Cyber Security FAQ’s

Tailgating is both a physical cybersecurity challenge as well as a digital one. Many people, most notably company employees, lose sight of that fact. Unauthorized people can access sensitive and proprietary data left unprotected on a desk in a folder or an unattended computer with open data files that remain unlocked during the owner’s absence. Tailgating is aptly named using its most common method of waiting for a card-carrying person to open an unmanned secure entrance and follow them through the door without being challenged for credentials. Once inside the secure area, they can create opportunities to obtain protected data in various ways.

Download files from an unattended online computer to a USB stick
Search an unattended desk for email credentials. Once they have that information, they can go anywhere and access the cloud account of that individual to download data. They only need to be in the secure area of the building for a few minutes.
The unauthorized person can put malware on unattended computers, such as keyloggers, after which they will have your sign-in credentials remotely.

The bottom line is that tailgating is a technique where the bad guy uses someone else’s credentials to gain entry to a restricted or access-controlled area. It’s strictly a socially exploitative method to subvert standard cybersecurity prevention practices. It’s deception because employees fail to ensure no one follows them through an unmanned secure entry point.

Let’s think about some common sense ways to defeat a tailgating operation.

Be aware of every person in the secure space. Do you know them? If you don’t, challenge them and ask what they are there for and whom they are working with that you do know.
Most companies have a common requirement that employees always wear their badges externally. Is there anyone in the secure area that doesn’t have a badge showing? Challenge them, or remind the person you know to wear his badge. You are the cybersecurity first line of defense.
Protect passwords, commonly called cybersecurity hygiene, and various other governance types of controls. Don’t write down passwords. Don’t share passwords and other login information.
Substantial and recurring education of people on what tailgating is and the impacts of not maintaining good cybersecurity practices in the workplace.

In the bigger cybersecurity picture, these practical preventative measures tackle the issue of social engineering controls (policy and procedure) to prevent the compromise of sensitive data.

We face some confusion of terms with spooling as a cybersecurity threat. Spooling is a legitimate computer function used to manage a computer’s input and output operations. It stands for Simultaneous Peripheral Operations On-Line and involves temporarily storing data in buffer memory or spool before processing. Spooling is a means to improve the computer’s operation by ensuring you don’t overload the microprocessor’s ability to send or receive data beyond the rated speed of the microprocessor. Spooling ensures that all the data being sent or received is done efficiently and accurately without crashing the computer.

However, the bad guys know how computers work and can use that knowledge to crash your computer by purposely sending too much data to your machine than your buffer memory can handle. Essentially, the computer loses track of what it’s doing, which creates errors in your operating system (OS), causing various OS subroutines to time out and crash the computer because it can’t execute the assigned tasks. Spooling, as a malicious cyberattack, is also known as a Disk Operating System Denial of Service (DDoS). There are many ways to disable a computer using DDoS techniques. Spooling is a particular version of how to do it. Your IT team assigned to fend off cyberattacks has a problem with this because the attack looks like legitimate traffic is being sent to your computer. It’s not until the traffic exceeds the typical profile of use of your machine for an extended time that they realize an attack is underway. It’s a more complex analysis that has to be detected in real-time to protect your machine against such an attack. The more computers running on the network, the more challenging it is to see the attack at its inception.

Spooling can cause motherboard damage, where the chips that have the memory and operating system are stored, or a data loss will occur because the computer will overwrite the data multiple times to try to process the amount of data coming in. That will corrupt the computer memory requiring it to be restored. The legitimate data trying to make it to your computer will be lost by being overwritten in memory by the false data.

Setting up your machine correctly can prevent spooling attacks. Here are some settings to be managed:
Leverage your spam filter. Spam filters should stop most spoofed emails from entering your inbox in the first place.
Use spoofing detection software. Software such as ARP and IP spoofing is effective for spoofing prevention.
Use a Virtual Private Network (VPN). Using a VPN will allow you to keep your traffic protected via encryption.
Use packet filtering. Packet filtering filters incoming packets and prevents compromised packets from questionable sources.

Security Information and Event Management (SIEM) is a cybersecurity system of record with threat detection, investigation, and response capabilities, often available via a Software-as-a-System (SaaS) cloud-native app. Thus, it is a tool that provides services for your cybersecurity team to prevent your system from being attacked. SIEM software helps security professionals monitor the IT infrastructure and check for real-time anomalies. The key word here is real-time, in that the software already knows your system and its typical performance characteristics and monitors all those key parameters looking for something that doesn’t fit the known performance trends. This is done by centralizing security information from multiple endpoints, servers, applications, and other sources and reacting immediately to any observed cyberattacks. So, the good guys are out there fighting the good fight against those bad actors that would try to harm your system and your company.

