Incident

Why Every Business Needs a Cybersecurity Incident Response Team
By CISOMAG, October 21, 2021 at 5:39 am

The post Why Every Business Needs a Cybersecurity Incident Response Team appeared first on CISO MAG | Cyber Security Magazine.

In order to get back on track from the ongoing pandemic, organizations have to take into account a completely altered reality, which is very different from what we’ve been taught so far. Many companies have restructured their business continuity plans to stay afloat during this unprecedented time. Many of these measures are not only point-in-time responses to the current crisis but are also expected to continue after COVID-19. With accelerated digitization across businesses, cyberattacks are becoming more sophisticated, precise, and targeted than ever before. To this, add the sheer volume of security alerts and false positives; it’s like searching for a needle in a haystack. The IT team is suffering from burnout, leaving organizations with hulking security risks and corresponding financial risks.

By Satya Machiraju, VP, Information Security, Whatfix

The threat of cybercrime is ever increasing and is having a significant impact on enterprises. To protect against cyberattacks, companies need to get back to the basics of security by design and integrate cybersecurity into their entire system life cycle. Almost every organization nowadays is vulnerable to being breached, whether through its own security weaknesses or those of its critical suppliers. Because of this, digital platforms need to be treated as critical infrastructure, and a centralized mechanism for detecting and responding to security incidents should be put in place. If data or functionality is lost, the effect can be crippling, regardless of the threat. Having an incident response plan and a disaster recovery plan allows you to minimize risks and prepare for a variety of events.

What is an Incident Response Team?

Incident response teams, also called incident response units, plan for and respond to IT incidents, such as cyberattacks, system failures, and data breaches. Additionally, these teams can develop incident response plans, identify and resolve system vulnerabilities, enforce security policies, and evaluate security best practices.

An organization’s incident response teams should be made up of subject matter experts from various domains/departments with reasonable authority and expertise to respond to an incident as soon as it is noticed. Organizations with an incident response team are able to handle incidents in a structured manner. Documenting and testing an incident response plan allows an organization to respond and recover from an incident faster, with minimal impact on its customers and stakeholders.

Incident Response Team: A Blueprint for Success

An average company generates around 30 GB of security log data, close to 30,000,000 events, per day. Almost all security operations teams find it challenging to separate the wheat from the chaff and are therefore unable to connect the dots and identify the critical chain of events, so breaches go undetected or are not responded to immediately. This is primarily owing to too many error-prone manual processes, a lack of the highly skilled talent needed to solve all of this, and the inability of a human to process such large volumes of data.

Automating incident response enables the security operations team to let tools or systems address the known issues with known resolutions. This allows them to focus on more critical issues or enhancements of the business. There are various commercial and open-source SOAR (Security Orchestration, Automation and Response) solutions that help the security teams in their journey towards automation.

SOAR is typically a collection of software solutions or tools that allow security teams to streamline security operations in threat and vulnerability management, incident detection and response, and security operations automation. SOAR allows security teams to collect threat-related data from a range of sources and automate the responses to the threat.

Building an Effective Incident Response Plan

In every industry, data breaches have become an inevitable part of doing business. For organizations to minimize damage, while also reducing costs and recovery times, it is important to have incident response plans in place. The use of incident response plans allows organizations to respond quickly and effectively to security incidents. In order to respond quickly to cyber incidents, organizations must develop a proactive and responsive set of capabilities as part of their incident response plans. The basic process could be summarized as follows:

Establish an Incident Response team
Identify your assets and crown jewels
Identify the threat vectors associated with your assets and crown jewels
Implement monitoring capabilities to identify the threats/attempts
Document your threat response guidelines
Document the incident communication processes
Train employees to be vigilant, to alert stakeholders
Test the Incident response plan
Document the learnings
Incorporate the learnings

An incident could have legal, regulatory, privacy, and contractual implications too. An inadequate or incorrect approach to handling an incident could have serious ramifications in those areas. Having a team responsible for incident detection and response lets the organization and its workforce consult subject matter experts about any specific suspicious activity, ensuring that immediate action is taken. The incident response team can also ensure that the response to suspicious activity or a breach follows the incident response plan, and it can address any situation that the plan does not cover.

