Cyber Security – Rezilyens LLC (https://www.rezilyens.com)

Cybersecurity | Shifting the Balance of Power | Rezilyens.AI
https://www.rezilyens.com/cybersecurity-shifting-the-balance-of-power-rezilyens-ai/
Fri, 07 Aug 2020 16:25:55 +0000

The most significant trend we see with the companies we meet is that attackers usually succeed. Despite significant cyber security investments – sometimes in the millions of dollars – many organizations are not fully aware of their attacker-exposed IT ecosystem and its risks. At the same time, attackers perform reconnaissance, identify targets and exploit weaknesses. And they have time on their side, because organizations remain unaware of their blind spots.

A major contributing factor to attacker success is that while IT has evolved dramatically over the past decade, security testing solutions have not. To be clear, most approaches still in use, like vulnerability scanning and penetration testing, are at least two decades old. Attackers perform reconnaissance, identify targets and exploit weaknesses, again with the luxury of time on their side. But if we could discover all the IT assets in your attack surface, understand their business context, and test them for weaknesses, we would be able to prevent breaches by proactively focusing on the most important risks.

We believe the most effective way to reduce risk is to look at the attack surface from the outside, using an attacker’s point-of-view, and identify and remediate those exact attack vectors they would likely target. Those critical attack vectors are 1000 times more important than a pile of CVEs in a vulnerability scanner report. So, here is how our approach helps you demonstrate to your CEO or Board that you’re improving the company’s security posture.

Our insurgent mission is to eliminate the world’s shadow risk – identify and eliminate the critical security risks in your organization’s IT ecosystem: the shadow risk that attackers seek and target.

We bridge the gap left by legacy tools – the gap between what legacy tools can do and what organizations need.

Reconnaissance process – automatically map an organization’s attack surface based on the reconnaissance process, methodologies and technologies that sophisticated attackers use.

Global botnet – enables gathering of attacker-exposed data from nearly a billion servers and devices – petabytes of data.

Far more than port scanning – typical port scanners scan for open ports and banners; we’re collecting dozens of fingerprints for each asset. We can detect web applications, links, references, URL patterns, headers, banners, certificates, deployed software, and unique keywords, which may resemble departments’ and subsidiary names.

Mapping the entire IT ecosystem – using fingerprints per company to calculate the company’s attack surface mathematical graph! There are dozens of iterations to calculate this attack surface graph. We start with Company X, and very quickly start discovering its subsidiaries, acquired companies and partner-specific assets that are strongly related to this company.

IT ecosystem with context – It’s important to consider one’s entire IT ecosystem data as a graph, not a list of IPs, so you can understand the content and context of each asset – and thus understand what’s most attractive to an attacker.

Reveals the attacker’s path of least resistance – simulate the attacker’s assessment of the entire attack surface, focusing on finding highly exploitable assets that provide access to other critical assets in your network.

Legacy scanners ignore attack vectors – legacy vulnerability scanners ignore actual attack vectors, and essentially detect only CVEs in known assets.

Evaluating like an attacker – leverage the attacker’s decision-making process to determine the discoverability level of these assets and the attractiveness level of these assets based on their business context. For instance, a mainframe or source code management system is probably much more interesting to attackers than an Apache server which may be 10 years old and has no data on it based on what attackers can see.

Prioritizing based on business impact – our unique analysis allows us to bring the number of critical attack vectors down from the thousands that a legacy scanner would show you to just 5 or 10. Critical attack vectors prioritized by the platform will typically include exposures that no other solution identifies. Typical penetration tests cover less than 1% of an organization’s attack surface; they are a classic ‘checkbox’ exercise and no longer suffice.

Even sophisticated organizations can be exposed – [Real World Example] A client of ours added a third-party deception system, which created their biggest security weak spot. The system was misconfigured by an engineer from the deception company, and that misconfiguration exposed the telco’s management system to the Internet. Our approach identified this critical vulnerability.

Actionable, remediation guidance – Each identified issue is supported with actionable, prioritized and prescriptive remediation guidance so your team knows where to start and how to get it done.

The platform…

  • At its foundation, leverages a bot network to SCAN the internet to identify all the assets that belong to your organization.
  • It then builds a MAP of your attack surface using a graph data model that understands what’s yours, and what’s related, based on asset fingerprints and classification.
  • The platform security-TESTs your attack surface using techniques that go beyond basic vulnerability scanning.
  • It PRIORITIZES risks using an attacker’s perspective.
  • And helps you ELIMINATE RISK and validate it has been eliminated.
  • The goal is to help you MANAGE your CYBER RISK and communicate the progress and status of that to your stakeholders.

Cyber Rezilyens: Perils of Code Security (Injection)
https://www.rezilyens.com/cyber-rezilyens-perils-of-code-security-injection/
Tue, 14 Jul 2020 11:06:17 +0000

Why is code security so difficult?
It’s often said that, “Defenders think in lists, adversaries in graphs.” Our adversaries are humans supported by bots and automation. As an enterprise defender, you are in a game with an adversary, so you need to start thinking and acting strategically with a long game in mind and a playbook to counter adversaries’ own plays. Trust me, your adversaries are doing this as we speak.
They have a mission, an objective, a game plan and a set of trusted plays they run against enterprise networks. If you are building lists and checking boxes, you aren’t in the game – you are on the bench while the action is on the field of play … which happens to be your network, cloud assets, plants, partners, and supply chain. The attack surface is getting larger for the attackers to exploit, and there are too many doors, windows and entry points. It is not a question of IF but WHEN, and some of the latest examples include –
  • Companies worry EU court ruling could disrupt global data transfers. The European Union’s highest court will decide Thursday whether a widely used tool for moving data from within the bloc to outside countries is legal. Companies have started looking for alternative methods to continue transferring personal information around the world ahead of the ruling.
  • The European Court of Justice will determine whether a mechanism known as standard contractual clauses is enough to keep data private outside the bloc.
  • SAP issues fix for vulnerability affecting thousands of customers. Enterprise software maker SAP SE said a patch released should fix a problem that could have let hackers take control of widely used applications. The Department of Homeland Security called the bug, known as Recon, a “critical vulnerability” and urged customers to apply SAP’s update immediately. It is estimated that 40,000 organizations are affected by Recon.
  • New Jersey tech services firm hit by ransomware. Collabera, which provides technology services and staffing, detected a cyberattack that appeared to be ransomware. Employee data was compromised during the incident, according to an internal memo.
What is your playbook? Many security products are point solutions, meaning they solve one problem, sometimes well, sometimes not. Unfortunately, point solutions are often easy for adversaries to bypass. The challenge enterprises face is that there are so many products addressing so many threats at different points in the enterprise architecture, each with its own management requirements and poor native integration capabilities. One of many such vulnerabilities is “Injection.” SQL injection (SQLi) is a technique used to inject malicious code into existing SQL statements.
A code injection happens when an attacker sends invalid data to the web application with the intention of making it do something the application was not designed or programmed to do. Perhaps the most common example of this security vulnerability is a SQL query consuming untrusted data. The core of a code injection vulnerability is the lack of validation and sanitization of the data used by the web application, which means that this vulnerability can be present in almost any type of technology.
Anything that accepts parameters as input can potentially be vulnerable to a code injection attack. SQL injection attacks can affect any application that uses a SQL database and handles data, including websites, desktop and phone apps, with extremely serious consequences. These injections make it possible for malicious users to bypass existing security controls and gain unauthorized access to obtain, modify, and extract data, including customer records, intellectual property, or personal information. Attackers can also use this technique to locate the credentials of administrators and gain complete control over affected websites, applications, and database servers.

When managing a website, it’s important to stay on top of the most critical security risks and vulnerabilities. Preventing code injection vulnerabilities really depends on the technology you are using on your website. For example, if you use WordPress, you could minimize code injection vulnerabilities by keeping the number of installed plugins and themes to a minimum. If you have a tailored web application and a dedicated team of developers, you need to make sure you have security requirements your developers can follow when designing and writing software. This will allow them to keep thinking about security throughout the lifecycle of the project. We are as strong as our weakest link. Here are a few actions we can take to prevent and detect injections:
  • Separate data from the web application logic.
  • Leverage SQL injection attack tools like Havij, SQLmap, or jSQL to identify vulnerable code.
  • Apply patches and updates to the vulnerable code along with any other out-of-date components.
  • Implement settings and/or restrictions to limit data exposure in case of successful injection attacks.
  • The preferred option is to use a safe API, which avoids the use of the interpreter.
  • Use positive or “whitelist” server-side input validation. This is not a complete defense as many applications require special characters, such as text areas or APIs for mobile applications.
  • For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.
  • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
  • Consider setting up a web application firewall to filter malicious requests to your website. These can be particularly useful to provide protection against new vulnerabilities before patches are made available.
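As an added illustration of the “safe API”, allowlist validation and LIMIT items above (example code, not from the original post or from Rezilyens), the snippet below places a vulnerable string-built query next to its hardened form. The in-memory SQLite table and the `users` rows are constructed sample data; SQLite is assumed only because it ships with Python.

```python
import sqlite3

# Constructed sample database (not from the original post).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("carol", "carol@example.com")],
    )
    return conn

# VULNERABLE: untrusted input is concatenated straight into the SQL text,
# so the interpreter cannot tell data from code.
def find_user_vulnerable(conn, username):
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

# Positive allowlist for the one identifier that cannot be bound as a parameter.
ALLOWED_SORT_COLUMNS = {"username", "email"}

# HARDENED: the value travels as a bound parameter (the "safe API"); the
# ORDER BY column goes through the allowlist because column names cannot be
# parameterized; LIMIT caps disclosure if something still goes wrong upstream.
def find_user_safe(conn, username, sort_by="username", limit=1):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    sql = f"SELECT username, email FROM users WHERE username = ? ORDER BY {sort_by} LIMIT ?"
    return conn.execute(sql, (username, limit)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    probe = "' OR '1'='1"  # textbook tautology used in injection testing
    print("vulnerable:", find_user_vulnerable(conn, probe))  # every row leaks
    print("safe:", find_user_safe(conn, probe))  # treated as a literal username: no match
```

The same probe returns all three rows from the concatenated query and nothing from the parameterized one, which is the behavioural difference a code review or a scanner such as SQLmap is looking for.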

Cyber Rezilyens: The Forward-Reverse Perils of Cybersecurity
https://www.rezilyens.com/cyber-rezilyens-the-forward-reverse-perils-of-cybersecurity/
Sat, 20 Jun 2020 02:42:46 +0000

The Forward-Reverse Perils of Cybersecurity

Every organization – no matter who they are, how large they are, or where they are in the world – is at risk from cyber attackers. More than $125 billion each year is spent on information security worldwide and the spending is increasing. Cyber attackers are, however, evading the defense, breaking in, remaining undetected for months, and finding the Crown Jewels.
The Crown Jewels are essential data, intellectual property and other critical assets. Cyber attackers are stealing or hijacking the Crown Jewels to disrupt operations, causing enormous financial and reputational damage.
First, the attack surface is getting larger for the attackers to exploit, and there are too many doors, windows and entry points. It is not a question of IF but WHEN, and here’s why.

The latest include –

  • Australian organizations are being targeted by a “sophisticated state-based cyber actor” and the attack was targeting all levels of government as well as political, business, education and health organizations.
  • Cyberattacks on health care, pharmaceutical and research organizations in order to steal valuable research on coronavirus vaccines and treatments.
  • Amazon discloses large cyberattack attempted against a cloud customer. AWS Shield fended off the attack, which threw 2.3 trillion bits of data per second at the customer’s cloud service and much higher than the previous DDoS record of 1.7 trillion bits per second in 2018.
  • H&R Block reports unauthorized access of customer accounts: the tax preparer discovered in early June that some customer accounts on its portal had been accessed in late April by an intruder.
  • Cognizant employee data breached. Cognizant Technology Solutions Corp. notified an unspecified number of employees and customers that they were impacted.
  • Akamai gives customers more time to pay bills; and fallout from attack on legal-tech firm Epiq hits several large customers. Hackers trigger far-reaching destruction by targeting low-profile firm.
  • Austrian telecoms (A1 Telekom Austria) detected a hacker on its network in December (2019) but it took them about six months to eject the hacker given this was an advanced persistent threat (APT).
Newton’s first law is the law of inertia; it is also, alas, the first law of cyber-attacked companies. It’s not their fault, since there are innate cognitive biases that bind us to the present while blinding us to long-term threats and opportunities.
Among them are availability and confirmation biases: our instinct to solve problems based solely on the information we have immediately at hand, and our tendency to interpret data in a way that supports our pre-existing expectations. A one-size-fits-all approach doesn’t work, since not all cyber attacks are made equal, and this is most likely what companies are getting wrong today in how they approach cyber security. A malware infection is several standard deviations away from an advanced persistent threat (APT) campaign, which is not in the realm of a normal hack. Where a less sophisticated cyber attack might be dealt with by removing malware from compromised computers, fending off an APT requires analyzing the attacker’s behavior: a cat-and-mouse game in which analyzing the hacker’s movement and the damage done can take several months.

What’s different in an advanced persistent threat (APT)?

The hacker is going to quietly study how the network and servers are connected for some time before preparing to conduct espionage leveraging a VPN (Virtual Private Networks) or equivalent to mask their location and presence.

How do you mitigate an advanced persistent threat (APT)?

Here are some techniques for consideration, among a long list of them:

  1. It is just as important to predict the behavior of the intruders and shut down entry points to the network when the attackers aren’t active.
  2. The operation of kicking a hacker out of a network must be executed quickly while the attacker is inactive so that any openings into the company’s infrastructure can be sealed up before the hacker has time to respond.
  3. There need to be additional safeguards to separate the less critical parts of the network from the critical infrastructure.
  4. There needs to be an additional layer of security credentials making it harder for anyone without the extra login details to access the network infrastructure.
  5. One option is to disconnect servers from the internet and make existing passwords invalid at the same time before carefully letting users back in.
  6. Back up corporate data so that nothing would be lost if the hacker outsmarted you.
  7. Leverage multifactor authentication to access all corporate accounts.
  8. Augment the tools that monitor threats so they will receive alerts more frequently about attempted intrusions.
It’s a big effort for any company that suffers an attack. It is far more effective to invest in detection and prevention than in remediation.