• Search for:
    15Aug, 2024
    Kicking cyber security down the road can come back to bite you

    The consequences of a successful cyber attack can be disastrous. They can lead to untold operational disruption from substantial financial loss to significant reputational damage. Yet despite the clear and present danger, some businesses continue to deprioritize cyber security, with a concerning 15% failing to invest in cyber security measures. Whether this is a calculated decision or a matter of managing risk, it exposes the businesses’ data and processes to attack.

    Large corporations like Microsoft and AT&T, both of which recently experienced cyber breaches, are particularly vulnerable. These very public incidents can feed the perception that small and medium-sized businesses are unlikely to be targeted by cybercriminals. However, this does not ring true when compared to a recent government survey which showed that 45% of medium-sized businesses, and 50% of all companies in the UK, have suffered some breach or cyber attack in the past 12 months.

    For these smaller businesses, implementing simple security procedures is a strong start. Some quick market research can also highlight that engaging with the right managed services provider (MSP) can be a cost-effective way of enhancing security and reducing cyber risk. Despite this, convincing business leaders to invest in cyber defenses can be an uphill battle – even if decisions to delay only amplify the risk. Turning a blind eye could lead to devastating consequences.

    An overshadowed priority

    Despite a shared understanding of cyber threats among security leaders and the C-suite, cyber security often gets overlooked. The root of this lies in a misalignment of priorities. Immediate business concerns like revenue growth, market expansion, and customer acquisition overshadow cyber security, which has historically been viewed as a cost center, rather than a revenue driver.

    This misalignment relegates security measures to a secondary issue, to be addressed only after a breach occurs. Alarmingly, a third of security leaders only prioritize cyber security expertise after an attack has happened.

    This reactive approach to cyber security is fraught with risk. Neglecting proactive cyber security measures can lead to a raft of negative consequences, including financial repercussions. The immediate costs from a breach might include ransom payments, remediation expenses, and legal fees, while long-term impacts can involve lost business, regulatory fines, and increased insurance premiums.

    Staff retention can also take a hit following a cyber attack – over half of employees indicate they would leave companies that have suffered from a breach. They are often driven by insecurity about the company’s future or frustration over inadequate security measures, leading to higher turnover rates.

    The repercussions also extend to business relationships. Larger or partner companies, particularly those with stringent security standards, may be unwilling to engage with businesses that fail to meet their security expectations, limiting opportunities for growth and collaboration. Similarly, the same could be said for potential customers who might shy away from businesses that have suffered a breach, further isolating the business from lucrative partnerships and contracts.

    Securing buy-in

    To ensure cyber security is prioritized, it is vital to convey to the C-suite the very real implications of not mitigating cyber security risks. The most effective way to get this message across is by using business metrics to show the potential financial impact of cyber attacks.

    Presenting case studies of similar organizations that have suffered financial losses from breaches and providing relevant statistics showing the financial and reputational cost can be very powerful to enhance your pitch. It is also key to highlight the benefits that strong cyber security affords a business. This includes building customer confidence, reputational protection, regulatory compliance, and financial security.

    Starting with baseline measures can help secure initial support from the C-suite. Simple steps, such as regular software updates, staff cyber awareness training, and using Endpoint Detection & Response (EDR) tools to quickly identify threats like ransomware can substantially reduce exposure to cyberattacks.

    Even simple changes to a company’s security posture can have long-lasting effects. Many threat actors and hackers are looking for easy targets – companies with exposed vulnerabilities. For example, one of the most common breach points is overlooked or underestimated aspects like poor password security.

    Since the human factor is such a large part of attacks, regular cyber awareness training sessions for all employees help to build a foundational understanding of cyber threats and safe practices. When everyone in the organization is vigilant and informed, the overall security posture is strengthened. For password security in particular, companies can also implement multi-factor authentication tools to ensure employees accessing the network are who they say they are.

    There is a myriad of cyber security tools out there to help secure your systems. Wading through the industry jargon can be tough and is often a daunting task. Tools such as Network Detection and Response (NDR) and Security Incident and Event Management (SIEM) require teams of specialists to constantly monitor and modify settings to maximize efficiency. Achieving this in a small and medium-sized business can be difficult and expensive. This can be overcome by partnering with an MSP who can provide expert advice and technical support to deliver a comprehensive security solution to your organization.

    It is time to implement cyber security measures now

    By deprioritising cyber security, businesses are essentially deferring costs. Every organization accrues a cyber security debt, which can be managed in two ways: it can either be paid upfront through continuous support and rigorous cyber security measures, or it will inevitably be paid later, often at a much higher cost when a breach occurs.

    A proactive approach to cyber security that adopts even simple cyber security solutions can better protect businesses from the risk and cost of a breach and help them build a reputation as a secure and dependable partner.

    Investing in cyber security today is not just about avoiding future costs; it’s about ensuring the long-term success and sustainability of the business.

    Ref: Link

    14Aug, 2024
    Delta vs. CrowdStrike: The duties vendors owe to customers – or do they?

