The infiltration was only spotted and stopped after the hackers roamed the network undetected for almost a year
RDP on the Radar
Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or “Bluekeep.” The blog highlights a particular vulnerability in RDP which was deemed critical by Microsoft due to the fact that it exploitable over a network connection without authentication. These attributes make it particularly ‘wormable’ – it can easily be coded to spread itself by reaching out to other accessible networked hosts, similar to the famous EternalBlue exploit of 2017. This seems particularly relevant when (at the time of writing) 3,865,098 instances of port 3389 are showing as open on Shodan.
Prior to this, RDP was already on our radar. Last July, McAfee ATR did a deep dive on Remote Desktop Protocol (RDP) marketplaces and described the sheer ease with which cybercriminals can obtain access to a large variety of computer systems, some of which are very sensitive. One of the methods of RDP misuse that we discussed was how it could aid deploying a targeted ransomware campaign. At that time one of the most prolific targeted ransomware groups was SamSam. To gain an initial foothold on its victims’ networks, SamSam would often rely on weakly protected RDP access. From its RDP launchpad, it would proceed to move laterally through a victim’s network, successfully exploiting and discovering additional weaknesses, for instance in a company’s Active Directory (AD).
In November 2018, the FBI and the Justice department indicted two Iranian men for developing and spreading the SamSam ransomware extorting hospitals, municipalities and public institutions, causing over $30 million in losses. Unfortunately, this did not stop other cybercriminals from using similar tactics, techniques and procedures (TTPs).
The sheer number of vulnerable systems in the wild make it a “target” rich environment for cybercriminals.
In the beginning of 2019 we dedicated several blogs to the Ryuk ransomware family that has been using RDP as an initial entry vector. Even though RDP misuse has been around for many years, it does seem to have gained an increased popularity amongst criminals focused on targeted ransomware.
Recent statistics showed that RDP is the most dominant attack vector, being used in 63.5% of disclosed targeted ransomware campaigns in Q1 of 2019.
Source: Coveware Q1 statistics
Given the dire circumstances highlighted above it is wise to question if externally accessible RDP is an absolute necessity for any organization. It is also wise to consider how to better secure RDP if you are absolutely reliant on it. The good news is there are several easy steps that help an organization to better secure RDP access.
That is why, in this blog, we will use the adversarial knowledge from the McAfee ATR red team to explain what easy measures can be undertaken to harden RDP access.
Recommendations are additional to standard systems hygiene which should be carried out for all systems (although it becomes more important for Internet connected hosts), such as keeping all software up-to-date, and we intentionally avoid ‘security through obscurity’ items such as changing the RDP port number.
Do not allow RDP connections over the open Internet
To be very clear… RDP should never be open to the Internet. The internet is continuously being scanned for open port 3389 (the default RDP port). Even with a complex password policy and multi-factor authentication you can be vulnerable to denial of service and user account lockout. A much safer alternative is to use a Virtual Private Network (VPN). A VPN will allow a remote user to securely access their corporate network without exposing their computer to the entire Internet. The connection is mutually encrypted, providing authentication for both client and server, preferably using a dual factor, while creating a secure tunnel to the corporate network. As you only have access to the network you will still need to RDP to the computer but can do so more securely without exposing it to the internet.
Use Complex Passwords
An often-used alternative acronym for RDP is “Really Dumb Passwords.” That short phrase encapsulates the number one vulnerability of RDP systems, simply by scanning the internet for systems that accept RDP connections and launching a brute-force attack with popular tools such as, ForcerX, NLBrute, Hydra or RDP Forcer to gain access.
Using complex passwords will make brute-force RDP attacks harder to succeed.
Below are the top 15 passwords used on vulnerable RDP systems. We built this list based on information on weak passwords shared by a friendly Law Enforcement Agency from taken down RDP shops. What is most shocking is the fact that there is such a large number of vulnerable RDP systems did not even have a password.
The TOP 15 used passwords on vulnerable RDP systems
Use Multi-Factor Authentication
In addition to a complex password, it is best practice use multi-factor authentication. Even with great care and diligence, a username and password can still be compromised. If legitimate credentials have been compromised, multi-factor authentication adds an additional layer of protection by requiring the user to provide a security token, e.g. a code received by notification or a biometric verification. Better yet, a FIDO based authentication device can provide an extra factor which is not vulnerable to spoofing attacks, in a similar fashion to other one-time-password (OTP) mechanisms. This increases the difficulty for an unauthorized person to gain access to the computing device.
