• Cyber Work Blog

  • Author: Infosec
  • Podcast

  • Summary

  • Stay caught up on the latest trends in cybersecurity education, threats and career development with a selection of audio blogs from the Infosec Resources website: https://resources.infosecinstitute.com/. For weekly conversations with cybersecurity practitioners, subscribe to our Cyber Work Podcast.
    © 2021 Infosec
Episodes
  • Attackers don’t hack in: They log in with your credentials
    2021/12/08
    It is a truism: cyber attackers take the path of least resistance. While enterprises spend millions in malware signature detection and sandbox execution, endpoint detections, threat indicators, vulnerability assessments and scans, proxies and firewalls, none of these defend against the path of least resistance — compromised credential attacks. Why is this the path of least resistance? And how can we better protect this attack vector?

    The path of least resistance

    To the first question, excuses vary. Some say it’s a security training issue; others regard it as a “personal security hygiene” issue for employees. Still others consider it an IT problem rather than ops (or vice versa). Moreover, sometimes senior leaders are permitted special password policy exceptions — even though they’re the most sought-after targets. The bottom line: no one wants to take responsibility for credential theft. And this patchwork of responses and philosophies offers attackers massive gaps to exploit via social engineering, like simple phishing, or other means, to acquire legitimate credentials to access a network, then move laterally to find and extract the information they want. This is exponentially easier than deploying a zero-day remote code execution (RCE), a vector existing tools can identify readily.

    We live in a world of ignored credential proliferation, and we’re paying the price. The 2020 Verizon Data Breach Investigations Report claims that over 80% of hacking-related data breaches involve brute force or the use of lost, stolen or compromised passwords. The FBI reported in 2020 that 41% of attacks in the financial sector involved credential stuffing. Crowdstrike’s 2020 Global Threat Report reveals that most attacks don’t involve any malware and identified credential dumping as one of the most prevalent alternative attacks used.

    These attacks are challenging to identify and intercept reliably using vulnerability scanners, endpoint detections, SOAR, SIEM, BAS tools or most manual penetration tests. In a world where 61% of companies have over 500 accounts with non-expiring passwords and where 10 billion account details, along with 600 million passwords, are available online due to known breaches, it is clear that credential-based attacks are a favorite for malicious actors. Why? Quite simply, they’re easy to get and difficult to identify as a threat. So, what do we do to protect against this attack vector?

    Vulnerable does not equal exploitable

    I always say, “The hardest part of cybersecurity is knowing what not to do.” The key to this statement is an understanding that vulnerable does not equal exploitable. Security teams need to be able to identify the vulnerabilities that present the most risk. Scanners and other tools reveal an overwhelming number of vulnerabilities — more than can be patched by even the most active security team working around the clock. The key instead is to focus on those attack vectors relevant to an attacker. By focusing on the changing techniques an attacker uses with harvested credentials, technical misconfigurations and exploitable software vulnerabilities regardless of CVSS score, teams can evaluate attack vectors with operational context based on the adversary’s perspective. This approach allows security teams to identify vulnerabilities that are actual threats. You might be surprised to hear that the vast majority of vulnerabilities are unexploitable. According to Kenna, only 2.7% of identified vulnerabilities are exploitable, and only 0.4% of those have actually been exploited. Of course, the impact of those breaches can be massive. That’s why it’s crucial to focus on those areas that are operationally relevant to attackers themselves.

    While software vulnerabilities subsume most of the conversation in information security, only a tiny percentage of breaches ever leverage them, peaking at just 5% of breaches in 2017. More recent numbers indicate a rate reaching half that number. Traditional approaches of using...
    5 min
  • Red teaming: Is it the career for you?
    2021/09/09
    To best protect an organization from would-be attackers, proactively probing their security measures is an approach fast growing in popularity. Simulating attacks is the job of red teams, and the goal is to find and fix weaknesses before hackers can exploit them. Red team members are ethical hackers hired by an organization to carry out real-world, advanced attacks. The work is worth considering if you’re a cybersecurity pro looking to make a distinct difference for organizations making a concerted effort to keep bad actors out. Red teaming includes “an element of breaking in and legally doing as much as you can under the radar, and that’s pretty fun,” says Curtis Brazzell, managing cybersecurity consultant with GuidePoint Security.

    What is red teaming?

    The National Institute of Standards and Technology (NIST) defines red teams as groups of people authorized and organized to emulate a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. Their objective is to improve enterprise cybersecurity by demonstrating the impacts of successful attacks. They often work together with blue teams, which are a separate group of incident responders charged with defending against the simulated attacks instituted by the red team in a way that represents the organization’s current security posture. Both teams hope to demonstrate how a hacker might get in, the impact and how well security defenses can withstand an attempted attack. In recent years, the concept of purple teams has also risen to the surface. A purple team can be a separate group of people, usually outside security consultants, who oversee red teams and blue teams. A single purple team might perform the functions of both red and blue teams or represent the need for integration between red team testing and blue team defenses.

    What does a red team member do?

    Most commonly, blue teams consist of security experts internal to the organization. On the other hand, red teams are hired as outside consultants who come in and conduct comprehensive security assessments using simulated cyberattacks. While their tactics likely include a penetration test, their work represents a broader scope that often addresses physical security considerations, employee understanding and network and endpoint vulnerabilities. Red team exercises are ideally done after initial pentests have already been conducted and applicable fixes applied. “A lot of guys on the team are lock pickers, or maybe you use RF (radio frequency) badge scanners,” Brazzell says of how their firm engages in red teaming. “Once inside, we see if maybe you can plug into an open port in a lobby, and then you analyze the wireless traffic. Maybe then we notice the local LAN isn’t segmented from the public, wireless LAN. Physical USB-type attacks, or Rubber Duckies as we like to call them, we’re still doing too, to see if we can’t compromise at least one workstation and then move laterally.”

    Critical for every red team member is comprehensive security testing using tips and tricks they’ve learned over the years, along with buy-in and the necessary permissions from the organization’s upper management. Without permission, strategies become less ethical hacking and more criminal. With red teaming, “you really have to approach your objectives as an adversary would,” says Amyn Gilani, chief growth officer at Countercraft. “Of course, you also need to make sure you’re sponsored by the correct entities so you don’t get into trouble when you do break something or gain access to something that you shouldn’t have.” Another common component of red teaming is performing “tabletop exercises” together with the organization’s employees. In the exercise, a simulated cyberattack is executed, and then red team members can work with various areas of the organization on how to best handle the scenario. This includes the incident response team and designees from the organization’s legal, human resource...
    6 min
  • Cyber risks of digitizing legacy systems in healthcare environments
    2021/09/06
    The news is full of reports of vulnerabilities discovered in medical devices. Many of them are quite terrifying. Who can forget the first time they heard that a pacemaker could be hacked — or of the data breaches resulting from these vulnerabilities or misconfigurations? Similarly, all processes involving healthcare data digitization are currently in play. Because the hospital is the playing field on which many of these processes come together, it’s the best place to start looking at some of the security implications for our secure medical data. Some of the more prevalent considerations follow.

    Processes that generate PHI data

    Many types of hospital processes generate a large amount of Protected Health Information, or PHI, data. The largest sources that generate and process PHI are Radiology, Patient Monitoring, Medication Management, Surgery, Diagnostics and (Electronic) Medical Records. Each process itself has many steps resulting in different outcomes depending on where the output of one process is used in the one that follows. Let’s look at this in a security-minded way. Mapping the flow of information between these processes can help us structure the network into compartments, noting the data handover points needed in between, such as IP addresses, ports and protocols. This will help to mitigate an attack propagated across different network sections. It also identifies the needed flows and makes sure that any further attacks can be shut down and prohibited.

    Assets and steps within the individual processes

    Here’s an example: Radiology uses a few different assets to generate medical images: Ultrasound, X-ray or MRT, and then uses a Picture Archiving and Communication System (PACS) server to store that imagery. Configuration of PACS servers is often the first trap to fall into from a security perspective. That’s because a full and secure configuration is not achieved when the asset is operating according to process requirements! Security is only achieved when all other configuration elements are checked and appropriately secured. One might think that using the PACS server to give patients access to their medical imagery via a web interface sounds like a good idea and a value-add for patients wanting to see their medical info personally. But when a PACS server connects directly to the public internet without any further configuration checks, the consequences can be severe, as recent cases have shown! In the same way, integrating an Electronic Medical Record (EMR) into self-service kiosks or websites in which patients input their data prior to a hospital visit often includes many details that are unrelated to the main operation. Also, the EMR system needs to be checked for vulnerabilities and updates regularly! An EMR can be seen as the central element of all data flows in a hospital, whether the internal flow between PACS and EMR, EMR and Medication Management or the external flow, used for insurance and billing purposes. Any and all of these connections need planning, scrutiny and intensive monitoring.

    Putting things together to build a secure structure

    The promised benefits of digitization might benefit a single asset, a process or the hospital as a whole. Still, that promise also comes with an obligation to think through the implications of digitizing and storing health data and consider the entire security strategy and its contingencies. At the same time, we must remember the possible side effects and not stop thinking of these things when the first signs of “mission accomplished” are in sight. Even though the digitizing process works, that does not necessarily mean it is secured. Mapping out the data flow as well as checking and securing the settings of a device is a vitally important process around any mass digitization effort aimed at securing private and personal medical data. Augmenting that process with the tools needed to further tighten security will build a more secure structure able to be resilient agains...
    4 min
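The healthcare episode above recommends mapping the data flows between PHI-generating processes (modalities to PACS, PACS to EMR, EMR to Medication Management and to external billing) and turning that map into network compartments with known handover points. The following is an added example, not code from the Infosec blog: it encodes such a flow map as an allow-list and audits constructed flow records against it, flagging a PACS server talking directly to the public internet. Segment names, address ranges, ports and the sample records are all hypothetical.

```python
import ipaddress

# Hypothetical compartments derived from the hospital data-flow map (constructed ranges).
SEGMENTS = {
    "radiology_modalities": ipaddress.ip_network("10.10.1.0/24"),  # Ultrasound, X-ray, MRT
    "pacs": ipaddress.ip_network("10.10.2.0/24"),
    "emr": ipaddress.ip_network("10.10.3.0/24"),
    "medication_mgmt": ipaddress.ip_network("10.10.4.0/24"),
    "billing_gateway": ipaddress.ip_network("10.10.9.0/24"),
}

# Allowed handover points as (source segment, destination segment, protocol, port).
# Ports are illustrative placeholders for the image-transfer and results interfaces.
ALLOWED_FLOWS = {
    ("radiology_modalities", "pacs", "tcp", 104),
    ("pacs", "emr", "tcp", 2575),
    ("emr", "medication_mgmt", "tcp", 2575),
    ("emr", "billing_gateway", "tcp", 443),  # the external insurance/billing flow
}


def segment_of(ip: str) -> str:
    """Return the compartment an address belongs to, or 'external' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def check_flow(record: str):
    """Parse a 'src dst proto port' record; return None if allowed, else a finding."""
    src, dst, proto, port = record.split()
    key = (segment_of(src), segment_of(dst), proto.lower(), int(port))
    if key in ALLOWED_FLOWS:
        return None
    return f"unexpected flow {key[0]} -> {key[1]} {key[2]}/{key[3]} ({src} -> {dst})"


def audit(records):
    """Return findings for every record that is not on the allow-list."""
    return [f for f in (check_flow(r) for r in records) if f]


# Constructed sample records; the last two show the PACS server reachable from the internet.
SAMPLE_FLOWS = [
    "10.10.1.15 10.10.2.10 tcp 104",
    "10.10.2.10 10.10.3.20 tcp 2575",
    "10.10.2.10 203.0.113.77 tcp 443",
    "198.51.100.9 10.10.2.10 tcp 443",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Running the script reports the two PACS-to-internet records and nothing for the mapped internal flows; feeding it real flow logs is the monitoring step the episode calls for once the compartments are defined.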