
Vulnerability management as an integral part of cybersecurity

The Center for Internet Security (CIS) develops standards, tools, and benchmarks for information security. Continuous vulnerability management is one of the CIS Controls and an integral part of cybersecurity and network security. Organizations are expected to regularly collect and evaluate information about vulnerabilities and to act promptly to remove or reduce the openings they give to criminals. The rapid growth of cybercrime forces organizations to pay more attention to information security, and vulnerability management should be part of the overall information risk management strategy.

A vulnerability is a flaw in an organization's information system that a cybercriminal can use to gain access and perform unauthorized actions: executing code, reading system memory, installing malware, or stealing, destroying or altering corporate data.

Computer worms are among the most dangerous threats to system security. A worm is malicious software that self-replicates, infects other computers over the network without any user interaction, and remains active on the systems it infects. Vulnerabilities in network protocols and operating systems, as well as backdoors, are often exploited to spread such software.

Vulnerability management is the process of identifying, assessing, prioritizing, remediating (eliminating the flaw, or reducing the impact and reach of an attack where elimination is not yet possible), and reporting on security vulnerabilities in web applications, mobile devices, and software. As a result, organizations have up-to-date data on the state of the IT environment, the vulnerabilities present in it and the risks associated with them. Vulnerabilities cannot be ignored: the risk of a cyberattack is reduced by finding each vulnerability and either fixing it or putting a compensating control in place until it can be fixed.

Vulnerability management is a cyclical process of identifying, classifying, fixing, and mitigating security vulnerabilities. Vulnerability discovery, assessment and reporting are the core elements of the program.

Vulnerability detection is performed with a scanner, software that examines computers, networks, and applications for known vulnerabilities. A scan finds vulnerabilities that result from misconfiguration and from flaws in software, and it can be run with or without authentication.

Authenticated scanning logs in to the target with supplied credentials and therefore sees low-level data: running services, configuration details, exact operating system and software versions, configuration issues, access controls, security controls, and patch status. Unauthenticated scanning has no such access and sees only what is exposed on the network, which can lead to inaccurate information about operating systems and installed software.

Because scanners make mistakes and miss vulnerabilities, penetration testing (automated testing with tools, or manual testing of information systems to find vulnerabilities) should also be used. The testing process involves gathering information, identifying possible attack vectors, attempting to exploit them, and reporting the conclusions. Testing can also be used to check local security controls, compliance with security policies, employee susceptibility to social engineering attacks, and incident response procedures.

The vulnerability assessment process includes 5 steps:

  1. Vulnerability detection (analysis of network scans, penetration test results, firewall logs, etc.);
  2. Vulnerability verification (confirming that the vulnerability can actually be exploited and determining its severity, in order to establish the security risk level);
  3. Vulnerability prioritization (ranking vulnerabilities and deciding the order in which they will be eliminated);
  4. Remediation planning (defining the plan and the measures for eliminating each vulnerability, and how their effectiveness will be checked);
  5. Vulnerability elimination (removing or correcting vulnerabilities so that cybercriminals cannot exploit them).
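Steps 2 and 3 above are where a raw scanner report turns into a remediation order. The example below is added here and is not code from the original page: it scores constructed findings by CVSS plus context (known exploit, Internet exposure, asset criticality), drops findings that failed verification, and assigns an SLA per priority band. The weights, bands, SLA days and sample findings are assumptions chosen for illustration.

```python
"""Prioritizing scanner findings by risk rather than raw CVSS score.

Added example, not code from the original page. The weights, the SLA
table and the sample findings are assumptions chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float             # base score from the scanner (0.0 - 10.0)
    exploit_known: bool     # public exploit code or reported in-the-wild exploitation
    internet_exposed: bool  # reachable from the Internet
    asset_criticality: int  # 1 (low) to 3 (high), taken from the asset inventory
    verified: bool = True   # False for scanner false positives (verification step)


# Assumed remediation deadlines per priority band, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(f: Finding) -> float:
    """CVSS plus context bonuses; the weights are illustrative assumptions."""
    score = f.cvss
    if f.exploit_known:
        score += 2.0          # exploitation is realistic, not theoretical
    if f.internet_exposed:
        score += 1.5          # no internal foothold required
    score += (f.asset_criticality - 1) * 1.0
    return round(score, 1)


def priority_band(score: float) -> str:
    if score >= 11.0:
        return "critical"
    if score >= 8.0:
        return "high"
    if score >= 5.0:
        return "medium"
    return "low"


def remediation_queue(findings: list[Finding]) -> list[dict]:
    """Verified findings, highest risk first, each with its band and SLA."""
    queue = []
    for f in findings:
        if not f.verified:
            continue          # removed at the verification step, not merely deprioritized
        score = risk_score(f)
        band = priority_band(score)
        queue.append({"id": f.finding_id, "asset": f.asset, "score": score,
                      "band": band, "sla_days": SLA_DAYS[band]})
    return sorted(queue, key=lambda q: q["score"], reverse=True)


# Constructed sample: ordering by CVSS alone would put A first; in context B is the emergency.
SAMPLE_FINDINGS = [
    Finding("A", "dev-build-03", cvss=9.8, exploit_known=False, internet_exposed=False, asset_criticality=1),
    Finding("B", "api-gw-prod", cvss=7.5, exploit_known=True, internet_exposed=True, asset_criticality=3),
    Finding("C", "web-marketing", cvss=5.3, exploit_known=False, internet_exposed=True, asset_criticality=2),
    Finding("D", "web-marketing", cvss=9.1, exploit_known=True, internet_exposed=True, asset_criticality=2,
            verified=False),
]

if __name__ == "__main__":
    for item in remediation_queue(SAMPLE_FINDINGS):
        print(item)
```

Finding B (CVSS 7.5, exploited, Internet-facing, on a critical asset) lands in the 7-day band ahead of the CVSS 9.8 on an isolated build machine, which is the point of prioritizing by exposure and exploitability rather than by the scanner's number alone.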

The vulnerability remediation phase involves several options:

What is information security vulnerability and how to fix it?

The number of known information security vulnerabilities has grown significantly in recent years, which creates enormous opportunities for attackers. Any vulnerability can become the way in for a successful cyberattack. However, many companies do not pay enough attention to vulnerabilities and have no clear strategy for eliminating them effectively. Companies often spend their resources in the wrong places, which not only fails to solve the problem but also slows down all of their systems.

A vulnerability is a weak point in a company's information ecosystem that can be used to attack its IT infrastructure, software applications, and digital assets. Vulnerabilities are the cybercriminal's tool for gaining unauthorized access to a system, compromising it and stealing data. Successful exploitation lets a cybercriminal install malware, run malicious code, and as a result take over user accounts and steal data. Common classes of vulnerability and the attacks built on them include SQL injection, cross-site scripting (XSS), web shells (malicious scripts planted on a server that give the attacker remote control over the compromised host) and exploits for known vulnerabilities in open-source components.
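To make the SQL injection class concrete, here is an added example (not code from the original page) showing a login check that concatenates user input into SQL beside the parameterized version that fixes it. The in-memory SQLite database and the user record are constructed for the example; the plain SHA-256 password hash is a placeholder so the code stays self-contained, since real systems use a slow, salted password hash such as bcrypt, scrypt or Argon2.

```python
"""A login check vulnerable to SQL injection, beside its parameterized fix.

Added example with a constructed in-memory SQLite database; not code from
the original page. The SHA-256 password hash is a placeholder for a real
password hash (bcrypt, scrypt, Argon2).
"""
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: the username is pasted into the SQL text, so a value such as
    # "alice' --" closes the string literal and comments out the password check.
    query = ("SELECT 1 FROM users WHERE username = '" + username
             + "' AND password_hash = '" + _hash(password) + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: the value is bound as a parameter, so the driver never treats it as SQL.
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"   # the trailing comment swallows the password condition
    print("vulnerable, injected:", login_vulnerable(db, payload, "anything"))  # True
    print("safe, injected:      ", login_safe(db, payload, "anything"))        # False
```

The fix is not escaping or input filtering but separating code from data: with a bound parameter the database receives the username as a value, and no quoting trick can turn it into syntax.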

There are several categories of vulnerabilities:

Vulnerability remediation is the process of finding, eliminating and neutralizing security vulnerabilities in a company's IT environment (computers, digital assets, networks, web applications, mobile devices, etc.). The process consists of several stages.

Remediation is a key step in the vulnerability management process and is critical to protecting networks, preventing data loss, and ensuring business continuity. At this stage active vulnerabilities or security threats are neutralized and/or eliminated. Remediation reduces the chances of data loss, data leaks, DDoS attacks, malware, and phishing. It is a collaboration between development, risk management, and security teams to find a cost-effective way to fix each vulnerability.

Vulnerabilities are addressed using modern data processing techniques, threat intelligence and automated prediction algorithms (for example, estimates of how likely a given vulnerability is to be exploited). Such techniques help identify vulnerabilities and prioritize each one.

The fix process includes:

You can improve the process of eliminating vulnerabilities by using:

Cloud data leak

Almost every action in the modern world leaves an electronic footprint. Technological development offers more opportunities and conveniences in the daily activities of businesses and individuals. The cloud is increasingly used to store sensitive data (banking information, card and bank account numbers, medical records, personally identifiable information (PII), phone numbers, addresses, etc.). This is convenient, but it also increases the risk of information disclosure. Cybercriminals obtain sensitive data in many ways, for example through an attack (a targeted attempt to cause damage through technical or social means), a hack (a type of attack that uses technical vulnerabilities to gain unauthorized access), or a leak (caused by an act or omission of the party that owns the data).

Cloud leaks are a distinct type of leak, and they are often the root cause of other, larger and more dangerous cases of data disclosure. The cloud is a part of the Internet that offers a private space for business operations; a cloud leak occurs when that cloud storage is not properly separated from the public Internet.

A cloud data leak is a situation in which sensitive data stored in a private cloud is accidentally exposed to the Internet. The mistake is usually trivial (a storage bucket or share left readable by anyone), and the scale of the consequences is out of all proportion to it. There are many benefits to using the cloud or partnering with vendors that use it, but the potential problems and risks must be considered. Cloud leaks are an operational issue that needs to be addressed within the IT processes that manage data in the cloud.
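The "storage not separated from the Internet" condition is usually visible in the bucket's access policy. The following added example (not code from the original page) checks policy documents in the AWS S3 bucket-policy format for Allow statements that grant read access to an anonymous principal, while ignoring statements that narrow "everyone" to a VPC endpoint or source IP range. The three policy documents are constructed; the bucket name, role ARN and VPC endpoint ID are placeholders.

```python
"""Detecting a world-readable storage bucket from its access policy.

Added example, not code from the original page. The policy documents
below are constructed in the AWS S3 bucket-policy format; the checker is
deliberately narrow (read access granted to an anonymous principal) and
is meant to run over policies pulled from your own inventory.
"""
from __future__ import annotations
import fnmatch
import json

READ_ACTIONS = ("s3:getobject", "s3:listbucket", "s3:getobjectversion")
# Condition keys that restrict "everyone" to a network or organization, so the
# statement is not world-readable even though the principal is "*".
NARROWING_KEYS = ("aws:sourcevpce", "aws:sourcevpc", "aws:sourceip", "aws:principalorgid")


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """'*' or {"AWS": "*"} means unauthenticated access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants_read(actions) -> bool:
    """Action entries may be wildcards such as s3:Get* or s3:*."""
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatch(act, pat) for act in READ_ACTIONS for pat in patterns)


def _narrowed(condition: dict) -> bool:
    keys = {k.lower() for block in condition.values() for k in block}
    return any(k in NARROWING_KEYS for k in keys)


def public_read_statements(policy_json: str) -> list[str]:
    """Sids of Allow statements that let anyone on the Internet read the bucket."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anyone(stmt.get("Principal", {})):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        if _narrowed(stmt.get("Condition", {})):
            continue   # limited to a VPC endpoint / IP range: worth a review, not a leak
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Constructed sample policies (bucket name, role ARN and endpoint ID are placeholders).
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": "s3:Get*",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})
VPCE_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FromOurVpcOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

if __name__ == "__main__":
    for name, doc in [("leaky", LEAKY_POLICY), ("private", PRIVATE_POLICY),
                      ("vpce-only", VPCE_ONLY_POLICY)]:
        print(name, public_read_statements(doc))
```

A check like this belongs in the IT process that manages cloud storage (run on every policy change), alongside account-level "block public access" settings and a review of bucket ACLs, which this policy-only check does not cover.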

Information that may be disclosed:

Goals of using disclosed data:

Cloud leak prevention:

Ransomware lifecycle and protection methods

Ransomware is one of the most widespread and fastest growing categories of cybercrime: more than 4,000 ransomware attacks occur daily. This volume of attacks, together with the close relationships between a company and its third parties, increases the risk that employee data will be compromised. Sensitive data can be protected with a ransomware prevention strategy and a process for quickly detecting compromised data.

An effective prevention strategy deploys security controls at every stage of a typical ransomware attack.

The main stages of a ransomware attack are:

  1. Phishing attack – an email with malicious links that redirect the user to a fraudulent site designed to steal internal credentials. This is the most common way to launch an attack;
  2. Interaction with the user (victim) – following the link, downloading attachments, etc.;
  3. Account compromise – the victim's corporate credentials are captured by directing the victim to a malicious site or through social engineering (for example, the attacker poses as an employee of the IT department and asks the victim to approve a two-factor authentication prompt). At this stage malware is most often delivered, which initiates the installation of the ransomware;
  4. Privilege discovery – detection and compromise of privileged credentials to gain unauthorized access to sensitive network areas;
  5. Search for sensitive data (personal data, customer data, social security numbers, corporate credentials, corporate and personal email, any digital trail that can be used for identity theft);
  6. Data exfiltration – malware establishes backdoor connections to the cybercriminal's servers, and the data is transferred over those connections. The cybercriminal will later demand a ransom for this data;
  7. Data encryption – the cybercriminal encrypts the victim's files and systems in order to cause maximum damage. The victim receives a ransom note (usually a TXT file) that states the price. Payment is demanded in cryptocurrency (usually Bitcoin), since it is harder for law enforcement agencies to trace. To speed up payment, the criminals threaten to publish the data on the dark web or delete it;
  8. Data dump – the final stage of the attack. The cybercriminals publish all compromised data on a criminal marketplace. Some delete the data instead, sparing themselves the effort of selling it and the exposure of tracking buyers. If the victim refuses to pay, the cybercriminal can punish the victim by publishing all of the data on forums; free access to data posted on such forums does more harm to the company than a sale to one group of cybercriminals.

A company can protect itself and mitigate the impact of ransomware by implementing security measures at each stage of the attack:

  1. Cybersecurity training. Ransomware is very difficult to defeat once it is inside the corporate network; preventing the initial intrusion denies cybercriminals a successful attack. Employees often do not know how to recognize threats or how to respond to them, and so contribute to the attack's success. Provide high-quality training for all employees, inform them about potential risks and teach them to recognize threats;
  2. Tracking interactions with malicious links and attachments. To stop an attack from progressing to the next stage, such activity must be detected as early as possible, and employees should alert IT security staff immediately;
  3. Preventing account compromise. Implement multi-factor authentication. Biometric factors such as fingerprints and facial recognition are very difficult to steal or copy; unlike a password, however, a biometric cannot be changed once it leaks, so it should be verified on the user's own device rather than collected centrally;
  4. Protecting privileged data. Implement a password manager, multi-factor authentication and a zero-trust security model (no request is trusted merely because it comes from inside the network; every access to sensitive resources must be authenticated and authorized);
  5. Preventing data loss. Close off or segment sensitive network areas from general user access, and make sure every account with access to restricted areas is protected by multi-factor authentication;
  6. Preventing data theft. This consists of two elements: detection and prevention. Detection methods include:

Prevention methods include:

  7. Protection against data encryption. Rapid failover to backup systems minimizes business disruption in the event of a ransomware attack. Backup environments must be reachable only with a separate set of credentials, different from those used in the normal IT environment, so that an attacker who has taken over the production accounts cannot encrypt or delete the backups as well.
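The exfiltration stage (stage 6 above) is the last point at which the attack can be caught before encryption and extortion, and it shows up in network telemetry as a host sending far more data than usual to a destination it has never talked to. The following added example (not code from the original page) builds a per-host baseline from constructed daily flow records (date, source host, destination, bytes sent) and alerts when a day's outbound volume is both large in absolute terms and far above the host's own median, listing the destinations not seen during the baseline. The thresholds are assumptions; in practice the records come from proxy, firewall or NetFlow logs over a longer period.

```python
"""Flagging possible data exfiltration from per-host outbound traffic totals.

Added example, not code from the original page. The flow records below
are constructed and the thresholds are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
import statistics

# Constructed flow summaries: day, source host, destination, bytes sent.
# 203.0.113.77 is a documentation address standing in for an attacker's server.
SAMPLE_FLOWS = """\
2024-03-01 ws-017 updates.vendor.example 2400000
2024-03-01 ws-042 crm.corp.example 3100000
2024-03-02 ws-017 updates.vendor.example 2200000
2024-03-02 ws-042 crm.corp.example 2900000
2024-03-03 ws-017 updates.vendor.example 2500000
2024-03-03 ws-042 crm.corp.example 3300000
2024-03-04 ws-017 updates.vendor.example 2300000
2024-03-04 ws-042 crm.corp.example 3000000
2024-03-05 ws-017 updates.vendor.example 2600000
2024-03-05 ws-042 crm.corp.example 3200000
2024-03-06 ws-017 updates.vendor.example 2400000
2024-03-06 ws-042 crm.corp.example 3100000
2024-03-06 ws-042 203.0.113.77 4800000000
"""
BASELINE_DAYS = {f"2024-03-0{d}" for d in range(1, 6)}


def parse_flows(text: str):
    for line in text.splitlines():
        if line.strip():
            day, host, dst, nbytes = line.split()
            yield day, host, dst, int(nbytes)


def detect_exfiltration(text: str, baseline_days: set[str],
                        factor: float = 10.0, min_bytes: int = 100_000_000) -> list[dict]:
    """Alert when a host's daily outbound volume is both above min_bytes and more
    than `factor` times its own baseline median; report destinations new to the host."""
    daily_total = defaultdict(int)      # (day, host) -> bytes
    daily_dsts = defaultdict(dict)      # (day, host) -> {destination: bytes}
    baseline_dsts = defaultdict(set)    # host -> destinations seen in the baseline
    for day, host, dst, nbytes in parse_flows(text):
        daily_total[(day, host)] += nbytes
        daily_dsts[(day, host)][dst] = daily_dsts[(day, host)].get(dst, 0) + nbytes
        if day in baseline_days:
            baseline_dsts[host].add(dst)

    baseline_totals = defaultdict(list)
    for (day, host), total in daily_total.items():
        if day in baseline_days:
            baseline_totals[host].append(total)

    alerts = []
    for (day, host), total in sorted(daily_total.items()):
        if day in baseline_days:
            continue
        typical = statistics.median(baseline_totals[host]) if baseline_totals[host] else 0
        if total >= min_bytes and total > factor * typical:
            new_dsts = {d: b for d, b in daily_dsts[(day, host)].items()
                        if d not in baseline_dsts[host]}
            alerts.append({"day": day, "host": host, "bytes": total,
                           "baseline_median": typical, "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS, BASELINE_DAYS):
        print(alert)
```

The absolute floor (`min_bytes`) keeps a quiet host that doubles a few megabytes from paging anyone, while the ratio catches the 4.8 GB transfer from ws-042 that a fixed global threshold tuned for busy servers might miss. The alert carries the new destination so the responder can block it and pull the full connection logs immediately.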

What is cyberattack?

Modern technologies are firmly established both in everyday life and in business. The latest tools are used to run businesses efficiently and conveniently. Along with the advantages and new opportunities, the risk of becoming a victim of cybercriminals grows. Many companies use cloud services to store corporate data and publish data on the Internet while neglecting to organize reliable cybersecurity. Information security, understanding and managing risks, and identifying and preventing incidents must be a priority for any company.

A cyberattack is an unauthorized attempt to access a system in order to modify, damage or steal data. Cybercriminals use various methods to launch an attack: malware, phishing, ransomware, man-in-the-middle attacks, etc. Cyberthreats vary in complexity, from installing malware on a small company's system to attempting to disable critical infrastructure (government, public agencies, etc.). A successful cyberattack often results in data leakage and disclosure.

The target of any cyberattack is a physical or logical resource with at least one vulnerability. An attack can violate the confidentiality, integrity, or availability of that resource. The resulting damage, disclosure or loss of control may extend well beyond the vulnerable resource itself, for example to the Wi-Fi network, social media accounts, operating systems or confidential information (credit card details, bank accounts, etc.).

Types of cyberattacks:

  1. Internal and external

An internal cyberattack is initiated within an organization by a person who has access to sensitive data. An external cyberattack is initiated from outside the organization, for example a distributed denial of service (DDoS) attack using a botnet.

  2. Passive and active

Passive cyberattacks attempt to access or learn information from the target system without affecting its resources (eavesdropping and monitoring). Common examples of passive cyberthreats are:

Active cyberattacks are deliberate attempts to change or affect a system (data leaks, ransomware attacks, etc.).

A cyberthreat is a potential cybersecurity risk: a circumstance, actor, action or event that could cause a data leak or any other form of unauthorized access. A threat is distinct from a vulnerability: the vulnerability is the weakness, and the threat is whatever could exploit it to further the cybercriminals' goals.

Cyberthreats can be intentional (for example, a cybercriminal deliberately launches a ransomware attack, encrypts data and demands a ransom) or accidental (for example, a poorly secured S3 bucket that results in a large data leak).

Measures to prevent and detect cyberattacks:

Cybersecurity key performance indicators

Protecting confidential data is of key importance for any company. Any information leak can have devastating consequences: reputational damage, financial losses, loss of market position, customer churn, etc. The internal cybersecurity system must provide reliable data protection and must also be proactive, detecting and preventing cyberattacks in time.

To track the level of cybersecurity, it is necessary to keep a checklist and analyze KPIs. Key performance indicators (KPIs) are an effective way to measure the success and effectiveness of any program, including cybersecurity; the real state of security cannot be assessed without analyzing how the cybersecurity system operates.

Cybercriminals evolve continuously and come up with new and more sophisticated attack methods, and the processes and technologies for preventing them change accordingly. It is important to regularly evaluate the effectiveness of protection tools and to replace or update obsolete tools in time.

Analysis of key performance indicators (KPIs), key risk indicators (KRIs) and security measures gives a complete picture of the security team's work, shows what is working and what is not, and supports appropriate action. Metrics provide quantitative information that can easily be compiled into a report and shared with all stakeholders.

Cybersecurity key performance indicators:

There is no universal answer to which metrics to use. Each company chooses its KPIs and KRIs depending on its field of activity, needs, applicable rules and guidelines, management's view of risk, etc. The selected metrics must be understandable to everyone, including non-technical staff, reflect the current situation and support decisions about the company's cybersecurity.

Basic methods to protect sensitive data

Protecting confidential information is one of the main tasks of the digital world. It is a large and complex task, made harder by poor data management, weak network security, inadequate endpoint protection, and weak encryption. To counter the growing number of cyberattacks, stronger cybersecurity methods are needed.

Both organizations and individuals need to know the basic methods of protecting sensitive data to avoid leakage and loss. The loss of personal or corporate data can be devastating and have serious consequences.

Confidential information is sensitive information that requires a higher level of protection to prevent unauthorized access by hackers or malware. Such data is normally protected and inaccessible to unauthorized persons. Cybersecurity and data protection requirements are enforced in the USA by the Federal Trade Commission (FTC), in Europe by the General Data Protection Regulation (GDPR), and in Australia through guidance from the Australian Cyber Security Centre (ACSC).

Confidential data may include:

Basic methods for protecting confidential information:

  1. Data classification and organization. Data classification is the process of sorting data into defined categories, which makes it easier to find, to rank by criticality, and to cut storage and backup costs. Organizing the data lets a company assign each item a risk level (low, medium, high), separate public from private information, and apply security measures appropriate to each level of confidentiality. A classification policy makes it possible to assess how sensitive data is used and to improve privacy and protection.
  2. Data encryption. Data is transformed with a cryptographic algorithm and a key so that it is unreadable to anyone who steals or intercepts it; without the decryption key, recovering the plaintext from properly encrypted data is computationally infeasible. Encryption provides confidentiality for data in transit and at rest and underpins authentication processes. Companies that handle particularly sensitive data must encrypt it.
  3. Data Protection Impact Assessment (DPIA). An operational tool applied to the processing of corporate information that carries a high risk of personal data disclosure. Under a DPIA, organizations must:
  4. Data masking (obfuscation) protects data by replacing the original values with fictitious but realistic ones. Masking is also used internally to hide real data from developers, testers, and others who need the shape of the data but not its contents.
  5. Multi-factor authentication. Requiring a second factor alongside the password is one of the simplest security measures. Credentials from large corporations regularly end up on the dark web; with multi-factor authentication a leaked password alone is not enough to reach sensitive information.
  6. Backups. Data management and backup are the foundation of all security solutions. Back up at least once a week, keep at least one copy isolated from the production network, and test that it can actually be restored.
  7. Strong network security. This involves using many different security solutions to better protect sensitive data from theft and unauthorized access. Tools to improve security:
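Data masking (item 4 in the list above) is simple to state and easy to get wrong: a masker that blanks every long digit string also destroys ticket and order numbers. The added example below (not code from the original page) masks card numbers only when they pass the Luhn checksum, keeps the last four digits and the original separators so downstream formats still parse, and shortens e-mail addresses to their first character plus domain. The sample record is constructed, and the masking rules are illustrative choices.

```python
"""Masking card numbers and e-mail addresses before data leaves production.

Added example, not code from the original page. The record below is
constructed; the masking rules (keep the last four card digits, keep the
first character of the local part of an e-mail) are illustrative choices.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out ticket or order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(match) -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                     # not a card number: leave it untouched
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)             # preserve separators so the format survives
    return "".join(out)


def mask_record(text: str) -> str:
    """Mask card numbers first, then e-mail addresses."""
    text = CARD_RE.sub(_mask_card, text)
    return EMAIL_RE.sub(r"\1***@\2", text)


# Constructed sample record: one real-looking card, one 13-digit ticket number.
SAMPLE = "Alice <alice@example.com> paid with 4111 1111 1111 1111, ticket number 1234567890123"

if __name__ == "__main__":
    print(mask_record(SAMPLE))
```

The ticket number survives unchanged because it fails the Luhn check, which is exactly the false-positive control a test team needs when masked copies must still exercise the application's number-handling code.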

Why is it necessary to use multi-factor authentication?

Multi-factor authentication (MFA) is an authentication method that requires two or more distinct forms of identity verification to gain access to an account, application, data set, etc. It is an additional layer of security for a user's online account: to gain access the user enters a password and then confirms the login attempt through an authenticator application, a one-time code, etc. The additional verification stops a cybercriminal who holds only the password from gaining access, and so prevents the attack. Setting up and using MFA is one of the most important and simplest cybersecurity measures, accessible to any person and organization.

Authentication is critical to many security policies for protecting sensitive data and preventing leaks. Cybercriminals often use specialized software to steal login details, and users increase their own risk by reusing the same password across several accounts. Without a second factor, a stolen password alone is enough to take over the account.

Organizations should implement an identity and access management (IAM) system that verifies user credentials and enforces who may access what. This makes it possible to control user access to critical corporate information and keep unauthorized users away from the data.

According to published statistics, 99.9% of compromised accounts did not use multi-factor authentication. It is also important to keep systems updated and to retire legacy authentication protocols: as a rule they do not support multi-factor authentication, which significantly increases the risk of information leakage.

Authentication factors:

  1. Knowledge factor – something the user knows: a PIN code, answers to security questions, a password;
  2. Possession factor – something the user physically has: one-time passwords, a mobile phone (text messages, authenticator applications), smart cards, SIM cards, software tokens (digital authentication keys), a physical key or key card;
  3. Inherence factor – something the user is: biometric data (fingerprint ID, Face ID, voice recognition, retinal scan).

MFA solutions improve security, but each additional factor also complicates login: the user may forget the password or lose the mobile device used to log in. Multi-factor authentication should be used wherever possible but should not be the only security control.

The main problems of implementing multi-factor authentication:

Ways to simplify the authentication process while maintaining the security level:

  1. Adaptive authentication integrates machine learning into the authentication process and takes a wide range of context into account (location, time of access, IP address, device used, VPN, network). It analyzes each login for suspicious activity: normal user behaviour requires only the basic login, while suspicious behaviour triggers a request for an additional verification factor.
  2. Single sign-on (SSO) lets a user authenticate once with an identity provider and then access multiple sites and applications without logging in again. SSO removes the need to remember multiple passwords and to repeat authentication; because it concentrates access at the identity provider, that account must itself be protected by multi-factor authentication.
  3. Push authentication – authentication through a mobile application bound to a physical device rather than a phone number. A text message can be intercepted (or the number transferred to an attacker's SIM), which makes phone-number authentication riskier. Push authentication removes the need to retype a one-time code and gives a seamless user experience; since attackers can also flood a user with prompts until one is approved by mistake, the prompt should show the login details and require the user to confirm a number displayed on the login screen.

Cybersecurity rating – what is this?

Cybersecurity ratings are objective, dynamic indicators of a company's security condition. They are data-driven and generated by a trusted, independent security rating platform. A security rating is a valuable, objective measure of the security posture of an entire organization: the higher the rating, the stronger the security state. Organizations use it to understand and mitigate critical, interrelated internal and external security risks, and to assess the security of external organizations (suppliers, partners, insurance companies, investment targets).

A security rating is derived from objective verification of information and is calculated by an independent organization. The verification collects externally observable data that can quantify security risk (exposed services, patch levels, DNS and email security configuration, and similar). High scores indicate effective security practices and a lower risk of successful cyberattack. Regular vulnerability monitoring and scanning keep the rating at the proper level.

Today's businesses actively use tools that speed up trading, widen customer reach, reveal customer habits and behaviour, and improve operational efficiency. The same tools increase cybersecurity risks and threats. A cyberattack can target the business directly, or reach it through third-party partners: a vulnerability at one business partner can lead to a data breach. Security ratings provide a daily measurement of a company's security performance, allow internal performance to be monitored and compared, strengthen risk management and reduce risk.

The security rating is used for:

  1. Third-party risk management (understanding third-party risks, due diligence and identification of security problems, pricing and risk management in cyber insurance, investment decisions);
  2. Cybersecurity performance management (internal security management, continuous monitoring and assessment of the cybersecurity state, analysis of security indicators);

The security rating allows to:

According to Gartner, cybersecurity ratings will be an important tool for assessing the risks of existing and new business relationships. Traditional evaluation methods are time-consuming, and the questionnaires sent to each third-party partner require careful tracking. Moreover, questionnaires are not always accurate: they are a subjective, one-time assessment that goes stale as new security issues arise. Security ratings bridge this gap with a continuous, objective and up-to-date assessment of the security state. This makes it possible to identify existing and potential cyberthreats and to determine ways of mitigating them. Security ratings also make it possible to report cybersecurity results to senior executives and all stakeholders.

The most common types of phishing attacks and their signs

According to a Cisco report, 90% of data breaches are caused by phishing. Millions of users are affected by malware and ransomware, but phishing attacks are no less harmful, and even the latest security protocols and software cannot fully protect against them. A low level of user awareness increases the risk of falling victim to cybercriminals, so it is important that all users are properly trained.

A phishing attack is a cyberattack that uses social engineering to obtain sensitive data illegally. Often the attack is carried out through malicious links and files that users are tricked into opening, and phishing is frequently combined with malware to do more damage. To make the attack succeed, a cybercriminal carefully studies user behaviour and chooses the easiest and most effective route to the goal.

Signs of phishing attempts:

Cybercriminals are constantly developing new phishing methods to obtain sensitive data.

The most common types of phishing attacks are:

  1. Email phishing is the oldest and most widely used type of phishing attack. Emails that imitate legitimate senders target corporate users and individuals. Through a malicious link, document, or image the attacker gets the victim to download malicious code or to "verify" personal information by clicking a link.

Signs: requests for personal information; an urgent problem; shortened links; suspicious URLs; spelling and grammatical errors; unexpected attachments; blank images;

  2. Spear phishing is more targeted and focused on a specific person or company. Attackers collect information from open sources and attack entire enterprises and departments.

Signs: unusual requests, links to shared drives; suspicious and unsolicited emails; references to personal details;

  3. Whaling – a targeted attack on a specific person or group of people from senior management. Most often the CEO of the company is the victim.

Signs: invalid or lookalike domain, use of a personal email address; requests from new contacts;

  4. Business email compromise – attackers impersonate a manager, or take over the manager's account, so that their decisions and internal requests to employees carry the manager's authority.

Signs: urgency, unusual behaviour, requests to bypass the usual approval or legal review;

  5. Voice phishing (vishing) – an attack by telephone to obtain information or money.

Signs: blocked or hidden caller number, requests for confidential information or money;

  6. HTTPS phishing – a URL-based attack that relies on the padlock icon to make a malicious link look trustworthy. HTTPS (the standard traffic encryption protocol, which requires a TLS/SSL certificate) proves only that the connection is encrypted, and attackers obtain certificates for their own domains as easily as anyone else.

Signs: shortened links, hyperlinked text, spelling errors in the URL.

  7. Clone phishing – attackers copy a message previously sent by a legitimate person or organization, forge the sender's address and resend it to the victim with a malicious attachment or link.

Signs: duplicate emails, errors in the email address, hyperlinked text.

  8. SMS phishing (smishing) – attacks through SMS messages with malicious attachments and links.

Signs: suspicious and unsolicited messages, messages from unknown numbers, unexpected authentication requests.

  9. Pop-up phishing – an attack through pop-up windows. Attackers deliver malware in the form of pop-up ads, and a click starts the infection.

Signs: browser notifications, a new tab or window, urgent pop-up messages (antivirus update, subscription renewal, etc.).

  10. Social media phishing – using information gathered from social networks, attackers apply social engineering to reach the victim's confidential data.

Signs: suspicious links, suspicious accounts.

  11. Angler phishing – attackers pose as customer service staff by creating a fake account and contacting a potential victim. During the interaction the cybercriminal asks for personal data and then provides a link "to solve the problem" that leads to malware.

Signs: unverified account, no profile history.

  12. Evil twin phishing – the attacker sets up a rogue Wi-Fi hotspot that mimics a legitimate one and lures users into connecting. Once the victim is connected, all incoming and outgoing data (personal information, financial data, etc.) can be intercepted. This attack is most likely in public places with free Wi-Fi (cafes, hotels, airports, etc.); the best protection is to use a VPN.

Signs: duplicate Wi-Fi hotspots, certificate or security alerts.

  13. Website spoofing – a completely fake site identical to a legitimate one, built to harvest confidential information. Most often the spoofed sites belong to organizations in finance, healthcare and social networking, because they hold valuable personal information.

Signs: misspelled URLs, errors on the site.

  14. Email spoofing – forging the sender address, or registering a lookalike email domain, so that a message appears to come from a legitimate source.

Signs: suspicious and unsolicited emails, errors in email addresses.

  15. DNS spoofing (pharming) is a technically more complex attack in which the cybercriminal tampers with the domain name system (DNS), which converts domain names into IP addresses, by poisoning a resolver's cache or altering a domain's records. Victims who type the correct address are sent to the attacker's site.

Signs: certificate warnings or an unsecured site, errors on the site.

  16. Image-based phishing – an email whose image contains hyperlinks, malicious URLs or links to infected sites.

Signs: a link embedded in an image, spam, large call-to-action buttons.

  17. Search engine phishing – attackers build legitimate-looking pages around popular keywords and queries so that they rank in search engines (Google, Bing). The pages make tempting offers to lure the victim into entering banking details: free holidays, products, investment opportunities, discounts, job offers, etc.

Signs: offers that are hard to refuse, poorly designed sites.

  18. Watering hole phishing – an attack aimed at a specific company or group by infecting a site they visit frequently. Cybercriminals find a vulnerability in the site, infect it, and lure potential victims to it with emails.

Signs: security alerts, unexpected security prompts.

  19. Man in the middle (MITM) – an attacker inserts themselves into the communication path, becomes an "intermediary" that controls the conversation, intercepts the data and can manipulate it to obtain personal information from both sides.

Signs: insecure sites, spelling errors in the URL, noticeably slow communication.
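Several of the signs above (shortened links, suspicious URLs, misspelled domains, the padlock that proves nothing) can be checked mechanically before a user ever sees the link. The added example below (not code from the original page) takes a URL apart and reports the signals it finds: plain HTTP, the `brand@attacker` credential trick, a bare IP address as host, punycode labels, known URL shorteners, deep subdomain nesting, a trusted brand name buried in someone else's host, and typosquats within a small edit distance of a trusted domain. The brand and shortener lists are constructed for illustration; in practice they come from the organization's own allowlist and threat feeds, and the signals feed a mail filter or a user-facing warning rather than an automatic block.

```python
"""Heuristic checks for the URL-based phishing signs listed above.

Added example, not code from the original page. The brand and shortener
lists are constructed for illustration.
"""
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

# Constructed lists (assumptions); order matters for the brand loop, so use a tuple.
TRUSTED_BRANDS = ("paypal.com", "microsoft.com", "example-bank.com")
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels; adequate for the .com-style hosts in this example."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url: str) -> list[str]:
    """Return the suspicious signals found in the URL (an empty list means none)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    signals = []
    if parts.scheme not in ("http", "https"):
        signals.append("non-web scheme")
    elif parts.scheme == "http":
        signals.append("no TLS")
    if parts.username is not None:
        # https://paypal.com@evil.example/ - everything before '@' is ignored by the browser
        signals.append("credentials in URL (brand@attacker trick)")
    try:
        ipaddress.ip_address(host)
        signals.append("IP address instead of hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode/IDN label")
    reg = registrable_domain(host)
    if reg in URL_SHORTENERS:
        signals.append("URL shortener")
    if host.count(".") >= 3:
        signals.append("excessive subdomains")
    for brand in TRUSTED_BRANDS:
        if reg == brand:
            break                      # genuinely the brand's own domain
        name = brand.split(".")[0]
        if name in host:
            signals.append(f"brand name '{name}' inside a non-brand host")
            break
        if edit_distance(reg, brand) <= 2:
            signals.append(f"looks like {brand}")
            break
    return signals


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin",
                   "https://paypa1.com/signin",
                   "https://paypal.com@evil.example/login",
                   "http://secure-paypal.com.login-verify.net/"):
        print(sample, "->", analyze_url(sample))
```

None of these signals is proof on its own (a legitimate newsletter may use a shortener), which is why the function returns the list rather than a verdict: the caller decides how many signals justify a warning banner, a quarantine, or a report to the security team.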