SIEM is also a maturing software and must adapt to the bad actors’ new techniques to penetrate your systems. So, it is not perfect. Hackers continuously develop new cyber attack methods, meaning SIEM must mature to counter the latest and already known techniques. It is a monumental task. According to Microsoft and United States government agencies, effective SIEM solutions are cloud-based and leverage artificial intelligence to accelerate threat detection, investigations, and response. In addition, an in-depth analysis of Siem’s extensibility revealed that current SIEM solutions need to improve features such as behavioral analysis, risk analysis and deployment, visualization, data storage, and reaction capabilities to keep up with the market. In other words, it’s not perfect. As long as bad guys are figuring out how to defeat the protections that are developed, we need good guys to counter what they do.

If you’re an IT guy reading this, you must keep up with SIEM developments. It’s a moving target requiring constant upgrades to new versions. Gartner is a non-biased industry resource for emerging technology. It tracks SIEM development and provides reviews, comparisons, and development activity among the vendors with a SIEM product. It’s a great source to see what exists today and what’s planned for tomorrow.

Hashing is a friend of the cybersecurity team. It is a one-way cryptographic process that converts a message you might send a data stream to a peer into a fixed length of code that cannot be reverse-engineered. Thus, anyone that might intercept the data packet while it travels the Internet to its location won’t be able to de-encrypt it, modify it, or in any way be able to figure out what it said. You can pretty well guess what it’s used for. It’s used when storing passwords, verifying file integrity, or creating a digital signature in apps like Acrobat.

Aha, the light just flashed on. It’s an encryption algorithm. Hashing is a one-way process of generating a unique digital fingerprint for data to ensure its integrity. It converts the data to message digest or hash, which is a number generated from a string of text. Encryption, conversely, is converting plain text into ciphertext to protect confidentiality using an algorithmic encryption process. If you know the encryption key, you can reverse the encryption so you can read it. Aha, semantics, you might say. Not so. Let’s just say you must salt the hash before storing the password. Yeah, look it up.

Some examples of hashing algorithms include MD5, SHA-1, SHA-2, and SHA-3. That’s just like a sportscaster covering sports news. The scores tonight were 2-1; 122-117 … SHA-3 (Secure Hash Algorithm 3 is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015, where NIST is the National Institute of Standards and Technology in charge of such things, i.e., a government agency. The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. You were going to ask.

Hashing is an essential tool in cybersecurity as it provides a secure and efficient method of protecting sensitive data. Hey, it’s a good guy tool. Get to know it. If you know what it does and how to use it, you can keep your data safe from people without permission to know what it is.

Endpoint Detection and Response (EDR) is a cybersecurity technology that continually monitors an “endpoint”. Endpoints are devices and peripherals (IOT devices) that are attached to your computer or network and are turned on through either a wired connection or via Bluetooth (wireless).

• Mobile phones
• iPads
• Routers
• External hard drives
• IOT gadgets (multiplying exponentially YOY)

EDR does its job in real-time with immediate reaction to any anomaly. EDR detects threats across your network. EDR analytics investigates the entire lifecycle of the threat, providing insights into what happened and answers the:

• What
• Where
• When 
• How

It stops the detected threat as it happens.

EDR does its job by monitoring traffic on the network as well as at each device endpoint that’s active. The data is collected and put in a database for after-the-fact analysis. Each threat detection event contributes to a more comprehensive analysis designed to discover new threat profiles. The analytic results support:

• Suspicious system-level behaviors
• Contextual information about the threat
• Blocks malicious activity
• Potential remediation methods

EDR is an approach to endpoint protection in which software actively identifies, stops, and reacts to cyber threats. So, what’s the difference between EDR and the standard anti-virus protection? 

EDR and antivirus are both security solutions, but they work differently. Antivirus searches for threats on a device, while EDR monitors a system for unusual activity. EDR can adapt to new threats in real-time, while antivirus looks for similar or exact matches in its malware database. EDR incorporates antivirus and other endpoint security functionality, providing more fully-featured protection against various potential threats. Antivirus is cost-effective for individuals and offers various types of protection, including virus protection, web protection, spam protection, and a firewall. 

One of the drawbacks of EDR is that it can be expensive for organizations to implement. EDR requires significant resources to be effective, including hardware, software, and personnel. EDR can also generate a large amount of data that needs to be analyzed and acted upon. This can be time-consuming and require additional resources.

