Social engineering attacks are real and are considered major threats to organizations of every size. They are of manipulation techniques that exploit human error to gain access to something sensitive. They employ deception, manipulation, intimidation, etc to exploit the human element, or users, of target information assets in the cyber context. Generally, these attacks are successful because individuals may be persuaded to take an action by strong incentives like money, sentiment, fame, or fear, as well as by simple deceit. These attacks pose a serious threat to cybersecurity because users can still be tricked into revealing their credentials or executing a malicious action for an attacker regardless of how robust the technical security infrastructure is. There have been many major incidents in the industry notably – Target, Yahoo, Zoom, RSA, Marriott, Twilio, and so on breaches where social engineering was employed to successfully exploit. Eventually leading to a major business impact.

Here are a few major techniques and types that can come under social engineering attacks – Phishing, Spear Phishing, Whaling, Vishing, Smishing, BEC, DSD, Angular Phishing, Baiting, Quid Pro Quo, Impersonating, Shoulder Surfing, Eavesdropping, Desk Sniffing, Dumpster Diving, Pharming, Tailgating, Credential Harvesting, Water Hole Attacking, URL Hijacking/ TypoSqating, Pretexting, Popup Windows, Reverse Social Engg, Weaponized QRCodeing, Robocalls, Deep fakes, Supply chain attacks.

Countering social engineering attacks through solely by using technology is not an adequate solution for any organization or individual. To defend, the security approach for the human factor is to improve security through awareness and practice. At the organizational level, a methodical approach to continuously identifying, train vulnerable employees can significantly reduce cybersecurity social engineering threats. This involves continuous assessment of the workforce’s security awareness, maintaining efficient means of communication – regarding the latest threats, and attack tactics in addition to routine system updates, and the underlying appropriate security infrastructure.

Organizations must adopt a continuous approach to people, processes, and technology with their Information security program. It necessitates a must training, awareness, and strict policy control programs that is made relevant in every aspect of the organization along with applicable technology controls and the infrastructure making it a PEOPLE, PROCESS, TECHNOLOGY aspect.

In simple summary – employee & user awareness, multi-factor authentication, monitoring the user & entity behavior, strict identity and access controls, patching, data classification, and leak protection, and zero-trust network access(ZTNA) are a few must-have essential strategies. Organizations must implement these strategies through a proactive, continuous approach for better protection against social engineering attacks.

The post Effective Cyber Defense Strategies for Enterprises against Social Engineering Attacks – Part1 appeared first on Teksalah - Beyond Solutions.

The post Remote workforce security essentials for a secure work from home, anywhere approach appeared first on Teksalah - Beyond Solutions.

Most Organizations have multiple applications running across cloud, SaaS, and On-Premise environments, These heterogeneous environments bring complexity, cost, and user identity Management security challenges, especially when they are not integrated into a central authentication. On the other hand, Users find it difficult to manage their multiple application passwords. No one likes remembering all these credentials. What’s worse is many use the same username and password, irrespective of the application they are using – resulting in passwords more prone to the dictionary and brute force attacks to visible passwords on sticky notes around desks. This is where the Single Sign-On technology comes into focus and works like a champ and with cloud being prevalent, it is effective for organizations to consolidate the existing identity and authentication across applications and systems.

What is Single Sign-On?

Single Sign-On (SSO) is a method of authentication that allows applications, web portals to use other trustworthy systems, applications to verify users. OR Single sign-on enables users to securely authenticate with multiple applications and web portals by logging in only once—with just one set of credentials (normally domain username and password). SSO is an essential feature of an Identity and Access Management (IAM) platform for controlling access and identity. Verification of user identity is important when it comes to knowing which all accesses and permissions a user could have.

How It Works

Single Sign-On works by having a central server(s) or as a service (SaaS options), that all the organization applications are configured to trust and integrate to. When you log in for the first time a cookie/token gets created on this central server. Then, whenever you try to access a second application at its login, you get redirected to the central server, if you already have a cookie there, you will get redirected directly to the app with a token, without login prompts, which means you’re already logged in.

Authentication with SSO depends on trust between domains (websites/ applications). With single sign-on, this is what happens when you try to log in to an application or website connected to SSO:

1. The website first checks to see whether you’ve already logged in to the SSO solution, in which case it gives you access to the required website.
2. If you not logged in, it redirects you to the SSO login screen.
3. You enter the single username/password that you use for corporate access normally a domain username and password.
4. The SSO solution requests authentication from the identity provider or authentication system that your company uses like Active Directory. It verifies your identity and notifies the SSO solution.
5. The SSO solution passes authentication data to the website and returns you to that site.
6. After login, the site passes authentication verification data with you as you move through the site to verify that you are authenticated each time you go to a new page.