Use an RDP Gateway
Recent versions of Windows Server provide an RDP gateway server. This provides one external interface to many internal RDP endpoints, thus simplifying management, including many of the items outlined in the following recommendations. These comprise of logging, TLS certificates, authentication to the end device without actually exposing it to the Internet, authorization to internal host and user restrictions, etc.
Microsoft provides detailed instructions for configuration of remote desktop gateway server, for Windows Server 2008 R2 as an example, over here.
Lock out users and block or timeout IPs that have too many failed logon attempts
A high number of failed logon attempts is a strong indication of a brute force attack. Limiting the number of logon attempts per user can prevent such attacks. A failed logon attempt is logged under Windows Event ID 4625. An RDP logon falls under logon type 10, RemoteInteractive. The account lockout threshold can be specified in the local group policy under security settings: Account Policies.
For logging purposes, it is best to log both failed and successful logons. Additionally, it is important to note that “specific security layer for RDP connections” needs to be enabled. Otherwise, you will be unable to tell that the logon attempt came over RDP or see the source IP address. A comparison is shown below.
Event log network logon (type 3) note no source network address
Event log RDP logon (type 10) note the source network address present
Use a Firewall to restrict access
Firewall rules can be created to restrict Remote Desktop access so that only a specific IP address or a range of IP addresses can access a given device. This can be achieved by simply opening “Windows Firewall with Advanced Security,” clicking on Inbound Rules and scrolling down to the RDP rule. A screen shot can be seen below.
Firewall settings for inbound RDP connections
Enable Restricted Admin Mode
When connecting to a remote machine via RDP, credentials are stored on that machine and may be retrievable by other users of the systems (e.g. malicious attackers). Microsoft has added restricted admin mode which instructs the RDP server not to store credentials of users who log in. Behind the scenes, the server now uses ‘network’ login rather than ‘interactive’ and therefore uses hashes or Kerberos tickets rather than passwords for authentication. Assessment of the pros and cons of this option are recommended before enabling in your environment. On the negative side, the use of network login exposes the possibility of credential reuse (pass the hash) attacks against the RDP server. Pass the hash is likely possible anyway, internally, via other exposed ports so may not significantly increase exposure there, but when including this option to Internet servers, where other ports are likely (and should be!) restricted, pass the hash is then extended to the Internet. Given the pros and cons, avoiding internal escalation of privilege is often prioritized and therefore restricted admin mode is enabled.
Microsoft TechNet describes configuration and usage of restricted mode here.
There are four levels of encryption supported by standard RDP: Low, Client Compatible, High, and FIPS Compliant. This is configured on the Remote Desktop server. This can be further improved upon by using Enhanced RDP Security. When Enhanced RDP security is used, encryption and server authentication are implemented by external security protocols, e.g. TLS or CredSSP. One of the key benefits of Enhanced RDP Security is that it enables the use of Network Level Authentication (NLA) when using CredSSP as the external security protocol.
Certificate management is always a complexity, but Microsoft does provide this through the use of Active Directory Certificate Services (ADCS). Certificates can be pushed using Group Policy Objects (GPO) where this is available. Incompatible operating system environments must import certificates via the web interface exposed at https://<server>/Certsrv.
Enable Network Level Authentication (NLA)
To reduce the amount of initially required server resources, and thereby mitigate against denial of service attacks, network level authentication (NLA) can be used. Within this mode, strong authentication takes place before the remote desktop connection is established, using the Credential Security Support Provider (CredSSP) either through TLS or Kerberos. NLA can also help to protect against man-in-the-middle attacks, where credentials are intercepted. However, be aware that NLA over NTLM does not provide strong authentication and should be disabled in favor of NLA over TLS (with valid certificates).
Microsoft TechNet describes configuration and usage of NLA in Windows Server 2008 R2 here.
Interestingly, BlueKeep, mentioned above, is partially mitigated by having NLA enabled. As reported by Microsoft in the associated advisory “With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.”
