Category Archives: Risk Management

High-Level FAQ on Attack Surface Mapping

Posted on by
Reply

Q:What is attack surface mapping?

A: Attack surface mapping is a technique used to identify and assess potential attack vectors on a system or network. It involves identifying and analyzing the various components, data flows, and security controls of a system to identify potential vulnerabilities.

Q:What are the benefits of attack surface mapping?

A:Attack surface mapping helps organizations to better understand their security posture, identify weaknesses, and deploy appropriate controls. It can also help reduce risk by providing visibility into the system’s attack surface, allowing organizations to better prepare for potential threats.

Q:What are the components involved in attack surface mapping?

A: Attack surface mapping involves examining the various components of a system or network, including hardware, software, infrastructure, data flows, and security controls. It also includes evaluating the system’s current security posture, identifying potential attack vectors, and deploying appropriate controls.

Q:What techniques are used in attack surface mapping?

A: Attack surface mapping typically involves using visual representations such as mind-maps, heat maps, and photos to illustrate the various components and data flows of a system. In addition, it may involve using video demonstrations to show how potential vulnerabilities can be exploited.

How Information Security and Risk Management Teams Can Support FinOps

Posted on by
Reply

As organizations continue to move their operations to cloud services, it is becoming increasingly important for information security and risk management teams to understand how they can support financial operations (FinOps). FinOps is a management practice that promotes shared responsibility for an organization’s cloud computing infrastructure and cloud cost management. In this post, we will explore some ways in which the information security and risk management team can support FinOps initiatives.

1. Establishing Governance: Information security and risk management teams can play a vital role in helping FinOps teams establish effective governance. This includes creating a framework for budget management, setting up policies and procedures for cloud resource usage, and ensuring that all cloud infrastructure is secure and meets compliance requirements.

2. Security Awareness Training: Information security and risk management teams can provide security awareness training to ensure that all cloud practitioners are aware of the importance of secure cloud computing practices. This includes data protection, authentication protocols, encryption standards, and other security measures.

3. Cloud Rate Optimization: Information security and risk management teams can help FinOps teams identify areas of cost optimization. This includes analyzing cloud usage data to identify opportunities for cost savings, recommending risk-based ways to optimize server utilization, and helping determine the most appropriate pricing model for specific services or applications.

4. Sharing Incident Response, Disaster Recovery, and Business Continuity Insights: Information security and risk management teams can help FinOps teams respond to cloud environment incidents quickly and effectively by providing technical support in the event of a breach or outage. This includes helping to diagnose the issue, developing mitigations or workarounds, and providing guidance on how to prevent similar incidents in the future. The data from the DR/BC plans are also highly relevant to the FinOps team mission and can be used as a roadmap for asset prioritization, process relationships, and data flows.

5. Compliance Management: Information security and risk management teams can help FinOps teams stay compliant with relevant regulations by managing audits and reporting requirements, ensuring that all relevant security controls are in place, auditing existing procedures, developing policies for data protection, and providing guidance on how to ensure compliance with applicable laws.

The bottom line is this: By leveraging the shared data and experience of the risk management and information security teams, FinOps teams can ensure their operations are secure, efficient, and completely aligned with the organization’s overall risk and security posture. This adds value to the work of all three teams in the triad. By working together, the teams can significantly enhance the maturity around technology business management functions. All-in-all, by working together, the teams can create significantly better business outcomes.

 

FAQ for Enterprise Authentication Inventory

Posted on by
Reply

Q: What is authentication inventory?

A: Authentication inventory is the process of identifying and documenting all of the systems and applications that require remote access within an organization, as well as the types of authentication used for each system and any additional security measures or policies related to remote access.

Q: Why is authentication inventory important?

A: Authentication inventory is important because it helps organizations protect themselves from credential stuffing and phishing attacks. By having a complete and accurate inventory of all points of authentication, organizations can ensure that the right security protocols are in place and that any suspicious activity related to authentication can be quickly identified and addressed.

Q: What steps should I take to properly inventory and secure my authentication points?

