ChatGPT: A Valuable Ally for Your Information Security Team

One of the best ways to learn to use ChatGPT and other systems is to simply ask them how they can help you. Here is an example:

Prompt: 

Please write a blog post with some examples of things that ChatGPT could do to help an information security team. For each thing, write one or more sample prompts that they could use to get started. Please output in plain text without any markup or specialized formatting.

Response:

Title: ChatGPT: A Valuable Ally for Your Information Security Team

In a digital age where threats to information security are ever-evolving, having a well-rounded defense strategy is crucial. Among the plethora of tools and resources available, ChatGPT, developed by OpenAI, emerges as a valuable ally for information security teams. Here are some ways ChatGPT could assist in bolstering your organization’s cybersecurity measures, along with sample prompts to kickstart these initiatives:

1. Threat Intelligence Analysis
– Sample Prompt: “Identify recent cyber threats relevant to our industry and summarize their characteristics and potential impact.”

2. Phishing Detection Training
– Sample Prompt: “Generate examples of phishing emails related to our company, and explain how to distinguish them from legitimate communications.”

3. Automated Reporting of Security Incidents
– Sample Prompt: “Develop a script for collecting and formatting data related to security incidents for easier analysis and reporting.”

4. Policy and Compliance Documentation
– Sample Prompt: “Help draft a comprehensive Acceptable Use Policy that aligns with industry standards and regulatory requirements.”

5. Security Awareness Training Material Development
– Sample Prompt: “Create engaging training materials to educate employees about cybersecurity best practices and organizational policies.”

6. Log Analysis and Anomaly Detection
– Sample Prompt: “Analyze these system logs to identify any unusual activities and potentially malicious behavior.”

7. Password Policy Enforcement
– Sample Prompt: “Develop a communication to educate employees about our new password policy and the importance of strong, unique passwords.”

8. Incident Response Plan Development
– Sample Prompt: “Assist in drafting an Incident Response Plan outlining the steps to be taken in the event of a security breach.”

9. Vulnerability Assessment
– Sample Prompt: “Provide a checklist for conducting a vulnerability assessment of our network and systems.”

10. Security Tool Evaluation
– Sample Prompt: “Research and compare different cybersecurity solutions to help us decide which tools would best meet our security needs.”

ChatGPT can be a remarkable asset for information security teams, aiding in a multitude of tasks ranging from threat intelligence analysis to policy documentation. By integrating ChatGPT into your cybersecurity strategy, you stand to not only enhance your defense against cyber threats but also free up valuable time for your security personnel to focus on more complex, critical aspects of your organization’s security posture.

Summary:

Learning to use these AI tools is easy if you ask them for help. Learning to use them properly will go a long way toward increasing your productivity. 

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

What to Look For in a DHCP Log Security Audit

Examining the DHCP logs

In today’s ever-evolving technology landscape, information security professionals face numerous challenges in ensuring the integrity and security of network infrastructures. As servers and devices communicate within networks, one crucial element to consider is DHCP (Dynamic Host Configuration Protocol) logs. These logs provide valuable insights into network activity, aiding in identifying security issues and potential threats. Examining DHCP logs through a thorough security audit is a critical step that can help organizations pinpoint vulnerabilities and effectively mitigate risks.

Why are DHCP Logs Important?

DHCP servers are central in assigning IP addresses and managing network resources. By constantly logging activities, DHCP servers enable administrators to track device connections, detect unauthorized access attempts, and identify abnormal network behavior. Consequently, DHCP logs clarify network utilization, application performance, and potential security incidents, making them a vital resource for information security professionals.

What Security Issues Can Be Identified in DHCP Logs?

When analyzing DHCP logs, security professionals should look for several key indicators of potential security concerns. These may include IP address conflicts, unauthorized IP address allocations, rogue DHCP servers, and abnormal DHCP server configurations. Additionally, DHCP logs can help uncover DoS (Denial of Service) attacks, attempts to bypass network access controls, and instances of network reconnaissance in some circumstances.

In conclusion, conducting a comprehensive security audit of DHCP logs is an essential practice for information security professionals. By leveraging the data contained within these logs, organizations can identify and respond to potential threats, ensuring the overall security and stability of their network infrastructure. Stay tuned for our upcoming blog posts, where we will delve deeper into the crucial aspects of DHCP log analysis and its role in fortifying network defenses.

Parsing the List of Events Logged

When conducting a DHCP log security audit, information security professionals must effectively parse the list of events logged to extract valuable insights and identify potential security issues.