For example, Google implemented a Single Sign-On (SSO) Solution in its various services. Google’s central server is https://accounts.google.com. Here, once we login to this server, we will be able to access Gmail, Youtube, and Google Docs without entering your credentials again.

What Are the Benefits of Single Sign-On

Single Sign-On clearly minimizes the risk of poor password habits and the increased productivity of users.

1. Seamless user experience: Customers can use a single identity to navigate multiple web and mobile domains or service applications. As customers no longer need to do repeated logins they can enjoy a modern digital experience.
2. Stronger password protection: Since users only need to remember one password for multiple applications, they are more likely to create a stronger (harder to guess) passphrase beyond policies, and less likely to write it down. These best practices reduce the risk of password theft. We can integrate this with MFA for additional security
3. It increases employee and IT productivity: Reduce support calls, improve user experience and Mitigate security risks
4. It combines with Risk-Based Authentication (RBA): You can combine SSO with risk-based authentication (RBA). With RBA, you and your security team can monitor user habits. This powerful combination can prevent cybercriminals from stealing data, damaging your site, or draining IT resources
5. It reduces password fatigue: To prevent cybercrime, security professionals insist on unique passwords for every single application. This means that the average user must remember dozens of passwords for personal and office use. Unfortunately, this often leads to “password fatigue.”
6. It prevents Shadow IT.
7. Reduces User time: Users will spend less time logging into various apps to do their work. Ultimately it enhances the productivity of businesses.

With more applications moving to the cloud, security and data are a prime concern, CASB Cloud Access Service Broker solution with SSO single sign-on as a framework greatly improves system and application security.

We would be covering the CASB Part in our next blog post in this series.

The post Identity and Access – Part 1 – Single Sign-On (SSO) appeared first on Teksalah - Beyond Solutions.

As part of bringing awareness and what matters the most when it comes to cybersecurity proactive prevention, we are here with yet another blog post and the required essentials.

If we could put it this way – With the ongoing pandemic (COVID-19) many of us have new realizations!. Cybersecurity and COVID-19 are two different challenges, but they do have key common things. Both are global – we all are vulnerable to them, they do not respect boundaries, they don’t discriminate any, and impacts everyone., Again both require basic measures in place to first prevent. That basic Hygiene is the best measure! so far.

Taking up with cybersecurity – Organizations across wants to ensure that their data and services are secure, up & running for delivering business operations with customer confidence. Hence – Proactive prevention.

In order to conduct business securely, as a first step organizations need to understand their exposure, where the threats can emerge and need to know how users are accessing business-critical services. To do this IT teams must adopt a platform that continuously monitors and recognizes the users, devices, networks, and services being used. Simply you cannot protect what you can’t see.

Most organizations implement different security solutions like firewalls as silos that could help them protect, but hackers use modern techniques to penetrate systems which means IT also needs to adopt technologies that help them gather, correlate, alert by analyzing event data from integrating security solutions. Thus, the need for an effective cybersecurity monitoring system is seen as basic and essential. Because on a regular basis no one would have enough time to go through the number of data sets that systems present,. We need meaningful analytics and actionable information out of monitoring systems.

Security Information and Event Management (SIEM) is a proven approach to Identify events that matter most by consolidating, analyzing, correlating raw data and event logs that are collected across from users, devices, applications, and networks. It helps organizations detect threats and prioritize remidative actions before an actual threat occurs. These are purpose-built software systems that store logs, normalizes, aggregates and correlates that data to discover trends, detect threats, and generate alerts. The main capabilities of SIEM are log collection, security monitoring, threat detection, investigation, and response. Apart from this, some SIEM solutions have the capability of behavioral analysis, forensic & incident response, threat response workflow, etc. Most importantly SIEM System provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

With a well-integrated SIEM System in-place organizations can identify potential threats inside and outside networks proactively.

A few notable SIEM Solutions – for your reference-
IBM QRadar
ArcSight
Splunk
AT&T Cyber Security ( Alien Vault )
Elastic SIEM
Azure Sentinel ( Cloud Native )

Know more about our security offerings https://teksalah.com/cyber-security-solutions-in-uae/

The post Preventive Security Essentials – Monitoring and Analytics ( Part 1) appeared first on Teksalah - Beyond Solutions.

