White House Issues Warning on Russian Cyber Attacks

Companies are urged to strengthen their cyber defenses

In a statement on March 21st, 2022, the White House warned American companies to prepare for potential Russian cyberattacks and to boost their cyber defenses.

The statement specifically noted the possibility of these attacks in the wake of sanctions placed on Russia by the United States government and allies. These sanctions come after Russia’s widely condemned invasion of Ukraine and are believed to be having a major impact on the Russian economy. However, Russia has attacked American businesses and governments in the past, and additional attacks can now be expected. As a result, the United States government formally urges all American businesses — large or small — to prepare their own cyber defense and layered security strategy.

Past White House Actions

The statement highlighted the White House’s actions to protect Americans and American businesses from cyberattacks, including:

  • Executive orders that are designed to modernize and improve the cybersecurity of all aspects of the federal government.
  • Combined public-private cyber security plans that are meant to improve the cybersecurity of a variety of critical infrastructure components, including electric, energy, and water pipelines.
  • Mandates that all government agencies use new cybersecurity measures.
  • Increased cooperation among allies — and particularly the G7 nations — that is meant to better coordinate efforts to stop cyberattacks on an international level. 
  • Increased coordination and resource provision with the private sector, specifically by working on expanding and enhancing the CISA Shields Up campaign. This effort — promoted by the Cybersecurity & Infrastructure Security Agency — is meant to give private businesses guidance about the types of cybersecurity measures they can take and resources where they can find these measures.

Recommended Business Actions

The White House statement also noted that even the most robust government defenses cannot stop all attacks. As such, all American businesses are asked to “execute the following steps with urgency.”

  • Require that all company devices and networks use multi-factor authentication (MFA) to gain access. Multi-factor authentication usually requires the use of two devices to gain access to a company network or company data, thus making hacking a company’s network much more difficult.
  • Ensure that all security measures and patches are as up-to-date as possible and consistently update all devices frequently.
  • Work with professionals to ensure that security measures are as robust and complete as possible. This may involve investing more time and money into cybersecurity efforts, but this is likely an expense well worth making, particularly in today’s perilous cybersecurity world.
  • Work to ensure cyber resiliency of their computer networks. This means having all data consistently backed up and potentially using off-site backups to protect data best.
  • Conduct all appropriate cybersecurity risk assessments and cybersecurity training.
  • Plan for a cyber attack. This means training staff and developing the appropriate strategies and procedures for what to do if a network is attacked, breached, or taken down. This may include notification policies in the event that foreign actors access sensitive customer data. 

Long-Term Measures Needed

Finally, the statement noted the need for long-term cooperation from the private sector to boost America’s cybersecurity systems for the foreseeable future. These long-term investments include:

  • Ensuring that cybersecurity is considered throughout an entire product development cycle, not just as something that is added in but something that is part of a product’s entire development. This saves time, money, and work, all while reducing risk.
  • Using software that has as limited access as possible. This can limit the possibility that a bad actor can access critical systems while also ensuring that information cannot be leaked — accidentally or intentionally — by someone else who has access to your data or network.
  • Using the most modern security tools available and creating procedures that ensure your business will constantly be on the lookout for new security upgrades. These procedures can make it so that you routinely look to upgrade your security.
  • Ensuring that all developers who use open-source software and coding list where they got their code from, thus making it easy to patch code later down the line. Create procedures with your software developers that will ensure they stay in touch with your business or organization and can protect their software or code if it is later found to be compromised. 

Resources Are Available

Unfortunately, as has been noted by numerous articles on the subject, the vast majority of businesses say that they are unprepared for a cyberattack. This is understandable: Preparing a cyber defense is beyond the capabilities of most small businesses, which often don’t understand how to implement SEC guidance on cyber security threats, add multi-factor authentication, or engage in appropriate cybersecurity risk assessments. All of this helps to drive home the need for businesses to find appropriate guidance from outside experts who understand cyber security and can help provide small businesses with the resources they need. 

If your business is interested in doing more to improve its cybersecurity strategy, including conducting a cybersecurity risk assessment or examining cyber insurance, vTech IO has a slew of free resources to help guide you through implementing recommended cybersecurity best practices. Check out our free resources, and contact us today if you have more questions and are looking for more information. 

Securing Your Cloud Infrastructure

Cloud computing enables companies to grow without boundaries. However, growth without a solid controls framework can quickly introduce risk to an environment. Gartner says that “Enterprise attack surfaces are expanding. Risks associated with the use of cyber-physical systems and IoT, open-source code, cloud applications, complex digital supply chains, social media and more have brought organizations’ exposed surfaces outside of a set of controllable assets.” Here we’ll discuss some common cybersecurity issues in cloud computing, show you what to look for in your risk assessment and how to mitigate these items.

Cloud Sprawl

Cloud sprawl is the uncontrolled and unplanned growth of computing resources throughout an environment. Cloud resources are easy to create and delete quickly. Unfortunately, this can lead to confusion about how many resources are being used. It also leads to a lack of visibility into the workloads being deployed in the data center.

Preventing Cloud Sprawl

Companies should review and approve requests to provide resources to prevent cloud sprawl. Another strategy to avoid this issue is to implement cloud management software. 

Cloud management software is often designed to report on a company’s cloud usage and the cost of services across different departments or projects. It also helps with provisioning, billing, and analysis, leading to better decision-making about IT resource utilization. 

Data Exposure in Cloud Computing

The HIPAA Journal estimates that between 70% and 80% of organizations surveyed suffered a cloud data breach in the past 18 months (as of June 2020, the date of the report). Data stored in remote locations makes it hard for security personnel to monitor and control access to sensitive information. The issue often occurs unintentionally due to poor configuration settings or not enforcing security measures.

Preventing Data Breaches

The first step in preventing a data breach is having a solid cybersecurity strategy in place. Additionally, companies should:

  1. Restrict access to data
  2. Encrypt all information that is not required for day-to-day operations  
  3. Restrict unauthorized users from accessing services

Shadow IT 

Shadow IT refers to employees outside of IT performing IT functions without authorization. The recent work-from-home trend forced companies to find a way to support their remote workforce. Most turned to cloud solutions. Without adequate protection, employees may knowingly or unknowingly perform unauthorized actions.

Preventing Shadow IT 

Enforce strict policies to prevent employees from accessing applications and systems they don’t have permission to use on their work computers. 

Another cybersecurity strategy to prevent Shadow IT is monitoring internet activity with network monitoring tools, threat detection software, and identity management solutions.

Cloud Service Provider API Compromise

The most critical API security risks include broken object-level, user, and function-level authorization, excessive data exposure, lack of resources (DDoS), security misconfiguration, and insufficient logging and monitoring.

Preventing API Compromise

When designing an API, it is vital to be aware of the potential threats and vulnerabilities. A few tips for preventing your API from being compromised are below:

  • Implement Strict Authentication and Authorization: Provide strict authentication and authorization between client applications requesting data.
  • Secure Data Transmission: Use HTTPS protocol when transmitting sensitive information over both public and private networks (ensure that SSL/TLS certificates are verified).
  • Implement Rate Limiting: With increased use and popularity, APIs are prime targets for DDoS cyberattacks. Avoid this by placing rate limits on how often your API can be called within a specific time. 
  • Use an API Gateway: API gateways manage API traffic. They authenticate, control, and analyze how APIs are used.

The Exploitation of Multi-Tenancy Environments

Multi-Tenancy allows cloud service providers to get maximum hardware utilization, minimizes the cost of operating and maintaining a data center, and offers greater flexibility in provisioning resources. This convenience can create security risks for companies using these shared environments. Specifically:

  • Lack of Isolation: Lack of data isolation in multi-tenant infrastructure makes it a prime target for cyberattacks by competitors or external sources. These attacks happen due to a lack of authorization controls for shared physical resources.
  • Tenant Workload Interference: If one tenant creates an overload, it could negatively impact the workload performance for other tenants.
  • Compromised Virtualization Layer: If a virtualization layer gets compromised, the other virtual machines on the host are impacted. Thus, a malicious user could change configuration settings on each company’s virtual machine.

Mitigating Multi-Tenancy Security Issues

These risks may lead companies to avoid a multi-tenancy environment. However, there are many ways to avoid these issues. For example:   

  • Protect Connections: Use a VPN client for secure data transmissions.
  • Implement Encryption: Encrypt data in transit and at rest with an encryption key management system. 
  • Enforce Access Control: Implement access control lists (ACLs) on all containers that contain sensitive information. 
  • Perform Audits: Perform regular audits about who is accessing what resources. 

Cloud computing gives companies resources to scale their business quickly, efficiently, and cost-effectively. Given the benefits, it is no wonder companies are embracing it for their digital transformation strategy. However, companies should consider the security risks involved. That way, they can plan their transition and minimize their chances of a costly security incident. 

Whether you are just starting your cloud journey or have already migrated your business applications and data to the cloud, vTECH io’s security specialists can support your initiatives and guide you on your way to achieving a robust cloud strategy that ensures productivity, reduces cost and helps you stay one step ahead of the cyber criminals.

Contact us to learn more.

Cybersecurity Implications of the Escalating Russia-Ukraine Conflict

In today’s modern era, global conflicts look a lot different than they used to. With the essential role that computers, cell phones, smart technology and the internet play in our daily, personal and professional lives, there’s no doubt that this vital tech has become a real go-to target on the world stage as of late. As tensions continued to rise to new and uncertain heights between Russia and Ukraine over the past several months, one thing remained abundantly clear: the combat breaking out between the two countries wasn’t just a physical one. Cyberwarfare had begun well before any bullets were fired. But what exactly does potential cyber warfare mean for your organization and how can you ensure cybersecurity preparation? 

The Current Russia-Ukraine Conflict

As Russia and Ukraine enter a state of physical warfare that many have feared for months — even years — now, what many fail to realize is that the two have been engaged in cyberattacks long before things escalated to real blows. As countries like America and the United Kingdom prepare to launch global cyberattacks of their own at a moment’s notice to protect their ally Ukraine against Russia’s continued cybersecurity threats, there’s a real worry that the world’s cybersecurity is at risk. This begs a couple of questions: How legitimate are these threats and what should organizations be prepared for?

As noted by the US Cybersecurity and Infrastructure Agency (CISA), there are no specific or credible cyber threats to the U.S. homeland at this time. However, Russia’s unprovoked attack on Ukraine — which has involved cyber-attacks on the Ukrainian government and critical infrastructure organizations — may impact organizations both within and beyond the region (particularly in the wake of costs imposed by the United States and our allies).

The Increased Risk of Cybersecurity Attacks

The increased risk of cybersecurity attacks — not just in Russia and Ukraine, but the world over — means that your organization needs to be ready for anything and everything that could come next. This could include everything from malware to distributed denial of service (DDoS) attacks to phishing campaigns and all sorts of other cybersecurity risks in between.

To gauge the current threat level and know what exactly it is that you need to prepare for, it’s worth looking to the experts. Take the DHS cybersecurity strategy, for example. This five-year plan of sorts gives you a good idea of how the government plans to handle any serious threats. The DHS’s Cybersecurity Infrastructure Security Agency is another useful place to look. You can also continue to look to vTECH io. We have the know-how and the expertise to help you protect yourself from the threats of ransomware, the dark web or other forms of cyberattacks that might be looming ahead. Read on to know precisely what you need to prepare for. 

What You Need to Prepare For

While Ukraine and Russia have been engaged in cyberattacks for years now, there’s a very real fear that these attacks will spread beyond the borders of these two countries and go global. Your incident response plan is going to be integral in keeping you safe from whatever may come. But how do you know what you need to prepare for? After all, not everyone had the foresight to attend cybersecurity conferences in 2022 or read up on the best cybersecurity strategies before Russia and Ukraine went to war. Preparing for today’s heightened cybersecurity risks starts by taking the following steps to create a cybersecurity strategy and reduce your likelihood of being targeted.

Steps To Take to Reduce the Likelihood of Being Targeted

To reduce your likelihood of being targeted in the heightened security risks between Russia and Ukraine, consider following the steps we’ve outlined below to create your cybersecurity strategy. 

Follow SEC Guidance on Cybersecurity

Many government institutions specialize in making cybersecurity recommendations for organizations. These include the SEC, the CISA and the NYDFS cybersecurity regulation. Take inspiration from these institutions when forming your organization’s cybersecurity preparedness plan.

Get Cyberinsurance

Another important step your organization can take is obtaining cyberinsurance. This kind of policy will protect your organization from liability in any sort of data breach that concerns your customers’ sensitive information.

Invest in Zero-Trust Network Architecture

Zero-trust network architecture is a cybersecurity strategy that assumes every user on your network holds the potential to be a threat, requiring everyone to verify themselves every time they log in. Like blockchain cybersecurity, which uses the blockchain to reduce the risk of fraudulent activity, zero-trust network architecture is a great way to bring maximum security to your preparedness plan.

Hire a Certified Ethical Hacker

Today, you can hire employees who have pursued cybersecurity certificate programs or studied to become cybersecurity majors. These individuals — sometimes referred to as certified ethical hackers — have gotten the cybersecurity certification to keep your organization safe. These educated men and women in cybersecurity know exactly what steps to take to reduce your likelihood of being targeted.

Conduct Cybersecurity Risk Assessment

Last but not least, conducting computer security risk assessment and incident management can be an excellent and foolproof way to mitigate your organization’s risk. By consulting experts in the cybersecurity industry — such as vTECH io — you can get a customized and specialized approach that suits your organization’s unique cybersecurity needs.

The Bottom Line: How vTECH io Can Help

If you’re still feeling uncertain about the current Russia-Ukraine conflict and are unsure of how the increased risk of cybersecurity attacks and incidents might affect your organization, look no further than vTECH io. We have the insight you need on the escalated cyber risk and can help you determine the steps you should take to reduce your likelihood of becoming a target and the severity of the potential damage.

At vTECH io, we stress the importance of the multilayered security approach and the necessity of ensuring that there are no gaps. Our cybersecurity defense framework addresses each of these layers with the utmost care and precision, helping you to detect, prevent, and respond to all cybersecurity incidents that may come your way.

For more information, contact vTECH io today or visit our website, where you will find a library of downloadable resources on the different areas we can assist in your cybersecurity preparedness plan.

American worldwide logistics and freight forwarding company Expeditors International shuts down global operations after cyber attack

American logistics and freight forwarding company Expeditors International was hit by a cyberattack over the weekend that paralyzed most of its operations worldwide.

Expeditors has over 18,000 employees worldwide and annual gross revenue of around $10 billion. The company discovered the attack on February 20, 2022. It has not provided details about the attack and announced that it has launched an investigation into the incident.

“Expeditors International of Washington, Inc. (NASDAQ:EXPD) announced that on February 20, 2022, we determined that our company was the subject of a targeted cyber-attack. Upon discovering the incident, we shut down most of our operating systems globally to manage the safety of our overall global systems environment,” reads the announcement published by the company. “The situation is evolving, and we are working with global cybersecurity experts to manage the situation. While our systems are shut down we will have limited ability to conduct operations, including but not limited to arranging for shipments of freight or managing customs and distribution activities for our customers’ shipments.”

The information publicly available on the attack suggests the company was the victim of a ransomware attack and was forced to shut down its network to keep the threat from spreading.

The attack impacted the company’s operations, including the capability to arrange for shipments of freight or manage customs and distribution activities for its customers’ shipments.

The company hired cybersecurity experts to investigate the security breach and recover from the attack.

The company warned the incident could have a material adverse impact on its business, revenues, results of operations and reputation.

“We are incurring expenses relating to the cyber-attack to investigate and remediate this matter and expect to continue to incur expenses of this nature in the future. Depending on the length of the shutdown of our operations, the impact of this cyber-attack could have a material adverse impact on our business, revenues, results of operations and reputation,” concludes the advisory.

Fortinet Security Researchers Discover Multiple Vulnerabilities in Adobe Illustrator & Photoshop

By Kushal Arvind Shah and Yonghui Han | February 10, 2022

Affected platforms: Windows and MacOS

Impacted parties:

  • Users of Adobe Illustrator 2022, versions 26.0.2 and earlier
  • Users of Adobe Illustrator 2021, versions 25.4.3 and earlier
  • Users of Adobe Photoshop 2022, versions 23.1 and earlier
  • Users of Adobe Photoshop 2021, versions 22.5.4 and earlier

Impact: Multiple vulnerabilities leading to Arbitrary Code Execution or Information Disclosure.

Severity level: Critical and Important

Toward the end of 2021, Fortinet security researchers Kushal Arvind Shah and Yonghui Han discovered and reported numerous zero-day vulnerabilities in Adobe Illustrator and Photoshop. This Patch Tuesday (dated Feb 08, 2022), Adobe released several security patches (1 and 2) which fixed 14 of them. These vulnerabilities are identified as CVE-2022-23186, CVE-2022-23188, CVE-2022-23189, CVE-2022-23190, CVE-2022-23191, CVE-2022-23192, CVE-2022-23193, CVE-2022-23194, CVE-2022-23195, CVE-2022-23196, CVE-2022-23197, CVE-2022-23198, CVE-2022-23199, and CVE-2022-23203. All of these vulnerabilities have different root causes pertaining to a multitude of Illustrator and Photoshop Plugins. Due to the severity of these vulnerabilities, we suggest users apply the Adobe patches as soon as possible.

Following are some details on these vulnerabilities. More information can be found on the related Fortinet Zero Day Advisory pages by clicking on the CVE links, below:

CVE-2022-23186

This is an Arbitrary Code Execution vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes an Out of Bounds Write memory access due to an improper bounds check. 

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted CDR file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23186.Arbitrary.Code.Execution for this specific vulnerability to proactively protect our customers.

CVE-2022-23188

This is a Buffer Overflow vulnerability in the Adobe Illustrator ‘MPS’ plugin. Specifically, the vulnerability is caused by a malformed Macintosh Picture Image (PCT) file, which causes an Out of Bounds Write memory access due to an improper bounds check when manipulating a pointer to an allocated buffer.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted PCT file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23188.Buffer.Overflow for this specific vulnerability to proactively protect our customers.

CVE-2022-23189

This is a Null-Pointer Dereference vulnerability that exists in the decoding of AutoCAD Drawing (DWG) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed DWG file, which causes a NULL pointer dereference. 

Attackers can exploit this vulnerability with a crafted DWG file, potentially leading to an application denial-of-service.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23189.Null.Pointer.Dereference for this specific vulnerability to proactively protect our customers.

CVE-2022-23190

This is a Memory Corruption vulnerability that exists in the decoding of Computer Graphics Metafile (CGM) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CGM file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘Reader_for_CGM’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CGM file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23190.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23191

This is a Memory Corruption vulnerability that exists in the decoding of Macintosh Picture Image (PCT) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed PCT file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘MPS’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted PCT file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23191.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23192

This is a Memory Corruption vulnerability existing in the decoding of Adobe Illustrator Artwork (AI) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed AI file, which causes an Out of Bounds memory access due to an improper bounds check.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted AI file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23192.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23193

This is a Memory Corruption vulnerability existing in the decoding of Portable Document Format (PDF) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed PDF file, which causes an Out of Bounds memory access, due to improper bounds check.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak, via a crafted PDF file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23193.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23194

This is a Memory Corruption vulnerability that exists in the decoding of Computer Graphics Metafile (CGM) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CGM file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘Reader_for_CGM’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CGM file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23194.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23195

This is a Memory Corruption vulnerability that exists in the decoding of Computer Graphics Metafile (CGM) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CGM file, which causes an Out of Bounds Read memory access due to an improper bounds check. The specific vulnerability exists in the ‘Reader_for_CGM’ plugin.

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CGM file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23195.Memory.Corruption for this specific vulnerability to proactively protect our customers.

CVE-2022-23196

This is a Memory Leak vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes an Out of Bounds memory access due to an improper bounds check. 

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CDR file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23196.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-23197

This is a Memory Leak vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes an Out of Bounds memory access due to an improper bounds check. 

Attackers can exploit this vulnerability for unintended memory reads, potentially leading to a memory data leak via a crafted CDR file.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23197.Memory.Leak for this specific vulnerability to proactively protect our customers.

CVE-2022-23198

This is a Null-Pointer Dereference vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes a NULL pointer dereference. 

Attackers can exploit this vulnerability with a crafted CDR file, potentially leading to an application denial-of-service.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23198.Null.Pointer.Dereference for this specific vulnerability to proactively protect our customers.

CVE-2022-23199

This is a Null-Pointer Dereference vulnerability that exists in the decoding of CorelDraw Drawing (CDR) files in Adobe Illustrator. Specifically, the vulnerability is caused by a malformed CDR file, which causes a NULL pointer dereference. 

Attackers can exploit this vulnerability with a crafted CDR file, potentially leading to an application denial-of-service.

Fortinet released IPS signature Adobe.Illustrator.CVE-2022-23199.NULL.Pointer.Dereference for this specific vulnerability to proactively protect our customers.

CVE-2022-23203

This is a Buffer Overflow vulnerability existing in the decoding of Universal 3D (U3D) files in Adobe Photoshop. Specifically, the vulnerability is caused by a malformed U3D file, which causes an Out of Bounds memory access due to improper bounds check. The specific vulnerability exists in the ‘U3D’ plugin.

A remote attacker may be able to exploit this vulnerability to execute arbitrary code within the context of the application via a crafted U3D file.

Fortinet released IPS signature Adobe.Photoshop.CVE-2022-23203.Arbitrary.Code.Execution for this specific vulnerability to proactively protect our customers.

How to protect your network from a future attack

While it’s certainly wise to make the initial fixes to strengthen your defenses, these actions need to be applied on a regular basis

A new report on how to protect your networks from attack can be a helpful document that covers a lot of different bases within the cybersecurity landscape. The report, Proactive Preparation and Hardening to Protect Against Destructive Attacks, was written by several cybersecurity analysts “based on front-line expertise with helping organizations prepare, contain, eradicate, and recover from potentially destructive threat actors and incidents,” in the words of the authors.

It contains hundreds of tips for protecting Windows deployments, including command-line strings, adjustments to various group policy parameters, and other very practical tips for spotting potentially compromised systems.

While reading the report is sobering because of its enormity of vision, that same vision is also tremendously useful and can serve as a blueprint for how IT and security managers can prepare for the inevitable attack, no matter if you’re the size of General Motors or the corner flower shop. The report covers several specific areas that require strengthening.

Active Directory hardening and backups

Organizations should verify that backups for domain controllers and critical assets are available and protected against unauthorized access or modification. System state backups are recommended, and the report shows the commands to initiate and verify them. The report also has loads of suggestions on malware “tells” that security managers can look for, such as unauthorized users accessing backup media or shadow copies being deleted (a common event that precedes a ransomware attack).
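One way to watch for the shadow-copy “tell” described above is to match process-creation records against the well-known Windows utilities that delete shadow copies or the backup catalog. This is an added example, not code from the report; the log layout, host names and the authorized backup account are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: tab-separated process-creation records (time, host,
# user, command line), shaped like an export of Security event 4688 or
# Sysmon event 1. Hosts and accounts are invented for this example.
SAMPLE_LOG = (
    "2022-03-21T02:14:07Z\tFS01\tCORP\\svc_backup\twbadmin start systemstatebackup -backupTarget:E: -quiet\n"
    "2022-03-21T09:41:55Z\tWS117\tCORP\\jdoe\tcmd.exe /c \"C:\\Windows\\System32\\vssadmin.exe  Delete Shadows /All /Quiet\"\n"
    "2022-03-21T09:42:03Z\tWS117\tCORP\\jdoe\twmic  SHADOWCOPY delete\n"
    "2022-03-21T09:42:10Z\tWS117\tCORP\\jdoe\tpowershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"\n"
    "2022-03-21T09:43:31Z\tDC02\tCORP\\admin2\tvssadmin list shadows\n"
    "2022-03-21T09:44:40Z\tDC02\tCORP\\admin2\twbadmin delete catalog -quiet\n"
    "2022-03-21T23:00:00Z\tFS01\tCORP\\svc_backup\tvssadmin delete shadows /for=E: /oldest\n"
)

# Patterns run against the normalized (lowercased, unquoted) command line.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("WMI Win32_ShadowCopy Delete()",
     re.compile(r"win32_shadowcopy.*\bdelete\(\)")),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)\b")),
]


@dataclass(frozen=True)
class Finding:
    time: datetime
    host: str
    user: str
    rule: str
    severity: str  # "alert", or "review" for an account expected to prune backups


def normalize(cmdline):
    """Lowercase, drop quotes and collapse whitespace so that case and
    spacing differences do not defeat the patterns."""
    cleaned = cmdline.lower().replace('"', " ").replace("'", " ")
    return " ".join(cleaned.split())


def detect(log_text, authorized_users=frozenset()):
    """Return one Finding per record that deletes shadow copies or backups.

    authorized_users holds lowercased DOMAIN\\user names (an assumption of this
    example); their hits are kept but downgraded to "review", never dropped.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing fields
        ts, host, user, cmdline = parts
        norm = normalize(cmdline)
        for name, pattern in RULES:
            if pattern.search(norm):
                severity = "review" if user.lower() in authorized_users else "alert"
                when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                findings.append(Finding(when, host, user, name, severity))
                break  # one finding per record is enough
    return findings


def alerts_by_host(findings):
    """Count alert-level findings per host; several on one host is urgent."""
    counts = {}
    for f in findings:
        if f.severity == "alert":
            counts[f.host] = counts.get(f.host, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG, authorized_users={"corp\\svc_backup"})
    for f in hits:
        print(f.time.isoformat(), f.host, f.user, f.severity, f.rule)
    print(alerts_by_host(hits))
```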

Network segmentation

Organizations should have both physical and logical separation between IT domains and operational technology processes and controls. This means having separate AD forests and network segments, and accounting for the IP protocols and ports that could bridge the divide between the two domains. One common indication of potential compromise is a failed login attempted across domains, where an attacker is trying to reuse credentials to move around your infrastructure.

Disable administrative access wherever possible

Auditing and limiting this access is another security mechanism, since many organizations have created far too many accounts with a wide collection of permissions. The report suggests using registry key modifications and stopping certain service accounts (or using group policies to get this under control), and it provides the necessary commands to track and lock down these accounts, along with detecting and preventing abuses of other privileged accounts.





RDP hardening

As we wrote about earlier this year, the Remote Desktop Protocol (RDP) can be a major way for attackers to enter your networks. Organizations should periodically scan their public IP address ranges to ensure that no systems have ports 445 and 3389 open. That earlier article has other suggestions to lock down this vulnerability, and the report also has additional proactive measures, such as using network-level authentication settings in group policies and using RDP’s restricted admin mode.

We suggest reading through the full report to explore the full collection of tips and research that it contains. Before you get overwhelmed, though, you should realize that the report shows how you need to be making these changes and looking for possible compromised systems on a regular basis after you’ve implemented these “hardening” activities.

Many organizations don’t have regular follow-ups to see if changes to their network infrastructure or securing the accounts of former employees are actually done. While it’s certainly wise to make the initial fixes to strengthen your defenses, these actions need to be applied on a regular basis.

Published with permission from Avast Business


2022 Top Security Trends and Challenges

Check out our video interview with John Maddison, Chief Marketing Officer (CMO) and Executive Vice President (EVP) of Products for Fortinet, as he discusses changes and challenges in the networking landscape. Maddison will explore top trends and challenges enterprises are facing right now and the solutions to handle them.

Maddison has 30 years of executive management experience in the cybersecurity and telecommunications industries.

This transcript has been edited for clarity.

What trends are you seeing as the corporate networking landscape evolves?

There’s always been three drivers that influence this industry evolution. There is the threat landscape, the cybercriminals. We know what tactics they’re using and what they’re going after. There is the infrastructure of the company. So as companies move their infrastructure, they have to make changes to their cybersecurity architectures and postures. And then the third one is really regulatory and compliance.

It’s these three factors that have driven these changes in the industry to a certain degree. And depending on the period in time, if you go back into between 2000 and 2010, the threat landscape changed a lot, but the infrastructure was pretty consistent. In 2010 to 2017, the infrastructure changed a lot with cloud and IoT and all these things.

So, you’ve got this threat landscape that is moving very rapidly. You’ve got people continuing with their digital acceleration, especially with COVID driving that. And you’ve got regulatory and compliance with governments and regulations, with certifications, etc. And so, I think that that’s what’s causing the security industry to be very dynamic right now. And so, from a threat landscape perspective, there has been a shift in the last two years.

When I say a shift, I still think cybercriminals are after data, IDs, credit cards, and a lot of state-sponsored stuff such as intellectual property. But now we’re seeing new ransomware threats. In the data from our own survey we’re seeing ransomware increase around 10x over the last 18 months, it’s a new type of threat. It’s closing down your operation.

Colonial Pipeline was probably the most public example we’ve seen in the last year, but it’s happening all the time. And in fact it’s happening to a lot of small- and medium-sized businesses. As you know, ransomware attacks will say: “Well, I’ll bring your manufacturing shop up if you pay us $10,000.” And the businesses do it and everyone moves on. So, it’s just a huge crime wave.

And now that these cybercriminals are using Bitcoin they can disguise where the money is and get away with it. From the infrastructure perspective, I think the digital acceleration of COVID has driven this kind of work from anywhere, remote, making sure that all businesses are digitally connected. Everything’s firing off right now and causing customers to worry.

And across all of this, probably an area that we’ll talk about in a minute is the skill set.

There are not enough people in normal jobs, never mind a very skilled cybersecurity professional working on containers in the cloud, you can just forget getting those people. It’s an interesting environment today, and the supply chain’s another piece of it as well.

What challenges do organizations face with the shift to a work-from-anywhere model?

I think what enterprises did initially and small businesses to some degree say, “let’s get everyone on remote access, security, encrypted, VPN access. Let’s get them at least secured in such a way, everyone’s got endpoint security sitting on there.” And I think what people are saying now is, “hey, we’re 18 months later on, this isn’t going to change in the next 18 months either.”

And I like the concept of working from anywhere versus working from home. Because, me personally, I’m in the office today. You can’t tell from my gray background here but over there’s a nice, lovely view of the Apple campus to our right there. So, I’m in the office maybe two or three days and I’ve got a half a day back in the home office, which I really wanted to get out of as quickly as possible.

And then I think coming up in the new year is a bit of travel assuming COVID doesn’t get out of control again. So, this work from anywhere means you’re going to have a consistent user experience. So, for me, I don’t want to be changing things around just because I’m on a plane or I’m at my office. But then you need the security to be automatic as well. And so, this work-from-anywhere architecture is not just a single product, it’s not just an endpoint, it’s not just some secure home networking, it’s a new application plane approach.

For instance, we acquired recently a majority stake in Linksys. So, regarding everywhere security, it’s not just a zero-trust policy engine, it’s not just some cloud security, it’s all of those things that come together, but it needs to be a seamless user experience and the ability for enterprises to control the security capabilities. That’s going to be with us for a long time and customers and enterprises are saying, “I’ve got to invest in the long term for this.”

What challenges come from digital transformation?

What this digital acceleration or transformation is doing is causing customers to upgrade their networks and infrastructure to be more flexible, be more dynamic, and be more agile in a way to be able to bring applications more quickly. And what that does is, as I said right at the beginning of this conversation, that this acceleration is great, but it expands our dependency on remote networks.

So, I’ll give you an example of a retail outfit two years ago. They had internet connectivity to my retail. Did it matter that much if the network went down? My guest WiFi went down in my coffee shop of course, but I’m going, “no, not really. Oh, the WiFi’s down. Oh, we’ll fix it next week.” Today, if that’s down, they’re not getting orders.

We’re seeing customers require highly available and highly secure connectivity to all these. So that’s just one example of when you put more digital emphasis on your business. The network’s very important, the applications are very important, and the agility across there is very important as well.

How do your customers describe the threat landscape?

What customers are realizing is first of all, and we’ve known this for a while, is that I don’t care if I’ve spent a hundred million dollars a week on cybersecurity, I’m still going to get compromised in some way because I don’t control everything. I don’t control the whole supply chain. You’ve got to build something that’s going to accept at some point that some vulnerability or some compromise or something happens.

The question is, can you detect these vulnerabilities as quickly as possible? And then can you respond to it as quickly as possible? So, this movement from traditional protection technologies, which are pretty static, to detection and response technologies, customers are overwhelmingly starting to invest in that. But it all becomes part of a platform, but they just realized the sophistication.

We’ll see a lot of the new threats in the wild. What they call the “kill-chain sequence” is format, which goes, “hey, I got to do some reconnaissance, then I do an infection. And then I take some information and then I use it in malicious ways.” But we’re seeing people at the very front end of these kill chains doing a lot of reconnaissance. So, your external assets, which you would never normally think about, your DNS service or web service, are always sitting in different spaces. You need to look at those as well.

It’s getting very complex. Imagine a small business trying to do all this as well. I mean they rely heavily on their partners. We’re a very partner-focused company. Again, I think it comes back to a lot of the training and education that’s needed against these threats, but also the compliance with what you’re trying to build from a digital perspective.

How can companies address the skills gap in the security landscape?

We have an IT awareness system, which customers can use free of charge. When we do a survey we’re still getting like 6% to 8% of people clicking on suspicious emails and links. They’re not even very sophisticated dummy phishing emails. They’re pretty bad, in fact. Even if you could halve that you could reduce your attack surface quite a bit.

And then on the flip side, there is this training of cybersecurity professionals – either to be a security analyst or to understand how you build a secure network, how to secure your cloud applications. Finding qualified candidates, that’s a bigger problem.

As I said, we here at Fortinet provide free training for customers and partners. We’ve even been re-skilling some veterans, bringing them into the talent pool, which has been very exciting to see.

In all honesty it’s a big industry problem and we’re trying our best to help but I think it’s going to be problematic and you’ll see some customers go, “well, I just haven’t got the people, or I can’t keep the people, so maybe I do some more outsourcing.” It’s likely we’ll see some outsourcing trends as well.

What is the best strategy to secure a network?

I think there’s two key trends. One is, I think customers are saying, “I just can’t get my 20 or 30 vendors to work together nicely so I’m going to go to more of a platform approach.” This approach is known as something called the security fabric. Gartner just came out with a very similar concept called the mesh. The cybersecurity mesh architecture says the endpoints should be able to talk to the network to understand what’s going on in the cloud.

Today, that’s three different vendors that don’t want to talk to each other. I’m not saying you go from 20 or 25 vendors down to one. I would never advise that, but maybe you go from 25 vendors to maybe five or six platforms that each have a specific use case, and they all work together. I think this concept of a platform is gaining momentum. I think over the years a lot of people have invested heavily into point products, and that’s changing. I think people are saying, “enough is enough. I just can’t keep buying stuff that doesn’t even work together.”

This platform approach is the No. 1 approach for businesses today. I call this consolidation. It’s not like you’re getting rid of the endpoint security or the network security. You’re just saying, “I’ll go with the same vendor so it works together.”

And another big concept, which is probably the foundation of our company, Fortinet, over the last 20 years is convergence.

When you think about the internet and the way it was built, things like routers, and networking, and WiFi, each component is totally unaware of users. It’s totally unaware of devices. It’s totally unaware of where you are, where you’re trying to get to, which application’s trying to run, what content you’re sending. Today, these components are simply routing stuff with little verification on the actual packets being sent.

Now, there are some things in place that maybe authenticate you when you first get on so I’m not saying it’s completely. But most of the time the traditional network and the internet that was built 30 years ago has no clue what’s going on, to be honest. Apart from “I need to get you over here. I don’t care who you are or what you’ve got.” And so this convergence of security networking is a really good example of why people transfer from routing to application or SD-WAN.

I’m not just looking at the IP, I don’t really care what the IP address is, but I want you to get to this application. That’s what’s important. Now, what this evolved approach says is let’s look at the content and what’s inside there: it could be bad or it could be good. This zero-trust approach where I understand, “who is this user? Do they belong to this device? Are they supposed to get to this application? Are they allowed to?”

So yeah, there’s a big transformation coming there on convergence and a big push toward the platform approach. Those are the two mega concepts. Yes, you’ve got some things like SASE (secure access service edge) and these other concepts, which are kind of transient buzz terms in my view. The big ones are convergence and platform.


Beware of a new and dangerous RDP exploit

RDP can be a challenge to implement — here are a few steps that you can take to secure its use

The often-exploited Remote Desktop Protocol (RDP) is once again in the news. This time, it has a new attack vector that was discovered by researchers and subsequently patched earlier this month by Microsoft. Given that all versions of Windows for the past 10 years – for both desktop and server – need to be patched, you should put this on your priority list, especially since this new problem can be easily exploited.

RDP has a valuable function in today’s connectivity. It is used often as a way to provide remote access so that users don’t need to physically sit in front of their computers or servers. However, this utility has given the protocol a dark past and made RDP a security sinkhole. One of the more infamous attacks was called BlueKeep, which we covered when it happened in 2019. That was a full-on remote execution vulnerability that triggered warnings from the US National Security Agency for quick patching.

As a side note, the response to BlueKeep included help from Marcus Hutchins, who found a way to stop the WannaCry outbreak back in 2017. We also wrote how RDP is one of the more common ways that ransomware attacks can be launched and can also be used to initiate denial of service attacks.

In the latest incarnation of RDP exploits, hackers can gain access to data files using a man-in-the-middle attack across a Windows feature known as Named Pipes. This is a feature of Windows that was created more than 30 years ago to provide application-to-application communication that can connect processes on the same computer or across a network.

RDP needs to be implemented with care, as the protocol itself doesn’t have any inherent security features (such as the secure versions of Domain Name System or email protocols). Indeed, you might say that it has inherent insecurities, including:

  • A well-known TCP/IP port (3389): Easy to track by hackers.
  • Weak sign-in credentials: If users have a weak Windows login, hackers can use credential stuffing or brute force attacks to compromise this password.
  • Numerous ways to exploit remote connections: The latest issue (Named Pipes) is merely one of many ways that attacks can worm their way into your systems. Attackers can bring up “Show Options” or Help menus when first connecting to the remote gateway, both of which could allow file directory browsing or a bypass of file execution block lists.

All of this makes for challenging implementations of RDP. Here are a few steps that you can take to secure its use:

1. Disable RDP when it isn’t needed. You should try this when you’re patching everything, as is suggested by Microsoft.

2. Use better passwords, especially on your local Windows equipment. Employ password managers and single sign-on tools. You have heard this advice before, no doubt, but it remains key!

3. Lock down port 3389, either through your network firewalls or other security tools. This can be tricky, because so many users might require remote access and all it would take to pull off an RDP exploit would be to compromise a single desktop.

4. Invest in better antivirus. Remote Access Shield is one of the features available in Avast Premium Security that can block RDP exploits.

5. Create more effective Active Directory group policies that block and allow specific applications and remote help options to be run remotely. Also, be sure to audit who has administrative privileges to ensure that the absolute minimum number of people have access.
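To check where a host stands on these steps, and on the network-level authentication and restricted admin settings mentioned in the hardening article earlier on this page, the RDP-related registry values can be audited from a `reg export` file. This is an added example, not code from Avast or Microsoft; the export below is constructed, and the value names are the standard Windows ones rather than anything quoted on this page.

```python
import re

# Constructed sample in the text format written by `reg export`.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000000
"PortNumber"=dword:00000d3d

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"UserAuthentication"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"DisableRestrictedAdmin"=dword:00000001
"""

# Registry keys are case-insensitive, so everything is compared lowercased.
TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
RDP_TCP_KEY = TS_KEY + r"\winstations\rdp-tcp"
POLICY_KEY = r"hkey_local_machine\software\policies\microsoft\windows nt\terminal services"
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Return {(key, value_name): int} for every DWORD value in the export."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1).lower()
            continue
        dword = DWORD.match(line)
        if dword and key is not None:
            values[(key, dword.group(1).lower())] = int(dword.group(2), 16)
    return values


def effective(values, name, local_key):
    """A value set by Group Policy (under the Policies key) overrides the
    local setting, so look there first."""
    for key in (POLICY_KEY, local_key):
        if (key, name) in values:
            return values[(key, name)]
    return None


def audit_rdp(reg_text):
    """Report RDP state and hardening gaps as short finding codes."""
    v = parse_reg(reg_text)
    # fDenyTSConnections = 0 means connections are accepted. A missing value
    # is treated as "not enabled" here because the export cannot confirm it.
    if effective(v, "fdenytsconnections", TS_KEY) != 0:
        return {"rdp_enabled": False, "port": None, "findings": []}
    findings = ["RDP_ENABLED"]  # step 1: confirm the host really needs RDP
    # UserAuthentication = 1 requires Network Level Authentication.
    if effective(v, "userauthentication", RDP_TCP_KEY) != 1:
        findings.append("NLA_NOT_REQUIRED")
    # DisableRestrictedAdmin = 0 turns Restricted Admin mode on; a missing
    # value is treated as off (assumption of this example).
    if v.get((LSA_KEY, "disablerestrictedadmin"), 1) != 0:
        findings.append("RESTRICTED_ADMIN_OFF")
    # The listening port is the one the firewall rule in step 3 must cover.
    port = v.get((RDP_TCP_KEY, "portnumber"), 3389)
    return {"rdp_enabled": True, "port": port, "findings": findings}


if __name__ == "__main__":
    print(audit_rdp(SAMPLE_REG))
```

In the sample, the local value leaves network-level authentication off but the policy value turns it on, so no NLA finding is raised.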

Used with Permission from Avast


Distributed Workforce Security

The pandemic turned the workforce on its head. Forced to transition to a remote-first environment quickly, many were caught off guard. Now, many find themselves ensnared in a battle to deal with the security risks of remote workers. To make matters worse, there appears to be no going back. A recent Upwork survey indicates that 36.2 million Americans will be working remotely by 2025. This year, companies are taking a hard look at their security posture in preparation for the cybersecurity risks in a remote-first workplace. Let’s discuss a few of the issues companies will face and a few suggestions on how to deal with them.

Increased Cybersecurity Threats for Productivity Endpoints

The spike in remote work increases the landscape of an already threat-filled cybersecurity environment. And it’s not just employee devices such as MacBooks and Windows laptops that pose a problem. Companies are now also dealing with endpoints created by increased reliance on cloud resources such as Virtual Machines (VMs) and containers. Given this, a new approach to deal with these endpoints is needed. So what needs to be done?

Protection Above the OS

On-device encryption is a critical first step in securing these devices. Additionally, it is important to have monitoring and threat detection in place with robust plans to remediate issues. While necessary, these tools should not slow down the device. Doing so could frustrate workers and lead them to try and circumvent these measures.

This is evidenced in a recent study by HP that indicates that “full 30% of remote workers under the age of 24 say that they circumvent or ignore certain corporate security policies when they get in the way of getting work done. While the young cohort is most likely to buck the system, 67% of IT leaders say they get ‘weekly’ complaints about restrictive policies and 48% of all workers feel that these measures are a waste of time.”

Protection Below the OS

Increased firmware and hardware attacks put the BIOS and chip authentication mechanisms at risk for hacking. If compromised, a hacker has access to all data and credentials stored on the machine. All of which allows them to infiltrate the network and launch a broader attack on the organization’s IT infrastructure.

Artificial Intelligence and Machine Learning

The sophistication of cybersecurity threats increases daily. Traditional threat detection systems are struggling to keep up. Companies can no longer afford to wait days for a software update or patch. They need real-time protection to give them the best chance of protecting their infrastructure. AI and ML-based security tools can do just that. They can observe behavioral patterns to spot unusual activity.

BYOD Challenges

Bring Your Own Devices (BYOD) have always made the IT department shudder. For many companies, the potential to save money downplayed the security risks associated with it. With BYODs the company does not have to purchase new devices for employees. Plus, allowing them to use their devices cuts down on the learning curve because they are accustomed to using these devices. This flexibility, however, poses a major threat to data security.

IT has little to no control over these devices. As an example, many companies perform patches and upgrades after hours. Without direct access to these devices, these types of upgrades could be delayed, furthering their exposure to cybersecurity threats.

The problem is that many employees don’t know best practices such as using a VPN or not saving company data on their devices. Equipping employees with knowledge will go a long way towards reducing the many cybersecurity threats. A good training program should cover the following items.

Physical Security: Educate employees on what they must do to secure devices. Not only that, outline what they must do to protect their physical workspace.

Password Best Practices: Teach employees how to set strong passwords. Help them to understand why password security is important. Also, teach them best practices such as not writing passwords down or sharing them.

Safeguard Work Data: Instruct them on how to use secure connections to a VPN. Also, make sure they use encryption software and up-to-date antivirus and anti-malware protection on their devices.

Social Engineering

The average organization is targeted by over 700 social engineering attacks in a year. In the office, employers can install technological controls to reduce the risks of these types of attacks. Working from home makes employees less vigilant about security.

Employees don’t realize that even the simplest request can pose serious risks. Consider, for example, a criminal who targets two or three employees. The criminal sends a fake email that looks like it comes from the person’s manager. The message stresses that the person needs to send a password to ensure everyone gets paid on time. Here, the attacker used fear and exploited the human inclination to be helpful to gain sensitive information.

Remote work isn’t going away. It is becoming the new norm. Given this, companies must take additional measures to protect their systems in a landscape where they have less control over employee devices and networks.

 

VTech io has built a full layered security solution designed to protect each segment of the network. Our services include a cybersecurity risk assessment, network monitoring services, enterprise email security, and vulnerability and penetration testing services, to name a few.

Also, watch this video for a great overview:

https://www.youtube.com/watch?v=sntNA5Z4h38

 


3 Top Tools for Defending Against Phishing Attacks

By: Justin Jett

Phishing emails are now skating past traditional defenses. Justin Jett, director of audit and compliance at Plixer, discusses what to do about it.

Even with the most sophisticated email scanning and phishing detection system available, phishing emails are still a very common intrusion vector for cybercriminals to use to introduce malware, including ransomware, to a business’ network. That’s because 1) increasingly, legitimate systems are used; and 2) phishing emails can also be effective even when employees are highly educated and are good at spotting and reporting them.

Fortunately, there are tactics to protect your network even when the emails can’t be stopped outright.

Increasingly Effective Phishing

When legitimate email systems are compromised and begin sending out malicious emails from a valid source, the efficacy of phishing is magnified. This was what happened over the weekend when one of the FBI’s email systems was hacked to send out fake cybersecurity alerts to thousands of people.

While the email that was sent out didn’t appear to contain any phishing links, it does show that such email compromises can introduce significant security challenges for IT professionals. Most people who received the email would be unlikely to question its legitimacy—even if they looked at the email headers—because the email came from where it said it came from (in the above case, from the FBI).

This type of compromise is extremely dangerous. It renders email authentication mechanisms like DMARC, SPF and DKIM useless since the email originates from an authorized source, which means that anti-spam and anti-phishing software is much less likely to flag the message as malicious.
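The point can be seen in the Authentication-Results header that a receiving gateway stamps on each message: a message sent from a compromised but legitimate system passes every check, so a pass can only mean "keep inspecting", never "trust". This is an added example, not code from the article; both messages are constructed, and the gateway name mx.example.net and the two action labels are assumptions.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumption: the receiver's own gateway

# Constructed: sent through the real (compromised) system of agency.example.
COMPROMISED_SENDER = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=alerts.agency.example;
 dkim=pass header.d=agency.example;
 dmarc=pass (p=reject) header.from=agency.example
From: Security Alerts <alerts@agency.example>
Subject: Urgent: threat actor in systems

Constructed body of a fake alert.
"""

# Constructed: same From line, sent from elsewhere. The second header was
# supplied by the sender and must not be believed.
SPOOFED_SENDER = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=bulk.example;
 dkim=none;
 dmarc=fail (p=reject) header.from=agency.example
Authentication-Results: relay.invalid; spf=pass; dkim=pass; dmarc=pass
From: Security Alerts <alerts@agency.example>
Subject: Urgent: threat actor in systems

Constructed body of a fake alert.
"""

COMMENT = re.compile(r"\([^()]*\)")


def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv-id, results).

    results maps each method (spf, dkim, dmarc) to its result and properties.
    """
    # Unfold the header and drop comments before splitting, so a ';' inside
    # a comment cannot break a clause in two.
    value = COMMENT.sub(" ", " ".join(value.split()))
    parts = [p.strip() for p in value.split(";")]
    first = parts[0].split()
    authserv_id = first[0].lower() if first else ""
    results = {}
    for clause in parts[1:]:
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue  # e.g. the bare "none" clause
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return authserv_id, results


def evaluate(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Collect the gateway's SPF/DKIM/DMARC verdicts and pick a next step."""
    msg = message_from_string(raw_message)
    verdict = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(header))
        if authserv_id != trusted_id:
            continue  # anyone can add this header; only our gateway's counts
        for method in ("spf", "dkim", "dmarc"):
            if method in results:
                verdict[method] = results[method]["result"]
    # A pass proves which domain sent the mail, not that the mail is benign,
    # so the best outcome is still a content and link scan.
    verdict["action"] = "quarantine" if verdict["dmarc"] == "fail" else "content-scan"
    return verdict


if __name__ == "__main__":
    print(evaluate(COMPROMISED_SENDER))
    print(evaluate(SPOOFED_SENDER))
```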

Regardless of the actual damage done, the fact remains that such compromises enable malicious actors to execute very effective phishing attacks. So, if the email system has been compromised, what can organizations do to protect their networks from such attacks?

Protecting the Network when Phishing Can’t Be Stopped Outright

There are many resources that network and security professionals should use to protect the business from major attacks. While it would be too exhaustive to list them all, let’s explore a well-rounded, multi-layered approach to try to stop these attacks from gaining control of the network:

1. Advanced Email Security

Although email security is not infallible, as discussed above, there are some functions within email security that should be enabled so that the likelihood of infection from compromising emails is as low as possible.

One of the most effective ways of stopping phishing attacks is to enable link protection in the corporate email settings. Such protections have the email system open any links and remove the ones that lead to malware downloads. Obviously, this protection can’t defend against all nefarious links, but it certainly can help reduce the number of malicious links that make it through to inboxes.

Setting higher spam-filter levels can also help block emails that have malicious intent. These settings use advanced heuristic modeling to look for poorly worded emails, or emails that have wording like other known malicious emails. Again, while not perfect, it’s certainly an important first line of defense.

2. Intrusion Detection and Prevention Systems

Hopefully, all organizations already have firewalls in place to block well-known malware from making it onto the network; however, some don’t have systems in place to block malware from spreading once it does enter. Intrusion detection and prevention systems enable organizations to find (detection) and eliminate/alter (prevention) the attack before it can take hold of other systems. These systems are often used as a coordinated effort with the endpoint protection (antivirus) that helps eliminate viruses and common malware.

There is one caveat here: These systems, while very sophisticated, are not as effective at finding relatively new malware or malware that is effective at hiding for long periods of time. This is because the system looks at packets as they traverse the network and thus often misses malicious activity that moves across the network in sporadic time intervals over days or months. Thus, they, like advanced email security, should be included as part of a broader approach that includes other defenses.

3. Flow-Based Network Detection and Response (NDR)

Another important prong of a multilayered approach is network detection and response (NDR), which security professionals can use to detect suspicious traffic, and analyze/block malware that makes it through other security systems.

According to Gartner, NDR systems work by applying “machine learning and other analytical techniques to network traffic” and it “is helping enterprises detect suspicious traffic that other security tools are missing.” Behavioral, flow-based NDR tools complement signature-based detection solutions because they can detect anomalous behavior based on previously known network traffic.
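The sketch below shows why flow records catch what packet inspection misses over long intervals: it compares conversations against a baseline of previously known traffic and flags new ones that recur across several days. It is an added example using a plain baseline comparison rather than the machine learning Gartner describes; the flow records, addresses and the three-day threshold are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed flow summaries: day, source, destination, destination port, bytes.
BASELINE_FLOWS = """\
2021-11-01,10.0.5.20,10.0.1.10,445,48211
2021-11-01,10.0.5.20,203.0.113.8,443,91342
2021-11-02,10.0.5.20,10.0.1.10,445,50102
2021-11-03,10.0.5.21,10.0.1.10,445,1200
2021-11-04,10.0.5.21,203.0.113.8,443,30410
"""

OBSERVED_FLOWS = """\
2021-11-08,10.0.5.20,10.0.1.10,445,47000
2021-11-08,10.0.5.20,198.51.100.77,443,640
2021-11-11,10.0.5.20,198.51.100.77,443,655
2021-11-12,10.0.5.21,192.0.2.50,443,88000
2021-11-15,10.0.5.20,198.51.100.77,443,612
2021-11-16,10.0.5.20,10.0.9.3,3389,15000
2021-11-19,10.0.5.20,198.51.100.77,443,630
"""


def load(text):
    """Parse CSV flow summaries into (day, src, dst, dport, bytes) tuples."""
    flows = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue  # ignore blank or malformed rows
        day, src, dst, dport, nbytes = row
        flows.append((day, src, dst, int(dport), int(nbytes)))
    return flows


def new_conversations(baseline, observed):
    """Aggregate every (src, dst, dport) that the baseline never saw."""
    known = {(src, dst, dport) for _, src, dst, dport, _ in baseline}
    stats = defaultdict(lambda: {"days": set(), "bytes": 0, "flows": 0})
    for day, src, dst, dport, nbytes in observed:
        key = (src, dst, dport)
        if key in known:
            continue
        entry = stats[key]
        entry["days"].add(day)
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return dict(stats)


def persistent_new(baseline, observed, min_days=3):
    """New conversations that recur on at least min_days distinct days.

    Each flow on its own is small and unremarkable; the pattern only shows
    when the records are aggregated over the whole observation window.
    """
    findings = []
    for (src, dst, dport), s in new_conversations(baseline, observed).items():
        if len(s["days"]) >= min_days:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "days": len(s["days"]),
                "first": min(s["days"]), "last": max(s["days"]),
                "bytes": s["bytes"],
            })
    return sorted(findings, key=lambda f: (-f["days"], f["src"], f["dst"]))


if __name__ == "__main__":
    base, obs = load(BASELINE_FLOWS), load(OBSERVED_FLOWS)
    for finding in persistent_new(base, obs):
        print(finding)
```

The one-off new conversations (including the single RDP flow to 10.0.9.3) are still returned by `new_conversations` for lower-priority review.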

A Balanced Approach

These three options, plus user education, endpoint detection and other best practices, can contribute to reducing the effectiveness of advanced phishing attacks. By deploying a multi-layered security approach, even when third-party systems are compromised, security teams are more effective at preventing malware from spreading across their network.