To parse the logs and turn them into easily examined data, obtain the log files from the DHCP server. These log files are typically stored in a default logging path specified in the server parameters. Once acquired, the logs can be examined using various tools, including the server management console or event log viewer.

Begin by analyzing the log entries for critical events such as IP address conflicts, unauthorized IP address allocations, and abnormal DHCP server configurations. Look for any indications of rogue DHCP servers, as they can pose a significant security risk.

Furthermore, pay close attention to entries related to network reconnaissance, attempts to bypass network access controls and DoS attacks. These events can potentially reveal targeted attacks or malicious activities within the network.

By effectively parsing the list of events logged, information security professionals can uncover potential security issues, identify malicious activities, and take necessary measures to mitigate risks and protect the network infrastructure. It is crucial to remain vigilant and regularly conduct DHCP log audits to ensure the ongoing security of the network.

Heuristics that Represent Malicious Behaviors

When conducting a DHCP log security audit, information security professionals should look for specific heuristics representing potentially malicious behaviors. These heuristics can help identify security issues and prevent potential threats. It’s essential to understand what these heuristics mean and how to investigate them further.

Some examples of potentially malicious DHCP log events include:

1. Multiple DHCP Server Responses: This occurs when multiple devices on the network respond to DHCP requests, indicating the presence of rogue DHCP servers. Investigate the IP addresses associated with these responses to identify the unauthorized server and mitigate the security risk.

2. IP Address Pool Exhaustion: This event indicates that all available IP addresses in a subnet have been allocated or exhausted. It could suggest an unauthorized device or an unexpected influx of devices on the network. Investigate the cause and take appropriate actions to address the issue.

3. Unusual DHCP Lease Durations: DHCP lease durations outside the normal range can be suspicious. Short lease durations may indicate an attacker attempting to maintain control over an IP address. Long lease durations could suggest an attempt to evade IP address tracking. Investigate these events to identify any potential malicious activities.

Summary

A DHCP log security audit is crucial for information security professionals to detect and mitigate potential threats within their network. By analyzing DHCP log events, security teams can uncover malicious activities and take appropriate actions to protect their systems.

In this audit, several DHCP log events should be closely examined. One such event is multiple DHCP server responses, indicating the presence of rogue DHCP servers. Investigating the IP addresses associated with these responses can help identify unauthorized servers and address the security risk.

Another event that requires attention is IP address pool exhaustion. This event suggests the allocation of all available IP addresses in a subnet or an unexpected increase in devices on the network. Identifying the cause of this occurrence is vital to mitigate any potential security threats.

Unusual DHCP lease durations are also worth investigating. Short lease durations may suggest an attacker’s attempt to maintain control over an IP address, while long lease durations could indicate an effort to evade IP address tracking.

By conducting a thorough DHCP log security audit, security teams can proactively protect their networks from unauthorized devices, rogue servers, and potential malicious activities. Monitoring and analyzing DHCP log events should be an essential part of any organization’s overall security strategy.

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

Keeping Track of Your Attack Surfaces

In the modern, digitally connected realm, the phrase “out of sight, out of mind” could have calamitous implications for organizations. As cyber adversaries incessantly evolve in their nefarious techniques, staying ahead in the cybersecurity arms race is imperative. One robust strategy that has emerged on the horizon is Continuous Threat Exposure Management (CTEM) programs. These programs are pivotal in enabling organizations to meticulously understand and manage their attack surface, thus forming a resilient shield against malicious onslaughts such as ransomware attacks.

A deeper dive into CTEM unveils its essence: it’s an ongoing vigilance protocol rather than a one-off checklist. CTEM programs provide a lucid view of the potential vulnerabilities and exposures that adversaries could exploit by continuously scanning, analyzing, and evaluating the organization’s digital footprint. This proactive approach transcends the conventional reactive models, paving the way for a fortified cybersecurity posture.

Linking the dots between CTEM and ransomware mitigation reveals a compelling narrative. Ransomware attacks have metamorphosed into a menace that spares no industry. The grim repercussions of these attacks underscore the urgency for proactive threat management. As elucidated in our previous blog post on preventing and mitigating ransomware attacks, a proactive stance is worth its weight in digital gold. Continuous Threat Exposure Management acts as a linchpin in this endeavor by offering a dynamic, real-time insight into the organization’s attack surface, enabling timely identification and remediation of vulnerabilities.

