Why programming skills are essential for pen-testers

Why programming skills are essential for penetration testers

 

Some security professionals across the world would say that one does not need to learn coding to hunt for bugs in web applications. In fact, some experienced security professionals would go even further to suggest that entry-level positions in cybersecurity and hacking does not require extensive knowledge of programming.

Although this holds true to some extent, a career in hacking and pen-testing web applications demands in-depth knowledge in programming.

 

Where do many researchers go wrong?

In case of Cross-Site Scripting (XSS) attacks, for instance, researchers report the bugs by triggering an alert. This clearly does not call for advanced understanding of programming. 

But they may lack the skills to exploit the same bug to create a javascript code so as to steal cookies or leverage the XSS bug to carry out other malicious activities. 

Inspired by such bounty hunters, beginners in the field assume that all they have to do is fire up Burp Intruder, add a list of payloads, and prompt an alert on the browser to earn a quick buck. 

 

Why do you need to learn programming in security testing?

Understanding the application:

Awareness and proficiency in programming can help a researcher understand an application’s infrastructure and the implementation of its many functionalities. Once you are familiar with the workings and technicalities of web applications, even entry-level programmers can certainly outsmart amateur coding enthusiasts. 

 

Attack automation:

Hackers use tools such as Nmap, Metasploit, Amass, etc. to automate enumeration and exploitation processes. Automation of enumeration attacks saves them a lot of time and effort. By learning how to code, you are also opening yourself up to vast knowledge, which can guide a beginner to build such tools on their own. Apart from that, while pen-testing, a programmer at some point will have to write a code that can exploit a vulnerability; for instance, when you have to pass the current timestamp along with a request, you need to automate it using coding. This requires that you are well versed with programming.

 

Conclusion

Programming is said to be the future of innovations, and a necessary skill to master. Therefore, a security professional should undergo training and have adequate knowledge regarding programming. Anyone pursuing a career in penetration testing should consider programming as an essential part of their occupation. It does not merely set you apart from peers, but also gives you a competitive advantage over them. 

 

Happy Automation! 

What makes web applications an easy target for hackers?

 

Web applications form a major part of an organization’s attack surface and according to Verizon’s 2020 Data Breach Investigation Report, web applications are the single most significant cause for data breaches. Web application attacks account for 43% of all successful data breaches. 

These websites contain several vulnerabilities such as Remote Code Execution (RCE), Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), Server Side Template Injection (SSTI), and more. Some of these vulnerabilities allow intrusion of corporate networks. These vulnerabilities are the result of mistakes that programmers make. Developers trust and hope that their applications will end up in the right hands, which often turns out to be the biggest mistake they ever made. 

In this multi-part series about web apps, we explore the common mistakes and threats affecting web applications, as well as point out factors regarding applications that appeal to threat actors. The first part of this multi-part series focuses on web app user input and the pitfalls of not validating or sanitizing it. The article also sheds a light on the steps one can take to prevent application attacks and reduce vulnerabilities.

 

Rule #1: Never trust user input

While developing an application, web programmers should refrain from accepting data from users and in fact should presume all data is bad until proven otherwise. This is how threat actors leverage different vulnerabilities:  

 

Remote Code Execution

In an instance where the Image File Upload functionality of an application uploads the filename and contents onto a server, the server processes it further. However, if the application doesn’t validate user inputs, it permits the attacker to upload the server side language extension file, such as the .php file. This further allows the attacker to execute OS commands on the server.

 

Local File Inclusion 

Similarly, when web applications are coded poorly, hackers can inject local files into the include statements. For instance, an attacker can exploit the Local File Inclusion vulnerability by changing the path of a PDF file with that of another sensitive file such as passwd. If the application doesn’t validate the input, the attacker can simply read internal server files.

 

Example

Test URL: https://vulnerable.site/somefile.php?file=validpdffile.pdf

To 

Attacking URL: https://vulnerable.site/somefile.php?file=../etc/passwd

 

Server Side Request Forgery

In an attack that exploits this vulnerability hackers gain partial or complete access to the requests sent by the application, to abuse a functionality. This allows them to make the server-side application to configure HTTP requests that lead to malicious domains of the attacker’s choice. If the website does not validate the user input, the hacker can access internal server files and more.

 

Example

Test URL: https://vulneralbe.site/somefile.php?filetocall=https://external.site/somefile.js

To

Attacking URL: https://vulneralbe.site/somefile.php?filetocall=file:///etc/passwd

 

SQL Injection

This vulnerability allows hackers to insert or inject a query into an entry field, so as to execute malicious SQL statements. This enables actors to retrieve sensitive data from the database evading any security measures.