Securing the Digital Workforce

As a result of a mostly or entirely remote workforce, organizations are more susceptible to security breaches and less able to respond to potential security incidents. A remote workforce incident can be handled effectively by identifying the impacts, updating the incident response plan, and communicating the new plan to the incident response team. In light of increasing cyberattacks that threaten business operations and reputation, developing an effective Cyber Incident Response Plan (CIR) becomes essential for organizations to stay on top of the cybersecurity curve.

About the Author

Satya Machiraju is the VP of Information Security at Whatfix. Satya leads Whatfix’s security team by developing and deploying processes and solutions to minimize and mitigate cybersecurity and regulatory compliance risks. Satya is based in India and is passionate about protecting customers’ information, as well as creating a culture of cybersecurity preparedness across Whatfix by putting “security first.”

Satya brings over two decades of experience in cloud security and architecture, global cyber security and enterprise risk management, regulatory compliance consulting, information security strategy consulting, IT governance and project management, vendor and partner risk management, and privacy and regulatory compliance. Prior to Whatfix, Satya was VP/CISO at Qualfon, Senior Director of Information Security at [24]7.ai, and Senior Manager of Information Security at Aditya Birla Minacs Worldwide, Ltd.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.


Sinclair Broadcast Group Network Encrypted with Ransomware — Operations Disrupted
By minu.sirsalewala, October 20, 2021 at 2:25 pm

The post Sinclair Broadcast Group Network Encrypted with Ransomware — Operations Disrupted appeared first on CISO MAG | Cyber Security Magazine.

In a span of five months, yet another media company, Sinclair Broadcast Group, has been a victim of a ransomware attack. The threat actors encrypted certain servers and workstations, disrupting the company’s operational networks.

The company implemented its incident response plan upon detection to contain the attack. It engaged legal counsel, a cybersecurity forensic firm, and other incident response experts to investigate the security incident.

It also disclosed data theft from the network, the extent of which is unknown. Sinclair stated, “While the Company is focused on actively managing this security event, the event has caused – and may continue to cause – disruption to parts of the Company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers. The Company is working diligently to restore operations quickly and securely.”

Sinclair Broadcast Group, one of the nation’s largest television station operators, announced Monday that it had been hit by a ransomware attack over the weekend that resulted in data theft and network disruption. Happy Monday! pic.twitter.com/nCzWETUI2e

— Nita Cosby (@5_2blue) October 18, 2021

There are no “good” ransomware attacks. These must be met with strong response. Sinclair today. Could be AP, still the gold standard for election results, tomorrow. https://t.co/ETUj1I4wSF

— Juliette Kayyem (@juliettekayyem) October 18, 2021

Purplesec’s 2021 Trends Report talks about the growing threat of ransomware and the exponential rate at which it is multiplying.

Highlights of the report:

The average ransomware payment in 2021 increased by 82% year over year to $570,000.
121 ransomware incidents have been reported in the first half of 2021, up 64% year-over-year.
The largest ransom demand observed so far in 2021 is $100 million.
Ransomware has become a popular form of attack in recent years growing 350% in 2018.
Ransomware detections are on the rise with Ryuk detections increasing by 543% over Q4 2018, and since its introduction in May 2019,
81% of cyber security experts believe there will be more ransomware attacks than ever in 2019.
In 2019 ransomware from phishing emails increased 109% over 2017.
21% of ransomware involved social actions, such as phishing.
New ransomware variants grew 46% in 2019.
68,000 new ransomware Trojans for mobile were detected in 2019.
Ransomware attacks increased 41% in 2019 with 205,000 businesses who lost access to their files.
It’s estimated that a business will fall victim to a ransomware attack every 14 seconds.