Data loss prevention (DLP) measures in cybersecurity aim to prevent data from being compromised due to data loss, modification, or erasure. DLP is an internal security solution that uses various software tools to prevent unsafe or inappropriate sharing, transfer, or use of sensitive data.  Some of the best data loss prevention software include Symantec Endpoint Protection, TERAMIND, Kogni, Mailbox Exchange Recovery, SolarWinds, and Check Point. However, as with most cybersecurity solutions, data safeguarding starts with rigorous and well-thought-out policies and best practices within the corporate workforce. To be totally practical, the software tools must work across the boundaries of the local server where data will be stored, cloud-based locations where on-premise data is typically backed-up and stored, and at the endpoint devices where employees are accessing the data. No DLP strategy is bulletproof and requires extensible administrative policies that accompany what the software tools take care of.

1. Security awareness training is the first order of the day. The employee must protect passwords and credentials. Passwords must be strong, meaning they must use capital letters, lowercase letters, numbers, and special characters, making them random. Your user ID should be well-thought-out, avoiding using your company email address. Passwords should be changed routinely, typically every six months. Sharing or writing down your credentials is a bad thing. If you’re forgetful, use secure password storage software to store it.
2. Security policy and best practices should include no sharing of credentials. The company should also create a database permissions matrix that limits who can download data, who can only read data, and who shouldn’t have access at all. That’s called a “least privilege” default policy.

Cybersecurity DLP efforts aim to mitigate data breaches and loss, either accidentally or because the system was hacked (stolen credentials are a primary way). If the bad guys happen to steal the credentials of someone without database access, they get nothing.

Smishing is phishing that uses SMS or MMS text messages to deceive victims into giving sensitive information to a disguised attacker. Smishing can be assisted by malware or fraudulent websites. Both mobile users and enterprise security are at risk. Enterprise security that doesn’t have endpoint monitoring can be caught off guard. Remote workers that bring their own devices (BYOD) don’t play well in adhering to company policies.  

Smishing attacks can take many forms. Here are some examples of smishing attacks:

• “You’ve won!” messages
• Company-wide texts asking everyone to log in or update their password
• “Your favorite candidate needs your support” messages
• “Shocking news headline” messages
• “Sign-in alert, tap link” messages
• “Track your package” messages
• Messages that ask you to provide information to a government agency

The dark and the ugly of smishing:

1. It’s practically an unknown cyber threat to most people. Less than 35% of people can tell you what smishing means. See this ProofPoint report.
2. It’s a very profitable money-grab game for the bad guys. We’re talking billions of $ and Euros.
3. In its many forms, social media is again proven not to be your friend. Smishing attacks are on the rise exponentially. 
4. One favorite scheme is to exploit the two-factor authentication (2FA) by redirecting you to fake login pages or even intercepting your one-time password prompt and sending it to a device they control.
5. Smishing is insidious in its approach, using local phone numbers to gain your trust or even spoofing numbers you recognize.

The list of methods is long and scary. You’ve probably been victimized and don’t even realize it. Anti-virus can help, but you’re mostly on your own using sound judgment and good decision-making.

Here are some tips to protect yourself from smishing attacks:

• Do not respond to suspicious messages.
• Call your bank directly if you receive a message that appears to be from them.
• Do not click on links within messages.
• Never share your password or MFA code.
• Slow down; never act in haste.
• Please report it to your IT team. They are the people in the know that are on your side.
• Be vigilant; look for signs of common smishing messages.

Spear phishing is an attack that uses email or other electronic communications to deceive a specific individual or organization into divulging sensitive information, downloading malware, or performing other actions that benefit the hacker. Spear phishing messages are addressed directly to the victim and use personal data or additional information specific to their targets to make their deception more convincing. Spear phishing is a cyber social threat that’s mind play meant to con you into doing something you probably wouldn’t under normal circumstances without thoroughly checking out the story being spun. The tactic requires the hacker to carefully plan and use personal knowledge about you that can be obtained from your public social media postings, resume postings, and online profiles you create. Spear phishing is a specific sort of phishing threat, the broader term used for less sophisticated efforts to attack a wider audience of more general knowledge needed to hack electronic files or gain access to sensitive data. Smishing is a specific term for phishing SMS and MMS messages using similar tactics on your smartphone.