The post Teksalah Mimecast – Webinar (19 May 2020 | 11:00AM) appeared first on Teksalah - Beyond Solutions.

As workforces are mandated to telework in an effort to contain the spread of the COVID19 virus pandemic, At these challenging lock downtimes, almost all the organizations are enabling work-from-home, if not getting ready with the required ICT, Security Cloud infrastructure. Most of the workforce working remotely, and for these types of remote workloads, many of the organizations are not ready and finding it difficult to cope.

VPN Servers to App Delivery to VDI Infra, collaboration tools for all of them their security and availability, performance has now become a critical backbone for organizations. Employees who have never worked remotely are told to work from home or WFH. For many organizations and individuals, this is unchartered territory.

With this blog post, we would like to bring to your notice – a few important cybersecurity risks that a remote workforce may present and some best practices for mitigating those risks.

Whether as part of standard work program or as a component of business continuity plans, for Organizations engaging in telework we would recommend to start with a defined policy – ex ‘Work from home Policy, BYOD policies’- addressing the scope, roles and responsibilities, and mandatory infosec and organizational specific guidelines.

Our recommendations are :

• VPN Server security and their up-to-date patching
• Enabling Multi-Factor-Authentication for VPN Accounts and user logins
• Application Delivery Controllers and enforcing end-point mandatory compliance checks
• SaaS applications and data, service access protecting with conditional access and logging.
• Ensuring Mobile Device and Endpoint Management security practice in place for corporate and personal (BYOD) devices.
• PKI And TLS Security for Document Signing, and Secure email SMIME protection.
• Tightened email phishing and spam protection measures.
• Must MDR/ End-point-security software for all the devices.
• Configuring and limiting maximum load provision, auto-provision setting with your cloud infrastructure/ to protect against misuse.
• Engaged threat detection, monitoring, protection systems in place for data and Services protection.
• Ensuring compliance and regulatory standards.
• Recoverable Backups and working HA systems.
• And more importantly, given the social-engineering aspect of most attacks, end-user education is more critical than ever.

Need of the hour for many is to enable work-from-home to their employees and to ensure business continuity during these pressing times, it is important to ensure cybersecurity recommendations are taken into consideration to avoid any superimposed security incidents that are very much prevalent these times.

Amid the COVID-19 crisis, In order to help organizations setup required infra and protect remote employees faster, In coordination with our product vendors we are stepping it up and offering some of our products and services free of charge for a limited time. Including support services to help companies through the set-up and deployment processes.

The post The New Normal ‘Work from home’: Security risks, challenges, and recommendations appeared first on Teksalah - Beyond Solutions.

The post SELECT PARTNER AWARD – RUBRIK 9th October 2019 appeared first on Teksalah - Beyond Solutions.

Implementing DMARC “Domain-based Message Authentication Reporting and Conformance” is currently the good way around to defend from phishing and spoofing attacks. DMARC is built on two other authentication protocols – SPF, DKIM.

With this blog we try to simplify the SPF, DKIM, DMARC- Email Authentication Protocol measures the way they work and for your easy adoption.

So what are these – SPF, DKIM, DMARC?

In a nutshell – SPF, DKIM, DMARC would help step-up the protection measures by confirming and validating the sender domain and that an email came from the domain that says it does. And verifies that the email is not forged or altered.

SPF – Sender Policy Framework:

This has been there around for a long time (as a next measure to the PTR),. It is a method for authorizing mail servers of a particular domain for sending authoritatively and a way for recipient servers ( mail receiving party ) to verify if the sending server (MTA) is authorized for sending emails for that domain.

By Creating an SPF record in domain DNS, you can designate (kind of whitelist) which all email servers are authorized to send an email for the domain on your behalf.

• Sender adds a DNS record for their domain with “authorized to send email server’s ip addresses”. A typical SPF DNS TXT record looks like : (example only)

v=spf1 ip4:213.42.193.66/32 ip4:86.96.198.0/29include:spf.protection.outlook.com~all

(ref- https://en.wikipedia.org/wiki/Sender_Policy_Framework )

• Recipient server while receiving an email from senders MTA/SMTP Server, it checks against the DNS TXTrecord of that domain name – If the IP Address is listed/ authorized. (extracts domain name from the “return-path:” field of the envelope)
• If the IP address match – the message passes the SPF
• If the IP address not listed in SPF, or does not match in the list, it is considered – “Hard-fail”; in most cases, the email ends up rejected, or marked spam by the receiving party.
• For not having an SPF record for a domain is considered “soft-fail” and the receiving party may very well treat this as spam too.

