Blogs

Our ideas, experiences, and opinions… in words.

Security Best Practices to Protect Against Insider Threats

By Blogs, Security Best Practices

Its not the technology controls alone nor the sophistication of controls that one have implemented can protect an organization entirely from malicious insiders.
It requires a combination of technical, procedural, and cultural measures to effectively defend against malicious insiders. Whether they are of intentional or ignorant type.
An insider or a malicious insider threat can be of many forms – current or former employees, contractors, or business partners who misuse their access and privileges to harm the organization, or a trusted API connection to a third-party which is being exploited under the hood. So lets note what are some effective ways for an organization to protect itself from insider threats: “malicious and ignorant”. Below are the few Security Best Practices to Protect Against Insider Threats:

Employee Screening
Conduct thorough background checks on all employees before hiring, especially for positions with access to sensitive data or systems.

Increase employees cybersecurity awareness, Continuous training.
With negligence as one of the primary causes of insider security incidents, prioritizing employee cybersecurity education becomes imperative. It’s essential to ensure that your employees fully understand your security policies, the importance of adhering to them, and the potential consequences of non-compliance. Equally vital is equipping your employees with fundamental skills to recognize and respond to potential threats. Educate employees about security policies, acceptable use, and the consequences of insider threats. Promote a culture of security and encourage employees to report suspicious activity without fear of reprisal.

User Access Control/ Zero trust approach
Least Privilege Principle: Limit user access to only what is necessary for their roles. Regularly review and update permissions as job roles change.

Multi-Factor Authentication (MFA)

Implement MFA for critical systems and sensitive data to make it harder for insiders to compromise accounts.

Good password policy
Your organization’s sensitive data and systems are protected from attackers by an effective password policy. Internal company accounts of employees may be compromised, allowing unauthorized access to confidential data. Creating a thorough password policy is crucial to reducing this risk.
Insiders must adhere to specific rules outlined in a password management policy. These instructions can advise using different passwords for every account, coming up with complicated passwords, and changing passwords frequently. Additionally, without disclosing the credentials, you can give employees access to the endpoints of your company by using password management software.

Monitoring privileged users activity
Privileged users within your network present heightened risks compared to regular users due to their elevated access rights. Therefore, it is crucial to give their actions special attention. By closely monitoring privileged users, you significantly increase your ability to detect early indications of privileged account compromise or misuse of privileges.

Continuously Monitor the activity of employees behavior
Consider implementing user activity monitoring tools that enable real-time visibility into user sessions. By accessing and observing user sessions that involve interaction with your sensitive data and systems, you can significantly enhance the security of these valuable assets. Continuous monitoring can help you ensure early detection and timely response to suspicious user behavior. To effectively safeguard your assets, consider monitoring the activities of your employees and vendors within your infrastructure is must.

Ensure data security, Data Loss Prevention (DLP)
Protecting your valuable data is of utmost importance when managing insider risks. Encryption is the tried and true security practice that effectively safeguards your data from unauthorized access. Securing your data also involves performing full, differential, and incremental backups. By doing so, you can safeguard your valuable information and minimize the risk of data loss. Ensuring quick restoration of business operations is crucial in the event of physical or digital data damage. Regular backups are the key to achieving this. Deploy DLP solutions to monitor and prevent unauthorized data transfers or access to sensitive information. Encrypt sensitive data at rest and in transit always.

Control access to systems and data
To mitigate insider risks, controlling access to systems and data within your organization is essential. Implementing a zero-trust architecture adds an additional layer of protection. This approach requires approval or user identity verification before granting access to critical assets. The principle of least privilege can also be employed, whereby each user is granted the minimum level of access rights required, with privileges elevated only when necessary. Combine this with conditional access measures like that of enforcing geo fencing, enterprise mobile management with containerized security for organizational data, etc.

Regularly review user access rights
User access reviews involve determining which individuals have access to specific data or systems and assessing whether they need such access for their job roles. Regular user access reviews guarantee that existing access permissions align with the organization’s current business and security requirements.

