Manoharan Mudaliar

Cyber Security Consultant

Situations Where You Should Consider Penetration Testing

Panic after a cyber attack

In this age of change and progress, cyber threats continue to evolve rapidly. Cyber attackers use experience from previous attacks and knowledge of current deficiencies to come up with new and unique methods of breaking through the digital barriers in place within most firms. The shift of cyber criminals away from their original modes of attack has found most companies unprepared, which helps explain the increase in cyber attacks and the punitive damages suffered as a result.

In this war between prevention and damages, penetration testing comes as the perfect tool for checking vulnerabilities and patching up gaps in your endpoint systems/firewall. Penetration testing is conducted by professional ethical hackers, as a method designed to assist organizations in identifying hidden vulnerabilities in their applications, systems and networks.

While penetration testing has proven itself to be a worthwhile assessment technique, there seems to be confusion over the frequency of these tests. We believe that every organization should commission pen testing at least once a year, while larger businesses should conduct these tests at least quarterly.

It is, however, also necessary for businesses to consider events around them and commission testing if they feel the need for it. Research and real-life experiences have proven that unplanned penetration tests happen to be a lot more effective than planned penetration tests.

In this blog we look at certain situations where you should consider penetration testing. Be ready for these scenarios and perform penetration testing to unearth basic vulnerabilities.

After Significant Infrastructure Changes

Growth almost always comes with change. As organizations grow, they change; from the culture inside the workplace to the IT environment, everything evolves with growth and time. The breakneck pace at which organizations are adopting cloud technology, the rise of BYOD, the increase in remote working technologies and the proliferation of IoT devices are some of the changes creating new and advanced network security risks. Changes created as part of the adoption and implementation process of new IT platforms can make your systems more vulnerable to cyber attacks.

Organizations that have recently made significant changes to their cloud, hybrid or on-premises infrastructure should keep security assessments at the front of their minds. Your IT assets are usually left vulnerable after such key changes, which is why you should perform penetration testing in these scenarios to ensure that all vulnerabilities are assessed and the security of every asset is appropriately configured.

Penetration testing should also be seriously considered after you have installed new security technologies in your organization. Scenario based testing can help outline vulnerabilities in your system and can also help improve the effectiveness of your cyber security defenses. The ultimate goal is an overall improvement in how you handle threats and safeguard your systems.

When Launching a New Service, Product or Application

Launching a new service or a product can itself be a daunting task for any organization. The entire process of R&D coupled with financial investments can exhaust you and your team. However, rushing to the market with your new service, product or application can prove to be a costly mistake, especially if you haven’t taken all necessary security precautions.

Web application testing should be an integral part of your Quality Assurance process. Most organizations rush into launching new products or services and eventually go through the hassle and embarrassment of bad publicity when vulnerabilities in the new website or application are exploited by cyber attackers.

Penetration testing can help uncover all software vulnerabilities related to data authentication, encryption, input validation and session management before the product or service is officially launched. Testing should also be commissioned before you release major app or product updates. Testing will help unearth any and all vulnerabilities in them and would allow you to rectify them before you suffer some actual damage.

When Going Through a Business Acquisition or Merger

Most mergers and acquisitions affect IT environments in more ways than one. The IT environments of both firms go through unprecedented change at a rapid pace, and a huge volume of digital assets changes hands during the process. Since the stakes are high, it is only reasonable for both firms involved in the deal to make testing a vital part of the entire merger and acquisition process.

A vast amount of confidential and important data is shared between both parties during a merger or acquisition. Data security is often neglected at this stage; make it a priority during the process. Penetration testing should be conducted both before and after the merger or acquisition, so that confidential consumer data and your digital assets are safeguarded at this crucial juncture. A cyber attack that occurs during the merger and acquisition process can damage not only the deal, but also the reputation and value of the organizations involved.

When Working Toward Regulatory Compliance

Regardless of the industry you operate in or the region you currently serve, serious sanctions await you if you do not take the required steps toward improving security. The Data Protection Act 2018 and the GDPR show the hard line most regulators are now willing to take toward organizations that are not sincere in their efforts to secure and safeguard confidential consumer personal and financial data.

Most organizations today realize the importance of compliance and the bad press they might receive if they fail to adhere to the regulations in place. Almost all data security regulations and guidelines make it necessary for organizations to perform regular security assessments. Security assessments can unearth possible vulnerabilities in your system. The vulnerabilities found through penetration testing methods can then be addressed to eventually improve how your company responds to cyber attacks.

GDPR and PCI DSS are current regulations in place within Europe and the United Kingdom, which require organizations to safeguard cardholder data at all times to avoid penalties that come with non-compliance. These regulations clearly require firms to assess their security protocols on an annual basis.

When Implementing Remote Systems

With the COVID-19 pandemic in full swing, many organizations have had to innovate and move to a remote model of work. Remote work is the order of the day, as it allows organizations to keep operating even with most employees working from home.

However, remote work comes with a myriad of risks, especially since organizations have had to rush into it. A situation like this definitely warrants penetration testing, as many more vulnerabilities arise from unmonitored endpoint systems being used by workers to access organizational networks from home.

After you deploy an endpoint security system, it is necessary to run a penetration test to determine whether any vulnerabilities have escaped your eye. Negligence now can lead to irreparable damage in the long run.

Reasons to Go for Scenario Based Testing

Scenario based testing is a specialist form of testing that assesses your security networks through ethical hackers. This method of penetration testing can help you find out the effectiveness of your organization’s digital security and can also help drive improvements in threat hunting, incident response and breach detection.

Organizations should use scenario based testing as it gives answers to the following questions:

  • How effective are your current security protocols at detecting, preventing and responding to threats within the system?
  • Are there any blind spots within your network that attackers can persistently exploit?
  • Are sophisticated attacks shut down by your security analysts before they render irreparable damage to your systems?
  • How good is your security team at identifying genuine attacks and differentiating them from false positives? The sheer number of alerts being generated by your security system can lead to alert fatigue, which is why penetration testing helps determine whether your security analysts are still up to the job or if they are burdened by the frequent alerts.
  • Do you have any incident response plan in place for addressing threats and managing possible compromises? A plan of action can help you sail through attacks, even when the tides aren’t in your favor.
  • Do your in-house security personnel and teams have the know-how to contain the damage from breaches and remediate them? Gaps in this regard can compound the damage.

All these questions, when answered, help you identify where you currently stand and the steps that can be taken to improve your network security standing. With the right efforts and tests, you definitely can improve your network security to prevent attacks.

A cyber security consultant can help you perform penetration tests and identify the need for them. I’m a certified information security manager with extensive experience in helping organizations from various industries devise cyber security protocols and measures to ward off sophisticated and invasive cyber threats.


Cisco Releases Major Security Updates on Various Platforms

Cisco's Security Advisory team has released security updates that address vulnerabilities in multiple products.

Summary

Several of these vulnerabilities could allow a remote attacker to take control of an affected system.

Major Affected Software and Appliances

  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software OSPF Packets Processing Memory Leak Vulnerability[1]
  • Cisco ASA Appliance Software and Firepower Threat Defense Software IPv6 DNS Denial of Service Vulnerability[2]
  • Cisco ASA Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability[3]
  • Cisco Adaptive Security Appliance Software Kerberos Authentication Bypass Vulnerability[4]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Path Traversal Vulnerability[5]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SSL/TLS Denial of Service Vulnerability[6]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Malformed OSPF Packets Processing Denial of Service Vulnerability[7]
  • Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Media Gateway Control Protocol Denial of Service Vulnerabilities[8]

Advisory

Review the Cisco advisories for more information and apply the necessary updates.

For detailed information, please visit:

  1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-memleak-DHpsgfnv
  2. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ipv6-67pA658k
  3. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB
  4. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS
  5. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
  6. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ssl-vpn-dos-qY7BHpjN
  7. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ospf-dos-RhMQY8qx
  8. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-mgcp-SUqB8VKH

Reference

https://tools.cisco.com/security/center/publicationListing.x
https://www.us-cert.gov/ncas/current-activity/2020/05/07/cisco-releases-security-updates-multiple-products

COVID-19 CYBER WARNING BY CISA & NCSC

The U.S. Department of Homeland Security (DHS), the United Kingdom’s National Cyber Security Centre (NCSC), and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint statement.

Cyber attackers are targeting healthcare organizations and companies that are offering essential services in the response to the COVID-19 pandemic, nationally and internationally. In light of this cybercriminal activity, the National Cyber Security Centre (NCSC), the Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning and a joint advisory to these organizations.

Ever since the coronavirus outbreak, the risk of Advanced Persistent Threat (APT) actors trying to gain unauthorized access to these organizations’ networks and obtaining confidential COVID-19 data has significantly increased. APT actors may attempt to gather information on international and national policies for the healthcare sector or breach critical research data related to the coronavirus.

APT actors have been using password spraying for many years. It is a technique in which the attacker tries a few common passwords against many accounts across an organization, on the assumption that at least one account will be using one of them. APT groups use this method to gain access to government organizations, law enforcement agencies, research and academic organizations, telecommunication companies, financial institutions, and retail organizations.
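The pattern described above is also what makes password spraying detectable: one source failing against many distinct accounts with only a few attempts each, rather than many attempts on a single account. The following is an added example, not part of the CISA/NCSC advisory, of a detection rule over authentication log lines; the log format, the sample lines, the 30-minute window and the thresholds are all constructed for this illustration.

```python
"""Password-spray detection over authentication log lines.

Added example (not from the CISA/NCSC advisory): the log format, the
thresholds and the sample lines below are constructed for illustration.
A spray shows up as one source failing against MANY distinct accounts with
only a FEW attempts each, unlike a brute force that hammers one account.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-05-07T09:00:01Z FAIL user=alice src=203.0.113.7
2020-05-07T09:00:03Z FAIL user=bob src=203.0.113.7
2020-05-07T09:00:05Z FAIL user=carol src=203.0.113.7
2020-05-07T09:00:07Z FAIL user=dave src=203.0.113.7
2020-05-07T09:00:09Z FAIL user=erin src=203.0.113.7
2020-05-07T09:00:11Z FAIL user=frank src=203.0.113.7
2020-05-07T09:00:13Z OK   user=grace src=203.0.113.7
2020-05-07T09:05:00Z FAIL user=alice src=198.51.100.4
2020-05-07T09:05:02Z FAIL user=alice src=198.51.100.4
2020-05-07T09:05:04Z FAIL user=alice src=198.51.100.4
2020-05-07T09:05:06Z FAIL user=alice src=198.51.100.4
2020-05-07T09:05:08Z FAIL user=alice src=198.51.100.4
2020-05-07T09:05:10Z FAIL user=alice src=198.51.100.4
2020-05-07T10:30:00Z OK   user=bob src=192.0.2.10
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        events.append({
            "ts": datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": match["result"],
            "user": match["user"],
            "src": match["src"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=3):
    """Return one finding per source IP whose failures look like a spray.

    Within any `window`, at least `min_accounts` distinct accounts failed
    and no single account failed more than `max_per_account` times.
    A success from the same source during or shortly after the spray
    escalates the finding, since that account is likely compromised.
    """
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        sprayed, start, last_ts = set(), 0, None
        for end in range(len(fails)):
            # advance the window start until the slice spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                sprayed.update(per_user)
                last_ts = fails[end]["ts"]
        if not sprayed:
            continue  # a brute force on one account is a different signature
        compromised = sorted({
            e["user"] for e in evs
            if e["result"] == "OK" and fails[0]["ts"] <= e["ts"] <= last_ts + window
        })
        findings.append({
            "src": src,
            "accounts": sorted(sprayed),
            "compromised": compromised,
            "severity": "high" if compromised else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

In the constructed sample, 203.0.113.7 is reported as a spray across six accounts with a success for `grace` immediately afterwards (severity high), while 198.51.100.4, which fails six times against `alice` alone, is deliberately not reported by this rule because it is a brute-force signature that belongs to a separate rule with per-account lockout thresholds.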

Microsoft Office 365 Security Best Practices and Recommendations

U.S. Government Issues O365 Security Practices and Recommendations

Summary

The majority of businesses are shifting to Microsoft Office 365 and other cloud services to improve collaboration between their departments and meet the demands of telework. However, due to the rapid deployment of these cloud services, organizations may be overlooking the security considerations that come with these third-party platforms.

Details

There are various security best practices and recommendations available. I strongly recommend fine-tuning them to your deployment and design architecture; one size never fits all. With COVID-19 becoming the new normal for every organization, most work is now carried out from home (WFH).

Microsoft O365 provides cloud-based email, chat and various other cloud applications. While the abrupt shift to work-from-home may necessitate the rapid deployment of cloud collaboration services such as O365, a hasty deployment can lead to oversights in security configuration and undermine a sound O365-specific security strategy.

The following are a few best practices for an O365 deployment:

Best Practices for O365 Deployment

Enable Multi-Factor Authentication for Administrator Accounts

Azure subscribers are, by default, assigned the role of Global Administrator. These administrators have the highest privileges, which permit them to modify every setting in the Azure Active Directory (AD) of an Office 365 environment. They can add new user accounts and modify existing ones, assign roles, reset passwords, and manage licenses and domain names. In an on-premises Active Directory environment, this is similar to the role of a domain administrator.

The Azure Global Administrator accounts are created before any other account so that they can start the tenant configuration and user migration. Multi-factor authentication is not enabled on these Global Administrator accounts by default. Even the newer “secure by default” feature, which enforces the use of multi-factor authentication by administrators, must first be enabled by the subscriber. Because they are cloud-based, the Global Administrator accounts are exposed to the internet. Without this protection they are vulnerable to online attackers, who can compromise them during the user migration to Microsoft Office 365.

Assign Administrator Roles Using Role-Based Access Control (RBAC):

Given the privileges assigned to the Global Administrator role, these accounts should only be used when required. It is best to use specific administrator roles in Azure Active Directory (AD), such as application administrator, application developer and authentication administrator, to avoid or at least minimize the assignment of high-level privileges.

Following the least-privilege principle minimizes the impact of a data breach if an administrator account is compromised. Administrators must be assigned only the permissions their roles and tasks require.

Enable the Unified Audit Log (UAL):

The Unified Audit Log is a logging feature in Microsoft Office 365 that comprises events and data from Exchange Online, Azure Active Directory (AD), SharePoint, OneDrive, Power BI, and the other online services offered by O365. This event log allows administrators to keep an eye on malicious activity and on actions that violate organizational policy. To ensure maximum data protection, make sure the Unified Audit Log is enabled in the Security and Compliance Center.

While not all users have extensive privileges in an Office 365 environment, they can still access information that would be damaging to the business if retrieved by unauthorized parties. Cybercriminals can also compromise user accounts via phishing emails and then reach further into the organization's cloud environment via the applications and features the compromised account has access to.

Disable Legacy Protocol Authentication When Appropriate

Azure Active Directory (AD) is the authentication service that Office 365 uses for its email service, Exchange Online. It supports a variety of legacy mail protocols, including:

  • Post Office Protocol (POP3)
  • Simple Mail Transfer Protocol (SMTP)
  • Internet Message Access Protocol (IMAP)

However, these protocols do not support modern multi-factor authentication, because they are used with older email clients. Tenants can disable the legacy mail protocols at any time. However, where older email clients are still necessary for the business, the legacy protocols are typically left enabled, since disabling them would break those clients. This leaves the affected email accounts with only a username and password as the sole method of authentication and increases the risk of internet-based attacks.

One way of handling this security issue is to inventory all the user email accounts that still require a legacy protocol and authorize only those accounts to use it. Conditional Access policies in Azure Active Directory can then be used to minimize the number of users allowed to authenticate with the legacy mail protocols. Taking these measures will significantly decrease an organization’s exposure to cyberattacks.
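The three controls described so far (MFA for administrator accounts, least-privilege role assignment and a legacy-protocol allow list) are easier to get right in Conditional Access if the decision logic is written down first. The following is an added example, not Microsoft's code and not an Azure AD API, that models that logic over a constructed tenant: the role names, the protocol labels and every account below are assumptions made for the illustration.

```python
"""Sign-in policy model for MFA, least privilege and legacy-protocol allow lists.

Added example, not Microsoft's code or an Azure AD API: it models
(1) MFA for administrator accounts, (2) least-privilege role assignment
and (3) legacy mail protocols limited to an allow list, so the logic can
be reasoned about before it is expressed as Conditional Access policies.
Role names, protocol labels and all accounts below are constructed.
"""
from dataclasses import dataclass

# Protocols that cannot carry MFA; these labels are assumptions for this model
LEGACY_PROTOCOLS = {"POP3", "IMAP", "SMTP-AUTH"}
# Directory roles treated as privileged in this model
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}


@dataclass
class Policy:
    roles: dict                  # user -> set of directory roles
    legacy_allowlist: set        # accounts that still need a legacy client
    approved_global_admins: set  # the only accounts that should hold Global Administrator


@dataclass
class SignIn:
    user: str
    protocol: str        # "Modern" or one of LEGACY_PROTOCOLS
    mfa_satisfied: bool


def is_privileged(user, policy):
    return bool(policy.roles.get(user, set()) & PRIVILEGED_ROLES)


def evaluate(signin, policy):
    """Return (decision, reason): allow, challenge (prompt for MFA) or deny."""
    if signin.protocol in LEGACY_PROTOCOLS:
        # A legacy protocol can never satisfy MFA, so it is never acceptable
        # for a privileged account, and only for explicitly listed others.
        if is_privileged(signin.user, policy):
            return "deny", "legacy protocol never permitted for privileged accounts"
        if signin.user not in policy.legacy_allowlist:
            return "deny", f"{signin.protocol} not on the allow list for {signin.user}"
        return "allow", "legacy protocol permitted by allow list (password only)"
    if not signin.mfa_satisfied:
        return "challenge", "MFA required before access is granted"
    return "allow", "modern authentication with MFA satisfied"


def audit_roles(policy):
    """Least-privilege checks over the role assignments; returns findings."""
    findings = []
    for user, roles in policy.roles.items():
        if "Global Administrator" in roles and user not in policy.approved_global_admins:
            findings.append(f"{user}: holds Global Administrator but is not an approved holder")
        if roles & PRIVILEGED_ROLES and user in policy.legacy_allowlist:
            findings.append(f"{user}: privileged account must not be on the legacy-protocol allow list")
    return findings


# Constructed sample tenant: one approved admin, one service account that
# was wrongly given Global Administrator and a legacy-protocol exemption.
SAMPLE_POLICY = Policy(
    roles={
        "admin.jane@corp.example": {"Global Administrator"},
        "svc.backup@corp.example": {"Global Administrator"},
        "helpdesk.tom@corp.example": {"Authentication Administrator"},
    },
    legacy_allowlist={"scanner@corp.example", "svc.backup@corp.example"},
    approved_global_admins={"admin.jane@corp.example"},
)

SAMPLE_SIGNINS = [
    SignIn("scanner@corp.example", "IMAP", False),
    SignIn("bob@corp.example", "IMAP", False),
    SignIn("svc.backup@corp.example", "IMAP", False),
    SignIn("admin.jane@corp.example", "Modern", True),
    SignIn("helpdesk.tom@corp.example", "Modern", False),
]

if __name__ == "__main__":
    for signin in SAMPLE_SIGNINS:
        print(signin.user, signin.protocol, *evaluate(signin, SAMPLE_POLICY))
    for finding in audit_roles(SAMPLE_POLICY):
        print("AUDIT:", finding)
```

The audit pass is what catches the configuration drift the text warns about: the backup service account ends up with Global Administrator and a legacy-protocol exemption at the same time, which would leave a password-only path into the most privileged role in the tenant. The evaluator refuses that combination regardless of the allow list, and the audit reports it so the role assignment can be corrected.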

Enable Alerts for Suspicious Activity

Enabling alerts alongside the Unified Audit Log (UAL) in a Microsoft Office 365 environment greatly improves an organization’s ability to pinpoint malicious activity within its cloud. Alerts configured in the Security and Compliance Center fire whenever an abnormal event is identified. Organizations are advised to at least enable alerts for suspicious logins, such as those from unrecognized IP addresses, and for user accounts that exceed the benchmark set for sent emails.

Incorporate Microsoft Secure Score

Microsoft also offers a built-in feature called the Microsoft Secure Score, which measures an organization’s security condition relative to the Office 365 services it uses and offers recommendations for improvements and upgrades.

Though the recommendations offered by this tool do not provide information on all aspects of security configuration, it’s still beneficial for organizations because Office 365 keeps upgrading and adding to its offerings. Microsoft Secure Score provides a centralized dashboard to organizations for timely tracking of activities and enhancing compliance and security within the Office 365 environment.

Combine Audit Logs With Current Security Information and Event Management (SIEM) Tool:

Organizations must integrate their existing log management and monitoring solutions with the O365 Unified Audit Log (UAL). This lets them detect unusual activity on-premises and correlate it with potentially anomalous activity in the Office 365 environment, and vice versa.
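As an added example (not Microsoft's alerting and not a SIEM product), the block below implements the two alerts recommended in the "Enable Alerts for Suspicious Activity" section, logins from unrecognized IP addresses and accounts exceeding a sent-mail benchmark, and then performs the cross-signal correlation that the SIEM integration above is meant to enable. The records are constructed in the shape of UAL entries (`CreationTime`, `Operation`, `UserId`, `ClientIP`); the corporate IP ranges and the sent-mail benchmark are assumptions for the illustration.

```python
"""Alert rules over Unified Audit Log style records, plus SIEM-style correlation.

Added example, not Microsoft's alerting or a SIEM product: the records are
constructed in the shape of UAL entries (CreationTime, Operation, UserId,
ClientIP); the corporate IP ranges and the sent-mail benchmark are
assumptions for this illustration.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed corporate egress ranges; any other source is "unrecognized"
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Constructed benchmark for messages sent per user in the reporting window
SENT_MAIL_BENCHMARK = 3

# Constructed sample records: alice behaves normally, bob logs in from an
# unknown address and then sends a burst of mail, carol's record carries a
# junk ClientIP and dave's has none at all (both must not crash the rules).
SAMPLE_RECORDS = [
    {"CreationTime": "2020-05-07T08:01:00", "Operation": "UserLoggedIn", "UserId": "alice@corp.example", "ClientIP": "192.0.2.15"},
    {"CreationTime": "2020-05-07T08:02:00", "Operation": "Send", "UserId": "alice@corp.example", "ClientIP": "192.0.2.15"},
    {"CreationTime": "2020-05-07T08:10:00", "Operation": "UserLoggedIn", "UserId": "bob@corp.example", "ClientIP": "203.0.113.9"},
    {"CreationTime": "2020-05-07T08:11:00", "Operation": "Send", "UserId": "bob@corp.example", "ClientIP": "203.0.113.9"},
    {"CreationTime": "2020-05-07T08:11:30", "Operation": "Send", "UserId": "bob@corp.example", "ClientIP": "203.0.113.9"},
    {"CreationTime": "2020-05-07T08:12:00", "Operation": "Send", "UserId": "bob@corp.example", "ClientIP": "203.0.113.9"},
    {"CreationTime": "2020-05-07T08:12:30", "Operation": "Send", "UserId": "bob@corp.example", "ClientIP": "203.0.113.9"},
    {"CreationTime": "2020-05-07T08:20:00", "Operation": "UserLoggedIn", "UserId": "carol@corp.example", "ClientIP": "not-an-address"},
    {"CreationTime": "2020-05-07T08:21:00", "Operation": "UserLoggedIn", "UserId": "dave@corp.example"},
]


def ip_is_known(ip):
    """True only for a parseable address inside one of the known networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def unrecognized_logins(records):
    """Rule 1: logins from outside the known ranges, or with no usable IP."""
    alerts = []
    for record in records:
        if record.get("Operation") != "UserLoggedIn":
            continue
        ip = record.get("ClientIP", "")
        if not ip_is_known(ip):
            alerts.append({"rule": "unrecognized_login", "user": record["UserId"],
                           "detail": ip or "<missing ClientIP>"})
    return alerts


def excessive_senders(records, benchmark=SENT_MAIL_BENCHMARK):
    """Rule 2: users whose Send operations exceed the benchmark."""
    sent = Counter(r["UserId"] for r in records if r.get("Operation") == "Send")
    return [{"rule": "excessive_send", "user": user, "detail": f"{count} sent > {benchmark}"}
            for user, count in sent.items() if count > benchmark]


def correlate(alerts):
    """SIEM-style correlation: a user hit by both rules is a likely compromised mailbox."""
    rules_by_user = defaultdict(set)
    for alert in alerts:
        rules_by_user[alert["user"]].add(alert["rule"])
    return [{"rule": "possible_mailbox_compromise", "user": user,
             "detail": "unrecognized login and excessive sending"}
            for user, rules in rules_by_user.items()
            if {"unrecognized_login", "excessive_send"} <= rules]


def run_rules(records):
    """Run both base rules, then add any correlated findings."""
    alerts = unrecognized_logins(records) + excessive_senders(records)
    return alerts + correlate(alerts)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_RECORDS):
        print(alert)
```

A missing or unparseable `ClientIP` is treated as unrecognized rather than silently skipped, since a record that cannot be attributed to a known network deserves a look just as much as one from an unknown address. The correlation rule is deliberately separate from the base rules so that it can run over alerts from the on-premises side as well once those are normalized into the same shape.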

It’s highly recommended that organizations practice the following measures:

  • Enable multi-factor authentication (MFA). This is one of the most effective mitigations against credential theft for administrators and users in the O365 environment.
  • Secure Azure AD Global Administrators from cyberattacks and follow the principle of least privilege.
  • Enable the Unified Audit Log (UAL) in the Security and Compliance Center.
  • Enable alerts so that malicious logins and emails can be acted on proactively.
  • Integrate with the organizational SIEM solution.
  • Disable legacy email protocols if they are not required, or limit their use to specific users.

What is IT-Governance Risk Compliance

Other than providing solutions in the form of quality products and services, a business’s primary purpose of existence is profitability. Yet, to make such profits, businesses need excellent administration. Organizations with strong leadership and administration are observed to accomplish their objectives. Additionally, organizations need an effective risk mitigation plan. In the corporate landscape, risks are inescapable: every organization, whether a small startup or a large enterprise, has to face them.

What makes them different is how they deal with these risks and manage to thrive. Also, organizations need to comply with the legal regulations and their policies. Businesses can only succeed if they operate in a disciplined manner. With these three factors consolidated, businesses increase their chances of achieving their short-term and long-term objectives.

If a business follows the framework of Governance Risk Compliance (GRC), it’s an indication that they have good governance and leadership, an efficient plan for risk management and mitigation, and abide by the country laws and state regulations.

What Is Governance Risk and Compliance (GRC)?

In the corporate world, the term Governance Risk and Compliance (GRC) refers to a company’s governance, its risk mitigation, and its compliance with the law. These three factors are focused on helping organizations accomplish their goals. It’s an organized approach to managing primary business operations, and if planned well, it can lead to handsome revenues and profits.

However, if this approach isn’t appropriately integrated within an organization, it won’t prove to be effective in goal achievement.

Let’s dive deeper into the basic concept of each factor.

Governance

This refers to the business management approach used by senior officials. It ensures that all company frameworks are in line with the company’s short-term and long-term goals. A company without good governance cannot fully execute the other two facets of GRC. This approach also ensures that every piece of information received by the senior executives is factual and error-free, so it can be used to make the decisions critical for accelerating business growth.

Risk Alleviation

This factor refers to every activity that helps identify and analyze potential risks that may keep an organization from accomplishing its objectives and goals. Organizations have a wide range of risks that may influence their operations. However, the effect of these risks on an organization’s existing position will vary in general.

Compliance

The last facet of the GRC framework refers to an organization’s compliance with its internal policies and state regulations and legal obligations. Here, the company’s management focuses on determining whether their organization is abiding by statutory and internal requirements. The management must also consider the potential repercussions of non-compliance with these prerequisites and devise remedial measures accordingly. Additionally, they must be informed about any changes in the laws on a national and state level.

Though every employee of a company is responsible for the execution of the GRC framework, it mostly depends on the top level of the hierarchy. This is because they are required to regulate and monitor the business, establish realistic goals, and make critical business decisions.

What is Information Technology (IT) GRC?

It is a framework that enables a company’s IT department to move the business forward and accomplish its goals while conforming to all the applicable rules. In simpler terms, IT GRC is the application of information technology to the better management of governance, risk, and compliance at an organizational level. Many businesses already use this framework to boost their profitability and achieve their targets. A simple example of IT GRC is the use of a spreadsheet for data entry, storage, and analysis.

How Is IT GRC Beneficial for Organizations?

Other than the automation of regular business tasks, IT GRC offers the following advantages to companies:

Information Security

Cybersecurity is one of the significant benefits of implementing the IT GRC framework in an organization. Cybercrime has surged significantly in the past few years, and the threat has prompted businesses to reconsider their data security policies. In the current corporate landscape, an effective cybersecurity program is a regulatory mandate.

Timely Analysis of All Business Reports

IT GRC enables businesses to generate updated reports on the organization’s operations and workflow. Reporting analysis is especially helpful when businesses want to observe how well a particular change in the policies has been implemented throughout the organization.

Ease of Information Collection

By automating the regular tasks, IT GRC makes it easier for businesses to assemble data. It allows management to circulate surveys and questionnaires electronically via the company’s email and collect all the responses. This is a hassle-free approach that costs significantly less and requires little time for data analysis.

Boost Business Profits:

Companies that deploy the IT GRC framework tend to operate more efficiently. They can extract useful information from their data in no time and implement useful insights to stay ahead of their competition. Furthermore, they promptly update their policies and operations according to the changing state laws, which leads to higher customer trust, and ultimately, improved revenues.

Efficient Allocation of Resources

With the IT GRC framework’s help, companies can identify the grey areas, including the non-functioning departments, projects, or product lines that are consuming excessive resources but aren’t profitable. Businesses can move their resource allocation from such areas to others that generate more revenues and profits.

Enhanced Communication Among Departments

IT GRC enables the top hierarchy to effectively communicate the company’s objectives to all the departments in an organization to ensure all of them work toward achieving a collective organization goal. They can further notify all employees about the recent changes via emails or other automated platforms.

Common Challenges Faced by Businesses That Implement IT GRC Framework

  1. Every unit and department of a company adopting the IT GRC framework has to conduct its own auditing because this approach lacks a centralized auditing policy.
  2. Though this framework is expected to secure the policies, strategies, and controls, the extensive auditing processes in large scale organizations may have affected it at some point, leading to compromised security.

Finding the Right IT GRC Tool for Your Business

Though every tool used in the IT GRC framework contributes to an organization’s success, the benefits can be far greater if organizations choose the right IT GRC tool, one tailored to their business requirements.

Here are some critical factors that companies must consider while choosing an IT GRC tool:

  • Is the tool user-friendly?
  • Is the data repository aligned with your company’s needs?
  • What tasks can the tool automate?
  • Do the tool’s data modeling capabilities fulfil your business requirements?

If you’re able to pick the appropriate tool, you can reap the real benefits of IT-Governance Risk Compliance.