MicroSolved (MSI) stands at the forefront in championing the cause of proactive cybersecurity through its avant-garde CTEM solutions. Our offerings are meticulously crafted to provide a panoramic view of your attack surface, ensuring no stone is left unturned in identifying and mitigating potential threats. The amalgamation of cutting-edge technology with seasoned expertise empowers organizations to stay several strides ahead of cyber adversaries.

As cyber threats loom larger, embracing Continuous Threat Exposure Management is not just an option but a quintessential necessity. The journey towards a robust cybersecurity posture begins with a single step: understanding your attack surface through a lens of continuous vigilance.

We invite you to contact MicroSolved (MSI) to explore how our CTEM solutions can be the cornerstone in your quest for cyber resilience. Our adept team is poised to guide you through a tailored roadmap that aligns with your unique organizational needs and objectives. The digital realm is fraught with peril, but with MicroSolved by your side, you can navigate through it with confidence and assurance.

Contact us today and embark on a journey towards transcending the conventional boundaries of cybersecurity, ensuring a safe and secure digital sojourn for your organization.

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

Safeguarding Your SSH Configurations with ssh-audit

In the vast ocean of network security, SSH (Secure Shell) stands as a towering lighthouse guarding the data traffic to and from your servers. However, how do you ensure that this lighthouse is in optimal condition? Enter ssh-audit, a tool for auditing your SSH server and client configurations.

Ssh-audit supports SSH1 and SSH2 protocol servers, diving deep into the SSH configurations to grab banners, recognize the software and operating systems involved, and even detect compression settings. It gathers information on key exchanges, host keys, encryption, and message authentication code algorithms, providing a comprehensive report on their status.

Getting started with ssh-audit is a breeze. Clone the repository from GitHub, and with a few commands in your terminal, you’re on your way to auditing your SSH configurations. The tool fetches algorithm information, outputting details such as availability, removal or disabling status, and security strength (unsafe, weak, legacy, etc). Moreover, it provides algorithm recommendations based on the recognized software version, aligning your settings with industry standards.

The icing on the cake? Ssh-audit outputs security information, including related issues and assigned CVE (Common Vulnerabilities and Exposures) list, offering you a clear picture of the security posture of your SSH setups.

With ssh-audit, not only do you get to audit your SSH configurations, but you also receive actionable insights to harden your SSH setups against potential threats. So, the next time you’re looking to bolster your network security, try ssh-audit and sail smoothly in the turbulent waters of cyber threats.

Note that MSI has no relationship with the tool or the authors. We just found the tool useful for infosec teams.

 * Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

Some Thoughts on Security Policy Violation and Terminations

There was recently a discussion on one of my forums that I visited about whether or not employees should be terminated if they violate information security policies. 

The discussion was heated by some parties, and the threads grew long and multi-layered. 

I asked Frase.io to summarize that discussion and pull together a relevant set of ideas stemming from it. Here is what the AI tool created:

Following information security policies is crucial for the protection of sensitive data and the overall cybersecurity of a company. Therefore, it is important to discuss whether employees should face consequences for not adhering to these policies.
When employees fail to follow information security policies, it can put the entire organization at risk. The consequences of a data breach can be severe, including financial loss, damage to reputation, and legal implications. Therefore, some argue that firing employees who do not comply with these policies is necessary to maintain a secure work environment.
On the other hand, it is essential to consider the context and severity of the violation before deciding on termination. Employees may unintentionally make mistakes or be unaware of the policies, in which case education and training may be more appropriate than immediate termination.
Implementing a fair and consistent approach to enforcing information security policies is crucial. This includes clear communication of expectations, regular training programs, and providing employees with the necessary tools and resources to comply with policies.
Ultimately, the decision to fire an employee for not following information security policies should be based on a thorough assessment of the situation. It is important to balance the need for security with fairness and understanding, considering the employee’s intentions, previous behavior, and potential for improvement.

After all of the rhetoric and the flames, this seems to be a rational approach to me. I think that stripped of the emotions of the participating infosec practitioners; there is logic here that is useful. 