 

Example

Test URL:https://targetsite.com/somefile.php?id=2

However, if the web application does not validate the user input, the attacker can submit something like this:

Attacking URL: https://targetsite.com/somefile.php?id=’ OR ‘1’=’1’–+

From the above instances and scenarios it is clear that if the user input is not properly validated or sanitized, most web app vulnerabilities can be exploited, eventually leading to breaches and data loss.

 

How can you reduce vulnerabilities and prevent attacks

Let us look at the issue at hand before we suggest a solution. The following instance summarizes the problem:

This is a test application that accepts the user input and returns results based on it.

Web App normal search

An average user looks up topics such as Python or JAVA, while hackers with a malicious intent would submit something like this:

Web App unvalidated

There are a number of symbols we can inject, such as a single quote(‘), double quotes (“), open, closed angle brackets (<>), equals to (=), and open, closed brackets [()], and if the web application accepts these without validating them, attackers can used this as a weapon to steal session cookies of other people, by using advanced XSS payloads (Cross-Site scripting payloads).

Now, let’s try to understand the logic of the code:

Web App coding gone bad

The GET variable named $_GET[‘vulnparam’] at the TOP accepts the user input, which then allows the webapp to proceed with that variable name $vulparam. As you may have noticed, the user input variable $_GET[‘vulnparam’] is not validated. The web application is using it as it is.

The right way to code

In order to validate the user input first, we use the htmlentities() function that converts characters and symbols to HTML entities. This helps to prevent Cross-site Scripting (XSS) attacks and the web app proceeds further with the encoded user input.

 

Summary

Almost every OWASP Web Vulnerability is exploited in real world websites as web applications fail to properly validate user input, before processing it. Therefore, it is important that app developers and security testers regularly collaborate with each other. Once the programmer has built a particular feature or an app, security testers can test it before deploying them on the prod servers. Ultimately, this will save them a lot of time and prevent any data loss that could have resulted from exploitation. 

Cyber Trivia - Cybersecurity Quiz CloudSEK

[Quiz] Weekly Cyber Trivia Quiz Contest #4

Cyber Trivia Quiz is here!

Find out if you’re up-to-date on your cybersecurity news from across the world.

If you’re behind on the news, fret not. We’ve sprinkled in some hints to help you along.

We will select 3 people in random who submitted the quiz and got all 10 questions right.
Prize: Amazon Vouchers worth 100 INR to each winner.

Get cracking! #CyberTrivia

Why you should be worried about a cyber pandemic that could take over the cyberspace

 

Companies of all sizes and sectors fall prey to data breaches and ransomware attacks. Security incident(s) that result in data leakage can stain the reputation of the concerned organization, let alone the legal battle that follows. Enterprises spend millions of money on security products to attain a comprehensive security posture, yet attackers are able to  compromise networks and exfiltrate data. Threat actors as well as state sponsored actors craft sophisticated attack vectors that are undetectable and develop zero-day exploits for applications used by victim organizations. 

Quite often, the RaaS [Ransomware as a Service] model for ransomware developers are advertised on underground hacker forums. Today, anyone can make use of the RaaS platform and become a ransomware operator. Companies pay the ransom amount, when it becomes the only viable option. This emboldens threat actors to carry out more campaigns against organizations.

State sponsored APTs are more dangerous since they are backed by nation states. Their funding never runs dry, which in turn enables them to develop complex infrastructure. Target objective is another factor that makes APTs stand out, since geopolitical factors are their primary motivation and not financial factors.

Ransomware rate

Threat Landscape

Recent trends in the cyber threat intelligence landscape involves ransomware and banking trojans. Multistage complex malware downloaders can also be found in the wild. They facilitate further dissemination of ransomware and other spyware/ trojans. Certain ransomware groups also engage in looting cryptocurrency by compromising crypto exchanges.

 

Ransomware

Ryuk

Ryuk has been spotted in various attacks targeting enterprise organizations worldwide, demanding ransom payments ranging from 15 to 50 Bitcoins (BTC); which translates to between US$97,000 and $320,000 at the time of valuation. 

 

Fig1. Popular attack vectors
Fig1. Popular attack vectors

 

Ransomware targets Windows

REvil/ Sodinokibi

REvil/ Sodinokibi ransomware was first detected in 2019, targeting the health and IT sectors. Later, it began auctioning off sensitive data over the dark web, stolen from companies using its malicious code. As part of their tactics, this ransomware group threatens to release their victims’ data, unless their ransom demands are met.

 

Dharma/ CrySiS

Dharma ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016 and the threat actors behind the ransomware continue to release new variants which are not decryptable.

 

STOP/ djvu

Djvu is a high-risk virus that belongs to the STOP malware family. Firstly discovered by Michael Gillespie, this virus is categorized as ransomware and is designed to lock (encrypt) files using a cryptography algorithm. 