A: To properly inventory and secure your authentication points, you should: 1) Identify the different types of authentication used by the organization for remote access; 2) List all of the systems and applications that require remote access; 3) Document the type of authentication used for each system/application and any additional security measures or policies related to remote access; 4) Check with user groups to ensure that they use secure authentication methods and follow security policies when accessing systems/applications remotely; 5) Monitor access logs for signs of unauthorized access attempts or suspicious activity related to remote access authentication; 6) Regularly review and update existing remote access authentication processes as necessary to ensure accurate data.

Seek Out and Remove End-Of-Life Components

Posted on by
Reply

Just a quick reminder, at some point during each quarter, it is a good idea to enact a process to seek out and remove any end-of-life products in your environment. This is not only a best practice but a significant risk reduction measure as well. Make it an ongoing periodic process, and you’ve got a powerful weapon against threats and emerging issues stemming from end-of-life hardware, firmware, and software in your networks.

How to Search for End-Of-Life Products In Your Environment

The first step is to identify the devices, applications, and firmware that are no longer supported by their vendors. You can do this manually or with a tool. The next step is to determine which of those devices have been deployed in your network. Once you know where they are, you need to find them. There are several ways to search for these devices:

Use Network Inventory Tools

Network inventory tools such as Nmap and Nessus will allow you to scan your entire network to locate all of the devices on your network. These tools will also tell you what operating systems and versions of software/firmware are running on the device. If you’re using a vendor-specific tool, you’ll be able to see if there are any known vulnerabilities associated with the product in many cases.

Talk to Device and Application Owners

If you don’t already have a relationship with the owners of the devices and applications, then you should start building one now. It’s important to get to know the people who own the devices and applications so that you can ask questions about how they use the devices and applications. You may even want to consider getting an end-of-life security policy together for the organization so that you can make sure everyone understands the risks of end-of-life components.

Once you have discussed the issues with the owner, remove the component if possible. Otherwise, add it to a list of components to look for workarounds or replacements. Many organizations that can’t manage to replace an end-of-life component either place it in a low trust network zone, front-end it with firewalls or ACLs, and increase monitoring and detection of the assets involved. Of course, the component should be reviewed quarterly until it can be removed from service.

Doing this process every quarter will increase your networks’ overall stability and trust worthiness, plus reduce risk and management headaches. It’s well worth your time and an effective part of an overall risk management strategy.

How Do I Know If My Company Needs a Risk Management Policy?

Posted on by
Reply

Risk management policies protect companies against financial losses due to various risks. These risks include legal issues, employee misconduct, environmental hazards, etc.

A company may implement a risk management policy to minimize these risks. However, several questions should be asked before implementing such a policy.

What Are the Risks That Could Lead to Financial Losses?

Many types of risks can lead to financial losses. Some examples include:

• Legal issues

• Employee misconduct

• Environmental hazards

• Product liability

• Cybersecurity threats

• Data breaches

• Other

It is important to understand what type of risk your company faces. For example, if your company sells products online, you will face cyber security risks.

Are There Any Existing Policies?

Before deciding whether or not to adopt a risk management policy, it is important to determine whether any existing policies cover the risks your company faces.

For example, if your company has an insurance policy, then you may not need to implement a separate risk management policy.

However, if your company does not have an insurance policy, then it is necessary to consider implementing a risk management policy.

Is Implementing a New Policy Worth It?

Once you know what type of risks your company faces, it is time to decide whether or not to implement a risk management plan.

Some companies feel that they do not need a risk management plan because their current policies already address their risks. However, this decision should be made carefully.

If your company does not have a formal risk management policy, then it is possible that some of the risks your company faces could go unaddressed. This means that the risks could become more significant problems down the line.

In addition, if your company decides to implement a risk management program, it is crucial to ensure that the program covers all the risks your company faces, including those currently unaddressed.

Do Your Employees Understand What Is Being Done?

When implementing a risk management plan, it is vital to ensure employees understand what is being done.

This includes explaining why the risk management plan was implemented, how the plan works, and what steps must be taken to comply.

The goal here is to ensure that employees understand your company’s risks and how the risk management plan helps mitigate them.

Will the Plan Be Cost-Effective?

Finally, it is essential to evaluate whether or not the risk management plan will be cost-effective.

Cost-effectiveness refers to the amount of money saved compared to the costs incurred.

For example, suppose your company spends $1 million per year to insure its assets. In addition, suppose that the risk management plan saves $500,000 per year. Then, the risk management plan would be considered cost-effective if it saves $500,000 annually.