Restrict users who can logon using RDP
All administrators can use RDP by default. Remote access should be limited to only the accounts that require it. If all administrators do not need remote access you should consider removing the Administrator account from the RDP access group. You can then add the specific users which require access to the “Remote Desktop Users” group. See here for more information on managing users in your RDS collection.
Minimize the Number of Local Administrator Accounts
Local administrator accounts provide an attack vector for attackers who gain access to a system. Credentials can be cracked offline and more accounts means more likelihood of a successful crack. Therefore, you should aim for a maximum of one local administrator account which is secured appropriately.
Ensure that Local Administrator Accounts are Unique
If the local administrator accounts match those assigned to their counterparts on other systems within the server’s internal network, the attacker can potentially re-use credentials to move laterally. This issue occurs quite frequently, so Microsoft provided Local Administrator Password Solution (LAPS) as a means to avoid this scenario across the organization with central management of unique local administrator credentials. This is particularly relevant for externally exposed systems.
Microsoft provides a download and usage information for LAPS here.
Limit Domain Administrator Account Access
Accounts within the domain admins group have full control of the domain by default, by virtue of being part of the administrators group for all domain controllers, domain workstations and domain member servers. If a credential for a domain admin account is retrieved from the RDP server, the attacker now holds the ‘keys to the kingdom’ and is in full control of the entire domain. You should reduce the amount of domain administrators within the organization in general and avoid accessing the RDP server or other externally exposed systems via these accounts, to avoid inadvertently making credentials accessible.
In general, ‘least privilege’ administration models should be used. Microsoft provides guidance in this area, including how best to use domain admin accounts, here.
Consider Placement Within the Network
Where possible, RDP servers should be placed within a DMZ or other restricted area of the network. The idea here is that if an attack is successful, its scope is reduced and confined to the RDP server alone. Often RDP is exposed specifically to allow external users onto the network, so this may not be a feasible solution, however it should be considered and the quantity of services reachable within the internal network should be minimized.
Consider using an account-naming convention that does not reveal organizational information
There are many options for account naming conventions, ranging from firstname.lastname to not deriving usernames from name data; all having their pros and cons. However, some of the more commonly used account naming conventions such as firstname.lastname, make it very easy to guess usernames and email addresses. This can be a security concern as spammers and hackers will readily use this information.
When trying to run an efficient IT organization, having remote access to certain computer systems might be essential. Unfortunately, when not implemented correctly, the tools that make remote access possible also open your systems up to unwanted guests. In the last few years there have been far too many examples of where vulnerable RDP access gave way to a full-scale network compromise.
In this article we have shown that RDP access can be hardened with some easy steps. Please take the time to review your RDP security posture.
The cloud era has fundamentally changed the way businesses must think about security. For a long time, we built security around the perimeter. But today, the boundaryless landscape demands that we start with the individual.
In our journey with customers co-designing our products and services, Microsoft has learned that our identity solutions need to do more than just support employee productivity. We have to take things further to ensure our solutions empower our customers to work more closely with their business partners and nurture deeper relationships with their customers, who want help not just securing their personal information, but also protecting their privacy. The problems our customers need to solve, and the scenarios they want enabled for the future, have shaped the design principles guiding our identity strategy.
Embrace open standards
The world of cloud and devices is inherently heterogenous. Our customers, their partners, and their customers will use many devices, apps, and services from many different vendors. The complexity of managing and securing such a mixed environment could be overwhelming if not for open standards. For example, OAuth 2.0, OIDC, and SAML enable single sign-on across apps and clouds from multiple vendors, SCIM enables automated user provisioning, and the new standards from the FIDO alliance make signing in more secure. This is why every API and protocol Azure AD supports is based on open standards and why Microsoft is actively engaged in all the major identity standards bodies.
Offer industry-leading security
Our goal is to create an identity system that’s secure and private from the ground up. This means blocking every avenue of attack that we can. Enabling MFA reduces credential-based security breaches by more than 99 percent, but there’s still risk from people mishandling their passwords or getting tricked into handing them over. Adopting FIDO with the recently ratified WebAuthN standard makes it possible to eliminate passwords altogether, replacing them with a biometric device or a phone. If you have a Microsoft Account, you can go passwordless today. Soon, passwordless sign-in will be an option on every Microsoft platform and application, as well as for third party applications that integrate with Azure AD.