 

Ransomware strains reported

Fig2. Ransomware strains Q1 2020 (incl. STOP)
Fig2. Ransomware strains Q1 2020 (incl. STOP)

Cooperation between ransomware families has also been noticed to increase lately, enforcing more efficiency in operating Ransomware as a Service [RaaS] offerings.

Fig3. Ransomware strains Q1 2020 (excl. STOP)
Fig3. Ransomware strains Q1 2020 (excl. STOP)

STOP, Dharma, Phobos, and REvil have had major roles to play in the RaaS sector. They are very active, even today, carrying out their campaigns, especially Dharma and REvil.

Phishing and ransomware

Malware attacks vs. Malware-free attacks

Malware attacks are simple use cases where a malicious file is written to disk. This can be easily detected and blocked by Endpoint Detection and Response (EDR). Malware-free attacks are more in-memory code execution and credential spraying attacks that require more sophisticated detection mechanisms. We have seen an increase in malware-free attacks as part of campaigns since 2019. They successfully evade security measures and defenses set up by the enterprises.

 

Cost of a Ransomware Attack

The total cost of a ransomware attack includes the ransom amount (if paid), costs for network remediation, lost revenue, and the cost of a potential damage to the reputation of the brand. Recent trends in attacks indicate that more businesses are targeted and threatened to release data, for a ransom. 

It seems that ransomware groups have evaluated the long-term impacts of their attack on the brand image, trust, and reputation of organizations that refuse to pay up. Ryuk ransomware is largely responsible for the massive surge in ransomware demands. Ransomware operators demand an average of $288,000 for the release of systems.

Ransomware affectes business

Fig4. Largest amount of ransom reported in 2019
Fig4. Largest amount of ransom reported in 2019

 

Fig5. Largest avg. ransom pay-offs 2020
Fig5. Largest avg. ransom pay-offs in 2020

 

Ransomware statistics for 2020

Taking into account the current trend and statistics, ransomware + downtime costs for the top five countries for 2020 are estimated to be:

  • Italy: $1.1 billion – $4.3 billion
  • Germany: $1 billion – $4 billion
  • Spain: $830 million – $3.3 billion
  • UK: $469 million – $1.9 billion
  • France: $121 million – $485 million

 

Hidden Costs of ransomware

  • Downtime of Information systems
  • Loss of Reputation
  • Penalties/Fines[Compliance]
  • Legal Action from user

Avg. ransom payment

 

Cyber security during COVID-19

“WHO reports fivefold increase in cyber attacks, urges vigilance”

Threat actors have exploited COVID-19 extensively to carry out phishing attacks, masquerading as WHO and similar agencies, to deliver malware-laced emails. COVID-19-related phishing attacks went up by 667%, scams increased by 400% over the month of March 2020, making Coronavirus the largest-ever security threat. To make things worse, social distancing guidelines observed across countries forced organizations to work from remote locations, putting the security of such organizations at risk. Remote work exposed user endpoints to external threats and had the following impacts:

  • Increased security risk from remote working/ learning
  • Potential delay in cyber-attack detection and response
  • Business Continuity Plans (BCP) to feature global pandemics

 

Effective Threat Intelligence

For an average company earning $10K/ hour, operating 8 hours a day, and 5 days a week, the downtime cost is estimated at $1,760,000 each month. Estimated average downtime is 1-2 hours. Cost of 1.6 hours average downtime/ week for a Fortune 500 company is approximately $46M per year. 

A Distributed Denial of Service [DDoS] attack that temporarily disrupts the activities of a website, can last for a few days or even longer. According to the IDG DDoS report, 36% of companies that have experienced more than five DDoS attacks, suffer an average downtime of 7-12 hours.

An experienced Cyber Threat Intelligence (CTI) team gathers information from different sources and converts it into intelligence to safeguard client corporations. If an effective CTI is not part of a company’s mature security model they can fall prey to any attack at any time.

A CTI team can actively monitor and create actionable intelligence on the following areas of your business:

  • Supply chain 
  • Dark web monitoring for data leaks 
  • Zero-days
  • New emerging attack vectors

Threat intelligence must be actionable. Threat Intelligence provides Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) to the security team, especially to the Security Operation Center (SOC) team, for proactive/ reactive measures to counter cyber threats.

 

Indicators of Compromise

These are some of the common Indicators of Compromise:

  • IP addresses, URLs and Domain names used by malware
  • Email addresses, email subject, links and attachments used by malware  
  • Registry keys, filenames and file hashes and DLLs of malware 
Examples
  • hxxp://45.142.213.230/bssd [sectopRAT Trojan]
  • hxxp://45.142.213.230/blad [SectopRAT Trojan]
  • [email protected] [djvu ransomware]
  • [email protected]     [djvu ransomware]
  • ef95c48e750c1a3b1af8f5446fa04f54 [maze]
  • f04d404d84be66e64a584d425844b926 [maze]

 

Tactics, Techniques, Procedures/ TTPs

TTPs define the behaviour of a threat actor or group and explain how the actor carries out an attack against the network and makes a lateral movement within the intranet. 