The Big Media Incidents

American media company Cox Media Group (CMG) also experienced a cyberattack in June, in which the malicious threat actor encrypted the network servers and forced the systems offline.
Nine Network, a popular name in free-to-air television networks in Australia, was a victim of a cyberattack in March 2021. The attack disrupted the channel’s live broadcasts and its online news website.
Funke Media Group, a large Germany-based newspaper and magazine publisher, was in the news in December 2020 for a ransomware attack. The attack caused operational disruption, and numerous editions of the daily newspaper were not published. Per media reports, the large-scale ransomware attack had encrypted up to 6,000 employee laptops and other endpoints. The entire production network had to be switched off to contain the breach.

The media and entertainment industry runs 24/7 operations and cannot tolerate any downtime. The need to be available online also exposes its networks to cyberattacks and security vulnerabilities. A stronger security posture and a well-planned incident response solution can mitigate the risk and help deter future security incidents.

See also:

Cox Media Group Validates Ransomware Attack that Pulled Down its Broadcasts
Conti Ransomware Attacks on Rise – CISA, FBI, NSA Issue Joint Alert


Sinclair Broadcast Group suffers ransomware attack, breach
October 18, 2021 at 3:08 pm


Sinclair Broadcast Group suffered a ransomware attack that caused massive network disruptions as well as a data breach.

One of the U.S.’s largest publicly traded media companies disclosed the incident Monday after discovering servers and workstations were encrypted with ransomware over the weekend. The investigation into a “potential security incident” started Saturday, but by Sunday it was clear that “certain office and operational networks were disrupted,” according to the company’s statement.

The Maryland-based company did confirm in a statement to its website, as well as an SEC filing Monday, that data was stolen, though the types and volume of data affected are unknown. Ransomware gangs have increasingly employed tactics of encrypting and stealing data in the hopes of further extorting victims into paying.

Sinclair has more than 4,000 employees according to its LinkedIn profile, but the potential impact of the data breach extends beyond the company’s headcount. Founded in 1986, Sinclair operates at least 21 regional sports network brands, and provides services to 185 television stations in 86 markets. While the scope of the breach has yet to be determined, Sinclair said it is working to determine exactly what information the data contained.

That work included implementing an incident response plan with legal counsel and an unnamed cybersecurity forensic firm. In a statement to SearchSecurity, Sinclair said the firm has “assisted other companies in similar circumstances.”

SearchSecurity asked the company for additional information about the incident, including the ransomware variant used in the attack and whether a ransom payment has been made. Sinclair did not comment.

In its statement, the company said it notified law enforcement and other governmental agencies. While an investigation has been launched, it appears fallout from the attack is ongoing.

“The event has caused — and may continue to cause — disruption to parts of the company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers,” the statement said.

One of Sinclair’s affiliates, Fox 17 WZTV, issued a statement on its website regarding how “system-wide network technical difficulties impacted its streaming abilities.”

“We are also currently unable to access our email and your phone calls to the station,” the statement said.

Similarly, WLOS 13 reporter Caitlyn Penter also took to Twitter Monday with email concerns.

“FYI if you email me something I won’t see it. Please call,” the tweet said.

The Sinclair-owned television station issued its own statement to WLOS 13 Twitter as well, addressing technical difficulties that viewers may have experienced.

“This is impacting our live streams and our website. We will share news updates, as we receive them, here on social media,” the tweet read.

According to the Sinclair statement, the company cannot determine the material impact the attack will have on its businesses, operations or financial results. Ransomware attacks have been ramping up since 2020, and Emsisoft threat analyst Brett Callow said other major media companies, including Entercom Communications and Cox Media Group, have been hit in recent years as well as various newspapers. The timing of the attack also lines up with prior ransomware incidents.

“This is another high-profile attack that has occurred over a weekend — something CISA warned about at the end of August,” Callow said in an email to SearchSecurity.

CISA, as well as other governmental agencies including the FBI, have continually warned businesses about ransomware threats. In June, the White House issued its own directive specifically for businesses that included several recommendations and best practices on staying vigilant around ransomware.