    In a potentially groundbreaking dispute, Delta Air Lines is threatening to sue CrowdStrike, a leading cybersecurity firm, for alleged negligence and breach of contract. This case brings to the forefront critical questions about the duties vendors owe to their customers in an increasingly digital world.

    As cybersecurity threats evolve, the expectations placed on vendors to safeguard sensitive data and maintain robust security measures are higher than ever, but these vendors cannot be responsible for every aspect of their customers’ environments. How can cybersecurity vendors and their customers balance these responsibilities effectively and minimize risk?

    The dispute

    At the end of July, Delta’s CEO indicated that the CrowdStrike-Microsoft event cost the airline $500M because the IT outage stranded thousands of customers and caused them to cancel more than 6,000 flights. This cost includes not only lost revenue but also “the tens of millions of dollars per day in compensation and hotels” for delays stretching over a period of six days.

    Delta states that they have no choice but to seek damages from CrowdStrike for the disruptions due to the high costs incurred by the outage. Delta expected all technology deployed in their ecosystem to be thoroughly tested before release into their mission-critical environment. Unfortunately, CrowdStrike’s testing did not identify the issue.

    Do the legal arguments hold?

    Media reports thus far indicate that Delta believes CrowdStrike was negligent, which they argue is shown by the seemingly weak initial CrowdStrike apology. Delta had to manually reset 40,000 servers to resolve the issue and took longer to bounce back to normal operations than its competitors, sparking an investigation by the US Department of Transportation’s Office of Aviation Consumer Protection. That investigation may result in additional costs for Delta on top of the reputational hits the airline has already endured.

    CrowdStrike, on the other hand, argues that Delta’s claims are meritless and emphasizes their own efforts to appropriately assist vendors with recovery from the outage, satisfying the cybersecurity company’s duty of care to its customers and vendors in the event of a systems failure. If CrowdStrike is found to be negligent in its performance of the Delta contract, a court could declare that the damage caps in its contract moot, thus entitling Delta and other similarly impacted CrowdStrike customers to a much larger financial recovery.

    It remains to be seen whether Delta will file a lawsuit, but such a case may be difficult to win, particularly if CrowdStrike can show that it reasonably fulfilled its contractual obligations. In some respects, the negligence argument is analogous to claiming that a sprinkler system provider should ensure a building can never have a fire, highlighting the unrealistic expectations sometimes placed on cybersecurity vendors.

    This event highlights the challenging dynamic for Delta and any other CrowdStrike customer seeking damages, even though the incident made it impossible for them to operate their business effectively. Incidents like these are a harsh reminder that accidents, just like cyberattacks, can have serious impacts, and customers may still be on the hook for losses.

    Responsibility includes accountability and trust

    Regardless of the allegations from Delta, CrowdStrike appears to be holding up to its responsibility as a cybersecurity vendor. For example, this past week the company released a root cause analysis of the incident detailing the lessons learned, including how they are improving their process and identifying steps to enhance resilience.

    Without question, a lot of things went wrong on July 19. This public volleying between CrowdStrike and Delta highlights the challenges for cybersecurity vendors and their customers in digital environments reliant on multiple integrations and interdependencies. To protect cybersecurity vendors and their customers effectively, both parties must hold themselves accountable and act as trustworthy partners in protecting against cyber and business continuity risks.

    4 ways to manage these risks

    Given the ever-present cyber risks and potential for downtime events that pose a serious threat to business continuity, it makes sense for companies to identify alternative ways to manage these risks.

    1. Understand how incidents like these can impact business and operations. It is now critical to fully understand how an outage could impact the business and enable internal teams to focus on impact mitigation strategies in addition to typical incident response.

    2. Know the status quo when negotiating contracts with vendors to the greatest extent possible. At the beginning of a vendor relationship, consider the impact if that vendor fails to the extent that the customer can’t deliver on its own business obligations. If Delta could have foreseen this event and its impact, they could have negotiated higher limitations of liability in the contract (although unlikely to come anywhere close to the $500M mark).

    3. Consider insurability. Based on various insurance industry estimates, it appears that insurance recovery for this event will only be a fraction of the total estimated losses. Additionally, many cyber insurance policies are designed to primarily cover malicious events, which this event was not. That said, coverage is available for losses of this type and companies should be reviewing their policies right now and seeking to amend coverage as desired.

    4. Evaluate whether it makes sense to have redundant or alternative capabilities in place in case of a vendor failure. It may turn out that entirely redundant capabilities are cost prohibitive or impractical, but by not at least considering the question and understanding the tradeoffs, the business is not fulfilling its own duty of care.

    A new shared responsibility model

    Minimizing risk requires vendors and their customers to work together. No cybersecurity vendor has control over the environments in which their solutions are deployed, but they can and must do their best to minimize the risk that their solutions, intended to protect their customers, do not cause massive IT outages.

    Customers, on the other hand, must maintain a modern IT infrastructure, stay up to date on available software patches, and be prepared for diverse risk scenarios. There is not a shared responsibility model defined for these types of relationships yet, but this may be the defining event that prompts one to emerge.

