Network Security Archives - My TechDecisions
https://mytechdecisions.com/category/network-security/
The end user’s first and last stop for making technology decisions. Feed last built Wed, 23 Oct 2024 19:51:54 +0000.

CrowdStrike Cyber Armageddon: How Do Firms Now Build Resilience?
https://mytechdecisions.com/it-infrastructure/crowdstrike-cyber-armageddon-how-do-firms-now-build-resilience/
Fri, 13 Sep 2024 19:18:47 +0000

Towards the end of July, a botched software update at cyber security firm CrowdStrike caused chaos around the world, crippling IT systems that we all relied on. The disruption spanned across sectors; flights were grounded, patients were unable to contact healthcare services and customers were unable to make card payments.

The event illustrated two things:

  1. how deep the roots of digitization have become globally;
  2. the fragility of the global technology ecosystem, exacerbated by an overreliance on a select number of cloud providers.

This is a wake-up call for us all. Although this was not a cyber attack, imagine if a nation state were able to find and exploit such weaknesses through a coordinated and sustained attack.

It’s given us a glimpse into what cyber armageddon could look like; how should we respond?

The Interconnectivity Trade-Off

Dubbed “the largest IT outage in history,” the global technology outage was caused when an update to CrowdStrike’s Falcon Sensor software malfunctioned, paralyzing computers running Windows and resulting in widespread tech failures around the world.

While interconnection was not the cause, the severity of the impact was only possible because of the increasingly interconnected systems and software that have become so entrenched in our digital infrastructure. The effects were also inflamed by the global reliance on a select number of cloud providers – with Windows devices the worst impacted, many initially thought it was solely a Microsoft issue.

This dependency has brought with it many benefits – global connectivity, efficiency and innovation. But it’s a simple fact that it leaves us all more vulnerable. If a major cloud provider goes down or is impacted, the world grinds to a halt.

For many of us in the business of IT and security, questions are starting to be asked about the trade-off: can we find a way to remain connected, but become more resilient and lessen the impact of events like these?

The initial discussion has been around reassessing cloud strategies, such as avoiding the automatic updating of patches. Some may also be thinking about a multi-cloud approach, where more than one cloud provider is used to ensure continuity if one goes down – “Microsoft is down? That’s ok, we can just switch to Google.” However, despite being a relatively simple undertaking, it would be an expensive luxury that’s out of reach for most.

Build Something from the Ground Up

Rather than trying to patch up ever more complex and interdependent legacy architecture, company boards should use this opportunity to explore shifting their legacy digital architecture to something built from the ground up and future proof.

That is, firms should view this as an opportunity to run an entirely new, low-cost digital infrastructure in parallel, independent of their primary cloud provider and legacy applications. The idea is that in the case of a major systems outage, organizations would be able to switch seamlessly to this secondary infrastructure without manual intervention, allowing them to perform critical functions throughout the crisis. This infrastructure would be backed up with essential data and protected by advanced security protocols against cyber threats. As a minimum, it provides an out-of-band communications channel for the board and senior management to tell staff and clients what to do, and ensures they are not swamped by fraudulent scams after the CrowdStrike outage.

Imagine an airline affected by a major software outage. Having an independent backup system would allow them to continue day-to-day operations such as booking passengers, handling ticket changes and scheduling flights. Instead of relying on extensive manual interventions to recover the primary system, backup protocols would prevent disruption while the main systems are brought back online.

Any solution developed in this way needs to be quick to implement and must be able to initiate a contingency command and control process. Our mission critical clients are beginning to build these fail-over systems that can handle basic tasks and keep the company running in the event of a major attack or outage. In some instances, these shadow systems operate entirely through a mobile messaging platform.

Continuity and Resilience are Possible

As businesses now revisit how to ensure a return to business as usual as quickly as possible when disaster strikes, they should not be clouded by technical terms and confusing offerings. Instead, they should focus on three simple and fundamental principles when assessing their current and future risks: completeness, accuracy and validity.

Shifting legacy digital architecture towards something that is built from the ground up ticks all these boxes. Moreover, it addresses the interconnectivity, interdependency, relatedness and reputational risks that we all face in the digital world today. This may just be the difference between surviving the next global meltdown and being left in its wake.


Andersen Cheng is the founder and chairman of Post-Quantum.

7 Layers of DDoS Attacks and How To Prevent Them
https://mytechdecisions.com/network-security/7-layers-of-ddos-attacks-and-how-to-prevent-them/
Thu, 28 Dec 2023 14:50:21 +0000

As businesses increasingly depend on the Internet for traction and revenue, that reliance makes them an easy target for Distributed Denial of Service (DDoS) attacks. Like any new venture, risk is an undeniable part of it.

For eCommerce businesses, the main risk is DDoS attacks. A DDoS attack is a malicious attempt to destabilize and halt services or products, and its biggest impact is the disruption of operations. By making products or services utterly inaccessible to consumers, DDoS attacks effectively eliminate any incoming profits.

The key to protecting your business and keeping out these intrusions lies in understanding how they work. In this article, we review the different layers and the ways to prevent attacks at each.

7 Layers of DDoS Attacks

1. Physical Layer Attacks

These DDoS attacks target the physical network or infrastructure of a business. Using techniques such as overloading network switches, jamming wireless signals or physically cutting cables, attackers can cut income streams if they can gain access to a business’s premises. The difficulty in preventing such attacks lies in how unpredictable people can be. One of the best defenses is installing surveillance that continuously monitors and alerts owners to suspicious activity. This mitigates the risk, especially if alerts go directly to the police.

2. Data Link Layer Attacks

Unlike physical layer attacks, data link attacks target how network devices communicate. Using a MAC (Media Access Control) address, attackers can trick devices into communicating with a fake network device. It is also common to use STP (Spanning Tree Protocol) attacks to manipulate how network switches forward traffic. The only way to manage this is to ensure the business has a robust authentication mechanism, including properly configured MAC filtering.

3. Network Layer Attacks

Network layer attacks affect data as it is transmitted across the Internet. In IP (Internet Protocol) fragmentation attacks, data is sent in small fragments to overwhelm network devices. Alternatively, attackers can launch ICMP (Internet Control Message Protocol) floods, drowning a target in ICMP messages. To prevent such attacks, firewalls and intrusion detection systems should be used to block or flag unusual network traffic.

4. Transport Layer Attacks

As the name suggests, transport layer attacks target how data is transmitted between network devices. In a TCP (Transmission Control Protocol) SYN flood, attackers send a high volume of TCP SYN requests to a target; in a UDP (User Datagram Protocol) flood, a high volume of UDP packets is sent instead. Businesses therefore need load balancers and rate limiters to stop a high volume of traffic from overwhelming their network devices.

5. Session Layer Attacks

Not limited to network devices, DDoS attacks can also occur in applications by targeting how they communicate. Using techniques such as SSL (Secure Sockets Layer) attacks, attackers exploit vulnerabilities in SSL/TLS (Transport Layer Security) protocols to intercept data, or they can drown a target with SIP (Session Initiation Protocol) messages. The easiest way to prevent session layer attacks is by ensuring applications are securely configured with updated SSL/TLS certificates.

6. Presentation Layer Attacks

As the name implies, presentation layer attacks work by attacking how information is presented to users. Through techniques such as XML (Extensible Markup Language) attacks, attackers either exploit vulnerabilities in XML parsers to execute malicious code or implement XSS (Cross-Site Scripting) attacks, where they inject malicious scripts into web pages. Firms can avoid presentation layer attacks with secure coding practices and frequent vulnerability scans.

7. Application Layer Attacks

Application layer attacks target the way applications function. Using techniques such as SQL (Structured Query Language) injection, attackers inject malicious SQL queries into a target application to gain unauthorized access to data. In other cases, they use RFI (Remote File Inclusion) attacks to exploit vulnerabilities in web applications and execute malicious code. Unlike the other layers, these attacks can be prevented by educating employees: focus on secure coding practices, phishing awareness and password hygiene.
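
A defender-side illustration of the flood classes named above (ICMP, SYN and UDP floods) and of the per-source rate limiting the article recommends, as an added example that is not part of the original article: a sliding-window counter over constructed flow records that raises one alert per source and flood class, labelled with the layer from the taxonomy above. The record format, thresholds and sample addresses are assumptions made for this example.

```python
from collections import defaultdict, deque

# Thresholds (assumed for illustration): packets from one source within
# WINDOW_SECONDS before that source is flagged.  A real deployment tunes
# these to the measured baseline of its own links.
WINDOW_SECONDS = 1.0
THRESHOLDS = {
    "icmp_flood": 50,    # network layer: ICMP echo-request flood
    "syn_flood": 100,    # transport layer: bare TCP SYN flood
    "udp_flood": 200,    # transport layer: UDP packet flood
}
# Layer labels follow the taxonomy used in the article above.
LAYER_OF = {
    "icmp_flood": "network (L3)",
    "syn_flood": "transport (L4)",
    "udp_flood": "transport (L4)",
}


def classify(record):
    """Map one flow record to (timestamp, source, flood_class or None).

    Record format (constructed for this example):
        "<epoch_seconds> <src_ip> <proto> <detail>"
    where detail is the TCP flag string ("S", "SA", "A") for tcp, the
    destination port for udp, or the ICMP type name for icmp.
    """
    ts, src, proto, detail = record.split()
    ts = float(ts)
    if proto == "icmp" and detail == "echo-request":
        return ts, src, "icmp_flood"
    if proto == "tcp" and detail == "S":      # SYN with no ACK set
        return ts, src, "syn_flood"
    if proto == "udp":
        return ts, src, "udp_flood"
    return ts, src, None


def detect_floods(records):
    """Sliding-window count per (source, class); returns a list of alerts.

    Each alert is (src_ip, flood_class, layer, count_in_window) and is
    raised once per (source, class) when the window count first reaches
    the threshold, so a sustained flood does not emit an alert per packet.
    """
    windows = defaultdict(deque)   # (src, cls) -> timestamps inside window
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: float(r.split()[0])):
        ts, src, cls = classify(rec)
        if cls is None:
            continue
        key = (src, cls)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:   # drop expired packets
            q.popleft()
        if len(q) >= THRESHOLDS[cls] and key not in alerted:
            alerted.add(key)
            alerts.append((src, cls, LAYER_OF[cls], len(q)))
    return alerts


def build_sample():
    """Constructed traffic: one SYN-flooding host, one ICMP-flooding host,
    and a normal client that completes a handshake and does a DNS lookup."""
    flows = []
    t0 = 1700000000.0
    for i in range(150):                      # 150 bare SYNs in 0.75 s
        flows.append(f"{t0 + i * 0.005:.3f} 198.51.100.7 tcp S")
    for i in range(60):                       # 60 echo requests in 0.6 s
        flows.append(f"{t0 + i * 0.01:.3f} 203.0.113.9 icmp echo-request")
    flows += [                                # benign client, well under limits
        f"{t0:.3f} 192.0.2.10 tcp S",
        f"{t0 + 0.02:.3f} 192.0.2.10 tcp A",
        f"{t0 + 0.05:.3f} 192.0.2.10 udp 53",
    ]
    return flows


if __name__ == "__main__":
    for src, cls, layer, n in detect_floods(build_sample()):
        print(f"ALERT {src}: {cls} at {layer} layer, {n} pkts in {WINDOW_SECONDS:.0f}s")
```

The same counters can feed a rate limiter: a source that trips a threshold is the one to throttle, while the benign client below the limits is never touched.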

DDoS Protection

DDoS protection takes a concerted, conscious effort to keep firms up and running. For businesses to excel, driving revenue and consumers to the store is no longer enough. Cybersecurity is vital to safeguard existing assets and keep revenue flowing. Hence, implementing these defenses should be paramount for businesses that want to stay vigilant and flourish.

AVI-SPL Receives Cisco 2023 Reimagine Workspaces Partner of the Year – Americas Award
https://mytechdecisions.com/unified-communications/avi-spl-receives-cisco-2023-reimagine-workspaces-partner-of-the-year-americas-award/
Thu, 02 Nov 2023 17:17:34 +0000

AVI-SPL, the global provider of digital enablement solutions, has won the Cisco Webex Reimagine Workspaces Partner of the Year – Americas award for 2023. Per a statement, the award recognizes a solutions provider that has had the most success selling and implementing Cisco Video Devices to help customers create best-in-class workspaces.

AVI-SPL has been a Cisco solutions provider for more than a decade, the company says. It thus continues to deepen and expand the expertise in its Cisco practice to guide companies everywhere. With this, it aims to reimagine the workplace for better employee, partner and customer engagement as new hybrid work models take hold. In Cisco fiscal year (FY) 2023, AVI-SPL ranked as the #3 video devices partner in the U.S. and globally.

“Cisco’s recognition of AVI-SPL as a leading workspaces partner speaks volumes to our ability to confidently guide customers to reimagine and realize the modern work experience,” says Tom Nyhus, AVI-SPL vice president of the Cisco practice. “By embracing Cisco Webex’s innovative, leading-edge roadmap and programs, together we’ve helped global companies stay securely connected and productive from anywhere.”

The partnership between Cisco and AVI-SPL grew significantly in 2023 with new, joint go-to-market efforts. Per a statement, AVI-SPL led the way with the new Cisco Webex Hardware as a Service (HaaS) program. It thus became one of the first partners to conduct a customer pilot of the program. AVI-SPL also beta-tested new video devices and provided feedback through Cisco’s Video Champions Advisory Council around market trends and customer needs.

The Cisco 2023 Webex Partner Award honors partners who have developed and delivered exceptional Cisco-based solutions and services during the past year.

Cisco announced the Annual Partner Awards during the WebexOne 2023 conference on October 25, 2023. Additional details on the 2023 awards are available on the Cisco Webex blog.

Another version of this article originally appeared on our sister-site Commercial Integrator on November 1, 2023. It has since been updated for My TechDecisions’ audience.

Nearly 900 Schools Impacted by National Student Clearinghouse Data Breach
https://mytechdecisions.com/network-security/nearly-900-schools-impacted-by-national-student-clearinghouse-data-breach/
Tue, 26 Sep 2023 19:39:30 +0000

The National Student Clearinghouse (NSC) revealed a recent data breach impacted 890 schools that use its services.

A breach notification letter filed with the Office of the California Attorney General said the Cl0p ransomware gang gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing personally identifiable information (PII).

The Clearinghouse is a nonprofit that provides educational reporting, data exchange, verification, and research services to approximately 22,000 high schools and 3,600 colleges and universities, which together account for roughly 97% of students in public and private institutions, according to Bleeping Computer.

“On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider’s MOVEit Transfer solution,” NSC wrote in the letter. “After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement.”

The stolen PII contained names, birth dates, contact information, Social Security numbers, student ID numbers and other school-related records. NSC said it has implemented patches to the MOVEit software and additional monitoring measures to further protect its systems and customers’ data. It is also offering identity monitoring services at no cost for two years.

In late May, the Cl0p ransomware gang began exploiting an SQL injection vulnerability in the MOVEit Transfer platform, leveraging a zero-day security flaw and gaining access to an underlying database, reports Help Net Security. Starting June 15, the cybercriminals started extorting organizations that fell victim to the attacks, exposing names on its dark web data leak site.

In late June, NSC notified the impacted schools about the breach but did not provide many details, as the investigation was ongoing. At that time, Databreachnet.com reported that NSC’s name had been removed from Cl0p’s leak site, “which is often an indication that a victim paid.”

The breach has affected many organizations across the globe, including governments, financial institutions, pension systems, and other public and private entities. Among the victims are multiple U.S. federal agencies and two U.S. Department of Energy entities.

Coveware, a cyber extortion incident response firm, estimates the gang will collect around $75-100 million in payment due to high ransom requests.

Another version of this article originally appeared on our sister-site Campus Safety on September 25, 2023. It has since been updated for My TechDecisions’ audience.

Progress Software Urges Further Action to Prevent MOVEit Exploitation
https://mytechdecisions.com/network-security/progress-software-urges-further-action-to-prevent-moveit-exploitation/
Fri, 16 Jun 2023 15:11:00 +0000

The MOVEit Transfer story continues to plague IT departments and security professionals as Progress Software has issued another advisory, urging organizations to apply yet another patch to address a privilege escalation flaw in its Transfer product.

The company’s update comes amid reports of widespread exploitation, including at several U.S. agencies that were breached as part of the attack. Cybersecurity researchers say ransomware groups have seized upon the vulnerability and are using it to exfiltrate data and compel victim organizations to pay a ransom.

In the advisory, dated June 16, Progress says it has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.

“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment,” the company says in the new advisory. “In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

The incident, which was first identified in late May, now stretches well into June as organizations rush to patch their systems and protect their environment.

According to Progress Software, “All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer.”

However, organizations have two paths to take, depending on whether they applied the remediation and patching steps from the first MOVEit Transfer Critical Vulnerability (May 2023) advisory prior to June 15.

Those who have not yet applied the May 2023 patch should do so and follow the remediation steps immediately, the company says. That patch now covers two separate vulnerabilities: the original from May 31 (CVE-2023-34362) and another identified on June 9 (CVE-2023-35036).

Once that is taken care of, organizations should apply the June 15 patch (CVE-2023-35708).

Organizations that have already applied the May 31 and June 9 patches should now apply the June 15 patch, which will bring them fully up to date.
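
To turn the guidance above into a repeatable fleet check, here is an added example (not Progress Software’s own tooling) that triages a constructed inventory of MOVEit Transfer version strings against the fixed builds named in the advisory quoted above, reporting which hosts still need the June 15 patch. The inventory, the hostnames and the decision to flag release branches the advisory does not list for manual review are assumptions made for this example.

```python
import re

# Fixed builds per release branch, taken from the advisory text quoted above:
# anything released before these on the same branch is affected by
# CVE-2023-35708 and needs the June 15 patch.
FIXED_BUILDS = {
    (2021, 0): (2021, 0, 8),
    (2021, 1): (2021, 1, 6),
    (2022, 0): (2022, 0, 6),
    (2022, 1): (2022, 1, 7),
    (2023, 0): (2023, 0, 3),
}

# Year-based form only (e.g. 2023.0.3).  The advisory also quotes legacy
# numbers such as 15.0.3 in parentheses; those are reported as unparseable
# here rather than guessed at.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'YYYY.minor.patch' into an int tuple; ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return one of:
       'patched'         at or above the fixed build for its branch
       'needs-june-15'   on a listed branch but below the fixed build
       'unlisted-branch' branch not named in the advisory; review manually
                         (assumption: treated as needing attention, not safe)
    """
    v = parse_version(version_text)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return "unlisted-branch"
    return "patched" if v >= fixed else "needs-june-15"


def triage(inventory):
    """inventory: {hostname: version string}.  Returns {status: [hosts]},
    hosts sorted by name so the report is stable between runs."""
    report = {"patched": [], "needs-june-15": [],
              "unlisted-branch": [], "unparseable": []}
    for host, ver in sorted(inventory.items()):
        try:
            report[assess(ver)].append(host)
        except ValueError:
            report["unparseable"].append(host)
    return report


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mft-01": "2023.0.3",   # exactly the fixed build
    "mft-02": "2023.0.2",   # one below the fixed build
    "mft-03": "2022.1.7",
    "mft-04": "2022.1.5",   # below the fixed build for the 2022.1 branch
    "mft-05": "2021.0.8",
    "mft-06": "2020.1.6",   # branch not named in the advisory
    "mft-07": "15.0.3",     # legacy numbering, not handled by this parser
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```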

There is a lot of information coming out about these bugs, but cybersecurity firm Rapid7 has a detailed timeline of events, up until this new information.

May 27-28: Rapid7 services teams have so far confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively).

May 31: Progress Software publishes an advisory on a critical SQL injection vulnerability in their MOVEit Transfer solution.

May 31: Rapid7 begins investigating exploitation of MOVEit Transfer.

June 1: Rapid7 publishes initial analysis of MOVEit Transfer attacks after responding to incidents across multiple customer environments.

June 1: The security community publishes technical details and indicators of compromise.

June 1: Compromises continue; Rapid7 responds to alerts.

June 1: CISA publishes Security Advisory.

June 2: CVE-2023-34362 is assigned to the zero-day vulnerability.

June 2: Mandiant attributes the attack to a threat cluster with unknown motives.

June 2: Velociraptor releases an artifact to detect exploitation of MOVEit File Transfer critical vulnerability.

June 4: Rapid7 publishes a method to identify which data was stolen.

June 4: Nova Scotian government discloses it is investigating privacy breach.

June 5: Microsoft attributes the attack to Lace Tempest, a Cl0p ransomware affiliate that has previously exploited vulnerabilities in other file transfer solutions (e.g., Accellion FTA, Fortra GoAnywhere MFT).

June 5: UK companies BA, BBC, and Boots disclose breaches as victims in MOVEit File Transfer.

June 5: Cl0p ransomware group claims responsibility for the zero-day attack.

June 6: Security firm Huntress releases a video allegedly reproducing the exploit chain.

June 6: The Cl0p ransomware group posts a communication on their leak site demanding that victim organizations contact them by June 14 to negotiate extortion fees in exchange for the deletion of stolen data.

June 7: CISA publishes #StopRansomware Cybersecurity Advisory regarding MOVEit File Transfer Vulnerability CVE-2023-34362.

June 9: Progress Software updates advisory to include a patch for a second MOVEit Transfer Vulnerability, which was uncovered by Huntress during a third-party code review. The vulnerability is later assigned CVE-2023-35036.

June 12: Rapid7 releases a full exploit chain for MOVEit Transfer Vulnerability CVE-2023-34362.

Organizations impacted should consult Progress Software, their cybersecurity services provider, and CISA for more information.

June 2023 Patch Tuesday: Exchange Server, SharePoint, PGM
https://mytechdecisions.com/network-security/june-2023-patch-tuesday-exchange-server-sharepoint-pgm/
Tue, 13 Jun 2023 19:14:23 +0000

Microsoft has released fixes for about 70 vulnerabilities in its June 2023 Patch Tuesday release, and while none are listed as being actively exploited or publicly known, there are still a handful of critical-rated vulnerabilities that IT admins should prioritize this month.

That list of bugs that should be prioritized includes two remote code execution vulnerabilities in Microsoft Exchange Server, an elevation of privilege bug in Microsoft SharePoint, a trio of remote code execution flaws in Windows Pragmatic General Multicast, and a handful of others.

Based on input from security researchers at Zero Day Initiative (ZDI), Tenable, Immersive Labs and others, here is a look at the vulnerabilities that warrant more attention in the June 2023 Patch Tuesday release.

CVE-2023-32031 – Microsoft Exchange Server Remote Code Execution Vulnerability

If this looks familiar, you aren’t alone. Microsoft has issued fixes for a number of Exchange Server remote code execution bugs in recent years, and this one is a bypass of fixes for CVE-2022-41082 and CVE-2023-21529, with the latter listed as being under active exploitation.

This vulnerability exists within the Command class, and the issue results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. This bug requires the attacker to have an account on the Exchange server, but successful exploitation could lead to executing code with SYSTEM privileges.

CVE-2023-28310 – Microsoft Exchange Server Remote Code Execution Vulnerability

This is the other Exchange RCE bug listed this month, and like its twin it is rated important but considered more likely to be exploited. It also requires the attacker to be authenticated, so valid credentials are needed.

According to researchers, both Exchange Server bugs closely mirror the vulnerabilities identified as part of the ProxyNotShell exploits. Successful exploitation could result in an attacker gaining access to an organization’s email account, or even the ability to impersonate any user.

Since attackers are adept at stealing valid credentials via phishing attacks, these should not be ignored.

CVE-2023-29357 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

According to researchers, this critical-rated vulnerability is used to bypass authentication due to a flaw within the ValidateTokenIssuer method. Microsoft lists enabling the AMSI feature to mitigate this flaw, but organizations are still urged to deploy the update as soon as possible.

Exploitation is achieved by sending a spoofed JWT authentication token to a vulnerable server, giving the attacker the privileges of an authenticated user on the target, researchers say.

CVE-2023-29363/32014/32015 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

This trio of vulnerabilities, all critical-rated, allows a remote, unauthenticated attacker to execute code on an affected system where the message queuing service is running in a Pragmatic General Multicast (PGM) Server environment. This is the third month in a row that Microsoft has patched a critical-rated bug in this component.

For successful exploitation, a system must have message queuing services enabled.

For further June 2023 Patch Tuesday analysis, consult research blogs from Zero Day Initiative, Tenable, Immersive Labs and others.

Patch FortiGate SSL-VPN Devices Immediately
https://mytechdecisions.com/network-security/patch-fortigate-ssl-vpn-devices-immediately/
Tue, 13 Jun 2023 15:59:33 +0000

Cybersecurity firm Fortinet is warning organizations of a critical vulnerability in its FortiGate SSL-VPN devices, continuing a string of recent exploitations of vulnerabilities in similar devices due to their internet-facing nature and access to a victim’s network.

The vulnerability, tracked as CVE-2023-27997, is a heap-based overflow flaw that could allow a remote attacker to execute arbitrary code or commands via specially crafted requests, says the Sunnyvale, Calif.-based firewall and endpoint security firm.

According to Fortinet, its Product Security Incident Response Team initiated a code audit of the SSL-VPN module following a previous incident in January that also involved exploitation of FortiOS SSL VPN; the audit led to the identification of issues that have been remediated in the company’s patch.

The investigation found that CVE-2023-27997 “may have been exploited in a limited number of cases.”

In its blog post, Fortinet says the attacks resemble the activity of Volt Typhoon, a suspected China-sponsored hacking group that has been targeting critical infrastructure organizations. Fortinet does not go so far as to attribute exploitation of the vulnerability to that group, but it does expect Volt Typhoon and other threat actors to leverage the bug in unpatched software and devices.

FortiGate devices were identified by the U.S. National Security Agency as being targeted by Volt Typhoon as an initial intrusion vector.

Organizations should apply the patch immediately. If they aren’t able to do so, disabling SSL-VPN is a legitimate workaround, the company says.

These devices and other SSL VPN products from Citrix, Pulse Secure and others have been popular targets in recent years, says Satnam Narang, senior staff research engineer at vulnerability management firm Tenable.

According to Narang, these flaws have not only been exploited by ransomware groups but also by nation-state aligned threat actors with a particular focus on flaws in Fortinet devices.

“SSL-VPNs are attractive targets due to their internet-facing nature, providing access to a company’s intranet,” Narang says. “They became even more popular at the beginning of the pandemic, as organizations shifted towards allowing for remote work.”

Narang adds that pre-authentication bugs like CVE-2023-27997 are especially valuable to remote attackers because they don’t need to have valid credentials.

“Despite patches being available, the inherent value of the flaw remains significant, considering the ongoing success threat actors achieve by exploiting known, unpatched vulnerabilities,” Narang says. “It’s not a question of ‘if’, but rather ‘when’ a public proof-of-concept exploit for this flaw is made public, that we can expect more widespread scanning and exploitation of vulnerable assets.”

Barracuda: Replace Compromised ESG Appliances Immediately
https://mytechdecisions.com/network-security/barracuda-replace-compromised-esg-appliances-immediately/
Mon, 12 Jun 2023 13:30:51 +0000

[Editor’s Note: This article has been updated to reflect Barracuda Networks’ official statement.]

Barracuda Networks is urging organizations with Email Security Gateway appliances impacted by a remote command injection bug in the devices to replace them, even if they were patched.

The company’s recommendation comes after Barracuda was first alerted to anomalous traffic coming from Email Security Gateway (ESG) appliances on May 18, which prompted the company to begin an investigation with the help of cybersecurity firm Mandiant.

This week, Barracuda updated its notice, urging customers with impacted ESG appliances to replace them regardless of their patch version level.

“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company says in its advisory.

According to the advisory, Barracuda identified a remote command injection vulnerability in its ESG appliance one day after discovering the anomalous traffic and engaging Mandiant. A patch was released the following day, May 20, but the patch is apparently not enough to prevent compromise of the affected devices.

The company is also releasing a “series of security patches” to all appliances.

Exploitation for 10 months

Alarmingly, Barracuda and other cybersecurity firms say exploitation of these ESG appliances dates back to October 2022.

According to Barracuda, the vulnerability existed in a module that initially screens the attachments of incoming emails. The bug was leveraged to obtain unauthorized access to a subset of ESG appliances, and malware that gives attackers a backdoor was identified on a subset of those appliances.

Evidence of data exfiltration was also identified, the company says.

The company notified users with impacted appliances to take action, but “additional customers may be identified in the course of the investigation,” the firm says.

About the vulnerability and malware

According to Barracuda, the vulnerability, CVE-2023-2868, stems from “incomplete input validation of user supplied .tar files as it pertains to the names of files contained within the archive.”

This allows a remote attacker to format file names in a particular manner that would result in “remotely executing a system command through Perl’s qx operator with the privileges of the Email Security Gateway product,” the company says.

Barracuda also identified three malware strains that make the backdoor possible.
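Barracuda has not published the affected code, so the check below is an added illustration rather than the appliance's own logic. It shows the kind of allow-list validation the advisory describes as incomplete: every member name in an uploaded tar archive is inspected, and any name that is not a plain relative path of ordinary characters is rejected before it can reach anything that evaluates shell syntax (the advisory names Perl's qx operator; the example is in Python, and the sample archive is constructed inline).

```python
"""Added example, not Barracuda's code: allow-list validation of tar member names.

The archive and its member names are constructed here for the demonstration;
no real files are read or written.
"""
import io
import re
import tarfile

# Allow-list: letters, digits, dot, underscore, hyphen and '/'.  Everything a
# shell treats specially (space, ; | & $ ` ( ) < > * ? quotes, backslash) is
# outside this set, so a name that passes cannot carry shell syntax into a
# command-evaluating call.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9._/-]+")


def is_safe_member_name(name: str) -> bool:
    """Return True only for short, relative, traversal-free, allow-listed names."""
    if not name or len(name) > 255:
        return False
    parts = name.split("/")
    if name.startswith("/") or ".." in parts or "" in parts[1:]:
        return False  # absolute path, directory traversal, or empty component
    return ALLOWED_NAME.fullmatch(name) is not None


def unsafe_members(archive: bytes) -> list[str]:
    """List the member names in a tar archive that fail the allow-list check.

    Only the headers are read; nothing is extracted, so a hostile name cannot
    do anything on its way through this function.
    """
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if not is_safe_member_name(m.name)]


def build_sample_archive() -> bytes:
    """Constructed test data: one benign name and three names that must be rejected."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in (
            "report.pdf",            # benign
            "invoice (final).pdf",   # spaces and parentheses
            "report.pdf;echo",       # shell command separator
            "../etc/passwd",         # directory traversal
        ):
            data = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for rejected in unsafe_members(build_sample_archive()):
        print(f"rejected member name: {rejected!r}")
```

The design choice is an allow-list rather than a denylist of shell metacharacters: a denylist has to enumerate every construct every shell understands, while an allow-list only has to describe the small set of names the gateway actually needs to accept. Whatever the validation looks like, the name should still never be interpolated into a shell command; pass it as an argument list instead.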

Recommendations

Barracuda recommends that organizations with ESG appliances ensure the devices are receiving and applying updates and security patches, but it also recommends that organizations discontinue use of compromised ESG appliances and contact Barracuda support to obtain a new ESG virtual or hardware appliance.

In addition, organizations should rotate any applicable credentials connected to the ESG appliance, including:

  • Any connected LDAP/AD
  • Barracuda Cloud Control
  • FTP Server
  • SMB
  • Any private TLS certificates

Organizations should also review their network logs for any of the indicators of compromise listed in Barracuda’s advisory. They should contact compliance@barracuda.com if any are identified, the firm says.

Barracuda’s official statement

The company’s official statement reads as such:

The latest information related to the Barracuda’s Email Security Gateway (ESG) vulnerability and incident has been published on Barracuda’s Trust Center (https://www.barracuda.com/company/legal). The product CVE is published here: https://nvd.nist.gov/vuln/detail/CVE-2023-2868

An ESG product vulnerability allowed a threat actor to gain access to and install malware on a small subset of ESG appliances. On May 20, 2023, Barracuda deployed a patch to ESG appliances to remediate the vulnerability.

Not all ESG appliances were compromised, and no other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability.

As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability. Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.

We have notified customers impacted by this incident. If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time. Again, only a subset of ESG appliances were impacted by this incident.

Barracuda’s guidance remains consistent for customers. Out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance. If a customer received the User Interface notification or has been contacted by a Barracuda Technical Support Representative, the customer should contact support@barracuda.com to replace the ESG appliance. Barracuda is providing the replacement product to impacted customers at no cost.

If you have questions on the vulnerability or incident, please contact compliance@barracuda.com. Please note that our investigation is ongoing, and we are only sharing verified information.

Barracuda has engaged and continues to work closely with Mandiant, leading global cyber security experts, in this ongoing investigation. 

We will provide updates as we have more information to share.

Cisco Live 2023: Simplified Management, Enhanced Security, AI
https://mytechdecisions.com/it-infrastructure/cisco-live-2023-simplified-management-enhanced-security-ai/
Tue, 06 Jun 2023 18:45:03 +0000

Cisco used its annual Cisco Live event to announce new products and innovations designed to make IT management, security and networking more simplified with the help of artificial intelligence, unified platforms and other enhanced capabilities.

At Cisco Live in Las Vegas, Cisco announced Cisco Networking Cloud for simplified IT management, the security service edge solution Cisco Secure Access, a new Secure Firewall 4200, Cisco Multicloud Defense, Cloud Native Application Security, Full-Stack Observability, a generative AI-powered security assistant and a new Webex device.

Cisco Networking Cloud

Cisco announced its vision for the Cisco Networking Cloud: to simplify network management via a single platform experience for seamlessly managing all networking domains.

New innovations include single sign-on, an API key exchange/repository, sustainable data center networking solutions and expanded network assurance with Cisco ThousandEyes.

Cisco says Networking Cloud will “dramatically simplify IT” with a more flexible Cisco Catalyst switch stack, improved visibility into data center power and energy consumption and new AI data center blueprints to improve performance and visibility for network operations.

Security enhancements

Cisco announced several new security tools and enhancements, including a new security service edge solution for hybrid work security, generative AI capabilities and innovations across firewall, multicloud and application security.

The company during its Cisco Live event announced its first generative AI capabilities in the Security Cloud, including an AI-powered Policy Assistant designed to help security and IT administrators describe granular security policies and evaluate how best to implement them across different aspects of their security infrastructure. It will be available later this year.

Cisco also announced a new SOC Assistant, available by the end of the year, to help support SOC analysts and detect and respond to threats faster by contextualizing events across email, web, endpoints and the network to tell the analyst what happened and the impact.

In addition, Cisco announced the Cisco Secure Firewall 4200 Series, featuring AI- and ML-based blocking of encrypted threats without decryption, complete threat inspection and policy for each individual application, and simplified branch routing. The Secure Firewall 4200 Series appliance will be generally available in September 2023 running version 7.4 of the operating system. The 7.4 OS will be generally available for the rest of the Secure Firewall appliance family in December 2023.

Cisco also announced new capabilities in Panoptica, the company’s cloud-native application security solution, including Cloud Security Posture Management, a new attack path engine and an integration with Cisco’s Full Stack Observability portfolio.

Full-Stack Observability

The company also used its Cisco Live event to announce the general availability of its Full-Stack Observability (FSO) platform to give customers the ability to develop and grow an application ecosystem built on an open, extensible architecture, including new use cases in a single consumption model. Additionally, Cisco’s new bi-directional integration between AppDynamics and ThousandEyes drives powerful customer digital experience monitoring and closes observability gaps with rapid actionable recommendations and insights, the company says.

Room Bar Pro

Also at Cisco Live, Cisco announced the Room Bar Pro, a new easy-to-deploy video bar with “significant processing power, more connections, touch screen integration, and all of the advanced AI capabilities built into (Cisco’s) RoomOS platform.”

Cisco says the Room Bar Pro, built on an NVIDIA processor, is optimized for medium workspaces (5-12 seats) of varying shapes. The device also features a dual camera system that reaches further and wider and frames everyone in the room in ultra-high quality, even when participants are sitting at the ends of the table.

Email Attacks are Evading Security Protections. Here’s How Security Teams Should Respond.
https://mytechdecisions.com/network-security/email-security-sophisticated-threats/
Tue, 06 Jun 2023 12:00:15 +0000

Instances of business email compromise (BEC) – a targeted form of phishing in which attackers try to scam companies out of money or goods or trick employees into giving up sensitive info – have continued to increase, causing devastating impacts. Last year, the FBI’s Internet Crime Complaint Center (IC3) reported $43 billion of global exposed losses due to BEC between 2016 and 2021.

Additionally, a Data Breach Investigations Report from Verizon showed that web applications and email are the top two vectors for breaches. Because they’re often internet-facing, web apps and email can provide a useful avenue for attackers to try and slip through an organization’s perimeter – and their tricks are only growing more sophisticated.

So what can security teams and end users do to combat these increasingly sophisticated email threats? Here are a few tips on how to keep email attacks from getting through.

Watch out for evolving phishing attempts

Many successful email compromises can be attributed to phishing attacks becoming more advanced. Historically, BEC would entail a bad actor stealing a user’s alias and password – maybe by sending them a fake Office or Google login form to fill out – and hoping they don’t encounter multifactor authentication (MFA), which would stop the attack.

However, the last few years have seen new approaches, like an increase in the use of social engineering to secure MFA tokens, where bad actors trick users into providing their one-time MFA passcode. The attacker may try push bombing, where they spam the end user with notifications to authenticate until the user finally accepts it out of fatigue. Or they may use newer malicious proxies and tools that adopt the traditional phishing approach of stealing a username and password by sending a fraudulent link for the user to click. But these proxies can bypass MFA by completing the entire authentication transaction and securing an authenticated session.

Unfortunately, all these new approaches and commoditized tools mean BEC continues to be a lucrative attack vector for malicious actors. With defense often one step behind, end users must stay vigilant. Whenever something looks suspicious, rely on other communication channels to confirm a message’s legitimacy before carrying out an action that could be damaging to you or your organization.

Adopt a layered security approach

There is no magic bullet to cybersecurity; you can’t rely on a single control, policy, or training session for end users. Therefore, a layered approach with various tools, procedures, and training is necessary to be effective. Should one layer fail, another will be there to pick up the slack.

Security teams must identify the technical controls they can implement to minimize the impact of phishing in the instance that an attack gets through. A DNS firewall prevents network users and systems from connecting to known malicious internet locations and can effectively neutralize links to a bad destination. To combat malware, proactive anti-malware tools can monitor unusual behavior (instead of using signature-based detection) to identify malicious software and keep it from infecting computers and other devices.

Make sure to employ tools that can quickly identify and respond to attacks that slip through the cracks. Strong endpoint detection and response (EDR) tools can enhance visibility within your network to detect malicious activity and act on it before the incident grows. Finally, leverage MFA, as it remains the single best measure a security team can implement to protect against authentication attacks. Reinforce MFA with social engineering training for end users so that this line of defense remains strong.

Build a security-first culture

Most security professionals understand that no defense is perfect, especially with human behavior involved. They recognize the need for security awareness training since a successful attack is often the result of human error. The importance of training only grows as the methods for deceiving end users continue to evolve.

Security teams must continuously train users to be hyper-aware of business email compromise. Put a heavy emphasis on email phishing, spear phishing and social engineering. Since many attacks can come from vectors beyond email – via text message, over WhatsApp or other messaging applications, or voice calls via deepfake software – it’s important that users understand the entire range of threats.

Building a culture that promotes security awareness and in which users are comfortable coming to the IT team to flag an issue or suspicious activity is key. If a user is the victim of a phishing attempt, empower them to quickly notify IT so the threat can be addressed swiftly. Shaming them will only have negative consequences. You don’t want a user to hide a mistake they made, resulting in further risk of damage to the organization. Create a culture where users feel they are part of the security team and on the lookout for phishing attempts and malicious activity. More watchful eyes will create strength in numbers.

A skeptical mindset is a necessary tool in the current threat landscape. A bad actor will often compromise the account of a familiar party like a co-worker, partner, or vendor and use that in a phishing attempt. Remember: A message that appears to be from a trusted source isn’t always a trusted message. Take an extra second to double-check suspicious requests and cover your bases. Staying alert is the best protection you can have.

When it comes to email or other messaging-based cybersecurity threats, the reality is you will never get the click rate down to zero. But your security team should focus on getting your click rate as low as possible so your technical controls can pick up the slack wherever it’s needed.

______________________________________________________________________________________________________________________________________

Trevor Collins is a Network Security Engineer at WatchGuard Technologies.