It appears Sinclair will use this incident to analyze its security posture. “As the company conducts its investigation, it will look for opportunities to enhance its existing security measures,” the Sinclair statement read.


“Incident Response professionals are working in a high-paced and stressful environment”
By CISOMAG, October 13, 2021 at 7:36 am

The post “Incident Response professionals are working in a high-paced and stressful environment” appeared first on CISO MAG | Cyber Security Magazine.

At the beginning of 2021, when the cybersecurity community was reeling from the aftereffects of the SolarWinds supply chain attack, a new ransomware strain made a disruptive entry. Babuk Locker compromised some of the global corporate networks, encrypted users’ sensitive information, and demanded a lofty ransom of $60,000 to $85,000 in Bitcoins. And since then, ransomware threats have grown in volume and sophistication. It continues to be touted as the “most prominent” threat, crippling the security architecture of critical sectors and SMBs alike. While some companies volunteered to pay the ransom, others focused on building strong incident response and disaster recovery plans.

Pooja Tikekar, Sub Editor at CISO MAG, chatted with Sriram Tarikere, Senior Director with Alvarez & Marsal’s Global Cyber Risk Services in New York, to discuss the need for having well-prepared incident response teams in responding to threats. He also shares ways to respond to a cyber incident in a timely manner, common cloud migration misconceptions, and security predictions for 2022.

Tarikere has over 15 years of experience in executing cybersecurity and privacy risk assessments, ranging from very detailed ISO 27001/NIST, HIPAA, PCI DSS and risk quantification assessments to technical cloud and blockchain secure design and architecture reviews, application and network security assessments, red teaming, threat hunting and social engineering exercises. He has led and coordinated incident response and forensic investigation efforts for some of the largest and most high-profile breaches in the recent past. He also advises clients on some of the most complex cybersecurity initiatives and acts as a trusted security adviser to organizations, C-suite and board members.

Tarikere earned a master’s degree in computer sciences/cybersecurity from New York University. He holds the Chief Information Security Officer (CISO) certificate. He is a CISSP, PCI-QSA, GWAPT, GCIH and ISO 27001 Lead Auditor.

Edited excerpts of the interview follow:

As an information security and incident response professional with over a decade of experience, what are some of the pressing issues you encountered during your career, and more recently?

While the cybersecurity threat landscape is continuously evolving, threat actors are employing more and more sophisticated tactics to attack organizations, and organizations are continuing to bring cybersecurity to the forefront. Below are some critical challenges that organizations continue to encounter to date.

Industry Collaboration: Real-time threat and vulnerability information-sharing and widespread collaboration within the industry.

Cyberattacks due to Emerging Technology: Inability for cybersecurity to keep up with the pace of innovation and rapid change in the technology landscape.

People Problem: Humans are the weakest link in the chain, given their lack of technological understanding.

Senior Executive Buy-in and Engagement: Cybersecurity has always been an afterthought. Although we see a shift in the perspective, we are far from where we need to be.

Supply Chain Risk: Supply chain risk has presented, and continues to present, a significant challenge for organizations.

Cyber Skill Shortage: It’s not just buying tools; it’s investing in people, in their knowledge and ability, that they are prepared to detect, contain, and respond to cyberattacks. Hiring and retaining cybersecurity professionals remains a top challenge for organizations in 2021.

At the end of 2020, the SolarWinds attack blew up the internet. In response, businesses and federal agencies prioritized their cybersecurity budgets and embraced proactive security practices. However, the threat landscape grew manifold in 2021, and supply chains and critical infrastructure continued to incur breaches and ransomware attacks. What, according to you, is the root cause of all this?

Gartner predicts that by 2023, in addition to costing businesses over $50 billion, cyberattackers will have weaponized Operational Technology (OT) systems to the point that they may harm or take a human life.[1] Historically, critical infrastructure has been designed to have its Industrial Control Systems (ICS) isolated and physically separated from the internet and other corporate networks. Furthermore, it was thought that the risk of cyberattacks on critical infrastructure was low because of the highly customized nature of these systems, which required a specialized skill set to understand the architecture of the control system configurations and operate them efficiently.