    Ref: Link

    31Jul, 2024
    Surging data breach disruption drives costs to record highs

    Security teams are getting better at detecting and responding to breach incursions, but attackers are inflicting greater pain on organizations’ bottom lines. IBM’s recent Cost of a Data Breach Report 2024 found the global average breach hit a record $4.88 million. That’s a 10% increase from 2023 and the largest spike since the pandemic.

    While the study notes that organizations, on average, improved their time to identify and contain breaches, rising business costs drove the global average breach cost higher. Among the largest contributors were lost business costs, expenses from post-breach customer support (such as setting up help desks and credit monitoring services), and paying regulatory fines. Some 70% of the 604 organizations studied reported that their operations were either significantly or moderately disrupted.

    The new research, conducted independently by Ponemon Institute and analyzed by IBM, studied breached organizations from 16 countries and regions and across 17 industries. It also included interviews with 3,556 security and business professionals from the breached organizations. In its 19th year, the Cost of a Data Breach Report provides actionable insights and up-to-date research, making it a critical benchmark for the industry.

    While the report’s findings suggest some damages from a breach are unavoidable, they also highlight several risk areas that security teams can and should address. For instance, the findings underscore the growing importance of security AI and automation technologies for mitigating breach impacts and lowering costs associated with those breaches.

    Below are those takeaways and several others from the Cost of a Data Breach Report 2024.

    AI and automation in security most effective at reducing average costs

    More organizations are adopting AI and automation in their security operations, up 10% from the 2023 report. And most promising, the use of AI in prevention workflows had the highest impact in the study, reducing the average cost of a breach by $2.2 million, compared to organizations that didn’t deploy AI in prevention.

    Two out of three organizations in the study deployed AI and automation technologies across their security operations center. This factor may also have contributed to the overall decrease in average response times – those using AI and automation saw their time to identify and contain a breach lowered by nearly 100 days on average.

    Only 20% of organizations said they are using gen AI security tools, yet those that did saw a positive impact, with gen AI security tools shown to mitigate the average cost of a breach by more than $167,000. Read the report

    Security staffing shortages led to higher breach costs and more security investment

    Staffing shortages in security departments continued to grow, with 53% of organizations facing a high-level skills shortage, up 26% from 2023. The industry-wide skills shortage could be expensive for organizations. Those with severe staffing shortages experienced breach costs that were $1.76 million higher on average than those with low-level or no security staffing issues.

    These staffing shortages may be contributing to the increasing use of security AI and automation, which has been shown to reduce data breach costs. At the same time, staffing shortages may see some ease, as businesses reported they intend to increase security investments as a result of the breach. Organizations planned investments including threat detection and response tools like SIEM, SOAR, and EDR, according to the report. Organizations also plan to increase investments in identity access management, and data protection tools.

    These additional investments could pay off in mitigating future breach costs. More organizations in 2024 identified the breach with their own security teams and tools (42%) compared to last year (33%), and those organizations had lower than average breach costs, including nearly $1 million lower on average than breaches that were identified by the attacker, such as in an extortion attack.

    Cloud and data security issues remained prominent

    Forty percent of breaches involved data stored across multiple environments including public cloud, private cloud, and on-premise. These multi-environment breaches cost more than $5 million on average and took the longest to identify and contain (283 days), highlighting the challenge of tracking and safeguarding data, including shadow data, and data in AI workloads, which can be unencrypted.

    The types of data records stolen in these breaches underscored the growing importance of protecting an organization’s most sensitive data, including customer personal identifying information (PII) data, employee PII, and intellectual property (IP). Costs associated with customer PII and employee PII records were the highest on average.

    Customer PII was involved in more breaches than any other type of record (46% of breaches). However, IP may grow even more accessible as gen AI initiatives bring this data out in the open. With critical data becoming more dynamic and available across environments, businesses will need to assess the specific risks of each data type and their applicable security and access controls.

    What else is new in the 2024 Cost of a Data Breach Report

    Each year poses new data security challenges as threats and technologies emerge, and this report evolved to reflect these changes. New research conducted for the first time this year in the 2024 Cost of a Data Breach Report included:

    • Organizations experiencing long-term operational disruption, and the time it takes to restore data, systems, or services to their pre-breach state
    • To what extent organizations are using AI and automation in each of four areas of security operations: prevention, detection, investigation, and response
    • How long it took organizations to report the breach if they were mandated to do so
    • Whether organizations that involved law enforcement following a ransomware attack paid the ransom

    Of course, the report continues to showcase the top costliest geographies and industries, the initial causes of data breaches and their costs, and much more. Importantly, the report continues to provide recommendations from IBM experts, addressing the report findings, to help organizations understand the risks and how to mitigate the impacts and potential costs of a data breach.

    Ref: Link

    9Oct, 2023
    AWS to Mandate Multi-Factor Authentication from 2024

    Amazon Web Services (AWS) said it will require multi-factor authentication (MFA) for all privileged accounts starting mid-2024, in a bid to improve default security and reduce the risk of account hijacking.

    From that time, any customers signing into the AWS Management Console with the root user of an AWS Organizations management account will be required to use MFA to proceed, chief security officer, Steve Schmidt said in a blog post.

