Anatomy of a Ransomware Attack

Ransomware is malware that commonly uses encryption to hold a victim’s data for ransom.  An organization’s data is encrypted so that it can no longer be accessed.  A ransom is then demanded to decrypt the data and make it available again.  Ransomware is usually designed to spread across a network and target database and file servers.

An attacker gains access to the environment through a targeted attack, via email spam or phishing, or through an existing vulnerability they discover.  Once access is established, the malware encrypts data using a key pair generated by the attacker.  Once specific goals are met, the ransomware prompts the user for a ransom to be paid to decrypt the files.  If the ransom is paid, the attacker promises to deliver the private key to the organization so they can decrypt their data.  Unfortunately, even if the ransom is paid, some organizations never hear from their attacker again and are never provided the key.

How Does it Happen?

Ransomware often starts through a phishing email that contains an infected or malicious attachment.  Other attacks can start by someone downloading a file that was infected or unknowingly allowing an application to be installed by a website.  Another possible entry point is through a vulnerability in a particular application or OS.  In many cases these vulnerabilities have already been identified and patches have been provided by the software vendor.  WannaCry was an example of a ransomware attack that took advantage of a vulnerability in the Windows OS.  The vulnerability had been identified and a patch provided before the attack, but infected computers had not applied the patch or were running a version of the Windows OS that was out of support.

How to Protect Yourself?

Patching

The best and easiest defense is to make sure that all laptops, servers and network devices are kept up to date with the latest patches and firmware.  In many cases, vulnerabilities are identified by the vendor or by white-hat hackers who report them to the vendor so the problem can be corrected.  This usually happens before the vulnerability can be exploited.

Patching has become straightforward with several ways to automate including:

  • OS Settings – Automatic download and installation of patches can be configured within the OS though sometimes reboots are not automatic and require attention.
  • Azure Update Management – Used to manage operating system updates for Windows and Linux VMs in Azure or Physical or virtual machines in on-premises environments.
  • AWS Systems Manager Patch Manager – Similar to Azure Update Management, AWS Patch Manager allows for cloud and on-prem patch application and updates.
  • WSUS/SCCM – Microsoft offerings provided to automate and report on patching of Windows machines.
  • Third party patching tools – Some 3rd party patch automation tools exist that improve on or simplify the features within SCCM.

Network Segmentation

Many malware packages, including ransomware, spread to new machines from infected machines on the same network.  If an organization’s network is completely open, then one infected machine can be used to infect everything.  Segmentation improves security by dividing a network into segments to control how traffic flows across the network.  This segmentation limits traffic to where it needs to go and can limit the damage and spread of malware.  A related best practice is to isolate access from third parties via dedicated access portals.

Security

Make sure to keep current on recommendations for updates to protocols and best practices.  Organizations should also consider encrypting their data.  This will ensure that even if there is a data breach, the attacker is not able to use the data as part of a ransom threat.  That said, ransomware can re-encrypt already-encrypted data, so this is not a protection against a ransomware encryption attack.

Another area to review is the organization’s authentication practices.  If an attack is started using a password obtained through a third-party breach, then it is very easy for an attacker to place malware anywhere that the breached account has access.  With two-factor (or multi-factor) authentication this becomes much less likely, as the attacker would also need to be in possession of the account owner’s phone or have access to their secondary email account.

Training

Educate the user community on what phishing looks like and on proper etiquette for content from unknown sources.  The best defense is to make sure that staff are not clicking on unsafe attachments, browsing to unknown websites, or downloading unsafe content.

Backups

Every organization should have a backup process in place, though most have focused on recovering from equipment failure.  Many backup processes simply make sure that the data is backed up onto a device other than the one being protected.  With ransomware this is not enough, as many impacted organizations discover that their backups are also encrypted and useless for a recovery effort.  For proper protection, organizations must keep multiple copies of data, use different storage media, and keep at least one copy offline or otherwise inaccessible from the source network.  Cloud backup solutions can also achieve this using multi-factor authentication and network segmentation, in addition to minimum retention range checks which ensure at least one recovery point in case of attack.


You can read more about Ransomware Attack here.

Teknita has the Cyber Security experts to support all your technology initiatives.
We are always happy to hear from you.

Click here to connect with our experts!

Five must-know security and compliance features in Cloud Logging

Logs are critical when you are attempting to detect a breach, investigating ongoing security issues, or performing forensic investigations. These five must-know Cloud Logging security and compliance features can help customers create logs to best conduct security audits.

1. Cloud Logging is a part of Assured Workloads.

Google Cloud’s Assured Workloads helps customers meet compliance requirements with a software-defined community cloud. Cloud Logging and external log data is in scope for many regulations, which is why Cloud Logging is now part of Assured Workloads.

2. Cloud Logging is now FedRAMP High certified.

FedRAMP is a U.S. government program that promotes the adoption of secure cloud services by providing a standardized approach to security and risk assessment for federal agencies adopting cloud technologies. The Cloud Logging team has received certification for implementing the controls required for compliance with FedRAMP at the High Baseline level. This certification will allow customers to store sensitive data in cloud logs and use Cloud Logging to meet their own compliance control requirements.

Below are the controls that Cloud Logging has implemented as required by NIST for this certification:

  • Event Logging (AU-2)
  • Making Audits Easy (AU-3)
  • Extended Log Retention (AU-4)
  • Alerts for Log Failures (AU-5)
  • Create Evidence (AU-16)

3. “Manage your own Keys,” also known as customer managed encryption keys (CMEK), can encrypt Cloud Logging log buckets.

For customers with specific encryption requirements, Cloud Logging now supports CMEK via Cloud KMS. CMEK can be applied to individual logging buckets and can be used with the log router. Cloud Logging can be configured to centralize all logs for the organization into a single bucket and router if desired, which makes applying CMEK to the organization’s log storage simple.

4. Setting a high bar for cloud provider transparency with Access Transparency.

Access Transparency logs can help to audit actions taken by Google personnel on content, and can be integrated with existing security information and event management (SIEM) tools to help automate your audits on the rare occasions that Google personnel may access your content.  While Cloud Audit logs tell you who in your organization accessed data in Google Cloud, Access Transparency logs tell you whether any Google personnel accessed your data.

5. Track who is accessing your Log data with Access Approval Logs.

Access Approvals can help you to restrict access to your content by Google personnel according to predefined characteristics.  While this is not a logging-specific feature, it is one that many customers ask about.  If a Google support person or engineer needs to access your content for support or debugging purposes (in the event a service request is created), you would use the access approval tool to approve or reject the request.



Why Spam Filters are Necessary For Business Communication?

A spam filter is an email service feature that filters and quarantines spam emails from a user’s inbox. It ensures a clean and spam-free mailbox for the user that saves productive energy and provides a high level of work efficiency. A spam filter has become a necessity in recent times as cyber adversaries rigorously work to find and exploit vulnerabilities. Sending spam and phishing emails is one of the most preferred and lucrative ways which they can use to lure users into falling into their trap.

A spam filter service detects unsolicited and unwanted emails and removes them from a user’s mailbox.  Different spam filters have various mechanisms for segregating spam from legitimate emails; however, they all strive to attain a common goal – making sure that only genuine and informative emails reach the end-user.

Spam Filtering Techniques And Usage:

  • Blacklist filter: This is a relatively easy way of identifying spam email.  In this system, the filter has been pre-instructed to reject emails sent from specific senders or addresses, known as a blacklist.  Any mail from a blacklisted person or email address is automatically marked as spam.
  • Content filter: A spam filter might work by following a content filtering system, whereby it reviews the content of every email sent to the user.  By doing so, it tries to determine whether or not it is a spam email.
  • Rules-based filter: This is very similar to the blacklist filter but contains an added feature.  In this filter, a user can not only blacklist senders but can also blacklist words.  If an email contains any of the blacklisted terms or happens to be sent by a blacklisted sender, it is automatically marked as spam.
  • Header filter: Another way a spam filter works is by reviewing the header of every email sent to the user, searching for falsified information or other signs that could confirm whether the email is spam.
  • Permission filter: This spam filter makes it mandatory for any email sender to be pre-approved by the recipient.  This way, only known persons can reach out to you.  Although the permission filter is a great way to ensure security from spam, it kills the prospect of authentic and genuine business or academic emails reaching you by becoming a barrier to communication.
  • Challenge-response filter: This filter is similar to the permission filter and requires a sender to enter a code to gain permission to send an email to the recipient.

The primary task of a spam filter is the segregation of spam emails from genuine ones.  It is done by enabling a user to distinguish between approved and unapproved email addresses.  Approved or whitelisted addresses are the ones that have been marked as safe by the user.  On the other hand, the unapproved or blacklisted addresses are the ones that have been marked as dangerous, unimportant, or spam.  Any email from an approved address goes straight to the user’s mailbox.  In contrast, all emails from blacklisted sources are automatically blocked or deleted based on the instructions that the user feeds into the system.
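The following is an added example, not code from the original post: a small filter that combines four of the techniques listed above (a permission whitelist, a sender blacklist, a rules-based phrase list, and a header check) and scores each message. The approved and blacklisted lists, the phrase list, the scoring weights and the sample messages are all assumptions constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed policy lists; a real filter would load these from its configuration.
APPROVED_SENDERS = {"alice@partner.example"}        # permission filter (whitelist)
BLACKLISTED_SENDERS = {"promo@bad-deals.example"}   # blacklist filter
BLACKLISTED_PHRASES = {"free money", "act now", "wire transfer"}  # rules-based filter
SPAM_THRESHOLD = 3  # header anomalies alone (1 point each) never reach this on their own

def domain_of(addr: str) -> str:
    """Lowercase domain of an address header value such as 'Bob <bob@x.example>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def classify(raw: str):
    """Return (verdict, score, reasons) for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Permission filter: pre-approved senders go straight to the inbox.
    if sender in APPROVED_SENDERS:
        return "ham", 0, ["sender pre-approved"]
    score, reasons = 0, []
    # Blacklist filter: a known bad sender is enough on its own.
    if sender in BLACKLISTED_SENDERS:
        score += 10
        reasons.append(f"blacklisted sender {sender}")
    # Rules-based filter: blacklisted phrases anywhere in the subject or body.
    text = (msg.get("Subject", "") + "\n" + msg.get_content()).lower()
    hits = sorted(p for p in BLACKLISTED_PHRASES if p in text)
    if hits:
        score += 2 * len(hits)
        reasons.append("blacklisted phrases: " + ", ".join(hits))
    # Header filter: weak signals that only count when combined with other evidence.
    return_path = msg.get("Return-Path", "")
    if return_path and domain_of(return_path) != domain_of(sender):
        score += 1
        reasons.append("Return-Path domain differs from From domain")
    if not msg.get("Message-ID"):
        score += 1
        reasons.append("missing Message-ID header")
    return ("spam" if score >= SPAM_THRESHOLD else "ham"), score, reasons

# Constructed sample messages (not real mail).
SPAM = ("From: Deals <promo@bad-deals.example>\nReturn-Path: <bounce@other-host.example>\n"
        "Subject: Act now for free money\nMessage-ID: <1@bad-deals.example>\n\nClaim your prize.\n")
SUSPECT = ("From: Bob <bob@vendor.example>\nReturn-Path: <bob@relay-host.example>\n"
           "Subject: Invoice for March\n\nPlease find the invoice attached.\n")
HAM = ("From: Carol <carol@supplier.example>\nReturn-Path: <carol@supplier.example>\n"
       "Subject: Meeting notes\nMessage-ID: <2@supplier.example>\n\nNotes from today attached.\n")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("suspect", SUSPECT), ("ham", HAM)):
        print(label, classify(raw))
```

The SUSPECT message shows why header checks are scored rather than treated as a verdict: a forwarding relay legitimately changes the Return-Path, so on its own that mismatch stays below the threshold.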



What are cookies?

Cookies refer to one or more small pieces of data that identify your computer to a website with a unique code. The cookies are sent by a web server to your device while you’re on that server’s website. Your computer stores that cookie and, when you visit that website again, the server can recognize that the device is the same one as was used previously.

Cookies are generally broken into two groups:

  • Session cookies, which expire immediately after you’re done being online
  • Persistent cookies, which stick with you during many different web sessions

Cookies can be extremely useful.  For example, authentication cookies allow a user who logs into a website to click through and view multiple pages on the site without having to re-authenticate each time he or she accesses another page requiring authentication.  Cookies can also allow a site to remember a user’s username without authenticating the user, or other personalization preferences.

Cookies are heavily utilized by marketing firms, which can target your interests and buying habits.  Cookies are the reason why you might be eyeing a new pair of sandals on one website and then see ads for that same pair of sandals when you’re on other websites.  That proves cookies aren’t always great.  Privacy issues are one thing to consider.  Many sites now use third-party cookies.  Many sites, for example, may present banner ads from the same ad provider, and the code from that provider can send and receive cookies on all of those sites, enabling it to track your activity across multiple sites.  According to cybersecurity specialists, it is best to know who is following your activities, and you should review and clean out cookies that may be unwanted.
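The following is an added example, not code from the original post: it parses Set-Cookie headers the way a browser does, separates session cookies from persistent ones by the presence of Max-Age or Expires, and lists the attributes a defender expects on an authentication cookie (Secure, HttpOnly, a restrictive SameSite). The sample headers, the fixed clock and the 30-day lifetime limit are assumptions constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lowercase attributes."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def lifetime_seconds(attrs: dict, now: datetime) -> Optional[int]:
    """Remaining lifetime in seconds; None means a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return int(attrs["max-age"])
    if "expires" in attrs:
        return int((parsedate_to_datetime(attrs["expires"]) - now).total_seconds())
    return None

def audit(header: str, now: Optional[datetime] = None) -> dict:
    """Classify a cookie and list attributes a safe authentication cookie needs."""
    now = now or datetime.now(timezone.utc)
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    ttl = lifetime_seconds(attrs, now)
    kind = "session" if ttl is None else "persistent"
    findings = []
    if attrs.get("secure") is not True:
        findings.append("no Secure: can be sent over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append("no HttpOnly: readable by page scripts")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent with cross-site requests")
    if kind == "persistent" and ttl > 30 * 86400:
        findings.append("persistent for more than 30 days")
    return {"name": cookie["name"], "kind": kind, "ttl": ttl, "findings": findings}

# Constructed sample headers and a fixed clock so results are reproducible.
FIXED_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
AUTH_OK = "sid=3f9c; Path=/; Secure; HttpOnly; SameSite=Strict"
AUTH_WEAK = "sid=3f9c; Path=/"
REMEMBER_ME = "user=alice; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/; Secure; HttpOnly; SameSite=Lax"
TRACKER = "adid=7721; Max-Age=31536000; Path=/; Secure; SameSite=None"

if __name__ == "__main__":
    for h in (AUTH_OK, AUTH_WEAK, REMEMBER_ME, TRACKER):
        print(audit(h, FIXED_NOW))
```

The TRACKER header is what a third-party advertising cookie typically looks like: a year-long lifetime with SameSite=None so it is sent on every site that embeds the provider, which is exactly the cross-site tracking the paragraph above describes.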



Operational Technology Security

Operational technology (OT) is the use of hardware and software to monitor and control physical processes, devices, and infrastructure.  Operational technology systems are found across a large range of asset-intensive sectors, performing a wide variety of tasks ranging from monitoring critical infrastructure (CI) to controlling robots on a manufacturing floor.  OT is used in a variety of industries including manufacturing, oil and gas, electrical generation and distribution, aviation, maritime, rail, and utilities.

Operational technology security is defined as, “Practices and technologies used to (a) protect people, assets, and information, (b) monitor and/or control physical devices, processes and events, and (c) initiate state changes to enterprise OT systems.” OT security solutions include a wide range of security technologies from next-generation firewalls (NGFWs) to security information and event management (SIEM) systems to identity access and management, and much more.

Often, IT and OT networks are kept separate, duplicating security efforts and eschewing transparency. Typically, OT networks report to the COO and IT networks report to the CIO, resulting in two network security teams each protecting half of the total network.



10 Types of Cyber Security Threats

1. SQL Injection:
Injecting malicious SQL code into the entry field for hacking database-driven websites or websites that use dynamic SQL.

2. Malware attacks:
Hackers install malicious software on the victim’s system without consent in this cyberattack.

3. Phishing and Spear Phishing:
Hackers send malicious emails that appear to be from genuine sources to gain personal information or influence victims to do something via these emails.

4. Man-in-the-middle attack:
The perpetrator intercepts the communication between client and server to either eavesdrop or impersonate one of the parties.

5. Denial of Service attack:
The perpetrator shuts down the victim’s system or network to make it inaccessible to its intended users.

6. Distributed Denial of Service:
Hackers flood the organization’s servers or networks with fake or bot users to crash the system’s normal functioning and interrupt the communication channel.

7. Password attack:
It is one of the most common types of cyberattacks where attackers use a mechanism to steal passwords by either looking around the person’s desk or using the sniffing technique.

8. Botnet:
It is a collection of malware-infected internet-connected devices that remains under the control of a single attacking party known as bot herders. It allows attackers to steal credentials saved on devices and gives them unauthorized access, leading to data theft and DDoS attacks.

9. IP Spoofing:
Attacker modifies the IP address in the packet header. The receiving computer system thinks it is from a legitimate or trusted source.

10. Session hijacking:
Attacker hijacks the user session. It usually starts when a user logs in to the application and ends when they log out.