Perform regular security and IT compliance audits
By conducting regular audits, you can evaluate the effectiveness of your existing security measures and pinpoint any deficiencies in your security policies. Audits provide valuable insights into areas that require improvement, allowing you to mitigate insider risks and ensure compliance with cybersecurity standards, laws, and regulations.

Incident Response Plan
Develop a comprehensive incident response plan that includes procedures for handling insider threats. Test the plan regularly through tabletop exercises and simulations.

Exit Procedures
Implement strict exit procedures to revoke access immediately when an employee leaves the organization. Conduct exit interviews to ensure all assets are returned and access credentials are disabled.

Whistleblower Programs
Establish anonymous reporting channels for employees to report suspicious activity. Ensure that reports are taken seriously and investigated promptly.

Physical Security
Limit physical access to critical infrastructure and sensitive areas. Use security cameras and access control systems to monitor and control physical access.

Vendor and Third-Party Risk Management
Extend security policies to third-party vendors and partners who have access to your systems or data. Verify their security practices and conduct regular audits.

Legal Measures
Develop legal agreements and contracts that explicitly outline the consequences of insider threats and unauthorized data access.

Remember that while technical controls are essential, a strong security culture and continuous employee education are very crucial in mitigating the risks associated with malicious insiders. It’s important to strike a balance between security and trust to maintain a healthy work environment while safeguarding the organization’s assets.

Effective Cyber Defense Strategies for Enterprises against Social Engineering Attacks – Part1

By Blogs, Cyber Defense Strategies

Digital transformation, digital technology usage from what it was to how it is being adopted today by enterprises, and individuals are an almost essential commodity. New applications in this mobile-first cloud-first era are exposing individuals, and organizations to potential cyber security vulnerabilities that can be exploited through social engineering attacks without much of sophistication.

Social engineering attacks are real and are considered major threats to organizations of every size. They are of manipulation techniques that exploit human error to gain access to something sensitive. They employ deception, manipulation, intimidation, etc to exploit the human element, or users, of target information assets in the cyber context. Generally, these attacks are successful because individuals may be persuaded to take an action by strong incentives like money, sentiment, fame, or fear, as well as by simple deceit. These attacks pose a serious threat to cybersecurity because users can still be tricked into revealing their credentials or executing a malicious action for an attacker regardless of how robust the technical security infrastructure is. There have been many major incidents in the industry notably – Target, Yahoo, Zoom, RSA, Marriott, Twilio, and so on breaches where social engineering was employed to successfully exploit. Eventually leading to a major business impact.

Here are a few major techniques and types that can come under social engineering attacks – Phishing, Spear Phishing, Whaling, Vishing, Smishing, BEC, DSD, Angular Phishing, Baiting, Quid Pro Quo, Impersonating, Shoulder Surfing, Eavesdropping, Desk Sniffing, Dumpster Diving, Pharming, Tailgating, Credential Harvesting, Water Hole Attacking, URL Hijacking/ TypoSqating, Pretexting, Popup Windows, Reverse Social Engg, Weaponized QRCodeing, Robocalls, Deep fakes, Supply chain attacks.

Countering social engineering attacks through solely by using technology is not an adequate solution for any organization or individual. To defend, the security approach for the human factor is to improve security through awareness and practice. At the organizational level, a methodical approach to continuously identifying, train vulnerable employees can significantly reduce cybersecurity social engineering threats. This involves continuous assessment of the workforce’s security awareness, maintaining efficient means of communication – regarding the latest threats, and attack tactics in addition to routine system updates, and the underlying appropriate security infrastructure.

Social Engineering attack defense measures 1

Organizations must adopt a continuous approach to people, processes, and technology with their Information security program. It necessitates a must training, awareness, and strict policy control programs that is made relevant in every aspect of the organization along with applicable technology controls and the infrastructure making it a PEOPLE, PROCESS, TECHNOLOGY aspect.

In simple summary – employee & user awareness, multi-factor authentication, monitoring the user & entity behavior, strict identity and access controls, patching, data classification, and leak protection, and zero-trust network access(ZTNA) are a few must-have essential strategies. Organizations must implement these strategies through a proactive, continuous approach for better protection against social engineering attacks.