We now put the full power of the cloud behind every authentication request. Using Azure AD Conditional Access as a starting point, organizations can implement a Zero Trust security strategy that examines not only the identity of the user, but also the type and health of their device, the properties and reputation of the network they’re connecting from, the app they’re using, and the sensitivity of the data they’re trying to access. This not only makes security stronger, it also improves the user experience. For example, we can employ cloud-scale machine learning algorithms, which process trillions of signals daily, to learn each user’s common behavioral patterns and flag authentication attempts that are abnormal or high risk. This way, policies invoke MFA or other additional measures only when necessary, making the experience less interruptive to users.
Make governance easier and more automatic
Implementing strong governance strengthens security guardrails, but most customers find the task daunting. Granting access is easy. Remembering months later to remove access for each person who may have changed roles is not. Identity systems should make it easier to assign the right access to the right people, for example, by automating user access provisioning and deprovisioning based on a user role, location, and business unit. It should be easier for employees and partners to request access when they need it. And most importantly, the system should prompt administrators to review access permissions on a regular cadence or when people change roles. And all of these processes should be driven and informed by world class machine learning and AI which constantly monitor for unusual patterns and unrecognized risks.
Deliver a comprehensive solution, not building blocks
One of the key things we’ve learned from our enterprise customers is that they’re sick and tired of cobbling together identity solutions based on mix and match sets of identity building blocks acquired from a myriad of vendors. They want a holistic solution that supports all their applications and all their different identities while giving them security and control without the gaps that inevitably occur when multiple point solutions are patched together. We’ll do this by delivering a completely integrated identity and access management suite that gives them a single place to go to manage—and protect—all identities, whether they belong to employees, business partners, or customers and all of the resources, they need to access.
Give people control over their information
A holistic solution that accepts identities people bring with them is a necessary prerequisite to the vision of decentralized identity. Microsoft believes everyone has the right to own and control their digital identity—one that securely and privately stores all personal data. To achieve this vision, we need to augment existing cloud identity systems with one that individuals, organizations, and devices can own so they can control their digital identity and data. We believe a standards-based decentralized identity system can unlock a new set of experiences that empowers users and organizations to have greater control over their data—and deliver a higher degree of trust and security.
Taking the next step
Everyone in the identity division at Microsoft is passionately committed to ensuring the systems we build empower people to do their best work and live their best lives.
If one thing is clear, though, these identity initiatives are a journey. Over the coming months, we’ll invite you to participate in a series of technology previews, where your feedback will help shape how identity services will take us closer to a world without passwords, where organizations can easily manage and secure complex environments, and individuals can worry less and stop making trade-offs among ease of use, privacy, and security. Working together as an industry, we’re building a better path to security and privacy, anchored around the one constant in this fast-moving, heterogenous world—you.
The post 5 principles driving a customer-obsessed identity strategy at Microsoft appeared first on Microsoft Security.
For several months we have been profiling experienced security practitioners as well as those still getting started. Our reasoning is simple - there is no one surefire way to gain the experience and knowledge necessary to thrive in the world of cybersecurity. Nearly everyone has a different path - some are PhDs while others barely made it out of high school. Some had deeply technical backgrounds while others stumbled into security out of pure curiosity. Even with the lack of a defined path, we’re hoping that these profiles help individuals figure out the best path for them.
While Windows Defender Antivirus makes catching 5 billion threats on devices every month look easy, multiple advanced detection and prevention technologies work under the hood to make this happen.
Windows Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint security platform. Much like how Microsoft Defender ATP integrates multiple capabilities to address the complex security challenges in modern enterprises, Windows Defender Antivirus uses multiple engines to detect and stop a wide range of threats and attacker techniques at multiple points.
These next-generation protection engines provide industry-best detection and blocking capabilities. Many of these engines are built into the client and provide advanced protection against majority of threats in real-time. When the client encounters unknown threats, it sends metadata or the file itself to the cloud protection service, where more advanced protections examine new threats on the fly and integrate signals from multiple sources.