    “Customers who must enable MFA will be notified of the upcoming change through multiple channels, including a prompt when they sign into the console,” he added.

    “We will expand this program throughout 2024 to additional scenarios such as standalone accounts (those outside an organization in AWS Organizations) as we release features that make MFA even easier to adopt and manage at scale.”

    The move follows previous AWS efforts to improve take up of MFA. The firm began offering a free security key to account owners in the US from fall 2021, and a year later enabled organizations to register up to eight MFA devices per account root user or per IAM user in AWS.

    “We recommend that everyone adopts some form of MFA, and additionally encourage customers to consider choosing forms of MFA that are phishing-resistant, such as security keys,” Schmidt concluded.

    “While the requirement to enable MFA for root users of AWS Organizations management accounts is coming in 2024, we strongly encourage our customers to get started today by enabling MFA not only for their root users, but for all user types in their environments.”

    MFA is a critical step to mitigate the risks posed by phishing attacks on employees. An IBM X-Force study last month revealed that the top initial access vector for cloud compromise between June 2022 and June 2023 was use of valid credentials by threat actors.

    This happened in nearly two-fifths (36%) of real-world cloud incidents investigated by the security vendor, with credentials either discovered during an attack or stolen/phished prior to targeting an account.

    Resource : https://www.infosecurity-magazine.com/news/aws-multifactor-authentication-2024/

    7Feb, 2023
    Rise in cyber threats demand new strategies for data recovery

    We are more connected than ever in this digital era, and those connections are faster and increasingly more immediate. Advanced technologies are accelerating incredible achievements for businesses and consumers.

    While technology offers significant benefits, it has also made it easier for those who seek to gain an advantage by exploiting others. Hidden in the digital web of interconnections are people intent on stealing your content or holding it to a hefty ransom for its return, making the information age a double-edged sword.

    Today’s organizations need digital sentries and multiple lines of defense against cybercrime, which can devastate a business when it hits and impact it for years after the initial attack.

    Ransomware has been steadily growing in prominence and impact since the 2017 WannaCry ransomware outbreak that infiltrated systems around the world. While criminals develop more advanced techniques, the fundamentals of ransomware remain the same. Attackers penetrate a network, find and encrypt data, and demand payment for a decryption key.

    The threat of ransomware is increasing quickly. It’s not a question of “if” but of “when” you will face this challenge. Choosing between ransom payments or suffering data loss is costly and risky.

    The impact of an attack is enormous, and the costs associated with cyberattacks, including lost business, insurance rate hikes, lawsuits, criminal investigations, and bad press, can even put a company out of business – and fast. Here are just a few of the many data breaches that occurred during the past two years and their costly toll:

    • The New York Times reported that T-Mobile Reached a $500 Million Settlement in a Huge 2021 Data Breach: The company, which said the hacking had affected 76.6 million people, agreed to pay $350 million to settle claims and spend $150 million to bolster security.
    • Insiders reported that global insurance provider CNA Financial forked over a reported mind-blowing $40 million post-cyber-attack last year.
    • The Washington Post reported that a ransomware attack on U.S. software provider Kaseya in 2021 targeted the firm’s remote-computer-management tool and endangered up to 2,000 companies globally.

    While there are many strategies for mitigating the risks associated with cyber threats, such as ransomware, each comes with challenges. Backup is a critical means of recovery, yet decades-old legacy enterprise backup solutions were not designed to handle the scale and complexity of today’s data. And this problem continues to grow. Terabytes of data are rapidly becoming petabytes to exabytes of data and beyond. IDC predicts the world’s collective data will reach 175 zettabytes by 2025.

    Backup is Broken

    Traditional backup as we know it is broken, and here’s why:

    • Backups are periodically done in batches – when data recovery is needed, the last available copy could be more than 24 hours old, resulting in permanently lost data and/or recent changes.
    • Backup is outdated – snapshot-based legacy backup soft­ware, developed decades ago, still uses agents to protect and recover virtual machines, resulting in high maintenance costs, time wasted on administration, or even failed recoveries.
    • It’s expensive – aside from costs associated with impacts on production and resources, legacy backup requires multiple licenses, additional agent purchases, and increased IT infrastructure costs.
    • Legacy backup tools are complex – they use distributed systems for data transfer, requiring dedicated hardware, extensive configuration, and a lot of IT time and resources.
    • It’s disruptive – legacy backup jobs often don’t complete in time, disrupt production environments with unplanned downtime, and heavily burden already constrained IT resources.

    And it’s slow – legacy backup copying processes place an enormous load on your production environment, causing network lag and downtime.

    A New Backup Paradigm to Recover Data Instantaneously

    What’s needed is continuous data availability. This approach would provide a strong first line of defense against cyber threats, enabling organizations to recover compromised data easily and almost instantly. And yet, continuous data availability has been out of reach given the weaknesses of traditional backup. Business leaders have been forced to accept levels of data loss, measured by recovery point objectives (RPO), and downtime, measured by recovery time objectives (RTO).

    Traditionally, backup occurs outside the operating system data path. As data volumes increase exponentially – both in the number of files and the amount of data generated – backup systems that scan file systems are no longer feasible, particularly as we enter the realms of billions of files and petabytes or more data.