What to choose?  Vulnerability assessment or Penetration testing?

By Blogs

As Organizations become more distributed and connected they are exposed to a lot of cyber threats.  On the other hand, cyber threats continue to grow and evolve in frequency, vector, and complexity. The evolving tools, tactics, and procedures used by threat actors to breach organizations can only be defended by up-to-date proactive security measures and continuous improvement practices in place.  

The majority of attacks originate from a range of automated offensive tools to scan the target organization/entity for unpatched vulnerabilities, common misconfigurations, obsolete systems, weak known credentials, expired certifications, etc.  Whether the organization is being specifically targeted or just a target of an indiscriminate attack both vulnerability assessments and penetration testing play a curtail role in the proactive identification of vulnerabilities thereby helping in enhancing the organizational cyber defense, and risk management measures.

Both vulnerability assessments and Penetration testing are considered proactive security testing and auditing practices in cyber security; they are often interchangeably used but they are two different approaches with related processes.

Vulnerability Assessment is a systematic review of security weaknesses in a system; in other words, it is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system.

Mostly for known vulnerabilities. VA tools are generally designed to automatically scan for new and existing threats that can target your system. There are four major stages in vulnerability assessments.

–       Vulnerability Identification 

–       Vulnerability Analysis 

–       Risk Assessment 

–       Remediation 

A Good vulnerability report should contain at least the details of the target, description and severity of each uncovered vulnerability with timestamps. 

Penetration Testing is an exercise to exploit vulnerabilities in the system. It is used to determine whether a detected vulnerability is genuine o. Although there are automated tools that can be launched to exploit a vulnerability, it is done mostly manually by experts also known as – White hat hackers/ ethical hackers. The main purpose of Pentest is to simulate an attack on identified vulnerabilities and exploit them; thereby prioritizing the actions to validate and mitigate confirmed security weaknesses in the system. One can say Pentest is a form of simulated hacking. Generally, the pentesting assignments are categorized based on the level of information and access given to the target 

–     White-box pentesting: Penetration testers are given internal knowledge of the target system- the connectivity information, architecture documentation, source code, sometimes system credentials to identify, analyze, and exploit the potential weakness in the target system. It is the most time-consuming but also considered the comprehensive type among the other options of penetration testing. 

–     Gray-box pentesting: In a Gray-box pentesting, some level of access details to the target system and internal knowledge is given. It is to create a more realistic attack simulation where the attacker has gained already some level of knowledge and information about the controls of the target system. 

–     Black-box pentesting: In a black-box pentesting, other than that of what is already publicly available/published data, the tester is not given internal knowledge of the target system. A black-box pentesting exploits the vulnerabilities from outside the network. It is the quickest of all, the downside is that if it is not exploited, any vulnerabilities of internal services remain uncovered.

Vulnerability AssessmentPenetration Testing 
– Automated 
– Does not validate false positives 
– Programmed scans
– Non-intrusive 
– Manual
– Rules out false positives 
– Applies Tailored, intuitive tactics
– Intrusive 
GoalUncover known vulnerabilitiesUncover and exploit identified vulnerabilities
ScopeBroad Focused
OutcomeList of vulnerabilities with priority for fixing.Safely exploit the vulnerability, Establish attack methodology, and Remediation measures. 

The choice of whether to do vulnerability assessment or penetration testing depends really on the criticality of the business and the risk. Vulnerability assessment scan is to find the vulnerabilities of a system and prioritize them for fixing. Whereas, the idea of penetration testing is to identify if an adversary can break into the organization’s defense and the related risk, and exposure. 

Both are essential elements of a properly planned organization’s cyber security program.

Remote workforce security essentials for a secure work from home, anywhere approach

By Blogs

There is this joke that surfaced among tech circles- “ Who leads the digital transformation of your organization” (A) CTO (B) CEO (C) Covid 19. And the answer being marked as (C) Covid 19.