MITRE ATT&CK is the most widely used, open-source threat intelligence framework to understand adversary tactics and techniques. There are 11 tactics and 291 techniques listed in this framework.

 

Example of Tactic and Technique

 

Tactic 
Techniques
Initial Access T1193: Spear Phishing Attachment
Execution T1059: Command-Line Interface

T1086: PowerShell

T1085: Rundll32

T1064: Scripting

T1204: User Execution

T1028: Windows Remote Management

 

The efficacy of a CTI team to predict the possibility of an occurrence and ensure effective implementation of mitigation measures is essential to the survival of any organisation in their current realm of operations.

 

Conclusion

To further their nefarious intentions, threat actors arm themselves with sophisticated tools and advanced capabilities. It is quite difficult for the law enforcement as well as cyber security practitioners to keep pace with these actors. An effective CTI system can help organizations contain the attack within the network, reduce associated costs, and minimize data loss. Investing in a strong CTI system will allow security operation centers to predict and mitigate attacks proactively. However, a CTI system is only as strong as its weakest link: humans. Human errors can cause even the most impenetrable, robust security system to fail. A good security system monitors information systems and applications and conducts regular vulnerability assessments and pentesting. But, a comprehensive security system prioritizes employee/ user training and updation on cyber hygiene and best practices.

Worst cybersecurity strategies and how we can overcome them

 

Towards the end of March 2020, almost all businesses across the globe had enforced remote work policy. And as governments are easing the social distancing rules and restrictions, some organizations have gradually reopened over the last few weeks. However, the pandemic has clearly had an adverse impact on small businesses and large corporations alike, and business leaders are not aiming for a quick comeback. Whether they have decided to resume work from the office or extend the remote work policy to 2021, companies in various sectors are strategizing for a transformation in the way they work and communicate. 

Cybersecurity witnessed a dramatic change during the last couple of months and unsecure remote workforces have forced organizations to recognize the importance of cybersecurity preparedness. Cyber attacks have increased multifold since the Coronavirus outbreak where cyber criminals preyed on an unready, unaware workforce. There has been a spike in the number of phishing attacks and malware, ransomware campaigns. So, as more organizations plan their comeback, hopefully every company’s plan and strategy prioritizes information security. It is also important that organizations steer clear of any security blunders that could cost them their reputation and financial standing. 

In this article we list some of the worst cybersecurity practices and strategies that could be detrimental to your organization, and compare them with alternate solutions and best practices.

 

Achieving 100% security vs. Minimizing risks

Although 100% security might sound like the perfect answer to emerging threats, it is likely that an entirely secure system is possible only when it is disabled. So the best alternate solution is to identify technological and financial resources your organization can spare, and minimize the risk of incidents that may occur. Simply being aware of this can help you build a better strategy of detecting the threat, establishing a mechanism to respond to the threat or prevent it, thereby minimizing the impact of the threat. It is also essential to understand the various attack vectors that actors use to infiltrate your organization, and to allocate available resources to address all these threats.

 

Lax with security updates vs. Regular software fixes

Security vulnerabilities are found on a daily basis and developers release patches frequently. However, businesses that have integrated such software usually fail to apply these patches and update the software. This could be because of stretched resources or lack of awareness. Harmful software vulnerabilities can create a security weakness/ holes which allows attackers to exploit and infect your systems, gaining access to your sensitive, personal information. The solution to this is a dedicated IT team to ensure that network and software are updated regularly. 

 

Pursue attackers vs. Prevent attacks

Attackers, these days, are pretty sophisticated and are quick to come up with new technologies that enable them to hack into your systems. Staying ahead of these actors is critical to save your organization from the humiliation and loss the attacks could cost you. This is why it is important to take proactive measures to prevent attacks and outrun cyber criminals, instead of pursuing them. Organizations should also be aware of the implications of a possible attack and should be able to defend their valuable assets. 

An assessment of the following attack vectors and technologies that could assist you in avoiding attacks altogether. Employees form a major part of the threat vector, thus making it important to keep them aligned with the organization’s cybersecurity practices.

  • Security vulnerabilities
  • Firewall settings
  • Anti-malware and anti ransomware technologies
  • Data egress points
  • Creating awareness among employees 
  • Training them to combat social engineering tactics
  • Practice good internet hygiene

 

Weak passwords vs. Password management programmes

Despite the increasing number of cyber attacks most users tend to fall back on weak or easy passwords, sometimes reusing the same passwords for multiple accounts. An online security survey by Google indicates that 52% respondents reuse the same passwords for several accounts. The Ponemon research, “The 2019 State of Password and Authentication Security Behaviors Report,” reports that 69% respondents have shared their credentials among colleagues. Also, 57% respondents have not changed their passwords even after enduring phishing attacks. Which also means that they have not considered alternate solutions such as Password Manager. 53% respondents mentioned that they rely on memory to manage their credentials. 