Spear-phishers use a range of tactics to make their emails appear legitimate, sometimes even legitimate science practices. Common tactics include personalization – attackers will often research their victims and craft personalized messages that appear to come from someone known or trusted to them. Impersonation – attackers will impersonate someone known that the victim will trust. Urgency – attackers will create a sense of urgency in their messages, such as threatening to close an account or take other action if the victim does not respond immediately. In the vernacular of the day, spear phishing is a form of social engineering which, in more everyday language, is a con job. The funny thing about these scams is that they usually fold their cards and melt away into the ether if you call the hacker’s bluff. A good example is if the pressure tactic is to threaten you with arrest when the hacker impersonates a cop or FBI agent, or IRS auditor. They will usually impersonate someone local to where you live. Go to the police station, surrender, and ask the desk sergeant if there is a warrant for your arrest.

What can you do to protect yourself against spear phishing? Well, the first order of business is to keep your wits about you. Ask many questions until you find the point of inconsistency in the story. There will be one. The only one that knows you better than the hacker is you. Of course, the surefire way to defend yourself against spear phishing is to follow the security training provided to you by your company.

• Use email security software.
• Enforce tight password management practices.
• Enforce multi-factor authentication (MFA).
• Encrypt all sensitive corporate data.
• Do regular backups and install the latest security patches, especially if you’re a remote worker using your personal devices.
• Apply the techniques taught to you in your continuous security training.

SOAR stands for Security Orchestration, Automation, and Response. It is a process that focuses on building and maintaining a secure and trusted system of systems across all organizational boundaries. Protecting complex and distributed data systems in large enterprises, governments, and across national societal infrastructures is necessary. SOAR technology solutions operate at the various system boundaries and share data using artificial intelligence and machine learning (AI/ML) to detect cyberattacks and counter them in a coordinated way using immediate system-wide response capabilities.  

SOAR technology helps coordinate, execute, and automate tasks between various people and tools, all within a single platform. The volume of data to be stored and processed requires abundant computer power and communication systems to defend against the cyberattack and analyze and learn so that future attacks can be recognized and countered more expeditiously before data loss and system damage occurs. The bottom line is that SOAR systems rachets up the effectiveness of the cybersecurity posture.

SOAR technology typically comprises three components that work together to find and stop attacks: orchestration, automation, and incident response. Orchestration connects internal and external tools, including out-of-the-box and custom integrations, to be accessed from one central place. Automation enables the execution of tasks across these tools without human intervention. Incident response provides a framework for managing the entire incident lifecycle, from detection through remediation.

There are many SOAR solutions commercially available in the market. Some of the top SOAR solutions include:

• Chronicle SOAR
• Devo SOAR
• Fortinet FortiSOAR
• IBM QRadar SOAR
• Palo Alto Networks Cortex XSOAR
• Rapid7 InsightConnect
• ServiceNow Security Incident Response (SIR)
• Splunk SOAR
• Swimlane SOAR
• ThreatConnect SOAR

SOAR is a maturing technology. Its full capabilities have yet to be realized. Gartner is a well-known research and advisory company that provides information technology research and analysis. They have published several reports on SOAR technology. According to Gartner, SOAR technology is a critical component of security operations and is expected to become a standard tool for security teams. This report provides a clear statement on the future maturity of the technology. It is an emerging technology. According to the Gartner:

Many organizations struggle to keep up with an evolving threat landscape and are plagued by understaffed and overworked teams suffering from what Gartner® calls “alert fatigue exacerbated further by complexity and duplication of tools.”

As a result, security orchestration, automation, and response (SOAR) solutions continue to be adopted by organizations across the globe to improve the effectiveness of security operations.“SOAR solutions are primarily adopted to create consistency in security processes and improve threat detection and response by providing context enrichment and improving downstream prioritization.”

• The nuances of SOAR and some of the solutions are currently available.

• Recommendations for security and risk management leaders on SOAR deployment best practices are included

• An analysis of and predictions for the future of SOAR technology and its impact on the market are included.

Baiting is a social engineering attack designed to lure the victim into clicking on links, opening attachments, or downloading malware. It is a technique attackers use to gain access to a user’s sensitive data. Baiting promises an item, commodity, or reward to attract victims, infect their systems with malware, and steal their sensitive information.

Baiting can be done digitally via email, SMS text, and social media. Baiting does its job by taking advantage of human psychology. It tricks your mind by exploiting how we process information. If someone offers you something, your first reaction is to accept it unconditionally. It’s especially effective when the “someone” is impersonating a business partner or family acquaintance. It can be carried off through intimidation by impersonating a person of authority like a police officer or Internal Revenue auditor threatening to arrest you for a crime or audit your taxes for some obscure but believable reason. In this scenario, you act compulsively out of fear. In both cases, the attacker counts on you not to think but only do what is asked. They will keep you distracted by holding you on the phone until you do what they ask. It is insidious and calculating.