What do you think about termination for security policy violations? What have you seen that works, and what doesn’t in your experience? Drop me a line on Twitter (@lbhuston) or Mastodon (@lbhuston@mastodon.social) and let me know your opinion.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

5 Fun-tastic Fall Activities for Information Security Teams

 

Fall is in the air, and along with pumpkin spice lattes and cozy sweaters, it’s also the perfect time for information security teams to step out of their digital shells and engage with other departments in their organizations. While security is serious business, there’s no harm in adding a dash of fun to foster better collaboration and understanding. Here are five light-hearted yet factual activities to spice up your information security team’s fall:

1. Cybersecurity Pumpkin Carving Contest

Unleash your inner artist and host a cybersecurity-themed pumpkin carving contest. Encourage teams from all departments to carve out their favorite security tools, icons, or even infamous cyber villains. Not only does this activity tap into everyone’s creative side, but it also sparks conversations about the importance of protecting the digital realm while having a gourd time!

2. “Escape the Phishing” Maze

Turn the concept of an escape room into an interactive cybersecurity challenge. Create a “phishing” maze where participants need to navigate through a series of puzzles and scenarios related to online security. This activity not only educates participants about the dangers of phishing attacks but also gets them working together to solve problems, fostering team spirit.

3. Crypto Treasure Hunt

Transform your office space into a treasure hunting ground by organizing a crypto-themed treasure hunt. Provide clues related to encryption, decryption, and security best practices that lead teams from one clue to another. Not only does this activity promote learning about cryptography, but it also encourages friendly competition among departments.

4. Security Awareness Fair

Set up a “Security Awareness Fair” in your office’s common area. Each department can have its own booth showcasing their approach to security. From IT’s “Spot the Vulnerability” game to HR’s “Password Strength Analyzer,” everyone gets to display their security prowess in a fun and informative way. This fair promotes cross-departmental engagement and ensures that everyone learns a thing or two about cybersecurity.

5. Cyber Movie Night

Host a cybersecurity-themed movie night with popcorn and cozy blankets. Screen movies like “Hackers,” “WarGames,” or even cybersecurity documentaries. After the movie, encourage lively discussions about what’s accurate and what’s exaggerated in the portrayal of hacking and security. It’s a laid-back way to bridge the gap between tech-savvy and non-technical teams.

Remember, the goal of these activities isn’t just to have fun, but to build bridges between information security teams and other departments. By approaching cybersecurity engagement with a light-hearted touch, you’re more likely to break down barriers, share knowledge, and create a culture of collaboration that lasts beyond the fall season. So, gear up for a season of learning, laughter, and interdepartmental camaraderie!

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

3 Daily Habits for Information Security Practitioners to Stay Updated

  1. Stay Informed with Industry News:
    • Why? The cybersecurity landscape is ever-evolving. New threats, vulnerabilities, and attack vectors emerge daily.
    • How?
      • Subscribe to cybersecurity news websites and blogs like KrebsOnSecurity, The Hacker News, or Dark Reading.
      • Join forums and online communities like Reddit’s r/netsec or Stack Exchange’s Information Security.
      • Set up Google Alerts for specific cybersecurity keywords to get real-time updates.
  2. Engage in Continuous Learning:
    • Why? Technologies and tools in the cybersecurity domain are constantly advancing. To remain effective, professionals must keep up with the latest techniques and methodologies.
    • How?
      • Dedicate time each day to learn something new, whether it’s a new programming language, a cybersecurity tool, or a security protocol.
      • Enroll in online courses or webinars. Platforms like Coursera, Udemy, and Cybrary offer many courses tailored for cybersecurity professionals.
      • Participate in Capture The Flag (CTF) challenges or cybersecurity simulations to hone your skills in a practical environment.
  3. Network with Peers:
    • Why? Networking helps share knowledge, learn about real-world challenges, and understand best practices from experienced professionals.
    • How?
      • Attend local or virtual cybersecurity meetups, conferences, and seminars.
      • Join professional organizations such as (ISC)², ISACA, or the Information Systems Security Association (ISSA).
      • Engage in discussions on LinkedIn groups or Twitter threads related to cybersecurity.

Remember, the field of information security is vast and dynamic. By integrating these habits into your daily routine, you’ll be better equipped to stay ahead of the curve and safeguard your organization’s digital assets.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

Brent’s Interview About His Most Recent Book

 

Introduction

In today’s digital age, the importance of cyber-security cannot be overstated. With threats evolving at an unprecedented rate, organizations need to be proactive in their approach to safeguarding their assets. “We Need To Talk: 52 Weeks To Better Cyber-Security” by L. Brent Huston offers a comprehensive guide to navigating the complex world of cyber-security. We sat down with the author to delve deeper into the inspiration, content, and significance of this book.

Interview

Q1: What inspired you to write “We Need To Talk: 52 Weeks To Better Cyber-Security”?