As more and more organizations modernize their industrial processes by connecting these ICS components to the cloud and the internet to improve system efficiency, and employ open technologies and universal operating systems to reduce the cost of maintenance, they are also unknowingly giving threat actors more ways to compromise these systems through ransomware and extortion attacks.

Per the findings of VMware’s “The State of Incident Response” survey, 49% of organizations lack adequate tools (including staff and expertise) to detect cyberthreats. And it reflects a harrowing scenario in incident response. How can security leaders overcome this core challenge?

With the ever-growing threat landscape and attack vectors that the threat actors will leverage to attack an organization, the ability to detect, triage, contain, and respond to an incident in a timely manner will always be a pain point for the security leaders for the foreseeable future. Some of the ways to alleviate and overcome these challenges are:

Enhance visibility of the system events within the organization.
Implement a structured incident response process. Employ automation wherever possible.
Continue and enhance employee awareness programs to include the latest types of attacks.
Partner with an external incident response firm that has experts in the field and has been doing this day in and day out, to do the heavy lifting during the incident response process.
Partner with key internal stakeholders like legal, finance, crisis communication, and business groups to ensure they are prepared when needed.
Test and practice the incident response process through simulated cyberattack exercises to ensure that the incident response process is working effectively and as designed.

While on this topic, could you shed light on the evolution of incident handling, incident management, and incident response? And what are some of the qualities to look for when hiring incident response personnel?

Knowing the how, why, and where of cyberattacks is a strong quality of the incident response (IR) professional. Having a finger on the pulse of the ongoing threat landscape and different cyberattacks happening across the globe will be a core criterion of any cybersecurity professional.

Problem Solving and Analytical Skills: Not all incidents are similar, and IR professionals need to be able to adapt to changing situations, new leads that are uncovered, and a variety of attack scenarios to respond as quickly as possible. Strong problem-solving and analytical skills coupled with out-of-the-box thinking will aid in their ability to face and resolve the most sophisticated attacks and unexpected situations.

Teaming and Collaboration: IR is a team sport. So, the ability of the member to collaborate and work in a team setting can aid in responding to an incident effectively and efficiently. This is important because these days, attackers have assembled teams of skilled like-minded individuals that have varied levels of experiences and perspectives themselves, so accumulating an internal team in a similar manner enables the organization to quickly identify tactics and anticipate the next move.

Technical Capability: The IR team member will be analyzing a wide range of systems and artifact types, like RAM, network traffic, and many different log sources. The ability to find and correlate the small digital footprints (“breadcrumbs”) left behind any time anyone does something on a system or network is an essential quality of the IR professional. Furthermore, having intrinsic knowledge of the workings of operating systems, kernels, network protocols, middleware, application software, and malware will come in handy when performing advanced forensics and planning the containment and response strategy.

Communications: Although lower on the list, this is as important as, and in some cases more important than, the others. Incident Response professionals are working in a high-paced and stressful environment. The IR personnel should be able to articulate the technical details into something that the executives can understand when updating them on the incident. Furthermore, the IR personnel should provide clear guidance and action items for the other stakeholders like Business Groups, Legal, Crisis Communications, etc., throughout the response process.

It is said, “data is the oil of the 21st century,” and with more business moving online, cloud storage to some extent assures reliability compared to local storage. But is it cost-effective? And how can IT teams alleviate a hasty switch to the cloud and ensure a smooth and secure data migration process?

Organizations need to understand the core concept of maintaining the Confidentiality, Integrity, and Availability of the data they are the guardians of. They can transfer the risk by moving it to the cloud but will not be able to eliminate the risk completely. Organizations will still need to implement appropriate security controls to protect the data in the cloud.