DKIM – DomainKeys Identified Mail:

As it sounds, it is an email authentication protocol to protect against email spoofing (both email body, header) using public-key cryptography.

With DKIM configured sender’s MTA would inject a digital signature to the outgoing emails with a hash value. And the receiving MTA  uses public key made available through a TXT record by sending party to decrypt the hash value in the email header and recalculate the hash value for the email message is received. If these two hashes match, then the email is passed indicating email has not been altered and the email did originate from the listed domain.

With most of the email SaaS providers and outbound SMTP gateways, it is about defining the policies and configuring out-of-the-box functionality, but if you are running any on-prem servers like MS Exchange you may have to look at some 3^rd party software packages which can make the DKIM insertions possible.

• Setup the mail server / the mail provider to support DKIM
• Per domain, Generate a pair of DKIM Keys [ Public and Private ]
• Make the public key available in the DNS as TXT record ( in some cases as CNAME)
• Configure to enable DKIM signing

To understand the DKIM DNS TXT record it mainly has two parts, the selector and the payload. Example below :

TXT Mta1._domainkey v=DKIM1; k=rsa; p=[public key]

Mta1 can be anything and is identified as “selector” or “mta”,. The ‘p’ field shall be the public key ( part of the pair that originally  generated along with private key at the server/ MTA)

Note: (More please refer : rfc5585)

• DKIM by itself does not filter email
• Does not authenticate or verify the contents of the message header or body, such as the author From field, beyond certifying data integrity between the time of signing and the time of verifying.
• Does not offer any assertions about the behaviors of the signer.
• Does not prescribe any specific actions for receivers to take upon successful signature verification.
• Does not provide protection after signature verification.
• Does not protect against re-sending (replay of) a message that already has a verified signature; therefore, a transit intermediary or a recipient can re-post the message — that is, post it as a new message — with the original signature remaining verifiable, even though the new recipient(s) might be different from those who were originally specified by the author.
• Example DKIM Signature

DKIM-Signature a=rsa-sha1; q=dns;
d=test.com;
i=user@eng.test.com;
s=TEK2007.eng; c=relaxed/simple;
t=22276972764; x=11179856433;
h=from:xxxxto:xxxxsubject:xxxxdate:xxxx;
b= ADS2134321AFDSFD2134adsfdsd154
DSFKNSADFKHDASNF243KNASDFN234

• From Domain (RFC5322) – is the domain part of the email address.
• Signing Domain – During DKIM Signing, the domain takes the responsibility for the message signing, it inserts its name into the header in a key-value tag.
• It is possible to sign emails on “Per-user-DKIM keys” or “Per-email-address-DKIM”.

DMARC [Domain-based Message Authentication, Reporting, and Conformance]

We can say DMARC is best of both worlds, it uses SPF, DKIM and ensures emails are properly authenticated for their legitimacy. DMARC provides directions to the receiving party (Recipient Server) on what to do if an email claiming that ‘from your domain’ is not properly authenticated.

An email passes DMARC if the email must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. The email will fail DMARC if the message fails both (A) SPF or SPF alignment and (B) DKIM or DKIM alignment.

In order for DMARC validation checks to pass, DMARC requires that there be domain alignment as follows:

• For SPF, the RFC5322. From domain and the Return-Path domain must be in alignment
• For DKIM, the RFC5322. From domain and the DKIM d= domain must be in alignment

DMARC requires a DNS record to be published for the domain you wish to use in your “FROM:” address.  Example:

“v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@senderdomain.com”

The DNS TXT  record for DMARC can include several values, but required mainly two of them :

• (v) tells the receiving server to check DMARC
• (p) gives instructions on what to do if authentication fails.

The parameter options for p can include:

• p=none, which instructs the receiving server to take no specific action if authentication fails but to provide data reports.
• p=quarantine, which instructs the receiving server to consider quarantining the message. it could mean routing the mail to spam/junk folders
• p=reject, which instructs the receiving server to reject all non-aligned messages and send a report.

It is advised to start with configuring the DMARC Policy flags from  “none” to “quarantine” to “reject”  phases and with a thorough evaluation.

DMARC Overview:

Image source : https://dmarc.org/overview/

Definitely, DMARC is a very good enhancement to improve organizations email communication, reputation. It greatly minimizes the risks of email spoofing and impersonation while letting you keep a track of fraudulent attempts via reports. However it is not 100% foolproof,  user education and awareness are still key.

The post Protecting and improving email communication : DMARC, DKIM, SPF. appeared first on Teksalah - Beyond Solutions.