Whether It is a large enterprise or a small one, The COVID-19 has pushed every one of us with limited InPerson interactions, imposed lockdowns, and also has disrupted the conventional approaches of doing business. As a consequence, many businesses have rolled out work from home. The forced change, otherwise not so common has also undisputedly accelerated overall digital adaption like (1) Cloud adoption (2) Collaboration (3) Connectivity (4) Leading to sensitive data flow across personal devices and home networks, implicating new areas of security concerns and risks.

There have been numerous industry reports, and new predictions about the surge in attacks, ransomware, phishing, dwell time activity threat reports in the context of work from home remote working environments. All pointing to increased attack surface, vulnerabilities, lack of controls across organizations of all kinds.

There is no doubt that remote working is here to stay. How people connect and work is evolved, businesses must adopt ways and means to secure and defend work from home/anywhere infrastructure. Generally, organizations have enough attention and resources with reasonable information security, availability measures around their core business & technology service controls (data centers – cloud-native, hybrid, on-prem)., but less on the user side remote working environments.

Here are our four key essential areas for a sustainable remote workforce security. Building blocks of secure work from home, work from anywhere environments.

  • User awareness
  • Device Security
  • Email Security
  • Access & Network Security

User Awareness
No matter how secure your infrastructure and policies are, an unaware employee or an ignorant user falling for a phishing link or a sophisticated social engineering attack can lead to major impacts. For Organizations, It is essentials users are regularly trained and aware of do’s and don’t’s, in addition to this best practices are (1) Multi-factor authentication (2) Least privilege access (3) log everything – user activity logging on data and services across.

Device Security
For all endpoints including that of personal devices(BYOD), mobiles consider enforcing automated baseline security validations before allowing access to corporate data and services.
An organization must ensure a suitable – (1) Endpoint protection platform, (2) Disk Encryption, (3) Mandatory Critical Patching (4) Tightened device policies (EMM)/ Endpoint Management.
A key capability is that if the local agent could integrate with service side controls and determine the device health and security posture as factors in the access decision to facilitate allow/block access to corporate data and services.

Email Security
Email is used widely. It is the most consumed service across businesses and naturally the preferred threat vector for cyber-attacks.
While organizations have in-place email gateway protection to combat spam and email threats. it is essential to have (1) The users trained on spear phishing, spoofing threats (2) Implement email encryption and signatures – SMIME PKI (3) enhance the security by implementing DMRAC, DKIM, SPF, MFA.

Access & Network Security
To defend against the high-risk aspects associated with vulnerable user side home networks, unsecured kiosks, internet access, public networks It is essential organizations consider deploying secure connectivity controls and access measures. Must consist (1) User Identity Protection (2) Multifactor Authentication to services (3) Any typical Zero Trust Network Access (ZTNA) facilitating access security policies allowing organizations granular access control and visibility. More advanced options are the integration of Cloud Security Access brokers (CASB) and Secure Access Service Edge (SASE) technologies.

The above approach is by no means complete and only addresses a few key areas.
Protecting the distributed workspace is critical for any organization and challenging. While technologies are evolving and new ones are emerging faster, a holistic risk-based approach would help organizations defend better.

Identity and Access – Part 1 – Single Sign-On (SSO)

By Blogs, Identity & Access Management

Introducing Single Sign-On (SSO) Solution in any Organization can offer greater security and improved usability.

Most Organizations have multiple applications running across cloud, SaaS, and On-Premise environments, These heterogeneous environments bring complexity, cost, and user identity Management security challenges, especially when they are not integrated into a central authentication. On the other hand, Users find it difficult to manage their multiple application passwords. No one likes remembering all these credentials. What’s worse is many use the same username and password, irrespective of the application they are using – resulting in passwords more prone to the dictionary and brute force attacks to visible passwords on sticky notes around desks. This is where the Single Sign-On technology comes into focus and works like a champ and with cloud being prevalent, it is effective for organizations to consolidate the existing identity and authentication across applications and systems.

What is Single Sign-On?