Some of the common misconceptions regarding moving to the cloud are that “the cloud provider is responsible for the security,” “the organization can meet compliance requirements on the cloud,” etc. The organization needs to understand that although a cloud service provider (CSP) provides the necessary tools and technologies required to secure the environment and meet the compliance obligations, it is the responsibility of the organization to do proper due diligence when moving its applications, workloads, and data to the cloud.

It is always recommended that the organizations perform in-depth due diligence of their cloud migration strategy using industry-leading frameworks. Although not a comprehensive list of controls, some of the questions that the due diligence assessment should address are:

WHAT – What data or application is the organization moving? Is it sensitive, regulated, or restricted data?

WHERE – Where will the data be stored? Are there any data protection regulations that restrict the movement of data?

WHO – Who will have access to the application and the underlying data? Will it only be internal resources or any third parties? Will the data be shared publicly or restricted to specific groups of people?

HOW – How will the data be protected? How will the organization detect and respond to the security events/incidents? How will the organization recover the data in the event of an incident? How will the organization protect the Confidentiality, Integrity, and Availability of the data being moved to the cloud?

Cybersecurity is often a fleeting thought for small businesses. And hackers commonly target them because their financial capacity (security budgets) is limited. How can small businesses re-think security preparedness in a post-pandemic world?

Cyberattacks are a growing threat for small businesses. According to the FBI’s Internet Crime Report, the cost of cybercrimes exceeded $4.1 billion in 2020 alone.[2] Small businesses are attractive targets because they have sensitive information that threat actors can leverage without breaking into security infrastructures like those of big enterprises and corporations. Cyberthreat vectors are constantly evolving, but some of the most common types of attacks that small business owners should be aware of are malware infection, viruses, business email compromise (BEC), ransomware, and phishing.

Cyber Hygiene: Organizations and their leadership should have a holistic view of their critical assets, systems, services, and third-party partners to determine the security risk and exposure. Hence, the organization must maintain strong cyber hygiene by keeping an inventory of critical assets, ensuring that their systems are patched and protected, and continuously monitoring for security threats.

Multi-factor Authentication (MFA): Enforce Multi-factor Authentication on accounts that store, process, or transmit sensitive information. It is always recommended to enable and enforce MFA on all internet-facing resources of the organization.

Security Awareness Training: Educate the employees to create strong passwords, follow good browsing practices, avoid suspicious downloads, protect sensitive customer, employee, and vendor information, spot phishing emails, and maintain good cyber hygiene. Perform periodic training on cybersecurity best practices for the employees.

Supply Chain Risk Management: Organizations should evaluate their current business partners and vendors and the level of access they have to their IT systems, network, and data. Ensure that the partners have sufficient security controls to protect the organization’s assets.

Protect sensitive data and back up the rest: Identify the critical data for the organization and ensure that it is backed up to a secure location on a continuous basis. If possible, also back up the data to an offsite location periodically, in case the online copy is corrupted or unusable. Consider rendering the sensitive data unreadable when possible.

Secure Payment Processing and Fund Transfer: Work with the banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. Isolate the systems that store, process, or transmit payment information from other systems within the organization. Implement strong validation checks and controls when making vendor payments to protect the organization from wire transfer fraud.

DHS offers free cybersecurity toolkits: the Risk and Vulnerability Scanning and Phishing Campaign Assessment toolkit at https://us-cert.cisa.gov/resources/ncats and the Supply Chain Risk Management Toolkit at https://www.cisa.gov/ict-supply-chain-toolkit.

Could you give us your top cybersecurity predictions for the remainder of 2021?