In this case, the risk management plan is cost-effective because it saves $500,00 annually.

However, if the risk management plan only saves $100,000 per year, then the plan is not cost-effective.

In Conclusion

As discussed above, there are many reasons to implement a risk management strategy.

These strategies can help your company avoid potential financial losses caused by certain risks.

In addition, implementing a risk management plan can make your company more efficient and productive.

 

A Cynefin Risk Management Use Case

Posted on by
Reply

Lately, I have been working on using the Cynefin framework to help a client with supply chain risk management. I’m not going to dig into the specifics here, but I wanted to share a quick workflow that we used during this process that has been very useful for us.

Risk Matrix

First, we built a risk matrix for supply chain risk. Basically, there are a number of these available via the various search engines. We took some of the most common ones and tore them down to commonalities, then built them into our matrix. We turned this into a simple spreadsheet.

Heat Mapping

Next, once we had our risk matrix, we did an exercise where we heat mapped the various risks, scoring them high/medium/low subjectively. This gave us an excellent tool to monitor our situation and communicate it with our stakeholders.

Applying Cynefin

Next, we mapped all of the high risks into the cynefin framework by researching the present state of each, whether best practices were available and relevant, being developed, or still in the experimental stage. This gave us a good idea of which problems we could simply focus on using known techniques and skills against, which ones we needed to take existing decent practices and optimize them, and which problems we needed to experiment with solutions for.

Sharing and Feedback

Overall, the exercise took around an hour to complete once we compiled the basic templates and completed the risk matrix research. For those of you facing complex risk management problems, this workflow might assist. Let me know on social media (@lbhuston) if it provides any help or if you have suggestions and feedback. Thanks for reading!

Preparing for the End of SMS Authentication

Posted on by
Reply

Over the last several years, wealth management/asset management firms have been integrating their systems with banking, trading and other financial platforms. One of the largest challenges wealth management firms face, from a technology standpoint, is managing multi-factor authentication when connecting to the accounts of their clients. In the coming year to eighteen months, this is likely to get even more challenging as SMS-based authentication is phased out. 

Today, many financial web sites, applications and phone apps require the use of SMS one-time security verification codes to be sent via text to the user. This usually happens once the user has entered their login and password to the system, after which it triggers the credential to be sent to their mobile phone number on record. The user then inputs this code into a form on the system and it is verified, and if correct, allows the user to proceed to access the application. This is called two factor authentication/multi-factor authentication (“MFA”) and is one of the most common mechanisms for performing this type of user authorization.

The problem with this mechanism for regulating sign ins to applications is that the method of sending the code is insecure. Attackers have a variety of means of intercepting SMS text messages and thus defeating this type of authentication. Just do some quick Google searches and you’ll find plenty of examples of this attack being successful. You’ll also find regulatory guidance about ending SMS authentication from a variety of sources like NIST and various financial regulators around the world. 

The likely successor to SMS text message authentication is the authenticator app on user mobile devices and smartphones. These authenticator apps reside in encrypted storage on the user’s phone and when prompted, provide a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is setup and  the settings configured, it doesn’t need to communicate with the financial platform, and thus is significantly more difficult for attackers to compromise. Indeed, they must actually have the user’s device, or at the very least, access to the data that resides on it. This greatly reduces the risk of interception and mis-use of the codes in question, and increases the security of the user’s account with the financial institution.

This presents a significant problem, and opportunity, for wealth management firms. Transitioning their business processes from integrating with SMS-based authentication to authenticator apps can be a challenge on the technical level. Updates to the user interaction processes, for those firms that handle it manually, usually by calling the user and asking for the code, are also going to be needed. It is especially important, for these manual interactions, that some passphrase or the like is used, as banks, trading platforms and other financial institutions will be training their users to NEVER provide an authenticator app secret to anyone over the phone. Attackers leveraging social engineering are going to be the most prevalent form of danger to this authentication model, so wealth management firms must create controls to help assure their clients that they are who they say they are and train them to resist attackers pretending to be the wealth management firm. 

Technical and manual implementations of this form of authentication will prove to be an ongoing challenge for wealth management firms. We are already working with a variety of our clients, helping them update their processes, policies and controls for these changes. If your organization has been traditionally using SMS message authentication with your own clients, there is even more impetus to get moving on changes to your own processes. 