    A new approach would make the file system and backup one and the same. As a result, every change in the file system would be recorded as it happens, end users could recover lost data without the assistance of IT, and finding files would be easy, regardless of when they may have existed, and across the entire time continuum. Such an approach would redefine enterprise storage by converging storage and data resilience into one system. Every change that occurs in the data path would be captured. This approach would not require decryption keys, users could just unwind ransomware events with a single operation.

    Current backup and recovery solutions are not where the world needs them to be, but that doesn’t mean we should settle for less. In 2023, there will be an increased focus on the “first line of defense,” where cyberattacks are stopped altogether or can be swiftly unwound without recourse to backups. Instead of taking hours, days, and sometimes weeks or more, recovery would take place almost immediately.

    Backup that sits within the operating system data path could enable continuous data access. This method could provide unprecedented data protection, making it possible to approach the ideal of zero RTO, giving users control of searching and recovering data immediately without IT assistance, and an RPO of zero, eliminating the significant cost and impact of data loss and interrupted data access.

    Anything more is a compromise that exposes organizations to increased risk of data and financial loss. Companies should push vendors to achieve zero RPO and zero RTO and seek out solutions that achieve those objectives.

    Resource : https://www.securityinfowatch.com/cybersecurity/information-security/breach-detection/article/21294365/rise-in-cyber-threats-demand-new-strategies-for-data-recovery

    20Dec, 2022
    Mobile App Users at Risk as API Keys of Email Marketing Services Exposed

    Analysis of 600 apps on the Google Play store by CloudSEK’s BeVigil security search engine found that 50% were leaking application programming interface (API) keys of three popular transactional and marketing email service providers.

    The providers included Mailgun, MailChimp and SendGrid. CloudSEK has notified all involved entities and affected apps about the hardcoded API keys.

    The leaked API keys allow threat actors to perform a variety of unauthorized actions such as sending emails, deleting API keys, and modifying two-factor authentication (2FA).

    An API is a piece of software that allows applications to communicate with each other without any human intervention. An API key is a special identification used by users, developers or calling programs to authenticate themselves to an API.

    CloudSEK said that an overall examination of all three providers’ data revealed that the USA was the country with the highest number of downloads followed by the UK, Spain, Russia and India, leaving over 54 million mobile app users vulnerable.

    In a breakdown of the research, CloudSEK noted how attackers could potentially exploit leaked API keys and said that it is advisable to keep API keys private.

    MailGun provides email API services, enabling brands to send, validate and receive emails through their domain at scale. The research noted that in this case, an API key leak could allow threat actors to send and read emails, get Simple Mail Transfer Protocol (SMTP) credentials, IP addresses and statistics, as well as retrieve mailing lists of customers in order to launch phishing campaigns.

    CloudSEK said that 35% of the analyzed packages contained a valid Mailgun key embedded in their android code and 132 domains were configured with the valid keys.

    MailChimp is a transactional email service first introduced in 2001 and later launched as a paid service with an additional freemium option in 2009. An API key leak in this case would allow threat actors to read conversations, fetch customer information, expose email lists of multiple campaigns containing PII, start fake email campaigns and manipulate promotional codes. The research also noted that threat actors could authorize third party applications connected to a MailChimp account.

    The report highlighted that of a total of 319 identified API keys, 28% were found to be valid and of those, 12 keys allowed read email access.

    Finally, SendGrid is a communication platform intended for transactional and marketing emails. It provides cloud-based services to assist businesses with shipping notifications, friend requests, sign-up confirmations, email newsletters, etc.

    An API lead would allow a threat actor to send emails, create API keys and control IP addresses used to access accounts, according to CloudSEK.

    The research found that of 319 API keys, 128 were found to be valid and of those, 121 could allow threat actors to send emails using SendGrid, 65 could allow threat actors to delete API keys and 42 could allow the modification of 2FA.

    Following the findings, CloudSEK said: “In modern software architecture, APIs integrate new application components into existing architecture. So its security has become imperative. Software developers must avoid embedding API keys into their applications and should follow secure coding and deployment practices like standardize review procedures, rotate keys, hide keys and use vault.”

    Resource : https://www.infosecurity-magazine.com/news/api-keys-email-marketing-services/?&web_view=true

    12Dec, 2022
    Experts devised a technique to bypass web application firewalls (WAF) of several vendors

    Claroty researchers devised a technique for bypassing the web application firewalls (WAF) of several vendors.

    Researchers at industrial and IoT cybersecurity firm Claroty devised an attack technique for bypassing the web application firewalls (WAF) of several industry-leading vendors.

    The technique was discovered while conducting unrelated research on Cambium Networks’ wireless device management platform.

    The researchers discovered a Cambium SQL injection vulnerability that they used to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes.

    The experts pointed out that they were able to exploit the SQL injection vulnerability against the on-premises version, while hacking attempts against the cloud version were blocked by the Amazon Web Services (AWS) WAF.

    Then the experts started investigating how to bypass the AWS WAF.