These next-generation protection engines ensure that protection is:
- Accurate: Threats both common and sophisticated, a lot of which are designed to try and slip through protections, are detected and blocked
- Real-time: Threats are prevented from getting on to devices, stopped in real-time at first sight, or detected and remediated in the least possible time (typically within a few milliseconds)
- Intelligent: Through the power of the cloud, machine learning (ML), and Microsoft’s industry-leading optics, protection is enriched and made even more effective against new and unknown threats
My team continuously enhances each of these engines to be increasingly effective at catching the latest strains of malware and attack methods. These enhancements show up in consistent top scores in industry tests, but more importantly, translate to threats and malware outbreaks stopped and more customers protected.
Here’s a rundown of the many components of the next generation protection capabilities in Microsoft Defender ATP:
In the cloud:
- Metadata-based ML engine – Specialized ML models, which include file type-specific models, feature-specific models, and adversary-hardened monotonic models, analyze a featurized description of suspicious files sent by the client. Stacked ensemble classifiers combine results from these models to make a real-time verdict to allow or block files pre-execution.
- Behavior-based ML engine – Suspicious behavior sequences and advanced attack techniques are monitored on the client as triggers to analyze the process tree behavior using real-time cloud ML models. Monitored attack techniques span the attack chain, from exploits, elevation, and persistence all the way through to lateral movement and exfiltration.
- File classification ML engine – Multi-class, deep neural network classifiers examine full file contents, provides an additional layer of defense against attacks that require additional analysis. Suspicious files are held from running and submitted to the cloud protection service for classification. Within seconds, full-content deep learning models produce a classification and reply to the client to allow or block the file.
- Detonation-based ML engine – Suspicious files are detonated in a sandbox. Deep learning classifiers analyze the observed behaviors to block attacks.
- Reputation ML engine – Domain-expert reputation sources and models from across Microsoft are queried to block threats that are linked to malicious or suspicious URLs, domains, emails, and files. Sources include Windows Defender SmartScreen for URL reputation models and Office 365 ATP for email attachment expert knowledge, among other Microsoft services through the Microsoft Intelligent Security Graph.
- Smart rules engine – Expert-written smart rules identify threats based on researcher expertise and collective knowledge of threats.
On the client:
- Behavior monitoring engine – The behavior monitoring engine monitors for potential attacks post-execution. It observes process behaviors, including behavior sequence at runtime, to identify and block certain types of activities based on predetermined rules.
- Memory scanning engine – This engine scans the memory space used by a running process to expose malicious behavior that may be hiding through code obfuscation.
- AMSI integration engine – Deep in-app integration engine enables detection of fileless and in-memory attacks through Antimalware Scan Interface (AMSI), defeating code obfuscation. This integration blocks malicious behavior of scripts client-side.
- Heuristics engine – Heuristic rules identify file characteristics that have similarities with known malicious characteristics to catch new threats or modified versions of known threats.
- Emulation engine – The emulation engine dynamically unpacks malware and examines how they would behave at runtime. The dynamic emulation of the content and scanning both the behavior during emulation and the memory content at the end of emulation defeat malware packers and expose the behavior of polymorphic malware.
- Network engine – Network activities are inspected to identify and stop malicious activities from threats.
Together with attack surface reduction—composed of advanced capabilities like hardware-based isolation, application control, exploit protection, network protection, controlled folder access, attack surface reduction rules, and network firewall—these next-generation protection engines deliver Microsoft Defender ATP’s pre-breach capabilities, stopping attacks before they can infiltrate devices and compromise networks.
As part of Microsoft’s defense-in-depth solution, the superior performance of these engines accrues to the Microsoft Defender ATP unified endpoint protection, where antivirus detections and other next-generation protection capabilities enrich endpoint detection and response, automated investigation and remediation, advanced hunting, threat and vulnerability management, managed threat hunting service, and other capabilities.
These protections are further amplified through Microsoft Threat Protection, Microsoft’s comprehensive, end-to-end security solution for the modern workplace. Through signal-sharing and orchestration of remediation across Microsoft’s security technologies, Microsoft Threat Protection secures identities, endpoints, email and data, apps, and infrastructure.
The enormous evolution of Microsoft Defender ATP’s next generation protection follows the same upward trajectory of innovation across Microsoft’s security technologies, which the industry recognizes, and customers benefit from. We will continue to improve and lead the industry in evolving security.