Considering that the cyber threat landscape is continuously evolving, one cannot make true predictions on where the industry is heading. However, trends and security research by various organizations indicate that:

Ransomware threats will continue to dominate the rest of 2021 and into 2022. Cyberthreat actors will continue to get creative, and their attacks will become more sophisticated to ensure that the organizations cannot recover normal business operations without paying the ransom.
Social engineering, specifically phishing, will continue to dominate the mode of infiltration for the foreseeable future until organizations enforce a multi-layered defense approach to protect their users from falling prey to such social engineering attacks.
Supply chain risks will be at the forefront with organizations evaluating their exposure and ability to protect and respond to attacks to or via their third-party partners.
Even though cyberattacks continue to occur, cybersecurity investments will continue to rise. Organizations and solution providers will continue to innovate to stay ahead of the curve. Governments and law enforcement agencies will step in and propose policy solutions to protect their economies and organizations from ransomware extortion attacks.

Note: Views or opinions expressed by the interviewee are his own and do not represent those of the people, institutions, or organizations that the interviewee may or may not be associated with in a professional or personal capacity, unless explicitly stated.

About the Author

Pooja Tikekar is the Sub Editor at CISO MAG, responsible for quality control. She also presents C-suite interviews and writes news features on cybersecurity trends.


The post “Incident Response professionals are working in a high-paced and stressful environment” appeared first on CISO MAG | Cyber Security Magazine.


Coinbase Confirms Security Incident Affecting 6,000 Users
CISO MAG, October 6, 2021

The post Coinbase Confirms Security Incident Affecting 6,000 Users appeared first on CISO MAG | Cyber Security Magazine.

Popular cryptocurrency exchange Coinbase admitted that unknown intruders bypassed its multi-factor authentication (MFA) mechanism to steal crypto funds from over 6,000 users.

“Unfortunately, between March and May 20, 2021, you were a victim of a third-party campaign to gain unauthorized access to the accounts of Coinbase customers and move customer funds off the Coinbase platform. At least 6,000 Coinbase customers had funds removed from their accounts, including you,” Coinbase said in an official notice sent to its customers.

Vulnerability in MFA Feature

Threat actors reportedly exploited a bug in Coinbase’s SMS MFA feature to compromise user accounts and pilfer cryptocurrency. The flaw reportedly allowed hackers to receive the victims’ 2FA tokens via SMS. Third parties required prior knowledge of the email address, password, and phone number associated with the Coinbase account, as well as access to the customer’s email account. While it is still unknown how the hackers obtained the user credentials, Coinbase stated that attackers could have leveraged phishing or social engineering techniques to trick victims into unknowingly disclosing login credentials.

“We have not found any evidence that these third parties obtained this information from Coinbase itself. Even with the information described above, additional authentication is required to access your Coinbase account. However, in this incident, for customers who use SMS texts for two-factor authentication, the third-party took advantage of a flaw in Coinbase’s SMS Account Recovery process to receive an SMS two-factor authentication token and gain access to your account,” Coinbase added.

Information Exposed

The intruders who have accessed Coinbase accounts can view sensitive user information such as full name, email address, home address, date of birth, IP addresses for account activity, transaction history, account holdings, and balance. They may also alter users’ account details like email, phone number, or other information associated with their account to transfer funds illicitly. Coinbase clarified that it is working to restore any changes made by attackers to customer accounts.

Mitigation

Coinbase immediately updated its SMS Account Recovery protocols to prevent further bypassing of the authentication procedures. The company also announced that it deposited funds into the affected user accounts along with free credit monitoring services. While the threat actors behind the security incident are unknown, Coinbase stated it’s closely working with law enforcement authorities to investigate the incident.

Meanwhile, the company urged its customers to update their login credentials and to use a more robust second factor, such as a time-based one-time password (TOTP) or a hardware security key.


Conti Ransomware Group Reportedly Stole 1.5TB Of Data from JVCKenwood
CISOMAG, October 2, 2021 at 5:30 am

The post Conti Ransomware Group Reportedly Stole 1.5TB Of Data from JVCKenwood appeared first on CISO MAG | Cyber Security Magazine.

Multinational electronics firm JVCKenwood admitted that it had been hit by a security incident that affected some of its operations in Europe. The company also acknowledged a possible breach of sensitive information during the cyberattack, but said there is no sign of a customer data leak at present. Several security experts suspect that the Conti ransomware group is behind the incident.