Password Managers assists users in memorizing passwords of all their accounts, for which the users simply have to remember the master password of the Password Manager. Password management programmes will also generate random, strong passwords when you create a new account. Organizations should also make sure that the access to company-related documents and software is limited. Password Managers also support two factor authentication methods, which adds an extra layer of security. 

 

Assume you’re not a desirable target vs. Prepare for the worst

Although it is true that cyber criminals target popular brands and companies, companies that are part of any industry are vulnerable to cyber attacks regardless of its size. In fact, small businesses are soft targets, considering the lack of resources allocated to protect their systems. Data breach of any scale is significant and the ramifications can be devastating. Privacy, data breaches can cost you more than a financial loss, it can tarnish your reputation and leave yourself wide open to lawsuits and legal action. 

Therefore, it is important for organizations to gear up against emerging cyber threats. Companies should resort to cyber threat monitoring solutions such as CloudSEK’s XVigil, to detect and prevent undesirable actors trying to target your security posture.

 

Using public Wi-Fi and unknown devices vs. Network Security

Unauthorized access to your computer network can lead to several forms of attacks such as Man-in-the-middle attacks, malware delivery, snooping, sniffing, breaches, etc. A major concern regarding public as well as home Wi-Fi is unencrypted networks which exposes your online activities to hackers. Similar is the case with unknown devices and unsolicited software. The use of such devices and software opens the door to malicious actors looking to abuse your systems. 

Establish a secure network and secure communications (SSL connections) over the network, and also make sure to log out of all your accounts once you’re done using them. While on a public network avoid accessing any sensitive information, including PII, addresses, banking information, etc. 

 

Coronavirus has brought about an extensive change in the workplace and in the way we work. Technology will surely have a significant role to play in all of it. Meetings, conferences and collaborations are increasingly conducted over the internet, adapting to a more decentralized organizational structure. These changes can also contribute to an undesirable impact on cybersecurity. When organizations are busy building contingency plans to accommodate COVID-19 into the way they work, we hope their plans won’t fall short of cybersecurity strategies.

How to build a secure AWS infrastructure

 

Every day more businesses migrate from their traditional IT infrastructure, while the pandemic has only accelerated the adoption of cloud technologies among remote workforces. Cloud services such as Amazon Web Services (AWS) have been widely accepted as a channel for cloud computing and delivering software and applications to a global marketplace, cost effectively and securely. However, cloud consumers tend to wash their hands of the responsibility towards securing their cloud infrastructure. 

Cloud service providers and consumers share the responsibility of ensuring a safe and secure experience on the cloud. While service providers are liable for the underlying infrastructure that enables cloud, users are responsible for the data that goes on the cloud and who has access to it. 

AWS cloud service

The AWS Well-Architected Framework is a guide/ whitepaper issued by Amazon on AWS key concepts, design principles, and architectural best practices. Security is one of the five pillars that this Framework is based on, upholding the fact that protecting your data and improving security is crucial for AWS users. This blog intends to summarize the whitepaper on the security pillar and discuss:

  • Design principles for AWS
  • Few use case scenarios, and 
  • Recommend ways to implement a securely designed AWS infrastructure. 

 

AWS provides a variety of cloud services, for computation, storage, database management, etc. A good architecture commonly focuses on the efficient methods for reaching peak performance, scalable design, and cost saving techniques. But other cloud infrastructure design aspects are given more importance, quite often, compared to the security dimension.

The security of the cloud infrastructure can be divided into five phases:

  1. Identity verification and access management with respect to AWS resources.
  2. Attack detection, identification of potential threats and misconfigurations.
  3. Controlling access via defining trust boundaries, applying best practices in operation.
  4. Classifying all data, protecting data at all states: rest and transit.
  5. Incident response: Pre-defined mechanisms to respond and mitigate any surfacing security incident.

 

The Shared Responsibility Model

As I mentioned earlier, it is the collective responsibility of the user and the AWS service provider to secure the cloud infrastructure. It is important to keep this in mind while we explore the different implementation details and design principles. 

AWS provides plenty of monitoring, protection and threat identification tools to reduce the operational burden of its users, and it is very important to understand and choose an appropriate service to achieve a well secured environment.

AWS offers multiple services of different nature and use cases such as EC2 and Lambda. Each of these cloud services have varying levels of abstraction that enable users to focus on the problem to be solved instead of its operation. The share of each party’s responsibilities similarly vary based on the level of abstraction. With higher levels of abstraction, the share of responsibility to provide security in the cloud shifts further to the service providers (with some exceptions).