    The researchers discovered that appending JSON syntax to SQL injection payloads allows bypassing the WAF because it is unable to parse it. 

    “Using JSON syntax, it is possible to craft new SQLi payloads. These payloads, since they are not commonly known, could be used to fly under the radar and bypass many security tools.” reads the report published by Claroty. “Using syntax from different database engines, we were able to compile the following list of true statements in SQL:

    • PostgreSQL: ‘{“b”:2}’::jsonb <@ ‘{“a”:1, “b”:2}’::jsonb Is the left JSON contained in the right one? True.
    • SQLite: ‘{“a”:2,”c”:[4,5,{“f”:7}]}’ -> ‘$.c[2].f’ = 7 Does the extracted value of this JSON equals 7? True.
    • MySQL: JSON_EXTRACT(‘{“id”: 14, “name”: “Aztalan”}’, ‘$.name’) = ‘Aztalan’ Does the extracted value of this JSON equals to ‘Aztalan’? True.”

    Claroty researchers used the JSON operator ‘@<’ to throw the WAF into a loop and supply malicious SQLi payloads.

    The researchers verifies that the bypass attack technique also worked against firewalls from other vendors, including Cloudflare, F5, Imperva, and Palo Alto Networks.

    “We discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code.” the report concludes.

    Resource : https://securityaffairs.co/wordpress/139445/hacking/web-application-firewalls-waf-bypass.html

    10Dec, 2022
    Why is Robust API Security Crucial in eCommerce?

    API attacks are on the rise. One of their major targets is eCommerce firms like yours.

    APIs are a vital part of how eCommerce businesses are accelerating their growth in the digital world.

    ECommerce platforms use APIs at all customer touchpoints, from displaying products to handling shipping. Owing to their increased use, APIs are attractive targets for hackers, as the following numbers expose:

    • API attack traffic increased by 681% in 2021
    • 77% of retail respondents experienced API security incidents in 2021– according to Noname security

    If left unaddressed, API abuse can damage your reputation, harm consumers, and affect the bottom line. Hence API security is worthy of consideration for eCommerce stakeholders.

    Why do eCommerce companies need APIs?

    API makes it easy for retailers and eCommerce platforms to handle product listings and orders. It transformed the static website into a completely customizable headless store. Retailers use APIs for various functions, including login, product catalog, shipping, and subscription.

    It empowers businesses to enhance customer experience. While making purchases, one service handles orders; another calculates tax; another enables shipping, and so on.

    But customers have no idea what is happening behind the screen. API connects these decoupled elements and helps to share data seamlessly.

    Key benefits of APIs in eCommerce

    • It streamlines operations and ensures seamless customer engagements
    • It is effective for data monitoring and analytics, a vibrant factor for retailers
    • It enables communication with chatbots
    • Connects eCommerce platform with 3rd party marketplaces

    Why Is API Security Crucial for Ecommerce?

    APIs are easy to use and integrate for businesses. Even though most APIs are not intended for public use, they often have full access to all sensitive assets and information.

    Customers enter PII while purchasing on online sites like emails, passwords, credit card details, and phone numbers. They also share transaction details like bonuses, balances, and rewards. This increases the opportunity for attackers to steal the data.

    They are easy to expose if not designed and tuned for robust, ongoing security. Inadequate security testing and a lack of business logic have resulted in an overall rise in API security risks.

    Important factors that drive API security concerns are

    Authentication Flaw

    Many APIs not properly checking if the request comes from a legitimate user. Hackers find coding errors in authentication and escalate privileges. They further use enumerated technologies to compromise users’ accounts.

    For instance, some eCommerce platforms integrate with external logistics systems to pass on shipping details. In this situation, if there is an insufficient authentication chain, API can leak PII via replay attacks.

    Automated Attacks #

    Automated attacks on insecure APIs are increasing with the widespread adoption of APIs. Rather than exploiting vulnerabilities in APIs code, hackers exploit business logic flaws within APIs.

    They may feed malicious scripts into bots to access your product details at scale.

    With bad bots overwhelming your site, your genuine user cannot shop on your site. For example, they can snatch the complete inventory of high-demand products within seconds.

    Volumetric attacks against eCommerce API without rate limiting (#4 in OWASP API Security Top 10) can cause shopping apps non-responsive, resulting in user dissatisfaction.

    Shadow and Zombie APIs

    Still, many businesses struggle to separate real transactions from fake. They are also blindsided by unprotected shadow APIs.

    Equally, Zombie APIs are the most common method of attack. Zombie APIs may longer be unmonitored. They can contain malicious codes or may expose sensitive data or functionality.

    Third-party APIs

    E-commerce businesses integrate with 3rd parties like shipping and payment systems. Third-party APIs are challenging to manage. These are the ones that attackers typically target.

    For example, shopping cart API is a prime target as it offers entry points into the business. A leading UK retailer experienced attacks more than 1000 times a day on this API. The attack increased 10-fold times when special offers were running.

    Traditional Security Tools

    Most businesses lack adequate defense capabilities to protect against the ever-evolving API risks. API threats are highly sophisticated and persistent, and traditional methods are ineffective against them.