Tanmay Ganacharya (@tanmayg)
Principal Director, Microsoft Defender ATP Research
Talk to us
Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.
Follow us on Twitter @MsftSecIntel.
Many of us live out whole lives on Facebook, Twitter, Instagram and LinkedIn, publicising our thoughts, interacting with friends, strangers and businesses, and keeping abreast of current affairs.
But all that activity has made social media a breeding ground for a new form of cyber attack known as angler phishing.
What is angler phishing?
Angler phishing is a specific type of phishing attack that exists on social media. Unlike traditional phishing, which involves emails spoofing legitimate organisations, angler phishing attacks are launched using bogus corporate social media accounts.
This is how it works: cyber criminals are aware that organisations are increasingly using social media to interact with their customers, whether that’s for marketing and promotional purposes or to offer a simple route for customers to ask questions or make complaints.
Here’s an example:
Making complaints on social media puts pressure on organisations to resolve the issue promptly.
Organisations often respond more quickly to issues raised on social media, as it provides an opportunity for good PR.
Most responses are along the same lines as our example: the organisation asks the customer to provide their personal details, so it can verify the issue and respond appropriately.
Unfortunately, cyber criminals have exploited this by spoofing corporate accounts and intercepting customer queries.
They use account handles that mimic legitimate sites – like ‘@dominoscustomercare’, for example – search for customer complaints directed at the legitimate site and respond.
Eagle-eyed individuals might notice that the response came from a different account than the one they messaged, but it’s not uncommon for a big company to direct customer complaints to a dedicated account.
But more often than not, people see that the response comes from an account with the organisation’s name and logo and don’t notice the difference.
The fraudster will then ask the customer to direct message them their account details (as many genuine organisations do) or direct them towards what is supposedly a customer support page but is in fact a malicious site, which steals personal information or infects the customer’s device with malware.
Phishing email protection
Many social media users know very little about angler phishing. That’s bad news for organisations, given how often employees browse social media during their lunch breaks or quiet periods.
After all, it only takes one person clicking a bogus link to infect the organisation’s systems.
That’s why it’s important to teach your staff how to spot scammers’ bait. Our Phishing Staff Awareness Course teaches you everything you need to avoid every type of attack, from social media scams to email- and SMS-based threats.
A version of this blog was originally published on 19 June 2017.
Cybercrime affecting businesses has become so widespread that IT and network security professionals are always thinking about that next breach and the costs of recovering from it. This increased risk has also raised the demand for better virtual defenses to prevent the loss of sensitive organizational data such as personal consumer details and internal communications.
There is a substantial need for cybersecurity training. It’s something that many businesses are interested in, but implementing the right system isn’t easy. Physical labs are expensive, require significant time and resources, and aligning everyone’s schedules is often impossible.
Virtual labs are a great way for you to provide your customers and partners with access to the latest cybersecurity product demos and training. These labs are accessible from anywhere, customers can engage with them on their terms, they cost less, and increase the overall quality of the training.
What’s the Appeal of Virtual Cybersecurity Labs?
In the corporate sphere, there has been a trend in recent years of organizations shifting away from traditional instructor-led courses towards virtual cybersecurity training labs. The transition is due to the high demand for meticulous cybersecurity education that offers first-hand experience to participants while keeping costs low.
Cloud-based training environments are appealing because they offer a scenario-based approach. Since the field of cybersecurity requires analytical and critical thinking in real-world circumstances, the controlled environment of a virtual lab is often cited as the best method for teaching network security. Learners will encounter real-world scenarios, work through them, and engage with essential hands-on material that provides more engagement than a traditional slideshow or lecture.
What Are The Primary Benefits of a Virtual Cybersecurity Lab?
- These classes offer training and simulations that are run through cloud-based virtual machines that are accessible from any of the major browsers. Participants can engage with the material, request help, and engage in team exercises from anywhere in the world.
- A virtual lab removes the need for travel costs or high-end hardware on the client side since training is conducted primarily through an Internet browser on the employee’s terminal. The simulation is centralized and accessible from anywhere at any time with nothing but an Internet connection.