Single Sign-On (SSO) is a method of authentication that allows applications, web portals to use other trustworthy systems, applications to verify users. OR Single sign-on enables users to securely authenticate with multiple applications and web portals by logging in only once—with just one set of credentials (normally domain username and password). SSO is an essential feature of an Identity and Access Management (IAM) platform for controlling access and identity. Verification of user identity is important when it comes to knowing which all accesses and permissions a user could have.

How It Works

Single Sign-On works by having a central server(s) or as a service (SaaS options), that all the organization applications are configured to trust and integrate to. When you log in for the first time a cookie/token gets created on this central server. Then, whenever you try to access a second application at its login, you get redirected to the central server, if you already have a cookie there, you will get redirected directly to the app with a token, without login prompts, which means you’re already logged in.

Authentication with SSO depends on trust between domains (websites/ applications). With single sign-on, this is what happens when you try to log in to an application or website connected to SSO:

  1. The website first checks to see whether you’ve already logged in to the SSO solution, in which case it gives you access to the required website.
  2. If you not logged in, it redirects you to the SSO login screen.
  3. You enter the single username/password that you use for corporate access normally a domain username and password.
  4. The SSO solution requests authentication from the identity provider or authentication system that your company uses like Active Directory. It verifies your identity and notifies the SSO solution.
  5. The SSO solution passes authentication data to the website and returns you to that site.
  6. After login, the site passes authentication verification data with you as you move through the site to verify that you are authenticated each time you go to a new page.

For example, Google implemented a Single Sign-On (SSO) Solution in its various services. Google’s central server is https://accounts.google.com. Here, once we login to this server, we will be able to access Gmail, Youtube, and Google Docs without entering your credentials again.

What Are the Benefits of Single Sign-On

Single Sign-On clearly minimizes the risk of poor password habits and the increased productivity of users.

  1. Seamless user experience: Customers can use a single identity to navigate multiple web and mobile domains or service applications. As customers no longer need to do repeated logins they can enjoy a modern digital experience.
  2. Stronger password protection: Since users only need to remember one password for multiple applications, they are more likely to create a stronger (harder to guess) passphrase beyond policies, and less likely to write it down. These best practices reduce the risk of password theft. We can integrate this with MFA for additional security
  3. It increases employee and IT productivity: Reduce support calls, improve user experience and Mitigate security risks
  4. It combines with Risk-Based Authentication (RBA): You can combine SSO with risk-based authentication (RBA). With RBA, you and your security team can monitor user habits. This powerful combination can prevent cybercriminals from stealing data, damaging your site, or draining IT resources
  5. It reduces password fatigue: To prevent cybercrime, security professionals insist on unique passwords for every single application. This means that the average user must remember dozens of passwords for personal and office use. Unfortunately, this often leads to “password fatigue.”
  6. It prevents Shadow IT.
  7. Reduces User time: Users will spend less time logging into various apps to do their work. Ultimately it enhances the productivity of businesses.

With more applications moving to the cloud, security and data are a prime concern, CASB Cloud Access Service Broker solution with SSO single sign-on as a framework greatly improves system and application security.

 

We would be covering the CASB Part in our next blog post in this series.

Preventive Security Essentials – Monitoring and Analytics ( Part 1)

By Blogs No Comments

As part of bringing awareness and what matters the most when it comes to cybersecurity proactive prevention, we are here with yet another blog post and the required essentials.

If we could put it this way – With the ongoing pandemic (COVID-19) many of us have new realizations!. Cybersecurity and COVID-19 are two different challenges, but they do have key common things. Both are global – we all are vulnerable to them, they do not respect boundaries, they don’t discriminate any, and impacts everyone., Again both require basic measures in place to first prevent. That basic Hygiene is the best measure! so far.

Taking up with cybersecurity – Organizations across wants to ensure that their data and services are secure, up & running for delivering business operations with customer confidence. Hence – Proactive prevention.

In order to conduct business securely, as a first step organizations need to understand their exposure, where the threats can emerge and need to know how users are accessing business-critical services. To do this IT teams must adopt a platform that continuously monitors and recognizes the users, devices, networks, and services being used. Simply you cannot protect what you can’t see.