A1: As a virtual CISO and 30+ year security practitioner, I know how important it is to keep the security team engaged with one another, encourage open discussions, and do continual learning. I wrote the book to give security teams a good basis for these discussions every week for a year. Covering the basics and letting the team discuss sticking points and areas for improvement has led my clients to identify some interesting trends and rapidly mature their security programs. I think, literally, “We Need To Talk”. We need it as practitioners, individuals, teams, and organizations. This is a stressful, detail-oriented, rapid-change business, and talking helps nearly everyone involved.

Q2: Why did you feel it was essential to provide such a comprehensive view of cyber-security?

A2: So much of what we do is complex and touches multiple areas of our organization that we must bring the basics to each. I picked the topics for discussion in the book to address the high-level, technical, and procedural controls that almost every organization needs. I threw in some of the more tenacious topics I’ve encountered in my career and a few curve balls that have bitten us over the years. Information security and risk management are broad-spectrum careers, and we need a broad spectrum of topics to help security teams be successful.

Q3: Can you elaborate on how the structure of the book facilitates this year-long journey?

A3: This is a great question. The book idealizes a weekly security team meeting where the team discusses one of the topics and why it is relevant and then works through a series of questions to help them hone and refine their security program. The book includes a topic for each week, appropriate background information about that topic, and a set of questions for discussion by the team. As I piloted the book with my clients, it became clear that these were ultra-powerful discussions and led to some amazing insights. I knew then that I had to write and put the book out there to benefit security teams and practitioners.

Q4: How did leveraging AI tools shape the content and structure of the book?

A4: I used several AI tools to help generate the content of the book. It was written programmatically, in that I wrote some programming to leverage an AI backend to generate the questions and background information for each topic. I then adjusted the code and moderated the output until I got the book I wanted. It took a while, but it was fantastic when completed. I wanted to experiment with writing with AI tools, and since I knew the book I wanted to create had a specific format and content, it seemed like a good experiment. Ultimately, I learned much about working with AI and using Grammarly for editing and self-publishing. I have been absolutely thrilled with the response to the book and how the experiment turned out. In fact, it gave birth to another project that I am just beginning and will pave the way for some exciting new breakthroughs in how to work with AI tools in the coming years.

Q5: What is the one core message or lesson from your book that you’d like security teams to take away?

A5: The one takeaway I would have them consider is that discussion among the security team can really help a lot of the team members and the organization at large. We need to talk more about the work we do, both inside our teams and to the other teams we work with across the enterprise. The more we discuss, the more likely we can support each other and find the best solutions to our common problems and issues. Implementing the strategies, tactics, and insights we discover along the way might just be the change we need to make information security more effective, easier to manage, and even more fun!

Summary

L. Brent Huston’s “We Need To Talk: 52 Weeks To Better Cyber-Security” is more than just a book; it’s a roadmap for security teams to navigate the intricate maze of cyber-security. Through structured discussions, the book aims to foster collaboration, understanding, and growth among security professionals. With the unique blend of AI-generated content and Huston’s vast experience, this book promises to be an invaluable resource for those in the field.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

3 Essential Tips for Enhancing Site-to-Site VPN Security

 

Site-to-site VPNs are a crucial tool for securing communication between different network locations. To ensure the utmost security for your VPN connections, consider implementing these three key suggestions:

1. Select Strong Secrets or Secure Certificates

The foundation of any secure site-to-site VPN is the authentication mechanism. Opt for strong pre-shared keys or secure digital certificates when configuring your VPN. Using weak passwords or keys can leave your VPN vulnerable to attacks. Remember, a strong password should be lengthy, complex, and incorporate a mix of letters, numbers, and special characters. Alternatively, employing secure certificates provides an added layer of protection as they are difficult to intercept or guess.

2. Implement Modern, Peer-Reviewed Cryptography

Ensure that your site-to-site VPN employs modern encryption protocols have been rigorously reviewed by the security community. Protocols like IKEv2/IPsec are popular choices that offer robust encryption and authentication mechanisms. Peer-reviewed cryptography guarantees that the algorithms have undergone extensive scrutiny and are less likely to contain vulnerabilities or backdoors. Currently, AES is the suggested cryptographic mechanism for most VPNs. DES and 3DES should be eliminated wherever possible.