- Because the host hardware is centralized, upgrading the lab in response to continually evolving technologies and security trends can be done inexpensively and quickly.
- A single lab can be expanded to accommodate additional employees or partners at little to no cost. You can add additional RAM, user slots, and other specs as needed. This has helped make virtual labs a popular choice for growing businesses.
- Feedback between instructors and participants is instant and convenient. Instructors can step in at any point and offer help, track user participation, and other relevant analytics.
What Should You Look for in a Virtual Cybersecurity Environment Provider?
There is no shortage of virtual lab providers on the market. Cloud-based cybersecurity courses are in huge demand because of the added customization that they offer. The process for developing a suitable training lab differs depending on your organization’s needs and preferences. However, here are a few things to consider:
- Networking devices, including switches, routers, and firewalls. Remember that you want to support multiple instances of virtualization for the networking scenarios used in the course. While you want the reliability of enterprise-grade equipment, consider looking into the refurbished market if your business needs to keep costs low.
- Find a reputable virtual lab provider. There are many virtual IT labs on the market. Find one that offers the right mix of features, analytics, and the ability to scale as you grow.
- Have the right IT team in place. Your IT team will need to create the environments for any material that you want to teach within the cloud. Getting started isn’t hard, but it will require an IT professional that knows how to prepare the needed virtual environments.
The goal of this process is to build a successful hands-on virtual cybersecurity lab that is scalable to all participants and teaches essential cybersecurity skills in real-world environments to your customers and business partners.
Are Virtual Cybersecurity Labs Really the Future?
It’s safe to say that cloud technology isn’t going anywhere at this point. We are still feeling the effects of the innovation wave that was caused by the invention of cloud technology.
Everything we do today is tied to the cloud in some way.
- The most popular software offered by Adobe and Microsoft is all cloud-based.
- That CRM your business relies on is powered by the cloud.
- Your favorite Spotify playlist is stored in the cloud.
B2B training is changing. The advancements in virtual labs have accelerated the obsolescence of traditional labs. Agile companies that want to stay competitive will need to accept this and transition their cybersecurity, IT, and product demos to the cloud.
New technologies are frightening to businesses with established processes. But if we’ve learned anything from the failures of Kodak, Nokia, Xerox, Blockbuster, and other large corporations, it’s that failing to stay in line with innovation can (and will) lead to disastrous results in the long-term.
The post Are Virtual Cybersecurity Labs the Future of Cybersecurity Education? appeared first on CyberDB.
The financial services industry is naturally a lucrative target for cyber criminals. Financial organisations trade and control vast amounts of money, as well as collect and store customers’ personal information so clearly, a data breach could be disastrous for an industry that is built on trust with its customers.
The financial services industry is second only to retail in terms of the industries most affected by cyber crime – the number of breaches reported by UK financial services firms to the FCA increased 480 per cent in 2018, compared to the previous year. While financial services organisations are heavily regulated and cybersecurity is becoming more of a business priority, there is still much more to be accomplished when it comes to businesses understanding what measures must be taken – from the C-suite down – to effectively protect organisations against inevitable breaches.
So how can financial services firms proactively equip themselves to respond to increased regulatory scrutiny and mitigate the impact from the growing number of threats they will face?
Mitigating the Cyber Threat Financial institutions were able to defend against two-thirds of unauthorised fraud attempts in 2018, but the scale of attacks significantly increased. Significant market players including Tesco Bank, Metro Bank and HSBC all reported breaches in the last year. Clearly, the banks’ cybersecurity defences have not developed at a fast enough pace. Cyber criminals can and will dramatically outspend their targets with increasingly sophisticated attack methods. In addition, many of the traditional banks struggle with large, cumbersome legacy systems, which pose significant reliability issues, as well as flaws in security.
Last year’s IT banking disaster led to thousands of TSB customers being locked out of their accounts, leading to fraudsters exploiting the situation by posing as bank staff on calls to customers in order to steal significant sums of money from customers. The breach occurred while the company was conducting an upgrade on its IT systems to migrate customer data to a new platform. This wasn’t just bad luck for TSB, but a failure to adequately plan and assess the risks that come with such a huge project. The bank has since pledged to refund all customers that are victims of fraud, a move which will likely see other banks reviewing their approach to the rise of this particular type of cybercrime.