Baiting can also be done physically and in person. Let’s not forget about this method because it’s even more dangerous. Let’s say you’re sitting at a restaurant like Panera, where Wi-Fi is available. Yes, you’re using your secure VPN to encrypt your communications. Someone asks if they can sit at your table because the restaurant is crowded and you’re alone. Again human psychology comes into play because you, yes, to be friendly. This person doesn’t talk to you or anything. He just checks out what he needs to do on his computer. He plugs a USB stick into his laptop to access whatever data he needs to complete the job. When he’s done, he leaves, and you acknowledge his departure. After he’s gone, you notice his USB stick is lying on the side of the table, forgotten. You look out the window, thinking maybe you can catch him. Alas, you cannot. So, you pick up his USB stick and put it in your computer, thinking his company name or something might be on it. You just fell for the bait, and now your computer is infected with malware, and you don’t even know it. That baiting attack is effective, with an estimated success rate of 4598%, and expeditious, with the first drive connected in less than six minutes. Yeah, nasty. How did they know you’d be at that restaurant at that time? You were important enough to stalk, and you were very predictable. Did your laptop have a malware protection app?

From the cyber attack point of view, cloning is a category of phishing attacks where once a hacker gets access to your system, they clone (copy) the sensitive, proprietary, and intellectual property data they want so it can be used to either blackmail your company or sell the data to a competitor to get money via that route. In either case, the hacker intends to use the cloned data for evil purposes.

Now, your IT department also replicates (clones) files for storage as a backup file or for testing and development purposes. The backup files would be used to restore the integrity of a database if a system failure (cyberattack?) on the operational server corrupted it. The backup server is usually located in a different place with strict controls on access to the backup files. Technically, they are cloning data files the same way a hacker would, but for the right reasons. The point is that you may hear the word cloning used in multiple contexts.

There are several risks associated with cloning in cyber security. First, if attackers gain access to a system clone, they can have a considerable head start in compromising that system. They will already know all of the software and configurations in place and only need to find a way to exploit them. Understanding the structure of the database schema and the protection measures safeguarding it, cloning can lead to data theft, financial loss, malware infection, and company reputation damage. Strong endpoint monitoring software would detect the unusual activity of large data files being cloned and transferred to unauthorized locations.

There are several ways to protect yourself from cloning attacks in cybersecurity. One of the most effective methods is implementing stronger credentials, two-factor authentication, and a robust security training program so the hackers don’t victimize employees. Access to the backup data should be limited to only IT personnel. Rigorous processes and procedures should drive the use of backup data to restore systems to operation.

A honeypot gambit is an effort by a legitimate company to turn the tables on a cyberattack. Taking a page from the cyber hacker playbook, you try to con the con man. A honeypot is a cybersecurity mechanism that uses a fake or manufactured target to attract cyber attackers away from the real ones. Honeypots are network-attached systems that mimic likely cyber-attack targets, such as vulnerable networks. It can help computer systems defend against cyberattacks and understand attacker behavior patterns. The honeypot distracts the attacker from the real prize and gives your IT defenders the information they need to counter cyberattacks by learning their methods through analysis of the attack vector that gathers intelligence on the identity, methods, and purpose of their actions.

Honeypots are useful in the benefits they offer, including data collection, cost savings, encryption circumvention, and enhanced cybersecurity detection reliability. Regarding reliability, cyber attackers should only access honeypots, so honeypots shouldn’t generate false positives that other detection technologies might generate. Listed below are the main benefits of honeypots:

• Observe hackers in action and learn about their behavior
• Gather intelligence on attack vectors, malware, and exploits. Use that intel to train your IT staff
• Create profiles of hackers who are trying to gain access to your systems
• Improve your security posture

Hacker pockets are deep but not bottomless. Generally, they follow the path of least resistance in attacking vulnerable targets that yield results. An attack on your honeypot decoys does not achieve that purpose. Your systems become like a disease to them. They will chart a course around your systems. Developing a reputation as a tough hack will pay dividends over the long haul.

While honeypots can be effective tools for improving cybersecurity, trying to con the con man also comes with some risks:

• Honeypots can be costly and time-consuming to implement. Setting up and maintaining honeypots can be expensive and require significant time and resources. Your budget (time and money) comes directly from the profit bucket. You’ll have to show a return on the investment.
• Honeypots can create additional attack surfaces.
• Hackers are greedy but not stupid. A clever hacker may be able to use a decoy computer to attack other systems in a network.
• A cybercriminal can use a honeypot of their design to supply bad intelligence to your network defense team.