AWS - Shared Responsibility Model
AWS – Shared Responsibility Model

 

Management and Separation of User Accounts to Organise Workload

Based on the nature of processes that are run on AWS, and the sensitivity of the data that is processed, workloads can change. They must be separated by a logical boundary and organised into multiple user accounts to make sure that different environments are isolated. For instance, the production environment commonly has stricter policies, more compliance requirements, and must be isolated for the development and test environments.

It is important to note that the AWS root user account must not be used for common operations. And using AWS Organizations one could simplify things and create multiple users under the same organisation, with different access policies and roles. Also, it is ideal to enable Multi-Factor Authentication, especially on the root account.

 

Managing Identity and Permissions

AWS Resources can be accessed by humans (such as developers or app users) or machines (such as EC2 instance or Lambda functions). Setting up and managing an access control mechanism based on the identity of the requester is very important, as these individuals seeking access could be an external or internal part of the organization. 

Each account should be granted access to different resources and actions using IAM (Identity and Access Management) roles, with policies defining the access control rules. Based on the identity of the user account and the IAM attached, certain critical functionalities can be disabled. For example, denying certain changes from all the user accounts, with exceptions for the Admin. Or preventing all users from deleting Amazon VPC flow logs.

For each identity added on AWS Organisation, they should be given access to only a set of functions that are necessary to fulfil the required tasks. This will limit unintended access to functionalities. And unexpected behaviours arising from any identity will only have a small impact. 

 

Leveraging AWS Services to Monitor and Detect for Security Issues

Regular collection and analysis of logs generated from each workload component is very important to detect any unexpected behaviour, misconfiguration or a potential threat. However, collection and analysis of logs is not quite enough. The volume of incoming logs can be huge, and an alerting and reporting flow should be set up along with an integrated ticketing system. AWS provides services such as these to ensure automated and easy processes:

  • CloudTrail: Provides the event history of the AWS account activity which includes all AWS services, Management console, SDKs, CLIs, etc.
  • Config: Enables automated assessment, auditing, and evaluation of the configuration of each AWS resource.
  • GuardDuty: Continuous security monitoring service that flags malicious activity surfacing within AWS environments by analysing log data and searching for patterns that may indicate any sort of privilege escalation, exposed credentials, established connections to malicious IPs, or domains.
  • Security Hub: Presents a comprehensive view of the security status of AWS infrastructure by enabling aggregation, prioritization, deduplication of security alerts from multiple AWS services and even third party products.

 

Protecting the Infrastructure: Networks and Compute

Obsolete software programmes and outdated dependencies are not unusual and it is essential to patch all systems in the infrastructure. This can be done manually by system administrators, but it is better to use the AWS Systems Manager Patch Manager which basically automates the process of applying patches to the OS, applications and code dependencies.

It is crucial to set up AWS security groups in the right way, mainly during the phase when the infrastructure is growing at a fast rate. Things often go wrong when unorganized, messy security groups are added to the infrastructure. Creation of security groups and assignment of them should be dealt with caution, as even a slight overlook can result in the exposure of critical assets and data stores, on the internet. Security groups should clearly define ingress and egress traffic rules, which can be set under the Outbound traffic settings. 

If some assets are required to be exposed on the internet, make sure your network is protected against DDoS attacks. AWS services such as Cloudfront, WAF, and Shield help to enable DDoS protection at multiple layers. 

 

Protecting the Data

The classification of all data stored at multiple locations inside the infrastructure is essential. Unless it is clear which data is most critical and which ones can be directly exposed on the internet, setting up protection mechanisms can be a bit of a task. Data resting inside all the different data stores must be classified in terms of sensitivity and criticality. If the data is sensitive enough to prevent direct access from users, policies and mechanisms for ‘action at a distance’ shall be put in place. 

AWS provides multiple data storage services, the most common ones being S3 and EBS disks. Application data can usually be found lying around inside data stores self hosted on EBS volumes. Also, all sensitive data that goes into S3 buckets should be properly encrypted prior to that. In fact, it would be better to enable encryption by default on these.

Protecting in transit data is also equally important, and to do that, secure connections are required, which can be obtained using TLS encryptions. Making sure that data is transferred over secure channels should be enough. AWS Certificate Manager is a good tool to manage SSL/ TLS certificates.

 

Preparing and Responding to Security Incidents the Right Way

Once all the automation has been set up, and security controls are put in place, designing incident response plans and playbooks becomes easier. A good plan must cover the response, communication, and recovery steps following any security incident. This is where the logs, snapshots and backups, GuardDuty findings play a critical role. They make the task relatively more efficient. Overall, the aim should be to prepare for an incident before it happens and to iterate and train the entire team to thoroughly follow the incident response plan.