Most organizations implement different security solutions like firewalls as silos that could help them protect, but hackers use modern techniques to penetrate systems which means IT also needs to adopt technologies that help them gather, correlate, alert by analyzing event data from integrating security solutions. Thus, the need for an effective cybersecurity monitoring system is seen as basic and essential. Because on a regular basis no one would have enough time to go through the number of data sets that systems present,. We need meaningful analytics and actionable information out of monitoring systems.

Security Information and Event Management (SIEM) is a proven approach to Identify events that matter most by consolidating, analyzing, correlating raw data and event logs that are collected across from users, devices, applications, and networks. It helps organizations detect threats and prioritize remidative actions before an actual threat occurs. These are purpose-built software systems that store logs, normalizes, aggregates and correlates that data to discover trends, detect threats, and generate alerts. The main capabilities of SIEM are log collection, security monitoring, threat detection, investigation, and response. Apart from this, some SIEM solutions have the capability of behavioral analysis, forensic & incident response, threat response workflow, etc. Most importantly SIEM System provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

With a well-integrated SIEM System in-place organizations can identify potential threats inside and outside networks proactively.

A few notable SIEM Solutions – for your reference-
IBM QRadar
ArcSight
Splunk
AT&T Cyber Security ( Alien Vault )
Elastic SIEM
Azure Sentinel ( Cloud Native )

Know more about our security offerings https://teksalah.com/cyber-security-solutions-in-uae/

The New Normal ‘Work from home’: Security risks, challenges, and recommendations

By Blogs
Work From Home and Cyber Security Risks

As workforces are mandated to telework in an effort to contain the spread of the COVID19 virus pandemic, At these challenging lock downtimes, almost all the organizations are enabling work-from-home, if not getting ready with the required ICT, Security Cloud infrastructure. Most of the workforce working remotely, and for these types of remote workloads, many of the organizations are not ready and finding it difficult to cope.

VPN Servers to App Delivery to VDI Infra, collaboration tools for all of them their security and availability, performance has now become a critical backbone for organizations. Employees who have never worked remotely are told to work from home or WFH. For many organizations and individuals, this is unchartered territory.

With this blog post, we would like to bring to your notice – a few important cybersecurity risks that a remote workforce may present and some best practices for mitigating those risks.

Whether as part of standard work program or as a component of business continuity plans, for Organizations engaging in telework we would recommend to start with a defined policy – ex ‘Work from home Policy, BYOD policies’- addressing the scope, roles and responsibilities, and mandatory infosec and organizational specific guidelines.

Our recommendations are :

  • VPN Server security and their up-to-date patching
  • Enabling Multi-Factor-Authentication for VPN Accounts and user logins
  • Application Delivery Controllers and enforcing end-point mandatory compliance checks
  • SaaS applications and data, service access protecting with conditional access and logging.
  • Ensuring Mobile Device and Endpoint Management security practice in place for corporate and personal (BYOD) devices.
  • PKI And TLS Security for Document Signing, and Secure email SMIME protection.
  • Tightened email phishing and spam protection measures.
  • Must MDR/ End-point-security software for all the devices.
  • Configuring and limiting maximum load provision, auto-provision setting with your cloud infrastructure/ to protect against misuse.
  • Engaged threat detection, monitoring, protection systems in place for data and Services protection.
  • Ensuring compliance and regulatory standards.
  • Recoverable Backups and working HA systems.
  • And more importantly, given the social-engineering aspect of most attacks, end-user education is more critical than ever.

Need of the hour for many is to enable work-from-home to their employees and to ensure business continuity during these pressing times, it is important to ensure cybersecurity recommendations are taken into consideration to avoid any superimposed security incidents that are very much prevalent these times.

Amid the COVID-19 crisis, In order to help organizations setup required infra and protect remote employees faster, In coordination with our product vendors we are stepping it up and offering some of our products and services free of charge for a limited time. Including support services to help companies through the set-up and deployment processes.

× Hello, How can I help you?