“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.

Security alerts

The sure winner in the “timewaster” category is alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour — even off the clock. 38% of respondents admitted to having to respond to alerts at night.

What to do

  1. Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of alarms and speeds up their processing.
  2. Implement automation. For example, an XDR solution can automate typical analysis/response scenarios and reduce the number of alerts by combining disparate events into a single incident.
  3. Leverage an MSSP, MDR service or commercial SOC. This is the most efficient way to flexibly scale alert handling. Full-time team members will be able to focus on building overall security and investigating complex incidents.

Emails with warnings

Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.

What to do

  1. Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that’s better than email.
  2. Use automation. Some typical emails can be analyzed using simple scripts and transformed into alerts in the dashboard. Emails that are unsuited to this method should be analyzed, scored for urgency and subject matter, and then moved to a specific folder or assigned to a designated employee. You don’t need an AI bot to complete this task; email-processing rules or simple scripts will do the job.

These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.
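
One way the "simple scripts" approach from item 2 can look, as an added example that is not part of the original article: duplicate notices are collapsed so nobody reads them twice, then each message is scored and routed. The rules, routes, addresses and sample messages are constructed assumptions.

```python
import hashlib
import re
from email import message_from_string, policy

# Constructed scoring rules (assumptions; tune them to your own mail flow):
# (pattern searched in subject + body, category, urgency points)
RULES = [
    (re.compile(r"actively exploited|zero-day|in the wild", re.I), "vulnerability", 60),
    (re.compile(r"\bCVE-\d{4}-\d{4,}\b"), "vulnerability", 30),
    (re.compile(r"mandatory|deadline|within \d+ (hours|days)", re.I), "regulatory", 40),
    (re.compile(r"malware detected|quarantined", re.I), "product-alert", 50),
    (re.compile(r"newsletter|webinar|unsubscribe", re.I), "marketing", -40),
]
# Hypothetical destinations: a named team, a dashboard queue, or a mail folder.
ROUTES = {"vulnerability": "team:vuln-mgmt", "regulatory": "team:compliance",
          "product-alert": "dashboard:soc", "marketing": "folder:low-priority"}


def subject_and_body(msg):
    """Return the subject without Re:/Fwd: prefixes and the plain-text body."""
    subject = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", str(msg["Subject"] or ""), flags=re.I)
    part = msg.get_body(preferencelist=("plain",))
    return subject.strip(), (part.get_content() if part else "")


def fingerprint(subject, body):
    """Same notice, same ID, however many mailboxes or forwards it came through."""
    normalized = re.sub(r"\s+", " ", f"{subject} {body}").strip().lower()
    return hashlib.sha256(normalized.encode()).hexdigest()[:16]


def triage(raw_messages):
    """Deduplicate, score and route raw RFC 5322 messages (one dict per unique notice)."""
    seen, decisions = set(), []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        subject, body = subject_and_body(msg)
        fp = fingerprint(subject, body)
        if fp in seen:  # already queued once: nobody reads it a second time
            continue
        seen.add(fp)
        score, weight = 0, {}
        for pattern, category, points in RULES:
            if pattern.search(f"{subject}\n{body}"):
                score += points
                weight[category] = weight.get(category, 0) + abs(points)
        category = max(weight, key=weight.get) if weight else "unsorted"
        urgency = "high" if score >= 60 else "normal" if score > 0 else "low"
        decisions.append({"id": fp, "subject": subject, "category": category,
                          "urgency": urgency,
                          "route": ROUTES.get(category, "duty-analyst")})
    return decisions


# Constructed sample inbox (not real traffic; the CVE ID is a placeholder).
SAMPLE_INBOX = [
    "From: psirt@vendor.example\nSubject: Advisory: CVE-0000-0000 actively exploited\n\n"
    "A fix is available. Patch affected servers.\n",
    "From: ciso@corp.example\nSubject: Fwd: Advisory: CVE-0000-0000 actively exploited\n\n"
    "A fix is available.   Patch affected servers.\n",
    "From: notices@regulator.example\nSubject: Mandatory reporting reminder\n\n"
    "Submit the incident register within 30 days.\n",
    "From: news@vendor.example\nSubject: Monthly newsletter\n\n"
    "Join our webinar. To unsubscribe, reply to this message.\n",
]

if __name__ == "__main__":
    for d in triage(SAMPLE_INBOX):
        print(f'{d["urgency"]:<7}{d["route"]:<22}{d["subject"]}')
```

Messages that match no rule fall through to the hypothetical `duty-analyst` route, so nothing is silently dropped.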

Emails flagged by employees

Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.

What to do

  1. Deploy reliable protection at the mail gateway level — this will significantly reduce the number of genuine phishing emails. With specialized defense mechanisms in place, you’ll defeat sophisticated targeted attacks as well. Of course, this will have no impact on the number of vigilant employees.
  2. If your email security solution allows users to “report a suspicious email”, instruct your colleagues to use it so they don’t have to manually process such alerts.
  3. Set up a separate email address for messages with employees’ suspicions so as to avoid mixing this category of emails with other security alerts.
  4. If item 2 is not feasible, focus your efforts on automatically searching for known safe emails among those sent to the address for suspicious messages. These make up a large percentage, so the infosec team will only have to check the truly dangerous ones.
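
A sketch of the known-safe search from item 4, added here as an example and not taken from the original article: a reported message is cleared only if its sender is on an allowlist, your own gateway recorded `dmarc=pass` for that sender, and every link points to a vetted host. The authserv-id, both allowlists and the sample messages are hypothetical, and the reports are assumed to arrive with their original headers intact.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions (all hypothetical): the authserv-id your own mail gateway stamps,
# and allowlists of sender domains and link hosts you have already vetted.
TRUSTED_AUTHSERV_ID = "mx.corp.example"
KNOWN_SAFE_SENDERS = {"hr-portal.example", "news.vendor.example"}
KNOWN_SAFE_LINK_HOSTS = {"hr-portal.example", "vendor.example"}


def gateway_dmarc_pass(msg, from_domain):
    """True only if OUR gateway recorded dmarc=pass for the visible From domain.

    Authentication-Results headers with any other authserv-id are ignored,
    because any sender can add one. Assumes the gateway strips inbound
    headers that already carry its own id."""
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = str(header).partition(";")
        if authserv_id.strip().lower().split(" ")[0] != TRUSTED_AUTHSERV_ID:
            continue
        match = re.search(r"\bdmarc=pass\b[^;]*?header\.from=([\w.-]+)", results, re.I)
        if match and match.group(1).lower() == from_domain:
            return True
    return False


def host_allowed(host):
    """Exact match or a true subdomain; 'vendor.example.other.test' does not qualify."""
    return any(host == h or host.endswith("." + h) for h in KNOWN_SAFE_LINK_HOSTS)


def link_hosts(body):
    """Host names of all http(s) links found in the body."""
    hosts = set()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        try:
            hosts.add((urlsplit(url).hostname or "").lower())
        except ValueError:  # malformed URL: keep it visible as unvetted
            hosts.add(url)
    return hosts


def classify_report(raw):
    """Return ('known-safe' | 'needs-review', reasons) for one reported message."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    reasons = []
    if from_domain not in KNOWN_SAFE_SENDERS:
        reasons.append("sender not on allowlist")
    elif not gateway_dmarc_pass(msg, from_domain):
        reasons.append("no dmarc=pass from trusted gateway")
    unvetted = sorted(h for h in link_hosts(body) if not host_allowed(h))
    if unvetted:
        reasons.append("unvetted link host: " + ", ".join(unvetted))
    return ("needs-review" if reasons else "known-safe"), reasons


# Constructed sample reports (not real traffic).
_TAIL = "From: HR Portal <noreply@hr-portal.example>\nSubject: Leave request\n\n"
_PASS = ("Authentication-Results: mx.corp.example; spf=pass; "
         "dmarc=pass (p=reject) header.from=hr-portal.example\n")
GENUINE = _PASS + _TAIL + "Details: https://hr-portal.example/leave/42\n"
SPOOFED = ("Authentication-Results: mx.corp.example; dmarc=fail header.from=hr-portal.example\n"
           "Authentication-Results: mx.other.test; dmarc=pass header.from=hr-portal.example\n"
           + _TAIL + "Details: https://hr-portal.example/leave/42\n")
LOOKALIKE_LINK = _PASS + _TAIL + "Details: https://hr-portal.example.signin.test/leave\n"

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE_LINK)]:
        print(name, *classify_report(raw))
```

Anything that is not cleared stays in the analysts' queue with the reasons attached, so the filter only ever removes work and never closes a report on its own authority.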

Prohibitions, risk assessments, and risk negotiations

As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.

Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.

What to do

  1. Avoid overly strict prohibitions. The more bans, the more time spent on policing them.
  2. Maintain an open dialogue with key customers about how infosec controls impact their processes and performance. Compromise on technologies and procedures to avoid the issues described above.
  3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.
  4. Handle these business requests on a case-by-case basis. Teams that show a strong infosec culture can undergo security audits less frequently — only at the most critical phases of a project. This will reduce the time outlays for both the business and the infosec team.

Checklists, reports, and guidance documents

Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.

What to do

  1. Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI Report on Compliance, or a SOC2 audit. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.
  2. Hire a subspecialist (or train someone from your team). Many infosec practitioners spend a disproportionate amount of time formulating ideas for whitepapers. Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.
  3. Automate processes — this helps not only to shift routine control operations to machines but to correctly document them. For example, if the regulator requires periodic vulnerability scan reports, a one-off resource investment in an automatic procedure for generating compliant reports would make sense.

Selecting security technologies

New infosec tools appear monthly. Buying as many solutions as possible will not only balloon the budget and the number of alerts, but also create a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out pilot implementation.

What to do

  1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run.
  2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.

Security training

Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn’t tailored to the employees’ level, potentially leading to an absurd situation where infosec itself undergoes basic training because it’s mandatory for all.

What to do

Use an automated platform for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. In terms of complexity, both the training materials and the tests adapt automatically to the employee’s level; and gamification increases the enjoyment factor, raising the successful completion rate.



One of the many dangerous tools in cybercriminals’ arsenals is OSINT. In this post, we explain what it is, the danger it poses, and how to guard your company against OSINT.

What is OSINT?

OSINT stands for open-source intelligence. That is, the collection and analysis of data obtained from publicly accessible information channels. Such sources can basically be anything: newspapers and magazines, television and radio, data published by official organizations, scientific research, conference reports, etc.

Nowadays, of course, such intelligence is primarily based on information scraped from the internet. Over the past 10–15 years, online public communication platforms have become especially valuable as OSINT-gathering tools: chats, forums, social networks, and messengers.

The range of people using OSINT is quite diverse: journalists, scientists, civil activists, government and business analysts, as well as intelligence officers themselves. In a nutshell, OSINT is an important and effective tool for collecting data. But perhaps the more significant question is how such information gets put to use.

OSINT and information security

OSINT can be used in planning a targeted attack on your company. After all, for a successful operation, cybercriminals need a huge amount of information about the victim organization.

This is especially true in the case of attackers who rely less on hi-tech tools (costly zero-day exploits, sophisticated malware, etc.) and more on social engineering tricks. For this type of threat actor, OSINT is often the number-one tool.

The most valuable source of open data in preparing an attack on an organization is employees’ activity on social networks. First and foremost, this means LinkedIn. There, it’s usually possible to find the full organizational structure of the company, with all names, positions, work histories, social connections, and lots of other extremely useful information about employees.

You don’t have to look far for examples of just how effective OSINT can be. Remember the infamous Twitter (now X) hack a couple of years back that targeted a whole bunch of people and companies (from Musk, Gates, and Apple to Obama and Biden)? It began with the hackers finding Twitter employees on LinkedIn who had access to Twitter’s internal account management system, and making contact with them. Then it was a simple matter of applying social engineering and good old phishing to dupe them into revealing the credentials needed to hijack the high-profile accounts.

How to protect your company from OSINT

Open-source intelligence is a predominantly passive method of information gathering, so there’s no simple and universal way to counter it. Fortunately, there are measures you can take on several fronts.

Employee training and awareness

As mentioned above, modern-day OSINT is largely based on social networks, and information gathered through OSINT is most effective for social-engineering attacks. Thus, the human factor comes to the fore here.

Therefore, to counteract OSINT and the potential consequences of it, you need to work closely with your employees. Training is key here to increase awareness of potential threats and ways to protect against them.

The focus should be on two aspects: first, on the dangers of posting sensitive information about your company on social networks. Second, employees should learn to be more wary of calls, emails, and text messages that prod them to take some potentially risky action (and to be able to define “potentially risky action”). It must be clear that even if an email uses real company details, that doesn’t necessarily mean that the sender is a real colleague. The information could have been collected from open sources.

As a rough guide, if a caller, introducing himself as, say, John Smith, tells you that he works in such-and-such a position and asks for a username and password, this is wholly insufficient authentication – even if a John Smith does indeed hold this position in the company.

To raise awareness, you can develop and conduct your own in-house training program, or hire expert consultants. Another option is to use an interactive educational platform. For example, the Kaspersky Automated Security Awareness Platform.

It would also be useful to establish an internal cybersecurity communication channel with employees to convey information about live threats effectively.

Open-source counterintelligence

Over the past decade, the world of cybercrime has become highly compartmentalized. Some actors create malware, others collect data – all of which gets bought on the dark web and used for specific attacks by others.

The fact that information has been collected about your company is a surefire indicator of an impending attack. As such, monitoring activity of this kind will give you advance warning of the threat. For example, if someone puts data about your company up for sale, it’s very likely it’ll be used later to carry out an attack. So, by doing your own counterintelligence, you can take preemptive action: warn employees about what data the attackers have; put security analysts on high alert; and so on.

But such monitoring doesn’t necessarily have to be done in-house: there are ready-made services that you can subscribe to, such as Kaspersky Digital Footprint Intelligence. Note that our service offers far more than just the monitoring of mentions of your company on the dark web. It also tracks attacks on your suppliers and customers, keeps tabs on APT campaigns that may affect your company or industry, provides vulnerability analysis, and much more.

Segmentation, rights management and Zero Trust

The third front is to mitigate the potential damage from attacks that deploy OSINT and social engineering. The primary goal here should be to limit spreading over the corporate network in the event of endpoint compromise.

The first requirement here is proper network segmentation: dividing company resources into separate subnets; defining security policies and settings for each of them; and restricting data transfer among them.

Also, pay attention to user access management. In particular, implement the principle of least privilege; that is, define and grant users only those accesses they need to perform their tasks. And review these rights regularly to reflect changes in their roles and responsibilities.

The ideal option would be to adopt the Zero Trust concept, which assumes there’s no secure perimeter, and so, by definition, no device or user is trusted, both inside and outside the corporate network.

Wrap-up

Open-source intelligence can be a powerful tool in criminals’ arsenals. Therefore, you need to be aware of the dangers and take steps to mitigate potential damage. Here’s a summary of my thoughts on how to protect your company from OSINT:

  • Be sure to train employees in the basics of information security. To do this, you can use our interactive Kaspersky Automated Security Awareness Platform.
  • Establish an internal communications channel to inform employees about information security.
  • Try to monitor the collection and sale of your company’s data on the dark web. Our Kaspersky Digital Footprint Intelligence can help with that.
  • Take measures in advance to minimize potential damage: manage user rights with maximum possible granularity; use network segmentation. And, ideally, embrace Zero Trust.



The new Avast Cybersecurity Basics Training Quiz provides training on Data Security, Identity Management, and Social Media Security

Did you know that 65% of adults in the US wish they knew more about how to spot or avoid phishing scams*? Education and training are crucial components for SMBs to have a solid cybersecurity defense, especially for employees.
 
Helping safeguard SMBs’ data, devices, and their people 


For decades, we were told tales of all-seeing, all-knowing hackers who use sophisticated social-engineering techniques — that is, manipulating folks into handing over secret information with neither threats of violence nor other maltreatment, or getting them to perform other reckless actions from an information security perspective.

The problem is, such tales can cloud one’s grasp on reality. Knowing so many stories about this technological voodoo, people should, you might think, be aware of such tricks. Sadly, this isn’t the case at all. Here are three high-profile cases of recent years showing that social engineering is still a potential threat, perhaps more so than ever.

Even a schoolboy can hack the director of the CIA

Let’s start with a story that could easily be taken for a Hollywood movie with the title, say, Hackers versus Spies; however, it would be less of an action thriller and more a satirical comedy.

In October 2015, a hacker group calling itself Crackas With Attitude used social engineering to gain access to the personal AOL account of CIA Director John Brennan. The hack was followed by a phone interview with the New York Post, in which one member of the group described himself as an American high-school student.

Although the CIA chief’s email was private, it revealed many interesting things related to his work: in particular, the social security numbers and other personal information of more than a dozen high-ranking US intelligence officers, as well as a 47-page application for top-secret security clearance filed by Brennan himself.

In November of that very same year, the story continued: this time hackers targeted the personal AOL accounts of another high-ranking official, FBI Deputy Director Mark Giuliano and his wife. On this occasion, the hackers’ haul, which they later made public, included the names, email addresses and phone numbers of 3500 US law enforcement agencies’ employees.

Just a couple months later, in January 2016, these same hackers got hold of a string of personal accounts belonging to Director of National Intelligence James Clapper. Finally, in February 2016, they publicly released the data of 9000 employees of the US Department of Homeland Security, plus 20,000 employees of the FBI, which the criminals claimed they’d obtained by hacking into the US Department of Justice.

That same month, one of the hackers was apprehended. He was indeed a high-school kid (though not American, but British), named Kane Gamble. As a result, the young hacker, aka Cracka, who was only fifteen when he committed his crimes, was named as the leader of the group and sentenced in the UK to two years in prison (of which he served eight months), with an internet ban for the same term (which he observed in full). A few months later, two other members of Crackas With Attitude were detained in the U.S. This time they were adults: Andrew Otto Boggs, 23, got two years in a U.S. jail, and Justin Gray Liverman, 25, got five.

During the trial, it transpired that for more than six months — from June 2015 to February 2016 — the young Gamble successfully pretended to be the director of the CIA and, in his name, tricked employees of both call centers and hotlines into handing over passwords. Using them, the group managed to gain access to highly sensitive documents relating to intelligence operations in Afghanistan and Iran. Who knows whether the hackers would have been caught at all had they not decided to make a public mockery of the CIA chief, the FBI deputy chief, and the director of U.S. National Intelligence?

Hacking the Twitter accounts of Biden, Musk, Obama, Gates and others

The following incident took place on July 15, 2020, when a bunch of Twitter accounts began to spread similar messages: “All bitcoins sent to the address below will be sent back doubled! If you send $1000, I will send back $2000. Only doing this for 30 minutes.” It looked like a typical Bitcoin scam that wouldn’t warrant a mention were it not for one nuance: all these accounts really did belong to famous people and major companies.

At first, the scam messages started appearing in Twitter accounts directly related to cryptocurrencies: the giveaway was “announced” by Binance founder Changpeng Zhao, and several other cryptoexchanges, including Coinbase, and the crypto news site CoinDesk. But it didn’t stop there, as, one after another, more and more accounts belonging to famous entrepreneurs, celebrities, politicians and companies began to join the jamboree: Apple, Uber, Barack Obama, Elon Musk, Kim Kardashian, Bill Gates, Joe Biden (who wasn’t yet president), Jeff Bezos, Kanye West; and the list went on.

[Image: Tweet from the hacked account of Elon Musk]

In the few hours that saw Twitter trying to get to the root of the problem, the hackers managed to collect more than US$100,000 — a tidy sum, but nothing compared to the reputational blow suffered by the company. It soon became clear that the hackers had penetrated Twitter’s internal account management system. Initially it was assumed they did this with insider help.

However, that turned out not to be the case. The hackers were quickly found and arrested, and again the group leader was a school kid — this time an American, the then 17-year-old Graham Ivan Clark. He was handed down three years in jail and another three on probation. More importantly, however, the investigation established that the attack was carried out with no insider help. Instead, hackers used a mix of social engineering and phishing to dupe Twitter employees into giving them system access.

First, they studied LinkedIn profiles to identify employees likely to have access to the account management system. Next, using LinkedIn’s Recruiter feature, they collected their contact information, including cell phone numbers. The hackers then called these employees, pretending to be colleagues, and using the data persuaded them to visit a phishing site imitating Twitter’s internal login page. This way, the attackers obtained passwords and two-factor authentication codes allowing them to log into the Twitter account management system and take possession of dozens of accounts with millions of followers.

Again, who knows if they’d have been caught had they not targeted half of the world’s Top-10 rich list, plus other famous personalities and, most significantly, the Twitter accounts of a former and future U.S. president.

Sky Mavis and the half-billion-dollar heist

This is a story that took place in 2022. The starring yet unwanted role went to Sky Mavis, creator of the NFT game Axie Infinity. Let’s not delve into the game specifics — suffice it to say that players earn cryptocurrency in it. At one point, some residents of Southeast Asia worked there as if it were a proper job. At its peak, the game had a daily audience of up to 2.7 million people and weekly revenue of up to US$215 million.

However, in March 2022, even before the crypto crash, Sky Mavis found itself in serious trouble. During an attack on the Ronin Network, which underpins all cryptocurrency activity in Axie Infinity, hackers made off with 173,600 ETH and 25.5 million USDC from the company’s accounts, worth around US$540 million at the time of the attack.

The details of the heist emerged a few months later, in July. Through a fake company, the attackers had contacted Sky Mavis employees on LinkedIn and invited them to job interviews. Eventually they got to a senior engineer who, after several rounds of interviews, was made an extremely tempting job offer. The fake offer was sent in an infected PDF through which the hackers managed to gain access to the company’s internal network.

After that, armed with access to the corporate network, the hackers were able to get hold of the private keys for confirming transactions and then withdraw cryptocurrency. They laundered the stolen funds through a complex scheme involving two cryptomixers and around 12,000 intermediate cryptowallets, followed by conversion to bitcoin and a subsequent cashout.

Analysts who helped the U.S. investigators linked the attack to the North Korean group Lazarus. Only about 10% of the face value of the stolen coins could be recovered. Or about 5% if you count in dollars: in the six months after the robbery to the close of the investigation, the crypto market collapsed, causing the Ethereum exchange rate to nosedive.

How to guard against social engineering

Sure, no one wants to be on the receiving end of such an attack. But the fact is that total protection against social engineering is near-impossible — because it targets people. For effective defense against social-engineering techniques, your company should focus on employee training. Our Kaspersky Automated Security Awareness Platform is perfect for this purpose. Through a combination of exercises and simulations, the solution raises staff awareness of a wide range of attack methods and ways to defeat them.

