence, more than 80,000 state devices were vulnerable to malware compromise. While it appears attackers didn’t access any citizen data, the state had to cover the costs of a three-week forensic investigation of more than 40 servers.

2) Multiple Municipalities, June 2021

Local government cybersecurity teams often look to save time and money by using the same services as other municipalities. It makes sense: They’ve been proven to work with government systems and generally have a track record for reliability.

However, if service providers become compromised, the results can be far-reaching. As reported by ZDNet, that’s what happened across dozens of municipalities in the US when a Massachusetts software provider used misconfigured Amazon S3 buckets. As a result, more than 1,000 gigabytes (GB) of data and 1.6 million files were exposed. Compromised data included email addresses, physical addresses, and driver’s license information, along with deed and tax records.

3) Oldsmar, Florida, February 2021

A cyberattack on Oldsmar, Florida in 2021 didn’t compromise data access or expose files. Instead, it nearly poisoned the town’s 15,000 residents. On February 5th, a plant operator at the local water treatment facility received an alert that someone had gained remote system access. The attacker opened multiple applications and services and then increased the concentration of sodium hydroxide — also called lye — to 100 times its normal level. Fortunately, operators were able to retake control and cancel the change quickly and prevent disastrous consequences.

Grant Funding for State and Local Governments

The good news is some new help is on the horizon for local and state government cybersecurity, thanks to the $1.2 trillion infrastructure package. The plan includes $1 billion in cybersecurity grants to help local and state governments boost their defense. If approved, the new program would offer $200 million worth of grants in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025. In addition, the plan funds creation of a response and recovery fund at the Cyber and Infrastructure Security Agency (CISA), which would give an additional boost to cybersecurity efforts.

Mitigating the Impact of Cybersecurity Threats

Mitigating the impact of local and state cybersecurity threats depends on a strategy of defense in depth. In practice, this requires a three-step approach: Identification, evaluation, and implementation.

Identification focuses on finding potential threats in current cyber defenses — such as those tied to open source software, authorized apps, excessive access, and unintended exposure to the Internet. Evaluation includes internal and external assessment of existing security policies to see what’s working, what isn’t, and what vulnerabilities state and local governments need to prioritize. Finally, implementation looks to deploy security solutions that directly address key concerns, such as comprehensive cloud security services that provide visibility into public, private, and hybrid stacks simultaneously to empower threat detection and response.

Battening Down the Hatches

State and local governments now face a trifecta of security challenges: remote work, ransomware, and worker education. The combination creates ideal circumstances for malicious actors. By taking advantage of ideal compromise conditions, attackers can breach government networks, access critical services, and exfiltrate citizens’ data.

The result is a growing need to batten down the digital hatches by creating and implementing an in-depth strategy to help build robust, reliable, and resilient security infrastructure. To prevent risks and a host of unwanted outcomes, state and local governments need to prioritize cybersecurity.

Ready to boost cyber resiliency and better weather the storm? Click here to see a demo of RedSeal’s cloud security solution in action.

Join us!

Hear from Shannon Lawson, CISO, City of Phoenix, how the state and local agency leaned toward hardening their environment from attacks, recognized exposures, secured infrastructures, mitigated risks, and stayed compliant. The live webinar is January 18, 2022. Register now and don’t miss out!

Simplifying and Securing Hybrid Clouds

/by

GovLoop | October 26, 2021

President Joe Biden’s executive order (EO) on cybersecurity suggests the cloud will play a pivotal role in the federal government’s future; it urges agencies to maximize the technology’s flexibility and scalability rapidly and securely.

But what can happen if agencies embrace the cloud too rapidly? The answer is haphazard and insecure IT environments. These environments often occur when agencies combine on-premises and cloud-based IT in a hybrid model.

Read More

RedSeal Announces Distribution Agreement with TD SYNNEX, providing RedSeal to Resellers in North America

/by

RedSeal Inc., the award-winning cyber terrain analytics platform announces a strategic agreement with TD SYNNEX

The joint alliance offers MSSPs and security resellers a new and innovative way to identify and address cyber threats while combating the latest and most prevalent security business challenges. 

RedSeal’s platform shows organizations what is on their networks, how everything is connected, and the associated risk across physical—and cloud-based network environments. RedSeal verifies that network devices are securely configured, validates network segmentation policies, and continuously monitors compliance with policies and regulations. It also prioritizes mitigation based on each vulnerability’s associated risk.

The agreement marks the continued expansion of the TD SYNNEX security portfolio, which addresses the rapidly evolving threat landscape with leading solutions and the support of veteran network engineers available to consult on every point of the sales cycle.

“We here at RedSeal are extremely excited about working with TD SYNNEX moving forward. They will be a true force multiplier as we expand our portfolio and will allow us to reach additional markets. The potential here is significant, and we appreciate the opportunity to expand our reach together,” said Jay Miller, Vice President Worldwide Sales, RedSeal.

“We are pleased to work with RedSeal to bring a new, cloud-based security solution to our partners,” said Reyna Thompson, Senior Vice President, North America Advanced Solutions Security and Networking, TD SYNNEX. “RedSeal delivers an all-encompassing solution that we are confident will provide value for many of our reseller partners.”

For more information on RedSeal through TD SYNNEX, contact redseal@synnex.com.