The industry must understand that security incidents are an ever-present risk. However, organisations can be prepared - scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.
Appropriate Defence Strategy
The FCA has set out various cybersecurity insights that show how cybersecurity practices of UK financial services firms are under the regulatory microscope, as the cyber threat continues to grow. The approach from the FCA includes practices for organisations to put into action such as those that promote governance and put cyber risk on the board agenda. The advice also covers areas such as identifying and protecting information assets, being alert to emerging threats and being ready to respond, as well as testing and refining defences. With cybercrime tools and techniques advancing at a rapid pace, and increasing regulations, it’s no wonder that many organisations struggle to keep up to ensure their defences stay ahead of the game.
In order for in-house security teams to keep up to date with current and evolving threats and data protection issues, firms must invest in regular training. Specialist skills are required to mitigate cyber risk, which for some could be cost-prohibitive. As an alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk appropriate cyber security strategy.
Crucially, in addition to completing a gap analysis and a multi-layered defence strategy, the model will also apply to people and processes. Attackers will generally aim at the weakest point of an organisation – often it’s staff. Human nature means passwords are forgotten, malware isn’t noticed, or phishing emails are opened, for example. Therefore, a blended approach of technology, processes and shared behaviour is required that promotes the need for staff awareness and education of the risks, in order to effectively combat the threat.
With increased regulatory attention across security and privacy, firms must take steps to improve their defences, or risk severe financial and reputational damage. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Anyone within an organisation can be a weak link, so the importance of cybersecurity defences must be promoted at all levels – from the board all the way through to the admin departments. It’s everyone’s responsibility to keep the organisation protected against threats.
While the threat of cyber attack is real, financial services firms do not have to take on the battle alone. With a CSaaS model in place, organisations can start to take back control of their cybersecurity strategy and embed it as a trusted, cost-effective and workable core part of the business’ process.
You probably know what phishing is. It’s been around almost as long as the Internet, and everyone from your employer to Facebook provides warnings about how to identify and report such scams.
But are you aware of how extensive phishing is? The cyber security company Webroot has identified four facts about how phishing works that might make you see the threat in a new light.
1. Phishing sites have a lifecycle of about 15 hours.
In order to reduce the chances of being detected and blocked, scammers are constantly creating new phishing sites and deactivating old ones.
On average, phishing sites are live for only 15 hours. By the time someone’s raised the alarm about a malicious site and the organisation has updated its security measures and warned employees not to click the link, the fraudster is already well on their way to their next scam.
2. Most malicious links are hidden within benign domains.
Scammers rarely use dedicated domain names for phishing attacks these days, because they can be easily identified and blacklisted.
Instead, malicious emails will almost always contain domains “associated with benign activity” to increase the probability of their success. Criminal hackers prefer to compromise a single page of a benign site and replace its content with a phishing page, which is more difficult to detect.
3. About 400,000 phishing sites are created each month
To keep up with the phishing sites’ brief lifecycle, scammers are forced to create hundreds of thousands of phishing sites each month.
The websites might be used for a single phishing campaign or used for a variety of attacks. Either way, it’s easy to see why it’s so difficult for spam filters keep track of malicious sites. There are simply so many that a few will inevitably fall through the system and end up in users’ inboxes.
4. Google, PayPal and Apple are the most commonly spoofed organisations
Scammers have always targeted well-respected organisations, but things are so much easier for them now that there are dozens of organisations that collect the majority of people’s personal data.
Google is the most frequently spoofed organisation, but PayPal, Amazon and Facebook are also hugely popular subjects for phishing scams.
Want to know how to prevent phishing attacks?
If you want to avoid falling for phishing scams, you have to trust your own judgement. Technological solutions like spam filters can’t catch everything, and they won’t help in the event of specific forms of phishing, like BEC (business email compromise) scams.
Fortunately, no matter how severe the threat is, there are always clues that can help you identify phishing scams.
You can teach your employees how to become experts at spotting those clues with the help of our Phishing Staff Awareness Course. Packed with real-life examples and best practices for staying safe, this online course helps employees become an active part of your organisation’s cyber security strategy.
A version of this blog was originally published on 14 December 2016.