    Legacy WAF or API gateways need more real-time ability to understand bad from good API activity.

    Hackers can manipulate the discount and promotion APIs during peak times. These tools find it hard to protect against such attacks.

    You will need comprehensive API protection solutions like AppTrana to protect your website and customers’ sensitive information.

    API Security Best Practices for Ecommerce#

    The API threats to eCommerce security are potentially devastating to retailers and customers. For this reason, you must take appropriate measures to address them.

    API Discovery

    The first step is to understand what you have in your API landscape. An inventory of all APIs, including undocumented APIs, is essential if you want to secure what you don’t know about.

    API discovery involves finding and inventorying APIs. 67% of the retail respondents say they lack visibility on API inventory. A good API security solution offers strong API discovery features. It automatically inventories all APIs, including Zombie and shadow APIs.

    Make sure zombie APIs are turned off. After the last customer stops integrating with a deprecated API, ensure the API is turned off. If you’re going to publish API documentation externally, make sure it’s valid and tested, and it’s not exposing vulnerabilities.

    API Security Testing and Penetration Testing#

    Integrate API security at the early stage of the development process. Security enhancement and vulnerability management are key aspects of your API development. Use API security scanners (e.g., Infinite API Scanner) for smooth API vulnerability scans. Make sure to patch the identified vulnerabilities immediately.

    In addition to automated API scanning tools, manual pen testing is vital. It helps you to detect misconfiguration that could otherwise go unseen.

    Proper Authentication and Authorization#

    Validating purchasers who they are and only allowing access to specific resources they have permission for is essential in API security.

    OAuth 2.0, API keys, and Token based authentication are a few API authentication methods to verify users’ identity.

    API Rate Limiting

    According to data, there were 28 API endpoints in 2020 and 89 in 2021, a three-fold increase in API endpoints. A similar increase in API calls is logical. There was a 141% increase in API calls in H1 2021. There has been a corresponding increase in attack surfaces.

    Attackers can make eCommerce sites unavailable for legitimate purchasers with DDoS attacks. With API rate limiting, you can limit the number of requests from overwhelming system resources. It can throttle the request that exceeds the limits. It enables you to make your site available for purchasers without impacting performance.

    API Behaviour and Analytics

    Leverage API protection solution to look for abnormal behaviour in API traffic. Differentiating malicious traffic from normal API traffic can help to detect attacks in progress.

    It also highlights system misbehaviors and other malicious disruptions to your service. It analyzes traffic metadata to pinpoint the attack source. You can use this information to stop the incident and fix the issue in API.

    Tips to protect your eCommerce Site

    • Make sure all third-party integrations and plugins are regularly inspected
    • Help your customers to create strong, unique passwords
    • Ensure that only necessary customer data is stored
    • Always keep your site up-to-date
    • Secure your website with HTTPS
    • Keep a backup of your data

    Ecommerce Security: Plan Ahead to Stay Safe

    An increase in API usage has increased the attack surface, which leaves eCommerce businesses vulnerable. It calls for the immediate requirement to mitigate the API security risks mentioned above.

    Failing to secure an eCommerce platform can directly impact sales. It ruins your reputation. Take immediate measures to win your API security platform.

    Resource : https://thehackernews.com/2022/12/why-is-robust-api-security-crucial-in.html

    16Nov, 2022
    The Uncertain Future of IT Automation

    While IT automation is growing, big challenges remain. Chris Hass, director of information security and research at Automox, discusses how the future looks.

    The majority of today’s cybersecurity breaches stem from unpatched vulnerabilities and outdated systems, which means that many cyberattacks are preventable. Unfortunately, it can be challenging for IT teams to keep up with the pace of new patches every month, especially when employee devices are scattered across a distributed workforce and there’s a shortage of cybersecurity professionals. These emerging factors make efficiency a critical component for any IT team.

    To enable a rapid discovery of new exploits, more companies are turning to IT-automation tools for patching and system management. By streamlining the processes and reducing the workload, IT teams can quickly address new severe exploits and save time to focus their efforts on more high-impact projects.

    However, while the trend of automation will continue to grow, there still remain many challenges to its adoption, and new innovations or threats could change how the future looks for this technology.

    What Can We Expect in IT Automation in the Near Future?

    First and foremost, IT automation will adapt to distributed environments. When we surveyed IT professionals, 80 percent stated that the process of managing endpoints has become harder as a result of more employees working remotely. Having to both maintain management servers across multiple, distributed sites and with sporadic, inconsistent connectivity to endpoints has made it difficult for IT teams to remain efficient and nimble. This has led to more organizations looking for cloud-native solutions to remedy these challenges.

    Cloud-native technologies make connectivity with remote devices easier while staying secure without the use of VPNs. They also improve visibility into the exact, real-time status of a device. IT teams will have an easier time pushing patches automatically without worrying about VPN bandwidth restrictions. Within the next year, anticipate that more businesses will realize these immense benefits and replace existing tools with cloud-native IT automation.

    On the flip side, challenges remain, such as addressing burnout and emerging security concepts.