3. Create Proper Firewall Rules or ACLs

Managing traffic over your VPN connection is essential for maintaining a secure network environment. Utilize firewall rules or Access Control Lists (ACLs) to carefully regulate data flow between connected sites. You can prevent unauthorized access and potential breaches by explicitly defining what types of traffic are permitted and denied. Regularly review and update these rules to adapt to changing security requirements.

In Conclusion

Enhancing your site-to-site VPN’s security involves strong authentication, robust encryption, and intelligent traffic management. By selecting strong secrets or certificates, implementing modern cryptography, and creating well-defined firewall rules, you can significantly bolster the security of your VPN connections. Securing your network is an ongoing process, so staying updated on the latest security practices and adapting your configurations is essential.

Implement these tips today to build a resilient and secure site-to-site VPN that safeguards sensitive data and ensures seamless communication between your network locations.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

Preventing and Mitigating Ransomware Attacks Part Two

In my last installment, I outlined guidance for the first three ransomware initial attack vectors detailed in the MS-ISAC #StopRansomware guide. In this paper I will outline the last three initial attacks vectors found in the guide. The fourth vector they deal with is Precursor Malware Infections.

Researchers have found that ransomware infections are usually preceded by reconnaissance malicious code that lays the groundwork for the full ransomware attack to come. In some cases, ransomware deployment is the last step in a network compromise and is dropped to obscure previous post-compromise activities such as business email compromise. These malicious code packages have been dubbed ‘precursor malware.’ For example, malware such as Qakbot, Bumblebee and Emotet have been employed as precursors to ransomware attacks. Identifying and remediating such precursor malware can alert you to the possibility of an imminent ransomware attack, and can help you prevent the full ransomware attack from actually happening. For this attack vector, the guide recommends:

  • Ensuring that antivirus and anti-malware software and signatures are automatically updated. In fact, the authoring organizations go one step further and recommend using a centrally managed antivirus solution.
  • Using application allowlisting and/or endpoint detection and response (EDR) solutions on all assets to ensure that only authorized software is executable, and all unauthorized software is blocked. Application allowlisting is deeper than traditional application control solutions and works at the file level to screen against unwanted applications. EDR is cybersecurity technology that monitors and responds to threats on endpoints such as mobile phones, laptops and IoT devices that connect to your network. This is recommended for cloud-based resources.
  • Implementing IDS systems. These can be used to detect command and control activity and other potentially malicious network activity that occurs prior to ransomware deployment.
  • Monitor indicators of activity and block malware file creation with the Windows Sysmon utility. Sysmon has a file block executable option that can used to block the creation of malicious executables, DLL files, and system files that match specific hash values.

The fifth initial attack vectors listed in the #StopRansomware Guide is advanced forms of social engineering. Advanced forms of social engineering attacks include tactics such as search engine optimization (SEO) poisoning, imposter websites (drive-by downloads) and malvertising (malicious advertising). All of these techniques are used to extract information from users or to provide an avenue for attackers to inject malware into the network. To help counter this threat vector, the guide recommends:

  • Ensuring that you have a good cybersecurity awareness training program that schools your employees in how to recognize and report advanced social engineering attempts against your network.
  • Employing a protective DNS service. A protective DNS service is any security service that analyzes DNS queries to identify and mitigate threats.
  • Implementing sandboxed browsers to help thwart malware that can be introduced through web browsing. Sandboxed browsers isolate the host machine from malicious code.

The sixth initial attack vector listed in the #StopRansomware guide is one that is on everyone’s mind since the MOVEit attacks started: third parties and managed service providers. In the modern business world, organizations are employing ever-increasing numbers of third-party software packages and managed service providers to perform all kinds of tasks for them. To be effective, these services need access to internal network information and devices, and become in effect a part of your internal network. This increases the attack surfaces available to ransomware attackers immensely. To help thwart these kinds of attacks, the guide recommends:

  • Examining the risk management and cyber hygiene practices employed by managed service providers (MSPs) to ensure they are in line with best practices and your organization’s security requirements. They also recommend that you formalize security requirements in contract language with these providers.
  • Ensuring the use of least privilege and separation of duties when setting up access of third parties. They should only be allowed access to those devices and servers that are within their role or responsibilities.
  • Creating service control policies (SCPs) for cloud-based resources to prevent users or roles, organization wide, from being able to access specific services or take specific actions within services such as deleting logs or changing configurations outside of their role.

Implementing the recommendations found in the #StopRansomware guide encompasses the best advice available to date for preventing and mitigating ransomware attacks against your organization, and will help you remain competitive in the markets of today.