Why monitoring the most popular P2P messenger should be a cybersecurity priority

 

Cloud-based encrypted communication platform – Telegram – became an overnight sensation, owing to a WhatsApp outage that occurred in 2018. The user base of Telegram hit a whopping 400 million, as of April 2020, since its inception in the year 2013. The non-intrusive nature of the app, contrary to the likes of Facebook Messenger and WhatsApp, is another reason for its popularity.

However, over the years, the app and its developer Pavel Durov have also been on the receiving end of some criticism. The anonymous secure connection of Telegram allows users to access selectively prohibited networks and websites. Among other proxy servers and VPN services, Telegram is also completely or partially banned across several countries that are unwilling to risk national security. Furthermore, the app is not as secure as it claims to be. Its security flaws have been a major cause for data leaks.

In Russia, a struggle that ensued between the Federal Security Service (FSB) and Telegram, after the St. Petersburg bombing, resulted in the application’s ban in 2018. Pavel Durov refused to share the encrypted messages of the suicide bomber who was apparently active on the messaging platform. A court maintained that the app remain banned until its developer agreed to hand over its data encryption keys to the authorities. Russian authorities failed to hold up the ban successfully and decided to lift the ban only recently.

In 2016, 15 million Iranian users’ records were leaked following a major data breach. Iranian hackers exploited the security flaws in Telegram to compromise accounts. In particular, they hacked the SMS verification codes that are generally sent to the users. This attack targeted Saudi royals, NATO officials, and even nuclear scientists.

In a more recent event, pro-democracy campaigners in Hong Kong coordinated their demonstrations against their government using Telegram. Although the app has been banned in the country since 2015, users found a way around it.

In Germany, the police launched a crackdown on criminals to prevent premeditated crimes. For this they only had to use proprietary software to hack into Telegram correspondences. The police successfully carried this out for two years.

 

Why should you monitor Telegram for threats?

The anonymity associated with the app is concern for regulators and governments. It increases the odds of misuse of the app’s features. Which is why Telegram activities on the app should be monitored for the following reasons:

Selective chat encryption

Although users tend to think that their correspondences are all encrypted and secure, the app requires you to change the settings to “activate” end-to-end encrypted chats. Most users are not aware of this.

Proprietary encryption

Telegram relies on the symmetric encryption method and uses proprietary protocol MTproto, making it difficult external cryptographers to audit its efficacy. 

Exposes Metadata

Researchers have uncovered flaws in the app whereby an attacker can snoop on significant data about the user, apart from their chats. For instance, the attacker can figure out when the user is online and offline. This could in turn help them determine who the user is talking to, which is a rather serious flaw.

Breeding ground for illegal activities

In a 2016 report by Memri, Telegram was referred to as “the app of choice for many ISIS, pro-ISIS and other jihadi and terrorist elements.” Terrorist organizations weaponize Telegram to disseminate hatred and misinformation. The anonymity that the messaging app offers indirectly, endorses criminal activities, harmful to civilians and governments alike.

Corrupted files

Latest research from Symantec indicates that media files shared on WhatsApp and Telegram can be manipulated using a malware. This security flaw, known as media file jacking, exists in Android devices. It allows attackers to intercept the process by which applications save media files on the device’s storage.

Command and control

The ‘Masad Clipper and Stealer’ malware, capable of allowing hackers to access user’s personal information and their crypto wallets, was sold via Telegram channels. The Telegram channel was also a makeshift command and control for the same malware.

 

CloudSEK’s proprietary cyber threat monitoring platform XVigil gathers information from Internet Relay Chat (IRC) and chat rooms (for instance, Telegram Channels). The platform then detects conversations that are intended to obtain information about your organisation, and weaponize it against you. XVigil crawls across various parts of the internet to find mentions of your digital assets, so that you can take proactive measures to prevent any external threats to your brand and infrastructure.

data breach impact

How much does a data breach cost you?

 

The increase in cyber-attacks during the Coronavirus pandemic has highlighted the gaps in traditional cybersecurity programs. With the large-scale shift to teleworking, companies have been forced to take their operations online. And this has proved to be a breeding ground for threat actors. From the increase in ransomware attacks and phishing campaigns to bitcoin scams and data leaks, we have witnessed increasingly sophisticated threats across the internet.

There is no denying that cyber threats have far-reaching real-world impact. From stock price to reputation, organizations cannot escape the consequences of a cyber-attack. For example: Twitter’s shares went down by 3% following the recent hack that targeted several profile twitter accounts.

The annual Cost of Data Breach report by the Ponemon Institute has been quantifying this impact for the last 15 years. The Cost of a Data Breach Report 2020 (published by IBM) has found a 1.5% decrease in the average cost from $3.92 million in 2019 to $3.86 million in 2020. However, for organizations that have mandated remote work, the average cost of a data breach is $137,000 more, making the global annual cost almost $4 million.