    IT and Security Teams’ Mental Health Comes to the Fore

    One thing that has become evident in the 2020s is that there is a lack of attention on and investment in employee mental health and safety. This is especially true when it comes to IT and security workers, who have come under enormous pressure and stress in our hybrid world today, where both outages and cyberattacks aren’t just common, but expected to happen at all times.

    Automation is one way to drive more accessibility and ease-of-use for IT teams. While in the past the core argument for automation is to provide more time for innovation, today the argument must simply be, automation creates more time for teams — but we’re not there yet.

    Consider the (relatively) recent issue with the Log4j vulnerability. The issue wasn’t “just” that there was a new vulnerability to respond to and worry about. It was that many security and IT professionals had to go through the manual task of updating every endpoint across their system, while managers and even the C-suite watched over their shoulders.

    This isn’t easy – it’s stressful, and it will make your teams more likely to quit, which is just unacceptable as we continue to navigate a world reshaped by the Great Resignation and IT skills shortage.

    New IT Security Concepts Are on the Horizon

    As Automox predicted at the end of last year, IT and security transformation continue as organizations everywhere try to find a new normal following the disruptions of the pandemic, and IT automation will have to adjust.

    This has been challenging for many organizations — and more importantly, people, as discussed above — but there are silver linings too. The pandemic has pushed new innovation across many areas, with exciting new tools and practices on the horizon for IT and security teams.

    One innovation that is particularly interesting is cybersecurity mesh architectures. Gartner has claimed that “organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90 percent” by 2024.

    A cybersecurity mesh architecture leverages various parts of the enterprise to integrate widely distributed, disparate security services. This is key to managing and accounting for a workforce that has never been more remote and globally distributed. Designing and implementing an IT security infrastructure that is not focused on a single perimeter, but instead smaller individual perimeters around each access point, provides quality-of-life improvements as well as more control over an organization’s overall security profile.

    Another trend that may seem overdue but is very much happening in real-time is the transition of ITOps and SecOps tools to cloud infrastructure. This includes firewalls, cloud access service brokers (CASBs), web gateways and other tools, as teams wind down legacy on-prem contracts and move to the cloud for more accessibility, speed and scale.

    Bottom line: IT automation is a transformational trend that is already occurring across the enterprise today, but it needs to accelerate in order to address the many pain points security and IT teams still face today.

    Resource : https://threatpost.com/uncertain-future-it-automation/178709/

    1Nov, 2022
    New open-source tool scans public AWS S3 buckets for secrets

    A new open-source ‘S3crets Scanner’ scanner allows researchers and red-teamers to search for ‘secrets’ mistakenly stored in publicly exposed or company’s Amazon AWS S3 storage buckets.

    Amazon S3 (Simple Storage Service) is a cloud storage service commonly used by companies to store software, services, and data in containers known as buckets.

    Unfortunately, companies sometimes fail to properly secure their S3 buckets and thus publicly expose stored data to the Internet. 

    This type of misconfiguration has caused data breaches in the past, with threat actors gaining access to employee or customer details, backups, and other types of data.

    In addition to application data, source code or configuration files in the S3 buckets can also contain ‘secrets,’ which are authentication keys, access tokens, and API keys.

    If these secrets are improperly exposed and accessed by threat actors, they could allow them far greater access to other services or even the company’s corporate network.

    Scanning S3 for secrets

    During an exercise examining SEGA’s recent assets exposure, security researcher Eilon Harel discovered that no tools for scanning accidental data leaks exist, so he decided to create his own automated scanner and release it as an open-source tool on GitHub.

    To help with the timely discovery of exposed secrets on public S3 buckets, Harel created a Python tool named “S3crets Scanner” that automatically performs the following actions:

    • Use CSPM to get a list of public buckets
    • List the bucket content via API queries
    • Check for exposed textual files
    • Download the relevant textual files
    • Scan content for secrets
    • Forward results to SIEM
    Actions performed by the S3crets Scanner
    Actions performed by the S3crets Scanner

    The scanner tool will only list S3 buckets that have the following configurations set to ‘False,’ meaning that exposure was likely accidental:

    • “BlockPublicAcls”
    • “BlockPublicPolicy”
    • “IgnorePublicAcls”
    • “RestrictPublicBuckets”

    Any buckets that were intended to be public are filtered out from the list before the textual files are downloaded for the “secrets scanning” step.

    When scanning a bucket, the script will examine the content of text files using the Trufflehog3 tool, an improved Go-based version of the secrets scanner that can check for credentials and private keys on GitHub, GitLab, filesystems, and S3 buckets.

    Trufflehog3 scans the files downloaded by S3crets using a set of custom rules designed by Harel, which target personally identifiable information (PII) exposure and internal access tokens.

    When used periodically to scan an organization’s assets, the researcher believes that “S3crets Scanner” can help firms minimize the chances of data leaks or network breaches resulting from the exposure of secrets.

    Finally, the tool can also be used for white-hat actions, like scanning publicly accessible buckets and notifying the owners of exposed secrets before bad actors find them.

    Resource: https://www.bleepingcomputer.com/news/security/new-open-source-tool-scans-public-aws-s3-buckets-for-secrets/?&web_view=true