Based in Japan, JVCKenwood is known for its brands JVC, Kenwood, and Victor, which provide equipment to automobile and health care organizations.

“JVCKenwood detected unauthorized access on September 22, 2021, to the servers operated by some of the JVCKENWOOD Group’s sales companies in Europe. It was found that there was a possibility of information leak by the third-party who made the unauthorized access,” the company said in an official statement.

Conti Ransomware Attack

While JVCKenwood is still investigating the incident, multiple reports claimed that Conti ransomware attackers compromised the company’s critical networks and stole over 1.7 TB of data. The attackers reportedly demanded a $7 million ransom to decrypt the critical files.

Conti is a Russian-speaking ransomware group that has reportedly victimized more than 400 organizations worldwide, 290 of them in the U.S. alone. Conti attackers infiltrate victim networks through phishing emails (malicious links or attachments) or stolen or cracked remote desktop protocol (RDP) credentials. Their average recorded dwell time in a victim’s network ranges from four days to three weeks. The highest recorded bid of the Conti ransomware gang stands at $25 million.

CISA, FBI, and NSA Warn About Conti Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI alerted users and organizations about the rise of Conti ransomware attacks.

Protect against the #Conti #ransomware threat using the #cybersecurity guidance from @CISAgov, @FBI and NSA. Understand Conti group TTPs and take immediate action: https://t.co/Fa1jQdtyoP pic.twitter.com/3Tt3GVorkU

— NSA Cyber (@NSACyber) September 22, 2021

To secure organizations’ critical systems against Conti ransomware, the agencies recommended certain security mitigations such as enabling multi-factor authentication, implementing network segmentation, and keeping operating systems and software up to date.


Personal Data of 106 Mn Visitors to Thailand Left Exposed Online
CISOMAG, September 22, 2021 at 9:35 am

The post Personal Data of 106 Mn Visitors to Thailand Left Exposed Online appeared first on CISO MAG | Cyber Security Magazine.

Thailand is one of the popular tourist destinations with a large number of visitors from across the world. While the country is looking forward to welcoming tourists post-pandemic, a recent data breach incident has left a bitter experience among millions of travelers who visited Thailand in the last 10 years.

Bob Diachenko, cybersecurity researcher and security leader at Comparitech, discovered an unprotected Elasticsearch server exposing the personal data of over 106 million international travelers to Thailand. The unsecured database, which included tourists’ sensitive information such as full names, passport numbers, and arrival dates, was reachable online without authentication, allowing anyone to access the data. Diachenko also confirmed that the exposed server contained his own name and entries to Thailand. The database has since been secured after he reported the issue to the Thai authorities.

Diachenko claimed that any tourist who traveled to Thailand in the last 10 years might have had their personal data exposed in the incident.

What was exposed in the breach

The database hosted over 200GB of users’ data (more than 106 million records). The exposed information included:

Date of arrival in Thailand
Full name
Sex
Passport number
Residency status
Visa type
Thai arrival card number

The Breach Impact

The Thai authorities stated that there is no sign of any misuse of the leaked data. While no financial data was leaked in the incident, the other exposed information could lead to various security risks if threat actors access it.

“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects. No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive. For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own,” Diachenko stated.

Unsecure Databases Attract Threat Actors

Threat actors are always on the hunt for unsecured servers. In this case, there is no evidence of how long the database was left exposed before Diachenko’s disclosure. Since the database was secured, a honeypot has been put in its place to monitor intrusion attempts.

“Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot as of the time of writing. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added.

A honeypot is a security mechanism used to detect or counteract unauthorized intrusions into network and information systems. An earlier honeypot experiment by Comparitech found that attackers locate and access unprotected databases within hours. The company set up a honeypot to measure how quickly attackers would strike an Elasticsearch server holding a dummy database with fake data. Comparitech left the data exposed from May 11 until May 22, 2020. It recorded 175 attacks in the first eight hours after the server was deployed, with the number of attacks in a single day totaling 22.