Let us know if we can be of service. You can reach out and have a no stress, no hassle discussion with our team by completing this web form. You can also give us a call anytime at 614-351-1237. We’d love to help! 

Getting ROI with ClawBack, our Data Leak Detection Platform

Posted on by
Reply

So, by now, you have likely heard about MicroSolved’s ClawBack™ data leakage detection engine. We launched it back in October of 2019, and it has been very successful among many of our clients that have in-house development teams. They are using it heavily to identify leaks of source code that could expose their intellectual property or cause a data breach at the application level.

While source code leaks remain a signficant concern, it is really only the beginning of how to take advantage of ClawBack. I’m going to discuss a few additional ways to get extreme return on investment with ClawBack’s capabilities, even if you don’t have in-house developers.

One of the most valuable solutions that you can create with ClawBack is to identify leaked credentials (user names and passwords). Hackers and cyber-criminals love to use stolen passwords for credential-stuffing attacks. ClawBack can give you a heads up when stolen credentials show up on the common pastebin sites or get leaked inadvertantly through a variety of common ways. Knowing about stolen credentials makes sense and gives you a chance to change them before they can be used against you. 

We’ve also talked a lot about sensitive data contained in device configurations. Many potentially sensitive details are often in configuration files that end up getting posted in support forums, as parts of resumes or even in GITHub repositories. A variety of identifiable information is often found in these files and evidence suggests that attackers, hackers and cybercriminals have developed several techniques for exploiting them. Our data leak detection platform specializes in hunting down these leaks, which are often missed by most traditional data loss prevention/data leakage prevention (DLP)/data protection tools. With ClawBack watching for configurations exposures, you’ve got a great return on investment.

But, what about other types of data theft? Many clients have gotten clever with adding watermarks, unique identity theft controls, specific security measures and honing in on techniques to watch for leaked API keys (especially by customers and business partners). These techniques have had high payoffs in finding compromised data and other exposures, often in near real time. Clients use this information to declare security incidents, issue take down orders for data leaks and prevent social engineering attackers from making use of leaked data. It often becomes a key part of their intrusion detection and threat intelligence processes, and can be a key differentiator in being able to track down and avoid suspicious activity.

ClawBack is a powerful SaaS Platform to help organizations reduce data leaks, minimize reputational risk, discover unusual and often unintentional insider threats and help prevent unauthorized access stemming from exposed data. To learn more about it, check out https://microsolved.com/clawback today.

All About Credit Union Credential Stuffing Attacks

Posted on by
Reply

Credential stuffing attacks continue to be a grave concern for all organizations worldwide. However, for many Credit Unions and other financial institutions, they represent one of the most significant threats. They are a common cause of data breaches and are involved in some 76% of all security incidents. On average, our honey nets pretending to be Credit Union and other financial services experience targeted credential stuffing attacks several times per week. 

What Is Credential Stuffing?

“Credential stuffing occurs when hackers use stolen information, such as usernames and passwords from database breaches or phishing software from one account, and attempt to gain access to another. The hackers prey on people’s habit of using the same usernames and passwords for multiple sites. Using automated tools, they run large amounts of stolen information across multiple sites looking to find the same usernames and passwords being used elsewhere. Once they find a match, they can monetize the personal and financial information they gather.” (ardentcu.org)

How Common is Credential Stuffing?

Beyond our honey nets, which are completely fake environments used to study attackers, credential stuffing and the damage it causes is quite starteling. Here are some quick facts:

  • It is estimated that automated credential-stuffing attempts makes up 90% of enterprise login traffic in the US. (securityboulevard.com)

  • It’s estimated that credential stuffing costs companies more than $5 billion a year and creates havoc with consumers. (ardentcu.org)

  • According to Akamai’s latest State of the Internet report on credential stuffing, its customers alone were deluged by 30 billion malicious login attempts between November 2017 and June this year, an average of 3.75 billion per month. (theregister.com)

  • Significant credential stuffing attacks are a favorite of professional hacking groups from Russia, India, Asia and Africa. They often gather extensive lists of stolen and leaked credentials through advanced Google hacking techniques, by combing social media for password dumps (so called “credential spills”) and by purchasing lists of exposed credentials from other criminals on the dark web. Lists of member information from compromised online banking, online retailers and business association sites are common. This information often includes names, addresses, bank account numbers/credit card numbers, social security numbers, phone numbers and other sensitive data – enabling credential stuffing and social engineering attacks against victims around the world.