About RedSeal

We boldly deliver on our promise to help organizations master cybersecurity fundamentals in a world of rapidly escalating cyber complexity and threats. We do this by providing a cloud security solution by which every global organization can be confident that it understands what’s on the network, how it’s connected and the associated risks. Founded in 2004, RedSeal is headquartered in San Jose, California.

About TD SYNNEX 

TD SYNNEX (NYSE: SNX) is a leading global distributor and solutions aggregator for the IT ecosystem. We’re an innovative partner helping more than 150,000 customers in 100+ countries to maximize the value of technology investments, demonstrate business outcomes and unlock growth opportunities. Headquartered in Clearwater, Florida, and Fremont, California, TD SYNNEX’ 22,000 co-workers are dedicated to uniting compelling IT products, services and solutions from 1,500+ best-in-class technology vendors. Our edge-to-cloud portfolio is anchored in some of the highest-growth technology segments including cloud, cybersecurity, big data/analytics, IoT, mobility and everything as a service. TD SYNNEX is committed to serving customers and communities, and we believe we can have a positive impact on our people and our planet, intentionally acting as a respected corporate citizen. We aspire to be a diverse and inclusive employer of choice for talent across the IT ecosystem. For more information, visit www.TDSYNNEX.com

© 2021 SYNNEX Corporation. TD SYNNEX, the TD SYNNEX Logo, and all other TD SYNNEX company, product and services names and slogans are trademarks of SYNNEX Corporation. Other names and trademarks are the property of their respective owners.

Understanding What’s In My Cloud

/by

Today’s business applications run in an environment that would be unrecognizable to IT professionals 10 years ago. The rise of virtualization and the cloud has finally cut the ties to specific hardware, and all but the most exotic workloads can now be run anywhere — on virtual machines in your physical buildings, or on a cloud vendor of your choice. The underlying cloud technologies are powerful, but with that power comes great responsibility. Security teams struggle to keep up, because the new technologies focus on agility, rapid rate of change, and dynamic response — all of these are positive buzzwords to most people in a business, but all of them are bad news to security. Ask any military commander — defense is far easier when your resources are home in a well-built fort, and far harder when your troops are constantly moving, shifting location into unfamiliar terrain.

It’s not all doom and gloom, however. Cloud innovation takes away certain legacy risks — after all, you can’t leave an open password on a key router in the middle of your network infrastructure if you don’t control the routers any more! The trouble is that the change to new ways of building and managing modern apps (often referred to as DevOps) closes out some old challenges, but opens just as many new ones. Cloud gives you new kinds of rope, and it’s different from the old rope, but you can still get just as tangled up in the complexities.

Some security fundamentals remain, though. No matter what kind of infrastructure you own or rent, you still need to pursue the basics:

1.    Find all your stuff

2.    Categorize it so you know what’s most important

3.    Harden the individual elements to avoid easy compromise

4.    Map out and run your defenses as a system, so you can be a hard target

The most basic discipline of all is inventory — cyber security experts and industry guidance all agree that you must start there. Inventory in cloud is not like inventory in conventional networks, though, so the same old principle has to be thought about differently in a cloud world.

The good news with the cloud is that each virtual network has a “God of the Cloud” — a central controller, run by the cloud provider that you can talk to via a proprietary API. I call it a “God”, because no endpoints can exist in that small virtual network that the controller did not create. This means you can always find a completely reliable resource for each virtual network — someone who knows the inventory. Problem solved, right? Well, not so fast — it’s certainly very different from legacy on-premises networks, but that’s hardly all there is to it. There are three major problems when talking to each cloud controller — finding the controllers, speaking their language, and keeping up with the changes.

The good news is a cloud account comes with an API you can talk to and get a complete inventory of the assets it knows about. The bad news is your company has many, many accounts. And even once you locate them all, they will speak a proprietary and changing language — the Amazon language for the AWS API is different from Microsoft’s for Azure, or Google’s, or Oracle’s. You need a network linguist to make sense of it all, and pull together a single view of your clouds — in all flavors. And since security is central by its nature (because it needs to look at the complete picture), that means security has the unenviable task of needing to speak all the languages — fluently — at once. This is hard, but it’s a great job for automated software.

Equally, the rate of change in the cloud is something automated software can tackle far more effectively than humans can. Cloud assets have ugly names — often just a long stream of gibberish assigned by a robot, to make it easy for other robots. You’ll need your own robot interpreter to even identify one asset, let alone track it as it moves and changes. The nature of the cloud is highly dynamic — instances are spun up and killed on demand, and they move far faster than, say, a classic vulnerability scanner can keep up with. If you want to see your final as-built infrastructure (and you need to, since this is what your adversary is looking at too), you need software to keep up with all the changes, track the assets, and untangle the myriad ways that cloud assets are marked. There are tags, there are labels, there are unique ID’s, and there are security groups. Every vendor has subtly different rules, and just to add to the confusion cloud vendors don’t even agree on what a cloud network should be called, but they all offer the same idea.

At the end of the day, security is about adapting and keeping up, as the pace of change keeps speeding up. Cloud is just the latest evolution, where names change, details shift, but the core principles remain — first and strongest of all is inventory. This is why we at RedSeal build software to automate all the communication and mapping, so that you can visually scan your cloud footprint, understand your security posture, and make optimal moves to increase your security and reduce your risk.

For more information, check out our overview of RedSeal Stratus Maps and Inventory capabilities to learn more about how you can Map Your AWS Infrastructure Including Connectivity Paths.