Worst cybersecurity strategies and how we can overcome them

 

Towards the end of March 2020, almost all businesses across the globe had enforced a remote work policy. And as governments ease social distancing rules and restrictions, some organizations have gradually reopened over the last few weeks. However, the pandemic has clearly had an adverse impact on small businesses and large corporations alike, and business leaders are not aiming for a quick comeback. Whether they have decided to resume work from the office or extend the remote work policy into 2021, companies in various sectors are strategizing for a transformation in the way they work and communicate.

Cybersecurity witnessed a dramatic change during the last couple of months, and unsecured remote workforces have forced organizations to recognize the importance of cybersecurity preparedness. Cyber attacks have increased manifold since the Coronavirus outbreak, with cyber criminals preying on an unready, unaware workforce. There has been a spike in the number of phishing attacks and in malware and ransomware campaigns. So, as more organizations plan their comeback, hopefully every company’s plan and strategy prioritizes information security. It is also important that organizations steer clear of any security blunders that could cost them their reputation and financial standing.

In this article we list some of the worst cybersecurity practices and strategies that could be detrimental to your organization, and compare them with alternative solutions and best practices.

 

Achieving 100% security vs. Minimizing risks

Although 100% security might sound like the perfect answer to emerging threats, an entirely secure system is likely possible only when it is disabled. So the best alternative is to identify the technological and financial resources your organization can spare, and minimize the risk of incidents that may occur. Simply being aware of this can help you build a better strategy for detecting a threat, establishing a mechanism to respond to it or prevent it, and thereby minimizing its impact. It is also essential to understand the various attack vectors that actors use to infiltrate your organization, and to allocate the available resources to address all of these threats.

 

Lax with security updates vs. Regular software fixes

Security vulnerabilities are found on a daily basis, and developers release patches frequently. However, businesses that have integrated such software often fail to apply these patches and update the software, whether because of stretched resources or a lack of awareness. Unpatched software vulnerabilities create security holes that allow attackers to exploit and infect your systems, gaining access to your sensitive personal information. The solution is a dedicated IT team that ensures the network and software are updated regularly.

 

Pursue attackers vs. Prevent attacks

Attackers these days are sophisticated and quick to come up with new techniques that enable them to hack into your systems. Staying ahead of these actors is critical to saving your organization from the humiliation and loss that attacks could cost you. This is why it is important to take proactive measures to prevent attacks and outrun cyber criminals, instead of pursuing them. Organizations should also be aware of the implications of a possible attack and should be able to defend their valuable assets.

An assessment of the following attack vectors and technologies could assist you in avoiding attacks altogether. Employees form a major part of the threat vector, so it is important to keep them aligned with the organization’s cybersecurity practices.

  • Security vulnerabilities
  • Firewall settings
  • Anti-malware and anti-ransomware technologies
  • Data egress points
  • Creating awareness among employees
  • Training them to combat social engineering tactics
  • Practising good internet hygiene

 

Weak passwords vs. Password management programmes

Despite the increasing number of cyber attacks, most users tend to fall back on weak or easy passwords, sometimes reusing the same passwords for multiple accounts. An online security survey by Google indicates that 52% of respondents reuse the same passwords for several accounts. The Ponemon research, “The 2019 State of Password and Authentication Security Behaviors Report,” reports that 69% of respondents have shared their credentials with colleagues. Also, 57% of respondents have not changed their passwords even after enduring phishing attacks, which also means that they have not considered alternative solutions such as a password manager. 53% of respondents mentioned that they rely on memory to manage their credentials.

A password manager stores the passwords for all of a user’s accounts; the user only has to remember the master password of the password manager. Password management programmes will also generate random, strong passwords when you create a new account. Organizations should also make sure that access to company-related documents and software is limited. Password managers also support two-factor authentication methods, which add an extra layer of security.

 

Assume you’re not a desirable target vs. Prepare for the worst

Although it is true that cyber criminals target popular brands and companies, companies in every industry are vulnerable to cyber attacks, regardless of their size. In fact, small businesses are soft targets, considering the lack of resources allocated to protecting their systems. A data breach of any scale is significant, and the ramifications can be devastating. Privacy and data breaches can cost you more than financial loss: they can tarnish your reputation and leave you wide open to lawsuits and legal action.

Therefore, it is important for organizations to gear up against emerging cyber threats. Companies should adopt cyber threat monitoring solutions such as CloudSEK’s XVigil to detect and prevent undesirable actors from targeting your security posture.

 

Using public Wi-Fi and unknown devices vs. Network Security

Unauthorized access to your computer network can lead to several forms of attack, such as man-in-the-middle attacks, malware delivery, snooping, sniffing, breaches, etc. A major concern regarding public as well as home Wi-Fi is unencrypted networks, which expose your online activities to hackers. The same applies to unknown devices and unsolicited software: using them opens the door to malicious actors looking to abuse your systems.

Establish a secure network and secure communications (SSL connections) over the network, and make sure to log out of all your accounts once you’re done using them. While on a public network, avoid accessing any sensitive information, including PII, addresses, banking information, etc.

 

Coronavirus has brought about an extensive change in the workplace and in the way we work, and technology will surely have a significant role to play in all of it. Meetings, conferences and collaborations are increasingly conducted over the internet, adapting to a more decentralized organizational structure. These changes can also have an undesirable impact on cybersecurity. As organizations are busy building contingency plans to accommodate COVID-19 into the way they work, we hope their plans won’t fall short on cybersecurity strategy.

Why monitoring the most popular P2P messenger should be a cybersecurity priority

 

The cloud-based encrypted communication platform Telegram became an overnight sensation, owing to a WhatsApp outage that occurred in 2018. Since its inception in 2013, Telegram’s user base had hit a whopping 400 million as of April 2020. The non-intrusive nature of the app, in contrast to the likes of Facebook Messenger and WhatsApp, is another reason for its popularity.

However, over the years, the app and its developer Pavel Durov have also been on the receiving end of some criticism. Telegram’s anonymous, secure connection allows users to access selectively prohibited networks and websites. Along with other proxy servers and VPN services, Telegram is completely or partially banned in several countries that are unwilling to risk national security. Furthermore, the app is not as secure as it claims to be, and its security flaws have been a major cause of data leaks.

In Russia, a struggle between the Federal Security Service (FSB) and Telegram after the St. Petersburg bombing resulted in the application’s ban in 2018. Pavel Durov refused to share the encrypted messages of the suicide bomber, who was apparently active on the messaging platform. A court maintained that the app would remain banned until its developer agreed to hand over its data encryption keys to the authorities. Russian authorities were unable to enforce the ban effectively and lifted it only recently.

In 2016, 15 million Iranian users’ records were leaked following a major data breach. Iranian hackers exploited security flaws in Telegram to compromise accounts; in particular, they compromised the SMS verification codes that are sent to users. This attack targeted Saudi royals, NATO officials, and even nuclear scientists.

In a more recent event, pro-democracy campaigners in Hong Kong coordinated their demonstrations against their government using Telegram. Although the app has been banned in the country since 2015, users found a way around it.

In Germany, the police launched a crackdown on criminals to prevent premeditated crimes. For this they only had to use proprietary software to hack into Telegram correspondence, which the police successfully carried out for two years.

 

Why should you monitor Telegram for threats?

The anonymity associated with the app is a concern for regulators and governments, as it increases the odds of the app’s features being misused. This is why activity on Telegram should be monitored, for the following reasons:

Selective chat encryption

Although users tend to think that all their correspondence is encrypted and secure, the app requires you to change the settings to “activate” end-to-end encrypted chats. Most users are not aware of this.

Proprietary encryption

Telegram relies on symmetric encryption and uses the proprietary protocol MTProto, making it difficult for external cryptographers to audit its efficacy.

Exposes Metadata

Researchers have uncovered flaws in the app whereby an attacker can snoop on significant data about a user apart from their chats. For instance, the attacker can figure out when the user is online and offline, which could in turn help them determine who the user is talking to; this is a rather serious flaw.

Breeding ground for illegal activities

In a 2016 report by Memri, Telegram was referred to as “the app of choice for many ISIS, pro-ISIS and other jihadi and terrorist elements.” Terrorist organizations weaponize Telegram to disseminate hatred and misinformation. The anonymity that the messaging app offers indirectly endorses criminal activities that are harmful to civilians and governments alike.

Corrupted files

The latest research from Symantec indicates that media files shared on WhatsApp and Telegram can be manipulated using malware. This security flaw, known as media file jacking, exists on Android devices. It allows attackers to intercept the process by which applications save media files to the device’s storage.

Command and control

The ‘Masad Clipper and Stealer’ malware, capable of giving hackers access to users’ personal information and crypto wallets, was sold via Telegram channels. The Telegram channel also served as a makeshift command and control server for the same malware.

 

CloudSEK’s proprietary cyber threat monitoring platform XVigil gathers information from Internet Relay Chat (IRC) and chat rooms (for instance, Telegram Channels). The platform then detects conversations that are intended to obtain information about your organisation, and weaponize it against you. XVigil crawls across various parts of the internet to find mentions of your digital assets, so that you can take proactive measures to prevent any external threats to your brand and infrastructure.


How much does a data breach cost you?

 

The increase in cyber-attacks during the Coronavirus pandemic has highlighted the gaps in traditional cybersecurity programs. With the large-scale shift to teleworking, companies have been forced to take their operations online. And this has proved to be a breeding ground for threat actors. From the increase in ransomware attacks and phishing campaigns to bitcoin scams and data leaks, we have witnessed increasingly sophisticated threats across the internet.

There is no denying that cyber threats have a far-reaching real-world impact. From stock price to reputation, organizations cannot escape the consequences of a cyber-attack. For example, Twitter’s shares went down by 3% following the recent hack that targeted several high-profile Twitter accounts.

The annual Cost of Data Breach report by the Ponemon Institute has been quantifying this impact for the last 15 years. The Cost of a Data Breach Report 2020 (published by IBM) has found a 1.5% decrease in the average cost from $3.92 million in 2019 to $3.86 million in 2020. However, for organizations that have mandated remote work, the average cost of a data breach is $137,000 more, making the global annual cost almost $4 million.

In this article we explore ways to incorporate the findings from this report to strengthen an organization’s cyber security posture.

 

Key takeaways from the report’s findings:

 

Identify stolen or leaked credentials

Stolen credentials, which are the costliest and most frequent threat vectors, are the root cause of 19% of malicious breaches. Despite this, organizations are slow to identify and neutralize leaked credentials. The longer the credentials are exposed, the higher the chance that threat actors will exploit them to orchestrate large-scale intrusive attacks.

This is why it is important to incorporate processes and tools that ensure data leaks related to your organization are monitored continuously. This includes real-time monitoring of the surface web, deep web, and dark web using a comprehensive threat monitoring tool such as CloudSEK’s XVigil.

 

Monitor for cloud misconfigurations

Cloud misconfigurations are exploited in 19% of malicious breaches. And the cost of these breaches, at $4.41 million, is 14% higher than the average. While the move to cloud-based services and databases is convenient, it comes with a unique set of security requirements.

The bedrock of cloud security is a combination of Identity and Access Management (IAM), permission controls, and continuous misconfiguration monitoring. XVigil’s Infrastructure Monitor offers solutions to scan for misconfigured cloud storage, web applications, and ports. This allows you to identify and mitigate the risks before they can be exploited by threat actors.

 

Leverage Artificial Intelligence (AI) to identify and mitigate threats

Automation separates the winners from the losers. The cost of breaches for organizations that have not leveraged end-to-end AI based security solutions was $6.03 million, which is more than double the cost of breaches seen by organizations that have deployed automated security solutions. With a difference of $3.58 million between companies that have deployed automated solutions and those that have not, automation is no longer a bonus, but the very core of effective cybersecurity.

 

Secure your customers’ PII

80% of data breaches include customers’ Personally Identifiable Information (PII). And each lost or stolen record costs an organization an average of $175, which is 17% higher than the average cost of a stolen record. Since customer PII is the most coveted type of data, it is important to ensure that it is anonymized and backed up regularly. And as a rule of thumb, enforce strong password policies, encryption standards, and multi-factor authentication.

 

The healthcare industry needs to up its cybersecurity quotient

It takes the healthcare industry 329 days to identify and contain a breach, which is 49 days more than the average 280 days, and a whopping 96 days more than the financial sector. The faster a breach is identified, the lower the cost incurred. So, it doesn’t come as a surprise that the healthcare sector, for the 10th year in a row, clocked the highest average cost of a breach at $7.13 million, which is a 10.5% increase from 2019.

Timely identification only comes with continuous real-time monitoring of internal and external threats. And this cannot be done manually, which is why automation and AI-driven security tools need to be deployed across organizations.

 

Proactively mitigate remote work related data breaches

With more organizations adopting remote work, there has been a surge in cyber-attacks, globally. Relaxed security controls to support remote work, unsecured home Wi-Fi networks, dependence on conferencing platforms, and the deluge of COVID-related scams have made it easier for threat actors to target organizations.

It is incumbent on organizations to reassess their cybersecurity programs to account for new threat vectors. Indeed, 76% of respondents believe that, despite their current cybersecurity measures, remote work will increase the time it takes to detect and contain a breach. But by deploying solutions that can address the WFH-related threat vectors, organizations can gain a significant advantage over threat actors.

 

Given that a data breach can have severe short-term and long-term impacts on an organization, taking preventive measures is a must. And with more and more companies adopting teleworking, the need for continuous monitoring of the internet, for threats related to your organization, is at an all time high.

Here’s where XVigil can help you strengthen your security posture. XVigil’s AI-driven engine scours the internet for threats and data leaks related to your organization, prioritizes them by severity, and provides real-time alerts, giving you enough time to mitigate the threats before they can have an adverse impact on your business.


Want to deter threat actors? Start by nullifying your data leaks.

 

70% of successful breaches are perpetrated by external actors whose attacks originate on the internet. Since these actors don’t have access to your organization’s internal assets or networks, they rely on data available on the internet. With 8.5 billion records compromised in 2019 alone, adversaries can find an employee’s credentials, or your organization’s API keys, within a few hours. This allows them to infiltrate your organization, spread malware and ransomware, or steal intellectual property and sensitive documents.

Apart from the direct operational impacts, cyber-attacks affect an organization’s hard-earned reputation and revenue as well. Snapchat shares dropped by 3.4% the day after their source code leak was made public. And in addition to the immediate backlash, companies that have experienced a breach underperform the market by more than 15%, even 3 years later.

Considering the stakes, it is important to take a closer look at the types of leaked data that threat actors seek out, and ways to effectively prevent them from getting their hands on it. 

 

What types of data do threat actors look for?

 

1. Credentials

 

27% of successful breaches involve stolen credentials

In almost all cyber-attacks affecting an organisation, credentials are involved, either as a target of theft or as a means of furthering access in a network. This includes email credentials and hardcoded access credentials that can be used to access confidential emails, systems, and documents.

 

Target was breached using stolen credentials

In one of the first major breaches, threat actors uploaded BlackPOS to Target’s point-of-sale (PoS) network, allowing them to steal customers’ credit card information and other personal details. It was later found that threat actors were able to compromise Target servers using credentials stolen from Fazio Mechanical Services. Fazio, Target’s HVAC vendor, had access to Target servers. And since the network was not properly segmented, threat actors were able to compromise Target’s PoS network.

 

2. Source codes

 

100,000+ GitHub code repos contain secret keys that can give attackers privileged access

While source code can be exposed on purpose by malicious insiders, most often it is exposed by developers being careless while pushing code from their machines to GitHub. Leaked source code could potentially expose SSH keys and digital certificates that unlock online resources, Application Programming Interface (API) keys, and other sensitive tokens. Using the source code, threat actors can find vulnerabilities that can be exploited to launch cyber-attacks on the company.
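A small scanner for the kind of hardcoded credentials described above, added here as an example (it is not CloudSEK's or XVigil's code): it runs a few detection rules over source lines and applies a Shannon-entropy check to generic `api_key = "..."` assignments so that placeholder values are not reported. The AWS key ID prefix and PEM header formats are public conventions; the sample source file and every key value in it are constructed.

```python
import math
import re
from dataclasses import dataclass

# Detection rules. The AWS access key ID format (AKIA + 16 upper-case
# alphanumerics) and PEM private-key headers are public conventions; the
# "generic_secret_assignment" rule catches api_key = "..." style source lines.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    "generic_secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, English words and
    placeholders such as 'your_api_key_here' score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    line_no: int
    rule: str
    sample: str  # redacted prefix only, so the report itself does not re-leak the value


def redact(value: str) -> str:
    return value[:4] + "..."


def scan_lines(lines, entropy_threshold: float = 3.5):
    """Run every rule over every line; generic assignments are only reported
    when the assigned value looks random enough to be a real secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, rx in PATTERNS.items():
            match = rx.search(line)
            if match is None:
                continue
            if rule == "generic_secret_assignment":
                value = match.group(2)
                if shannon_entropy(value) < entropy_threshold:
                    continue  # placeholder or dummy value, not a secret
                findings.append(Finding(line_no, rule, redact(value)))
            else:
                findings.append(Finding(line_no, rule, redact(match.group(0))))
    return findings


def scan_file(path: str):
    """Convenience wrapper to scan a file from a working tree (e.g. in a pre-commit hook)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh.read().splitlines())


# Constructed sample source file (no real credentials).
SAMPLE_SOURCE = [
    "# constructed sample: settings.py",
    "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE000000001'",
    'api_key = "your_api_key_here"',
    'API_TOKEN = "Zx9qL2mN8vB4kP7sR1tW3yU6oI0aE5dF"',
    "password = 'changeme'",
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEpAIBAAKCAQEA...constructed-body-omitted...",
    "-----END RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule} ({f.sample})")
```

Only the placeholder on line 3 and the short dummy password on line 5 are suppressed; the key ID, the random token and the PEM header are reported with a redacted prefix.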

 

Mercedes-Benz “smart car” components’ source code leak

After discovering one of Daimler AG’s Git web portals, a researcher registered an account on Daimler’s code-hosting portal and downloaded 580 Git repositories from the company’s server. The repositories contained the source code of onboard logic units (OLUs) used in Mercedes vans, which provide live vehicle data. The researcher then uploaded the files to file-hosting service MEGA, the Internet Archive, and on his own GitLab server, thus making it public. 

 

3. Sensitive data

 

Over 23 million stolen credit cards are being traded on the Dark Web

Sensitive data such as credit card details, healthcare information, customer PII, etc. often end up on the dark web after being exposed on unsecured databases or cloud storage. This information could be used to launch phishing attacks. It could also lead to your intellectual property being exposed to the public. 

 

540 million Facebook users’ records were exposed on unsecured S3 buckets

Mexico-based digital media company Cultura Colectiva exposed 146 GB of Facebook user data, including comments, likes, account names, reactions, and Facebook IDs, on an unsecured Amazon S3 bucket. Another S3 bucket, belonging to the Facebook-integrated app At The Pool, exposed 22,000 Facebook users’ friend lists, interests, photos, group memberships, and check-ins.
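The "continuous misconfiguration monitoring" called for in the cloud section above comes down to checks like the following, added here as an example (not XVigil's code) for the unsecured-S3-bucket case just described: it evaluates a bucket's ACL, bucket policy and Public Access Block settings, in the shapes boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, and reports whether the bucket is effectively public. The bucket name, owner ID and policy document are constructed.

```python
import json
from typing import Optional

# Canonical ACL group URIs that make a bucket or object world-readable/writable.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: dict):
    """(group, permission) pairs granted to the public groups.
    `acl` has the shape returned by boto3's S3.Client.get_bucket_acl()."""
    grants = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            grants.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return grants


def _principal_is_wildcard(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict):
    """Allow statements with a wildcard principal and no Condition block.
    `policy` is the parsed policy document (json.loads of get_bucket_policy()['Policy'])."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not s.get("Condition")
    ]


def assess_bucket(name: str, acl: dict, policy: Optional[dict], pab: dict) -> dict:
    """Combine the three checks. `pab` is the PublicAccessBlockConfiguration dict
    (a missing flag counts as False). IgnorePublicAcls neutralizes public ACL
    grants; RestrictPublicBuckets neutralizes public bucket policies."""
    issues = []
    acl_grants = public_acl_grants(acl)
    acl_public = bool(acl_grants) and not pab.get("IgnorePublicAcls", False)
    for group, perm in acl_grants:
        suffix = "" if acl_public else " (ignored by IgnorePublicAcls)"
        issues.append(f"ACL grants {perm} to {group}{suffix}")
    open_stmts = public_policy_statements(policy) if policy else []
    policy_public = bool(open_stmts) and not pab.get("RestrictPublicBuckets", False)
    if open_stmts:
        suffix = "" if policy_public else " (restricted by RestrictPublicBuckets)"
        issues.append(f"policy has {len(open_stmts)} Allow statement(s) for Principal '*' "
                      f"without Condition{suffix}")
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag, False)]
    if missing:
        issues.append("Public Access Block flags not set: " + ", ".join(missing))
    return {"bucket": name, "public": acl_public or policy_public, "issues": issues}


# Constructed inputs modelling a misconfigured media bucket (not real account data).
LEAKY_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::constructed-media-bucket/*"}]
}""")
OPEN_PAB = {flag: False for flag in PAB_FLAGS}      # the weak setting
HARDENED_PAB = {flag: True for flag in PAB_FLAGS}   # the corrected setting

if __name__ == "__main__":
    for pab in (OPEN_PAB, HARDENED_PAB):
        print(json.dumps(assess_bucket("constructed-media-bucket", LEAKY_ACL, LEAKY_POLICY, pab),
                         indent=2))
```

With the same leaky ACL and policy, the bucket is reported public under the open Public Access Block and not public once all four flags are enabled, which is the account-level guard rail to verify first.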

 

How to eliminate the low-hanging fruit that expedites attacks?

As seen from the above examples, despite their best efforts, Target, Mercedes, and Facebook were not able to prevent their data from leaking. This can be attributed to the highly distributed, interconnected, and globalized nature of modern businesses, which means there aren’t enough resources to monitor every employee, vendor, and vendor’s vendor. But the good news is that if you can detect data leaks in time, and have them taken down, their impact will be greatly reduced.

On average, a data breach lifecycle is 279 days: 206 days to identify the breach and 73 days to contain it. If a data leak can be identified within a few hours instead of 206 days, its presence across the surface web and dark web can be contained. However, this cannot be done manually. The only way to effectively identify and curb data leaks is to adopt AI-driven real-time monitoring.

 

Continuous monitoring for leaked or exposed data

Incorporate processes and tools that ensure data leaks related to your organization are monitored continuously. This includes real-time monitoring of the surface web, deep web, and dark web for credentials, source code, and sensitive information. Deploy a comprehensive threat monitoring tool such as CloudSEK’s XVigil, whose AI-driven engine scours the internet for threats and data leaks related to your organization, prioritizes them by severity, and provides real-time alerts, giving you enough time to neutralize the data leaks before they can have an adverse impact on your business.


What is shadow IT and how do you manage shadow IT risks associated with remote work?

With cyber threats on the rise, and the recent implementation of remote work across businesses and organizations, in-house IT teams are struggling to preserve their security posture. Furthermore, an increasing number of employees are using applications, hardware, software, and web services that their IT departments are not aware of. A Forbes Insights survey found that more than 1 in 5 organizations have experienced a security incident due to shadow IT resources. 

Amidst the COVID-19 crisis, with entire workforces confined to their homes, the use of personal networks and devices is growing rapidly. This allows employees to install or work with external applications and infrastructure that complement their skills and/or requirements. While this may improve employee productivity, it exposes employees and their organizations to a wide range of cyber threats.

 

What is Shadow IT?

Shadow IT refers to the use of diverse Information Technology (IT) systems, devices, software, applications, and services, without the authorization of IT departments. Although shadow IT enhances efficiency, it also subjects users and their organizations to heightened risks of data breaches, noncompliance issues, unforeseen costs, etc. 

Microsoft 365, work management apps such as Slack, Asana, Jira, etc., messaging apps like WhatsApp, and cloud storage, sharing, and synchronisation apps such as OneDrive and Dropbox are the most common examples of shadow IT. Obviously, these applications are not inherently threatening, and are usually installed with the best intentions, but they tend to endanger the overall security of the organization in the event of misuse or negligence.

 

What are the different forms of shadow IT and which is the most popular one?

Users employ various forms of shadow IT applications and services. Broadly, they can be classified as:

  • Hardware: Personal devices, systems, servers and other assets.
  • Ready-to-use software: Adobe Photoshop, MS Office, etc.
  • Cloud services: Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) services.

While users subscribe to various IT services that are not administered by their IT departments, the most common form of shadow IT is SaaS-based cloud services. SaaS-based applications are gaining popularity across workforces, regardless of the industry or sector. This is because such publicly available applications often outperform on-premise applications and infrastructure.

 

Why do employees prefer shadow IT?

Research by the Everest Group found that shadow IT accounted for 50% or more of the IT spending in large organizations. So, dismantling shadow IT means organizations have to devote more funds to building and maintaining approved applications and infrastructure. However, employees prefer external applications even when in-house applications are available, simply because the external ones are comparatively sophisticated.

Here are some common reasons for employees opting for shadow IT solutions:

  • Efficiency and agility

This is probably the most common reason behind the increasing use of shadow IT. Users employ external IT resources to produce better results, and because it makes work considerably easier. The latest research by Entrust Datacard reported that 77% of the surveyed IT employees believed that organizations could be frontrunners if they were successful in meeting the shadow IT needs of their employees.

  • Inadequate coordination

Poor communication and coordination between various teams and the IT department is not conducive for productivity. Therefore, it could cause employees to choose shadow IT over onsite software and applications.

  • Inconsistency

If customers’ programs cannot be integrated with the organization’s systems/ software, employees may resort to using external services for better results. 

  • Readily available tools

Clearance from the IT department can be time-consuming. So, when the necessary software, service, or hardware is readily available and compatible with any device, employees naturally choose to use it.

 

What are the potential risks associated with shadow IT?

 

Security

On the subject of employees using shadow IT, security is definitely the principal concern. As IT departments are not aware of certain applications that employees use, it is impossible for them to provide security updates and patches, or to test the newly adopted applications. Unpatched vulnerabilities can cost organizations a fortune, as in the case of Maersk in 2017, when hackers exploited their computers because they lacked the latest Microsoft security patches. This incident cost Maersk over $200 million in lost revenue.

 

Data breaches, leaks

Shadow IT applications that support file sharing, storage, and collaboration are prevalent among employees of every organization. As effective as they are, they can cause data breaches and leaks. Since IT departments are not familiar with this additional software deployed on their network, they eventually lose control over the organization’s data. In 2018, Gartner predicted that in 2020, one-third of successful attacks that target organizations will be through their data located in shadow IT resources and shadow IoT.

 

Non-compliance and violation of regulations

If and when organizations fail to conduct risk assessments and take preventive measures with regard to unauthorized applications, it could burden them with severe sanctions for non-compliance. These actions also risk violating regulations such as HIPAA, GDPR, etc. On becoming aware of shadow IT applications in use within the organization, organizations are forced to conduct a separate security audit, which results in unforeseen costs.

 

What can organizations do to avoid these risks?

 

  • Regular monitoring of networks and vulnerability scanning

Monitor your organization’s network continuously for any shadow IT applications, and scan such applications, along with other in-house assets, for vulnerabilities that could expose your organization to cyber threats. Ensure that the latest updates are installed.

 

  • SaaS Management

The IT department could set up a system of SaaS Management or simply Software Asset Management, to keep track of all the applications used within the organization. 

 

  • Internal monitoring tools

We would also encourage organizations to leverage digital risk monitoring tools such as CloudSEK’s XVigil. XVigil helps to detect data leaks pertinent to the organization, caused by shadow IT, early on, giving you sufficient time to address these issues before they affect your security posture.

 

  • Train employees

Security/IT teams should create awareness among employees. This could also give you an idea of the various shadow IT devices or applications that your employees use. While security/IT teams are at it, they may also want to educate employees on the different types of data that they deal with and the responsibilities that come along with it.

 

  • Address employees’ technology needs

Organizations should address employees’ technology requirements, to eliminate the need for external applications. Employees often cite long approval processes and delays in acquiring sanctioned applications, as reasons for adopting external solutions to meet their immediate needs. 

 

  • Prepare a list of usable applications or devices

Keeping in mind that not all applications or devices pose a threat, organizations could prepare a list of approved applications/ devices and encourage employees to use them.


6 major quality metrics that will optimize your web app

 

As more businesses migrate to cloud environments, making it easier for customers to access their services/products, we have witnessed a sharp rise in the number of online businesses employing web applications. Also known as web apps, they have assumed great significance in this digital era, allowing businesses to develop and achieve their objectives expeditiously.

Well designed web apps allow organizations to gain competitive advantage and appeal to more customers. Hence, it is essential to have measurable or quantifiable metrics to gauge the quality of a web app.

 

What is a web application?

Web apps are software programs that require a web browser for interaction. And unlike other applications, users need not install the software to run web applications; all they require is a web browser. Web applications include everything from small-scale online games to video streaming applications like Netflix.

 

What are Software Quality Metrics?

Software quality metrics gauge the quality of the software, its development and maintenance, and the execution of the project itself. In essence, software quality metrics record not only the number of defects or security flaws in the software, but also the entire process of development of the project, as well as the product.  

 

Classification of Quality Metrics

Based on the components and features, software quality metrics can be classified into:

  • Product quality metrics
  • In-process quality metrics
  • Project quality metrics

A user grades the quality of an application based on their experience with its features/functionalities, the value it provides, and after-sales services such as maintenance, upgrades, etc. However, the quality of the software is also measured based on the project, the teams involved, project cost, etc.  

 

Six major quality metrics to consider for better web applications

 

  1. Usability of the web application:

Usability testing assesses the ease with which end-users consume the application. It ensures effective interaction between the user and the app. Web applications that have a complicated design or interface are the least preferred by users.

In order to test the usability of a web app, its navigation, content, and other user-facing features should be tested.

For example:

  • Images and other non-text content should be placed appropriately, so as to avoid distractions.
  • The options “Search” and “Contact us” should be easy to find. 

 

  2. Performance of the web application:

Performance testing determines the behaviour of the application under different settings and configurations. For example: Performance during high usage vs normal usage. Performance of a web app contributes to its adoption, continued usage, and overall success.  

Types of performance testing

  • Load testing
  • Web stress testing

In load testing, we evaluate the performance of the web app when multiple users access it concurrently. This helps to ascertain if the app can sustain peak hours, handle large user requests or simultaneous database access requests, etc.

In web stress testing, the system is tested beyond the limits of standard conditions. The objective of web stress testing is to assess the behaviour of the app under volatile conditions, such as web pages timing out or delays between requests and responses, and to observe how it recovers from crashes.

 

  3. Compatibility on different platforms and browsers:

The quality of the software also depends on whether the application is compatible with different browsers, hardware, operating systems, applications, network environments, and devices.

For instance,

  • If developers intend to have a mobile version of a web application, they ought to address and resolve any issues that may arise in that scenario.
  • While performing various actions such as printing or downloading, from a web application, the elements on the page, including text, images, etc., should be fixed in place, and properly aligned to fit on the page. 

 

  4. Requirements Traceability:

This parameter traces and maps each user requirement throughout its life (from its source, through the stages of development and deployment), using test cases. It checks whether every user requirement is met, and defines the purpose of each requirement and the factors it depends on.

 

Modes of requirement traceability

Based on the direction of tracing, requirement traceability can be classified into:

  • Forward traceability: Tracing from the requirement sources to the resulting requirements, to ensure coherence.
  • Backward traceability: Tracing the various components of the design or implementation back to their source, to verify that requirements are updated.
  • Bidirectional traceability: Tracing both backward and forward.

 

  5. Reliability:

A web application is not reliable if it does not produce consistent results. In an ideal situation, the application must operate failure-free, for a specified period of time, in a particular environment.

For example, a medical thermometer is only reliable if it measures the accurate temperature every time it is used.

 

  6. Security testing for the web application:

The security implementation of a web application is another factor that determines its success. As a study shows, hackers can attack users in 9 out of 10 web applications. These attacks include redirecting users to a malicious site, stealing credentials, and spreading malware. So, ignoring this factor could cause serious damage to users and their businesses.

For example,

  • To test the security of web applications, we test the URLs that a given user can and cannot access. If an online document is identified by a parameter at the end of its URL, such as ID="456" or identifier="zm9vdC0xNl8yMDE5…", the user should only be able to access the documents they are authorized to view. If the user alters the ID/ identifier in the URL, they should receive an appropriate error message rather than another user’s document.
  • Automated traffic (bots) can be limited by using CAPTCHA.
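The URL access check described above, written out as an added example (not code from the original article): a flawed handler that serves any document whose ID appears in the URL is placed beside a hardened one that also checks ownership, and a small test matrix of URLs a user can and cannot reach is run against both. The users, document IDs and URLs are constructed for illustration.

```python
"""Access-control test for document URLs: flawed handler vs hardened handler.

Added example; not code from the original article. The document store, users
and URLs below are constructed samples.
"""
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample data: document id -> (owner, contents).
# The second key is an opaque identifier; opaque ids alone are not access control.
DOCUMENTS = {
    "456": ("alice", "Alice's invoice"),
    "457": ("bob", "Bob's invoice"),
    "zm9vdC0xNl8yMDE5": ("alice", "Alice's report"),
}


def document_id_from_url(url: str) -> Optional[str]:
    """Extract the document identifier from ?ID=... or ?identifier=... in the URL."""
    params = parse_qs(urlparse(url).query)
    for key in ("ID", "id", "identifier"):
        if key in params:
            return params[key][0]
    return None


def fetch_document_vulnerable(user: str, url: str) -> Tuple[int, str]:
    """Flawed handler: the user is authenticated, but ownership is never checked,
    so altering the id in the URL returns someone else's document."""
    doc_id = document_id_from_url(url)
    if doc_id is None or doc_id not in DOCUMENTS:
        return 404, "not found"
    _owner, body = DOCUMENTS[doc_id]
    return 200, body


def fetch_document(user: str, url: str) -> Tuple[int, str]:
    """Hardened handler: the document is served only to its owner.
    A non-owner gets the same 404 as a missing id, so the error message does not
    reveal which identifiers exist (a 403 is acceptable if that disclosure is fine)."""
    doc_id = document_id_from_url(url)
    if doc_id is None or doc_id not in DOCUMENTS:
        return 404, "not found"
    owner, body = DOCUMENTS[doc_id]
    if owner != user:
        return 404, "not found"
    return 200, body


# Test matrix: (user, URL, expected status) covering URLs the user can and cannot access.
ACCESS_TESTS = [
    ("alice", "https://app.example/doc?ID=456", 200),
    ("alice", "https://app.example/doc?ID=457", 404),  # altered id: Bob's document
    ("alice", "https://app.example/doc?identifier=zm9vdC0xNl8yMDE5", 200),
    ("bob", "https://app.example/doc?identifier=zm9vdC0xNl8yMDE5", 404),  # not Bob's
    ("bob", "https://app.example/doc?ID=999", 404),  # non-existent id
]


def run_access_tests(handler: Callable[[str, str], Tuple[int, str]]) -> List[str]:
    """Run the matrix against a handler; return the failures (empty list = pass)."""
    failures = []
    for user, url, expected in ACCESS_TESTS:
        status, _ = handler(user, url)
        if status != expected:
            failures.append(f"{user} {url}: expected {expected}, got {status}")
    return failures


if __name__ == "__main__":
    print("vulnerable handler failures:", run_access_tests(fetch_document_vulnerable))
    print("hardened handler failures:  ", run_access_tests(fetch_document))
```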

Types of security testing

  • Dynamic Application Security Testing (DAST): It detects indicators of security vulnerabilities in a running application.
  • Static Application Security Testing (SAST): It analyzes the application’s source code and/ or compiled code for patterns indicative of security vulnerabilities.
  • Application Penetration Testing: It assesses how well the application defends against possible attacks.

 

Additional components to be considered

To ensure that the web application is fully functional in all aspects, the following components should be inspected:

Links

  • Internal links
  • Outgoing links
  • Links that direct users to another section on the same page
  • Orphan pages in web applications
  • Broken links

Forms or other input fields

  • Verify all validations
  • Check default values
  • Behaviour on wrong or invalid input
  • Links to update forms, edit forms, delete forms, etc. (if any)

Database 

  • Review data integrity while editing, deleting, and updating forms
  • Check if data is being retrieved and updated correctly

Cookies 

  • Check whether the cookies are encrypted or not
  • Evaluate application behavior after deleting cookies

Avoid costly breaches by upgrading your third-party vendor risk management 

According to a Ponemon study, 59% of the surveyed companies had experienced a data breach due to their third-party vendors. While data breaches can be caused by several sources, those that involve a third-party have been found to increase the total cost of a data breach by approximately $370,000. And considering that data breaches affect an organization’s reputation, revenue, and compliance, third-party vendor risk management can no longer be an afterthought. 

Given the level of access most vendors have to an organization’s network, traditional risk management frameworks fall short. Traditional strategies focus on vetting vendors, having a robust onboarding process, and periodic assessments. However, a rapidly evolving cyber threat landscape renders these assessments and findings obsolete, within a few days or weeks.  

The failure of traditional vendor risk management is evident in several high-profile breaches. From the Target breach in 2013 to the recent Facebook and Airbus breaches, they were all traced back to their respective third-party vendors. So, this calls for a more dynamic vendor risk management approach, which covers a wide range of vendor related risks.

In this article, we explore:

  • Risks associated with third-party vendors
  • Common pitfalls in traditional vendor risk management strategies
  • Ways to upgrade your vendor risk management, and effectively reduce associated risks

 

Risks associated with third-party vendors

Outsourcing is an integral part of most businesses because it provides:

  • Flexibility: Offering a dynamic workforce and adaptable operations.
  • Scalability: Reaching new markets and serving more customers.
  • Expertise: Catering to different sectors and industries.
  • Cost cutting: Saving on infrastructure and operational costs.  

For these reasons, outsourcing is here to stay. However, as vendors and organizations become more interconnected, the cybersecurity risks also multiply. Vendors serve as an entry point for threat actors to make their way into a company’s networks by:

 

  • Exploiting vulnerabilities in a vendor’s systems

While a business has control over patching and updating their assets, they cannot monitor a vendor’s systems, and ensure they do the same. 

Ticketmaster’s data breach was due to a vulnerability in their vendor’s system:

A data breach at Ticketmaster, an American ticket sales and distribution company, was traced back to Inbenta, a third-party, which powers Ticketmaster’s customer support agent. Inbenta was one of the 800 victims targeted by Magecart’s digital credit card skimming campaign. An attacker targeted Inbenta’s front-end servers, where they stored code libraries used by Ticketmaster. Then, by exploiting a number of vulnerabilities, the attacker modified the code to steal customer data. 

 

  • Using network/ system credentials exposed by vendors

Vendors usually need remote access to a company’s systems in order to access data and applications, or to carry out maintenance activities. And vendors could leave your network credentials exposed, or threat actors could compromise a vendor’s network to steal the credentials. This is especially damaging, if there is no proper network segmentation, giving the threat actor unbridled access to the company. 

Threat actors used stolen vendor credentials to access Target’s PoS network 

In one of the first major breaches, threat actors uploaded BlackPOS to Target’s point-of-sale (PoS) network, allowing them to steal credit card information and other personal details. It was later found that threat actors were able to compromise Target servers using credentials stolen from Fazio Mechanical Services. Fazio, Target’s HVAC vendor, had access to Target servers. And due to improper network segmentation, threat actors were able to compromise Target’s PoS network.

 

  • Using source code leaked by vendors

Most companies keep their source code confidential. So, unlike open-source software, the public cannot view or modify their source code. Leaked source code usually finds its way to dark web sites, where the code will be available to hackers even after it has been taken down from the original location. Hackers then use the source code to find vulnerabilities that can be exploited to launch cyber-attacks on the company and its customers.  

Partners leaked the Team Fortress 2 and CS:GO source codes

Team Fortress 2 and Counter-Strike: Global Offensive (CS:GO) source codes were found online and then uploaded to torrent sites. CS:GO confirmed that the code was originally shared with their partners in 2017, and was subsequently leaked. And despite reassurances that the leak doesn’t affect current players, several screenshots and videos made the rounds, purporting to be Remote Code Execution (RCE) exploits based on the leaked code, which damaged the games’ reputations.

 

  • Sensitive information exposed by vendors

In the recent past, there have been several cases of vendors exposing Amazon storage buckets and databases that can be accessed over the internet. This gives threat actors easy access to sensitive information, which they then sell on the dark web, to the highest bidder. 

Vendors exposed 540 million Facebook users’ records 

Mexico based digital media company Cultura Colectiva exposed 146 GB of Facebook user data, including comments, likes, account names, reactions, and Facebook IDs, on an unsecured Amazon S3 bucket. Another S3 bucket, belonging to Facebook integrated app At The Pool, exposed 22,000 Facebook users’ friend lists, interests, photos, group memberships, and check-ins.

 

Common pitfalls in traditional vendor risk management strategies

While traditional vendor risk management frameworks are a good starting point, there are a few areas they need to address to be effective in a hyper-connected world. Dynamic third-party risk management should: 

 

  • Address fourth/ nth party vendors

A 2019 survey found that only 2% of organizations identify and monitor all their subcontractors. And 8% of organizations monitor subcontractors only for critical infrastructure and IT. The remaining 90% said they lacked the required skills to monitor fourth/ nth parties. 

  • Adapt to a constantly evolving cyberthreat landscape

Organizations generally perform vendor risk assessments at the time of onboarding, and at regular intervals thereafter. In the intervals between assessments, new vulnerabilities, exploits, and malware and ransomware strains show up, and the assessments don’t account for these unknowns.

  • Leverage automation and technology 

Standard vendor risk management frameworks don’t offer a common, integrated platform that tracks the end-to-end process from risk identification and prioritization to issue tracking and mitigation. They also don’t provide actionable intelligence, which organizations can leverage to make better cybersecurity decisions.

 

Ways to upgrade your vendor risk management, and effectively reduce associated risks

Companies need to upgrade their standard vendor risk management process, to ensure their vendors are not putting their data and network at risk. Organizations can do this by incorporating a few effective tools and processes such as:

  • Updating contractual standards

Update contracts to account for new regulatory and data privacy requirements. And ensure your vendor is obligated to disclose risks and data breaches in a timely manner. It would also help to have defined processes to mitigate risks and to respond to data breaches.    

  • Focusing on nth party risk management

Ensure you have complete visibility of your vendor’s vendors. Determine if the products and services are provided directly by the vendor or by a subcontractor. And have contractual agreements with vendors that mandate such disclosures. 

  • Continuous vendor risk monitoring

Incorporate processes and tools that ensure vendor related risks are monitored even between regular assessments. This includes real-time monitoring of the surface web, deep web, and dark web for source code, sensitive information, and credentials. An IBM study found that the mean time to identify (MTTI) a breach is 197 days. It is during this interval that a comprehensive SaaS platform such as CloudSEK’s XVigil will help. XVigil’s AI-driven engine scours the internet for threats related to your organization, prioritizes them by severity, and provides real-time alerts, giving you enough time to mitigate the threats before they can have an adverse impact on your business.

Threat actors’ next big target: VIPs, Executives, and Board members

A recently uncovered spear phishing campaign, orchestrated by the PerSwaysion group and targeting 150+ executives across the globe, is a prime example of the growing trend of concerted cyber attacks on CXOs and VIPs. This kind of targeted attack on VIPs is commonly known as whaling. Whaling tactics are similar to general spear phishing, but differ in that they specifically target high-level and important individuals within an organization.

Threat actors are slowly moving from large-scale, low-value attacks, which target a general population, to small-scale, high-value attacks, which target the key personnel of an organization. Furthermore, the Verizon 2019 Data Breach Report found that senior executives are 12 times more likely to be targets of social incidents, and 9 times more likely to be targets of social breaches. This is because high-profile personnel have exclusive clearances, privileges, and access to:

  • Confidential and sensitive information including financials, trade secrets etc. 
  • The authority to order other employees in the organization to carry out certain tasks.
  • Valuable assets including networks, devices, and facilities. 

How do threat actors target C-level executives?

Research and reconnaissance

  • To orchestrate a typical attack, threat actors perform extensive reconnaissance and research, to understand an organization’s structure and functions.
  • Using this information, they narrow down the list of potential targets and their associates.
  • They then collect personal information about the shortlisted VIPs. Most companies publish their executives’ details on social media, news media, and their own websites. Thus, a simple Google search will give the threat actor access to this information. Moreover, the executives themselves have personal accounts on platforms such as Facebook and LinkedIn. And often, the privacy settings on these accounts are lax. 
  • They further search for exposed account credentials from previous data leaks. Given that most of us, executives being no exception, use the same password for multiple accounts, the exposed credentials can be used to gain access to the executive’s official email account.

Data theft attacks

  • Once hackers have obtained access to C-suite executives’ accounts, through brute-force attacks or other means, they steal valuable information. This may include client lists, customer data, financial data, internal processes, business strategy and plans, and more.

Impersonation attacks

  • Threat actors could hijack executives’ social media accounts and post harmful messages. And, this could tarnish the reputation of the executive and their organization.  
  • Using the email access, threat actors decipher the communication frequencies and styles within the organization. For example: If there is a trail of audit related emails, threat actors can send requests for audit related details in continuation to the ongoing communication. 
  • If threat actors cannot get access to an executive’s credentials, they create fake email IDs. These email IDs closely resemble one of the executives’ email IDs, or that of the HR or Accounting department. From the fake ID they send an urgent, actionable, and believable email to a C-level executive.

Extended attacks

  • Threat actors bank on executives having limited time, or relying on assistants, to read and respond to emails. They also ensure the emails are believable. For this, they add references to the executive’s interests and hobbies, which are gleaned from their social media profiles. The emails usually request the email recipient, who is also an executive or VIP, for sensitive information, wire transfers, or to download an attachment. 
  • If the recipient falls for the trap, they will end up revealing sensitive information or authorizing someone else to do so. They could also authorize transfers to the fake account details shared by the threat actor. A malicious attachment could drop a malware or ransomware payload in their systems. The recent PerSwaysion campaign used a fake Microsoft Outlook login page, from where they were able to collect 150+ executives’ login credentials. The credentials can be used to orchestrate other attacks or could be sold on the Dark Web, to the highest bidder.  

How to protect C-level executives from these attacks?

Given the heightened risk to VIPs, here are a few measures to combat and mitigate threats:

Continuous monitoring

Deploy a real-time monitoring tool that will scour the internet – surface web, deep web, and dark web – for potential threats. A comprehensive SaaS platform such as CloudSEK’s XVigil tracks VIPs’ personal email IDs for their presence in past security breaches. Organizations are alerted to such threats immediately, along with other significant details pertaining to the risk.

Review social media presence

Ensure the executives’ social media accounts have the highest level of privacy. Report duplicate accounts and delete dormant accounts on a regular basis. 

Multi-layered protection

Enable Multi Factor Authentication (MFA) for all their accounts, including email, company assets and network. 

Regular cybersecurity refreshers

Since threat actors are constantly changing and upgrading their whaling tactics and ruses, periodic training will help executives spot and avoid such traps. 

 

An attack on a VIP doesn’t just affect them personally; it also affects their organization’s revenue and brand image. Threat actors could gain access to the company’s central database, steal employee and customer details, and leak or even sell them. It takes years of painstaking effort to build a company’s brand image, and any damage to this intangible asset can have very serious and far-reaching consequences. Hence it is important to enable processes, and tools such as XVigil, to continuously monitor and protect VIPs and their organizations.

Combating data breaches caused by misconfigured apps

From the outset of the pandemic, we have seen a dramatic increase in the number of cyber attacks and data breaches. And with much success, threat actors are abusing the fear and panic these adverse conditions are causing. As a result, there has been a precipitous rise in the number of COVID-themed trojans, ransomware attacks, as well as scams and phishing attacks across organisations and verticals. As more organizations shift to remote work, with inadequate policies and strategies in place, they gamble on their own employee and business data security, and privileged controls. And this has served as a catalyst, for an increased number of data breaches, across the globe. 

This article delves into the various ways in which data breaches can occur, and the safety practices that ensure your organization is not impacted by:

  • Cloud misconfigurations
  • Elasticsearch exposures
  • Exposed Internal API/ portals 
  • Phishing attacks and credential disclosure
  • Insecure WiFi/ no VPN

Cloud Misconfigurations

Cloud misconfigurations have led to massive data breaches. For example, the Capital One and Imperva data breaches were caused by the disclosure of AWS API keys.

Fugue’s survey shows that 84% of the 300 IT professionals surveyed believe that they are already victims of undiscovered cloud breaches.

 


As pointed out by the survey, the most common causes of cloud misconfigurations are: 

  • Lack of awareness of cloud security and related policies, 
  • Insufficient controls and lapse in supervision, 
  • Too many cloud APIs to adequately govern, and 
  • Negligent internal activities

Although cloud operations take a considerable load off developers, and facilitate the smooth management and monitoring of multiple services, enforcing proper access control policies, user management, access key management, and API access control becomes essential.

How to prevent cloud misconfiguration 

  • Understand and utilise the ‘shared responsibility’ security model.
  • Ensure multiple checks while shifting operations to the cloud giving careful consideration to IAM roles, user account permissions, key rotations, test accounts, and storage bucket permissions.
  • Review inbound and outbound traffic rules carefully for the VPC. Security groups are also susceptible to misconfigurations. Therefore, enforce a zero trust policy, and enable VPC logs and monitoring. 
  • Set up behavioural analysis and activity monitoring in addition to strict access policies.
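The storage bucket permissions check mentioned above, as an added example (not the article’s code): a function that audits an S3 bucket policy for Allow statements that grant read access to a public principal, run against a constructed world-readable policy and its corrected form. The bucket name, role ARN and account ID are placeholders; the check covers bucket-policy JSON only (not ACLs or the account-level public access block).

```python
"""Audit an S3 bucket policy for public read access.

Added example; not code from the original article. Both policies are constructed.
NotPrincipal/NotAction and bucket ACLs are out of scope for this check.
"""
import json
from fnmatch import fnmatch
from typing import Any, List, Tuple

# Actions that let anyone enumerate or download objects.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means every AWS account and anonymous users."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _granted_read_actions(actions: list) -> List[str]:
    """Expand wildcards such as "s3:*" or "s3:Get*" against the read actions."""
    granted = []
    for read in READ_ACTIONS:
        if any(fnmatch(read.lower(), str(pattern).lower()) for pattern in actions):
            granted.append(read)
    return granted


def find_public_read(policy_json: str) -> List[Tuple[str, List[str], bool]]:
    """Return (Sid, read actions, unconditional) for each Allow statement with a
    public principal. `unconditional` is False when a Condition block is present;
    such statements still need review, but may be scoped (e.g. to a VPC endpoint)."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        reads = _granted_read_actions(_as_list(stmt.get("Action")))
        if reads:
            findings.append((stmt.get("Sid", "<no Sid>"), reads, not stmt.get("Condition")))
    return findings


# Constructed: a policy that makes every object in the bucket world-readable.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-user-data/*"
    }]
})

# Constructed: the corrected policy, granting read only to one application role
# (placeholder account id) and denying any request not sent over TLS.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-user-data", "arn:aws:s3:::example-user-data/*"]
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-user-data", "arn:aws:s3:::example-user-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}
        }
    ]
})

if __name__ == "__main__":
    print("public policy:    ", find_public_read(PUBLIC_POLICY))
    print("restricted policy:", find_public_read(RESTRICTED_POLICY))
```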

 

Elasticsearch Exposures

Elasticsearch is a search engine that indexes data in the form of documents. Typically, the size of data that this engine indexes is quite large and the indexed result comprises metadata, personal user information, emails or application logs, and more. The service, by default, runs on TCP port 9200. Moreover, most Elasticsearch instances are self-hosted free versions of the software. 

CloudSEK XVigil’s Infrastructure Monitor has detected a significant increase in Elasticsearch instances running on the default port, and such exposures are not rare these days. Recently a UK-based security firm accidentally exposed an Elasticsearch cluster, leaking more than 5 billion documents of breached data from between 2012 and 2019.

How to secure Elasticsearch

  • Prevent access to Elasticsearch clusters from the internet. This is the best approach for most databases.
  • Practice ‘security by obscurity’ as an additional layer, whereby the installed services are not run on the default port. This measure does not fix the problem by itself, but it drastically reduces the chances of exploitation by unfocused, mass-scanning attacks.
  • Perform periodic assessments of vendors’/ partners’ networks and ensure that their security controls are set properly. The misconfiguration of privately-owned infrastructure, as well as that of partners and vendors in possession of critical data, adversely impact businesses.
  • Analyse and test every potential entry point to any critical data source/ functionality. This includes supplementary tools used to expand an application’s capabilities. Most users install Kibana along with Elasticsearch, which helps to visualise the data Elasticsearch indexes. Kibana dashboards are usually left unauthenticated, inadvertently granting anyone access to the indexed data.
  • Encrypt the stored data, to render the data useless to the attacker, even if it is accessible. 
  • Employ Elasticsearch’s security methods for authentication, including:
    • Active Directory user authentication
    • File-based user authentication
    • LDAP
    • SAML
    • PKI
    • Kerberos
  • Enforce role-based access control policy, for users who access the cluster.
  • Update Elasticsearch versions regularly, to safeguard the cluster from frequent exploits that affect the older versions. 
  • Back up the data stored in the production cluster.  This is as important as the security measures adopted. A recent attack campaign accessed as many as 15,000 Elasticsearch clusters, and their contents were wiped using an automated script. 
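As an added example (not the article’s code, and not from Elastic), the following checks the settings that underlie several items in the list above: whether the node binds beyond loopback, whether security (authentication and RBAC) is enabled, whether TLS is on for the HTTP API, and whether the default port 9200 is still in use. It assumes a 7.x-style self-hosted configuration in which security is off unless enabled, and the two config texts are constructed samples.

```python
"""Audit an elasticsearch.yml for the exposures discussed in the article.

Added example; not code from the article or from Elastic. The setting names are
real Elasticsearch settings; the severities are this example's own. The parser
handles the flat `key: value` lines such files normally use.
"""
from typing import Dict, List, Tuple

# Values of network.host that keep the node on loopback only.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_settings(text: str) -> Dict[str, str]:
    """Parse flat `key: value` lines; comments and blank lines are skipped.
    Quotes and list brackets are stripped, so ["127.0.0.1"] becomes 127.0.0.1."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip().strip("[]").replace('"', "").replace("'", "")
        settings[key.strip()] = value.strip()
    return settings


def audit_elasticsearch_config(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    s = parse_settings(text)
    findings = []

    # 1. Reachable from the network? When network.host is unset, the node binds loopback only.
    hosts = {h.strip() for h in s.get("network.host", "_local_").split(",")}
    if not hosts <= LOOPBACK_HOSTS:
        findings.append(("HIGH", f"network.host={s['network.host']} exposes the HTTP API beyond loopback"))

    # 2. Authentication: in 7.x self-hosted builds security stays off unless enabled (assumed).
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(("HIGH", "xpack.security.enabled is not true: no authentication or RBAC"))

    # 3. TLS on the REST API, so credentials and indexed data are not sent in clear text.
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(("MEDIUM", "xpack.security.http.ssl.enabled is not true"))

    # 4. Default port: low severity on its own, but it is what mass scanners look for.
    if s.get("http.port", "9200") == "9200":
        findings.append(("LOW", "http.port is the default 9200"))

    return findings


# Constructed sample: a typical exposed self-hosted instance.
EXPOSED_CONFIG = """\
cluster.name: analytics
network.host: 0.0.0.0   # reachable on every interface
http.port: 9200
"""

# Constructed sample: the hardened form of the same instance.
HARDENED_CONFIG = """\
cluster.name: analytics
network.host: ["127.0.0.1", "_local_"]
http.port: 9250
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch_config(cfg) or "no findings")
```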

 

Exposed Internal APIs/ Portals

Organizations deploy various applications for internal use. These include HR management tools, attendance registration applications, file sharing portals, etc. When the entire workforce shifts to remote work, as is the case now, it becomes difficult to track the access and usage of these applications. To top it off, applications are increasingly allowed traffic from the internet, instead of only local office networks. As a result, applications and APIs which lack authentication or use default credentials are increasingly surfacing on the internet.

In the past couple of weeks, a number of HR Portals, payroll applications, lead management dashboards, internal REST APIs, and shared FTP servers have surfaced on the internet. Most of the applications are self-hosted, and their default passwords can be used to access them. XVigil has detected multiple instances of directories that contain transaction reports, employee information documents, etc. being served without any authentication. 

How to prevent data disclosure through APIs/ portals

  • Security teams must test these applications thoroughly. 
  • Continuously monitor all internet facing servers. 

 

Phishing attacks and credential disclosures

With a remote workforce communicating primarily via text-based channels such as emails, chats and SMS, it has been much easier for phishing campaigns to take advantage of the distributed workforce. Consequently, the number of spear phishing attacks has surged. Barracuda researchers have observed 3 main types of phishing attacks in the last couple of months:

  • Scamming
  • Brand impersonation
  • Business Email Compromise (BEC)

Individuals fall prey to phishing attacks, especially during the pandemic, due to:

  • Lack of direct communication
  • Absence of processes and strategies for situations such as this
  • Lack of awareness 

Since emails that use the word COVID have higher click-rates now, scammers are increasingly using them as lures to spread malicious attachments. Once the attachment is downloaded and the malware payload is dropped, threat actors can access keystrokes, files, webcam, or install other malware or ransomware. (Access CloudSEK’s threat intel on COVID-themed scams and attacks)

 

Phishing mail example (image; source: https://blog.f-secure.com/coronavirus-spam-update-watch-out-for-these-emails/)

How to prepare for phishing attacks

  • Be extremely cautious about any mail you receive.
  • Verify the source of the email, before clicking on any links or attachments. 
  • Even if a link looks legitimate, double-check before opening any files. For example, hovering over a link or attachment will show where it actually points.

 

Insecure WiFi/ No VPN

Today, remote employees connect through their personal devices and home networks, so the connectivity of those devices should be secured.

How to prevent attacks via WiFi

  • To avoid brute-force attacks, set a complex password for the router. If the router is an old model, it may use weak encryption for connections, which can be cracked in no time.
  • Employees working from shared spaces such as hostels, may be connected to shared wifi networks as well. So, to ensure that the data is not tampered within such insecure channels, set up a VPN. In case your organization does not provide a Business VPN, do not download free VPNs which might log your traffic data.

Top open source resources to stay vigilant against COVID-themed cyber attacks

 

As the coronavirus pandemic spreads rapidly across the globe, a panic-stricken populace already confined to their homes, faces the emerging threat of COVID-themed cyber attacks. The trend of recent cyber crimes indicates a spike in the number of COVID-related malicious domains, malware attacks, as well as phishing campaigns. As a result, organizations are left with the daunting prospect of securing their assets, and that of their clients, against adversaries profiting from the pandemic. Without an effective strategy, or the right intelligence, it will be impossible to ward off such attacks.

In this article, we have consolidated popular open source threat intel resources that can help you combat COVID-themed cyber attacks. These open source resources provide the latest intelligence and observations on cyber threats to alleviate the impact such attacks could have on the global community.

COVID-19 Cyber Threat Coalition

Cyber Threat Coalition (CTC) is the result of the combined efforts of around 3,000 security professionals who gather, analyse, and share intelligence pertaining to new COVID-themed threats. At present, the largest contribution of COVID-themed datasets is produced by CTC. Moreover, they prioritize and defend essential services and the front-line medical sector against threats. The telecommunication sector is also part of essential services, as more people shift to remote work.

How does CTC alert organizations?

  • Typically, they examine millions of data points contributed by organizations or individuals, and run the indicators through several security products. 
  • If at least 10 of these security products identify the data point as a threat, CTC volunteers manually verify the finding and add the malicious feed to its Blocklist. If only 5-9 security product vendors identify the data point as malicious, it is manually verified as a malicious feed before being added to the Blocklist.
  • This Blocklist helps organizations and individuals, across the globe, block malicious traffic arising from fraudulent activities.
  • Additionally, they have a Beta MISP feed that details the various threat indicators (accessible to those who have set up MISP).
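The vetting tiers above (10 or more vendors, 5-9 vendors, fewer than 5) and the downstream use of the resulting Blocklist are easy to model. The following is an added example, not CTC's own code or data: it buckets indicators by vendor consensus, parses a plain-text blocklist of the same shape as CTC's (one domain or IP per line), and matches it against DNS query logs. The detection counts, blocklist entries and log lines are all constructed, and the log format is assumed.

```python
"""Vendor-consensus triage modelled on the CTC thresholds, followed by
matching DNS query logs against the resulting blocklist.
Added example: the feed rows and log lines below are constructed."""
from collections import namedtuple
import ipaddress
import re

AUTO_THRESHOLD = 10    # >= 10 vendors: verified by volunteers and listed
REVIEW_THRESHOLD = 5   # 5-9 vendors: must be manually verified before listing

# Constructed: indicator -> number of security products that flagged it
DETECTIONS = {
    "covid19-relief-payment.example": 14,
    "vaccine-signup.example": 7,
    "pandemic-news.example": 2,
    "203.0.113.45": 11,
}

# Constructed, CTC-style plain-text blocklist: one domain or IP per line
BLOCKLIST = """# vetted indicators (constructed sample)
covid19-relief-payment.example
203.0.113.45
"""

# Constructed resolver log lines; the "client=/query=/answer=" layout is assumed
LOG_LINES = [
    "2020-04-20T10:01:02Z client=10.0.0.7 query=www.covid19-relief-payment.example answer=198.51.100.9",
    "2020-04-20T10:01:05Z client=10.0.0.8 query=updates.example answer=203.0.113.45",
    "2020-04-20T10:01:09Z client=10.0.0.9 query=intranet.example answer=10.0.0.1",
]

def triage(detections):
    """Bucket indicators by how many vendors flagged them."""
    tiers = {"listed": [], "manual_review": [], "dropped": []}
    for ioc, hits in detections.items():
        if hits >= AUTO_THRESHOLD:
            tiers["listed"].append(ioc)
        elif hits >= REVIEW_THRESHOLD:
            tiers["manual_review"].append(ioc)
        else:
            tiers["dropped"].append(ioc)
    return tiers

def parse_blocklist(text):
    """Split a one-indicator-per-line list ('#' comments) into domains and IPs."""
    domains, ips = set(), set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            domains.add(line.rstrip("."))
    return domains, ips

def domain_listed(qname, domains):
    """True if the queried name or any parent domain is on the list."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))

LOG_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)")
Hit = namedtuple("Hit", "client qname reasons")

def match_dns_log(log_lines, domains, ips):
    """Return one Hit per log line whose query or answer is blocklisted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = []
        if domain_listed(m["qname"], domains):
            reasons.append("domain")
        try:
            if ipaddress.ip_address(m["answer"]) in ips:
                reasons.append("ip")
        except ValueError:
            pass  # non-IP answers (CNAME, NXDOMAIN) are only checked by name
        if reasons:
            hits.append(Hit(m["client"], m["qname"], reasons))
    return hits

if __name__ == "__main__":
    print(triage(DETECTIONS))
    doms, addrs = parse_blocklist(BLOCKLIST)
    for hit in match_dns_log(LOG_LINES, doms, addrs):
        print(hit)
```

Matching parent domains matters because a listed apex such as covid19-relief-payment.example should also catch www and other hostnames under it; matching resolved answers against listed IPs catches a lure served from a listed address under a domain that has not been vetted yet.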

How can you contribute?

  • CTC maintains a Slack workspace, the invitation for which is available on their official website. This workspace is for researchers who may have information regarding COVID-themed cyber attacks. They also have a Slack channel for announcing updates and new developments: #ctc-official-announcements
  • Their AlienVault Open Threat Exchange (OTX) group also gathers data feeds from researchers. CTC considers AlienVault OTX its primary source of raw data feeds, and encourages anyone with high-quality threat intel to join the platform.

Here is the CTC Blocklist for vetted malicious domains and IP addresses:

AlienVault OTX group

COVID-19 CTI League

(https://cti-league.com/)

This is a collective of experts and incident responders from across 40 countries, which gathers COVID-related threat intelligence. Senior Microsoft and Amazon officials are also part of this team. CTI League is geared towards neutralizing cyber threats against the front-line medical sector and critical infrastructure.

How is the medical sector benefiting from the CTI League?

  • CTI League accepts IR (Incident Response) requests from organizations to detect security incidents and keep them in check. To achieve this, the CTI League connects with researchers and analysts from 22 different time zones. Volunteers help the community find the most appropriate individuals who can secure medical institutions and resources in their location.
  • They assist in taking down websites, web pages, or files from the internet, and escalate cyber attacks, malicious activities, or critical vulnerabilities to law enforcement agencies and national CERTs.
  • They provide reliable databases of high-priority indicators of compromise that help the medical sector investigate and block malicious activities.

Cyber Threat Alliance

(https://www.cyberthreatalliance.org/)

This is a not-for-profit membership organization that focuses on phishing lures and malware attacks. They help thwart attempts to harm the medical sector, in the time of this unprecedented crisis.

What are they offering?

PhishLabs

(https://www.phishlabs.com/covid-19-threat-intelligence)

Phishing is the most common cyber threat. And even as the world tries to make sense of the coronavirus epidemic, scammers are busy cashing in on the fear and anxiety. PhishLabs, a team of cybersecurity experts, combines their efforts to provide free Coronavirus-related threat intelligence resources, with a primary focus on phishing attacks.

What have they got to offer?

Their database is updated with the latest COVID-themed phishing emails, malicious URLs, and domains. They present and share the data as a zip file containing phishing lures (as image files) and phishing URLs (in .xlsx format).

PhishLabs image files

Checkphish: Coronavirus Scam Tracker 

(https://checkphish.ai/coronavirus-scams-tracker)

Checkphish maintains a global dashboard that tracks the latest Coronavirus-themed phishing scams. The results are classified into scams and suspicious sites. It also publishes the tracked websites as a scam feed in .tsv format.

Sample: https://checkphish.ai/data/covid_feed.tsv

Checkphish scam tracker feed

The dashboard also allows you to run free URL scans to identify malicious websites. For each queried domain, and for the domains already in the list, the dashboard also shows website screenshots, passive DNS (the hosts and domains hosted on a given IP), details of similar domains, and their WHOIS information.

Checkphish dashboard

MISP 

(https://covid-19.iglocska.eu)

Malware Information Sharing Platform (MISP) is an open source threat intelligence platform. This instance provides IDS signatures for COVID-19 cyber intrusions in various formats such as STIX, STIX2, text, and CSV, and also lets users automate the collection of information. Researchers and interested parties are only required to send a direct message to the team to gain access to https://covid-19.iglocska.eu/.

Events on MISP
Post that directs users to a frequently updated dataset
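Indicator exports like the CSV one mentioned above are typically turned into IDS signatures before they reach a sensor. The following is an added example, not MISP's or the iglocska.eu instance's own tooling: it reads a CSV export with a MISP-like layout (the column set type, value, to_ids is an assumption about the export, not its exact schema), keeps only rows marked for IDS use, and emits Suricata rules for domains, hostnames and destination IPs. Feed values are validated against a strict hostname grammar rather than escaped, so a malformed or hostile feed row cannot smuggle extra rule options into the generated signatures. The CSV rows are constructed.

```python
"""Convert a MISP-style CSV indicator export into Suricata rules.
Added example: the CSV rows are constructed, and the column layout
(type, value, to_ids) is an assumption about the export format."""
import csv
import io
import ipaddress
import re

# Conservative hostname grammar. Anything that does not match is rejected
# instead of being pasted into a rule, so feed data cannot inject options.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

# Constructed sample export; the last row is deliberately malformed
SAMPLE_CSV = """type,value,to_ids,comment
domain,covid19-relief-payment.example,1,phishing lure
hostname,login.vaccine-signup.example,1,credential harvest
ip-dst,203.0.113.45,1,C2
domain,pandemic-news.example,0,not for IDS
domain,"evil.example"";content:|00|",1,malformed value
"""

def rules_from_csv(text, sid_base=9000000, msg_prefix="COVID IOC"):
    """Return (rules, skipped). Only rows with to_ids == 1 become rules;
    duplicates are collapsed and SIDs are allocated sequentially."""
    rules, skipped, seen = [], [], set()
    sid = sid_base
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("to_ids", "").strip() != "1":
            continue
        ioc_type = row["type"].strip()
        value = row["value"].strip().lower()
        if value in seen:
            continue
        if ioc_type in ("domain", "hostname"):
            if not HOSTNAME_RE.match(value):
                skipped.append(value)
                continue
            sid += 1
            rules.append(
                f'alert dns any any -> any any (msg:"{msg_prefix} {ioc_type} {value}"; '
                f'dns.query; content:"{value}"; nocase; '
                f"classtype:bad-unknown; sid:{sid}; rev:1;)"
            )
        elif ioc_type == "ip-dst":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                skipped.append(value)
                continue
            sid += 1
            rules.append(
                f'alert ip any any -> {ip} any (msg:"{msg_prefix} ip-dst {ip}"; '
                f"classtype:bad-unknown; sid:{sid}; rev:1;)"
            )
        else:
            skipped.append(value)  # attribute types this converter does not handle
            continue
        seen.add(value)
    return rules, skipped

if __name__ == "__main__":
    generated, rejected = rules_from_csv(SAMPLE_CSV)
    print("\n".join(generated))
    print("skipped:", rejected)
```

The dns.query sticky buffer with a nocase content match flags any DNS lookup for the listed name; the IP rule alerts on any traffic to the listed destination. Both use a dedicated SID range so they do not collide with vendor rulesets, and the to_ids flag is honoured so indicators kept for context only (such as the pandemic-news row) never become noisy alerts.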

RiskIQ

RiskIQ PassiveTotal offers access to RiskIQ datasets such as passive DNS, extensive DNS data, WHOIS registration details, and SSL certificate details. And, in response to the rising number of COVID-themed cyber attacks, they also share lists of Coronavirus-related domain names that contain ‘covid’, ‘coronav’, ‘vaccine’, ‘pandemic’, or ‘virus.’ These may or may not be malicious. To facilitate investigation of these domains, interested analysts are allowed 30 days of access to PassiveTotal, RiskIQ’s threat research platform.

Links to the lists of COVID-themed domain names:

https://covid-public-domains.s3-us-west-1.amazonaws.com/list.txt (consolidated list)

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-YYYYMMDD

https://covid-public-domains.s3-us-west-1.amazonaws.com/covid-20200420

Covid-19 Medical Supply Scams from the RiskIQ dashboard.

RiskIQ Dashboard: https://community.riskiq.com/

GitHub CTI League Repo

(https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE)

A GitHub repository named COVID-19-CTI-League also shares vetted, approved IOCs of COVID-themed cyber attacks. Even though the name of the repository resembles the CTI League community discussed earlier, the two aren’t related.

CTI League Slack discussion

Independent Researchers And Feeds

Although we have listed the big names in cyber security, it is important to know that there are individual researchers and cyber security bloggers committed to resolving and neutralizing the attacks surfacing during the epidemic. They share their analysis and findings on social media platforms such as Twitter. Here are some of them:

@dustyfresh

Twitter user DustyFresh has set up a feed, updated every 30 seconds, which scans certificate transparency logs for newly discovered COVID-related hostnames. He uses keywords such as coronavirus, covid19, covid-19, covid, and pandemic.

Although most of the domains in this list are considered malicious, it is up to researchers to figure this out.
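Both the @dustyfresh certificate-transparency feed and the RiskIQ domain lists are keyword screens, and the text is explicit that a keyword hit does not mean a domain is malicious. The following is an added example that is not either researcher's code: it normalises hostnames the way a CT-log watcher has to (lowercasing, dropping wildcard labels, decoding punycode, stripping accents) and screens them against the union of the keyword sets named in the RiskIQ and @dustyfresh sections, producing a review queue rather than a blocklist. The hostnames and the allowlist of known-good domains are constructed.

```python
"""Screen certificate-transparency hostnames for pandemic keywords.
Added example: the hostnames and ALLOWLIST below are constructed, and
the keyword set is the union of those named on the page."""
import unicodedata

# Union of the RiskIQ terms and the @dustyfresh terms mentioned on the page
KEYWORDS = ("coronavirus", "covid19", "covid-19", "covid", "coronav",
            "vaccine", "pandemic", "virus")

# Constructed: what a CT-log watcher might emit, wildcard and punycode included
CT_HOSTNAMES = [
    "*.covid19-relief-payment.example",
    "Vaccine-Signup.example",
    "antivirus-updates.example",
    "cövid-help.example".encode("idna").decode("ascii"),  # punycode (xn--) form
    "status.example",
    "www.covid19-relief-payment.example",
]

# Constructed stand-in for an organisation's own known-good domains;
# without it 'virus' would flag the antivirus update host
ALLOWLIST = {"antivirus-updates.example"}

def normalise(hostname):
    """Lowercase, drop a leading wildcard label, decode punycode and strip
    accents so that keyword matching sees plain ASCII."""
    h = hostname.strip().lower().rstrip(".")
    if h.startswith("*."):
        h = h[2:]
    try:
        h = h.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # undecodable or already-Unicode names are screened as they are
    decomposed = unicodedata.normalize("NFKD", h)
    return "".join(c for c in decomposed if unicodedata.category(c) != "Mn")

def in_allowlist(host):
    """True if the host or any parent domain is explicitly trusted."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in ALLOWLIST for i in range(len(labels)))

def screen(hostnames, keywords=KEYWORDS):
    """Return {normalised hostname: [matched keywords]} for analyst review.
    Longer keywords are tried first and a keyword that is merely a substring
    of an earlier hit (e.g. 'covid' inside 'covid19') is not repeated."""
    ordered = sorted(keywords, key=len, reverse=True)
    queue = {}
    for raw in hostnames:
        host = normalise(raw)
        if host in queue or in_allowlist(host):
            continue
        hits = []
        for k in ordered:
            if k in host and not any(k in h for h in hits):
                hits.append(k)
        if hits:
            queue[host] = hits
    return queue

if __name__ == "__main__":
    for host, hits in screen(CT_HOSTNAMES).items():
        print(f"{host}: {', '.join(hits)}")
```

The accent-stripping step is what lets an IDN registration of cövid-help.example land in the same queue as its ASCII lookalike; the allowlist step is the reminder that a feed built on substrings such as ‘virus’ will keep surfacing legitimate infrastructure unless known-good domains are suppressed before a human sees the list.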

@sshell_

Another researcher who goes by the Twitter handle @sshell_ created a real-time dashboard of malicious websites. This dashboard leverages RiskIQ’s feed (mentioned earlier) and lists COVID-themed malicious domains in real-time.

@sshell feed

@LukasStefanko 

Independent researcher and ESET mobile malware analyst Lukas Stefanko tracks COVID-related malware attacks that target Android users on a daily basis.

Threatfeeds.io

(https://threatfeeds.io/)

This is another open source threat intelligence platform that gathers Indicators of Compromise from various sources. It allows users to download data for free.

MalwareBazaar

(https://abuse.ch/blog/introducing-malwarebazaar/)

Abuse.ch provides free malware samples that are easily downloadable. MalwareBazaar hopes to help researchers understand malware samples and use the intelligence for further analysis. 

Advisories

The official Twitter accounts of government agencies also provide regular updates on the latest scams and scamming tactics:

@CyberDost

The Indian Ministry of Home Affairs offers tips and advises the public on safe internet practices through its Twitter handle @CyberDost and its official website, the National Cyber Crime Reporting Portal. These platforms can also be used to report any malicious cyber activity that you come across.

@Europol

This is the Twitter handle of the European Union’s Agency for Law Enforcement Cooperation. Europol shares recent trends in cyber attacks and scams themed after the Coronavirus pandemic.