What Can Credit Unions Do About Credential Stuffing?

The key to handling this threat is to be able to prevent, or at the very least, identify illicit login attempts and automate actions in response to failed logins. Cybercriminals use a variety of tools, rented botnets (including specifically built credential stuffing bots) and brute force attacks to pick off less than strong passwords all around the Internet. Then, as we discussed above, they use that stolen information to probe your credit union for the same login credentials. 

The first, and easiest step, in reducing these cybercriminals’ success rate is to teach all of your legitimate users not to use the same password across multiple systems, and NEVER use passwords from public sites like Facebook, LinkedIn, Instagram, Pinterest or Twitter for example, as account credentials at work or on other important sites. Instead, suggest that they use a password manager application to make it simple to have different passwords for every site. Not only does this help make their passwords stronger, but it can even reduce support costs by reducing password reset requests. Ongoing security awareness is the key to helping them understand this issue and the significance their password choices have on the security of their own personal information and that of the company.

Next, the Credit Union should have a complete inventory of every remote login service, across their Internet presence. Every web application, email service, VPN or remote access portal and every single place that a cybercriminal could try or use their stolen credentials to gain an account takeover. Once, the Credit Union knows where login credentials can be used, they should go about preventing abuse and cyberattacks against those attack surfaces. 

The key to prevention should start with eliminating any Internet login capability that is not required. It should then progress to reducing the scope of each login surface by restricting the source IP addresses that can access that service, if possible. Often Credit Unions are able to restrict this access down to specific countries or geographic areas. While this is not an absolute defense, it does help to reduce the impacts of brute force attacks and botnet scans on the login surfaces. 

The single best control for any authentication mechanism, however, is multi factor authentication (MFA) (basically a form of secure access code provided to the user). Wheverever possible, this control should be used. While multi factor authentication can be difficult to implement on some services, it is widely available and a variety of products exist to support nearly every application and platform. Financial services should already be aware of MFA, since it has been widely regulated by FFIEC, NCUA and FDIC guidance for some time.

More and more, however, credential stuffing is being used against web mail, Office 365 and other email systems. This has become so common, that a subset of data breaches called Business Email Compromise now exists and is tracked separately by law enforcement. This form of unauthorized access has been wildly popular across the world and especially against the financial services of the United States. Compromised email addresses and the resulting wire transfer fraud and ACH fraud that stems from this form of credential theft/identity theft are among some of the highest financial impacts today. Additionally, they commonly lead to malware spread and ransomware infections, if the attacker can’t find a way to steal money or has already managed to do so.

No matter what login mechanism is being abused, even when MFA is in place, logging of both legitimate access and unauthorized access attempts is needed. In the event that a security breach does occur, this data is nearly invaluable to the forensics and investigation processes. Do keep in mind, that many default configurations of web services and cloud-based environments (like Office 365) have much of this logging disabled by default. 

While Credit Unions remain prime targets, having good prevention and detection are a key part of strong risk management against credential stuffing. Practicing incident response skills and business recovery via tabletop exercises and the like also go a long way to stengthening your security team’s capabilities.

How Can MicroSolved Help?

Our team (the oldest security firm in the midwest) has extensive experience with a variety of risk management and security controls, including helping Credit Unions inventory their attack surfaces, identify the best multi factor authentication system for their environment, create policies and processes for ensuring safe operations and performing assessments, configuration audits of devices/applications/cloud environments. 

We also scope and run custom tabletop exercises and help Credit Unions build better information security programs. Our team has extensive experience with business email compromise, wire/ACH/credit card fraud prevention, cybercriminal tactics and incident response, in the event that you discover that credential theft has occurred. 

Lastly, our ClawBack data leak detection platform, can help you watch for leaked credentials, find source code and scripts that might contain reuseable account credentials and even hunt down device configurations that can expose the entire network to easy compromise. 

You can learn more about all of our services, and our 28 years of information security thought leadership here.

Lastly, just reach out to us and get in touch here. We’d love to talk with your Credit Union and help you with any and all of these controls for protecting against credential stuffing attacks or any other cybersecurity issue.