In this article we explore ways to incorporate the findings from this report to strengthen an organization’s cyber security posture.

 

Key takeaways from the report’s findings:

 

Identify stolen or leaked credentials

Stolen credentials, which are the costliest and most frequent threat vectors, are the root cause for 19% of malicious breaches. Despite this, organizations are slow to identify and neutralize leaked credentials. The longer the credentials are exposed the higher the chance that threat actors will exploit them to orchestrate large-scale intrusive attacks.

Which is why it is important to incorporate processes and tools that ensure data leaks related to your organization are monitored continuously. This includes real-time monitoring of the surface web, deep web, and dark web using a comprehensive threat monitoring tool such as CloudSEK’s XVigil.

 

Monitor for cloud misconfigurations

Cloud misconfigurations are exploited in 19% of malicious breaches. And the cost of these breaches, at $4.41 million, is 14% higher than the average. While the move to cloud-based services and databases are convenient, they come with a unique set of security requirements.

The bedrock of cloud security is a combination of Identify Access Management (IAM), permission controls, and continuous misconfiguration monitoring. XVigil’s Infrastructure Monitor offers solutions to scan for misconfigured cloud storage, web applications, and ports. This allows you to identify and mitigate the risks before they can be exploited by threat actors.

 

Leverage Artificial Intelligence (AI) to identify and mitigate threats

Automation separates the winners from the losers. The cost of breaches for organizations that have not leveraged end-to-end AI based security solutions was $6.03 million, which is more than double the cost of breaches seen by organizations that have deployed automated security solutions. With a difference of $3.58 million between companies that have deployed automated solutions and those that have not, automation is no longer a bonus, but the very core of effective cybersecurity.

 

Secure your customers’ PII

80% of data breaches include customers’ Personally Identifiable Information (PII). And each lost or stolen record costs an organization an average of $175, which is 17% higher than the average cost of a stolen record. Since customer PII is the most coveted type of data, it is important to ensure that it is anonymized and backed-up regularly. And as a rule of thumb, enforce strong password policies, encryption standards, and multi-factor authentication.

 

The healthcare industry needs to up its cybersecurity quotient

It takes the healthcare industry 329 days to identify and contain a breach, which is 49 days more than the average 280 days, and a whopping 96 days more than the financial sector. The faster a breach is identified, the lower the cost incurred. So, it doesn’t come as a surprise that the healthcare sector, for the 10th year in a row, clocked the highest average cost of a breach at $7.13 million, which is a 10.5% increase from 2019.

Timely identification only comes with continuous real time monitoring of internal and external threats. And this cannot be done manually, which is why automation and AI-driven security tools need to be deployed across organizations.

 

Proactively mitigate remote work related data breaches

With more organizations adopting remote work, there has been a surge in cyber-attacks, globally. Relaxed security controls to support remote work, unsecured home Wi-Fi networks, dependence on conferencing platforms, and the deluge of COVID-related scams have made it easier for threat actors to target organizations.

It is incumbent on organizations to reassess their cybersecurity programs to account for new threat vectors. So much so that 76% of respondents believe that despite their current cybersecurity measures, remote work will increase the time it takes to detect and contain a breach. But by deploying solutions that can address the WFH-related threat vectors, organizations can gain a significant advantage over threat actors.

 

Given that a data breach can have severe short-term and long-term impacts on an organization, taking preventive measures is a must. And with more and more companies adopting teleworking, the need for continuous monitoring of the internet, for threats related to your organization, is at an all time high.

Here’s where XVigil can help you strengthen your security posture. XVigil’s AI-driven engine scours the internet for threats and data leaks related to your organization, prioritizes it by severity, and provides real time alerts. Thus, giving you enough time to mitigate the threats before it can have adverse impacts on your business.

Cyber Trivia - Cybersecurity Quiz CloudSEK

[Quiz] Weekly Cyber Trivia Quiz Contest #3

Cyber Trivia Quiz is here!

Find out if you’re up-to-date on your cybersecurity news from across the world.

If you’re behind on the news, fret not. We’ve sprinkled in some hints to help you along.

We will select 3 people in random who submitted the quiz and got all 10 questions right.
Prize: Amazon Vouchers worth 100 INR to each winner.

Get cracking! #CyberTrivia

 

Winners

 

[Quiz] Weekly Cyber Trivia Friday #2

Cyber Trivia Friday is here!

Find out if you’re up-to-date on your cybersecurity news from across the world.

If you’re behind on the news, fret not. We’ve sprinkled in some hints to help you along.

We will select 3 people in random who submitted the quiz and got all 10 questions right.
Prize: Amazon Vouchers worth 100 INR to each winner.

Get cracking! #CyberTriviaFriday